When performing "Outlier Detection" on file execution events, why is it important to normalize process paths?
To make the Splunk search run 50% faster.
To ensure that `C:\Windows\System32\cmd.exe` and `c:\windows\system32\cmd.exe` are treated as the same entity by the `stats` command.
To prevent Splunk from indexing the data.
To hide the process names from the end user.
Explanation: Outlier detection relies on accurate counts. Search-term matching in Splunk is case-insensitive, but field values are compared case-sensitively when `stats` groups by them, so `C:\Windows\System32\cmd.exe` and `c:\windows\system32\cmd.exe` become two separate entities in the frequency distribution. Each variant then carries a lower count than the real process, which makes common processes look rare (false positives) and pushes the genuinely rare executable further down the list. Normalizing before counting (for example `eval process_path=lower(process_path)`) avoids this, and nothing is lost because Windows paths are case-insensitive anyway.
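The effect described above, shown as an added example (plain Python, not SPL from the page, over a constructed set of process-execution events): the same "rare process" rule is run with and without path normalization, reproducing what `eval process_path=lower(process_path) | stats count by process_path` does inside Splunk. The sample paths and the threshold of two sightings are assumptions made for the example.

```python
"""Added example: the effect of case normalization on a frequency-based
outlier count. Plain Python over constructed events, not code from the page."""
from collections import Counter
import ntpath

# Constructed sample of process-execution events (not real telemetry).
# The same binary is logged with three different casings by different sources.
EVENTS = [
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cmd.exe",
    r"C:\Windows\System32\cmd.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\cmd.exe",
    r"c:\windows\system32\cmd.exe",
    r"C:\WINDOWS\system32\CMD.EXE",
    r"C:\WINDOWS\system32\CMD.EXE",
    r"C:\Users\Public\rare_tool.exe",
]


def normalize_path(path: str) -> str:
    """Canonical form for a Windows path: lower-case with a single separator style.
    ntpath.normcase lowercases and turns '/' into '\\' on any host OS."""
    return ntpath.normcase(path.strip())


def frequency(paths, normalize: bool) -> Counter:
    """Equivalent of `stats count by process_path`, optionally after lower()."""
    return Counter(normalize_path(p) if normalize else p for p in paths)


def rare_entities(paths, normalize: bool, max_count: int = 2) -> list:
    """Entities seen at most `max_count` times: the assumed 'rare process' rule."""
    freq = frequency(paths, normalize)
    return sorted(entity for entity, n in freq.items() if n <= max_count)


if __name__ == "__main__":
    # Without normalization one casing of cmd.exe is flagged as rare alongside
    # the real outlier; with normalization only rare_tool.exe is flagged.
    print("raw:       ", rare_entities(EVENTS, normalize=False))
    print("normalized:", rare_entities(EVENTS, normalize=True))
```

Note that `normalize_path` also unifies separators; in a real deployment the same normalization has to be applied on both sides of any lookup that keys on the path.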
Which Splunk ES search leverages the accelerated CIM Authentication data model to assess which sourcetypes are contributing to it?
| inputlookup es_content.csv | search recommended_sourcetype
| tstats summariesonly=true count from datamodel=Authentication by sourcetype
Splunk ES Content dashboard > Sourcetype Coverage widget
| datamodel Authentication Authentication search | stats count by sourcetype
Explanation: `tstats` against the accelerated Authentication data model reads the summaries, so it reveals the contributing sourcetypes quickly even over long time ranges. The `datamodel ... search` form pulls the raw events and applies the model's constraints at search time, which is slow without acceleration. The other two are not search commands: one is a UI widget and the other a lookup that does not ship with ES.
A complex security search involves multiple subsearches to find commonalities between different datasets. The analyst notices that the subsearch is being automatically truncated. What is the default maximum number of results a subsearch can return in Splunk, and what is the best practice if more results are needed?
50,000; use the TRANSACTION command.
10,000; increase the limit in the subsearch using "maxresults".
100; use the APPEND command to combine results.
1,000; use a LOOKUP or JOIN instead if the dataset is large.
Explanation: A subsearch is capped by the limits.conf `[subsearch]` settings: `maxout` (10,000 results in current releases; older guidance, and this question's answer key, cite 1,000) and `maxtime` (60 seconds). Results past the cap are silently dropped, which is the truncation the analyst sees. Raising the cap is possible but scales poorly, so when correlating across large datasets a subsearch is not the best practice. Use a lookup, a data model with `tstats`, or a single `stats` over the combined sourcetypes with conditional `eval` logic to correlate on the shared key.
Which of the following can trigger a Splunk SOAR (formerly Phantom) action from Splunk ES? (Select all that apply)
Manually running the action from a notable event in Incident Review
A drilldown search link on the notable
An adaptive response action configured on a correlation search (automatic)
All of the above except the drilldown
A risk-based correlation search
Explanation: Sending to SOAR is an adaptive response action. It fires automatically when a correlation search (including a risk-based one) has the action configured, or manually when an analyst runs the action from a notable in Incident Review. A drilldown is only a link to a search and triggers nothing.
In Splunk ES, an analyst investigating a risk notable notices the Risk Event Timeline visualization shows contributing events with varying calculated_risk_score values, some modified by custom risk factors based on MITRE ATT&CK annotations. The notable originated from the "ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 days" correlation search. Which of the following accurately describes the role of risk factors and how they influence the final risk notable in this scenario?
Risk factors replace the need for the Risk Analysis adaptive response action entirely in correlation searches.
Risk factors dynamically multiply or adjust the base risk_score of intermediate findings based on conditions like annotations or entity metadata before threshold evaluation, directly impacting whether the risk notable is generated and its displayed score.
Risk factors are applied post-notable creation via manual ad-hoc risk entries only and do not affect the initial aggregation in risk incident rules.
All risk factors are disabled by default in risk notables, requiring manual override in the Incident Review dashboard for each event.
Explanation: Risk factors, configured in the Risk factor editor, modify the risk score of an intermediate finding at search time based on event metadata such as the MITRE ATT&CK tactic carried in the correlation search's annotations or attributes of the risk object. The adjusted value is what lands in the risk index as calculated_risk_score, so it is already applied when a risk incident rule such as "ATT&CK Tactic Threshold Exceeded for Object Over Previous 7 days" aggregates the object's events and compares them to its threshold. That is why the factors both decide whether the risk notable is generated and determine the score shown on it; they are not applied after the fact and do not replace the Risk Analysis adaptive response, which is what writes the risk events in the first place.
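An added example of the ordering described above (plain Python over constructed risk events, not ES code): each event's base `risk_score` is multiplied by every matching risk factor before the per-object aggregation, and the aggregation is then tested against a risk incident rule's thresholds. The two factor definitions, the 7-day window, the threshold of 3 distinct tactics and the score threshold of 100 are assumptions made for the example; consult the Risk factor editor and the rule's own settings for real values.

```python
"""Added example: risk factors applied before a risk incident rule evaluates
its threshold. Constructed data and assumed thresholds, not ES code."""
from collections import defaultdict

# Constructed risk events, shaped like what the Risk Analysis adaptive response
# writes to the risk index (field names follow ES conventions; values are made up).
RISK_EVENTS = [
    {"_time": 100, "risk_object": "ws01", "risk_score": 20, "tactic": "execution",        "user_category": "privileged"},
    {"_time": 300, "risk_object": "ws01", "risk_score": 30, "tactic": "lateral-movement", "user_category": "privileged"},
    {"_time": 400, "risk_object": "ws02", "risk_score": 40, "tactic": "execution",        "user_category": "standard"},
    {"_time": 500, "risk_object": "ws03", "risk_score": 10, "tactic": "initial-access",   "user_category": "standard"},
    {"_time": 600, "risk_object": "ws03", "risk_score": 10, "tactic": "execution",        "user_category": "standard"},
    {"_time": 700, "risk_object": "ws03", "risk_score": 10, "tactic": "persistence",      "user_category": "standard"},
]

# Assumed risk factors: (condition on the event, multiplier). Each matching
# factor multiplies the base score, as a multiply-type factor does in ES.
RISK_FACTORS = [
    (lambda e: e["tactic"] == "lateral-movement", 2.0),
    (lambda e: e["user_category"] == "privileged", 1.5),
]


def apply_risk_factors(event, factors=RISK_FACTORS):
    """Return calculated_risk_score: the base risk_score times every matching factor."""
    score = float(event["risk_score"])
    for matches, multiplier in factors:
        if matches(event):
            score *= multiplier
    return score


def aggregate(events, factors=RISK_FACTORS, window=7 * 86400, now=None):
    """Per-object totals over the trailing window, as a risk incident rule sees them."""
    now = max(e["_time"] for e in events) if now is None else now
    totals = defaultdict(lambda: {"score": 0.0, "tactics": set(), "events": 0})
    for e in events:
        if e["_time"] < now - window:
            continue  # outside the rule's lookback
        agg = totals[e["risk_object"]]
        agg["score"] += apply_risk_factors(e, factors)
        agg["tactics"].add(e["tactic"])
        agg["events"] += 1
    return dict(totals)


def risk_notables(events, factors=RISK_FACTORS, min_tactics=3, min_score=100.0):
    """Objects that trip either assumed threshold: distinct ATT&CK tactics
    (the 'Tactic Threshold Exceeded' style rule) or accumulated score."""
    out = {}
    for obj, agg in aggregate(events, factors).items():
        if len(agg["tactics"]) >= min_tactics or agg["score"] >= min_score:
            out[obj] = round(agg["score"], 1)
    return out


if __name__ == "__main__":
    # ws03 trips the tactic-count rule either way; ws01 only becomes a notable
    # once the factors lift its two events from 50 to 120.
    print("without factors:", risk_notables(RISK_EVENTS, factors=[]))
    print("with factors:   ", risk_notables(RISK_EVENTS))
```

The example also shows why a factor is not a substitute for the Risk Analysis adaptive response: `aggregate` only ever sees events that already exist in the risk index.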
Which of the following best describes the concept of threat hunting?
Proactively searching for hidden threats in the environment
Implementing security patches to prevent attacks
Monitoring network traffic for anomalies
Automating responses to detected threats
Explanation: Threat hunting involves proactively searching for hidden threats within an organization's environment. Unlike traditional security measures that react to alerts, threat hunting is a proactive approach to identifying and mitigating threats before they can cause harm.
A scenario-based question on SIEM best practices: After ingesting new endpoint data that fails to accelerate properly due to missing tags, what corrective actions align with Splunk Enterprise Security operation concepts? (Select all that apply)
Rebuild the data model after verifying sourcetype compliance with CIM.
Disable acceleration entirely to avoid summary indexing overhead.
Use Splunk Security Essentials to assess and recommend content gaps.
Add required CIM tags and fields via props.conf and transforms.conf.
Explanation: The corrective actions that align with ES practice are: add the fields and tags the data model expects (field extractions, aliases and calculated fields in props.conf and transforms.conf; the CIM tags themselves through eventtypes.conf and tags.conf), verify the sourcetype is CIM-compliant, rebuild the data model acceleration so the summaries include the newly normalized events, and use Splunk Security Essentials to assess and recommend content gaps. Disabling acceleration removes the summary-indexing overhead but also removes the fast `tstats` path that ES correlation searches depend on.
During a hypothesis-driven hunt for lateral movement, an analyst uses Splunk to model anomalies in SMB traffic. Which SPL commands are most effective for this configuration-based and modeling technique? (Select two)
| inputlookup smb_baseline.csv | stats count by src_ip,dest_ip | where count > threshold
| from datamodel:Authentication | eval anomaly_score=if(login_time > avg_login_time + 3*stdev,1,0)
| search sourcetype=stream:smb | cluster field=smb_command showcount=true | where cluster_count<5
| tstats count from datamodel=Network_Traffic where All_Traffic.dest_port=445 by All_Traffic.src All_Traffic.dest _time span=1h | anomalydetection action=annotate count
Explanation: For modeling anomalies in SMB traffic, `tstats` leverages the accelerated Network_Traffic data model for efficient time-series anomaly detection on connection counts by source and destination, while `cluster` groups SMB commands by similarity so that rare command patterns (the kind produced by tooling such as Cobalt Strike) surface as small clusters. `inputlookup` against a static baseline is IOC matching rather than dynamic modeling, and the Authentication data model with an `eval` threshold is unrelated to SMB lateral movement.
In industry practice, TTPs from a known threat actor are mapped in Splunk ES annotations to help correlate events involving lateral movement via remote service exploitation using a specific tool like EternalBlue. What is the correct hierarchical order of these TTP examples, and their regard in cybersecurity?
Tactic only, with techniques and procedures de-emphasized in modern analysis.
All treated as equivalent IOCs without hierarchy or industry regard.
Procedure first for exact steps, ignoring tactic and technique levels.
Lateral movement as tactic, exploitation of remote services as technique, and EternalBlue usage as procedure, regarded as critical for structured threat modeling in frameworks like MITRE ATT&CK.
Explanation: Lateral movement as tactic, exploitation of remote services as technique, and EternalBlue usage as procedure, regarded as critical for structured threat modeling in frameworks like MITRE ATT&CK is the correct order because TTPs follow a hierarchy where tactics are broad goals, techniques are methods to achieve them, and procedures are detailed implementations, and they are highly regarded industry-wide for enabling precise adversary emulation and defensive gap analysis.
At SIEM scale, which practices are recommended for bringing 100 sourcetypes into CIM compliance? (Select two)
Use Splunk Security Essentials to audit data and content coverage before and during ingestion
Deploy the vendor technology add-ons (TAs) for each sourcetype across forwarders, indexers and search heads
Run machine learning on raw events before CIM normalization
Centralize acceleration on 10 core data models only
Explanation: Vendor TAs supply the extractions, aliases and tags that normalize each sourcetype to CIM consistently from the point of ingestion onward. Security Essentials then validates compliance and coverage iteratively as sources are added. Acceleration belongs after compliance is verified (accelerating a model the data does not yet populate just produces empty summaries), and ML should run on normalized fields rather than raw events.
In a scenario involving a state-sponsored adversary targeting critical infrastructure, the attack begins with phishing for credentials (social engineering), progresses to supply chain injection for malware delivery, and culminates in data exfiltration over C2 channels with botnet support for redundancy. The overarching motivation is geopolitical disruption. Select the elements that define the attack types, motivations, and tactics here. (Select all that apply.)
Botnet redundancy for C2 and exfiltration as tactics in a supply chain attack motivated by geopolitical objectives
Pure DDoS flooding without exfiltration or supply chain as the primary motivation and vector
Zero-day exploitation exclusively through email compromise without bot or C2 components
Phishing-driven social engineering combined with registry persistence to support account takeover and ransomware
Explanation: Botnet redundancy for C2 and exfiltration as tactics in a supply chain attack motivated by geopolitical objectives captures the resilient command infrastructure and data theft in state-sponsored operations. Phishing-driven social engineering combined with registry persistence to support account takeover and ransomware correctly incorporates the initial credential harvesting and endpoint persistence common in such hybrid threats. Pure DDoS flooding without exfiltration or supply chain as the primary motivation and vector does not align with the described exfiltration and supply chain elements. Zero-day exploitation exclusively through email compromise without bot or C2 components overlooks the botnet and broader supply chain aspects.
An enterprise SOC is benchmarking against common standards and discovers its detections do not leverage Splunk's full framework capabilities for APT detection. A complex scenario requires updating multiple correlation searches. Who owns the task of ensuring annotations cover TTPs from MITRE ATT&CK while aligning with CIS Controls, and what is the benefit to the cyber landscape understanding?
No single role owns it; it is automated.
The Security Analyst owns it for daily use only.
The Security Architect owns only policy writing.
The Security Engineer owns the configuration of annotations in savedsearches.conf and security_framework_annotations.csv to map TTPs and controls, benefiting Analysts' understanding of attack vectors in the broader cyber landscape.
Explanation: The Security Engineer owns the configuration of annotations in savedsearches.conf and security_framework_annotations.csv to map TTPs and controls, benefiting Analysts' understanding of attack vectors in the broader cyber landscape because Engineers maintain the technical incorporation of frameworks like MITRE ATT&CK and CIS into Splunk ES, enhancing overall SOC awareness of the cyber landscape, standards, and TTPs.
A security analyst needs to identify brute-force attempts where a single user logs in from multiple distinct source IPs within a 5-minute window. Which SPL command structure is most efficient for grouping these related events into a single conceptual entity for analysis while maintaining the original event context?
`... | bin _time span=5m | stats dc(src_ip) as ip_count values(src_ip) as ips by _time user | where ip_count > 1`
`... | tstats dc(src_ip) where index=auth by user _time span=5m | where 'dc(src_ip)' > 1`
`... | transaction user maxspan=5m | where mvcount(src_ip) > 1`
`... | streamstats time_window=5m dc(src_ip) as ip_count by user | where ip_count > 1`
Explanation: The `transaction` command is specifically designed to group events that share common characteristics into a single transaction based on constraints like `maxspan`, keeping the raw data of all related events together in one record (with `src_ip` becoming a multivalue field of the distinct addresses). That is the "single conceptual entity that maintains event context" the question asks for, and it matters in forensics where the chronological relationship between events in a session counts. The trade-off is that `transaction` is memory-intensive and subject to `maxevents` and `maxopentxn` limits, so for counting at scale `stats` over binned time or `streamstats` with a time window is more performant; note also that fixed 5-minute bins miss pairs of logins that straddle a bin boundary, which a `maxspan` or `time_window` sliding window catches.
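The difference between the binned and windowed forms, as an added example (plain Python over constructed authentication events, not SPL from the page): `detect_binned` reproduces `bin _time span=5m | stats dc(src_ip) by _time user`, `detect_sliding` reproduces the trailing-window logic of `transaction user maxspan=5m` / `streamstats time_window=5m`, and `group_as_transactions` keeps whole per-user groups the way `transaction` does. The user names, addresses and timestamps are constructed so that one user's two logins straddle the 00:05 bin edge.

```python
"""Added example: 'one user, many source IPs within 5 minutes' implemented as
fixed bins and as a sliding window. Constructed data, not code from the page."""
from collections import defaultdict

# Constructed authentication events: (epoch seconds, user, src_ip).
# 'bob' logs in from two IPs 60 s apart, but the pair straddles the 300 s bin edge.
AUTH_EVENTS = [
    (0,   "alice", "10.0.0.1"),
    (120, "alice", "10.0.0.2"),
    (150, "alice", "10.0.0.3"),
    (270, "bob",   "10.0.0.4"),
    (330, "bob",   "10.0.0.5"),
    (900, "carol", "10.0.0.6"),
    (950, "carol", "10.0.0.6"),  # same IP twice: not multi-source
]

WINDOW = 300  # 5 minutes


def detect_binned(events, window=WINDOW, min_ips=2):
    """bin _time span=5m | stats dc(src_ip) by _time user | where dc > 1"""
    ips = defaultdict(set)
    for ts, user, ip in events:
        ips[(ts // window * window, user)].add(ip)
    return sorted({user for (_, user), seen in ips.items() if len(seen) >= min_ips})


def detect_sliding(events, window=WINDOW, min_ips=2):
    """Per user, in time order, test every trailing window of `window` seconds,
    which is what transaction maxspan and streamstats time_window do."""
    per_user = defaultdict(list)
    for ts, user, ip in sorted(events):
        per_user[user].append((ts, ip))
    hits = set()
    for user, rows in per_user.items():
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # drop events that fell out of the window
            if len({ip for _, ip in rows[start:end + 1]}) >= min_ips:
                hits.add(user)
    return sorted(hits)


def group_as_transactions(events, window=WINDOW):
    """Mimic `transaction user maxspan=5m`: contiguous per-user groups whose
    first-to-last span stays within the window, keeping every member event."""
    per_user = defaultdict(list)
    for ev in sorted(events):
        per_user[ev[1]].append(ev)
    txns = []
    for rows in per_user.values():
        current = [rows[0]]
        for ev in rows[1:]:
            if ev[0] - current[0][0] <= window:
                current.append(ev)
            else:
                txns.append(current)
                current = [ev]
        txns.append(current)
    return txns


if __name__ == "__main__":
    print("binned: ", detect_binned(AUTH_EVENTS))   # misses bob
    print("sliding:", detect_sliding(AUTH_EVENTS))  # catches bob
    for txn in group_as_transactions(AUTH_EVENTS):
        print(txn[0][1], sorted({ip for _, _, ip in txn}), "span", txn[-1][0] - txn[0][0])
```

`group_as_transactions` also makes the cost visible: every member event is held until the group closes, which is the memory behaviour that makes `transaction` unsuitable for high-volume counting.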
In the context of continuous monitoring within Splunk Enterprise Security, the five basic stages of investigation according to Splunk emphasize structured progression from initial collection to final remediation. For a scenario involving a Risk Notable from anomalous DNS queries (correlation: | tstats count from datamodel=Network_Resolution where DNS.query=*malicious* by src_ip), the analyst has completed collection and examination but finds the activity benign upon analysis. Which metric would best quantify the efficiency of completing these stages, and how does disposition assignment factor in?
Risk score accumulation is the key metric, independent of disposition.
MTTA is the primary metric improved by quick disposition regardless of stage completion.
MTTD is directly lowered by faster correlation search execution in early stages.
Dwell time, calculated as MTTD plus MTTR, is reduced when Benign Positive is assigned promptly.
Explanation: In the framing of this question, completing the five stages efficiently, including prompt assignment of the Benign Positive disposition, minimizes the total time the notable stays open, which is the quantity tracked against the breach detection gap in analyst performance metrics. One caveat for practitioners: strictly, dwell time is the interval between initial compromise and detection; the question folds response time into it, so what it calls dwell time is closer to the end-to-end time from alert to closure. Either way, the disposition is what closes the loop: an open notable keeps counting against the team regardless of how quickly the correlation search ran.
Which common sourcetypes are recommended for on-prem deployments in Splunk Security Essentials for endpoint threat detection? (Select all that apply)
Sysmon:Event for process creation (ID 1)
XmlWinEventLog:Security/4663 for object access
WinEventLog:Security for auth events
aws:cloudtrail for IAM anomalies
Explanation: WinEventLog:Security captures the 4624/4625 logon events that are the baseline for brute-force and privilege-escalation detections. XmlWinEventLog:Security/4663 records access to audited objects (files and registry keys carrying a SACL); note that DCSync detection relies on the 4662 directory-service access event with replication-related object GUIDs, not on 4663. Sysmon EventCode 1 (sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational with the Splunk Add-on for Sysmon) provides process lineage (parent, command line, hashes) for living-off-the-land hunting. aws:cloudtrail is cloud-native, not on-prem.
In the context of Splunk Enterprise Security, what is the primary purpose of "Identity Correlation"?
To encrypt user passwords before they are stored in the index.
To synchronize Splunk user roles with Active Directory groups.
To prevent users from logging into Splunk with more than one device simultaneously.
To link multiple account names (e.g., ssmith, admin_ssmith, ssmith@corp.com) to a single human entity.
Explanation: Identity Correlation within the Asset and Identity framework allows the SIEM to map various usernames and identifiers used across different systems back to one specific person. This is crucial for investigations to see the full scope of an individual's activity across the enterprise.
Which ES dashboards present the information produced by `| search index=notable | stats sum(risk_score) by rule_name`?
Incident Review, as per-rule breakdowns
Risk Analysis, as total scores
Both Incident Review and Risk Analysis
Session Intelligence only
Explanation: Incident Review groups notables by the rule that created them, and Risk Analysis aggregates risk scores, so both present what this search summarizes. A caveat worth knowing: the Risk Analysis dashboard is driven by the risk index (the events written by the Risk Analysis adaptive response), not by `index=notable`, so its totals can differ from a sum of `risk_score` over notables.
When analyzing an incident involving insider threats, which adaptive response actions are most appropriate? (Select All that Apply)
Monitor the user's network activity
Lock the user's account
Allow the user to continue working
Inform HR about the incident
Explanation: Locking the user's account prevents further potential harm, monitoring their network activity provides insights into their actions, and informing HR is essential for addressing the human resources aspect of the incident. Allowing the user to continue working poses a risk to the organization.
A detection engineer incorporates intelligence on specific adversary procedures, such as custom PowerShell scripts for lateral movement (mapped to MITRE T1021), into custom correlation searches and risk scoring in Splunk ES to improve anomaly detection for upcoming threat hunts. This medium-term intelligence focuses on attack methods rather than active campaigns or board trends. Which tier is applied, and how?
Operational threat intelligence solely for immediate campaign response playbooks
Strategic threat intelligence limited to geopolitical forecasting
Basic IOC feeds without MITRE or procedure details
Tactical threat intelligence, enhancing threat analysis by mapping procedures to detections and hunts
Explanation: Tactical threat intelligence, enhancing threat analysis by mapping procedures to detections and hunts is the tier here as it provides technique/procedure details for proactive detection engineering and hunting in Splunk.
A security team wants to assess their "Data Readiness" for a new set of ransomware detections. Which Splunk tool provides a "Data Source Assessment" specifically to identify gaps in log ingestion for these detections?
Splunk Add-on for Microsoft Windows
Splunk Enterprise Security
Splunk Machine Learning Toolkit
Splunk Security Essentials
Explanation: Splunk Security Essentials (SSE) includes a "Data Source Assessment" tool. It allows organizations to see which data sources they currently have, which ones are needed for specific security use cases (like ransomware), and provides guidance on how to onboard the missing data.
A scenario unfolds with an adversary taking over a user account through phishing, modifying registry for persistence, and then exfiltrating data while maintaining C2. Identify all applicable common terms that define this multi-stage threat actor activity. (Select all that apply)
Account takeover via social engineering, registry for persistence, exfiltration, and C2 usage by a threat actor or APT.
Pure botnet DDoS without persistence or data theft elements.
Isolated email compromise ignoring account and registry aspects.
Zero trust model fully preventing supply chain ransomware.
Explanation: Account takeover via social engineering, registry modification for persistence, exfiltration, and C2 usage by a threat actor or APT together define the activity: account takeover is unauthorized access to an account (here obtained by phishing), the registry change provides persistence, exfiltration is the data theft, C2 is the control channel, and threat actor or APT names the adversary. The other options describe something else: botnet DDoS alone has no persistence or theft stage, zero trust is a defensive model rather than a description of this activity, and an isolated email compromise ignores the account and registry stages.
You are looking for "Lateral Movement" using WMI. You search for events where `process_name=wmiprvse.exe`. Which CIM field would typically contain the "Command Line" arguments used by the WMI process to help you identify the specific malicious script?
`command`
`args`
`process`
`cmd_line`
Explanation: In the CIM Endpoint data model, the Processes dataset uses `process` for the full command string (executable plus arguments), `process_name` for the file name, `process_path` for the full path and `process_exec` for the executable name. `command`, `args` and `cmd_line` are not CIM fields, although a vendor TA may alias one of them to `process`. One practical caveat: wmiprvse.exe is always launched by the WMI service with a fixed command line, so the attacker's script shows up in the `process` field of the child process it spawns, which you find by searching on `parent_process_name=wmiprvse.exe` rather than on `process_name`.
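The mapping above, as an added example (plain Python, not code from the page or the CIM add-on): a constructed Sysmon EventCode 1 record in key=value form is parsed, projected onto the CIM Endpoint.Processes field names, and then queried the way the WMI hunt needs, by the parent process name. The event text, host, user and encoded command are all made up for the example; the CIM field names are the real ones.

```python
"""Added example: Sysmon process-creation record -> CIM Endpoint.Processes
fields -> child-of-wmiprvse check. Constructed event, not captured telemetry."""
import ntpath

# Constructed Sysmon-style process-creation event, flattened to key=value
# lines (the form in which the Windows TA renders XML event data).
SAMPLE_EVENT = """EventCode=1
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA
ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
ParentCommandLine=C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding
User=CORP\\svc_backup
Computer=ws07.corp.local"""


def parse_kv(raw: str) -> dict:
    """Split 'key=value' lines; values may contain '=' so split only once."""
    out = {}
    for line in raw.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def to_cim_processes(ev: dict) -> dict:
    """Project onto CIM Endpoint.Processes names:
    process        full command string (executable plus arguments)
    process_name   file name of the executable
    process_path   full path of the executable
    process_exec   executable file name
    parent_process / parent_process_name  the same for the parent."""
    image, parent = ev["Image"], ev["ParentImage"]
    return {
        "process": ev["CommandLine"],
        "process_name": ntpath.basename(image).lower(),
        "process_path": image,
        "process_exec": ntpath.basename(image).lower(),
        "parent_process": ev["ParentCommandLine"],
        "parent_process_name": ntpath.basename(parent).lower(),
        "user": ev["User"],
        "dest": ev["Computer"],
    }


def wmi_child_command_line(cim: dict):
    """The WMI-spawned command line lives in the child's `process` field;
    return it when the parent is wmiprvse.exe, otherwise None."""
    if cim["parent_process_name"] == "wmiprvse.exe":
        return cim["process"]
    return None


if __name__ == "__main__":
    cim = to_cim_processes(parse_kv(SAMPLE_EVENT))
    print("process_name:", cim["process_name"])
    print("WMI child command line:", wmi_child_command_line(cim))
```

Searching on `process_name=wmiprvse.exe` would return the parent, whose `process` field is the fixed `-secured -Embedding` string; the filter on `parent_process_name` is what surfaces the encoded PowerShell.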
In Splunk Enterprise Security, an analyst is reviewing a notable event triggered by a correlation search for suspicious registry modifications. The event displays mapped annotations including MITRE ATT&CK technique T1547 (Boot or Logon Autostart Execution) and Kill Chain phase for persistence. How do these annotations primarily function within the platform to support investigations?
They solely serve as decorative labels without any investigative or enrichment value
They limit visibility to only managed annotations and exclude custom analyst inputs
They enrich the notable event with framework mappings to facilitate root cause analysis and phase-based threat progression tracking
They replace the need for correlation searches by automatically generating risk scores
Explanation: They enrich the notable event with framework mappings to facilitate root cause analysis and phase-based threat progression tracking. This accurately outlines the core purpose of annotations in Splunk ES, which add context from frameworks like MITRE ATT&CK and the Kill Chain to detections for better investigation management.