An analyst is investigating the number of failed login attempts by IP address. Which SPL command can be used to create a temporary table containing the number of failed login attempts by IP address over a specific time period?

1. A. index=security_logs eventtype=failed_login | eval count as failed_attempts by src_ip | sort -failed_attempts
2. B. index=security_logs eventtype=failed_login | transaction count as failed_attempts by src_ip | sort -failed_attempts
3. C. index=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attempts
4. D. index=security_logs eventtype=failed_login | sum count as failed_attempts by src_ip |sort -failed_attempts

Correct Answer: C
Thestatscommand is used to generate statistics, such as counts, over specific fields. In this case, the commandindex=security_logs eventtype=failed_login | stats count as failed_attempts by src_ip | sort -failed_attemptscreates a temporary table that counts the number of failed login attempts (failed_attempts) for each source IP (src_ip). Thesort -failed_attemptsensures the results are ordered by the number of failed attempts in descending order, making it easier for an analyst to identify problematic IPs.

Tactics, Techniques, and Procedures (TTPs) are methods or behaviors utilized by attackers. In which framework are these categorized?

1. A. NIST 800-53
2. B. ISO 27000
3. C. CIS18
4. D. MITRE ATT&CK

Correct Answer: D
The MITRE ATT&CK framework categorizes Tactics, Techniques, and Procedures (TTPs) used by attackers. It is a globally accessible knowledge base of adversarial tactics and techniques based on real-world observations, and it is widely used by cybersecurity professionals to understand and defend against various cyber threats.
✑ Tactics, Techniques, and Procedures (TTPs):
✑ MITRE ATT&CK Framework:MITRE ATT&CK organizes these TTPs into a matrix that reflects different stages of an attack lifecycle, from initial access to exfiltration. The framework helps security teams by:
✑ Why MITRE ATT&CK:Unlike compliance-focused frameworks like NIST 800-53 or ISO 27000, which provide security controls and best practices, MITRE ATT&CK is specifically focused on the behavior of adversaries. This focus makes it an invaluable resource for understanding how attacks unfold and how to counteract them.
✑ MITRE ATT&CK Website:The official site provides detailed information on each tactic and technique, along with examples of how they have been used in real- world attacks.
✑ Threat Intelligence Platforms:Many platforms integrate with MITRE ATT&CK, providing enhanced detection and response capabilities by mapping security events to the framework.
✑ Security Research Papers:Numerous papers and reports analyze specific attacks using the ATT&CK framework, offering insights into its practical applications in cybersecurity defense.
References:MITRE ATT&CK is a foundational tool in modern cybersecurity, providing a detailed and actionable understanding of adversary behaviors that can be directly applied to enhance an organization's defensive posture.

Which of the following use cases is best suited to be a Splunk SOAR Playbook?

1. A. Forming hypothesis for Threat Hunting
2. B. Visualizing complex datasets.
3. C. Creating persistent field extractions.
4. D. Taking containment action on a compromised host

Correct Answer: D
Splunk SOAR (Security Orchestration, Automation, and Response) playbooks are designed to automate security tasks, makingtaking containment action on a compromised hostthe best-suited use case. A SOAR playbook can automate the response actions such as isolating a host, blocking IPs, or disabling accounts, based on predefined criteria. This reduces response time and minimizes the impact of security incidents. The other options, like forming hypotheses for threat hunting or visualizing datasets, are more manual processes and less suited for automation via a playbook.

After discovering some events that were missed in an initial investigation, an analyst determines this is because some events have an empty src field. Instead, the required data is often captured in another field called machine_name.
What SPL could they use to find all relevant events across either field until the field extraction is fixed?

1. A. | eval src = coalesce(src,machine_name)
2. B. | eval src = src + machine_name
3. C. | eval src = src . machine_name
4. D. | eval src = tostring(machine_name)

Correct Answer: A
Thecoalescefunction in Splunk is used to return the first non-null value from a list of fields. The SPL| eval src = coalesce(src,machine_name)allows the analyst to dynamically populate thesrcfield with the value frommachine_nameifsrcis empty. This is a useful technique when dealing with inconsistent data sources or during field extraction issues, ensuring that the analyst can continue their investigation without missing critical events.

An organization is using Risk-Based Alerting (RBA). During the past few days, a user account generated multiple risk observations. Splunk refers to this account as what type of entity?

1. A. Risk Factor
2. B. Risk Index
3. C. Risk Analysis
4. D. Risk Object

Correct Answer: D
In Splunk??s Risk-Based Alerting (RBA) framework, aRisk Objectrefers to the specific entity (such as a user account, IP address, or host) that is associated with risk observations. When auser account generates multiple risk observations, it is labeled as a Risk Object, allowing security teams to track and manage risk more effectively.
✑ Risk Object:
✑ Incorrect Options:
✑ Splunk RBA Documentation:Detailed descriptions of how Risk Objects function within the Risk-Based Alerting framework.