QUESTION 6

The Security Operations Center (SOC) manager is interested in creating a new dashboard for typosquatting after a successful campaign against a group of senior executives. Which existing ES dashboard could be used as a starting point to create a custom dashboard?

Correct Answer: D
For creating a custom dashboard focused on typosquatting, the New Domain Analysis dashboard in Splunk Enterprise Security (ES) would be a relevant starting point. Typosquatting typically involves the registration of domains similar to legitimate domains to deceive users, which is closely related to the analysis of newly registered or observed domains. This dashboard already includes tools and visualizations for monitoring and analyzing domain name activity, which can be adapted for the specific needs of monitoring for typosquatting.

QUESTION 7

Which of the following use cases is best suited to be a Splunk SOAR Playbook?

Correct Answer: D
Splunk SOAR (Security Orchestration, Automation, and Response) playbooks are designed to automate security tasks, making taking containment action on a compromised host the best-suited use case. A SOAR playbook can automate the response actions such as isolating a host, blocking IPs, or disabling accounts, based on predefined criteria. This reduces response time and minimizes the impact of security incidents. The other options, like forming hypotheses for threat hunting or visualizing datasets, are more manual processes and less suited for automation via a playbook.

QUESTION 8

How are Notable Events configured in Splunk Enterprise Security?

Correct Answer: D
Notable Events in Splunk Enterprise Security are configured as part of a correlation search, where an Adaptive Response Action can be set to create a Notable Event when certain conditions are met. These correlation searches are pre-defined or custom searches that look for specific patterns of interest, such as security incidents or anomalies. The use of Adaptive Response Actions within these searches allows for the automated creation of Notable Events, which can then be investigated by security analysts. This configuration is a crucial part of Splunk's security operations capabilities.
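As an added illustration of that configuration (not taken from the page or from Splunk's documentation), the stanza below sketches what a correlation search with the notable Adaptive Response Action looks like in savedsearches.conf. The stanza name, the search, the index, host, field values and titles are all constructed for this example; the action.correlationsearch.* and action.notable.* keys are assumed to match the ones ES writes when the action is enabled in the Correlation Search editor.

```ini
# Constructed example stanza for savedsearches.conf in an ES-aware app.
# Everything below the key names is made up for illustration.
[Example - Access - After-Hours Login to Finance Server - Rule]
# Scheduled search that looks for the pattern of interest (the "condition")
search = index=auth sourcetype=linux_secure action=success host=finsrv01 \
  | where date_hour>=18 OR date_hour<6 \
  | stats count min(_time) as first_seen by user, src, host
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m@m
dispatch.latest_time = now
enableSched = 1

# Marks the saved search as an ES correlation search (assumed key names)
action.correlationsearch.enabled = 1
action.correlationsearch.label = After-Hours Login to Finance Server

# Adaptive Response Action: create a Notable Event per result row
action.notable = 1
action.notable.param.rule_title = After-hours login to $host$ by $user$ from $src$
action.notable.param.rule_description = Successful login to the finance server between 18:00 and 06:00
action.notable.param.security_domain = access
action.notable.param.severity = high
```

When the scheduled search returns rows, the notable action writes one Notable Event per row into the notable index, which is what analysts then see in Incident Review; without `action.notable = 1` the search still runs but produces no notables.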

QUESTION 9

An IDS signature is designed to detect and alert on logins to a certain server, but only if they occur from 6:00 PM - 6:00 AM. If no IDS alerts occur in this window, but the signature is known to be correct, this would be an example of what?

Correct Answer: A
In the context of Intrusion Detection Systems (IDS), determining whether an event is a True Negative, True Positive, False Negative, or False Positive depends on the system's detection and the reality of the situation.
Let's break down the scenario.
IDS Signature Explanation:
The IDS is set to detect and alert on logins to a server, but only if they happen during a specific time window, from 6:00 PM to 6:00 AM.
The question states that no alerts occur during this time frame, but the IDS signature is known to be correct.
Understanding Detection Terms:
True Positive: The IDS correctly detects an intrusion or suspicious activity that is actually happening.
True Negative: The IDS does not detect any activity because no suspicious or malicious activity is occurring, and this lack of detection is correct.
False Positive: The IDS detects an intrusion or activity, but it is a false alarm (i.e., there is no real threat).
False Negative: The IDS fails to detect a real intrusion or activity when it should have, missing a legitimate alert.
Applying the Scenario:
In this case, no IDS alerts occurred during the specified time frame. If there were no actual logins during this period and the signature was designed correctly, then the absence of alerts is expected and appropriate.
Since no suspicious logins occurred, and the IDS did not trigger any alerts, this situation represents a True Negative—the system correctly identified that there was no suspicious activity to alert on.
Why the Answer is "True Negative":
The IDS signature is working as expected.
The condition that would trigger an alert (logins during the specified time) did not happen, so the lack of alerts is a correct response.
Therefore, this is classified as a True Negative because no malicious activity took place, and the IDS correctly refrained from raising an alert.
Comparison to Other Options:
* B. True Positive – This would indicate that an alert occurred because of actual suspicious activity, but in this case, no alerts occurred.
* C. False Negative – This would mean that suspicious activity occurred, but the IDS failed to detect it. In this case, there was no activity to detect, so this option is not correct.
* D. False Positive – This would suggest the IDS raised an alert when no suspicious activity happened, but again, no alerts occurred, so this doesn't apply.
References:
Cybersecurity analysts working with IDS systems frequently use concepts like True Negative and False Positive in evaluating the effectiveness of their detection tools.
The correct handling of such detection cases is critical to minimizing unnecessary alerts (False Positives) and ensuring real threats are not missed (avoiding False Negatives).
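The four outcome labels above are just the cells of a confusion matrix, and the question's scenario is one cell of it. The following Python is an added example, not part of the original question bank: it encodes the 6:00 PM to 6:00 AM window (which crosses midnight, the usual off-by-one trap in such checks), labels one observation period from the ground-truth logins and the alerts the IDS raised, and tallies the labels over several constructed periods. Timestamps, hostnames and periods are constructed sample data.

```python
from collections import Counter
from datetime import datetime, time

# Window from the question: 6:00 PM to 6:00 AM. It wraps past midnight, so a
# naive "start <= t < end" test would never match; in_alert_window handles that.
WINDOW_START = time(18, 0)
WINDOW_END = time(6, 0)


def in_alert_window(ts: datetime, start: time = WINDOW_START, end: time = WINDOW_END) -> bool:
    """True if the clock time of ts lies in [start, end), wrapping at midnight if needed."""
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def classify(should_alert: bool, alerted: bool) -> str:
    """Confusion-matrix label for one observation: truth vs. detector verdict."""
    if should_alert and alerted:
        return "True Positive"
    if should_alert and not alerted:
        return "False Negative"
    if alerted:
        return "False Positive"
    return "True Negative"


def classify_period(logins, alerts) -> str:
    """Judge the signature over one observation period (for example one night).

    logins: timestamps of logins that really happened on the server (ground truth)
    alerts: timestamps of alerts the IDS actually raised
    """
    should_alert = any(in_alert_window(ts) for ts in logins)
    alerted = any(in_alert_window(ts) for ts in alerts)
    return classify(should_alert, alerted)


def tally(periods) -> Counter:
    """Count outcomes over many (logins, alerts) periods: FN = missed, FP = noise."""
    return Counter(classify_period(logins, alerts) for logins, alerts in periods)


# Constructed sample periods, not real telemetry.
# The question's case: only a daytime login, so nothing to alert on, and no alert.
QUESTION_SCENARIO = ([datetime(2024, 3, 4, 14, 30)], [])
SAMPLE_PERIODS = [
    QUESTION_SCENARIO,                                                  # True Negative
    ([datetime(2024, 3, 5, 23, 15)], [datetime(2024, 3, 5, 23, 15)]),  # True Positive
    ([datetime(2024, 3, 6, 2, 5)], []),                                 # False Negative
    ([], [datetime(2024, 3, 7, 3, 0)]),                                 # False Positive
]

if __name__ == "__main__":
    print("Question scenario:", classify_period(*QUESTION_SCENARIO))
    for label, count in sorted(tally(SAMPLE_PERIODS).items()):
        print(f"{label}: {count}")
```

The key point for the question is that a "True Negative" needs two facts, not one: the absence of alerts is only correct because the ground-truth logins also fall outside the window; the same silence with a 2:05 AM login in the logs would be a False Negative.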

QUESTION 10

Which of the following is a tactic used by attackers, rather than a technique?

Correct Answer: A
Tactics are the overarching objectives or strategies attackers use during their operations, while techniques are the specific methods used to achieve these tactics. In this case, gathering information about a target (often referred to as Reconnaissance) is a tactic because it represents a high-level objective of understanding the target. The other options provided (persistence, phishing, privilege escalation) are specific techniques used to achieve the broader goals or tactics.