Splunk splk-5001 practice test

Splunk Certified Cybersecurity Defense Analyst

Last exam update: Nov 18 ,2025
Page 1 out of 7. Viewing questions 1-15 out of 99

Question 1

Which of the following is the primary benefit of using the CIM in Splunk?

  • A. It allows for easier correlation of data from different sources.
  • B. It improves the performance of search queries on raw data.
  • C. It enables the use of advanced machine learning algorithms.
  • D. It automatically detects and blocks cyber threats.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

Which of the following data sources would be most useful to determine if a user visited a recently
identified malicious website?

  • A. Active Directory Logs
  • B. Web Proxy Logs
  • C. Intrusion Detection Logs
  • D. Web Server Logs
Mark Question:
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

Which of the following is a tactic used by attackers, rather than a technique?

  • A. Gathering information about a target.
  • B. Establishing persistence with a scheduled task.
  • C. Using a phishing email to gain initial access.
  • D. Escalating privileges via UAC bypass.
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

Enterprise Security has been configured to generate a Notable Event when a user has quickly
authenticated from multiple locations between which travel would be impossible. This would be
considered what kind of an anomaly?

  • A. Access Anomaly
  • B. Identity Anomaly
  • C. Endpoint Anomaly
  • D. Threat Anomaly
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

An analyst is investigating a network alert for suspected lateral movement from one Windows host
to another Windows host. According to Splunk CIM documentation, the IP address of the host from
which the attacker is moving would be in which field?

  • A. host
  • B. dest
  • C. src_nt_host
  • D. src_ip
Mark Question:
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

Which pre-packaged app delivers security content and detections on a regular, ongoing basis for
Enterprise Security and SOAR?

  • A. SSE
  • B. ESCU
  • C. Threat Hunting
  • D. InfoSec
Mark Question:
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

A Cyber Threat Intelligence (CTI) team produces a report detailing a specific threat actor’s typical
behaviors and intent. This would be an example of what type of intelligence?

  • A. Operational
  • B. Executive
  • C. Tactical
  • D. Strategic
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

In Splunk Enterprise Security, annotations can be added to enrich correlation search results with
security framework mappings. Which of the following security frameworks is not available as a
default annotation option?

  • A. MITRE ATT&CK
  • B. OWASP Top 10
  • C. CIS
  • D. Lockheed Martin Cyber Kill Chain
Mark Question:
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

An analyst learns that several types of data are being ingested into Splunk and Enterprise Security,
and wants to use the metadata SPL command to list them in a search. Which of the following
arguments should she use?

  • A. metadata type=cdn
  • B. metadata type=sourcetypes
  • C. metadata type=assets
  • D. metadata type=hosts
Mark Question:
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

While investigating findings in Enterprise Security, an analyst has identified a compromised device.
Without leaving ES, what action could they take to run a sequence of containment activities on the
compromised device that also updates the original finding?

  • A. Run an event-level workflow action that initiates a SOAR playbook.
  • B. Run a field-level workflow action that initiates a SOAR playbook.
  • C. Run an adaptive response action that initiates a SOAR playbook.
  • D. Run an alert action that initiates a SOAR playbook.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Which of the following is a best practice when creating performant searches within Splunk?

  • A. Utilize the transaction command to aggregate data for faster analysis.
  • B. Utilize Aggregating commands to ensure all data is available prior to Streaming commands.
  • C. Utilize specific fields to return only the data that is required.
  • D. Utilize multiple wildcards across fields to ensure returned data is complete and available.
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

Which of the following data sources can be used to discover unusual communication within an
organization’s network?

  • A. EDS
  • B. Net Flow
  • C. Email
  • D. IAM
Mark Question:
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

A Cyber Threat Intelligence (CTI) team delivers a briefing to the CISO detailing their view of the
threat landscape the organization faces. This is an example of what type of Threat Intelligence?

  • A. Tactical
  • B. Strategic
  • C. Operational
  • D. Executive
Mark Question:
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

Which of the Enterprise Security frameworks provides additional automatic context and correlation
to fields that exist within raw data?

  • A. Adaptive Response
  • B. Threat Intelligence
  • C. Risk
  • D. Asset and Identity
Mark Question:
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

An analyst needs to create a new field at search time. Which Splunk command will dynamically
extract additional fields as part of a Search pipeline?

  • A. rex
  • B. fields
  • C. regex
  • D. eval
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2