An analyst is building a search to examine Windows XML Event Logs, but the initial search is not returning any extracted fields. Based on the above image, what is the most likely cause?
Correct Answer:
D
In Splunk, when an analyst is building a search and finds that extracted fields are not appearing, the cause is often the search mode in use: Fast Mode turns off automatic field discovery, so only default fields are returned. Smart Mode or Verbose Mode are better suited for field extraction, as they allow Splunk to automatically extract and display fields based on the data being searched.
✑ Search Modes in Splunk:
✑ Incorrect Options:
✑ Splunk Documentation: Search modes and their impact on field extraction.
According to Splunk CIM documentation, which field in the Authentication Data Model represents the user who initiated a privilege escalation?
Correct Answer:
C
According to Splunk CIM (Common Information Model) documentation, the src_user field in the Authentication Data Model represents the user who initiated an action, including privilege escalation. This field is used to track the source user responsible for generating an authentication event, which is critical in understanding and responding to potential security incidents involving privilege escalation. The other fields, like dest_user or user, have different roles, focusing on the target of the action or the general username involved.
A Cyber Threat Intelligence (CTI) team delivers a briefing to the CISO detailing their view of the threat landscape the organization faces. This is an example of what type of Threat Intelligence?
Correct Answer:
B
A briefing delivered by a Cyber Threat Intelligence (CTI) team to a Chief Information Security Officer (CISO) detailing the overall threat landscape is an example of Strategic Threat Intelligence. Strategic intelligence focuses on high-level analysis of broader trends, threat actors, and potential risks to the organization over time. It is designed to inform senior leadership and influence long-term security strategies and policies. This contrasts with Tactical intelligence, which deals with immediate threats and actionable information, and Operational intelligence, which is more focused on the details of specific threat actors or campaigns.
What is the following step-by-step description an example of?
1. The attacker devises a non-default beacon profile with Cobalt Strike and embeds this within a document.
2. The attacker creates a unique email with the malicious document based on extensive research about their target.
3. When the victim opens this document, a C2 channel is established to the attacker's temporary infrastructure on a compromised website.
Correct Answer:
D
The step-by-step description provided is an example of a Technique as defined in the MITRE ATT&CK framework. Techniques are the specific methods adversaries use to achieve their objectives during an attack, such as establishing command and control (C2) channels or delivering payloads via phishing emails. In this scenario, the attacker uses a non-default beacon profile in Cobalt Strike, sends a malicious document via email, and establishes a C2 channel once the victim interacts with the document, all of which are examples of adversary techniques.
Which of the following is not considered an Indicator of Compromise (IOC)?
Correct Answer:
D
Indicators of Compromise (IOCs) are artifacts that are used to identify potential malicious activity within a network or system. Common IOCs include domains, IP addresses, and file hashes that are associated with malicious activity. However, a specific password, while potentially sensitive, is not typically considered an IOC because it is more of a credential than an artifact indicating a compromise. IOCs are used to detect and respond to threats, while compromised credentials are a result of those threats.