Independence Day Deal! Unlock 25% OFF Today – Limited-Time Offer - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location PL
Mob_nav_barsMENU

Splunk Exam SPLK-5001 Topic 2 Question 17 Discussion

Actual exam question for Splunk's SPLK-5001 exam
Question #: 17
Topic #: 2
[All SPLK-5001 Questions]

An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?

Show Suggested Answer Hide Answer
Suggested Answer: D

by Casie at Jan 22, 2025, 02:34 AM

Limited Time Offer

25%

Off

Get Premium SPLK-5001 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel
Coral
1 months ago
I bet the answer is 'E) All of the above' because security is just a giant game of 'Guess the field'.
upvoted 0 times
...
Lilli
1 months ago
This question is a real brain-teaser. I'm just going to close my eyes and pick one at random. What could go wrong?
upvoted 0 times
...
Gerald
1 months ago
B) dest, of course! The attacker is moving to the destination host, so that's where the IP address would be.
upvoted 0 times
Frederica
16 days ago
C) src_nt_host
upvoted 0 times
...
Angelo
17 days ago
B) dest
upvoted 0 times
...
Richelle
1 months ago
A) host
upvoted 0 times
...
...
Lavina
2 months ago
I'm going with C) src_nt_host. It just makes sense that the Windows host the attacker is coming from would be in that field.
upvoted 0 times
Annamae
18 days ago
I'm not sure, but I think it might be A) host. That field could also contain the information we need.
upvoted 0 times
...
German
24 days ago
I agree with you, I also believe it's D) src_ip. It's a common field for source IP addresses.
upvoted 0 times
...
Hannah
1 months ago
I think it's D) src_ip. That field usually contains the IP address of the source.
upvoted 0 times
...
...
Gayla
2 months ago
Actually, according to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in the src_nt_host field.
upvoted 0 times
...
Franchesca
2 months ago
The src_ip field seems like the obvious choice here. I mean, that's where the attacker's IP address would be, right?
upvoted 0 times
Glory
1 months ago
I think it's src_nt_host. That field is specifically for the network host where the attack originated.
upvoted 0 times
...
Na
1 months ago
Yes, you're correct. The src_ip field would contain the IP address of the host from which the attacker is moving.
upvoted 0 times
...
...
Donette
3 months ago
I believe it should be in the dest field.
upvoted 0 times
...
Gayla
3 months ago
I think the IP address of the host would be in the src_ip field.
upvoted 0 times
...

Save Cancel
az-700  pass4success  az-104  200-301  200-201  cissp  350-401  350-201  350-501  350-601  350-801  350-901  az-720  az-305  pl-300  

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77