Splunk Exam SPLK-5001 Topic 2 Question 17 Discussion

Actual exam question for Splunk's SPLK-5001 exam

Question #: 17
Topic #: 2

An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?

Ahost

Bdest

Csrc_nt_host

Dsrc_ip

Show Suggested Answer

Suggested Answer: D

by Casie at Jan 22, 2025, 02:34 AM

Limited Time Offer

25%

Off

Get Premium SPLK-5001 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Coral

25 days ago

I bet the answer is 'E) All of the above' because security is just a giant game of 'Guess the field'.

upvoted 0 times

...

Lilli

27 days ago

This question is a real brain-teaser. I'm just going to close my eyes and pick one at random. What could go wrong?

upvoted 0 times

...

Gerald

29 days ago

B) dest, of course! The attacker is moving to the destination host, so that's where the IP address would be.

upvoted 0 times

Frederica

1 days ago

C) src_nt_host

upvoted 0 times

...

Angelo

2 days ago

B) dest

upvoted 0 times

...

Richelle

19 days ago

A) host

upvoted 0 times

...

2 months ago

The src_ip field seems like the obvious choice here. I mean, that's where the attacker's IP address would be, right?

upvoted 0 times

Glory

21 days ago

I think it's src_nt_host. That field is specifically for the network host where the attack originated.

upvoted 0 times

...

Na

28 days ago

Yes, you're correct. The src_ip field would contain the IP address of the host from which the attacker is moving.

upvoted 0 times

...

Donette

2 months ago

I believe it should be in the dest field.

upvoted 0 times

...

Gayla

2 months ago

I think the IP address of the host would be in the src_ip field.

upvoted 0 times

...