New Year Sale 2026! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25
Welcome to Pass4Success

- Free Preparation Discussions
Mail Us support@pass4success.com
Location US
Mob_nav_barsMENU

Splunk SPLK-5001 Exam - Topic 2 Question 17 Discussion

Actual exam question for Splunk's SPLK-5001 exam
Question #: 17
Topic #: 2
[All SPLK-5001 Questions]

An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?

Show Suggested Answer Hide Answer
Suggested Answer: D

by Casie at Jan 22, 2025, 02:34 AM

Limited Time Offer

25%

Off

Get Premium SPLK-5001 Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

0/2000 characters
Submit Cancel
Luis
3 months ago
I agree, src_ip makes the most sense here.
upvoted 0 times
...
Julieta
3 months ago
I'm surprised it's not in dest. That seems logical.
upvoted 0 times
...
Alease
3 months ago
No way, it's the host field for sure!
upvoted 0 times
...
Nakita
4 months ago
I thought it would be in src_nt_host.
upvoted 0 times
...
Arlie
4 months ago
It's definitely in the src_ip field.
upvoted 0 times
...
Dawne
4 months ago
I’m a bit confused; I thought dest was for the destination host, but I can see how src_nt_host could fit in this context as well.
upvoted 0 times
...
Maricela
4 months ago
I feel like the host field is more about the destination, so I'm leaning towards src_ip for the source IP address.
upvoted 0 times
...
Mauricio
4 months ago
I remember practicing a question similar to this, and I believe the src_nt_host field might be relevant too, but it could be tricky.
upvoted 0 times
...
Burma
5 months ago
I think the IP address of the host from which the attacker is moving should be in the src_ip field, but I'm not entirely sure.
upvoted 0 times
...
Shannon
5 months ago
This is a tricky one. I'm not super familiar with the Splunk CIM, so I'm not sure which field would contain the attacker's IP address. I'll have to guess and hope for the best on this one.
upvoted 0 times
...
Marshall
5 months ago
Okay, let me think this through. The question is asking about lateral movement, so the IP address we're looking for would be the source IP, not the destination. I'm pretty confident the answer is C. src_nt_host.
upvoted 0 times
...
Cassie
5 months ago
Hmm, I'm a bit unsure about this one. I know the Splunk CIM documentation is important, but I can't quite remember the specific field names off the top of my head. I'll need to review the documentation carefully before answering.
upvoted 0 times
...
Cathern
5 months ago
This seems straightforward. The question is asking about the field that would contain the IP address of the host from which the attacker is moving, so I think the answer is D. src_ip.
upvoted 0 times
...
Coral
10 months ago
I bet the answer is 'E) All of the above' because security is just a giant game of 'Guess the field'.
upvoted 0 times
...
Lilli
10 months ago
This question is a real brain-teaser. I'm just going to close my eyes and pick one at random. What could go wrong?
upvoted 0 times
...
Gerald
10 months ago
B) dest, of course! The attacker is moving to the destination host, so that's where the IP address would be.
upvoted 0 times
Frederica
9 months ago
C) src_nt_host
upvoted 0 times
...
Angelo
9 months ago
B) dest
upvoted 0 times
...
Richelle
9 months ago
A) host
upvoted 0 times
...
...
Lavina
10 months ago
I'm going with C) src_nt_host. It just makes sense that the Windows host the attacker is coming from would be in that field.
upvoted 0 times
Annamae
9 months ago
I'm not sure, but I think it might be A) host. That field could also contain the information we need.
upvoted 0 times
...
German
9 months ago
I agree with you, I also believe it's D) src_ip. It's a common field for source IP addresses.
upvoted 0 times
...
Hannah
10 months ago
I think it's D) src_ip. That field usually contains the IP address of the source.
upvoted 0 times
...
...
Gayla
11 months ago
Actually, according to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in the src_nt_host field.
upvoted 0 times
...
Franchesca
11 months ago
The src_ip field seems like the obvious choice here. I mean, that's where the attacker's IP address would be, right?
upvoted 0 times
Glory
10 months ago
I think it's src_nt_host. That field is specifically for the network host where the attack originated.
upvoted 0 times
...
Na
10 months ago
Yes, you're correct. The src_ip field would contain the IP address of the host from which the attacker is moving.
upvoted 0 times
...
...
Donette
11 months ago
I believe it should be in the dest field.
upvoted 0 times
...
Gayla
11 months ago
I think the IP address of the host would be in the src_ip field.
upvoted 0 times
...

Save Cancel