Splunk Enterprise Security Certified Admin — Question 71

When investigating, what is the best way to store a newly-found IOC?

Answer options

• A. Paste it into Notepad.
• B. Click the ג€Add IOCג€ button.
• C. Click the ג€Add Artifactג€ button.
• D. Add it in a text note to the investigation.

Correct answer: B

Explanation

The correct answer is B because using the 'Add IOC' button directly integrates the IOC into the investigation workflow, ensuring proper tracking and management. The other options, while they may store the IOC, do not provide the same level of organization or functionality required for effective investigation processes.