Splunk Observability Cloud Certified Metrics User — Question 15

A threat hunter executed a hunt based on the following hypothesis:
As an actor, I want to plant rundll32 for proxy execution of malicious code and leverage Cobalt Strike for Command and Control.
Relevant logs and artifacts such as Sysmon, netflow, IDS alerts, and EDR logs were searched, and the hunter is confident in the conclusion that Cobalt Strike is not present in the company’s environment.
Which of the following best describes the outcome of this threat hunt?

Answer options

• A. The threat hunt was successful because the hypothesis was not proven.
• B. The threat hunt failed because the hypothesis was not proven.
• C. The threat hunt failed because no malicious activity was identified.
• D. The threat hunt was successful in providing strong evidence that the tactic and tool is not present in the environment.

Correct answer: D

Explanation

The correct answer is D because the threat hunt successfully provided evidence that Cobalt Strike is not present in the environment, fulfilling the objective of the hunt. Option A is incorrect as success is not determined solely by not proving the hypothesis. Option B is also wrong since the hunt yielded valuable findings, and option C is misleading as the absence of malicious activity does not define the hunt's success or failure.