SPLK-1003 Macros, Saved Searches and CIM • Set 2
SPLK-1003 Macros, Saved Searches and CIM Practice Test 2 — 15 questions with explanations. Free, no signup.
A security analyst needs to monitor failed login attempts across multiple Windows domain controllers. The environment has a custom sourcetype 'WinEventLog:Security' and the data is indexed under 'windows_security'. The analyst wants to create a saved search that runs every 10 minutes, searches for EventCode 4625 (failed logon), and triggers an alert if more than 10 failures occur from the same source IP within the last 10 minutes. The saved search should use the Common Information Model (CIM) to ensure compatibility with other security apps. Which of the following saved search definitions best meets these requirements?