Black Friday Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Splunk > Splunk SOAR Certified Automation Developer > SPLK-2003

SPLK-2003 Splunk SOAR Certified Automation Developer Exam Question and Answers

Question # 4

A user selects the New option under Sources on the menu. What will be displayed?

A.

A list of new assets.

B.

The New Data Ingestion wizard.

C.

A list of new data sources.

D.

A list of new events.

Full Access
Question # 5

When analyzing events, a working on a case, significant items can be marked as evidence. Where can ail of a case's evidence items be viewed together?

A.

Workbook page Evidence tab.

B.

Evidence report.

C.

Investigation page Evidence tab.

D.

At the bottom of the Investigation page widget panel.

Full Access
Question # 6

Some of the playbooks on the Phantom server should only be executed by members of the admin role. How can this rule be applied?

A.

Add a filter block to al restricted playbooks that Titters for runRole - "Admin''.

B.

Add a tag with restricted access to the restricted playbooks.

C.

Make sure the Execute Playbook capability is removed from al roles except admin.

D.

Place restricted playbooks in a second source repository that has restricted access.

Full Access
Question # 7

How is it possible to evaluate user prompt results?

A.

Set action_result.summary. status to required.

B.

Set the user prompt to reinvoke if it times out.

C.

Set action_result. summary. response to required.

D.

Add a decision Mode

Full Access
Question # 8

Is it possible to import external Python libraries such as the time module?

A.

No.

B.

No, but this can be changed by setting the proper permissions.

C.

Yes, in the global block.

D.

Yes. from a drop-down menu.

Full Access
Question # 9

What is the default log level for system health debug logs?

A.

INFO

B.

WARN

C.

ERROR

D.

DEBUG

Full Access
Question # 10

Which of the following items cannot be modified once entered into SOAR?

A.

A container.

B.

An artifact.

C.

A comment.

D.

A note.

Full Access
Question # 11

What is the default embedded search engine used by Phantom?

A.

Embedded Splunk search engine.

B.

Embedded Phantom search engine.

C.

Embedded Elastic search engine.

D.

Embedded Django search engine.

Full Access
Question # 12

Some of the playbooks on the SOAR server should only be executed by members of the admin role. How can this rule be applied?

A.

Make sure the Execute Playbook capability is removed from all roles except admin.

B.

Place restricted playbooks in a second source repository that has restricted access.

C.

Add a filter block to all restricted playbooks that filters for runRole = "Admin".

D.

Add a tag with restricted access to the restricted playbooks.

Full Access
Question # 13

Seventy can be set during ingestion and later changed manually. What other mechanism can change the severity or a container?

A.

Notes

B.

Actions

C.

Service level agreement (SLA) expiration

D.

Playbooks

Full Access
Question # 14

Which app allows a user to send Splunk Enterprise Security notable events to Phantom?

A.

Any of the integrated Splunk/Phantom Apps

B.

Splunk App for Phantom Reporting.

C.

Splunk App for Phantom.

D.

Phantom App for Splunk.

Full Access
Question # 15

Which of the following describes the use of labels in Phantom?

A.

Labels determine the service level agreement (SLA) for a container.

B.

Labels control the default seventy, ownership, and sensitivity for the container.

C.

Labels control which apps are allowed to execute actions on the container.

D.

Labels determine which playbook(s) are executed when a container is created.

Full Access
Question # 16

Which Phantom VPE Nock S used to add information to custom lists?

A.

Action blocks

B.

Filter blocks

C.

API blocks

D.

Decision blocks

Full Access
Question # 17

When configuring a Splunk asset for Phantom to connect to a SplunkC loud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible

A.

Enter the two queries in the asset as comma separated values.

B.

Configure the second query in the Phantom app for Splunk.

C.

Install a second Splunk app and configure the query in the second app.

D.

Configure a second Splunk asset with the second query.

Full Access
Question # 18

To limit the impact of custom code on the VPE, where should the custom code be placed?

A.

A custom container or a separate KV store.

B.

A separate code repository.

C.

A custom function block.

D.

A separate container.

Full Access
Question # 19

How can the DECIDED process be restarted?

A.

By restarting the playbook daemon.

B.

On the System Health page.

C.

In Administration > Server Settings.

D.

By restarting the automation service.

Full Access
Question # 20

What is the simplest way to pass data between playbooks?

A.

Action results

B.

File system

C.

Artifacts

D.

KV Store

Full Access
Question # 21

After a successful POST to a Phantom REST endpoint to create a new object what result is returned?

A.

The new object ID.

B.

The new object name.

C.

The full CEF name.

D.

The PostGres UUID.

Full Access
Question # 22

Which of the following is true about a child playbook?

A.

The child playbook does not have access to the parent playbook's container or action result data.

B.

The child playbook does not have access to the parent playbook's container, but to the parent's action result data.

C.

The child playbook has access to the parent playbook's container and the parent's action result data.

D.

The child playbook has access to the parent playbook's container, but not to the parent's action result data.

Full Access
Question # 23

Which of the following supported approaches enables Phantom to run on a Windows server?

A.

Install the Phantom RPM in a GNU Cygwin implementation.

B.

Run the Phantom OVA as a cloud instance.

C.

Install the Phantom RPM file in Windows Subsystem for Linux (WSL).

D.

Run the Phantom OVA as a virtual machine.

Full Access
Question # 24

Which of the following is a step when configuring event forwarding from Splunk to Phantom?

A.

Map CIM to CEF fields.

B.

Create a Splunk alert that uses the event_forward.py script to send events to Phantom.

C.

Map CEF to CIM fields.

D.

Create a saved search that generates the JSON for the new container on Phantom.

Full Access
Question # 25

Which of the following are the default ports that must be configured on Splunk to allow connections from SOAR?

A.

SplunkWeb (8088), SplunkD (8089), HTTP Collector (8000)

B.

SplunkWeb (8089), SplunkD (8088), HTTP Collector (8000)

C.

SplunkWeb (8000), SplunkD (8089), HTTP Collector (8088)

D.

SplunkWeb (8469), SplunkD (8702), HTTP Collector (8864)

Full Access
Question # 26

Which of the following are tabs of an asset configuration?

A.

Asset Name, Asset IP, Asset URL, Asset Nickname

B.

Tags, Asset Name, Asset Date, Asset Order

C.

App Name, App Order, App Expiry, App Version

D.

Asset Info, Asset Settings, Approval Settings, Access Control

Full Access
Question # 27

Which Phantom API command is used to create a custom list?

A.

phantom.add_list()

B.

phantom.create_list()

C.

phantom.include_list()

D.

phantom.new_list()

Full Access
Question # 28

What values can be applied when creating Custom CEF field?

A.

Name

B.

Name, Data Type

C.

Name, Value

D.

Name, Data Type, Severity

Full Access
Question # 29

Configuring SOAR search to use an external Splunk server provides which of the following benefits?

A.

The ability to run more complex reports on SOAR activities.

B.

The ability to ingest Splunk notable events into SOAR.

C.

The ability to automate Splunk searches within SOAR.

D.

The ability to display results as Splunk dashboards within SOAR.

Full Access
Question # 30

What does a user need to do to have a container with an event from Splunk use context-aware actions designed for notable events?

A.

Include the notable event's event_id field and set the artifacts label to aplunk notable event id.

B.

Rename the event_id field from the notable event to splunkNotableEventld.

C.

Include the event_id field in the search results and add a CEF definition to Phantom for event_id, datatype splunk notable event id.

D.

Add a custom field to the container named event_id and set the custom field's data type to splunk notable event id.

Full Access
Question # 31

A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes. What is the cause of this behavior?

A.

Synchronous execution has not been configured.

B.

The first playbook is performing poorly.

C.

The sleep option for the second playbook is not set to a long enough interval.

D.

Incorrect join configuration on the second playbook.

Full Access
Question # 32

How can parent and child playbooks pass information to each other?

A.

The parent can pass arguments to the child when called, and the child can return values from the end block.

B.

The parent can pass arguments to the child when called, but the child can only pass values back as new artifacts in the event.

C.

The parent must create a new artifact in the event named arg_xxx, and the child must return values by creating artifacts with the naming convention return_xxx.

D.

The parent must create a new artifact in the event named return_xxx, and the child must return values by creating artifacts with the naming convention arg_xxx.

Full Access
Question # 33

Which of the following is an asset ingestion setting in SOAR?

A.

Polling Interval

B.

Tag

C.

File format

D.

Operating system

Full Access