Home / Splunk / SPLK-2003

Question list

List of questions

Question 1

(0)

Configuring Phantom search to use an external Splunk server provides which of the following benefits?

Question 2

(0)

Within the 12A2 design methodology, which of the following most accurately describes the last step?

Question 3

(0)

Which of the following are the steps required to complete a full backup of a Splunk Phantom deployment' Assume the commands are executed from /opt/phantom/bin and that no other backups have been mad

Question 4

(0)

An active playbook can be configured to operate on all containers that share which attribute?

Question 5

(0)

Which of the following applies to filter blocks?

Question 6

(0)

A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes. What is the cause of

Question 7

(0)

A customer wants to design a modular and reusable set of playbooks that all communicate with each other. Which of the following is a best practice for data sharing across playbooks?

Question 8

(0)

Which of the following are examples of things commonly done with the Phantom REST APP

Question 9

(0)

Which of the following are the default ports that must be configured on Splunk to allow connections from Phantom?

Question 10

(0)

Without customizing container status within Phantom, what are the three types of status for a container?

Question 84 - SPLK-2003 discussion

Where in SOAR can a user view the JSON data for a container?

In the analyst queue.

On the Investigation page.

In the data ingestion display.

In the audit log.

Suggested answer: B

Explanation:

In Splunk SOAR, the Investigation page is where users can delve into the details of containers, artifacts, and actions. It provides a comprehensive view of the incident or event under investigation, including the JSON data associated with containers. This JSON data represents the structured information about the container, including its attributes, artifacts, and actions taken within the playbook. Options A, C, and D do not typically provide a direct view of the container's JSON data, making option B the correct answer for where a user can view this information within SOAR.

A container is the top-level data structure that SOAR playbook APIs operate on. Every container is a structured JSON object which can nest more arbitrary JSON objects, that represent artifacts. A container is the top-level object against which automation is run. To view the JSON data for a container, you need to navigate to the Investigation page, which shows the details of a container, such as its name, label, owner, status, severity, and artifacts. On the Investigation page, you can click on the JSON tab, which displays the JSON representation of the container and its artifacts. Therefore, option B is the correct answer, as it states where in SOAR a user can view the JSON data for a container. Option A is incorrect, because the analyst queue is not where a user can view the JSON data for a container, but rather where a user can view the list of containers assigned to them or their team. Option C is incorrect, because the data ingestion display is not where a user can view the JSON data for a container, but rather where a user can view the status and configuration of the data sources that ingest data into SOAR. Option D is incorrect, because the audit log is not where a user can view the JSON data for a container, but rather where a user can view the history of actions performed on the SOAR system, such as creating, updating, or deleting objects.

1: Understanding containers in Splunk SOAR (Cloud)

Show Answer

asked 13/11/2024

Dmitrii Nikolaevich

37 questions

Your answer: A B C D

0 comments

Sorted by