Home

Home / Splunk / SPLK-2003

Question list

List of questions

Question 1

(0)

Configuring Phantom search to use an external Splunk server provides which of the following benefits?

Question 2

(0)

Within the 12A2 design methodology, which of the following most accurately describes the last step?

Question 3

(0)

Which of the following are the steps required to complete a full backup of a Splunk Phantom deployment' Assume the commands are executed from /opt/phantom/bin and that no other backups have been mad

Question 4

(0)

An active playbook can be configured to operate on all containers that share which attribute?

Question 5

(0)

Which of the following applies to filter blocks?

Question 6

(0)

A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes. What is the cause of

Question 7

(0)

A customer wants to design a modular and reusable set of playbooks that all communicate with each other. Which of the following is a best practice for data sharing across playbooks?

Question 8

(0)

Which of the following are examples of things commonly done with the Phantom REST APP

Question 9

(0)

Which of the following are the default ports that must be configured on Splunk to allow connections from Phantom?

Question 10

(0)

Without customizing container status within Phantom, what are the three types of status for a container?

Open VPLUS File

Convert VPLUS to PDF

Related questions

Which of the following can be configured in the ROI Settings?

What does a user need to do to have a container with an event from Splunk use context-aware actions designed for notable events?

Some of the playbooks on the SOAR server should only be executed by members of the admin role. How can this rule be applied?

How can the DECIDED process be restarted?

Which of the following queries would return all artifacts that contain a SHA1 file hash?

What are the components of the I2A2 design methodology?

What is the default embedded search engine used by SOAR?

After a playbook has run, where are the results stored?

Which is the primary system requirement that should be increased with heavy usage of the file vault?

What values can be applied when creating Custom CEF field?

Question 86 - SPLK-2003 discussion

Report

Which of the following actions will store a compressed, secure version of an email attachment with suspected malware for future analysis?

A.

Copy/paste the attachment into a note.

B.

Add a link to the file in a new artifact.

C.

Use the Files tab on the Investigation page to upload the attachment.

D.

Use the Upload action of the Secure Store app to store the file in the database.

Suggested answer: D

Explanation:

To securely store a compressed version of an email attachment suspected of containing malware for future analysis, the most effective approach within Splunk SOAR is to use the Upload action of the Secure Store app. This app is specifically designed to handle sensitive or potentially dangerous files by securely storing them within the SOAR database, allowing for controlled access and analysis at a later time. This method ensures that the file is not only safely contained but also available for future forensic or investigative purposes without risking exposure to the malware. Options A, B, and C do not provide the same level of security and functionality for handling suspected malware files, making option D the most appropriate choice.

Secure Store app is a SOAR app that allows you to store files securely in the SOAR database. The Secure Store app provides two actions: Upload and Download. The Upload action takes a file as an input and stores it in the SOAR database in a compressed and encrypted format. The Download action takes a file ID as an input and retrieves the file from the SOAR database and decrypts it. The Secure Store app can be used to store files that contain sensitive or malicious data, such as email attachments with suspected malware, for future analysis. Therefore, option D is the correct answer, as it states the action that will store a compressed, secure version of an email attachment with suspected malware for future analysis. Option A is incorrect, because copying and pasting the attachment into a note will not store the file securely, but rather expose the file content to anyone who can view the note. Option B is incorrect, because adding a link to the file in a new artifact will not store the file securely, but rather create a reference to the file location, which may not be accessible or reliable. Option C is incorrect, because using the Files tab on the Investigation page to upload the attachment will not store the file securely, but rather store the file in the SOAR file system, which may not be encrypted or compressed.

Show Answer

asked 13/11/2024

Mark Churly

31 questions

User

Your answer: A B C D

0 comments

Sorted by

Leave a comment first