ExamGecko
Search Search Login
Home Home / Splunk / SPLK-2003
Question list
Search
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

What does a user need to do to have a container with an event from Splunk use context-aware actions designed for notable events?
Some of the playbooks on the SOAR server should only be executed by members of the admin role. How can this rule be applied?
Which of the following can be configured in the ROI Settings?
How can the DECIDED process be restarted?
Which of the following queries would return all artifacts that contain a SHA1 file hash?
What are the components of the I2A2 design methodology?
What is the default embedded search engine used by SOAR?
After a playbook has run, where are the results stored?
Which is the primary system requirement that should be increased with heavy usage of the file vault?
What values can be applied when creating Custom CEF field?

Question 20 - SPLK-2003 discussion

Report
Export

Some of the playbooks on the Phantom server should only be executed by members of the admin role. How can this rule be applied?

A.
Add a filter block to al restricted playbooks that Titters for runRole - "Admin''.
Answers
A.
Add a filter block to al restricted playbooks that Titters for runRole - "Admin''.
B.
Add a tag with restricted access to the restricted playbooks.
Answers
B.
Add a tag with restricted access to the restricted playbooks.
C.
Make sure the Execute Playbook capability is removed from al roles except admin.
Answers
C.
Make sure the Execute Playbook capability is removed from al roles except admin.
D.
Place restricted playbooks in a second source repository that has restricted access.
Answers
D.
Place restricted playbooks in a second source repository that has restricted access.
Suggested answer: C

Explanation:

The correct answer is C because the best way to restrict the execution of playbooks tomembers of the admin role is to make sure the Execute Playbook capability is removed from allroles except admin. The Execute Playbook capability is a permission that allows a user to runany playbook on any container. By default, all roles have this capability, but it can be removedor added in the Phantom UI by going to Administration > User Management > Roles. Removingthis capability from all roles except admin will ensure that only admin users can executeplaybooks. SeeSplunk SOAR Documentationfor more details. To ensure that only members of
the admin role can execute specific playbooks on the Phantom server, the most effectiveapproach is to manage role-based access controls (RBAC) directly. By configuring the system toremove the 'Execute Playbook' capability from all roles except for the admin role, you canenforce this rule. This method leverages Phantom's built-in RBAC mechanisms to restrictplaybook execution privileges. It is a straightforward and secure way to ensure that only userswith the necessary administrative privileges can initiate the execution of sensitive or criticalplaybooks, thus maintaining operational security and control.

Show Answer
asked 23/09/2024
Jesus De Leon Luis
47 questions
PreviousPreviousNextNext
User
Your answer:
0 comments
Sorted by

Leave a comment first

ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms