Splunk SPLK-2003 Practice Test - Questions Answers

Configuring Phantom search to use an external Splunk server provides which of the following benefits?

A. The ability to run more complex reports on Phantom activities.
B. The ability to ingest Splunk notable events into Phantom.
C. The ability to automate Splunk searches within Phantom.
D. The ability to display results as Splunk dashboards within Phantom.
Suggested answer: C

Within the I2A2 design methodology, which of the following most accurately describes the last step?

A. List of the apps used by the playbook.
B. List of the actions of the playbook design.
C. List of the outputs of the playbook design.
D. List of the data needed to run the playbook.
Suggested answer: D

Which of the following are the steps required to complete a full backup of a Splunk Phantom deployment? Assume the commands are executed from /opt/phantom/bin and that no other backups have been made.

A. On the command line enter: rode sudo python ibackup.pyc --setup, then sudo phenv python ibackup.pyc --backup.
B. On the command line enter: sudo phenv python ibackup.pyc --backup --backup-type full, then sudo phenv python ibackup.pyc --setup.
C. Within the UI: Select from the main menu Administration > System Health > Backup.
D. Within the UI: Select from the main menu Administration > Product Settings > Backup.
Suggested answer: B

An active playbook can be configured to operate on all containers that share which attribute?

A. Artifact
B. Label
C. Tag
D. Severity
Suggested answer: B

Which of the following applies to filter blocks?

A. Can select which blocks have access to container data.
B. Can select assets by tenant, approver, or app.
C. Can be used to select data for use by other blocks.
D. Can select containers by severity or status.
Suggested answer: A

A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes. What is the cause of this behavior?

A. Incorrect Join configuration on the second playbook.
B. The first playbook is performing poorly.
C. The sleep option for the second playbook is not set to a long enough interval.
D. Synchronous execution has not been configured.
Suggested answer: D

Explanation:

The correct answer is D because synchronous execution has not been configured. Synchronous execution is a feature that allows you to control the order of execution of playbook blocks. By default, Phantom executes playbook blocks asynchronously, meaning that it does not wait for one block to finish before starting the next one. This can cause problems when you have dependencies between blocks or when you call other playbooks. To enable synchronous execution, you need to use the sync action in the run playbook block and specify the name of the next block to run after the called playbook completes. See Splunk SOAR Documentation for more details.

In Splunk SOAR, playbooks can be executed either synchronously or asynchronously. Synchronous execution ensures that a playbook waits for a called playbook to complete before proceeding to the next step. If the second playbook starts executing before the first one completes, it indicates that synchronous execution was not configured for the playbooks. Without synchronous execution, playbooks will execute independently of each other's completion status, leading to potential overlaps in execution. This behavior can be controlled by properly configuring the playbook execution settings to ensure that dependent playbooks complete their tasks in the desired order.

A customer wants to design a modular and reusable set of playbooks that all communicate with each other. Which of the following is a best practice for data sharing across playbooks?

A. Use the py-postgresql module to directly save the data in the Postgres database.
B. Call the child playbook's getter function.
C. Create artifacts using one playbook and collect those artifacts in another playbook.
D. Use the Handle method to pass data directly between playbooks.
Suggested answer: C

Explanation:

The correct answer is C because creating artifacts using one playbook and collecting those artifacts in another playbook is a best practice for data sharing across playbooks. Artifacts are data objects that are associated with a container and can be used to store information such as IP addresses, URLs, file hashes, etc. Artifacts can be created using the add artifact action in any playbook block and can be collected using the get artifacts action in the filter block. Artifacts can also be used to trigger active playbooks based on their label or type. See Splunk SOAR Documentation for more details.

In the context of Splunk SOAR, one of the best practices for data sharing across playbooks is to create artifacts in one playbook and use another playbook to collect and utilize those artifacts. Artifacts in Splunk SOAR are structured data related to security incidents (containers) that playbooks can act upon. By creating artifacts in one playbook, you can effectively pass data and context to subsequent playbooks, allowing for modular, reusable, and interconnected playbook designs. This approach promotes efficiency, reduces redundancy, and enhances the playbook's ability to handle complex workflows.

Which of the following are examples of things commonly done with the Phantom REST API?

A. Use Django queries; use curl to create a container and add artifacts to it; remove temporary lists.
B. Use Django queries; use Docker to create a container and add artifacts to it; remove temporary lists.
C. Use Django queries; use curl to create a container and add artifacts to it; add action blocks.
D. Use SQL queries; use curl to create a container and add artifacts to it; remove temporary lists.
Suggested answer: C

Which of the following are the default ports that must be configured on Splunk to allow connections from Phantom?

A. SplunkWeb (8088), SplunkD (8089), HTTP Collector (8000)
B. SplunkWeb (8089), SplunkD (8088), HTTP Collector (8000)
C. SplunkWeb (8421), SplunkD (8061), HTTP Collector (8798)
D. SplunkWeb (8000), SplunkD (8089), HTTP Collector (8088)
Suggested answer: D

Without customizing container status within Phantom, what are the three types of status for a container?

A. New, In Progress, Closed
B. Low, Medium, High
C. New, Open, Resolved
D. Low, Medium, Critical
Suggested answer: A