Splunk SPLK-2003 Practice Test - Questions Answers, Page 6

A user wants to use their Splunk Cloud instance as the external Splunk instance for Phantom. What ports need to be opened on the Splunk Cloud instance to facilitate this? Assume default ports are in use.

A. TCP 8088 and TCP 8099.
B. TCP 80 and TCP 443.
C. Splunk Cloud is not supported.
D. TCP 8080 and TCP 8191.
Suggested answer: B

Explanation:

To integrate Splunk Phantom with a Splunk Cloud instance, network communication over certain ports is necessary. The default ports for web traffic are TCP 80 for HTTP and TCP 443 for HTTPS. Since Splunk Cloud instances are accessed over the internet, ensuring that these ports are open is essential for Phantom to communicate with Splunk Cloud for operations such as running searches, sending data, and receiving results. Note that TCP 8088 is typically used by Splunk's HTTP Event Collector (HEC), which may also be relevant depending on the specifics of the integration.

Which app allows a user to run Splunk queries from within Phantom?

A. Splunk App for Phantom
B. The Integrated Splunk/Phantom app.
C. Phantom App for Splunk.
D. Splunk App for Phantom Reporting.
Suggested answer: A

Which Phantom VPE block is used to add information to custom lists?

A. Action blocks
B. Filter blocks
C. API blocks
D. Decision blocks
Suggested answer: C

How is it possible to evaluate user prompt results?

A. Set action_result.summary.status to required.
B. Set the user prompt to reinvoke if it times out.
C. Set action_result.summary.response to required.
D. Add a decision block.
Suggested answer: C

Explanation:

In Splunk Phantom, user prompts are actions that require human input. To evaluate the results of a user prompt, you can set the response requirement in the action result summary. By setting action_result.summary.response to required, the playbook ensures that it captures the user's input and can act upon it. This is critical in scenarios where subsequent actions depend on the choices the user makes in response to a prompt. Without this setting, the playbook would have no defined way to handle the user response, which can lead to incorrect or unexpected playbook behavior.

When is using decision blocks most useful?

A. When selecting one (or zero) possible paths in the playbook.
B. When processing different data in parallel.
C. When evaluating complex, multi-value results or artifacts.
D. When modifying downstream data in one or more paths in the playbook.
Suggested answer: A

Which of the following accurately describes the Files tab on the Investigate page?

A. A user can upload the output from a detonate action to the Files tab for further investigation.
B. Files tab items and artifacts are the only data sources that can populate active cases.
C. Files tab items cannot be added to investigations. Instead, add them to action blocks.
D. Phantom memory requirements remain static, regardless of Files tab usage.
Suggested answer: A

Explanation:

The Files tab on the Investigate page allows the user to upload, download, and view files related to an investigation. A user can upload the output from a detonate action to the Files tab for further investigation, such as analyzing the file metadata, content, or hash. Files tab items and artifacts are not the only data sources that can populate active cases, as cases can also include events, tasks, notes, and comments. Files tab items can be added to investigations by using the add file action block or the Add File button on the Files tab. Phantom memory requirements may increase depending on Files tab usage, as files are stored in the Phantom database.

The Files tab on the Investigate page in Splunk Phantom is an area where users can manage and analyze files related to an investigation. Users can upload files, such as outputs from a 'detonate file' action, which analyzes potentially malicious files in a sandbox environment. The Files tab allows users to store and further investigate these outputs, which can include reports, logs, or any other file types that have been generated or are relevant to the investigation. The Files tab is an integral part of the investigation process, providing easy access to file data for analysis and correlation with other incident data.

What are the differences between cases and events?

A. Cases: potential threats. Events: identified as a specific kind of problem and need a structured approach.
B. Cases: only include high-level incident artifacts. Events: only include low-level incident artifacts.
C. Cases: contain a collection of containers. Events: contain potential threats.
D. Cases: incidents with a known violation and a plan for correction. Events: occurrences in the system that may require a response.
Suggested answer: C

Explanation:

In Splunk SOAR, an event is a security occurrence that may require a response. It is ingested from a third-party source and can be labeled to group related events together. The default label for containers is ''Events,'' which signifies potential threats. A case, on the other hand, is a container that holds several containers, consolidating multiple events into one logical management unit. Cases can include artifacts and external evidence such as screen captures, analyst notes, and event data from third-party products. They are used to manage and analyze investigation data tied to specific security events and incidents, providing a structured approach to incident response.

Sources: Manage the status, severity, and resolution of events in Splunk SOAR (Cloud) - Splunk Documentation; Managing cases in SOAR - Splunk Lantern; What is Splunk Phantom (Renamed to Splunk SOAR)? - BlueVoyant; Overview of cases - Splunk Documentation.

Which Phantom API command is used to create a custom list?

A. phantom.add_list()
B. phantom.create_list()
C. phantom.include_list()
D. phantom.new_list()
Suggested answer: B

Explanation:

The Phantom API command to create a custom list is phantom.create_list(). This command takes a list name and an optional description as parameters and returns a list ID if successful. The other commands are not valid Phantom API commands for creating a list. phantom.add_list() is a Python function that can be used in custom code blocks to add data to an existing list.

To create a custom list in Splunk Phantom, the appropriate API command is phantom.create_list(). This function creates a new list that can be used to store data such as IP addresses, file hashes, or any other information that you want to track or reference across multiple playbooks or within different parts of the Phantom platform. The custom list is a flexible data structure that can be leveraged for various use cases within Phantom, including data enrichment, persistent storage of information, and cross-playbook data sharing.

Why is it good playbook design to create smaller and more focused playbooks? (select all that apply)

A. Reduces amount of playbook data stored in each repo.
B. Reduces large, complex playbooks which become difficult to maintain.
C. Encourages code reuse in a more compartmentalized form.
D. Avoids duplication of code across multiple playbooks.
Suggested answer: B, C, D

Explanation:

Creating smaller and more focused playbooks in Splunk SOAR is considered good design practice for several reasons:

* B: It reduces complexity, making playbooks easier to maintain. Large, complex playbooks can become unwieldy and difficult to troubleshoot or update.

* C: Encourages code reuse, as smaller playbooks can be designed to handle specific tasks that can be reused across different scenarios.

* D: Avoids duplication of code, as common functionalities can be centralized within specific playbooks, rather than having the same code replicated across multiple playbooks.

This approach has several benefits, such as:

* Reducing large, complex playbooks which become difficult to maintain. Smaller playbooks are easier to read, debug, and update.

* Encouraging code reuse in a more compartmentalized form. Smaller playbooks can be used as building blocks for multiple scenarios, reducing the need to write duplicate code.

* Improving performance and scalability. Smaller playbooks can run faster and consume fewer resources than larger playbooks.

The other options are not valid reasons for creating smaller and more focused playbooks. Reducing the amount of playbook data stored in each repo is not a significant benefit, as the playbook data is not very large compared to other types of data in Splunk SOAR. Avoiding duplication of code across multiple playbooks is a consequence of code reuse, not a separate goal.

What is the default log level for system health debug logs?

A. INFO
B. WARN
C. ERROR
D. DEBUG
Suggested answer: A

Explanation:

The default log level for system health debug logs in Splunk SOAR is typically set to INFO. This log level provides a balance between verbosity and relevance, offering insights into the operational status of the system without the detailed granularity of DEBUG or the limited scope of WARN and ERROR levels.

The default log level for system health debug logs is INFO. This means that only informational messages and higher severity messages (such as WARN, ERROR, or CRITICAL) are written to the log files. You can adjust the logging level for each daemon running in Splunk SOAR to help debug or troubleshoot issues. For more details, see Configure the logging levels for Splunk SOAR (On-premises) daemons.
