Practice Free SPLK-2003 Exam Online Questions
Question #1
What is the default embedded search engine used by SOAR?
- A . Embedded Splunk search engine.
- B . Embedded SOAR search engine.
- C . Embedded Django search engine.
- D . Embedded Elastic search engine.
Correct Answer: B
B
Explanation:
the default embedded search engine used by SOAR is the SOAR search engine, which is powered by
the PostgreSQL database built-in to Splunk SOAR (Cloud). A Splunk SOAR (Cloud) Administrator can configure options for search from the Home menu, in Search Settings under Administration Settings. The SOAR search engine has been modified to accept the * wildcard and supports various operators and filters. For search syntax and examples, see Search within Splunk SOAR (Cloud)2.
Option A is incorrect, because the embedded Splunk search engine was used in earlier releases of Splunk SOAR (Cloud), but not in the current version.
Option C is incorrect, because Django is a web framework, not a search engine.
Option D is incorrect, because Elastic is a separate search engine that is not embedded in Splunk SOAR (Cloud).
1: Configure search in Splunk SOAR (Cloud) 2: Search within Splunk SOAR (Cloud)
Splunk SOAR utilizes its own embedded search engine by default, which is tailored to its security orchestration and automation framework. While Splunk SOAR can integrate with other search engines, like the Embedded Splunk search engine, for advanced capabilities and log analytics, its default setup comes with an embedded search engine optimized for the typical data and search patterns encountered within the SOAR platform.
B
Explanation:
the default embedded search engine used by SOAR is the SOAR search engine, which is powered by
the PostgreSQL database built-in to Splunk SOAR (Cloud). A Splunk SOAR (Cloud) Administrator can configure options for search from the Home menu, in Search Settings under Administration Settings. The SOAR search engine has been modified to accept the * wildcard and supports various operators and filters. For search syntax and examples, see Search within Splunk SOAR (Cloud)2.
Option A is incorrect, because the embedded Splunk search engine was used in earlier releases of Splunk SOAR (Cloud), but not in the current version.
Option C is incorrect, because Django is a web framework, not a search engine.
Option D is incorrect, because Elastic is a separate search engine that is not embedded in Splunk SOAR (Cloud).
1: Configure search in Splunk SOAR (Cloud) 2: Search within Splunk SOAR (Cloud)
Splunk SOAR utilizes its own embedded search engine by default, which is tailored to its security orchestration and automation framework. While Splunk SOAR can integrate with other search engines, like the Embedded Splunk search engine, for advanced capabilities and log analytics, its default setup comes with an embedded search engine optimized for the typical data and search patterns encountered within the SOAR platform.
Question #2
Two action blocks, geolocate_ip 1 and file_reputation_2, are connected to a decision block.
Which of the following is a correct configuration for making a decision on the action results from one of the given blocks?
A)
B)
C)
D)
- A . Option A
- B . Option B
- C . Option C
- D . Option D
Correct Answer: A
A
Explanation:
In the given decision block, you are trying to evaluate the results of two action blocks:
geolocate_ip_1 and file_reputation_2. The correct configuration for making a decision based on the result of geolocate_ip_1 is by checking the country_iso_code field from the action result and setting the evaluation option to != (not equal), with no specific value provided in the "Select Value" box. This essentially checks whether a valid country ISO code exists in the action result and proceeds if it’s not empty or different from a specific value. This is a common check when working with geolocation results to see if a response has been returned.
Other options (B, C, and D) include response codes or list comparisons, which do not align with the decision structure mentioned, which needs to operate based on a country_iso_code field.
Reference: Splunk SOAR Playbook Development Guide.
Splunk SOAR Documentation on Decision Blocks and Action Result Evaluation.
A
Explanation:
In the given decision block, you are trying to evaluate the results of two action blocks:
geolocate_ip_1 and file_reputation_2. The correct configuration for making a decision based on the result of geolocate_ip_1 is by checking the country_iso_code field from the action result and setting the evaluation option to != (not equal), with no specific value provided in the "Select Value" box. This essentially checks whether a valid country ISO code exists in the action result and proceeds if it’s not empty or different from a specific value. This is a common check when working with geolocation results to see if a response has been returned.
Other options (B, C, and D) include response codes or list comparisons, which do not align with the decision structure mentioned, which needs to operate based on a country_iso_code field.
Reference: Splunk SOAR Playbook Development Guide.
Splunk SOAR Documentation on Decision Blocks and Action Result Evaluation.
Question #3
How can an individual asset action be manually started?
- A . With the > action button in the analyst queue page.
- B . By executing a playbook in the Playbooks section.
- C . With the > action button in the Investigation page.
- D . With the > asset button in the asset configuration section.
Correct Answer: C
C
Explanation:
An individual asset action can be manually started with the > action button in the Investigation page. This allows the user to select an asset and an action to perform on it. The other options are not valid ways to start an asset action manually. See Performing asset actions for more information. Individual asset actions in Splunk SOAR can be manually initiated from the Investigation page of a container.
The "> action" button on this page allows users to execute specific actions associated with assets directly, enabling on-the-fly operations on artifacts or indicators within a container. This feature is particularly useful for ad-hoc analysis and actions, allowing analysts to respond to or investigate specific aspects of an incident without the need for a full playbook.
C
Explanation:
An individual asset action can be manually started with the > action button in the Investigation page. This allows the user to select an asset and an action to perform on it. The other options are not valid ways to start an asset action manually. See Performing asset actions for more information. Individual asset actions in Splunk SOAR can be manually initiated from the Investigation page of a container.
The "> action" button on this page allows users to execute specific actions associated with assets directly, enabling on-the-fly operations on artifacts or indicators within a container. This feature is particularly useful for ad-hoc analysis and actions, allowing analysts to respond to or investigate specific aspects of an incident without the need for a full playbook.
Question #4
After a playbook has run, where are the results stored?
- A . Splunk Index
- B . Case
- C . Container
- D . Log file
Correct Answer: C
C
Explanation:
The correct answer is C because after a playbook has run, the results are stored in the container that triggered the playbook. The container is a data object that represents an event or a case in Phantom. The container contains information such as the name, the description, the severity, the status, the owner, and the labels of the event or case. The container also contains the artifacts, the action results, the comments, the notes, and the phases and tasks associated with the event or case. The answer A is incorrect because after a playbook has run, the results are not stored in a Splunk index, which is a data structure that stores events from various data sources in Splunk. The Splunk index is not directly accessible by Phantom, but can be queried by Phantom using the Splunk app. The answer B is incorrect because after a playbook has run, the results are not stored in a case, which is a type of container that represents a security incident in Phantom. The case is a subset of the container, and not all containers are cases. The answer D is incorrect because after a playbook has run, the results are not stored in a log file, which is a file that records the activities or events that occur in a system or a process. The log file is not a data object in Phantom, but can be a data source for Phantom.
Reference: Splunk SOAR User Guide, page 19. In Splunk Phantom, after a playbook has been executed, the results of the actions within that playbook are stored in the container associated with the event. A container is a data structure that encapsulates all relevant information and data for an incident or event within Phantom, including action results, artifacts, notes, and more. The container allows users to see a consolidated view of all the data and activity related to a particular event. These results are not stored in the Splunk Index, a separate case, or a log file as their primary storage but may be sent to a Splunk index for further analysis.
C
Explanation:
The correct answer is C because after a playbook has run, the results are stored in the container that triggered the playbook. The container is a data object that represents an event or a case in Phantom. The container contains information such as the name, the description, the severity, the status, the owner, and the labels of the event or case. The container also contains the artifacts, the action results, the comments, the notes, and the phases and tasks associated with the event or case. The answer A is incorrect because after a playbook has run, the results are not stored in a Splunk index, which is a data structure that stores events from various data sources in Splunk. The Splunk index is not directly accessible by Phantom, but can be queried by Phantom using the Splunk app. The answer B is incorrect because after a playbook has run, the results are not stored in a case, which is a type of container that represents a security incident in Phantom. The case is a subset of the container, and not all containers are cases. The answer D is incorrect because after a playbook has run, the results are not stored in a log file, which is a file that records the activities or events that occur in a system or a process. The log file is not a data object in Phantom, but can be a data source for Phantom.
Reference: Splunk SOAR User Guide, page 19. In Splunk Phantom, after a playbook has been executed, the results of the actions within that playbook are stored in the container associated with the event. A container is a data structure that encapsulates all relevant information and data for an incident or event within Phantom, including action results, artifacts, notes, and more. The container allows users to see a consolidated view of all the data and activity related to a particular event. These results are not stored in the Splunk Index, a separate case, or a log file as their primary storage but may be sent to a Splunk index for further analysis.
Question #5
Which of the following items cannot be modified once entered into SOAR?
- A . A container.
- B . An artifact.
- C . A comment.
- D . A note.
Correct Answer: B
B
Explanation:
In Splunk SOAR, once an artifact is entered, it cannot be modified. An artifact refers to a piece of data associated with a specific container, such as log files, emails, or other relevant information in an incident. The immutable nature of artifacts ensures the integrity and forensic value of the data. By preventing modification after creation, SOAR maintains a secure and audit-compliant environment, ensuring that data remains trustworthy throughout the incident’s lifecycle. However, containers, comments, and notes can be updated or modified, making artifacts unique in their immutability.
Reference: Splunk SOAR User Guide: Artifacts and Containers.
Splunk SOAR Best Practices for Incident Management.
B
Explanation:
In Splunk SOAR, once an artifact is entered, it cannot be modified. An artifact refers to a piece of data associated with a specific container, such as log files, emails, or other relevant information in an incident. The immutable nature of artifacts ensures the integrity and forensic value of the data. By preventing modification after creation, SOAR maintains a secure and audit-compliant environment, ensuring that data remains trustworthy throughout the incident’s lifecycle. However, containers, comments, and notes can be updated or modified, making artifacts unique in their immutability.
Reference: Splunk SOAR User Guide: Artifacts and Containers.
Splunk SOAR Best Practices for Incident Management.
Question #6
Which visual playbook editor block is used to assemble commands and data into a valid Splunk search within a SOAR playbook?
- A . An action block.
- B . A filter block.
- C . A format block.
- D . A prompt block.
Correct Answer: C
C
Explanation:
In Splunk SOAR playbook development, the format block is used to assemble commands and data into a valid Splunk search query. This block allows users to structure and manipulate strings, dynamically inserting variables, and constructing the precise format needed for a search query. By using a format block, playbooks can integrate data from various sources and ensure that it is assembled correctly before passing it to subsequent actions, such as executing a Splunk search.
Other blocks, like action, filter, and prompt blocks, serve different purposes (e.g., running actions, filtering data, or prompting for user input), but the format block is specifically designed for building structured data or queries like Splunk searches.
Reference: Splunk SOAR Documentation: Playbook Blocks Overview.
Splunk SOAR Playbook Editor Guide: Using the Format Block.
C
Explanation:
In Splunk SOAR playbook development, the format block is used to assemble commands and data into a valid Splunk search query. This block allows users to structure and manipulate strings, dynamically inserting variables, and constructing the precise format needed for a search query. By using a format block, playbooks can integrate data from various sources and ensure that it is assembled correctly before passing it to subsequent actions, such as executing a Splunk search.
Other blocks, like action, filter, and prompt blocks, serve different purposes (e.g., running actions, filtering data, or prompting for user input), but the format block is specifically designed for building structured data or queries like Splunk searches.
Reference: Splunk SOAR Documentation: Playbook Blocks Overview.
Splunk SOAR Playbook Editor Guide: Using the Format Block.
Question #7
What values can be applied when creating Custom CEF field?
- A . Name
- B . Name, Data Type
- C . Name, Value
- D . Name, Data Type, Severity
Correct Answer: B
B
Explanation:
Custom CEF fields can be created with a name and a data type. The name must be unique and the data type must be one of the following: string, int, float, bool, or list. The severity is not a valid option for custom CEF fields. See Creating custom CEF fields for more details. When creating Custom Common Event Format (CEF) fields in Splunk SOAR (formerly Phantom), the essential values you need to specify are the "Name" of the field and the "Data Type." The "Name" is the identifier for the field, while the "Data Type" specifies the kind of data the field will hold, such as string, integer, IP address, etc. This combination allows for the structured and accurate representation of data within SOAR, ensuring that custom fields are compatible with the platform’s data processing and analysis mechanisms.
B
Explanation:
Custom CEF fields can be created with a name and a data type. The name must be unique and the data type must be one of the following: string, int, float, bool, or list. The severity is not a valid option for custom CEF fields. See Creating custom CEF fields for more details. When creating Custom Common Event Format (CEF) fields in Splunk SOAR (formerly Phantom), the essential values you need to specify are the "Name" of the field and the "Data Type." The "Name" is the identifier for the field, while the "Data Type" specifies the kind of data the field will hold, such as string, integer, IP address, etc. This combination allows for the structured and accurate representation of data within SOAR, ensuring that custom fields are compatible with the platform’s data processing and analysis mechanisms.
Question #8
When analyzing events, a working on a case, significant items can be marked as evidence.
Where can ail of a case’s evidence items be viewed together?
- A . Workbook page Evidence tab.
- B . Evidence report.
- C . Investigation page Evidence tab.
- D . At the bottom of the Investigation page widget panel.
Correct Answer: C
C
Explanation:
In Splunk SOAR, when working on a case and analyzing events, items marked as significant evidence are aggregated for review. These evidence items can be collectively viewed on the Investigation page under the Evidence tab. This centralized view allows analysts to easily access and review all marked evidence related to a case, facilitating a streamlined analysis process and ensuring that key information is readily available for investigation and decision-making.
C
Explanation:
In Splunk SOAR, when working on a case and analyzing events, items marked as significant evidence are aggregated for review. These evidence items can be collectively viewed on the Investigation page under the Evidence tab. This centralized view allows analysts to easily access and review all marked evidence related to a case, facilitating a streamlined analysis process and ensuring that key information is readily available for investigation and decision-making.
Question #9
How is a Django filter query performed?
- A . By adding parameters to the URL similar to the following:
phantom/rest/container?_filter_tags_contains="sumo". - B . phantom/rest/search/app/contains/"sumo"
- C . Browse to the Django Filter Query Editor in the Administration panel.
- D . Install the SOAR Django App first, then configure the search query in the App editor.
Correct Answer: A
A
Explanation:
Django filter queries in Splunk SOAR are performed by appending filter parameters directly to the REST API URL. This allows users to refine their search and retrieve specific data. For example, to filter containers by tags containing the word "sumo", the following URL structure would be used: https://<PHANTOM_URL>/rest/container?_filter_tags_contains="sumo". This format enables users to construct dynamic queries that can filter results based on specified criteria within the Django framework used by Splunk SOAR.
The correct way to perform a Django filter query in Splunk SOAR is to add parameters to the URL similar to the following: phantom/rest/container?_filter_tags_contains=“sumo”. This will return a list of containers that have the tag “sumo” in them. You can use various operators and fields to filter the results according to your needs. For more details, see Query for Data and Use filters in your Splunk SOAR (Cloud) playbook to specify a subset of artifacts before further processing. The other options are either incorrect or irrelevant for this question. For example:
• phantom/rest/search/app/contains/“sumo” is not a valid URL for a Django filter query. It will return an error message saying “Invalid endpoint”.
• There is no Django Filter Query Editor in the Administration panel of Splunk SOAR. You can use the REST API Tester to test your queries, but not to edit them.
• There is no SOAR Django App that needs to be installed or configured for performing Django filter queries. Splunk SOAR uses the Django framework internally, but you do not need to install or use any additional apps for this purpose.
A
Explanation:
Django filter queries in Splunk SOAR are performed by appending filter parameters directly to the REST API URL. This allows users to refine their search and retrieve specific data. For example, to filter containers by tags containing the word "sumo", the following URL structure would be used: https://<PHANTOM_URL>/rest/container?_filter_tags_contains="sumo". This format enables users to construct dynamic queries that can filter results based on specified criteria within the Django framework used by Splunk SOAR.
The correct way to perform a Django filter query in Splunk SOAR is to add parameters to the URL similar to the following: phantom/rest/container?_filter_tags_contains=“sumo”. This will return a list of containers that have the tag “sumo” in them. You can use various operators and fields to filter the results according to your needs. For more details, see Query for Data and Use filters in your Splunk SOAR (Cloud) playbook to specify a subset of artifacts before further processing. The other options are either incorrect or irrelevant for this question. For example:
• phantom/rest/search/app/contains/“sumo” is not a valid URL for a Django filter query. It will return an error message saying “Invalid endpoint”.
• There is no Django Filter Query Editor in the Administration panel of Splunk SOAR. You can use the REST API Tester to test your queries, but not to edit them.
• There is no SOAR Django App that needs to be installed or configured for performing Django filter queries. Splunk SOAR uses the Django framework internally, but you do not need to install or use any additional apps for this purpose.
Question #10
When the Splunk App for SOAR Export executes a Splunk search, which activities are completed?
- A . CEF fields are mapped to CIM fields and a container is created on the SOAR server.
- B . CIM fields are mapped to CEF fields and a container is created on the SOAR server.
- C . CEF fields are mapped to CIM and a container is created on the Splunk server.
- D . CIM fields are mapped to CEF and a container is created on the Splunk server.
Correct Answer: B
B
Explanation:
When the Splunk App for SOAR Export executes a Splunk search, it typically involves mapping Common Information Model (CIM) fields from Splunk to the Common Event Format (CEF) used by SOAR, after which a container is created on the SOAR server to house the related artifacts and information. This process allows for the integration of data between Splunk, which uses CIM for data normalization, and Splunk SOAR, which uses CEF as its data format for incidents and events.
Splunk App for SOAR Export is responsible for sending data from your Splunk Enterprise or Splunk Cloud instances to Splunk SOAR. The Splunk App for SOAR Export acts as a translation service between the Splunk platform and Splunk SOAR by performing the following tasks:
• Mapping fields from Splunk platform alerts, such as saved searches and data models, to CEF
fields.
• Translating CIM fields from Splunk Enterprise Security (ES) notable events to CEF fields.
• Forwarding events in CEF format to Splunk SOAR, which are stored as artifacts.
Therefore, option B is the correct answer, as it states the activities that are completed when the Splunk App for SOAR Export executes a Splunk search.
Option A is incorrect, because CEF fields are not mapped to CIM fields, but the other way around.
Option C is incorrect, because a container is not created on the Splunk server, but on the SOAR server.
Option D is incorrect, because a container is not created on the Splunk server, but on the SOAR server.
B
Explanation:
When the Splunk App for SOAR Export executes a Splunk search, it typically involves mapping Common Information Model (CIM) fields from Splunk to the Common Event Format (CEF) used by SOAR, after which a container is created on the SOAR server to house the related artifacts and information. This process allows for the integration of data between Splunk, which uses CIM for data normalization, and Splunk SOAR, which uses CEF as its data format for incidents and events.
Splunk App for SOAR Export is responsible for sending data from your Splunk Enterprise or Splunk Cloud instances to Splunk SOAR. The Splunk App for SOAR Export acts as a translation service between the Splunk platform and Splunk SOAR by performing the following tasks:
• Mapping fields from Splunk platform alerts, such as saved searches and data models, to CEF
fields.
• Translating CIM fields from Splunk Enterprise Security (ES) notable events to CEF fields.
• Forwarding events in CEF format to Splunk SOAR, which are stored as artifacts.
Therefore, option B is the correct answer, as it states the activities that are completed when the Splunk App for SOAR Export executes a Splunk search.
Option A is incorrect, because CEF fields are not mapped to CIM fields, but the other way around.
Option C is incorrect, because a container is not created on the Splunk server, but on the SOAR server.
Option D is incorrect, because a container is not created on the Splunk server, but on the SOAR server.