Practice Free SPLK-2003 Exam Online Questions
How can more than one user perform tasks in a workbook?
- A . Any user in a role with write access to the case’s workbook can be assigned to tasks.
- B . Add the required users to the authorized list for the container.
- C . Any user with a role that has Perform Task enabled can execute tasks for workbooks.
- D . The container owner can assign any authorized user to any task in a workbook.
C
Explanation:
In Splunk SOAR, tasks within workbooks can be performed by any user whose role has the ‘Perform Task’ capability enabled. This capability is assigned within the role configuration and allows users with the appropriate permissions to execute tasks. It is not limited to users with write access or the container owner; rather, it is based on the specific permissions granted to the role with which the user is associated.
How does a user determine which app actions are available?
- A . Add an action block to a playbook canvas area.
- B . Search the Apps category in the global search field.
- C . From the Apps menu, click the supported actions dropdown for each app.
- D . In the visual playbook editor, click Active and click the Available App Actions dropdown.
C
Explanation:
In Splunk SOAR, a user can determine which app actions are available by navigating to the Apps menu. From there, the user can click on the supported actions dropdown for each app to view the actions that can be performed by that app. This dropdown menu provides a list of all the actions that the app is capable of executing, allowing the user to understand the functionality provided by the app and how it can be utilized within playbooks.
Reference: Add and configure apps and assets to provide actions in Splunk SOAR (Cloud) – Splunk Documentation
Which of the following expressions will output debug information to the debug window in the Visual Playbook Editor?
- A . phantom.debug()
- B . phantom.exception()
- C . phantom.print()
- D . phantom.assert()
A
Explanation:
The phantom.debug() function is used within Splunk SOAR playbooks to output debug information to the debug window in the Visual Playbook Editor. This function is instrumental in troubleshooting and developing playbooks, as it allows developers to print out variables, messages, or any relevant information that can help in understanding the flow of the playbook, the data being processed, and any issues that might arise during execution. This debugging tool is essential for ensuring that playbooks are functioning as intended and for diagnosing any problems that may occur.
Which of the following are the default ports that must be configured on Splunk to allow connections from Phantom?
- A . SplunkWeb (8088), SplunkD (8089), HTTP Collector (8000)
- B . SplunkWeb (8089), SplunkD (8088), HTTP Collector (8000)
- C . SplunkWeb (8421), SplunkD (8061), HTTP Collector (8798)
- D . SplunkWeb (8000), SplunkD (8089), HTTP Collector (8088)
D
Explanation:
The correct answer is D because the default ports that must be configured on Splunk to allow connections from Phantom are SplunkWeb (8000), SplunkD (8089), and HTTP Collector (8088). SplunkWeb is the port used to access the Splunk web interface. SplunkD is the port used to communicate with the Splunk server. HTTP Collector is the port used to send data to Splunk using the HTTP Event Collector (HEC). These ports must be configured on Splunk and Phantom to enable the integration between the two products. See Splunk SOAR Documentation for more details.
To allow connections from Splunk Phantom to Splunk, certain default ports need to be open and properly configured. The default ports include SplunkWeb (8000) for web access, SplunkD (8089) for Splunk’s management port, and the HTTP Event Collector (HEC) on port 8088, which is used for ingesting data into Splunk. These ports are essential for the communication between Splunk Phantom and Splunk, facilitating data exchange, search capabilities, and the integration of various functionalities between the two platforms.
A customer wants to design a modular and reusable set of playbooks that all communicate with each other.
Which of the following is a best practice for data sharing across playbooks?
- A . Use the py-postgresql module to directly save the data in the Postgres database.
- B . Call the child playbook's getter function.
- C . Create artifacts using one playbook and collect those artifacts in another playbook.
- D . Use the Handle method to pass data directly between playbooks.
C
Explanation:
The correct answer is C because creating artifacts using one playbook and collecting those artifacts in another playbook is a best practice for data sharing across playbooks. Artifacts are data objects that are associated with a container and can be used to store information such as IP addresses, URLs, file hashes, etc. Artifacts can be created using the add artifact action in any playbook block and can be collected using the get artifacts action in the filter block. Artifacts can also be used to trigger active playbooks based on their label or type. See Splunk SOAR Documentation for more details.
In the context of Splunk SOAR, one of the best practices for data sharing across playbooks is to create artifacts in one playbook and use another playbook to collect and utilize those artifacts. Artifacts in Splunk SOAR are structured data related to security incidents (containers) that playbooks can act upon. By creating artifacts in one playbook, you can effectively pass data and context to subsequent playbooks, allowing for modular, reusable, and interconnected playbook designs. This approach promotes efficiency, reduces redundancy, and enhances the playbook’s ability to handle complex workflows.
A new project requires event data from SOAR to be sent to an external system via REST. All events with the label notable that are in new status should be sent.
Which of the following REST Django expressions will select the correct events?
A)
B)
C)
D)
- A . Option A
- B . Option B
- C . Option C
- D . Option D
C
Explanation:
The correct REST Django expression to retrieve events with the label "notable" that are in the "new" status is using the container endpoint, as containers are used to store events and associated data in Splunk SOAR. The expression correctly filters the events by label (_filter_label="notable") and status (_filter_status="new"), ensuring only notable events that are still in the "new" status are selected.
A and D reference the wrong endpoints (event and notable respectively), which do not align with the container-based model used in Splunk SOAR for storing and filtering events.
B is incorrect due to the use of _filter_name instead of _filter_label, which is not a valid filter in this context.
Reference: Splunk SOAR Documentation: REST API Endpoints.
Splunk SOAR Developer Guide: Using Django REST for Filtering.
Which of the following queries would return all artifacts that contain a SHA1 file hash?
- A . https://<PHANTOM_URL>/rest/artifact?_filter_cef_md5_isnull=false
- B . https://<PHANTOM_URL>/rest/artifact?_filter_cef_sha1_contains=""
- C . https://<PHANTOM_URL>/rest/artifact?_filter_cef_sha1_isnull=False
- D . https://<PHANTOM_URL>/rest/artifact?_filter_sha1__isnull=False
B
Explanation:
To return all artifacts that contain a SHA1 file hash using the Splunk SOAR REST API, the correct query would use the _filter_cef_sha1_contains parameter. This parameter filters the artifacts to only those that contain a value in the SHA1 field within the Common Event Format (CEF) data structure. The contains operator is used to match any artifacts that have a SHA1 hash present.
Reference: Understanding artifacts – Splunk Documentation
Which of the following views provides a holistic view of an incident – providing event metadata, Service Level Agreement status, Severity, sensitivity of an event, and other detailed event info?
- A . Executive
- B . Investigation
- C . Technical
- D . Analyst
B
Explanation:
The Investigation view in Splunk SOAR provides a comprehensive and holistic view of an incident. This view includes vital details such as event metadata, Service Level Agreement (SLA) status, severity, sensitivity of the event, and other relevant information. It allows analysts to track and manage incidents effectively by presenting a clear picture of all aspects of the investigation process. This view is designed to help users take timely actions based on critical data points, making it a pivotal feature for incident response teams.
Other views like Executive or Analyst may focus on specific reporting or technical details, but the Investigation view provides the most complete perspective on the incident and its progress.
Reference: Splunk SOAR Documentation: Investigation View Overview.
Splunk SOAR Incident Response Best Practices.
How can a child playbook access the parent playbook’s action results?
- A . Child playbooks can access parent playbook data while the parent is still running.
- B . By setting scope to ALL when starting the child.
- C . When configuring the playbook block in the parent, add the desired results in the Scope parameter.
- D . The parent can create an artifact with the data needed by the child.
C
Explanation:
In Splunk Phantom, child playbooks can access the action results of a parent playbook through the use of the Scope parameter. When a parent playbook calls a child playbook, it can pass certain data along by setting the Scope parameter to include the desired action results. This parameter is configured within the playbook block that initiates the child playbook. By specifying the appropriate scope, the parent playbook effectively determines what data the child playbook will have access to, allowing for a more modular and organized flow of information between playbooks.
Phantom supports multiple user authentication methods such as LDAP and SAML2.
What other user authentication method is supported?
- A . SAML3
- B . PIV/CAC
- C . Biometrics
- D . OpenID
B
Explanation:
Splunk SOAR supports multiple user authentication methods to ensure secure access to the platform. Apart from LDAP (Lightweight Directory Access Protocol) and SAML2 (Security Assertion Markup Language 2.0), SOAR also supports PIV (Personal Identity Verification) and CAC (Common Access Card) as authentication methods. These are particularly used in government and military organizations for secure and authenticated access to systems, providing a high level of security through physical tokens or cards that contain encrypted user credentials.