SPLK-2003 Questions and Answers

The image shows a user interface of “splunk>phantom” with a search bar at the top, where a search for “Malware” has been initiated. The tabs labeled “Events,” “Indicators,” “Cases,” and “Tasks” suggest that the search functionality could span across various container fields within the Splunk SOAR environment. Typically, the search would include fields that are most relevant to the user’s query, which in this case, are likely to be the Event Name and Artifact Names. These fields are central to identifying and categorizing events and artifacts within Splunk SOAR, making them primary targets for a search term like “Malware” which is commonly associated with security events and indicators17.

References:

Understanding containers - Splunk Documentation

In Splunk SOAR, a child playbook can access both the container data and the action result data from the parent playbook. This capability allows child playbooks to continue processing data or actions that were initiated by the parent playbook, ensuring smooth data flow and facilitating complex workflows across multiple playbooks. When a parent playbook calls a child playbook, the container (which holds the event and artifact data) and action results (which hold the outputs of previously executed actions) are passed to the child playbook.

This access enables more flexible and powerful automation by allowing the child playbook to build upon the work done by the parent.

References:

Splunk SOAR Playbook Documentation.

Splunk SOAR Playbook Development Best Practices.

On the Investigation page in Splunk SOAR, users have the ability to edit or delete comments associated with an event or a container. Comments are generally used for collaboration and to provide additional context to an investigation. While action results, approval records, and artifact values are typically not editable or deletable to maintain the integrity of the investigative data, comments are more flexible and can be managed by users to reflect the current state of the investigation.

Investigation page allows you to view and edit various information and data related to an event or a case. One of the things that you can edit or delete in the Investigation page is the comments that you or other users have added to the activity feed. Comments are a way of communicating and collaborating with other users during the investigation process. You can edit or delete your own comments by clicking on the three-dot menu icon next to the comment and selecting the appropriate option. You can also reply to other users’ comments by clicking on the reply icon. Therefore, option B is the correct answer, as it is the only option that can be edited or deleted in the Investigation page. Option A is incorrect, because action results are the outputs of the actions or playbooks that have been run on the event or case, and they cannot be edited or deleted in the Investigation page. Option C is incorrect, because approval records are the logs of the approval requests and responses that have been made for certain actions or playbooks, and they cannot be edited or deleted in the Investigation page. Option D is incorrect, because artifact values are the data that has been collected or generated by the event or case, and they cannot be edited or deleted in the Investigation page.

1: Start with Investigation in Splunk SOAR (Cloud)

Splunk Phantom supports incremental backups in addition to full backups. An incremental backup is a type of backup that only copies the data that has changed since the last backup (whether that was a full backup or another incremental backup). This method is more storage-efficient than a full backup because it does not repeatedly back up the same data, reducing the amount of storage required and speeding up the backup process. Differential backups, which record the changes since the last full backup, and partial backups, which allow the selection of specific data to back up, are not standard backup types offered by Splunk Phantom according to its documentation.

The Splunk SOAR Automation Broker does not require inbound/ingress network connections from the Splunk SOAR (Cloud) or (On-premises) instance. Instead, it requires only outbound/egress connectivity. The Automation Broker is responsible for securely communicating with SOAR to execute actions, retrieve data, and send results, but this communication is initiated from the Automation Broker towards SOAR, using outbound connections (typically over TCP port 443). This ensures that no inbound connections need to be established, which simplifies firewall and security configurations.

Thus, option D is the incorrect statement, making it the right answer for this question.

References:

Splunk SOAR Documentation: Automation Broker Requirements.

Splunk SOAR Cloud and On-Premises Deployment Guide.

In Splunk SOAR, when needing to run multiple on_poll searches to a Splunk Cloud instance, the recommended approach is to configure a second Splunk asset specifically for the second query. This method allows each Splunk asset to maintain its own settings and query configurations, ensuring that each search can be managed and optimized independently. This separation also helps in troubleshooting and maintaining clarity in the configuration.

Option A, installing a second Splunk app, is not necessarily relevant as the app itself does not determine the number of queries but rather how they are managed and processed through assets.

Option B, configuring the second query in the Splunk App for SOAR Export, does not apply as this app typically handles data exportation from SOAR to Splunk, not managing multiple polling queries.

Option C, entering the two queries as comma-separated values, would not be practical or functional as Splunk SOAR’s asset configuration does not process multiple queries in this manner for polling purposes.

When configuring a Splunk asset for SOAR to connect to a Splunk Cloud instance and there is a need to run two different on_poll searches, the appropriate action is to configure a second Splunk asset with the second query. This allows each Splunk asset to have its own unique on_poll search configuration, enabling them to run independently and retrieve different sets of data as required. The other options, such as installing a second app or entering queries as comma-separated values, are not standard practices for managing multiple on_poll searches in Splunk SOAR1.

References:Splunk SOAR documentation on configuring search in Splunk SOAR1.

Django filter queries in Splunk SOAR are performed by appending filter parameters directly to the REST API URL. This allows users to refine their search and retrieve specific data. For example, to filter containers by tags containing the word "sumo", the following URL structure would be used: https:// /rest/container?_filter_tags_contains="sumo". This format enables users to construct dynamic queries that can filter results based on specified criteria within the Django framework used by Splunk SOAR.

The correct way to perform a Django filter query in Splunk SOAR is to add parameters to the URL similar to the following: phantom/rest/container?_filter_tags_contains=“sumo”. This will return a list of containers that have the tag “sumo” in them. You can use various operators and fields to filter the results according to your needs. For more details, see Query for Data and Use filters in your Splunk SOAR (Cloud) playbook to specify a subset of artifacts before further processing. The other options are either incorrect or irrelevant for this question. For example:

•phantom/rest/search/app/contains/“sumo” is not a valid URL for a Django filter query. It will return an error message saying “Invalid endpoint”.

•There is no Django Filter Query Editor in the Administration panel of Splunk SOAR. You can use the REST API Tester to test your queries, but not to edit them.

•There is no SOAR Django App that needs to be installed or configured for performing Django filter queries. Splunk SOAR uses the Django framework internally, but you do not need to install or use any additional apps for this purpose.

In the Splunk SOAR platform, when writing a custom function in Python to handle data such as extracting a domain name from a URL, you can create a new artifact using the Python API call phantom.create_artifact(). This function allows you to specify the details of the new artifact, such as the type, CEF (Common Event Format) data, container it belongs to, and other relevant information necessary to create an artifact within the system.

To return all artifacts that contain a SHA1 file hash using the Splunk SOAR REST API, the correct query would use the _filter_cef_Shal_contains parameter. This parameter filters the artifacts to only those that contain a value in the SHA1 field within the Common Event Format (CEF) data structure. The contains operator is used to match any artifacts that have a SHA1 hash present1.

References:

Understanding artifacts - Splunk Documentation

System Health Display is a dashboard that shows the status and performance of the SOAR processes and components, such as the automation service, the playbook daemon, the DECIDED process, and the REST API. Some of the metrics that can be seen from the System Health Display are:

•Memory Usage: The percentage of memory used by the system and the processes.

•Disk Usage: The percentage of disk space used by the system and the processes.

•Load Average: The average number of processes in the run queue or waiting for disk I/O over a period of time.

Therefore, options B, C, and D are the correct answers, as they are the metrics that can be seen from the System Health Display. Option A is incorrect, because Playbook Usage is not a metric that can be seen from the System Health Display, but rather a metric that can be seen from the Playbook Usage dashboard, which shows the number of playbooks and actions run over a period of time.

1: Web search results from search_web(query="Splunk SOAR Automation Developer System Health Display")

The System Health Display in Splunk SOAR provides several metrics to help monitor and manage the health of the system. These typically include:

•B: Memory Usage - This metric shows the amount of memory being used by the SOAR platform, which is important for ensuring that the system does not exceed available resources.

•C: Disk Usage - This metric indicates the amount of storage space being utilized, which is crucial for maintaining adequate storage resources and for planning capacity.

•D: Load Average - This metric provides an indication of the overall load on the system over a period of time, which helps in understanding the system's performance and in identifying potential bottlenecks or issues.

Playbook Usage is generally not a metric displayed on the System Health page; instead, it's more related to the usage analytics of playbooks rather than system health metrics.

If, after configuring an external Splunk search head for search in SOAR, the search results do not include content that was previously returned, one possible issue could be that the user account configured on the SOAR side does not have the required permissions (such as the 'phantomsearch' capability) enabled on the Splunk side. This capability is necessary for the SOAR server to execute searches and retrieve results from the Splunk search head.

Wildcards are used within artifact data paths in Splunk SOAR playbooks to simplify the process of accessing data. They allow playbooks to reference dynamic or variable data structures without needing to specify exact paths, which can vary between artifacts. This flexibility makes it easier to write playbooks that work across different events and scenarios, without hard-coding data paths.

SOAR uses wildcards within artifact data paths to make data access in playbooks easier. A data path is a way of specifying the location of a piece of data within an artifact. For example, artifact.cef.sourceAddress is a data path that refers to the source address field of the artifact. A wildcard is a special character that can match any value or subfield within a data path. For example, artifact.*.cef.sourceAddress is a data path that uses a wildcard to match any field name before the cef subfield. This allows the playbook to access the source address data regardless of the field name, which can vary depending on the app or source that generated the artifact. Therefore, option C is the correct answer, as it explains why SOAR uses wildcards within artifact data paths. Option A is incorrect, because wildcards do not make playbooks more specific, but more flexible and adaptable. Option B is incorrect, because wildcards do not make playbooks filter out nulls, but match any value or subfield. Option D is incorrect, because wildcards do not make decision execution in playbooks run faster, but make data access in playbooks easier.

1: Understanding datapaths in Administer Splunk SOAR (Cloud)

The correct answer is C because the default tenant’s ID is 1. The tenant ID is a unique identifier for each tenant on a multi-tenant Phantom server. The default tenant is the tenant that is created when Phantom is installed and contains all the existing data and assets. The default tenant’s ID is always 1 and cannot be changed. Other tenants have IDs that are assigned sequentially starting from 2. See Splunk SOAR Documentation for more details. In a multi-tenant Splunk SOAR environment, the default tenant is typically assigned an ID of 1. This ID is system-generated and is used to uniquely identify the default tenant within the SOAR database and system configurations. The default tenant serves as the primary operational environment before any additional tenants are configured, and its ID is crucial for database operations, API calls, and internal reference within the SOAR platform. Understanding and correctly using tenant IDs is essential for managing resources, permissions, and data access in a multi-tenant SOAR setup.

Creating smaller and more focused playbooks in Splunk SOAR is considered good design practice for several reasons:

•B: It reduces complexity, making playbooks easier to maintain. Large, complex playbooks can become unwieldy and difficult to troubleshoot or update.

•C: Encourages code reuse, as smaller playbooks can be designed to handle specific tasks that can be reused across different scenarios.

•D: Avoids duplication of code, as common functionalities can be centralized within specific playbooks, rather than having the same code replicated across multiple playbooks.

This approach has several benefits, such as:

•Reducing large complex playbooks which become difficult to maintain. Smaller playbooks are easier to read, debug, and update1.

•Encouraging code reuse in a more compartmentalized form. Smaller playbooks can be used as building blocks for multiple scenarios, reducing the need to write duplicate code12.

•Improving performance and scalability. Smaller playbooks can run faster and consume less resources than larger playbooks2.

The other options are not valid reasons for creating smaller and more focused playbooks. Reducing the amount of playbook data stored in each repo is not a significant benefit, as the playbook data is not very large compared to other types of data in Splunk SOAR. Avoiding duplication of code across multiple playbooks is a consequence of code reuse, not a separate goal.

In scenarios where there's a need to run different on_poll searches for a Splunk Cloud instance from Splunk SOAR, configuring a second Splunk asset for the additional query is a practical solution. Splunk SOAR's architecture allows for multiple assets of the same type to be configured with distinct settings. By setting up a second Splunk asset specifically for the second on_poll search query, users can maintain separate configurations and ensure that each query is executed in its intended context without interference. This approach provides flexibility in managing different data collection or monitoring needs within the same SOAR environment.

 When configuring Splunk Phantom to integrate with an external Splunk Enterprise instance, it is typically required to have user accounts with sufficient privileges to access data and perform necessary actions. The roles of "superuser" and "administrator" in Splunk provide the broad set of permissions needed for such integration, enabling comprehensive access to data, management capabilities, and the execution of searches or actions that Phantom may require as part of its automated playbooks or investigations.

Playbooks in Splunk SOAR are designed to handle various types of data to automate responses to security incidents. The correct types of data handled by playbooks include:

Container Data: Containers are used to group related data for an incident or event. Playbooks can access this information to perform actions and make decisions.

Artifact CEF Data: Artifacts hold detailed information about the event or incident, including CEF (Common Event Format) data. Playbooks often process this CEF data for various actions.

Result Data: This refers to the data generated from actions executed by the playbook, such as results from API calls, integrations, or automated responses.

List Data: Lists in Splunk SOAR are collections of reusable data (such as IP blocklists, whitelists, etc.) that playbooks can access to check values or make decisions based on external lists.

The inclusion of List data instead of Threat data distinguishes this option from others, as lists are more directly used by playbooks during execution, whereas threat data is a broader category that is often processed but not always directly handled by playbooks.

References:

Splunk SOAR Documentation: Playbook Data Handling.

Splunk SOAR Best Practices: Automating with Playbooks.

The primary objective of using the I2A2 playbook design methodology in Splunk SOAR is to create playbooks that are simple, reusable, and modular. This design philosophy emphasizes the creation of playbooks that can be easily understood and maintained, encourages the reuse of playbook components in different scenarios, and fosters the development of playbooks that can be modularly connected or used independently as needed.

I2A2 design methodology is a framework for designing playbooks that consists of four components:

•Inputs: The data that is required for the playbook to run, such as artifacts, parameters, or custom fields.

•Interactions: The blocks that allow the playbook to communicate with users or other systems, such as prompts, comments, or emails.

•Actions: The blocks that execute the core logic of the playbook, such as app actions, filters, decisions, or utilities.

•Artifacts: The data that is generated or modified by the playbook, such as new artifacts, container fields, or notes.

The I2A2 design methodology helps you to plan, structure, and test your playbooks in a modular and efficient way. The primary objective of using the I2A2 design methodology is to create simple, reusable, modular playbooks that can be easily maintained, shared, and customized. Therefore, option D is the correct answer, as it states the primary objective of using the I2A2 design methodology. Option A is incorrect, because creating detailed playbooks is not the primary objective of using the I2A2 design methodology, but rather a possible outcome of following the framework. Option B is incorrect, because creating playbooks that customers will not edit is not the primary objective of using the I2A2 design methodology, but rather a potential risk of not following the framework. Option C is incorrect, because meeting customer requirements using a single playbook is not the primary objective of using the I2A2 design methodology, but rather a challenge that can be overcome by using the framework.

1: Use a playbook design methodology in Administer Splunk SOAR (Cloud).

To restrict playbook execution to members of the admin role within Splunk SOAR, the 'Execute Playbook' capability must be managed appropriately. This is done by ensuring that this capability is removed from all other roles except the admin role. Role-based access control (RBAC) in Splunk SOAR allows for granular permissions, which means you can configure which roles have the ability to execute playbooks, and by restricting this capability, you can control which users are able to initiate playbook runs.

the default embedded search engine used by SOAR is the SOAR search engine, which is powered by the PostgreSQL database built-in to Splunk SOAR (Cloud). A Splunk SOAR (Cloud) Administrator can configure options for search from the Home menu, in Search Settings under Administration Settings. The SOAR search engine has been modified to accept the * wildcard and supports various operators and filters. For search syntax and examples, see Search within Splunk SOAR (Cloud)2.

Option A is incorrect, because the embedded Splunk search engine was used in earlier releases of Splunk SOAR (Cloud), but not in the current version. Option C is incorrect, because Django is a web framework, not a search engine. Option D is incorrect, because Elastic is a separate search engine that is not embedded in Splunk SOAR (Cloud).

1: Configure search in Splunk SOAR (Cloud) 2: Search within Splunk SOAR (Cloud)

Splunk SOAR utilizes its own embedded search engine by default, which is tailored to its security orchestration and automation framework. While Splunk SOAR can integrate with other search engines, like the Embedded Splunk search engine, for advanced capabilities and log analytics, its default setup comes with an embedded search engine optimized for the typical data and search patterns encountered within the SOAR platform.

In Splunk SOAR, parent and child playbooks can pass information between each other using arguments. The parent playbook can pass specific arguments to the child playbook when it is called, enabling the child playbook to utilize these values in its execution. Once the child playbook finishes its execution, it can return values through the end block. This mechanism allows for efficient and structured communication between parent and child playbooks, enabling complex, multi-step automation workflows.

Other options are incorrect because creating artifacts with specific naming conventions is not necessary for passing information between playbooks, and artifacts are not used for argument or result passing between playbooks in this manner.

References:

Splunk SOAR Documentation: Playbook Development Guide.

Splunk SOAR Best Practices: Parent and Child Playbooks Communication.

 The correct answer is A because the _filter parameter is used to filter the results based on a field value, and the icontain operator is used to perform a case-insensitive substring match. The filePath field is part of the Common Event Format (CEF) standard, and the cef_ prefix is used to access CEF fields in the REST API. The answer B is incorrect because it uses the wrong syntax for the REST API. The answer C is incorrect because it uses the wrong endpoint (result instead of artifact) and the wrong syntax for the REST API. The answer D is incorrect because it uses the wrong syntax for the REST API and the wrong spelling for the icontains operator. Reference: Splunk SOAR REST API Guide, page 18.

To query and display all artifacts that contain the term "results" in a filePath CEF (Common Event Format) value, using the REST API endpoint with a filter parameter is effective. The filter _filter_cef_filePath_icontain="results" is applied to search within the artifact data for filePath fields that contain the term "results", disregarding case sensitivity. This method allows users to precisely locate and work with artifacts that meet specific criteria, aiding in the investigation and analysis processes within Splunk SOAR.

In Splunk SOAR, roles serve multiple purposes, including granting users permission to access system functionality or restricting access to parts of the system1. Creating a new role is often necessary when there is a need to define a specific set of users who have access to a restricted app. This allows for granular control over who can interact with certain apps, ensuring that only authorized users can use them. While roles can also be used to manage access to labels, reports, and tags, the primary reason for creating a new role is typically related to controlling access to apps and their associated functionalities within the SOAR platform1.

References:

Splunk SOAR documentation on managing roles and permissions1.

The format block in Splunk SOAR is utilized to construct text strings by merging static text with dynamic values, which can then be used for both input to other playbook blocks and output for reports, emails, or other forms of communication. This capability is essential for customizing messages, commands, or data processing tasks within a playbook, allowing for the dynamic insertion of variable data into predefined text templates. This feature enhances the playbook's ability to present information clearly and to execute actions that require specific parameter formats.

In Splunk SOAR, tasks within workbooks can be performed by any user whose role has the 'Perform Task' capability enabled. This capability is assigned within the role configuration and allows users with the appropriate permissions to execute tasks. It is not limited to users with write access or the container owner; rather, it is based on the specific permissions granted to the role with which the user is associated.

The correct answer is D because the default ports that must be configured on Splunk to allow connections from Phantom are SplunkWeb (8000), SplunkD (8089), and HTTP Collector (8088). SplunkWeb is the port used to access the Splunk web interface. SplunkD is the port used to communicate with the Splunk server. HTTP Collector is the port used to send data to Splunk using the HTTP Event Collector (HEC). These ports must be configured on Splunk and Phantom to enable the integration between the two products. See Splunk SOAR Documentation for more details.

To allow connections from Splunk Phantom to Splunk, certain default ports need to be open and properly configured. The default ports include SplunkWeb (8000) for web access, SplunkD (8089) for Splunk's management port, and the HTTP Event Collector (HEC) on port 8088, which is used for ingesting data into Splunk. These ports are essential for the communication between Splunk Phantom and Splunk, facilitating data exchange, search capabilities, and the integration of various functionalities between the two platforms.

The Investigation view in Splunk SOAR provides a comprehensive and holistic view of an incident. This view includes vital details such as event metadata, Service Level Agreement (SLA) status, severity, sensitivity of the event, and other relevant information. It allows analysts to track and manage incidents effectively by presenting a clear picture of all aspects of the investigation process. This view is designed to help users take timely actions based on critical data points, making it a pivotal feature for incident response teams.

Other views like Executive or Analyst may focus on specific reporting or technical details, but the Investigation view provides the most complete perspective on the incident and its progress.

References:

Splunk SOAR Documentation: Investigation View Overview.

Splunk SOAR Incident Response Best Practices.

The correct answer is C because the last step of the 12A2 design methodology is to list the outputs of the playbook design. The outputs are the expected results or outcomes of the playbook execution, such as sending an email, creating a ticket, blocking an IP, etc. The outputs should be aligned with the objectives and goals of the playbook. See Splunk SOAR Certified Automation Developer for more details.

The 12A2 design methodology in the context of Splunk SOAR (formerly Phantom) refers to a structured approach to developing playbooks. The last step in this methodology focuses on defining the outputs of the playbook design. This step is crucial as it outlines what the expected results or actions the playbook should achieve upon its completion. These outputs can vary widely, from sending notifications, creating tickets, updating statuses, to generating reports. Defining the outputs is essential for understanding the playbook's impact on the security operation workflows and how it contributes to resolving security incidents or automating tasks.