SPLK-2003 Questions and Answers

Question # 6

In this image, which container fields are searched for the text "Malware"?

A.

Event Name and Artifact Names.

B.

Event Name, Notes, Comments.

C.

Event Name or ID.

Question # 7

Which of the following is true about a child playbook?

A.

The child playbook does not have access to the parent playbook's container or action result data.

B.

The child playbook does not have access to the parent playbook's container, but to the parent's action result data.

C.

The child playbook has access to the parent playbook's container and the parent's action result data.

D.

The child playbook has access to the parent playbook's container, but not to the parent's action result data.

Question # 8

Which of the following can be edited or deleted in the Investigation page?

A.

Action results

B.

Comments

C.

Approval records

D.

Artifact values

Question # 9

In addition to full backups, Phantom supports what other backup type using backup?

A.

Snapshot

B.

Incremental

C.

Partial

D.

Differential

Question # 10

Regarding the Splunk SOAR Automation Broker requirements, which of the following statements is not correct?

A.

The Splunk SOAR Automation Broker requires outbound/egress connectivity to the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

B.

The Splunk SOAR Automation Broker must be able to connect to TCP port 443 (HTTPS) on the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

C.

The Splunk SOAR Automation Broker requires both inbound/ingress and outbound/egress connectivity to the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

D.

The Splunk SOAR Automation Broker requires inbound/ingress network connection from the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

Question # 11

When configuring a Splunk asset for SOAR to connect to a Splunk Cloud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible?

A.

Install a second Splunk app and configure the query in the second app.

B.

Configure the second query in the Splunk App for SOAR Export.

C.

Enter the two queries in the asset as comma separated values.

D.

Configure a second Splunk asset with the second query.

Question # 12

How is a Django filter query performed?

A.

By adding parameters to the URL similar to the following: phantom/rest/container?_filter_tags_contains="sumo".

B.

phantom/rest/search/app/contains/"sumo"

C.

Browse to the Django Filter Query Editor in the Administration panel.

D.

Install the SOAR Django App first, then configure the search query in the App editor.

Question # 13

When writing a custom function that uses regex to extract the domain name from a URL, a user wants to create a new artifact for the extracted domain. Which of the following Python API calls will create a new artifact?

A.

phantom.new_artifact()

B.

phantom.update()

C.

phantom.create_artifact()

D.

phantom.add_artifact()

Question # 14

Which of the following queries would return all artifacts that contain a SHA1 file hash?

A.

https:// /rest/artifact?_filter_cef_md5_isnull=false

B.

https:// /rest/artifact?_filter_cef_sha1_contains=""

C.

https:// /rest/artifact?_filter_cef_sha1_isnull=False

D.

https:// /rest/artifact?_filter_sha1__isnull=False

Question # 15

What metrics can be seen from the System Health Display? (select all that apply)

A.

Playbook Usage

B.

Memory Usage

C.

Disk Usage

D.

Load Average

Question # 16

The SOAR server has been configured to use an external Splunk search head for search and searching on SOAR works; however, the search results don't include content that was being returned by search before configuring external search. Which of the following could be the problem?

A.

The existing content indexes on the SOAR server need to be re-indexed to migrate them to Splunk.

B.

The user configured on the SOAR side with Phantomsearch capability is not enabled on Splunk.

C.

The remote Splunk search head is currently offline.

D.

Content that existed before configuring external search must be backed up on SOAR and restored on the Splunk search head.

Question # 17

Why does SOAR use wildcards within artifact data paths?

A.

To make playbooks more specific.

B.

To make playbooks filter out nulls.

C.

To make data access in playbooks easier.

D.

To make decision execution in playbooks run faster.

Question # 18

On a multi-tenant Phantom server, what is the default tenant's ID?

A.

0

B.

Default

C.

1

D.

*

Question # 19

Why is it good playbook design to create smaller and more focused playbooks? (select all that apply)

A.

Reduces amount of playbook data stored in each repo.

B.

Reduce large complex playbooks which become difficult to maintain.

C.

Encourages code reuse in a more compartmentalized form.

D.

To avoid duplication of code across multiple playbooks.

Question # 20

When configuring a Splunk asset for Phantom to connect to a Splunk Cloud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible?

A.

Enter the two queries in the asset as comma separated values.

B.

Configure the second query in the Phantom app for Splunk.

C.

Install a second Splunk app and configure the query in the second app.

D.

Configure a second Splunk asset with the second query.

Question # 21

Splunk user account(s) with which roles must be created to configure Phantom with an external Splunk Enterprise instance?

A.

superuser, administrator

B.

phantomcreate, phantomedit

C.

phantomsearch, phantomdelete

D.

admin, user

Question # 22

Playbooks typically handle which types of data?

A.

Container data, Artifact CEF data, Result data, Threat data

B.

Container CEF data, Artifact data, Result data, List data

C.

Container data, Artifact CEF data, Result data, List data

D.

Container data, Artifact data, Result data, Threat data

Question # 23

What is the primary objective of using the I2A2 playbook design methodology?

A.

To create detailed playbooks.

B.

To create playbooks that customers will not edit.

C.

To meet customer requirements using a single playbook.

D.

To create simple, reusable, modular playbooks.

Question # 24

Some of the playbooks on the SOAR server should only be executed by members of the admin role. How can this rule be applied?

A.

Make sure the Execute Playbook capability is removed from all roles except admin.

B.

Place restricted playbooks in a second source repository that has restricted access.

C.

Add a filter block to all restricted playbooks that filters for runRole = "Admin".

D.

Add a tag with restricted access to the restricted playbooks.

Question # 25

What is the default embedded search engine used by SOAR?

A.

Embedded Splunk search engine.

B.

Embedded SOAR search engine.

C.

Embedded Django search engine.

D.

Embedded Elastic search engine.

Question # 26

How can parent and child playbooks pass information to each other?

A.

The parent can pass arguments to the child when called, and the child can return values from the end block.

B.

The parent can pass arguments to the child when called, but the child can only pass values back as new artifacts in the event.

C.

The parent must create a new artifact in the event named arg_xxx, and the child must return values by creating artifacts with the naming convention return_xxx.

D.

The parent must create a new artifact in the event named return_xxx, and the child must return values by creating artifacts with the naming convention arg_xxx.

Question # 27

Which of the following will show all artifacts that have the term results in a filePath CEF value?

A.

.../rest/artifact?_filter_cef_filePath_icontain=''results''

B.

...rest/artifacts/filePath=''%results%''

C.

.../result/artifacts/cef/filePath= '%results%''

D.

.../result/artifact?_query_cef_filepath_icontains=''results

Question # 28

Which of the following is a reason to create a new role in SOAR?

A.

To define a set of users who have access to a special label.

B.

To define a set of users who have access to a restricted app.

C.

To define a set of users who have access to an event's reports.

D.

To define a set of users who have access to a sensitive tag.

Question # 29

Which of the following can the format block be used for?

A.

To generate arrays for input into other functions.

B.

To generate HTML or CSS content for output in email messages, user prompts, or comments.

C.

To generate string parameters for automated action blocks.

D.

To create text strings that merge state text with dynamic values for input or output.

Question # 30

How can more than one user perform tasks in a workbook?

A.

Any user in a role with write access to the case's workbook can be assigned to tasks.

B.

Add the required users to the authorized list for the container.

C.

Any user with a role that has Perform Task enabled can execute tasks for workbooks.

D.

The container owner can assign any authorized user to any task in a workbook.

Question # 31

Which of the following are the default ports that must be configured on Splunk to allow connections from Phantom?

A.

SplunkWeb (8088), SplunkD (8089), HTTP Collector (8000)

B.

SplunkWeb (8089), SplunkD (8088), HTTP Collector (8000)

C.

SplunkWeb (8421), SplunkD (8061), HTTP Collector (8798)

D.

SplunkWeb (8000), SplunkD (8089), HTTP Collector (8088)

Question # 32

Which of the following views provides a holistic view of an incident - providing event metadata, Service Level Agreement status, Severity, sensitivity of an event, and other detailed event info?

A.

Executive

B.

Investigation

C.

Technical

D.

Analyst

Question # 33

Within the I2A2 design methodology, which of the following most accurately describes the last step?

A.

List of the apps used by the playbook.

B.

List of the actions of the playbook design.

C.

List of the outputs of the playbook design.

D.

List of the data needed to run the playbook.
