Weekend Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

SPLK-2003 Splunk SOAR Certified Automation Developer Exam Questions and Answers

Questions 4

How can a user with the username "pat" configure the Analyst Queue to only show new events that are assigned to the current user?

Options:

A.

Create a filter for label-new and owner-pat.

B.

Create a filter for status-open and owner-pat.

C.

Create a filter for status=new and owner=pat.

D.

Create a filter for status=new or owner=pat.

Buy Now
Questions 5

Regarding the Splunk SOAR Automation Broker requirements, which of the following statements is not correct?

Options:

A.

The Splunk SOAR Automation Broker requires outbound/egress connectivity to the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

B.

The Splunk SOAR Automation Broker must be able to connect to TCP port 443 (HTTPS) on the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

C.

The Splunk SOAR Automation Broker requires both inbound/ingress and outbound/egress connectivity to the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

D.

The Splunk SOAR Automation Broker requires inbound/ingress network connection from the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

Buy Now
Questions 6

When configuring a Splunk asset for SOAR to connect to a Splunk Cloud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible?

Options:

A.

Install a second Splunk app and configure the query in the second app.

B.

Configure the second query in the Splunk App for SOAR Export.

C.

Enter the two queries in the asset as comma separated values.

D.

Configure a second Splunk asset with the second query.

Buy Now
Questions 7

After a playbook has run, where are the results stored?

Options:

A.

Splunk Index

B.

Case

C.

Container

D.

Log file

Buy Now
Questions 8

Which of the following is a step when configuring event forwarding from Splunk to Phantom?

Options:

A.

Map CIM to CEF fields.

B.

Create a Splunk alert that uses the event_forward.py script to send events to Phantom.

C.

Map CEF to CIM fields.

D.

Create a saved search that generates the JSON for the new container on Phantom.

Buy Now
Questions 9

How can the debug log for a playbook execution be viewed?

Options:

A.

On the Investigation page, select Debug Log from the playbook's action menu in the Recent Activity panel.

B.

Click Expand Scope m the debug window.

C.

In Administration > System Health > Playbook Run History, select the playbook execution entry, then select Log.

D.

Open the playbook in the Visual Playbook Editor, and select Debug Logs in Settings.

Buy Now
Questions 10

Phantom supports multiple user authentication methods such as LDAP and SAML2. What other user authentication method is supported?

Options:

A.

SAML3

B.

PIV/CAC

C.

Biometrics

D.

OpenID

Buy Now
Questions 11

What does a user need to do to have a container with an event from Splunk use context-aware actions designed for notable events?

Options:

A.

Include the notable event's event_id field and set the artifacts label to aplunk notable event id.

B.

Rename the event_id field from the notable event to splunkNotableEventld.

C.

Include the event_id field in the search results and add a CEF definition to Phantom for event_id, datatype splunk notable event id.

D.

Add a custom field to the container named event_id and set the custom field's data type to splunk notable event id.

Buy Now
Questions 12

During a second test of a playbook, a user receives an error that states: 'an empty parameters list was passed to phantom.act()." What does this indicate?

Options:

A.

The container has artifacts not parameters.

B.

The playbook is using an incorrect container.

C.

The playbook debugger's scope is set to new.

D.

The playbook debugger's scope is set to all.

Buy Now
Questions 13

When assigning an input parameter to an action while building a playbook, a user notices the artifact value they are looking for does not appear in the auto-populated list.

How is it possible to enter the unlisted artifact value?

Options:

A.

Type the CEF datapath in manually.

B.

Delete and recreate the artifact.

C.

Edit the artifact to enable the List as Parameter option for the CEF value.

D.

Edit the container to allow CEF parameters.

Buy Now
Questions 14

Some of the playbooks on the SOAR server should only be executed by members of the admin role. How can this rule be applied?

Options:

A.

Make sure the Execute Playbook capability is removed from all roles except admin.

B.

Place restricted playbooks in a second source repository that has restricted access.

C.

Add a filter block to all restricted playbooks that filters for runRole = "Admin".

D.

Add a tag with restricted access to the restricted playbooks.

Buy Now
Questions 15

How can more than one user perform tasks in a workbook?

Options:

A.

Any user in a role with write access to the case's workbook can be assigned to tasks.

B.

Add the required users to the authorized list for the container.

C.

Any user with a role that has Perform Task enabled can execute tasks for workbooks.

D.

The container owner can assign any authorized user to any task in a workbook.

Buy Now
Questions 16

A user wants to use their Splunk Cloud instance as the external Splunk instance for Phantom. What ports need to be opened on the Splunk Cloud instance to facilitate this? Assume default ports are in use.

Options:

A.

TCP 8088 and TCP 8099.

B.

TCP 80 and TCP 443.

C.

Splunk Cloud is not supported.

D.

TCP 8080 and TCP 8191.

Buy Now
Questions 17

Which two playbook blocks can discern which path in the playbook to take next?

Options:

A.

Prompt and decision blocks.

B.

Decision and action blocks.

C.

Filter and decision blocks.

D.

Filter and prompt blocks.

Buy Now
Questions 18

What users are included in a new installation of SOAR?

Options:

A.

The admin and automation users are included by default.

B.

The admin, power, and user users are included by default.

C.

Only the admin user is included by default.

D.

No users are included by default.

Buy Now
Questions 19

Which of the following is the best option for an analyst who wants to run a single action on an event?

Options:

A.

Open the event and run this single action from the Investigation View.

B.

Create a playbook with a single action then use the Playbook Debugger on the event ID.

C.

Create a playbook with the action and run it from the Investigation View.

D.

Open a playbook with a single action, mark it active, and then use the Playbook Debugger on the event ID.

Buy Now
Questions 20

A customer wants to design a modular and reusable set of playbooks that all communicate with each other. Which of the following is a best practice for data sharing across playbooks?

Options:

A.

Use the py-postgresq1 module to directly save the data in the Postgres database.

B.

Cal the child playbooks getter function.

C.

Create artifacts using one playbook and collect those artifacts in another playbook.

D.

Use the Handle method to pass data directly between playbooks.

Buy Now
Questions 21

Which of the following can the format block be used for?

Options:

A.

To generate arrays for input into other functions.

B.

To generate HTML or CSS content for output in email messages, user prompts, or comments.

C.

To generate string parameters for automated action blocks.

D.

To create text strings that merge state text with dynamic values for input or output.

Buy Now
Questions 22

What values can be applied when creating Custom CEF field?

Options:

A.

Name

B.

Name, Data Type

C.

Name, Value

D.

Name, Data Type, Severity

Buy Now
Questions 23

Which of the following is a best practice for use of the global block?

Options:

A.

Execute code at the beginning of each run of the playbook.

B.

Declare outputs which will be selectable within playbook blocks.

C.

Import packages which will be used within the playbook.

D.

Execute custom code after each run of the playbook.

Buy Now
Questions 24

Which Phantom API command is used to create a custom list?

Options:

A.

phantom.add_list()

B.

phantom.create_list()

C.

phantom.include_list()

D.

phantom.new_list()

Buy Now
Questions 25

What is the default embedded search engine used by SOAR?

Options:

A.

Embedded Splunk search engine.

B.

Embedded SOAR search engine.

C.

Embedded Django search engine.

D.

Embedded Elastic search engine.

Buy Now
Questions 26

Which of the following views provides a holistic view of an incident - providing event metadata, Service Level Agreement status, Severity, sensitivity of an event, and other detailed event info?

Options:

A.

Executive

B.

Investigation

C.

Technical

D.

Analyst

Buy Now
Questions 27

Configuring Phantom search to use an external Splunk server provides which of the following benefits?

Options:

A.

The ability to run more complex reports on Phantom activities.

B.

The ability to ingest Splunk notable events into Phantom.

C.

The ability to automate Splunk searches within Phantom.

D.

The ability to display results as Splunk dashboards within Phantom.

Buy Now
Questions 28

Which of the following can be done with the System Health Display?

Options:

A.

Create a temporary, edited version of a process and test the results.

B.

Partially rewind processes, which is useful for debugging.

C.

View a single column of status for SOAR processes. For metrics, click Details.

D.

Reset DECIDED to reset playbook environments back to at-start conditions.

Buy Now
Questions 29

What is the default log level for system health debug logs?

Options:

A.

INFO

B.

WARN

C.

ERROR

D.

DEBUG

Buy Now
Questions 30

Which app allows a user to run Splunk queries from within Phantom?

Options:

A.

Splunk App for Phantom

B.

The Integrated Splunk/Phantom app.

C.

Phantom App for Splunk.

D.

Splunk App for Phantom Reporting.

Buy Now
Questions 31

A user selects the New option under Sources on the menu. What will be displayed?

Options:

A.

A list of new assets.

B.

The New Data Ingestion wizard.

C.

A list of new data sources.

D.

A list of new events.

Buy Now
Questions 32

Is it possible to import external Python libraries such as the time module?

Options:

A.

No.

B.

No, but this can be changed by setting the proper permissions.

C.

Yes, in the global block.

D.

Yes. from a drop-down menu.

Buy Now
Exam Code: SPLK-2003
Exam Name: Splunk SOAR Certified Automation Developer Exam
Last Update: Dec 9, 2024
Questions: 110

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now SPLK-2003 testing engine

PDF (Q&A)

$36.75  $104.99
buy now SPLK-2003 pdf