
SPLK-2003 Splunk SOAR Certified Automation Developer Exam Questions and Answers

Questions 4

Which of the following can be edited or deleted in the Investigation page?

Options:

A. Action results
B. Comments
C. Approval records
D. Artifact values

Questions 5

Without customizing container status within Phantom, what are the three types of status for a container?

Options:

A. New, In Progress, Closed
B. Low, Medium, High
C. New, Open, Resolved
D. Low, Medium, Critical

Questions 6

Severity can be set during ingestion and later changed manually. What other mechanism can change the severity of a container?

Options:

A. Notes
B. Actions
C. Service level agreement (SLA) expiration
D. Playbooks

Questions 7

An active playbook can be configured to operate on all containers that share which attribute?

Options:

A. Artifact
B. Label
C. Tag
D. Severity

Questions 8

A filter block with only one condition configured, which states artifact.*.cef.sourceAddress != (with an empty comparison value), would permit which of the following data to pass forward to the next block?

Options:

A. Null IP addresses
B. Non-null IP addresses
C. Non-null destinationAddresses
D. Null values

Questions 9

On a multi-tenant Phantom server, what is the default tenant's ID?

Options:

A. 0
B. Default
C. 1
D. *

Questions 10

Why does SOAR use wildcards within artifact data paths?

Options:

A. To make playbooks more specific.
B. To make playbooks filter out nulls.
C. To make data access in playbooks easier.
D. To make decision execution in playbooks run faster.

Questions 11

Which of the following can be done with the System Health Display?

Options:

A. Create a temporary, edited version of a process and test the results.
B. Partially rewind processes, which is useful for debugging.
C. View a single column of status for SOAR processes. For metrics, click Details.
D. Reset DECIDED to reset playbook environments back to at-start conditions.

Questions 12

What is the default log level for system health debug logs?

Options:

A. INFO
B. WARN
C. ERROR
D. DEBUG

Questions 13

A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes. What is the cause of this behavior?

Options:

A. Synchronous execution has not been configured.
B. The first playbook is performing poorly.
C. The sleep option for the second playbook is not set to a long enough interval.
D. Incorrect join configuration on the second playbook.

Questions 14

When analyzing events or working on a case, significant items can be marked as evidence. Where can all of a case's evidence items be viewed together?

Options:

A. Workbook page Evidence tab.
B. Evidence report.
C. Investigation page Evidence tab.
D. At the bottom of the Investigation page widget panel.

Questions 15

Which app allows a user to send Splunk Enterprise Security notable events to Phantom?

Options:

A. Any of the integrated Splunk/Phantom Apps.
B. Splunk App for Phantom Reporting.
C. Splunk App for Phantom.
D. Phantom App for Splunk.

Questions 16

During a second test of a playbook, a user receives an error that states: "an empty parameters list was passed to phantom.act()". What does this indicate?

Options:

A. The container has artifacts, not parameters.
B. The playbook is using an incorrect container.
C. The playbook debugger's scope is set to new.
D. The playbook debugger's scope is set to all.

Questions 17

What is the simplest way to pass data between playbooks?

Options:

A. Action results
B. File system
C. Artifacts
D. KV Store

Questions 18

How can an individual asset action be manually started?

Options:

A. With the > action button in the analyst queue page.
B. By executing a playbook in the Playbooks section.
C. With the > action button in the Investigation page.
D. With the > asset button in the asset configuration section.

Questions 19

When assigning an input parameter to an action while building a playbook, a user notices the artifact value they are looking for does not appear in the auto-populated list.

How is it possible to enter the unlisted artifact value?

Options:

A. Type the CEF datapath in manually.
B. Delete and recreate the artifact.
C. Edit the artifact to enable the List as Parameter option for the CEF value.
D. Edit the container to allow CEF parameters.

Questions 20

What does a user need to do to have a container with an event from Splunk use context-aware actions designed for notable events?

Options:

A. Include the notable event's event_id field and set the artifact's label to splunk notable event id.
B. Rename the event_id field from the notable event to splunkNotableEventId.
C. Include the event_id field in the search results and add a CEF definition to Phantom for event_id, datatype splunk notable event id.
D. Add a custom field to the container named event_id and set the custom field's data type to splunk notable event id.

Questions 21

When is using decision blocks most useful?

Options:

A. When selecting one (or zero) possible paths in the playbook.
B. When processing different data in parallel.
C. When evaluating complex, multi-value results or artifacts.
D. When modifying downstream data in one or more paths in the playbook.

Questions 22

A customer wants to design a modular and reusable set of playbooks that all communicate with each other. Which of the following is a best practice for data sharing across playbooks?

Options:

A. Use the py-postgresql module to directly save the data in the Postgres database.
B. Call the child playbook's getter function.
C. Create artifacts using one playbook and collect those artifacts in another playbook.
D. Use the Handle method to pass data directly between playbooks.

Questions 23

To limit the impact of custom code on the VPE, where should the custom code be placed?

Options:

A. A custom container or a separate KV store.
B. A separate code repository.
C. A custom function block.
D. A separate container.

Questions 24

Splunk user account(s) with which roles must be created to configure Phantom with an external Splunk Enterprise instance?

Options:

A. superuser, administrator
B. phantomcreate, phantomedit
C. phantomsearch, phantomdelete
D. admin, user

Questions 25

What metrics can be seen from the System Health Display? (select all that apply)

Options:

A. Playbook Usage
B. Memory Usage
C. Disk Usage
D. Load Average

Questions 26

When configuring a Splunk asset for Phantom to connect to a Splunk Cloud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible?

Options:

A. Enter the two queries in the asset as comma separated values.
B. Configure the second query in the Phantom app for Splunk.
C. Install a second Splunk app and configure the query in the second app.
D. Configure a second Splunk asset with the second query.

Questions 27

When the Splunk App for SOAR Export executes a Splunk search, which activities are completed?

Options:

A. CEF fields are mapped to CIM fields and a container is created on the SOAR server.
B. CIM fields are mapped to CEF fields and a container is created on the SOAR server.
C. CEF fields are mapped to CIM and a container is created on the Splunk server.
D. CIM fields are mapped to CEF and a container is created on the Splunk server.

Questions 28

When writing a custom function that uses regex to extract the domain name from a URL, a user wants to create a new artifact for the extracted domain. Which of the following Python API calls will create a new artifact?

Options:

A. phantom.new_artifact()
B. phantom.update()
C. phantom.create_artifact()
D. phantom.add_artifact()

Exam Code: SPLK-2003
Exam Name: Splunk SOAR Certified Automation Developer Exam
Last Update: Mar 28, 2024
Questions: 96
