Splunk Splunk SOAR Certified Automation Developer SPLK-2003 Questions & Answers

• Question 1:

  What is the default log level for system health debug logs?

  A. INFO

  B. WARN

  C. ERROR

  D. DEBUG

  Correct Answer: A

  The default log level for system health debug logs in Splunk SOAR is typically set to INFO. This log level provides a balance between verbosity and relevance, offering insights into the operational status of the system without the detailed granularity of DEBUG or the limited scope of WARN and ERROR levels.

  The default log level for system health debug logs is INFO. This means that only informational messages and higher severity messages (such as WARN, ERROR, or CRITICAL) are written to the log files. You can adjust the logging level for each daemon running in Splunk SOAR to help debug or troubleshoot issues. For more details, see Configure the logging levels for Splunk SOAR (On-premises) daemons.

• Question 2:

  What is enabled if the Logging option for a playbook's settings is enabled?

  A. More detailed logging information Is available m the Investigation page.

  B. All modifications to the playbook will be written to the audit log.

  C. More detailed information is available in the debug window.

  D. The playbook will write detailed execution information into the spawn.log.

  Correct Answer: C

  Enabling the Logging option for a playbook's settings in Splunk SOAR enhances the level of detail provided in the debug window when the playbook is executed. This feature is particularly useful for development and troubleshooting purposes, as it allows playbook authors and analysts to see more granular information about how each action within the playbook operates, including inputs, outputs, and any errors or warnings. This detailed logging aids in identifying issues, understanding the playbook's flow, and optimizing performance.

• Question 3:

  How can the debug log for a playbook execution be viewed?

  A. On the Investigation page, select Debug Log from the playbook's action menu in the Recent Activity panel.

  B. Click Expand Scope m the debug window.

  C. In Administration > System Health > Playbook Run History, select the playbook execution entry, then select Log.

  D. Open the playbook in the Visual Playbook Editor, and select Debug Logs in Settings.

  Correct Answer: A

  Debug logs are essential for troubleshooting and understanding the execution flow of a playbook in Splunk Phantom. The debug log for a playbook execution can be viewed by navigating to the Investigation page of a specific event or container. Within the Recent Activity panel, there is an action menu associated with each playbook run. Selecting "Debug Log" from this menu will display the detailed execution log, showing each action taken, the results of those actions, and any errors or messages generated during the playbook run.

• Question 4:

  What metrics can be seen from the System Health Display? (select all that apply)

  A. Playbook Usage

  B. Memory Usage

  C. Disk Usage

  D. Load Average

  Correct Answer: BCD

  System Health Display is a dashboard that shows the status and performance of the SOAR processes and components, such as the automation service, the playbook daemon, the DECIDED process, and the REST API. Some of the metrics

  that can be seen from the System Health Display are:

  稭emory Usage: The percentage of memory used by the system and the processes. 稤isk Usage: The percentage of disk space used by the system and the processes. 稬oad Average: The average number of processes in the run queue or

  waiting for disk I/O over a period of time.

  Therefore, options B, C, and D are the correct answers, as they are the metrics that can be seen from the System Health Display. Option A is incorrect, because Playbook Usage is not a metric that can be seen from the System Health

  Display, but rather a metric that can be seen from the Playbook Usage dashboard, which shows the number of playbooks and actions run over a period of time.

  Web search results from search_web(query="Splunk SOAR Automation Developer System Health Display")

  The System Health Display in Splunk SOAR provides several metrics to help monitor and manage the health of the system. These typically include:

  B: Memory Usage - This metric shows the amount of memory being used by the SOAR platform, which is important for ensuring that the system does not exceed available resources.

  C: Disk Usage - This metric indicates the amount of storage space being utilized, which is crucial for maintaining adequate storage resources and for planning capacity.

  D: Load Average - This metric provides an indication of the overall load on the system over a period of time, which helps in understanding the system's performance and in identifying potential bottlenecks or issues. Playbook Usage is generally not a metric displayed on the System Health page; instead, it's more related to the usage analytics of playbooks rather than system health metrics.

• Question 5:

  Which Phantom API command is used to create a custom list?

  A. phantom.add_list()

  B. phantom.create_list()

  C. phantom.include_list()

  D. phantom.new_list()

  Correct Answer: B

  The Phantom API command to create a custom list is phantom.create_list(). This command takes a list name and an optional description as parameters and returns a list ID if successful. The other commands are not valid Phantom API commands. phantom.add_list() is a Python function that can be used in custom code blocks to add data to an existing list. To create a custom list in Splunk Phantom, the appropriate API command used is phantom.create_list(). This function allows for the creation of a new list that can be used to store data such as IP addresses, file hashes, or any other information that you want to track or reference across multiple playbooks or within different parts of the Phantom platform. The custom list is a flexible data structure that can be leveraged for various use cases within Phantom, including data enrichment, persistent storage of information, and cross-playbook data sharing.

• Question 6:

  Which of the following is the complete list of the types of backups that are supported by Phantom?

  A. Full backups.

  B. Full, delta, and incremental backups.

  C. Full and incremental backups.

  D. Full and delta backups.

  Correct Answer: C

  Splunk Phantom supports different types of backups to safeguard data. Full backups create a complete copy of the current state of the system, while incremental backups only save the changes made since the last backup. This approach allows for efficient use of storage space and faster backups after the initial full backup. Delta backups, which would save changes since the last full or incremental backup, are not a standard part of Phantom's backup capabilities according to available documentation. Therefore, the complete list of backups supported by Phantom would be Full and Incremental backups.

• Question 7:

  The SOAR server has been configured to use an external Splunk search head for search and searching on SOAR works; however, the search results don't include content that was being returned by search before configuring external search. Which of the following could be the problem?

  A. The existing content indexes on the SOAR server need to be re-indexed to migrate them to Splunk.

  B. The user configured on the SOAR side with Phantomsearch capability is not enabled on Splunk.

  C. The remote Splunk search head is currently offline.

  D. Content that existed before configuring external search must be backed up on SOAR and restored on the Splunk search head.

  Correct Answer: B

  If, after configuring an external Splunk search head for search in SOAR, the search results do not include content that was previously returned, one possible issue could be that the user account configured on the SOAR side does not have the required permissions (such as the 'phantomsearch' capability) enabled on the Splunk side. This capability is necessary for the SOAR server to execute searches and retrieve results from the Splunk search head.

• Question 8:

  How can a child playbook access the parent playbook's action results?

  A. Child playbooks can access parent playbook data while the parent Is still running.

  B. By setting scope to ALL when starting the child.

  C. When configuring the playbook block in the parent, add the desired results in the Scope parameter.

  D. The parent can create an artifact with the data needed by the did.

  Correct Answer: C

  In Splunk Phantom, child playbooks can access the action results of a parent playbook through the use of the Scope parameter. When a parent playbook calls a child playbook, it can pass certain data along by setting the Scope parameter to include the desired action results. This parameter is configured within the playbook block that initiates the child playbook. By specifying the appropriate scope, the parent playbook effectively determines what data the child playbook will have access to, allowing for a more modular and organized flow of information between playbooks.

• Question 9:

  Why does SOAR use wildcards within artifact data paths?

  A. To make playbooks more specific.

  B. To make playbooks filter out nulls.

  C. To make data access in playbooks easier.

  D. To make decision execution in playbooks run faster.

  Correct Answer: C

  Wildcards are used within artifact data paths in Splunk SOAR playbooks to simplify the process of accessing data. They allow playbooks to reference dynamic or variable data structures without needing to specify exact paths, which can vary

  between artifacts. This flexibility makes it easier to write playbooks that work across different events and scenarios, without hard-coding data paths.

  SOAR uses wildcards within artifact data paths to make data access in playbooks easier. A data path is a way of specifying the location of a piece of data within an artifact. For example, artifact.cef.sourceAddress is a data path that refers to

  the source address field of the artifact. A wildcard is a special character that can match any value or subfield within a data path. For example, artifact.*.cef.sourceAddress is a data path that uses a wildcard to match any field name before the

  cef subfield. This allows the playbook to access the source address data regardless of the field name, which can vary depending on the app or source that generated the artifact. Therefore, option C is the correct answer, as it explains why

  SOAR uses wildcards within artifact data paths. Option A is incorrect, because wildcards do not make playbooks more specific, but more flexible and adaptable. Option B is incorrect, because wildcards do not make playbooks filter out nulls,

  but match any value or subfield. Option D is incorrect, because wildcards do not make decision execution in playbooks run faster, but make data access in playbooks easier.

  Understanding datapaths in Administer Splunk SOAR (Cloud)

• Question 10:

  Which two playbook blocks can discern which path in the playbook to take next?

  A. Prompt and decision blocks.

  B. Decision and action blocks.

  C. Filter and decision blocks.

  D. Filter and prompt blocks.

  Correct Answer: C

  In Splunk SOAR playbooks, filter and decision blocks are used to discern which path in the playbook to take next. Filter blocks evaluate data against specified criteria and direct the flow based on whether the data matches the filter. Decision blocks use logical conditions to determine the path that the playbook execution should follow. Together, they enable the playbook to dynamically respond to different situations and data inputs.