Splunk Splunk Certifications SPLK-2003 Questions & Answers

• Question 31:

  A filter block with only one condition configured which states: artifact.*.cef .sourceAddress !- , would permit which of the following data to pass forward to the next block?

  A. Null IP addresses

  B. Non-null IP addresses

  C. Non-null destinationAddresses

  D. Null values

  Correct Answer: B

  A filter block with only one condition configured which states: artifact.*.cef .sourceAddress !- , would permit only non-null IP addresses to pass forward to the next block. The !- operator means "is not null". The other options are not valid because they either include null values or other fields than sourceAddress. See Filter block for more details. A filter block in Splunk SOAR that is configured with the condition artifact.*.cef.sourceAddress != (assuming the intention was to use "!=" to denote 'not equal to') is designed to allow data that has non-null sourceAddress values to pass through to subsequent blocks. This means that any artifact data within the container that includes a sourceAddress field with a defined value (i.e., an actual IP address) will be permitted to move forward in the playbook. The filter effectively screens out any artifacts that do not have a source address specified, focusing the playbook's actions on those artifacts that contain valid IP address information in the sourceAddress field.

• Question 32:

  Which of the following is a step when configuring event forwarding from Splunk to Phantom?

  A. Map CIM to CEF fields.

  B. Create a Splunk alert that uses the event_forward.py script to send events to Phantom.

  C. Map CEF to CIM fields.

  D. Create a saved search that generates the JSON for the new container on Phantom.

  Correct Answer: B

  A step when configuring event forwarding from Splunk to Phantom is to create a Splunk alert that uses the event_forward.py script to send events to Phantom. This script will convert the Splunk events to CEF format and send them to Phantom as containers. The other options are not valid steps for event forwarding. See Forwarding events from Splunk to Phantom for more details. Configuring event forwarding from Splunk to Phantom typically involves creating a Splunk alert that leverages a script (like event_forward.py) to automatically send triggered event data to Phantom. This setup enables Splunk to act as a detection mechanism that, upon identifying notable events based on predefined criteria, forwards these events to Phantom for further orchestration, automation, and response actions. This integration streamlines the process of incident management by connecting Splunk's powerful data analysis capabilities with Phantom's orchestration and automation framework.

• Question 33:

  What is the default embedded search engine used by SOAR?

  A. Embedded Splunk search engine.

  B. Embedded SOAR search engine.

  C. Embedded Django search engine.

  D. Embedded Elastic search engine.

  Correct Answer: B

  the default embedded search engine used by SOAR is the SOAR search engine, which is powered by the PostgreSQL database built-in to Splunk SOAR (Cloud). A Splunk SOAR (Cloud) Administrator can configure options for search from

  the Home menu, in Search Settings under Administration Settings. The SOAR search engine has been modified to accept the * wildcard and supports various operators and filters. For search syntax and examples, see Search within Splunk

  SOAR (Cloud)2.

  Option A is incorrect, because the embedded Splunk search engine was used in earlier releases of Splunk SOAR (Cloud), but not in the current version. Option C is incorrect, because Django is a web framework, not a search engine. Option

  D is incorrect, because Elastic is a separate search engine that is not embedded in Splunk SOAR (Cloud).

  Configure search in Splunk SOAR (Cloud) 2: Search within Splunk SOAR (Cloud)

  Splunk SOAR utilizes its own embedded search engine by default, which is tailored to its security orchestration and automation framework. While Splunk SOAR can integrate with other search engines, like the Embedded Splunk search

  engine, for advanced capabilities and log analytics, its default setup comes with an embedded search engine optimized for the typical data and search patterns encountered within the SOAR platform.

• Question 34:

  Configuring SOAR search to use an external Splunk server provides which of the following benefits?

  A. The ability to run more complex reports on SOAR activities.

  B. The ability to ingest Splunk notable events into SOAR.

  C. The ability to automate Splunk searches within SOAR.

  D. The ability to display results as Splunk dashboards within SOAR.

  Correct Answer: A

  Configuring Splunk SOAR to use an external Splunk server provides several benefits, one of which is the ability to run more complex reports on SOAR activities. Splunk's powerful search and reporting capabilities allow for deeper analysis and more sophisticated reporting on the data generated by SOAR activities, beyond what is possible with the built- in SOAR search engine.

• Question 35:

  Why is it good playbook design to create smaller and more focused playbooks? (select all that apply)

  A. Reduces amount of playbook data stored in each repo.

  B. Reduce large complex playbooks which become difficult to maintain.

  C. Encourages code reuse in a more compartmentalized form.

  D. To avoid duplication of code across multiple playbooks.

  Correct Answer: BCD

  Creating smaller and more focused playbooks in Splunk SOAR is considered good design practice for several reasons:

  B: It reduces complexity, making playbooks easier to maintain. Large, complex playbooks can become unwieldy and difficult to troubleshoot or update.

  C: Encourages code reuse, as smaller playbooks can be designed to handle specific tasks that can be reused across different scenarios.

  D: Avoids duplication of code, as common functionalities can be centralized within specific playbooks, rather than having the same code replicated across multiple playbooks.

  This approach has several benefits, such as:

  Reducing large complex playbooks which become difficult to maintain. Smaller playbooks are easier to read, debug, and update.

  Encouraging code reuse in a more compartmentalized form. Smaller playbooks can be used as building blocks for multiple scenarios, reducing the need to write duplicate code.

  Improving performance and scalability. Smaller playbooks can run faster and consume less resources than larger playbooks.

  The other options are not valid reasons for creating smaller and more focused playbooks. Reducing the amount of playbook data stored in each repo is not a significant benefit, as the playbook data is not very large compared to other types of

  data in Splunk SOAR. Avoiding duplication of code across multiple playbooks is a consequence of code reuse, not a separate goal.

• Question 36:

  What are the components of the I2A2 design methodology?

  A. Inputs, Interactions, Actions, Apps

  B. Inputs, Interactions, Actions, Artifacts

  C. Inputs, Interactions, Apps, Artifacts

  D. Inputs, Interactions, Actions, Assets

  Correct Answer: B

  I2A2 design methodology is a framework for designing playbooks that consists of four components:

  Inputs: The data that is required for the playbook to run, such as artifacts, parameters, or custom fields.

  Interactions: The blocks that allow the playbook to communicate with users or other systems, such as prompts, comments, or emails.

  Actions: The blocks that execute the core logic of the playbook, such as app actions, filters, decisions, or utilities.

  Artifacts: The data that is generated or modified by the playbook, such as new artifacts, container fields, or notes.

  The I2A2 design methodology helps you to plan, structure, and test your playbooks in a modular and efficient way. Therefore, option B is the correct answer, as it lists the correct components of the I2A2 design methodology. Option A is

  incorrect, because apps are not a component of the I2A2 design methodology, but a source of actions that can be used in the playbook. Option C is incorrect, for the same reason as option A. Option D is incorrect, because assets are not a

  component of the I2A2 design methodology, but a configuration of app credentials that can be used in the playbook.

  Use a playbook design methodology in Administer Splunk SOAR (Cloud) The I2A2 design methodology is an approach used in Splunk SOAR to structure and design playbooks. The acronym stands for Inputs, Interactions, Actions, and

  Artifacts. This methodology guides the creation of playbooks by focusing on these four key components, ensuring that all necessary aspects of an automated response are considered and effectively implemented within the platform.

• Question 37:

  Which is the primary system requirement that should be increased with heavy usage of the file vault?

  A. Amount of memory.

  B. Number of processors.

  C. Amount of storage.

  D. Bandwidth of network.

  Correct Answer: C

  The primary system requirement that should be increased with heavy usage of the file vault is the amount of storage. The file vault is a secure repository for storing files on Phantom. The more files are stored, the more storage space is needed. The other options are not directly related to the file vault usage. See [File vault] for more information. Heavy usage of the file vault in Splunk SOAR necessitates an increase in the amount of storage available. The file vault is used to securely store files associated with cases, such as malware samples, logs, and other artifacts relevant to an investigation. As the volume of files and the size of stored data grow, ensuring sufficient storage capacity becomes critical to maintain performance and ensure that all necessary data is retained for analysis and evidence.

• Question 38:

  Without customizing container status within Phantom, what are the three types of status for a container?

  A. New, In Progress, Closed

  B. Low, Medium, High

  C. Mew, Open, Resolved

  D. Low, Medium, Critical

  Correct Answer: A

  Within Splunk SOAR, containers (which represent incidents, cases, or events) have a lifecycle that is tracked through their status. The default statuses available without any customization are "New", "In Progress", and "Closed". These statuses help in organizing and managing the incident response process, allowing users to easily track the progress of investigations and responses from initial detection through to resolution.

• Question 39:

  What is the simplest way to pass data between playbooks?

  A. Action results

  B. File system

  C. Artifacts

  D. KV Store

  Correct Answer: A

  Passing data between playbooks in Splunk Phantom is most efficiently done through action results. Playbooks are composed of actions, which are individual steps that perform operations. When an action is executed, it generates results, which can include data like IP addresses, usernames, or any other relevant information. These results can be passed to subsequent playbooks as input, allowing for a seamless flow of information and enabling complex automation sequences. Other methods, like using the file system, artifacts, or KV Store, are less direct and can be more complex to implement for this purpose.

• Question 40:

  How is a Django filter query performed?

  A. By adding parameters to the URL similar to the following: phantom/rest/container?_filter_tags_contains="sumo".

  B. phantom/rest/search/app/contains/"sumo"

  C. Browse to the Django Filter Query Editor in the Administration panel.

  D. Install the SOAR Django App first, then configure the search query in the App editor.

  Correct Answer: A

  Django filter queries in Splunk SOAR are performed by appending filter parameters directly to the REST API URL. This allows users to refine their search and retrieve specific data. For example, to filter containers by tags containing the word

  "sumo", the following URL structure would be used:

  https:///rest/container?_filter_tags_contains="sumo". This format enables users to construct dynamic queries that can filter results based on specified criteria within the Django framework used by Splunk SOAR.

  The correct way to perform a Django filter query in Splunk SOAR is to add parameters to the URL similar to the following: phantom/rest/container?_filter_tags_contains="sumo". This will return a list of containers that have the tag "sumo" in

  them. You can use various operators and fields to filter the results according to your needs. For more details, see Query for Data and Use filters in your Splunk SOAR (Cloud) playbook to specify a subset of artifacts before further processing.

  The other options are either incorrect or irrelevant for this question. For example:

  Phantom/rest/search/app/contains/"sumo" is not a valid URL for a Django filter query. It will return an error message saying "Invalid endpoint".

  There is no Django Filter Query Editor in the Administration panel of Splunk SOAR. You can use the REST API Tester to test your queries, but not to edit them.

  There is no SOAR Django App that needs to be installed or configured for performing Django filter queries. Splunk SOAR uses the Django framework internally, but you do not need to install or use any additional apps for this purpose.