Splunk SPLK-2003 Splunk SOAR Certified Automation Developer Exam Online Training

Question #21

What values can be applied when creating Custom CEF field?

A . Name
B . Name, Data Type
C . Name, Value
D . Name, Data Type, Severity

Question #22

What is enabled if the Logging option for a playbook’s settings is enabled?

A . More detailed logging information Is available m the Investigation page.
B . All modifications to the playbook will be written to the audit log.
C . More detailed information is available in the debug window.
D . The playbook will write detailed execution information into the spawn.log.

Correct Answer: A
A

Explanation:

In Splunk SOAR (formerly known as Phantom), enabling the Logging option for a playbook’s settings primarily affects how logging information is displayed on the Investigation page. When this option is enabled, more detailed logging information is made available on the Investigation page, which can be crucial for troubleshooting and understanding the execution flow of the playbook. This detailed information can include execution steps, actions taken, and conditional logic paths followed during the playbook run.

It’s important to note that enabling logging does not affect the audit logs or the debug window directly, nor does it write execution details to the spawn.log. Instead, it enhances the visibility and granularity of logs displayed on the specific Investigation page related to the playbook’s execution.

Reference: Splunk Documentation and SOAR User Guides typically outline the impacts of enabling various

settings within the playbook configurations, explaining how these settings affect the operation and logging within the system. For specific references, consulting the latest Splunk SOAR documentation would provide the most accurate and detailed guidance.

Enabling the Logging option for a playbook’s settings in Splunk SOAR indeed affects the level of detail provided on the Investigation page.

Here’s a comprehensive explanation of its impact:

Investigation Page Logging:

The Investigation page serves as a centralized location for reviewing all activities related to an incident or event within Splunk SOAR.

When the Logging option is enabled, it enhances the level of detail available on this page, providing a granular view of the playbook’s execution.

This includes detailed information about each action’s execution, such as parameters used, results obtained, and any conditional logic that was evaluated.

Benefits of Detailed Logging:

Troubleshooting: It becomes easier to diagnose issues within a playbook when you can see a detailed log of its execution.

Incident Analysis: Analysts can better understand the sequence of events and the decisions made by the playbook during an incident.

Playbook Optimization: Developers can use the detailed logs to refine and improve the playbook’s logic and performance.

Non-Impacted Areas:

The audit log, which tracks changes to the playbook itself, is not affected by the Logging option.

The debug window, used for real-time debugging during playbook development, also remains unaffected.

The spawn.log file, which contains internal operational logs for the Splunk SOAR platform, does not receive detailed execution information from playbooks.

Best Practices:

Enable detailed logging during the development and testing phases of a playbook to ensure thorough analysis and debugging.

Consider the potential impact on storage and performance when enabling detailed logging in a

production environment.

Reference: For the most accurate and up-to-date guidance on playbook settings and their effects, I recommend consulting the latest Splunk SOAR documentation and user guides. These resources provide in-depth information on configuring playbooks and understanding the implications of various settings within the Splunk SOAR platform.

In summary, the Logging option is a powerful feature that enhances the visibility of playbook operations on the Investigation page, aiding in incident analysis and ensuring that playbooks are functioning correctly. It is an essential tool for security teams to effectively manage and respond to incidents within their environment.

Question #23

Is it possible to import external Python libraries such as the time module?

A . No.
B . No, but this can be changed by setting the proper permissions.
C . Yes, in the global block.
D . Yes. from a drop-down menu.

Reveal Solution Hide Solution

Question #24

How can an individual asset action be manually started?

A . With the > action button in the analyst queue page.
B . By executing a playbook in the Playbooks section.
C . With the > action button in the Investigation page.
D . With the > asset button in the asset configuration section.

Reveal Solution Hide Solution

Question #25

What is the default embedded search engine used by Phantom?

A . Embedded Splunk search engine.
B . Embedded Phantom search engine.
C . Embedded Elastic search engine.
D . Embedded Django search engine.

Reveal Solution Hide Solution

Question #26

A filter block with only one condition configured which states: artifact.*.cef .sourceAddress !- , would permit which of the following data to pass forward to the next block?

A . Null IP addresses
B . Non-null IP addresses
C . Non-null destinationAddresses
D . Null values

Reveal Solution Hide Solution

Question #27

A user wants to get the playbook results for a single artifact.

Which steps will accomplish the?

A . Use the contextual menu from the artifact and select run playbook.
B . Use the run playbook dialog and set the scope to the artifact.
C . Create a new container including Just the artifact in question.
D . Use the contextual menu from the artifact and select the actions.

Reveal Solution Hide Solution

Question #28

What is the main purpose of using a customized workbook?

A . Workbooks automatically implement a customized processing of events using Python code.
B . Workbooks guide user activity and coordination during event analysis and case operations.
C . Workbooks apply service level agreements (SLAs) to containers and monitor completion status on the ROI dashboard.
D . Workbooks may not be customized; only default workbooks are permitted within Phantom.

Reveal Solution Hide Solution

Question #29

Which of the following is a step when configuring event forwarding from Splunk to Phantom?

A . Map CIM to CEF fields.
B . Create a Splunk alert that uses the event_forward.py script to send events to Phantom.
C . Map CEF to CIM fields.
D . Create a saved search that generates the JSON for the new container on Phantom.

Reveal Solution Hide Solution

Question #30

Which is the primary system requirement that should be increased with heavy usage of the file vault?

A . Amount of memory.
B . Number of processors.
C . Amount of storage.
D . Bandwidth of network.

Reveal Solution Hide Solution