Updated Nov-2023 Exam SPLK-2003 Dumps - Pass Your Certification Exam [Q15-Q34]

Updated Nov-2023 Exam SPLK-2003 Dumps – Pass Your Certification Exam [Q15-Q34]

November 22, 2023 admin 0 Comments

4.7/5 - (3 votes)

Updated Nov-2023 Exam SPLK-2003 Dumps – Pass Your Certification Exam

Latest Real Splunk SPLK-2003 Exam Dumps Questions

Successful completion of the SPLK-2003 exam leads to the Splunk Phantom Certified Admin certification, which validates the knowledge and skills required to effectively manage and administer Splunk Phantom in a production environment. Splunk Phantom Certified Admin certification is recognized by employers and organizations worldwide, and demonstrates an individual’s commitment to staying up-to-date with the latest security automation and orchestration technologies.

NO.15 Splunk user account(s) with which roles must be created to configure Phantom with an external Splunk Enterprise instance?

superuser, administrator

phantomcreate. phantomedit

phantomsearch, phantomdelete

admin,user

NO.16 Which of the following can be configured in the ROl Settings?

Analyst hours per month.

Time lost.

Number of full time employees (FTEs).

Annual analyst salary.

Explanation
The correct answer is C because the number of full time employees (FTEs) is one of the settings that can be configured in the Return on Investment (ROI) Settings page. This setting is used to calculate the ROI metrics based on the number of analysts in the organization. The answer A is incorrect because the analyst hours per month is not a configurable setting, but a calculated metric based on the FTEs and the average hours per month. The answer B is incorrect because the time lost is not a configurable setting, but a calculated metric based on the number of incidents and the average time lost per incident. The answer D is incorrect because the annual analyst salary is not a configurable setting, but a calculated metric based on the FTEs and the average salary per analyst. Reference: Splunk SOAR Admin Guide, page 131.

NO.17 Which of the following applies to filter blocks?

Can select which blocks have access to container data.

Can select assets by tenant, approver, or app.

Can be used to select data for use by other blocks.

Can select containers by seventy or status.

NO.18 Which of the following is a best practice for use of the global block?

Execute code at the beginning of each run of the playbook.

Declare outputs which will be selectable within playbook blocks.

Import packages which will be used within the playbook.

Execute custom code after each run of the playbook.

NO.19 Which of the following are the default ports that must be configured on Splunk to allow connections from Phantom?

SplunkWeb (8088), SplunkD (8089), HTTP Collector (8000)

SplunkWeb (8089), SplunkD (8088), HTTP Collector (8000)

SplunkWeb (8421), SplunkD (8061), HTTP Collector (8798)

SplunkWeb (8000), SplunkD (8089), HTTP Collector (8088)

NO.20 Which Phantom VPE Nock S used to add information to custom lists?

Action blocks

Filter blocks

API blocks

Decision blocks

NO.21 What do assets provide for app functionality?

Assets provide location, credentials, and other parameters needed to run actions.

Assets provide hostnames, passwords, and other artifacts needed to run actions.

Assets provide Python code, REST API, and other capabilities needed to run actions.

Assets provide firewall, network, and data sources needed to run actions.

Explanation
The correct answer is A because assets provide location, credentials, and other parameters needed to run actions. Assets are configurations that define how Phantom connects to external systems or devices, such as firewalls, endpoints, or threat intelligence sources. Assets specify the app, the IP address or hostname, the username and password, and any other settings required to run actions on the target system or device. The answer B is incorrect because assets do not provide hostnames, passwords, and other artifacts needed to run actions, which are data objects that can be created or retrieved by playbooks. The answer C is incorrect because assets do not provide Python code, REST API, and other capabilities needed to run actions, which are provided by apps. The answer D is incorrect because assets do not provide firewall, network, and data sources needed to run actions, which are external systems or devices that can be connected to by assets.
Reference: Splunk SOAR Admin Guide, page 45.

NO.22 Which of the following is a best practice for use of the global block?

Execute code at the beginning of each run of the playbook.

Declare outputs which will be selectable within playbook blocks.

Import packages which will be used within the playbook.

Execute custom code after each run of the playbook.

Explanation
The correct answer is C because the global block can be used to import packages that will be used within the playbook. This can be useful for importing external libraries or custom modules that provide additional functionality or logic for the playbook. The answer A is incorrect because the global block cannot be used to execute code at the beginning of each run of the playbook, as the global block is only executed once when the playbook is loaded. The answer B is incorrect because the global block cannot be used to declare outputs that will be selectable within playbook blocks, as the outputs are declared in the individual blocks that produce them. The answer D is incorrect because the global block cannot be used to execute custom code after each run of the playbook, as the global block is only executed once when the playbook is loaded. Reference: Splunk SOAR Playbook Development Guide, page 34.

NO.23 Which Phantom VPE Nock S used to add information to custom lists?

Action blocks

Filter blocks

API blocks

Decision blocks

Explanation
Filter blocks are used to add information to custom lists in Phantom VPE. Filter blocks allow the user to specify a list name and a filter expression to select the data to be added to the list. Action blocks are used to execute app actions, API blocks are used to make REST API calls, and decision blocks are used to evaluate conditions and branch the playbook execution. Reference, page 14.

NO.24 A filter block with only one condition configured which states: artifact.*.cef .sourceAddress !- , would permit which of the following data to pass forward to the next block?

Null IP addresses

Non-null IP addresses

Non-null destinationAddresses

Null values

Explanation
A filter block with only one condition configured which states: artifact.*.cef .sourceAddress !- , would permit only non-null IP addresses to pass forward to the next block. The !- operator means “is not null”. The other options are not valid because they either include null values or other fields than sourceAddress. See Filter block for more details.

NO.25 Which of the following describes the use of labels m Phantom?

Labels determine the service level agreement (SLA) for a container.

Labels control the default seventy, ownership, and sensitivity for the container.

Labels control which apps are allowed to execute actions on the container.

Labels determine which playbook(s) are executed when a container is created.

Explanation
The correct answer is D because labels determine which playbook(s) are executed when a container is created.
Labels are tags that can be applied to containers to categorize them and trigger playbook automation. Labels can be added manually or automatically based on rules or ingestion settings. The answer A is incorrect because labels do not determine the service level agreement (SLA) for a container, which is a metric that measures the time taken to resolve a case. The answer B is incorrect because labels do not control the default severity, ownership, and sensitivity for the container, which are attributes that can be set independently of labels. The answer C is incorrect because labels do not control which apps are allowed to execute actions on the container, which are determined by the asset configuration and the playbook logic. Reference: Splunk SOAR User Guide, page 23.

NO.26 When working with complex datapaths, which operator is used to access a sub-element inside another element?

!(pipe)

*(asterisk)

:(colon)

.(dot)

NO.27 Without customizing container status within Phantom, what are the three types of status for a container?

New, In Progress, Closed

Low, Medium, High

Mew, Open, Resolved

Low, Medium, Critical

Explanation
The correct answer is C because without customizing container status within Phantom, the three types of status for a container are New, Open, and Resolved. A container is a data object that represents an event or incident that needs to be investigated or remediated. A container has a status attribute that indicates its current state. The default values for the status attribute are New, Open, and Resolved. New means that the container has been created but not yet processed. Open means that the container is being processed by a playbook or a user. Resolved means that the container has been processed and closed. You can customize the container status values in the Phantom UI by going to Administration > Product Settings > Container Status. See Splunk SOAR Documentation for more details.

NO.28 A user wants to use their Splunk Cloud instance as the external Splunk instance for Phantom. What ports need to be opened on the Splunk Cloud instance to facilitate this? Assume default ports are in use.

TCP 8088 and TCP 8099.

TCP 80 and TCP 443.

Splunk Cloud is not supported.

TCP 8080 and TCP 8191.

Explanation
A user who wants to use their Splunk Cloud instance as the external Splunk instance for Phantom needs to open TCP 8088 and TCP 8099 ports on the Splunk Cloud instance. TCP 8088 is used for the HTTP Event Collector (HEC) service, which allows Phantom to send data to Splunk Cloud. TCP 8099 is used for the Splunk REST API service, which allows Phantom to query data from Splunk Cloud. The other port combinations are not valid for this scenario. Splunk Cloud is supported as an external Splunk instance for Phantom. Reference, page 6.

NO.29 In this image, which container fields are searched for the text “Malware”?

Event Name and Artifact Names.

Event Name, Notes, Comments.

Event Name or ID.

Explanation
The correct answer is A because the image shows the search interface of the Splunk SOAR product, where the user can search for events and artifacts based on various criteria. The image shows that the user has entered the text “Malware” in the search bar, which means that the search will look for events and artifacts that have the term “Malware” in their name. The answer B is incorrect because the search interface does not search for notes or comments, which are separate entities in the Splunk SOAR product. The answer C is incorrect because the search interface does not search for event ID, which is a unique identifier for each event. Reference: Splunk SOAR User Guide, page 21.

NO.30 Which of the following are the steps required to complete a full backup of a Splunk Phantom deployment’ Assume the commands are executed from /opt/phantom/bin and that no other backups have been made.

On the command line enter: rode sudo python ibackup.pyc –setup, then audo phenv python ibackup.pyc
–backup.

On the command line enter: sudo phenv python ibackup.pyc –backup -backup-type full, then sudo phenv python ibackup.pyc –setup.

Within the UI: Select from the main menu Administration > System Health > Backup.

Within the UI: Select from the main menu Administration > Product Settings > Backup.

NO.31 Which of the following are examples of things commonly done with the Phantom REST APP

Use Django queries; use curl to create a container and add artifacts to it; remove temporary lists.

Use Django queries; use Docker to create a container and add artifacts to it; remove temporary lists.

Use Django queries; use curl to create a container and add artifacts to it; add action blocks.

Use SQL queries; use curl to create a container and add artifacts to it; remove temporary lists.

NO.32 When working with complex data paths, which operator is used to access a sub-element inside another element?

!(pipe)

*(asterisk)

:(colon)

.(dot)

Explanation
The correct answer is D because the dot (.) operator is used to access a sub-element inside another element when working with complex datapaths. For example, if the datapath is container[‘artifacts’][0][‘cef’][‘sourceAddress’], the dot operator is used to access the sourceAddress sub-element inside the cef element. The answer A is incorrect because the pipe (!) operator is used to chain multiple filters or functions when working with complex datapaths. For example, if the datapath is container[‘artifacts’][0][‘cef’][‘sourceAddress’]!startswith(’10.’), the pipe operator is used to apply the startswith function to the sourceAddress element. The answer B is incorrect because the asterisk (*) operator is used to iterate over all the elements of an array when working with complex datapaths. For example, if the datapath is container[‘artifacts’][*][‘cef’][‘sourceAddress’], the asterisk operator is used to access the sourceAddress element of all the artifacts in the container. The answer C is incorrect because the colon (:) operator is used to specify a range of elements in an array when working with complex datapaths. For example, if the datapath is container[‘artifacts’][0:5][‘cef’][‘sourceAddress’], the colon operator is used to access the sourceAddress element of the first five artifacts in the container. Reference: Splunk SOAR Playbook Development Guide, page 28.

NO.33 Which of the following is a step when configuring event forwarding from Splunk to Phantom?

Map CIM to CEF fields.

Create a Splunk alert that uses the event_forward.py script to send events to Phantom.

Map CEF to CIM fields.

Create a saved search that generates the JSON for the new container on Phantom.

NO.34 Splunk user account(s) with which roles must be created to configure Phantom with an external Splunk Enterprise instance?

superuser, administrator

phantomcreate. phantomedit

phantomsearch, phantomdelete

admin,user

Explanation
The correct answer is B because Splunk user account(s) with the roles phantomcreate and phantomedit must be created to configure Phantom with an external Splunk Enterprise instance. These roles grant the necessary permissions to create and edit Phantom containers and artifacts from Splunk events. The superuser and administrator roles are not required for this integration. See Splunk SOAR Documentation for more details.

Loading …

SPLK-2003 Dumps To Pass Splunk SOAR Certified Automation Developer Exam in One Day: https://www.topexamcollection.com/SPLK-2003-vce-collection.html

SPLK-2003 Practice Tests

Updated Nov-2023 Exam SPLK-2003 Dumps – Pass Your Certification Exam [Q15-Q34]

Related Certifications

SPLK-1003
SPLK-1001
SPLK-2001
SPLK-1002
SPLK-3001
SPLK-2003