Splunk SPLK-2003 Exam Questions

Question 6 of 55

Which visual playbook editor block is used to assemble commands and data into a valid Splunk search within a SOAR playbook?

An action block.

A filter block.

A prompt block.

A format block.

Correct Answer: A

Question 7 of 55

Which of the following contains official SOAR documentation for the latest releases?

Slack and Github.

Splunk Server and docs.splunk.com.

SOAR Server and soar.splunk.com.

SOAR Server and docs.splunk.com.

Correct Answer: D

Question 8 of 55

Two action blocks, geolocate_ip_1 and file_reputation_2, are connected to a decision block. Which of the following is a correct configuration for making a decision on the action results from one of the given blocks?

Select parameter set to: file_reputation_2:action_result.data.*.response_code; evaluation option set to: ==; and the Select Value set to: custom_list:Banned Countries.

Select parameter set to: geolocate_ip_1:action_result.data.*.country_iso_code; evaluation option set to: in; and the Select Value set to: custom_list:Banned Countries.

Select parameter set to: geolocate_ip_1:action_result.cef.*.country_iso_code; evaluation option set to: !=; and the Select Value box left empty.

Select parameter set to: file_reputation_2:action_result.cef.*.response_code; evaluation option set to: in; and the Select Value set to: United States.

Correct Answer: B

The correct configuration involves checking the country code obtained from the geolocate_ip_1 action block against a list of banned countries. Therefore, the Select parameter should be set to geolocate_ip_1:action_result.data.*.country_iso_code, the evaluation option should be set to 'in,' and the Select Value should be set to custom_list:Banned Countries. This configuration accurately assesses whether the IP address falls within a banned country based on the geolocation data.

Question 9 of 55

What is enabled if the Logging option for a playbook' s settings is enabled?

The playbook will write detailed execution information into the spawn.loq.

More detailed information is available in the debug window.

All modifications to the playbook will be written to the audit log.

More detailed logging information is available in the Investigation page.

Correct Answer: D

Enabling the Logging option for a playbook's settings means that more detailed logging information is available in the Investigation page. This aids in thorough inspection and understanding of each step executed, helping in investigating any issues or actions taken by the playbook.

Question 10 of 55

Which of the following items cannot be modified once entered into SOAR?

A comment.

A note.

A container.

An artifact.

Correct Answer: C

A container in a SOAR (Security Orchestration, Automation, and Response) system refers to the core structure that holds the data related to incidents or events. Once a container is created, its basic properties, such as ID and initial metadata, cannot be modified. This is essential for maintaining the integrity and traceability of incident data. Other elements, like comments, notes, and artifacts, can typically be modified to allow for updates and additional context as an incident evolves.