Free Updated SPLK-2003 Exam Dumps

Uploaded by donghuachan1281

Itfreedumps provides the latest online questions for all IT certifications, such as IBM, Microsoft, CompTIA, Huawei, and so on.

Hot exams are available below.

AZ-204 Developing Solutions for Microsoft Azure
820-605 Cisco Customer Success Manager
MS-203 Microsoft 365 Messaging
HPE2-T37 Using HPE OneView
300-415 Implementing Cisco SD-WAN Solutions (ENSDWI)
DP-203 Data Engineering on Microsoft Azure
500-220 Engineering Cisco Meraki Solutions v1.0
NACE-CIP1-001 Coating Inspector Level 1
NACE-CIP2-001 Coating Inspector Level 2
200-301 Implementing and Administering Cisco Solutions

Share some SPLK-2003 exam online questions below.

1.Which app allows a user to send Splunk Enterprise Security notable events to Phantom?
A. Any of the integrated Splunk/Phantom Apps
B. Splunk App for Phantom Reporting.
C. Splunk App for Phantom.
D. Phantom App for Splunk.
Answer: C
Explanation:
The Splunk App for Phantom is designed to facilitate the integration between Splunk Enterprise
Security and Splunk SOAR (Phantom), enabling the seamless forwarding of notable events from
Splunk to Phantom. This app allows users to leverage the analytical and data processing capabilities
of Splunk ES and utilize Phantom for automated orchestration and response. The app typically
includes mechanisms for specifying which notable events to send to Phantom, formatting the data
appropriately, and ensuring secure communication between the two platforms. This integration is
crucial for organizations looking to combine the strengths of Splunk's SIEM capabilities with
Phantom's automation and orchestration features to enhance their security operations.

2.Which of the following can be configured in the ROI Settings?
A. Number of full time employees (FTEs).
B. Time lost.
C. Analyst hours per month.
D. Annual analyst salary.
Answer: C
Explanation:
The ROI Settings dashboard allows you to configure the parameters used to estimate the data displayed
in the Automation ROI Summary dashboard. One of the settings that can be configured is the FTE
Gained, which is the number of full time employees (FTEs) that are freed up by automation. To
calculate this value, Splunk SOAR divides the number of actions run by automation by the number of
expected actions an analyst would take, based on minutes per action and analyst hours per day.
Therefore, option A is the correct answer, as it is one of the settings that can be configured in the ROI
Settings dashboard.
Option B is incorrect, because time lost is not a setting that can be configured in the ROI Settings
dashboard, but a metric that is calculated by Splunk SOAR based on the difference between the
analyst minutes per action and the actual minutes per action.
Option C is incorrect, because analyst hours per month is not a setting that can be configured in the
ROI Settings dashboard, but a value that is derived from the analyst hours per day setting.
Option D is incorrect, because annual analyst salary is a setting that can be configured in the ROI
Settings dashboard, but not the one that is asked in the question.
Reference: Configure the ROI Settings dashboard in Administer Splunk SOAR (On-premises).
ROI (Return on Investment) Settings within Splunk SOAR are used to estimate the efficiency and
financial impact of the SOAR platform. One of the configurable parameters in these settings is the
'Analyst hours per month'. This parameter helps in calculating the time saved through automation,
which in turn can be translated into cost savings and efficiency gains. It reflects the direct contribution
of the SOAR platform to operational productivity.

3.Some of the playbooks on the Phantom server should only be executed by members of the admin
role.
How can this rule be applied?
A. Add a filter block to all restricted playbooks that filters for runRole = "Admin".
B. Add a tag with restricted access to the restricted playbooks.
C. Make sure the Execute Playbook capability is removed from all roles except admin.
D. Place restricted playbooks in a second source repository that has restricted access.
Answer: C
Explanation:
The correct answer is C because the best way to restrict the execution of playbooks to members of
the admin role is to make sure the Execute Playbook capability is removed from all roles except
admin. The Execute Playbook capability is a permission that allows a user to run any playbook on any
container. By default, all roles have this capability, but it can be removed or added in the Phantom UI
by going to Administration > User Management > Roles. Removing this capability from all roles
except admin will ensure that only admin users can execute playbooks. See Splunk SOAR
Documentation for more details. To ensure that only members of the admin role can execute specific
playbooks on the Phantom server, the most effective approach is to manage role-based access
controls (RBAC) directly. By configuring the system to remove the "Execute Playbook" capability from
all roles except for the admin role, you can enforce this rule. This method leverages Phantom's built-in
RBAC mechanisms to restrict playbook execution privileges. It is a straightforward and secure way to
ensure that only users with the necessary administrative privileges can initiate the execution of
sensitive or critical playbooks, thus maintaining operational security and control.

4.Which of the following accurately describes the Files tab on the Investigate page?
A. A user can upload the output from a detonate action to the Files tab for further investigation.
B. Files tab items and artifacts are the only data sources that can populate active cases.
C. Files tab items cannot be added to investigations. Instead, add them to action blocks.
D. Phantom memory requirements remain static, regardless of Files tab usage.
Answer: A
Explanation:
The Files tab on the Investigate page allows the user to upload, download, and view files related to an
investigation. A user can upload the output from a detonate action to the Files tab for further
investigation, such as analyzing the file metadata, content, or hash. Files tab items and artifacts are
not the only data sources that can populate active cases, as cases can also include events, tasks,
notes, and comments. Files tab items can be added to investigations by using the add file action
block or the Add File button on the Files tab. Phantom memory requirements may increase depending
on the Files tab usage, as files are stored in the Phantom database.
The Files tab on the Investigate page in Splunk Phantom is an area where users can manage and
analyze files related to an investigation. Users can upload files, such as outputs from a 'detonate file'
action which analyzes potentially malicious files in a sandbox environment. The files tab allows users
to store and further investigate these outputs, which can include reports, logs, or any other file types
that have been generated or are relevant to the investigation. The Files tab is an integral part of the
investigation process, providing easy access to file data for analysis and correlation with other
incident data.

5.Under Asset Ingestion Settings, how many labels must be applied when configuring an asset?
A. Labels are not configured under Asset Ingestion Settings.
B. One.
C. One or more.
D. Zero or more.
Answer: D
Explanation:
Under Asset Ingestion Settings in Splunk SOAR, when configuring an asset, the number of labels that
must be applied can be zero or more. Labels are optional and are used to categorize data and control
access. They are not a requirement under Asset Ingestion Settings, but they can be used to enhance
organization and filtering if chosen.

6.A user wants to get the playbook results for a single artifact.
Which steps will accomplish this?
A. Use the contextual menu from the artifact and select run playbook.
B. Use the run playbook dialog and set the scope to the artifact.
C. Create a new container including just the artifact in question.
D. Use the contextual menu from the artifact and select the actions.
Answer: A
Explanation:
To get playbook results for a single artifact, a user can utilize the contextual menu option directly from
the artifact itself. This method allows for targeted execution of a playbook on just that artifact,
facilitating a focused analysis or action based on the data within that specific artifact. This approach is
particularly useful when a user needs to drill down into the details of an individual piece of evidence or
data point within a larger incident or case, allowing for granular control and execution of playbooks in
the Splunk SOAR environment.

7.In addition to full backups, Phantom supports what other backup type using backup?
A. Snapshot
B. Incremental
C. Partial
D. Differential
Answer: B
Explanation:
Splunk Phantom supports incremental backups in addition to full backups. An incremental backup is a
type of backup that only copies the data that has changed since the last backup (whether that was a
full backup or another incremental backup). This method is more storage-efficient than a full backup
because it does not repeatedly back up the same data, reducing the amount of storage required and
speeding up the backup process. Differential backups, which record the changes since the last full
backup, and partial backups, which allow the selection of specific data to back up, are not standard
backup types offered by Splunk Phantom according to its documentation.

8.Which of the following queries would return all artifacts that contain a SHA1 file hash?
A. https://<PHANTOM_URL>/rest/artifact?_filter_cef_md5_insull=false
B. https://<PHANTOM_URL>/rest/artifact?_filter_cef_Sha1_contains=""
C. https://<PHANTOM_URL>/rest/artifact?_filter_cef_sha1_insull=False
D. https://<PHANTOM_URL>/rest/artifact?_filter_sha1__insull=False
Answer: B
Explanation:
To return all artifacts that contain a SHA1 file hash using the Splunk SOAR REST API, the correct
query would use the _filter_cef_Sha1_contains parameter. This parameter filters the artifacts to only
those that contain a value in the SHA1 field within the Common Event Format (CEF) data structure.
The contains operator is used to match any artifacts that have a SHA1 hash present.
Reference: Understanding artifacts - Splunk Documentation

9.How can a child playbook access the parent playbook's action results?
A. Child playbooks can access parent playbook data while the parent is still running.
B. By setting scope to ALL when starting the child.
C. When configuring the playbook block in the parent, add the desired results in the Scope
parameter.
D. The parent can create an artifact with the data needed by the child.
Answer: C
Explanation:
In Splunk Phantom, child playbooks can access the action results of a parent playbook through the
use of the Scope parameter. When a parent playbook calls a child playbook, it can pass certain data
along by setting the Scope parameter to include the desired action results. This parameter is
configured within the playbook block that initiates the child playbook. By specifying the appropriate
scope, the parent playbook effectively determines what data the child playbook will have access to,
allowing for a more modular and organized flow of information between playbooks.

10.How can an individual asset action be manually started?
A. With the > action button in the analyst queue page.
B. By executing a playbook in the Playbooks section.
C. With the > action button in the Investigation page.
D. With the > asset button in the asset configuration section.
Answer: C
Explanation:
An individual asset action can be manually started with the > action button in the Investigation page.
This allows the user to select an asset and an action to perform on it. The other options are not valid
ways to start an asset action manually. See Performing asset actions for more information. Individual
asset actions in Splunk SOAR can be manually initiated from the Investigation page of a container.
The "> action" button on this page allows users to execute specific actions associated with assets
directly, enabling on-the-fly operations on artifacts or indicators within a container. This feature is
particularly useful for ad-hoc analysis and actions, allowing analysts to respond to or investigate
specific aspects of an incident without the need for a full playbook.

11.Which of the following can be done with the System Health Display?
A. Create a temporary, edited version of a process and test the results.
B. Partially rewind processes, which is useful for debugging.
C. View a single column of status for SOAR processes. For metrics, click Details.
D. Reset DECIDED to reset playbook environments back to at-start conditions.
Answer: C
Explanation:
The System Health Display is a dashboard that shows the status and performance of the SOAR
processes and components, such as the automation service, the playbook daemon, the DECIDED
process, and the REST API. One of the things that can be done with the System Health Display is to
reset DECIDED, which is a core component of the SOAR automation engine that handles the
execution of playbooks and actions. Resetting DECIDED can be useful for troubleshooting or
debugging purposes, as it resets the playbook environments back to at-start conditions, meaning that
any changes made by the playbooks are discarded and the playbooks are reloaded. To reset
DECIDED, you need to click on the Reset DECIDED button on the System Health Display dashboard.
Therefore, option D is the correct answer, as it is the only option that can be done with the System
Health Display.
Option A is incorrect, because creating a temporary, edited version of a process and testing the
results is not something that can be done with the System Health Display, but rather with the
Debugging dashboard, which allows you to modify and run a process in a sandbox environment.
Option B is incorrect, because partially rewinding processes, which is useful for debugging, is not
something that can be done with the System Health Display, but rather with the Rewind feature,
which allows you to go back to a previous state of a process and resume the execution from there.
Option C is incorrect, because viewing a single column of status for SOAR processes is not
something that can be done with the System Health Display, but rather with the Status Display
dashboard, which shows a simplified view of the SOAR processes and their status.

12.What is the default embedded search engine used by Phantom?
A. Embedded Splunk search engine.
B. Embedded Phantom search engine.
C. Embedded Elastic search engine.
D. Embedded Django search engine.
Answer: A
Explanation:
The default embedded search engine used by Splunk SOAR (formerly known as Phantom) is the
embedded Splunk search engine.
Here’s a detailed explanation:
Embedded Splunk Search Engine:
Splunk SOAR uses an embedded, preconfigured version of Splunk Enterprise as its native search
engine.
This integration allows for powerful searching capabilities within Splunk SOAR, leveraging Splunk’s
robust search and indexing features.
Search Configuration:
While the embedded Splunk search engine is the default, organizations have the option to configure
Splunk SOAR to use a different Splunk Enterprise deployment or an external Elasticsearch instance.
This flexibility allows organizations to tailor their search infrastructure to their specific needs and
existing environments.
Search Capabilities:
The embedded Splunk search engine enables users to perform complex searches, analyze data, and
generate reports directly within the Splunk SOAR platform.
It supports the full range of Splunk’s search processing language (SPL) commands, functions, and
visualizations.
Reference: Splunk SOAR Documentation: Configure search in Splunk Phantom; Splunk SOAR
Documentation: Configure search in Splunk SOAR (On-premises).
In summary, the embedded Splunk search engine is the default search engine in Splunk SOAR,
providing a seamless and powerful search experience for users within the platform.

13.What metrics can be seen from the System Health Display? (select all that apply)
A. Playbook Usage
B. Memory Usage
C. Disk Usage
D. Load Average
Answer: BCD
Explanation:
The System Health Display is a dashboard that shows the status and performance of the SOAR
processes and components, such as the automation service, the playbook daemon, the DECIDED
process, and the REST API.
Some of the metrics that can be seen from the System Health Display are:
• Memory Usage: The percentage of memory used by the system and the processes.
• Disk Usage: The percentage of disk space used by the system and the processes.
• Load Average: The average number of processes in the run queue or waiting for disk I/O over a
period of time.
Therefore, options B, C, and D are the correct answers, as they are the metrics that can be seen from
the System Health Display.
Option A is incorrect, because Playbook Usage is not a metric that can be seen from the System
Health Display, but rather a metric that can be seen from the Playbook Usage dashboard, which
shows the number of playbooks and actions run over a period of time.
The System Health Display in Splunk SOAR provides several metrics to help monitor and manage the
health of the system.
These typically include:
• B: Memory Usage - This metric shows the amount of memory being used by the SOAR platform,
which is important for ensuring that the system does not exceed available resources.
• C: Disk Usage - This metric indicates the amount of storage space being utilized, which is crucial for
maintaining adequate storage resources and for planning capacity.
• D: Load Average - This metric provides an indication of the overall load on the system over a period
of time, which helps in understanding the system's performance and in identifying potential
bottlenecks or issues.
Playbook Usage is generally not a metric displayed on the System Health page; instead, it's more
related to the usage analytics of playbooks rather than system health metrics.

14.Within the 12A2 design methodology, which of the following most accurately describes the last
step?
A. List of the apps used by the playbook.
B. List of the actions of the playbook design.
C. List of the outputs of the playbook design.
D. List of the data needed to run the playbook.
Answer: C
Explanation:
The correct answer is C because the last step of the 12A2 design methodology is to list the outputs of
the playbook design. The outputs are the expected results or outcomes of the playbook execution,
such as sending an email, creating a ticket, blocking an IP, etc. The outputs should be aligned with
the objectives and goals of the playbook. See Splunk SOAR Certified Automation Developer for more
details.
The 12A2 design methodology in the context of Splunk SOAR (formerly Phantom) refers to a
structured approach to developing playbooks. The last step in this methodology focuses on defining
the outputs of the playbook design. This step is crucial as it outlines what the expected results or
actions the playbook should achieve upon its completion. These outputs can vary widely, from
sending notifications, creating tickets, updating statuses, to generating reports. Defining the outputs is
essential for understanding the playbook's impact on the security operation workflows and how it
contributes to resolving security incidents or automating tasks.

15.What are indicators?
A. Action result items that determine the flow of execution in a playbook.
B. Action results that may appear in multiple containers.
C. Artifact values that can appear in multiple containers.
D. Artifact values with special security significance.
Answer: C
Explanation:
Indicators in Splunk SOAR (formerly Phantom) are crucial elements used to detect and respond to
security incidents. Let’s break down what indicators are and their significance:
Definition of Indicators:
Indicators are data points or patterns that suggest the presence of malicious activity or potential
security threats.
They can be anything from IP addresses, domain names, file hashes, URLs, email addresses, or
other observable artifacts.
Indicators help security teams identify and correlate events across different sources to understand the
scope and impact of an incident.
Types of Indicators:
Observable Indicators: These are directly observable artifacts, such as IP addresses, domain names,
or file hashes.
Behavioral Indicators: These describe patterns of behavior, such as failed login attempts, lateral
movement, or suspicious network traffic.
Contextual Indicators: These provide additional context around an event, such as the user account
associated with an action or the time of occurrence.
Use Cases for Indicators:
Threat Detection: Security analysts create rules or playbooks that trigger based on specific indicators.
For example, an indicator like a known malicious IP address can trigger an alert.
Incident Response: During an incident, indicators help identify affected systems, track lateral
movement, and prioritize response efforts.
Threat Intelligence Sharing: Organizations share indicators with each other to improve collective
security posture.
Multiple Containers:
Indicators can appear in multiple containers (playbooks, actions, etc.) within Splunk SOAR.
For example, an IP address associated with a suspicious domain might appear in both a threat
intelligence playbook and an incident response playbook.
Artifact Values vs. Indicators:
While artifact values are related, they are not the same as indicators.
Artifact values represent specific data extracted from an artifact (e.g., extracting an IP address from
an email header).
Indicators encompass a broader range of data points and are used for detection and correlation.
Reference: Splunk SOAR Documentation: Indicators
Splunk SOAR Community: Understanding Indicators

Get SPLK-2003 exam dumps full version.