2022 Realistic ExamcollectionPass SPLK-2003 Dumps PDF - 100% Passing Guarantee [Q17-Q39] : Free Exam Dumps Collection : http://free.examcollectionpass.com

Q17. How does a user determine which app actions are available?

Add an action block to a playbook canvas area.

Search the Apps category in the global search field.

From the Apps menu, click the supported actions dropdown for each app.

In the visual playbook editor, click Active and click the Available App Actions dropdown.

Q18. Which of the following describes the use of labels m Phantom?

Labels determine the service level agreement (SLA) for a container.

Labels control the default seventy, ownership, and sensitivity for the container.

Labels control which apps are allowed to execute actions on the container.

Labels determine which playbook(s) are executed when a container is created.

Q19. When working with complex datapaths, which operator is used to access a sub-element inside another element?

!(pipe)

*(asterisk)

:(colon)

.(dot)

Q20. When configuring a Splunk asset for Phantom to connect to a SplunkC loud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible

Enter the two queries in the asset as comma separated values.

Configure the second query in the Phantom app for Splunk.

Install a second Splunk app and configure the query in the second app.

Configure a second Splunk asset with the second query.

Q21. Which app allows a user to run Splunk queries from within Phantom?

Splunk App for Phantom?

The Integrated Splunk/Phantom app.

Phantom App for Splunk.

Splunk App for Phantom Reporting.

Q22. Which of the following can be configured in the ROl Settings?

Analyst hours per month.

Time lost.

Number of full time employees (FTEs).

Annual analyst salary.

Q23. Some of the playbooks on the Phantom server should only be executed by members of the admin role. How can this rule be applied?

Add a filter block to al restricted playbooks that Titters for runRole – “Admin”.

Add a tag with restricted access to the restricted playbooks.

Make sure the Execute Playbook capability is removed from al roles except admin.

Place restricted playbooks in a second source repository that has restricted access.

Q24. Without customizing container status within Phantom, what are the three types of status for a container?

New, In Progress, Closed

Low, Medium, High

Mew, Open, Resolved

Low, Medium, Critical

Q25. Which of the following accurately describes the Files tab on the Investigate page?

A user can upload the output from a detonate action to the the files tab for further investigation.

Files tab items and artifacts are the only data sources that can populate active cases.

Files tab items cannot be added to investigations. Instead, add them to action blocks.

Phantom memory requirements remain static, regardless of Files tab usage.

Q26. Splunk user account(s) with which roles must be created to configure Phantom with an external Splunk Enterprise instance?

superuser, administrator

phantomcreate. phantomedit

phantomsearch, phantomdelete

admin,user

Q27. What is enabled if the Logging option for a playbook’s settings is enabled?

More detailed logging information Is available m the Investigation page.

All modifications to the playbook will be written to the audit log.

More detailed information is available in the debug window.

The playbook will write detailed execution information into the spawn.log.

Q28. Which of the following is a step when configuring event forwarding from Splunk to Phantom?

Map CIM to CEF fields.

Create a Splunk alert that uses the event_forward.py script to send events to Phantom.

Map CEF to CIM fields.

Create a saved search that generates the JSON for the new container on Phantom.

Q29. Which of the following are the default ports that must be configured on Splunk to allow connections from Phantom?

SplunkWeb (8088), SplunkD (8089), HTTP Collector (8000)

SplunkWeb (8089), SplunkD (8088), HTTP Collector (8000)

SplunkWeb (8421), SplunkD (8061), HTTP Collector (8798)

SplunkWeb (8000), SplunkD (8089), HTTP Collector (8088)

Q30. On a multi-tenant Phantom server, what is the default tenant’s ID?

Default

Q31. A user wants to get the playbook results for a single artifact. Which steps will accomplish the?

Use the contextual menu from the artifact and select run playbook.

Use the run playbook dialog and set the scope to the artifact.

Create a new container including Just the artifact in question.

Use the contextual menu from the artifact and select the actions.

Q32. Which is the primary system requirement that should be increased with heavy usage of the file vault?

Amount of memory.

Number of processors.

Amount of storage.

Bandwidth of network.

Q33. Within the 12A2 design methodology, which of the following most accurately describes the last step?

List of the apps used by the playbook.

List of the actions of the playbook design.

List of the outputs of the playbook design.

List of the data needed to run the playbook.

Q34. In this image, which container fields are searched for the text “Malware”?

Event Name and Artifact Names.

Event Name, Notes, Comments.

Event Name or ID.

Q35. What does a user need to do to have a container with an event from Splunk use context-aware actions designed for notable events?

Include the notable event’s event_id field and set the artifacts label to aplunk notable event id.

Rename the event_id field from the notable event to splunkNotableEventld.

Include the event_id field in the search results and add a CEF definition to Phantom for event_id, datatype splunk notable event id.

Add a custom field to the container named event_id and set the custom field’s data type to splunk notable event id.

Q36. How can an individual asset action be manually started?

With the > action button in the analyst queue page.

By executing a playbook in the Playbooks section.

With the > action button in the Investigation page.

With the > asset button in the asset configuration section.

Q37. A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes. What is the cause of this behavior?

Incorrect Join configuration on the second playbook.

The first playbook is performing poorly.

The steep option for the second playbook is not set to a long enough interval.

Synchronous execution has not been configured.

Q38. When is using decision blocks most useful?

When selecting one (or zero) possible paths in the playbook.

When processing different data in parallel.

When evaluating complex, multi-value results or artifacts.

When modifying downstream data hi one or more paths in the playbook.

Q39. Which app allows a user to send Splunk Enterprise Security notable events to Phantom?

Any of the integrated Splunk/Phantom Apps

Splunk App for Phantom Reporting.

Splunk App for Phantom.

Phantom App for Splunk.