SPLK-2003 Practice Exam — 89 Free Splunk Questions

Join Us Among the Stars

Sign Up & unlock 100% of Exam Questions

Log in / Sign up

No Strings Attached!

89Practice Questions

3Study Modes

Free

TopicSort

Question 1

Detection Engineering

Which of the following can be edited or deleted in the Investigation page?

A Action results
B Comments
C Artifact values
D Approval records

Question 2

Automation and Efficiency

Question 3

Building Effective Security Processes and Programs

Question 4

Automation and Efficiency

Question 5

Automation and Efficiency

Question 6

Detection Engineering

Question 7

Detection Engineering

Question 8

Data Engineering

Question 9

Detection Engineering

Question 10

Automation and Efficiency

Question 11

Auditing and Reporting on Security Programs

Question 12

Data Engineering

Question 13

Auditing and Reporting on Security Programs

Question 14

Data Engineering

Question 15

Automation and Efficiency

Question 16

Detection Engineering

Question 17

Data Engineering

Question 18

Automation and Efficiency

Question 19

Detection Engineering

Question 20

Detection Engineering

Question 21

Detection Engineering

Question 22

Automation and Efficiency

Question 23

Automation and Efficiency

Question 24

Auditing and Reporting on Security Programs

Question 25

Detection Engineering

Page 1 of 4 • Questions 1-25 of 89

1 2 3 4

→

Know a question that should be here? Contribute to this exam

How can the DECIDED process be restarted?

A By restarting the automation service.
B By restarting the playbook daemon.
C In Administration > Server Settings.
D On the System Health page.

How does a user determine which app actions are available?

A Add an action block to a playbook canvas area.
B In the visual playbook editor, click Active and click the Available App Actions dropdown.
C From the Apps menu, click the supported actions dropdown for each app.
D Search the Apps category in the global search field.

Which of the following roles is appropriate for a Splunk SOAR account that will only be used to execute automated tasks?

A Service Account
B Automation Engineer
C Non-Human
D Automation

Which of the following items cannot be modified once entered into SOAR?

A A comment.
B A note.
C A container.
D An artifact.

Question 6

Detection Engineering

Question 7

Detection Engineering

Question 8

Data Engineering

Question 9

Detection Engineering

Question 10

Automation and Efficiency

Question 11

Auditing and Reporting on Security Programs

Question 12

Data Engineering

Question 13

Auditing and Reporting on Security Programs

Question 14

Data Engineering

Question 15

Automation and Efficiency

Question 16

Detection Engineering

Question 17

Data Engineering

Question 18

Automation and Efficiency

Question 19

Detection Engineering

Question 20

Detection Engineering

Question 21

Detection Engineering

Question 22

Automation and Efficiency

Question 23

Automation and Efficiency

Question 24

Auditing and Reporting on Security Programs

Question 25

Detection Engineering

Which Splunk search command is used to send a notable event to SOAR?

A sendtophantom
B param.phantom
C sendevent
D cim_modactions

Which of the following is a step when configuring event forwarding from Splunk to SOAR?

A Create a saved search that generates the JSON for the new container on SOAR.
B Map CIM to CEF fields.
C Map CEF to CIM fields.
D Create a Splunk alert that uses the event_forward.py script to send events to SOAR.

Which of the following are tabs of an asset configuration?

A Asset Info, Asset Settings, Approval Settings, Access Control
B Asset Name, Asset IP, Asset URL, Asset Nickname
C Tags, Asset Name, Asset Date, Asset Order
D App Name, App Order, App Expiry, App Version

Two action blocks, geolocate_ip_1 and file_reputation_2, are connected to a decision block. Which of the following is a correct configuration for making a decision on the action results from one of the given blocks?

A Select parameter set to: file_reputation_2:action_result.data.*.response_code; evaluation option set to: ==; and the Select Value set to: custom_list:Banned Countries.
B Select parameter set to: geolocate_ip_1:action_result.data.*.country_iso_code; evaluation option set to: in; and the Select Value set to: custom_list:Banned Countries.
C Select parameter set to: geolocate_ip_1:action_result.cef.*.country_iso_code; evaluation option set to: !=; and the Select Value box left empty.
D Select parameter set to: file_reputation_2:action_result.cef.*.response_code; evaluation option set to: in; and the Select Value set to: United States.

What is enabled if the Logging option for a playbook' s settings is enabled?

A The playbook will write detailed execution information into the spawn.loq.
B More detailed information is available in the debug window.
C All modifications to the playbook will be written to the audit log.
D More detailed logging information is available in the Investigation page.

Which of the following can be done with the System Health Display?

A Partially rewind processes, which is useful for debugging.
B Create a temporary, edited version of a process and test the results.
C Reset DECIDED to reset playbook environments back to at-start conditions.
D View a single column of status for SOAR processes. For metrics, click Details.

What values can be applied when creating Custom CEF fields?

A Name, Data Type
B Name
C Name, Value
D Name, Data Type, Severity

Which of the following is accurate?

A Phantom.debug() is the same as phantom.error() except it prints in red text.
B Phantom.debug() outputs to the VPE debugger display.
C System.Out.Prinln() outputs to the VPE debugger display.
D Users can output debug info using the print() or print "" syntax.

Which of the following will show all artifacts that have the term =results in a filePath CEF value?

A .../rest/artifact?_query_cef__filepath__icontains="results"
B .../rest/artifacts/filePath="%results%"
C .../rest/artifacts/cef/filePath="%results%"
D .../rest/artifact?_filter_cef__filePath__icontains="results"

Splunk user account(s) with which roles must be created to configure SOAR with an external Splunk Enterprise instance?

A phantomsearch, phantomdelete
B phantomcreate, phantomedit
C superuser, administrator
D admin, user

What are indicators?

A Artifact values that can appear in multiple containers.
B Action results that may appear in multiple containers.
C Artifact values with special security significance.
D Action result items that determine the flow of execution in a playbook.

When working with complex datapaths, which operator is used to access a sub-element inside another element?

A | (pipe)
B : (colon)
C . (dot)
D
- (asterisk)

On the Splunk search head, when configuring the app to search SOAR searchable content, what are the two requirements to complete the app setup?

A User accounts and REST API.
B User accounts and syslog.
C User accounts and an HTTP Event Collector token.
D User accounts and universal forwarder.

Which of the following cannot be marked as evidence in a container?

A Action result
B Comment
C Note
D Artifact

Which set of steps will show the most detailed information for action results on the Investigation page?

A Viewing the evidence tab within the main display area.
B Viewing the action widget within the main display area.
C Clicking on the action within the recent activity pane.
D Clicking the arrow next to the action within the recent activities pane.

Which of the following applies to filter blocks?

A Can select containers by severity or status.
B Can select assets by tenant, approver, or app.
C Can select which blocks have access to container data.
D Can be used to select data for use by other blocks.

Which of the following is a reason to create a new role in SOAR?

A To define a set of users who have access to a special label.
B To define a set of users who have access to a restricted app.
C To define a set of users who have access to a sensitive tag.
D To define a set of users who have access to an event's reports.

What primary integrations does Splunk SOAR provide for Role administration? (Choose all that apply.)

A LDAP
B SAML
C Local Authentication
D OpenID

Which of the following can be configured in the ROI Settings?

A Number of full time employees (FTEs).
B Annual analyst salary.
C Analyst hours per month.
D Time lost.

What is the default log level for system health debug logs?

A INFO
B WARN
C DEBUG
D ERROR

Join Us Among the Stars

SPLK-2003Preview

About the SPLK-2003 Exam

Mode Selection

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25

Question 6

Question 7

Question 8

Question 9

Question 10

Question 11

Question 12

Question 13

Question 14

Question 15

Question 16

Question 17

Question 18

Question 19

Question 20

Question 21

Question 22

Question 23

Question 24

Question 25