Weekend Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

When working with complex data paths, which operator is used to access a sub-element inside another element?

A.

!(pipe)

B.

*(asterisk)

C.

:(colon)

D.

.(dot)

Full Access
Question # 5

Within the 12A2 design methodology, which of the following most accurately describes the last step?

A.

List of the apps used by the playbook.

B.

List of the actions of the playbook design.

C.

List of the outputs of the playbook design.

D.

List of the data needed to run the playbook.

Full Access
Question # 6

Regarding the Splunk SOAR Automation Broker requirements, which of the following statements is not correct?

A.

The Splunk SOAR Automation Broker requires outbound/egress connectivity to the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

B.

The Splunk SOAR Automation Broker must be able to connect to TCP port 443 (HTTPS) on the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

C.

The Splunk SOAR Automation Broker requires both inbound/ingress and outbound/egress connectivity to the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

D.

The Splunk SOAR Automation Broker requires inbound/ingress network connection from the Splunk SOAR (Cloud) or Splunk SOAR (On-premises) instance.

Full Access
Question # 7

Where in SOAR can a user view the JSON data for a container?

A.

In the analyst queue.

B.

On the Investigation page.

C.

In the data ingestion display.

D.

In the audit log.

Full Access
Question # 8

Splunk user account(s) with which roles must be created to configure Phantom with an external Splunk Enterprise instance?

A.

superuser, administrator

B.

phantomcreate. phantomedit

C.

phantomsearch, phantomdelete

D.

admin,user

Full Access
Question # 9

What is the default log level for system health debug logs?

A.

INFO

B.

WARN

C.

ERROR

D.

DEBUG

Full Access
Question # 10

What is the main purpose of using a customized workbook?

A.

Workbooks automatically implement a customized processing of events using Python code.

B.

Workbooks guide user activity and coordination during event analysis and case operations.

C.

Workbooks apply service level agreements (SLAs) to containers and monitor completion status on the ROI dashboard.

D.

Workbooks may not be customized; only default workbooks are permitted within Phantom.

Full Access
Question # 11

How can parent and child playbooks pass information to each other?

A.

The parent can pass arguments to the child when called, and the child can return values from the end block.

B.

The parent can pass arguments to the child when called, but the child can only pass values back as new artifacts in the event.

C.

The parent must create a new artifact in the event named arg_xxx, and the child must return values by creating artifacts with the naming convention return_xxx.

D.

The parent must create a new artifact in the event named return_xxx, and the child must return values by creating artifacts with the naming convention arg_xxx.

Full Access
Question # 12

Which of the following can be configured in the ROl Settings?

A.

Analyst hours per month.

B.

Time lost.

C.

Number of full time employees (FTEs).

D.

Annual analyst salary.

Full Access
Question # 13

In this image, which container fields are searched for the text "Malware"?

A.

Event Name and Artifact Names.

B.

Event Name, Notes, Comments.

C.

Event Name or ID.

Full Access
Question # 14

An active playbook can be configured to operate on all containers that share which attribute?

A.

Artifact

B.

Label

C.

Tag

D.

Severity

Full Access
Question # 15

Phantom supports multiple user authentication methods such as LDAP and SAML2. What other user authentication method is supported?

A.

SAML3

B.

PIV/CAC

C.

Biometrics

D.

OpenID

Full Access
Question # 16

Which of the following is an advantage of using the Visual Playbook Editor?

A.

Eliminates any need to use Python code.

B.

The Visual Playbook Editor is the only way to generate user prompts.

C.

Supports Python or Javascript.

D.

Easier playbook maintenance.

Full Access
Question # 17

How can an individual asset action be manually started?

A.

With the > action button in the analyst queue page.

B.

By executing a playbook in the Playbooks section.

C.

With the > action button in the Investigation page.

D.

With the > asset button in the asset configuration section.

Full Access
Question # 18

When configuring a Splunk asset for SOAR to connect to a Splunk Cloud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible?

A.

Install a second Splunk app and configure the query in the second app.

B.

Configure the second query in the Splunk App for SOAR Export.

C.

Enter the two queries in the asset as comma separated values.

D.

Configure a second Splunk asset with the second query.

Full Access
Question # 19

When analyzing events, a working on a case, significant items can be marked as evidence. Where can ail of a case's evidence items be viewed together?

A.

Workbook page Evidence tab.

B.

Evidence report.

C.

Investigation page Evidence tab.

D.

At the bottom of the Investigation page widget panel.

Full Access
Question # 20

Which of the following applies to filter blocks?

A.

Can select which blocks have access to container data.

B.

Can select assets by tenant, approver, or app.

C.

Can be used to select data for use by other blocks.

D.

Can select containers by seventy or status.

Full Access
Question # 21

Which of the following are the default ports that must be configured on Splunk to allow connections from SOAR?

A.

SplunkWeb (8088), SplunkD (8089), HTTP Collector (8000)

B.

SplunkWeb (8089), SplunkD (8088), HTTP Collector (8000)

C.

SplunkWeb (8000), SplunkD (8089), HTTP Collector (8088)

D.

SplunkWeb (8469), SplunkD (8702), HTTP Collector (8864)

Full Access
Question # 22

On a multi-tenant Phantom server, what is the default tenant's ID?

A.

0

B.

Default

C.

1

D.

*

Full Access
Question # 23

A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes. What is the cause of this behavior?

A.

Synchronous execution has not been configured.

B.

The first playbook is performing poorly.

C.

The sleep option for the second playbook is not set to a long enough interval.

D.

Incorrect join configuration on the second playbook.

Full Access
Question # 24

What metrics can be seen from the System Health Display? (select all that apply)

A.

Playbook Usage

B.

Memory Usage

C.

Disk Usage

D.

Load Average

Full Access
Question # 25

Which Phantom VPE Nock S used to add information to custom lists?

A.

Action blocks

B.

Filter blocks

C.

API blocks

D.

Decision blocks

Full Access
Question # 26

Which of the following describes the use of labels in Phantom?

A.

Labels determine the service level agreement (SLA) for a container.

B.

Labels control the default seventy, ownership, and sensitivity for the container.

C.

Labels control which apps are allowed to execute actions on the container.

D.

Labels determine which playbook(s) are executed when a container is created.

Full Access
Question # 27

To limit the impact of custom code on the VPE, where should the custom code be placed?

A.

A custom container or a separate KV store.

B.

A separate code repository.

C.

A custom function block.

D.

A separate container.

Full Access
Question # 28

Some of the playbooks on the SOAR server should only be executed by members of the admin role. How can this rule be applied?

A.

Make sure the Execute Playbook capability is removed from all roles except admin.

B.

Place restricted playbooks in a second source repository that has restricted access.

C.

Add a filter block to all restricted playbooks that filters for runRole = "Admin".

D.

Add a tag with restricted access to the restricted playbooks.

Full Access
Question # 29

When writing a custom function that uses regex to extract the domain name from a URL, a user wants to create a new artifact for the extracted domain. Which of the following Python API calls will create a new artifact?

A.

phantom.new_artifact ()

B.

phantom. update ()

C.

phantom.create_artifact ()

D.

phantom.add_artifact ()

Full Access
Question # 30

Which Phantom API command is used to create a custom list?

A.

phantom.add_list()

B.

phantom.create_list()

C.

phantom.include_list()

D.

phantom.new_list()

Full Access
Question # 31

Which of the following is a reason to create a new role in SOAR?

A.

To define a set of users who have access to a special label.

B.

To define a set of users who have access to a restricted app.

C.

To define a set of users who have access to an event's reports.

D.

To define a set of users who have access to a sensitive tag.

Full Access
Question # 32

Which of the following can be done with the System Health Display?

A.

Create a temporary, edited version of a process and test the results.

B.

Partially rewind processes, which is useful for debugging.

C.

View a single column of status for SOAR processes. For metrics, click Details.

D.

Reset DECIDED to reset playbook environments back to at-start conditions.

Full Access
Question # 33

A user wants to use their Splunk Cloud instance as the external Splunk instance for Phantom. What ports need to be opened on the Splunk Cloud instance to facilitate this? Assume default ports are in use.

A.

TCP 8088 and TCP 8099.

B.

TCP 80 and TCP 443.

C.

Splunk Cloud is not supported.

D.

TCP 8080 and TCP 8191.

Full Access