Without customizing container status within Phantom, what are the three types of status for a container?
Correct Answer: A
Within Splunk SOAR, containers (which represent incidents, cases, or events) have a lifecycle that is tracked through their status. The default statuses available without any customization are "New", "In Progress", and "Closed". These statuses help in organizing and managing the incident response process, allowing users to easily track the progress of investigations and responses from initial detection through to resolution.
SPLK-2003 Exam Question 52
Which Phantom VPE Nock S used to add information to custom lists?
Correct Answer: B
Explanation Filter blocks are used to add information to custom lists in Phantom VPE. Filter blocks allow the user to specify a list name and a filter expression to select the data to be added to the list. Action blocks are used to execute app actions, API blocks are used to make REST API calls, and decision blocks are used to evaluate conditions and branch the playbook execution. Reference, page 14.
SPLK-2003 Exam Question 53
What are the differences between cases and events?
Correct Answer: C
In Splunk SOAR, an event is a security occurrence that may require a response. It is ingested from a third-party source and can be labeled to group related events together. The default label for containers is "Events," which signifies potential threats13. A case, on the other hand, is a container that holds several containers, consolidating multiple events into one logical management unit. Cases can include artifacts and external evidence such as screen captures, analyst notes, and event data from third-party products22. They are used to manage and analyze investigation data tied to specific security events and incidents, providing a structured approach to incident response34. References: Manage the status, severity, and resolution of events in Splunk SOAR (Cloud) - Splunk Documentation Managing cases in SOAR - Splunk Lantern What is Splunk Phantom (Renamed to Splunk SOAR)? - BlueVoyant Overview of cases - Splunk Documentation
SPLK-2003 Exam Question 54
Which of the following are the default ports that must be configured on Splunk to allow connections from SOAR?
Correct Answer: C
For Splunk SOAR to connect with Splunk Enterprise, certain default ports must be configured to facilitate communication between the two platforms. Typically, SplunkWeb, which serves the Splunk Enterprise web interface, uses port 8000. SplunkD, the Splunk daemon that handles most of the back-end services, listens on port 8089. The HTTP Event Collector (HEC), which allows HTTP clients to send data to Splunk, typically uses port 8088. These ports are essential for the integration, allowing SOAR to send data to Splunk for indexing, searching, and visualization. Options A, B, and D list incorrect port configurations for this purpose, making option C the correct answer based on standard Splunk configurations. These are the default ports used by Splunk SOAR (On-premises) to communicate with the embedded Splunk Enterprise instance. SplunkWeb is the web interface for Splunk Enterprise, SplunkD is the management port for Splunk Enterprise, and HTTP Collector is the port for receiving data from HTTP Event Collector (HEC). The other options are either incorrect or not default ports. For example, option B has the SplunkWeb and SplunkD ports reversed, and option D has arbitrary port numbers that are not used by Splunk by default.
SPLK-2003 Exam Question 55
When working with complex datapaths, which operator is used to access a sub-element inside another element?
