Phantom SOAR
Configuring Phantom search to use an external Splunk server provides which of the following benefits?
The ability to run more complex reports on Phantom activities.
The ability to ingest Splunk notable events into Phantom.
The ability to automate Splunk searches within Phantom.
The ability to display results as Splunk dashboards within Phantom.
Within the I2A2 design methodology, which of the following most accurately describes the last step?
List of the apps used by the playbook.
List of the actions of the playbook design.
List of the outputs of the playbook design.
List of the data needed to run the playbook.
Which of the following are the steps required to complete a full backup of a Splunk Phantom deployment? Assume the commands are executed from /opt/phantom/bin and that no other backups have been made.
On the command line enter: sudo python ibackup.pyc --setup, then sudo phenv python ibackup.pyc --backup.
On the command line enter: sudo phenv python ibackup.pyc --backup --backup-type full, then sudo phenv python ibackup.pyc --setup.
Within the UI: Select from the main menu Administration > System Health > Backup.
Within the UI: Select from the main menu Administration > Product Settings > Backup.
An active playbook can be configured to operate on all containers that share which attribute?
Artifact
Label
Tag
Severity
Which of the following applies to filter blocks?
Can select which blocks have access to container data.
Can select assets by tenant, approver, or app.
Can be used to select data for use by other blocks.
Can select containers by severity or status.
A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes. What is the cause of this behavior?
Incorrect Join configuration on the second playbook.
The first playbook is performing poorly.
The sleep option for the second playbook is not set to a long enough interval.
Synchronous execution has not been configured.
A customer wants to design a modular and reusable set of playbooks that all communicate with each other. Which of the following is a best practice for data sharing across playbooks?
Use the py-postgresql module to directly save the data in the Postgres database.
Call the child playbook's getter function.
Create artifacts using one playbook and collect those artifacts in another playbook.
Use the Handle method to pass data directly between playbooks.
Which of the following are examples of things commonly done with the Phantom REST API?
Use Django queries; use curl to create a container and add artifacts to it; remove temporary lists.
Use Django queries; use Docker to create a container and add artifacts to it; remove temporary lists.
Use Django queries; use curl to create a container and add artifacts to it; add action blocks.
Use SQL queries; use curl to create a container and add artifacts to it; remove temporary lists.
Which of the following are the default ports that must be configured on Splunk to allow connections from Phantom?
SplunkWeb (8088), SplunkD (8089), HTTP Collector (8000)
SplunkWeb (8089), SplunkD (8088), HTTP Collector (8000)
SplunkWeb (8421), SplunkD (8061), HTTP Collector (8798)
SplunkWeb (8000), SplunkD (8089), HTTP Collector (8088)
Without customizing container status within Phantom, what are the three types of status for a container?
New, In Progress, Closed
Low, Medium, High
New, Open, Resolved
Low, Medium, Critical
Splunk user account(s) with which roles must be created to configure Phantom with an external Splunk Enterprise instance?
Superuser, administrator
phantomcreate, phantomedit
phantomsearch, phantomdelete
Admin, user
Phantom supports multiple user authentication methods such as LDAP and SAML2. What other user authentication method is supported?
SAML3
PIV/CAC
Biometrics
OpenID
During a second test of a playbook, a user receives an error that states: "an empty parameters list was passed to phantom.act()." What does this indicate?
The container has artifacts not parameters.
The playbook is using an incorrect container.
The playbook debugger's scope is set to new.
The playbook debugger's scope is set to all.
What does a user need to do to have a container with an event from Splunk use context-aware actions designed for notable events?
Include the notable event's event_id field and set the artifact's label to splunk notable event id.
Rename the event_id field from the notable event to splunkNotableEventId.
Include the event_id field in the search results and add a CEF definition to Phantom for event_id, datatype splunk notable event id.
Add a custom field to the container named event_id and set the custom field's data type to splunk notable event id.
After enabling multi-tenancy, which of the following is the first configuration step?
Select the associated tenant artifacts.
Change the tenant permissions.
Set default tenant base address.
Configure the default tenant.
When configuring a Splunk asset for Phantom to connect to a Splunk Cloud instance, the user discovers that they need to be able to run two different on_poll searches. How is this possible?
Enter the two queries in the asset as comma separated values.
Configure the second query in the Phantom app for Splunk.
Install a second Splunk app and configure the query in the second app.
Configure a second Splunk asset with the second query.
On a multi-tenant Phantom server, what is the default tenant's ID?
0
Default
1
*
What are indicators?
Action result items that determine the flow of execution in a playbook.
Action results that may appear in multiple containers.
Artifact values that can appear in multiple containers.
Artifact values with special security significance.
Which app allows a user to send Splunk Enterprise Security notable events to Phantom?
Any of the integrated Splunk/Phantom Apps
Splunk App for Phantom Reporting.
Splunk App for Phantom.
Phantom App for Splunk.
Some of the playbooks on the Phantom server should only be executed by members of the admin role. How can this rule be applied?
Add a filter block to all restricted playbooks that filters for runRole = "Admin".
Add a tag with restricted access to the restricted playbooks.
Make sure the Execute Playbook capability is removed from all roles except admin.
Place restricted playbooks in a second source repository that has restricted access.
What values can be applied when creating a custom CEF field?
Name
Name, Data Type
Name, Value
Name, Data Type, Severity
What is enabled if the Logging option for a playbook's settings is enabled?
More detailed logging information is available in the Investigation page.
All modifications to the playbook will be written to the audit log.
More detailed information is available in the debug window.
The playbook will write detailed execution information into the spawn.log.
Is it possible to import external Python libraries such as the time module?
No.
No, but this can be changed by setting the proper permissions.
Yes, in the global block.
Yes, from a drop-down menu.
How can an individual asset action be manually started?
With the > action button in the analyst queue page.
By executing a playbook in the Playbooks section.
With the > action button in the Investigation page.
With the > asset button in the asset configuration section.
What is the default embedded search engine used by Phantom?
Embedded Splunk search engine.
Embedded Phantom search engine.
Embedded Elastic search engine.
Embedded Django search engine.
A filter block with only one condition configured which states: artifact.*.cef.sourceAddress != "", would permit which of the following data to pass forward to the next block?
Null IP addresses
Non-null IP addresses
Non-null destination Addresses
Null values
A user wants to get the playbook results for a single artifact. Which steps will accomplish this?
Use the contextual menu from the artifact and select run playbook.
Use the run playbook dialog and set the scope to the artifact.
Create a new container including just the artifact in question.
Use the contextual menu from the artifact and select the actions.
What is the main purpose of using a customized workbook?
Workbooks automatically implement a customized processing of events using Python code.
Workbooks guide user activity and coordination during event analysis and case operations.
Workbooks apply service level agreements (SLAs) to containers and monitor completion status on the ROI dashboard.
Workbooks may not be customized; only default workbooks are permitted within Phantom.
Which of the following is a step when configuring event forwarding from Splunk to Phantom?
Map CIM to CEF fields.
Create a Splunk alert that uses the event_forward.py script to send events to Phantom.
Map CEF to CIM fields.
Create a saved search that generates the JSON for the new container on Phantom.
Which is the primary system requirement that should be increased with heavy usage of the file vault?
Amount of memory.
Number of processors.
Amount of storage.
Bandwidth of network.
Which of the following will show all artifacts that have the term results in a filePath CEF value?
.../rest/artifact?_filter_cef_filePath_icontain="results"
.../rest/artifacts/filePath="%results%"
.../result/artifacts/cef/filePath="%results%"
.../result/artifact?_query_cef_filepath_icontains="results"
Which of the following can be configured in the ROI Settings?
Analyst hours per month.
Time lost.
Number of full time employees (FTEs).
Annual analyst salary.
Which of the following expressions will output debug information to the debug window in the Visual Playbook Editor?
Phantom.debug()
Phantom.exception()
Phantom.print ()
Phantom.assert()
Which of the following supported approaches enables Phantom to run on a Windows server?
Install the Phantom RPM in a GNU Cygwin implementation.
Run the Phantom OVA as a cloud instance.
Install the Phantom RPM file in Windows Subsystem for Linux (WSL).
Run the Phantom OVA as a virtual machine.
Which of the following can the format block be used for?
To generate arrays for input into other functions.
To generate HTML or CSS content for output in email messages, user prompts, or comments.
To generate string parameters for automated action blocks.
To create text strings that merge state text with dynamic values for input or output.
When analyzing events or working on a case, significant items can be marked as evidence. Where can all of a case's evidence items be viewed together?
Workbook page Evidence tab.
Evidence report.
Investigation page Evidence tab.
At the bottom of the Investigation page widget panel.
When working with complex data paths, which operator is used to access a sub-element inside another element?
|(pipe)
*(asterisk)
:(colon)
.(dot)
Which of the following is a best practice for use of the global block?
Execute code at the beginning of each run of the playbook.
Declare outputs which will be selectable within playbook blocks.
Import packages which will be used within the playbook.
Execute custom code after each run of the playbook.
In this image, which container fields are searched for the text "Malware"?
Event Name and Artifact Names.
Event Name, Notes, Comments.
Event Name or ID.
Which of the following is the complete list of the types of backups that are supported by Phantom?
Full backups.
Full, delta, and incremental backups.
Full and incremental backups.
Full and delta backups.
How can the debug log for a playbook execution be viewed?
On the Investigation page, select Debug Log from the playbook's action menu in the Recent Activity panel.
Click Expand Scope in the debug window.
In Administration > System Health > Playbook Run History, select the playbook execution entry, then select Log.
Open the playbook in the Visual Playbook Editor, and select Debug Logs in Settings.
Which of the following describes the use of labels in Phantom?
Labels determine the service level agreement (SLA) for a container.
Labels control the default severity, ownership, and sensitivity for the container.
Labels control which apps are allowed to execute actions on the container.
Labels determine which playbook(s) are executed when a container is created.
What is the simplest way to pass data between playbooks?
Action results
File system
Artifacts
KV Store
What do assets provide for app functionality?
Assets provide location, credentials, and other parameters needed to run actions.
Assets provide hostnames, passwords, and other artifacts needed to run actions.
Assets provide Python code, REST API, and other capabilities needed to run actions.
Assets provide firewall, network, and data sources needed to run actions.
After a successful POST to a Phantom REST endpoint to create a new object what result is returned?
The new object ID.
The new object name.
The full CEF name.
The PostGres UUID.
After a playbook has run, where are the results stored?
Splunk Index
Case
Container
Log file
Severity can be set during ingestion and later changed manually. What other mechanism can change the severity of a container?
Notes
Actions
Service level agreement (SLA) expiration
Playbooks
In addition to full backups, Phantom supports what other backup type using backup?
Snapshot
Incremental
Partial
Differential
How can a child playbook access the parent playbook's action results?
Child playbooks can access parent playbook data while the parent is still running.
By setting scope to ALL when starting the child.
When configuring the playbook block in the parent, add the desired results in the Scope parameter.
The parent can create an artifact with the data needed by the child.
How does a user determine which app actions are available?
Add an action block to a playbook canvas area.
Search the Apps category in the global search field.
From the Apps menu, click the supported actions dropdown for each app.
In the visual playbook editor, click Active and click the Available App Actions dropdown.
A user wants to use their Splunk Cloud instance as the external Splunk instance for Phantom. What ports need to be opened on the Splunk Cloud instance to facilitate this? Assume default ports are in use.
TCP 8088 and TCP 8099.
TCP 80 and TCP 443.
Splunk Cloud is not supported.
TCP 8080 and TCP 8191.
Which app allows a user to run Splunk queries from within Phantom?
Splunk App for Phantom.
The Integrated Splunk/Phantom app.
Phantom App for Splunk.
Splunk App for Phantom Reporting.
Which Phantom VPE block is used to add information to custom lists?
Action blocks
Filter blocks
API blocks
Decision blocks
How is it possible to evaluate user prompt results?
Set action_result.summary.Status to required.
Set the user prompt to reinvoke if it times out.
Set action_result.summary.Response to required.
Add a decision block.
When is using decision blocks most useful?
When selecting one (or zero) possible paths in the playbook.
When processing different data in parallel.
When evaluating complex, multi-value results or artifacts.
When modifying downstream data in one or more paths in the playbook.
Which of the following accurately describes the Files tab on the Investigate page?
A user can upload the output from a detonate action to the Files tab for further investigation.
Files tab items and artifacts are the only data sources that can populate active cases.
Files tab items cannot be added to investigations. Instead, add them to action blocks.
Phantom memory requirements remain static, regardless of Files tab usage.
What are the differences between cases and events?
Case: potential threats. Events: identified as a specific kind of problem and need a structured approach.
Cases: only include high-level incident artifacts. Events: only include low-level incident artifacts.
Cases: contain a collection of containers. Events: contain potential threats.
Cases: incidents with a known violation and a plan for correction. Events: occurrences in the system that may require a response.
Which Phantom API command is used to create a custom list?
Phantom.add_list()
Phantom.create_list()
Phantom.include_list()
Phantom.new_list()