Phantom

Question 1

What is Splunk Phantom?

Answer 1

An intelligent nexus of connections to your security appliances and infrastructure

Question 2

What does Splunk Phantom do?

Answer 2

Ingests and anlyses data for security issues
Automates some or all incident response decisions
Takes action to contain or eliminate threats
provides tools to SOC personnel to investigate, respond and co-ordinate incident response activities

Question 3

where can Phantom documentation be found?

Answer 3

Administration>? Documentation

docs.splunk.com

Question 4

What platforms can Phantom be installed on

Answer 4

• Virtual Applaince
• In the cloud as Amazon AMI
• Red Hat or CentOS servers

Question 5

True or False all install platforms support:

• scaling up with clustered servers
• externalizing compoinents
• warm failover

Answer 5

True

Question 6

where do you download the ova?

Answer 6

my.phantom.us

Question 7

true or false

.OVA and Amazon AMI run as as a root user account?

Answer 7

False
they run as non-root with user name phantom
Linux platform both root or Non Root installs are options

Question 8

What are the methods to ingest data? Select all that apply.

a) manually
b) ingest over email
c) timer app
d) script-based ingestion over REST

Answer 8

d) script-based ingestion over RES

Question 9

What are the automated methods for getting data into Phantom? Select all that apply.

a) manually
b) push from a source
c) use a TA
d) All of the above

Answer 9

push from a source
use a TA
Poll

Question 10

What are the primary components for the Phantom system configuration?

a) playbooks, reports, cases, queues
b) apps, playbooks, assets, data sources, actions, owners
c) mission control, visual playbook editor, assets apps, actions
d) decided, ingestd, watchdogd, actiond, postgres, nginx, uwsgi

Answer 10

apps, playbooks, assets, data sources, actions, owners

Question 11

What’s your primary source for documentation on the Phantom platform?

a) Call a Splunk sales engineer
b) www.phantom.us
c) Phantom-Community Slack
d) VM/Platform

Answer 11

VM/Platform

docs.splunk.com

Question 12

The Phantom initial setup assigns a password to which two accounts?

a) phantom | admin
b) root | admin
c) phantom | sudo
d) user | root

Answer 12

user | root

Question 13

Phantom provides the following mediums for the platform. Select all that apply.

a) OVA
b) AMI
c) RPMs
d) AWS

Answer 13

OVA

RPMs

Question 14

Enable email notifications from the Phantom platform by ________.

a) configuring an SMTP asset
b) navigating to Administration, and select the SMTP source
c) configuring an SMTP in administration under Email settings
d) configuring an action to send an email via Python

Answer 14

configuring an SMTP asset

Question 15

True or false: The Analyst queue is where you can reference all the artifacts for a container.

a) True
b) False

Answer 15

False

Question 16

In Mission Control, how do you get Ralph to help you?

a) Create a note and call Ralph
b) Send an email to Ralph
c) Use a mention to @ralph
d) Tag Ralph using Facebook

Answer 16

Use a mention to @ralph

Question 17

True or false: You can only use SSH for git source code repositories.

a) True
b) False

Answer 17

False

Question 18

Where can you create custom fields?

a) Product settings > Tags
b) Product settings > Environment
c) Product settings > Event settings
d) Company settings > Global settings

Answer 18

Product settings > Event settings

Question 19

True or false: SLA settings use high, medium, and low severity levels for tracking response.

a) True
b) False

Answer 19

True

Question 20

In Python, a properly coded dictionary statement is __________.

a) [‘sourceAddresss’, ‘192.168.1.1’]
b) (‘sourceAddresss’, ‘192.168.1.1’)
c) sourceAddress(192.168.1.1)
d) {“sourceAddress” : “192.168.1.1”}

Answer 20

{“sourceAddress” : “192.168.1.1”}

Question 21

Where can you configure proxy settings?

a) Product settings > Apps
b) In the Application configuration
c) Administration > Product settings > Environment
d) Global settings

Answer 21

Administration > Product settings > Environment

Question 22

Which statement is the correct use of IN for a Decision block?

a) sourceAddress IN ‘192.168.1.1’
b) artifact:*.cef.sourceAddress IN custom_black_list
c) action: Ralph_is IN the_house
d) None of the above

Answer 22

artifact:*.cef.sourceAddress IN custom_black_list

Question 23

True or false: Assets performing on poll can only be assigned to one tenant.

a) True
b) False

Answer 23

True

Question 24

What type of custom fields can you create?

a) Text boxes and multiple-select lists
b) Multiple-line text boxes
c) Select lists and text boxes
d) Radio buttons, select lists, and text boxes

Answer 24

Select lists and text boxes

Question 25

True or false: Restrict access to sources using labels.

a) True
b) False

Answer 25

True

Question 26

What are the three types of user accounts?

a) Generic, REST, Administrator
b) Local, Automation, Authentication method
c) SAML, User, OpenID
d) OpenID, CyberArk, Due

Answer 26

Local, Automation, Authentication method

Question 27

True or false: You can use Google authenticator with multi-factor authentication.

a) True
b) False

Answer 27

False

Question 28

True or false: You can restrict access to an action using asset configuration.

a) True
b) False

Answer 28

True

Question 29

Phantom uses multiple daemons. Select all that apply.

a) decided
b) splunkd
c) watchdogd
d) actiond

Answer 29

decided
watchdogd
actiond

Question 30

What does the daemon workflowd do?

a) Ingests alarms and notifies containers
b) Receives notifications from ingestd and processes playbooks
c) Interfaces with external resources to gather and format response data
d) Provides user notifications and holds any system delay processing

Answer 30

Provides user notifications and holds any system delay processing

Question 31

Which daemon or process normalizes data and puts in the proper format?

a) actiond
b) ingestd
c) REST
d) applications

Answer 31

ingestd

Question 32

Playbooks run based on the ______.

a) ID
b) list name
c) tag
d) label

Answer 32

label

Question 33

What does the OODA acronym stand for?

a) Observe Open Drive Arrange
b) Orient Observe Delight Assess
c) Observe Orient Decide Act
d) Open Observe Deliver Apply

Answer 33

Observe Orient Decide Act

Question 34

Automation strategies work best when they are __________.

a) Not documented but well known and understood
b) Easy to remember
c) Well documented, procedural and intuitive
d) Documented with decision points and procedures

Answer 34

Documented with decision points and procedures

Question 35

Select the primary tools for helping you build playbooks? Select all that apply.

a) Documentation
b) Visual Playbook Editor
c) Whiteboard
d) Google

Answer 35

Documentation
Visual Playbook Editor
Whiteboard

Question 36

Which block would you use to prepare data for an action?

a) format
b) filter
c) decision
d) action

Answer 36

format

Question 37

Which block would you use to create selective data items?

a) playbook
b) decision
c) filter
d) format

Answer 37

filter

Question 38

Which block would you use for customized code?

a) format
b) decision
c) Playbook Code Editor
d) API

Answer 38

API

Question 39

Decision blocks use which python module to execute decisions?

a) if then:
b) phantom.case()
c) if () elseif ()
d) phantom.conditions()

Answer 39

phantom.case()

Question 40

Custom lists can be used to store data in Phantom for data comparison. Select all that apply.

a) external EBL
b) list of procedures for reuse
c) various data sets
d) All of the above

Answer 40

external EBL

various data sets

Question 41

REST API allows automation developers to ___________. Select all that apply.

a) interact with Phantom daemons
b) customize Phantom APIs
c) review platform data and system health
d) customize data in the platform

Answer 41

review platform data and system health

customize data in the platform

Question 42

what is required as part of browser support?

Answer 42

HTML 5
SVG graphics
TLS Security

Question 43

True or False

a Static IP address is not required for the installation of the OVA

Answer 43

False

it is required

Question 44

what is the default user for the OVA CLI

Answer 44

phantom and password is password

Question 45

what OS are supported

Answer 45

Red Hat Enterprise and CentOs

Question 46

what are the default user name and password for the UI

Answer 46

admim/password

Question 47

what is the community License

Answer 47

• 1 tenant
• 5 new or open cases
• 100 actions executed in each 24hr period

Question 48

what is the standard licensing format

Answer 48

Seat based on the number of users configured in Phantom, come in sets of 5

Question 49

What does the mobile app allow you to do

Answer 49

view events, respond to notifications, run playbooks

Question 50

what is the default global number of current actions for assets?

Answer 50

10

Question 51

true or False?

Users must have a user Account and role membership?

Answer 51

True

Question 52

How can user accounts be created?

Answer 52

Manually in Phantom or automatically via directory integration (LDAP etc,)

Question 53

Can role assignment be automated?

Answer 53

Yes

by mapping to directory service group membership

Question 54

Is 2 factor authentication supported?

Answer 54

Yes via DUO

Question 55

what is the default inactive timeout?

Answer 55

24hrs