Learn how to correctly configure a decision block based on action results from geolocate_ip and file_reputation blocks in Splunk SOAR for the SPLK-2003 certification exam.
Question
Two action blocks, geolocate_ip_1 and file_reputation_2, are connected to a decision block. Which of the following is a correct configuration for making a decision on the action results from one of the given blocks?
A. Select parameter set to: file_reputation_2:action_result.data.*.response_code; evaluation option set to: ==; and the Select Value set to: custom_list:Banned Countries.
B. Select parameter set to: geolocate_ip_1:action_result.data.*.country_iso_code; evaluation option set to: in; and the Select Value set to: custom_list:Banned Countries.
C. Select parameter set to: geolocate_ip_1:action_result.cef.*.country_iso_code; evaluation option set to: !=; and the Select Value box left empty.
D. Select parameter set to: file_reputation_2:action_result.cef.*.response_code; evaluation option set to: in; and the Select Value set to: United States.
Answer
B. Select parameter set to: geolocate_ip_1:action_result.data.*.country_iso_code; evaluation option set to: in; and the Select Value set to: custom_list:Banned Countries.
Explanation
To make a decision based on the country ISO code returned by the geolocate_ip_1 action block:
- Set the Select parameter to geolocate_ip_1:action_result.data.*.country_iso_code. This references the country ISO code in the action result data.
- Set the evaluation option to “in”. This will check if the returned country ISO code is in a specified list.
- Set the Select Value to custom_list:Banned Countries. This specifies the custom list of banned country ISO codes to check against.
This configuration will properly evaluate if the IP address geolocated by the geolocate_ip_1 block is in a country on the banned countries list.
The other options are incorrect:
A references the wrong action block (file_reputation_2 instead of geolocate_ip_1) and the wrong data field (response_code instead of country_iso_code).
C uses the wrong data path (action_result.cef instead of action_result.data) and leaves the Select Value empty, although a banned countries list needs to be specified.
D references the wrong action block and data field, uses “in” instead of “==” for an exact match, and checks for “United States” instead of a list of banned countries.
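The following is an added example, not code from the page or from Splunk: a small emulation of how a decision block resolves a wildcard datapath such as geolocate_ip_1:action_result.data.*.country_iso_code against a block's action results and evaluates it with the chosen operator against a custom list. The sample action results, the contents of the "Banned Countries" list and all helper names are constructed for illustration; the "any candidate matches" semantics for wildcard datapaths is an assumption of the emulation. It evaluates all four answer options so the difference between B and the others is visible in the resolved values.

```python
# Added example (not from the page or from Splunk): emulation of a SOAR
# decision-block condition "parameter <operator> value".
# All sample data below is constructed; helper names are hypothetical.

# Constructed action results keyed by block name. Each block yields one
# action_result per parameter set, with the app's output under "data".
ACTION_RESULTS = {
    "geolocate_ip_1": [
        {"parameter": {"ip": "203.0.113.10"},
         "data": [{"country_iso_code": "KP", "country_name": "North Korea"}]},
        {"parameter": {"ip": "198.51.100.7"},
         "data": [{"country_iso_code": "US", "country_name": "United States"}]},
    ],
    "file_reputation_2": [
        {"parameter": {"hash": "d41d8cd98f00b204e9800998ecf8427e"},
         "data": [{"response_code": 1, "positives": 0}]},
    ],
}

# Constructed custom list. SOAR custom lists are tables (rows of columns);
# a single-column list of ISO codes is assumed here.
CUSTOM_LISTS = {
    "Banned Countries": [["KP"], ["IR"], ["SY"]],
}


def resolve_datapath(datapath, results=ACTION_RESULTS):
    """Return every value a datapath points at.

    "block:action_result.data.*.field" is split into the block name and a
    dotted path; "*" fans out over every element of a list, so one datapath
    yields several values when the block ran on several inputs.
    A path that does not exist (e.g. action_result.cef here) yields nothing.
    """
    block, _, path = datapath.partition(":")
    tokens = path.split(".")
    if tokens[0] != "action_result":
        raise ValueError(f"unsupported datapath root: {tokens[0]}")
    current = results[block]  # the block's list of action_result dicts
    for token in tokens[1:]:
        next_values = []
        for item in current:
            if token == "*":
                if isinstance(item, list):
                    next_values.extend(item)
            elif isinstance(item, dict) and token in item:
                next_values.append(item[token])
        current = next_values
    return current


def resolve_value(value, lists=CUSTOM_LISTS):
    """A "custom_list:<name>" value is flattened into the list's cells;
    any other value is taken literally."""
    if isinstance(value, str) and value.startswith("custom_list:"):
        name = value[len("custom_list:"):]
        return [cell for row in lists[name] for cell in row]
    return value


OPERATORS = {
    "==": lambda left, right: left == right,
    "!=": lambda left, right: left != right,
    "in": lambda left, right: left in right,
    "not in": lambda left, right: left not in right,
}


def evaluate_condition(parameter, operator, value):
    """Evaluate one decision-block row; returns (matched, matching_values).

    Assumption of this emulation: a wildcard datapath produces several
    candidates and the row is satisfied when any candidate matches.
    """
    candidates = resolve_datapath(parameter)
    right = resolve_value(value)
    op = OPERATORS[operator]
    matches = []
    for candidate in candidates:
        try:
            if op(candidate, right):
                matches.append(candidate)
        except TypeError:  # e.g. "in" with a number on the left and a plain string on the right
            continue
    return bool(matches), matches


# The four answer options from the question as (parameter, operator, value).
OPTIONS = {
    "A": ("file_reputation_2:action_result.data.*.response_code", "==", "custom_list:Banned Countries"),
    "B": ("geolocate_ip_1:action_result.data.*.country_iso_code", "in", "custom_list:Banned Countries"),
    "C": ("geolocate_ip_1:action_result.cef.*.country_iso_code", "!=", ""),
    "D": ("file_reputation_2:action_result.cef.*.response_code", "in", "United States"),
}

if __name__ == "__main__":
    for label, (param, op, value) in OPTIONS.items():
        matched, values = evaluate_condition(param, op, value)
        print(f"{label}: {param} {op} {value!r} -> {matched} {values}")
```

Running it shows only option B matching (on the "KP" result); A compares a response code against a list of ISO codes, and C and D point at an action_result.cef path that the geolocate and reputation results do not contain, so they resolve to no values at all. In a real playbook the editor generates the same row as a conditions entry of a phantom.decision() call, so the datapath and list reference must be spelled exactly as in option B.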