Which of the following is a step when configuring event forwarding from Splunk to Phantom?
A.
Map CIM to CEF fields.
B.
Create a Splunk alert that uses the event_forward.py script to send events to Phantom.
C.
Map CEF to CIM fields.
D.
Create a saved search that generates the JSON for the new container on Phantom.
The Answer Is:
B
This question includes an explanation.
Explanation:
A step when configuring event forwarding from Splunk to Phantom is to create a Splunk alert that uses the event_forward.py script to send events to Phantom. This script will convert the Splunk events to CEF format and send them to Phantom as containers. The other options are not valid steps for event forwarding. See Forwarding events from Splunk to Phantom for more details.
Configuring event forwarding from Splunk to Phantom typically involves creating a Splunk alert that leverages a script (like event_forward.py) to automatically send triggered event data to Phantom. This setup enables Splunk to act as a detection mechanism that, upon identifying notable events based on predefined criteria, forwards these events to Phantom for further orchestration, automation, and response actions. This integration streamlines the process of incident management by connecting Splunk's powerful data analysis capabilities with Phantom's orchestration and automation framework.
SPLK-2003 PDF/Engine
Printable Format
Value of Money
100% Pass Assurance
Verified Answers
Researched by Industry Experts
Based on Real Exams Scenarios
100% Real Questions
Get 60% Discount on All Products,
Use Coupon: "8w52ceb345"