A SOAR developer is creating a playbook that needs to process a list of file hashes. For each hash, a child playbook is invoked to perform reputation analysis. The parent playbook must wait for all child playbooks to complete before aggregating the results. Which configuration in the parent playbook's 'Playbook' block is essential to achieve this requirement?
Q2
A custom function in a Splunk SOAR playbook is designed to parse a complex, nested JSON object from an API response. The developer needs to extract a specific value located at `results[0].indicators.domains[2].name`. Which is the most robust datapath to access this value?
Q3 (Multiple answers)
A developer needs to write a custom function that enriches multiple artifacts and then adds a single, consolidated note to the container. Which TWO of the following `phantom` library calls are essential for this task? (Select TWO)
Q4
True or False: When a playbook uses a 'Manual Task' block, the entire playbook execution pauses and enters a 'pending' state until a user manually marks the task as complete.
Q5
A financial institution is using Splunk SOAR to automate responses to phishing alerts originating from Splunk Enterprise Security (ES). They need to ensure that when a notable event from ES creates a container in SOAR, the original notable event's urgency is mapped to the SOAR container's severity. Where is this mapping configured?
Q6
**Case Study:** A managed security service provider (MSSP) uses a single Splunk SOAR instance to serve multiple tenants. They have developed a standardized 'Threat Intel Enrichment' playbook that is used by all tenants. Recently, a new premium tenant requires a slightly different enrichment process that involves an additional, proprietary threat intelligence source. The MSSP wants to avoid duplicating the entire playbook for one minor change. The current playbook structure is a single, monolithic playbook. The MSSP wants to re-architect the solution to be more modular and maintainable. They need to create a solution where the core enrichment logic is shared, but the premium tenant's workflow includes the extra step. All tenants should use the same initial trigger. Which approach best meets the MSSP's requirements for modularity and minimal duplication?
Q7
A developer is building a playbook that queries a custom list containing network CIDR ranges and their corresponding business units. The playbook receives an IP address as an artifact and must find the correct business unit. The custom list is named `business_unit_cidrs`. Which block is best suited to perform this lookup directly within the visual playbook editor?
Q8
A SOAR administrator is tasked with retrieving all containers with a 'High' severity that were created in the last 7 days using the REST API. Which Django-style filter query should be used with the `/rest/container` endpoint?
Q9
A developer notices that a playbook designed to block an IP address fails intermittently. The playbook uses two parallel action blocks to add the IP to two different firewalls. The playbook then proceeds to a single 'add note' block. The developer suspects a race condition. The following diagram shows the playbook flow. What is the most effective way to ensure both firewall blocks complete before the note is added?

```mermaid
graph TD
    A[Start] --> B{Get IP Artifact};
    B --> C[Block IP on FW1];
    B --> D[Block IP on FW2];
    C --> E[Add Note];
    D --> E;
```
Q10
When should a developer choose to use a Custom Function block over a series of native Visual Playbook Editor (VPE) blocks?