Splunk SOAR Certified Automation Developer — Question 21

Which of the following describes enabling smart mode for an aggregation policy?

Answer options

• A. Configure –> Policies –> Smart Mode –> Enable, select “fields”, click “Save”
• B. Enable grouping in Notable Event Review, select “Smart Mode”, select “fields”, and click “Save”
• C. Edit the aggregation policy, enable smart mode, select fields to analyze, click “Save”
• D. Edit the notable event view, enable smart mode, select “fields”, and click “Save”

Correct answer: C

Explanation

The correct answer is C because it accurately describes the steps needed to enable smart mode within the aggregation policy, focusing on editing the policy itself. Options A, B, and D refer to unrelated procedures or incorrect contexts, thus failing to address the aggregation policy directly.