SPLK-2003 Splunk SOAR Certified Automation Developer Exam Questions and Answers

The Splunk SOAR Automation Broker does not require inbound/ingress network connections from the Splunk SOAR (Cloud) or (On-premises) instance. Instead, it requires only outbound/egress connectivity. The Automation Broker is responsible for securely communicating with SOAR to execute actions, retrieve data, and send results, but this communication is initiated from the Automation Broker towards SOAR, using outbound connections (typically over TCP port 443). This ensures that no inbound connections need to be established, which simplifies firewall and security configurations.

Thus, option D is the incorrect statement, making it the right answer for this question.

References:

Splunk SOAR Documentation: Automation Broker Requirements.

Splunk SOAR Cloud and On-Premises Deployment Guide.

Selecting the New option under Sources in the Splunk SOAR menu typically initiates the New Data Ingestion wizard. This wizard guides users through the process of configuring new data sources for ingestion into the SOAR platform. It is designed to streamline the setup of various data inputs, such as event logs, threat intelligence feeds, or notifications from other security tools, ensuring that SOAR can receive and process relevant security data efficiently. This feature is crucial for expanding SOAR ' s monitoring and response capabilities by integrating diverse data sources. Options A, C, and D do not accurately describe what is displayed when the New option under Sources is selected, making option B the correct choice.

New Data Ingestion wizard allows you to create a new data source for Splunk SOAR (On-premises) by selecting the type of data, the ingestion method, and the configuration options. The other options are incorrect because they do not match the description of the New option under Sources on the menu. For example, option A refers to a list of new assets, which is not related to data ingestion. Option C refers to a list of new data sources, which is not what the New option does. Option D refers to a list of new events, which is not the same as creating a new data source.

  Upon enabling multi-tenancy in Splunk SOAR, the first step in configuration typically involves setting up the default tenant. This foundational step is critical as it establishes the primary operating environment under which subsequent tenants can be created and managed. The default tenant serves as the template for permissions, settings, and configurations that might be inherited or customized by additional tenants. Proper configuration of the default tenant ensures a stable and consistent framework for multi-tenancy operations, allowing for segregated environments within the same SOAR instance, each tailored to specific operational needs or organizational units.

In Splunk SOAR, a child playbook can access both the container data and the action result data from the parent playbook. This capability allows child playbooks to continue processing data or actions that were initiated by the parent playbook, ensuring smooth data flow and facilitating complex workflows across multiple playbooks. When a parent playbook calls a child playbook, the container (which holds the event and artifact data) and action results (which hold the outputs of previously executed actions) are passed to the child playbook.

This access enables more flexible and powerful automation by allowing the child playbook to build upon the work done by the parent.

References:

Splunk SOAR Playbook Documentation.

Splunk SOAR Playbook Development Best Practices.

To integrate Splunk Phantom with a Splunk Cloud instance, network communication over certain ports is necessary. The default ports for web traffic are TCP 80 for HTTP and TCP 443 for HTTPS. Since Splunk Cloud instances are accessed over the internet, ensuring that these ports are open is essential for Phantom to communicate with Splunk Cloud for various operations, such as running searches, sending data, and receiving results. It is important to note that TCP 8088 is typically used by Splunk ' s HTTP Event Collector (HEC), which may also be relevant depending on the integration specifics.

The primary objective of using the I2A2 playbook design methodology in Splunk SOAR is to create playbooks that are simple, reusable, and modular. This design philosophy emphasizes the creation of playbooks that can be easily understood and maintained, encourages the reuse of playbook components in different scenarios, and fosters the development of playbooks that can be modularly connected or used independently as needed.

I2A2 design methodology is a framework for designing playbooks that consists of four components:

• Inputs: The data that is required for the playbook to run, such as artifacts, parameters, or custom fields.

• Interactions: The blocks that allow the playbook to communicate with users or other systems, such as prompts, comments, or emails.

• Actions: The blocks that execute the core logic of the playbook, such as app actions, filters, decisions, or utilities.

• Artifacts: The data that is generated or modified by the playbook, such as new artifacts, container fields, or notes.

The I2A2 design methodology helps you to plan, structure, and test your playbooks in a modular and efficient way. The primary objective of using the I2A2 design methodology is to create simple, reusable, modular playbooks that can be easily maintained, shared, and customized. Therefore, option D is the correct answer, as it states the primary objective of using the I2A2 design methodology. Option A is incorrect, because creating detailed playbooks is not the primary objective of using the I2A2 design methodology, but rather a possible outcome of following the framework. Option B is incorrect, because creating playbooks that customers will not edit is not the primary objective of using the I2A2 design methodology, but rather a potential risk of not following the framework. Option C is incorrect, because meeting customer requirements using a single playbook is not the primary objective of using the I2A2 design methodology, but rather a challenge that can be overcome by using the framework.

1: Use a playbook design methodology in Administer Splunk SOAR (Cloud).

DECIDED process is a core component of the SOAR automation engine that handles the execution of playbooks and actions. The DECIDED process can be restarted by restarting the automation service, which can be done from the command line using the service phantom restart command2. Restarting the automation service also restarts the playbook daemon, which is another core component of the SOAR automation engine that handles the loading and unloading of playbooks3. Therefore, option D is the correct answer, as it restarts both the DECIDED process and the playbook daemon. Option A is incorrect, because restarting the playbook daemon alone does not restart the DECIDED process. Option B is incorrect, because the System Health page does not provide an option to restart the DECIDED process or the automation service. Option C is incorrect, because the Administration > Server Settings page does not provide an option to restart the DECIDED process or the automation service.

In Splunk SOAR, if the DECIDED process, which is responsible for playbook execution, needs to be restarted, this can typically be done by restarting the automation (or phantom) service. This service manages the automation processes, including playbook execution. Restarting it can reset the DECIDED process, resolving issues related to playbook execution or process hangs.

Filter blocks are used to add information to custom lists in Phantom VPE. Filter blocks allow the user to specify a list name and a filter expression to select the data to be added to the list. Action blocks are used to execute app actions, API blocks are used to make REST API calls, and decision blocks are used to evaluate conditions and branch the playbook execution.  In the Phantom Visual Playbook Editor (VPE), an API block is used to interact with various external APIs, including custom lists within Phantom. Custom lists are key-value stores that can be used to maintain state, aggregate data, or track information across multiple playbook runs. API blocks allow the playbook to make GET, POST, PUT, and DELETE requests to these lists, facilitating the addition, retrieval, update, or removal of information. This makes API blocks a versatile tool in managing custom list data within playbooks.

The best option for an analyst who wants to run a single action on an event is to open the event and run the action directly from the Investigation View . The Investigation View allows users to interact with events directly, and provides the ability to execute specific actions without the need for playbook development or debugging. This is the most straightforward and efficient way to execute a single action on an event, without the overhead of creating or editing playbooks.

While creating a playbook and using the Playbook Debugger are viable options, they introduce unnecessary complexity for running just one action. The goal is to allow the analyst to act quickly and efficiently within the Investigation View.

References:

Splunk SOAR Documentation: Investigation View Overview.

Splunk SOAR Best Practices for Running Actions on Events.

To get playbook results for a single artifact, a user can utilize the contextual menu option directly from the artifact itself. This method allows for targeted execution of a playbook on just that artifact, facilitating a focused analysis or action based on the data within that specific artifact. This approach is particularly useful when a user needs to drill down into the details of an individual piece of evidence or data point within a larger incident or case, allowing for granular control and execution of playbooks in the Splunk SOAR environment.

  When configuring Splunk Phantom to integrate with an external Splunk Enterprise instance, it is typically required to have user accounts with sufficient privileges to access data and perform necessary actions. The roles of " superuser " and " administrator " in Splunk provide the broad set of permissions needed for such integration, enabling comprehensive access to data, management capabilities, and the execution of searches or actions that Phantom may require as part of its automated playbooks or investigations.

 The correct answer is B because an active playbook can be configured to operate on all containers that share a label. A label is a user-defined attribute that can be applied to containers to group them by a common characteristic, such as source, type, severity, etc. Labels can be used to filter containers and trigger active playbooks based on the label value. See  Splunk SOAR Documentation  for more details.

In Splunk SOAR, labels are used to categorize containers (such as incidents or events) based on their characteristics or the type of security issue they represent. An active playbook can be configured to trigger on all containers that share a specific label, enabling targeted automation based on the nature of the incident. This functionality allows for efficient and relevant playbook execution, ensuring that the automated response is tailored to the specific requirements of the container ' s category. Labels serve as a powerful organizational tool within SOAR, guiding the automated response framework to act on incidents that meet predefined criteria, thus streamlining the security operations process.

In Splunk SOAR, tasks within workbooks can be performed by any user whose role has the ' Perform Task ' capability enabled. This capability is assigned within the role configuration and allows users with the appropriate permissions to execute tasks. It is not limited to users with write access or the container owner; rather, it is based on the specific permissions granted to the role with which the user is associated.

When building a playbook in Splunk SOAR, if the desired artifact value does not appear in the auto-populated list of input parameters for an action, users have the option to manually enter the Common Event Format (CEF) datapath for that value. This allows for greater flexibility and customization in playbook design, ensuring that specific data points can be targeted even if they ' re not immediately visible in the interface. This manual entry of CEF datapaths allows users to directly reference the necessary data within artifacts, bypassing limitations of the auto-populated list. Options B, C, and D suggest alternative methods that are not typically used for this purpose, making option A the correct and most direct approach to entering an unlisted artifact value in a playbook action.

When assigning an input parameter to an action while building a playbook, a user can use the auto-populated list of artifact values that match the expected data type for the parameter. The auto-populated list is based on the contains parameter of the action inputs and outputs, which enables contextual actions in the SOAR user interface. However, the auto-populated list may not include all the possible artifact values that can be used as parameters, especially if the artifact values are nested or have uncommon data types. In that case, the user can type the CEF datapath in manually, using the syntax artifact. < field > . < key > , where field is the name of the artifact field, such as cef, and key is the name of the subfield within the artifact field, such as sourceAddress. Typing the CEF datapath in manually allows the user to enter the unlisted artifact value as an input parameter to the action. Therefore, option A is the correct answer, as it states how it is possible to enter the unlisted artifact value. Option B is incorrect, because deleting and recreating the artifact is not a way to enter the unlisted artifact value, but rather a way to lose the existing artifact data. Option C is incorrect, because editing the artifact to enable the List as Parameter option for the CEF value is not a way to enter the unlisted artifact value, but rather a way to make the artifact value appear in the auto-populated list. Option D is incorrect, because editing the container to allow CEF parameters is not a way to enter the unlisted artifact value, but rather a way to modify the container properties, which are not related to the action parameters.

To return all artifacts that contain a SHA1 file hash using the Splunk SOAR REST API, the correct query would use the  _filter_cef_Shal_contains  parameter. This parameter filters the artifacts to only those that contain a value in the SHA1 field within the Common Event Format (CEF) data structure.  The  contains  operator is used to match any artifacts that have a SHA1 hash present 1 .

References:

Understanding artifacts - Splunk Documentation

The ROI (Return on Investment) Settings within Splunk SOAR are designed to help organizations assess the value derived from their use of the platform, particularly in terms of resource allocation and efficiency gains. The setting mentioned in the question, " Number of full time employees (FTEs), " relates directly to measuring this efficiency.

Answer " C " is correct because configuring the number of full-time employees (FTEs) in the ROI settings allows an organization to input and monitor how many personnel are dedicated to security operations managed through SOAR. This setting is crucial for calculating the labor cost associated with incident response and routine security tasks. By understanding the number of FTEs involved, organizations can better assess the labor cost savings provided by automation and orchestration in SOAR. This data helps in quantifying the operational efficiency and the overall impact of SOAR on resource optimization.

In contrast, other options like " Analyst hours per month, " " Time lost, " and " Annual analyst salary " might seem relevant but are not directly configurable within the ROI settings of Splunk SOAR. These aspects could be indirectly calculated or estimated based on the number of FTEs and other operational metrics but are not directly input as settings in the system.

This use of FTEs in ROI calculations is often discussed in materials related to cybersecurity efficiency metrics and SOAR platform utilization. Official Splunk documentation and best practices guides typically provide insights into how to set up and interpret ROI settings, highlighting the importance of accurate configuration for meaningful analytics.

In Splunk Phantom, child playbooks can access the action results of a parent playbook through the use of the Scope parameter. When a parent playbook calls a child playbook, it can pass certain data along by setting the Scope parameter to include the desired action results. This parameter is configured within the playbook block that initiates the child playbook. By specifying the appropriate scope, the parent playbook effectively determines what data the child playbook will have access to, allowing for a more modular and organized flow of information between playbooks.

 An individual asset action can be manually started with the > action button in the Investigation page. This allows the user to select an asset and an action to perform on it. The other options are not valid ways to start an asset action manually. See  Performing asset actions  for more information. Individual asset actions in Splunk SOAR can be manually initiated from the Investigation page of a container. The " > action " button on this page allows users to execute specific actions associated with assets directly, enabling on-the-fly operations on artifacts or indicators within a container. This feature is particularly useful for ad-hoc analysis and actions, allowing analysts to respond to or investigate specific aspects of an incident without the need for a full playbook.

The simplest way to pass data between playbooks in Splunk SOAR is through the use of artifacts. Artifacts are objects that can store data and are associated with containers. When multiple playbooks work on a single container, they can access and manipulate the same set of artifacts, allowing for seamless data transfer between playbooks.  This method is straightforward and does not require additional setup or management of external storage systems, making it the most direct and efficient way to pass data within the Splunk SOAR environment 1 .

References:

Passing data between SOAR playbooks - Splunk Lantern

A filter block with only one condition configured which states: artifact.*.cef .sourceAddress !- , would permit only non-null IP addresses to pass forward to the next block. The !- operator means “is not null”. The other options are not valid because they either include null values or other fields than sourceAddress. See  Filter block  for more details. A filter block in Splunk SOAR that is configured with the condition artifact.*.cef.sourceAddress != (assuming the intention was to use " != " to denote ' not equal to ' ) is designed to allow data that has non-null sourceAddress values to pass through to subsequent blocks. This means that any artifact data within the container that includes a sourceAddress field with a defined value (i.e., an actual IP address) will be permitted to move forward in the playbook. The filter effectively screens out any artifacts that do not have a source address specified, focusing the playbook ' s actions on those artifacts that contain valid IP address information in the sourceAddress field.

In Splunk SOAR, playbooks can execute actions either synchronously (waiting for one action to complete before starting the next) or asynchronously (allowing actions to run concurrently). If a playbook starts executing before the previous one has completed, it indicates that synchronous execution has not been properly configured between these playbooks. This is crucial when the output of one playbook is a dependency for the subsequent playbook. Options B, C, and D do not directly address the observed behavior of concurrent playbook execution, making option A the most accurate explanation for why the second playbook starts before the completion of the first.

synchronous execution is a feature of the SOAR automation engine that allows you to control the order of execution of playbook blocks. Synchronous execution ensures that a playbook block waits for the completion of the previous block before starting its execution. Synchronous execution can be enabled or disabled for each playbook block in the playbook editor, by toggling the Synchronous Execution switch in the block settings. Therefore, option A is the correct answer, as it states the cause of the behavior where the second playbook starts executing before the first one completes. Option B is incorrect, because the first playbook performing poorly is not the cause of the behavior, but rather a possible consequence of the behavior. Option C is incorrect, because the sleep option for the second playbook is not the cause of the behavior, but rather a workaround that can be used to delay the execution of the second playbook. Option D is incorrect, because the join configuration on the second playbook is not the cause of the behavior, but rather a way of merging multiple paths of execution into one.

The correct answer is C because the best way to restrict the execution of playbooks to members of the admin role is to make sure the Execute Playbook capability is removed from all roles except admin. The Execute Playbook capability is a permission that allows a user to run any playbook on any container. By default, all roles have this capability, but it can be removed or added in the Phantom UI by going to Administration > User Management > Roles. Removing this capability from all roles except admin will ensure that only admin users can execute playbooks. See  Splunk SOAR Documentation  for more details. To ensure that only members of the admin role can execute specific playbooks on the Phantom server, the most effective approach is to manage role-based access controls (RBAC) directly. By configuring the system to remove the " Execute Playbook " capability from all roles except for the admin role, you can enforce this rule. This method leverages Phantom ' s built-in RBAC mechanisms to restrict playbook execution privileges. It is a straightforward and secure way to ensure that only users with the necessary administrative privileges can initiate the execution of sensitive or critical playbooks, thus maintaining operational security and control.

The severity of a container in Splunk Phantom can be set manually or automatically during the ingestion process. In addition to these methods, playbooks can also change the severity of a container. Playbooks are automated workflows that define a series of actions based on certain triggers and conditions. Within a playbook, actions can be defined to adjust the severity level of a container depending on the analysis of the event data, the outcome of actions taken, or other contextual factors. This dynamic adjustment allows for a more accurate and responsive incident prioritization as new information becomes available during the investigation process.

In Splunk SOAR (formerly known as Phantom), enabling the Logging option for a playbook ' s settings primarily affects how logging information is displayed on the Investigation page. When this option is enabled, more detailed logging information is made available on the Investigation page, which can be crucial for troubleshooting and under standing the execution flow of the playbook. This detailed information can include execution steps, actions taken, and conditional logic paths followed during the playbook run.

It ' s important to note that enabling logging does not affect the audit logs or the debug window directly, nor does it write execution details to the spawn.log. Instead, it enhances the visibility and granularity of logs displayed on the specific Investigation page related to the playbook ' s execution.

References:

Splunk Documentation and SOAR User Guides typically outline the impacts of enabling various settings within the playbook configurations, explaining how these settings affect the operation and logging within the system. For specific references, consulting the latest Splunk SOAR documentation would provide the most accurate and detailed guidance.

Enabling the Logging option for a playbook’s settings in Splunk SOAR indeed affects the level of detail provided on the Investigation page. Here’s a comprehensive explanation of its impact:

Investigation Page Logging :

The Investigation page serves as a centralized location for reviewing all activities related to an incident or event within Splunk SOAR.

When the Logging option is enabled, it enhances the level of detail available on this page, providing a granular view of the playbook’s execution.

This includes detailed information about each action’s execution, such as parameters used, results obtained, and any conditional logic that was evaluated.

Benefits of Detailed Logging :

Troubleshooting : It becomes easier to diagnose issues within a playbook when you can see a detailed log of its execution.

Incident Analysis : Analysts can better understand the sequence of events and the decisions made by the playbook during an incident.

Playbook Optimization : Developers can use the detailed logs to refine and improve the playbook’s logic and performance.

Non-Impacted Areas :

The audit log, which tracks changes to the playbook itself, is not affected by the Logging option.

The debug window, used for real-time debugging during playbook development, also remains unaffected.

The spawn.log file, which contains internal operational logs for the Splunk SOAR platform, does not receive detailed execution information from playbooks.

Best Practices :

Enable detailed logging during the development and testing phases of a playbook to ensure thorough analysis and debugging.

Consider the potential impact on storage and performance when enabling detailed logging in a production environment.

References :

For the most accurate and up-to-date guidance on playbook settings and their effects, I recommend consulting the latest Splunk SOAR documentation and user guides. These resources provide in-depth information on configuring playbooks and understanding the implications of various settings within the Splunk SOAR platform.

In summary, the Logging option is a powerful feature that enhances the visibility of playbook operations on the Investigation page, aiding in incident analysis and ensuring that playbooks are functioning correctly. It is an essential tool for security teams to effectively manage and respond to incidents within their environment. ????

the default embedded search engine used by SOAR is the SOAR search engine, which is powered by the PostgreSQL database built-in to Splunk SOAR (Cloud). A Splunk SOAR (Cloud) Administrator can configure options for search from the Home menu, in Search Settings under Administration Settings. The SOAR search engine has been modified to accept the * wildcard and supports various operators and filters. For search syntax and examples, see Search within Splunk SOAR (Cloud)2.

Option A is incorrect, because the embedded Splunk search engine was used in earlier releases of Splunk SOAR (Cloud), but not in the current version. Option C is incorrect, because Django is a web framework, not a search engine. Option D is incorrect, because Elastic is a separate search engine that is not embedded in Splunk SOAR (Cloud).

1: Configure search in Splunk SOAR (Cloud) 2: Search within Splunk SOAR (Cloud)

Splunk SOAR utilizes its own embedded search engine by default, which is tailored to its security orchestration and automation framework. While Splunk SOAR can integrate with other search engines, like the Embedded Splunk search engine, for advanced capabilities and log analytics, its default setup comes with an embedded search engine optimized for the typical data and search patterns encountered within the SOAR platform.

Wildcards are used within artifact data paths in Splunk SOAR playbooks to simplify the process of accessing data. They allow playbooks to reference dynamic or variable data structures without needing to specify exact paths, which can vary between artifacts. This flexibility makes it easier to write playbooks that work across different events and scenarios, without hard-coding data paths.

SOAR uses wildcards within artifact data paths to make data access in playbooks easier. A data path is a way of specifying the location of a piece of data within an artifact. For example, artifact.cef.sourceAddress is a data path that refers to the source address field of the artifact. A wildcard is a special character that can match any value or subfield within a data path. For example, artifact.*.cef.sourceAddress is a data path that uses a wildcard to match any field name before the cef subfield. This allows the playbook to access the source address data regardless of the field name, which can vary depending on the app or source that generated the artifact. Therefore, option C is the correct answer, as it explains why SOAR uses wildcards within artifact data paths. Option A is incorrect, because wildcards do not make playbooks more specific, but more flexible and adaptable. Option B is incorrect, because wildcards do not make playbooks filter out nulls, but match any value or subfield. Option D is incorrect, because wildcards do not make decision execution in playbooks run faster, but make data access in playbooks easier.

1: Understanding datapaths in Administer Splunk SOAR (Cloud)

In scenarios where there ' s a need to run different on_poll searches for a Splunk Cloud instance from Splunk SOAR, configuring a second Splunk asset for the additional query is a practical solution. Splunk SOAR ' s architecture allows for multiple assets of the same type to be configured with distinct settings. By setting up a second Splunk asset specifically for the second on_poll search query, users can maintain separate configurations and ensure that each query is executed in its intended context without interference. This approach provides flexibility in managing different data collection or monitoring needs within the same SOAR environment.

 A step when configuring event forwarding from Splunk to Phantom is to create a Splunk alert that uses the event_forward.py script to send events to Phantom. This script will convert the Splunk events to CEF format and send them to Phantom as containers. The other options are not valid steps for event forwarding. See  Forwarding events from Splunk to Phantom  for more details.

Configuring event forwarding from Splunk to Phantom typically involves creating a Splunk alert that leverages a script (like event_forward.py) to automatically send triggered event data to Phantom. This setup enables Splunk to act as a detection mechanism that, upon identifying notable events based on predefined criteria, forwards these events to Phantom for further orchestration, automation, and response actions. This integration streamlines the process of incident management by connecting Splunk ' s powerful data analysis capabilities with Phantom ' s orchestration and automation framework.

If, after configuring an external Splunk search head for search in SOAR, the search results do not include content that was previously returned, one possible issue could be that the user account configured on the SOAR side does not have the required permissions (such as the ' phantomsearch ' capability) enabled on the Splunk side. This capability is necessary for the SOAR server to execute searches and retrieve results from the Splunk search head.

The correct answer is C because the last step of the 12A2 design methodology is to list the outputs of the playbook design. The outputs are the expected results or outcomes of the playbook execution, such as sending an email, creating a ticket, blocking an IP, etc. The outputs should be aligned with the objectives and goals of the playbook. See  Splunk SOAR Certified Automation Developer  for more details.

The 12A2 design methodology in the context of Splunk SOAR (formerly Phantom) refers to a structured approach to developing playbooks. The last step in this methodology focuses on defining the outputs of the playbook design. This step is crucial as it outlines what the expected results or actions the playbook should achieve upon its completion. These outputs can vary widely, from sending notifications, creating tickets, updating statuses, to generating reports. Defining the outputs is essential for understanding the playbook ' s impact on the security operation workflows and how it contributes to resolving security incidents or automating tasks.