A practice exam for the Splunk SOAR Certified Automation Developer certification. It includes multiple-choice questions covering various aspects of Splunk SOAR, such as incident data storage, authentication methods, permission controls, app installation prerequisites, asset management, service level agreements (SLAs), and playbook development. Each question is followed by the correct answer and a brief explanation. The exam covers topics like container management, indicator views, investigation pages, and the use of SPL commands for searching containers. It also tests knowledge of the I2A2 methodology and the Visual Playbook Editor.
Typology: Exams
Question 1. Which component of Splunk SOAR stores incident data and maintains relationships between containers, artifacts, and notes?
A) Automation Engine
B) Web Server
C) Database
D) Asset Manager
Answer: C
Explanation: The database is the persistent store that holds containers, artifacts, notes, and their inter‑relationships.

Question 2. In a non‑containerized Splunk SOAR deployment, which service must be manually started after a system reboot?
A) nginx
B) Splunkd
C) soarsvc
D) postgresql
Answer: C
Explanation: The soarsvc service runs the SOAR platform and does not start automatically on non‑container installations.

Question 3. Which authentication method allows users to log in using corporate Active Directory credentials without storing passwords in SOAR?
A) Local accounts
B) LDAP
C) SAML
D) OAuth
Answer: B
Explanation: LDAP integration authenticates against AD directly, avoiding password storage in SOAR.

Question 4. When creating a new role, which permission controls whether a user can delete containers?
A) Manage Assets
B) Delete Containers
C) Edit Playbooks
D) View Reports
Answer: B
Explanation: The “Delete Containers” permission explicitly grants the ability to remove containers.

Question 5. Which of the following is a prerequisite before installing a Splunk SOAR app from the Marketplace?
A) Enable SAML authentication
B) Create an asset instance for the app

Answer: B
Explanation: SOAR has built‑in automatic labeling for known indicator types such as phishing_email.

Question 8. A Service Level Agreement (SLA) in Splunk SOAR is primarily used to:
A) Encrypt container data at rest
B) Track the time taken to meet a defined response deadline
C) Assign a severity level to a container
D) Define user access rights
Answer: B
Explanation: SLAs measure elapsed time against a target, helping monitor response performance.

Question 9. Which view allows an analyst to run an app action on a single artifact without leaving the container page?
A) Analyst Queue
B) Indicator View
C) Investigation Page – Action Tab
D) Playbook Library
Answer: C
Explanation: The Action tab on the Investigation page provides direct access to app actions for artifacts.

Question 10. To locate containers that contain the word “ransomware” in the title, which SPL command should be used in the search bar?
A) index=soar sourcetype=container title="ransomware"
B) search container_title="ransomware"
C) | where title like "%ransomware%"
D) index=soar sourcetype=container | search title="ransomware"
Answer: D
Explanation: The proper search syntax filters the container sourcetype and then searches the title field.

Question 11. Which filter option lets you view only containers that are currently assigned to you?
A) Owner = *
B) Status = Open
C) Assigned To = current_user()
D) Priority = High
Answer: C
Explanation: The “Assigned To” filter with the function current_user() returns containers assigned to the logged‑in analyst.

A) Duplicate
B) Parent/Child
C) Related
D) Follow‑up
Answer: C
Explanation: The “Related” relationship is the default link type for case management associations.

Question 15. A workbook in Splunk SOAR is primarily used to:
A) Automate the creation of assets
B) Define a structured, multi‑step investigation process for analysts
C) Generate PDF reports of incidents
D) Store custom Python libraries for playbooks
Answer: B
Explanation: Workbooks provide a guided, phase‑based workflow that analysts follow during an investigation.

Question 16. Which action marks an artifact as evidence, preventing it from being accidentally deleted?
A) Set Artifact Status = Evidence
B) Add Tag = evidence
C) Lock Artifact
D) Archive Artifact
Answer: A
Explanation: Changing the artifact’s status to “Evidence” locks it from deletion and highlights its importance.

Question 17. To add a new severity level called “Critical” that appears above “High,” you must modify which setting?
A) Custom Status Values
B) Severity Configuration
C) SLA Definitions
D) Global Custom Fields
Answer: B
Explanation: Severity configuration defines the order and naming of severity levels.

Question 18. Which CEF field is used by Splunk SOAR to map the source IP address of an event?
A) src
B) sourceAddress
C) src_ip
D) srcIp

Question 21. Which built‑in report provides a count of containers created per day over the past month?
A) Container Activity Summary
B) SLA Breach Report
C) Daily Incident Volume
D) Asset Utilization Report
Answer: C
Explanation: The “Daily Incident Volume” report aggregates container creation by day.

Question 22. The System Health display shows the status of which component as “Ready” when the automation engine has no pending jobs?
A) Database
B) Scheduler
C) Playbook Engine
D) Action Queue
Answer: C
Explanation: The Playbook Engine (automation engine) reports “Ready” when idle.

Question 23. Which log file would you examine to troubleshoot a failed app action due to authentication errors?
A) system.log
B) action_results.log
C) app_execution.log
D) health.log
Answer: C
Explanation: app_execution.log records details of each app action, including authentication failures.

Question 24. The I2A2 methodology stands for Inputs, Interactions, Actions, and __________.
A) Artifacts
B) Alerts
C) Audits
D) Analytics
Answer: A
Explanation: I2A2 emphasizes the flow from inputs to artifacts generated by the playbook.

Question 25. In the Visual Playbook Editor, which block type is used to pause execution and request user input?
A) Decision Block
B) Prompt Block

Explanation: The debugger provides step‑by‑step execution and data inspection.

Question 28. Which block type would you use to filter artifacts that contain a file hash ending with “abc123”?
A) Decision Block
B) Filter Block
C) Join Block
D) Format Block
Answer: B
Explanation: Filter blocks evaluate a list and keep only items meeting the specified condition.

Question 29. In a Decision Block, the expression “{{artifact.type}} == 'file'” evaluates to true when:
A) The container type is file
B) The artifact’s type field equals the string “file”
C) Any artifact contains the word “file” in its description
D) The playbook’s input parameter is named file
Answer: B
Explanation: The Jinja expression accesses the artifact’s type attribute and compares it.

Question 30. The “All” join option in a Join Block proceeds when:
A) At least one incoming path returns data
B) All incoming paths have completed, regardless of data presence
C) Every incoming path returns at least one result item
D) The first path finishes execution
Answer: C
Explanation: “All” requires each incoming branch to produce at least one result before continuing.

Question 31. Which block is appropriate for sending an email notification that includes the container’s title and severity?
A) Action Block
B) Format Block
C) Utility Block
D) Prompt Block
Answer: B
Explanation: Format blocks construct templated text (e.g., email bodies) using Jinja.

Question 32. When an app action returns a JSON object with a field “response.status”, how would you reference the value in a downstream block?
A) {{action.results.response.status}}

D) A Join Block that merges high and critical paths
Answer: B
Explanation: A Filter block can directly evaluate the container’s severity list.

Question 35. Which of the following is NOT a supported deployment option for Splunk SOAR?
A) Docker container on Linux
B) Kubernetes Helm chart
C) Virtual Appliance on VMware
D) Azure Functions serverless instance
Answer: D
Explanation: Azure Functions is not an official deployment method for SOAR.

Question 36. During an upgrade, which command backs up the SOAR database before applying the new version?
A) soarsvc backup-db
B) sudo soarsvc backup
C) soarsvc --export-db
D) soarsvc backup-db
Answer: D
Explanation: The “soarsvc backup-db” command creates a database snapshot.

Question 37. Which license type allows unlimited playbook executions but limits the number of containers stored?
A) Enterprise
B) Capacity‑Based
C) Execution‑Only
D) Evaluation
Answer: C
Explanation: Execution‑Only licenses focus on run count while capping storage.

Question 38. When configuring LDAP, which attribute maps the LDAP group “SOAR_Admins” to the SOAR role “admin”?
A) roleMapping
B) groupSearchBase
C) roleAttribute
D) groupToRoleMap
Answer: D
Explanation: “groupToRoleMap” defines how LDAP groups translate to SOAR roles.

Question 39. Adding a user via the UI requires which of the following mandatory fields?

C) The external products the app integrates with
D) The programming language used to build the app
Answer: C
Explanation: “Supported Platforms” lists third‑party technologies the app connects to.

Question 42. Which asset type would you select to ingest events directly from a Splunk Enterprise instance?
A) Splunk Search API Asset
B) Splunk Forwarder Asset
C) Splunk HTTP Event Collector (HEC) Asset
D) Splunk Indexer Asset
Answer: A
Explanation: The Splunk Search API asset pulls data via REST searches from Splunk Enterprise.

Question 43. To automatically tag containers that contain a malicious IP, which feature should you configure?
A) Auto‑Labeling Rule
B) SLA Alert
C) Playbook Trigger
D) Asset Scheduler
Answer: A
Explanation: Auto‑Labeling rules evaluate incoming data and apply labels such as “malicious_ip”.

Question 44. Which built‑in field can be used to sort containers by the time they were last updated?
A) created_time
B) modified_time
C) last_seen
D) updated_at
Answer: B
Explanation: “modified_time” records the most recent update timestamp.

Question 45. When a playbook fails at an Action Block, which status is shown on the block in the VPE?
A) Completed
B) Skipped
C) Error
D) Pending
Answer: C
Explanation: The block displays “Error” when the action returns a failure.