Splunk SOAR Certified Automation Developer Practice Exam

A practice exam for the Splunk SOAR Certified Automation Developer certification. It consists of multiple-choice questions covering various aspects of Splunk SOAR, such as incident data storage, authentication methods, permission controls, app installation prerequisites, asset management, Service Level Agreements (SLAs), and playbook development. Each question is followed by the correct answer and a brief explanation. The exam covers topics like container management, indicator views, investigation pages, and the use of SPL commands for searching containers. It also tests knowledge of the I2A2 methodology and the Visual Playbook Editor.

Typology: Exams

2024/2025

Available from 12/02/2025

shilpi-jain-1
SPLK 2003 Splunk SOAR Certified Automation Developer Practice Exam

**Question 1.** Which component of Splunk SOAR stores incident data and maintains relationships between containers, artifacts, and notes?
A) Automation Engine
B) Web Server
C) Database
D) Asset Manager
Answer: C
Explanation: The database is the persistent store that holds containers, artifacts, notes, and their interrelationships.

**Question 2.** In a non-containerized Splunk SOAR deployment, which service must be manually started after a system reboot?
A) nginx
B) Splunkd
C) soarsvc
D) postgresql
Answer: C
Explanation: The soarsvc service runs the SOAR platform and does not start automatically on non-container installations.

**Question 3.** Which authentication method allows users to log in using corporate Active Directory credentials without storing passwords in SOAR?
A) Local accounts
B) LDAP
C) SAML
D) OAuth
Answer: B
Explanation: LDAP integration authenticates against AD directly, avoiding password storage in SOAR.

**Question 4.** When creating a new role, which permission controls whether a user can delete containers?
A) Manage Assets
B) Delete Containers
C) Edit Playbooks
D) View Reports
Answer: B
Explanation: The “Delete Containers” permission explicitly grants the ability to remove containers.

**Question 5.** Which of the following is a prerequisite before installing a Splunk SOAR app from the Marketplace?
A) Enable SAML authentication
B) Create an asset instance for the app

Answer: B
Explanation: SOAR has built-in automatic labeling for known indicator types such as phishing_email.

**Question 8.** A Service Level Agreement (SLA) in Splunk SOAR is primarily used to:
A) Encrypt container data at rest
B) Track the time taken to meet a defined response deadline
C) Assign a severity level to a container
D) Define user access rights
Answer: B
Explanation: SLAs measure elapsed time against a target, helping monitor response performance.

**Question 9.** Which view allows an analyst to run an app action on a single artifact without leaving the container page?
A) Analyst Queue
B) Indicator View
C) Investigation Page – Action Tab
D) Playbook Library
Answer: C

Explanation: The Action tab on the Investigation page provides direct access to app actions for artifacts.

**Question 10.** To locate containers that contain the word “ransomware” in the title, which SPL command should be used in the search bar?
A) `index=soar sourcetype=container title="ransomware"`
B) `search container_title="ransomware"`
C) `| where title like "%ransomware%"`
D) `index=soar sourcetype=container | search title="ransomware"`
Answer: D
Explanation: The proper search syntax filters the container sourcetype and then searches the title field.

**Question 11.** Which filter option lets you view only containers that are currently assigned to you?
A) Owner = *
B) Status = Open
C) Assigned To = current_user()
D) Priority = High
Answer: C
Explanation: The “Assigned To” filter with the function current_user() returns containers assigned to the logged-in analyst.

A) Duplicate
B) Parent/Child
C) Related
D) Follow-up
Answer: C
Explanation: The “Related” relationship is the default link type for case management associations.

**Question 15.** A workbook in Splunk SOAR is primarily used to:
A) Automate the creation of assets
B) Define a structured, multi-step investigation process for analysts
C) Generate PDF reports of incidents
D) Store custom Python libraries for playbooks
Answer: B
Explanation: Workbooks provide a guided, phase-based workflow that analysts follow during an investigation.

**Question 16.** Which action marks an artifact as evidence, preventing it from being accidentally deleted?
A) Set Artifact Status = Evidence
B) Add Tag = evidence
C) Lock Artifact
D) Archive Artifact
Answer: A
Explanation: Changing the artifact’s status to “Evidence” locks it from deletion and highlights its importance.

**Question 17.** To add a new severity level called “Critical” that appears above “High,” you must modify which setting?
A) Custom Status Values
B) Severity Configuration
C) SLA Definitions
D) Global Custom Fields
Answer: B
Explanation: Severity configuration defines the order and naming of severity levels.

**Question 18.** Which CEF field is used by Splunk SOAR to map the source IP address of an event?
A) src
B) sourceAddress
C) src_ip
D) srcIp

**Question 21.** Which built-in report provides a count of containers created per day over the past month?
A) Container Activity Summary
B) SLA Breach Report
C) Daily Incident Volume
D) Asset Utilization Report
Answer: C
Explanation: The “Daily Incident Volume” report aggregates container creation by day.

**Question 22.** The System Health display shows the status of which component as “Ready” when the automation engine has no pending jobs?
A) Database
B) Scheduler
C) Playbook Engine
D) Action Queue
Answer: C
Explanation: The Playbook Engine (automation engine) reports “Ready” when idle.

**Question 23.** Which log file would you examine to troubleshoot a failed app action due to authentication errors?
A) system.log
B) action_results.log
C) app_execution.log
D) health.log
Answer: C
Explanation: app_execution.log records details of each app action, including authentication failures.

**Question 24.** The I2A2 methodology stands for Inputs, Interactions, Actions, and __________.
A) Artifacts
B) Alerts
C) Audits
D) Analytics
Answer: A
Explanation: I2A2 emphasizes the flow from inputs to artifacts generated by the playbook.

**Question 25.** In the Visual Playbook Editor, which block type is used to pause execution and request user input?
A) Decision Block
B) Prompt Block

Explanation: The debugger provides step-by-step execution and data inspection.

**Question 28.** Which block type would you use to filter artifacts that contain a file hash ending with “abc123”?
A) Decision Block
B) Filter Block
C) Join Block
D) Format Block
Answer: B
Explanation: Filter blocks evaluate a list and keep only items meeting the specified condition.

**Question 29.** In a Decision Block, the expression `{{artifact.type}} == 'file'` evaluates to true when:
A) The container type is file
B) The artifact’s type field equals the string “file”
C) Any artifact contains the word “file” in its description
D) The playbook’s input parameter is named file
Answer: B
Explanation: The Jinja expression accesses the artifact’s type attribute and compares it.

**Question 30.** The “All” join option in a Join Block proceeds when:
A) At least one incoming path returns data
B) All incoming paths have completed, regardless of data presence
C) Every incoming path returns at least one result item
D) The first path finishes execution
Answer: C
Explanation: “All” requires each incoming branch to produce at least one result before continuing.

**Question 31.** Which block is appropriate for sending an email notification that includes the container’s title and severity?
A) Action Block
B) Format Block
C) Utility Block
D) Prompt Block
Answer: B
Explanation: Format blocks construct templated text (e.g., email bodies) using Jinja.

**Question 32.** When an app action returns a JSON object with a field “response.status”, how would you reference the value in a downstream block?
A) `{{action.results.response.status}}`

D) A Join Block that merges high and critical paths
Answer: B
Explanation: A Filter block can directly evaluate the container’s severity list.

**Question 35.** Which of the following is NOT a supported deployment option for Splunk SOAR?
A) Docker container on Linux
B) Kubernetes Helm chart
C) Virtual Appliance on VMware
D) Azure Functions serverless instance
Answer: D
Explanation: Azure Functions is not an official deployment method for SOAR.

**Question 36.** During an upgrade, which command backs up the SOAR database before applying the new version?
A) `soarsvc backup-db`
B) `sudo soarsvc backup`
C) `soarsvc --export-db`
D) `soarsvc backup-db`
Answer: D
Explanation: The “soarsvc backup-db” command creates a database snapshot.

**Question 37.** Which license type allows unlimited playbook executions but limits the number of containers stored?
A) Enterprise
B) Capacity-Based
C) Execution-Only
D) Evaluation
Answer: C
Explanation: Execution-Only licenses focus on run count while capping storage.

**Question 38.** When configuring LDAP, which attribute maps the LDAP group “SOAR_Admins” to the SOAR role “admin”?
A) roleMapping
B) groupSearchBase
C) roleAttribute
D) groupToRoleMap
Answer: D
Explanation: “groupToRoleMap” defines how LDAP groups translate to SOAR roles.

**Question 39.** Adding a user via the UI requires which of the following mandatory fields?

C) The external products the app integrates with
D) The programming language used to build the app
Answer: C
Explanation: “Supported Platforms” lists third-party technologies the app connects to.

**Question 42.** Which asset type would you select to ingest events directly from a Splunk Enterprise instance?
A) Splunk Search API Asset
B) Splunk Forwarder Asset
C) Splunk HTTP Event Collector (HEC) Asset
D) Splunk Indexer Asset
Answer: A
Explanation: The Splunk Search API asset pulls data via REST searches from Splunk Enterprise.

**Question 43.** To automatically tag containers that contain a malicious IP, which feature should you configure?
A) Auto-Labeling Rule
B) SLA Alert
C) Playbook Trigger
D) Asset Scheduler
Answer: A
Explanation: Auto-Labeling rules evaluate incoming data and apply labels such as “malicious_ip”.

**Question 44.** Which built-in field can be used to sort containers by the time they were last updated?
A) created_time
B) modified_time
C) last_seen
D) updated_at
Answer: B
Explanation: “modified_time” records the most recent update timestamp.

**Question 45.** When a playbook fails at an Action Block, which status is shown on the block in the VPE?
A) Completed
B) Skipped
C) Error
D) Pending
Answer: C
Explanation: The block displays “Error” when the action returns a failure.