SPLK-2003 Splunk SOAR Certified Automation Developer Exam Questions and Answers

The default embedded search engine used by Splunk SOAR (formerly known as Phantom) is the embedded Splunk search engine. Here’s a detailed explanation:

Embedded Splunk Search Engine:

Splunk SOAR uses an embedded, preconfigured version of Splunk Enterprise as its native search engine.

This integration allows for powerful searching capabilities within Splunk SOAR, leveraging Splunk’s robust search and indexing features.

Search Configuration:

While the embedded Splunk search engine is the default, organizations have the option to configure Splunk SOAR to use a different Splunk Enterprise deployment or an external Elasticsearch instance.

This flexibility allows organizations to tailor their search infrastructure to their specific needs and existing environments.

Search Capabilities:

The embedded Splunk search engine enables users to perform complex searches, analyze data, and generate reports directly within the Splunk SOAR platform.

It supports the full range of Splunk’s search processing language (SPL) commands, functions, and visualizations.

References:

Splunk SOAR Documentation: Configure search in Splunk Phantom1.

Splunk SOAR Documentation: Configure search in Splunk SOAR (On-premises)2.

In summary, the embedded Splunk search engine is the default search engine in Splunk SOAR, providing a seamless and powerful search experience for users within the platform. ????

To integrate Splunk Phantom with a Splunk Cloud instance, network communication over certain ports is necessary. The default ports for web traffic are TCP 80 for HTTP and TCP 443 for HTTPS. Since Splunk Cloud instances are accessed over the internet, ensuring that these ports are open is essential for Phantom to communicate with Splunk Cloud for various operations, such as running searches, sending data, and receiving results. It is important to note that TCP 8088 is typically used by Splunk's HTTP Event Collector (HEC), which may also be relevant depending on the integration specifics.

 A step when configuring event forwarding from Splunk to Phantom is to create a Splunk alert that uses the event_forward.py script to send events to Phantom. This script will convert the Splunk events to CEF format and send them to Phantom as containers. The other options are not valid steps for event forwarding. See Forwarding events from Splunk to Phantom for more details.

Configuring event forwarding from Splunk to Phantom typically involves creating a Splunk alert that leverages a script (like event_forward.py) to automatically send triggered event data to Phantom. This setup enables Splunk to act as a detection mechanism that, upon identifying notable events based on predefined criteria, forwards these events to Phantom for further orchestration, automation, and response actions. This integration streamlines the process of incident management by connecting Splunk's powerful data analysis capabilities with Phantom's orchestration and automation framework.

Django filter queries in Splunk SOAR are performed by appending filter parameters directly to the REST API URL. This allows users to refine their search and retrieve specific data. For example, to filter containers by tags containing the word "sumo", the following URL structure would be used: https:// /rest/container?_filter_tags_contains="sumo". This format enables users to construct dynamic queries that can filter results based on specified criteria within the Django framework used by Splunk SOAR.

The correct way to perform a Django filter query in Splunk SOAR is to add parameters to the URL similar to the following: phantom/rest/container?_filter_tags_contains=“sumo”. This will return a list of containers that have the tag “sumo” in them. You can use various operators and fields to filter the results according to your needs. For more details, see Query for Data and Use filters in your Splunk SOAR (Cloud) playbook to specify a subset of artifacts before further processing. The other options are either incorrect or irrelevant for this question. For example:

•phantom/rest/search/app/contains/“sumo” is not a valid URL for a Django filter query. It will return an error message saying “Invalid endpoint”.

•There is no Django Filter Query Editor in the Administration panel of Splunk SOAR. You can use the REST API Tester to test your queries, but not to edit them.

•There is no SOAR Django App that needs to be installed or configured for performing Django filter queries. Splunk SOAR uses the Django framework internally, but you do not need to install or use any additional apps for this purpose.

The correct answer is A because assets provide location, credentials, and other parameters needed to run actions. Assets are configurations that define how Phantom connects to external systems or devices, such as firewalls, endpoints, or threat intelligence sources. Assets specify the app, the IP address or hostname, the username and password, and any other settings required to run actions on the target system or device. The answer B is incorrect because assets do not provide hostnames, passwords, and other artifacts needed to run actions, which are data objects that can be created or retrieved by playbooks. The answer C is incorrect because assets do not provide Python code, REST API, and other capabilities needed to run actions, which are provided by apps. The answer D is incorrect because assets do not provide firewall, network, and data sources needed to run actions, which are external systems or devices that can be connected to by assets. Reference: Splunk SOAR Admin Guide, page 45. Assets in Splunk Phantom are configurations that contain the necessary information for apps to connect to external systems and services. This information can include IP addresses, domain names, credentials like usernames and passwords, and other necessary parameters such as API keys or tokens. These parameters enable the apps to perform actions like running queries, executing commands, or gathering data. Assets do not provide the actual Python code, REST API capabilities, or network infrastructure; they are the bridge between the apps and the external systems with the configuration data needed for successful communication and action execution

The format block in Splunk SOAR is utilized to construct text strings by merging static text with dynamic values, which can then be used for both input to other playbook blocks and output for reports, emails, or other forms of communication. This capability is essential for customizing messages, commands, or data processing tasks within a playbook, allowing for the dynamic insertion of variable data into predefined text templates. This feature enhances the playbook's ability to present information clearly and to execute actions that require specific parameter formats.

In Splunk Phantom, child playbooks can access the action results of a parent playbook through the use of the Scope parameter. When a parent playbook calls a child playbook, it can pass certain data along by setting the Scope parameter to include the desired action results. This parameter is configured within the playbook block that initiates the child playbook. By specifying the appropriate scope, the parent playbook effectively determines what data the child playbook will have access to, allowing for a more modular and organized flow of information between playbooks.

 The correct answer is A because the _filter parameter is used to filter the results based on a field value, and the icontain operator is used to perform a case-insensitive substring match. The filePath field is part of the Common Event Format (CEF) standard, and the cef_ prefix is used to access CEF fields in the REST API. The answer B is incorrect because it uses the wrong syntax for the REST API. The answer C is incorrect because it uses the wrong endpoint (result instead of artifact) and the wrong syntax for the REST API. The answer D is incorrect because it uses the wrong syntax for the REST API and the wrong spelling for the icontains operator. Reference: Splunk SOAR REST API Guide, page 18.

To query and display all artifacts that contain the term "results" in a filePath CEF (Common Event Format) value, using the REST API endpoint with a filter parameter is effective. The filter _filter_cef_filePath_icontain="results" is applied to search within the artifact data for filePath fields that contain the term "results", disregarding case sensitivity. This method allows users to precisely locate and work with artifacts that meet specific criteria, aiding in the investigation and analysis processes within Splunk SOAR.

 The main purpose of using a customized workbook is to guide user activity and coordination during event analysis and case operations. Workbooks can be customized to include different phases, tasks, and instructions for the users. The other options are not valid purposes of using a customized workbook. See Workbooks for more information.

Customized workbooks in Splunk SOAR are designed to guide users through the process of analyzing events and managing cases. They provide a structured framework for documenting investigations, tracking progress, and ensuring that all necessary steps are followed during incident response and case management. This helps in coordinating team efforts, maintaining consistency in response activities, and ensuring that all aspects of an incident are thoroughly investigated and resolved. Workbooks can be customized to fit the specific processes and procedures of an organization, making them a versatile tool for managing security operations.

A filter block with only one condition configured which states: artifact.*.cef .sourceAddress !- , would permit only non-null IP addresses to pass forward to the next block. The !- operator means “is not null”. The other options are not valid because they either include null values or other fields than sourceAddress. See Filter block for more details. A filter block in Splunk SOAR that is configured with the condition artifact.*.cef.sourceAddress != (assuming the intention was to use "!=" to denote 'not equal to') is designed to allow data that has non-null sourceAddress values to pass through to subsequent blocks. This means that any artifact data within the container that includes a sourceAddress field with a defined value (i.e., an actual IP address) will be permitted to move forward in the playbook. The filter effectively screens out any artifacts that do not have a source address specified, focusing the playbook's actions on those artifacts that contain valid IP address information in the sourceAddress field.

Decision blocks are most useful when selecting one (or zero) possible paths in the playbook. Decision blocks allow the user to define one or more conditions based on action results, artifacts, or custom expressions, and execute the corresponding path if the condition is met. If none of the conditions are met, the playbook execution ends. Decision blocks are not used for processing different data in parallel, evaluating complex, multi-value results or artifacts, or modifying downstream data in one or more paths in the playbook. Decision blocks within Splunk Phantom playbooks are used to control the flow of execution based on certain criteria. They are most useful when you need to select one or potentially no paths for the playbook to follow, based on the evaluation of specified conditions. This is akin to an if-else or switch-case logic in programming where depending on the conditions met, a particular path is chosen for further actions. Decision blocks evaluate the data and direct the playbook to different paths accordingly, making them a fundamental component for creating dynamic and responsive automation workflows.

The severity of a container in Splunk Phantom can be set manually or automatically during the ingestion process. In addition to these methods, playbooks can also change the severity of a container. Playbooks are automated workflows that define a series of actions based on certain triggers and conditions. Within a playbook, actions can be defined to adjust the severity level of a container depending on the analysis of the event data, the outcome of actions taken, or other contextual factors. This dynamic adjustment allows for a more accurate and responsive incident prioritization as new information becomes available during the investigation process.

Within Splunk SOAR, containers (which represent incidents, cases, or events) have a lifecycle that is tracked through their status. The default statuses available without any customization are "New", "In Progress", and "Closed". These statuses help in organizing and managing the incident response process, allowing users to easily track the progress of investigations and responses from initial detection through to resolution.

Filter blocks are used to add information to custom lists in Phantom VPE. Filter blocks allow the user to specify a list name and a filter expression to select the data to be added to the list. Action blocks are used to execute app actions, API blocks are used to make REST API calls, and decision blocks are used to evaluate conditions and branch the playbook execution. In the Phantom Visual Playbook Editor (VPE), an API block is used to interact with various external APIs, including custom lists within Phantom. Custom lists are key-value stores that can be used to maintain state, aggregate data, or track information across multiple playbook runs. API blocks allow the playbook to make GET, POST, PUT, and DELETE requests to these lists, facilitating the addition, retrieval, update, or removal of information. This makes API blocks a versatile tool in managing custom list data within playbooks.

Splunk SOAR supports multiple user authentication methods to ensure secure access to the platform. Apart from LDAP (Lightweight Directory Access Protocol) and SAML2 (Security Assertion Markup Language 2.0), SOAR also supports PIV (Personal Identity Verification) and CAC (Common Access Card) as authentication methods. These are particularly used in government and military organizations for secure and authenticated access to systems, providing a high level of security through physical tokens or cards that contain encrypted user credentials.

To limit the impact of custom code on the Visual Playbook Editor (VPE) in Splunk SOAR, custom code should be placed within a custom function block. Custom function blocks are designed to encapsulate code within a playbook, allowing users to input their own Python code and execute it as part of the playbook run. By confining custom code to these blocks, it maintains the VPE's performance and stability by isolating the custom code from the core functions of the playbook.

A custom function block is a way of adding custom Python code to your playbook, which can expand the functionality and processing of your playbook logic. Custom functions can also interact with the REST API in a customizable way. You can share custom functions across your team and across multiple playbooks to increase collaboration and efficiency. To create custom functions, you must have Edit Code permissions, which can be configured by an Administrator in Administration > User Management > Roles and Permissions. Therefore, option C is the correct answer, as it is the recommended way of placing custom code on the VPE, which limits the impact of custom code on the VPE performance and security. Option A is incorrect, because a custom container or a separate KV store are not valid ways of placing custom code on the VPE, but rather ways of storing data or artifacts. Option B is incorrect, because a separate code repository is not a way of placing custom code on the VPE, but rather a way of managing and versioning your code outside of Splunk SOAR. Option D is incorrect, because a separate container is not a way of placing custom code on the VPE, but rather a way of creating a new event or case.

1: Add custom code to your Splunk SOAR (Cloud) playbook with the custom function block using the classic playbook editor

Indicators in Splunk SOAR (formerly Phantom) are crucial elements used to detect and respond to security incidents. Let’s break down what indicators are and their significance:

Definition of Indicators:

Indicators are data points or patterns that suggest the presence of malicious activity or potential security threats.

They can be anything from IP addresses, domain names, file hashes, URLs, email addresses, or other observable artifacts.

Indicators help security teams identify and correlate events across different sources to understand the scope and impact of an incident.

Types of Indicators:

Observable Indicators: These are directly observable artifacts, such as IP addresses, domain names, or file hashes.

Behavioral Indicators: These describe patterns of behavior, such as failed login attempts, lateral movement, or suspicious network traffic.

Contextual Indicators: These provide additional context around an event, such as the user account associated with an action or the time of occurrence.

Use Cases for Indicators:

Threat Detection: Security analysts create rules or playbooks that trigger based on specific indicators. For example, an indicator like a known malicious IP address can trigger an alert.

Incident Response: During an incident, indicators help identify affected systems, track lateral movement, and prioritize response efforts.

Threat Intelligence Sharing: Organizations share indicators with each other to improve collective security posture.

Multiple Containers:

Indicators can appear in multiple containers (playbooks, actions, etc.) within Splunk SOAR.

For example, an IP address associated with a suspicious domain might appear in both a threat intelligence playbook and an incident response playbook.

Artifact Values vs. Indicators:

While artifact values are related, they are not the same as indicators.

Artifact values represent specific data extracted from an artifact (e.g., extracting an IP address from an email header).

Indicators encompass a broader range of data points and are used for detection and correlation.

References:

Splunk SOAR Documentation: Indicators

Splunk SOAR Community: Understanding Indicators

In the Splunk SOAR platform, when writing a custom function in Python to handle data such as extracting a domain name from a URL, you can create a new artifact using the Python API call phantom.create_artifact(). This function allows you to specify the details of the new artifact, such as the type, CEF (Common Event Format) data, container it belongs to, and other relevant information necessary to create an artifact within the system.

To get playbook results for a single artifact, a user can utilize the contextual menu option directly from the artifact itself. This method allows for targeted execution of a playbook on just that artifact, facilitating a focused analysis or action based on the data within that specific artifact. This approach is particularly useful when a user needs to drill down into the details of an individual piece of evidence or data point within a larger incident or case, allowing for granular control and execution of playbooks in the Splunk SOAR environment.

The Splunk SOAR Automation Broker does not require inbound/ingress network connections from the Splunk SOAR (Cloud) or (On-premises) instance. Instead, it requires only outbound/egress connectivity. The Automation Broker is responsible for securely communicating with SOAR to execute actions, retrieve data, and send results, but this communication is initiated from the Automation Broker towards SOAR, using outbound connections (typically over TCP port 443). This ensures that no inbound connections need to be established, which simplifies firewall and security configurations.

Thus, option D is the incorrect statement, making it the right answer for this question.

References:

Splunk SOAR Documentation: Automation Broker Requirements.

Splunk SOAR Cloud and On-Premises Deployment Guide.

Under Asset Ingestion Settings in Splunk SOAR, when configuring an asset, the number of labels that must be applied can be zero or more. Labels are optional and are used to categorize data and control access. They are not a requirement under Asset Ingestion Settings, but they can be used to enhance organization and filtering if chosen.

The image shows a user interface of “splunk>phantom” with a search bar at the top, where a search for “Malware” has been initiated. The tabs labeled “Events,” “Indicators,” “Cases,” and “Tasks” suggest that the search functionality could span across various container fields within the Splunk SOAR environment. Typically, the search would include fields that are most relevant to the user’s query, which in this case, are likely to be the Event Name and Artifact Names. These fields are central to identifying and categorizing events and artifacts within Splunk SOAR, making them primary targets for a search term like “Malware” which is commonly associated with security events and indicators17.

References:

Understanding containers - Splunk Documentation

Configuring SOAR search to use an external Splunk server allows for the automation of Splunk searches within SOAR. This integration enables Splunk SOAR to leverage the powerful search capabilities of an external Splunk Cloud Platform or Enterprise instance, thereby enhancing the ability to search for Splunk SOAR data using Splunk’s search language (SPL). It also facilitates the use of universal forwarders to send SOAR data to your Splunk deployment12. While the other options may be benefits of using Splunk in general, the specific advantage of configuring SOAR search with an external Splunk server is the automation of searches, which can streamline the process of querying and analyzing SOAR data within the Splunk environment12.

References:

Splunk SOAR documentation on configuring search in Splunk SOAR1.

Splunk SOAR documentation on understanding the remote-search service in Splunk App for SOAR2

In Splunk SOAR, once an artifact is entered, it cannot be modified. An artifact refers to a piece of data associated with a specific container, such as log files, emails, or other relevant information in an incident. The immutable nature of artifacts ensures the integrity and forensic value of the data. By preventing modification after creation, SOAR maintains a secure and audit-compliant environment, ensuring that data remains trustworthy throughout the incident's lifecycle. However, containers, comments, and notes can be updated or modified, making artifacts unique in their immutability.

References:

Splunk SOAR User Guide: Artifacts and Containers.

Splunk SOAR Best Practices for Incident Management.

The Investigation view in Splunk SOAR provides a comprehensive and holistic view of an incident. This view includes vital details such as event metadata, Service Level Agreement (SLA) status, severity, sensitivity of the event, and other relevant information. It allows analysts to track and manage incidents effectively by presenting a clear picture of all aspects of the investigation process. This view is designed to help users take timely actions based on critical data points, making it a pivotal feature for incident response teams.

Other views like Executive or Analyst may focus on specific reporting or technical details, but the Investigation view provides the most complete perspective on the incident and its progress.

References:

Splunk SOAR Documentation: Investigation View Overview.

Splunk SOAR Incident Response Best Practices.

The correct answer is C because creating artifacts using one playbook and collecting those artifacts in another playbook is a best practice for data sharing across playbooks. Artifacts are data objects that are associated with a container and can be used to store information such as IP addresses, URLs, file hashes, etc. Artifacts can be created using the add artifact action in any playbook block and can be collected using the get artifacts action in the filter block. Artifacts can also be used to trigger active playbooks based on their label or type. See Splunk SOAR Documentation for more details.

In the context of Splunk SOAR, one of the best practices for data sharing across playbooks is to create artifacts in one playbook and use another playbook to collect and utilize those artifacts. Artifacts in Splunk SOAR are structured data related to security incidents (containers) that playbooks can act upon. By creating artifacts in one playbook, you can effectively pass data and context to subsequent playbooks, allowing for modular, reusable, and interconnected playbook designs. This approach promotes efficiency, reduces redundancy, and enhances the playbook's ability to handle complex workflows.

When the Splunk App for SOAR Export executes a Splunk search, it typically involves mapping Common Information Model (CIM) fields from Splunk to the Common Event Format (CEF) used by SOAR, after which a container is created on the SOAR server to house the related artifacts and information. This process allows for the integration of data between Splunk, which uses CIM for data normalization, and Splunk SOAR, which uses CEF as its data format for incidents and events.

Splunk App for SOAR Export is responsible for sending data from your Splunk Enterprise or Splunk Cloud instances to Splunk SOAR. The Splunk App for SOAR Export acts as a translation service between the Splunk platform and Splunk SOAR by performing the following tasks:

•Mapping fields from Splunk platform alerts, such as saved searches and data models, to CEF fields.

•Translating CIM fields from Splunk Enterprise Security (ES) notable events to CEF fields.

•Forwarding events in CEF format to Splunk SOAR, which are stored as artifacts.

Therefore, option B is the correct answer, as it states the activities that are completed when the Splunk App for SOAR Export executes a Splunk search. Option A is incorrect, because CEF fields are not mapped to CIM fields, but the other way around. Option C is incorrect, because a container is not created on the Splunk server, but on the SOAR server. Option D is incorrect, because a container is not created on the Splunk server, but on the SOAR server.

The simplest way to pass data between playbooks in Splunk SOAR is through the use of artifacts. Artifacts are objects that can store data and are associated with containers. When multiple playbooks work on a single container, they can access and manipulate the same set of artifacts, allowing for seamless data transfer between playbooks. This method is straightforward and does not require additional setup or management of external storage systems, making it the most direct and efficient way to pass data within the Splunk SOAR environment1.

References:

Passing data between SOAR playbooks - Splunk Lantern

Splunk Phantom supports incremental backups in addition to full backups. An incremental backup is a type of backup that only copies the data that has changed since the last backup (whether that was a full backup or another incremental backup). This method is more storage-efficient than a full backup because it does not repeatedly back up the same data, reducing the amount of storage required and speeding up the backup process. Differential backups, which record the changes since the last full backup, and partial backups, which allow the selection of specific data to back up, are not standard backup types offered by Splunk Phantom according to its documentation.

In scenarios where there's a need to run different on_poll searches for a Splunk Cloud instance from Splunk SOAR, configuring a second Splunk asset for the additional query is a practical solution. Splunk SOAR's architecture allows for multiple assets of the same type to be configured with distinct settings. By setting up a second Splunk asset specifically for the second on_poll search query, users can maintain separate configurations and ensure that each query is executed in its intended context without interference. This approach provides flexibility in managing different data collection or monitoring needs within the same SOAR environment.