Splunk SOAR Certified Automation Developer


The Splunk SOAR Certified Automation Developer exam, previously known as the Splunk Phantom Certified Admin exam, covers the full lifecycle of a SOAR deployment: installing and configuring the SOAR server, integrating it with the Splunk platform, and planning, designing, building, and troubleshooting playbooks. Passing it validates that you can run a SOAR instance and build automation on it, including playbooks that use custom Python code and the SOAR REST API.

Who Should Pursue This Certification?

  • Cybersecurity Professionals: Strengthen your skills and demonstrate proficiency in one of the fastest-growing fields by mastering the Splunk SOAR platform.
  • SOC Analysts: Elevate your career and establish yourself as a cybersecurity authority with advanced SOAR expertise.
  • Splunk Enterprise Security Administrators: Stay competitive in the industry as more organizations adopt comprehensive cybersecurity tools alongside their Splunk Enterprise Security setups.

Exam Details

The Splunk SOAR Certified Automation Developer exam is a professional-level certification with no prerequisites. It consists of 45 multiple-choice questions in 60 minutes and is delivered through Splunk's testing partner, Pearson VUE.

Course Outline

The topics listed below serve as general guidelines for the exam content; however, additional related subjects may also be included in any specific exam version.

1.0 Deployment, Installation, and Initial Configuration 5%

1.1 Describe SOAR operating concepts (Splunk Documentation: Use Splunk SOAR (Cloud))

1.2 Identify documentation and community resources (Splunk Documentation: Resources)

1.3 Identify installation and upgrade options

1.4 Describe SOAR architecture (Splunk Documentation: Splunk SOAR (Cloud))

1.5 Configure licenses, administration, and product settings (Splunk Documentation: Configure license)

2.0 User Management 5%

2.1 Configure authentication options

2.2 Add users (Splunk Documentation: Add or remove users)

2.3 Add roles (Splunk Documentation: Configure users and roles)

3.0 Apps, Assets, and Playbooks 5%

3.1 Configure apps

3.2 Configure assets (Splunk Documentation: Configure assets)

3.3 Configure data ingestion assets

3.4 Configure labels and SLAs (Splunk Documentation: Configure labels to apply to containers, Configure the response times for service level agreements)

3.5 Manage playbooks (Splunk Documentation: Manage settings for a playbook in Splunk SOAR (Cloud))

4.0 Analyst Queue 5%

4.1 Use the Analyst Queue (Splunk Documentation: Configure the settings for the analyst queue)

4.2 Use search features

4.3 Create filters

4.4 Use the indicator view

5.0 The Investigation Page 10%

5.1 Use the Investigation page to work on events

5.2 Manually run actions and examine action results (Splunk Documentation: Automate incident response with playbooks and actions)

5.3 Manually run playbooks (Splunk Documentation: Run a playbook in Splunk SOAR (On-premises))

5.4 Use the file tab to store related files

6.0 Case Management and Workbooks 5%

6.1 Use case management for complex investigations (Splunk Documentation: Managing cases in SOAR)

6.2 Use workbooks (Splunk Documentation: Administer Splunk SOAR (Cloud))

6.3 Mark items as evidence (Splunk Documentation: Mark files and events as evidence in Splunk SOAR (Cloud))

7.0 Customizations 5%

7.1 Customize severity levels (Splunk Documentation: Create custom severity names and control severity inheritance)

7.2 Customize CEF fields (Splunk Documentation: Create custom CEF fields)

7.3 Customize status values

7.4 Customize workbooks (Splunk Documentation: Define tasks using workbooks)

7.5 Add global custom fields to containers (Splunk Documentation: Create custom fields to filter Splunk SOAR (Cloud) events)

8.0 System Maintenance 5%

8.1 Run reports

8.2 Use system health displays (Splunk Documentation: Monitor system health)

8.3 Examine health logs (Splunk Documentation: Investigate feature health status changes)


9.0 Introduction to Playbooks 5%

9.1 Understand automation best practices

9.2 Describe playbook capabilities (Splunk Documentation: Use playbooks to automate analyst workflows in Splunk SOAR (Cloud))

9.3 Determine available app actions (Splunk Documentation: Add and configure apps and assets to provide actions in Splunk SOAR (Cloud))

9.4 Use I2A2 design methodology

10.0 Visual Playbook Editor 5%

10.1 Use the visual playbook editor (Splunk Documentation: Create a new playbook in Splunk SOAR)

10.2 Execute actions from a playbook (Splunk Documentation: Automate incident response with playbooks and actions in Splunk Mission Control)

10.3 Test new playbooks (Splunk Documentation: Develop, test, and deploy playbooks in Splunk SOAR (Cloud))

11.0 Logic, Filters, and User Interaction 5%

11.1 Use decision blocks (Splunk Documentation: Use decisions to send Splunk SOAR (Cloud) artifacts)

11.2 Use filter blocks to process data (Splunk Documentation: Use filters to separate Splunk SOAR (Cloud) artifacts)

11.3 Describe the use of different join options

11.4 Interact with users during playbook execution (Splunk Documentation: Playbook automation API)

12.0 Formatted Output and Data Access 5%

12.1 Use Format blocks to structure data

12.2 Understand the structure of action results (Splunk Documentation: Understanding datapaths)

12.3 Compose datapaths to access data (Splunk Documentation: Specify a datapath in your playbook)

12.4 Use the utility block to modify containers (Splunk Documentation: Add functionality to your playbook in Splunk SOAR (Cloud) using the Utility block)
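Objectives 12.2 and 12.3 turn on reading datapaths: a datapath names a source (the container, the artifact list, or a named action block's results) and then a dotted path into that source, with `*` fanning out over a list so that one datapath yields one value per artifact or result row. The resolver below is an added illustration of that grammar written for this page; it is not Splunk's implementation, and the container, artifacts and action results are constructed sample data. It also shows the practical caveat that fanned-out lists do not stay positionally aligned when some artifacts lack a field.

```python
"""Resolve Splunk SOAR-style datapaths against constructed container data.

Added illustration for this page, not Splunk's code. Three documented datapath shapes are handled:
  container:<field>                        -> one value from the container record
  artifact:*.cef.<field>                   -> one value per artifact that has the field
  <block>:action_result.data.*.<field>     -> one value per result row of that action block
"""

# Constructed sample data (hypothetical container, artifacts and action results).
CONTAINER = {"id": 42, "name": "Suspicious outbound connections", "severity": "high", "label": "events"}

ARTIFACTS = [
    {"id": 1, "cef": {"sourceAddress": "10.1.2.3", "destinationAddress": "198.51.100.7", "destinationPort": 443}},
    {"id": 2, "cef": {"sourceAddress": "10.1.2.3", "destinationAddress": "203.0.113.9"}},
    {"id": 3, "cef": {"sourceAddress": "10.1.9.8"}},  # no destinationAddress at all
]

# Results of a hypothetical block named geolocate_ip_1: one action_result per parameter set,
# each carrying a 'data' list of result rows, mirroring the action result layout in 12.2.
ACTION_RESULTS = {
    "geolocate_ip_1": [
        {"status": "success", "parameter": {"ip": "198.51.100.7"}, "data": [{"ip": "198.51.100.7", "country_name": "Netherlands"}]},
        {"status": "success", "parameter": {"ip": "203.0.113.9"}, "data": [{"ip": "203.0.113.9", "country_name": "Brazil"}]},
    ],
}


def _walk(value, parts):
    """Follow dotted path parts into nested dicts/lists; '*' fans out over a list."""
    if not parts:
        return [value]
    head, rest = parts[0], parts[1:]
    if head == "*":
        if not isinstance(value, list):
            return []
        collected = []
        for item in value:
            collected.extend(_walk(item, rest))
        return collected
    if isinstance(value, dict) and head in value:
        return _walk(value[head], rest)
    # A missing key contributes nothing: an artifact without the field simply yields no value,
    # which is why two fanned-out datapaths cannot be assumed to line up index by index.
    return []


def resolve(datapath, container=CONTAINER, artifacts=ARTIFACTS, action_results=ACTION_RESULTS):
    """Return the list of values a datapath selects from the supplied data."""
    source, _, path = datapath.partition(":")
    parts = path.split(".")
    if source == "container":
        return _walk(container, parts)
    if source == "artifact":
        return _walk(artifacts, parts)
    if parts[0] == "action_result":
        # <block>:action_result.X walks every action_result of that block, then X within each.
        return _walk(action_results.get(source, []), ["*"] + parts[1:])
    raise ValueError(f"unsupported datapath source: {datapath}")


def unique_block_targets():
    """Deduplicated destination addresses, the kind of list you would feed a 'block ip' action."""
    return sorted(set(resolve("artifact:*.cef.destinationAddress")))


if __name__ == "__main__":
    print(resolve("container:id"))
    print(resolve("artifact:*.cef.sourceAddress"))          # three values, one per artifact
    print(resolve("artifact:*.cef.destinationAddress"))     # two values: artifact 3 has none
    print(resolve("geolocate_ip_1:action_result.data.*.country_name"))
    print(unique_block_targets())
```

Note that `artifact:*.cef.sourceAddress` produces three values while `artifact:*.cef.destinationAddress` produces two, so pairing the two lists by index would attribute a destination to the wrong source. When a block needs matched fields from the same artifact, route the artifacts through a filter block (objective 11.2) or work on the artifact records rather than on two independently fanned-out datapaths.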

13.0 Modular Playbook Development 5%

13.1 Design modular solutions with interacting playbooks

13.2 Invoke child playbooks from a parent (Splunk Documentation: Run other playbooks inside your playbook in Splunk SOAR (Cloud))

13.3 Exchange data between playbooks (Splunk Documentation: Specify data in your playbook)

14.0 Custom Lists and Data Routing 5%

14.1 Create custom lists (Splunk Documentation: Create custom lists for use in Splunk SOAR)

14.2 Access lists from playbooks (Splunk Documentation: Use Splunk SOAR (On-premises))

14.3 Use filters to control data flow (Splunk Documentation: Route and filter data)

15.0 Configuring External Splunk Search 5%

15.1 Describe the benefits of externalizing search to Splunk

15.2 Configure the SOAR instance for externalization (Splunk Documentation: Install and Upgrade Splunk SOAR)

15.3 Configure the Splunk instance for externalization (Splunk Documentation: Ways you can configure Splunk software)

15.4 Use reindex to push existing content to the Splunk instance

15.5 Use the Splunk app for Phantom Reporting (Splunk Documentation: About the Splunk Phantom App for Splunk)

16.0 Integrating SOAR into Splunk 10%

16.1 Install the Splunk App for SOAR Export (Splunk Documentation: Install the Splunk App for SOAR Export)

16.2 Send Enterprise Security notables to SOAR (Splunk Documentation: Run adaptive response actions in Splunk ES)

16.3 Install and configure the Splunk app in SOAR (Splunk Documentation: Configure the service with Splunk App for SOAR)

16.4 Use Splunk search from playbooks (Splunk Documentation: Search with action and playbook data in Splunk Mission Control)

17.0 Custom Coding 5%

17.1 Describe when and when not to use the global block (Splunk Documentation: Add a new block to your Splunk SOAR)

17.2 Use custom function blocks

17.3 Write and test custom SOAR code (Splunk Documentation: Add custom code to your Splunk SOAR)

18.0 Using REST 5%

18.1 Describe the capabilities of SOAR REST API (Splunk Documentation: Using the REST API reference for Splunk SOAR (Cloud))

18.2 Use Django queries to search for data in SOAR

18.3 Use SOAR REST from other systems to access SOAR data (Splunk Documentation: Using the REST API reference for Splunk SOAR (Cloud))
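Objectives 18.2 and 18.3 come together when an external system queries SOAR: the REST API exposes resources under `/rest/<resource>`, authenticates an automation user with the `ph-auth-token` header, and accepts Django-style filters as query parameters of the form `_filter_<field>__<lookup>=<JSON value>`, returning a paged envelope with `count`, `num_pages` and `data`. The client below is an added example written for this page, not Splunk's code or a Splunk SDK; the host name, token placeholder and the two response pages are constructed, and the HTTP call is injectable so the pagination logic can be exercised offline.

```python
"""Query Splunk SOAR containers over REST with Django-style filters.

Added example for this page, not Splunk's code. It assumes the documented SOAR REST
conventions: /rest/container, the ph-auth-token header, _filter_<field>__<lookup>
parameters whose values are JSON-encoded, and a paged response envelope of
{"count": N, "num_pages": M, "data": [...]}.
"""
import json
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

SOAR_BASE = "https://soar.example.internal"           # hypothetical SOAR host
SOAR_TOKEN = "REPLACE_WITH_AUTOMATION_USER_TOKEN"     # hypothetical automation-user token


def build_container_query(filters, page_size=100, page=0, sort="create_time", order="desc"):
    """Build GET /rest/container URL. Filter values are JSON-encoded: strings quoted, ints bare."""
    params = {f"_filter_{field}": json.dumps(value) for field, value in filters.items()}
    params.update({"page_size": page_size, "page": page, "sort": sort, "order": order})
    return f"{SOAR_BASE}/rest/container?{urlencode(params)}"


def soar_get(url, token=SOAR_TOKEN, timeout=30):
    """Issue a GET with the ph-auth-token header; urllib verifies TLS by default, keep it that way."""
    request = urllib.request.Request(url, headers={"ph-auth-token": token})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


def fetch_all_containers(filters, http_get=soar_get, page_size=100):
    """Walk every page of the result set using the num_pages field of the envelope."""
    page, rows = 0, []
    while True:
        body = http_get(build_container_query(filters, page_size=page_size, page=page))
        rows.extend(body.get("data", []))
        page += 1
        if page >= body.get("num_pages", 1):
            return rows


def summarize(rows):
    """Reduce container records to the fields an external ticketing or reporting system usually wants."""
    return [{"id": r["id"], "name": r["name"], "severity": r["severity"], "status": r["status"]} for r in rows]


# Constructed two-page response for offline use; field names follow the container schema.
CONSTRUCTED_PAGES = [
    {"count": 3, "num_pages": 2, "data": [
        {"id": 101, "name": "Phishing report", "severity": "high", "status": "new", "label": "events"},
        {"id": 102, "name": "Malware beacon", "severity": "high", "status": "new", "label": "events"},
    ]},
    {"count": 3, "num_pages": 2, "data": [
        {"id": 103, "name": "Credential stuffing", "severity": "high", "status": "new", "label": "events"},
    ]},
]


def fake_soar_get(url):
    """Stand-in for soar_get that serves the constructed pages by the 'page' query parameter."""
    page = int(parse_qs(urlparse(url).query)["page"][0])
    return CONSTRUCTED_PAGES[page]


if __name__ == "__main__":
    filters = {"status": "new", "severity": "high", "create_time__gt": "2024-01-01T00:00:00Z"}
    print(build_container_query(filters, page_size=2))
    print(summarize(fetch_all_containers(filters, http_get=fake_soar_get, page_size=2)))
```

Two operational points follow from this. The token is a bearer secret with the rights of the automation user it belongs to, so issue one per integration from a dedicated automation user with a role limited to the resources it needs, rather than reusing an administrator's token. And because filter values are JSON, a string that is not quoted (for example `_filter_status=new` rather than `_filter_status="new"`) is rejected or matches nothing, which is the most common reason a query that works in the browser fails from a script.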


Splunk Certification Candidate Handbook

The Splunk Certification Candidate Handbook is the reference for anyone pursuing a Splunk certification. It covers exam formats, eligibility requirements, scheduling, and the policies on retakes and recertification, and it describes what to expect before, during, and after the exam.

Splunk SOAR Certified Automation Developer Exam Study Guide


1. Understanding Core Concepts

A solid grasp of core SOAR concepts is crucial for success in the Splunk SOAR Certified Automation Developer exam. This includes understanding the SOAR architecture, the role of playbooks and actions, and the incident response and investigation processes. By mastering these foundational concepts, you’ll be able to effectively design, develop, and implement automated workflows to streamline security operations.

2. Gaining Practical Skills

To solidify your understanding of SOAR concepts and prepare for the exam, practical experience is indispensable. Set up a SOAR environment, whether on-premises or in a cloud-based platform, to experiment with real-world scenarios. Create and test various playbooks, actions, and integrations with different security tools. By actively engaging with the platform, you’ll develop hands-on skills in:

  • Playbook Design and Development: Constructing complex playbooks with multiple actions, conditions, and flows to automate incident response, threat hunting, and other security tasks.
  • Action Development: Crafting custom actions to interact with diverse systems and APIs, including REST API, script-based actions, and integrations with SIEM, EDR, and other security tools.
  • Incident Response and Investigation: Leveraging SOAR to streamline incident response processes, automate triage, and accelerate investigations through the use of playbooks and integrations.
  • Troubleshooting and Debugging: Identifying and resolving issues in playbooks and actions, such as errors, unexpected behavior, and performance bottlenecks.

3. Learn by Breaking and Fixing Playbooks

The fastest way to internalize the material above is to work through failures deliberately rather than only building playbooks that succeed on the first run. Read the action results and debug output of a failing playbook run, trace which branch of a decision or filter block a given artifact actually took, and confirm that each datapath resolves to the values you expected. Exercising the error paths of a Splunk integration, a custom function, or a REST call in a lab is what the troubleshooting objectives in the outline are testing.

4. Use Official Documentation and Training

To gain a comprehensive understanding of Splunk SOAR, it’s essential to use the official documentation and training resources provided by Splunk. The official documentation serves as a valuable reference, providing detailed explanations of SOAR features, functionalities, and best practices. By carefully studying the documentation, you’ll gain insights into the underlying architecture, playbook design principles, and action development techniques.

In addition to the official documentation, consider enrolling in Splunk’s training courses. These courses offer structured learning experiences, hands-on exercises, and expert guidance from Splunk-certified instructors. By participating in these training programs, you’ll gain practical experience and develop the skills necessary to effectively utilize SOAR in real-world scenarios.

5. Engaging with the Splunk Community

The Splunk community is a valuable resource for learning and problem-solving. Forums and online communities let you connect with experienced SOAR users, ask for advice, and share what you have learned, and they are a good way to stay current on best practices and common implementation pitfalls. Blogs, tutorials, and webinars supplement the official material with practical tips.

6. Take Practice Exams

To assess your knowledge and identify areas for improvement, taking practice exams is crucial. Practice exams simulate the actual exam environment, helping you familiarize yourself with the question format, time constraints, and exam-taking strategies. By analyzing your performance on practice exams, you can pinpoint your strengths and weaknesses and focus your study efforts accordingly.

Look for practice exams that cover a wide range of topics, including SOAR architecture, playbook design, action development, and incident response. As you work through the practice exams, pay attention to the time allotted for each question and practice effective time management. By consistently practicing with practice exams, you’ll gain confidence in your abilities and be better prepared to succeed on the Splunk SOAR Certified Automation Developer exam.
