Splunk SPLK-2003 Exam
Splunk SOAR Certified Automation Developer (Page 3)

Updated On: 7-Feb-2026

A user has written a playbook that calls three other playbooks, one after the other. The user notices that the second playbook starts executing before the first one completes.
What is the cause of this behavior?

  A. Incorrect Join configuration on the second playbook.
  B. The first playbook is performing poorly.
  C. The sleep option for the second playbook is not set to a long enough interval.
  D. Synchronous execution has not been configured.

Answer(s): D

Explanation:

The correct answer is D because synchronous execution has not been configured. Synchronous execution is a feature that allows you to control the order of execution of playbook blocks. By default, Phantom executes playbook blocks asynchronously, meaning that it does not wait for one block to finish before starting the next one. This can cause problems when you have dependencies between blocks or when you call other playbooks. To enable synchronous execution, you need to use the sync action in the run playbook block and specify the name of the next block to run after the called playbook completes. See Splunk SOAR Documentation for more details.

In Splunk SOAR, playbooks can be executed either synchronously or asynchronously. Synchronous execution ensures that a playbook waits for a called playbook to complete before proceeding to the next step. If the second playbook starts executing before the first one completes, it indicates that synchronous execution was not configured for the playbooks. Without synchronous execution, playbooks will execute independently of each other's completion status, leading to potential overlaps in execution. This behavior can be controlled by properly configuring the playbook execution settings to ensure that dependent playbooks complete their tasks in the desired order.



A customer wants to design a modular and reusable set of playbooks that all communicate with each other.
Which of the following is a best practice for data sharing across playbooks?

  A. Use the py-postgresql module to directly save the data in the Postgres database.
  B. Call the child playbook's getter function.
  C. Create artifacts using one playbook and collect those artifacts in another playbook.
  D. Use the Handle method to pass data directly between playbooks.

Answer(s): C

Explanation:

The correct answer is C because creating artifacts using one playbook and collecting those artifacts in another playbook is a best practice for data sharing across playbooks. Artifacts are data objects that are associated with a container and can be used to store information such as IP addresses, URLs, file hashes, etc. Artifacts can be created using the add artifact action in any playbook block and can be collected using the get artifacts action in the filter block. Artifacts can also be used to trigger active playbooks based on their label or type. See Splunk SOAR Documentation for more details.

In the context of Splunk SOAR, one of the best practices for data sharing across playbooks is to create artifacts in one playbook and use another playbook to collect and utilize those artifacts. Artifacts in Splunk SOAR are structured data related to security incidents (containers) that playbooks can act upon. By creating artifacts in one playbook, you can effectively pass data and context to subsequent playbooks, allowing for modular, reusable, and interconnected playbook designs. This approach promotes efficiency, reduces redundancy, and enhances the playbook's ability to handle complex workflows.



Which of the following are examples of things commonly done with the Phantom REST APP?

  A. Use Django queries; use curl to create a container and add artifacts to it; remove temporary lists.
  B. Use Django queries; use Docker to create a container and add artifacts to it; remove temporary lists.
  C. Use Django queries; use curl to create a container and add artifacts to it; add action blocks.
  D. Use SQL queries; use curl to create a container and add artifacts to it; remove temporary lists.

Answer(s): C

Explanation:

The Phantom REST API, often interacted with through the Phantom REST APP, is a powerful tool for automating and integrating Splunk SOAR with other systems. Common uses of the Phantom REST APP include using Django queries to interact with the SOAR database, using curl commands to programmatically create containers and add artifacts to them, and configuring action blocks within playbooks for automated actions. This flexibility allows for a wide range of automation and integration possibilities, enhancing the SOAR platform's capability to respond to security incidents and manage data.



Which of the following are the default ports that must be configured on Splunk to allow connections from Phantom?

  A. SplunkWeb (8088), SplunkD (8089), HTTP Collector (8000)
  B. SplunkWeb (8089), SplunkD (8088), HTTP Collector (8000)
  C. SplunkWeb (8421), SplunkD (8061), HTTP Collector (8798)
  D. SplunkWeb (8000), SplunkD (8089), HTTP Collector (8088)

Answer(s): D

Explanation:

The correct answer is D because the default ports that must be configured on Splunk to allow connections from Phantom are SplunkWeb (8000), SplunkD (8089), and HTTP Collector (8088). SplunkWeb is the port used to access the Splunk web interface. SplunkD is the port used to communicate with the Splunk server. HTTP Collector is the port used to send data to Splunk using the HTTP Event Collector (HEC). These ports must be configured on Splunk and Phantom to enable the integration between the two products. See Splunk SOAR Documentation for more details.

To allow connections from Splunk Phantom to Splunk, certain default ports need to be open and properly configured. The default ports include SplunkWeb (8000) for web access, SplunkD (8089) for Splunk's management port, and the HTTP Event Collector (HEC) on port 8088, which is used for ingesting data into Splunk. These ports are essential for the communication between Splunk Phantom and Splunk, facilitating data exchange, search capabilities, and the integration of various functionalities between the two platforms.



Without customizing container status within Phantom, what are the three types of status for a container?

  A. New, In Progress, Closed
  B. Low, Medium, High
  C. New, Open, Resolved
  D. Low, Medium, Critical

Answer(s): A

Explanation:

Within Splunk SOAR, containers (which represent incidents, cases, or events) have a lifecycle that is tracked through their status. The default statuses available without any customization are "New", "In Progress", and "Closed". These statuses help in organizing and managing the incident response process, allowing users to easily track the progress of investigations and responses from initial detection through to resolution.


