
100+ Free Splunk SOAR Automation Developer Practice Questions

Pass your Splunk SOAR Certified Automation Developer (SPLK-2003) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

Key Facts: Splunk SOAR Automation Developer Exam

  • Questions: 60 (source: Splunk SPLK-2003 exam page)
  • Exam time: 90 min (source: Splunk SPLK-2003 exam page)
  • Pass mark: ~70% (industry estimate; Splunk does not publish a cut score)
  • Retake wait: 7 days (source: Splunk certification policy)
  • Cert valid: 3 years (source: Splunk certification policy)
  • Exam fee: $130 (source: Splunk / Pearson VUE)

The SPLK-2003 exam contains 60 multiple-choice questions in a 90-minute window with an approximate 70% passing mark, a 7-day retake wait, and a 3-year certification validity. It targets automation developers who design playbooks in the visual playbook editor, build custom code blocks, configure assets and connectors such as Splunk, ServiceNow, VirusTotal, Cisco ISE, and Active Directory, and integrate SOAR Cloud with on-prem networks via the automation broker.

Sample Splunk SOAR Automation Developer Practice Questions

Try these sample questions to test your Splunk SOAR Automation Developer exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which Splunk SOAR component is required to run automated actions on assets that sit inside a customer network when the SOAR instance is hosted in Splunk Cloud?
A. Search head cluster
B. Automation broker
C. Heavy forwarder
D. License manager
Explanation: Splunk SOAR Cloud cannot reach internal customer assets directly, so an automation broker is installed inside the customer network. It holds an outbound connection to the SOAR Cloud tenant and executes actions for the assets bound to it locally, so no inbound firewall rule is required. Search head clusters and heavy forwarders are Splunk Enterprise components, and the license manager only tracks license usage.
2. Splunk SOAR was previously sold under which product name before Splunk acquired and rebranded it?
A. Splunk UBA
B. Splunk ITSI
C. Phantom
D. Splunk Mission Control
Explanation: Splunk SOAR is the rebranded name for the Phantom security orchestration platform, which Splunk acquired in 2018. UBA and ITSI are separate Splunk premium products, and Mission Control is a different Splunk Cloud security operations interface.
3. In a Splunk SOAR clustered deployment, which type of database stores configuration and case data shared across all cluster nodes?
A. Embedded SQLite
B. External PostgreSQL
C. MongoDB
D. Microsoft SQL Server
Explanation: Splunk SOAR clusters require an externally managed PostgreSQL database so every cluster node reads and writes the same configuration, container, and case data. A single instance uses an embedded PostgreSQL by default, but a cluster replaces the embedded database with a shared external one.
4. A Splunk SOAR administrator wants to keep tenant data fully isolated so each business unit only sees its own containers, assets, and playbooks. Which feature should they enable?
A. Custom severity levels
B. Multi-tenancy
C. Workbooks
D. Role-based dashboards
Explanation: Multi-tenancy in SOAR creates separate tenants so that containers, assets, and playbooks are scoped to each tenant. Custom severity levels and workbooks are case-management features, and role-based dashboards control views rather than data isolation.
5. Which statement best describes the purpose of an asset in Splunk SOAR?
A. It stores events that have been enriched by playbooks
B. It provides the connection details and credentials a connector uses to talk to an external system
C. It is the visual canvas for designing playbooks
D. It is a copy of indexed data forwarded from Splunk Enterprise
Explanation: Assets hold the endpoint information, authentication, and tuning parameters a connector needs to communicate with an external product such as Splunk, ServiceNow, or VirusTotal. Containers store events, the visual playbook editor is the canvas, and indexed Splunk data lives in indexes, not assets.
6. An analyst is configuring two Splunk SOAR assets that point to different VirusTotal API keys for two different business units. What asset configuration property determines which credentials are used at action time?
A. The asset name only
B. The action_result tag
C. The asset configuration values plus optional approver lists
D. The default container label
Explanation: Each asset stores its own configuration values (base URL, API key, timeouts). A playbook or analyst names the asset an action should run on, for example through the assets parameter of phantom.act or the asset picker in the action panel, and the credentials held in that asset's configuration are what the connector uses. Assets can also carry approver lists that hold sensitive actions for manual approval before they run. The asset name is only the handle used to pick the asset and carries no credentials itself; action_result tags and container labels play no part in selection.
7. When a Splunk SOAR connector exposes an action that polls a third-party system on a schedule and creates new containers from the results, that action is known as which type of action?
A. test connectivity
B. on poll
C. investigate
D. generic
Explanation: The on poll action is the dedicated ingestion action (type ingest in the app's JSON definition) that connectors implement to pull events from a source on a schedule and create containers and artifacts. Test connectivity verifies credentials, investigate actions enrich data, and generic is the catch-all type for actions that are neither investigate, contain, nor correct; it is not the ingestion action.
8. Which Splunk SOAR app is typically used to run an SPL search against an external Splunk Enterprise or Splunk Cloud instance and return events to a playbook?
A. HTTP
B. JSON Parser
C. Splunk
D. ThreatStream
Explanation: The Splunk app provides actions such as run query that execute SPL searches against a Splunk Enterprise or Splunk Cloud asset and return the matching events to the playbook. The HTTP app makes generic REST calls, JSON Parser only parses payloads, and ThreatStream is a threat intelligence connector.
9. Which Splunk SOAR app should be used when a developer needs to invoke an arbitrary REST endpoint that does not yet have a dedicated connector?
A. HTTP
B. Splunk_search
C. Phishing
D. Active Directory
Explanation: The HTTP app is purpose-built for ad-hoc REST calls, supporting GET, POST, PUT, PATCH, and DELETE with custom headers and body. Splunk_search is for SPL queries, Phishing is for email triage helpers, and Active Directory is for AD account actions.
10. Which connector action would you use to disable a user's Active Directory account from a containment playbook?
A. lookup user
B. unlock account
C. disable user
D. reset password
Explanation: The Active Directory app provides a disable user action that sets the ACCOUNTDISABLE bit (0x2) in the account's userAccountControl attribute, which is the standard containment step for compromised credentials. Lookup user only reads attributes, unlock account undoes a lockout, and reset password rotates the credential without disabling the account.

About the Splunk SOAR Automation Developer Exam

The Splunk SOAR Certified Automation Developer (SPLK-2003) exam validates the skills needed to develop, deploy, and maintain Splunk SOAR (formerly Phantom) automation. It covers SOAR architecture, assets and connectors, the visual playbook editor, modern playbook blocks, custom code with phantom.act and phantom.collect2, containers, artifacts, CEF, the REST API, and incident response patterns including containment, eradication, and recovery.
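The REST API topic above comes down to two endpoints and one header: POST /rest/container to open a container, POST /rest/artifact to attach CEF artifacts to it, and the ph-auth-token header carrying an automation user's token. The following is an added example (not code from the page or from Splunk) of a client that does exactly that with only the standard library. The artifact field run_automation is set to false on every artifact except the last so that playbooks fire once on the complete set rather than once per artifact. RecordingTransport is a constructed offline stand-in for the real transport, and the host, token and sample artifacts are made up for illustration.

```python
import json
import urllib.request


def soar_request(base_url, token, path, payload):
    """Build a POST to the SOAR REST API.  Automation users authenticate with
    the ph-auth-token header rather than a session cookie."""
    return urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(payload).encode("utf-8"),
        method="POST",
        headers={"ph-auth-token": token, "Content-Type": "application/json"},
    )


def urlopen_json(req, timeout=30):
    """Real transport: send the request and decode the JSON reply."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def create_container(base_url, token, name, label, artifacts, send=urlopen_json):
    """Create a container, then attach each artifact to it.

    run_automation is False on all but the last artifact so the container's
    playbooks run once, after every artifact is present.  Returns the new
    container id and the list of artifact ids in insertion order.
    """
    body = {"name": name, "label": label, "severity": "medium", "status": "new"}
    container_id = send(soar_request(base_url, token, "/rest/container", body))["id"]

    artifact_ids = []
    for index, art in enumerate(artifacts):
        art_body = {
            "container_id": container_id,
            "name": art["name"],
            "label": art.get("label", "event"),
            "cef": art["cef"],  # CEF-keyed values, e.g. sourceAddress, fileHash
            "run_automation": index == len(artifacts) - 1,
        }
        reply = send(soar_request(base_url, token, "/rest/artifact", art_body))
        artifact_ids.append(reply["id"])
    return container_id, artifact_ids


class RecordingTransport:
    """Constructed offline stand-in for urlopen_json: records every request
    (url, lower-cased headers, decoded body) and answers with incrementing
    ids the way the API would."""

    def __init__(self):
        self.requests = []

    def __call__(self, req):
        headers = {k.lower(): v for k, v in req.header_items()}
        self.requests.append((req.full_url, headers, json.loads(req.data.decode("utf-8"))))
        return {"id": len(self.requests), "success": True}
```

Swap RecordingTransport for the default urlopen_json to talk to a real tenant; the request shapes are unchanged.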

  • Assessment: 60 multiple-choice questions
  • Time Limit: 90 minutes
  • Passing Score: Approximately 70% (Splunk reports pass/fail and does not publish an exact cut score)
  • Exam Fee: $130 USD (Splunk / Pearson VUE)

Splunk SOAR Automation Developer Exam Content Outline

  • SOAR Architecture and Deployment (20%): Single-instance, multi-instance, and cluster deployments, multi-tenancy, automation broker for SOAR Cloud, RBAC, and source control.
  • Assets, Apps, and Connectors (20%): Asset configuration, on poll ingestion, and core connectors including Splunk, HTTP, ServiceNow, VirusTotal, Phishing, Cisco ISE, Active Directory, and ThreatStream.
  • Visual Playbook Editor and Block Types (25%): Modern vs classic playbooks, action, decision, filter, format, prompt, manual review, custom code, custom functions, scope, version history, and replay debugging.
  • Custom Code and Datapaths (15%): phantom.act, phantom.collect2, phantom.format, phantom.add_artifact, phantom.create_container, phantom.debug, datapaths, Vault APIs, and run-data sharing.
  • Containers, Artifacts, and CEF (10%): Event vs case containers, artifact labels and CEF fields, Vault file storage, severity rules, and incident lifecycle from new to closed.
  • Response Automation and IR Patterns (10%): Containment, eradication, recovery patterns; safe automation gating, scheduled playbooks, comments, notifications, and the action panel.

How to Pass the Splunk SOAR Automation Developer Exam

What You Need to Know

  • Passing score: Approximately 70% (Splunk reports pass/fail and does not publish an exact cut score)
  • Assessment: 60 multiple-choice questions
  • Time limit: 90 minutes
  • Exam fee: $130 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Splunk SOAR Automation Developer Study Tips from Top Performers

1. Master the visual playbook editor block by block: action, decision, filter, format, prompt, manual review, custom code, and custom functions.
2. Read the Splunk SOAR REST API guide for /rest/container, /rest/artifact, and ph-auth-token authentication patterns.
3. Build a phishing playbook end to end so you can describe parse, enrich, decide, contain, notify, and close from memory.
4. Practice with phantom.act, phantom.collect2, phantom.format, phantom.add_artifact, and phantom.debug in a custom code block until the patterns feel natural.
5. Know how the automation broker routes actions from SOAR Cloud into an on-prem network and what an asset's automation_broker setting changes.
6. Memorize the standard CEF fields SOAR uses (sourceAddress, destinationAddress, fileHash, destinationUserName) and how a datapath such as artifact:*.cef.sourceAddress reads that field from every artifact in the container.
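Tips 4 and 6 and sample question 10 describe the same custom code pattern: read CEF fields out of the container's artifacts through datapaths, decide, then dispatch a containment action. The following is an added example (not code from the page or from Splunk) of that pattern. Inside a playbook the platform supplies the phantom module; so the example runs offline, LocalPhantom is a constructed stand-in that implements the two calls used here, collect2() and act(), over a constructed container and records dispatches instead of running an app. The function disable_compromised_users() is the part that would sit in a custom code block and works unchanged with the real module. The asset name ad_prod, the username parameter name, the allowlist and the sample artifacts are assumptions; check the installed Active Directory app for the action's real parameter name.

```python
"""Custom code block pattern: collect CEF fields via datapaths, then contain."""
from collections import OrderedDict

# Constructed sample container: one event, three artifacts, CEF-keyed values.
# In a playbook this is the `container` dict SOAR hands to the block.
SAMPLE_CONTAINER = {
    "id": 101,
    "label": "events",
    "artifacts": [
        {"id": 1, "label": "event", "cef": {"sourceAddress": "10.1.2.3",
                                             "destinationUserName": "jsmith",
                                             "fileHash": "44d88612fea8a8f36de82e1278abb02f"}},
        {"id": 2, "label": "event", "cef": {"sourceAddress": "10.1.2.4",
                                             "destinationUserName": "jsmith"}},
        {"id": 3, "label": "event", "cef": {"sourceAddress": "203.0.113.9",
                                             "destinationUserName": "svc_backup"}},
    ],
}


class LocalPhantom:
    """Offline stand-in for the `phantom` module (an assumption for this example)."""

    def __init__(self):
        self.actions = []  # every act() dispatch, kept for inspection

    def collect2(self, container, datapath):
        """Resolve artifact:*.<path> datapaths such as artifact:*.cef.sourceAddress.
        Returns one row per artifact with columns in `datapath` order, the same
        list-of-lists shape phantom.collect2 returns; a missing field yields None."""
        rows = []
        for art in container["artifacts"]:
            row = []
            for dp in datapath:
                if not dp.startswith("artifact:*."):
                    raise ValueError("stand-in only resolves artifact:*. datapaths: " + dp)
                node = art
                for part in dp[len("artifact:*."):].split("."):
                    node = node.get(part) if isinstance(node, dict) else None
                row.append(node)
            rows.append(row)
        return rows

    def act(self, action, parameters=None, assets=None, callback=None, name=None):
        """Record the dispatch instead of running an app action."""
        self.actions.append({"action": action, "parameters": parameters or [],
                             "assets": assets or [], "name": name})

    def debug(self, message):
        print("DEBUG: %s" % message)


def disable_compromised_users(container, phantom, ad_asset="ad_prod",
                              allowlist=("svc_backup",)):
    """Body of a containment custom code block.

    Collects destinationUserName and the artifact id from every artifact,
    de-duplicates users, skips allowlisted service accounts (a safe-automation
    gate), then runs `disable user` once on the Active Directory asset with one
    parameter set per user.  Returns the users that were sent for disabling.
    """
    rows = phantom.collect2(container=container,
                            datapath=["artifact:*.cef.destinationUserName",
                                      "artifact:*.id"])
    users = OrderedDict()
    for user, artifact_id in rows:
        if not user:
            continue  # artifact carries no username; nothing to contain
        if user in allowlist:
            phantom.debug("skipping allowlisted account %s" % user)
            continue
        users.setdefault(user, artifact_id)  # first artifact wins for context

    if not users:
        return []

    # `username` is an assumed parameter name for the AD app's disable user action.
    parameters = [{"username": user, "context": {"artifact_id": artifact_id}}
                  for user, artifact_id in users.items()]
    phantom.act("disable user", parameters=parameters, assets=[ad_asset],
                name="disable_compromised_users")
    return list(users)


if __name__ == "__main__":
    ph = LocalPhantom()
    print(disable_compromised_users(SAMPLE_CONTAINER, ph))  # ['jsmith']
    print(ph.actions[0])
```

Note that artifact:*.cef.fileHash resolves to None for the two artifacts that lack a hash, which is why the block tests each collected value before acting on it.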

Frequently Asked Questions

How many questions are on the Splunk SOAR Automation Developer exam?

Splunk's official SPLK-2003 exam page lists 60 multiple-choice questions delivered in a 90-minute window through Pearson VUE.

What is the passing score for SPLK-2003?

Splunk reports the result as pass or fail and does not publish an exact cut score, but candidate guidance and community sources indicate the pass mark sits near 70 percent.

What is the retake policy for SPLK-2003?

Splunk requires a 7-day wait between attempts on the same exam version, and each retake requires a new voucher purchase or scheduling fee.

How long is the SPLK-2003 certification valid?

Splunk certifications under the current policy are valid for 3 years from the date the exam is passed, after which a recertification path applies.

Is Splunk SOAR the same as Splunk Phantom?

Yes. Splunk SOAR is the rebranded name for Splunk Phantom. Splunk acquired Phantom in 2018, kept the same automation engine, and now ships it as Splunk SOAR with additional cloud and broker features.

What experience does Splunk recommend before SPLK-2003?

Splunk recommends hands-on experience writing playbooks in the visual playbook editor, working with assets and connectors, writing custom code with phantom.act and phantom.collect2, and integrating SOAR with Splunk Enterprise Security.