SPLK-2003: Splunk SOAR Certified Automation Developer
Splunk
How is it possible to evaluate user prompt results?
Explanation:
In Splunk Phantom, user prompts are actions that require human input. To evaluate the results of a user prompt, you can set the response requirement in the action result summary. By setting action_result.summary.response to required, the playbook ensures that it captures the user's input and can act upon it. This is critical in scenarios where subsequent actions depend on the choices made by the user in response to a prompt. Without setting this, the playbook would not have a defined way to handle the user response, which might lead to incorrect or unexpected playbook behavior.
Some of the playbooks on the SOAR server should only be executed by members of the admin role. How can this rule be applied?
Which of the following are the steps required to complete a full backup of a Splunk Phantom deployment? Assume the commands are executed from /opt/phantom/bin and that no other backups have been made.
What does a user need to do to have a container with an event from Splunk use context-aware actions designed for notable events?
Explanation:
For a container in Splunk SOAR to utilize context-aware actions designed for notable events from Splunk, it is crucial to ensure that the notable event's unique identifier (event_id) is included in the search results pulled into SOAR. Moreover, by adding a Common Event Format (CEF) definition for the event_id field within Phantom, and setting its data type to something that denotes it as a Splunk notable event ID, SOAR can recognize and appropriately handle these identifiers. This setup facilitates the correct mapping and processing of notable event data within SOAR, enabling the execution of context-aware actions that are specifically tailored to the characteristics of Splunk notable events.
How can the DECIDED process be restarted?
A. By restarting the playbook daemon.
B. On the System Health page.
C. In Administration > Server Settings.
D. By restarting the automation service.
Explanation:
The DECIDED process is a core component of the SOAR automation engine that handles the execution of playbooks and actions. The DECIDED process can be restarted by restarting the automation service, which can be done from the command line using the service phantom restart command. Restarting the automation service also restarts the playbook daemon, which is another core component of the SOAR automation engine that handles the loading and unloading of playbooks. Therefore, option D is the correct answer, as it restarts both the DECIDED process and the playbook daemon. Option A is incorrect, because restarting the playbook daemon alone does not restart the DECIDED process. Option B is incorrect, because the System Health page does not provide an option to restart the DECIDED process or the automation service. Option C is incorrect, because the Administration > Server Settings page does not provide an option to restart the DECIDED process or the automation service.
In Splunk SOAR, if the DECIDED process, which is responsible for playbook execution, needs to be restarted, this can typically be done by restarting the automation (or phantom) service. This service manages the automation processes, including playbook execution. Restarting it can reset the DECIDED process, resolving issues related to playbook execution or process hangs.
Which Phantom API command is used to create a custom list?
Explanation:
The Phantom API command to create a custom list is phantom.create_list(). This command takes a list name and an optional description as parameters and returns a list ID if successful. The other commands are not valid Phantom API commands for this purpose; phantom.add_list() is a Python function that can be used in custom code blocks to add data to an existing list. phantom.create_list() allows for the creation of a new list that can be used to store data such as IP addresses, file hashes, or any other information that you want to track or reference across multiple playbooks or within different parts of the Phantom platform. The custom list is a flexible data structure that can be leveraged for various use cases within Phantom, including data enrichment, persistent storage of information, and cross-playbook data sharing.
What are the components of the I2A2 design methodology?
A. Inputs, Interactions, Actions, Apps
B. Inputs, Interactions, Actions, Artifacts
C. Inputs, Interactions, Apps, Artifacts
D. Inputs, Interactions, Actions, Assets
Explanation:
The I2A2 design methodology is a framework for designing playbooks that consists of four components:
* Inputs: The data that is required for the playbook to run, such as artifacts, parameters, or custom fields.
* Interactions: The blocks that allow the playbook to communicate with users or other systems, such as prompts, comments, or emails.
* Actions: The blocks that execute the core logic of the playbook, such as app actions, filters, decisions, or utilities.
* Artifacts: The data that is generated or modified by the playbook, such as new artifacts, container fields, or notes.
The I2A2 design methodology helps you to plan, structure, and test your playbooks in a modular and efficient way. Therefore, option B is the correct answer, as it lists the correct components of the I2A2 design methodology. Option A is incorrect, because apps are not a component of the I2A2 design methodology, but a source of actions that can be used in the playbook. Option C is incorrect, for the same reason as option A. Option D is incorrect, because assets are not a component of the I2A2 design methodology, but a configuration of app credentials that can be used in the playbook.
1: Use a playbook design methodology in Administer Splunk SOAR (Cloud)
The I2A2 design methodology is an approach used in Splunk SOAR to structure and design playbooks. The acronym stands for Inputs, Interactions, Actions, and Artifacts. This methodology guides the creation of playbooks by focusing on these four key components, ensuring that all necessary aspects of an automated response are considered and effectively implemented within the platform.
Which of the following can be configured in the ROI Settings?
A. Number of full time employees (FTEs).
B. Time lost.
C. Analyst hours per month.
D. Annual analyst salary.
Explanation:
The ROI Settings dashboard allows you to configure the parameters used to estimate the data displayed in the Automation ROI Summary dashboard. One of the settings that can be configured is the FTE Gained, which is the number of full time employees (FTEs) that are freed up by automation. To calculate this value, Splunk SOAR divides the number of actions run by automation by the number of expected actions an analyst would take, based on minutes per action and analyst hours per day. Therefore, option A is the correct answer, as it is one of the settings that can be configured in the ROI Settings dashboard. Option B is incorrect, because time lost is not a setting that can be configured in the ROI Settings dashboard, but a metric that is calculated by Splunk SOAR based on the difference between the analyst minutes per action and the actual minutes per action. Option C is incorrect, because analyst hours per month is not a setting that can be configured in the ROI Settings dashboard, but a value that is derived from the analyst hours per day setting. Option D is incorrect, because annual analyst salary is a setting that can be configured in the ROI Settings dashboard, but not the one that is asked about in the question.
1: Configure the ROI Settings dashboard in Administer Splunk SOAR (On-premises)
ROI (Return on Investment) Settings within Splunk SOAR are used to estimate the efficiency and financial impact of the SOAR platform. One of the configurable parameters in these settings is the 'Analyst hours per month'. This parameter helps in calculating the time saved through automation, which in turn can be translated into cost savings and efficiency gains. It reflects the direct contribution of the SOAR platform to operational productivity.
Which of the following applies to filter blocks?
An active playbook can be configured to operate on all containers that share which attribute?