Below is a comprehensive, structured, and psychology-informed study plan for the SPLK-2003: Splunk SOAR Certified Automation Developer exam, incorporating:

  • Clear goals and milestones

  • Pomodoro Technique for focus and time management

  • Forgetting Curve principles for spaced repetition

  • Balanced mix of reading, practice, and review

  • Emphasis on the 18 key knowledge areas

Study Plan Overview

Duration: 4 Weeks (28 Days)

  • Daily Time Commitment: ~2 hours per day (can adjust based on your availability)

  • Study Sessions: 4 Pomodoros per day (25 min study + 5 min break)

  • Review Sessions: Every 5th day and weekly summary review on Sundays

  • Mock Exams: After Week 2 and Week 4

Weekly Learning Objectives

  • Week 1 – Fundamentals + Playbook Core (Topics 1–6). Output goals: understand architecture, install SOAR, build your first playbook

  • Week 2 – Visual & Logical Playbook Skills (Topics 7–12). Output goals: build modular logic and format data efficiently

  • Week 3 – Advanced Automation & Integration (Topics 13–16). Output goals: learn modular design, routing, Splunk & SOAR integration

  • Week 4 – Development & API Practice (Topics 17–18) + Final Review & Mocks. Output goals: apply coding, REST, app building; full simulated exams

Week 1: System Foundation and Core Workflow

Weekly Learning Goal:

By the end of this week, you should be able to:

  • Understand and differentiate between Splunk SOAR deployment models.

  • Successfully install and configure a SOAR environment.

  • Set up users and roles using role-based access control (RBAC).

  • Navigate key interfaces such as the Analyst Queue, Investigation Page, and Case Management.

  • Create and use your first simple playbook.

Day 1 – Deployment, Installation, and Initial Configuration

Focus Topic: Deployment, Installation, and Initial Configuration

Learning Objectives:

  • Compare deployment options.

  • Perform a basic installation using your preferred method.

  • Complete essential post-install configuration.

Tasks:

  1. Study and summarize the three deployment models: standalone, distributed, and cloud.

  2. Install SOAR using either the OVA image or the Linux installer in a test environment (virtual machine or cloud).

  3. Complete initial configuration via the web interface:

    • Set static IP or hostname.

    • Create an administrator account.

    • Configure time zone, SSL certificate, SMTP, and license.

  4. Write a summary of the installation process and key configuration settings used.

Day 2 – User Management

Focus Topic: User Management

Learning Objectives:

  • Set up and manage user accounts and roles.

  • Understand available authentication methods and how to configure them.

Tasks:

  1. Create three user types in SOAR:

    • One with Administrator access.

    • One Analyst account.

    • One custom user with restricted access.

  2. Explore and simulate integration with LDAP or SAML if applicable.

  3. Enable two-factor authentication (2FA) for one of the user accounts using a TOTP-based app such as Google Authenticator.

  4. Document the configuration steps and summarize the difference between local, LDAP, and SAML authentication options.

Day 3 – Apps, Assets, and Playbooks

Focus Topic: Apps, Assets, and Playbooks

Learning Objectives:

  • Install and configure apps and assets.

  • Understand how assets enable integration with external services.

  • Build and test a simple playbook using an asset.

Tasks:

  1. Install three apps (for example, VirusTotal, Splunk, and AWS) from the App Store.

  2. Create and configure two assets with valid or simulated credentials (such as API keys).

  3. Create a basic playbook that:

    • Is triggered manually.

    • Performs a reputation check on an IP address using the VirusTotal app.

  4. Run the playbook on a test event and observe the output in the timeline.

Day 4 – Analyst Queue

Focus Topic: Analyst Queue

Learning Objectives:

  • Learn how to use the Analyst Queue to manage events.

  • Understand both manual and automated event assignments.

Tasks:

  1. Explore the event queue and observe how events are ordered by severity and time.

  2. Manually assign one event to a test analyst account.

  3. Create a rule to automatically assign events tagged with “malware” to a specific user or role.

  4. Apply filters to display only high-severity events related to phishing or malware.

  5. Document how filtering and assignment logic can help balance workloads.

Day 5 – The Investigation Page

Focus Topic: The Investigation Page

Learning Objectives:

  • Navigate the Investigation Page and understand its key panels.

  • Use the page to take manual actions and collaborate with team members.

Tasks:

  1. Open a real or simulated case in the Investigation Page.

  2. Follow the timeline view and understand each recorded event or action.

  3. View the Artifacts panel and manually run an enrichment action on an IP or domain.

  4. Add a note describing the action you took and simulate collaboration by adding a second note from a different analyst.

  5. Reflect on how the Investigation Page supports traceability and decision-making.

Day 6 – Case Management and Workbooks

Focus Topic: Case Management and Workbooks

Learning Objectives:

  • Use SOAR's case system to manage security investigations.

  • Create and use structured workflows through workbooks.

Tasks:

  1. Create a new case from an existing event.

  2. Fill out all standard case fields: title, severity, tags, owner.

  3. Link at least one additional related event to the same case.

  4. Build a new workbook template with three stages (such as Detection, Triage, Containment).

  5. Add at least two tasks per stage (one manual and one automated).

  6. Attach the workbook to your case and mark tasks as completed as appropriate.

Day 7 – Weekly Review and Practice

Purpose: Reinforce and review material from Days 1 through 6 using active recall and applied testing.

Tasks:

  1. Review your notes and flashcards covering deployment, users, apps, queue, investigation, and case management.

  2. Take a 20-question multiple-choice quiz covering all six topics studied this week.

  3. Review your quiz answers and write explanations for each incorrect or uncertain answer.

  4. Summarize what you learned this week, what was most challenging, and what concepts you want to revisit in Week 2.

Week 2: Playbook Design, Logic, and Automation Fluency

Weekly Learning Goal:

By the end of this week, you should be able to:

  • Build complete playbooks using the visual editor with logic, filters, and user prompts.

  • Use custom fields and layout changes to tailor the interface.

  • Format outputs clearly for communication and record-keeping.

  • Understand how to maintain system health and troubleshoot basic issues.

  • Apply the Pomodoro and Forgetting Curve methods to retain playbook development skills.

Day 8 – Customizations

Focus Topic: Customizations

Learning Objectives:

  • Modify the SOAR interface and fields to fit organizational needs.

  • Understand how customization affects user experience and workflow clarity.

Tasks:

  1. Create two custom fields (for example, Business Unit and Region) for events or artifacts.

  2. Design a custom layout for the case view that reorganizes default panels and adds the new fields.

  3. Apply branding changes to the interface (update logo, login message, and theme color).

  4. Document how these customizations could support your organization's specific incident response process.

Day 9 – System Maintenance

Focus Topic: System Maintenance

Learning Objectives:

  • Monitor SOAR system performance and health.

  • Perform basic backup and recovery operations.

Tasks:

  1. Explore the Health Dashboard and note real-time CPU, memory, and disk usage.

  2. Locate log files in /var/log/phantom/ and identify which logs are associated with playbooks, API calls, and errors.

  3. Use the command line to:

    • Restart the phantomd service.

    • Perform a full system backup.

  4. Simulate a restore operation using a backup file.

  5. Create a system maintenance checklist based on your testing.

Day 10 – Introduction to Playbooks

Focus Topic: Introduction to Playbooks

Learning Objectives:

  • Understand the core building blocks of a playbook.

  • Create a functional playbook using basic automation steps.

Tasks:

  1. Build a playbook that is triggered manually from an event.

  2. Add the following blocks:

    • One action block (for example, check IP reputation).

    • One decision block (such as if reputation score > threshold).

    • One format block (to generate a message).

    • One note block (to write to the timeline).

  3. Run the playbook on a test event and review the output.

  4. Save a diagram of your playbook design and annotate each block’s role.

Day 11 – Visual Playbook Editor

Focus Topic: Visual Playbook Editor

Learning Objectives:

  • Use the drag-and-drop interface to build playbooks.

  • Document playbook logic clearly for future maintenance.

Tasks:

  1. Recreate your Day 10 playbook using only the Visual Playbook Editor.

  2. Label each block and use comments to explain the logic of each branch.

  3. Organize blocks in a linear top-down flow to improve readability.

  4. Save a screenshot of your playbook layout and write a short reflection on the user experience of the editor.

Day 12 – Logic, Filters, and User Interaction

Focus Topic: Logic, Filters, and User Interaction

Learning Objectives:

  • Apply decision-making, filtering, and user prompts in playbook logic.

  • Simulate real-world analyst interaction in the automation flow.

Tasks:

  1. Build a playbook that contains:

    • Two decision blocks: one nested inside the other, using conditions like risk score or data type.

    • A filter block to act only on artifacts that match specific types (for example, URLs or IPs).

    • A user prompt asking whether to isolate a host, with Yes/No responses.

  2. Test the playbook with different event types and simulate analyst responses.

  3. Write a flowchart describing how data flows through the decision points and filters.

Day 13 – Formatted Output and Data Access

Focus Topic: Formatted Output and Data Access

Learning Objectives:

  • Generate human-readable messages from playbook data.

  • Access data from action results using code and visual methods.

Tasks:

  1. Use a Format Block to generate a case summary message using variables such as container name, severity, and source IP.

  2. Use phantom.collect2() in a code block to extract and log the output of an earlier action.

  3. Use phantom.debug() to log information to the playbook run log.

  4. Review JSON data from a real action result and identify which fields you would need to access in a playbook script.

Day 14 – Weekly Review and Practice

Purpose: Review and consolidate all knowledge learned this week.

Tasks:

  1. Flashcard review of the following concepts:

    • Visual playbook blocks

    • Format block syntax

    • Decision and filter logic

    • User prompt structure

  2. Build a mini playbook from memory with three logic steps and one user prompt.

  3. Complete a 25-question multiple-choice quiz covering Days 8 through 13.

  4. Review quiz answers and write explanations for each incorrect or guessed question.

  5. Reflect on the week:

    • What was the most difficult logic concept?

    • What part of playbook building do you feel most confident about?

Week 3: Modular Automation, Routing Logic, and Splunk Integration

Weekly Learning Goal:

By the end of this week, you will be able to:

  • Develop modular, maintainable playbooks using the parent-child structure.

  • Use custom lists and data routing techniques to filter and classify data dynamically.

  • Connect SOAR with Splunk for real-time search and bi-directional integration.

  • Simulate a complete end-to-end security automation workflow.

  • Identify and explain integration best practices.

Day 15 – Modular Playbook Development

Focus Topic: Modular Playbook Development

Learning Objectives:

  • Understand the architecture of modular playbooks.

  • Implement parent-child structures and pass data between them.

Tasks:

  1. Build two child playbooks:

    • One for data enrichment (e.g., domain reputation).

    • One for writing a formatted note to a case.

  2. Build a parent playbook that:

    • Calls the enrichment child playbook.

    • Based on the output, decides whether to call the second child playbook.

  3. Define input parameters and output variables for each child.

  4. Simulate error handling in the parent playbook when a child fails.

  5. Document the logic and reusability benefits of this structure.

Day 16 – Custom Lists and Data Routing

Focus Topic: Custom Lists and Data Routing

Learning Objectives:

  • Manage and apply custom lists to drive logic and classification.

  • Control data routing based on tags, labels, and filters.

Tasks:

  1. Create two custom lists:

    • One for internal IP ranges.

    • One for high-risk countries.

  2. Build a playbook that:

    • Filters IPs against internal IPs.

    • Tags external addresses.

    • Checks country of origin against the high-risk list.

    • Routes accordingly.

  3. Apply routing tags (e.g., phishing, malware, high-priority).

  4. Test auto-assignment rules based on tag combinations.

  5. Write a short explanation of how list-driven logic supports scalability.

Day 17 – Configuring External Splunk Search

Focus Topic: Configuring External Splunk Search

Learning Objectives:

  • Configure and test an asset for external Splunk search.

  • Run dynamic searches within a playbook using SPL.

Tasks:

  1. Install and configure the Splunk app in SOAR.

  2. Create and test a Splunk asset with a valid REST connection.

  3. In a playbook, use the Search block to:

    • Query Splunk using a value from an artifact.

    • Retrieve and format the result (e.g., recent logins, network activity).

  4. Format the result using a Format Block and log it in a case note.

  5. Summarize how Splunk search results can enhance investigations.

Day 18 – Integrating SOAR into Splunk

Focus Topic: Integrating SOAR into Splunk

Learning Objectives:

  • Use Splunk to trigger SOAR automation.

  • Understand the Adaptive Response Framework and Splunk App for SOAR.

Tasks:

  1. Install the SOAR App for Splunk in a test Splunk environment.

  2. Configure an alert action to send a notable event to SOAR.

  3. From Splunk:

    • Select a field from search results (e.g., suspicious IP).

    • Trigger a SOAR playbook using Adaptive Response.

  4. In SOAR:

    • Verify the incoming event.

    • Confirm that the correct playbook was triggered.

  5. Document the flow and timing of this integration.

Day 19 – End-to-End Automation Scenario

Purpose: Combine modular development, filtering, and Splunk integration into one full automation case.

Use Case Simulation: Suspicious login alert from Splunk triggers a containment workflow in SOAR.

Tasks:

  1. From Splunk, generate a simulated alert (e.g., user login from two countries).

  2. Forward the event to SOAR as a container.

  3. In SOAR, use a parent playbook to:

    • Run enrichment.

    • Confirm with the analyst via a prompt.

    • Trigger a containment action.

    • Write a case summary using a Format Block.

  4. Review timeline logs, enrichment results, and final actions.

  5. Write an after-action report summarizing steps and automation effectiveness.

Day 20 – Review: Modularization and Integration

Focus Topics: All Week 3 content

Learning Objectives:

  • Reinforce modular playbook logic, list usage, Splunk search, and SOAR integration.

Tasks:

  1. Flashcard review:

    • Child vs. parent playbooks

    • Tags vs. labels

    • Custom lists and filtering logic

    • SPL syntax for SOAR queries

  2. Practice: Build a mini-playbook from memory with modular logic and a Splunk query.

  3. Complete a 25-question multiple-choice quiz on Days 15–19.

  4. Review each incorrect answer, identify misunderstanding, and explain the correct option.

  5. Reflect on the most useful integration or technique learned this week.

Day 21 – Practice and Mock Exam Preparation

Purpose: Apply Week 3 content under test conditions and reflect on problem areas.

Tasks:

  1. Take a 30-question practice test based on modular design and integration topics.

  2. Track your answers and time.

  3. Review incorrect answers and revisit source materials for any missed concepts.

  4. Write down:

    • Three topics you feel confident in.

    • Two areas you still find confusing.

    • One action plan for improving before the final review week.

Week 4: Custom Development, API Integration, and Final Exam Preparation

Weekly Learning Goal:

By the end of this week, you will be able to:

  • Write and troubleshoot custom code and functions in SOAR.

  • Understand the structure of a custom app and create one.

  • Use the REST API to create and manage events, artifacts, and playbooks programmatically.

  • Review and reinforce all 18 knowledge areas.

  • Simulate exam conditions and pass a mock exam confidently.

Day 22 – Custom Coding in SOAR Playbooks

Focus Topic: Custom Coding

Learning Objectives:

  • Build and apply custom Python code blocks and functions.

  • Use logging and debugging tools for validation and testing.

Tasks:

  1. Create a Python Code Block in a playbook to:

    • Loop through a list of IP addresses.

    • Identify private IP ranges and store them in a new list.

  2. Write a reusable Custom Function to clean a domain name list (strip whitespace, convert to lowercase).

  3. Use phantom.collect2() to extract action result data and use it in conditional logic.

  4. Use phantom.debug() to log output and verify your logic at each step.

  5. Document the difference between inline Code Blocks and reusable Custom Functions.
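The Day 16 list-driven IP routing and the Day 22 code-block and custom-function tasks share the same core logic, so here is one added example (written for this plan, not Splunk's or any SOAR playbook's own code) that keeps it in plain Python so it can be unit-tested outside SOAR. INTERNAL_RANGES is a constructed stand-in for the custom list, the tag names are assumed, and it goes a little beyond the task by also collecting unparsable values and de-duplicating domains.

```python
import ipaddress

# Constructed stand-in for the Day 16 custom list of internal ranges; in a
# playbook the list would be read from the SOAR custom list instead.
INTERNAL_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def classify_ips(candidates, internal_ranges=INTERNAL_RANGES):
    """Split artifact values into internal, external and invalid lists.

    One unparsable value must not abort the whole code block, so bad
    input is collected rather than raised. Works for IPv4 and IPv6.
    """
    nets = [ipaddress.ip_network(r) for r in internal_ranges]
    result = {"internal": [], "external": [], "invalid": []}
    for raw in candidates:
        try:
            ip = ipaddress.ip_address((raw or "").strip())
        except ValueError:
            result["invalid"].append(raw)
            continue
        # Membership across address families is simply False, not an error.
        bucket = "internal" if any(ip in net for net in nets) else "external"
        result[bucket].append(str(ip))
    return result


def clean_domains(domains):
    """Custom-function body for Day 22: strip whitespace, lowercase, drop the
    trailing root dot, discard empties and de-duplicate keeping order."""
    seen, cleaned = set(), []
    for raw in domains:
        name = (raw or "").strip().lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            cleaned.append(name)
    return cleaned


def routing_tags(classified):
    """Tags (assumed names) the Day 16 playbook would attach before
    auto-assignment rules run on the container."""
    tags = []
    if classified["external"]:
        tags.append("external-ip")
    if classified["invalid"]:
        tags.append("needs-review")
    return tags


if __name__ == "__main__":
    # Constructed sample artifact values, including one piece of garbage.
    sample = ["10.1.2.3", " 8.8.8.8 ", "172.31.255.1", "not-an-ip", "::1"]
    buckets = classify_ips(sample)
    print(buckets, routing_tags(buckets))  # inside SOAR: phantom.debug(...)
    print(clean_domains([" Example.COM.", "example.com", "Bad.Example.net"]))
```

Inside a SOAR code block the candidate list would come from phantom.collect2() and the print calls would become phantom.debug().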

Day 23 – Building a Simple Custom App

Focus Topic: App Development (Introduction)

Learning Objectives:

  • Understand the file structure of a SOAR custom app.

  • Develop a working action handler in Python.

Tasks:

  1. Set up a development folder for your custom app.

  2. Create an app.json (YAML metadata) file that:

    • Defines an action (e.g., "ping target URL").

    • Includes parameters (e.g., URL).

  3. Write a Python script for the action handler.

    • Simulate a basic action using a return message like "Ping successful".

  4. Use the Developer tab in SOAR to register and install your app.

  5. Run the action and view results in SOAR logs.

Day 24 – REST API Basics with Postman

Focus Topic: Using REST – Part 1

Learning Objectives:

  • Authenticate and interact with the SOAR platform using API requests.

Tasks:

  1. Generate an API token via the SOAR Web UI.

  2. Use Postman to:

    • Authenticate using Bearer Token.

    • Send a POST /rest/container request to create a new event.

    • Send a GET /rest/artifact request to retrieve artifacts from a container.

    • Trigger a playbook using POST /rest/playbook_run.

  3. Save each request-response pair in Postman.

  4. Record how long each request takes and note error codes and messages if any.

Day 25 – REST API Automation with Python

Focus Topic: Using REST – Part 2

Learning Objectives:

  • Write a Python script using the requests library to automate SOAR tasks via API.

Tasks:

  1. Use Python to:

    • Authenticate to SOAR using a static token.

    • Send a container creation request using POST /rest/container.

    • Retrieve artifacts from the new container.

    • Trigger a predefined playbook on that container.

  2. Use error handling (try/except) to catch and report request failures.

  3. Log the response status, body, and runtime for each request.

  4. Compare this method to Postman in terms of speed, control, and flexibility.
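An added example of the Day 25 script (not from the page or from Splunk): a small requests-based client that wraps every call with timing, status/body logging and error capture, so one failed request is reported rather than crashing the run. The host name is a placeholder; /rest/container and /rest/playbook_run are the paths listed above, while the ph-auth-token header, the _filter_container_id query filter and the response field names (id, data, playbook_run_id) are assumptions to check against the REST documentation for your SOAR version.

```python
import os
import time

SOAR_BASE = "https://soar.example.internal"  # constructed placeholder host


def auth_headers(token):
    """Automation-user tokens go in the ph-auth-token header (assumed)."""
    return {"ph-auth-token": token, "Content-Type": "application/json"}


def make_session(token, ca_bundle=True):
    """Build a requests session. The lazy import keeps the helpers importable
    where requests is absent; point ca_bundle at your internal CA file
    instead of turning certificate verification off."""
    import requests
    session = requests.Session()
    session.headers.update(auth_headers(token))
    session.verify = ca_bundle
    return session


def soar_call(session, method, path, payload=None, log=print):
    """Issue one request, log status/body/runtime, never raise.
    Returns (ok, data) where data is the parsed JSON on success."""
    started = time.monotonic()
    try:
        resp = session.request(method, SOAR_BASE + path, json=payload, timeout=30)
        elapsed = time.monotonic() - started
        log(f"{method} {path} -> {resp.status_code} in {elapsed:.3f}s: {resp.text[:200]}")
        if resp.status_code >= 400:
            return False, {"status": resp.status_code, "body": resp.text}
        return True, resp.json()
    except OSError as exc:  # requests.RequestException subclasses IOError
        log(f"{method} {path} failed after {time.monotonic() - started:.3f}s: {exc}")
        return False, {"error": str(exc)}


def create_container(session, name, label="events", severity="medium", log=print):
    """POST /rest/container; returns the new container id or None."""
    body = {"name": name, "label": label, "severity": severity}
    ok, data = soar_call(session, "POST", "/rest/container", body, log)
    return data.get("id") if ok else None


def list_artifacts(session, container_id, log=print):
    """GET artifacts filtered to one container (filter syntax assumed)."""
    path = f"/rest/artifact?_filter_container_id={int(container_id)}"
    ok, data = soar_call(session, "GET", path, None, log)
    return data.get("data", []) if ok else []


def run_playbook(session, container_id, playbook, log=print):
    """POST /rest/playbook_run for 'repo/name'; returns the run id or None."""
    body = {"container_id": container_id, "playbook": playbook,
            "scope": "new", "run": True}
    ok, data = soar_call(session, "POST", "/rest/playbook_run", body, log)
    return data.get("playbook_run_id") if ok else None


if __name__ == "__main__":
    # The token comes from the environment, never from a hard-coded literal.
    s = make_session(os.environ["SOAR_TOKEN"], os.environ.get("SOAR_CA", True))
    cid = create_container(s, "Day 25 REST test")
    if cid is not None:
        print(list_artifacts(s, cid))
        print(run_playbook(s, cid, "local/day25_test"))
```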

Day 26 – Review and Reinforcement: Development and API Skills

Focus Topics: Days 22 to 25

Learning Objectives:

  • Review custom development and REST integration concepts and tools.

Tasks:

  1. Review and annotate all scripts and Postman calls from earlier this week.

  2. Create a table of the most important REST endpoints, with methods, purposes, and usage tips.

  3. Flashcard review:

    • Key Python functions: phantom.debug(), phantom.collect2()

    • API authentication formats

    • YAML structure for SOAR apps

  4. Complete a 20-question multiple-choice quiz focused on development and API use.

Day 27 – Full Mock Exam Simulation

Purpose: Test readiness under timed, exam-like conditions.

Tasks:

  1. Take a full 50-question SPLK-2003 mock exam.

  2. Time yourself strictly (maximum 90 minutes).

  3. Record each answer and mark any uncertain questions.

  4. After completion:

    • Score your results.

    • Review every incorrect or uncertain question.

    • Write an explanation for each missed concept and link it to the corresponding topic.

Day 28 – Final Flash Review and Exam Strategy

Purpose: Solidify knowledge, identify final weak points, and boost exam confidence.

Tasks:

  1. Flashcard sprint:

    • Review all 18 knowledge points using your own notes or flashcard deck.

    • Focus especially on weak areas from Day 27.

  2. Redraw one complex playbook from memory using modular structure, decision logic, and outputs.

  3. Review:

    • Your personal top strengths and weak points.

    • Your most effective learning method (e.g., visual diagrams, coding, quizzes).

  4. Write your final strategy:

    • What to do first during the exam (e.g., time box each question).

    • How to flag and return to hard questions.

    • How to stay calm and focused under time pressure.