Splunk IT Service Intelligence Certified Admin — Question 6

Which of the following is a step when configuring event forwarding from Splunk to SOAR?

Answer options

• A. Create a saved search that generates the JSON for the new container on SOAR.
• B. Map CIM to CEF fields.
• C. Map CEF to CIM fields.
• D. Create a Splunk alert that uses the event_forward.py script to send events to SOAR.

Correct answer: A

Explanation

The correct answer, A, is right because creating a saved search that generates the JSON format is essential for proper configuration of event forwarding to SOAR. Options B and C are incorrect as they pertain to mapping fields, which is not a direct step in the event forwarding process. Option D is also incorrect because it suggests using an alert rather than a saved search for event forwarding.