Written by Matthias van den Berg

5 tips to pass the Splunk Phantom Certified Admin exam


This blog gives you five exam tips for the Splunk Phantom Certified Admin exam. This is based on my experience following the courses and passing the exam earlier this year. I hope this will help you prepare and pass the exam yourself!

To become a Splunk Phantom Certified Admin there are three courses that you can follow:

  • Administering Phantom
  • Developing Phantom Playbooks
  • Advanced Phantom Implementation

The courses are not required, but I highly recommend you do them: they give great insight into how to use Splunk Phantom. More detailed information about the Splunk Phantom certification track can be found on the Splunk website.

1.    Use the provided lab instances

During the courses you are provided with virtual instances for the practical labs. If you have finished a lab, you can use the remaining time to check out what Splunk Phantom has to offer. And here is the good thing: the instances stay up between the training days, so if you have an hour to spare, log in and retake the steps from some of the more complex labs to make sure you are familiar with the interface.

2.    Splunk apps

There are several apps on Splunkbase that have Phantom in the name:

  • Phantom App for Splunk
  • Splunk App for Phantom Reporting
  • Phantom Remote Search
  • Splunk Add-on for Phantom
  • Phantom Internal Add-on

In the Advanced Phantom Implementation course most of these apps are discussed and implemented. It is good to know what each of the apps is used for, so give them a try and know what they are about for the exam.

3.    Run the OVA at home

If you did not have the time to experiment on the instances provided during the labs, you can easily set up a virtual machine at home using the provided OVA. An OVA is an Open Virtualization Format archive that you can use to install a virtual instance of Phantom.

To install it you can follow the steps provided by the documentation:

If you also want to use Splunk you could install it yourself or use the containerised version with Docker:

4.    Know the steps to develop a playbook

The Developing Playbooks course shares some of the best practices for developing a playbook. Try to think of a real-world scenario and follow the steps in the I2A2 process. This will help you with questions in the exam and will help you prepare for your first playbook.

5.    Study the provided playbooks

In the Developing Playbooks and Advanced Phantom Implementation courses, Splunk provides playbooks for some of the labs. Make sure you import these examples and study them; they might use different steps than the ones you took during the labs. They are also handy as reference material, for example if you need to format data before it can be used in an email.

By following these courses and trying Phantom out you should have enough knowledge to pass the exam. You should also be able to create a Proof of Concept to see if Phantom is the right solution for your company.
You should know that Splunk is actively working towards cloud-driven solutions, which is why they announced Splunk SOAR, which is essentially Splunk Phantom in the cloud.