Reliability scores in XSOAR range from A through F.
What do A and F stand for?
- A . F – Reliability cannot be judged, A – Completely Reliable
- B . F – Not reliable, A – Usually Reliable
- C . F – Not usually reliable, A – Fairly Reliable
- D . F – Unreliable, A – Completely Reliable
Which two incident search queries are valid? (Choose two.)
- A . created:>=”7 days”
- B . owner===admin
- C . role is Analyst
- D . status:closed Ccategory:job
A,D
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/cortex-xsoar-overview/how-to-search-in-cortex-xsoar.html
Where can engineers add the post-processing scripts to incidents?
- A . The post-processing tag must be added to the automation
- B . Post-processing scripts must be added at the end of playbooks
- C . Post-processing scripts must be added from the Incident Type editor
- D . Post-processing scripts must be added from the Post-Process Rules editor
How would context data be filtered to receive only malicious indicator values with DBotScore?
- A . Get DBotScore.value where DBotScore.Score (Larger or equals) 4
- B . Get DBotScore.value where DBotScore.Score (equals (int)) 3
- C . Get DBotScore where DBotScore.Score (Larger than) 1
- D . Get DBotScore where DBotScore.Score (Larger or equals) 2
B
Explanation:
Reference: https://github.com/demisto/content/blob/master//Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/README.md
How is data transferred between playbook tasks?
- A . Read/Write from context data
- B . Over war room results
- C . Input from the indicator page
- D . Directly from a previous task
What are inputs and outputs in reference to a Playbook Development Lifecycle? (Choose three.)
- A . Inputs are data pieces that are present in the playbook
- B . Inputs are data pieces that are present in the task
- C . Outputs are used as incident trigger for playbook
- D . Outputs can be derived from the result of a task or command
- E . Inputs are the data fields parsed by the Classifier
Which two statements accurately describe layouts? (Choose two.)
- A . Layouts override classification and mapping
- B . New tabs can be added to the incident layout
- C . Layouts can display incident information and custom fields
- D . Layouts add or remove custom fields from an incident type
Which configuration is a valid distributed database (DB) implementation?
- A . 2 main DBs, 1 application server, 2 node servers
- B . 1 main DB, 1 application server, 3 node servers
- C . 2 application servers, 1 main DB, 1 node server
- D . 1 application server, 2 main DBs, 1 node server
Threat Intel search queries can be shared with which of the following? (Select 1)
- A . Users defined in the platform (email or username)
- B . Other organizations via the Marketplace
- C . Users outside XSOAR via email invite
- D . Roles defined in the platform
Which of these would be the most operationally efficient repository for moving XSOAR custom content from a development server to a production environment?
- A . A content repository specified in the Marketplace
- B . Remote git repository specified in the dev-prod configuration parameters
- C . The development server’s default repository
- D . Cortex XSOAR public content repository
Whar are possible war room result (entry) types?
- A . Context, file, error, image
- B . Note, indicator, error, image
- C . Video, file, error, image
- D . Note, file, error, image
An engineer asked for a specific command in an integration but the capability does not exist. The engineer decided to edit the existing integration by copying the integration and adding the needed commands.
What is the main concern when adding these commands?
- A . The commands must return a proper result to the war room for the analysts to understand
- B . The code may not be written to XSOAR standards
- C . The integrations are locked and cannot be edited with additional commands
- D . The custom integration will not be maintained and updated by XSOAR content team
You need to retrieve a list of all malicious hashes over the last 30 days.
What is the correct query to use?
- A . type:File reputation:Malicious sourcetimestamp:"30 days ago"
- B . type:File verdict:Malicious sourcetimestamp:<="30 days ago"
- C . type:File reputation:Malicious sourcetimestamp:="30 days ago"
- D . type:File verdict:Malicious sourcetimestamp:>="30 days ago"
When creating an automation in XSOAR, what is the best way to create a log message?
- A . Using a debug statement
- B . Using the demisto.debug() function
- C . Using a print statement
- D . Using the demisto.results() function
The XSOAR administrator is writing an automation and would like to return an error entry back into XSOAR if a particular command errors out.
How can this be achieved?
- A . Using the demisto_error() function
- B . Using a print statement
- C . Using the demisto.debug() function
- D . Using the return_error() function
Which two functions in XSOAR are incident types used for? (Choose two.)
- A . To run dedicated playbooks for different event types
- B . To classify events ingested from various sources into the relevant types
- C . To classify indicators extracted in XSOAR incidents to their respective types
- D . To facilitate role based access to XSOAR incidents
Which of the following is a prerequisite to editing out-of-the-box (OOTB) content?
- A . Download the content from the Marketplace.
- B . Go to Settings > About >Troubleshooting and set a flag to allow custom content.
- C . Register a user account with support.paloaltonetworks.com .
- D . Detach the content item you want to edit from the Marketplace.
Which field type provides an interactive and editable display of table-based data?
- A . HTML
- B . Grid (table)
- C . Markdown
- D . Multi Select
An incident field is created having the display name as Source_IP.
How can the field be accessed?
- A . ${incident.sourceip}
- B . ${incident.Source_IP}
- C . ${incident.srcip}
- D . ${incident.Source IP}
Which three options can be defined in the layout settings? (Choose three.)
- A . Set of fields to present
- B . Permission to view the tab based on ‘Users’
- C . Permission to view the tab based on ‘Roles’
- D . Delete built-in tabs including the war room
- E . Dynamic sections
A,C,E
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/incidents/customize-incident-view-layouts/customize-incident-layouts.html
Can an automation script execute an integration command and an integration command execute an automation script?
- A . An automation script cannot execute an integration command and an integration command cannot execute an automation script
- B . An automation script can execute an integration command and an integration command cannot execute an automation script
- C . An automation script cannot execute an integration command and an integration command can execute an automation script
- D . An automation script can execute an integration command and an integration command can execute an automation script
DRAG DROP
Arrange these steps in the order that they occur during an incident fetch.
Explanation:
Integration performs
Classification is applied
Mapping is applied
Incident is created (before incident creation it should be also pre-process rule step)
What are two common use cases for conditional tasks? (Choose two.)
- A . They are used for branching paths in a playbook
- B . They are used to interact with users through survey functionality
- C . They are used to determine which incident will be executed
- D . They are used for sending a specific QUESTION NO: to a person or team
A,D
Explanation:
Reference: https://docs-new.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/cortex-xsoar-overview/use-cases.html#id7b31e50b-5aca-4d65-bdb5-ba61b4eac0b4
A playbook task generates a report as HTML in the context data.
An engineer creates a custom indicator field of type "HTML" and adds the field to a section in a custom indicator layout.
How can the engineer populate the HTML field in the indicator layout?
- A . Populate the custom indicator field with the built-in !SetIndicator command.
- B . Add HTML to a list using !setList and use it as an HTML template to populate the custom indicator field.
- C . Create a custom Indicator Mapper and populate the custom indicator field.
- D . Use the Mapping option in the playbook task that generates the HTML report to populate the custom indicator field.
A
Explanation:
Reference: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Configure-the-HTML-Field
Which three actions can an engineer take on the troubleshooting page? (Choose three.)
- A . Download the debug log bundle
- B . Put the XSOAR server in maintenance mode
- C . View and modify server configuration settings
- D . Export and import custom content
- E . View a list of server administrators
Which method accesses a field called ‘User Mail’ in a playbook?
- A . ${incident.usermail}
- B . ${incident.User Mail}
- C . ${incident.UserMail}
- D . ${usermail}
Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)
- A . The ’Fetches Incidents’ option may not have been enabled
- B . There are no new events from the external service
- C . The first fetch should be manually triggered to start the fetching process
- D . It can take up to 1-hour before incidents are initially fetched
An administrator wants to send an email via the Mail Sender integration.
Which of the following out of the box methods would be used for that?
- A . XSOAR D2 agent
- B . external integration command
- C . XSOAR shared agent
- D . common automation script
How long is the trial period for paid content packs?
- A . 30 days
- B . 14 days
- C . 7 days
- D . 60 days
A
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions.html
In which two scenarios would it be appropriate to implement a loop for a sub-playbook? (Choose two.)
- A . In repetitive process flows to iterate for each playbook input
- B . When continuously ingesting incidents from third-party systems
- C . In repetitive process flows with no more than 10 loops
- D . In repetitive processes that requires sub-playbook re-execution
What is the default landing page for a new user in XSOAR?
- A . Dashboards
- B . Threat Intel
- C . Settings
- D . Marketplace
Which of the following are valid methods to contribute custom content? (Choose three.)
- A . Submit content directly through feature requests
- B . Private GitHub repository submission for premium content
- C . A Github pull request on the public XSOAR Content Repository
- D . Using the marketplace interface to upload the content
- E . Using the content submission tool on live.paloaltonetworks.com
An automation returned an output called: csvReport.
What filter would be used to check if the automation returned results?
- A . Contains/Includes
- B . Equals/Matches
- C . In/In list
- D . Is defined/Exist
D
Explanation:
This filter will be used to check if the automation returned results, as it checks to see if the output variable called csvReport is defined and exists. If it is, then the automation returned results.
You can customize most aspects of the incident layout, including which three of the following? (Choose three.)
- A . Which users have permissions to view the tabs
- B . Which roles have permissions to view the tabs
- C . Which dashboard settings are applied
- D . The information and how is it displayed
- E . Which tabs appear and in which order
An engineer would like to change an incident’s SLA according to the severity field changes.
How can the engineer achieve this task?
- A . Use a field trigger script
- B . Use a field display script
- C . Create a job that queries for incident severity changes
- D . Change the SLA manually every time the severity changes
A
Explanation:
Reference: https://xsoar.pan.dev/docs/incidents/incident-fields
Where do you navigate to monitor and improve the system performance and resilience for hosts in a multitenant environment?
- A . Settings > About > Troubleshooting, in the main host account. Each host has a System
Diagnostics page. - B . Settings > Advanced > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
- C . Settings > Account Management > Hosts, in the main host account. Each host has a System Diagnostics page.
- D . Settings > About > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
During configuration of the inputs of a sub-playbook in the main playbook, there is an option under the Loop tab called "For Each Input".
What is this option used to?
- A . To loop the sub-playbook over all context values present in the investigation
- B . To loop the sub-playbook over all incident fields for the given incident
- C . To loop the sub-playbook over all the fields marked as important
- D . To loop the sub-playbook over all defined sub-playbook inputs
Where are incident layouts customized?
- A . Settings > Object Setup > Incidents > Layouts
- B . Settings > Integrations > Instance configuration
- C . Settings > Object Setup > Indicators > Layouts
- D . Settings > Advanced > Incident Layouts
A
Explanation:
Reference: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Customize-Incident-Layouts
Which tag must be applied to an Automation Script in order for it to be available when configuring an Indicator Type?
- A . reputation-script
- B . enrich
- C . reputationScript
- D . reputation
Which of the following is a feature of XSOAR automations?
- A . can run on multiple docker containers
- B . can be set to run on a scheduled basis in the automation settings
- C . can be password protected
- D . can be written in C++
Which two methods are used to add new content to the XSOAR Content Repository? (Choose two.)
- A . Create content and add it to the standard content by contributing through the Marketplace
- B . Use the XSOAR GitHub Contribution Guide to add the contribution to the standard content
- C . Create a support ticket with the custom content for review by the support team
- D . Any custom content will be automatically uploaded to the content repository
Which two capabilities do Automation script settings include? (Choose two.)
- A . Define ‘parameters’
- B . Correlate to incident types
- C . Define ‘outputs’
- D . Set password protection
When mapping incoming data to incident fields, which statement is correct?
- A . Data that is not mapped is placed under labels
- B . Only text fields are classified
- C . Classification cannot be used if mapping is enabled
- D . Every incoming field must be mapped
A
Explanation:
Reference: https://xsoar.pan.dev/docs/incidents/incident-classification-mapping
When browsing the Marketplace for new content packs, which details about each pack are you able to view?
- A . The integration’s source code
- B . A summary of each version history
- C . A test instance for the content pack
- D . The source code of each playbook
DRAG DROP
Match the action with the most appropriate playbook task type.
Explanation:
https://www.jaacostan.com/2021/02/palo-alto-cortex-xsoar-playbook-icons.html
What is the default configuration for indicator auto-extraction when incidents are created?
- A . Inline
- B . Inband
- C . None
- D . Out of band
Inside the Incidents table view, which actions can be performed on the selected incidents? (Choose two.)
- A . Run Command, Export, and Close and Delete for all selected incidents regardless of their status
- B . Assign, Edit, and Mark as Duplicate for all selected incidents regardless of their status
- C . Run Command for all selected incidents having Active status
- D . Export incidents as JSON and change incident status
A SOC analyst needs to retrieve the list of all open phishing incidents in the last 30 days.
What is the correct query to use?
- A . -status:closed -category:job type:Phishing created:>="30 days ago"
- B . status:closed -category:job & type:Phishing created:>="30 days ago"
- C . -status:closed -category:job & type:Phishing created:<="30 days ago"
- D . -status:closed -category:job type:Phishing created:="30 days ago"
In which three locations can an engineer try to find information, when troubleshooting a failed integration instance error produced by the test button? (Choose three.)
- A . The audit log
- B . The log bundle
- C . The source code for an integration
- D . The error message returned directly below the button
- E . The playground war room
In Cortex XSOAR multi tenant setup, when content from a development server is pushed to the remote repository, where in the production server can the updates be found?
- A . Main Account
- B . Tenants
- C . Agent tools
- D . Marketplace
Newly created subplaybooks do not have any inputs, or outputs.
What is necessary to make them functional? (Choose two.)
- A . Define input key in the subplaybook task. Map context values to pull from parent playbook.
- B . The output of the previous task automatically becomes the input of the subplaybook.
- C . Map inputs and outputs to the parent playbook and the subplaybook will use the same
values. - D . Open the subplaybook and add inputs or outputs in the Playbook triggered task.
Which two components have their own context data? (Choose two.)
- A . Sub-playbook
- B . Task
- C . Field
- D . Incident
Which built-in automation/command cab be used to change an incident’s type?
- A . setIncident
- B . Set
- C . GetFieldsByIncidentType
- D . modifyIncidentFields
A
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents- management/incident-fields/field-trigger-scripts.html
Which built-in automation/command cab be used to change an incident’s type?
- A . setIncident
- B . Set
- C . GetFieldsByIncidentType
- D . modifyIncidentFields
A
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents- management/incident-fields/field-trigger-scripts.html
Which built-in automation/command cab be used to change an incident’s type?
- A . setIncident
- B . Set
- C . GetFieldsByIncidentType
- D . modifyIncidentFields
A
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents- management/incident-fields/field-trigger-scripts.html
Which built-in automation/command cab be used to change an incident’s type?
- A . setIncident
- B . Set
- C . GetFieldsByIncidentType
- D . modifyIncidentFields
A
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents- management/incident-fields/field-trigger-scripts.html
Which built-in automation/command cab be used to change an incident’s type?
- A . setIncident
- B . Set
- C . GetFieldsByIncidentType
- D . modifyIncidentFields
A
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents- management/incident-fields/field-trigger-scripts.html
Which built-in automation/command cab be used to change an incident’s type?
- A . setIncident
- B . Set
- C . GetFieldsByIncidentType
- D . modifyIncidentFields
A
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents- management/incident-fields/field-trigger-scripts.html
Which built-in automation/command cab be used to change an incident’s type?
- A . setIncident
- B . Set
- C . GetFieldsByIncidentType
- D . modifyIncidentFields
A
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents- management/incident-fields/field-trigger-scripts.html
Email Subject C “You have won a million dollars”
What is the correct query syntax for the above incident search filter?
- A . status==“Pending“ && category!=”job” && severity==”High” && owner==”None” && type==”Phishing” && emailsubject==”You have won a million dollars”
- B . Status:Pending and CCategory:job and Severity:High and Owner:”” and Type:Phishing and Email Subject:You have won a million dollars
- C . status:Pending and Ccategory:job and severity:High and owner:”” and type:Phishing and emailsubject:”You have won a million dollars”
- D . status:Pending or Ccategory:job or severity:High or owner:”” or type:Phishing or emailsubject:”You have won a million dollars”
C
Explanation:
Reference: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/cortex-xsoar- overview/how-to-search-in-cortex-xsoar.html#idcd7fe505-c1c1-42f5-a698-08b5710196d3