PCSAE Exam - 20240324

2024/3/24 中午12:15 PCSAE Exam - Free Actual Q&As, Page 1 | ExamTopics
- Expert Verified, Online, Free.
 Custom View Settings
Topic 1 - Single Topic
Question #1 Topic 1
Which two advanced attributes can be applied to incident fields when editing? (Choose two.)
A. Set a field trigger script
B. Associate to an incident type
C. Change field type
D. Change field name
Correct Answer: AB
Reference:
https://docs.servicenow.com/bundle/quebec-it-service-management/page/product/incident-management/reference/incident-management-
properties.html
Community vote distribution

AB (100%)
  chucklepie 2 months, 2 weeks ago

You can also change the type under certain circumstances so while correct this question is bad
upvoted 1 times
  DammyTheD 4 months, 3 weeks ago

Recently I appeared in the Palo Alto PCSAE. I prepared for it by using study materials sourced through Pass4surehub. I was able to secure 91% in it.
https://rb.gy/081xk
upvoted 1 times
  jbender72 1 year, 2 months ago

correct
upvoted 2 times
  thorodp 1 year, 5 months ago
Selected Answer: AB
These are correct

upvoted 2 times
https://www.examtopics.com/exams/palo-alto-networks/pcsae/custom-view/ 1/98
Question #2 Topic 1
Given an incident with three files, how could the name of the second file be referenced?
A. ${Files.[2].Name}
B. ${Files.Name.[2]}
C. ${File.[1].Name}
D. ${File.Name.[1]}
Correct Answer: B

C (50%) D (50%)
  Branodn Highly Voted  2 years, 4 months ago
The answer is C ${File.[1].Name}

upvoted 13 times
  piipo Most Recent  1 week, 3 days ago
Selected Answer: C
C is Correct
upvoted 1 times

Why can't answers be changed? The answer is C
upvoted 2 times

Thanks to Pass4surehub I was able to pass my Palo Alto Networks PCSAE exam on my first attempt. The reason for relying on this site was that I
had done a long research and I found its study guide and Questions and Answers quite authentic and also the fee was most reasonable. I passed
my exam with 83% marks and recommended this site to others as well. https://rb.gy/081xk
upvoted 2 times
  TcanCmon 1 year, 2 months ago

I just tested, File.[1].Name it is. Therefore, C
(And the index is starting from 0)
upvoted 3 times
Selected Answer: D
D is correct, index starts from 0.

upvoted 1 times
  cptcoggsworth 10 months, 2 weeks ago

D is incorrect because it is not the correct JSON path
upvoted 1 times
  rmurugan 2 years, 5 months ago

A is the correct answer
upvoted 1 times
  rafemuhammed 1 year, 8 months ago

Could you please confirm it? Index starts with 0 right so second file means index 1.
upvoted 3 times
Question #3 Topic 1
Which component can be part of a load balancing group?
A. Distributed database
B. D2 agent
C. Engine
D. Load balancing server
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/engines/understand-demisto-engines.html

C (100%)

The most amazing feature of Pass4surehub’s study guide was that it was available in PDF format and I could download it on any handy device to
continue my studies. I spent only a few days on learning the content and aced the PCSAE exam with an outstanding percentage! Give it a try and
you’ll be a fan of Pass4surehub like me! https://rb.gy/081xk
upvoted 1 times
  MarcoS10 11 months, 3 weeks ago
Selected Answer: C
Engine is the correct answer

upvoted 1 times
Selected Answer: C
Correct
upvoted 2 times
Question #4 Topic 1
Which method accesses a field called `˜User Mail' in a playbook?
A. ${incident.usermail}
B. ${incident.User Mail}
C. ${incident.UserMail}
D. ${usermail}
Correct Answer: A

A (67%) C (33%)
Selected Answer: C
Pass4surehub has helped me to pin down my goals and achieve them successfully. With the help of knowledgeable staff and valid Study material, I
have passed my Palo Alto Networks PCSAE certification. Can’t explain my happiness in words. Thank a million!! https://rb.gy/081xk
upvoted 1 times
  john1208 10 months, 3 weeks ago

Selected Answer: C
i think its C
upvoted 1 times

Selected Answer: A
Correct
upvoted 4 times
Question #5 Topic 1
A SOC manager built a dashboard and would like to share the dashboard with other team members.
How would the SOC manager create a dashboard that meets this requirement?
A. Manually share the dashboard through user emails
B. Dashboard is shared to all XSOAR users
C. Propagate the dashboard based on SAML authentication
D. Dashboard is shared to all XSOAR users in a selected role
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/dashboards/share-a-dashboard.html

D (100%)
Selected Answer: D
Correct
upvoted 2 times
Question #6 Topic 1
Which two methods will allow data to be saved in incident fields within a playbook? (Choose two.)
A. setFields
B. Field mapping
C. setIncident
D. Layout inline editing
Correct Answer: BC

BC (100%)
Selected Answer: BC
correct
upvoted 1 times
Question #7 Topic 1
DRAG DROP -
Match the action with the most appropriate playbook task type.
Select and Place:
Correct Answer:
https://www.jaacostan.com/2021/02/palo-alto-cortex-xsoar-playbook-icons.html

correct
upvoted 1 times
Question #8 Topic 1
Which built-in automation/command cab be used to change an incident's type?
A. setIncident
B. Set
C. GetFieldsByIncidentType
D. modifyIncidentFields
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents-management/incident-fields/field-trigger-
scripts.html
Question #9 Topic 1
An engineer notices that playbooks only start once the user clicks the `˜investigate' button and he/she would like the playbook to start
automatically.
How can this be implemented?
A. Add the playbook to the integration's settings
B. Select 'Run playbook automatically' from the incident type settings
C. Add the !startinvestigation automation to the beginning of the playbook
D. Select 'Run playbook automatically' from the integration settings
Correct Answer: A

B (100%)
  rmurugan Highly Voted  2 years, 5 months ago
B is the answer
upvoted 10 times
  john1208 Most Recent  10 months, 3 weeks ago
Selected Answer: B
B is the answer, dont mislead please

upvoted 1 times
  MarcoS10 11 months, 2 weeks ago

B is the correct answer, from Settings/Object Setup/Incident Types/select your own type and edit/flag the option "run automatically playbook"
upvoted 1 times
  momo_tree 1 year, 1 month ago

B as in Cardi B
upvoted 1 times
  Uggie 1 year, 2 months ago

Selected Answer: B
b it is
upvoted 2 times

B Indeed
upvoted 2 times
  jasminsurani 1 year, 3 months ago

B is the answer.
upvoted 4 times
Question #10 Topic 1
Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)
A. The 'Fetches Incidents' option may not have been enabled
B. There are no new events from the external service
C. The first fetch should be manually triggered to start the fetching process
D. It can take up to 1-hour before incidents are initially fetched
Correct Answer: AC

AB (100%)
  randomnametester Highly Voted  1 year, 11 months ago
Pretty sure its AB

upvoted 14 times
  piipo Most Recent  1 week, 3 days ago
Selected Answer: AB
Answer is AB
upvoted 1 times

A as in Automation and B as in Cardi B
upvoted 2 times

Wrong answer. It's AB
upvoted 3 times
Which two capabilities do Automation script settings include? (Choose two.)
A. Define 'parameters'
B. Correlate to incident types
C. Define 'outputs'
D. Set password protection
Correct Answer: BD

CD (100%)
  Gab99 4 months, 3 weeks ago
Selected Answer: CD
CD is correct
upvoted 3 times
  PANW 8 months ago

please provide justification/links for answers
upvoted 1 times

C as in Cardi B and D as in Demisto
upvoted 1 times

CD is the answer, nothing to do for inc. types.
upvoted 2 times

SHOULD BE C AND D
upvoted 1 times
DRAG DROP -
Match the appropriate action to the layout type.
Select and Place:
Correct Answer:
What is a primary use case of data collection tasks?
A. To allow multi-question surveys without authentication restrictions
B. To automate tasks such as parsing a file or enriching indicators
C. To generate new widgets for a dashboard
D. To determine different paths in a playbook
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbook-tasks/communication-tasks/create-a-
data- collection-task.html

A (100%)
  piipo 1 week, 2 days ago
Selected Answer: A
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Administrator-Guide/Create-a-Data-Collection-Task
upvoted 1 times

Its A, regardless of auth, its the primary use-case. Also, authentication is supported on Xsoar starting from a 6.6ish version. Hence, all is good
upvoted 2 times

"The survey resides on an external site that does not require authentication, thereby allowing survey recipients to respond without restriction."
From XSOAR...This shows that A is not the correct answer. The above is not the primary use.
upvoted 1 times
In which three locations can an engineer try to find information, when troubleshooting a failed integration instance error produced by the test
button? (Choose three.)
A. The audit log
B. The log bundle
C. The source code for an integration
D. The error message returned directly below the button
E. The playground war room
Correct Answer: BCD

BDE (100%)
Selected Answer: BDE
Answer is BDE
upvoted 1 times
  Sarppp 7 months ago

BDE is correct, you may find it on War Room (after fetch incident command), you may also find it in log bundle as well.
upvoted 1 times
  appopay 8 months, 3 weeks ago

A-B-D is the correct answer
upvoted 1 times
Which two statements describe how timers are configured to start and stop automatically in a playbook? (Choose two.)
A. Use a field of Number to count the number of seconds elapsed between two tasks
B. After the playbook has run, calculate the total time taken and set the timer field with this value
C. To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation
stopTimer
D. From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on
Correct Answer: BD

CD (100%)
  samtron 11 months, 1 week ago
Selected Answer: CD
it should be CD
upvoted 1 times

C as in Cardi B and D as in DBot
upvoted 1 times

It should be CD
upvoted 2 times
How long is the trial period for paid content packs?
A. 30 days
B. 14 days
C. 7 days
D. 60 days
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions.html
After enriching a username using Active Directory, an engineer would like to send an email to the user's manager. However, this functionality is not
part of the command output. The engineer checks with raw-response=true and notices that the manager's email is returned, but not saved in the
context.
How can the engineer save the data so it will be accessible?
A. Mark ignore output = true
B. Use extend-context
C. Use raw-response = save
D. Mark ignore input = true
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/extend-context/extend-context-using-the-
command-line.html
Where can engineers add the post-processing scripts to incidents?
A. The post-processing tag must be added to the automation
B. Post-processing scripts must be added at the end of playbooks
C. Post-processing scripts must be added from the Incident Type editor
D. Post-processing scripts must be added from the Post-Process Rules editor
Correct Answer: C

C (100%)
Selected Answer: C
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.12/Cortex-XSOAR-Administrator-Guide/Add-a-Post-Processing-Script-to-the-
Incident-Type
upvoted 1 times
An engineer would like to present a trend using widgets to compare to a previous week's data.
Which two methods will allow the engineer to meet the requirement? (Choose two.)
A. Create widget of type Line, check 'Display Trend' and define as 7 days ago
B. Create a custom widget using a new incident query
C. Create widget of type Number, check 'Display Trend' and define as 7 days ago
D. Create a custom widget using a script
Correct Answer: AD

BC is correct, there is no display trend opiton in line type when you create a widget.
upvoted 1 times

CD will be correct sorry for the typo.
upvoted 3 times
What happens when an integration is deprecated?
A. The integration commands in a playbook can no longer be used
B. The integration commands can be used, but it is recommended to update to the latest content pack
C. The configuration settings will be lost and the integration will no longer function
D. The integration commands in a playbook can be used, but it will fail at runtime
Correct Answer: C

B (100%)
Selected Answer: B
B as in Cardi B
upvoted 3 times

It is B. Though, it just means that version is out of support from the developer
upvoted 1 times
  piipo 1 year, 11 months ago

Selected Answer: B
You can also use it with deprecated.

upvoted 4 times
Which investigation element is best suited for collaboration among users?
A. Work Plan
B. Related Incidents
C. War Room
D. Context Data
Correct Answer: D
Reference:
https://blog.paloaltonetworks.com/2020/01/cortex-security-operations/

C (100%)
  lucaboban Highly Voted  2 years, 8 months ago
C - Correct
upvoted 14 times
  appopay Most Recent  8 months, 3 weeks ago
C as in Cardi B
upvoted 2 times
Selected Answer: C
It is C
upvoted 2 times

War room - C
upvoted 3 times
Which three support types are included in the Marketplace Content Packs? (Choose three.)
A. Customer supported
B. Contex XSOAR supported
C. Community supported
D. Partner supported
E. Prisma Cloud supported
Correct Answer: BCD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-overview/content-packs-support-
types.html
Which three authentication methods are supported when logging into XSOAR? (Choose three.)
A. OTP token
B. User name and password
C. SAML
D. Active Directory authentication
E. RADIUS
Correct Answer: CDE
Reference:
https://www.paloguard.com/GlobalProtect.asp

BCD (100%)
  zoinx Highly Voted  2 years, 7 months ago
No radius but username / password instead

upvoted 8 times
answer is BCD
upvoted 7 times
  samtron Most Recent  11 months, 1 week ago
Selected Answer: BCD
It is BCD
upvoted 2 times

BCD, no raidus
upvoted 4 times
Which two components have their own context data? (Choose two.)
A. Sub-playbook
B. Task
C. Field
D. Incident
Correct Answer: AD
What are two main uses of context data? (Choose two.)
A. Store incident information in JSON format
B. Store incident information in XML format
C. Pass data between playbook tasks
D. Pass data between to-do tasks
Correct Answer: AC
Reference:
https://xsoar.pan.dev/docs/integrations/context-and-outputs#:~:text=The%20main%20use%20of%20the,the%20Context%20and%20uses%20it
Multiple company assets were reported by vulnerability scanners as being vulnerable to CVE-2017-11882. This vulnerability affects applications
installed on workstations. The SOC team needs to take action and apply the new vulnerability patch that was just released. The team must first
create a cause for each of the identified assets in ServiceNow IT Service Management (ITSM), in order to notify the IT department. Next, the team
creates a task in the main playbook, which extracts the list of assets from the scanner report.
After the list of assets are created, what are the two solutions that the SOC team could take so that a case could be created and a patch installed?
(Choose two.)
A. Create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Condition:
AreValuesEqual ‫ג‬€" Exit on yes ‫ג‬€" left:1, right 1) and perform the following tasks: - Active Directory User Enrichment based on the
computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
B. Create a sub-playbook with a single input containing the computer names that will loop 'For Each Input' and perform the following tasks: -
Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark
the ticket severity as Urgent
C. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until
the last item from the asset list (Exit condition: iterator contains the count of the number of items in the list) and perform the following tasks:
- Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark
the ticket severity as Urgent
D. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until
the last item from the asset list (Exit condition: iterator equal to count of the number of item in the list) and perform the following tasks: -
Increase the iterator value by one each time - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record
by adding the enrichment information - Mark the ticket severity as Urgent
Correct Answer: BD
When creating a new tab in the layout, which section cannot be added?
A. Retrieve widget chart based on script
B. Related incidents
C. War room entries picked by entry query
D. Incident team members
Correct Answer: A

B (100%)
  piipo 1 week, 1 day ago
Selected Answer: B
Related incidents
upvoted 1 times

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Customize-Incident-Layouts B is the answer.
upvoted 3 times
  yuvalhal 1 year, 11 months ago

B - Related Incidents
upvoted 3 times
  randomnametester 1 year, 11 months ago

You can retrieve a widget chart based on a script
upvoted 1 times

I don't think you can make another related incidents page
upvoted 1 times
In which two ways can data be transferred between playbooks and sub-playbooks? (Choose two.)
A. Inputs and outputs
B. Through integration context
C. Automatically extracted by sub-playbooks
D. From context data, if context is shared globally
Correct Answer: AD
By default, which components does an XSOAR implementation include?
A. XSOAR server, XSOAR engine
B. Application server, distributed DB server
C. Application server, distributed DB server, Backup server
D. All in one server
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/installation/install-demisto-on-a-physical-or-virtual-server.html

D (100%)
  piipo Highly Voted  1 year, 11 months ago
Selected Answer: D
All in One
upvoted 8 times
  momo_tree Most Recent  1 year, 1 month ago
D as in Distributed Databases
upvoted 1 times

D is correct
upvoted 2 times

Selected Answer: D
D is the correct.
upvoted 3 times
DRAG DROP -
Match the operations with the appropriate context.
Select and Place:
Correct Answer:
  news088 5 months, 2 weeks ago

from 3rd party system during fetch incidents....should be integration
Run generic polling playbook for checking status of a detonation process....should be global context.
upvoted 1 times
Which three statements are true about the Marketplace? (Choose three.)
A. Allows reverting back to a previous version of a content pack
B. Enables users to participate in the community by sharing content
C. Publishes content without additional review from the Cortex XSOAR team
D. Allows uploading of content in additional languages
E. Offers granularity in installation through content packs
Correct Answer: BCD

ABE (100%)
Selected Answer: ABE
languages are not supported, content always validated by XSOAR team.

upvoted 3 times
  zoinx 2 years, 7 months ago

C is not true, it should be A instead.
upvoted 4 times
What can be added to offload integration instance processing from the main server?
A. Database node
B. Application server
C. Engine
D. Development server
Correct Answer: A

C (100%)
  Max359 Highly Voted  2 years, 2 months ago
The answer should be C

upvoted 7 times
Engine
upvoted 5 times
  piipo Most Recent  1 week ago
Selected Answer: C
Offload is Engine
upvoted 1 times
Which XSOAR architecture would be recommended for Managed Security Service Providers (MSSP)?
A. Multi-region
B. Dev-Prod
C. Multi-tenant
D. Distributed database
Correct Answer: C
Reference:
https://www.ncsi.com/wp-content/uploads/2020/11/cortex-xsoar.pdf
Currently there are no comments in this discussion, be the first to comment!
An incident field is created having the display name as Source_IP.
How can the field be accessed?
A. ${incident.sourceip}
B. ${incident.Source_IP}
C. ${incident.srcip}
D. ${incident.Source IP}
Correct Answer: C

A (100%)
  piipo 1 week ago
Selected Answer: A
lowercase with no space

upvoted 1 times
  MarcoS10 11 months, 1 week ago

A is correct
upvoted 4 times

The correct answer is A. Machine name is lowercase with no space
upvoted 3 times
DRAG DROP -
Arrange these steps in the order that they occur during an incident fetch.
Select and Place:
Correct Answer:
  pawkers Highly Voted  1 year, 1 month ago
I do not think so. It should be like that:

Integration performs
Classification is applied
Mapping is applied
Incident is created (before incident creation it should be also pre-process rule step)
upvoted 11 times

the incident object is created right after the integration performs, after the mapping and pre-process, the incident is made to be available. but
in fact it is created right after the integration performs. source beacon: Palo Alto Networks Certified Security Automation Engineer (PCSAE) ->
Cortex XSOAR: SOAR Engineer Training -> Incident Classification and Mapping
upvoted 1 times

Wrong, when you just search 'lifecycle of an incident in xsoar' you will see that in order:
1)Event Data Ingestion
2)Incident-Object Creation
3)Classification
4)Mapping
5)Pre-Process
6)Incident Process
7)Incident Management
upvoted 1 times
  thorodp Highly Voted  1 year, 5 months ago
For future reference. This is wrong. The correct order is:
Integration performs
Incident is created
Classification is applied
Mapping is applied
upvoted 7 times
  PenguPC 1 year, 5 months ago

I agree
https://xsoar.pan.dev/docs/integrations/fetching-incidents
upvoted 2 times
  franko_72 Most Recent  8 months, 1 week ago

Stage One: Event-Data Ingestion
The incident lifecycle begins when an integration fetches an event. You can configure integrations in Cortex XSOAR to fetch event data from
various sources, such as a SIEM, EDR, a firewall, and other security systems and services.
Stage Two: Incident Object Creation

Cortex XSOAR uses the event data fetched by an integration to create an incident object and populates it with raw event data.
Stage Three: Classification

Cortex XSOAR identifies the type of incident based on the classifier object selected in the integration configuration settings. If you have not
selected any classifier, then the integration uses the default classifier of the integration. Cortex XSOAR will identify an incident as Unclassified if no
default classifier exists or if the type of an incident cannot be identified.
Stage Four: Mapping

The raw event data ingested by an integration gets mapped to existing fields in Cortex XSOAR. The fields display incident data to analysts in the
Cortex XSOAR graphical user interface (GUI).
Ingestion >> Incident Creation >> Classification >> Mapping is the 100% correct answer
upvoted 2 times

This is wrong
upvoted 1 times
An engineer deployed two different instances of Active Directory for each organization site. As part of account enrichment use case, the engineer
would like to delete a user from one specific site.
Which command will accomplish this?
A. run 'ad-delete-user' command with 'user-dn' arg and using-brand=‫ג‬€Active Directory Query v2‫ג‬€
B. run 'ad-delete-user' command with 'user-dn' arg and raw-response=true
C. run 'ad-delete-user' command with 'user-dn' arg and ignore-outputs=true
D. run 'ad-delete-user' command with 'user-dn' arg and using=‫ג‬€Active Directory Query v2_instance_1‫ג‬€
Correct Answer: A

D (100%)
  piipo 1 week ago
Selected Answer: D
D is the correct
upvoted 1 times
  franko_72 8 months, 1 week ago

D is correct, here is the command for a user names frank on my dummy Windows server
!ad-delete-user user-dn="CN=frank,CN=Users,DC=xsoar,DC=local" using="Active Directory Query v2_instance_1"
upvoted 4 times
  PANW 8 months ago

Thanks Franko for adding a comment that makes sense and explain the answer
Too many people give answers without explanation, which isn't really useful
upvoted 1 times

D because you select instance by "Advanced tab in the task/Using"
upvoted 2 times

Using Brand would delete from both orgs
upvoted 1 times

D is the correct answer
upvoted 3 times
  amkoppad 2 years, 8 months ago

upvoted 3 times
An engineer is developing a playbook that will be run multiple times for testing purposes.
What is the recommended first task to be used in the playbook?
A. DeleteContext
B. GenerateTest
C. PrintContext
D. SetContext
Correct Answer: A
Reference:
https://xsoar.pan.dev/docs/integrations/test-playbooks
A - Correct
upvoted 5 times
What is the most effective way to correlate multiple raw events coming from a SIEM and link them together?
A. Process all alerts by running the respective playbook and link related incidents during post-processing
B. Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together
C. Configure a pre-process rule to link related events as they are ingested
D. Manually go through the incidents created by the raw events and link related incidents
Correct Answer: A

C (100%)
  jasminsurani Highly Voted  1 year, 3 months ago
Selected Answer: C
C is a answer.
upvoted 5 times
  randomnametester Most Recent  1 year, 11 months ago
Answer is C
upvoted 4 times
Which two incident search queries are valid? (Choose two.)
A. created:>=€7‫ ג‬days‫ג‬€
B. owner===admin
C. role is Analyst
D. status:closed ‫ג‬€"category:job
Correct Answer: AD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/cortex-xsoar-overview/how-to-search-in-cortex-xsoar.html
What is the correct expression to use when filtering only PDF files?
A. Use File.Extension that does not equal (string comparison) PDF
B. Use File.Name contains PDF
C. Use File.Extension contains (general) PDF
D. Use File.Extension equals (string comparison) PDF
Correct Answer: B

D (100%)
  amkoppad Highly Voted  2 years, 8 months ago
D is correct answer
upvoted 6 times
  piipo Most Recent  1 week ago
Selected Answer: D
D is correct
upvoted 1 times

D is the cotrrect
upvoted 1 times
  pawkers 1 year, 1 month ago

Most precise will be D but C also will be ok and do the work
upvoted 1 times

D is the best answer than B
upvoted 3 times
Whar are possible war room result (entry) types?
A. Context, file, error, image
B. Note, indicator, error, image
C. Video, file, error, image
D. Note, file, error, image
Correct Answer: B

D (100%)

upvoted 7 times
  DarioGabriel Highly Voted  2 years ago
Selected Answer: D
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incident-management/war-room-overview
upvoted 5 times
An engineer asked for a specific command in an integration but the capability does not exist. The engineer decided to edit the existing integration
by copying the integration and adding the needed commands.
What is the main concern when adding these commands?
A. The commands must return a proper result to the war room for the analysts to understand
B. The code may not be written to XSOAR standards
C. The integrations are locked and cannot be edited with additional commands
D. The custom integration will not be maintained and updated by XSOAR content team
Correct Answer: C

D (90%) 10%
Selected Answer: D
Custom content are not supported

upvoted 8 times

upvoted 6 times
  franko_72 Most Recent  8 months, 3 weeks ago
Selected Answer: D
A, B and C don't really make much sense to me. The one that does is D as once an integration has been "detached" it cannot be updated by XSOAR
upvoted 1 times

Selected Answer: C
You can never edit and develop the command for any integration. Automations can only be developed or edited.
upvoted 1 times

D is the best answer
upvoted 3 times
How is data transferred between playbook tasks?
A. Read/Write from context data
B. Over war room results
C. Input from the indicator page
D. Directly from a previous task
Correct Answer: A
A large number of incidents were deleted by mistake.
Which two architecture components can be used to recover the lost data? (Choose two.)
A. Live backup
B. Engine
C. Distributed database
D. Local backup
Correct Answer: AB
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-and-live-backup/disaster-recovery-and-
backup- overview.html

AD (100%)
Selected Answer: AD
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/disaster-recovery-and-live-backup/backup-the-database.html
upvoted 6 times
  MarcoS10 Most Recent  11 months, 1 week ago
AD no other possibilities
upvoted 1 times

I could see AB or AD. Depending on if you consider the live backup server to be an engine. Which probably it should not be.
upvoted 1 times
Which two statements accurately describe layouts? (Choose two.)
A. Layouts override classification and mapping
B. New tabs can be added to the incident layout
C. Layouts can display incident information and custom fields
D. Layouts add or remove custom fields from an incident type
Correct Answer: BC
An engineer's organization system is registered in the following manner: <SiteName-SystemID-Username>. The engineer created a new indicator
type for detecting systems using regex. The engineer would now like the username to be created as a separate `˜User' indicator automatically
once a system is found.
What is the most efficient way for the engineer to achieve this?
A. Create a custom indicator field named 'username' and link it to the internal system indicator
B. Change the reputation command for the internal system indicator type
C. Create a new indicator type of the internal username and set a formatting script to extract only the username
D. Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-threat-intel-management-guide/manage-indicators/understand-
indicators/ indicator-types/indicator-type-profile

C (100%)
C is best answer. System message does not start with dash so it will not come up in regex of D
upvoted 7 times
  piipo Most Recent  6 days, 17 hours ago
Selected Answer: C
C is Correct
upvoted 1 times

D seems the best answer
upvoted 3 times
Which two options are the most effective for moving content between two environments? (Choose two.)
A. Remote repository based content sharing
B. UI based content import/export button
C. Copy the content backup from one environment file system (/var/lib/demisto/backup/content-backup-*) and move it to the other
environment
D. Download the content items separately and upload them to the other environment
Correct Answer: AC
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/migrate-data-to-another-server-for-multi-
tenant.html
A,B is correct.
upvoted 6 times
  franko_72 Most Recent  8 months, 1 week ago
A,C surely?
upvoted 1 times

Why you tell a,b? i think it is righ, AC
upvoted 2 times
Which three options can be defined in the layout settings? (Choose three.)
A. Set of fields to present
B. Permission to view the tab based on 'Users'
C. Permission to view the tab based on 'Roles'
D. Delete built-in tabs including the war room
E. Dynamic sections
Correct Answer: ACE
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/incidents/customize-incident-view-layouts/customize-
incident- layouts.html
What can be used as integration parameters?
A. URL, API key, port
B. URL, certificate, image
C. Token, query, playbook
D. User-password, csv file, query
Correct Answer: A
Which two features does XSOAR offer to help recover from a server failure? (Choose two.)
A. Live backup (disaster recovery)
B. Distributed database
C. Backup data to XSOAR engines
D. Local backup
Correct Answer: AC

AD (100%)
A,D is the correct answer

upvoted 8 times
Selected Answer: AD
Seems like A and D are correct. I Engines are used to off-load processing not to backup as far as I know.
upvoted 2 times
When uploading content, which two options could the upload include? (Choose two.)
A. Indicators
B. Incidents
C. Reports
D. Fields
Correct Answer: AB

AC (100%)
  piipo 5 days, 19 hours ago
Selected Answer: AC
A and C
upvoted 1 times

AC. you have upload option for these two. ignore the others that do not say AC
upvoted 1 times

think it's B and D. indicators aren't considered "content" in xsoar
upvoted 1 times

C and D , appologies for the typo
upvoted 3 times
  Deepu2710 8 months, 3 weeks ago

A,C in reports it's showing upload option and inside threat intel in xsoar indicators tab also there is upload option. Correct me if I am wrong. I
verified this from xsoar
upvoted 3 times

A,D is correct
upvoted 3 times
An engineer defined a dashboard which allows important metrics to be displayed. The engineer would like to make this dashboard the default
dashboard.
How can it be accomplished?
A. Default Dashboard can be defined by 'Role'
B. Use the server configuration key: default.dashboards
C. Save the dashboard as a widget and apply it to all users
D. Right click on the dashboard tab and 'Set as Default'
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/monitoring/cortex-xdr-dashboard/manage-dashboards.html

A (100%)
Correct answer is A
upvoted 6 times
  kunalgupta 2 years, 6 months ago

D is right as per the reference link
upvoted 3 times

Link is for Cortex XDR, not for XSOAR.
upvoted 2 times
Yep, when you create a Dashboard, you Share it, specify who to share it with and Read/Write or Read Only and once shared, you can add it to a
Default Dashboard. Answer is 100% A
upvoted 3 times
  franko_72 8 months, 3 weeks ago

Having trouble finding the answer but A would be the most logical. Under Settings >> Users and Roles >> Scroll down to Default Dashboards and
select the default dashboard for that role. You can choose the positions for all dashboards by clicking on them in the order you want them.
However, I don't see custom dashboards in this field.
upvoted 1 times

B is correct
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Automation-Server-Configurations
upvoted 1 times

Selected Answer: A
In Production, you can do define default dashboard under the roles.

upvoted 2 times
  yuvalhal 1 year, 11 months ago

Correct answer is B.
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/dashboards/configure-a-default-dashboard
upvoted 2 times
How would context data be filtered to receive only malicious indicator values with DBotScore?
A. Get DBotScore.value where DBotScore.Score (Larger or equals) 4
B. Get DBotScore.value where DBotScore.Score (equals (int)) 3
C. Get DBotScore where DBotScore.Score (Larger than) 1
D. Get DBotScore where DBotScore.Score (Larger or equals) 2
Correct Answer: B
Reference:
https://github.com/demisto/content/blob/master//Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/README.md

This question makes no sense. 'Malicious' is not a dbotscore. Bad is so if you equate malicious to bad it is '3'. However there is no property 'value'
for DBotScore. So there are no answers correct. So the question is just badly worded. So A if you think dbotscore.value (which does not exist) or D
but value 2 equates to 'Suspicious'...
upvoted 1 times

Whoops, B if you want to use '3' as the answer and D for Suspicious.
upvoted 1 times

some info about dbot score. 0-1-2-3
https://xsoar.pan.dev/docs/integrations/dbot
upvoted 1 times
Can an automation script execute an integration command and an integration command execute an automation script?
A. An automation script cannot execute an integration command and an integration command cannot execute an automation script
B. An automation script can execute an integration command and an integration command cannot execute an automation script
C. An automation script cannot execute an integration command and an integration command can execute an automation script
D. An automation script can execute an integration command and an integration command can execute an automation script
Correct Answer: B

Correct answer is D.
upvoted 1 times
  duduic 6 months ago

go and try it. You'll see that it's B
upvoted 3 times
Which two options will troubleshoot an integration's fetch incidents command? (Choose two.)
A. In the instance settings, enable the fetch incidents parameter and wait for one minute
B. Create a one task playbook with a fetch-incident command
C. execute !<integration_instance_name>-fetch
D. execute !<integration_name>-fetch
Correct Answer: AC
Reference:
https://xsoar.pan.dev/docs/integrations/fetching-incidents

Probably AC. When you run an instance to fetch, assuming it's set for 1 minute and not days etc, when it "attempts" to fetch it will show a result on
the integrations page which you can click on to determine if successful or not.
upvoted 2 times
DRAG DROP -
Match the corresponding action with the appropriate playbook tasks.
Select and Place:
Correct Answer:
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbooks-overview.html
Incidents need to be filtered by all of the following criteria:
1. Status `" Pending
2. Exclude Category `" Job
3. Severity `" High
4. Owner `" None (No owner assigned)
5. Type `" Phishing
6. Email Subject `" `You have won a million dollars`
What is the correct query syntax for the above incident search filter?
A. status==‫ג‬€Pending‫ג‬€ && category!=‫ג‬€job‫ג‬€ && severity==‫ג‬€High‫ג‬€ && owner==‫ג‬€None‫ג‬€ && type==‫ג‬€Phishing‫ג‬€ && emailsubject==‫ג‬€You
have won a million dollars‫ג‬€
B. Status:Pending and ‫ג‬€"Category:job and Severity:High and Owner:‫ג‬€‫ג‬€ and Type:Phishing and Email Subject:You have won a million dollars
C. status:Pending and ‫ג‬€"category:job and severity:High and owner:‫ג‬€‫ג‬€ and type:Phishing and emailsubject:‫ג‬€You have won a million
dollars‫ג‬€
D. status:Pending or ‫ג‬€"category:job or severity:High or owner:‫ג‬€‫ג‬€ or type:Phishing or emailsubject:‫ג‬€You have won a million dollars‫ג‬€
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/cortex-xsoar-overview/how-to-search-in-cortex-
xsoar.html#idcd7fe505- c1c1-42f5-a698-08b5710196d3

I think it should look something like this:
status:Pending -category:job and severity:High owner: type:Phishing emailsubject:"You have won a million dollars"
upvoted 3 times
What does Script helper contain?
A. Available commands
B. Permission settings
C. Automation version history
D. Automation timeout configuration
Correct Answer: A
Reference:
https://xsoar.pan.dev/docs/concepts/xsoar-ide

To see this, go to Automation, New Automation, Slick on Script Helper, choose the section/commands/script you need help with, for example, ad-
add-to-group, click on it and select Copy to Script and >>demisto.executeCommand("ad-add-to-group", {"group-cn":"<group-cn>"})<< will be
copied over, this can assist in building out your script!
upvoted 1 times
  lucaboban 2 years, 8 months ago

A - Correct
upvoted 3 times
When mapping incoming data to incident fields, which statement is correct?
A. Data that is not mapped is placed under labels
B. Only text fields are classified
C. Classification cannot be used if mapping is enabled
D. Every incoming field must be mapped
Correct Answer: D
Reference:
https://xsoar.pan.dev/docs/incidents/incident-classification-mapping

A (100%)
A is correct answer
upvoted 8 times
  duduic Most Recent  5 months, 4 weeks ago
Selected Answer: A
a is the answer. I really don't know who pickes those answers...

upvoted 1 times

A is correct
upvoted 1 times
Which two situations would an engineer consider when configuring classification and mapping for an incident type? (Choose two.)
A. When creating incidents from the XSOAR REST API
B. When manually creating an incident from the UI
C. When adding a new analyst account to XSOAR
D. When fetching many different incident types from a single mailbox
Correct Answer: AB

upvoted 6 times
Which two options may be added when a content pack is being installed? (Choose two.)
A. Lists
B. Roles
C. Other content packs
D. Indicator layouts
Correct Answer: AB

CD (100%)
  duduic 5 months, 4 weeks ago
Selected Answer: CD
c as in cardy and D as in not B

upvoted 3 times

CD is correct
upvoted 1 times

Lol, C,D is the correct answer
upvoted 4 times
Which three scripting languages can an engineer use to write XSOAR automations? (Choose three.)
A. Python
B. Perl
C. Go
D. JavaScript
E. Powershell
Correct Answer: ADE
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/automations.html

ADE (100%)
  piipo 4 days, 1 hour ago

Selected Answer: ADE
Correct
upvoted 1 times

ADE - Correct
upvoted 1 times
What are two primary uses of standard tasks? (Choose two.)
A. To highlight different paths in a playbook
B. To generate new widgets for a dashboard
C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators
Correct Answer: BD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbooks-overview.html

CD (100%)
C,D is correct
upvoted 5 times
  piipo Most Recent  4 days, 1 hour ago
Selected Answer: CD
CD is correct
upvoted 1 times
An engineer would like to change an incident's SLA according to the severity field changes.
How can the engineer achieve this task?
A. Use a field trigger script
B. Use a field display script
C. Create a job that queries for incident severity changes
D. Change the SLA manually every time the severity changes
Correct Answer: B
Reference:
https://xsoar.pan.dev/docs/incidents/incident-fields

A (100%)
A is correct
upvoted 8 times
  news088 Most Recent  5 months, 2 weeks ago
A is correct. https://www.youtube.com/watch?v=UgkEVkdP5iY
upvoted 2 times
Selected Answer: A
A is correct
upvoted 2 times

A is correct
upvoted 2 times
What are three different loop types in a playbook? (Choose three.)
A. Automation
B. Built-in
C. Data collection
D. Conditional
E. For-each
Correct Answer: CDE

ABE (100%)
  Deepu2710 8 months, 3 weeks ago

ABE IS CORRECT
upvoted 3 times
ABE is correct
upvoted 2 times
  Eruza89 1 year, 9 months ago

Agreed with lucaboban. ABE the answer
upvoted 3 times

B,D,E is the correct answer
upvoted 1 times

ABE - Correct
upvoted 3 times
What are two common use cases for conditional tasks? (Choose two.)
A. They are used for branching paths in a playbook
B. They are used to interact with users through survey functionality
C. They are used to determine which incident will be executed
D. They are used for sending a specific question to a person or team
Correct Answer: AC
Reference:
https://docs-new.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/cortex-xsoar-overview/use-cases.html#id7b31e50b-5aca-
4d65- bdb5-ba61b4eac0b4

AD (100%)
Selected Answer: AD
AD is correct
upvoted 1 times

Yep, A,D
Conditional tasks can also be used to communicate with users through a **single** question survey, the answer to which determines how a
playbook will proceed.
upvoted 1 times

Agreed. A,D
upvoted 1 times

upvoted 2 times
An engineer wants to customize the regex for the default IP indicator type.
How can this change be implemented?
A. Create a new indicator type and disable the built-in IP indicator
B. Edit the regex of the default IP Indicator
C. Add a new server configuration key that will overwrite the default regex of the IP indicator
D. Delete the default IP indicator
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-indicators/understand-indicators/indicator-
types/indicator-type- profile.html
In which two scenarios would it be appropriate to implement a loop for a sub-playbook? (Choose two.)
A. In repetitive process flows to iterate for each playbook input
B. When continuously ingesting incidents from third-party systems
C. In repetitive process flows with no more than 10 loops
D. In repetitive processes that requires sub-playbook re-execution
Correct Answer: AB

AD (100%)
A,D is correct
upvoted 9 times
  MarcoS10 Most Recent  11 months, 1 week ago
Selected Answer: AD
AD is correct
upvoted 3 times
Which configuration is a valid distributed database (DB) implementation?
A. 2 main DBs, 1 application server, 2 node servers
B. 1 main DB, 1 application server, 3 node servers
C. 2 application servers, 1 main DB, 1 node server
D. 1 application server, 2 main DBs, 1 node server
Correct Answer: C

B (100%)
B is correct
upvoted 6 times
  piipo Most Recent  4 days, 1 hour ago
Selected Answer: B
B is correct
upvoted 1 times

B is correct. https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Best-Practices
upvoted 1 times

Answer is B. Not matter how many node servers you have there is always ONE app server. There only ever ONE main database server and the rest
are NODE servers.
Search for Admin Guide 6.0-1.pdf page 79
upvoted 1 times
An engineer would like to add a custom field to the New Job form for a job triggered from a threat intel feed.
How would the engineer implement this?
A. The new job form changes based on the threat intel feed integration configuration
B. The new job form can be edited from the Indicator Feed incident type editor
C. The new job form for a threat intel feed job cannot be edited
D. The new job form can be edited from the threat intel feeds integration settings
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-threat-intel-management-guide/manage-indicators/understand-
indicators/ create-a-feed-based-job.html

B (100%)
Selected Answer: B
B is correct
upvoted 1 times
  news088 5 months ago

B is correct:
You can customize the new job form by editing the Indicator Feed incident type.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.5/Cortex-XSOAR-Threat-Intel-Management-Guide/Feed-Integrations
upvoted 2 times
  nitishpop8895 6 months, 3 weeks ago

b is correct
upvoted 2 times

I think the answer is actually C. From the link below "The following table lists the fields available when defining a job, and their descriptions"
There is no option to create a custom field.
https://xsoar.pan.dev/docs/incidents/incident-jobs
upvoted 2 times
An automation returned an output called: csvReport.
What filter would be used to check if the automation returned results?
A. Contains/Includes
B. Equals/Matches
C. In/In list
D. Is defined/Exist
Correct Answer: B

D (100%)
D is correct.
upvoted 6 times
Selected Answer: D
D Exist
upvoted 1 times

D, outputs only exist if they return something
upvoted 1 times
What is the difference between labels and fields?
A. Fields can be used in playbooks and labels cannot
B. Fields are indexed in the database and labels are not
C. Labels can be used in queries and fields cannot
D. Labels are indexed in the database and fields are not
Correct Answer: C

B (100%)

Selected Answer: B

this is correct
upvoted 2 times

this is correct
upvoted 2 times
What is the default task type when creating an empty task?
A. Standard (Manual)
B. Conditional
C. Section header
D. Standard (Automated)
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbook-tasks/playbook-task-fields.html

A (100%)
A is the correct answer.

upvoted 11 times
  chucklepie Most Recent  2 months, 2 weeks ago
Who is putting in these answers and why can't they be changed. this answer given is ridiculous
upvoted 1 times
Selected Answer: A
A - Standard (Manual)
upvoted 2 times
  SYZZY 6 months, 3 weeks ago

A is correct
upvoted 1 times

It's A - Standard (Manual)
A new task is Standard and unless you choose an automation, by default, the task when created has Manual Task Settings therefore it is Standard
(Manual)
upvoted 2 times

Is there a reference to which answer would be right?
upvoted 1 times

B - Correct
upvoted 1 times
Which two methods are used to add new content to the XSOAR Content Repository? (Choose two.)
A. Create content and add it to the standard content by contributing through the Marketplace
B. Use the XSOAR GitHub Contribution Guide to add the contribution to the standard content
C. Create a support ticket with the custom content for review by the support team
D. Any custom content will be automatically uploaded to the content repository
Correct Answer: AD

AB (100%)
A,B is correct
upvoted 8 times
  duduic Most Recent  6 months ago
Selected Answer: AB
A,B is correct
upvoted 3 times
In which two options can an automation script be executed? (Choose two.)
A. Engine
B. Integration
C. War room
D. Playbook
Correct Answer: CD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/automations.html

CD (100%)

CD are correct, but there is nothing stopping you running an executeCommand inside an integration...
upvoted 1 times

Selected Answer: CD
C,D Correct.
finally a correct answer...
upvoted 2 times

C,D Correct.
upvoted 2 times
By default, automation written in which language will be executed in a Docker container?
A. Python
B. Go
C. JavaScript
D. Perl
Correct Answer: B

A (100%)
A - Correct
upvoted 7 times
  duduic Most Recent  6 months ago
Selected Answer: A
A - Correct
GO isn't even supported
upvoted 3 times
  asett 6 months ago

Selected Answer: A
Go is not a supported XSOAR automation language

upvoted 2 times
  SYZZY 6 months, 3 weeks ago

A. Python
upvoted 2 times

A. Python
https://xsoar.pan.dev/docs/integrations/docker
upvoted 3 times
What is the correct definition regarding integration parameters and command arguments?
A. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are
shared with other commands and must be present for each command.
B. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are shared
with other commands and must be present for each command.
C. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are
specific to only one command.
D. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are
specific to only one command.
Correct Answer: A
Reference:
https://xsoar.pan.dev/docs/tutorials/tut-integration-ui

D (100%)
Selected Answer: D
D is the correct option.

upvoted 3 times

D - Correct
upvoted 4 times
In which two locations can filters and transformers be used in XSOAR? (Choose two.)
A. Classification and Mapping
B. Playbook Tasks
C. Evidence Fields
D. Incident Fields
Correct Answer: BD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/filters-and-transformers.html

AB (100%)
A, B seems correct to me.

upvoted 9 times
  Youngsheldon Most Recent  5 months ago
Selected Answer: AB
(AB) is correct: https://shorturl.at/cdj02

The facilitating team of IT experts at Pass4surehub were so helpful and patient - I couldn't have passed without them.
upvoted 2 times
  news088 5 months, 1 week ago

A, B test it on lab. No filter options for incidents fields nor evidence fields. Only under classification and mappings options.
upvoted 2 times
Which three actions can an engineer take on the troubleshooting page? (Choose three.)
A. Download the debug log bundle
B. Put the XSOAR server in maintenance mode
C. View and modify server configuration settings
D. Export and import custom content
E. View a list of server administrators
Correct Answer: ABC

ACD (100%)
A,C,D is the correct answer

upvoted 7 times
  franko_72 Highly Voted  8 months, 3 weeks ago
Yep A,C,D for sure.

upvoted 5 times
Selected Answer: ACD
ACD is correct
upvoted 1 times
An XSOAR Engineer has developed a playbook and would like to contribute it to the XSOAR Marketplace to share with other users.
Which two options are available to the Engineer for contributing to the Marketplace? (Choose two.)
A. Open a ticket with the XSOAR support team
B. Create a pull request directly on Github
C. Contribute through the XSOAR UI
D. Send an email to contributions@xsoar.com
Correct Answer: BC

BC (100%)
  piipo 2 days, 21 hours ago
Selected Answer: BC
BC is Correct
upvoted 1 times

B and C
https://xsoar.pan.dev/docs/contributing/contributing
upvoted 3 times

B and C|
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/marketplace/content-pack-contributions
upvoted 2 times
Which two input requirements are needed to train a machine learning model? (Choose two.)
A. 3000 Incidents
B. Incident Field
C. Verdict Label
D. Incident Type
Correct Answer: BD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/machine-learing-models/machine-learning-models-
overview.html

BD (100%)
B&D - Correct
upvoted 6 times
  piipo Most Recent  1 day, 17 hours ago
Selected Answer: BD
Incident Field & Type

upvoted 1 times

It's B & D. In XSOAR click on Settings >> Advanced >> ML Models >> New Model >> and you need to specify the Incident Type and the Incident
field which is B,D
upvoted 2 times

B, C is correct
upvoted 1 times
Which two solutions are available to scale an overloaded XSOAR environment? (Choose two.)
A. Add a distributed database server
B. Add an indexing server
C. Add a live backup server (disaster recovery)
D. Add an engine
Correct Answer: AC

AD (100%)
A,D are the correct answers.

upvoted 7 times
Selected Answer: AD
AD is correct
upvoted 1 times
Management would like to get an incident report automatically following an incident's closure.
How would this be accomplished?
A. Define a task in a playbook to generate an incident report before the closure occurs
B. Manually create an 'Incident Report'
C. Configure post-processing using a script
D. Create an 'Incident Report' from the Reports page
Correct Answer: D

C (100%)
C is the correct answer

upvoted 6 times
Selected Answer: C
post-processing
upvoted 1 times
Which two reasons would lead an engineer to create a custom widget? (Choose two.)
A. To visualize server configuration keys
B. To visualize XSOAR list data
C. To visualize complex incident data calculations
D. To visualize context data
E. To visualize a custom query
Correct Answer: DE
Reference:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-
admin.pdf/cortex-xsoar- admin.pdf

CE (100%)
  piipo 1 day, 17 hours ago
Selected Answer: CE
CE is correct
upvoted 1 times
  Sarppp 7 months, 1 week ago

Answer is C,E
Admin guide page 6.0 329
you can create dynamic widgets using automation scripts for more complex
calculations, such as calculating the percentage of incidents that DBot close
upvoted 3 times
While testing a custom integration, an XSOAR engineer noticed that the incident fetch interval is missing. How can this be fixed?
A. Define the Incident Fetch Interval when running the integration’s commands.
B. Duplicate the integration. Edit the resulting copy and add incidentFetchInterval as a parameter. Save the integration. Configure the new
integration instance with the interval required.
C. Configure the application to send incidents on the required interval.
D. Duplicate the integration. Add the interval in the code. Save the integration and Configure the new integration instance with the interval
required.
Correct Answer: A

B (100%)
Selected Answer: B
B is correct
upvoted 1 times

B. should be correct
If the integration instance does not have the Incidents Fetch Interval field, you need to add this field by editing the integration settings. If the
integration is from a content pack, you need to create a copy of the integration. Any future updates to this integration will not be applied to the
copy integration.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Administrator-Guide/Fetch-Incidents-From-an-Integration-Instance
upvoted 2 times
What is the default landing page for a new user in XSOAR?
A. Dashboards
B. Threat Intel
C. Settings
D. Marketplace
Correct Answer: A
  Youngsheldon 5 months ago

A is correct: https://shorturl.at/euyIR
Recently I appeared in the Palo Alto PCSAE. I prepared for it by using study materials sourced through Pass4surehub. I was able to secure 91% in it.
upvoted 1 times

A tested on lab
upvoted 1 times
On the System Diagnostics page, what is the default minimum size for a Work Plan to be considered big?
A. 2MB
B. 3MB
C. 1MB
D. 5MB
Correct Answer: C

B (100%)
Selected Answer: B
B is correct, 3MB.
upvoted 1 times

Answer is B, 3MB
upvoted 1 times

Yes, it's B
upvoted 1 times
  felipeee_mg 9 months, 2 weeks ago

B. 3MB
upvoted 1 times
Which development languages are supported when creating XSOAR automation scripts?
A. C++, Python, Powershell
B. Ruby, C++, Python
C. Javascript, Powershell, C++
D. Python, Powershell, Javascript
Correct Answer: D
What will happen if a playbook debugger is left running for more than 24 hours?
A. By default, every 24 hours, the system closes any debugger sessions that have been open for more than 180 minutes.
B. The session must be stopped during 180 minutes manually by administrator, user will receive notification automatically.
C. The session will be running till stopped manually by administrator.
D. By default, the system closes automatically any debugger session that have been open 180 minutes.
Correct Answer: D

A (100%)
Selected Answer: A
A is correct
upvoted 1 times

Answer is A, here is why:
Terminate Debugger Sessions
By default, every 24 hours, the system closes any debugger sessions that have been open for more than 180 minutes. You can change the
frequency of the automatic terminations and also the length of time a debugger session can remain open. To change the default from 24 hours, go
to Settings → About → Troubleshooting → Server Configuration and add the server configuration clean.playbook.debug.sessions.interval. The unit
is hours.. To change the maximum time a debugger session can remain open, add the server configuration playbook.debug.sessions.duration.max.
The unit is minutes.
upvoted 1 times
  KaiW 10 months, 2 weeks ago

should be A
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Debug-a-Playbook
upvoted 2 times
You need to retrieve a list of all malicious hashes over the last 30 days. What is the correct query to use?
A. type:File reputation:Malicious sourcetimestamp:"30 days ago"
B. type:File verdict:Malicious sourcetimestamp:<="30 days ago"
C. type:File reputation:Malicious sourcetimestamp:="30 days ago"
D. type:File verdict:Malicious sourcetimestamp:>="30 days ago"
Correct Answer: A

D (100%)
  omitsan 5 months, 1 week ago
Selected Answer: D
Correct is D
upvoted 3 times
What is the default configuration for indicator auto-extraction when incidents are created?
A. Inline
B. Inband
C. None
D. Out of band
Correct Answer: A

This settings is found here >>> Under Settings >> Object Setup >> Types >> Edit a custom Type or Duplicate an existing one. Then under
Indicators Extraction Rules you can select Use System default (inline), None, Inline or Out of Band
upvoted 2 times
What are the out-of-the-box aggregate values that can be applied on widgets data?
A. Min, Max, Count, Average, Custom Transformers
B. Min, Max, Count, Average, Custom Group By
C. Count, Average, Sum, Min, Max
D. Count, Sum, Min, Max, Transformers
Correct Answer: C
What assigns newly ingested event attributes to incident fields?
A. Playbooks
B. Classification
C. Mapping
D. Layouts
Correct Answer: C
The XSOAR administrator is writing an automation and would like to return an error entry back into XSOAR if a particular command errors out.
How can this be achieved?
A. Using the demisto_error() function
B. Using a print statement
C. Using the demisto.debug() function
D. Using the return_error() function
Correct Answer: C

D (100%)
  piipo 14 hours, 40 minutes ago
Selected Answer: D
return_error()
upvoted 1 times
  Iceman1 7 months, 1 week ago

D
"To properly handle exceptions, wrap the commands with try/except in the main. The return_error() function receives error message and returns
error entry back into Cortex XSOAR"
https://xsoar.pan.dev/docs/integrations/code-conventions
upvoted 3 times
  hassan1978 8 months, 4 weeks ago

Should be D
upvoted 3 times
An organization has recently acquired another company as its subsidiary. The subsidiary has its infrastructure on AWS cloud as illustrated in the
image below:
The organization wants to use the mail server location on the subsidiary's cloud to send emails. Without acquiring additional licenses, which
XSOAR component can fulfill the requirement?
A. XSOAR D2 Agents, to send the required emails.
B. An XSOAR engine that is downloaded from the XSOAR server and installed within the subsidiary.
C. Another XSOAR server that uses the same license as their primary XSOAR server.
D. A Linux server connected with an XSOAR server using SSH integration. Commands can be run remotely to access the mail server.
Correct Answer: D
A playbook task generates a report as HTML in the context data.
An engineer creates a custom indicator field of type "HTML" and adds the field to a section in a custom indicator layout. How can the engineer
populate the HTML field in the indicator layout?
A. Populate the custom indicator field with the built-in !SetIndicator command.
B. Add HTML to a list using !setList and use it as an HTML template to populate the custom indicator field.
C. Create a custom Indicator Mapper and populate the custom indicator field.
D. Use the Mapping option in the playbook task that generates the HTML report to populate the custom indicator field.
Correct Answer: D

A (100%)
Selected Answer: A
!setindicator
upvoted 1 times

!setindicator command is needed to pull context data and move it to the indicator.
upvoted 1 times
What are the three ways to add/mark entries as evidence inside the Evidence Board? (Choose three.)
A. Manually directly from the War Room with the Actions drop-down
B. From the Notes section (mark as entry icon)
C. Manually from the playbook task (mark as entry icon)
D. Automatically from playbook tasks when the option is selected on the Advanced tab
E. By running the command !MarkAsEvidence
Correct Answer: ABD

ADE (100%)
Selected Answer: ADE
ADE is correct
upvoted 1 times

Answer should be A,D,E.
upvoted 2 times
Which tag must be applied to an Automation Script in order for it to be available when configuring an Indicator Type?
A. reputation-script
B. enrich
C. reputationScript
D. reputation
Correct Answer: C

D (100%)
Selected Answer: D
reputation
upvoted 1 times

Should be D
upvoted 1 times
  Arist69 1 year ago

reputation is correct
upvoted 3 times
Which playbook will a job run by default?
A. The playbook assigned to the incident type
B. The playbook assigned to the indicator type
C. The playbook assigned during pre-processing
D. The playbook assigned by the integration
Correct Answer: A
Which of the following is a feature of XSOAR automations?
A. can run on multiple docker containers
B. can be set to run on a scheduled basis in the automation settings
C. can be password protected
D. can be written in C++
Correct Answer: B

C (100%)

C >. Click on Automations from the main screen, Click New Automation, scroll down, Permissions >> Password Protect (also roles here as well)
upvoted 2 times
Selected Answer: C
Should be C:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Automations
upvoted 4 times

Should be C:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Automations
upvoted 3 times
An administrator wants to send an email via the Mail Sender integration. Which of the following out of the box methods would be used for that?
A. XSOAR D2 agent
B. external integration command
C. XSOAR shared agent
D. common automation script
Correct Answer: B
When is the post-processing script executed in XSOAR?
A. Just after the incident is created
B. Just after the pre-processing is executed
C. Just after the playbook is executed
D. Just after the Close Incident button is clicked
Correct Answer: C

D should be D
Postprocess is executed at the close phase
upvoted 2 times
Which option is available in XSOAR to create the body of a Threat Intel Report?
A. Markdown
B. Grid Fields
C. DOC format
D. Javascript
Correct Answer: A

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/How-to-Use-Markdown
upvoted 1 times
Given the following context data, what would be the expected output of the expression?
A. 1E56733826E5035233A097FCEA2046AF96EC616C
B. E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD
C. 8D193FA162A305E4859BA8C45F5121F7265E3ABB
D. e6ef5142e2553c1e442a0ffac07636eac61e6edd
Correct Answer: D

B because of file size and file type and uppercase
upvoted 2 times

Should be B because transformed to upper case
upvoted 3 times
Where are incident layouts customized?
A. Settings > Object Setup > Incidents > Layouts
B. Settings > Integrations > Instance configuration
C. Settings > Object Setup > Indicators > Layouts
D. Settings > Advanced > Incident Layouts
Correct Answer: A
How can Cortex XSOAR administrators prevent junior analysts from viewing a senior analyst dashboard?
A. Share the dashboard in Read and Edit mode for senior analysts.
B. Share the dashboard in Read & Edit mode for senior analysts and Read Only for juniors analysts.
C. Share the dashboard in Read and Write mode for senior analysts.
D. Share the dashboard in Read Only mode for junior analysts and senior analysts.
Correct Answer: B

A. https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Share-a-Dashboard
upvoted 1 times

A - There is no read/write mode, there is Read & Edit or Read Only.
upvoted 1 times

Should be A because B allows junior analysts to view the dashboard
upvoted 1 times
Which content type cannot be managed using remote repositories?
A. Lists
B. Jobs
C. Pre-processing rules
D. Exclusion List
Correct Answer: A

The answer should be B - Jobs
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.5/Cortex-XSOAR-Administrator-Guide/Remote-Repositories-Overview
upvoted 2 times
An analyst wants to run a script to remove usernames from an incident before the incident becomes active in XSOAR. How can this be achieved?
A. Run an automation script in the Playground to remove usernames from the incident.
B. Create a pre-processing rule that runs an automation script to remove usernames from the incident as it comes into XSOAR.
C. Run an automation script on the XSOAR server to remove usernames from the incident.
D. Create a playbook task to remove the usernames from the incident.
Correct Answer: B
Which task type would be used to verify/check that an integration was enabled?
A. Standard task
B. Conditional task
C. Section Header task
D. Data Collection task
Correct Answer: D
  appopay Highly Voted  8 months, 3 weeks ago

B as in CardiB . Check => if true then this if not then that
upvoted 7 times
  KaiW Most Recent  10 months, 2 weeks ago

The answer should be A, standard task
upvoted 2 times
What is used to trigger playbooks automatically based on the classification of an incident?
A. Indicator type
B. Incoming mapper
C. Incident types
D. Integration configuration
Correct Answer: C
After executing the DeleteContext automation with all=yes argument, how would the context data of an incident present?
A. All the data, including the incident key will be deleted, and the context data will be completely empty.
B. No difference, the automation cannot be executed manually.
C. All context data, including custom incident fields will be deleted, system incident fields will remain.
D. All context data, except the incident key will be deleted.
Correct Answer: D
An XSOAR engineer has been tasked with exporting all indicators from the production environment in the last 90 days. The final report needs to be
in CSV format containing all indicator fields. How can this task be achieved?
A. Run the command !GetIndicatorsByQuery in CLI with its default arguments and export all indicators in the last 90 days.
B. SSH into the server and copy the indicator's database.
C. In the Threat Intel page, add query firstSeen:>="90 days ago", select All columns in Table View, and click Export to export as a CSV.
D. Run the command !findIndicators in CLI with the query firstSeen:>="90 days ago" and export to CSV.
Correct Answer: C
An administrator has noticed that an incident fetch has failed, causing several internal workflows to be backed up. The administrator would like to
receive notifications the next time the incident fetch fails.
How can they achieve this?
A. Create a custom playbook that sends an email each time the fetch fails.
B. Create a new integration that monitors the incident fetch and sends an email if the fetch fails.
C. Schedule a job that runs and monitors incidents in XSOAR that will send an email if there are no new incidents.
D. Add a server config to notify when incident fetch fails.
Correct Answer: B

D
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Receive-Notification-on-an-Incident-Fetch-
Error
upvoted 1 times

In the integration instance, ensure that you select the Fetch Incidents checkbox.
Select Settings → About → Troubleshooting → Add Server Configuration.
Add the following keys and values:
Key: module.health.notification.users
List of names in CSV format, for example
Value: user1,user2,user3.
Key: message.ignore.failedFetchIncidents
Value: false
upvoted 3 times

Should be D
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Fetch-Incidents-From-an-Integration-Instance
upvoted 4 times
An analyst runs the following command in a playbook task:
!ip ip=1.1.1.1
Which extraction mode needs to be enabled on the Advanced tab of the playbook task to synchronously extract indicators from the results of this
command?
A. Synchronous
B. Extract
C. Out of band
D. Inline
Correct Answer: D
Threat Intel search queries can be shared with which of the following? (Select 1)
A. Users defined in the platform (email or username)
B. Other organizations via the Marketplace
C. Users outside XSOAR via email invite
D. Roles defined in the platform
Correct Answer: B

Should be D. Tested on lab options are roles all or custom roles
upvoted 1 times
An administrator wants to run an automation in the War Room to set the incident field "Description" to "Confirmed Phishing". Which command
should they enter in the War Room CLI?
A. !incidentSet description="Confirmed Phishing"
B. /incidentSet description=Confirmed Phishing
C. !setIncident description="Confirmed Phishing"
D. /setIncident description=Confirmed Phishing
Correct Answer: A

C (100%)

Yep C, you go into the incident from the Incidents View/Tab, down the bottom, type !setIncident description="test" and hit enter. This works.
upvoted 3 times
  inmymind84 10 months ago
Selected Answer: C
Should be C (checked in XSOAR)

upvoted 4 times
Select the correct incident life cycle on XSOAR.
A. Planning > Incident Ingestion > Incident Creation > Mapping and Classification > Pre-processing > Playbook runs > Post-processing
B. Planning > Incident Ingestion > Pre-processing > Incident Creation > Mapping and Classification > Playbook runs > Post-processing
C. Planning > Incident Ingestion > Pre-processing > Mapping and Classification > Incident Creation > Playbook runs > Post-processing
D. Planning > Incident Ingestion > Mapping and Classification > Pre-processing > Incident Creation > Playbook runs > Post-processing
Correct Answer: D

D
https://xsoar.pan.dev/docs/incidents/incident-xsoar-incident-lifecycle
upvoted 4 times

Sorry, it's A - Here is why:
Stage 1 - Event Ingestion
Stage Two: Incident Object Creation
Cortex XSOAR uses the event data fetched by an integration to create an incident object and populates it with raw event data.
upvoted 1 times

I think it is D - The pre-processing rule defines what to do if incident is of type X, therefore there has to be an incident for this to occur.
Planning > Incident Ingestion > Mapping and Classification > Pre-processing > Incident Creation > Playbook runs > Post-processing
upvoted 2 times
Which of the following does a XSOAR Admin need to create an integration with a third party cloud application?
A. Marketplace access
B. Application with API
C. Private key/Public key integration
D. Multitenant deployment
Correct Answer: B
Which of the following is a prerequisite to editing out-of-the-box (OOTB) content?
A. Download the content from the Marketplace.
B. Go to Settings > About >Troubleshooting and set a flag to allow custom content.
C. Register a user account with support.paloaltonetworks.com .
D. Detach the content item you want to edit from the Marketplace.
Correct Answer: B
  KaiW Highly Voted  10 months, 2 weeks ago
Should be D
upvoted 6 times
At what stage during the incident lifecycle is an incident type assigned?
A. Pre-processing
B. Incident creation
C. Classification
D. Playbook execution
Correct Answer: C

B
Incident Created#
Based on the definitions you provided in the Classification and Mapping stage, as well as the rules you created for pre-processing events, incidents
of various types are created. The incidents all appear in the Incidents page of the Cortex XSOAR user interface, where you can start the process of
investigating.
https://xsoar.pan.dev/docs/incidents/incident-xsoar-incident-lifecycle
upvoted 1 times

I'd say it was B
3. Classification and Mapping
Cortex XSOAR will take fetched data and the events ingested from integrations—classified into incident types—and map them to existing fields.
4. Pre-processing
Specific actions are performed, such as linking incoming events to an existing incident during the incident ingestion.
5. Create an Incident <<HERE>>
Based on Classification and preprocessing rules applied to the ingested events, incident of various types are created and listed on the Incidents
page.
upvoted 1 times
What can you use to assign a layout, field, and playbook to an incoming incident?
A. Playbook
B. Classification and mapping
C. Incident type
D. Pre-processing
Correct Answer: B

C (100%)

From KaiWs link: Once you define the incident type, you can configure its layout, therefore it's C
upvoted 2 times
Selected Answer: C
Should be "C"
https://xsoar.pan.dev/docs/incidents/incident-types
upvoted 4 times
For troubleshooting, after a log bundle is created, where do the logs appear on the XCSOAR server?
A. /var/lib/demisto
B. /tmp/log/demisto
C. /usr/local/demisto
D. /var/log/demisto
Correct Answer: D

Logs Overview
D
The Cortex XSOAR logs provide information about events that occur in the system. These logs are a valuable tool in troubleshooting issues that
might arise in your Cortex XSOAR environment. The Cortex XSOAR logs are located in /var/log/demisto/
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Transform-a-List-into-an-Array
upvoted 1 times

/var/lib/demisto
when you create troubleshooting logs it is created at that point.
upvoted 1 times

Most Linux logs end up in /var/log
upvoted 1 times
Which three types of information are displayed on the incident Quick View? (Choose three.)
A. Indicators and relationships
B. Timeline information
C. Evidence Board
D. Context data
E. Incident severity
Correct Answer: ABC

ABE (100%)
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.8/Cortex-XSOAR-Administrator-Guide/Dbot-Suggestions-Quick-View-Window
upvoted 2 times
Where do you navigate to monitor and improve the system performance and resilience for hosts in a multitenant environment?
A. Settings > About > Troubleshooting, in the main host account. Each host has a System Diagnostics page.
B. Settings > Advanced > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
C. Settings > Account Management > Hosts, in the main host account. Each host has a System Diagnostics page.
D. Settings > About > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
Correct Answer: D

Answer is C, you may directly see account management right after the settings. Each host is providing a URL that directs you to its diagnostics
page, which gives you information about number of containers, disk storage usage, podman, etc.
upvoted 1 times
  pumafil 8 months, 1 week ago

D ? i think that it would be C
upvoted 2 times
When creating an automation in XSOAR, what is the best way to create a log message?
A. Using a debug statement
B. Using the demisto.debug() function
C. Using a print statement
D. Using the demisto.results() function
Correct Answer: B

D
Printing to the War Room#
Let's face it, a mountain of print statements are often useful in figuring out what the issue is. To do this, simply add the following:
error_msg = "Here's your completely broken code"

demisto.results(error_msg)
This will print the statement in the War Room, where you will be able to see it. Just remember to remove these statements so you can maintain the
illusion of your bug never happening.
https://xsoar.pan.dev/docs/integrations/debugging
upvoted 1 times

Answer should be D, you may see an error message with demisto.results() function.
For instance:
you may create a variable, myautomationmessage="This is an error msg", then I can return it via results command,
demisto.results(myautomationmessage)
upvoted 1 times
What is an example of a generic reputation command?
A. !ip
B. !getReputation
C. !reputation
D. !enrichIndicator
Correct Answer: C

Should be A:
https://xsoar.pan.dev/docs/integrations/generic-commands-reputation
upvoted 1 times
During the regular maintenance of XSOAR a customer noticed that there was an update available for the Active Directory content pack (current
version 1.4.6) and updated the content pack to the latest version (version 1.4.11). However, after the update the customer noticed that the Active
Directory Query integration is not working properly and asked you to resolve the issue.
Which of the following set of steps can help to resolve the issue?
A. a) Navigate to Settings
b) View the configured integrations and select Active Directory Authentication c) Delete all integration instances and add all integration
instances again
B. a) Navigate to Marketplace
b) View the installed content pack and select Active Directory content pack c) Select version 1.4.6 and click on "Revert to this version"
C. a) Navigate to Settings
b) View the configured integrations and select Active Directory Query c) Delete all integration instances and add all integration instances
again
D. a) Navigate to Marketplace
b) View the installed content pack and select Active Directory content pack c) Click on uninstall content pack d) Navigate to Marketplace
browser and reinstall the Active Directory content pack
Correct Answer: C

Go to: Marketplace >> find integration >> click on it >> select Version History >> choose which version to roll-back to > click on Downgrade
button but otherwise B is correct yes
upvoted 2 times

B is corect
- C is useless
upvoted 3 times
When developing the playbook, which of the following can be used by a XSOAR Administrator?
A. The Debugger panel to test data with one of last five incidents. This will affect the incident’s original incident data.
B. Context data from existing incidents by exporting the YAML data from incidents and importing it to playbook editor.
C. Debugger panel and XML data from a similar incident with New Mock Incident. This will not affect the incidents original incident data.
D. The Debugger panel to test data with one of last fifty incidents. This will not affect the incident’s original incident data.
Correct Answer: C

D (100%)

Should be C . Tested on labs. options are : new mock incident, playground, and 5 incidents list.
upvoted 1 times

should be D.
as inmymind84 said
upvoted 1 times

Selected Answer: D
Mock incident is also in JSON NOT XML. i vote for D.

upvoted 3 times
Which field type provides an interactive and editable display of table-based data?
A. HTML
B. Grid (table)
C. Markdown
D. Multi Select
Correct Answer: B
What is the function of timer SLA fields in Cortex XSOAR?
A. To track SLA breaches per playbook
B. To run a script that executes on SLA assignment
C. To automatically alert the analyst on SLA breach
D. To count the time between one or more tasks
Correct Answer: C

should be D
https://xsoar.pan.dev/docs/reference/scripts/timers-on-owner-change
upvoted 1 times
What are inputs and outputs in reference to a Playbook Development Lifecycle? (Choose three.)
A. Inputs are data pieces that are present in the playbook
B. Inputs are data pieces that are present in the task
C. Outputs are used as incident trigger for playbook
D. Outputs can be derived from the result of a task or command
E. Inputs are the data fields parsed by the Classifier
Correct Answer: ADE

ABD (100%)

Selected Answer: ABD
Should be A, B, D
upvoted 4 times
Inside the Incidents table view, which actions can be performed on the selected incidents? (Choose two.)
A. Run Command, Export, and Close and Delete for all selected incidents regardless of their status
B. Assign, Edit, and Mark as Duplicate for all selected incidents regardless of their status
C. Run Command for all selected incidents having Active status
D. Export incidents as JSON and change incident status
Correct Answer: AB
An administrator has noticed that an integration has failed to fetch incidents. Where would they go to download logs to troubleshoot the error?
A. Go to the Marketplace > Download the Fix my XSOAR playbook pack > Run the playbook > Download logs from War Room
B. Settings > About > Troubleshooting > Set Log Level to Debug > Download Logs
C. Dashboards & Reports > System Health
D. Settings > About > System Diagnostics
Correct Answer: B
In Cortex XSOAR multi tenant setup, when content from a development server is pushed to the remote repository, where in the production server
can the updates be found?
A. Main Account
B. Tenants
C. Agent tools
D. Marketplace
Correct Answer: B

The pushed content should be first found in the main account before the tenants. Thus, the answer should be A.
upvoted 1 times
To avoid exceeding API quotas for third-party services, indicators are only updated after the indicator cache expiration period. What is the default
cache expiration period for indicators in XSOAR (minutes/days)?
A. 10,080 minutes (7 days)
B. 20,160 minutes (14 days)
C. 21,600 minutes (15 days)
D. 4,320 minutes (3 days)
Correct Answer: D
When browsing the Marketplace for new content packs, which details about each pack are you able to view?
A. The integration’s source code
B. A summary of each version history
C. A test instance for the content pack
D. The source code of each playbook
Correct Answer: B
A SOC analyst needs to retrieve the list of all open phishing incidents in the last 30 days. What is the correct query to use?
A. -status:closed -category:job type:Phishing created:>="30 days ago"
B. status:closed -category:job & type:Phishing created:>="30 days ago"
C. -status:closed -category:job & type:Phishing created:<="30 days ago"
D. -status:closed -category:job type:Phishing created:="30 days ago"
Correct Answer: C

Answer is A for my XSOAR
upvoted 3 times

Not sure if any of these answers are correct. On my XSOAR this query works:
-status:Closed -category:job and type:Phishing created:>="30 days ago"
Notice the 'and' and not '&' and the >= not <= operators
So, the -status closed means NOT closed as the - means the opposite.
The -category job means anything but jobs as again the - means 'not'
The greater than or equal to is a weird one, I just created a test phishing incident so I would of thought all Phishing incidents greater than or equal
to 30 days ago.
upvoted 2 times
During configuration of the inputs of a sub-playbook in the main playbook, there is an option under the Loop tab called "For Each Input". What is
this option used to?
A. To loop the sub-playbook over all context values present in the investigation
B. To loop the sub-playbook over all incident fields for the given incident
C. To loop the sub-playbook over all the fields marked as important
D. To loop the sub-playbook over all defined sub-playbook inputs
Correct Answer: D
What are two of the actions available on the Version History tab of a content pack in the marketplace? (Choose two.)
A. Download content for offline installation
B. Uninstall content pack
C. Update to x version
D. Revert to x version
Correct Answer: CD

From lab
Should be B and C
upvoted 1 times
Which of these would be the most operationally efficient repository for moving XSOAR custom content from a development server to a production
environment?
A. A content repository specified in the Marketplace
B. Remote git repository specified in the dev-prod configuration parameters
C. The development server's default repository
D. Cortex XSOAR public content repository
Correct Answer: B
Where would you look to find a personalized view of your own incidents and tasks?
A. Incident Summary View
B. My Incidents
C. My Threat Landscape
D. My Dashboard
Correct Answer: D
Which of the following is a basic setting that can be configured in an automation?
A. Summary
B. Compiler
C. Schedule
D. Run On
Correct Answer: C

should be D.
As the time you create an automation there is no schedule option. To schedule an automation create a job.
upvoted 1 times
Which of the following are valid methods to contribute custom content? (Choose three.)
A. Submit content directly through feature requests
B. Private GitHub repository submission for premium content
C. A Github pull request on the public XSOAR Content Repository
D. Using the marketplace interface to upload the content
E. Using the content submission tool on live.paloaltonetworks.com
Correct Answer: CDE

Answer should be BCD.
upvoted 2 times
What does the outgoing mapper support?
A. Mirroring
B. Classification
C. Dynamic fields
D. Pre-processing
Correct Answer: D

A - mirroring, checked in documentation
upvoted 2 times
What happens if both a Classifier and Incident Type are configured in an integration instance's settings?
A. The administrator will receive a notification that there is both a Classifier and Incident Type set for that integration instance.
B. The Incident Type will be ignored, and incoming incidents will be classified according to the Classifier.
C. The Classifier will be ignored, and incoming incidents will be classified according to the Incident Type.
D. Both the Classifier and Incident Type will classify incoming incidents.
Correct Answer: D

Correct response should be B: classifier will take precedence. Only one config apply.
upvoted 1 times
You can customize most aspects of the incident layout, including which three of the following? (Choose three.)
A. Which users have permissions to view the tabs
B. Which roles have permissions to view the tabs
C. Which dashboard settings are applied
D. The information and how is it displayed
E. Which tabs appear and in which order
Correct Answer: CDE

B,D,E should be
upvoted 4 times
Who is permitted to create and submit content to the Marketplace?
A. Only users with a valid Github account
B. Any user who has signed up through the dev portal
C. Any user who has a live.paloaltonetworks.com account
D. All users with the correct XSOAR Role and Permissions
Correct Answer: D
Reliability scores in XSOAR range from A through F. What do A and F stand for?
A. F - Reliability cannot be judged, A - Completely Reliable
B. F - Not reliable, A - Usually Reliable
C. F - Not usually reliable, A - Fairly Reliable
D. F - Unreliable, A - Completely Reliable
Correct Answer: D

A (100%)
  samtron Highly Voted  11 months, 1 week ago
Selected Answer: A
Answer is A: https://xsoar.pan.dev/docs/integrations/dbot
A+ - 3rd party enrichment
A - Completely reliable
B - Usually reliable
C - Fairly reliable
D - Not usually reliable
E - Unreliable
F - Reliability cannot be judged
upvoted 5 times
Newly created subplaybooks do not have any inputs, or outputs. What is necessary to make them functional? (Choose two.)
A. Define input key in the subplaybook task. Map context values to pull from parent playbook.
B. The output of the previous task automatically becomes the input of the subplaybook.
C. Map inputs and outputs to the parent playbook and the subplaybook will use the same values.
D. Open the subplaybook and add inputs or outputs in the Playbook triggered task.
Correct Answer: AD
A Cortex XSOAR Administrator is tasked with building a button for an analyst in order for the analyst to be assigned to the incident as an owner.
What is the process?
A. Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with no argument
B. Edit the incident layout to add a new button that calls the AssignToMeButton automation with argument assignBy={me}
C. Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument owner={me}
D. Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument assignBy=current
Correct Answer: C

D (100%)

D as Sarpp description.
https://xsoar.pan.dev/docs/reference/scripts/assign-analyst-to-incident
upvoted 1 times

Since assigntome automation's button does not have any arguments, the proper answer would be assignanalysttoincident script with
assignby=current argument. Thus, answer will be D.
upvoted 2 times

A would be the closest
upvoted 1 times

All wrong. Edit layout, add new button, click on it and select a Button Script, search for AssignToMeButton and save it. That's it.
upvoted 1 times

Selected Answer: D
https://xsoar.pan.dev/docs/reference/scripts/assign-analyst-to-incident
upvoted 2 times
Which field type should be used to hold more than 60,000 characters of unformatted text?
A. Short Text
B. HTML
C. Long Text
D. Markdown
Correct Answer: C

In Settings >> Objects Setup >> New Incident Field >> Field Type >> Select from
Boolean, Date Picker, Grid (table) HTML, Long Text, Markdown, Multi-select/Array, number, role, Short Text, Tags, Timer/SLA, URL or user. In this
instance, Short Text (maximum of 60,000 characters) does not suit so long text it is!
upvoted 1 times
In order to automatically run a playbook on the indicators fetched by an integration, what would an XSOAR Administrator setup?
A. Cron job
B. Time triggered job
C. Feed triggered job
D. REST API job
Correct Answer: C
Which two functions in XSOAR are incident types used for? (Choose two.)
A. To run dedicated playbooks for different event types
B. To classify events ingested from various sources into the relevant types
C. To classify indicators extracted in XSOAR incidents to their respective types
D. To facilitate role based access to XSOAR incidents
Correct Answer: BC
  hassan1978 Highly Voted  8 months, 4 weeks ago
Should be A,B
upvoted 6 times
When creating an incident layout section, it is best to place long field values within which of the following?
A. Section headers
B. Rows
C. Canvas
D. Cards
Correct Answer: B

B.
define section properties.You can determine how a section in the layout appears in the layout. For example, does the section include the section
header or not. You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very
long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section. If
a field label is very long, you can select to wrap the label so that you can see the full name of the field.
upvoted 1 times
The default expiration method for non-feed indicators is either to never expire or to expire after a specific period of time. How frequently does
XSOAR check tor newly expired indicators?
A. Every 24 hours
B. Every 5 minutes
C. Every 8 hours
D. Every 1 hour
Correct Answer: D

should be D based on franko_72
As of today the exam version is about 6.6 version.
upvoted 1 times

D
Indicator Expiration
Indicators can have the Expiration Status field set to Active or Expired, which is determined by the Expiration field. When indicators expire, they still
exist in Cortex XSOAR, meaning they are still displayed and you can still search for them. A job that runs every hour checks for newly expired
indicators and updates the Expiration Status field.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.5/Cortex-XSOAR-Administrator-Guide/Disable-Indicator-Extraction-for-Automations-
or-Integrations
upvoted 1 times

A job that runs weekly checks for newly expired indicators and updates the Expiration Status field. So it's weekly? This is for version 6.10
Version 6.6 - A job that runs every hour checks for newly expired indicators and updates the Expiration Status field.
upvoted 2 times
An Engineer wants to filter a csvList value according to a dynamic value saved under the test context key.
Which three values would save the test context key? (Choose three.)
A. Get csvList.value where csvList.value equals test [from previous tasks]
B. Get csvList.value where csvList.value equals ${test} [from previous tasks]
C. Get csvList.value where csvList.value equals test {}[from previous tasks]
D. Get csvList.value where csvList.value equals test [as value]
E. Get csvList.value where csvList.value equals ${test} [as value]
Correct Answer: ABE
Which content type can be managed using remote repositories?
A. Exclusion List
B. Canvas
C. Pre-processing rules
D. Jobs
Correct Answer: C
Which tag is mandatory for an Indicator reputation Script while configuring an indicator type?
A. reputation-script
B. enrich
C. reputationScript
D. reputation
Correct Answer: A
A Cortex XSOAR engineer is building an automation in Python and wants to return the error back in the war room.
How can this be achieved?
A. Use the return_error() function.
B. Use the demisto.debug() function.
C. Use a print statement.
D. Use the demisto_error() function.
Correct Answer: A
In which two Cortex XSOAR functions are incident types used? (Choose two.)
A. Classifying indicators extracted from incidents to their respective types
B. Facilitating role-based access to incidents
C. Running dedicated playbooks for different event types
D. Classifying events ingested from various sources into the relevant types
Correct Answer: CD
When is the post-processing script executed in XSOAR?
A. When the incident is closed
B. When the incident is created
C. After the post processing task is executed
D. After the pre-processing is executed
Correct Answer: A
An Engineer wants to filter a csvList value according to a dynamic value saved under the context key named “test”. Refer to the image below.
Which two values would save the “test” context key? (Choose two.)
A. Get csvList.value where csvList.value equals test [as value]
B. Get csvList.value where csvList.value equals test {}[from previous tasks]
C. Get csvList.value where csvList.value equals test [from previous tasks]
D. Get csvList.value where csvList.value equals ${test} [as value]
Correct Answer: BD
Which action would enable notifications of incident fetch fails?
A. Create a new integration that monitors the incident fetch and sends an email if the fetch fails.
B. Schedule a job that runs and monitors incidents in Cortex XSOAR that will send an email if there are no new incidents.
C. Add a server config to notify when incident fetch fails.
D. Create a custom playbook that sends an email each time the fetch fails.
Correct Answer: C
Which Cortex XSOAR feature assigns newly ingested event attributes to incident fields?
A. Playbooks
B. Classification
C. Mapping
D. Layouts
Correct Answer: C
Which task type will verify that an integration was enabled?
A. Standard
B. Conditional
C. Section Header
D. Data Collection
Correct Answer: B
What is a feature of the outgoing mapper in Cortex XSOAR?
A. Pre-processing rules
B. Classification
C. Indicator Extraction rules
D. Mirroring
Correct Answer: D
What are recommended for placing a long text incident field value in an incident layout?
A. Section headers
B. Display filters
C. Cards
D. Rows
Correct Answer: C
What are three loop types in a sub-playbook? (Choose three.)
A. For-each
B. Loop automation
C. Conditional
D. Built-in
E. Data collection
Correct Answer: ABC

PCSAE Exam - 20240324

Uploaded by

Copyright:

Available Formats

You might also like

PCSAE Exam - 20240324

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

PCSAE Exam - 20240324

Uploaded by

Copyright:

Available Formats

2024/3/24 中午12:15 PCSAE Exam - Free Actual Q&As, Page 1 | ExamTopics

- Expert Verified, Online, Free.

 Custom View Settings

Topic 1 - Single Topic

A. Set a field trigger script

B. Associate to an incident type

C. Change field type

D. Change field name

Community vote distribution

  chucklepie 2 months, 2 weeks ago

  DammyTheD 4 months, 3 weeks ago

  jbender72 1 year, 2 months ago

  thorodp 1 year, 5 months ago

These are correct

Community vote distribution

  Branodn Highly Voted  2 years, 4 months ago

The answer is C ${File.[1].Name}

  piipo Most Recent  1 week, 3 days ago

  chucklepie 2 months, 2 weeks ago

  DammyTheD 4 months, 3 weeks ago

  TcanCmon 1 year, 2 months ago

  thorodp 1 year, 5 months ago

D is correct, index starts from 0.

  cptcoggsworth 10 months, 2 weeks ago

  rmurugan 2 years, 5 months ago

  rafemuhammed 1 year, 8 months ago

Which component can be part of a load balancing group?

D. Load balancing server

Community vote distribution

  DammyTheD 4 months, 3 weeks ago

  MarcoS10 11 months, 3 weeks ago

Engine is the correct answer

  thorodp 1 year, 5 months ago

Which method accesses a field called `˜User Mail' in a playbook?

Community vote distribution

  DammyTheD 4 months, 3 weeks ago

  john1208 10 months, 3 weeks ago

  thorodp 1 year, 5 months ago

A. Manually share the dashboard through user emails

B. Dashboard is shared to all XSOAR users

C. Propagate the dashboard based on SAML authentication

D. Dashboard is shared to all XSOAR users in a selected role

Community vote distribution

  thorodp 1 year, 5 months ago

D. Layout inline editing

Community vote distribution

  john1208 10 months, 3 weeks ago

Select and Place:

  john1208 10 months, 3 weeks ago

Which built-in automation/command cab be used to change an incident's type?

How can this be implemented?

A. Add the playbook to the integration's settings

B. Select 'Run playbook automatically' from the incident type settings

C. Add the !startinvestigation automation to the beginning of the playbook

D. Select 'Run playbook automatically' from the integration settings

Community vote distribution

  rmurugan Highly Voted  2 years, 5 months ago

  john1208 Most Recent  10 months, 3 weeks ago

B is the answer, dont mislead please