PCSAE Flashcards

1
Q

Q1. What is the primary use of the context data?

a) sending data to related incidents
b) passing data between playbook tasks
c) storing data for use with integrations
d) mapping data to required fields

A

b) passing data between playbook tasks

2
Q

Q2. Which statement is true about context data?

a) It is purged after each task in a playbook is run.
b) It must be transformed before a task can use it.
c) After it is written, it can be changed only by manual editing.
d) It does not necessarily include all data generated by the incident-related activity.

A

d) It does not necessarily include all data generated by the incident-related activity.

3
Q

Q3. Which option describes the structure of context data?

a) a key-value pair dictionary
b) a row-oriented data serialization framework
c) a node-graph hierarchy of multiple object types
d) a binary storage format front-ended by a Java interpreter

A

a) a key-value pair dictionary

4
Q

Q4. Which type of task is used to interact with users through a survey?

a) conditional
b) standard
c) section header
d) data collection

A

d) data collection

5
Q

Q5. Which option provides dynamic input to playbook tasks and automations?

a) incident tasks
b) context data
c) quick view
d) system

A

b) context data

6
Q

Q6. Which is the first step in the playbook development process?

a) Create custom data fields.
b) Create a skeleton playbook.
c) Formalize the use-case definition.
d) Configure enrichment integrations.

A

c) Formalize the use-case definition.

7
Q

Q7. Which characteristic indicates that a playbook is a “skeleton playbook”?

a) installed from the Marketplace
b) unconfigured Inputs/Outputs options
c) incomplete task details for many tasks or all tasks
d) loaded in a development environment but not deployed to production

A

c) incomplete task details for many tasks or all tasks

8
Q

Q8. What are two ways to create a new task in a playbook that is open for editing? (Choose two.)

a) Click Create Task on the Task Library fly-out panel.
b) Right-click an open area of the workspace and select New Task.
c) Double-click an open area of the workspace and click Yes in response to the prompt.
d) Click-and-drag the output node of an existing object to an open area of the workspace.

A

a) Click Create Task on the Task Library fly-out panel.

d) Click-and-drag the output node of an existing object to an open area of the workspace.

9
Q

Q9. Which is the proper name for a “step” in a Cortex XSOAR playbook?

a) task
b) step
c) procedure
d) automation

A

a) task

10
Q

Q10. Which two types of actions can be specified with a Standard playbook task? (Choose two.)

a) manual
b) automated
c) conditional
d) data collection

A

a) manual

b) automated

11
Q

Q11. How do playbooks and the War Room work together?

a) The War Room documents playbook tasks and related artifacts and evidence.
b) Each incident’s War Room activity is autodocumented into a playbook for that incident.
c) Playbooks provide a guide to the use of the War Room for information flow among analysts.
d) Playbooks document the activity and decisions made in the War Room.

A

a) The War Room documents playbook tasks and related artifacts and evidence.

12
Q

Q12. What is a sub-playbook?

a) a playbook used as a task in another playbook
b) an obsolete playbook of inferior quality
c) an app that underlies a playbook to ensure it flows from task to task
d) an updated playbook that substitutes for an older playbook

A

a) a playbook used as a task in another playbook

13
Q

Q13. Which option describes the trigger of an incident?

a) specification of the name of the incident type
b) the application of enrichment tasks to a playbook
c) the point at which auto-extraction of indicators is performed
d) the action inside or outside the system that should generate an incident

A

d) the action inside or outside the system that should generate an incident

14
Q

Q14. How do incidents relate to indicators?

a) Incidents generate indicators as part of their automated response.
b) Indicators provide context to incidents.
c) Incidents determine the severity of indicators.
d) Indicators specify which incidents to ingest.

A

b) Indicators provide context to incidents.

15
Q

Q15. Which three fields are available for querying indicators? (Choose three.)

a) expirationStatus
b) reputation
c) SLA
d) type
e) indicatorAge

A

a) expirationStatus
b) reputation
d) type

16
Q

Q16. Which two privileges are needed to create or customize an incident layout? (Choose two.)

a) page access privilege for the Settings page
b) read privilege for integrations
c) page access privilege for the Incidents page
d) read/write privilege for investigations

A

a) page access privilege for the Settings page

d) read/write privilege for investigations

17
Q

Q17. What should you do if you want to keep a set of specific information for every event of a certain type?

a) Add that information in the Evidence Board when investigating the incident.
b) Add custom fields to incidents representing events of that type.
c) Chat about it in the War Room.
d) Use Remote Device Control to obtain the information.

A

b) Add custom fields to incidents representing events of that type.

18
Q

Q18. Which statement is true regarding Indicator Extraction in Cortex XSOAR?

a) If you create an Extraction Rule where you select Extract all indicators from all fields, Cortex XSOAR will extract all fields including the Custom Field.
b) If you create an Extraction Rule where you select Extract all indicators from all fields, Cortex XSOAR will extract system default fields except for the Custom Field.
c) If you create an Extraction Rule where you select Extract specific indicators by default, Cortex XSOAR will set the indicator extraction for the new custom field to None.
d) If you create an Extraction Rule where you select Extract specific indicators by default, Cortex XSOAR will set the indicator extraction for the new custom field to Use System Default.

A

a) If you create an Extraction Rule where you select Extract all indicators from all fields, Cortex XSOAR will extract all fields including the Custom Field.

19
Q

Q19. What are the two primary purposes for defining outputs of an automation script or integration command? (Choose two.)

a) Outputs are used to display data to users.
b) Outputs are used for sending data to third-party APIs.
c) Outputs are used to define data that is set into the incident context data.
d) Outputs are used for helping users to connect playbooks more easily.

A

c) Outputs are used to define data that is set into the incident context data.
d) Outputs are used for helping users to connect playbooks more easily.

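The cards above (Q1, Q3, Q5, Q19) describe context data as a key-value dictionary that commands write their declared outputs into and that later tasks read as dynamic input. The following is an added toy model of that flow, written for this page; it is not Cortex XSOAR's own code. The merge rules, the `${File.SHA256}`-style input resolution, the stand-in `reputation_command`, and the sample file hash are assumptions of the example.

```python
"""Toy model of Cortex XSOAR-style context data.

Added example, not Cortex XSOAR's own code.  It imitates the behaviour the
cards describe: context is a key-value dictionary shared by the tasks of one
incident, a command's declared *outputs* (paths such as File.SHA256) are
merged into it, and a later task reads them back with a ${File.SHA256}-style
reference.  The merge rules and the sample data below are assumptions made for
this example.
"""
from typing import Any


def set_context(ctx: dict, path: str, value: Any) -> None:
    """Write `value` at a dotted path, creating nested dictionaries as needed.
    A second write to the same leaf turns it into a list (assumption: a
    simplified stand-in for how repeated enrichment results accumulate)."""
    *parents, leaf = path.split(".")
    node = ctx
    for key in parents:
        node = node.setdefault(key, {})
    if leaf not in node:
        node[leaf] = value
    elif isinstance(node[leaf], list):
        node[leaf].append(value)
    else:
        node[leaf] = [node[leaf], value]


def get_context(ctx: dict, path: str, default: Any = None) -> Any:
    """Resolve a dotted path; missing keys yield `default` instead of raising."""
    node: Any = ctx
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def resolve_input(ctx: dict, template: str) -> Any:
    """Resolve a task input written as ${Some.Path}; literals pass through."""
    if template.startswith("${") and template.endswith("}"):
        return get_context(ctx, template[2:-1])
    return template


# Constructed lookup standing in for a reputation integration command.
KNOWN_BAD_SHA256 = {"ab12" * 16}


def reputation_command(sha256: str) -> dict:
    """Returns only the command's declared outputs.  The human-readable War Room
    text a real command also emits is deliberately not part of them."""
    score = 3 if sha256 in KNOWN_BAD_SHA256 else 1   # DBotScore: 1 = Good, 3 = Bad
    return {"DBotScore.Indicator": sha256, "DBotScore.Score": score}


def run_playbook() -> dict:
    ctx: dict = {}
    # Task 1: a file-analysis command with declared outputs File.Name and File.SHA256
    # (constructed sample values).
    for path, value in {"File.Name": "invoice.pdf", "File.SHA256": "ab12" * 16}.items():
        set_context(ctx, path, value)
    # Task 2: its input is the dynamic reference ${File.SHA256}, not a literal.
    sha = resolve_input(ctx, "${File.SHA256}")
    for path, value in reputation_command(sha).items():
        set_context(ctx, path, value)
    # Task 3: a manual task that only posts a War Room note declares no outputs,
    # so it leaves context untouched: context need not hold everything produced.
    return ctx


if __name__ == "__main__":
    print(run_playbook())
```

The point for Q2 and Q19 is in `reputation_command` and task 3: only what a command declares as outputs lands in context, so a task that produces human-readable results but no outputs leaves nothing for later tasks to consume.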
20
Q

Q20. What are two sources of alert enrichment for Cortex XSOAR? (Choose two.)

a) SIEMs
b) Cortex Data Lake
c) Cortex XSOAR dashboards
d) AutoFocus

A

a) SIEMs

d) AutoFocus

21
Q

Q21. Which command is used to retrieve lists to use in a playbook task?

a) /FetchList
b) !fetchList
c) /GetList
d) !getList

A

d) !getList

22
Q

Q22. What is a deprecated automation script?

a) an automation script that is not available in the system and is no longer supported by the script author
b) an automation script that still is available in the system but is no longer supported by the script author
c) an automation script that is available in the system but is outdated and needs to be updated
d) an automation script that was located in the system but it has been deleted manually by the analyst

A

b) an automation script that still is available in the system but is no longer supported by the script author

23
Q

Q23. Which action is required before a new integration can ingest a typed alert and automatically run a playbook for the resulting incident?

a) An instance of the integration must be created.
b) The integration must be primed with a test alert of that type.
c) The playbook must be run manually with that type of alert.
d) The alert source must be made aware through an API of the playbook to be run.

A

a) An instance of the integration must be created.

24
Q

Q24. Which Cortex XSOAR functionality is always part of accessing external sources for alert enrichment?

a) incidents
b) playbooks
c) War Room
d) integrations

A

d) integrations

25
Q

Q25. What are two ways used to classify events ingested from an integration? (Choose two.)

a) when configuring an integration
b) by fetching incidents
c) by setting a classification key
d) when setting incident layout

A

a) when configuring an integration

c) by setting a classification key

26
Q

Q26. In Cortex XSOAR, what do integrations do?

a) They connect alerts with responses.
b) They enable real-time Cortex XSOAR software updates.
c) They map alerts to incidents and query third-party information sources.
d) They integrate the various components and functions that comprise Cortex XSOAR.

A

c) They map alerts to incidents and query third-party information sources.

27
Q

Q27. What will happen if you click to disable an integration?

a) The integration code will be removed from the system.
b) The Marketplace no longer will report related content dependencies.
c) The instance of the integration and your configuration information will be retained.
d) The integration’s commands will be removed from display in the auto-suggestions of the CLI tool.

A

c) The instance of the integration and your configuration information will be retained.

28
Q

Q28. What will happen if you configure an integration with inaccurate credentials and click Done?

a) The initial operational status will be set to “Disabled.”
b) A popup dialog box will prompt you for new credentials.
c) A failure message will appear at the bottom of the form.
d) The system will create a new instance of the integration.

A

d) The system will create a new instance of the integration.

29
Q

Q29. What must you do to modify the code for an integration that you have downloaded from the Marketplace?

a) Click to duplicate it.
b) Click the edit icon and enter the admin password.
c) Click to download the integration and give it a new name.
d) Click the view icon, click Save Version, and give it a new name.

A

a) Click to duplicate it.

30
Q

Q30. Which element enables Cortex XSOAR to automatically extract a custom indicator type from an unmapped key string?

a) regex
b) layout
c) structured query in Lucene syntax
d) valid data description in SRE syntax

A

a) regex

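Q30 says a regex is what lets Cortex XSOAR extract a custom indicator type, and Q18 says an "extract all indicators from all fields" rule runs over every field, custom fields included. The following is an added example written for this page, not Cortex XSOAR's extraction code: it runs an anchored and a loose pattern over a constructed incident to show why the regex attached to a custom type needs word boundaries and an exact length. The "Change Ticket" indicator type, its `CHG-` format, and the incident fields are all invented for the example.

```python
"""Regex-driven extraction of a custom indicator type.

Added example, not Cortex XSOAR code.  The indicator type "Change Ticket"
(values like CHG-000123) and the sample incident fields are constructed for
this example.  It shows why the regex attached to a custom indicator type
needs anchoring: with "extract all indicators from all fields" the same
pattern runs over every field, custom ones included, so a loose pattern
multiplies false positives.
"""
import re

# Anchored: word boundaries plus an exact digit count.
STRICT = re.compile(r"\bCHG-\d{6}\b")
# Loose: what a first draft often looks like.
LOOSE = re.compile(r"CHG-\d+")


def extract(text: str, pattern: re.Pattern) -> list[str]:
    """Unique matches in order of first appearance (a deduplicated indicator list)."""
    found: list[str] = []
    for m in pattern.finditer(text):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def extract_from_fields(incident: dict, pattern: re.Pattern) -> dict[str, list[str]]:
    """Run the pattern over every string field ("extract all indicators from
    all fields"); fields with no match are omitted from the result."""
    result: dict[str, list[str]] = {}
    for name, value in incident.items():
        if isinstance(value, str):
            hits = extract(value, pattern)
            if hits:
                result[name] = hits
    return result


# Constructed incident: system fields plus a custom field, all free text.
INCIDENT = {
    "name": "Service outage after change CHG-000123",
    "details": "Related record CHG-004242; noise strings XCHG-000999 and CHG-12; "
               "CHG-000123 mentioned again.",
    "changeref": "Tracking: CHG-004242",   # custom field
    "severity": 2,
}


if __name__ == "__main__":
    print(extract_from_fields(INCIDENT, STRICT))
    print(extract_from_fields(INCIDENT, LOOSE))
```

With the loose pattern the `details` field alone yields four distinct "indicators", two of them garbage (`CHG-000999` cut out of `XCHG-000999`, and the too-short `CHG-12`); the anchored pattern yields the two genuine values and ignores the rest.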
31
Q

Q31. What is required to display dev-prod configuration options?

a) access to the integrations page
b) use of a command in the graphical CLI
c) implementation of a custom server parameter
d) login credentials for the Linux command shell

A

c) implementation of a custom server parameter

32
Q

Q32. Which element of the Cortex XSOAR solution architecture supports the isolation of the development of new integrations, automations, and playbooks?

a) dev-prod
b) hybrid cloud
c) Cortex XSOAR engine
d) multitenant mode

A

a) dev-prod

33
Q

Q33. In a dev-prod configuration, from where does the prod server get updates authored by Palo Alto Networks?

a) Cortex XSOAR public content repository
b) remote repository specified in the dev-prod configuration parameters
c) content database on the local dev server
d) dev server default repository

A

b) remote repository specified in the dev-prod configuration parameters

34
Q

Q34. Which is a requirement of the remote, private repository in a dev-prod configuration?

a) The proxy server address of the prod server must be set to the IP address of the dev server.
b) Access from the dev server to the official public repository must be disabled.
c) Connections from the prod server to the private repository must be blocked.
d) The repository must have a minimum of one branch.

A

d) The repository must have a minimum of one branch.

35
Q

Q35. Which is an accurate description of a Docker image?

a) an open-source hypervisor for cloud-based machine images
b) a modular engine that runs multiple operating systems
c) a unit of software that packages everything required to run an application
d) an instance of a virtual machine that, when running, becomes a Docker image

A

c) a unit of software that packages everything required to run an application

36
Q

Q36. Which is the default global registry for Docker?

a) Docker Hub
b) Docker Engine
c) support.docker.com
d) support.paloaltonetworks.com

A

a) Docker Hub

37
Q

Q37. What is required to download the system’s Docker images manually?

a) access to Docker Hub
b) a user account on GitHub
c) root access to the command line on the target server
d) the installer download link from the email used to send your license file

A

d) the installer download link from the email used to send your license file

38
Q

Q38. Which two settings are recommended to harden or optimize the system’s use of Docker? (Choose two.)

a) setting imageless-mode flag
b) limiting the memory allowed for each container
c) limiting the number of CPUs a container may use
d) increasing the limit for the number of allowed process IDs (PIDs)

A

b) limiting the memory allowed for each container

c) limiting the number of CPUs a container may use

39
Q

Q39. What is the maximum number of servers supported for a Live Backup configuration?

a) 2
b) 3
c) 4
d) 8

A

a) 2

40
Q

Q40. Which path hosts the artifacts folder?

a) /etc/
b) /etc/demisto/
c) /var/lib/demisto/
d) /user/demisto/blobs

A

c) /var/lib/demisto/

41
Q

Q41. Which content is excluded from backup by the Automated Backups feature?

a) incidents
b) scripts and playbooks
c) artifacts and attachments
d) user-defined configurations

A

c) artifacts and attachments

42
Q

Q42. Which is the best option to manually back up artifacts and attachments?

a) Set Automated Backups to ON.
b) Export the master database in a supported plaintext file format.
c) Select target incidents and click Export.
d) Use the tar command.

A

d) Use the tar command.

43
Q

Q43. Where is incident data stored?

a) /var/log/demisto/
b) /var/lib/demisto/
c) /var/lib/private/
d) /usr/local/demisto/

A

b) /var/lib/demisto/

44
Q

Q44. Which Live Backup configuration scheme can you deploy for disaster recovery?

a) active-active
b) active-standby
c) active-active or active-standby
d) DNS round-robin load balancing

A

b) active-standby

45
Q

Q45. Which three statements are true regarding live backup for distributed database environments? (Choose three.)

a) Live backup enables mirroring of active database servers to passive servers.
b) Active/active configuration is supported.
c) Live Backup converts passive servers to the active database servers in a disaster-recovery case.
d) The failover is dynamic.
e) Live Backup uses a single active server and a single standby server.

A

a) Live backup enables mirroring of active database servers to passive servers.
c) Live Backup converts passive servers to the active database servers in a disaster-recovery case.
e) Live Backup uses a single active server and a single standby server.

46
Q

Q46. Which installation file is required to install Live Backup on a target backup server?

a) the same file that you use to install Cortex XSOAR on a primary server
b) the Live Backup installer available on the Integrations > Agent Tools page
c) the engine installer that you download from the Integrations > Engines page
d) the live-bckp-server-xxxx.sh file that you download by use of a link sent to DR-Group members

A

a) the same file that you use to install Cortex XSOAR on a primary server

47
Q

Q47. How do you export all the custom content from a Cortex XSOAR instance?

a) Run a detailed content report.
b) Click Export at the bottom of the Settings > About > Troubleshooting page.
c) Use the !scp custom-all @: command in the graphical CLI.
d) Execute with sudo privileges the send-non-vendor-files.sh script from the Linux command shell.

A

b) Click Export at the bottom of the Settings > About > Troubleshooting page.

48
Q

Q48. What are two limitations of multitenancy architectures? (Choose two.)

a) Tenants can change the definitions that were set by the main account.
b) Troubleshooting often is very complex.
c) Multitenancy architectures are more complex than Cortex XSOAR Enterprise server architectures.
d) There is complete isolation between tenants.

A

b) Troubleshooting often is very complex.

d) There is complete isolation between tenants.

49
Q

Q49. Which two indicator types should have an indicator expiration applied when they are consumed from threat intel feeds? (Choose two.)

a) IP address
b) domain
c) file hash
d) ssdeep

A

a) IP address

b) domain

50
Q

Q50. What are two use cases for analyzing indicators via playbooks? (Choose two.)

a) indicator enrichment
b) pushing indicators to third-party products for enhanced alerting and detection
c) generating finished threat intelligence products
d) static analysis of malware samples

A

a) indicator enrichment

b) pushing indicators to third-party products for enhanced alerting and detection

51
Q

Q51. Which two configurations are available for threat intel feeds? (Choose two.)

a) fetch incidents
b) source reliability
c) indicator expiration method
d) incident type

A

b) source reliability

c) indicator expiration method
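Q49 and Q51 together say that feed integrations carry a source-reliability setting and an indicator-expiration method, and that IP addresses and domains are the types that should expire. The following is an added toy model written for this page, not Cortex XSOAR code: it ingests constructed feed records, lets the most reliable source decide a disputed score, and applies a per-type expiration. The intervals, the A-to-F grades as used here, the DBotScore values and the sample records are assumptions of the example.

```python
"""Toy model of feed-ingested indicators with per-type expiration and source reliability.

Added example, not Cortex XSOAR code.  The expiration intervals, the letter
grades and the sample feed records are assumptions chosen for this example;
the point is the reasoning the cards imply: IP addresses and domains are
re-used and re-assigned, so they get an expiration, while a file hash
identifies one object and does not go stale the same way.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Expiration method per indicator type: an interval, or None for "never".
EXPIRATION: dict[str, Optional[timedelta]] = {
    "IP": timedelta(days=7),
    "Domain": timedelta(days=30),
    "File": None,
    "ssdeep": None,
}

# Source reliability letter grades, A (highest) to F; the lower rank wins a conflict.
RELIABILITY_RANK = {grade: rank for rank, grade in enumerate("ABCDEF")}


@dataclass
class FeedRecord:
    value: str
    type: str
    score: int          # DBotScore scale: 0 unknown, 1 good, 2 suspicious, 3 bad
    reliability: str    # source reliability grade of the feed that reported it, A..F
    last_seen: datetime


def expiration_status(rec: FeedRecord, now: datetime) -> str:
    """'expired' once the type's interval has passed since the last sighting;
    types with no interval never expire."""
    ttl = EXPIRATION.get(rec.type)
    if ttl is None:
        return "active"
    return "expired" if now - rec.last_seen > ttl else "active"


def merge_feeds(records: list[FeedRecord], now: datetime) -> dict[str, dict]:
    """Collapse duplicate indicator values: the most reliable source decides
    the score, the newest sighting decides expiration."""
    merged: dict[str, dict] = {}
    for rec in records:
        cur = merged.get(rec.value)
        if cur is None:
            merged[rec.value] = {"type": rec.type, "score": rec.score,
                                 "reliability": rec.reliability, "last_seen": rec.last_seen}
            continue
        if RELIABILITY_RANK[rec.reliability] < RELIABILITY_RANK[cur["reliability"]]:
            cur["score"], cur["reliability"] = rec.score, rec.reliability
        cur["last_seen"] = max(cur["last_seen"], rec.last_seen)
    for value, ind in merged.items():
        ind["expirationStatus"] = expiration_status(
            FeedRecord(value, ind["type"], ind["score"], ind["reliability"], ind["last_seen"]), now)
    return merged


# Constructed sample: "now" and two feeds of differing reliability.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_FEED = [
    FeedRecord("203.0.113.7", "IP", 3, "A", NOW - timedelta(days=10)),
    FeedRecord("203.0.113.7", "IP", 1, "D", NOW - timedelta(days=2)),    # less reliable, newer
    FeedRecord("198.51.100.9", "IP", 3, "B", NOW - timedelta(days=20)),
    FeedRecord("example.net", "Domain", 2, "B", NOW - timedelta(days=10)),
    FeedRecord("ab12" * 16, "File", 3, "C", NOW - timedelta(days=400)),
]


if __name__ == "__main__":
    for value, ind in merge_feeds(SAMPLE_FEED, NOW).items():
        print(value, ind["score"], ind["expirationStatus"])
```

Two things the output makes visible: the D-grade feed's "good" verdict on 203.0.113.7 does not override the A-grade feed's "bad", but its fresher sighting does keep the indicator active; and the year-old file hash stays active because the File type has no expiration interval.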

52
Q

Q52. Which Cortex XSOAR feature enables playbooks to execute against new indicators from threat intel feeds?

a) Feed Triggered Jobs
b) Mapping
c) bring your own integration
d) Export Indicators Service

A

a) Feed Triggered Jobs

53
Q

Q53. Mapping of threat intel feeds enables which two abilities? (Choose two.)

a) assigning attributes from a threat intel feed to indicator fields
b) applying transforms (e.g., Uppercase) to attributes from threat intel feeds
c) running playbooks against new indicators of compromise
d) integrating threat intel feeds into other Palo Alto Networks products, such as Cortex XDR

A

a) assigning attributes from a threat intel feed to indicator fields
b) applying transforms (e.g., Uppercase) to attributes from threat intel feeds

54
Q

Q54. How do you change the log level?

a) Edit the /etc/demisto.conf file.
b) Use the Log Level drop-down menu on the Troubleshooting page.
c) Stop the server process and restart it with a --log-level= parameter.
d) Add a custom server parameter services.log.detail with a value of 0, 1, or 2.

A

b) Use the Log Level drop-down menu on the Troubleshooting page.

55
Q

Q55. When is the basic system configuration information generated for log files in the log bundle?

a) at 00:05 for the current day
b) at the time the log bundle is requested
c) at five minutes past every hour
d) at the same time as the last automatic backup

A

b) at the time the log bundle is requested

56
Q

Q56. Which type of deployment involves the use of one or more Cortex XSOAR engines?

a) hosted cloud
b) hybrid cloud
c) private cloud
d) protective enclave

A

b) hybrid cloud

57
Q

Q57. Which Cortex XSOAR infrastructure component do you deploy in a protected network to extend the core server’s capabilities?

a) Live Backup server
b) Cortex XSOAR engine
c) distributed database
d) dev server

A

b) Cortex XSOAR engine

58
Q

Q58. Incidents are created in which three ways? (Choose three.)

a) manually by a privileged user
b) fetching from other products with the help of integrations
c) using playbooks
d) using the REST API
e) using remote connection feature

A

a) manually by a privileged user
b) fetching from other products with the help of integrations
d) using the REST API

59
Q

Q59. Which three types of content packs can be downloaded from Marketplace? (Choose three.)

a) playbooks
b) system settings
c) automations
d) use cases
e) integrations

A

a) playbooks
c) automations
e) integrations

60
Q

Q60. Which type of update is included in Content Pack updates?

a) playbooks
b) incident data
c) core binaries for Cortex XSOAR
d) image files for the web interface

A

a) playbooks

61
Q

Q61. Which is the distribution point for content-update packages?

a) Marketplace
b) Docker Hub
c) www.demisto.com
d) support.demisto.com

A

a) Marketplace

62
Q

Q62. What does “installed” status mean for content related to an item listed in the Marketplace?

a) One or more associated integrations are in active use.
b) One or more associated content elements are in active use.
c) The content is downloaded for potential use on the local system.
d) The content is configured for use but could be enabled or disabled.

A

c) The content is downloaded for potential use on the local system.

63
Q

Q63. What is required to upload content update packages manually?

a) access to Docker Hub
b) use of the tar utility
c) access to the web console of the target server
d) root access to the command line on the target server

A

c) access to the web console of the target server

64
Q

Q64. Which manual action can you perform by use of the Cortex XSOAR web console to support air-gapped deployments?

a) installation of Docker images
b) execution of the tar command to decompress platform-content archives
c) update of the content repository
d) download of Docker images

A

c) update of the content repository

65
Q

Q65. Which feature requires you migrate your database to support Cortex XSOAR High Availability (HA)?

a) multitenancy
b) Elasticsearch
c) Network File Share (NFS)
d) HTTP proxy

A

b) Elasticsearch

66
Q

Q66. While reviewing the d1.log file, you notice the following error message:

Listen tcp :443 bind: permission denied

What is most likely the solution to resolve this error?

a) Change the Cortex XSOAR configuration to allow binding to lower port numbers.
b) Update firewall proxy to allow port 443.
c) Change the URL port number to the correct Cortex XSOAR management port.
d) Enable Apache service on Cortex XSOAR.

A

a) Change the Cortex XSOAR configuration to allow binding to lower port numbers.

67
Q

Q67. Where can the entire history of group interactions involving an attack response be seen?

a) Cortex XSOAR War Room
b) Cortex XDR Incident page
c) AutoFocus
d) WildFire

A

a) Cortex XSOAR War Room

68
Q

Q68. Which is the correct search query for “incidents that are not jobs and are not closed”?

a) -status:closed -category:job
b) Status is not closed and Category is not job
c) Status!:closed or Category!:job
d) status!=job and category!=job

A

a) -status:closed -category:job

69
Q

Q69. Which incidents are displayed for the search string owner:""?

a) all incidents
b) all unassigned incidents
c) all incidents with a named owner
d) all incidents that are jobs and thus owned by the system

A

b) all unassigned incidents
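Q68 and Q69 show two features of the incident search syntax: a leading `-` negates a term, and `owner:""` matches incidents whose field is empty. The following is an added toy evaluator written for this page, not Cortex XSOAR's search engine, which is a much richer Lucene-style language (ranges, wildcards, OR). It handles only the forms the two cards use, over constructed incidents; case-insensitive matching and the sample data are assumptions of the example.

```python
"""Toy evaluator for the two incident-search forms shown on these cards.

Added example, not Cortex XSOAR code.  Cortex XSOAR's search syntax is a
Lucene-style language with far more features (ranges, wildcards, OR); this
imitation handles only the pieces the cards use: space-separated field:value
terms that are ANDed together, a leading "-" to negate a term, and "" as a
value meaning the field is empty or unset.  Case-insensitive comparison and
the sample incidents are assumptions of this example.
"""
import shlex


def parse_query(query: str) -> list[tuple[bool, str, str]]:
    """Return (negated, field, value) triples.  shlex strips the quotes, so
    owner:"" arrives as the token 'owner:' with an empty value."""
    terms: list[tuple[bool, str, str]] = []
    for token in shlex.split(query):
        negated = token.startswith("-")
        if negated:
            token = token[1:]
        field, sep, value = token.partition(":")
        if not sep or not field:
            raise ValueError(f"expected field:value, got {token!r}")
        terms.append((negated, field.lower(), value.lower()))
    return terms


def matches(incident: dict, query: str) -> bool:
    """All terms are ANDed: a hit on a negated term, or a miss on a plain one,
    rejects the incident."""
    for negated, field, value in parse_query(query):
        actual = str(incident.get(field) or "").lower()   # None and missing both read as ""
        if (actual == value) == negated:
            return False
    return True


def search(incidents: list[dict], query: str) -> list[int]:
    return [inc["id"] for inc in incidents if matches(inc, query)]


# Constructed sample incidents.
INCIDENTS = [
    {"id": 1, "status": "Active", "category": "", "owner": "alice"},
    {"id": 2, "status": "Closed", "category": "", "owner": "bob"},
    {"id": 3, "status": "Active", "category": "job", "owner": ""},
    {"id": 4, "status": "Pending", "category": "", "owner": None},
]


if __name__ == "__main__":
    print(search(INCIDENTS, "-status:closed -category:job"))  # [1, 4]
    print(search(INCIDENTS, 'owner:""'))                       # [3, 4]
```

Note how the job incident (id 3) is dropped by `-category:job` even though it is not closed, and how both the empty-string owner and the unset owner count as unassigned for `owner:""`. The distractors in Q68 (`!=`, `!:`, spelled-out "is not") are not forms this syntax recognizes.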

70
Q

Q70. Which permission is required for the display of Dashboard widgets?

a) read permission for investigation data
b) read/write permission for investigations
c) page-access permission for the Reports page
d) no permission required

A

a) read permission for investigation data

71
Q

Q71. Which two options describe dashboard widgets? (Choose two.)

a) A widget’s display layout cannot be changed.
b) A widget’s timeframe can be edited.
c) A widget’s data query can be set.
d) A widget’s size cannot be set.

A

b) A widget’s timeframe can be edited.

c) A widget’s data query can be set.

72
Q

Q72. How do you specify the data to use in a widget applied to a dashboard or a report?

a) Enter a custom or an out-of-the-box automation script.
b) Select one or more incident fields from drop-down menus.
c) Drag and drop data fields, filtered by the context of the widget.
d) Use the same query syntax that is supported on the Incidents page.

A

d) Use the same query syntax that is supported on the Incidents page.

73
Q

Q73. What is the process for dashboard creation and modification in Cortex XSOAR?

a) Cortex XSOAR includes tools to make dashboard creation and modification easy.
b) Dashboard creation and modification can be achieved only through the partner support website.
c) Integrations create and modify dashboards depending on the API capabilities of third-party products.
d) Automated tasks in playbooks create and modify dashboards as appropriate, depending on the incidents they are associated with.

A

a) Cortex XSOAR includes tools to make dashboard creation and modification easy.

74
Q

Q74. If disk use is 45 percent, which color is the disk status indicator on the System Health dashboard?

a) green
b) yellow
c) red
d) black

A

a) green

75
Q

Q75. Which two statements are true regarding preconfigured system reports? (Choose two.)

a) They cannot be directly modified.
b) They can be modified by creating a copy.
c) They cannot be exported.
d) They cannot be run by an analyst directly.

A

a) They cannot be directly modified.

b) They can be modified by creating a copy.