PCSAE Flashcards
Q1. What is the primary use of the context data?
a) sending data to related incidents
b) passing data between playbook tasks
c) storing data for use with integrations
d) mapping data to required fields
b) passing data between playbook tasks
Q2. Which statement is true about context data?
a) It is purged after each task in a playbook is run.
b) It must be transformed before a task can use it.
c) After it is written, it can be changed only by manual editing.
d) It does not necessarily include all data generated by the incident-related activity.
d) It does not necessarily include all data generated by the incident-related activity.
Q3. Which option describes the structure of context data?
a) a key-value pair dictionary
b) a row-oriented data serialization framework
c) a node-graph hierarchy of multiple object types
d) a binary storage format front-ended by a Java interpreter
a) a key-value pair dictionary
Q4. Which type of task is used to interact with users through a survey?
a) conditional
b) standard
c) section header
d) data collection
d) data collection
Q5. Which option provides dynamic input to playbook tasks and automations?
a) incident tasks
b) context data
c) quick view
d) system
b) context data
Q6. Which is the first step in the playbook development process?
a) Create custom data fields.
b) Create a skeleton playbook.
c) Formalize the use-case definition.
d) Configure enrichment integrations.
c) Formalize the use-case definition.
Q7. Which characteristic indicates that a playbook is a “skeleton playbook”?
a) installed from the Marketplace
b) unconfigured Inputs/Outputs options
c) incomplete task details for many tasks or all tasks
d) loaded in a development environment but not deployed to production
c) incomplete task details for many tasks or all tasks
Q8. What are two ways to create a new task in a playbook that is open for editing? (Choose two.)
a) Click Create Task on the Task Library fly-out panel.
b) Right-click an open area of the workspace and select New Task.
c) Double-click an open area of the workspace and click Yes in response to the prompt.
d) Click-and-drag the output node of an existing object to an open area of the workspace.
a) Click Create Task on the Task Library fly-out panel.
d) Click-and-drag the output node of an existing object to an open area of the workspace.
Q9. Which is the proper name for a “step” in a Cortex XSOAR playbook?
a) task
b) step
c) procedure
d) automation
a) task
Q10. Which two types of actions can be specified with a Standard playbook task? (Choose two.)
a) manual
b) automated
c) conditional
d) data collection
a) manual
b) automated
Q11. How do playbooks and the War Room work together?
a) The War Room documents playbook tasks and related artifacts and evidence.
b) Each incident’s War Room activity is autodocumented into a playbook for that incident.
c) Playbooks provide a guide to the use of the War Room for information flow among analysts.
d) Playbooks document the activity and decisions made in the War Room.
a) The War Room documents playbook tasks and related artifacts and evidence.
Q12. What is a sub-playbook?
a) a playbook used as a task in another playbook
b) an obsolete playbook of inferior quality
c) an app that underlies a playbook to ensure it flows from task to task
d) an updated playbook that substitutes for an older playbook
a) a playbook used as a task in another playbook
Q13. Which option describes the trigger of an incident?
a) specification of the name of the incident type
b) the application of enrichment tasks to a playbook
c) the point at which auto-extraction of indicators is performed
d) the action inside or outside the system that should generate an incident
d) the action inside or outside the system that should generate an incident
Q14. How do incidents relate to indicators?
a) Incidents generate indicators as part of their automated response.
b) Indicators provide context to incidents.
c) Incidents determine the severity of indicators.
d) Indicators specify which incidents to ingest.
b) Indicators provide context to incidents.
Q15. Which three fields are available for querying indicators? (Choose three.)
a) expirationStatus
b) reputation
c) SLA
d) type
e) indicatorAge
a) expirationStatus
b) reputation
d) type
Q16. Which two privileges are needed to create or customize an incident layout? (Choose two.)
a) page access privilege for the Settings page
b) read privilege for integrations
c) page access privilege for the Incidents page
d) read/write privilege for investigations
a) page access privilege for the Settings page
d) read/write privilege for investigations
Q17. What should you do if you want to keep a set of specific information for every event of a certain type?
a) Add that information in the Evidence Board when investigating the incident.
b) Add custom fields to incidents representing events of that type.
c) Chat about it in the War Room.
d) Use Remote Device Control to obtain the information.
b) Add custom fields to incidents representing events of that type.
Q18. Which statement is true regarding Indicator Extraction in Cortex XSOAR?
a) If you create an Extraction Rule where you select Extract all indicators from all fields, Cortex XSOAR will extract all fields including the Custom Field.
b) If you create an Extraction Rule where you select Extract all indicators from all fields, Cortex XSOAR will extract system default fields except for the Custom Field.
c) If you create an Extraction Rule where you select Extract specific indicators by default, Cortex XSOAR will set the indicator extraction for the new custom field to None.
d) If you create an Extraction Rule where you select Extract specific indicators by default, Cortex XSOAR will set the indicator extraction for the new custom field to Use System Default.
a) If you create an Extraction Rule where you select Extract all indicators from all fields, Cortex XSOAR will extract all fields including the Custom Field.
Q19. What are the two primary purposes for defining outputs of an automation script or integration command? (Choose two.)
a) Outputs are used to display data to users.
b) Outputs are used for sending data to third-party APIs.
c) Outputs are used to define data that is set into the incident context data.
d) Outputs are used for helping users to connect playbooks more easily.
c) Outputs are used to define data that is set into the incident context data.
d) Outputs are used for helping users to connect playbooks more easily.
Q20. What are two sources of alert enrichment for Cortex XSOAR? (Choose two.)
a) SIEMs
b) Cortex Data Lake
c) Cortex XSOAR dashboards
d) AutoFocus
a) SIEMs
d) AutoFocus
Q21. Which command is used to retrieve lists to use in a playbook task?
a) /FetchList
b) !fetchList
c) /GetList
d) !getList
d) !getList
Q22. What is a deprecated automation script?
a) an automation script that is not available in the system and is no longer supported by the script author
b) an automation script that still is available in the system but is no longer supported by the script author
c) an automation script that is available in the system but is outdated and needs to be updated
d) an automation script that was located in the system but it has been deleted manually by the analyst
b) an automation script that still is available in the system but is no longer supported by the script author
Q23. Which action is required before a new integration can ingest a typed alert and automatically run a playbook for the resulting incident?
a) An instance of the integration must be created.
b) The integration must be primed with a test alert of that type.
c) The playbook must be run manually with that type of alert.
d) The alert source must be made aware through an API of the playbook to be run.
a) An instance of the integration must be created.
Q24. Which Cortex XSOAR functionality is always part of accessing external sources for alert enrichment?
a) incidents
b) playbooks
c) War Room
d) integrations
d) integrations
Q25. What are two ways used to classify events ingested from an integration? (Choose two.)
a) when configuring an integration
b) by fetching incidents
c) by setting a classification key
d) when setting incident layout
a) when configuring an integration
c) by setting a classification key
Q26. In Cortex XSOAR, what do integrations do?
a) They connect alerts with responses.
b) They enable real-time Cortex XSOAR software updates.
c) They map alerts to incidents and query third-party information sources.
d) They integrate the various components and functions that comprise Cortex XSOAR.
c) They map alerts to incidents and query third-party information sources.
Q27. What will happen if you click to disable an integration?
a) The integration code will be removed from the system.
b) The Marketplace no longer will report related content dependencies.
c) The instance of the integration and your configuration information will be retained.
d) The integration’s commands will be removed from display in the auto-suggestions of the CLI tool.
c) The instance of the integration and your configuration information will be retained.
Q28. What will happen if you configure an integration with inaccurate credentials and click Done?
a) The initial operational status will be set to “Disabled.”
b) A popup dialog box will prompt you for new credentials.
c) A failure message will appear at the bottom of the form.
d) The system will create a new instance of the integration.
d) The system will create a new instance of the integration.
Q29. What must you do to modify the code for an integration that you have downloaded from the Marketplace?
a) Click to duplicate it.
b) Click the edit icon and enter the admin password.
c) Click to download the integration and give it a new name.
d) Click the view icon, click Save Version, and give it a new name.
a) Click to duplicate it.
Q30. Which element enables Cortex XSOAR to automatically extract a custom indicator type from an unmapped key string?
a) regex
b) layout
c) structured query in Lucene syntax
d) valid data description in SRE syntax
a) regex