PCSAE

Question 1

Q1. What is the primary use of the context data?

a) sending data to related incidents
b) passing data between playbook tasks
c) storing data for use with integrations
d) mapping data to required fields

Answer 1

b) passing data between playbook tasks

Question 2

Q2. Which statement is true about context data?

a) It is purged after each task in a playbook is run.
b) It must be transformed before a task can use it.
c) After it is written, it can be changed only by manual editing.
d) It does not necessarily include all data generated by the incident-related activity.

Answer 2

d) It does not necessarily include all data generated by the incident-related activity.

Question 3

Q3. Which option describes the structure of context data?

a) a key-value pair dictionary
b) a row-oriented data serialization framework
c) a node-graph hierarchy of multiple object types
d) a binary storage format front-ended by a Java interpreter

Answer 3

a) a key-value pair dictionary

Question 4

Q4. Which type of task is used to interact with users through a survey?

a) conditional
b) standard
c) section header
d) data collection

Answer 4

d) data collection

Question 5

Q5. Which option provides dynamic input to playbook tasks and automations?

a) incident tasks
b) context data
c) quick view
d) system

Answer 5

b) context data

Question 6

Q6. Which is the first step in the playbook development process?

a) Create custom data fields.
b) Create a skeleton playbook.
c) Formalize the use-case definition.
d) Configure enrichment integrations

Answer 6

c) Formalize the use-case definition.

Question 7

Q7. Which characteristic indicates that a playbook is a “skeleton playbook”?

a) installed from the Marketplace
b) unconfigured Inputs/Outputs options
c) incomplete task details for many tasks or all tasks
d) loaded in a development environment but not deployed to production

Answer 7

c) incomplete task details for many tasks or all tasks

Question 8

Q8. What are two ways to create a new task in a playbook that is open for editing? (Choose two.)

a) Click Create Task on the Task Library fly-out panel.
b) Right-click an open area of the workspace and select New Task.
c) Double-click an open area of the workspace and click Yes in response to the prompt.
d) Click-and-drag the output node of an existing object to an open area of the workspace.

Answer 8

a) Click Create Task on the Task Library fly-out panel.

d) Click-and-drag the output node of an existing object to an open area of the workspace.

Question 9

Q9. Which is the proper name for a “step” in a Cortex XSOAR playbook?

a) task
b) step
c) procedure
d) automation

Answer 9

a) task

Question 10

Q10. Which two types of actions can be specified with a Standard playbook task? (Choose two.)

a) manual
b) automated
c) conditional
d) data collection

Answer 10

a) manual

b) automated

Question 11

Q11. How do playbooks and the War Room work together?

a) The War Room documents playbook tasks and related artifacts and evidence.
b) Each incident’s War Room activity is autodocumented into a playbook for that incident.
c) Playbooks provide a guide to the use of the War Room for information flow among analysts.
d) Playbooks document the activity and decisions made in the War Room.

Answer 11

a) The War Ro`w3om documents playbook tasks and related artifacts and evidence.

Question 12

Q12. What is a sub-playbook?

a) a playbook used as a task in another playbook
b) an obsolete playbook of inferior quality
c) an app that underlies a playbook to ensure it flows from task to task
d) an updated playbook that substitutes for an older playbook

Answer 12

a) a playbook used as a task in another playbook

Question 13

Q13. Which option describes the trigger of an incident?

a) specification of the name of the incident type
b) the application of enrichment tasks to a playbook
c) the point at which auto-extraction of indicators is performed
d) the action inside or outside the system that should generate an incident

Answer 13

d) the action inside or outside the system that should generate an incident

Question 14

Q14. How do incidents relate to indicators?

a) Incidents generate indicators as part of their automated response.
b) Indicators provide context to incidents.
c) Incidents determine the severity of indicators.
d) Indicators specify which incidents to ingest.

Answer 14

b) Indicators provide context to incidents.

Question 15

Q15. Which three fields are available for querying indicators? (Choose three.)

a) expirationStatus
b) reputation
c) SLA
d) type
e) indicatorAge

Answer 15

a) expirationStatus
b) reputation
d) type

Question 16

Q16. Which two privileges are needed to create or customize an incident layout? (Choose two.)

a) page access privilege for the Settings page
b) read privilege for integrations
c) page access privilege for the Incidents page
d) read/write privilege for investigations

Answer 16

a) page access privilege for the Settings page

d) read/write privilege for investigations

Question 17

Q17. What should you do if you want to keep a set of specific information for every event of a certain type?

a) Add that information in the Evidence Board when investigating the incident.
b) Add custom fields to incidents representing events of that type.
c) Chat about it in the War Room.
d) Use Remote Device Control to obtain the information.

Answer 17

b) Add custom fields to incidents representing events of that type.

Question 18

Q18. Which statement is true regarding Indicator Extraction in Cortex XSOAR?

a) If you create an Extraction Rule where you select Extract all indicators from all fields, Cortex XSOAR will extract all fields including the Custom Field.
b) If you create an Extraction Rule where you select Extract all indicators from all fields, Cortex XSOAR will extract system default fields except for the Custom Field.
c) If you create an Extraction Rule where you select Extract specific indicators by default, Cortex XSOAR will set the indicator extraction for the new custom field to None.
d) If you create an Extraction Rule where you select Extract specific indicators by default, Cortex XSOAR will set the indicator extraction for the new custom field to Use System Default.

Answer 18

a) If you create an Extraction Rule where you select Extract all indicators from all fields, Cortex XSOAR will extract all fields including the Custom Field.

Question 19

Q19. What are the two primary purposes for defining outputs of an automation script or integration command? (Choose two.)

a) Outputs are used to display data to users.
b) Outputs are used for sending data to third-party APIs.
c) Outputs are used to define data that is set into the incident context data.
d) Outputs are used for helping users to connect playbooks more easily.

Answer 19

c) Outputs are used to define data that is set into the incident context data.
d) Outputs are used for helping users to connect playbooks more easily.

Question 20

Q20. What are two sources of alert enrichment for Cortex XSOAR? (Choose two.)

a) SIEMs
b) Cortex Data Lake
c) Cortex XSOAR dashboards
d) AutoFocus

Answer 20

a) SIEMs

d) AutoFocus

Question 21

Q21. Which command is used to retrieve lists to use in a playbook task?

a) /FetchList
b) !fetchList
c) /GetList
d) !getList

Answer 21

d) !getList

Question 22

Q22. What is a deprecated automation script?

a) an automation script that is not available in the system and is no longer supported by the script author
b) an automation script that still is available in the system but is no longer supported by the script author
c) an automation script that is available in the system but is outdated and needs to be updated
d) an automation script that was located in the system but it has been deleted manually by the analyst

Answer 22

b) an automation script that still is available in the system but is no longer supported by the script author

Question 23

Q23. Which action is required before a new integration can ingest a typed alert and automatically run a playbook for the resulting incident?

a) An instance of the integration must be created.
b) The integration must be primed with a test alert of that type.
c) The playbook must be run manually with that type of alert.
d) The alert source must be made aware through an API of the playbook to be run.

Answer 23

a) An instance of the integration must be created.

Question 24

Q24. Which Cortex XSOAR functionality is always part of accessing external sources for alert enrichment?

a) incidents
b) playbooks
c) War Room
d) integrations

Answer 24

d) integrations

Question 25

Q25. What are two ways used to classify events ingested from an integration? (Choose two.)

a) when configuring an integration
b) by fetching incidents
c) by setting a classification key
d) when setting incident layout

Answer 25

a) when configuring an integration

c) by setting a classification key

Question 26

Q26. In Cortex XSOAR, what do integrations do?

a) They connect alerts with responses.
b) They enable real-time Cortex XSOAR software updates.
c) They map alerts to incidents and query third-party information sources.
d) They integrate the various components and functions that comprise Cortex XSOAR.

Answer 26

c) The instance of the integration and your configuration information will be retained.

Question 27

Q27. What will happen if you click to disable an integration?

a) The integration code will be removed from the system.
b) The Marketplace no longer will report related content dependencies.
c) The instance of the integration and your configuration information will be retained.
d) The integration’s commands will be removed from display in the auto-suggestions of the CLI tool.

Answer 27

c) The instance of the integration and your configuration information will be retained.

Question 28

Q28. What will happen if you configure an integration with inaccurate credentials and click Done?

a) The initial operational status will be set to “Disabled.”
b) A popup dialog box will prompt you for new credentials.
c) A failure message will appear at the bottom of the form.
d) The system will create a new instance of the integration.

Answer 28

d) The system will create a new instance of the integration.

Question 29

Q29. What must you do to modify the code for an integration that you have downloaded from the Marketplace?

a) Click to duplicate it.
b) Click the edit icon and enter the admin password.
c) Click to download the integration and give it a new name.
d) Click the view icon, click Save Version, and give it a new name.

Answer 29

a) Click to duplicate it.

Question 30

Q30. Which element enables Cortex XSOAR to automatically extract a custom indicator type from an unmapped key string?

a) regex
b) layout
c) structured query in Lucene syntax
d) valid data description in SRE syntax

Answer 30

a) regex

Question 31

Q31. What is required to display dev-prod configuration options?

a) access to the integrations page
b) use of a command in the graphical CLI
c) implementation of a custom server parameter
d) login credentials for the Linux command shell

Answer 31

c) implementation of a custom server parameter

Question 32

Q32. Which element of the Cortex XSOAR solution architecture supports the isolation of the development of new integrations, automations, and playbooks?

a) dev-prod
b) hybrid cloud
c) Cortex XSOAR engine
d) multitenant mode

Answer 32

a) dev-prod

Question 33

Q33. In a dev-prod configuration, from where does the prod server get updates authored by Palo Alto Networks?

a) Cortex XSOAR public content repository
b) remote repository specified in the dev-prod configuration parameters
c) content database on the local dev server
d) dev server default repository

Answer 33

b) remote repository specified in the dev-prod configuration parameters

Question 34

Q34. Which is a requirement of the remote, private repository in a dev-prod configuration?

a) The proxy server address of the prod server must be set to the IP address of the dev server.
b) Access from the dev server to the official public repository must be disabled.
c) Connections from the prod server to the private repository must be blocked.
d) The repository must have a minimum of one branch.

Answer 34

d) The repository must have a minimum of one branch.

Question 35

Q35. Which is an accurate description of a Docker image?

a) an open-source hypervisor for cloud-based machine images
b) a modular engine that runs multiple operating systems
c) a unit of software that packages everything required to run an application
d) an instance of a virtual machine that, when running, becomes a Docker image

Answer 35

c) a unit of software that packages everything required to run an application

Question 36

Q36. Which is the default global registry for Docker?

a) Docker Hub
b) Docker Engine
c) support.docker.com
d) support.paloaltonetworks.com

Answer 36

a) Docker Hub

Question 37

Q37. What is required to download the system’s Docker images manually?

a) access to Docker Hub
b) a user account on GitHub
c) root access to the command line on the target server
d) the installer download link from the email used to send your license file

Answer 37

d) the installer download link from the email used to send your license file

Question 38

Q38. Which two settings are recommended to harden or optimize the system’s use of Docker? (Choose two.)

a) setting imageless-mode flag
b) limiting the memory allowed for each container
c) limiting the number of CPUs a container may use
d) increasing the limit for the number of allowed process IDs (PIDs)

Answer 38

b) limiting the memory allowed for each container

c) limiting the number of CPUs a container may use

Question 39

Q39. What is the maximum number of servers supported for a Live Backup configuration?

a) 2
b) 3
c) 4
d) 8

Answer 39

a) 2

Question 40

Q40. Which path hosts the artifacts folder?

a) /etc/
b) /etc/demisto/
c) /var/lib/demisto/
d) /user/demisto/blobs

Answer 40

c) /var/lib/demisto/

Question 41

Q41. Which content is excluded from backup by the Automated Backups feature?

a) incidents
b) scripts and playbooks
c) artifacts and attachments
d) user-defined configurations

Answer 41

c) artifacts and attachments

Question 42

Q42. Which is the best option to manually back up artifacts and attachments?

a) Set Automated Backups to ON.
b) Export the master database in a supported plaintext file format.
c) Select target incidents and click Export.
d) Use the tar command.

Answer 42

d) Use the tar command.

Question 43

Q43. Where is incident data stored?

a) /var/log/demisto/
b) /var/lib/demisto/
c) /var/lib/private/Answer
d) /usr/local/demisto/

Answer 43

b) /var/lib/demisto/

Question 44

Q44. Which Live Backup configuration scheme can you deploy for disaster recovery?

a) active-active
b) active-standby
c) active-active or active-standby
d) DNS round-robin load balancing

Answer 44

b) active-standby

Question 45

Q45. Which three statements are true regarding live backup for distributed database environments? (Choose three.)

a) Live backup enables mirroring of active database servers to passive servers.
b) Active/active configuration is supported.
c) Live Backup converts passive servers to the active database servers in a disaster-recovery case.
d) The failover is dynamic.
e) Live Backup uses a single active server and a single standby server.

Answer 45

a) Live backup enables mirroring of active database servers to passive servers.
c) Live Backup converts passive servers to the active database servers in a disaster-recovery case.
e) Live Backup uses a single active server and a single standby server.

Question 46

Q46. Which installation file is required to install Live Backup on a target backup server?

a) the same file that you use to install Cortex XSOAR on a primary server
b) the Live Backup installer available on the Integrations > Agent Tools page
c) the engine installer that you download from the Integrations > Engines page
d) the live-bckp-server-xxxx.sh file that you download by use of a link sent to DR-Group members

Answer 46

a) the same file that you use to install Cortex XSOAR on a primary server

Question 47

Q47. How do you export all the custom content from a Cortex XSOAR instance?

a) Run a detailed content report.
b) Click Export at the bottom of the Settings > About > Troubleshooting page.
c) Use the !scp custom-all @: command in the graphical CLI.
d) Execute with sudo privileges the send-non-vendor-files.sh script from the Linux command shell.

Answer 47

b) Click Export at the bottom of the Settings > About > Troubleshooting page.

Question 48

Q48. What are two limitations of multitenancy architectures? (Choose two.)

a) Tenants can change the definitions that were set by the main account.
b) Troubleshooting often is very complex.
c) Multitenancy architectures are more complex than Cortex XSOAR Enterprise server architectures.
d) There is complete isolation between tenants.

Answer 48

b) Troubleshooting often is very complex.

d) There is complete isolation between tenants.

Question 49

Q49. Which two indicator types should have an indicator expiration applied when they are consumed from threat intel feeds? (Choose two.)

a) IP address
b) domain
c) file hash
d) ssdeep

Answer 49

a) IP address

b) domain

Question 50

Q50. What are two use cases for analyzing indicators via playbooks? (Choose two.)

a) indicator enrichment
b) pushing indicators to third-party products for enhanced alerting and detection
c) generating finished threat intelligence products
d) static analysis of malware samples

Answer 50

a) indicator enrichment

b) pushing indicators to third-party products for enhanced alerting and detection

Question 51

Q51. Which two configurations are available for threat intel feeds? (Choose two.)

a) fetch incidents
b) source reliability
c) indicator expiration method
d) incident type

Answer 51

b) source reliability

c) indicator expiration method

Question 52

Q52. Which Cortex XSOAR feature enables playbooks to execute against new indicators from threat intel feeds?

a) Feed Triggered Jobs
b) Mapping
c) bring your own integration
d) Export Indicators Service

Answer 52

a) Feed Triggered Jobs

Question 53

Q53. Mapping of threat intel feeds enables which two abilities? (Choose two.)

a) assigning attributes from a threat intel feed to indicator fields
b) applying transforms (e.g., Uppercase) to attributes from threat intel feeds
c) running playbooks against new indicators of compromise
d) integrating threat intel feeds into other Palo Alto Networks products, such as Cortex XDR

Answer 53

a) assigning attributes from a threat intel feed to indicator fields
b) applying transforms (e.g., Uppercase) to attributes from threat intel feeds

Question 54

Q54. How do you change the log level?

a) Edit the /etc/demisto.conf file.
b) Use the Log Level drop-down menu on the Troubleshooting page.
c) Stop the server process and restart it with a –log-level= parameter.
d) Add a custom server parameter services.log.detail with a value of 0, 1, or 2.

Answer 54

b) Use the Log Level drop-down menu on the Troubleshooting page.

Question 55

Q55. When is the basic system configuration information generated for log files in the log bundle?

a) at 00:05 for the current day
b) at the time the log bundle is requested
c) at five minutes past every hour
d) at the same time as the last automatic backup

Answer 55

b) at the time the log bundle is requested

Question 56

Q56. Which type of deployment involves the use of one or more Cortex XSOAR engines?

a) hosted cloud
b) hybrid cloud
c) private cloud
d) protective enclave

Answer 56

b) hybrid cloud

Question 57

Q57. Which Cortex XSOAR infrastructure component do you deploy in a protected network to extend the core server’s capabilities?

a) Live Backup server
b) Cortex XSOAR engine
c) distributed database
d) dev server

Answer 57

b) Cortex XSOAR engine

Question 58

Q58. Incidents are created in which three ways? (Choose three.)

a) manually by a privileged user
b) fetching from other products with the help of integrations
c) using playbooks
d) using the REST API
e) using remote connection feature

Answer 58

a) manually by a privileged user
b) fetching from other products with the help of integrations
d) using the REST API

Question 59

Q59. Which three types of content packs can be downloaded from Marketplace? (Choose three.)

a) playbooks
b) system settings
c) automations
d) use cases
e) integrations

Answer 59

a) playbooks
c) automations
e) integrations

Question 60

Q60. Which type of update is included in Content Pack updates?

a) playbooks
b) incident data
c) core binaries for Cortex XSOAR
d) image files for the web interface

Answer 60

a) playbooks

Question 61

Q61. Which is the distribution point for content-update packages?

a) Marketplace
b) Docker Hub
c) www.demisto.com
d) support.demisto.com

Answer 61

a) Marketplace

Question 62

Q62. What does “installed” status mean for content related to an item listed in the Marketplace?

a) One or more associated integrations are in active use.
b) One or more associated content elements are in active use.
c) The content is downloaded for potential use on the local system.
d) The content is configured for use but could be enabled or disabled.

Answer 62

c) The content is downloaded for potential use on the local system.

Question 63

Q63. What is required to upload content update packages manually?

a) access to Docker Hub
b) use of the tar utility
c) access to the web console of the target server
d) root access to the command line on the target server

Answer 63

c) access to the web console of the target server

Question 64

Q64. Which manual action can you perform by use of the Cortex XSOAR web console to support air-gapped deployments?

a) installation of Docker images
b) execution of the tar command to decompress platform-content archives
c) update of the content repository
d) download of Docker images

Answer 64

c) update of the content repository

Question 65

Q65. Which feature requires you migrate your database to support Cortex XSOAR High Availability (HA)?

a) multitenancy
b) Elasticsearch
c) Network File Share (NFS)
d) HTTP proxy

Answer 65

b) Elasticsearch

Question 66

Q66. While reviewing the d.1log file, you notice the following error message:
Listen tcp :443 bind: permission denied
What is most likely the solution to resolve this error?
a. Change the Cortex XSOAR configuration to allow binding to lower port numbers.
b. Update firewall proxy to allow port 443.
c. Change the URL port number to the correct Cortex XSOAR management port.
d. Enable Apache service on Cortex XSOAR. 6 Web Interface Workflow, Dashboards, and Reports

Answer 66

a. Change the Cortex XSOAR configuration to allow binding to lower port numbers.

Question 67

Q67. Where can the entire history of group interactions involving an attack response be seen?

a) Cortex XSOAR War Room
b) Cortex XDR Incident page
c) AutoFocus
d) WildFire

Answer 67

a) Cortex XSOAR War Room

Question 68

Q68. Which is the correct search query for “incidents that are not jobs and are not closed”?

a) -status:closed -category:job
b) Status is not closed and Category is not job
c) Status!:closed or Category!:job
d) status!=job and category!=job

Answer 68

a) -status:closed -category:job

Question 69

Q69. Which incidents are displayed for the search string owner:””?

a) all incidents
b) all unassigned incidents
c) all incidents with a named owner
d) all incidents that are jobs and thus owned by the system

Answer 69

b) all unassigned incidents

Question 70

Q70. Which permission is required for the display of Dashboard widgets?

a) read permission for investigation data
b) read/write permission for investigations
c) page-access permission for the Reports page
d) no permission required

Answer 70

a) read permission for investigation data

Question 71

Q71. Which two options describe dashboard widgets? (Choose two.)

a) A widget’s display layout cannot be changed.
b) A widget’s timeframe can be edited.
c) A widget’s data query can be set.
d) A widget’s size cannot be set.

Answer 71

b) A widget’s timeframe can be edited.

c) A widget’s data query can be set.

Question 72

Q72. How do you specify the data to use in a widget applied to a dashboard or a report?

a) Enter a custom or an out-of-the-box automation script.
b) Select one or more incident fields from drop-down menus.
c) Drag and drop data fields, filtered by the context of the widget.
d) Use the same query syntax that is supported on the Incidents page.

Answer 72

d) Use the same query syntax that is supported on the Incidents page.

Question 73

Q73. What is the process for dashboard creation and modification in Cortex XSOAR?

a) Cortex XSOAR includes tools to make dashboard creation and modification easy.
b) Dashboard creation and modification can be achieved only through the partner support website.
c) Integrations create and modify dashboards depending on the API capabilities of third-party products.
d) Automated tasks in playbooks create and modify dashboards as appropriate, depending on the incidents they are associated with.

Answer 73

a) Cortex XSOAR includes tools to make dashboard creation and modification easy.

Question 74

Q74. If disk use is 45 percent, which color is the disk status indicator on the System Health dashboard?

a) green
b) yellow
c) red
d) black

Answer 74

a) green

Question 75

Q75. Which two statements are true regarding preconfigured system reports? (Choose two.)

a) They cannot be directly modified.
b) They can be modified by creating a copy.
c) They cannot be exported.
d) They cannot be run by an analyst directly.

Answer 75

a) They cannot be directly modified.

b) They can be modified by creating a copy.