PCSAE exam Flashcards
Question #1 Topic 1
Which two advanced attributes can be applied to incident fields when editing? (Choose two.)
A. Set a field trigger script
B. Associate to an incident type
C. Change field type
D. Change field name
Correct Answer: AB
Reference:
https://docs.servicenow.com/bundle/quebec-it-service-management/page/product/incident-management/reference/incident-management-properties.html
Question #2 Topic 1
Given an incident with three files, how could the name of the second file be referenced?
A. ${Files.[2].Name}
B. ${Files.Name.[2]}
C. ${File.[1].Name}
D. ${File.Name.[1]}
Correct Answer: B
Question #3 Topic 1
Which component can be part of a load balancing group?
A. Distributed database
B. D2 agent
C. Engine
D. Load balancing server
Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/engines/understand-demisto-engines.html
Question #4 Topic 1
Which method accesses a field called ‘User Mail’ in a playbook?
A. ${incident.usermail}
B. ${incident.User Mail}
C. ${incident.UserMail}
D. ${usermail}
Correct Answer: A
Question #5 Topic 1
A SOC manager built a dashboard and would like to share the dashboard with other team members.
How would the SOC manager create a dashboard that meets this requirement?
A. Manually share the dashboard through user emails
B. Dashboard is shared to all XSOAR users
C. Propagate the dashboard based on SAML authentication
D. Dashboard is shared to all XSOAR users in a selected role
Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/dashboards/share-a-dashboard.html
Question #6 Topic 1
Which two methods will allow data to be saved in incident fields within a playbook? (Choose two.)
A. setFields
B. Field mapping
C. setIncident
D. Layout inline editing
Correct Answer: BC
Question #8 Topic 1
Which built-in automation/command can be used to change an incident’s type?
A. setIncident
B. Set
C. GetFieldsByIncidentType
D. modifyIncidentFields
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents-management/incident-fields/field-trigger-scripts.html
Question #9 Topic 1
An engineer notices that playbooks only start once the user clicks the ‘investigate’ button and he/she would like the playbook to start automatically.
How can this be implemented?
A. Add the playbook to the integration’s settings
B. Select ‘Run playbook automatically’ from the incident type settings
C. Add the !startinvestigation automation to the beginning of the playbook
D. Select ‘Run playbook automatically’ from the integration settings
Correct Answer: A
Seems: B is correct
B. Select ‘Run playbook automatically’ from the incident type settings
Question #10 Topic 1
Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)
A. The ‘Fetches Incidents’ option may not have been enabled
B. There are no new events from the external service
C. The first fetch should be manually triggered to start the fetching process
D. It can take up to 1-hour before incidents are initially fetched
Correct Answer: AC
Question #11 Topic 1
Which two capabilities do Automation script settings include? (Choose two.)
A. Define ‘parameters’
B. Correlate to incident types
C. Define ‘outputs’
D. Set password protection
Correct Answer: BD
Question #13 Topic 1
What is a primary use case of data collection tasks?
A. To allow multi-question surveys without authentication restrictions
B. To automate tasks such as parsing a file or enriching indicators
C. To generate new widgets for a dashboard
D. To determine different paths in a playbook
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbook-tasks/communication-tasks/create-a-data-collection-task.html
Question #14 Topic 1
In which three locations can an engineer try to find information, when troubleshooting a failed integration instance error produced by the test button? (Choose three.)
A. The audit log
B. The log bundle
C. The source code for an integration
D. The error message returned directly below the button
E. The playground war room
Correct Answer: BCD
Question #15 Topic 1
Which two statements describe how timers are configured to start and stop automatically in a playbook? (Choose two.)
A. Use a field of Number to count the number of seconds elapsed between two tasks
B. After the playbook has run, calculate the total time taken and set the timer field with this value
C. To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation stopTimer
D. From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on
Correct Answer: BD
Correct: CD
Question #16 Topic 1
How long is the trial period for paid content packs?
A. 30 days
B. 14 days
C. 7 days
D. 60 days
Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions.html
Question #17 Topic 1
After enriching a username using Active Directory, an engineer would like to send an email to the user’s manager. However, this functionality is not part of the command output. The engineer checks with raw-response=true and notices that the manager’s email is returned, but not saved in the context.
How can the engineer save the data so it will be accessible?
A. Mark ignore output = true
B. Use extend-context
C. Use raw-response = save
D. Mark ignore input = true
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/extend-context/extend-context-using-the-command-line.html
Question #18 Topic 1
Where can engineers add the post-processing scripts to incidents?
A. The post-processing tag must be added to the automation
B. Post-processing scripts must be added at the end of playbooks
C. Post-processing scripts must be added from the Incident Type editor
D. Post-processing scripts must be added from the Post-Process Rules editor
Correct Answer: C
Question #19 Topic 1
An engineer would like to present a trend using widgets to compare to a previous week’s data.
Which two methods will allow the engineer to meet the requirement? (Choose two.)
A. Create widget of type Line, check ‘Display Trend’ and define as 7 days ago
B. Create a custom widget using a new incident query
C. Create widget of type Number, check ‘Display Trend’ and define as 7 days ago
D. Create a custom widget using a script
Correct Answer: AD
Question #20 Topic 1
What happens when an integration is deprecated?
A. The integration commands in a playbook can no longer be used
B. The integration commands can be used, but it is recommended to update to the latest content pack
C. The configuration settings will be lost and the integration will no longer function
D. The integration commands in a playbook can be used, but it will fail at runtime
Correct Answer: C
Question #21 Topic 1
Which investigation element is best suited for collaboration among users?
A. Work Plan
B. Related Incidents
C. War Room
D. Context Data
Correct Answer: D
Comment: Correct: C
Reference:
https://blog.paloaltonetworks.com/2020/01/cortex-security-operations/
Question #22 Topic 1
Which three support types are included in the Marketplace Content Packs? (Choose three.)
A. Customer supported
B. Cortex XSOAR supported
C. Community supported
D. Partner supported
E. Prisma Cloud supported
Correct Answer: BCD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-overview/content-packs-support-types.html
Question #23 Topic 1
Which three authentication methods are supported when logging into XSOAR? (Choose three.)
A. OTP token
B. User name and password
C. SAML
D. Active Directory authentication
E. RADIUS
Correct Answer: CDE
Seems: B,C,D
Comment: No radius but username / password instead
Reference:
https://www.paloguard.com/GlobalProtect.asp
Question #24 Topic 1
Which two components have their own context data? (Choose two.)
A. Sub-playbook
B. Task
C. Field
D. Incident
Correct Answer: AD
Question #25 Topic 1
What are two main uses of context data? (Choose two.)
A. Store incident information in JSON format
B. Store incident information in XML format
C. Pass data between playbook tasks
D. Pass data between to-do tasks
Correct Answer: AC
Reference:
https://xsoar.pan.dev/docs/integrations/context-and-outputs#:~:text=The%20main%20use%20of%20the,the%20Context%20and%20uses%20it
Question #26 Topic 1
Multiple company assets were reported by vulnerability scanners as being vulnerable to CVE-2017-11882. This vulnerability affects applications installed on workstations. The SOC team needs to take action and apply the new vulnerability patch that was just released. The team must first create a case for each of the identified assets in ServiceNow IT Service Management (ITSM), in order to notify the IT department. Next, the team creates a task in the main playbook, which extracts the list of assets from the scanner report.
After the list of assets is created, what are the two solutions that the SOC team could take so that a case could be created and a patch installed? (Choose two.)
A. Create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Condition: AreValuesEqual — Exit on yes — left:1, right 1) and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
B. Create a sub-playbook with a single input containing the computer names that will loop ‘For Each Input’ and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
C. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Exit condition: iterator contains the count of the number of items in the list) and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
D. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Exit condition: iterator equal to count of the number of item in the list) and perform the following tasks: - Increase the iterator value by one each time - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
Correct Answer: BD
Question #27 Topic 1
When creating a new tab in the layout, which section cannot be added?
A. Retrieve widget chart based on script
B. Related incidents
C. War room entries picked by entry query
D. Incident team members
Correct Answer: A
Question #28 Topic 1
In which two ways can data be transferred between playbooks and sub-playbooks? (Choose two.)
A. Inputs and outputs
B. Through integration context
C. Automatically extracted by sub-playbooks
D. From context data, if context is shared globally
Correct Answer: AD
Question #29 Topic 1
By default, which components does an XSOAR implementation include?
A. XSOAR server, XSOAR engine
B. Application server, distributed DB server
C. Application server, distributed DB server, Backup server
D. All in one server
Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/installation/install-demisto-on-a-physical-or-virtual-server.html
Question #31 Topic 1
Which three statements are true about the Marketplace? (Choose three.)
A. Allows reverting back to a previous version of a content pack
B. Enables users to participate in the community by sharing content
C. Publishes content without additional review from the Cortex XSOAR team
D. Allows uploading of content in additional languages
E. Offers granularity in installation through content packs
Correct Answer: BCD
Comment: C is not true, it should be A instead.
Question #32 Topic 1
What can be added to offload integration instance processing from the main server?
A. Database node
B. Application server
C. Engine
D. Development server
Correct Answer: A
Question #33 Topic 1
Which XSOAR architecture would be recommended for Managed Security Service Providers (MSSP)?
A. Multi-region
B. Dev-Prod
C. Multi-tenant
D. Distributed database
Correct Answer: C
Reference:
https://www.ncsi.com/wp-content/uploads/2020/11/cortex-xsoar.pdf
Question #34 Topic 1
An incident field is created having the display name as Source_IP. How can the field be accessed?
A. ${incident.sourceip}
B. ${incident.Source_IP}
C. ${incident.srcip}
D. ${incident.Source IP}
Correct Answer: C