PCSAE exam Flashcards

1
Q
Question #1, Topic 1
Which two advanced attributes can be applied to incident fields when editing? (Choose two.)
A. Set a field trigger script
B. Associate to an incident type
C. Change field type
D. Change field name
A

Correct Answer: AB
Reference:
https://docs.servicenow.com/bundle/quebec-it-service-management/page/product/incident-management/reference/incident-management-properties.html

2
Q
Question #2, Topic 1
Given an incident with three files, how could the name of the second file be referenced?
A. ${Files.[2].Name}
B. ${Files.Name.[2]}
C. ${File.[1].Name}
D. ${File.Name.[1]}
A

Correct Answer: B

3
Q
Question #3, Topic 1
Which component can be part of a load balancing group?
A. Distributed database
B. D2 agent
C. Engine
D. Load balancing server
A

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/engines/understand-demisto-engines.html

4
Q
Question #4, Topic 1
Which method accesses a field called 'User Mail' in a playbook?
A. ${incident.usermail}
B. ${incident.User Mail}
C. ${incident.UserMail}
D. ${usermail}
A

Correct Answer: A

5
Q

Question #5, Topic 1
A SOC manager built a dashboard and would like to share the dashboard with other team members.
How would the SOC manager create a dashboard that meets this requirement?
A. Manually share the dashboard through user emails
B. Dashboard is shared to all XSOAR users
C. Propagate the dashboard based on SAML authentication
D. Dashboard is shared to all XSOAR users in a selected role

A

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/dashboards/share-a-dashboard.html

6
Q
Question #6, Topic 1
Which two methods will allow data to be saved in incident fields within a playbook? (Choose two.)
A. setFields
B. Field mapping
C. setIncident
D. Layout inline editing
A

Correct Answer: BC

7
Q
Question #8, Topic 1
Which built-in automation/command can be used to change an incident's type?
A. setIncident
B. Set
C. GetFieldsByIncidentType
D. modifyIncidentFields
A

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents-management/incident-fields/field-trigger-scripts.html

8
Q

Question #9, Topic 1
An engineer notices that playbooks only start once the user clicks the 'investigate' button and he/she would like the playbook to start automatically.
How can this be implemented?
A. Add the playbook to the integration's settings
B. Select 'Run playbook automatically' from the incident type settings
C. Add the !startinvestigation automation to the beginning of the playbook
D. Select 'Run playbook automatically' from the integration settings

A

Correct Answer: A
Seems: B is correct
B. Select 'Run playbook automatically' from the incident type settings

9
Q

Question #10, Topic 1
Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)
A. The 'Fetches Incidents' option may not have been enabled
B. There are no new events from the external service
C. The first fetch should be manually triggered to start the fetching process
D. It can take up to 1-hour before incidents are initially fetched

A

Correct Answer: AC

10
Q
Question #11, Topic 1
Which two capabilities do Automation script settings include? (Choose two.)
A. Define 'parameters'
B. Correlate to incident types
C. Define 'outputs'
D. Set password protection
A

Correct Answer: BD

11
Q

Question #13, Topic 1
What is a primary use case of data collection tasks?
A. To allow multi-question surveys without authentication restrictions
B. To automate tasks such as parsing a file or enriching indicators
C. To generate new widgets for a dashboard
D. To determine different paths in a playbook

A

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbook-tasks/communication-tasks/create-a-data-collection-task.html

12
Q

Question #14, Topic 1
In which three locations can an engineer try to find information, when troubleshooting a failed integration instance error produced by the test button? (Choose three.)
A. The audit log
B. The log bundle
C. The source code for an integration
D. The error message returned directly below the button
E. The playground war room

A

Correct Answer: BCD

13
Q

Question #15, Topic 1
Which two statements describe how timers are configured to start and stop automatically in a playbook? (Choose two.)
A. Use a field of Number to count the number of seconds elapsed between two tasks
B. After the playbook has run, calculate the total time taken and set the timer field with this value
C. To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation stopTimer
D. From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on

A

Correct Answer: BD

Correct: CD

14
Q
Question #16, Topic 1
How long is the trial period for paid content packs?
A. 30 days
B. 14 days
C. 7 days
D. 60 days
A

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions.html

15
Q

Question #17, Topic 1
After enriching a username using Active Directory, an engineer would like to send an email to the user's manager. However, this functionality is not part of the command output. The engineer checks with raw-response=true and notices that the manager's email is returned, but not saved in the context.
How can the engineer save the data so it will be accessible?
A. Mark ignore output = true
B. Use extend-context
C. Use raw-response = save
D. Mark ignore input = true

A

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/extend-context/extend-context-using-the-command-line.html

16
Q

Question #18, Topic 1
Where can engineers add the post-processing scripts to incidents?
A. The post-processing tag must be added to the automation
B. Post-processing scripts must be added at the end of playbooks
C. Post-processing scripts must be added from the Incident Type editor
D. Post-processing scripts must be added from the Post-Process Rules editor

A

Correct Answer: C

17
Q

Question #19, Topic 1
An engineer would like to present a trend using widgets to compare to a previous week's data.
Which two methods will allow the engineer to meet the requirement? (Choose two.)
A. Create widget of type Line, check 'Display Trend' and define as 7 days ago
B. Create a custom widget using a new incident query
C. Create widget of type Number, check 'Display Trend' and define as 7 days ago
D. Create a custom widget using a script

A

Correct Answer: AD

18
Q

Question #20, Topic 1
What happens when an integration is deprecated?
A. The integration commands in a playbook can no longer be used
B. The integration commands can be used, but it is recommended to update to the latest content pack
C. The configuration settings will be lost and the integration will no longer function
D. The integration commands in a playbook can be used, but it will fail at runtime

A

Correct Answer: C

19
Q
Question #21, Topic 1
Which investigation element is best suited for collaboration among users?
A. Work Plan
B. Related Incidents
C. War Room
D. Context Data
A

Correct Answer: D

Comment: Correct: C

Reference:
https://blog.paloaltonetworks.com/2020/01/cortex-security-operations/

20
Q
Question #22, Topic 1
Which three support types are included in the Marketplace Content Packs? (Choose three.)
A. Customer supported
B. Cortex XSOAR supported
C. Community supported
D. Partner supported
E. Prisma Cloud supported
A

Correct Answer: BCD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-overview/content-packs-support-types.html

21
Q
Question #23, Topic 1
Which three authentication methods are supported when logging into XSOAR? (Choose three.)
A. OTP token
B. User name and password
C. SAML
D. Active Directory authentication
E. RADIUS
A

Correct Answer: CDE

Seems: B,C,D
Comment: No radius but username / password instead

Reference:
https://www.paloguard.com/GlobalProtect.asp

22
Q
Question #24, Topic 1
Which two components have their own context data? (Choose two.)
A. Sub-playbook
B. Task
C. Field
D. Incident
A

Correct Answer: AD

23
Q

Question #25, Topic 1
What are two main uses of context data? (Choose two.)
A. Store incident information in JSON format
B. Store incident information in XML format
C. Pass data between playbook tasks
D. Pass data between to-do tasks

A

Correct Answer: AC
Reference:
https://xsoar.pan.dev/docs/integrations/context-and-outputs#:~:text=The%20main%20use%20of%20the,the%20Context%20and%20uses%20it

24
Q

Question #26, Topic 1
Multiple company assets were reported by vulnerability scanners as being vulnerable to CVE-2017-11882. This vulnerability affects applications installed on workstations. The SOC team needs to take action and apply the new vulnerability patch that was just released. The team must first create a case for each of the identified assets in ServiceNow IT Service Management (ITSM), in order to notify the IT department. Next, the team creates a task in the main playbook, which extracts the list of assets from the scanner report.
After the list of assets is created, what are the two solutions that the SOC team could take so that a case could be created and a patch installed? (Choose two.)
A. Create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Condition: AreValuesEqual - Exit on yes - left:1, right 1) and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
B. Create a sub-playbook with a single input containing the computer names that will loop 'For Each Input' and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
C. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Exit condition: iterator contains the count of the number of items in the list) and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
D. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Exit condition: iterator equal to the count of the number of items in the list) and perform the following tasks: - Increase the iterator value by one each time - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent

A

Correct Answer: BD

25
Q

Question #27, Topic 1
When creating a new tab in the layout, which section cannot be added?
A. Retrieve widget chart based on script
B. Related incidents
C. War room entries picked by entry query
D. Incident team members

A

Correct Answer: A

26
Q

Question #28, Topic 1
In which two ways can data be transferred between playbooks and sub-playbooks? (Choose two.)
A. Inputs and outputs
B. Through integration context
C. Automatically extracted by sub-playbooks
D. From context data, if context is shared globally

A

Correct Answer: AD

27
Q

Question #29, Topic 1
By default, which components does an XSOAR implementation include?
A. XSOAR server, XSOAR engine
B. Application server, distributed DB server
C. Application server, distributed DB server, Backup server
D. All in one server

A

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/installation/install-demisto-on-a-physical-or-virtual-server.html

28
Q

Question #31, Topic 1
Which three statements are true about the Marketplace? (Choose three.)
A. Allows reverting back to a previous version of a content pack
B. Enables users to participate in the community by sharing content
C. Publishes content without additional review from the Cortex XSOAR team
D. Allows uploading of content in additional languages
E. Offers granularity in installation through content packs

A

Correct Answer: BCD

Comment: C is not true, it should be A instead.

29
Q
Question #32, Topic 1
What can be added to offload integration instance processing from the main server?
A. Database node
B. Application server
C. Engine
D. Development server
A

Correct Answer: A

30
Q
Question #33, Topic 1
Which XSOAR architecture would be recommended for Managed Security Service Providers (MSSP)?
A. Multi-region
B. Dev-Prod
C. Multi-tenant
D. Distributed database
A

Correct Answer: C
Reference:
https://www.ncsi.com/wp-content/uploads/2020/11/cortex-xsoar.pdf

31
Q
Question #34, Topic 1
An incident field is created having the display name as Source_IP.
How can the field be accessed?
A. ${incident.sourceip}
B. ${incident.Source_IP}
C. ${incident.srcip}
D. ${incident.Source IP}
A

Correct Answer: C

32
Q

Question #36, Topic 1
An engineer deployed two different instances of Active Directory for each organization site. As part of an account enrichment use case, the engineer would like to delete a user from one specific site.
Which command will accomplish this?
A. run 'ad-delete-user' command with 'user-dn' arg and using-brand="Active Directory Query v2"
B. run 'ad-delete-user' command with 'user-dn' arg and raw-response=true
C. run 'ad-delete-user' command with 'user-dn' arg and ignore-outputs=true
D. run 'ad-delete-user' command with 'user-dn' arg and using="Active Directory Query v2_instance_1"

A

Correct Answer: A

Comment: D is the correct answer

33
Q

Question #37, Topic 1
An engineer is developing a playbook that will be run multiple times for testing purposes.
What is the recommended first task to be used in the playbook?
A. DeleteContext
B. GenerateTest
C. PrintContext
D. SetContext

A

Correct Answer: A
Comment: A - Correct
Reference:
https://xsoar.pan.dev/docs/integrations/test-playbooks

34
Q

Question #38, Topic 1
What is the most effective way to correlate multiple raw events coming from a SIEM and link them together?
A. Process all alerts by running the respective playbook and link related incidents during post-processing
B. Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together
C. Configure a pre-process rule to link related events as they are ingested
D. Manually go through the incidents created by the raw events and link related incidents

A

Correct Answer: A

35
Q
Question #39, Topic 1
Which two incident search queries are valid? (Choose two.)
A. created:>="7 days"
B. owner===admin
C. role is Analyst
D. status:closed -category:job
A

Correct Answer: AD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/cortex-xsoar-overview/how-to-search-in-cortex-xsoar.html

36
Q

Question #40, Topic 1
What is the correct expression to use when filtering only PDF files?
A. Use File.Extension that does not equal (string comparison) PDF
B. Use File.Name contains PDF
C. Use File.Extension contains (general) PDF
D. Use File.Extension equals (string comparison) PDF

A

Correct Answer: B

Comment: D is correct answer

37
Q
Question #41, Topic 1
What are possible war room result (entry) types?
A. Context, file, error, image
B. Note, indicator, error, image
C. Video, file, error, image
D. Note, file, error, image
A

Correct Answer: B

Comment: D is the correct answer

38
Q

Question #42, Topic 1
An engineer asked for a specific command in an integration but the capability does not exist. The engineer decided to edit the existing integration by copying the integration and adding the needed commands.
What is the main concern when adding these commands?
A. The commands must return a proper result to the war room for the analysts to understand
B. The code may not be written to XSOAR standards
C. The integrations are locked and cannot be edited with additional commands
D. The custom integration will not be maintained and updated by XSOAR content team

A

Correct Answer: C

Comment: D is the correct answer

39
Q
Question #43, Topic 1
How is data transferred between playbook tasks?
A. Read/Write from context data
B. Over war room results
C. Input from the indicator page
D. Directly from a previous task
A

Correct Answer: A

40
Q

A large number of incidents were deleted by mistake.
Which two architecture components can be used to recover the lost data? (Choose two.)
A. Live backup
B. Engine
C. Distributed database
D. Local backup

A

Correct Answer: AD

41
Q

Question #45, Topic 1
Which two statements accurately describe layouts? (Choose two.)
A. Layouts override classification and mapping
B. New tabs can be added to the incident layout
C. Layouts can display incident information and custom fields
D. Layouts add or remove custom fields from an incident type

A

Correct Answer: BC

42
Q

An engineer's organization system is registered in the following manner: . The engineer created a new indicator type for detecting systems using regex. The engineer would now like the username to be created as a separate 'User' indicator automatically once a system is found.
What is the most efficient way for the engineer to achieve this?
A. Create a custom indicator field named 'username' and link it to the internal system indicator
B. Change the reputation command for the internal system indicator type
C. Create a new indicator type of the internal username and set a formatting script to extract only the username
D. Create a new indicator type of the internal username and have the regex included on any string that has a dash at the beginning

A

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-threat-intel-management-guide/manage-indicators/understand-indicators/indicator-types/indicator-type-profile

43
Q

Question #47, Topic 1
Which two options are the most effective for moving content between two environments? (Choose two.)
A. Remote repository based content sharing
B. UI based content import/export button
C. Copy the content backup from one environment file system (/var/lib/demisto/backup/content-backup-*) and move it to the other environment
D. Download the content items separately and upload them to the other environment

A

Correct Answer: AC
Seems AC is correct
Comment: A,B is correct.
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/migrate-data-to-another-server-for-multi-tenant.html

44
Q

Question #48, Topic 1
Which three options can be defined in the layout settings? (Choose three.)
A. Set of fields to present
B. Permission to view the tab based on 'Users'
C. Permission to view the tab based on 'Roles'
D. Delete built-in tabs including the war room
E. Dynamic sections

A

Correct Answer: ACE
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/incidents/customize-incident-view-layouts/customize-incident-layouts.html

45
Q
Question #49, Topic 1
What can be used as integration parameters?
A. URL, API key, port
B. URL, certificate, image
C. Token, query, playbook
D. User-password, csv file, query
A

Correct Answer: A

46
Q
Question #50, Topic 1
Which two features does XSOAR offer to help recover from a server failure? (Choose two.)
A. Live backup (disaster recovery)
B. Distributed database
C. Backup data to XSOAR engines
D. Local backup
A

Correct Answer: AC

Comment: A,D is the correct answer

47
Q
Question #51, Topic 1
When uploading content, which two options could the upload include? (Choose two.)
A. Indicators
B. Incidents
C. Reports
D. Fields
A

Correct Answer: AB

Comment: A,D is correct

48
Q

Question #52, Topic 1
An engineer defined a dashboard which allows important metrics to be displayed. The engineer would like to make this dashboard the default dashboard.
How can it be accomplished?
A. Default Dashboard can be defined by 'Role'
B. Use the server configuration key: default.dashboards
C. Save the dashboard as a widget and apply it to all users
D. Right click on the dashboard tab and 'Set as Default'

A

Correct Answer: D
Comment: Correct answer is A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/monitoring/cortex-xdr-dashboard/manage-dashboards.html

49
Q

Question #53, Topic 1
How would context data be filtered to receive only malicious indicator values with DBotScore?
A. Get DBotScore.value where DBotScore.Score (Larger or equals) 4
B. Get DBotScore.value where DBotScore.Score (equals (int)) 3
C. Get DBotScore where DBotScore.Score (Larger than) 1
D. Get DBotScore where DBotScore.Score (Larger or equals) 2

A

Correct Answer: B
Reference:
https://github.com/demisto/content/blob/master//Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/README.md

50
Q

Question #54, Topic 1
Can an automation script execute an integration command and an integration command execute an automation script?
A. An automation script cannot execute an integration command and an integration command cannot execute an automation script
B. An automation script can execute an integration command and an integration command cannot execute an automation script
C. An automation script cannot execute an integration command and an integration command can execute an automation script
D. An automation script can execute an integration command and an integration command can execute an automation script

A

Correct Answer: B

51
Q

Question #55, Topic 1
Which two options will troubleshoot an integration's fetch incidents command? (Choose two.)
A. In the instance settings, enable the fetch incidents parameter and wait for one minute
B. Create a one task playbook with a fetch-incident command
C. execute !-fetch
D. execute !-fetch

A

Correct Answer: AC

if demisto.command() == 'fetch-incidents':

Reference:
https://xsoar.pan.dev/docs/integrations/fetching-incidents

52
Q

Question #57, Topic 1
Incidents need to be filtered by all of the following criteria:
1. Status - Pending
2. Exclude Category - Job
3. Severity - High
4. Owner - None (No owner assigned)
5. Type - Phishing
6. Email Subject - "You have won a million dollars"
What is the correct query syntax for the above incident search filter?
A. status=="Pending" && category!="job" && severity=="High" && owner=="None" && type=="Phishing" && emailsubject=="You have won a million dollars"
B. Status:Pending and -Category:job and Severity:High and Owner:"" and Type:Phishing and Email Subject:You have won a million dollars
C. status:Pending and -category:job and severity:High and owner:"" and type:Phishing and emailsubject:"You have won a million dollars"
D. status:Pending or -category:job or severity:High or owner:"" or type:Phishing or emailsubject:"You have won a million dollars"

A

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/cortex-xsoar-overview/how-to-search-in-cortex-xsoar.html#idcd7fe505-c1c1-42f5-a698-08b5710196d3

53
Q
Question #58, Topic 1
What does Script helper contain?
A. Available commands
B. Permission settings
C. Automation version history
D. Automation timeout configuration
A

Correct Answer: A
Reference:
https://xsoar.pan.dev/docs/concepts/xsoar-ide

54
Q

Question #59, Topic 1
When mapping incoming data to incident fields, which statement is correct?
A. Data that is not mapped is placed under labels
B. Only text fields are classified
C. Classification cannot be used if mapping is enabled
D. Every incoming field must be mapped

A

Correct Answer: D
Comment: A is correct answer
Reference:
https://xsoar.pan.dev/docs/incidents/incident-classification-mapping

55
Q

Question #60, Topic 1
Which two situations would an engineer consider when configuring classification and mapping for an incident type? (Choose two.)
A. When creating incidents from the XSOAR REST API
B. When manually creating an incident from the UI
C. When adding a new analyst account to XSOAR
D. When fetching many different incident types from a single mailbox

A

Correct Answer: AB

Comment: A,D is the correct answer

56
Q
Question #61, Topic 1
Which two options may be added when a content pack is being installed? (Choose two.)
A. Lists
B. Roles
C. Other content packs
D. Indicator layouts
A

Correct Answer: AB

Comment: Lol, C,D is the correct answer

57
Q
Question #62, Topic 1
Which three scripting languages can an engineer use to write XSOAR automations? (Choose three.)
A. Python
B. Perl
C. Go
D. JavaScript
E. PowerShell
A

Correct Answer: ADE
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/automations.html

58
Q

Question #63, Topic 1
What are two primary uses of standard tasks? (Choose two.)
A. To highlight different paths in a playbook
B. To generate new widgets for a dashboard
C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators

A

Correct Answer: BD
Comment: C,D is correct
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbooks-overview.html

59
Q

Question #64, Topic 1
An engineer would like to change an incident's SLA according to the severity field changes.
How can the engineer achieve this task?
A. Use a field trigger script
B. Use a field display script
C. Create a job that queries for incident severity changes
D. Change the SLA manually every time the severity changes

A

Correct Answer: B
Comment: A is correct
Reference:
https://xsoar.pan.dev/docs/incidents/incident-fields

60
Q
Question #65, Topic 1
What are three different loop types in a playbook? (Choose three.)
A. Automation
B. Built-in
C. Data collection
D. Conditional
E. For-each
A

Correct Answer: ABE - Correct

61
Q

Question #66, Topic 1
What are two common use cases for conditional tasks? (Choose two.)
A. They are used for branching paths in a playbook
B. They are used to interact with users through survey functionality
C. They are used to determine which incident will be executed
D. They are used for sending a specific question to a person or team

A

Correct Answer: AC
Comment: A,D is the correct answer

Reference:
https://docs-new.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/cortex-xsoar-overview/use-cases.html#id7b31e50b-5aca-4d65-bdb5-ba61b4eac0b4

62
Q

Question #67, Topic 1
An engineer wants to customize the regex for the default IP indicator type.
How can this change be implemented?
A. Create a new indicator type and disable the built-in IP indicator
B. Edit the regex of the default IP Indicator
C. Add a new server configuration key that will overwrite the default regex of the IP indicator
D. Delete the default IP indicator

A

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-indicators/understand-indicators/indicator-types/indicator-type-profile.html

63
Q

Question #68, Topic 1
In which two scenarios would it be appropriate to implement a loop for a sub-playbook? (Choose two.)
A. In repetitive process flows to iterate for each playbook input
B. When continuously ingesting incidents from third-party systems
C. In repetitive process flows with no more than 10 loops
D. In repetitive processes that require sub-playbook re-execution

A

Correct Answer: AB

Comment: A,D is correct

64
Q

Which configuration is a valid distributed database (DB) implementation?
A. 2 main DBs, 1 application server, 2 node servers
B. 1 main DB, 1 application server, 3 node servers
C. 2 application servers, 1 main DB, 1 node server
D. 1 application server, 2 main DBs, 1 node server

A

Correct Answer: C

Comment: B is correct

65
Q

Question #70, Topic 1
An engineer would like to add a custom field to the New Job form for a job triggered from a threat intel feed.
How would the engineer implement this?
A. The new job form changes based on the threat intel feed integration configuration
B. The new job form can be edited from the Indicator Feed incident type editor
C. The new job form for a threat intel feed job cannot be edited
D. The new job form can be edited from the threat intel feeds integration settings

A

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-threat-intel-management-guide/manage-indicators/understand-indicators/create-a-feed-based-job.html

66
Q

Question #71, Topic 1
An automation returned an output called: csvReport.
What filter would be used to check if the automation returned results?
A. Contains/Includes
B. Equals/Matches
C. In/In list
D. Is defined/Exist

A

Correct Answer: B

Comment: D is correct.

67
Q

Question #72, Topic 1
What is the difference between labels and fields?
A. Fields can be used in playbooks and labels cannot
B. Fields are indexed in the database and labels are not
C. Labels can be used in queries and fields cannot
D. Labels are indexed in the database and fields are not

A

Correct Answer: C

68
Q
Question #73, Topic 1
What is the default task type when creating an empty task?
A. Standard (Manual)
B. Conditional
C. Section header
D. Standard (Automated)
A

Correct Answer: B
Comment: A is the correct answer. (Seems this one is correct)
Comment: B - Correct

Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbook-tasks/playbook-task-fields.html

69
Q

Question #74, Topic 1
Which two methods are used to add new content to the XSOAR Content Repository? (Choose two.)
A. Create content and add it to the standard content by contributing through the Marketplace
B. Use the XSOAR GitHub Contribution Guide to add the contribution to the standard content
C. Create a support ticket with the custom content for review by the support team
D. Any custom content will be automatically uploaded to the content repository

A

Correct Answer: AD

Comment: A, B are correct

70
Q
Question #75Topic 1
In which two options can an automation script be executed? (Choose two.)
A. Engine
B. Integration
C. War room
D. Playbook
A

Correct Answer: CD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/automations.html

71
Q
Question #76Topic 1
By default, automation written in which language will be executed in a Docker container?
A. Python
B. Go
C. JavaScript
D. Perl
A

Correct Answer: B

Comment: A - Correct

72
Q

Question #77Topic 1
What is the correct definition regarding integration parameters and command arguments?
A. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
B. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
C. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
D. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.

A

Correct Answer: A
Comment: D - Correct

Reference:
https://xsoar.pan.dev/docs/tutorials/tut-integration-ui

73
Q
Question #78Topic 1
In which two locations can filters and transformers be used in XSOAR? (Choose two.)
A. Classification and Mapping
B. Playbook Tasks
C. Evidence Fields
D. Incident Fields
A

Correct Answer: BD
Comment: A, B seems correct to me.

Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/filters-and-transformers.html

74
Q

Question #79Topic 1
Which three actions can an engineer take on the troubleshooting page? (Choose three.)
A. Download the debug log bundle
B. Put the XSOAR server in maintenance mode
C. View and modify server configuration settings
D. Export and import custom content
E. View a list of server administrators

A

Correct Answer: ABC

75
Q

Question #80Topic 1
An XSOAR Engineer has developed a playbook and would like to contribute it to the XSOAR Marketplace to share with other users.
Which two options are available to the Engineer for contributing to the Marketplace? (Choose two.)
A. Open a ticket with the XSOAR support team
B. Create a pull request directly on Github
C. Contribute through the XSOAR UI
D. Send an email to contributions@xsoar.com

A

Correct Answer: BC

76
Q
Question #81Topic 1
Which two input requirements are needed to train a machine learning model? (Choose two.)
A. 3000 Incidents
B. Incident Field
C. Verdict Label
D. Incident Type
A

Correct Answer: BD
Comment: B, C are correct
Comment: B&D - Correct

Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/machine-learing-models/machine-learning-models-overview.html

77
Q

Question #82Topic 1
Which two solutions are available to scale an overloaded XSOAR environment? (Choose two.)
A. Add a distributed database server
B. Add an indexing server
C. Add a live backup server (disaster recovery)
D. Add an engine

A

Correct Answer: AC

Comment: A,D are the correct answers.

78
Q

Question #83Topic 1
Management would like to get an incident report automatically following an incident's closure.
How would this be accomplished?
A. Define a task in a playbook to generate an incident report before the closure occurs
B. Manually create an 'Incident Report'
C. Configure post-processing using a script
D. Create an 'Incident Report' from the Reports page

A

Correct Answer: D

Comment: C is the correct answer

79
Q

Question #84Topic 1
Which two reasons would lead an engineer to create a custom widget? (Choose two.)
A. To visualize server configuration keys
B. To visualize XSOAR list data
C. To visualize complex incident data calculations
D. To visualize context data
E. To visualize a custom query

A

Correct Answer: DE
Reference:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-admin.pdf/cortex-xsoar-admin.pdf