PCSAE exam

Question 1

Question #1Topic 1
Which two advanced attributes can be applied to incident fields when editing? (Choose two.)
A. Set a field trigger script
B. Associate to an incident type
C. Change field type
D. Change field name

Answer 1

Correct Answer: AB
Reference:
https://docs.servicenow.com/bundle/quebec-it-service-management/page/product/incident-management/reference/incident-management- properties.html

Question 2

Question #2Topic 1
Given an incident with three files, how could the name of the second file be referenced?
A. ${Files.[2].Name}
B. ${Files.Name.[2]}
C. ${File.[1].Name}
D. ${File.Name.[1]}

Answer 2

Correct Answer: B

Question 3

Question #3Topic 1
Which component can be part of a load balancing group?
A. Distributed database
B. D2 agent
C. Engine
D. Load balancing server

Answer 3

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/engines/understand-demisto-engines.html

Question 4

Question #4Topic 1
Which method accesses a field called ג€˜User Mailג€™ in a playbook?
A. ${incident.usermail}
B. ${incident.User Mail}
C. ${incident.UserMail}
D. ${usermail}

Answer 4

Correct Answer: A

Question 5

Question #5Topic 1
A SOC manager built a dashboard and would like to share the dashboard with other team members.
How would the SOC manager create a dashboard that meets this requirement?
A. Manually share the dashboard through user emails
B. Dashboard is shared to all XSOAR users
C. Propagate the dashboard based on SAML authentication
D. Dashboard is shared to all XSOAR users in a selected role

Answer 5

Correct Answer: D
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/dashboards/share-a-dashboard.html

Question 6

Question #6Topic 1
Which two methods will allow data to be saved in incident fields within a playbook? (Choose two.)
A. setFields
B. Field mapping
C. setIncident
D. Layout inline editing

Answer 6

Correct Answer: BC

Question 7

Question #8Topic 1
Which built-in automation/command cab be used to change an incidentג€™s type?
A. setIncident
B. Set
C. GetFieldsByIncidentType
D. modifyIncidentFields

Answer 7

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/incidents/incidents-management/incident-fields/field-trigger-scripts.html

Question 8

Question #9Topic 1
An engineer notices that playbooks only start once the user clicks the ג€˜investigateג€™ button and he/she would like the playbook to start automatically.
How can this be implemented?
A. Add the playbook to the integrationג€™s settings
B. Select ג€˜Run playbook automaticallyג€™ from the incident type settings
C. Add the !startinvestigation automation to the beginning of the playbook
D. Select ג€˜Run playbook automaticallyג€™ from the integration settings

Answer 8

Correct Answer: A
Seems: B is correct
B. Select ג€˜Run playbook automaticallyג€™ from the incident type settings

Question 9

Question #10Topic 1
Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)
A. The ג€™Fetches Incidentsג€™ option may not have been enabled
B. There are no new events from the external service
C. The first fetch should be manually triggered to start the fetching process
D. It can take up to 1-hour before incidents are initially fetched

Answer 9

Correct Answer: AC

Question 10

Question #11Topic 1
Which two capabilities do Automation script settings include? (Choose two.)
A. Define ג€˜parametersג€™
B. Correlate to incident types
C. Define ג€˜outputsג€™
D. Set password protection

Answer 10

Correct Answer: BD

Question 11

Question #13Topic 1
What is a primary use case of data collection tasks?
A. To allow multi-question surveys without authentication restrictions
B. To automate tasks such as parsing a file or enriching indicators
C. To generate new widgets for a dashboard
D. To determine different paths in a playbook

Answer 11

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbook-tasks/communication-tasks/create-a-data- collection-task.html

Question 12

Question #14Topic 1
In which three locations can an engineer try to find information, when troubleshooting a failed integration instance error produced by the test button? (Choose three.)
A. The audit log
B. The log bundle
C. The source code for an integration
D. The error message returned directly below the button
E. The playground war room

Answer 12

Correct Answer: BCD

Question 13

Question #15Topic 1
Which two statements describe how timers are configured to start and stop automatically in a playbook? (Choose two.)
A. Use a field of Number to count the number of seconds elapsed between two tasks
B. After the playbook has run, calculate the total time taken and set the timer field with this value
C. To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation stopTimer
D. From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on

Answer 13

Correct Answer: BD

Correct: CD

Question 14

Question #16Topic 1
How long is the trial period for paid content packs?
A. 30 days
B. 14 days
C. 7 days
D. 60 days

Answer 14

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions.html

Question 15

Question #17Topic 1
After enriching a username using Active Directory, an engineer would like to send an email to the userג€™s manager. However, this functionality is not part of the command output. The engineer checks with raw-response=true and notices that the managerג€™s email is returned, but not saved in the context.
How can the engineer save the data so it will be accessible?
A. Mark ignore output = true
B. Use extend-context
C. Use raw-response = save
D. Mark ignore input = true

Answer 15

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/extend-context/extend-context-using-the-command-line.html

Question 16

Question #18Topic 1
Where can engineers add the post-processing scripts to incidents?
A. The post-processing tag must be added to the automation
B. Post-processing scripts must be added at the end of playbooks
C. Post-processing scripts must be added from the Incident Type editor
D. Post-processing scripts must be added from the Post-Process Rules editor

Answer 16

Correct Answer: C

Question 17

Question #19Topic 1
An engineer would like to present a trend using widgets to compare to a previous weekג€™s data.
Which two methods will allow the engineer to meet the requirement? (Choose two.)
A. Create widget of type Line, check ג€˜Display Trendג€™ and define as 7 days ago
B. Create a custom widget using a new incident query
C. Create widget of type Number, check ג€˜Display Trendג€™ and define as 7 days ago
D. Create a custom widget using a script

Answer 17

Correct Answer: AD

Question 18

Question #20Topic 1
What happens when an integration is deprecated?
A. The integration commands in a playbook can no longer be used
B. The integration commands can be used, but it is recommended to update to the latest content pack
C. The configuration settings will be lost and the integration will no longer function
D. The integration commands in a playbook can be used, but it will fail at runtime

Answer 18

Correct Answer: C

Question 19

Question #21Topic 1
Which investigation element is best suited for collaboration among users?
A. Work Plan
B. Related Incidents
C. War Room
D. Context Data

Answer 19

Correct Answer: D

Comment: Correct: C

Reference:
https://blog.paloaltonetworks.com/2020/01/cortex-security-operations/

Question 20

Question #22Topic 1
Which three support types are included in the Marketplace Content Packs? (Choose three.)
A. Customer supported
B. Contex XSOAR supported
C. Community supported
D. Partner supported
E. Prisma Cloud supported

Answer 20

Correct Answer: BCD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-overview/content-packs-support-types.html

Question 21

Question #23Topic 1
Which three authentication methods are supported when logging into XSOAR? (Choose three.)
A. OTP token
B. User name and password
C. SAML
D. Active Directory authentication
E. RADIUS

Answer 21

Correct Answer: CDE

Seems: B,C,D
Comment: No radius but username / password instead

Reference:
https://www.paloguard.com/GlobalProtect.asp

Question 22

Question #24Topic 1
Which two components have their own context data? (Choose two.)
A. Sub-playbook
B. Task
C. Field
D. Incident

Answer 22

Correct Answer: AD

Question 23

Question #25Topic 1
What are two main uses of context data? (Choose two.)
A. Store incident information in JSON format
B. Store incident information in XML format
C. Pass data between playbook tasks
D. Pass data between to-do tasks

Answer 23

Correct Answer: AC
Reference:
https://xsoar.pan.dev/docs/integrations/context-and-outputs#:~:text=The%20main%20use%20of%20the,the%20Context%20and%20uses%20it

Question 24

Question #26Topic 1
Multiple company assets were reported by vulnerability scanners as being vulnerable to CVE-2017-11882. This vulnerability affects applications installed on workstations. The SOC team needs to take action and apply the new vulnerability patch that was just released. The team must first create a cause for each of the identified assets in ServiceNow IT Service Management (ITSM), in order to notify the IT department. Next, the team creates a task in the main playbook, which extracts the list of assets from the scanner report.
After the list of assets are created, what are the two solutions that the SOC team could take so that a case could be created and a patch installed? (Choose two.)
A. Create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Condition: AreValuesEqual ג€” Exit on yes ג€” left:1, right 1) and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
B. Create a sub-playbook with a single input containing the computer names that will loop ג€˜For Each Inputג€™ and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
C. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Exit condition: iterator contains the count of the number of items in the list) and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
D. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Exit condition: iterator equal to count of the number of item in the list) and perform the following tasks: - Increase the iterator value by one each time - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent

Answer 24

Correct Answer: BD

Question 25

Question #27Topic 1
When creating a new tab in the layout, which section cannot be added?
A. Retrieve widget chart based on script
B. Related incidents
C. War room entries picked by entry query
D. Incident team members

Answer 25

Correct Answer: A

Question 26

Question #28Topic 1
In which two ways can data be transferred between playbooks and sub-playbooks? (Choose two.)
A. Inputs and outputs
B. Through integration context
C. Automatically extracted by sub-playbooks
D. From context data, if context is shared globally

Answer 26

Correct Answer: AD

Question 27

Question #29Topic 1
By default, which components does an XSOAR implementation include?
A. XSOAR server, XSOAR engine
B. Application server, distributed DB server
C. Application server, distributed DB server, Backup server
D. All in one server

Answer 27

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/installation/install-demisto-on-a-physical-or-virtual-server.html

Question 28

Question #31Topic 1
Which three statements are true about the Marketplace? (Choose three.)
A. Allows reverting back to a previous version of a content pack
B. Enables users to participate in the community by sharing content
C. Publishes content without additional review from the Cortex XSOAR team
D. Allows uploading of content in additional languages
E. Offers granularity in installation through content packs

Answer 28

Correct Answer: BCD

Comment: C is not true, it should be A instead.

Question 29

Question #32Topic 1
What can be added to offload integration instance processing from the main server?
A. Database node
B. Application server
C. Engine
D. Development server

Answer 29

Correct Answer: A

Question 30

Question #33Topic 1
Which XSOAR architecture would be recommended for Managed Security Service Providers (MSSP)?
A. Multi-region
B. Dev-Prod
C. Multi-tenant
D. Distributed database

Answer 30

Correct Answer: C
Reference:
https://www.ncsi.com/wp-content/uploads/2020/11/cortex-xsoar.pdf

Question 31

Question #34Topic 1
An incident field is created having the display name as Source_IP.
How can the field be accessed?
A. ${incident.sourceip}
B. ${incident.Source_IP}
C. ${incident.srcip}
D. ${incident.Source IP}

Answer 31

Correct Answer: C

Question 32

Question #36Topic 1
An engineer deployed two different instances of Active Directory for each organization site. As part of account enrichment use case, the engineer would like to delete a user from one specific site.
Which command will accomplish this?
A. run ג€˜ad-delete-userג€™ command with ג€˜user-dnג€™ arg and using-brand=ג€Active Directory Query v2ג€
B. run ג€˜ad-delete-userג€™ command with ג€˜user-dnג€™ arg and raw-response=true
C. run ג€˜ad-delete-userג€™ command with ג€˜user-dnג€™ arg and ignore-outputs=true
D. run ג€˜ad-delete-userג€™ command with ג€˜user-dnג€™ arg and using=ג€Active Directory Query v2_instance_1ג€

Answer 32

Correct Answer: A

Comment: D is the correct answer

Question 33

Question #37Topic 1
An engineer is developing a playbook that will be run multiple times for testing purposes.
What is the recommended first task to be used in the playbook?
A. DeleteContext
B. GenerateTest
C. PrintContext
D. SetContext

Answer 33

Correct Answer: A
Comment: A - Correct
Reference:
https://xsoar.pan.dev/docs/integrations/test-playbooks

Question 34

Question #38Topic 1
What is the most effective way to correlate multiple raw events coming from a SIEM and link them together?
A. Process all alerts by running the respective playbook and link related incidents during post-processing
B. Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together
C. Configure a pre-process rule to link related events as they are ingested
D. Manually go through the incidents created by the raw events and link related incidents

Answer 34

Correct Answer: A

Question 35

Question #39Topic 1
Which two incident search queries are valid? (Choose two.)
A. created:>=ג€7 daysג€
B. owner===admin
C. role is Analyst
D. status:closed ג€"category:job

Answer 35

Correct Answer: AD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/cortex-xsoar-overview/how-to-search-in-cortex-xsoar.html

Question 36

Question #40Topic 1
What is the correct expression to use when filtering only PDF files?
A. Use File.Extension that does not equal (string comparison) PDF
B. Use File.Name contains PDF
C. Use File.Extension contains (general) PDF
D. Use File.Extension equals (string comparison) PDF

Answer 36

Correct Answer: B

Comment: D is correct answer

Question 37

Question #41Topic 1
Whar are possible war room result (entry) types?
A. Context, file, error, image
B. Note, indicator, error, image
C. Video, file, error, image
D. Note, file, error, image

Answer 37

Correct Answer: B

Comment: D is the correct answer

Question 38

Question #42Topic 1
An engineer asked for a specific command in an integration but the capability does not exist. The engineer decided to edit the existing integration by copying the integration and adding the needed commands.
What is the main concern when adding these commands?
A. The commands must return a proper result to the war room for the analysts to understand
B. The code may not be written to XSOAR standards
C. The integrations are locked and cannot be edited with additional commands
D. The custom integration will not be maintained and updated by XSOAR content team

Answer 38

Correct Answer: C

Comment: D is the correct answer

Question 39

Question #43Topic 1
How is data transferred between playbook tasks?
A. Read/Write from context data
B. Over war room results
C. Input from the indicator page
D. Directly from a previous task

Answer 39

Correct Answer: A

Question 40

A large number of incidents were deleted by mistake.
Which two architecture components can be used to recover the lost data? (Choose two.)
A. Live backup
B. Engine
C. Distributed database
D. Local backup

Answer 40

Correct Answer: AD

Question 41

Question #45Topic 1
Which two statements accurately describe layouts? (Choose two.)
A. Layouts override classification and mapping
B. New tabs can be added to the incident layout
C. Layouts can display incident information and custom fields
D. Layouts add or remove custom fields from an incident type

Answer 41

Correct Answer: BC

Question 42

An engineerג€™s organization system is registered in the following manner: . The engineer created a new indicator type for detecting systems using regex. The engineer would now like the username to be created as a separate ג€˜Userג€™ indicator automatically once a system is found.
What is the most efficient way for the engineer to achieve this?
A. Create a custom indicator field named ג€˜usernameג€™ and link it to the internal system indicator
B. Change the reputation command for the internal system indicator type
C. Create a new indicator type of the internal username and set a formatting script to extract only the username
D. Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning

Answer 42

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-threat-intel-management-guide/manage-indicators/understand-indicators/ indicator-types/indicator-type-profile

Question 43

Question #47Topic 1
Which two options are the most effective for moving content between two environments? (Choose two.)
A. Remote repository based content sharing
B. UI based content import/export button
C. Copy the content backup from one environment file system (/var/lib/demisto/backup/content-backup-*) and move it to the other environment
D. Download the content items separately and upload them to the other environment

Answer 43

Correct Answer: AC
Seems AC is correct
Comment: A,B is correct.
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/migrate-data-to-another-server-for-multi-tenant.html

Question 44

Question #48Topic 1
Which three options can be defined in the layout settings? (Choose three.)
A. Set of fields to present
B. Permission to view the tab based on ג€˜Usersג€™
C. Permission to view the tab based on ג€˜Rolesג€™
D. Delete built-in tabs including the war room
E. Dynamic sections

Answer 44

Correct Answer: ACE
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/incidents/customize-incident-view-layouts/customize-incident- layouts.html

Question 45

Question #49Topic 1
What can be used as integration parameters?
A. URL, API key, port
B. URL, certificate, image
C. Token, query, playbook
D. User-password, csv file, query

Answer 45

Correct Answer: A

Question 46

Question #50Topic 1
Which two features does XSOAR offer to help recover from a server failure? (Choose two.)
A. Live backup (disaster recovery)
B. Distributed database
C. Backup data to XSOAR engines
D. Local backup

Answer 46

Correct Answer: AC

Comment: A,D is the correct answer

Question 47

Question #51Topic 1
When uploading content, which two options could the upload include? (Choose two.)
A. Indicators
B. Incidents
C. Reports
D. Fields

Answer 47

Correct Answer: AB

Comment: A,D is correct

Question 48

Question #52Topic 1
An engineer defined a dashboard which allows important metrics to be displayed. The engineer would like to make this dashboard the default dashboard.
How can it be accomplished?
A. Default Dashboard can be defined by ג€˜Roleג€™
B. Use the server configuration key: default.dashboards
C. Save the dashboard as a widget and apply it to all users
D. Right click on the dashboard tab and ג€˜Set as Defaultג€™

Answer 48

Correct Answer: D
Comment: Correct answer is A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/monitoring/cortex-xdr-dashboard/manage-dashboards.html

Question 49

Question #53Topic 1
How would context data be filtered to receive only malicious indicator values with DBotScore?
A. Get DBotScore.value where DBotScore.Score (Larger or equals) 4
B. Get DBotScore.value where DBotScore.Score (equals (int)) 3
C. Get DBotScore where DBotScore.Score (Larger than) 1
D. Get DBotScore where DBotScore.Score (Larger or equals) 2

Answer 49

Correct Answer: B
Reference:
https://github.com/demisto/content/blob/master//Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/README.md

Question 50

Question #54Topic 1
Can an automation script execute an integration command and an integration command execute an automation script?
A. An automation script cannot execute an integration command and an integration command cannot execute an automation script
B. An automation script can execute an integration command and an integration command cannot execute an automation script
C. An automation script cannot execute an integration command and an integration command can execute an automation script
D. An automation script can execute an integration command and an integration command can execute an automation script

Answer 50

Correct Answer: B

Question 51

Question #55Topic 1
Which two options will troubleshoot an integrationג€™s fetch incidents command? (Choose two.)
A. In the instance settings, enable the fetch incidents parameter and wait for one minute
B. Create a one task playbook with a fetch-incident command
C. execute !-fetch
D. execute !-fetch

Answer 51

Correct Answer: AC

if demisto.command() == ‘fetch-incidents’:

Reference:
https://xsoar.pan.dev/docs/integrations/fetching-incidents

Question 52

Question #57Topic 1
Incidents need to be filtered by all of the following criteria:
1. Status ג€” Pending
2. Exclude Category ג€” Job
3. Severity ג€” High
4. Owner ג€” None (No owner assigned)
5. Type ג€” Phishing
6. Email Subject ג€” ג€You have won a million dollarsג€
What is the correct query syntax for the above incident search filter?
A. status==ג€Pendingג€ && category!=ג€jobג€ && severity==ג€Highג€ && owner==ג€Noneג€ && type==ג€Phishingג€ && emailsubject==ג€You have won a million dollarsג€
B. Status:Pending and ג€”Category:job and Severity:High and Owner:ג€ג€ and Type:Phishing and Email Subject:You have won a million dollars
C. status:Pending and ג€”category:job and severity:High and owner:ג€ג€ and type:Phishing and emailsubject:ג€You have won a million dollarsג€
D. status:Pending or ג€”category:job or severity:High or owner:ג€ג€ or type:Phishing or emailsubject:ג€You have won a million dollarsג€

Answer 52

Correct Answer: C
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/cortex-xsoar-overview/how-to-search-in-cortex-xsoar.html#idcd7fe505- c1c1-42f5-a698-08b5710196d3

Question 53

Question #58Topic 1
What does Script helper contain?
A. Available commands
B. Permission settings
C. Automation version history
D. Automation timeout configuration

Answer 53

Correct Answer: A
Reference:
https://xsoar.pan.dev/docs/concepts/xsoar-ide

Question 54

Question #59Topic 1
When mapping incoming data to incident fields, which statement is correct?
A. Data that is not mapped is placed under labels
B. Only text fields are classified
C. Classification cannot be used if mapping is enabled
D. Every incoming field must be mapped

Answer 54

Correct Answer: D
Comment: A is correct answer
Reference:
https://xsoar.pan.dev/docs/incidents/incident-classification-mapping

Question 55

Question #60Topic 1
Which two situations would an engineer consider when configuring classification and mapping for an incident type? (Choose two.)
A. When creating incidents from the XSOAR REST API
B. When manually creating an incident from the UI
C. When adding a new analyst account to XSOAR
D. When fetching many different incident types from a single mailbox

Answer 55

Correct Answer: AB

Comment: A,D is the correct answer

Question 56

Question #61Topic 1
Which two options may be added when a content pack is being installed? (Choose two.)
A. Lists
B. Roles
C. Other content packs
D. Indicator layouts

Answer 56

Correct Answer: AB

Comment: Lol, C,D is the correct answer

Question 57

Question #62Topic 1
Which three scripting languages can an engineer use to write XSOAR automations? (Choose three.)
A. Python
B. Perl
C. Go
D. JavaScript
E. Powershell

Answer 57

Correct Answer: ADE
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/automations.html

Question 58

Question #63Topic 1
What are two primary uses of standard tasks? (Choose two.)
A. To highlight different paths in a playbook
B. To generate new widgets for a dashboard
C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators

Answer 58

Correct Answer: BD
Comment: C,D is correct
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbooks-overview.html

Question 59

Question #64Topic 1
An engineer would like to change an incidentג€™s SLA according to the severity field changes.
How can the engineer achieve this task?
A. Use a field trigger script
B. Use a field display script
C. Create a job that queries for incident severity changes
D. Change the SLA manually every time the severity changes

Answer 59

Correct Answer: B
Comment: A is correct
Reference:
https://xsoar.pan.dev/docs/incidents/incident-fields

Question 60

Question #65Topic 1
What are three different loop types in a playbook? (Choose three.)
A. Automation
B. Built-in
C. Data collection
D. Conditional
E. For-each

Answer 60

Correct Answer: ABE - Correct

Question 61

Question #66Topic 1
What are two common use cases for conditional tasks? (Choose two.)
A. They are used for branching paths in a playbook
B. They are used to interact with users through survey functionality
C. They are used to determine which incident will be executed
D. They are used for sending a specific question to a person or team

Answer 61

Correct Answer: AC
Comment: A,D is the correct answer

Reference:
https://docs-new.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/cortex-xsoar-overview/use-cases.html#id7b31e50b-5aca-4d65- bdb5-ba61b4eac0b4

Question 62

Question #67Topic 1
An engineer wants to customize the regex for the default IP indicator type.
How can this change be implemented?
A. Create a new indicator type and disable the built-in IP indicator
B. Edit the regex of the default IP Indicator
C. Add a new server configuration key that will overwrite the default regex of the IP indicator
D. Delete the default IP indicator

Answer 62

Correct Answer: A
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-indicators/understand-indicators/indicator-types/indicator-type- profile.html

Question 63

Question #68Topic 1
In which two scenarios would it be appropriate to implement a loop for a sub-playbook? (Choose two.)
A. In repetitive process flows to iterate for each playbook input
B. When continuously ingesting incidents from third-party systems
C. In repetitive process flows with no more than 10 loops
D. In repetitive processes that requires sub-playbook re-execution

Answer 63

Correct Answer: AB

Comment: A,D is correct

Question 64

Which configuration is a valid distributed database (DB) implementation?
A. 2 main DBs, 1 application server, 2 node servers
B. 1 main DB, 1 application server, 3 node servers
C. 2 application servers, 1 main DB, 1 node server
D. 1 application server, 2 main DBs, 1 node server

Answer 64

Correct Answer: C

Comment: B is correct

Question 65

Question #70Topic 1
An engineer would like to add a custom field to the New Job form for a job triggered from a threat intel feed.
How would the engineer implement this?
A. The new job form changes based on the threat intel feed integration configuration
B. The new job form can be edited from the Indicator Feed incident type editor
C. The new job form for a threat intel feed job cannot be edited
D. The new job form can be edited from the threat intel feeds integration settings

Answer 65

Correct Answer: B
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-threat-intel-management-guide/manage-indicators/understand-indicators/ create-a-feed-based-job.html

Question 66

Question #71Topic 1
An automation returned an output called: csvReport.
What filter would be used to check if the automation returned results?
A. Contains/Includes
B. Equals/Matches
C. In/In list
D. Is defined/Exist

Answer 66

Correct Answer: B

Comment: D is correct.

Question 67

Question #72Topic 1
What is the difference between labels and fields?
A. Fields can be used in playbooks and labels cannot
B. Fields are indexed in the database and labels are not
C. Labels can be used in queries and fields cannot
D. Labels are indexed in the database and fields are not

Answer 67

Correct Answer: C

Question 68

Question #73Topic 1
What is the default task type when creating an empty task?
A. Standard (Manual)
B. Conditional
C. Section header
D. Standard (Automated)

Answer 68

Correct Answer: B
Comment: A is the correct answer. (Seems this one is correct)
Comment: B - Correct

Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbook-tasks/playbook-task-fields.html

Question 69

Question #74Topic 1
Which two methods are used to add new content to the XSOAR Content Repository? (Choose two.)
A. Create content and add it to the standard content by contributing through the Marketplace
B. Use the XSOAR GitHub Contribution Guide to add the contribution to the standard content
C. Create a support ticket with the custom content for review by the support team
D. Any custom content will be automatically uploaded to the content repository

Answer 69

Correct Answer: AD

Comment: A,B is correct

Question 70

Question #75Topic 1
In which two options can an automation script be executed? (Choose two.)
A. Engine
B. Integration
C. War room
D. Playbook

Answer 70

Correct Answer: CD
Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/automations.html

Question 71

Question #76Topic 1
By default, automation written in which language will be executed in a Docker container?
A. Python
B. Go
C. JavaScript
D. Perl

Answer 71

Correct Answer: B

Comment: A - Correct

Question 72

Question #77Topic 1
What is the correct definition regarding integration parameters and command arguments?
A. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
B. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
C. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
D. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.

Answer 72

Correct Answer: A
Comment: D - Correct

Reference:
https://xsoar.pan.dev/docs/tutorials/tut-integration-ui

Question 73

Question #78Topic 1
In which two locations can filters and transformers be used in XSOAR? (Choose two.)
A. Classification and Mapping
B. Playbook Tasks
C. Evidence Fields
D. Incident Fields

Answer 73

Correct Answer: BD
Comment: A, B seems correct to me.

Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/filters-and-transformers.html

Question 74

Question #79Topic 1
Which three actions can an engineer take on the troubleshooting page? (Choose three.)
A. Download the debug log bundle
B. Put the XSOAR server in maintenance mode
C. View and modify server configuration settings
D. Export and import custom content
E. View a list of server administrators

Answer 74

Correct Answer: ABC

Question 75

Question #80Topic 1
An XSOAR Engineer has developed a playbook and would like to contribute it to the XSOAR Marketplace to share with other users.
Which two options are available to the Engineer for contributing to the Marketplace? (Choose two.)
A. Open a ticket with the XSOAR support team
B. Create a pull request directly on Github
C. Contribute through the XSOAR UI
D. Send an email to contributions@xsoar.com

Answer 75

Correct Answer: BC

Question 76

Question #81Topic 1
Which two input requirements are needed to train a machine learning model? (Choose two.)
A. 3000 Incidents
B. Incident Field
C. Verdict Label
D. Incident Type

Answer 76

Correct Answer: BD
Comment: B, C is correct
Comment: B&D - Correct

Reference:
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/machine-learing-models/machine-learning-models-overview.html

Question 77

Question #82Topic 1
Which two solutions are available to scale an overloaded XSOAR environment? (Choose two.)
A. Add a distributed database server
B. Add an indexing server
C. Add a live backup server (disaster recovery)
D. Add an engine

Answer 77

Correct Answer: AC

Comment: A,D are the correct answers.

Question 78

Question #83Topic 1
Management would like to get an incident report automatically following an incidentג€™s closure.
How would this be accomplished?
A. Define a task in a playbook to generate an incident report before the closure occurs
B. Manually create an ג€˜Incident Reportג€™
C. Configure post-processing using a script
D. Create an ג€˜Incident Reportג€™ from the Reports page

Answer 78

Correct Answer: D

Comment: C is the correct answer

Question 79

Question #84Topic 1
Which two reasons would lead an engineer to create a custom widget? (Choose two.)
A. To visualize server configuration keys
B. To visualize XSOAR list data
C. To visualize complex incident data calculations
D. To visualize context data
E. To visualize a custom query

Answer 79

Correct Answer: DE
Reference:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-admin.pdf/cortex-xsoar- admin.pdf