Questions Flashcards

1
Q

Which two advanced attributes can be applied to incident fields when editing? (Choose two.)
A. Set a field trigger script
B. Associate to an incident type
C. Change field type
D. Change field name

A

A. Set a field trigger script
B. Associate to an incident type

2
Q

Given an incident with three files, how could the name of the second file be referenced?
A. ${Files.[2].Name}
B. ${Files.Name.[2]}
C. ${File.[1].Name}
D. ${File.Name.[1]}

A

C. ${File.[1].Name}

3
Q

Which component can be part of a load balancing group?
A. Distributed database
B. D2 agent
C. Engine
D. Load balancing server

A

C. Engine

4
Q

Which method accesses a field called ‘User Mail’ in a playbook?
A. ${incident.usermail}
B. ${incident.User Mail}
C. ${incident.UserMail}
D. ${usermail}

A

A. ${incident.usermail}

5
Q

A SOC manager built a dashboard and would like to share the dashboard with other team members.
How would the SOC manager create a dashboard that meets this requirement?
A. Manually share the dashboard through user emails
B. Dashboard is shared to all XSOAR users
C. Propagate the dashboard based on SAML authentication
D. Dashboard is shared to all XSOAR users in a selected role

A

D. Dashboard is shared to all XSOAR users in a selected role

6
Q

Which two methods will allow data to be saved in incident fields within a playbook? (Choose two.)
A. setFields
B. Field mapping
C. setIncident
D. Layout inline editing

A

B. Field mapping
C. setIncident

7
Q

Which built-in automation/command can be used to change an incident’s type?
A. setIncident
B. Set
C. GetFieldsByIncidentType
D. modifyIncidentFields

A

A. setIncident

8
Q

An engineer notices that playbooks only start once the user clicks the ‘investigate’ button and he/she would like the playbook to start automatically.
How can this be implemented?
A. Add the playbook to the integration’s settings
B. Select ‘Run playbook automatically’ from the incident type settings
C. Add the !startinvestigation automation to the beginning of the playbook
D. Select ‘Run playbook automatically’ from the integration settings

A

B. Select ‘Run playbook automatically’ from the incident type settings

9
Q

Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)
A. The ‘Fetches Incidents’ option may not have been enabled
B. There are no new events from the external service
C. The first fetch should be manually triggered to start the fetching process
D. It can take up to 1-hour before incidents are initially fetched

A

A. The ‘Fetches Incidents’ option may not have been enabled
B. There are no new events from the external service

10
Q

Which two capabilities do Automation script settings include? (Choose two.)
A. Define ‘parameters’
B. Correlate to incident types
C. Define ‘outputs’
D. Set password protection

A

A. Define ‘parameters’
D. Set password protection

11
Q

What is a primary use case of data collection tasks?
A. To allow multi-question surveys without authentication restrictions
B. To automate tasks such as parsing a file or enriching indicators
C. To generate new widgets for a dashboard
D. To determine different paths in a playbook

A

A. To allow multi-question surveys without authentication restrictions

12
Q

In which three locations can an engineer try to find information when troubleshooting a failed integration instance error produced by the test button? (Choose three.)
A. The audit log
B. The log bundle
C. The source code for an integration
D. The error message returned directly below the button
E. The playground war room

A

B. The log bundle
C. The source code for an integration
D. The error message returned directly below the button

13
Q

Which two statements describe how timers are configured to start and stop automatically in a playbook? (Choose two.)
A. Use a field of Number to count the number of seconds elapsed between two tasks
B. After the playbook has run, calculate the total time taken and set the timer field with this value
C. To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation stopTimer
D. From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on

A

C. To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation stopTimer
D. From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on

14
Q

What is the default indicator expiration time?
3 days
30 days
7 days
1 year

A

3 days

15
Q

How long is the trial period for paid content packs?
A. 30 days
B. 14 days
C. 7 days
D. 60 days

A

A. 30 days

16
Q

After enriching a username using Active Directory, an engineer would like to send an email to the user’s manager. However, this functionality is not part of the command output. The engineer checks with raw-response=true and notices that the manager’s email is returned, but not saved in the context.
How can the engineer save the data so it will be accessible?
A. Mark ignore output = true
B. Use extend-context
C. Use raw-response = save
D. Mark ignore input = true

A

B. Use extend-context

17
Q

Where can engineers add the post-processing scripts to incidents?
A. The post-processing tag must be added to the automation
B. Post-processing scripts must be added at the end of playbooks
C. Post-processing scripts must be added from the Incident Type editor
D. Post-processing scripts must be added from the Post-Process Rules editor

A

C. Post-processing scripts must be added from the Incident Type editor

18
Q

An engineer would like to present a trend using widgets to compare to a previous week’s data.
Which two methods will allow the engineer to meet the requirement? (Choose two.)
A. Create widget of type Line, check ‘Display Trend’ and define as 7 days ago
B. Create a custom widget using a new incident query
C. Create widget of type Number, check ‘Display Trend’ and define as 7 days ago
D. Create a custom widget using a script

A

A. Create widget of type Line, check ‘Display Trend’ and define as 7 days ago
D. Create a custom widget using a script

19
Q

What happens when an integration is deprecated?
A. The integration commands in a playbook can no longer be used
B. The integration commands can be used, but it is recommended to update to the latest content pack
C. The configuration settings will be lost and the integration will no longer function
D. The integration commands in a playbook can be used, but it will fail at runtime

A

B. The integration commands can be used, but it is recommended to update to the latest content pack

20
Q

Which investigation element is best suited for collaboration among users?
A. Work Plan
B. Related Incidents
C. War Room
D. Context Data

A

C. War Room

21
Q

Which three support types are included in the Marketplace Content Packs? (Choose three.)
A. Customer supported
B. Cortex XSOAR supported
C. Community supported
D. Partner supported
E. Prisma Cloud supported

A

B. Cortex XSOAR supported
C. Community supported
D. Partner supported

22
Q

Which three authentication methods are supported when logging into XSOAR? (Choose three.)
A. OTP token
B. Username and password
C. SAML
D. Active Directory authentication
E. RADIUS

A

B. Username and password
C. SAML
D. Active Directory authentication

23
Q

Which two components have their own context data? (Choose two.)
A. Sub-playbook
B. Task
C. Field
D. Incident

A

A. Sub-playbook
D. Incident

24
Q

What are two main uses of context data? (Choose two.)
A. Store incident information in JSON format
B. Store incident information in XML format
C. Pass data between playbook tasks
D. Pass data between to-do tasks

A

A. Store incident information in JSON format
C. Pass data between playbook tasks

25
Q

Multiple company assets were reported by vulnerability scanners as being vulnerable to CVE-2017-11882. This vulnerability affects applications installed on workstations. The SOC team needs to take action and apply the new vulnerability patch that was just released. The team must first create a case for each of the identified assets in ServiceNow IT Service Management (ITSM), in order to notify the IT department. Next, the team creates a task in the main playbook, which extracts the list of assets from the scanner report.
After the list of assets is created, what are the two solutions that the SOC team could take so that a case could be created and a patch installed? (Choose two.)
A. Create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Condition: AreValuesEqual “ Exit on yes “ left:1, right 1) and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
B. Create a sub-playbook with a single input containing the computer names that will loop ‘For Each Input’ and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
C. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Exit condition: iterator contains the count of the number of items in the list) and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
D. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Exit condition: iterator equal to count of the number of item in the list) and perform the following tasks: - Increase the iterator value by one each time - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent

A

B. Create a sub-playbook with a single input containing the computer names that will loop ‘For Each Input’ and perform the following tasks: - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent
D. Set a key for storing the iteration number and create a sub-playbook with a single input containing the computer names that will loop until the last item from the asset list (Exit condition: iterator equal to count of the number of item in the list) and perform the following tasks: - Increase the iterator value by one each time - Active Directory User Enrichment based on the computerName - Create the ServiceNow Record by adding the enrichment information - Mark the ticket severity as Urgent

26
Q

When creating a new tab in the layout, which section cannot be added?
A. Retrieve widget chart based on script
B. Related incidents
C. War room entries picked by entry query
D. Incident team members

A

B. Related incidents

27
Q

In which two ways can data be transferred between playbooks and sub-playbooks? (Choose two.)
A. Inputs and outputs
B. Through integration context
C. Automatically extracted by sub-playbooks
D. From context data, if context is shared globally

A

A. Inputs and outputs
D. From context data, if context is shared globally

28
Q

By default, which components does an XSOAR implementation include?
A. XSOAR server, XSOAR engine
B. Application server, distributed DB server
C. Application server, distributed DB server, Backup server
D. All in one server

A

D. All in one server

29
Q

Which three statements are true about the Marketplace? (Choose three.)
A. Allows reverting back to a previous version of a content pack
B. Enables users to participate in the community by sharing content
C. Publishes content without additional review from the Cortex XSOAR team
D. Allows uploading of content in additional languages
E. Offers granularity in installation through content packs

A

A. Allows reverting back to a previous version of a content pack
B. Enables users to participate in the community by sharing content
E. Offers granularity in installation through content packs

30
Q

What can be added to offload integration instance processing from the main server?
A. Database node
B. Application server
C. Engine
D. Development server

A

C. Engine

31
Q

Which XSOAR architecture would be recommended for Managed Security Service Providers (MSSP)?
A. Multi-region
B. Dev-Prod
C. Multi-tenant
D. Distributed database

A

C. Multi-tenant

32
Q

An incident field is created having the display name as Source_IP.
How can the field be accessed?
A. ${incident.sourceip}
B. ${incident.Source_IP}
C. ${incident.srcip}
D. ${incident.Source IP}

A

A. ${incident.sourceip}

33
Q

An engineer deployed two different instances of Active Directory for each organization site. As part of an account enrichment use case, the engineer would like to delete a user from one specific site.
Which command will accomplish this?
A. run ‘ad-delete-user’ command with ‘user-dn’ arg and using-brand=“Active Directory Query v2”
B. run ‘ad-delete-user’ command with ‘user-dn’ arg and raw-response=true
C. run ‘ad-delete-user’ command with ‘user-dn’ arg and ignore-outputs=true
D. run ‘ad-delete-user’ command with ‘user-dn’ arg and using=”Active Directory Query v2_instance_1”

A

D. run ‘ad-delete-user’ command with ‘user-dn’ arg and using=”Active Directory Query v2_instance_1”

34
Q

An engineer is developing a playbook that will be run multiple times for testing purposes.
What is the recommended first task to be used in the playbook?
A. DeleteContext
B. GenerateTest
C. PrintContext
D. SetContext

A

A. DeleteContext

35
Q

What is the most effective way to correlate multiple raw events coming from a SIEM and link them together?
A. Process all alerts by running the respective playbook and link related incidents during post-processing
B. Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together
C. Configure a pre-process rule to link related events as they are ingested
D. Manually go through the incidents created by the raw events and link related incidents

A

C. Configure a pre-process rule to link related events as they are ingested

36
Q

Which two incident search queries are valid? (Choose two.)
A. created:>=”7 days”
B. owner===admin
C. role is Analyst
D. status:closed & category:job

A

A. created:>=”7 days”
D. status:closed & category:job

37
Q

What is the correct expression to use when filtering only PDF files?
A. Use File.Extension that does not equal (string comparison) PDF
B. Use File.Name contains PDF
C. Use File.Extension contains (general) PDF
D. Use File.Extension equals (string comparison) PDF

A

D. Use File.Extension equals (string comparison) PDF

38
Q

What are possible war room result (entry) types?
A. Context, file, error, image
B. Note, indicator, error, image
C. Video, file, error, image
D. Note, file, error, image

A

D. Note, file, error, image

39
Q

An engineer asked for a specific command in an integration but the capability does not exist. The engineer decided to edit the existing integration by copying the integration and adding the needed commands.
What is the main concern when adding these commands?
A. The commands must return a proper result to the war room for the analysts to understand
B. The code may not be written to XSOAR standards
C. The integrations are locked and cannot be edited with additional commands
D. The custom integration will not be maintained and updated by XSOAR content team

A

D. The custom integration will not be maintained and updated by XSOAR content team

40
Q

How is data transferred between playbook tasks?
A. Read/Write from context data
B. Over war room results
C. Input from the indicator page
D. Directly from a previous task

A

A. Read/Write from context data

41
Q

A large number of incidents were deleted by mistake.
Which two architecture components can be used to recover the lost data? (Choose two.)
A. Live backup
B. Engine
C. Distributed database
D. Local backup

A

A. Live backup
B. Engine

42
Q

Which two statements accurately describe layouts? (Choose two.)
A. Layouts override classification and mapping
B. New tabs can be added to the incident layout
C. Layouts can display incident information and custom fields
D. Layouts add or remove custom fields from an incident type

A

B. New tabs can be added to the incident layout
C. Layouts can display incident information and custom fields

43
Q

An engineer’s organization system is registered in the following manner: <SiteName-SystemID-Username>. The engineer created a new indicator type for detecting systems using regex. The engineer would now like the username to be created as a separate ‘User’ indicator automatically once a system is found.
What is the most efficient way for the engineer to achieve this?
A. Create a custom indicator field named 'username' and link it to the internal system indicator
B. Change the reputation command for the internal system indicator type
C. Create a new indicator type of the internal username and set a formatting script to extract only the username
D. Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning

A

C. Create a new indicator type of the internal username and set a formatting script to extract only the username

44
Q

Which two options are the most effective for moving content between two environments? (Choose two.)
A. Remote repository based content sharing
B. UI based content import/export button
C. Copy the content backup from one environment file system (/var/lib/demisto/backup/content-backup-*) and move it to the other environment
D. Download the content items separately and upload them to the other environment

A

B. UI based content import/export button
D. Download the content items separately and upload them to the other environment

45
Q

Which three options can be defined in the layout settings? (Choose three.)
A. Set of fields to present
B. Permission to view the tab based on ‘Users’
C. Permission to view the tab based on ‘Roles’
D. Delete built-in tabs including the war room
E. Dynamic sections

A

A. Set of fields to present
C. Permission to view the tab based on ‘Roles’
E. Dynamic sections

46
Q

What can be used as integration parameters?
A. URL, API key, port
B. URL, certificate, image
C. Token, query, playbook
D. User-password, csv file, query

A

A. URL, API key, port

47
Q

Which two features does XSOAR offer to help recover from a server failure? (Choose two.)
A. Live backup (disaster recovery)
B. Distributed database
C. Backup data to XSOAR engines
D. Local backup

A

A. Live backup (disaster recovery)
C. Backup data to XSOAR engines

48
Q

When uploading content, which two options could the upload include? (Choose two.)
A. Indicators
B. Incidents
C. Reports
D. Fields

A

A. Indicators
B. Incidents

49
Q

An engineer defined a dashboard which allows important metrics to be displayed. The engineer would like to make this dashboard the default dashboard.
How can it be accomplished?
A. Default Dashboard can be defined by ‘Role’
B. Use the server configuration key: default.dashboards
C. Save the dashboard as a widget and apply it to all users
D. Right click on the dashboard tab and ‘Set as Default’

A

A. Default Dashboard can be defined by ‘Role’

50
Q

How would context data be filtered to receive only malicious indicator values with DBotScore?
A. Get DBotScore.value where DBotScore.Score (Larger or equals) 4
B. Get DBotScore.value where DBotScore.Score (equals (int)) 3
C. Get DBotScore where DBotScore.Score (Larger than) 1
D. Get DBotScore where DBotScore.Score (Larger or equals) 2

A

B. Get DBotScore.value where DBotScore.Score (equals (int)) 3

51
Q

Can an automation script execute an integration command and an integration command execute an automation script?
A. An automation script cannot execute an integration command and an integration command cannot execute an automation script
B. An automation script can execute an integration command and an integration command cannot execute an automation script
C. An automation script cannot execute an integration command and an integration command can execute an automation script
D. An automation script can execute an integration command and an integration command can execute an automation script

A

B. An automation script can execute an integration command and an integration command cannot execute an automation script

52
Q

Which two options will troubleshoot an integration’s fetch incidents command? (Choose two.)
A. In the instance settings, enable the fetch incidents parameter and wait for one minute
B. Create a one task playbook with a fetch-incident command
C. execute !<integration_instance_name>-fetch
D. execute !<integration_name>-fetch

A

A. In the instance settings, enable the fetch incidents parameter and wait for one minute
C. execute !<integration_instance_name>-fetch

53
Q

Incidents need to be filtered by all of the following criteria:
1. Status : Pending
2. Exclude Category : Job
3. Severity : High
4. Owner : None (No owner assigned)
5. Type : Phishing
6. Email Subject : You have won a million dollars

What is the correct query syntax for the above incident search filter?
A. status==”Pending” && category!=”job” && severity==”High” && owner==”None” && type==”Phishing” && emailsubject==”You have won a million dollars”
B. Status:Pending and “Category:job and Severity:High and Owner:”” and Type:Phishing and Email Subject:You have won a million dollars
C. status:Pending and -category:job and severity:High and owner:”” and type:Phishing and emailsubject:”You have won a million dollars”
D. status:Pending or “category:job or severity:High or owner:”” or type:Phishing or emailsubject:”You have won a million dollars”
status:Pending -category:job severity:high

A

C. status:Pending and -category:job and severity:High and owner:”” and type:Phishing and emailsubject:”You have won a million dollars”

54
Q

What does Script helper contain?
A. Available commands
B. Permission settings
C. Automation version history
D. Automation timeout configuration

A

A. Available commands

55
Q

When mapping incoming data to incident fields, which statement is correct?
A. Data that is not mapped is placed under labels
B. Only text fields are classified
C. Classification cannot be used if mapping is enabled
D. Every incoming field must be mapped

A

A. Data that is not mapped is placed under labels

56
Q

Which two situations would an engineer consider when configuring classification and mapping for an incident type? (Choose two.)
A. When creating incidents from the XSOAR REST API
B. When manually creating an incident from the UI
C. When adding a new analyst account to XSOAR
D. When fetching many different incident types from a single mailbox

A

A. When creating incidents from the XSOAR REST API
D. When fetching many different incident types from a single mailbox

57
Q

Which two options may be added when a content pack is being installed? (Choose two.)
A. Lists
B. Roles
C. Other content packs
D. Indicator layouts

A

C. Other content packs
D. Indicator layouts

58
Q

Which three scripting languages can an engineer use to write XSOAR automations? (Choose three.)
A. Python
B. Perl
C. Go
D. JavaScript
E. Powershell

A

A. Python
D. JavaScript
E. Powershell

59
Q

What are two primary uses of standard tasks? (Choose two.)
A. To highlight different paths in a playbook
B. To generate new widgets for a dashboard
C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators

A

C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators

60
Q

An engineer would like to change an incident’s SLA according to the severity field changes.
How can the engineer achieve this task?
A. Use a field trigger script
B. Use a field display script
C. Create a job that queries for incident severity changes
D. Change the SLA manually every time the severity changes

A

A. Use a field trigger script

61
Q

What are three different loop types in a playbook? (Choose three.)
A. Automation
B. Built-in
C. Data collection
D. Conditional
E. For-each

A

A. Automation
B. Built-in
E. For-each

62
Q

What are two common use cases for conditional tasks? (Choose two.)
A. They are used for branching paths in a playbook
B. They are used to interact with users through survey functionality
C. They are used to determine which incident will be executed
D. They are used for sending a specific question to a person or team

A

A. They are used for branching paths in a playbook
D. They are used for sending a specific question to a person or team

63
Q

An engineer wants to customize the regex for the default IP indicator type.
How can this change be implemented?
A. Create a new indicator type and disable the built-in IP indicator
B. Edit the regex of the default IP Indicator
C. Add a new server configuration key that will overwrite the default regex of the IP indicator
D. Delete the default IP indicator

A

A. Create a new indicator type and disable the built-in IP indicator

64
Q

In which two scenarios would it be appropriate to implement a loop for a sub-playbook? (Choose two.)
A. In repetitive process flows to iterate for each playbook input
B. When continuously ingesting incidents from third-party systems
C. In repetitive process flows with no more than 10 loops
D. In repetitive processes that require sub-playbook re-execution

A

A. In repetitive process flows to iterate for each playbook input
D. In repetitive processes that require sub-playbook re-execution

65
Q

Which configuration is a valid distributed database (DB) implementation?
A. 2 main DBs, 1 application server, 2 node servers
B. 1 main DB, 1 application server, 3 node servers
C. 2 application servers, 1 main DB, 1 node server
D. 1 application server, 2 main DBs, 1 node server

A

B. 1 main DB, 1 application server, 3 node servers

66
Q

An engineer would like to add a custom field to the New Job form for a job triggered from a threat intel feed.
How would the engineer implement this?
A. The new job form changes based on the threat intel feed integration configuration
B. The new job form can be edited from the Indicator Feed incident type editor
C. The new job form for a threat intel feed job cannot be edited
D. The new job form can be edited from the threat intel feeds integration settings

A

B. The new job form can be edited from the Indicator Feed incident type editor

67
Q

An automation returned an output called: csvReport.
What filter would be used to check if the automation returned results?
A. Contains/Includes
B. Equals/Matches
C. In/In list
D. Is defined/Exist

A

D. Is defined/Exist

68
Q

What is the difference between labels and fields?
A. Fields can be used in playbooks and labels cannot
B. Fields are indexed in the database and labels are not
C. Labels can be used in queries and fields cannot
D. Labels are indexed in the database and fields are not

A

C. Labels can be used in queries and fields cannot

69
Q

What is the default task type when creating an empty task?
A. Standard (Manual)
B. Conditional
C. Section header
D. Standard (Automated)

A

A. Standard (Manual)

70
Q

Which two methods are used to add new content to the XSOAR Content Repository? (Choose two.)
A. Create content and add it to the standard content by contributing through the Marketplace
B. Use the XSOAR GitHub Contribution Guide to add the contribution to the standard content
C. Create a support ticket with the custom content for review by the support team
D. Any custom content will be automatically uploaded to the content repository

A

A. Create content and add it to the standard content by contributing through the Marketplace
D. Any custom content will be automatically uploaded to the content repository

71
Q

In which two options can an automation script be executed? (Choose two.)
A. Engine
B. Integration
C. War room
D. Playbook

A

A. Engine
C. War room

72
Q

By default, automation written in which language will be executed in a Docker container?
A. Python
B. Go
C. JavaScript
D. Perl

A

A. Python

73
Q

What is the correct definition regarding integration parameters and command arguments?
A. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
B. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
C. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
D. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.

A

D. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.

74
Q

In which two locations can filters and transformers be used on XSOAR? (Choose two.)
A. Classification and Mapping
B. Playbook Tasks
C. Evidence Fields
D. Incident Fields

A

A. Classification and Mapping
B. Playbook Tasks

75
Q

Which three actions can an engineer take on the troubleshooting page? (Choose three.)
A. Download the debug log bundle
B. Put the XSOAR server in maintenance mode
C. View and modify server configuration settings
D. Export and import custom content
E. View a list of server administrators

A

A. Download the debug log bundle
C. View and modify server configuration settings
D. Export and import custom content

76
Q

An XSOAR engineer has developed a playbook and would like to contribute it to the XSOAR Marketplace to share with other users.
Which two options are available to the Engineer for contributing to the Marketplace? (Choose two.)
A. Open a ticket with the XSOAR support team
B. Create a pull request directly on Github
C. Contribute through the XSOAR UI
D. Send an email to contributions@xsoar.com

A

B. Create a pull request directly on Github
C. Contribute through the XSOAR UI

77
Q

Which two input requirements are needed to train a machine learning model? (Choose two.)
A. 3000 Incidents
B. Incident Field
C. Verdict Label
D. Incident Type

A

B. Incident Field
D. Incident Type

78
Q

Which two solutions are available to scale an overloaded XSOAR environment? (Choose two.)
A. Add a distributed database server
B. Add an indexing server
C. Add a live backup server (disaster recovery)
D. Add an engine

A

A. Add a distributed database server
D. Add an engine

79
Q

Management would like to get an incident report automatically following an incident’s closure.
How would this be accomplished?
A. Define a task in a playbook to generate an incident report before the closure occurs
B. Manually create an ‘Incident Report’
C. Configure post-processing using a script
D. Create an ‘Incident Report’ from the Reports page

A

C. Configure post-processing using a script

80
Q

Which two reasons would lead an engineer to create a custom widget? (Choose two.)
A. To visualize server configuration keys
B. To visualize XSOAR list data
C. To visualize complex incident data calculations
D. To visualize context data
E. To visualize a custom query

A

D. To visualize context data
E. To visualize a custom query

81
Q

Which port should a security team use to pull data from Console’s API?
A. 53
B. 25
C. 8084
D. 8083

A

D. 8083

82
Q

When developing a playbook, which of the following can be used by an XSOAR Administrator?
A. The Debugger panel to test data with one of the last five incidents. This will affect the incident’s original incident data.
B. Context data from existing incidents by exporting the YAML data from incidents and importing it to the playbook editor.
C. Debugger panel and XML data from a similar incident with New Mock Incident. This will not affect the incident’s original incident data.
D. The Debugger panel to test data with one of the last fifty incidents. This will not affect the incident’s original incident data.

A

D. The Debugger panel to test data with one of the last fifty incidents. This will not affect the incident’s original incident data.

83
Q

What does the outgoing mapper support?
A. Mirroring
B. Classification
C. Dynamic fields
D. Pre-processing

A

A. Mirroring