PCSAE Practice Test Free – 50 Real Exam Questions to Boost Your Confidence
Preparing for the PCSAE exam? Start with our PCSAE Practice Test Free – a set of 50 high-quality, exam-style questions crafted to help you assess your knowledge and improve your chances of passing on the first try.
Taking a PCSAE practice test free is one of the smartest ways to:
- Get familiar with the real exam format and question types
- Evaluate your strengths and spot knowledge gaps
- Gain the confidence you need to succeed on exam day
Below, you will find 50 free PCSAE practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
Which tag is mandatory for an Indicator reputation Script while configuring an indicator type?
A. reputation-script
B. enrich
C. reputationScript
D. reputation
In which two locations can filters and transformers be used in XSOAR? (Choose two.)
A. Classification and Mapping
B. Playbook Tasks
C. Evidence Fields
D. Incident Fields
Select the correct incident life cycle on XSOAR.
A. Planning > Incident Ingestion > Incident Creation > Mapping and Classification > Pre-processing > Playbook runs > Post-processing
B. Planning > Incident Ingestion > Pre-processing > Incident Creation > Mapping and Classification > Playbook runs > Post-processing
C. Planning > Incident Ingestion > Pre-processing > Mapping and Classification > Incident Creation > Playbook runs > Post-processing
D. Planning > Incident Ingestion > Mapping and Classification > Pre-processing > Incident Creation > Playbook runs > Post-processing
Which two features does XSOAR offer to help recover from a server failure? (Choose two.)
A. Live backup (disaster recovery)
B. Distributed database
C. Backup data to XSOAR engines
D. Local backup
What is the correct expression to use when filtering only PDF files?
A. Use File.Extension that does not equal (string comparison) PDF
B. Use File.Name contains PDF
C. Use File.Extension contains (general) PDF
D. Use File.Extension equals (string comparison) PDF
What is the default landing page for a new user in XSOAR?
A. Dashboards
B. Threat Intel
C. Settings
D. Marketplace
Which field type should be used to hold more than 60,000 characters of unformatted text?
A. Short Text
B. HTML
C. Long Text
D. Markdown
Inside the Incidents table view, which actions can be performed on the selected incidents? (Choose two.)
A. Run Command, Export, and Close and Delete for all selected incidents regardless of their status
B. Assign, Edit, and Mark as Duplicate for all selected incidents regardless of their status
C. Run Command for all selected incidents having Active status
D. Export incidents as JSON and change incident status
Which three actions can an engineer take on the troubleshooting page? (Choose three.)
A. Download the debug log bundle
B. Put the XSOAR server in maintenance mode
C. View and modify server configuration settings
D. Export and import custom content
E. View a list of server administrators
Which content type cannot be managed using remote repositories?
A. Lists
B. Jobs
C. Pre-processing rules
D. Exclusion List
In a Cortex XSOAR multi-tenant setup, when content from a development server is pushed to the remote repository, where in the production server can the updates be found?
A. Main Account
B. Tenants
C. Agent tools
D. Marketplace
Given the following context data, what would be the expected output of the expression?
A. 1E56733826E5035233A097FCEA2046AF96EC616C
B. E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD
C. 8D193FA162A305E4859BA8C45F5121F7265E3ABB
D. e6ef5142e2553c1e442a0ffac07636eac61e6edd
Which component can be part of a load balancing group?
A. Distributed database
B. D2 agent
C. Engine
D. Load balancing server
A large number of incidents were deleted by mistake. Which two architecture components can be used to recover the lost data? (Choose two.)
A. Live backup
B. Engine
C. Distributed database
D. Local backup
While testing a custom integration, an XSOAR engineer noticed that the incident fetch interval is missing. How can this be fixed?
A. Define the Incident Fetch Interval when running the integration’s commands.
B. Duplicate the integration. Edit the resulting copy and add incidentFetchInterval as a parameter. Save the integration. Configure the new integration instance with the interval required.
C. Configure the application to send incidents on the required interval.
D. Duplicate the integration. Add the interval in the code. Save the integration and configure the new integration instance with the interval required.
Which three authentication methods are supported when logging into XSOAR? (Choose three.)
A. OTP token
B. User name and password
C. SAML
D. Active Directory authentication
E. RADIUS
What happens when an integration is deprecated?
A. The integration commands in a playbook can no longer be used
B. The integration commands can be used, but it is recommended to update to the latest content pack
C. The configuration settings will be lost and the integration will no longer function
D. The integration commands in a playbook can be used, but it will fail at runtime
An engineer asked for a specific command in an integration but the capability does not exist. The engineer decided to edit the existing integration by copying the integration and adding the needed commands. What is the main concern when adding these commands?
A. The commands must return a proper result to the war room for the analysts to understand
B. The code may not be written to XSOAR standards
C. The integrations are locked and cannot be edited with additional commands
D. The custom integration will not be maintained and updated by XSOAR content team
To avoid exceeding API quotas for third-party services, indicators are only updated after the indicator cache expiration period. What is the default cache expiration period for indicators in XSOAR (minutes/days)?
A. 10,080 minutes (7 days)
B. 20,160 minutes (14 days)
C. 21,600 minutes (15 days)
D. 4,320 minutes (3 days)
What is the most effective way to correlate multiple raw events coming from a SIEM and link them together?
A. Process all alerts by running the respective playbook and link related incidents during post-processing
B. Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together
C. Configure a pre-process rule to link related events as they are ingested
D. Manually go through the incidents created by the raw events and link related incidents
A playbook task generates a report as HTML in the context data. An engineer creates a custom indicator field of type "HTML" and adds the field to a section in a custom indicator layout. How can the engineer populate the HTML field in the indicator layout?
A. Populate the custom indicator field with the built-in !SetIndicator command.
B. Add HTML to a list using !setList and use it as an HTML template to populate the custom indicator field.
C. Create a custom Indicator Mapper and populate the custom indicator field.
D. Use the Mapping option in the playbook task that generates the HTML report to populate the custom indicator field.
Which three statements are true about the Marketplace? (Choose three.)
A. Allows reverting back to a previous version of a content pack
B. Enables users to participate in the community by sharing content
C. Publishes content without additional review from the Cortex XSOAR team
D. Allows uploading of content in additional languages
E. Offers granularity in installation through content packs
What is the correct definition regarding integration parameters and command arguments?
A. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
B. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
C. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
D. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
A Cortex XSOAR Administrator is tasked with building a button for an analyst in order for the analyst to be assigned to the incident as an owner. What is the process?
A. Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with no argument
B. Edit the incident layout to add a new button that calls the AssignToMeButton automation with argument assignBy={me}
C. Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument owner={me}
D. Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument assignBy=current
Which of these would be the most operationally efficient repository for moving XSOAR custom content from a development server to a production environment?
A. A content repository specified in the Marketplace
B. Remote git repository specified in the dev-prod configuration parameters
C. The development server’s default repository
D. Cortex XSOAR public content repository
At what stage during the incident lifecycle is an incident type assigned?
A. Pre-processing
B. Incident creation
C. Classification
D. Playbook execution
An automation returned an output called: csvReport. What filter would be used to check if the automation returned results?
A. Contains/Includes
B. Equals/Matches
C. In/In list
D. Is defined/Exist
Which two capabilities do Automation script settings include? (Choose two.)
A. Define ‘parameters’
B. Correlate to incident types
C. Define ‘outputs’
D. Set password protection
Which method accesses a field called 'User Mail' in a playbook?
A. ${incident.usermail}
B. ${incident.User Mail}
C. ${incident.UserMail}
D. ${usermail}
Which two solutions are available to scale an overloaded XSOAR environment? (Choose two.)
A. Add a distributed database server
B. Add an indexing server
C. Add a live backup server (disaster recovery)
D. Add an engine
An XSOAR Engineer has developed a playbook and would like to contribute it to the XSOAR Marketplace to share with other users. Which two options are available to the Engineer for contributing to the Marketplace? (Choose two.)
A. Open a ticket with the XSOAR support team
B. Create a pull request directly on GitHub
C. Contribute through the XSOAR UI
D. Send an email to contributions@xsoar.com
An engineer would like to present a trend using widgets to compare to a previous week's data. Which two methods will allow the engineer to meet the requirement? (Choose two.)
A. Create widget of type Line, check ‘Display Trend’ and define as 7 days ago
B. Create a custom widget using a new incident query
C. Create widget of type Number, check ‘Display Trend’ and define as 7 days ago
D. Create a custom widget using a script
What does the outgoing mapper support?
A. Mirroring
B. Classification
C. Dynamic fields
D. Pre-processing
A SOC analyst needs to retrieve the list of all open phishing incidents in the last 30 days. What is the correct query to use?
A. -status:closed -category:job type:Phishing created:>="30 days ago"
B. status:closed -category:job & type:Phishing created:>="30 days ago"
C. -status:closed -category:job & type:Phishing created:<="30 days ago"
D. -status:closed -category:job type:Phishing created:="30 days ago"
After executing the DeleteContext automation with the all=yes argument, how would the context data of an incident appear?
A. All the data, including the incident key will be deleted, and the context data will be completely empty.
B. No difference, the automation cannot be executed manually.
C. All context data, including custom incident fields will be deleted, system incident fields will remain.
D. All context data, except the incident key will be deleted.
Where would you look to find a personalized view of your own incidents and tasks?
A. Incident Summary View
B. My Incidents
C. My Threat Landscape
D. My Dashboard
For troubleshooting, after a log bundle is created, where do the logs appear on the XSOAR server?
A. /var/lib/demisto
B. /tmp/log/demisto
C. /usr/local/demisto
D. /var/log/demisto
What are two primary uses of standard tasks? (Choose two.)
A. To highlight different paths in a playbook
B. To generate new widgets for a dashboard
C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators
Which task type would be used to verify/check that an integration was enabled?
A. Standard task
B. Conditional task
C. Section Header task
D. Data Collection task
Which field type provides an interactive and editable display of table-based data?
A. HTML
B. Grid (table)
C. Markdown
D. Multi Select
Where do you navigate to monitor and improve the system performance and resilience for hosts in a multitenant environment?
A. Settings > About > Troubleshooting, in the main host account. Each host has a System Diagnostics page.
B. Settings > Advanced > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
C. Settings > Account Management > Hosts, in the main host account. Each host has a System Diagnostics page.
D. Settings > About > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
What can be added to offload integration instance processing from the main server?
A. Database node
B. Application server
C. Engine
D. Development server
When uploading content, which two options could the upload include? (Choose two.)
A. Indicators
B. Incidents
C. Reports
D. Fields
When mapping incoming data to incident fields, which statement is correct?
A. Data that is not mapped is placed under labels
B. Only text fields are classified
C. Classification cannot be used if mapping is enabled
D. Every incoming field must be mapped
Which two functions in XSOAR are incident types used for? (Choose two.)
A. To run dedicated playbooks for different event types
B. To classify events ingested from various sources into the relevant types
C. To classify indicators extracted in XSOAR incidents to their respective types
D. To facilitate role based access to XSOAR incidents
An engineer is developing a playbook that will be run multiple times for testing purposes. What is the recommended first task to be used in the playbook?
A. DeleteContext
B. GenerateTest
C. PrintContext
D. SetContext
When creating an incident layout section, it is best to place long field values within which of the following?
A. Section headers
B. Rows
C. Canvas
D. Cards
On the System Diagnostics page, what is the default minimum size for a Work Plan to be considered big?
A. 2MB
B. 3MB
C. 1MB
D. 5MB
An XSOAR engineer has been tasked with exporting all indicators from the production environment in the last 90 days. The final report needs to be in CSV format containing all indicator fields. How can this task be achieved?
A. Run the command !GetIndicatorsByQuery in CLI with its default arguments and export all indicators in the last 90 days.
B. SSH into the server and copy the indicator’s database.
C. In the Threat Intel page, add query firstSeen:>="90 days ago", select All columns in Table View, and click Export to export as a CSV.
D. Run the command !findIndicators in CLI with the query firstSeen:>="90 days ago" and export to CSV.
Which two components have their own context data? (Choose two.)
A. Sub-playbook
B. Task
C. Field
D. Incident
Good luck with your PCSAE certification journey!