PCSAE Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills
Are you preparing for the PCSAE certification exam? Start with this free set of 50 carefully selected, real exam-style questions to test your knowledge and identify areas for improvement.
Practicing with these free PCSAE practice questions gives you an edge by allowing you to:
- Understand the exam structure and question formats
- Discover your strong and weak areas
- Build the confidence you need for test day success
Below, you will find 50 free PCSAE practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review.
In which three locations can an engineer try to find information, when troubleshooting a failed integration instance error produced by the test button? (Choose three.)
A. The audit log
B. The log bundle
C. The source code for an integration
D. The error message returned directly below the button
E. The playground war room
Which two functions in XSOAR are incident types used for? (Choose two.)
A. To run dedicated playbooks for different event types
B. To classify events ingested from various sources into the relevant types
C. To classify indicators extracted in XSOAR incidents to their respective types
D. To facilitate role based access to XSOAR incidents
When is the post-processing script executed in XSOAR?
A. Just after the incident is created
B. Just after the pre-processing is executed
C. Just after the playbook is executed
D. Just after the Close Incident button is clicked
In which two scenarios would it be appropriate to implement a loop for a sub-playbook? (Choose two.)
A. In repetitive process flows to iterate for each playbook input
B. When continuously ingesting incidents from third-party systems
C. In repetitive process flows with no more than 10 loops
D. In repetitive processes that require sub-playbook re-execution
When mapping incoming data to incident fields, which statement is correct?
A. Data that is not mapped is placed under labels
B. Only text fields are classified
C. Classification cannot be used if mapping is enabled
D. Every incoming field must be mapped
An administrator has noticed that an incident fetch has failed, causing several internal workflows to be backed up. The administrator would like to receive notifications the next time the incident fetch fails. How can they achieve this?
A. Create a custom playbook that sends an email each time the fetch fails.
B. Create a new integration that monitors the incident fetch and sends an email if the fetch fails.
C. Schedule a job that runs and monitors incidents in XSOAR that will send an email if there are no new incidents.
D. Add a server config to notify when incident fetch fails.
Can an automation script execute an integration command and an integration command execute an automation script?
A. An automation script cannot execute an integration command and an integration command cannot execute an automation script
B. An automation script can execute an integration command and an integration command cannot execute an automation script
C. An automation script cannot execute an integration command and an integration command can execute an automation script
D. An automation script can execute an integration command and an integration command can execute an automation script
You need to retrieve a list of all malicious hashes over the last 30 days. What is the correct query to use?
A. type:File reputation:Malicious sourcetimestamp:"30 days ago"
B. type:File verdict:Malicious sourcetimestamp:="30 days ago"
When creating a new tab in the layout, which section cannot be added?
A. Retrieve widget chart based on script
B. Related incidents
C. War room entries picked by entry query
D. Incident team members
Who is permitted to create and submit content to the Marketplace?
A. Only users with a valid GitHub account
B. Any user who has signed up through the dev portal
C. Any user who has a live.paloaltonetworks.com account
D. All users with the correct XSOAR Role and Permissions
To avoid exceeding API quotas for third-party services, indicators are only updated after the indicator cache expiration period. What is the default cache expiration period for indicators in XSOAR (minutes/days)?
A. 10,080 minutes (7 days)
B. 20,160 minutes (14 days)
C. 21,600 minutes (15 days)
D. 4,320 minutes (3 days)
What are two of the actions available on the Version History tab of a content pack in the marketplace? (Choose two.)
A. Download content for offline installation
B. Uninstall content pack
C. Update to x version
D. Revert to x version
Which component can be part of a load balancing group?
A. Distributed database
B. D2 agent
C. Engine
D. Load balancing server
Where can engineers add the post-processing scripts to incidents?
A. The post-processing tag must be added to the automation
B. Post-processing scripts must be added at the end of playbooks
C. Post-processing scripts must be added from the Incident Type editor
D. Post-processing scripts must be added from the Post-Process Rules editor
An engineer defined a dashboard which allows important metrics to be displayed. The engineer would like to make this dashboard the default dashboard. How can it be accomplished?
A. Default Dashboard can be defined by ‘Role’
B. Use the server configuration key: default.dashboards
C. Save the dashboard as a widget and apply it to all users
D. Right click on the dashboard tab and ‘Set as Default’
Which two input requirements are needed to train a machine learning model? (Choose two.)
A. 3000 Incidents
B. Incident Field
C. Verdict Label
D. Incident Type
After executing the DeleteContext automation with all=yes argument, how would the context data of an incident present?
A. All the data, including the incident key will be deleted, and the context data will be completely empty.
B. No difference, the automation cannot be executed manually.
C. All context data, including custom incident fields will be deleted, system incident fields will remain.
D. All context data, except the incident key will be deleted.
Which option is available in XSOAR to create the body of a Threat Intel Report?
A. Markdown
B. Grid Fields
C. DOC format
D. Javascript
Which content type can be managed using remote repositories?
A. Exclusion List
B. Canvas
C. Pre-processing rules
D. Jobs
Management would like to get an incident report automatically following an incident's closure. How would this be accomplished?
A. Define a task in a playbook to generate an incident report before the closure occurs
B. Manually create an ‘Incident Report’
C. Configure post-processing using a script
D. Create an ‘Incident Report’ from the Reports page
Which of the following is a feature of XSOAR automations?
A. can run on multiple docker containers
B. can be set to run on a scheduled basis in the automation settings
C. can be password protected
D. can be written in C++
What are possible war room result (entry) types?
A. Context, file, error, image
B. Note, indicator, error, image
C. Video, file, error, image
D. Note, file, error, image
In which two options can an automation script be executed? (Choose two.)
A. Engine
B. Integration
C. War room
D. Playbook
Which of the following are valid methods to contribute custom content? (Choose three.)
A. Submit content directly through feature requests
B. Private GitHub repository submission for premium content
C. A GitHub pull request on the public XSOAR Content Repository
D. Using the marketplace interface to upload the content
E. Using the content submission tool on live.paloaltonetworks.com
An organization has recently acquired another company as its subsidiary. The subsidiary has its infrastructure on AWS cloud as illustrated in the image below: The organization wants to use the mail server location on the subsidiary's cloud to send emails. Without acquiring additional licenses, which XSOAR component can fulfill the requirement?
A. XSOAR D2 Agents, to send the required emails.
B. An XSOAR engine that is downloaded from the XSOAR server and installed within the subsidiary.
C. Another XSOAR server that uses the same license as their primary XSOAR server.
D. A Linux server connected with an XSOAR server using SSH integration. Commands can be run remotely to access the mail server.
A playbook task generates a report as HTML in the context data. An engineer creates a custom indicator field of type "HTML" and adds the field to a section in a custom indicator layout. How can the engineer populate the HTML field in the indicator layout?
A. Populate the custom indicator field with the built-in !SetIndicator command.
B. Add HTML to a list using !setList and use it as an HTML template to populate the custom indicator field.
C. Create a custom Indicator Mapper and populate the custom indicator field.
D. Use the Mapping option in the playbook task that generates the HTML report to populate the custom indicator field.
When is the post-processing script executed in XSOAR?
A. When the incident is closed
B. When the incident is created
C. After the post processing task is executed
D. After the pre-processing is executed
Which two features does XSOAR offer to help recover from a server failure? (Choose two.)
A. Live backup (disaster recovery)
B. Distributed database
C. Backup data to XSOAR engines
D. Local backup
What is the correct definition regarding integration parameters and command arguments?
A. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
B. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
C. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
D. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
Where are incident layouts customized?
A. Settings > Object Setup > Incidents > Layouts
B. Settings > Integrations > Instance configuration
C. Settings > Object Setup > Indicators > Layouts
D. Settings > Advanced > Incident Layouts
Which two options will troubleshoot an integration's fetch incidents command? (Choose two.)
A. In the instance settings, enable the fetch incidents parameter and wait for one minute
B. Create a one task playbook with a fetch-incident command
C. execute !-fetch
D. execute !-fetch
What is the difference between labels and fields?
A. Fields can be used in playbooks and labels cannot
B. Fields are indexed in the database and labels are not
C. Labels can be used in queries and fields cannot
D. Labels are indexed in the database and fields are not
What is an example of a generic reputation command?
A. !ip
B. !getReputation
C. !reputation
D. !enrichIndicator
Which two options may be added when a content pack is being installed? (Choose two.)
A. Lists
B. Roles
C. Other content packs
D. Indicator layouts
Which two methods are used to add new content to the XSOAR Content Repository? (Choose two.)
A. Create content and add it to the standard content by contributing through the Marketplace
B. Use the XSOAR GitHub Contribution Guide to add the contribution to the standard content
C. Create a support ticket with the custom content for review by the support team
D. Any custom content will be automatically uploaded to the content repository
By default, which components does an XSOAR implementation include?
A. XSOAR server, XSOAR engine
B. Application server, distributed DB server
C. Application server, distributed DB server, Backup server
D. All in one server
On the System Diagnostics page, what is the default minimum size for a Work Plan to be considered big?
A. 2MB
B. 3MB
C. 1MB
D. 5MB
When browsing the Marketplace for new content packs, which details about each pack are you able to view?
A. The integration’s source code
B. A summary of each version history
C. A test instance for the content pack
D. The source code of each playbook
Which three types of information are displayed on the incident Quick View? (Choose three.)
A. Indicators and relationships
B. Timeline information
C. Evidence Board
D. Context data
E. Incident severity
Which field type should be used to hold more than 60,000 characters of unformatted text?
A. Short Text
B. HTML
C. Long Text
D. Markdown
What will happen if a playbook debugger is left running for more than 24 hours?
A. By default, every 24 hours, the system closes any debugger sessions that have been open for more than 180 minutes.
B. The session must be stopped during 180 minutes manually by administrator, user will receive notification automatically.
C. The session will be running till stopped manually by administrator.
D. By default, the system automatically closes any debugger session that has been open for 180 minutes.
Which two methods will allow data to be saved in incident fields within a playbook? (Choose two.)
A. setFields
B. Field mapping
C. setIncident
D. Layout inline editing
During the regular maintenance of XSOAR a customer noticed that there was an update available for the Active Directory content pack (current version 1.4.6) and updated the content pack to the latest version (version 1.4.11). However, after the update the customer noticed that the Active Directory Query integration is not working properly and asked you to resolve the issue. Which of the following set of steps can help to resolve the issue?
A. a) Navigate to Settings b) View the configured integrations and select Active Directory Authentication c) Delete all integration instances and add all integration instances again
B. a) Navigate to Marketplace b) View the installed content pack and select Active Directory content pack c) Select version 1.4.6 and click on “Revert to this version”
C. a) Navigate to Settings b) View the configured integrations and select Active Directory Query c) Delete all integration instances and add all integration instances again
D. a) Navigate to Marketplace b) View the installed content pack and select Active Directory content pack c) Click on uninstall content pack d) Navigate to Marketplace browser and reinstall the Active Directory content pack
Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)
A. The ‘Fetches Incidents’ option may not have been enabled
B. There are no new events from the external service
C. The first fetch should be manually triggered to start the fetching process
D. It can take up to 1-hour before incidents are initially fetched
Which of these would be the most operationally efficient repository for moving XSOAR custom content from a development server to a production environment?
A. A content repository specified in the Marketplace
B. Remote git repository specified in the dev-prod configuration parameters
C. The development server’s default repository
D. Cortex XSOAR public content repository
Which two statements describe how timers are configured to start and stop automatically in a playbook? (Choose two.)
A. Use a field of Number to count the number of seconds elapsed between two tasks
B. After the playbook has run, calculate the total time taken and set the timer field with this value
C. To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation stopTimer
D. From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on
What is the default landing page for a new user in XSOAR?
A. Dashboards
B. Threat Intel
C. Settings
D. Marketplace
Incidents need to be filtered by all of the following criteria: 1. Status - Pending 2. Exclude Category - Job 3. Severity - High 4. Owner - None (No owner assigned) 5. Type - Phishing 6. Email Subject - "You have won a million dollars" What is the correct query syntax for the above incident search filter?
A. status=="Pending" && category!="job" && severity=="High" && owner=="None" && type=="Phishing" && emailsubject=="You have won a million dollars"
B. Status:Pending and -Category:job and Severity:High and Owner:"" and Type:Phishing and Email Subject:You have won a million dollars
C. status:Pending and -category:job and severity:High and owner:"" and type:Phishing and emailsubject:"You have won a million dollars"
D. status:Pending or -category:job or severity:High or owner:"" or type:Phishing or emailsubject:"You have won a million dollars"
Which three authentication methods are supported when logging into XSOAR? (Choose three.)
A. OTP token
B. User name and password
C. SAML
D. Active Directory authentication
E. RADIUS
The XSOAR administrator is writing an automation and would like to return an error entry back into XSOAR if a particular command errors out. How can this be achieved?
A. Using the demisto_error() function
B. Using a print statement
C. Using the demisto.debug() function
D. Using the return_error() function
Good luck with your PCSAE certification journey!