PCSAE Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the PCSAE certification? Take your preparation to the next level with our PCSAE Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a PCSAE practice exam free is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic PCSAE practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
You can customize most aspects of the incident layout, including which three of the following? (Choose three.)
A. Which users have permissions to view the tabs
B. Which roles have permissions to view the tabs
C. Which dashboard settings are applied
D. The information and how it is displayed
E. Which tabs appear and in which order
An engineer is developing a playbook that will be run multiple times for testing purposes. What is the recommended first task to be used in the playbook?
A. DeleteContext
B. GenerateTest
C. PrintContext
D. SetContext
An engineer wants to filter a csvList value according to a dynamic value saved under the context key named “test”. Refer to the image below. Which two values would save the “test” context key? (Choose two.)
A. Get csvList.value where csvList.value equals test [as value]
B. Get csvList.value where csvList.value equals test {}[from previous tasks]
C. Get csvList.value where csvList.value equals test [from previous tasks]
D. Get csvList.value where csvList.value equals ${test} [as value]
What are three different loop types in a playbook? (Choose three.)
A. Automation
B. Built-in
C. Data collection
D. Conditional
E. For-each
Which two solutions are available to scale an overloaded XSOAR environment? (Choose two.)
A. Add a distributed database server
B. Add an indexing server
C. Add a live backup server (disaster recovery)
D. Add an engine
When browsing the Marketplace for new content packs, which details about each pack are you able to view?
A. The integration’s source code
B. A summary of each version history
C. A test instance for the content pack
D. The source code of each playbook
What are two primary uses of standard tasks? (Choose two.)
A. To highlight different paths in a playbook
B. To generate new widgets for a dashboard
C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators
A playbook task generates a report as HTML in the context data. An engineer creates a custom indicator field of type "HTML" and adds the field to a section in a custom indicator layout. How can the engineer populate the HTML field in the indicator layout?
A. Populate the custom indicator field with the built-in !SetIndicator command.
B. Add HTML to a list using !setList and use it as an HTML template to populate the custom indicator field.
C. Create a custom Indicator Mapper and populate the custom indicator field.
D. Use the Mapping option in the playbook task that generates the HTML report to populate the custom indicator field.
Which option is available in XSOAR to create the body of a Threat Intel Report?
A. Markdown
B. Grid Fields
C. DOC format
D. Javascript
To avoid exceeding API quotas for third-party services, indicators are only updated after the indicator cache expiration period. What is the default cache expiration period for indicators in XSOAR (minutes/days)?
A. 10,080 minutes (7 days)
B. 20,160 minutes (14 days)
C. 21,600 minutes (15 days)
D. 4,320 minutes (3 days)
Reliability scores in XSOAR range from A through F. What do A and F stand for?
A. F – Reliability cannot be judged, A – Completely Reliable
B. F – Not reliable, A – Usually Reliable
C. F – Not usually reliable, A – Fairly Reliable
D. F – Unreliable, A – Completely Reliable
An engineer's organization system is registered in the following manner: . The engineer created a new indicator type for detecting systems using regex. The engineer would now like the username to be created as a separate ‘User’ indicator automatically once a system is found. What is the most efficient way for the engineer to achieve this?
A. Create a custom indicator field named ‘username’ and link it to the internal system indicator
B. Change the reputation command for the internal system indicator type
C. Create a new indicator type of the internal username and set a formatting script to extract only the username
D. Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning
Which two options are the most effective for moving content between two environments? (Choose two.)
A. Remote repository based content sharing
B. UI based content import/export button
C. Copy the content backup from one environment file system (/var/lib/demisto/backup/content-backup-*) and move it to the other environment
D. Download the content items separately and upload them to the other environment
What is the difference between labels and fields?
A. Fields can be used in playbooks and labels cannot
B. Fields are indexed in the database and labels are not
C. Labels can be used in queries and fields cannot
D. Labels are indexed in the database and fields are not
Given the following context data, what would be the expected output of the expression?
A. 1E56733826E5035233A097FCEA2046AF96EC616C
B. E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD
C. 8D193FA162A305E4859BA8C45F5121F7265E3ABB
D. e6ef5142e2553c1e442a0ffac07636eac61e6edd
An engineer asked for a specific command in an integration but the capability does not exist. The engineer decided to edit the existing integration by copying the integration and adding the needed commands. What is the main concern when adding these commands?
A. The commands must return a proper result to the war room for the analysts to understand
B. The code may not be written to XSOAR standards
C. The integrations are locked and cannot be edited with additional commands
D. The custom integration will not be maintained and updated by XSOAR content team
Which Cortex XSOAR feature assigns newly ingested event attributes to incident fields?
A. Playbooks
B. Classification
C. Mapping
D. Layouts
In which two scenarios would it be appropriate to implement a loop for a sub-playbook? (Choose two.)
A. In repetitive process flows to iterate for each playbook input
B. When continuously ingesting incidents from third-party systems
C. In repetitive process flows with no more than 10 loops
D. In repetitive processes that require sub-playbook re-execution
Which of these would be the most operationally efficient repository for moving XSOAR custom content from a development server to a production environment?
A. A content repository specified in the Marketplace
B. Remote git repository specified in the dev-prod configuration parameters
C. The development server’s default repository
D. Cortex XSOAR public content repository
DRAG DROP - Match the operations with the appropriate context. Select and Place:
An engineer would like to change an incident's SLA according to the severity field changes. How can the engineer achieve this task?
A. Use a field trigger script
B. Use a field display script
C. Create a job that queries for incident severity changes
D. Change the SLA manually every time the severity changes
On the System Diagnostics page, what is the default minimum size for a Work Plan to be considered big?
A. 2MB
B. 3MB
C. 1MB
D. 5MB
What is the default configuration for indicator auto-extraction when incidents are created?
A. Inline
B. Inband
C. None
D. Out of band
DRAG DROP - Match the action with the most appropriate playbook task type. Select and Place:
During configuration of the inputs of a sub-playbook in the main playbook, there is an option under the Loop tab called "For Each Input". What is this option used for?
A. To loop the sub-playbook over all context values present in the investigation
B. To loop the sub-playbook over all incident fields for the given incident
C. To loop the sub-playbook over all the fields marked as important
D. To loop the sub-playbook over all defined sub-playbook inputs
What is recommended for placing a long text incident field value in an incident layout?
A. Section headers
B. Display filters
C. Cards
D. Rows
Which two capabilities do Automation script settings include? (Choose two.)
A. Define ‘parameters’
B. Correlate to incident types
C. Define ‘outputs’
D. Set password protection
The XSOAR administrator is writing an automation and would like to return an error entry back into XSOAR if a particular command errors out. How can this be achieved?
A. Using the demisto_error() function
B. Using a print statement
C. Using the demisto.debug() function
D. Using the return_error() function
Which two functions in XSOAR are incident types used for? (Choose two.)
A. To run dedicated playbooks for different event types
B. To classify events ingested from various sources into the relevant types
C. To classify indicators extracted in XSOAR incidents to their respective types
D. To facilitate role based access to XSOAR incidents
What is the correct definition regarding integration parameters and command arguments?
A. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
B. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
C. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
D. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
Which of the following are valid methods to contribute custom content? (Choose three.)
A. Submit content directly through feature requests
B. Private GitHub repository submission for premium content
C. A GitHub pull request on the public XSOAR Content Repository
D. Using the marketplace interface to upload the content
E. Using the content submission tool on live.paloaltonetworks.com
When developing a playbook, which of the following can be used by an XSOAR administrator?
A. The Debugger panel to test data with one of the last five incidents. This will affect the incident’s original incident data.
B. Context data from existing incidents by exporting the YAML data from incidents and importing it to the playbook editor.
C. Debugger panel and XML data from a similar incident with New Mock Incident. This will not affect the incident’s original incident data.
D. The Debugger panel to test data with one of the last fifty incidents. This will not affect the incident’s original incident data.
When creating an automation in XSOAR, what is the best way to create a log message?
A. Using a debug statement
B. Using the demisto.debug() function
C. Using a print statement
D. Using the demisto.results() function
At what stage during the incident lifecycle is an incident type assigned?
A. Pre-processing
B. Incident creation
C. Classification
D. Playbook execution
When creating an incident layout section, it is best to place long field values within which of the following?
A. Section headers
B. Rows
C. Canvas
D. Cards
Which two advanced attributes can be applied to incident fields when editing? (Choose two.)
A. Set a field trigger script
B. Associate to an incident type
C. Change field type
D. Change field name
Which tag is mandatory for an Indicator reputation Script while configuring an indicator type?
A. reputation-script
B. enrich
C. reputationScript
D. reputation
An engineer would like to add a custom field to the New Job form for a job triggered from a threat intel feed. How would the engineer implement this?
A. The new job form changes based on the threat intel feed integration configuration
B. The new job form can be edited from the Indicator Feed incident type editor
C. The new job form for a threat intel feed job cannot be edited
D. The new job form can be edited from the threat intel feeds integration settings
What happens when an integration is deprecated?
A. The integration commands in a playbook can no longer be used
B. The integration commands can be used, but it is recommended to update to the latest content pack
C. The configuration settings will be lost and the integration will no longer function
D. The integration commands in a playbook can be used, but it will fail at runtime
Where do you navigate to monitor and improve the system performance and resilience for hosts in a multitenant environment?
A. Settings > About > Troubleshooting, in the main host account. Each host has a System Diagnostics page.
B. Settings > Advanced > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
C. Settings > Account Management > Hosts, in the main host account. Each host has a System Diagnostics page.
D. Settings > About > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
An XSOAR engineer has been tasked with exporting all indicators from the production environment in the last 90 days. The final report needs to be in CSV format containing all indicator fields. How can this task be achieved?
A. Run the command !GetIndicatorsByQuery in CLI with its default arguments and export all indicators in the last 90 days.
B. SSH into the server and copy the indicator’s database.
C. In the Threat Intel page, add query firstSeen:>="90 days ago", select All columns in Table View, and click Export to export as a CSV.
D. Run the command !findIndicators in CLI with the query firstSeen:>="90 days ago" and export to CSV.
What will happen if a playbook debugger is left running for more than 24 hours?
A. By default, every 24 hours, the system closes any debugger sessions that have been open for more than 180 minutes.
B. The session must be stopped manually by an administrator during 180 minutes; the user will receive a notification automatically.
C. The session will keep running until stopped manually by an administrator.
D. By default, the system automatically closes any debugger session that has been open for 180 minutes.
Which field type should be used to hold more than 60,000 characters of unformatted text?
A. Short Text
B. HTML
C. Long Text
D. Markdown
Which two features does XSOAR offer to help recover from a server failure? (Choose two.)
A. Live backup (disaster recovery)
B. Distributed database
C. Backup data to XSOAR engines
D. Local backup
What is the default task type when creating an empty task?
A. Standard (Manual)
B. Conditional
C. Section header
D. Standard (Automated)
Which two options will troubleshoot an integration's fetch incidents command? (Choose two.)
A. In the instance settings, enable the fetch incidents parameter and wait for one minute
B. Create a one task playbook with a fetch-incident command
C. execute !-fetch
D. execute !-fetch
An incident field is created having the display name as Source_IP. How can the field be accessed?
A. ${incident.sourceip}
B. ${incident.Source_IP}
C. ${incident.srcip}
D. ${incident.Source IP}
What are three loop types in a sub-playbook? (Choose three.)
A. For-each
B. Loop automation
C. Conditional
D. Built-in
E. Data collection
Incidents need to be filtered by all of the following criteria:
1. Status – Pending
2. Exclude Category – Job
3. Severity – High
4. Owner – None (No owner assigned)
5. Type – Phishing
6. Email Subject – "You have won a million dollars"
What is the correct query syntax for the above incident search filter?
A. status=="Pending" && category!="job" && severity=="High" && owner=="None" && type=="Phishing" && emailsubject=="You have won a million dollars"
B. Status:Pending and -Category:job and Severity:High and Owner:"" and Type:Phishing and Email Subject:You have won a million dollars
C. status:Pending and -category:job and severity:High and owner:"" and type:Phishing and emailsubject:"You have won a million dollars"
D. status:Pending or -category:job or severity:High or owner:"" or type:Phishing or emailsubject:"You have won a million dollars"
When creating a new tab in the layout, which section cannot be added?
A. Retrieve widget chart based on script
B. Related incidents
C. War room entries picked by entry query
D. Incident team members