PCSAE Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the PCSAE certification? Our PCSAE Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective, free PCSAE exam prep is the key to success. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic PCSAE Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.
An administrator wants to run an automation in the War Room to set the incident field "Description" to "Confirmed Phishing". Which command should they enter in the War Room CLI?
A. !incidentSet description="Confirmed Phishing"
B. /incidentSet description=Confirmed Phishing
C. !setIncident description="Confirmed Phishing"
D. /setIncident description=Confirmed Phishing
In which two scenarios would it be appropriate to implement a loop for a sub-playbook? (Choose two.)
A. In repetitive process flows to iterate for each playbook input
B. When continuously ingesting incidents from third-party systems
C. In repetitive process flows with no more than 10 loops
D. In repetitive processes that require sub-playbook re-execution
Which three authentication methods are supported when logging into XSOAR? (Choose three.)
A. OTP token
B. User name and password
C. SAML
D. Active Directory authentication
E. RADIUS
What can be added to offload integration instance processing from the main server?
A. Database node
B. Application server
C. Engine
D. Development server
What does the outgoing mapper support?
A. Mirroring
B. Classification
C. Dynamic fields
D. Pre-processing
An XSOAR engineer has been tasked with exporting all indicators from the production environment in the last 90 days. The final report needs to be in CSV format containing all indicator fields. How can this task be achieved?
A. Run the command !GetIndicatorsByQuery in CLI with its default arguments and export all indicators in the last 90 days.
B. SSH into the server and copy the indicator’s database.
C. In the Threat Intel page, add query firstSeen:>="90 days ago", select All columns in Table View, and click Export to export as a CSV.
D. Run the command !findIndicators in CLI with the query firstSeen:>="90 days ago" and export to CSV.
Who is permitted to create and submit content to the Marketplace?
A. Only users with a valid GitHub account
B. Any user who has signed up through the dev portal
C. Any user who has a live.paloaltonetworks.com account
D. All users with the correct XSOAR Role and Permissions
Select the correct incident life cycle on XSOAR.
A. Planning > Incident Ingestion > Incident Creation > Mapping and Classification > Pre-processing > Playbook runs > Post-processing
B. Planning > Incident Ingestion > Pre-processing > Incident Creation > Mapping and Classification > Playbook runs > Post-processing
C. Planning > Incident Ingestion > Pre-processing > Mapping and Classification > Incident Creation > Playbook runs > Post-processing
D. Planning > Incident Ingestion > Mapping and Classification > Pre-processing > Incident Creation > Playbook runs > Post-processing
What are two primary uses of standard tasks? (Choose two.)
A. To highlight different paths in a playbook
B. To generate new widgets for a dashboard
C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators
When creating a new tab in the layout, which section cannot be added?
A. Retrieve widget chart based on script
B. Related incidents
C. War room entries picked by entry query
D. Incident team members
Which two options are the most effective for moving content between two environments? (Choose two.)
A. Remote repository based content sharing
B. UI based content import/export button
C. Copy the content backup from one environment file system (/var/lib/demisto/backup/content-backup-*) and move it to the other environment
D. Download the content items separately and upload them to the other environment
What can you use to assign a layout, field, and playbook to an incoming incident?
A. Playbook
B. Classification and mapping
C. Incident type
D. Pre-processing
An engineer is developing a playbook that will be run multiple times for testing purposes. What is the recommended first task to be used in the playbook?
A. DeleteContext
B. GenerateTest
C. PrintContext
D. SetContext
In which two locations can filters and transformers be used in XSOAR? (Choose two.)
A. Classification and Mapping
B. Playbook Tasks
C. Evidence Fields
D. Incident Fields
What are inputs and outputs in reference to a Playbook Development Lifecycle? (Choose three.)
A. Inputs are data pieces that are present in the playbook
B. Inputs are data pieces that are present in the task
C. Outputs are used as incident trigger for playbook
D. Outputs can be derived from the result of a task or command
E. Inputs are the data fields parsed by the Classifier
Where are incident layouts customized?
A. Settings > Object Setup > Incidents > Layouts
B. Settings > Integrations > Instance configuration
C. Settings > Object Setup > Indicators > Layouts
D. Settings > Advanced > Incident Layouts
Which of the following is a prerequisite to editing out-of-the-box (OOTB) content?
A. Download the content from the Marketplace.
B. Go to Settings > About > Troubleshooting and set a flag to allow custom content.
C. Register a user account with support.paloaltonetworks.com.
D. Detach the content item you want to edit from the Marketplace.
What is the difference between labels and fields?
A. Fields can be used in playbooks and labels cannot
B. Fields are indexed in the database and labels are not
C. Labels can be used in queries and fields cannot
D. Labels are indexed in the database and fields are not
Which content type can be managed using remote repositories?
A. Exclusion List
B. Canvas
C. Pre-processing rules
D. Jobs
Which content type cannot be managed using remote repositories?
A. Lists
B. Jobs
C. Pre-processing rules
D. Exclusion List
When mapping incoming data to incident fields, which statement is correct?
A. Data that is not mapped is placed under labels
B. Only text fields are classified
C. Classification cannot be used if mapping is enabled
D. Every incoming field must be mapped
At what stage during the incident lifecycle is an incident type assigned?
A. Pre-processing
B. Incident creation
C. Classification
D. Playbook execution
Which option is available in XSOAR to create the body of a Threat Intel Report?
A. Markdown
B. Grid Fields
C. DOC format
D. Javascript
During configuration of the inputs of a sub-playbook in the main playbook, there is an option under the Loop tab called "For Each Input". What is this option used for?
A. To loop the sub-playbook over all context values present in the investigation
B. To loop the sub-playbook over all incident fields for the given incident
C. To loop the sub-playbook over all the fields marked as important
D. To loop the sub-playbook over all defined sub-playbook inputs
Which two situations would an engineer consider when configuring classification and mapping for an incident type? (Choose two.)
A. When creating incidents from the XSOAR REST API
B. When manually creating an incident from the UI
C. When adding a new analyst account to XSOAR
D. When fetching many different incident types from a single mailbox
Which method accesses a field called 'User Mail' in a playbook?
A. ${incident.usermail}
B. ${incident.User Mail}
C. ${incident.UserMail}
D. ${usermail}
What is a feature of the outgoing mapper in Cortex XSOAR?
A. Pre-processing rules
B. Classification
C. Indicator Extraction rules
D. Mirroring
A large number of incidents were deleted by mistake. Which two architecture components can be used to recover the lost data? (Choose two.)
A. Live backup
B. Engine
C. Distributed database
D. Local backup
DRAG DROP - Match the action with the most appropriate playbook task type. Select and Place:
Inside the Incidents table view, which actions can be performed on the selected incidents? (Choose two.)
A. Run Command, Export, and Close and Delete for all selected incidents regardless of their status
B. Assign, Edit, and Mark as Duplicate for all selected incidents regardless of their status
C. Run Command for all selected incidents having Active status
D. Export incidents as JSON and change incident status
When developing the playbook, which of the following can be used by an XSOAR Administrator?
A. The Debugger panel to test data with one of last five incidents. This will affect the incident’s original incident data.
B. Context data from existing incidents by exporting the YAML data from incidents and importing it to playbook editor.
C. Debugger panel and XML data from a similar incident with New Mock Incident. This will not affect the incident’s original incident data.
D. The Debugger panel to test data with one of last fifty incidents. This will not affect the incident’s original incident data.
When is the post-processing script executed in XSOAR?
A. When the incident is closed
B. When the incident is created
C. After the post processing task is executed
D. After the pre-processing is executed
Which two components have their own context data? (Choose two.)
A. Sub-playbook
B. Task
C. Field
D. Incident
Which two statements describe how timers are configured to start and stop automatically in a playbook? (Choose two.)
A. Use a field of Number to count the number of seconds elapsed between two tasks
B. After the playbook has run, calculate the total time taken and set the timer field with this value
C. To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation stopTimer
D. From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on
You can customize most aspects of the incident layout, including which three of the following? (Choose three.)
A. Which users have permissions to view the tabs
B. Which roles have permissions to view the tabs
C. Which dashboard settings are applied
D. The information and how it is displayed
E. Which tabs appear and in which order
Which tag is mandatory for an Indicator reputation Script while configuring an indicator type?
A. reputation-script
B. enrich
C. reputationScript
D. reputation
Given the following context data, what would be the expected output of the expression?
A. 1E56733826E5035233A097FCEA2046AF96EC616C
B. E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD
C. 8D193FA162A305E4859BA8C45F5121F7265E3ABB
D. e6ef5142e2553c1e442a0ffac07636eac61e6edd
An engineer would like to change an incident's SLA according to the severity field changes. How can the engineer achieve this task?
A. Use a field trigger script
B. Use a field display script
C. Create a job that queries for incident severity changes
D. Change the SLA manually every time the severity changes
An incident field is created having the display name as Source_IP. How can the field be accessed?
A. ${incident.sourceip}
B. ${incident.Source_IP}
C. ${incident.srcip}
D. ${incident.Source IP}
An engineer would like to add a custom field to the New Job form for a job triggered from a threat intel feed. How would the engineer implement this?
A. The new job form changes based on the threat intel feed integration configuration
B. The new job form can be edited from the Indicator Feed incident type editor
C. The new job form for a threat intel feed job cannot be edited
D. The new job form can be edited from the threat intel feeds integration settings
Which two solutions are available to scale an overloaded XSOAR environment? (Choose two.)
A. Add a distributed database server
B. Add an indexing server
C. Add a live backup server (disaster recovery)
D. Add an engine
During the regular maintenance of XSOAR a customer noticed that there was an update available for the Active Directory content pack (current version 1.4.6) and updated the content pack to the latest version (version 1.4.11). However, after the update the customer noticed that the Active Directory Query integration is not working properly and asked you to resolve the issue. Which of the following set of steps can help to resolve the issue?
A. a) Navigate to Settings b) View the configured integrations and select Active Directory Authentication c) Delete all integration instances and add all integration instances again
B. a) Navigate to Marketplace b) View the installed content pack and select Active Directory content pack c) Select version 1.4.6 and click on “Revert to this version”
C. a) Navigate to Settings b) View the configured integrations and select Active Directory Query c) Delete all integration instances and add all integration instances again
D. a) Navigate to Marketplace b) View the installed content pack and select Active Directory content pack c) Click on uninstall content pack d) Navigate to Marketplace browser and reinstall the Active Directory content pack
An automation returned an output called: csvReport. What filter would be used to check if the automation returned results?
A. Contains/Includes
B. Equals/Matches
C. In/In list
D. Is defined/Exist
Which investigation element is best suited for collaboration among users?
A. Work Plan
B. Related Incidents
C. War Room
D. Context Data
Where do you navigate to monitor and improve the system performance and resilience for hosts in a multitenant environment?
A. Settings > About > Troubleshooting, in the main host account. Each host has a System Diagnostics page.
B. Settings > Advanced > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
C. Settings > Account Management > Hosts, in the main host account. Each host has a System Diagnostics page.
D. Settings > About > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
Management would like to get an incident report automatically following an incident's closure. How would this be accomplished?
A. Define a task in a playbook to generate an incident report before the closure occurs
B. Manually create an ‘Incident Report’
C. Configure post-processing using a script
D. Create an ‘Incident Report’ from the Reports page
Which three scripting languages can an engineer use to write XSOAR automations? (Choose three.)
A. Python
B. Perl
C. Go
D. JavaScript
E. PowerShell
Which of the following are valid methods to contribute custom content? (Choose three.)
A. Submit content directly through feature requests
B. Private GitHub repository submission for premium content
C. A GitHub pull request on the public XSOAR Content Repository
D. Using the marketplace interface to upload the content
E. Using the content submission tool on live.paloaltonetworks.com
Which task type would be used to verify/check that an integration was enabled?
A. Standard task
B. Conditional task
C. Section Header task
D. Data Collection task
For troubleshooting, after a log bundle is created, where do the logs appear on the XSOAR server?
A. /var/lib/demisto
B. /tmp/log/demisto
C. /usr/local/demisto
D. /var/log/demisto
Good luck with your PCSAE certification journey!