PCSAE Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.
Looking for a reliable way to prepare for your PCSAE certification? Our PCSAE Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.
Using a PCSAE dump free set of questions can give you an edge in your exam prep by helping you:
- Understand the format and types of questions you’ll face
- Pinpoint weak areas and focus your study efforts
- Boost your confidence with realistic question practice
Below, you will find 50 free questions from our PCSAE Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.
Which two capabilities do Automation script settings include? (Choose two.)
A. Define ‘parameters’
B. Correlate to incident types
C. Define ‘outputs’
D. Set password protection
Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)
A. The ‘Fetches Incidents’ option may not have been enabled
B. There are no new events from the external service
C. The first fetch should be manually triggered to start the fetching process
D. It can take up to 1-hour before incidents are initially fetched
Which of these would be the most operationally efficient repository for moving XSOAR custom content from a development server to a production environment?
A. A content repository specified in the Marketplace
B. Remote git repository specified in the dev-prod configuration parameters
C. The development server’s default repository
D. Cortex XSOAR public content repository
An administrator wants to run an automation in the War Room to set the incident field "Description" to "Confirmed Phishing". Which command should they enter in the War Room CLI?
A. !incidentSet description=”Confirmed Phishing”
B. /incidentSet description=Confirmed Phishing
C. !setIncident description=”Confirmed Phishing”
D. /setIncident description=Confirmed Phishing
Which two features does XSOAR offer to help recover from a server failure? (Choose two.)
A. Live backup (disaster recovery)
B. Distributed database
C. Backup data to XSOAR engines
D. Local backup
What are inputs and outputs in reference to a Playbook Development Lifecycle? (Choose three.)
A. Inputs are data pieces that are present in the playbook
B. Inputs are data pieces that are present in the task
C. Outputs are used as incident trigger for playbook
D. Outputs can be derived from the result of a task or command
E. Inputs are the data fields parsed by the Classifier
Which field type should be used to hold more than 60,000 characters of unformatted text?
A. Short Text
B. HTML
C. Long Text
D. Markdown
An engineer would like to add a custom field to the New Job form for a job triggered from a threat intel feed. How would the engineer implement this?
A. The new job form changes based on the threat intel feed integration configuration
B. The new job form can be edited from the Indicator Feed incident type editor
C. The new job form for a threat intel feed job cannot be edited
D. The new job form can be edited from the threat intel feeds integration settings
Which two advanced attributes can be applied to incident fields when editing? (Choose two.)
A. Set a field trigger script
B. Associate to an incident type
C. Change field type
D. Change field name
In which three locations can an engineer try to find information, when troubleshooting a failed integration instance error produced by the test button? (Choose three.)
A. The audit log
B. The log bundle
C. The source code for an integration
D. The error message returned directly below the button
E. The playground war room
Which of the following is a prerequisite to editing out-of-the-box (OOTB) content?
A. Download the content from the Marketplace.
B. Go to Settings > About > Troubleshooting and set a flag to allow custom content.
C. Register a user account with support.paloaltonetworks.com.
D. Detach the content item you want to edit from the Marketplace.
What is the default landing page for a new user in XSOAR?
A. Dashboards
B. Threat Intel
C. Settings
D. Marketplace
What is a feature of the outgoing mapper in Cortex XSOAR?
A. Pre-processing rules
B. Classification
C. Indicator Extraction rules
D. Mirroring
Which tag is mandatory for an Indicator reputation Script while configuring an indicator type?
A. reputation-script
B. enrich
C. reputationScript
D. reputation
DRAG DROP - Match the action with the most appropriate playbook task type. Select and Place:
An engineer would like to present a trend using widgets to compare to a previous week's data. Which two methods will allow the engineer to meet the requirement? (Choose two.)
A. Create widget of type Line, check ‘Display Trend’ and define as 7 days ago
B. Create a custom widget using a new incident query
C. Create widget of type Number, check ‘Display Trend’ and define as 7 days ago
D. Create a custom widget using a script
What does the outgoing mapper support?
A. Mirroring
B. Classification
C. Dynamic fields
D. Pre-processing
An XSOAR engineer has been tasked with exporting all indicators from the production environment in the last 90 days. The final report needs to be in CSV format containing all indicator fields. How can this task be achieved?
A. Run the command !GetIndicatorsByQuery in CLI with its default arguments and export all indicators in the last 90 days.
B. SSH into the server and copy the indicator’s database.
C. In the Threat Intel page, add query firstSeen:>=”90 days ago”, select All columns in Table View, and click Export to export as a CSV.
D. Run the command !findIndicators in CLI with the query firstSeen:>=”90 days ago” and export to CSV.
A SOC analyst needs to retrieve the list of all open phishing incidents in the last 30 days. What is the correct query to use?
A. -status:closed -category:job type:Phishing created:>=”30 days ago”
B. status:closed -category:job & type:Phishing created:>=”30 days ago”
C. -status:closed -category:job & type:Phishing created:<=”30 days ago”
D. -status:closed -category:job type:Phishing created:=”30 days ago”
An engineer's organization system is registered in the following manner: . The engineer created a new indicator type for detecting systems using regex. The engineer would now like the username to be created as a separate ‘User’ indicator automatically once a system is found. What is the most efficient way for the engineer to achieve this?
A. Create a custom indicator field named ‘username’ and link it to the internal system indicator
B. Change the reputation command for the internal system indicator type
C. Create a new indicator type of the internal username and set a formatting script to extract only the username
D. Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning
Given the following context data, what would be the expected output of the expression?
A. 1E56733826E5035233A097FCEA2046AF96EC616C
B. E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD
C. 8D193FA162A305E4859BA8C45F5121F7265E3ABB
D. e6ef5142e2553c1e442a0ffac07636eac61e6edd
What are three loop types in a sub-playbook? (Choose three.)
A. For-each
B. Loop automation
C. Conditional
D. Built-in
E. Data collection
What are the three ways to add/mark entries as evidence inside the Evidence Board? (Choose three.)
A. Manually directly from the War Room with the Actions drop-down
B. From the Notes section (mark as entry icon)
C. Manually from the playbook task (mark as entry icon)
D. Automatically from playbook tasks when the option is selected on the Advanced tab
E. By running the command !MarkAsEvidence
Newly created subplaybooks do not have any inputs or outputs. What is necessary to make them functional? (Choose two.)
A. Define input key in the subplaybook task. Map context values to pull from parent playbook.
B. The output of the previous task automatically becomes the input of the subplaybook.
C. Map inputs and outputs to the parent playbook and the subplaybook will use the same values.
D. Open the subplaybook and add inputs or outputs in the Playbook triggered task.
What are two of the actions available on the Version History tab of a content pack in the marketplace? (Choose two.)
A. Download content for offline installation
B. Uninstall content pack
C. Update to x version
D. Revert to x version
An engineer deployed two different instances of Active Directory for each organization site. As part of an account enrichment use case, the engineer would like to delete a user from one specific site. Which command will accomplish this?
A. run ‘ad-delete-user’ command with ‘user-dn’ arg and using-brand="Active Directory Query v2"
B. run ‘ad-delete-user’ command with ‘user-dn’ arg and raw-response=true
C. run ‘ad-delete-user’ command with ‘user-dn’ arg and ignore-outputs=true
D. run ‘ad-delete-user’ command with ‘user-dn’ arg and using="Active Directory Query v2_instance_1"
Which content type cannot be managed using remote repositories?
A. Lists
B. Jobs
C. Pre-processing rules
D. Exclusion List
Which two situations would an engineer consider when configuring classification and mapping for an incident type? (Choose two.)
A. When creating incidents from the XSOAR REST API
B. When manually creating an incident from the UI
C. When adding a new analyst account to XSOAR
D. When fetching many different incident types from a single mailbox
After executing the DeleteContext automation with all=yes argument, how would the context data of an incident present?
A. All the data, including the incident key will be deleted, and the context data will be completely empty.
B. No difference, the automation cannot be executed manually.
C. All context data, including custom incident fields will be deleted, system incident fields will remain.
D. All context data, except the incident key will be deleted.
An automation returned an output called: csvReport. What filter would be used to check if the automation returned results?
A. Contains/Includes
B. Equals/Matches
C. In/In list
D. Is defined/Exist
An engineer is developing a playbook that will be run multiple times for testing purposes. What is the recommended first task to be used in the playbook?
A. DeleteContext
B. GenerateTest
C. PrintContext
D. SetContext
What are three different loop types in a playbook? (Choose three.)
A. Automation
B. Built-in
C. Data collection
D. Conditional
E. For-each
An XSOAR Engineer has developed a playbook and would like to contribute it to the XSOAR Marketplace to share with other users. Which two options are available to the Engineer for contributing to the Marketplace? (Choose two.)
A. Open a ticket with the XSOAR support team
B. Create a pull request directly on Github
C. Contribute through the XSOAR UI
D. Send an email to contributions@xsoar.com
The default expiration method for non-feed indicators is either to never expire or to expire after a specific period of time. How frequently does XSOAR check for newly expired indicators?
A. Every 24 hours
B. Every 5 minutes
C. Every 8 hours
D. Every 1 hour
Where would you look to find a personalized view of your own incidents and tasks?
A. Incident Summary View
B. My Incidents
C. My Threat Landscape
D. My Dashboard
Which option is available in XSOAR to create the body of a Threat Intel Report?
A. Markdown
B. Grid Fields
C. DOC format
D. Javascript
Reliability scores in XSOAR range from A through F. What do A and F stand for?
A. F – Reliability cannot be judged, A – Completely Reliable
B. F – Not reliable, A – Usually Reliable
C. F – Not usually reliable, A – Fairly Reliable
D. F – Unreliable, A – Completely Reliable
What is the most effective way to correlate multiple raw events coming from a SIEM and link them together?
A. Process all alerts by running the respective playbook and link related incidents during post-processing
B. Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together
C. Configure a pre-process rule to link related events as they are ingested
D. Manually go through the incidents created by the raw events and link related incidents
During configuration of the inputs of a sub-playbook in the main playbook, there is an option under the Loop tab called "For Each Input". What is this option used for?
A. To loop the sub-playbook over all context values present in the investigation
B. To loop the sub-playbook over all incident fields for the given incident
C. To loop the sub-playbook over all the fields marked as important
D. To loop the sub-playbook over all defined sub-playbook inputs
Where are incident layouts customized?
A. Settings > Object Setup > Incidents > Layouts
B. Settings > Integrations > Instance configuration
C. Settings > Object Setup > Indicators > Layouts
D. Settings > Advanced > Incident Layouts
Which of the following is a basic setting that can be configured in an automation?
A. Summary
B. Compiler
C. Schedule
D. Run On
Inside the Incidents table view, which actions can be performed on the selected incidents? (Choose two.)
A. Run Command, Export, and Close and Delete for all selected incidents regardless of their status
B. Assign, Edit, and Mark as Duplicate for all selected incidents regardless of their status
C. Run Command for all selected incidents having Active status
D. Export incidents as JSON and change incident status
DRAG DROP - Match the operations with the appropriate context. Select and Place:
How would context data be filtered to receive only malicious indicator values with DBotScore?
A. Get DBotScore.value where DBotScore.Score (Larger or equals) 4
B. Get DBotScore.value where DBotScore.Score (equals (int)) 3
C. Get DBotScore where DBotScore.Score (Larger than) 1
D. Get DBotScore where DBotScore.Score (Larger or equals) 2
What happens if both a Classifier and Incident Type are configured in an integration instance's settings?
A. The administrator will receive a notification that there is both a Classifier and Incident Type set for that integration instance.
B. The Incident Type will be ignored, and incoming incidents will be classified according to the Classifier.
C. The Classifier will be ignored, and incoming incidents will be classified according to the Incident Type.
D. Both the Classifier and Incident Type will classify incoming incidents.
What is the function of timer SLA fields in Cortex XSOAR?
A. To track SLA breaches per playbook
B. To run a script that executes on SLA assignment
C. To automatically alert the analyst on SLA breach
D. To count the time between one or more tasks
When uploading content, which two options could the upload include? (Choose two.)
A. Indicators
B. Incidents
C. Reports
D. Fields
Which content type can be managed using remote repositories?
A. Exclusion List
B. Canvas
C. Pre-processing rules
D. Jobs
Which field type provides an interactive and editable display of table-based data?
A. HTML
B. Grid (table)
C. Markdown
D. Multi Select
What is the default configuration for indicator auto-extraction when incidents are created?
A. Inline
B. Inband
C. None
D. Out of band