PCSAE Mock Test Free – 50 Realistic Questions to Prepare with Confidence.
Getting ready for your PCSAE certification exam? Start your preparation the smart way with our PCSAE Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.
Using a free mock test for the PCSAE exam is one of the best ways to:
- Familiarize yourself with the actual exam format and question style
- Identify areas where you need more review
- Strengthen your time management and test-taking strategy
Below, you will find 50 free questions from our PCSAE Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.
Which field type provides an interactive and editable display of table-based data?
A. HTML
B. Grid (table)
C. Markdown
D. Multi Select
What is the most effective way to correlate multiple raw events coming from a SIEM and link them together?
A. Process all alerts by running the respective playbook and link related incidents during post-processing
B. Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together
C. Configure a pre-process rule to link related events as they are ingested
D. Manually go through the incidents created by the raw events and link related incidents
What are recommended for placing a long text incident field value in an incident layout?
A. Section headers
B. Display filters
C. Cards
D. Rows
Which Cortex XSOAR feature assigns newly ingested event attributes to incident fields?
A. Playbooks
B. Classification
C. Mapping
D. Layouts
What does the outgoing mapper support?
A. Mirroring
B. Classification
C. Dynamic fields
D. Pre-processing
Which configuration is a valid distributed database (DB) implementation?
A. 2 main DBs, 1 application server, 2 node servers
B. 1 main DB, 1 application server, 3 node servers
C. 2 application servers, 1 main DB, 1 node server
D. 1 application server, 2 main DBs, 1 node server
While testing a custom integration, an XSOAR engineer noticed that the incident fetch interval is missing. How can this be fixed?
A. Define the Incident Fetch Interval when running the integration’s commands.
B. Duplicate the integration. Edit the resulting copy and add incidentFetchInterval as a parameter. Save the integration. Configure the new integration instance with the interval required.
C. Configure the application to send incidents on the required interval.
D. Duplicate the integration. Add the interval in the code. Save the integration and configure the new integration instance with the interval required.
An administrator has noticed that an incident fetch has failed, causing several internal workflows to be backed up. The administrator would like to receive notifications the next time the incident fetch fails. How can they achieve this?
A. Create a custom playbook that sends an email each time the fetch fails.
B. Create a new integration that monitors the incident fetch and sends an email if the fetch fails.
C. Schedule a job that runs and monitors incidents in XSOAR that will send an email if there are no new incidents.
D. Add a server config to notify when incident fetch fails.
Who is permitted to create and submit content to the Marketplace?
A. Only users with a valid Github account
B. Any user who has signed up through the dev portal
C. Any user who has a live.paloaltonetworks.com account
D. All users with the correct XSOAR Role and Permissions
What are two common use cases for conditional tasks? (Choose two.)
A. They are used for branching paths in a playbook
B. They are used to interact with users through survey functionality
C. They are used to determine which incident will be executed
D. They are used for sending a specific question to a person or team
Which of the following is a prerequisite to editing out-of-the-box (OOTB) content?
A. Download the content from the Marketplace.
B. Go to Settings > About > Troubleshooting and set a flag to allow custom content.
C. Register a user account with support.paloaltonetworks.com.
D. Detach the content item you want to edit from the Marketplace.
In which two locations can filters and transformers be used in XSOAR? (Choose two.)
A. Classification and Mapping
B. Playbook Tasks
C. Evidence Fields
D. Incident Fields
What is the function of timer SLA fields in Cortex XSOAR?
A. To track SLA breaches per playbook
B. To run a script that executes on SLA assignment
C. To automatically alert the analyst on SLA breach
D. To count the time between one or more tasks
Which two methods are used to add new content to the XSOAR Content Repository? (Choose two.)
A. Create content and add it to the standard content by contributing through the Marketplace
B. Use the XSOAR GitHub Contribution Guide to add the contribution to the standard content
C. Create a support ticket with the custom content for review by the support team
D. Any custom content will be automatically uploaded to the content repository
What is the default configuration for indicator auto-extraction when incidents are created?
A. Inline
B. Inband
C. None
D. Out of band
Which three authentication methods are supported when logging into XSOAR? (Choose three.)
A. OTP token
B. User name and password
C. SAML
D. Active Directory authentication
E. RADIUS
By default, automation written in which language will be executed in a Docker container?
A. Python
B. Go
C. JavaScript
D. Perl
What are three different loop types in a playbook? (Choose three.)
A. Automation
B. Built-in
C. Data collection
D. Conditional
E. For-each
A SOC manager built a dashboard and would like to share the dashboard with other team members. How would the SOC manager create a dashboard that meets this requirement?
A. Manually share the dashboard through user emails
B. Dashboard is shared to all XSOAR users
C. Propagate the dashboard based on SAML authentication
D. Dashboard is shared to all XSOAR users in a selected role
An engineer deployed two different instances of Active Directory for each organization site. As part of account enrichment use case, the engineer would like to delete a user from one specific site. Which command will accomplish this?
A. run ‘ad-delete-user’ command with ‘user-dn’ arg and using-brand="Active Directory Query v2"
B. run ‘ad-delete-user’ command with ‘user-dn’ arg and raw-response=true
C. run ‘ad-delete-user’ command with ‘user-dn’ arg and ignore-outputs=true
D. run ‘ad-delete-user’ command with ‘user-dn’ arg and using="Active Directory Query v2_instance_1"
Which two input requirements are needed to train a machine learning model? (Choose two.)
A. 3000 Incidents
B. Incident Field
C. Verdict Label
D. Incident Type
What is the correct definition regarding integration parameters and command arguments?
A. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
B. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.
C. Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
D. Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.
By default, which components does an XSOAR implementation include?
A. XSOAR server, XSOAR engine
B. Application server, distributed DB server
C. Application server, distributed DB server, Backup server
D. All in one server
Which three scripting languages can an engineer use to write XSOAR automations? (Choose three.)
A. Python
B. Perl
C. Go
D. JavaScript
E. Powershell
Where are incident layouts customized?
A. Settings > Object Setup > Incidents > Layouts
B. Settings > Integrations > Instance configuration
C. Settings > Object Setup > Indicators > Layouts
D. Settings > Advanced > Incident Layouts
An engineer's organization system is registered in the following manner: . The engineer created a new indicator type for detecting systems using regex. The engineer would now like the username to be created as a separate 'User' indicator automatically once a system is found. What is the most efficient way for the engineer to achieve this?
A. Create a custom indicator field named ‘username’ and link it to the internal system indicator
B. Change the reputation command for the internal system indicator type
C. Create a new indicator type of the internal username and set a formatting script to extract only the username
D. Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning
Which three actions can an engineer take on the troubleshooting page? (Choose three.)
A. Download the debug log bundle
B. Put the XSOAR server in maintenance mode
C. View and modify server configuration settings
D. Export and import custom content
E. View a list of server administrators
DRAG DROP - Arrange these steps in the order that they occur during an incident fetch. Select and Place:
Given the following context data, what would be the expected output of the expression?
A. 1E56733826E5035233A097FCEA2046AF96EC616C
B. E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD
C. 8D193FA162A305E4859BA8C45F5121F7265E3ABB
D. e6ef5142e2553c1e442a0ffac07636eac61e6edd
Given an incident with three files, how could the name of the second file be referenced?
A. ${Files.[2].Name}
B. ${Files.Name.[2]}
C. ${File.[1].Name}
D. ${File.Name.[1]}
What is the difference between labels and fields?
A. Fields can be used in playbooks and labels cannot
B. Fields are indexed in the database and labels are not
C. Labels can be used in queries and fields cannot
D. Labels are indexed in the database and fields are not
Which two solutions are available to scale an overloaded XSOAR environment? (Choose two.)
A. Add a distributed database server
B. Add an indexing server
C. Add a live backup server (disaster recovery)
D. Add an engine
When mapping incoming data to incident fields, which statement is correct?
A. Data that is not mapped is placed under labels
B. Only text fields are classified
C. Classification cannot be used if mapping is enabled
D. Every incoming field must be mapped
An organization has recently acquired another company as its subsidiary. The subsidiary has its infrastructure on AWS cloud as illustrated in the image below: The organization wants to use the mail server location on the subsidiary's cloud to send emails. Without acquiring additional licenses, which XSOAR component can fulfill the requirement?
A. XSOAR D2 Agents, to send the required emails.
B. An XSOAR engine that is downloaded from the XSOAR server and installed within the subsidiary.
C. Another XSOAR server that uses the same license as their primary XSOAR server.
D. A Linux server connected with an XSOAR server using SSH integration. Commands can be run remotely to access the mail server.
An administrator wants to run an automation in the War Room to set the incident field "Description" to "Confirmed Phishing". Which command should they enter in the War Room CLI?
A. !incidentSet description="Confirmed Phishing"
B. /incidentSet description=Confirmed Phishing
C. !setIncident description="Confirmed Phishing"
D. /setIncident description=Confirmed Phishing
What is the default landing page for a new user in XSOAR?
A. Dashboards
B. Threat Intel
C. Settings
D. Marketplace
An engineer asked for a specific command in an integration but the capability does not exist. The engineer decided to edit the existing integration by copying the integration and adding the needed commands. What is the main concern when adding these commands?
A. The commands must return a proper result to the war room for the analysts to understand
B. The code may not be written to XSOAR standards
C. The integrations are locked and cannot be edited with additional commands
D. The custom integration will not be maintained and updated by XSOAR content team
An incident field is created having the display name as Source_IP. How can the field be accessed?
A. ${incident.sourceip}
B. ${incident.Source_IP}
C. ${incident.srcip}
D. ${incident.Source IP}
Which investigation element is best suited for collaboration among users?
A. Work Plan
B. Related Incidents
C. War Room
D. Context Data
Which two options are the most effective for moving content between two environments? (Choose two.)
A. Remote repository based content sharing
B. UI based content import/export button
C. Copy the content backup from one environment file system (/var/lib/demisto/backup/content-backup-*) and move it to the other environment
D. Download the content items separately and upload them to the other environment
You can customize most aspects of the incident layout, including which three of the following? (Choose three.)
A. Which users have permissions to view the tabs
B. Which roles have permissions to view the tabs
C. Which dashboard settings are applied
D. The information and how it is displayed
E. Which tabs appear and in which order
Which option is available in XSOAR to create the body of a Threat Intel Report?
A. Markdown
B. Grid Fields
C. DOC format
D. Javascript
In Cortex XSOAR multi tenant setup, when content from a development server is pushed to the remote repository, where in the production server can the updates be found?
A. Main Account
B. Tenants
C. Agent tools
D. Marketplace
A Cortex XSOAR Administrator is tasked with building a button for an analyst in order for the analyst to be assigned to the incident as an owner. What is the process?
A. Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with no argument
B. Edit the incident layout to add a new button that calls the AssignToMeButton automation with argument assignBy={me}
C. Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument owner={me}
D. Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument assignBy=current
What is a feature of the outgoing mapper in Cortex XSOAR?
A. Pre-processing rules
B. Classification
C. Indicator Extraction rules
D. Mirroring
Which two capabilities do Automation script settings include? (Choose two.)
A. Define ‘parameters’
B. Correlate to incident types
C. Define ‘outputs’
D. Set password protection
A SOC analyst needs to retrieve the list of all open phishing incidents in the last 30 days. What is the correct query to use?
A. -status:closed -category:job type:Phishing created:>="30 days ago"
B. status:closed -category:job & type:Phishing created:>="30 days ago"
C. -status:closed -category:job & type:Phishing created:<="30 days ago"
D. -status:closed -category:job type:Phishing created:="30 days ago"
Reliability scores in XSOAR range from A through F. What do A and F stand for?
A. F – Reliability cannot be judged, A – Completely Reliable
B. F – Not reliable, A – Usually Reliable
C. F – Not usually reliable, A – Fairly Reliable
D. F – Unreliable, A – Completely Reliable
After executing the DeleteContext automation with all=yes argument, how would the context data of an incident present?
A. All the data, including the incident key will be deleted, and the context data will be completely empty.
B. No difference, the automation cannot be executed manually.
C. All context data, including custom incident fields will be deleted, system incident fields will remain.
D. All context data, except the incident key will be deleted.
Management would like to get an incident report automatically following an incident's closure. How would this be accomplished?
A. Define a task in a playbook to generate an incident report before the closure occurs
B. Manually create an ‘Incident Report’
C. Configure post-processing using a script
D. Create an ‘Incident Report’ from the Reports page