New Year Sale Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Activedumpsnet Logo
  1. Home
  2. Paloalto Networks
  3. Security Operations
  4. XSOAR-Engineer
  5. XSOAR-Engineer - Palo Alto Networks XSOAR Engineer

Paloalto Networks XSOAR-Engineer Palo Alto Networks XSOAR Engineer Exam Practice Test

Page: 1 / 20
Total 204 questions
Get XSOAR-Engineer Full Access Download XSOAR-Engineer PDF

Palo Alto Networks XSOAR Engineer Questions and Answers

Question 1

What happens when an integration is deprecated?

Options:

A.

The integration commands in a playbook can no longer be used

B.

The integration commands can be used, but it is recommended to update to the latest content pack

C.

The configuration settings will be lost and the integration will no longer function

D.

The integration commands in a playbook can be used, but it will fail at runtime

Question 2

Previous playbook tasks have built out the context in the image below.

Question # 2

When specifying ${User.Name} as an input for a sub playbook task which has the default loop configuration, how many times will the sub-playbook be executed?.

Options:

A.

0.

B.

1.

C.

3.

D.

4.

Question 3

Which component can be part of a load balancing group?

Options:

A.

Distributed database

B.

D2 agent

C.

Engine

D.

Load balancing server

Question 4

By default, which components does an XSOAR implementation include?

Options:

A.

XSOAR server, XSOAR engine

B.

Application server, distributed DB server

C.

Application server, distributed DB server, Backup server

D.

All in one server

Question 5

Can an automation script execute an integration command and an integration command execute an automation script?

Options:

A.

An automation script cannot execute an integration command and an integration command cannot execute an automation script

B.

An automation script can execute an integration command and an integration command cannot execute an automation script

C.

An automation script cannot execute an integration command and an integration command can execute an automation script

D.

An automation script can execute an integration command and an integration command can execute an automation script

Question 6

Which three support types are included in the Marketplace Content Packs? (Choose three.)

Options:

A.

Customer supported

B.

Contex XSOAR supported

C.

Community supported

D.

Partner supported

E.

Prisma Cloud supported

Question 7

Incidents need to be filtered by all of the following criteria:

1.Status – Pending

2.Exclude Category – Job

3.Severity – High

4.Owner – None (No owner assigned)

5.Type – Phishing

6.Email Subject – “You have won a million dollars”

What is the correct query syntax for the above incident search filter?

Options:

A.

status==“Pending“andandcategory!=”job”andandseverity==”High”andandowner==”None”andandtype==”Phishing”andandemailsubject==”You have won a million dollars”

B.

Status:Pending and –Category:job and Severity:High and Owner:”” and Type:Phishing and Email Subject:You have won a million dollars

C.

status:Pending and –category:job and severity:High and owner:”” and type:Phishing and emailsubject:”You have won a million dollars”

D.

status:Pending or –category:job or severity:High or owner:”” or type:Phishing or emailsubject:”You have won a million dollars”

Question 8

Which of the following is a basic setting that can be configured in an automation?

Options:

A.

Summary

B.

Compiler

C.

Schedule

D.

Run On

Question 9

Which two options may be added when a content pack is being installed? (Choose two.)

Options:

A.

Lists

B.

Roles

C.

Other content packs

D.

Indicator layouts

Question 10

Question # 10

Given the following context data, what would be the expected output of the expression?

Options:

A.

1E56733826E5035233A097FCEA2046AF96EC616C

B.

E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD

C.

8D193FA162A305E4859BA8C45F5121F7265E3ABB

D.

e6ef5142e2553c1e442a0ffac07636eac61e6edd

Question 11

A playbook needs to dynamically add an email sender's address to a Cortex XSOAR list named "BlockedSenders_Email."

Which built-in command should be used within the playbook to add this email address to the specified list?.

Options:

A.

!addToList listName="BlockedSenders_Email" listData="".

B.

!appendToListContext listPath="BlockedSenders Email" data="".

C.

!setIncident list.BlockedSenders_Emai1="".

D.

!createListItem listName="BlockedSenders_Email" itemValue="".

Question 12

During the regular maintenance of XSOAR a customer noticed that there was an update available for the Active Directory content pack (current version 1.4.6) and updated the content pack to the latest version (version 1.4.11). However, after the update the customer noticed that the Active Directory Query integration is not working properly and asked you to resolve the issue.

Which of the following set of steps can help to resolve the issue?

Options:

A.

Navigate to SettingsView the configured integrations and select Active Directory AuthenticationDelete all integration instances and add all integration instances again

B.

Navigate to MarketplaceView the installed content pack and select Active Directory content packSelect version 1.4.6 and click on "Revert to this version"

C.

Navigate to SettingsView the configured integrations and select Active Directory QueryDelete all integration instances and add all integration instances again

D.

Navigate to MarketplaceView the installed content pack and select Active Directory content packClick on uninstall content packNavigate to Marketplace browser and reinstall the Active Directory content pack

Question 13

What are two of the actions available on the Version History tab of a content pack in the marketplace? (Choose two.)

Options:

A.

Download content for offline installation

B.

Uninstall content pack

C.

Update to x version

D.

Revert to x version

Question 14

Which two components have their own context data? (Choose two.)

Options:

A.

Sub-playbook

B.

Task

C.

Field

D.

Incident

Question 15

If a known malicious domain is no longer associated with a specific IP address, which action will make the association inactive?.

Options:

A.

Revoke the relationship.

B.

Update the relationship type.

C.

Expire the IP address indicator.

D.

Update the indicator relationship description.

Question 16

An engineer’s organization system is registered in the following manner: . The engineer created a new indicator type for detecting systems using regex. The engineer would now like the username to be created as a separate ‘User’ indicator automatically once a system is found.

What is the most efficient way for the engineer to achieve this?

Options:

A.

Create a custom indicator field named ‘username’ and link it to the internal system indicator

B.

Change the reputation command for the internal system indicator type

C.

Create a new indicator type of the internal username and set a formatting script to extract only theusername

D.

Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning

Question 17

After executing the DeleteContext automation with all=yes argument, how would the context data of an incident present?

Options:

A.

All the data, including the incident key will be deleted, and the context data will be completely empty.

B.

No difference, the automation cannot be executed manually.

C.

All context data, including custom incident fields will be deleted, system incident fields will remain.

D.

All context data, except the incident key will be deleted.

Question 18

Which of the following is a prerequisite to editing out-of-the-box (OOTB) content?

Options:

A.

Download the content from the Marketplace.

B.

Go to Settings > About >Troubleshooting and set a flag to allow custom content.

C.

Register a user account with support.paloaltonetworks.com .

D.

Detach the content item you want to edit from the Marketplace.

Question 19

What will happen if a playbook debugger is left running for more than 24 hours?

Options:

A.

By default, every 24 hours, the system closes any debugger sessions that have been open for more than 180 minutes.

B.

The session must be stopped during 180 minutes manually by administrator, user will receive notification automatically.

C.

The session will be running till stopped manually by administrator.

D.

By default, the system closes automatically any debugger session that have been open 180 minutes.

Question 20

Which configuration is a valid distributed database (DB) implementation?

Options:

A.

2 main DBs, 1 application server, 2 node servers

B.

1 main DB, 1 application server, 3 node servers

C.

2 application servers, 1 main DB, 1 node server

D.

1 application server, 2 main DBs, 1 node server

Question 21

Which of the following does a XSOAR Admin need to create an integration with a third party cloud application?

Options:

A.

Marketplace access

B.

Application with API

C.

Private key/Public key integration

D.

Multitenant deployment

Question 22

Which task type would be used to verify/check that an integration was enabled?

Options:

A.

Standard task

B.

Conditional task

C.

Section Header task

D.

Data Collection task

Question 23

When creating an automation in XSOAR, what is the best way to create a log message?

Options:

A.

Using a debug statement

B.

Using the demisto.debug() function

C.

Using a print statement

D.

Using the demisto.results() function

Question 24

How would context data be filtered to receive only malicious indicator values with DBotScore?

Options:

A.

Get DBotScore.value where DBotScore.Score (Larger or equals) 4

B.

Get DBotScore.value where DBotScore.Score (equals (int)) 3

C.

Get DBotScore where DBotScore.Score (Larger than) 1

D.

Get DBotScore where DBotScore.Score (Larger or equals) 2

Question 25

Select the correct incident life cycle on XSOAR.

Options:

A.

Planning > Incident Ingestion > Incident Creation > Mapping and Classification > Pre-processing > Playbook runs > Post-processing

B.

Planning > Incident Ingestion > Pre-processing > Incident Creation > Mapping and Classification > Playbook runs > Post-processing

C.

Planning > Incident Ingestion > Pre-processing > Mapping and Classification > Incident Creation > Playbook runs > Post-processing

D.

Planning > Incident Ingestion > Mapping and Classification > Pre-processing > Incident Creation > Playbook runs > Post-processing

Question 26

Which content type cannot be managed using remote repositories?

Options:

A.

Lists

B.

Jobs

C.

Pre-processing rules

D.

Exclusion List

Question 27

An administrator has noticed that an incident fetch has failed, causing several internal workflows to be backed up. The administrator would like to receive notifications the next time the incident fetch fails.

How can they achieve this?

Options:

A.

Create a custom playbook that sends an email each time the fetch fails.

B.

Create a new integration that monitors the incident fetch and sends an email if the fetch fails.

C.

Schedule a job that runs and monitors incidents in XSOAR that will send an email if there are no new incidents.

D.

Add a server config to notify when incident fetch fails.

Question 28

Which two situations would an engineer consider when configuring classification and mapping for an incident type? (Choose two.)

Options:

A.

When creating incidents from the XSOAR REST API

B.

When manually creating an incident from the UI

C.

When adding a new analyst account to XSOAR

D.

When fetching many different incident types from a single mailbox

Question 29

An engineer notices that playbooks only start once the user clicks the ‘investigate’ button and he/she would like the playbook to start automatically.

How can this be implemented?

Options:

A.

Add the playbook to the integration’s settings

B.

Select ‘Run playbook automatically’ from the incident type settings

C.

Add the !startinvestigation automation to the beginning of the playbook

D.

Select ‘Run playbook automatically’ from the integration settings

Question 30

An administrator wants to run an automation in the War Room to set the incident field "Description" to "Confirmed Phishing". Which command should they enter in the War Room CLI?

Options:

A.

!incidentSet description="Confirmed Phishing"

B.

/incidentSet description=Confirmed Phishing

C.

!setIncident description="Confirmed Phishing"

D.

/setIncident description=Confirmed Phishing

Question 31

Which three statements are true about the Marketplace? (Choose three.)

Options:

A.

Allows reverting back to a previous version of a content pack

B.

Enables users to participate in the community by sharing content

C.

Publishes content without additional review from the Cortex XSOAR team

D.

Allows uploading of content in additional languages

E.

Offers granularity in installation through content packs

Question 32

What is the correct way to install different engines on the same Ubuntu machine for a Dev/Prod setup?.

Options:

A.

Use Shell installer and create a custom JSON configuration file.

B.

Use different docker instances in the machine to install each engine.

C.

Use Shell installer with "Allow running multiple engines.".

D.

Create a DEB installer and modify in the JSON configuration.

Question 33

An engineer adds a new "Forensics" tab that includes several sections for detailed artifact analysis to the "Malware Incident" layout. However, junior analysts report they cannot see this tab, while senior analysts can.

Which configuration setting is the most likely reason for this discrepancy?.

Options:

A.

The underlying fields within the tab sections was incorrectly mapped.

B.

The tab was not added to the junior analyst role group.

C.

The tab was marked as read-only in the layout configuration for the junior analyst roles.

D.

A display filter was applied to the tab in the layout editor.

Question 34

What is the result of an indicator being marked as expired?.

Options:

A.

It still exists and can be searched.

B.

It is immediately deleted from the database.

C.

It still exists but is not searchable.

D.

It is deleted from the database after seven days.

Question 35

Which Marketplace content pack will allow sharing of threat intelligence in STIX format?.

Options:

A.

External dynamic list.

B.

MISP Server.

C.

Generic Export Indicators Service.

D.

TAXII Server.

Question 36

Which feature is used to convert event data values into incident fields when an integration fetches an event?.

Options:

A.

Classification.

B.

Mapping.

C.

Field configuration.

D.

Layout configuration.

Question 37

An automation returned an output called: csvReport.

What filter would be used to check if the automation returned results?

Options:

A.

Contains/Includes

B.

Equals/Matches

C.

In/In list

D.

Is defined/Exist

Question 38

An organization has recently acquired another company as its subsidiary. The subsidiary has its infrastructure on AWS cloud as illustrated in the image below:

Question # 38

The organization wants to use the mail server location on the subsidiary's cloud to send emails. Without acquiring additional licenses, which XSOAR component can fulfill the requirement?

Options:

A.

XSOAR D2 Agents, to send the required emails.

B.

An XSOAR engine that is downloaded from the XSOAR server and installed within the subsidiary.

C.

Another XSOAR server that uses the same license as their primary XSOAR server.

D.

A Linux server connected with an XSOAR server using SSH integration. Commands can be run remotely to access the mail server.

Question 39

What can you use to assign a layout, field, and playbook to an incoming incident?

Options:

A.

Playbook

B.

Classification and mapping

C.

Incident type

D.

Pre-processing

Question 40

Where would you look to find a personalized view of your own incidents and tasks?

Options:

A.

Incident Summary View

B.

My Incidents

C.

My Threat Landscape

D.

My Dashboard

Question 41

Which development languages are supported when creating XSOAR automation scripts?

Options:

A.

C++, Python, Powershell

B.

Ruby, C++, Python

C.

Javascript, Powershell, C++

D.

Python, Powershell, Javascript

Question 42

Which two features does XSOAR offer to help recover from a server failure? (Choose two.)

Options:

A.

Live backup (disaster recovery)

B.

Distributed database

C.

Backup data to XSOAR engines

D.

Local backup

Question 43

When creating a new tab in the layout, which section cannot be added?

Options:

A.

Retrieve widget chart based on script

B.

Related incidents

C.

War room entries picked by entry query

D.

Incident team members

Question 44

In order to automatically run a playbook on the indicators fetched by an integration, what would an XSOAR Administrator setup?

Options:

A.

Cron job

B.

Time triggered job

C.

Feed triggered job

D.

REST API job

Question 45

Which three authentication methods are supported when logging into XSOAR? (Choose three.)

Options:

A.

OTP token

B.

User name and password

C.

SAML

D.

Active Directory authentication

E.

RADIUS

Question 46

What are two common use cases for conditional tasks? (Choose two.)

Options:

A.

They are used for branching paths in a playbook

B.

They are used to interact with users through survey functionality

C.

They are used to determine which incident will be executed

D.

They are used for sending a specific QUESTION NO: to a person or team

Question 47

What are the three ways to add/mark entries as evidence inside the Evidence Board? (Choose three.)

Options:

A.

Manually directly from the War Room with the Actions drop-down

B.

From the Notes section (mark as entry icon)

C.

Manually from the playbook task (mark as entry icon)

D.

Automatically from playbook tasks when the option is selected on the Advanced tab

E.

By running the command !MarkAsEvidence

Question 48

An engineer asked for a specific command in an integration but the capability does not exist. The engineer decided to edit the existing integration by copying the integration and adding the needed commands.

What is the main concern when adding these commands?

Options:

A.

The commands must return a proper result to the war room for the analysts to understand

B.

The code may not be written to XSOAR standards

C.

The integrations are locked and cannot be edited with additional commands

D.

The custom integration will not be maintained and updated by XSOAR content team

Question 49

An engineer wants to customize the regex for the default IP indicator type. How can this change be implemented?

Options:

A.

Create a new indicator type and disable the built-in IP indicator

B.

Edit the regex of the default IP Indicator

C.

Add a new server configuration key that will overwrite the default regex of the IP indicator

D.

Delete the default IP indicator

Question 50

What are two primary uses of standard tasks? (Choose two.)

Options:

A.

To highlight different paths in a playbook

B.

To generate new widgets for a dashboard

C.

To create an incident or escalate an existing incident

D.

To automate tasks such as parsing a file or enriching indicators

Question 51

The default expiration method for non-feed indicators is either to never expire or to expire after a specific period of time. How frequently does XSOAR check tor newly expired indicators?

Options:

A.

Every 24 hours

B.

Every 5 minutes

C.

Every 8 hours

D.

Every 1 hour

Question 52

Assuming an incident type configuration runs the associated playbook automatically, which pre-process rule action can preserve matching incidents without triggering the playbook?.

Options:

A.

Close.

B.

Update.

C.

Drop.

D.

Link.

Question 53

What is the difference between labels and fields?

Options:

A.

Fields can be used in playbooks and labels cannot

B.

Fields are indexed in the database and labels are not

C.

Labels can be used in queries and fields cannot

D.

Labels are indexed in the database and fields are not

Question 54

A playbook loop that interacts with Active Directory for user details (yielding extensive data) is altered to extract newly acquired indicators of compromise (IOCs). This change results in two critical issues:

• Rate limits being hit on integrated reputation services

• Incidents associated with hundreds of indicators

Given the settings below, what would prevent the issues in this use case?

Incident Type: AD-Analysis –

Extract Indicators on Incident Creation: Use System Default (None)

Extract Indicators on Field Change: Inline

Task 1: ad-get-user –

Mark results as note: False –

Indicator Extract Mode: Inline –

Quiet Mode: False –

Task 2: ad-disable-account –

Mark results as note: True –

Indicator Extract Mode: None –

Quiet Mode: True –

Task 3: servicenow-update-ticket –

Mark results as note: False –

Indicator Extract Mode: Use System Default

Quiet Mode: False

Options:

A.

Set AD-Analysis incident creation extraction to "Extract specific indicators.”

B.

Set ad-get-user indicator extraction mode to None.

C.

Set servicenow-update-ticket indicator extraction mode to Inline.

D.

Disable the feature that allows marking task outputs as notes.

Question 55

When developing the playbook, which of the following can be used by a XSOAR Administrator?

Options:

A.

The Debugger panel to test data with one of last five incidents. This will affect the incident’s original incident data.

B.

Context data from existing incidents by exporting the YAML data from incidents and importing it to playbook editor.

C.

Debugger panel and XML data from a similar incident with New Mock Incident. This will not affect the incidents original incident data.

D.

The Debugger panel to test data with one of last fifty incidents. This will not affect the incident’s original incident data.

Question 56

Which two options will troubleshoot an integration’s fetch incidents command? (Choose two.)

Options:

A.

In the instance settings, enable the fetch incidents parameter and wait for one minute

B.

Create a one task playbook with a fetch-incident command

C.

execute !-fetch

D.

execute !-fetch

Question 57

In which two ways can data be transferred between playbooks and sub-playbooks? (Choose two.)

Options:

A.

Inputs and outputs

B.

Through integration context

C.

Automatically extracted by sub-playbooks

D.

From context data, if context is shared globally

Question 58

Which of the following are valid methods to contribute custom content? (Choose three.)

Options:

A.

Submit content directly through feature requests

B.

Private GitHub repository submission for premium content

C.

A Github pull request on the public XSOAR Content Repository

D.

Using the marketplace interface to upload the content

E.

Using the content submission tool on live.paloaltonetworks.com

Question 59

What is the correct expression to use when filtering only PDF files?

Options:

A.

Use File.Extension that does not equal (string comparison) PDF

B.

Use File.Name contains PDF

C.

Use File.Extension contains (general) PDF

D.

Use File.Extension equals (string comparison) PDF

Question 60

What is an outcome of using sections within a tab when customizing an incident layout?.

Options:

A.

Triggering specific automations or playbooks when data within that section is modified during an investigation.

B.

Enforcing mandatory fields that must be completed before an incident can be closed.

C.

Grouping related fields and information logically, improving readability and data entry efficiency.

D.

Restricting access to sensitive fields based on user roles, ensuring data privacy within the specific incident type.

Question 61

An incident field is created having the display name as Source_IP. How can the field be accessed?

Options:

A.

${incident.sourceip}

B.

${incident.Source_IP}

C.

${incident.srcip}

D.

${incident.Source IP}

Load More XSOAR-Engineer Questions 
Page: 1 / 20
Total 204 questions
Get XSOAR-Engineer Full Access Download XSOAR-Engineer PDF