PCSAE
Question 1
Which two advanced attributes can be applied to incident fields when editing? (Choose two.)
- A: Set a field trigger script
- B: Associate to an incident type
- C: Change field type
- D: Change field name
Question 2
Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)
- A: The 'Fetches Incidents' option may not have been enabled
- B: There are no new events from the external service
- C: The first fetch should be manually triggered to start the fetching process
- D: It can take up to 1 hour before incidents are initially fetched
Question 3
Which of the following is a feature of XSOAR automations?
- A: can run on multiple docker containers
- B: can be set to run on a scheduled basis in the automation settings
- C: can be password protected
- D: can be written in C++
Question 4
When is the post-processing script executed in XSOAR?
- A: Just after the incident is created
- B: Just after the pre-processing is executed
- C: Just after the playbook is executed
- D: Just after the Close Incident button is clicked
Question 5
Which option is available in XSOAR to create the body of a Threat Intel Report?
- A: Markdown
- B: Grid Fields
- C: DOC format
- D: Javascript
Question 6
Given the following context data, what would be the expected output of the expression?
- A: 1E56733826E5035233A097FCEA2046AF96EC616C
- B: E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD
- C: 8D193FA162A305E4859BA8C45F5121F7265E3ABB
- D: e6ef5142e2553c1e442a0ffac07636eac61e6edd
Question 7
Where are incident layouts customized?
- A: Settings > Object Setup > Incidents > Layouts
- B: Settings > Integrations > Instance configuration
- C: Settings > Object Setup > Indicators > Layouts
- D: Settings > Advanced > Incident Layouts
Question 8
How can Cortex XSOAR administrators prevent junior analysts from viewing a senior analyst dashboard?
- A: Share the dashboard in Read and Edit mode for senior analysts.
- B: Share the dashboard in Read & Edit mode for senior analysts and Read Only for junior analysts.
- C: Share the dashboard in Read and Write mode for senior analysts.
- D: Share the dashboard in Read Only mode for junior analysts and senior analysts.
Question 9
Which content type cannot be managed using remote repositories?
- A: Lists
- B: Jobs
- C: Pre-processing rules
- D: Exclusion List
Question 10
Which task type would be used to verify/check that an integration was enabled?
- A: Standard task
- B: Conditional task
- C: Section Header task
- D: Data Collection task
Question 11
Which two capabilities do Automation script settings include? (Choose two.)
- A: Define 'parameters'
- B: Correlate to incident types
- C: Define 'outputs'
- D: Set password protection
Question 12
After executing the DeleteContext automation with all=yes argument, how would the context data of an incident present?
- A: All the data, including the incident key will be deleted, and the context data will be completely empty.
- B: No difference, the automation cannot be executed manually.
- C: All context data, including custom incident fields will be deleted, system incident fields will remain.
- D: All context data, except the incident key will be deleted.
Question 13
An XSOAR engineer has been tasked with exporting all indicators from the production environment in the last 90 days. The final report needs to be in CSV format containing all indicator fields. How can this task be achieved?
- A: Run the command !GetIndicatorsByQuery in CLI with its default arguments and export all indicators in the last 90 days.
- B: SSH into the server and copy the indicator's database.
- C: In the Threat Intel page, add query firstSeen:>="90 days ago", select All columns in Table View, and click Export to export as a CSV.
- D: Run the command !findIndicators in CLI with the query firstSeen:>="90 days ago" and export to CSV.
Question 14
An administrator has noticed that an incident fetch has failed, causing several internal workflows to be backed up. The administrator would like to receive notifications the next time the incident fetch fails.
How can they achieve this?
- A: Create a custom playbook that sends an email each time the fetch fails.
- B: Create a new integration that monitors the incident fetch and sends an email if the fetch fails.
- C: Schedule a job that runs and monitors incidents in XSOAR that will send an email if there are no new incidents.
- D: Add a server config to notify when incident fetch fails.
Question 15
Threat Intel search queries can be shared with which of the following? (Select 1)
- A: Users defined in the platform (email or username)
- B: Other organizations via the Marketplace
- C: Users outside XSOAR via email invite
- D: Roles defined in the platform
Question 16
An administrator wants to run an automation in the War Room to set the incident field "Description" to "Confirmed Phishing". Which command should they enter in the War Room CLI?
- A: !incidentSet description="Confirmed Phishing"
- B: /incidentSet description=Confirmed Phishing
- C: !setIncident description="Confirmed Phishing"
- D: /setIncident description=Confirmed Phishing
Question 17
Select the correct incident life cycle on XSOAR.
- A: Planning > Incident Ingestion > Incident Creation > Mapping and Classification > Pre-processing > Playbook runs > Post-processing
- B: Planning > Incident Ingestion > Pre-processing > Incident Creation > Mapping and Classification > Playbook runs > Post-processing
- C: Planning > Incident Ingestion > Pre-processing > Mapping and Classification > Incident Creation > Playbook runs > Post-processing
- D: Planning > Incident Ingestion > Mapping and Classification > Pre-processing > Incident Creation > Playbook runs > Post-processing
Question 18
Which of the following is a prerequisite to editing out-of-the-box (OOTB) content?
- A: Download the content from the Marketplace.
- B: Go to Settings > About > Troubleshooting and set a flag to allow custom content.
- C: Register a user account with support.paloaltonetworks.com.
- D: Detach the content item you want to edit from the Marketplace.
Question 19
At what stage during the incident lifecycle is an incident type assigned?
- A: Pre-processing
- B: Incident creation
- C: Classification
- D: Playbook execution
Question 20
What can you use to assign a layout, field, and playbook to an incoming incident?
- A: Playbook
- B: Classification and mapping
- C: Incident type
- D: Pre-processing
Question 21
For troubleshooting, after a log bundle is created, where do the logs appear on the XSOAR server?
- A: /var/lib/demisto
- B: /tmp/log/demisto
- C: /usr/local/demisto
- D: /var/log/demisto
Question 22
Which three types of information are displayed on the incident Quick View? (Choose three.)
- A: Indicators and relationships
- B: Timeline information
- C: Evidence Board
- D: Context data
- E: Incident severity
Question 23
Where do you navigate to monitor and improve the system performance and resilience for hosts in a multitenant environment?
- A: Settings > About > Troubleshooting, in the main host account. Each host has a System Diagnostics page.
- B: Settings > Advanced > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
- C: Settings > Account Management > Hosts, in the main host account. Each host has a System Diagnostics page.
- D: Settings > About > System Diagnostics, in the main host account. Each host has a System Diagnostics page.
Question 24
When creating an automation in XSOAR, what is the best way to create a log message?
- A: Using a debug statement
- B: Using the demisto.debug() function
- C: Using a print statement
- D: Using the demisto.results() function
Question 25
What is an example of a generic reputation command?
- A: !ip
- B: !getReputation
- C: !reputation
- D: !enrichIndicator