XSOAR-Engineer Palo Alto Networks XSOAR Engineer Question and Answers

Cortex XDR Incident - Quasar.

Cortex XDR Incident.

Unclassified.

Default.

Create a new indicator type and disable the built-in IP indicator

Edit the regex of the default IP Indicator

Add a new server configuration key that will overwrite the default regex of the IP indicator

Delete the default IP indicator

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with no argument

Edit the incident layout to add a new button that calls the AssignToMeButton automation with argument assignBy={me}

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument owner={me}

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument assignBy=current

30 days

14 days

7 days

60 days

By default, every 24 hours, the system closes any debugger sessions that have been open for more than 180 minutes.

The session must be stopped during 180 minutes manually by administrator, user will receive notification automatically.

The session will be running till stopped manually by administrator.

By default, the system closes automatically any debugger session that have been open 180 minutes.

Read/Write from context data

Over war room results

Input from the indicator page

Directly from a previous task

Classification and Mapping

Playbook Tasks

Evidence Fields

Incident Fields

Create content and add it to the standard content by contributing through the Marketplace

Use the XSOAR GitHub Contribution Guide to add the contribution to the standard content

Create a support ticket with the custom content for review by the support team

Any custom content will be automatically uploaded to the content repository

Dashboards

Threat Intel

Settings

Marketplace

Using a debug statement

Using the demisto.debug() function

Using a print statement

Using the demisto.results() function

Mirroring

Classification

Dynamic fields

Pre-processing

Python

Perl

Go

JavaScript

Powershell

Inputs are data pieces that are present in the playbook

Inputs are data pieces that are present in the task

Outputs are used as incident trigger for playbook

Outputs can be derived from the result of a task or command

Inputs are the data fields parsed by the Classifier

In repetitive process flows to iterate for each playbook input

When continuously ingesting incidents from third-party systems

In repetitive process flows with no more than 10 loops

In repetitive processes that requires sub-playbook re-execution

Database node

Application server

Engine

Development server

Section headers

Rows

Canvas

Cards

Closed incidents are not visible in the debugger.

Starred incidents are not visible in the debugger.

The incident type is set incorrectly.

The incident has been restricted.

Use a field trigger script

Use a field display script

Create a job that queries for incident severity changes

Change the SLA manually every time the severity changes

Using the demisto_error() function

Using a print statement

Using the demisto.debug() function

Using the return_error() function

Short Text

HTML

Long Text

Markdown

URL, API key, port

URL, certificate, image

Token, query, playbook

User-password, csv file, query

HTML

Grid (table)

Markdown

Multi Select

They are used for branching paths in a playbook

They are used to interact with users through survey functionality

They are used to determine which incident will be executed

They are used for sending a specific QUESTION NO: to a person or team

Data Collection.

Section Header task.

Conditional Ask.

Survey task.

Run an automation script in the Playground to remove usernames from the incident.

Create a pre-processing rule that runs an automation script to remove usernames from the incident as it comes into XSOAR.

Run an automation script on the XSOAR server to remove usernames from the incident.

Create a playbook task to remove the usernames from the incident.

Indicator Reputation from the feed is set to "Malicious.".

Source Reliability needs to be increased to "A - Completely reliable.".

The Indicator Expiration Method needs to be set to "Never Expire.".

The Traffic Light Protocol Color is empty.

Classification.

Inputs.

Extend context.

Mapping.

The commands must return a proper result to the war room for the analysts to understand

The code may not be written to XSOAR standards

The integrations are locked and cannot be edited with additional commands

The custom integration will not be maintained and updated by XSOAR content team

Create widget of type Line, check ‘Display Trend’ and define as 7 days ago

Create a custom widget using a new incident query

Create widget of type Number, check ‘Display Trend’ and define as 7 days ago

Create a custom widget using a script

Set of fields to present

Permission to view the tab based on ‘Users’

Permission to view the tab based on ‘Roles’

Delete built-in tabs including the war room

Dynamic sections

To allow multi-QUESTION NO: surveys without authentication restrictions

To automate tasks such as parsing a file or enriching indicators

To generate new widgets for a dashboard

To determine different paths in a playbook

Define ‘parameters’

Correlate to incident types

Define ‘outputs’

Set password protection

run ‘ad-delete-user’ command with ‘user-dn’ arg and using-brand=“Active Directory Query v2”

run ‘ad-delete-user’ command with ‘user-dn’ arg and raw-response=true

run ‘ad-delete-user’ command with ‘user-dn’ arg and ignore-outputs=true

run ‘ad-delete-user’ command with ‘user-dn’ arg and using=“Active DirectoryQuery v2_instance_1”

When creating incidents from the XSOAR REST API

When manually creating an incident from the UI

When adding a new analyst account to XSOAR

When fetching many different incident types from a single mailbox

1E56733826E5035233A097FCEA2046AF96EC616C

E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD

8D193FA162A305E4859BA8C45F5121F7265E3ABB

e6ef5142e2553c1e442a0ffac07636eac61e6edd

Playbook

Classification and mapping

Incident type

Pre-processing

In the instance settings, enable the fetch incidents parameter and wait for one minute

Create a one task playbook with a fetch-incident command

execute !-fetch

execute !-fetch

!addToList listName="BlockedSenders_Email" listData="".

!appendToListContext listPath="BlockedSenders Email" data="".

!setIncident list.BlockedSenders_Emai1="".

!createListItem listName="BlockedSenders_Email" itemValue="".

The ’Fetches Incidents’ option may not have been enabled

There are no new events from the external service

The first fetch should be manually triggered to start the fetching process

It can take up to 1-hour before incidents are initially fetched

Store incident information in JSON format

Store incident information in XML format

Pass data between playbook tasks

Pass data between to-do tasks

Fields can be used in playbooks and labels cannot

Fields are indexed in the database and labels are not

Labels can be used in queries and fields cannot

Labels are indexed in the database and fields are not

The administrator will receive a notification that there is both a Classifier and Incident Type set for that integration instance.

The Incident Type will be ignored, and incoming incidents will be classified according to the Classifier.

The Classifier will be ignored, and incoming incidents will be classified according to the Incident Type.

Both the Classifier and Incident Type will classify incoming incidents.

The playbook does not stop at the breakpoint when run from an incident.

The task was not set to "skip.".

The task was not configured to override input.

The playbook was not set to "quiet mode.".

All the data, including the incident key will be deleted, and the context data will be completely empty.

No difference, the automation cannot be executed manually.

All context data, including custom incident fields will be deleted, system incident fields will remain.

All context data, except the incident key will be deleted.

Marketplace access

Application with API

Private key/Public key integration

Multitenant deployment

setFields

Field mapping

setIncident

Layout inline editing

The Debugger panel to test data with one of last five incidents. This will affect the incident’s original incident data.

Context data from existing incidents by exporting the YAML data from incidents and importing it to playbook editor.

Debugger panel and XML data from a similar incident with New Mock Incident. This will not affect the incidents original incident data.

The Debugger panel to test data with one of last fifty incidents. This will not affect the incident’s original incident data.

Indicators and relationships

Timeline information

Evidence Board

Context data

Incident severity

SLA script.

Post-processing rule.

Field-change trigger script.

Server config.

Settings > About > Troubleshooting, in the main host account. Each host has a System Diagnostics page.

Settings > Advanced > System Diagnostics, in the main host account. Each host has a System Diagnostics page.

Settings > Account Management > Hosts, in the main host account. Each host has a System Diagnostics page.

Settings > About > System Diagnostics, in the main host account. Each host has a System Diagnostics page.

Create a custom playbook that sends an email each time the fetch fails.

Create a new integration that monitors the incident fetch and sends an email if the fetch fails.

Schedule a job that runs and monitors incidents in XSOAR that will send an email if there are no new incidents.

Add a server config to notify when incident fetch fails.

Create a custom indicator field named ‘username’ and link it to the internal system indicator

Change the reputation command for the internal system indicator type

Create a new indicator type of the internal username and set a formatting script to extract only theusername

Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning

Lists

Roles

Other content packs

Indicator layouts

Get csvList.value where csvList.value equals test [from previous tasks]

Get csvList.value where csvList.value equals ${test} [from previous tasks]

Get csvList.value where csvList.value equals test {}[from previous tasks]

Get csvList.value where csvList.value equals test [as value]

Get csvList.value where csvList.value equals ${test} [as value]

Inputs and outputs

Through integration context

Automatically extracted by sub-playbooks

From context data, if context is shared globally

${Files.[2].Name}

${Files.Name.[2]}

${File.[1].Name}

${File.Name.[1]}

2MB

3MB

1MB

5MB