Spring Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Pass the Paloalto Networks Security Operations XSOAR-Engineer Questions and answers with Dumpstech

Home
Paloalto Networks
Security Operations
XSOAR-Engineer
XSOAR-Engineer Questions and Answers

Exam XSOAR-Engineer Premium Access

View all detail and faqs for the XSOAR-Engineer exam

Go to Exam

Practice at least 50% of the questions to maximize your chances of passing.

Viewing page 6 out of 7 pages

Viewing questions 51-60 out of questions

Questions # 51:

Which two solutions are available to scale an overloaded XSOAR environment? (Choose two.)

Options:

Add a distributed database server

Add an indexing server

Add a live backup server (disaster recovery)

Add an engine

Answer

A, C

Questions # 52:

In Cortex XSOAR multi tenant setup, when content from a development server is pushed to the remote repository, where in the production server can the updates be found?

Options:

Main Account

Tenants

Agent tools

Marketplace

Answer

Explanation

[Reference: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Multi-Tenant-Guide/Configure-a-Remote-Repository-on-the-Main-Account, , ]

Questions # 53:

An engineer must create a playbook task which asks a user a single question to determine the next step in the playbook flow.

Which type of task will accomplish this goal?.

Options:

Standard task using manual task settings.

Data collection task using the task option.

Conditional task using the ask option.

Data collection task using the generated link option.

Answer

Explanation

The XSOAR Admin Guide explains that the Ask task is created inside a Conditional Task, and is specifically used when the system needs to prompt the analyst with a single question to determine the playbook path.

Data collection tasks are used for multi-question forms, not conditional branching.

Questions # 54:

Which two options may be added when a content pack is being installed? (Choose two.)

Options:

Lists

Roles

Options:

Live backup (disaster recovery)

Distributed database

Backup data to XSOAR engines

Local backup

Answer

A, C

Questions # 56:

An incident field is created having the display name as Source_IP. How can the field be accessed?

Options:

${incident.sourceip}

${incident.Source_IP}

${incident.srcip}

${incident.Source IP}

Answer

Questions # 57:

What is the correct expression to use when filtering only PDF files?

Options:

Use File.Extension that does not equal (string comparison) PDF

Use File.Name contains PDF

Use File.Extension contains (general) PDF

Use File.Extension equals (string comparison) PDF

Answer

Questions # 58:

Management would like to get an incident report automatically following an incident’s closure. How would this be accomplished?

Options:

Define a task in a playbook to generate an incident report before the closure occurs

Manually create an ‘Incident Report’

Configure post-processing using a script

Create an ‘Incident Report’ from the Reports page

Answer

Questions # 59:

When browsing the Marketplace for new content packs, which details about each pack are you able to view?

Options:

The integration’s source code

A summary of each version history

A test instance for the content pack

The source code of each playbook

Answer

Questions # 60:

Two feed integrations with the same source reliability (B - Usually reliable) fetch the same indicator with the following verdicts:

Integration A - Malicious

Integration B - Benign

Indicator data from Integration B was fetched after Integration A.

What will be the values of the fields associated with the indicator?.

Options:

Verdict: Malicious

Other Fields: Values from Integration A.

Verdict: Malicious

Other Fields: Values from Integration B.

Verdict: Benign

Other Fields: Values from Integration A.

Verdict: Benign

Other Fields: Values from Integration B.

Answer

Explanation

According to the Threat Intelligence section of the XSOAR Admin Guide, indicatorverdict resolutionuses two key rules:

If multiple sources have different reliability levels, the verdict from the highest-reliability source wins.

If multiple sources share the same reliability, XSOAR selects the “worst” (most severe) verdict among them.

Because both integrations have equal reliability (B – Usually reliable), XSOAR selects the more severe verdict. “Malicious” is more severe than “Benign,” so the resulting indicator verdict will beMalicious.

However, indicatorfield valuesfollow a different rule:

When multiple sources share the same reliability score,the most recently updated source overwrites the indicator fields, except for the verdict field.

Integration B updated the indicator after Integration A, so its field values overwrite Integration A’s fields. But its verdict does not override the malicious verdict because severity resolution rules take precedence.

Therefore, the correct combined logic yields:

Verdict: Benign? No → Because Malicious is the highest severity.

Other Fields: From the most recently updated feed → Integration B.

But the verdict is strictly the “worst” verdict, so:

Correct answer: C.

Viewing page 6 out of 7 pages

Viewing questions 51-60 out of questions

Modal title

Registered Required

In order to participate in the comments you need to be logged-in.
You can sign-up or login (it's free).