New Year Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = simple70

Pass the Paloalto Networks Security Operations XSOAR-Engineer Questions and answers with Dumpstech

Home
Paloalto Networks
Security Operations
XSOAR-Engineer
XSOAR-Engineer Questions and Answers

Exam XSOAR-Engineer Premium Access

View all detail and faqs for the XSOAR-Engineer exam

Go to Exam

Practice at least 50% of the questions to maximize your chances of passing.

Viewing page 1 out of 7 pages

Viewing questions 1-10 out of questions

Questions # 1:

Which Marketplace content pack will allow sharing of threat intelligence in STIX format?.

Options:

External dynamic list.

MISP Server.

Generic Export Indicators Service.

TAXII Server.

Answer

Explanation

STIX/TAXII are industry-standard protocols for structured threat intelligence exchange. According to the Threat Intelligence section of the XSOAR documentation, TAXII servers and clients provide automated bidirectional sharing using STIX objects, supporting both ingestion and distribution of indicators, observables, relationships, and threat objects.

The TAXII Server content pack specifically enables an organization to expose its threat intelligence via a TAXII 2.0/2.1 compliant endpoint, where the transmitted data is formatted as STIX, making it the correct choice for sharing structured intelligence externally.

The Generic Export Indicators Service pack supports indicator export, but not in STIX format—it exports simple CSV, JSON, or list-based formats. MISP Server supports STIX ingestion and export but is considered a MISP-specific implementation and not the generic STIX distribution mechanism expected in the question. External dynamic lists are not related to STIX or TAXII at all.

Thus, the correct answer is D, as only the TAXII Server pack is designed explicitly for STIX-formatted intelligence sharing.

Questions # 2:

An organization has recently acquired another company as its subsidiary. The subsidiary has its infrastructure on AWS cloud as illustrated in the image below:

Question # 2

The organization wants to use the mail server location on the subsidiary's cloud to send emails. Without acquiring additional licenses, which XSOAR component can fulfill the requirement?

Options:

XSOAR D2 Agents, to send the required emails.

An XSOAR engine that is downloaded from the XSOAR server and installed within the subsidiary.

Another XSOAR server that uses the same license as their primary XSOAR server.

A Linux server connected with an XSOAR server using SSH integration. Commands can be run remotely to access the mail server.

Answer

Questions # 3:

Where would you look to find a personalized view of your own incidents and tasks?

Options:

Incident Summary View

My Incidents

My Threat Landscape

My Dashboard

Answer

Questions # 4:

An engineer is developing a playbook that will be run multiple times for testing purposes. What is the recommended first task to be used in the playbook?

Options:

DeleteContext

GenerateTest

PrintContext

SetContext

Answer

Explanation

[Reference: https://xsoar.pan.dev/docs/integrations/test-playbooks, , ]

Questions # 5:

An XSOAR Engineer has developed a playbook and would like to contribute it to the XSOAR Marketplace to share with other users.

Which two options are available to the Engineer for contributing to the Marketplace? (Choose two.)

Options:

Open a ticket with the XSOAR support team

Create a pull request directly on Github

Contribute through the XSOAR UI

Send an email to contributions@xsoar.com

Answer

B, C

Questions # 6:

Which two advanced attributes can be applied to incident fields when editing? (Choose two.)

Options:

Set a field trigger script

Associate to an incident type

Change field type

Change field name

Answer

A, B

Explanation

[Reference: https://docs.servicenow.com/bundle/quebec-it-service-management/page/product/incident- management/reference/incident-management-properties.html, , ]

Questions # 7:

Which configuration is a valid distributed database (DB) implementation?

Options:

2 main DBs, 1 application server, 2 node servers

1 main DB, 1 application server, 3 node servers

2 application servers, 1 main DB, 1 node server

1 application server, 2 main DBs, 1 node server

Answer

Questions # 8:

Which two behaviors occur while an incident is closed? (Choose two.).

Options:

Playbook is marked as complete.

Commands cannot be executed in the War Room.

Timers can no longer run.

Running timers are in a paused state.

Answer

A, C

Explanation

The XSOAR Timers/SLA documentation states that when an incident reaches the Closed state, all timers automatically stop and cannot continue unless manually reset. Timers do not pause — they terminate.

Additionally, when an incident is closed, its associated playbook completes, because closure marks the end of the investigation lifecycle.

Questions # 9:

When uploading content, which two options could the upload include? (Choose two.)

Options:

Indicators

Incidents

Reports

Fields

Answer

A, B

Questions # 10:

What are inputs and outputs in reference to a Playbook Development Lifecycle? (Choose three.)

Options:

Inputs are data pieces that are present in the playbook

Inputs are data pieces that are present in the task

Outputs are used as incident trigger for playbook

Outputs can be derived from the result of a task or command

Inputs are the data fields parsed by the Classifier

Answer

A, D, E

Viewing page 1 out of 7 pages

Viewing questions 1-10 out of questions

Modal title

Registered Required

In order to participate in the comments you need to be logged-in.
You can sign-up or login (it's free).