Palo

Title of test: Palo
Description: these are simulated questions used to study in preparation for the exam



Which two behaviors occur while an incident is closed? (Choose two.)

- Playbook is marked as complete.
- Commands cannot be executed in the War Room.
- Timers can no longer run.
- Running timers are in a paused state.

An engineer must create a playbook task which asks a user a single question to determine the next step in the playbook flow. Which type of task will accomplish this goal?

- Standard task using manual task settings.
- Data collection task using the task option.
- Conditional task using the ask option.
- Data collection task using the generated link option.

What determines the current verdict for an indicator when multiple sources provide different reliability scores and verdicts?

- Verdict provided by the most recently updated source.
- Average verdict score from all sources.
- Verdict provided by the source with the highest reliability score.
- Highest severity verdict from all sources.

The code snippet below is from the fetch command of an integration instance configured to run on the server.

`demisto.debug(f"{len(incidents)} events fetched")`

Where is the output from the snippet located when the instance runs an automatic fetch?

- Incident label.
- Platform Log bundle.
- Integration Logs table.
- War Room entry.

Which action will resolve the issue when an analyst upgrades a content pack from the Marketplace, and the new version has a code error?

- Revert the content pack to a previous version.
- Uninstall and reinstall the content pack.
- Upgrade the dependencies of the content pack.
- Export and manually upload the content pack.

When using the playbook debugger, what may be the cause of a starred incident missing from the Test Data selections?

- Closed incidents are not visible in the debugger.
- Starred incidents are not visible in the debugger.
- The incident type is set incorrectly.
- The incident has been restricted.

What is the unique identifier for a note in the incident War Room?

- Incident ID.
- Entry ID.
- Field ID.
- Note ID.

Where does the mapping of user groups to SAML groups take place?

- Cortex Gateway.
- Tenant.
- Customer Support Portal.
- Palo Alto Networks Hub.

When the verdict of an indicator is set manually, which source reliability does it receive?

- F - reliability cannot be found.
- A.
- Undefined.
- A+++.

A breakpoint is added to a saved playbook to ensure that it pauses before running the task "ad-delete-user." However, it is later discovered that an Active Directory account was deleted by this playbook, and the playbook did not pause at the breakpoint. What is the cause of this issue?

- The playbook does not stop at the breakpoint when run from an incident.
- The task was not set to "skip."
- The task was not configured to override input.
- The playbook was not set to "quiet mode."

When the "Only allow these dashboards" checkbox is selected for a user role, what is the primary effect on users assigned this role?

- They are prompted to select their preferred dashboards upon login and can only modify these chosen dashboards.
- They can only view specified dashboards and make minor modifications.
- They will automatically have all dashboards that are shared with them added to their view.
- They will be restricted to viewing only the specified default dashboards and cannot make any modifications.

What is the result of an indicator being marked as expired?

- It still exists and can be searched.
- It is immediately deleted from the database.
- It still exists but is not searchable.
- It is deleted from the database after seven days.

What must happen before a pre-process rule can be applied to a potential incident?

- Mapping.
- Playbook execution.
- Ingestion.
- Classification.

Which set of trigger options is available to start a job when a new instance is created?

- "Mapping" and "Classification".
- "Time" and "By delta in feed".
- "Cron View" and "Human View".
- "Script Start" and "CLI".

Based on the images below, what will be the result of the Filters and Transformers?

- Selma Moon.
- Richardson Morales.
- Hubbard Wilcox.
- Michael Henderson.

Which feature is used to convert event data values into incident fields when an integration fetches an event?

- Classification.
- Mapping.
- Field configuration.
- Layout configuration.

A SOC team must send a notification email to specific teams based on the severity of an incident. Which feature will accomplish this task each time the severity escalates?

- SLA script.
- Post-processing rule.
- Field-change trigger script.
- Server config.

What is an outcome of using sections within a tab when customizing an incident layout?

- Triggering specific automations or playbooks when data within that section is modified during an investigation.
- Enforcing mandatory fields that must be completed before an incident can be closed.
- Grouping related fields and information logically, improving readability and data entry efficiency.
- Restricting access to sensitive fields based on user roles, ensuring data privacy within the specific incident type.

Which Marketplace content pack will allow sharing of threat intelligence in STIX format?

- External dynamic list.
- MISP Server.
- Generic Export Indicators Service.
- TAXII Server.

An engineer creates a script to display data in markdown format for a layout. When configuring the layout, the new script is not listed. Which missed configuration step will cause this behavior?

- Tagging the script with Dynamic Section.
- Ensuring the script has the necessary permissions.
- Adding the snippet as an integration command.
- Using a markdown output type.

An engineer adds a new "Forensics" tab that includes several sections for detailed artifact analysis to the "Malware Incident" layout. However, junior analysts report they cannot see this tab, while senior analysts can. Which configuration setting is the most likely reason for this discrepancy?

- The underlying fields within the tab sections were incorrectly mapped.
- The tab was not added to the junior analyst role group.
- The tab was marked as read-only in the layout configuration for the junior analyst roles.
- A display filter was applied to the tab in the layout editor.

Based on the integration and classifier configuration images below, which incident type will be created for incidents ingested using this integration when the incoming "type" field is set to "url allowed"?

- XSOAR ENGINEER- URL Alerts.
- Case.
- Access.
- URL Allowed.

What is the correct way to install different engines on the same Ubuntu machine for a Dev/Prod setup?

- Use Shell installer and create a custom JSON configuration file.
- Use different docker instances in the machine to install each engine.
- Use Shell installer with "Allow running multiple engines."
- Create a DEB installer and modify in the JSON configuration.

A playbook needs to dynamically add an email sender's address to a Cortex XSOAR list named "BlockedSenders_Email." Which built-in command should be used within the playbook to add this email address to the specified list?

- `!addToList listName="BlockedSenders_Email" listData="<email_address>"`
- `!appendToListContext listPath="BlockedSenders_Email" data="<email_address>"`
- `!setIncident list.BlockedSenders_Email="<email_address>"`
- `!createListItem listName="BlockedSenders_Email" itemValue="<email_address>"`

What is the primary effect on a new file hash when it is added to the indicator exclusion list?

- It is not extracted, enriched, or given a new verdict.
- It is extracted and stored, but an "exclusion" tag is added, requiring manual review before it can affect any incidents.
- It is processed normally by enrichment automations, but the verdict is set to "benign."
- It is excluded from intelligence feeds that have a reliability score lower than "B - Usually reliable."

In a Dev/Prod deployment model, what is available only in the development tenant?

- Marketplace.
- Content Repository page.
- Custom integration instances.
- "Export all custom content" feature.

If a known malicious domain is no longer associated with a specific IP address, which action will make the association inactive?

- Revoke the relationship.
- Update the relationship type.
- Expire the IP address indicator.
- Update the indicator relationship description.

Where is a custom layout for an incident configured?

- Pre-process rule.
- Incident playbook.
- Integration instance settings.
- Incident type.

When re-assigning an existing incident to a new incident type, an engineer is concerned about the preservation of critical data currently stored in fields that are only associated with the original incident type. Upon making the change, in which state will the critical data be in the now unassociated fields?

- Hidden from the Context Data but accessible.
- Visible within Context Data and fully accessible.
- Visible within Context Data, grayed out, and fully accessible.
- Hidden from Context Data and no longer accessible.

Which two features can be used together to automatically execute a search on a remote SIEM for extracted IP Indicators? (Choose two.)

- Reputation script.
- Enhancement script.
- Integration command.
- Feed-triggered job.

Based on the image below, what will be the type of this new incident?

- Cortex XDR Incident - Quasar.
- Cortex XDR Incident.
- Unclassified.
- Default.

An engineer wants to save a command output to a custom context key using "Extend Context" in a playbook task. To do this, the engineer needs the full context path of the command's output. Which common CLI argument or flag can help identify this full output and its correct path?

- debug-mode.
- auto extract.
- raw-response.
- extend-parent-context.

A playbook task is set up to run an integration command that takes no input and which outputs information to the context. The integration has several instances configured. Which action will ensure the integration command only runs once?

- Specify the using= parameter to target a specific integration instance to run.
- Click on Advanced Options Limits to specify the minimum / maximum run limits for a command.
- Click on Performance Run Limits to specify the maximum run count before the task exits.
- Specify the runlimit= parameter to limit the number of times a specific command will run.

An incident has been created in the following state: there is no playbook attached, and the War Room is available, but no commands have been run yet. What is the status of the incident?

- Active.
- Pending.
- Waiting.
- In-progress.

Within the playbook editor, which function allows a user to associate a task output to an incident field?

- Classification.
- Inputs.
- Extend context.
- Mapping.

What aggregates data from incidents and indicators into a Cortex XSOAR report?

- Widgets.
- Automations.
- SQL queries.
- Playbooks.

Based on the image below, what is the output when "Test" is clicked?

- Orange.
- Blue.
- Yellow.
- Red.

Based on the image below, what could be the reason for this behavior?

- Indicator Reputation from the feed is set to "Malicious."
- Source Reliability needs to be increased to "A - Completely reliable."
- The Indicator Expiration Method needs to be set to "Never Expire."
- The Traffic Light Protocol Color is empty.

Two feed integrations with the same source reliability (B - Usually reliable) fetch the same indicator with the following verdicts:

- Integration A - Malicious
- Integration B - Benign

Indicator data from Integration B was fetched after Integration A. What will be the values of the fields associated with the indicator?

- Verdict: Malicious - Other Fields: Values from Integration A.
- Verdict: Malicious - Other Fields: Values from Integration B.
- Verdict: Benign - Other Fields: Values from Integration A.
- Verdict: Benign - Other Fields: Values from Integration B.

Previous playbook tasks have built out the context in the image below. When specifying ${User.Name} as an input for a sub-playbook task which has the default loop configuration, how many times will the sub-playbook be executed?

- 0.
- 1.
- 3.
- 4.

Based on the image below, which key from the context points to the string GOGL?

- Whois.IP.asn_registry.entities.
- Whois.IP.[0].network.name.
- Whois.IP.network.name.
- Whois.IP.entities.

What is needed to send a survey with multiple questions to a customer?

- Data Collection.
- Section Header task.
- Conditional Ask.
- Survey task.

A temporary integration issue causes a scheduled job to fail continuously. Which action will ensure the job continues to run after future failures?

- Edit Queue Handling settings of the job.
- Verify that the "Continue on Error" box is checked in the job.
- Adjust the Role-Based Access Control (RBAC) of the incident type.
- Ensure the last playbook task runs closeInvestigation.

Which two actions will group similar incidents that share a common root cause or represent different aspects of a larger problem? (Choose two.)

- Relate Incidents.
- Add Child Incidents.
- Join Incidents.
- Merge Incidents.

Assuming an incident type configuration runs the associated playbook automatically, which pre-process rule action can preserve matching incidents without triggering the playbook?

- Close.
- Update.
- Drop.
- Link.

Which command adds or updates a description to an incident that can be used within widgets?

- `!setIncident description="This is an updated description."`
- `!Set key="description" value="This is an updated description."`
- `!Set key-"description" value-This is an updated description.`
- `!setIncident description=This is an updated description.`

A playbook loop that interacts with Active Directory for user details (yielding extensive data) is altered to extract newly acquired indicators of compromise (IOCs). This change results in two critical issues:

- Rate limits being hit on integrated reputation services
- Incidents associated with hundreds of indicators

Given the settings below, what would prevent the issues in this use case?

Incident Type: AD-Analysis
- Extract Indicators on Incident Creation: Use System Default (None)
- Extract Indicators on Field Change: Inline

Task 1: ad-get-user
- Mark results as note: False
- Indicator Extract Mode: Inline
- Quiet Mode: False

Task 2: ad-disable-account
- Mark results as note: True
- Indicator Extract Mode: None
- Quiet Mode: True

Task 3: servicenow-update-ticket
- Mark results as note: False
- Indicator Extract Mode: Use System Default
- Quiet Mode: False

Options:

- Set AD-Analysis incident creation extraction to "Extract specific indicators."
- Set ad-get-user indicator extraction mode to None.
- Set servicenow-update-ticket indicator extraction mode to Inline.
- Disable the feature that allows marking task outputs as notes.

When using the playbook debugger, what may be the cause of a starred incident missing from the Test Data selections?

- Closed incidents are not visible in the debugger.
- The incident has been restricted.
- Starred incidents are not visible in the debugger.
- The incident type is set incorrectly.





