XSOAR-ENGINEER Exam Questions
58 real XSOAR-ENGINEER exam questions with expert-verified answers and explanations. Page 1 of 2.
- Question #1
A breakpoint is added to a saved playbook to ensure that it pauses before running the task "ad-delete-user." However, it is later discovered that an Active Directory account was d...
- Question #2
What is the result of an indicator being marked as expired?
- Question #3
When the "Only allow these dashboards" checkbox is selected for a user role, what is the primary effect on users assigned this role?
- Question #4
What must happen before a pre-process rule can be applied to a potential incident?
- Question #5
Which set of trigger options is available to start a job when a new instance is created?
- Question #6
Based on the images below, what will be the result of the Filters and Transformers?
- Question #7
Which feature is used to convert event data values into incident fields when an integration fetches an event?
- Question #8
A SOC team must send a notification email to specific teams based on the severity of an incident. Which feature will accomplish this task each time the severity escalates?
- Question #9
What is an outcome of using sections within a tab when customizing an incident layout?
- Question #10
Which Marketplace content pack will allow sharing of threat intelligence in STIX format?
- Question #11
An engineer creates a script to display data in markdown format for a layout. When configuring the layout, the new script is not listed. Which missed configuration step will cause...
- Question #12
An engineer adds a new "Forensics" tab that includes several sections for detailed artifact analysis to the "Malware Incident" layout. However, junior analysts report they cannot s...
- Question #13
Based on the integration and classifier configuration images below, which incident type will be created for incidents ingested using this integration when the incoming "type" field...
- Question #14
What is the correct way to install different engines on the same Ubuntu machine for a Dev/Prod setup?
- Question #15
Which Cortex XSOAR built-in command directly updates an incident's core properties, such as severity or status?
- Question #17
A playbook needs to dynamically add an email sender's address to a Cortex XSOAR list named "BlockedSenders_Email." Which built-in command should be used within the playbook to add...
- Question #18
What is the primary effect on a new file hash when it is added to the indicator exclusion list?
- Question #19
In a Dev/Prod deployment model, what is available only in the development tenant?
- Question #20
If a known malicious domain is no longer associated with a specific IP address, which action will make the association inactive?
- Question #21
Where is a custom layout for an incident configured?
- Question #22
When re-assigning an existing incident to a new incident type, an engineer is concerned about the preservation of critical data currently stored in fields that are only associated...
- Question #23
Which two features can be used together to automatically execute a search on a remote SIEM for extracted IP Indicators? (Choose two.)
- Question #24
Based on the image below, what will be the type of this new incident?
- Question #25
An engineer wants to save a command output to a custom context key using "Extend Context" in a playbook task. To do this, the engineer needs the full context path of the command's...
- Question #26
A playbook task is set up to run an integration command that takes no input and which outputs information to the context. The integration has several instances configured. Which ac...
- Question #27
An incident has been created in the following state: - There is no playbook attached. - The War Room is available, but no commands have been run yet. What is the status of the inci...
- Question #28
Within the playbook editor, which function allows a user to associate a task output to an incident field?
- Question #29
What aggregates data from incidents and indicators into a Cortex XSOAR report?
- Question #30
Based on the image below, what is the output when "Test" is clicked?
- Question #31
A feed has the highest configured reliability; however, even when it sets an indicator as suspicious or benign, it has a different final verdict in Cortex XSOAR. Based on the image...
- Question #32
Two feed integrations with the same source reliability (B - Usually reliable) fetch the same indicator with the following verdicts: - Integration A - Malicious - Integration B - Be...
- Question #33
Previous playbook tasks have built out the context in the image below. When specifying ${User.Name} as an input for a sub playbook task which has the default loop configuration, ho...
- Question #34
Based on the image below, which key from the context points to the string GOGL?
- Question #35
What is needed to send a survey with multiple questions to a customer?
- Question #36
A temporary integration issue causes a scheduled job to fail continuously. Which action will ensure the job continues to run after future failures?
- Question #37
Which two actions will group similar incidents that share a common root cause or represent different aspects of a larger problem? (Choose two.)
- Question #38
Assuming an incident type configuration runs the associated playbook automatically, which pre-process rule action can preserve matching incidents without triggering the playbook?
- Question #39
Which command adds or updates a description to an incident that can be used within widgets?
- Question #40
A playbook loop that interacts with Active Directory for user details (yielding extensive data) is altered to extract newly acquired indicators of compromise (IOCs). This change re...
- Question #41
Which two behaviors occur while an incident is closed? (Choose two.)
- Question #42
An engineer must create a playbook task which asks a user a single question to determine the next step in the playbook flow. Which type of task will accomplish this goal?
- Question #43
What determines the current verdict for an indicator when multiple sources provide different reliability scores and verdicts?
- Question #44
The code snippet below is from the fetch command of an integration instance configured to run on the server. demisto.debug(f"{len(incidents)} events fetched") Where is the output f...
- Question #46
Which action will resolve the issue when an analyst upgrades a content pack from the Marketplace, and the new version has a code error?
- Question #47
When using the playbook debugger, what may be the cause of a starred incident missing from the Test Data selections?
- Question #48
What is the unique identifier for a note in the incident War Room?
- Question #49
Where does the mapping of user groups to SAML groups take place?
- Question #50
When the verdict of an indicator is set manually, which source reliability does it receive?
- Question #51
When planning a Cortex XSOAR engine deployment, which factor is most important?
- Question #52
Which two tasks are essential when planning a dev/prod XSOAR deployment? (Choose two.)