PCSAE Palo Alto Networks Certified Security Automation Engineer Questions and Answers

${Files.[2].Name}

${Files.Name.[2]}

${File.[1].Name}

${File.Name.[1]}

Standard task

Conditional task

Section Header task

Data Collection task

Manually directly from the War Room with the Actions drop-down

From the Notes section (mark as entry icon)

Manually from the playbook task (mark as entry icon)

Automatically from playbook tasks when the option is selected on the Advanced tab

By running the command !MarkAsEvidence

Get DBotScore.value where DBotScore.Score (Larger or equals) 4

Get DBotScore.value where DBotScore.Score (equals (int)) 3

Get DBotScore where DBotScore.Score (Larger than) 1

Get DBotScore where DBotScore.Score (Larger or equals) 2

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with no argument

Edit the incident layout to add a new button that calls the AssignToMeButton automation with argument assignBy={me}

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument owner={me}

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument assignBy=current

Define input key in the subplaybook task. Map context values to pull from parent playbook.

The output of the previous task automatically becomes the input of the subplaybook.

Map inputs and outputs to the parent playbook and the subplaybook will use the same values.

Open the subplaybook and add inputs or outputs in the Playbook triggered task.

The commands must return a proper result to the war room for the analysts to understand

The code may not be written to XSOAR standards

The integrations are locked and cannot be edited with additional commands

The custom integration will not be maintained and updated by XSOAR content team

In repetitive process flows to iterate for each playbook input

When continuously ingesting incidents from third-party systems

In repetitive process flows with no more than 10 loops

In repetitive processes that requires sub-playbook re-execution

Run the command !GetIndicatorsByQuery in CLI with its default arguments and export all indicators in the last 90 days.

SSH into the server and copy the indicator's database.

In the Threat Intel page, add query firstSeen:>="90 days ago", select All columns in Table View, and click Export to export as a CSV.

Run the command !findIndicators in CLI with the query firstSeen:>="90 days ago" and export to CSV.

Add a distributed database server

Add an indexing server

Add a live backup server (disaster recovery)

Add an engine

Create widget of type Line, check ‘Display Trend’ and define as 7 days ago

Create a custom widget using a new incident query

Create widget of type Number, check ‘Display Trend’ and define as 7 days ago

Create a custom widget using a script

30 days

14 days

7 days

60 days

Create a new indicator type and disable the built-in IP indicator

Edit the regex of the default IP Indicator

Add a new server configuration key that will overwrite the default regex of the IP indicator

Delete the default IP indicator

Populate the custom indicator field with the built-in !SetIndicator command.

Add HTML to a list using !setList and use it as an HTML template to populate the custom indicator field.

Create a custom Indicator Mapper and populate the custom indicator field.

Use the Mapping option in the playbook task that generates the HTML report to populate the custom indicator field.

Multi-region

Dev-Prod

Multi-tenant

Distributed database

Submit content directly through feature requests

Private GitHub repository submission for premium content

A Github pull request on the public XSOAR Content Repository

Using the marketplace interface to upload the content

Using the content submission tool on live.paloaltonetworks.com

Work Plan

Related Incidents

War Room

Context Data

Customer supported

Contex XSOAR supported

Community supported

Partner supported

Prisma Cloud supported

Data that is not mapped is placed under labels

Only text fields are classified

Classification cannot be used if mapping is enabled

Every incoming field must be mapped