XSOAR-Engineer Palo Alto Networks XSOAR Engineer Questions and Answers

Python

Go

JavaScript

Perl

/var/lib/demisto

/tmp/log/demisto

/usr/local/demisto

/var/log/demisto

Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.

Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are shared with other commands and must be present for each command.

Parameters are local variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.

Parameters are global variables which means that every command can use these configurable options in order to run. Arguments are specific to only one command.

A content repository specified in the Marketplace

Remote git repository specified in the dev-prod configuration parameters

The development server's default repository

Cortex XSOAR public content repository

Indicators

Incidents

Reports

Fields

Hidden from the Context Data but accessible.

Visible within Context Data and fully accessible.

Visible with Context Data, grayed out, and fully accessible.

Hidden from Context Data and no longer accessible.

The administrator will receive a notification that there is both a Classifier and Incident Type set for that integration instance.

The Incident Type will be ignored, and incoming incidents will be classified according to the Classifier.

The Classifier will be ignored, and incoming incidents will be classified according to the Incident Type.

Both the Classifier and Incident Type will classify incoming incidents.

Remote repository based content sharing

UI based content import/export button

Copy the content backup from one environment file system (/var/lib/demisto/backup/content- backup-*) and move it to the other environment

Download the content items separately and upload them to the other environment

Just after the incident is created

Just after the pre-processing is executed

Just after the playbook is executed

Just after the Close Incident button is clicked

Playbook

Classification and mapping

Incident type

Pre-processing

Mark ignore output = true

Use extend-context

Use raw-response = save

Mark ignore input = true

created:>=”7 days”

owner===admin

role is Analyst

status:closed –category:job

Navigate to SettingsView the configured integrations and select Active Directory AuthenticationDelete all integration instances and add all integration instances again

Navigate to MarketplaceView the installed content pack and select Active Directory content packSelect version 1.4.6 and click on "Revert to this version"

Navigate to SettingsView the configured integrations and select Active Directory QueryDelete all integration instances and add all integration instances again

Navigate to MarketplaceView the installed content pack and select Active Directory content packClick on uninstall content packNavigate to Marketplace browser and reinstall the Active Directory content pack

Use a field trigger script

Use a field display script

Create a job that queries for incident severity changes

Change the SLA manually every time the severity changes

Populate the custom indicator field with the built-in !SetIndicator command.

Add HTML to a list using !setList and use it as an HTML template to populate the custom indicator field.

Create a custom Indicator Mapper and populate the custom indicator field.

Use the Mapping option in the playbook task that generates the HTML report to populate the custom indicator field.

Closed incidents are not visible in the debugger.

Starred incidents are not visible in the debugger.

The incident type is set incorrectly.

The incident has been restricted.

It is not extracted, enriched, or given a new verdict.

It is extracted and stored, but an "exclusion" tag is added, requiring manual review before it can affect any incidents.

It is processed normally by enrichment automations, but the verdict is set to "benign.".

It is excluded from intelligence feeds that have a reliability score lower than "B - Usually reliable.".

Multi-region

Dev-Prod

Multi-tenant

Distributed database

Inputs and outputs

Through integration context

Automatically extracted by sub-playbooks

From context data, if context is shared globally

To visualize server configuration keys

To visualize XSOAR list data

To visualize complex incident data calculations

To visualize context data

To visualize a custom query

Manually directly from the War Room with the Actions drop-down

From the Notes section (mark as entry icon)

Manually from the playbook task (mark as entry icon)

Automatically from playbook tasks when the option is selected on the Advanced tab

By running the command !MarkAsEvidence

Use a field of Number to count the number of seconds elapsed between two tasks

After the playbook has run, calculate the total time taken and set the timer field with this value

To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation stopTimer

From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on

To highlight different paths in a playbook

To generate new widgets for a dashboard

To create an incident or escalate an existing incident

To automate tasks such as parsing a file or enriching indicators

Create a custom indicator field named ‘username’ and link it to the internal system indicator

Change the reputation command for the internal system indicator type

Create a new indicator type of the internal username and set a formatting script to extract only theusername

Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning

Planning > Incident Ingestion > Incident Creation > Mapping and Classification > Pre-processing > Playbook runs > Post-processing

Planning > Incident Ingestion > Pre-processing > Incident Creation > Mapping and Classification > Playbook runs > Post-processing

Planning > Incident Ingestion > Pre-processing > Mapping and Classification > Incident Creation > Playbook runs > Post-processing

Planning > Incident Ingestion > Mapping and Classification > Pre-processing > Incident Creation > Playbook runs > Post-processing

They are used for branching paths in a playbook

They are used to interact with users through survey functionality

They are used to determine which incident will be executed

They are used for sending a specific QUESTION NO: to a person or team

Use Shell installer and create a custom JSON configuration file.

Use different docker instances in the machine to install each engine.

Use Shell installer with "Allow running multiple engines.".

Create a DEB installer and modify in the JSON configuration.

Contains/Includes

Equals/Matches

In/In list

Is defined/Exist

Inline

Inband

None

Out of band

Closed incidents are not visible in the debugger.

The incident has been restricted.

Starred incidents are not visible in the debugger.

The incident type is set incorrectly.

Marketplace access

Application with API

Private key/Public key integration

Multitenant deployment

Standard (Manual)

Conditional

Section header

Standard (Automated)

30 days

14 days

7 days

60 days

An automation script cannot execute an integration command and an integration command cannot execute an automation script

An automation script can execute an integration command and an integration command cannot execute an automation script

An automation script cannot execute an integration command and an integration command can execute an automation script

An automation script can execute an integration command and an integration command can execute an automation script

Create widget of type Line, check ‘Display Trend’ and define as 7 days ago

Create a custom widget using a new incident query

Create widget of type Number, check ‘Display Trend’ and define as 7 days ago

Create a custom widget using a script

Pre-process rule.

Incident playbook.

Integration instance settings.

Incident type.

setFields

Field mapping

setIncident

Layout inline editing

The underlying fields within the tab sections was incorrectly mapped.

The tab was not added to the junior analyst role group.

The tab was marked as read-only in the layout configuration for the junior analyst roles.

A display filter was applied to the tab in the layout editor.

Specify the using- parameter to target a specific integration instance to run.

Click on Advanced Options → Limits to specify the minimum / maximum run limits for a command.

Click on Performance → Run Limits to specify the maximum run count before the task exits.

Specify the runlimit= parameter to limit the number of times a specific command will run.

Data that is not mapped is placed under labels

Only text fields are classified

Classification cannot be used if mapping is enabled

Every incoming field must be mapped

${incident.usermail}

${incident.User Mail}

${incident.UserMail}

${usermail}

OTP token

User name and password

SAML

Active Directory authentication

RADIUS

Selma Moon.

Richardson Morales.

Hubbard Wilcox.

Michael Henderson.

!incidentSet description="Confirmed Phishing"

/incidentSet description=Confirmed Phishing

!setIncident description="Confirmed Phishing"

/setIncident description=Confirmed Phishing

Set AD-Analysis incident creation extraction to "Extract specific indicators.”

Set ad-get-user indicator extraction mode to None.

Set servicenow-update-ticket indicator extraction mode to Inline.

Disable the feature that allows marking task outputs as notes.

Cron job

Time triggered job

Feed triggered job

REST API job

!ip

!getReputation

!reputation

!enrichIndicator

Work Plan

Related Incidents

War Room

Context Data

XSOAR D2 Agents, to send the required emails.

An XSOAR engine that is downloaded from the XSOAR server and installed within the subsidiary.

Another XSOAR server that uses the same license as their primary XSOAR server.

A Linux server connected with an XSOAR server using SSH integration. Commands can be run remotely to access the mail server.

Users defined in the platform (email or username)

Other organizations via the Marketplace

Users outside XSOAR via email invite

Roles defined in the platform

Classification and Mapping

Playbook Tasks

Evidence Fields

Incident Fields

Layouts override classification and mapping

New tabs can be added to the incident layout

Layouts can display incident information and custom fields

Layouts add or remove custom fields from an incident type

Section headers

Rows

Canvas

Cards

10,080 minutes (7 days)

20,160 minutes (14 days)

21,600 minutes (15 days)

4,320 minutes (3 days)

2MB

3MB

1MB

5MB

Cortex XDR Incident - Quasar.

Cortex XDR Incident.

Unclassified.

Default.