PCSAE : Palo Alto Networks Certified Security Automation Engineer : Part 03

  1. What are the possible war room result (entry) types?

    • Context, file, error, image
    • Note, indicator, error, image
    • Video, file, error, image
    • Note, file, error, image
  2. An engineer asked for a specific command in an integration, but the capability does not exist. The engineer decided to edit the existing integration by copying it and adding the needed commands.

    What is the main concern when adding these commands?

    • The commands must return a proper result to the war room for the analysts to understand
    • The code may not be written to XSOAR standards
    • The integrations are locked and cannot be edited with additional commands
    • The custom integration will not be maintained and updated by XSOAR content team
  3. How is data transferred between playbook tasks?

    • Read/Write from context data
    • Over war room results
    • Input from the indicator page
    • Directly from a previous task
  4. A large number of incidents were deleted by mistake.

    Which two architecture components can be used to recover the lost data? (Choose two.)

    • Live backup
    • Engine
    • Distributed database
    • Local backup

    Explanation:

    Reference:

    https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-and-live-backup/disaster-recovery-and-backup-overview.html

  5. Which two statements accurately describe layouts? (Choose two.)

    • Layouts override classification and mapping
    • New tabs can be added to the incident layout
    • Layouts can display incident information and custom fields
    • Layouts add or remove custom fields from an incident type
  6. An engineer’s organization registers systems using the following naming format: <SiteName-SystemID-Username>. The engineer created a new indicator type that detects these systems using a regex. The engineer would now like the username to be created automatically as a separate ‘User’ indicator once a system is found.

    What is the most efficient way for the engineer to achieve this?

    • Create a custom indicator field named ‘username’ and link it to the internal system indicator
    • Change the reputation command for the internal system indicator type
    • Create a new indicator type of the internal username and set a formatting script to extract only the username
    • Create a new indicator type of the internal username and have the regex included on any string that has a dash at the beginning
    Explanation:
    Reference:
    https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-threat-intel-management-guide/manage-indicators/understand-indicators/indicator-types/indicator-type-profile
  7. Which two options are the most effective for moving content between two environments? (Choose two.)

    • Remote repository based content sharing
    • UI based content import/export button
    • Copy the content backup from one environment file system (/var/lib/demisto/backup/content-backup-*) and move it to the other environment
    • Download the content items separately and upload them to the other environment
    Explanation:
    Reference:
    https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/migrate-data-to-another-server-for-multi-tenant.html
  8. Which three options can be defined in the layout settings? (Choose three.)

    • Set of fields to present
    • Permission to view the tab based on ‘Users’
    • Permission to view the tab based on ‘Roles’
    • Delete built-in tabs including the war room
    • Dynamic sections
    Explanation:
    Reference:
    https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/incidents/customize-incident-view-layouts/customize-incident-layouts.html
  9. What can be used as integration parameters?

    • URL, API key, port
    • URL, certificate, image
    • Token, query, playbook
    • User-password, csv file, query
  10. Which two features does XSOAR offer to help recover from a server failure? (Choose two.)

    • Live backup (disaster recovery)
    • Distributed database
    • Backup data to XSOAR engines
    • Local backup
  11. When uploading content, which two options could the upload include? (Choose two.)

    • Indicators
    • Incidents
    • Reports
    • Fields
  12. An engineer defined a dashboard that displays important metrics. The engineer would like to make this dashboard the default dashboard.

    How can it be accomplished?

    • Default Dashboard can be defined by ‘Role’
    • Use the server configuration key: default.dashboards
    • Save the dashboard as a widget and apply it to all users
    • Right click on the dashboard tab and ‘Set as Default’
    Explanation:
    Reference:
    https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-prevent-admin/monitoring/cortex-xdr-dashboard/manage-dashboards.html
  13. How would context data be filtered to return only the values of indicators that DBotScore marks as malicious?

    • Get DBotScore.value where DBotScore.Score (Larger or equals) 4
    • Get DBotScore.value where DBotScore.Score (equals (int)) 3
    • Get DBotScore where DBotScore.Score (Larger than) 1
    • Get DBotScore where DBotScore.Score (Larger or equals) 2
    Explanation:
    Reference: https://github.com/demisto/content/blob/master//Packs/DeprecatedContent/Integrations/PaloAlto_MineMeld/README.md
  14. Can an automation script execute an integration command and an integration command execute an automation script?

    • An automation script cannot execute an integration command and an integration command cannot execute an automation script
    • An automation script can execute an integration command and an integration command cannot execute an automation script
    • An automation script cannot execute an integration command and an integration command can execute an automation script
    • An automation script can execute an integration command and an integration command can execute an automation script
  15. Which two options will troubleshoot an integration’s fetch incidents command? (Choose two.)

    • In the instance settings, enable the fetch incidents parameter and wait for one minute
    • Create a one task playbook with a fetch-incident command
    • execute !<integration_instance_name>-fetch
    • execute !<integration_name>-fetch
    Explanation:
    Reference:
    https://xsoar.pan.dev/docs/integrations/fetching-incidents
  16. DRAG DROP

    Match the corresponding action with the appropriate playbook tasks.

    PCSAE Palo Alto Networks Certified Security Automation Engineer Part 03 Q16 005 Question (image)
    PCSAE Palo Alto Networks Certified Security Automation Engineer Part 03 Q16 005 Answer (image)

    Explanation:
    Reference:
    https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-admin/playbooks/playbooks-overview.html
  17. Incidents need to be filtered by all of the following criteria:

    1. Status – Pending
    2. Exclude Category – Job
    3. Severity – High
    4. Owner – None (No owner assigned)
    5. Type – Phishing
    6. Email Subject – “You have won a million dollars”

    What is the correct query syntax for the above incident search filter?

    • status=="Pending" && category!="job" && severity=="High" && owner=="None" && type=="Phishing" && emailsubject=="You have won a million dollars"
    • Status:Pending and -Category:job and Severity:High and Owner:"" and Type:Phishing and Email Subject:You have won a million dollars
    • status:Pending and -category:job and severity:High and owner:"" and type:Phishing and emailsubject:"You have won a million dollars"
    • status:Pending or -category:job or severity:High or owner:"" or type:Phishing or emailsubject:"You have won a million dollars"
    Explanation:
    Reference:
    https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-admin/cortex-xsoar-overview/how-to-search-in-cortex-xsoar.html#idcd7fe505-c1c1-42f5-a698-08b5710196d3
  18. What does Script helper contain?

    • Available commands
    • Permission settings
    • Automation version history
    • Automation timeout configuration
    Explanation:
    Reference:
    https://xsoar.pan.dev/docs/concepts/xsoar-ide
  19. When mapping incoming data to incident fields, which statement is correct?

    • Data that is not mapped is placed under labels
    • Only text fields are classified
    • Classification cannot be used if mapping is enabled
    • Every incoming field must be mapped
    Explanation:
    Reference:
    https://xsoar.pan.dev/docs/incidents/incident-classification-mapping
  20. Which two situations would an engineer consider when configuring classification and mapping for an incident type? (Choose two.)

    • When creating incidents from the XSOAR REST API
    • When manually creating an incident from the UI
    • When adding a new analyst account to XSOAR
    • When fetching many different incident types from a single mailbox