PCSAE Palo Alto Networks Certified Security Automation Engineer Questions and Answers

To visualize server configuration keys

To visualize XSOAR list data

To visualize complex incident data calculations

To visualize context data

To visualize a custom query

Add the playbook to the integration’s settings

Select ‘Run playbook automatically’ from the incident type settings

Add the !startinvestigation automation to the beginning of the playbook

Select ‘Run playbook automatically’ from the integration settings

Run Command, Export, and Close and Delete for all selected incidents regardless of their status

Assign, Edit, and Mark as Duplicate for all selected incidents regardless of their status

Run Command for all selected incidents having Active status

Export incidents as JSON and change incident status

Create a custom playbook that sends an email each time the fetch fails.

Create a new integration that monitors the incident fetch and sends an email if the fetch fails.

Schedule a job that runs and monitors incidents in XSOAR that will send an email if there are no new incidents.

Add a server config to notify when incident fetch fails.

Indicators

Incidents

Reports

Fields

Cron job

Time triggered job

Feed triggered job

REST API job

Lists

Jobs

Pre-processing rules

Exclusion List

The integration commands in a playbook can no longer be used

The integration commands can be used, but it is recommended to update to the latest content pack

The configuration settings will be lost and the integration will no longer function

The integration commands in a playbook can be used, but it will fail at runtime

Allows reverting back to a previous version of a content pack

Enables users to participate in the community by sharing content

Publishes content without additional review from the Cortex XSOAR team

Allows uploading of content in additional languages

Offers granularity in installation through content packs

They are used for branching paths in a playbook

They are used to interact with users through survey functionality

They are used to determine which incident will be executed

They are used for sending a specific QUESTION NO: to a person or team

Data that is not mapped is placed under labels

Only text fields are classified

Classification cannot be used if mapping is enabled

Every incoming field must be mapped

Set of fields to present

Permission to view the tab based on ‘Users’

Permission to view the tab based on ‘Roles’

Delete built-in tabs including the war room

Dynamic sections

Settings > Object Setup > Incidents > Layouts

Settings > Integrations > Instance configuration

Settings > Object Setup > Indicators > Layouts

Settings > Advanced > Incident Layouts

1E56733826E5035233A097FCEA2046AF96EC616C

E6EF5142E2553C1E442A0FFAC07636EAC61E6EDD

8D193FA162A305E4859BA8C45F5121F7265E3ABB

e6ef5142e2553c1e442a0ffac07636eac61e6edd

Live backup

Engine

Distributed database

Local backup

Retrieve widget chart based on script

Related incidents

War room entries picked by entry query

Incident team members

Short Text

HTML

Long Text

Markdown

Read/Write from context data

Over war room results

Input from the indicator page

Directly from a previous task

A content repository specified in the Marketplace

Remote git repository specified in the dev-prod configuration parameters

The development server ' s default repository

Cortex XSOAR public content repository

Set a field trigger script

Associate to an incident type

Change field type

Change field name

Define input key in the subplaybook task. Map context values to pull from parent playbook.

The output of the previous task automatically becomes the input of the subplaybook.

Map inputs and outputs to the parent playbook and the subplaybook will use the same values.

Open the subplaybook and add inputs or outputs in the Playbook triggered task.

Use a field of Number to count the number of seconds elapsed between two tasks

After the playbook has run, calculate the total time taken and set the timer field with this value

To begin counting time taken, add a task in the playbook with automation startTimer. To end the counting, add a task with automation stopTimer

From the Timers tab of the playbook task, choose the action for the timer and the timer field to perform the action on

Distributed database

D2 agent

Engine

Load balancing server

-status:closed -category:job type:Phishing created: > = " 30 days ago "

status:closed -category:job & type:Phishing created: > = " 30 days ago "

-status:closed -category:job & type:Phishing created: < = " 30 days ago "

-status:closed -category:job type:Phishing created:= " 30 days ago "

Remote repository based content sharing

UI based content import/export button

Copy the content backup from one environment file system (/var/lib/demisto/backup/content- backup-*) and move it to the other environment

Download the content items separately and upload them to the other environment

The commands must return a proper result to the war room for the analysts to understand

The code may not be written to XSOAR standards

The integrations are locked and cannot be edited with additional commands

The custom integration will not be maintained and updated by XSOAR content team

Run an automation script in the Playground to remove usernames from the incident.

Create a pre-processing rule that runs an automation script to remove usernames from the incident as it comes into XSOAR.

Run an automation script on the XSOAR server to remove usernames from the incident.

Create a playbook task to remove the usernames from the incident.

Add a distributed database server

Add an indexing server

Add a live backup server (disaster recovery)

Add an engine

Min, Max, Count, Average, Custom Transformers

Min, Max, Count, Average, Custom Group By

Count, Average, Sum, Min, Max

Count, Sum, Min, Max, Transformers

Define the Incident Fetch Interval when running the integration’s commands.

Duplicate the integration. Edit the resulting copy and add incidentFetchInterval as a parameter. Save the integration. Configure the new integration instance with the interval required.

Configure the application to send incidents on the required interval.

Duplicate the integration. Add the interval in the code. Save the integration and Configure the new integration instance with the interval required.

type:File reputation:Malicious sourcetimestamp: " 30 days ago "

type:File verdict:Malicious sourcetimestamp: < = " 30 days ago "

type:File reputation:Malicious sourcetimestamp:= " 30 days ago "

type:File verdict:Malicious sourcetimestamp: > = " 30 days ago "

Engine

Integration

War room

Playbook

Only users with a valid Github account

Any user who has signed up through the dev portal

Any user who has a live.paloaltonetworks.com account

All users with the correct XSOAR Role and Permissions

Playbooks

Classification

Mapping

Layouts

Download the content from the Marketplace.

Go to Settings > About > Troubleshooting and set a flag to allow custom content.

Register a user account with support.paloaltonetworks.com .

Detach the content item you want to edit from the Marketplace.

Multi-region

Dev-Prod

Multi-tenant

Distributed database

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with no argument

Edit the incident layout to add a new button that calls the AssignToMeButton automation with argument assignBy={me}

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument owner={me}

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument assignBy=current

created: > =”7 days”

owner===admin

role is Analyst

status:closed –category:job

Indicators and relationships

Timeline information

Evidence Board

Context data

Incident severity

In repetitive process flows to iterate for each playbook input

When continuously ingesting incidents from third-party systems

In repetitive process flows with no more than 10 loops

In repetitive processes that requires sub-playbook re-execution

HTML

Grid (table)

Markdown

Multi Select

When creating incidents from the XSOAR REST API

When manually creating an incident from the UI

When adding a new analyst account to XSOAR

When fetching many different incident types from a single mailbox