XSOAR-Engineer Palo Alto Networks XSOAR Engineer Questions and Answers

The XSOAR Incident State Model defines several system statuses: Pending, Active, In-Progress, Done, and Closed. When an incident is newly created and has not yet had a playbook assigned or started—and no analyst actions (such as commands or work plan steps) have been taken—it remains in the Pending state.

Pending indicates that the incident exists in the system but has not yet begun active investigation or automated processing. The Admin Guide clarifies that an incident becomes Active only when a playbook starts or an analyst interacts with it. In-Progress is a manually applied user state indicating active human processing. Waiting is used for blocked or paused tasks but does not apply at initial creation.

Because the War Room is available but unused, and no automation has begun, the incident fits the definition of Pending exactly. Once a playbook were attached or a command were executed, the state would transition to Active.

Therefore, the documented correct answer is B: Pending.

According to the Threat Intelligence section of the XSOAR Admin Guide, indicatorverdict resolutionuses two key rules:

If multiple sources have different reliability levels, the verdict from the highest-reliability source wins.

If multiple sources share the same reliability, XSOAR selects the “worst” (most severe) verdict among them.

Because both integrations have equal reliability (B – Usually reliable), XSOAR selects the more severe verdict. “Malicious” is more severe than “Benign,” so the resulting indicator verdict will beMalicious.

However, indicatorfield valuesfollow a different rule:

When multiple sources share the same reliability score,the most recently updated source overwrites the indicator fields, except for the verdict field.

Integration B updated the indicator after Integration A, so its field values overwrite Integration A’s fields. But its verdict does not override the malicious verdict because severity resolution rules take precedence.

Therefore, the correct combined logic yields:

Verdict: Benign? No → Because Malicious is the highest severity.

Other Fields: From the most recently updated feed → Integration B.

But the verdict is strictly the “worst” verdict, so:

Correct answer: C.

This filter will be used to check if the automation returned results, as it checks to see if the output variable called csvReport is defined and exists. If it is, then the automation returned results.

The XSOAR Playbook Debugger documentation states that breakpoints only apply when the playbook is run in Debug mode, not when an incident triggers the playbook normally.

Running from an incident executes the playbook without debugger controls, so breakpoints are ignored—leading to the deletion task running normally.

The Admin Guide states that layouts—representing how analysts view incident data, evidence, fields, and work plans—are attached directly toincident types. When configuring an incident type, the administrator can specify the layout for the “New,” “Editing,” and “Preview” modes. This ensures consistent presentation of data across the SOC, tailored to each use case (e.g., phishing, endpoint alerts, malware investigations).

Pre-process rules (option A) operate before incident creation and do not control the user interface layout. Incident playbooks (option B) automate response actions but have no effect on how the incident UI is presented. Integration instance settings (option C) define connection details and ingestion parameters but do not control UI layouts.

Only theIncident Type configuration pageincludes fields for selecting or assigning custom layouts. This aligns with XSOAR’s design principle: incident types define schema, workflows, and UI behavior, including which layout is displayed to analysts.

Thus, the correct answer isD, as incident layouts are configured and bound within theIncident Typesettings.

The XSOAR Timers/SLA documentation states that when an incident reaches the Closed state, all timers automatically stop and cannot continue unless manually reset. Timers do not pause — they terminate.

Additionally, when an incident is closed, its associated playbook completes, because closure marks the end of the investigation lifecycle.

The Threat Intelligence section specifies that XSOAR determines an indicator’s verdict by selecting the verdict from the source that has the highest reliability score.

Only when two sources have equal reliability does XSOAR choose the most severe (worst) verdict between them.

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/disaster-recovery-and-live-backup/backup-the-database.html

STIX/TAXII are industry-standard protocols for structured threat intelligence exchange. According to the Threat Intelligence section of the XSOAR documentation, TAXII servers and clients provide automated bidirectional sharing using STIX objects, supporting both ingestion and distribution of indicators, observables, relationships, and threat objects.

The TAXII Server content pack specifically enables an organization to expose its threat intelligence via a TAXII 2.0/2.1 compliant endpoint, where the transmitted data is formatted as STIX, making it the correct choice for sharing structured intelligence externally.

The Generic Export Indicators Service pack supports indicator export, but not in STIX format—it exports simple CSV, JSON, or list-based formats. MISP Server supports STIX ingestion and export but is considered a MISP-specific implementation and not the generic STIX distribution mechanism expected in the question. External dynamic lists are not related to STIX or TAXII at all.

Thus, the correct answer is D, as only the TAXII Server pack is designed explicitly for STIX-formatted intelligence sharing.

The XSOAR Playbook Editor allows engineers to manipulate and transform context data dynamically. According to the XSOAR Admin and Playbook Development Guides,“Extend Context”is the dedicated mechanism that enables a task to save output values into new or existing context keys, including keys that correspond to incident fields. By defining a key under the “Extend Context” section, the playbook task can map specific outputs—such as JSON fields, strings, arrays, or nested objects—to a structured location within the incident context. These keys can then be used to populate incident fields through further playbook tasks, field mappings, or automated incident field updates.

Classification (option A) applies only during ingestion and cannot assign task outputs to incident fields. Inputs (option B) define what data a task receives, not how it is stored afterward. Mapping (option D) belongs to the ingestion pipeline and determines how event fields become incident fields during creation, not during playbook execution.

Therefore,Extend Contextis the correct feature that allows a task to associate its output with incident fields, making optionCthe correct answer based on documentation.

The SSO (SAML) configuration is performed inside each Cortex XSOAR tenant, under the Authentication settings.

Group mapping (SAML group → XSOAR role/group) is managed at the tenant level, not in the Hub, Gateway, or Support Portal.

The XSOAR RBAC documentation states that role-based permissions can restrict user access to dashboards. When the administrator selects“Only allow these dashboards”within a role, the platform enforces a strict limitation: users assigned to this role can viewonlythe dashboards explicitly listed in the role configuration. These dashboards become theirdefault and sole available dashboards. They cannot create new dashboards, modify existing ones, delete dashboards, or access any dashboard not included in the allowed list. This setting is typically used in regulated environments or SOC tiers where dashboard visibility must align with job function and least-privilege principles.

The documentation clarifies that this permission setting removes access to any dashboards not included, overriding normal dashboard-sharing behavior. Therefore, options suggesting the user can modify dashboards (A or B) or automatically gain access to shared dashboards (C) contradict RBAC restrictions. The correct behavior is complete restriction: users canonlyview the explicitly authorized dashboards, withno ability to modifythem. Thus, optionDreflects the exact enforced behavior per XSOAR’s role permissions model.

The XSOAR Layouts documentation states that scripts can appear inside incident layouts only when they are designated as Dynamic Section scripts. Dynamic Sections are special script types that run automatically within layouts to display enrichment data, contextual summaries, or markdown-rendered information.

When creating such a script, the developer must mark it with the "dynamic-section" tag; otherwise, XSOAR does not expose it as an option during layout configuration. Without this mandatory tag, the script is treated as an ordinary automation and therefore cannot be placed into layout components.

Permissions (option B) affect script execution but do not prevent it from appearing in the layout editor. Integration commands (option C) are unrelated—dynamic sections do not use integration command definitions. Markdown output type (option D) determines formatting only and does not affect whether the script is selectable within the layout editor.

Thus, the missing configuration step is failing to tag the script as a Dynamic Section, making option A the correct answer according to the official XSOAR documentation.

XSOAR’s built-inLists Servicesupports operations such as creating, updating, and appending items to lists using automation commands. The correct command for appending a value to an existing list is!addToList, which inserts the new string (in this case an email address) into the list array stored within the XSOAR Lists infrastructure.

The Admin Guide describes!addToListas the intended mechanism to add new elements to a named list while automatically handling JSON structure and avoiding duplication errors.

Option B, !appendToListContext, modifiescontext data, not persistent platform lists—therefore it will not update the BlockedSenders list. Option C misuses !setIncident, which updates incident fields only, not system lists. Option D, !createListItem, is used when an integration or automation script exposes a “create item” action, not for native XSOAR lists.

Thus, the correct and documented method of adding an email value to a persistent XSOAR list is!addToList, making optionAthe accurate choice.

https://www.jaacostan.com/2021/02/palo-alto-cortex-xsoar-playbook-icons.html

The Layout customization section of the XSOAR Admin Guide explains that incident layouts control how analysts view and interact with fields, evidence, and metadata. Within a layout tab, sections exist purely for the purpose of organizing related fields into structured blocks, improving clarity, readability, and workflow efficiency. This is essential in complex incident types where numerous fields must be grouped logically (e.g., “User Details,” “Endpoint Information,” “Alert Metadata”).

Sections do not trigger automations or playbooks; automation triggers are defined through playbooks, field-change scripts, or incident type settings. They also do not enforce field mandatory requirements—mandatory fields are defined in the incident type configuration, not within layout sections. Likewise, RBAC does not operate at the section level; access restrictions apply to fields or entire incident types, not layout sections.

Therefore, the only correct and documented result of using sections within tabs is enhanced logical grouping of fields, improving analyst usability and data-entry organization. This aligns with option C, matching the intended purpose described in the layout configuration documentation.