XSOAR-Engineer Palo Alto Networks XSOAR Engineer Questions and Answers

When an analyst manually sets an indicator’s verdict, XSOAR records the verdict with a source named "Manual", and assigns it a reliability of Undefined.

This is explicitly documented under Indicator Verdict + Reliability behavior when a manual override is applied.

The !setIncident command is the documented method for updating incident fields programmatically in Cortex XSOAR. The Admin Guide states that the syntax requires proper quoting for parameters, especially when assigning descriptive text that may include spaces. The correct syntax is:

!setIncident description="some text"

This updates the built-in description field at the incident level and allows widgets, dashboards, and reports to use the updated description because XSOAR widgets can read incident fields directly. Option A uses correct syntax with quotes included.

Option B incorrectly uses !Set, which modifies context keys , not incident fields. Option C is invalid due to incorrect parameter formatting (hyphens instead of equals signs). Option D omits quotation marks, causing parsing errors in cases where the value includes spaces, verbs, or punctuation.

Thus, the only correct and fully documented method to update an incident’s description so that it is available to widgets is A: !setIncident description="…" .

According to the Threat Intelligence section of the XSOAR Admin Guide, indicator verdict resolution uses two key rules:

If multiple sources have different reliability levels, the verdict from the highest-reliability source wins.

If multiple sources share the same reliability, XSOAR selects the “worst” (most severe) verdict among them.

Because both integrations have equal reliability ( B – Usually reliable ), XSOAR selects the more severe verdict. “Malicious” is more severe than “Benign,” so the resulting indicator verdict will be Malicious .

However, indicator field values follow a different rule:

When multiple sources share the same reliability score, the most recently updated source overwrites the indicator fields , except for the verdict field.

Integration B updated the indicator after Integration A, so its field values overwrite Integration A’s fields. But its verdict does not override the malicious verdict because severity resolution rules take precedence.

Therefore, the correct combined logic yields:

Verdict: Benign? No → Because Malicious is the highest severity.

Other Fields: From the most recently updated feed → Integration B.

But the verdict is strictly the “worst” verdict, so:

Correct answer: C .

The Threat Intelligence section specifies that XSOAR determines an indicator’s verdict by selecting the verdict from the source that has the highest reliability score.

Only when two sources have equal reliability does XSOAR choose the most severe (worst) verdict between them.

XSOAR’s built-in Lists Service supports operations such as creating, updating, and appending items to lists using automation commands. The correct command for appending a value to an existing list is !addToList , which inserts the new string (in this case an email address) into the list array stored within the XSOAR Lists infrastructure.

The Admin Guide describes !addToList as the intended mechanism to add new elements to a named list while automatically handling JSON structure and avoiding duplication errors.

Option B, !appendToListContext, modifies context data , not persistent platform lists—therefore it will not update the BlockedSenders list. Option C misuses !setIncident, which updates incident fields only, not system lists. Option D, !createListItem, is used when an integration or automation script exposes a “create item” action, not for native XSOAR lists.

Thus, the correct and documented method of adding an email value to a persistent XSOAR list is !addToList , making option A the accurate choice.

The Admin Guide states that layouts—representing how analysts view incident data, evidence, fields, and work plans—are attached directly to incident types . When configuring an incident type, the administrator can specify the layout for the “New,” “Editing,” and “Preview” modes. This ensures consistent presentation of data across the SOC, tailored to each use case (e.g., phishing, endpoint alerts, malware investigations).

Pre-process rules (option A) operate before incident creation and do not control the user interface layout. Incident playbooks (option B) automate response actions but have no effect on how the incident UI is presented. Integration instance settings (option C) define connection details and ingestion parameters but do not control UI layouts.

Only the Incident Type configuration page includes fields for selecting or assigning custom layouts. This aligns with XSOAR’s design principle: incident types define schema, workflows, and UI behavior, including which layout is displayed to analysts.

Thus, the correct answer is D , as incident layouts are configured and bound within the Incident Type settings.

The XSOAR Playbook Debugger documentation states that only open incidents can be selected as Test Data.

Closed incidents do not appear in the debugger’s incident selection list.

Starring an incident does not override this limitation; if it is closed, it will not appear.

XSOAR’s Threat Intelligence module represents connections between indicators—such as domain → IP mappings—using relationships . The Admin Guide explains that relationships have attributes including direction, type, and state , allowing analysts to mark them as active or inactive. When an observed association (such as a malicious domain pointing to a particular IP address) is no longer valid, the platform provides the ability to revoke the relationship , which sets its state to inactive without deleting the indicator or removing historical context.

Revoking is the correct method because it preserves historical intelligence for correlation, investigations, and audit trails while preventing outdated relationships from impacting enrichment or automated processes.

Updating the relationship type (option B) merely changes classification, not the state. Expiring the IP address indicator (option C) affects the indicator itself—not the relationship—and does not correctly mark that the specific association has ended. Updating the description (option D) is cosmetic only and does not change operational behavior.

Thus, revoking the relationship (option A) is the documented and proper way to inactivate a domain–IP connection in XSOAR.

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/disaster-recovery-and-live-backup/backup-the-database.html

Pre-process rules allow XSOAR to evaluate incoming events before they are fully created as incidents. These rules can suppress, modify, or relate events based on defined criteria. According to the Admin Guide, when a pre-process rule uses the Link action, XSOAR links the incoming event to an existing incident without triggering the standard incident creation process or subsequent playbook execution. This preserves the data for correlation and investigation while preventing duplicate or unnecessary playbook runs.

The Close action (A) suppresses incidents completely and is used to auto-close unwanted events; this prevents preservation of the event and does not trigger the playbook. The Drop action (C) discards incoming events entirely, removing them from the system and not preserving them. The Update action (B) modifies or enriches existing incidents but does not stop the playbook from running on newly created incidents of that type.

Because the requirement is to preserve the incident while also preventing automatic playbook execution , the Link action is the only workflow that fulfills both requirements according to XSOAR’s pre-process rule architecture. Thus, option D is correct.

The XSOAR Playbook Editor allows engineers to manipulate and transform context data dynamically. According to the XSOAR Admin and Playbook Development Guides, “Extend Context” is the dedicated mechanism that enables a task to save output values into new or existing context keys, including keys that correspond to incident fields. By defining a key under the “Extend Context” section, the playbook task can map specific outputs—such as JSON fields, strings, arrays, or nested objects—to a structured location within the incident context. These keys can then be used to populate incident fields through further playbook tasks, field mappings, or automated incident field updates.

Classification (option A) applies only during ingestion and cannot assign task outputs to incident fields. Inputs (option B) define what data a task receives, not how it is stored afterward. Mapping (option D) belongs to the ingestion pipeline and determines how event fields become incident fields during creation, not during playbook execution.

Therefore, Extend Context is the correct feature that allows a task to associate its output with incident fields, making option C the correct answer based on documentation.

According to the Cortex XSOAR Indicator Lifecycle documentation, when an indicator reaches its expiration date or is manually set to Expired , the platform does not delete it. Instead, the indicator remains fully stored within the Indicator Store and can still be searched, viewed, and referenced within the system. Expiration affects how the indicator behaves operationally , not whether it still exists in the database. Specifically, an expired indicator no longer participates in active enrichment, matching, or classification workflows. It will not trigger rules, correlation, or alerting functionality, and enrichment engines stop providing updates.

The system retains expired indicators for historical accuracy, audit trail completeness, and investigation continuity. Deleting indicators automatically would compromise incident history and threat intelligence analytics, which XSOAR explicitly avoids. Furthermore, the documentation states that indicator deletion is always manual unless automated cleanup is configured, and even then, expiration alone does not initiate deletion.

Thus, the correct statement is option A : the indicator still exists and remains searchable , maintaining its presence in XSOAR’s intelligence repository while no longer influencing automated processes. Options B, C, and D contradict documented indicator-retention behavior.

The XSOAR Incident Relationships model provides multiple ways to connect related incidents for correlation and hierarchical investigation. The Admin Guide details how Relate Incidents creates a logical link between two or more incidents, identifying them as connected without altering their internal data. This is commonly used when incidents share a common threat, indicator, or root cause.

Join Incidents allows analysts to group multiple incidents under a single parent investigation while keeping them technically separate. Joined incidents appear together in correlation views and analytics dashboards, enabling SOC teams to assess broader attack patterns. Joining does not merge content or overwrite fields; it simply binds multiple incidents under a shared investigative umbrella.

“Add Child Incidents” (option B) is used for parent–child hierarchical workflows, not grouping related violations. “Merge Incidents” (option D) consolidates multiple incidents into one and deletes the originals, which is not the intended function for grouping related but distinct events.

The XSOAR Admin Guide specifies that field-change trigger scripts allow automations to run whenever a designated incident field changes. Severity is a standard incident field, and when its value increases due to analyst action, a playbook, enrichment script, or correlation event, a field-change trigger can automatically run a script to notify teams.

Post-processing rules only run after an incident closes, making them unsuitable for real-time severity escalation alerts. SLA scripts respond to timer conditions, not field changes, and are used for SLA violations or deadline tracking. Server configuration does not provide automation behavior tied to field modifications.

Field-change triggers are explicitly documented as the mechanism to automate workflows for “reacting to changes in incident fields such as owner, severity, status, or custom fields.” When severity is updated, XSOAR evaluates matching triggers and runs the associated automation immediately.

Thus, only a field-change trigger script can reliably detect a severity escalation and execute a notification action the moment the field changes, making option C the correct and documented solution.