Spring Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Home
Paloalto Networks
Security Operations
XSOAR-Engineer
Palo Alto Networks XSOAR Engineer Questions and Answers

Pass the Paloalto Networks Security Operations XSOAR-Engineer Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam XSOAR-Engineer Premium Access

View all detail and faqs for the XSOAR-Engineer exam

Go to Exam

510 Students Passed

93% Average Score

92% Same Questions

Viewing page 3 out of 7 pages

Viewing questions 21-30 out of questions

Questions # 21:

An engineer would like to change an incident’s SLA according to the severity field changes. How can the engineer achieve this task?

Options:

Use a field trigger script

Use a field display script

Create a job that queries for incident severity changes

Change the SLA manually every time the severity changes

Answer

Explanation

[Reference: https://xsoar.pan.dev/docs/incidents/incident-fields, , ]

Questions # 22:

An analyst wants to run a script to remove usernames from an incident before the incident becomes active in XSOAR. How can this be achieved?

Options:

Run an automation script in the Playground to remove usernames from the incident.

Create a pre-processing rule that runs an automation script to remove usernames from the incident as it comes into XSOAR.

Run an automation script on the XSOAR server to remove usernames from the incident.

Create a playbook task to remove the usernames from the incident.

Answer

Explanation

[Reference: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.6/Cortex-XSOAR-Administrator-Guide/Incident-Management, , ]

Questions # 23:

When the "Only allow these dashboards" checkbox is selected for a user role, what is the primary effect on users assigned this role?.

Options:

They are prompted to select their preferred dashboards upon login and can only modify these chosen dashboards.

They can only view specified dashboards and make minor modifications.

They will automatically have all dashboards that are shared with them added to their view.

They will be restricted to viewing only the specified default dashboards and cannot make any modifications.

Answer

Explanation

The XSOAR RBAC documentation states that role-based permissions can restrict user access to dashboards. When the administrator selects“Only allow these dashboards”within a role, the platform enforces a strict limitation: users assigned to this role can viewonlythe dashboards explicitly listed in the role configuration. These dashboards become theirdefault and sole available dashboards. They cannot create new dashboards, modify existing ones, delete dashboards, or access any dashboard not included in the allowed list. This setting is typically used in regulated environments or SOC tiers where dashboard visibility must align with job function and least-privilege principles.

The documentation clarifies that this permission setting removes access to any dashboards not included, overriding normal dashboard-sharing behavior. Therefore, options suggesting the user can modify dashboards (A or B) or automatically gain access to shared dashboards (C) contradict RBAC restrictions. The correct behavior is complete restriction: users canonlyview the explicitly authorized dashboards, withno ability to modifythem. Thus, optionDreflects the exact enforced behavior per XSOAR’s role permissions model.

Questions # 24:

Which playbook will a job run by default?

Options:

The playbook assigned to the incident type

The playbook assigned to the indicator type

The playbook assigned during pre-processing

The playbook assigned by the integration

Answer

Questions # 25:

For troubleshooting, after a log bundle is created, where do the logs appear on the XCSOAR server?

Options:

/var/lib/demisto

/tmp/log/demisto

/usr/local/demisto

/var/log/demisto

Answer

Questions # 26:

What is the function of timer SLA fields in Cortex XSOAR?

Options:

To track SLA breaches per playbook

To run a script that executes on SLA assignment

To automatically alert the analyst on SLA breach

To count the time between one or more tasks

Answer

Explanation

[Reference: https://docs-cortex.paloaltonetworks.com/cortex/cortex-xsoar//6-2/cortex-xsoar-admin/work-with-slas/create-an-sla-field, , ]

Questions # 27:

Which two actions will group similar incidents that share a common root cause or represent different aspects of a larger problem? (Choose two.).

Options:

Relate Incidents.

Add Child Incidents.

Join Incidents.

Merge Incidents.

Answer

A, C

Explanation

The XSOAR Incident Relationships model provides multiple ways to connect related incidents for correlation and hierarchical investigation. The Admin Guide details howRelate Incidentscreates a logical link between two or more incidents, identifying them as connected without altering their internal data. This is commonly used when incidents share a common threat, indicator, or root cause.

Join Incidentsallows analysts to group multiple incidents under a single parent investigation while keeping them technically separate. Joined incidents appear together in correlation views and analytics dashboards, enabling SOC teams to assess broader attack patterns. Joining does not merge content or overwrite fields; it simply binds multiple incidents under a shared investigative umbrella.

“Add Child Incidents” (option B) is used for parent–child hierarchical workflows, not grouping related violations. “Merge Incidents” (option D) consolidates multiple incidents into one and deletes the originals, which is not the intended function for grouping related but distinct events.

Questions # 28:

What is used to trigger playbooks automatically based on the classification of an incident?