PCSAE Sample Questions Answers

Live backup (disaster recovery)

Distributed database

Backup data to XSOAR engines

Local backup

Indicators

Incidents

Reports

Fields

Mark ignore output = true

Use extend-context

Use raw-response = save

Mark ignore input = true

Indicator type

Incoming mapper

Incident types

Integration configuration

!ip

!getReputation

!reputation

!enrichIndicator

Populate the custom indicator field with the built-in !SetIndicator command.

Add HTML to a list using !setList and use it as an HTML template to populate the custom indicator field.

Create a custom Indicator Mapper and populate the custom indicator field.

Use the Mapping option in the playbook task that generates the HTML report to populate the custom indicator field.

The audit log

The log bundle

The source code for an integration

The error message returned directly below the button

The playground war room

Default Dashboard can be defined by ‘Role’

Use the server configuration key: default.dashboards

Save the dashboard as a widget and apply it to all users

Right click on the dashboard tab and ‘Set as Default’

Planning > Incident Ingestion > Incident Creation > Mapping and Classification > Pre-processing > Playbook runs > Post-processing

Planning > Incident Ingestion > Pre-processing > Incident Creation > Mapping and Classification > Playbook runs > Post-processing

Planning > Incident Ingestion > Pre-processing > Mapping and Classification > Incident Creation > Playbook runs > Post-processing

Planning > Incident Ingestion > Mapping and Classification > Pre-processing > Incident Creation > Playbook runs > Post-processing

To run dedicated playbooks for different event types

To classify events ingested from various sources into the relevant types

To classify indicators extracted in XSOAR incidents to their respective types

To facilitate role based access to XSOAR incidents

Standard task

Conditional task

Section Header task

Data Collection task

Retrieve widget chart based on script

Related incidents

War room entries picked by entry query

Incident team members

${Files.[2].Name}

${Files.Name.[2]}

${File.[1].Name}

${File.Name.[1]}

To allow multi-QUESTION NO: surveys without authentication restrictions

To automate tasks such as parsing a file or enriching indicators

To generate new widgets for a dashboard

To determine different paths in a playbook

Lists

Jobs

Pre-processing rules

Exclusion List

They are used for branching paths in a playbook

They are used to interact with users through survey functionality

They are used to determine which incident will be executed

They are used for sending a specific QUESTION NO: to a person or team

The playbook assigned to the incident type

The playbook assigned to the indicator type

The playbook assigned during pre-processing

The playbook assigned by the integration

Work Plan

Related Incidents

War Room

Context Data

created:>=”7 days”

owner===admin

role is Analyst

status:closed –category:job

To highlight different paths in a playbook

To generate new widgets for a dashboard

To create an incident or escalate an existing incident

To automate tasks such as parsing a file or enriching indicators

Add a distributed database server

Add an indexing server

Add a live backup server (disaster recovery)

Add an engine

Create a custom indicator field named ‘username’ and link it to the internal system indicator

Change the reputation command for the internal system indicator type

Create a new indicator type of the internal username and set a formatting script to extract only the

username

Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning

In repetitive process flows to iterate for each playbook input

When continuously ingesting incidents from third-party systems

In repetitive process flows with no more than 10 loops

In repetitive processes that requires sub-playbook re-execution

Lists

Roles

Other content packs

Indicator layouts

Navigate to Settings

View the configured integrations and select Active Directory Authentication

Delete all integration instances and add all integration instances again

Navigate to Marketplace

View the installed content pack and select Active Directory content pack

Select version 1.4.6 and click on "Revert to this version"

Navigate to Settings

View the configured integrations and select Active Directory Query

Delete all integration instances and add all integration instances again

Navigate to Marketplace

View the installed content pack and select Active Directory content pack

Click on uninstall content pack

Navigate to Marketplace browser and reinstall the Active Directory content pack

Go to the Marketplace > Download the Fix my XSOAR playbook pack > Run the playbook > Download logs from War Room

Settings > About > Troubleshooting > Set Log Level to Debug > Download Logs

Dashboards & Reports > System Health

Settings > About > System Diagnostics

To track SLA breaches per playbook

To run a script that executes on SLA assignment

To automatically alert the analyst on SLA breach

To count the time between one or more tasks

XSOAR D2 agent

external integration command

XSOAR shared agent

common automation script

Download the debug log bundle

Put the XSOAR server in maintenance mode

View and modify server configuration settings

Export and import custom content

View a list of server administrators

Define input key in the subplaybook task. Map context values to pull from parent playbook.

The output of the previous task automatically becomes the input of the subplaybook.

Map inputs and outputs to the parent playbook and the subplaybook will use the same values.

Open the subplaybook and add inputs or outputs in the Playbook triggered task.

3000 Incidents

Incident Field

Verdict Label

Incident Type

Manually directly from the War Room with the Actions drop-down

From the Notes section (mark as entry icon)

Manually from the playbook task (mark as entry icon)

Automatically from playbook tasks when the option is selected on the Advanced tab

By running the command !MarkAsEvidence

Run Command, Export, and Close and Delete for all selected incidents regardless of their status

Assign, Edit, and Mark as Duplicate for all selected incidents regardless of their status

Run Command for all selected incidents having Active status

Export incidents as JSON and change incident status

Just after the incident is created

Just after the pre-processing is executed

Just after the playbook is executed

Just after the Close Incident button is clicked

Get DBotScore.value where DBotScore.Score (Larger or equals) 4

Get DBotScore.value where DBotScore.Score (equals (int)) 3

Get DBotScore where DBotScore.Score (Larger than) 1

Get DBotScore where DBotScore.Score (Larger or equals) 2

Process all alerts by running the respective playbook and link related incidents during post-processing

Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together

Configure a pre-process rule to link related events as they are ingested

Manually go through the incidents created by the raw events and link related incidents

Incident Summary View

My Incidents

My Threat Landscape

My Dashboard

XSOAR D2 Agents, to send the required emails.

An XSOAR engine that is downloaded from the XSOAR server and installed within the subsidiary.

Another XSOAR server that uses the same license as their primary XSOAR server.

A Linux server connected with an XSOAR server using SSH integration. Commands can be run remotely to access the mail server.

Python

Perl

Go

JavaScript

Powershell

Classification and Mapping

Playbook Tasks

Evidence Fields

Incident Fields

Using the demisto_error() function

Using a print statement

Using the demisto.debug() function

Using the return_error() function

The administrator will receive a notification that there is both a Classifier and Incident Type set for that integration instance.

The Incident Type will be ignored, and incoming incidents will be classified according to the Classifier.

The Classifier will be ignored, and incoming incidents will be classified according to the Incident Type.

Both the Classifier and Incident Type will classify incoming incidents.