XSOAR-Engineer Palo Alto Networks XSOAR Engineer Questions and Answers

The XSOAR RBAC documentation states that role-based permissions can restrict user access to dashboards. When the administrator selects“Only allow these dashboards”within a role, the platform enforces a strict limitation: users assigned to this role can viewonlythe dashboards explicitly listed in the role configuration. These dashboards become theirdefault and sole available dashboards. They cannot create new dashboards, modify existing ones, delete dashboards, or access any dashboard not included in the allowed list. This setting is typically used in regulated environments or SOC tiers where dashboard visibility must align with job function and least-privilege principles.

The documentation clarifies that this permission setting removes access to any dashboards not included, overriding normal dashboard-sharing behavior. Therefore, options suggesting the user can modify dashboards (A or B) or automatically gain access to shared dashboards (C) contradict RBAC restrictions. The correct behavior is complete restriction: users canonlyview the explicitly authorized dashboards, withno ability to modifythem. Thus, optionDreflects the exact enforced behavior per XSOAR’s role permissions model.

https://www.jaacostan.com/2021/02/palo-alto-cortex-xsoar-playbook-icons.html

In XSOAR, every entry in the War Room (commands, notes, outputs, files) is stored with a unique Entry ID.

Notes do not have a separate “Note ID”; they are War Room entries, and therefore their unique ID is the Entry ID.

The Marketplace section states that administrators can revert any installed content pack to a previous version via the Version History → Revert to this version option.

This is the recommended method when a new release introduces a bug.

Reinstalling the same version does not fix the code error.

Pre-process rules allow XSOAR to evaluate incoming events before they are fully created as incidents. These rules can suppress, modify, or relate events based on defined criteria. According to the Admin Guide, when a pre-process rule uses theLinkaction, XSOAR links the incoming event to an existing incident without triggering the standard incident creation process or subsequent playbook execution. This preserves the data for correlation and investigation while preventing duplicate or unnecessary playbook runs.

TheCloseaction (A) suppresses incidents completely and is used to auto-close unwanted events; this prevents preservation of the event and does not trigger the playbook. TheDropaction (C) discards incoming events entirely, removing them from the system and not preserving them. TheUpdateaction (B) modifies or enriches existing incidents but does not stop the playbook from running on newly created incidents of that type.

Because the requirement is topreserve the incident while also preventing automatic playbook execution, the Link action is the only workflow that fulfills both requirements according to XSOAR’s pre-process rule architecture. Thus, optionDis correct.

Integration performs

Classification is applied

Mapping is applied

Incident is created (before incident creation it should be also pre-process rule step)

According to the Cortex XSOAR Admin Guide, visibility of layout tabs is controlled byrole-based access permissions (RBAC). When customizing layouts, administrators can assign tabs, fields, and components to specific user roles. If the “Forensics” tab appears for senior analysts but not junior analysts, this indicates that the tab has been assigned only to certain roles through the “Roles” field in the layout editor.

XSOAR does not hide layout tabs due to incorrect field mappings (option A). If a field is unmapped, it simply appears empty, not invisible. Likewise, marking a tab as “read-only” (option C) still makes it visible; it only restricts editing. Display filters (option D) apply to list widgets, dashboards, and incidents—not layout tab visibility.

The documentation clearly states thata tab will not appear to a user unless their assigned role is included in the tab’s role permissions. Therefore, junior analysts cannot view the tab becausethe tab was not assigned to their role, making optionBthe correct explanation based on XSOAR’s RBAC-controlled layout behavior.

In Cortex XSOAR,Reportsare constructed fromWidgets, which are modular visualization components that pull data from incidents, indicators, tasks, lists, and other system sources. The Admin Guide clarifies that widgets serve as the building blocks for dashboards and reports. When creating a report, users select widgets—such as pie charts, tables, statistics blocks, histograms, and custom scripts—and XSOAR aggregates the underlying data (incidents, indicators, evidence, etc.) into the report output.

Automations (option B) may generate data, but they do not perform the aggregation within a report. SQL queries (option C) are not used natively in XSOAR reporting; instead, widgets may embed queries through the platform’s data model. Playbooks (option D) execute response workflows and can generate additional context but are not used for aggregating report data.

Thus, the report-generation process relies entirely on widgets to extract, sort, count, and visualize information. XSOAR renders the report by collecting the aggregated values produced by each widget. This makes optionAthe correct and documented answer.

When an analyst manually sets an indicator’s verdict, XSOAR records the verdict with a source named "Manual", and assigns it a reliability of Undefined.

This is explicitly documented under Indicator Verdict + Reliability behavior when a manual override is applied.

XSOAR’s ingestion pipeline defines a strict order in which raw fetched data is processed, and the Admin Guide explains that Classification determines the incident type based on incoming fields, while Mapping performs the actual transformation of event data into structured incident fields. Mapping profiles define how each field from the integration’s raw JSON (for example, source_ip, username, alert_id) is converted into standard or custom incident fields.

The Mapping Editor allows administrators to select specific fields from the incoming event data and bind them to incident fields used throughout playbooks, layouts, and reports. This ensures normalization of data and consistent schema usage across the SOC.

The documentation makes clear that Mapping is responsible for populating incident field values, whereas Classification only chooses the incident type. Field configuration defines field metadata but does not map values. Layout configuration controls visual presentation only and does not populate fields.

Thus, option B (Mapping) is the function that converts event data into incident field values and is the correct answer according to the ingestion architecture documented in the XSOAR Admin Guide.

The XSOAR Playbook Editor allows engineers to manipulate and transform context data dynamically. According to the XSOAR Admin and Playbook Development Guides,“Extend Context”is the dedicated mechanism that enables a task to save output values into new or existing context keys, including keys that correspond to incident fields. By defining a key under the “Extend Context” section, the playbook task can map specific outputs—such as JSON fields, strings, arrays, or nested objects—to a structured location within the incident context. These keys can then be used to populate incident fields through further playbook tasks, field mappings, or automated incident field updates.

Classification (option A) applies only during ingestion and cannot assign task outputs to incident fields. Inputs (option B) define what data a task receives, not how it is stored afterward. Mapping (option D) belongs to the ingestion pipeline and determines how event fields become incident fields during creation, not during playbook execution.

Therefore,Extend Contextis the correct feature that allows a task to associate its output with incident fields, making optionCthe correct answer based on documentation.

In Cortex XSOAR’s documented Dev/Prod deployment model, thedevelopment tenantis designed to be the workspace where engineers create, modify, test, and validate content before promoting it into production. As part of this workflow, the development tenant includes the“Export all custom content”feature, which generates a structured content bundle containing custom playbooks, integrations, fields, layouts, lists, and other artifacts. This bundle is then imported into the production tenant to ensure controlled, versioned, and tested promotion of content.

The Admin Guide highlights that this export capability isrestricted to the development environmentto preserve the integrity and stability of the production tenant. Production systems are intentionally limited, allowing only the import (not export) of custom content to prevent accidental overwriting, drift, or unintended modifications.

Marketplace access (A) exists in both tenants. Custom integration instances (C) can be created in either tenant. The Content Repository page (B) is also available across both environments.

Therefore, the only feature exclusive to the development tenant isD: “Export all custom content.”This ensures a safe, repeatable Dev→Prod promotion model aligned with enterprise change-control requirements.

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/disaster-recovery-and-live-backup/backup-the-database.html

The !setIncident command is the documented method for updating incident fields programmatically in Cortex XSOAR. The Admin Guide states that the syntax requires proper quoting for parameters, especially when assigning descriptive text that may include spaces. The correct syntax is:

!setIncident description="some text"

This updates the built-in description field at the incident level and allows widgets, dashboards, and reports to use the updated description because XSOAR widgets can read incident fields directly. OptionAuses correct syntax with quotes included.

Option B incorrectly uses !Set, which modifiescontext keys, not incident fields. Option C is invalid due to incorrect parameter formatting (hyphens instead of equals signs). Option D omits quotation marks, causing parsing errors in cases where the value includes spaces, verbs, or punctuation.

Thus, the only correct and fully documented method to update an incident’s description so that it is available to widgets isA: !setIncident description="…".

The core issue described isexcessive indicator extraction, causing rate-limit exhaustion on reputation services and overpopulation of indicators within the incident. According to XSOAR’s Indicator Extraction documentation, task-level extraction settings override incident-level defaults. Here, Task 1 (ad-get-user) is configured withIndicator Extract Mode: Inline, meaning every attribute returned by Active Directory—often extremely large datasets—triggers automatic IOC extraction. This leads to unnecessary extraction of usernames, metadata, and system fields that are not threat indicators, resulting in inflated indicator counts and reputation lookups.

Setting Task 1’s extraction mode toNoneprevents extraction of indicators from this verbose command, preventing both rate limiting and IOC bloating.

Changing incident-type defaults (A) does not override explicit task-level extraction. Setting extraction to inline on ServiceNow (C) worsens the problem. Disabling “mark results as notes” (D) has no effect on extraction; notes only influence whether context is stored.

Therefore, per XSOAR’s documented extraction hierarchy, the correct mitigation is to setad-get-user → Indicator Extract Mode = None, makingBthe correct answer.

According to the Cortex XSOAR Indicator Lifecycle documentation, when an indicator reaches its expiration date or is manually set toExpired, the platform doesnotdelete it. Instead, the indicator remains fully stored within the Indicator Store and can still be searched, viewed, and referenced within the system. Expiration affectshow the indicator behaves operationally, not whether it still exists in the database. Specifically, an expired indicatorno longer participates in active enrichment, matching, or classificationworkflows. It will not trigger rules, correlation, or alerting functionality, and enrichment engines stop providing updates.

The system retains expired indicators for historical accuracy, audit trail completeness, and investigation continuity. Deleting indicators automatically would compromise incident history and threat intelligence analytics, which XSOAR explicitly avoids. Furthermore, the documentation states that indicator deletion is alwaysmanualunless automated cleanup is configured, and even then, expiration alone does not initiate deletion.

Thus, the correct statement is optionA: the indicatorstill exists and remains searchable, maintaining its presence in XSOAR’s intelligence repository while no longer influencing automated processes. Options B, C, and D contradict documented indicator-retention behavior.