XSOAR-Engineer Questions and Answers

Inline

Inband

None

Out of band

Run an automation script in the Playground to remove usernames from the incident.

Create a pre-processing rule that runs an automation script to remove usernames from the incident as it comes into XSOAR.

Run an automation script on the XSOAR server to remove usernames from the incident.

Create a playbook task to remove the usernames from the incident.

Revoke the relationship.

Update the relationship type.

Expire the IP address indicator.

Update the indicator relationship description.

Selma Moon.

Richardson Morales.

Hubbard Wilcox.

Michael Henderson.

The integration commands in a playbook can no longer be used

The integration commands can be used, but it is recommended to update to the latest content pack

The configuration settings will be lost and the integration will no longer function

The integration commands in a playbook can be used, but it will fail at runtime

DeleteContext

GenerateTest

PrintContext

SetContext

-status:closed -category:job type:Phishing created:>="30 days ago"

status:closed -category:jobandtype:Phishing created:>="30 days ago"

-status:closed -category:jobandtype:Phishing created:<="30 days ago"

-status:closed -category:job type:Phishing created:="30 days ago"

Settings > About > Troubleshooting, in the main host account. Each host has a System Diagnostics page.

Settings > Advanced > System Diagnostics, in the main host account. Each host has a System Diagnostics page.

Settings > Account Management > Hosts, in the main host account. Each host has a System Diagnostics page.

Settings > About > System Diagnostics, in the main host account. Each host has a System Diagnostics page.

Users defined in the platform (email or username)

Other organizations via the Marketplace

Users outside XSOAR via email invite

Roles defined in the platform

F - Reliability cannot be judged, A - Completely Reliable

F - Not reliable, A - Usually Reliable

F - Not usually reliable, A - Fairly Reliable

F - Unreliable, A - Completely Reliable

reputation-script

enrich

reputationScript

reputation

It still exists and can be searched.

It is immediately deleted from the database.

It still exists but is not searchable.

It is deleted from the database after seven days.

Process all alerts by running the respective playbook and link related incidents during post-processing

Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together

Configure a pre-process rule to link related events as they are ingested

Manually go through the incidents created by the raw events and link related incidents

To track SLA breaches per playbook

To run a script that executes on SLA assignment

To automatically alert the analyst on SLA breach

To count the time between one or more tasks

Main Account

Tenants

Agent tools

Marketplace

Standard task

Conditional task

Section Header task

Data Collection task

Inputs and outputs

Through integration context

Automatically extracted by sub-playbooks

From context data, if context is shared globally

Create a new indicator type and disable the built-in IP indicator

Edit the regex of the default IP Indicator

Add a new server configuration key that will overwrite the default regex of the IP indicator

Delete the default IP indicator

!setIncident description="This is an updated description.".

!Set key="description" value="This is an updated description.".

!Set key-"description" value-This is an updated description.

!setIncident description=This is an updated description.

Define input key in the subplaybook task. Map context values to pull from parent playbook.

The output of the previous task automatically becomes the input of the subplaybook.

Map inputs and outputs to the parent playbook and the subplaybook will use the same values.

Open the subplaybook and add inputs or outputs in the Playbook triggered task.

SLA script.

Post-processing rule.

Field-change trigger script.

Server config.

Markdown

Grid Fields

DOC format

Javascript

Inputs are data pieces that are present in the playbook

Inputs are data pieces that are present in the task

Outputs are used as incident trigger for playbook

Outputs can be derived from the result of a task or command

Inputs are the data fields parsed by the Classifier

Fields can be used in playbooks and labels cannot

Fields are indexed in the database and labels are not

Labels can be used in queries and fields cannot

Labels are indexed in the database and fields are not

An automation script cannot execute an integration command and an integration command cannot execute an automation script

An automation script can execute an integration command and an integration command cannot execute an automation script

An automation script cannot execute an integration command and an integration command can execute an automation script

An automation script can execute an integration command and an integration command can execute an automation script

Using a debug statement

Using the demisto.debug() function

Using a print statement

Using the demisto.results() function

The new job form changes based on the threat intel feed integration configuration

The new job form can be edited from the Indicator Feed incident type editor

The new job form for a threat intel feed job cannot be edited

The new job form can be edited from the threat intel feeds integration settings

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with no argument

Edit the incident layout to add a new button that calls the AssignToMeButton automation with argument assignBy={me}

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument owner={me}

Edit the incident layout to add a new button that calls the AssignAnalystToIncident automation with argument assignBy=current

The post-processing tag must be added to the automation

Post-processing scripts must be added at the end of playbooks

Post-processing scripts must be added from the Incident Type editor

Post-processing scripts must be added from the Post-Process Rules editor

Use Shell installer and create a custom JSON configuration file.

Use different docker instances in the machine to install each engine.

Use Shell installer with "Allow running multiple engines.".

Create a DEB installer and modify in the JSON configuration.

Go to the Marketplace > Download the Fix my XSOAR playbook pack > Run the playbook > Download logs from War Room

Settings > About > Troubleshooting > Set Log Level to Debug > Download Logs

DashboardsandReports > System Health

Settings > About > System Diagnostics

Live backup (disaster recovery)

Distributed database

Backup data to XSOAR engines

Local backup

Get DBotScore.value where DBotScore.Score (Larger or equals) 4

Get DBotScore.value where DBotScore.Score (equals (int)) 3

Get DBotScore where DBotScore.Score (Larger than) 1

Get DBotScore where DBotScore.Score (Larger or equals) 2

Triggering specific automations or playbooks when data within that section is modified during an investigation.

Enforcing mandatory fields that must be completed before an incident can be closed.

Grouping related fields and information logically, improving readability and data entry efficiency.

Restricting access to sensitive fields based on user roles, ensuring data privacy within the specific incident type.

Summary

Compiler

Schedule

Run On

Data that is not mapped is placed under labels

Only text fields are classified

Classification cannot be used if mapping is enabled

Every incoming field must be mapped

In the instance settings, enable the fetch incidents parameter and wait for one minute

Create a one task playbook with a fetch-incident command

execute !-fetch

execute !-fetch

Available commands

Permission settings

Automation version history

Automation timeout configuration

Set of fields to present

Permission to view the tab based on ‘Users’

Permission to view the tab based on ‘Roles’

Delete built-in tabs including the war room

Dynamic sections

To visualize server configuration keys

To visualize XSOAR list data

To visualize complex incident data calculations

To visualize context data

To visualize a custom query

Download the content from the Marketplace.

Go to Settings > About >Troubleshooting and set a flag to allow custom content.

Register a user account with support.paloaltonetworks.com .

Detach the content item you want to edit from the Marketplace.

Closed incidents are not visible in the debugger.

The incident has been restricted.

Starred incidents are not visible in the debugger.

The incident type is set incorrectly.

Default Dashboard can be defined by ‘Role’

Use the server configuration key: default.dashboards

Save the dashboard as a widget and apply it to all users

Right click on the dashboard tab and ‘Set as Default’

Every 24 hours

Every 5 minutes

Every 8 hours

Every 1 hour

OTP token

User name and password

SAML

Active Directory authentication

RADIUS

2 main DBs, 1 application server, 2 node servers

1 main DB, 1 application server, 3 node servers

2 application servers, 1 main DB, 1 node server

1 application server, 2 main DBs, 1 node server

XSOAR server, XSOAR engine

Application server, distributed DB server

Application server, distributed DB server, Backup server

All in one server

Submit content directly through feature requests

Private GitHub repository submission for premium content

A Github pull request on the public XSOAR Content Repository

Using the marketplace interface to upload the content

Using the content submission tool on live.paloaltonetworks.com

Marketplace.

Content Repository page.

Custom integration instances.

"Export all custom content" feature.

Only users with a valid Github account

Any user who has signed up through the dev portal

Any user who has a live.paloaltonetworks.com account

All users with the correct XSOAR Role and Permissions

Just after the incident is created

Just after the pre-processing is executed

Just after the playbook is executed

Just after the Close Incident button is clicked

Cron job

Time triggered job

Feed triggered job

REST API job

/var/lib/demisto

/tmp/log/demisto

/usr/local/demisto

/var/log/demisto

type:File reputation:Malicious sourcetimestamp:"30 days ago"

type:File verdict:Malicious sourcetimestamp:<="30 days ago"

type:File reputation:Malicious sourcetimestamp:="30 days ago"

type:File verdict:Malicious sourcetimestamp:>="30 days ago"