Palo Alto Networks XSOAR-Engineer Exam Questions Instant Access

Question 1

An engineer deployed two different instances of Active Directory for each organization site. As part of account enrichment use case, the engineer would like to delete a user from one specific site.

Which command will accomplish this?

Arun 'ad-delete-user' command with 'user-dn' arg and using-brand=''Active Directory Query v2''

Brun 'ad-delete-user' command with 'user-dn' arg and raw-response=true

Crun 'ad-delete-user' command with 'user-dn' arg and ignore-outputs=true

Drun 'ad-delete-user' command with 'user-dn' arg and using=''Active DirectoryQuery v2_instance_1''

Answer : D

Question 2

An engineer would like to change an incident's SLA according to the severity field changes. How can the engineer achieve this task?

AUse a field trigger script

BUse a field display script

CCreate a job that queries for incident severity changes

DChange the SLA manually every time the severity changes

Answer : A

Question 3

What is the unique identifier for a note in the incident War Room?.

AIncident ID.

BEntry ID.

CField ID.

DNote ID.

Answer : B

In XSOAR, every entry in the War Room (commands, notes, outputs, files) is stored with a unique Entry ID.

Notes do not have a separate ''Note ID''; they are War Room entries, and therefore their unique ID is the Entry ID.

Question 4

Which two actions will group similar incidents that share a common root cause or represent different aspects of a larger problem? (Choose two.).

ARelate Incidents.

BAdd Child Incidents.

CJoin Incidents.

DMerge Incidents.

Answer : A, C

The XSOAR Incident Relationships model provides multiple ways to connect related incidents for correlation and hierarchical investigation. The Admin Guide details how Relate Incidents creates a logical link between two or more incidents, identifying them as connected without altering their internal data. This is commonly used when incidents share a common threat, indicator, or root cause.

Join Incidents allows analysts to group multiple incidents under a single parent investigation while keeping them technically separate. Joined incidents appear together in correlation views and analytics dashboards, enabling SOC teams to assess broader attack patterns. Joining does not merge content or overwrite fields; it simply binds multiple incidents under a shared investigative umbrella.

''Add Child Incidents'' (option B) is used for parent--child hierarchical workflows, not grouping related violations. ''Merge Incidents'' (option D) consolidates multiple incidents into one and deletes the originals, which is not the intended function for grouping related but distinct events.

Question 5

When developing the playbook, which of the following can be used by a XSOAR Administrator?

AThe Debugger panel to test data with one of last five incidents. This will affect the incident's original incident data.

BContext data from existing incidents by exporting the YAML data from incidents and importing it to playbook editor.

CDebugger panel and XML data from a similar incident with New Mock Incident. This will not affect the incidents original incident data.

DThe Debugger panel to test data with one of last fifty incidents. This will not affect the incident's original incident data.

Answer : C

Question 6

Management would like to get an incident report automatically following an incident's closure. How would this be accomplished?

ADefine a task in a playbook to generate an incident report before the closure occurs

BManually create an 'Incident Report'

CConfigure post-processing using a script

DCreate an 'Incident Report' from the Reports page

Answer : C

Question 7

When mapping incoming data to incident fields, which statement is correct?

AData that is not mapped is placed under labels

BOnly text fields are classified

CClassification cannot be used if mapping is enabled

DEvery incoming field must be mapped

Answer : A

Palo Alto Networks XSOAR Engineer XSOAR-Engineer Exam Questions