An engineer creates a script to display data in markdown format for a layout. When configuring the layout, the new script is not listed.
Which missed configuration step will cause this behavior?.
Answer : A
The XSOAR Layouts documentation states that scripts can appear inside incident layouts only when they are designated as Dynamic Section scripts. Dynamic Sections are special script types that run automatically within layouts to display enrichment data, contextual summaries, or markdown-rendered information.
When creating such a script, the developer must mark it with the 'dynamic-section' tag; otherwise, XSOAR does not expose it as an option during layout configuration. Without this mandatory tag, the script is treated as an ordinary automation and therefore cannot be placed into layout components.
Permissions (option B) affect script execution but do not prevent it from appearing in the layout editor. Integration commands (option C) are unrelated---dynamic sections do not use integration command definitions. Markdown output type (option D) determines formatting only and does not affect whether the script is selectable within the layout editor.
Thus, the missing configuration step is failing to tag the script as a Dynamic Section, making option A the correct answer according to the official XSOAR documentation.
Which Marketplace content pack will allow sharing of threat intelligence in STIX format?.
Answer : D
STIX/TAXII are industry-standard protocols for structured threat intelligence exchange. According to the Threat Intelligence section of the XSOAR documentation, TAXII servers and clients provide automated bidirectional sharing using STIX objects, supporting both ingestion and distribution of indicators, observables, relationships, and threat objects.
The TAXII Server content pack specifically enables an organization to expose its threat intelligence via a TAXII 2.0/2.1 compliant endpoint, where the transmitted data is formatted as STIX, making it the correct choice for sharing structured intelligence externally.
The Generic Export Indicators Service pack supports indicator export, but not in STIX format---it exports simple CSV, JSON, or list-based formats. MISP Server supports STIX ingestion and export but is considered a MISP-specific implementation and not the generic STIX distribution mechanism expected in the question. External dynamic lists are not related to STIX or TAXII at all.
Thus, the correct answer is D, as only the TAXII Server pack is designed explicitly for STIX-formatted intelligence sharing.
Based on the integration and classifier configuration images below,

which incident type will be created for incidents ingested using this integration when the incoming "type" field is set to "url allowed"?.
Answer : A
What is the default configuration for indicator auto-extraction when incidents are created?
Answer : A
If a known malicious domain is no longer associated with a specific IP address, which action will make the association inactive?.
Answer : A
XSOAR's Threat Intelligence module represents connections between indicators---such as domain IP mappings---using relationships. The Admin Guide explains that relationships have attributes including direction, type, and state, allowing analysts to mark them as active or inactive. When an observed association (such as a malicious domain pointing to a particular IP address) is no longer valid, the platform provides the ability to revoke the relationship, which sets its state to inactive without deleting the indicator or removing historical context.
Revoking is the correct method because it preserves historical intelligence for correlation, investigations, and audit trails while preventing outdated relationships from impacting enrichment or automated processes.
Updating the relationship type (option B) merely changes classification, not the state. Expiring the IP address indicator (option C) affects the indicator itself---not the relationship---and does not correctly mark that the specific association has ended. Updating the description (option D) is cosmetic only and does not change operational behavior.
Thus, revoking the relationship (option A) is the documented and proper way to inactivate a domain--IP connection in XSOAR.
What is an outcome of using sections within a tab when customizing an incident layout?.
Answer : C
The Layout customization section of the XSOAR Admin Guide explains that incident layouts control how analysts view and interact with fields, evidence, and metadata. Within a layout tab, sections exist purely for the purpose of organizing related fields into structured blocks, improving clarity, readability, and workflow efficiency. This is essential in complex incident types where numerous fields must be grouped logically (e.g., ''User Details,'' ''Endpoint Information,'' ''Alert Metadata'').
Sections do not trigger automations or playbooks; automation triggers are defined through playbooks, field-change scripts, or incident type settings. They also do not enforce field mandatory requirements---mandatory fields are defined in the incident type configuration, not within layout sections. Likewise, RBAC does not operate at the section level; access restrictions apply to fields or entire incident types, not layout sections.
Therefore, the only correct and documented result of using sections within tabs is enhanced logical grouping of fields, improving analyst usability and data-entry organization. This aligns with option C, matching the intended purpose described in the layout configuration documentation.
Which playbook will a job run by default?
Answer : A