PALO ALTO NETWORKS PCSAE STUDY GUIDE

January 2021
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2021 Palo Alto Networks – all rights reserved.
Aperture, AutoFocus, GlobalProtect, Palo Alto Networks, PAN-OS, Panorama, Traps, and WildFire are trademarks of Palo Alto Networks, Inc. All other
trademarks are the property of their respective owners.

PALO ALTO NETWORKS CERTIFIED SECURITY AUTOMATION ENGINEER STUDY GUIDE 2


Table of Contents
Palo Alto Networks PCSAE Study Guide........................................... 5
Overview ................................................................................................................ 5
Exam Format .......................................................................................................... 5
How to Take This Exam......................................................................................... 5
Preparation Resources ............................................................................................ 6
Exam Domains and Objectives ........................................................... 7
1 Playbook Development ....................................................................................... 7
1.1 Conceptualize text data. ............................................................................................................7
1.2 Summarize the difference between inputs, outputs, and results for playbook tasks. .......................9
1.3 Outline how to use loop sub-playbooks.................................................................................... 15
1.4 Differentiate between playbook task types. .............................................................................. 16
1.5 Use filters and transformers to manipulate data......................................................................... 19
2 Incident Types, Indicator Types, Layouts, and Fields ...................................... 22
2.1 Compare and contrast the different incident types. .................................................................... 22
2.2 Outline the different layout types............................................................................................. 26
2.3 Compare and contrast the different indicator types.................................................................... 30
2.4 Summarize field types, associated capabilities, and purpose. ..................................................... 34
3 Automations and Integration and Related Concepts ......................................... 38
3.1 Use automations to respond to incidents................................................................................... 38
3.2 Outline integration concepts.................................................................................................... 45
3.3 Configure integration instances. .............................................................................................. 48

4 Solution Architecture ........................................................................................ 51


4.1 Describe the components of the Cortex XSOAR system architecture. ........................................ 51
4.2 Assess system architecture and outline scalability opportunities. ............................................... 58
4.3 Create incidents using Cortex XSOAR..................................................................................... 61
5 Content Updates and Content Management ...................................................... 63
5.1 Outline Marketplace concepts. ................................................................................................ 63
5.2 Apply custom content and manage content updates................................................................... 66
6 Web Interface Workflow, Dashboards, and Reports......................................... 72

6.1 Navigate the web interface and query system data. ................................................................... 72
6.2 Summarize the workflow elements used during an investigation................................................ 76
6.3 Create dashboards and reports. ................................................................................................ 78
6.4 Apply the appropriate widget type. .......................................................................................... 82

Sample Questions .............................................................................. 83


1. Playbook Development ......................................................................................................... 83
2. Incident Types, Indicator Types, Layouts, and Fields .............................................................. 84
3. Automations and Integration and Related Concepts................................................................. 85
4. Solution Architecture ............................................................................................................ 87
5. Content Updates and Content Management ............................................................................ 91
6. Web Interface Workflow, Dashboards, and Reports ................................................................ 92

Answers to Sample Questions ........................................................... 94

Palo Alto Networks PCSAE Study Guide
Welcome to the Palo Alto Networks PCSAE Study Guide. The purpose of this guide is to help you prepare
for your Palo Alto Networks Certified Security Automation Engineer (PCSAE) exam and achieve your
PCSAE credential.

Overview
The PCSAE program is a formal, third-party proctored certification. Success on the PCSAE exam shows
that you possess the in-depth skills and knowledge to develop playbooks, manage incidents, create
automations and integrations, and demonstrate the highest standard of deployment methodology and
operational best practices associated with Palo Alto Networks Cortex XSOAR. The exam is not intended
to trick you with its questions or to test obscure detail. However, a nuanced understanding, and the ability
gained through significant experience to make subtle technical distinctions, will help you make better
answer choices.

More information is available from the Palo Alto Networks public page at:

https://www.paloaltonetworks.com/cortex/xsoar

Cortex XSOAR technical documentation is located at:

https://docs.paloaltonetworks.com/cortex/cortex-xsoar.html

Exam Format
The test format is 85 multiple-choice items. Candidates will have 5 minutes to complete the Non-
Disclosure Agreement (NDA), 80 minutes (1 hour, 20 minutes) to complete the questions, and 5 minutes
to complete a survey at the end of the exam.

The approximate distribution of items by topic (Exam Domain) and topic weightings is shown in the
following table.

This exam is based on Cortex XSOAR version 6.0.

Exam Domain                                              Weight (%)
Playbook Development                                     25%
Incident Types, Indicator Types, Layouts, and Fields     20%
Automations and Integrations and Related Concepts        20%
Solution Architecture                                    15%
Content Updates and Content Management                   10%
Web Interface Workflow, Dashboards, and Reports          10%
Total                                                    100%

How to Take This Exam


The exam is available through the third-party Pearson VUE testing platform. To register for the exam,
visit https://home.pearsonvue.com/paloaltonetworks.

Preparation Resources
The document is a compilation of key resources to guide exam preparation. These resources cover the
material designated by the exam objectives. To study efficiently, focus on the suggested topics listed for
each resource. Be sure that you have a clear and complete understanding of these topics before you take
the exam.

Exam Domains and Objectives
1 Playbook Development
1.1 Conceptualize text data.
Context data is all the data gathered during an investigation. Every incident and playbook has a place to
store data called the context. It stores the results from every integration command and every automation
script that is run.

1.1.1 Query and use context data:


The context is a map or key-value pair dictionary, the values of which can nest additional structures. A
context is a JSON-formatted object that is created for each incident.

The context keys are strings, and the values can be strings, numbers, objects, and arrays. The context’s
primary use is to pass data between playbook tasks; one task stores its output in the context, and the other
task reads that output from the context and uses it.

The output result is stored in the JSON context of the incident or the playground, whether you run an
integration command from the CLI or from a playbook task. For example, a command such as !whois
query="paloaltonetworks.com" would return the data and store the results in the context. The
following screen shows an example of JSON context data:

Another use is to capture the important structured data from automations and display that data in the
incident summary.

References:

• https://xsoar.pan.dev/docs/integrations/context-and-outputs
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/extend-context.html

1.1.2 Differentiate between public and private concepts:
Sub-playbooks should be discussed before public (or global) and private concepts are explained. Sub-
playbooks are playbooks that can be nested into other playbooks that are referred to as parent playbooks.
Because sub-playbooks are building blocks that preferably will be usable in other playbooks and use
cases, you should define generic inputs for them.

Inputs can be passed into sub-playbooks from the parent playbook, used and processed in the sub-
playbook, and sent as output to the parent playbook.

The context of a sub-playbook can be either private or global.

You can use private context when you do not want the content to be affected by outside changes, only
from the inputs that this sub-playbook receives.

Global context is for when the context in the parent playbook should be considered and accessed. Note
that a change made to the sub-playbook will impact the parent playbook at the next run of the parent
playbook.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/configure-a-sub-playbook-loop.html
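As an added illustration (not code from this guide or from Cortex XSOAR itself), the following Python models the context behaviour described in 1.1.1 and 1.1.2: a task stores its result under a prefix, a later task reads it by a dotted path such as File.Extension, and a sub-playbook runs with either a private or a global context. The context values, the merge rule in store_output and the function names are constructed assumptions.

```python
import copy
from typing import Any, Dict, List

# Constructed incident context (hypothetical values): a JSON-style object with
# string keys whose values are strings, objects or arrays, as a playbook might
# hold after a whois-style command and a file-extraction task have run.
INCIDENT_CONTEXT: Dict[str, Any] = {
    "Whois": {"Domain": "paloaltonetworks.com", "Registrar": "example registrar"},
    "File": [
        {"Name": "invoice.exe", "Extension": "exe"},
        {"Name": "readme.txt", "Extension": "txt"},
    ],
}


def fresh_context() -> Dict[str, Any]:
    """Return an independent copy of the constructed context for a new run."""
    return copy.deepcopy(INCIDENT_CONTEXT)


def store_output(context: Dict[str, Any], prefix: str, outputs: Any) -> Dict[str, Any]:
    """Store a task's result under a context prefix such as "IP" or "Whois".

    Hypothetical merge rule used here: when the prefix already holds data, it
    becomes an array so that earlier results are kept rather than overwritten.
    """
    if prefix not in context:
        context[prefix] = outputs
        return context
    existing = context[prefix]
    merged = existing if isinstance(existing, list) else [existing]
    merged.extend(outputs if isinstance(outputs, list) else [outputs])
    context[prefix] = merged
    return context


def read_path(context: Dict[str, Any], path: str) -> List[Any]:
    """Read a dotted context path such as "File.Extension" for a later task.

    Arrays along the path fan out, so the result is always a flat list of the
    matching leaf values (empty when nothing matches).
    """
    nodes: List[Any] = [context]
    for key in path.split("."):
        next_nodes: List[Any] = []
        for node in nodes:
            for item in node if isinstance(node, list) else [node]:
                if isinstance(item, dict) and key in item:
                    next_nodes.append(item[key])
        nodes = next_nodes
    flat: List[Any] = []
    for node in nodes:
        flat.extend(node if isinstance(node, list) else [node])
    return flat


def run_sub_playbook(parent: Dict[str, Any], inputs: Dict[str, Any],
                     private_context: bool) -> Dict[str, Any]:
    """Model one sub-playbook run that enriches a domain and declares outputs.

    Private context: the sub-playbook starts from an empty context that only
    its inputs feed, so nothing it writes reaches the parent except the
    outputs it returns. Global context: it reads and writes the parent's
    context directly, so the parent sees the "Enriched" key afterwards.
    """
    ctx: Dict[str, Any] = {} if private_context else parent
    domain = inputs["Domain"]
    # Constructed enrichment result standing in for an integration command.
    store_output(ctx, "Enriched", {"Domain": domain, "Score": 3})
    # Declared outputs are what the parent can map into its own context.
    return {"EnrichedDomain": domain,
            "EnrichedScore": read_path(ctx, "Enriched.Score")[0]}
```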

1.2 Summarize the difference between inputs, outputs, and results for playbook tasks.
Depending on the task type you select and the script you are running, playbook tasks have inputs. Inputs
are data pieces that are present in the playbook or task. The inputs are often manipulated or enriched, and
they produce outputs. Outputs are the objects whose entries will serve the tasks throughout the playbook,
and they can be derived from the result of a task or command.

1.2.1 Describe inputs and outputs for playbook tasks:


The inputs might come from the incident itself, such as the role to which the incident should be assigned,
or input can be provided by an integration, for example, when an Active Directory integration is used in a
task to extract a user’s credentials.

The following graphics show a playbook that is triggered based on context data, meaning an incident. The
first two inputs are the SrcIP, which comes from the incident.src key, and DstIP, which is retrieved from
incident.dest.

The playbook itself creates output objects whose entries will serve the tasks throughout the playbook.

Outputs can be data that was extracted or derived from the inputs. For example, the following images
show the user’s credentials being retrieved from Active Directory. Those credentials will be used to get
the user’s account name, email address, and any groups to which they belong:

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/playbooks-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/playbook-inputs-and-outputs.html

1.2.2 Describe inputs and outputs for sub-playbooks:


Playbooks can be divided into two categories, depending on their use. Technically, they are the same, but
in terms of use there are some differences.

“Parent” playbooks are playbooks that run as the main playbook of an incident. The other type is “sub-
playbooks” which are just playbooks that are being called by another playbook.

Sub-playbooks are playbooks that can be nested into other playbooks that are referred to as parent
playbooks. They appear as tasks in the flow and have a book icon, but they can contain a whole playbook.

Examples of parent playbooks are “Phishing Investigation - Generic v2” or “Endpoint Malware
Investigation – Generic”, because an incident starts with them. Examples of sub-playbooks are “IP
Enrichment - Generic v2” or “Retrieve File From Endpoint – Generic”, because they are steps taken as
part of the bigger investigation.

Because sub-playbooks are used as part of a bigger investigation, they should have inputs and outputs.
Ensure that the data you want to get from a sub-playbook is defined in its outputs so that it can be used
outside of that playbook. Because sub-playbooks are building blocks that preferably will be usable in
other playbooks and use cases, you should define generic inputs for them.

References:

• https://xsoar.pan.dev/docs/playbooks/playbook-contributions

1.2.3 Configure playbooks using the web interface (e.g., box of text that you fill in):
Cortex XSOAR has an advanced web-based interface that allows you to create playbooks easily. To
create a playbook, navigate to the Playbooks tab in Cortex XSOAR and click New Playbook:

Ensure that all third-party products and services you need for the playbook are configured and enabled for
your playbook to work properly. Configurations for the third-party products and services can be set under
Settings > Integrations > Servers & Services.

Playbooks run commands that are found in both integrations and scripts. Playbooks comprise tasks,
each of which performs a specific action. Tasks are either manual or automated. Manual tasks are actions
that are not associated with scripts. Automated tasks are associated with scripts written in Python,
JavaScript, or PowerShell. A key feature of playbooks is the ability to structure and automate security
responses that were previously handled manually. You can reuse playbook tasks as building blocks for
new playbooks, which saves you time and streamlines knowledge retention.

A task is a step or a building block of a playbook that specifies an action within the playbook sequence. A
task can be extracting an IP address from a suspected phishing email, checking reputation, sending an
email, calling a manager, etc. A new task can be added to an existing playbook, or a series of tasks can be
connected to create a new playbook.

Cortex XSOAR provides a Task Library, which is a library of predefined tasks so that you can reuse or
edit them in your playbooks, depending on your needs:

To add a new task from the Task Library, you can locate or search the task. Tasks are arranged in three
tabs:

• Automation, where tasks are arranged by the integrations they serve. You can scroll through the
integrations list and expand it to see the tasks by clicking the +. You can search for a task by
name, tag, or keyword in the search box above the list of integrations.
• Manual Tasks, where the tasks that are done manually by a user and are not automated are listed.
You can group these tasks by playbook (the playbook they are used in) or by name for an
alphabetical list.
• Playbooks, where existing playbooks can be found and dragged into the new playbook to be used
as a sub-playbook. You should create small playbooks for the procedures used frequently so that
they can be called easily. Cortex XSOAR provides many predefined playbooks you can use or
copy and customize to your needs.

To create a new task, either you can click + Create Task or drag off a line from the default section
header Playbook Triggered:

For a new task, you can choose three different types: Standard, Conditional, and Data Collection.

References:

• https://xsoar.pan.dev/docs/playbooks/playbooks

1.2.4 Read, troubleshoot, and respond to error conditions:


You should read, troubleshoot, and respond to error conditions while you are developing or using
playbooks. The Cortex XSOAR interface has a Work Plan feature that enables you to monitor and
manage a playbook workflow and add new tasks to customize the playbook to a specific investigation.

The use of color coding and symbols in the Work Plan helps you to understand the status of a task. The
color coding enables you to easily troubleshoot errors or respond to manual steps in the Work Plan. The
following table shows the color codes and their meanings:

If you want to manage overdue tasks highlighted in orange and the tasks that threw an error highlighted in
red, click the Task to open the Task Details window to view and define the details:

While you create playbooks, you should have an environment to test automation scripts, APIs, and
commands. You can use the playground as the non-production environment to safely test and develop.
You also can use the playground to test integration commands, automations, and other tools from the
Cortex XSOAR CLI.

To erase a playground and create a new one, in the Cortex XSOAR CLI run the /playground_create
command.

References:

• https://xsoar.pan.dev/docs/integrations/test-playbooks
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/incidents/incidents-management/work-plan
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-overview/cortex-xsoar-concepts.html

1.3 Outline how to use loop sub-playbooks.


1.3.1 Differentiate between the three different loop types of playbooks:
You configure when to exit the loop by selecting one of the following options:

• For Each Input: The loop exits automatically when the array it is looping over has executed the
last item in the array. Note the following:
  • If the input is a single item, the sub-playbook will run one time. However, if the input is a list
  of items, the sub-playbook will run as many times as there are items in the list. Each iteration
  of the sub-playbook will use the next item in the list as the input.
  • If there are multiple input lists with the same number of items, the sub-playbook will run
  once for each input set. For example, if you have “input1” and “input2”, “input1[i]” will run
  with “input2[i]”.
  • If there are multiple input lists with different numbers of items, the sub-playbook will run
  once for each item in the input with more items. When the input with fewer items reaches its
  last item, the subsequent runs will continue to use the last item in the shorter list until all
  items in the largest list have run.
• Built-in or Choose Loop automation: The loop will exit based on a condition. The playbook
will not loop through the inputs; it takes the inputs as a whole.

The following image shows the loop types for playbooks:

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/configure-a-sub-playbook-loop.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/configure-a-sub-playbook-loop/sub-playbook-tutorial.html
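As an added example (not the guide's or Cortex XSOAR's own code), the following Python expands sub-playbook inputs the way the For Each Input rules in 1.3.1 describe, including the unequal-length case, and models the condition-based Choose Loop exit with a constructed polling body. The function names, the empty-list rule and the detonation statuses are assumptions.

```python
from typing import Any, Callable, Dict, List


def for_each_input_runs(inputs: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Expand sub-playbook inputs into one input set per iteration of a
    "For Each Input" loop, following the three rules in the guide:

      * a single (non-list) item runs once;
      * lists of equal length run in lock-step, input1[i] with input2[i];
      * lists of different lengths run once per item of the longest list, and a
        shorter list keeps supplying its last item after it is exhausted.

    Assumption (not stated in the guide): an empty input list yields no runs.
    """
    as_lists = {name: (value if isinstance(value, list) else [value])
                for name, value in inputs.items()}
    if not as_lists or any(len(v) == 0 for v in as_lists.values()):
        return []
    run_count = max(len(v) for v in as_lists.values())
    # min(i, len - 1) is what keeps re-using the last item of a shorter list.
    return [{name: v[min(i, len(v) - 1)] for name, v in as_lists.items()}
            for i in range(run_count)]


def choose_loop_runs(inputs: Dict[str, Any],
                     body: Callable[[Dict[str, Any], int], Any],
                     exit_when: Callable[[Any], bool],
                     max_runs: int = 10) -> List[Any]:
    """Model the "Built-in / Choose Loop automation" exit: every iteration
    receives the inputs as a whole, and the loop stops once the exit condition
    holds for the latest result. max_runs is a guard added here so that a
    condition which never becomes true cannot loop forever."""
    results: List[Any] = []
    for i in range(max_runs):
        results.append(body(inputs, i))
        if exit_when(results[-1]):
            break
    return results


# Constructed detonation statuses: the loop polls until the verdict is ready.
STATUSES = ["pending", "pending", "done"]


def poll_detonation(inputs: Dict[str, Any], iteration: int) -> Dict[str, Any]:
    """Hypothetical loop body; a real sub-playbook would query the sandbox here."""
    status = STATUSES[min(iteration, len(STATUSES) - 1)]
    return {"FileHash": inputs["FileHash"], "Status": status}


def detonation_runs() -> int:
    """Number of iterations the poll loop needs before its exit condition holds."""
    runs = choose_loop_runs({"FileHash": "constructed-hash"}, poll_detonation,
                            exit_when=lambda r: r["Status"] == "done")
    return len(runs)
```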

1.4 Differentiate between playbook task types.


You have three different playbook task types to use when you create playbooks.

1.4.1 Differentiate between manual, automatic, and conditional playbook tasks:


When you create a new task, you have three different options to choose for a type: Standard, Conditional,
Data Collection.

Standard tasks are used for classic manual or script-based tasks, such as closing an investigation,
escalating to another analyst, or using a script to enrich data.

Conditional tasks can be selected for decision trees or communicating with users through an Ask task.
Conditional tasks are used for determining different paths for your playbook. You can use conditional
tasks for something simple such as proceeding if a particular integration exists or determining whether a
user account has an email address.

Data Collection tasks can be selected for surveying users. Data collection tasks are multi-question
surveys or forms that survey recipients access from a link in the message. The survey resides on an
external site that does not require authentication, thereby allowing survey recipients to respond without
restriction.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/playbook-tasks.html

1.4.2 Gather, analyze, and evaluate data to make decisions about specific playbook task types:
Ask Task: Communication tasks enable you to send surveys to users, both internal and external, to
collect data for an incident. The collected data can be used for incident analysis and also as input for
subsequent playbook tasks.

For example, you might want to send a single (standalone) question survey to determine how an issue was
handled:

Because this task is conditional, remember to create a condition for each answer. For example, if the
survey answers include Yes, No, and Maybe, there should be a corresponding condition (path) in the
playbook for each of these answers.

Your single question survey will look like the following:

Data Collection Task: When you need to survey recipients with multi-question forms, use data
collection tasks. The survey is hosted on an external site. All responses are collected and recorded in the
incident’s context data, whether you receive responses from a single user or from multiple users, thus
enabling you to use the survey questions and answers as input for subsequent playbook tasks:

Your multi-question survey on the web form will look like the following:

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/playbook-tasks/communication-tasks.html

1.5 Use filters and transformers to manipulate data.


In Cortex XSOAR, data is extracted and collected from various sources such as playbook tasks, command
results, and fetched incidents, and it is presented in JSON format. The data can be manipulated by using
filters and transformers.

1.5.1 Explain the difference between filters and transformers:


You can add filters and transformers in a playbook task or when mapping an instance.

Filters enable you to extract relevant data that you can use elsewhere in Cortex XSOAR. For example, if
an incident has several files with varying file types and extensions, you can filter the files by file
extension or file type and use the filtered files in a detonation playbook.

Transformers enable you to take one value and transform or render it to another value, for example,
converting a date in non-Unix format to Unix format. Another example is applying the count transformer,
which renders the number of elements.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/filters-and-transformers.html

1.5.2 Identify when filtering and transforming data is required:


You can create filters and transformers to manipulate context data when adding or editing a task in a
playbook or when mapping an instance.

You can filter as many nested objects as required. Cortex XSOAR automatically calculates the context
root to which to filter. For example, if you want to work with file extensions, Cortex XSOAR calculates
context root as File.Extension:

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/filters-and-transformers/create-filters-and-transformers.html

1.5.3 Specify and explain different options of filters and transformers:


Filters enable you to extract relevant data for use elsewhere in Cortex XSOAR. For example, if an
incident has several files with varying file types and extensions, you can filter the files by file extension
or file type and use the filtered files in a detonation playbook.

Filter categories are as follows:

• Boolean: Determines whether a Cortex XSOAR field is true or false, or whether its string
representation is true or false.
• Date: Determines whether the left-side time value is earlier than, later than, or the same time as
the right-side time value. Different time and date formats are supported; for a detailed table, see
the “References” section below.
• General: Includes general filters such as contains, doesn’t contain, In, and empty.
• String: Determines the relationship between the left-side string value and the right-side string
value, such as starts with, includes, and in list. The string filter returns partial matches as True.
• Number: Determines the relationship between the left-side number value and the right-side
number value, such as equals, greater than, and less than.
• Unknown: Miscellaneous filter category.

Transformers enable you to take one value and transform or render it to another value. When you have
more than one transformer, you can reorder them using click-and-drag.

Transformer categories are as follows:

• Date: Transforms the date, for example, Date to string and Date to unix.
• General: Includes general transformers such as join, sort, splice, and stringify.
• String: Transforms strings. To make a regex case-insensitive, use the (?i) prefix (for example,
(?i)yourRegexText).
• Number: Transforms a number, for example, Round, Absolute, and To percent.
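As an added example (not from the guide or from Cortex XSOAR), the following Python applies filters and transformers of the categories listed in 1.5 to a constructed File context root: a case-insensitive (?i) regex filter selects executables for detonation, a Date filter and a Number transformer compute a share of recent files, and an ordered transformer list is run over a value. The operator names, field names and sample files are assumptions.

```python
import re
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List

# Constructed context root "File" (the guide's own example of a filter root):
# several files of varying types, as a playbook might hold after extracting
# the attachments of a suspected phishing email.
FILES: List[Dict[str, Any]] = [
    {"Name": "Invoice.EXE", "Extension": "EXE", "Size": 40960,
     "Modified": "2021-01-15T10:30:00Z"},
    {"Name": "notes.txt", "Extension": "txt", "Size": 120,
     "Modified": "2020-12-01T08:00:00Z"},
    {"Name": "setup.exe", "Extension": "exe", "Size": 2048000,
     "Modified": "2021-01-20T22:15:00Z"},
]


def date_to_unix(value: str) -> int:
    """Date transformer: an ISO-8601 UTC string to seconds since the epoch."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


# Filters decide whether each item stays: the left side is the item's field
# value, the right side is the value typed into the task. Names are hypothetical.
FILTERS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda left, right: left == right,                          # General
    "contains": lambda left, right: str(right) in str(left),              # General
    "startsWith": lambda left, right: str(left).startswith(str(right)),   # String
    "matchesRegex": lambda left, right: re.search(right, str(left)) is not None,  # String
    "greaterThan": lambda left, right: float(left) > float(right),        # Number
    "isLaterThan": lambda left, right: date_to_unix(left) > date_to_unix(right),  # Date
}

# Transformers turn one value into another; a list of them runs in order.
TRANSFORMERS: Dict[str, Callable[..., Any]] = {
    "count": lambda value: len(value),                                    # General
    "sort": lambda value: sorted(value),                                  # General
    "join": lambda value, separator=",": separator.join(str(v) for v in value),
    "toLowerCase": lambda value: str(value).lower(),                      # String
    "dateToUnix": date_to_unix,                                           # Date
    "toPercent": lambda value, total: round(100.0 * float(value) / float(total), 1),  # Number
}


def apply_filter(items: List[Dict[str, Any]], field: str, operator: str, right: Any) -> List[Dict[str, Any]]:
    """Keep the items whose `field` satisfies the named filter against `right`."""
    check = FILTERS[operator]
    return [item for item in items if field in item and check(item[field], right)]


def apply_transformers(value: Any, steps: List[Any]) -> Any:
    """Run an ordered list of (transformer name, keyword arguments) over `value`."""
    for name, kwargs in steps:
        value = TRANSFORMERS[name](value, **kwargs)
    return value


def files_for_detonation(files: List[Dict[str, Any]]) -> List[str]:
    """Names of executables to hand to a detonation playbook. The (?i) prefix
    makes the extension check case-insensitive, so "EXE" and "exe" both match."""
    selected = apply_filter(files, "Extension", "matchesRegex", r"(?i)^exe$")
    return [f["Name"] for f in selected]


def recent_file_share(files: List[Dict[str, Any]], since: str) -> float:
    """Percentage of files modified after `since`: a Date filter feeding a Number transformer."""
    recent = apply_filter(files, "Modified", "isLaterThan", since)
    return apply_transformers(len(recent), [("toPercent", {"total": len(files)})])
```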

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/filters-and-transformers/filter-operators.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/filters-and-transformers/transformers-operators.html

2 Incident Types, Indicator Types, Layouts, and Fields
2.1 Compare and contrast the different incident types.
Incident types are used to classify the events that are ingested into the Cortex XSOAR system. Each
incident type can be configured to work with a dedicated playbook, which can run either automatically
when an event is ingested or when triggered separately at a later point. You also can configure dedicated
SLA parameters for each incident type and run specific post-processing scripts for the given incident type.
The following images show an example of how to create an incident type:

2.1.1 Outline the capabilities, functions, and features related to each incident type:
After you define the incident type, you can configure its layout using the Cortex XSOAR embedded
Incident Layout Builder. For example, analysts who investigate a phishing incident will be interested in
different information than those who investigate a ransomware incident. You can customize the layout
for each incident type so that it presents exactly the information the analysts need. In a phishing incident,
for example, that information might include the email headers and the email body, whereas for
ransomware the information would be the family to which the ransomware belongs. The following image
depicts the Incident Layout Builder menus:

After you configure the layout for the incident type, you must map the different incident types that your
organization handles to the third-party integrations you have. For example, Cortex XSOAR comes with
ready-to-use incident types for phishing attacks. If you work with a different phishing integration product,
you can define an incident type specifically for those events. When you configure your phishing product
integration, you will associate it with your phishing product’s new incident type, which probably also will
have a dedicated phishing playbook.

As is the case with the fields, definition of incident types should be an iterative process. As you plan your
deployment and begin working with your system, you will learn which incident types are missing. You
then can add the new incident types to your system and fine-tune the entire incident ingestion process.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/incidents/incidents-management.html
• https://xsoar.pan.dev/docs/incidents/incident-types

2.1.2 Summarize the relationship between external data and the Cortex XSOAR incident type:
You can define integrations with your third-party security and incident management vendors. You then
can trigger events from these integrations to get their external data to become incidents in Cortex
XSOAR. The external data can include potential phishing emails, authentication attempts, and SIEM
events.

You can either poll or fetch third-party integration instances for the events to turn them into Cortex
XSOAR incidents that trigger automations.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/fetch-incidents-from-an-integration-instance.html
• https://xsoar.pan.dev/docs/incidents/incident-types

2.1.3 Assess the consequences of miscategorized incident types:

While Cortex XSOAR polls integration instances, the events received from the integrations need to be
mapped to Cortex XSOAR incident types. For example, Cortex XSOAR might generate alerts from Cortex
XDR, which you would classify according to the information in those events either as a dedicated XDR
incident type or as an Authentication or Malware incident type. Also, you might have EWS configured to
ingest both phishing and malware alerts, which you want to classify to their respective incident types based
on some information in the event. When you classify the events as different incident types, you can
process them with different playbooks suited to their requirements.

If events are not classified and mapped properly, the wrong automations and playbooks can trigger, and
their outputs and the whole investigation process will suffer.

References:

• https://xsoar.pan.dev/docs/incidents/incident-types
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/classification-and-mapping.html

2.1.4 Describe how to leverage machine learning in Cortex XSOAR:


Machine learning models enable Cortex XSOAR to analyze and predict behavior through incident types
and fields. The model uses past incidents that have already been classified to classify incoming events
automatically.

Machine learning models are used mainly for phishing incidents. You can train the Cortex XSOAR
machine learning engine to automatically recognize phishing emails, emails that are legitimate, and those
that contain spam, among other examples.

As you create a machine learning model, you must select the correct fields in the field mapping phase to
map the verdicts for malicious, legitimate, and spam emails.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/machine-learing-
models/machine-learning-models-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/machine-learing-
models/create-a-machine-learning-model/machine-learning-model-example.html

2.1.5 Schedule a job to create a new incident to run a playbook:


You can create scheduled events in Cortex XSOAR using jobs. Jobs are triggered either by time-triggered
events or feed-triggered events.

For example, you can define a feed-triggered job to trigger a playbook when a specified Threat
Intelligence Management (TIM) feed finishes a fetch operation for new indicators. Or you can schedule a
time-triggered job that runs nightly and removes expired indicators.

You can use the jobs feature for the following cases:

• Analyze data from feeds
• Batch-process data
• Detect information
• Schedule a process to move items from a folder to a list for later use
• Push indicators to SIEM products

Reference:

• https://xsoar.pan.dev/docs/incidents/incident-jobs

2.2 Outline the different layout types.


The two different layout types are incident layouts and indicator layouts. Layouts are used to show you
the required information in different views and tabs. The following image shows different layouts types in
Cortex XSOAR:

For a phishing incident, you will want to see email headers, which would not be relevant for an access
incident. For a file hash indicator, you might want to count how many times this hash is found in related
incidents.

2.2.1 Summarize the purpose of each layout type:


2.2.1.1 Incident layouts:
You must build or customize the layout to ensure that you see the information relevant to the incident
type.

You can customize almost every aspect of the layout, including the following:

• Which tabs appear
• The order in which the tabs appear
• Who has permission to view the tabs
• Which information appears and how it is displayed

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/customize-incident-view-layouts/customize-incident-layouts.html

2.2.1.2 Indicator layouts:


You must build or customize the layout to ensure that you see the information relevant to the indicator
type.

You can customize almost every aspect of the layout, including the following:

• Which tabs appear
• The order in which the tabs appear
• Who has permission to view the tabs
• Which information appears and how it is displayed

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/customize-indicator-view-layouts/customize-an-indicator-type-
layout.html

2.2.2 Specify the different incident layout special sections:


You can add dynamic sections to a layout, such as a graph of the number of bad indicators, their source,
and severity. You also can use queries to filter the information in the dynamic section to fit your exact
needs. The following image depicts a sample incident layout:

When you start to create or edit an incident layout by using Incident Layout Builder, you can use the
Library feature to add ready-to-use Sections, Fields and Buttons, and Tabs.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/customize-incident-view-layouts/customize-incident-layouts.html

2.2.3 Summarize the main layout options:


For incident layouts, each incident type has a unique set of data relevant to that specific incident type.
You must display the most relevant data for users at all the incident lifecycle stages.

The following views display for each incident type:

• Incident Summary
• “New”/“Edit” Form
• “Close” Form
• Incident Quick View
• Mobile

There are Cortex XSOAR system layout sections and fields that you cannot remove, but you can rearrange
them in the layout and modify their queries and filters.

For indicator layouts, each indicator type has a unique set of data relevant to that specific indicator type.
You must display the most relevant data for users.

For each indicator type, there are two views:

• Indicator Summary
• Quick View

You can customize how the information is displayed for existing indicators by modifying the sections and
fields for each view. You can access the Indicator quick view when you click an indicator on an incident
page or the canvas:

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/customize-incident-view-layouts.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/customize-indicator-view-layouts.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-investigation.html

2.3 Compare and contrast the different indicator types.


2.3.1 Outline the capabilities, functions, and features related to each indicator type:
Indicators are artifacts associated with incidents and are an essential part of the incident management and
remediation process. Indicators help to correlate incidents, create hunting operations, and enable you to
quickly analyze incidents and reduce mean time to recovery (MTTR).

Cortex XSOAR includes an Indicator repository, which collects and correlates indicators across all
incidents, alerts, and feeds flowing into Cortex XSOAR.

The indicators are categorized by type, which determines the indicator layout fields displayed, and which
scripts are run on indicators of that type. The several system-level (out-of-the-box) indicator types
include:

• CVE CVSS Score
• Domain
• Email
• File
• File Enhancement Scripts
• Hostname
• IP Address
• Registry Path Reputation
• Username

You can easily create custom indicator types by using the Settings > Advanced > Indicator Types >
New Indicator Type button:

If you need to customize the default indicators, select the indicator to activate the Edit link on top of the
table. Click Edit and use the Custom Fields tab to customize it.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators.html

2.3.2 Explain how data is mapped to an indicator:
When you add an indicator type, you add regex, formatting, enhancement, and reputation scripts. Regex is
the regular expression by which to identify indicators for this indicator type:

Enhancement scripts are the scripts to run on an identified indicator, for example, a script that runs a
search in a SIEM for the indicator. After indicators are identified, you can go to the Indicator Quick
View, click the Actions button, and run an enhancement script directly on an indicator. These scripts need
the enhancement tag before they can be available in the drop-down menu.

Reputation scripts are the user-created scripts that either override the Cortex XSOAR command algorithm
or run on top of the data returned from the command. This script’s output is a reputation score, which is
used as the basis for the indicator reputation.

You use custom fields to map the required fields to the indicators. There is an option to load an Indicator
Sample to create the custom fields from the sample:

References:

• https://xsoar.pan.dev/docs/concepts/concepts#indicators-and-indicator-types
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/indicator-fields/map-indicator-custom-fields

2.3.3 Define criteria for exclusion list entries:


Indicators added to the exclusion list are ignored by the system and are not considered indicators. You
still can manually enrich IP addresses and URLs on the exclusion list, but the results are not posted to the
War Room.

You can add indicators to the exclusion list in several ways.

You can select one or more indicators from the Indicators table and click the Delete and Exclude button.
The indicators are deleted from the Indicators table and added to the exclusion list. You can associate
these indicators with one or more indicator types:

You can manually add a single indicator, or define indicators using a regex or a CIDR block, from the
Exclusion List page:

• Regex: A regular expression enables you to identify a sequence of characters in an unknown
string. The following example would identify www.paloaltonetworks.com: [A-Za-z0-
9!@#$%\.&]*demisto[A-Za-z0-9!@#$%\.&]*.
• CIDR: Classless Inter-Domain Routing (CIDR) enables you to define a range of IP addresses. For
example, 192.168.100.14/24 represents the IPv4 address 192.168.100.14 and its associated
routing prefix 192.168.100.0, or equivalently, its subnet mask 255.255.255.0, which has 24
leading 1-bits. The IPv4 block 192.168.100.0/22 represents the 1,024 IPv4 addresses from
192.168.100.0 to 192.168.103.255.
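
As an added illustration (not from the study guide and not Cortex XSOAR's own code), the following Python implements the three kinds of exclusion list entry described above: a literal value, the regex printed in the text (which, as printed, requires the literal substring demisto, so it matches hostnames such as www.demisto.com), and a CIDR block, using the 192.168.100.0/22 block from the text. The placeholder hostname, the whole-value regex match and the case-insensitive literal match are assumptions.

```python
import ipaddress
import re

# Constructed exclusion list entries of the three kinds the text describes.
# The hostname is a placeholder; the regex is the one printed in the text;
# the CIDR is the 192.168.100.0/22 block from the text.
EXCLUSION_LIST = [
    {"type": "value", "value": "scanner.example.internal"},
    {"type": "regex", "value": r"[A-Za-z0-9!@#$%\.&]*demisto[A-Za-z0-9!@#$%\.&]*"},
    {"type": "cidr", "value": "192.168.100.0/22"},
]


def cidr_size(cidr: str) -> int:
    """Number of addresses a CIDR block covers (192.168.100.0/22 -> 1024)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def _in_cidr(cidr: str, indicator: str) -> bool:
    """True if the indicator is an IP address or sub-block inside the CIDR entry."""
    try:
        block = ipaddress.ip_network(cidr, strict=False)
        candidate = ipaddress.ip_network(indicator, strict=False)
    except ValueError:
        return False  # not an IP address, so a CIDR entry cannot exclude it
    # subnet_of() refuses to compare IPv4 with IPv6, so check the version first.
    return candidate.version == block.version and candidate.subnet_of(block)


def is_excluded(indicator: str, exclusions=EXCLUSION_LIST) -> bool:
    """Return True if any exclusion entry covers the indicator."""
    for entry in exclusions:
        kind, pattern = entry["type"], entry["value"]
        # Assumption: literal entries are compared case-insensitively.
        if kind == "value" and indicator.lower() == pattern.lower():
            return True
        # Assumption: a regex entry must match the whole indicator value.
        if kind == "regex" and re.fullmatch(pattern, indicator):
            return True
        if kind == "cidr" and _in_cidr(pattern, indicator):
            return True
    return False


def filter_indicators(indicators):
    """Split extracted indicators into the ones kept and the ones the list drops."""
    kept, dropped = [], []
    for indicator in indicators:
        (dropped if is_excluded(indicator) else kept).append(indicator)
    return kept, dropped


if __name__ == "__main__":
    sample = ["www.demisto.com", "www.paloaltonetworks.com",
              "192.168.103.255", "192.168.104.1", "scanner.example.internal"]
    print(filter_indicators(sample))
```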

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/exclusion-list.html

2.4 Summarize field types, associated capabilities, and purpose.


You use the Settings > Advanced > Fields screen to see system fields and to add custom fields for
Incidents, Evidence, and Indicators.

2.4.1 Outline the different field types:


You use Incident Fields to accept or populate incident data. You create fields for information that arrives
from third-party integrations and that you want to store on the incident. The fields are added to Incident
Type layouts and are mapped using the Classification and Mapping feature.

Incident fields can be populated by the incident team members during an investigation, at the beginning
of the investigation, or before closing the investigation.

You use Indicator Fields to add specific indicator information to incidents. When you create an indicator
field, you can associate it with one particular incident type or all incident types.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-fields.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/indicator-fields.html

2.4.2 Align appropriate field types to data types:


You can add the following field types when adding a new field.

• Attachments: Enables addition of an attachment such as .doc files, malicious files, reports, and images
of an incident
• Boolean (check box)
• Date picker
• Grid (table): Includes an interactive, editable grid as a field type for selected incident types or all
incident types
• HTML: You can configure the HTML field.
• Long text
• Markdown
• Multi select
• Number: Any numeric value; the default is 0.
• Role: Roles assigned to the incident determine which users (by the role to which they are
assigned) can view the incident.
• Short text: Maximum of 60,000 characters
• Single select
• Tags
• Timer/SLA: View how much time is left before an SLA becomes past due, and configure actions
to take if the SLA does pass.
• URL
• User: A user in the system

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-fields
• https://xsoar.pan.dev/docs/incidents/incident-fields#field-types

2.4.3 Summarize how fields are created and used:


Fields can be system fields and custom fields for the Incidents, Indicators, and Evidence. You use the
Settings > Advanced > Fields screen to see system fields and to add custom fields.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-fields/create-a-custom-incident-field.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/indicator-fields/create-a-custom-indicator-field.html

2.4.4 Outline advanced field capabilities:


Different field types are used in different parts of the investigation and integrations. For example, the
Dest NT Domain incident field is assigned to the Access, Malware, and Brute Force incident types and
can be used with them:

You can create fields, and you can assign them either to different incidents and indicators or to all types.
For example, the Detection Engines indicator field is assigned to all types of indicators:

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-fields.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/indicator-fields.html

3 Automations and Integration and Related Concepts
3.1 Use automations to respond to incidents.
The Automation section is where you manage, create, and modify automations (commands and scripts):

3.1.1 Outline the different types of automation:


Automations are generally single-purpose: they manipulate data in the system, wrap multiple integrations,
or provide single-purpose tools that are not complete products.

Automation scripts perform specific actions and comprise commands associated with an integration
object. Scripts are used as part of tasks used in playbooks and commands in the War Room.

Scripts can access all Cortex XSOAR APIs, including access to incidents and investigations, and sharing
data to the War Room. Scripts can receive and access arguments, and you can password-protect scripts.

References:

• https://xsoar.pan.dev/docs/concepts/concepts#automations-scripts
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-de-duplication.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-de-duplication/creating-pre-process-rules-for-
incidents.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/post-processing-for-incidents.html

3.1.2 Differentiate between inputs and outputs:


The inputs might come from the incident itself, such as the role to which the incident should be assigned,
or from an input provided by an integration, for example, when an Active Directory integration is used in a
playbook task to extract a user’s credentials. The playbook itself creates output objects whose entries will
serve the tasks inside the playbook.

Outputs can be data that was extracted or derived from the inputs. For example, in the following images
we are retrieving the user’s credentials from Active Directory. We will use those credentials to get the
user’s account name, email address, and any groups they belong to.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/playbook-inputs-and-outputs.html

3.1.3 Apply the script helper:


The Automation section includes a Script Helper, which provides an alphabetical list of available
commands and scripts:

Reference:

• https://xsoar.pan.dev/docs/integrations/xsoar-ide#the-script-helper

3.1.4 Apply permission access:


Cortex XSOAR uses role-based access control (RBAC) for controlling user access. RBAC helps manage
access to Cortex XSOAR components so that users, based on their roles, are granted the minimal access
required to accomplish their tasks:

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/users-and-
roles/integration-permissions

3.1.5 Differentiate automation objects:


Think of the Cortex XSOAR CLI as an operating system CLI that is built into the product and connects
to every tool that you need. It allows the user to test and run integration commands, run automations, and
more.

Cortex XSOAR has two different kinds of commands:

• System commands: Commands that enable you to perform Cortex XSOAR operations such
as clearing the playground or closing an incident. These commands are not specific to an
integration. System commands are entered in the command line using a slash mark (/), for
example, /playground_create:

• External commands: Integration-specific commands that enable you to perform actions
specific to an integration. For example, you can quickly check the reputation of an IP address.
External commands are entered in the command line using an exclamation point (!), for
example, !ip:

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/common-scripts-to-use-in-automations
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-
overview/cortex-xsoar-concepts

3.1.6 Apply appropriate automation commands:


Integrations may contain automation scripts and commands. You can differentiate them by looking at the
first letter. A script’s first letter always is in uppercase, and a command’s first letter is in lowercase.
Depending on the case of the letter you type, the CLI starts suggesting scripts or commands.

Integration commands are located in the integrations, and if you enable the required integration by
creating a new instance, you can start to use those commands. Otherwise, they are not ready to use. The
following image shows an example of calling automation scripts and commands that are located inside an
integration:

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/common-scripts-to-use-in-automations
• https://xsoar.pan.dev/docs/concepts/concepts#commands

3.1.7 Identify how to build and test automations:


The Cortex XSOAR Bring Your Own Integration (BYOI) feature enables you to create integrations using
a simple Cortex XSOAR SDK (JavaScript, Python, or PowerShell) from the Cortex XSOAR management
console.

To create your own integration, navigate to Settings > Integrations > +BYOI:

The playground is a non-production environment where you can safely develop and test automation
scripts, APIs, commands, and more. It is an investigation area that is not connected to a live (active)
investigation. Go to the playground to test integration commands, automations, and other tools from the
Cortex XSOAR CLI:

To erase a playground and create a new one, in the Cortex XSOAR CLI run the /playground_create
command.

References:

• https://xsoar.pan.dev/docs/concepts/concepts#playground
• https://xsoar.pan.dev/docs/tutorials/tut-integration-ui
• https://xsoar.pan.dev/docs/integrations/unit-testing

3.1.8 Use automations for incidents and playbook tasks:


War Room commands are commands that can be entered manually in the CLI, at the bottom of the screen.

The automation scripts that can be used with an integration can be found in several ways. You choose the
one best for you and the specific scenario you are in:

• Start by typing “!” and continue with the name of an automation script or an integration
command from an enabled integration in the CLI. Cortex XSOAR autocompletes and shows
possible commands or scripts for that integration.
• Start typing “!” and the CLI autocompletes possible commands you can execute and provides
tips for using the command. For example, !whois paloaltonetworks.com returns
registration information for the paloaltonetworks.com domain.

To see all possible commands for an enabled integration, open the integration in Settings > Integrations
> Servers & Services and click the Show Commands link.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-tasks.html

3.2 Outline integration concepts.


3.2.1 Differentiate between parameters and arguments:
Parameters are global variables: every command of the integration can use these configurable options to
run. Some common parameters are API keys, usernames, endpoints, and proxy options:

Arguments are similar to parameters in that they are configurable by a user. But unlike parameters,
arguments are single-use only and specific to only one command. Arguments are not shared with other
commands and must be present for each command:

References:

• https://xsoar.pan.dev/docs/integrations/parameter-types
• https://xsoar.pan.dev/docs/tutorials/tut-integration-ui#parameters
• https://xsoar.pan.dev/docs/tutorials/tut-integration-ui#command-settings

3.2.2 Implement RBACs:


You can use RBAC to assign commands at the integration instance level. If you have multiple instances
of the same integration, you can assign different roles (permission levels) for the same command in each
instance.

If you want to view or edit integration permissions, go to Settings > Users and Roles > Integration
Permissions. You can see a list of all the enabled integrations in Cortex XSOAR. Under each integration,
you can see the following:

• Commands: A list of all commands for the integration
• Instance: A list of all instances for the integration
• Permitted roles: A drop-down list of roles you can assign to the command

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/users-and-
roles/integration-permissions
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/users-and-
roles/roles.html

3.2.3 Define integration types:


Product integrations, or automations, are code that allows Cortex XSOAR to communicate with other
products. These integrations can be executed through REST APIs, webhooks, and other techniques.

An integration can be unidirectional or bidirectional, with the latter allowing both products to execute
cross-console actions. Integrations enable connections with third-party tools and services for the Cortex
XSOAR platform to help orchestrate and automate SOC functions. In addition to third-party tools, you
can create your own integration using the BYOI feature.

The following list of integration categories available in Cortex XSOAR is not exhaustive and highlights
the main categories:

• Analytics and SIEM
• Authentication
• Case Management
• Data Enrichment and Threat Intelligence
• Database
• Deception
• Email Gateway
• Endpoint
• Forensics and Malware Analysis
• IT Services
• Messaging
• Network Security
• Threat Intel Feeds
• Utilities
• Vulnerability Management

Reference:

• https://xsoar.pan.dev/docs/concepts/concepts#integrations

3.2.4 Describe capabilities related to custom integrations:


An integration instance is the configuration of an integration. You can have multiple instances of an
integration, for example, to connect to different environments. If you are an MSSP and have multiple
tenants, you also could configure a separate instance for each tenant.

References:

• https://xsoar.pan.dev/docs/tutorials/tut-integration-ui#navigating-to-byoi
• https://xsoar.pan.dev/docs/integrations/code-conventions

3.2.5 Describe the process of contributing integrations to the marketplace:


Contributions are Content Packs that you create that are sent to Cortex XSOAR for review and approval.
After approval, these Content Packs are uploaded to the Marketplace, shared, and installed as would be
any other Content Pack.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/content-pack-contributions.html

3.3 Configure integration instances.


3.3.1 Apply basic troubleshooting if the integration is not performing:
Throughout development of integrations and scripts, at some point your code likely will cause something
to break. One of the most significant features of Cortex XSOAR is its use of machine learning to better
time these crashes so they occur on your time off.

You can check logs and War Room entries. You can use the Demistomock library.

There is another option to debug your integration. The Cortex XSOAR plugin for the PyCharm IDE
enables you to design and author scripts and integrations for Cortex XSOAR directly from PyCharm. The
plugin adds a sidebar with Automation and Integration Settings, just like the Settings sidebar in the
Cortex XSOAR script editor. When you write code, the plugin provides you with autocomplete of Cortex
XSOAR and Python functions and allows you to debug your code easily.

References:

• https://xsoar.pan.dev/docs/integrations/debugging
• https://xsoar.pan.dev/docs/integrations/pycharm-plugin#local-runlocal-debug-advanced

3.3.2 Apply the appropriate classification and mapping technique:


The classification and mapping feature enables you to take the events and event information that Cortex
XSOAR ingests from integrations or REST API and classify the event as a type of Cortex XSOAR
incident.

Cortex XSOAR can generate alerts from Cortex XDR that you then can classify according to their
information as either dedicated XDR incident types or maybe authentication or malware incident types.
You might have Exchange Web Services (EWS) configured to ingest both phishing and malware alerts
that you want to classify to their respective incident types based on the information in the event. You have
more control of the incident type by classifying the events differently, and you can run multiple
playbooks for the events coming from one source.

After you classify the incident, you then can map the fields from the third-party integration to the fields
that you defined in the incident layout. Any fields that you do not map are automatically mapped to
Cortex XSOAR labels.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/classification-and-mapping.html

3.3.3 Classify and map a set of data to different types of fields:


After an integration fetches the incidents, it populates the rawJSON object in the incident object. The
rawJSON object contains all attributes for the event, for example, source, when the event was created, and
the priority that was designated by the integration. When you classify the event, you want to select an
attribute that can determine the event type.

Mappers enable you to map the information from incoming events to the incident or indicator layouts you
have in your system.

Mapping of event attributes or indicator fields now takes place in two stages. First you map all of the
common fields to all incident or indicator types in the default mapping. Then you can map the additional
fields specific for each incident or indicator type or overwrite the mapping you used in the default
mapping. The following image shows the classifier and mapper as different types:
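
The classify-then-map flow described in this section, as an added Python example that is not part of the study guide or of Cortex XSOAR's code: a classifier keys on one rawJSON attribute, a default mapping covers the fields common to every type, a per-type mapping adds or overrides fields, and attributes no mapping consumed become labels. The event payloads, the incident field names, the placeholder hash and the numeric severity scale are constructed assumptions.

```python
import json

# Constructed rawJSON payloads standing in for events fetched from one
# integration instance (the text's EWS case: phishing and malware alerts
# arriving from the same source). The hash is a placeholder.
RAW_EVENTS = [
    {"source": "ews", "category": "phishing", "created": "2021-01-15T09:12:00Z",
     "priority": "high", "summary": "User-reported email",
     "subject": "Invoice overdue", "sender": "billing@example.net"},
    {"source": "ews", "category": "malware", "created": "2021-01-15T09:14:00Z",
     "priority": "critical", "summary": "Attachment blocked",
     "sha256": "<placeholder-sha256>", "host": "wks-042"},
    {"source": "ews", "category": "newsletter", "created": "2021-01-15T09:20:00Z",
     "priority": "low", "summary": "Bulk mail"},
]

# Classifier: one rawJSON attribute decides the incident type.
CLASSIFIER = {
    "attribute": "category",
    "values": {"phishing": "Phishing", "malware": "Malware"},
    "default_type": "Unclassified",
}

# Mapper stage 1: incident fields common to every incident type.
# Keys are incident fields, values are rawJSON attributes.
DEFAULT_MAPPING = {
    "occurred": "created",
    "severity": "priority",
    "sourceBrand": "source",
    "details": "summary",
}

# Mapper stage 2: per-type fields; "details" for Phishing overrides stage 1.
TYPE_MAPPINGS = {
    "Phishing": {"emailsubject": "subject", "emailfrom": "sender", "details": "subject"},
    "Malware": {"filehash": "sha256", "hostname": "host"},
}

# Assumed scale for turning the integration's priority into a numeric severity.
SEVERITY_SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def classify(raw: dict) -> str:
    """Pick the incident type from the classifier attribute, with a fallback."""
    value = str(raw.get(CLASSIFIER["attribute"], "")).lower()
    return CLASSIFIER["values"].get(value, CLASSIFIER["default_type"])


def mapping_for(incident_type: str) -> dict:
    """Default mapping first, then the type-specific additions and overrides."""
    mapping = dict(DEFAULT_MAPPING)
    mapping.update(TYPE_MAPPINGS.get(incident_type, {}))
    return mapping


def map_event(raw: dict) -> dict:
    """Classify one event and build the incident object from its rawJSON."""
    incident_type = classify(raw)
    incident = {"type": incident_type, "rawJSON": json.dumps(raw)}
    consumed = set()
    for field, attribute in mapping_for(incident_type).items():
        if attribute in raw:
            incident[field] = raw[attribute]
            consumed.add(attribute)
    if isinstance(incident.get("severity"), str):
        incident["severity"] = SEVERITY_SCALE.get(incident["severity"].lower(), 0)
    # Attributes no mapping consumed are kept as labels rather than dropped.
    incident["labels"] = [{"type": k, "value": str(v)}
                          for k, v in raw.items() if k not in consumed]
    return incident


def map_events(events):
    """Run classification and mapping over a fetched batch of events."""
    return [map_event(event) for event in events]


if __name__ == "__main__":
    for inc in map_events(RAW_EVENTS):
        print(inc["type"], inc.get("severity"), inc.get("details"))
```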

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/classification-and-mapping/create-a-mapper.html
• https://xsoar.pan.dev/docs/incidents/incident-classification-mapping#map-event-attributes-to-
fields

4 Solution Architecture
4.1 Describe the components of the Cortex XSOAR system architecture.
The following illustration represents the basic components of Cortex XSOAR:

4.1.1 Describe the relationship between servers, live backup, Devprod, and other available components:
The Cortex XSOAR server system provides a centralized server function for all system operations. The
server includes the Cortex XSOAR centralized database to store incident data.

SOAR engineers may connect the Cortex XSOAR server to any number of incident sources, tools, or
infrastructure devices located at the main site or otherwise, within the intranet using Cortex XSOAR
integrations.

The Cortex XSOAR database solution itself uses files stored in the standard file system of the Linux-
based server.

The Cortex XSOAR platform integrates with SIEM systems, IT ticketing systems, vulnerability-
management systems, and other products, on-premises or in the cloud, such as Cortex XDR, Prisma
Cloud and Prisma SaaS by Palo Alto Networks. Cortex XSOAR can ingest data from integrated systems
to auto-generate incidents, or cases.

For activities such as data enrichment, the Cortex XSOAR server also may connect via integrations to any
number of internet-based threat-intelligence services or other cloud-based tools, including sandboxes such
as Palo Alto Networks WildFire® malware prevention service.

You can create and install Cortex XSOAR dissoluble agents (D2 agents) on machines under investigation
to unobtrusively perform forensic tasks on those machines. After the agents complete the forensic tasks,
they dissolve and leave no trace. D2 agents are designed to assist you when you perform an investigation
in the War Room and for a specific incident only. If you want to create agents for more than one incident,
you can create a shared agent.

Cortex XSOAR also provides a mobile phone app for lightweight access to the dashboard and to case
management and monitoring functions.

Deployment considerations:

• A minimalist deployment of the Cortex XSOAR platform can comprise a standalone server. The
use of one or more instances of a Cortex XSOAR Engine is entirely optional.
• Other extended installation types of the Cortex XSOAR platform include a high-availability or
disaster-recovery solution named Live Backup. Deployment of a Live Backup server provides an
active-passive, manual, failover option for high availability. Suppose you want to offload
database functions from the main server to expand the platform’s storage and data-handling
capacity for incident-related data. In that case, you can deploy one or more dedicated database
servers.
• You can deploy and connect a dedicated dev server to a custom repository to manage your own
content repository and to support a formal development, testing, acceptance, and deployment
process for custom content. The following image shows an example of content repository
configuration options:

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/installation/system-requirements.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-and-live-backup/disaster-recovery-and-backup-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/distributed-database/distributed-database-deployment.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/remote-repository/remote-repositories-overview
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/engines/understand-demisto-engines.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-images-in-demisto.html

4.1.2 Summarize how Cortex XSOAR uses the Docker component:


Cortex XSOAR primarily uses Docker to run Python scripts and integrations in a controlled environment.
Scripts and integrations run isolated from the server so that a faulty script cannot accidentally damage
the server. Because each image packages its own libraries and dependencies, every run uses the same
environment, which prevents unexpected dependency issues from occurring.

Palo Alto Networks maintains a large repository of Docker images. All Docker images are available via
the Docker Hub under the Demisto organization at https://hub.docker.com/u/demisto/.

The Docker image creation process is managed via the open-source project “demisto/dockerfiles”. Before
you try to create a new Docker image, check whether one is already available. You can search the
repository-info branch, which is updated nightly with image metadata and the OS and Python packages
used in the images.

Note: For security reasons, Cortex XSOAR cannot accept images that are not part of the Docker Hub Palo
Alto Networks (Demisto) organization.

If you cannot find an existing image, see the article about creating a Docker image for testing and
production use at https://xsoar.pan.dev/docs/integrations/docker#docker-image-creation.

To install Docker images in an air-gapped environment, download the images by appending
&downloadName=dockerimages to the Cortex XSOAR server download link you received from Cortex XSOAR,
and follow the instructions in the related reference documents in the “References” section.

References:

• https://xsoar.pan.dev/docs/integrations/docker
• https://github.com/demisto/dockerfiles/blob/master/README.md
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-images-in-demisto.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/install-docker-images-offline.html

4.1.3 Specify the benefits and differences between backup types:


Cortex XSOAR backs up the database daily by storing the entire database of incidents, playbooks, scripts,
and user-defined configurations.

You can define whether you want Cortex XSOAR to create automatic backups and the location to store
the backups on the Settings > ADVANCED > Backups page. The database backup files are located in
/var/lib/demisto/backup by default, and you can change this configuration.

To have a full local backup, in addition to the database, the following directories must be backed up and
restored manually:

• /etc/demisto.conf
• /var/lib/demisto/artifacts
• /var/lib/demisto/attachments
• /var/lib/demisto/d2_server.key
• /var/lib/demisto/tools
• /var/lib/demisto/versionControlRepo
• /usr/local/demisto
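
To script the full local backup described above, here is an added example (not Cortex XSOAR code). The
`root` argument, the archive name and the manifest format are assumptions; on a real server you would
pass `root="/"` and run it as a user that can read the listed paths.

```python
"""Bundle the files the daily database backup does not cover, plus the database
backup directory itself, into one tar.gz archive with a SHA-256 manifest so a
restore can be verified. Added example, not Cortex XSOAR product code."""
import hashlib
import json
import os
import tarfile
import time

# Paths listed in the study guide that must be backed up manually.
MANUAL_BACKUP_PATHS = [
    "/etc/demisto.conf",
    "/var/lib/demisto/artifacts",
    "/var/lib/demisto/attachments",
    "/var/lib/demisto/d2_server.key",
    "/var/lib/demisto/tools",
    "/var/lib/demisto/versionControlRepo",
    "/usr/local/demisto",
]
DB_BACKUP_DIR = "/var/lib/demisto/backup"  # default database backup location


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def full_backup(dest_dir, root="/", paths=None):
    """Archive every listed path that exists under `root` (assumed parameter,
    lets the paths be resolved under a test directory) and report the rest.
    Returns the manifest that is also written next to the archive."""
    paths = list(paths if paths is not None else MANUAL_BACKUP_PATHS) + [DB_BACKUP_DIR]
    os.makedirs(dest_dir, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(dest_dir, "xsoar-full-backup-%s.tar.gz" % stamp)
    archived, missing = [], []
    with tarfile.open(archive, "w:gz") as tar:
        for p in paths:
            full = os.path.join(root, p.lstrip("/"))
            if os.path.exists(full):
                # Store paths relative to root so the archive restores under any prefix.
                tar.add(full, arcname=p.lstrip("/"))
                archived.append(p)
            else:
                missing.append(p)  # surfaced to the operator, never silently skipped
    # The archive contains d2_server.key and demisto.conf; restrict access to the owner.
    os.chmod(archive, 0o600)
    manifest = {
        "archive": archive,
        "sha256": sha256_of(archive),
        "archived": archived,
        "missing": missing,
    }
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_backup(archive_path):
    """Recompute the archive digest and compare it with the recorded manifest."""
    with open(archive_path + ".manifest.json") as f:
        manifest = json.load(f)
    return sha256_of(archive_path) == manifest["sha256"]


def archive_members(archive_path):
    """Return the set of member names stored in the archive."""
    with tarfile.open(archive_path, "r:gz") as tar:
        return set(tar.getnames())
```

Restoring means extracting the archive at `/` after the database backup has been restored, then
restarting the service; missing paths in the manifest are the ones you still need to collect.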

Another option for backup is the Live Backup, which enables you to mirror your production server to a
backup server. In a disaster recovery situation, you can easily convert your backup server to be the
production server.

Server actions are mirrored in real time. If a server fails over, engines dynamically reconnect to the
active host.

The following image depicts an example of Live Backup configuration in the web interface:

There might be pending actions due to high server load, connectivity issues, and so on. Note the
following:

• You must install the same Cortex XSOAR version and build number on all servers.
• Live Backup uses a single main server and a single standby server. Additional servers are not
supported as of version 6.0.
• Active/active configuration is not supported as of version 6.0.
• Each host retains its distinct IP address and hostname.
• Neither host has any awareness of which node is truly active. Therefore, failover is not dynamic,
which means that a node must be made active manually by an administrator.

Consider the following information about hostnames, DNS, and DR:

• When you configure Live Backup, each Cortex XSOAR server should have its own unique
hostname and IP address.
• You may require analysts to always navigate to the same hostname when they access Cortex
XSOAR. In this scenario, configure a separate DNS record that points to the active Cortex
XSOAR server. If a server fails over, you must manually repoint this DNS record to the IP of the
newly active Cortex XSOAR server.
• The TTL of the DNS record must be set to a zero value. If the value is higher, analysts cannot
access the active server using the shared hostname until the TTL of the record expires and the
DNS record is refreshed in the cache. The refresh of DNS records may take more than an hour.
• If you do not require a single URL to access Cortex XSOAR, you might point your browser to the
URL of the newly active Cortex XSOAR server when a server failover occurs.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-and-live-backup/backup-the-database.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-and-live-backup/disaster-recovery-and-backup-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-and-live-backup/configure-the-live-backup-environment.html

4.1.4 Differentiate between a standalone tenant and multi-tenant:


Cortex XSOAR multi-tenant deployments are designed for MSSPs that require strict data segregation
between tenant accounts together with the flexibility to easily share critical security data, such as
known malicious or benign indicators, with those tenant accounts.

Multi-tenancy also enables MSSPs to manage many tenants from a single console. You can easily switch
between tenant environments, and from a tenant environment to the main environment, where the MSSP gets
a high-level, global view of status, for example of all open incidents and indicators across all
tenants.

Scalability features allow you to deploy multiple servers on-premises or via the hosted cloud and across
multiple geographies. The multi-tenant scheme allows multiple tenants on each server and multiple
additional host servers that operate like the standard Cortex XSOAR server-engine communication
model. In MSSP networks, engines often are used to enable the network connectivity between the
MSSP’s network and the customer’s local network. The system scales to enable support for more than
100 tenants.

When you use Cortex XSOAR multi-tenancy in an enterprise, several limitations can negatively impact
enterprise productivity:

• There is complete isolation among tenants. The data is not easily shared between tenants. For
example, collaboration on an incident requires extra steps such as mirroring the data between
tenants.
• Tenants cannot change definitions set by the main account (e.g., playbooks).
• Multi-tenancy architecture is more complicated than Cortex XSOAR Enterprise server
architecture. It requires more IT and computing resources. In general, server maintenance is
more complicated and requires a strong IT team. For example, re-indexing a single tenant is a
complicated procedure, and troubleshooting often is very complex.
• Backup and restore, and the DR mechanism, are more complex than in single-server deployments.
• Because multi-tenancy environments are more complex, some infrastructure features are
introduced only after they have been introduced in enterprise environments.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-multi-tenant-guide/multi-tenant-deployments/multi-tenant-overview.html

4.1.5 Describe threat intelligence management capabilities:


The Cortex XSOAR native threat intel management capabilities provide you with the ability to unify the
core components of threat intel, including threat intel aggregation, scoring, and sharing.

Cortex XSOAR automates threat intel management by ingesting and processing indicator sources, such as
feeds and lists, and exporting the enriched intelligence data to the SIEMs, firewalls, and any other system
that can benefit from the data. These capabilities enable you to sort through millions of indicators daily
and take automated steps to make those indicators actionable in your security posture.

The threat intel capabilities of Cortex XSOAR are closely associated with indicators. You can find the
essential concepts related to threat intel management in the following bullets:

• Common indicator data model: When indicators are ingested, regardless of their source, they
have a unified, standard set of indicator fields, including traffic light protocol (TLP), expiration,
and tags.
• Export indicators: You can export indicators as a hosted list, an EDL, or a TAXII collection.
Export of indicators enables your SIEM or firewall to ingest or pull the indicator list to update
policy rules. Examples of supported file types are JSON, CSV, and TXT.
• Exclusion list: The exclusion list prevents indicators from being extracted and created in the
system. For example, to prevent google.com from being flagged as a malicious indicator, add it to
the exclusion list.
• Feed-based job: You can define a job to trigger a playbook when the specified feeds identify a
modification in the feed. The modification can be a new indicator, a modified indicator, or a
removed indicator.
• Fetch indicators: Cortex XSOAR includes integrations that fetch indicators from either a vendor-
specific source such as AutoFocus or a generic source such as a CSV or JSON file.
• Indicator expiration: When millions of indicators are ingested and processed daily, two practices
are essential:
    • Control whether they are Active or Expired
    • Define how and when indicators are Expired

  The indicator field Expiration Status displays the indicator status, Active or Expired. The
  indicator field Expiration displays the method by which and when that indicator is expired.

  Indicator expiration is applied at the indicator type level. Indicators assigned to a specific
  indicator type inherit the indicator type’s expiration method.

• Indicator smart merge: The same indicator can originate from multiple sources and be enriched
with various methods (integrations, scripts, playbooks, and so on). Cortex XSOAR employs
smart merge logic to make sure indicators are accurately scored and aggregated.
• Indicator timeline: The indicator timeline is the default section in the indicator summary layout.
The timeline is in table format and displays an indicator’s complete history, including the first
seen timestamp and last seen timestamp and changes made to indicator fields.
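
The following added example (not Cortex XSOAR code) models the common indicator data model, the
exclusion list, type-level expiration and smart merge described in the bullets above. The merge rules
(worst score wins, tags and sources are unioned, most restrictive TLP kept, earliest first-seen and latest
last-seen retained), the per-type expiration intervals and the feed records are assumptions made for
illustration.

```python
"""Simplified indicator ingestion: normalize feed records onto a unified field
set, skip excluded values, merge duplicates from several sources, and compute
Active/Expired from the indicator type's policy. Added example, not product code."""
from datetime import datetime, timedelta, timezone

# Constructed records, as two feeds might report the same IP plus two domains.
RAW_RECORDS = [
    {"value": "203.0.113.7", "type": "IP", "score": 2, "tags": ["scanner"],
     "tlp": "GREEN", "source": "feed-a", "seen": "2021-01-01T00:00:00Z"},
    {"value": "203.0.113.7", "type": "IP", "score": 3, "tags": ["c2"],
     "tlp": "AMBER", "source": "feed-b", "seen": "2021-01-10T00:00:00Z"},
    {"value": "bad.example.test", "type": "Domain", "score": 3, "tags": [],
     "tlp": "GREEN", "source": "feed-a", "seen": "2020-06-01T00:00:00Z"},
    {"value": "google.com", "type": "Domain", "score": 1, "tags": [],
     "tlp": "GREEN", "source": "feed-b", "seen": "2021-01-02T00:00:00Z"},
]

# Exclusion list: values that must never be created as indicators (page example).
EXCLUSION_LIST = {"google.com"}
# Expiration policy per indicator type (assumed values); None means never expires.
EXPIRATION_DAYS = {"IP": 30, "Domain": None}
# Traffic light protocol, least to most restrictive.
TLP_ORDER = ["WHITE", "GREEN", "AMBER", "RED"]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize(rec):
    """Map a raw feed record onto the unified indicator field set."""
    ts = parse_ts(rec["seen"])
    return {"value": rec["value"], "type": rec["type"], "score": rec["score"],
            "tags": set(rec.get("tags", [])), "tlp": rec.get("tlp", "WHITE"),
            "sources": {rec["source"]}, "firstSeen": ts, "lastSeen": ts}


def smart_merge(a, b):
    """Combine two records that describe the same indicator value and type."""
    assert (a["value"], a["type"]) == (b["value"], b["type"])
    return {"value": a["value"], "type": a["type"],
            "score": max(a["score"], b["score"]),                  # worst verdict wins
            "tags": a["tags"] | b["tags"],
            "tlp": max(a["tlp"], b["tlp"], key=TLP_ORDER.index),   # most restrictive
            "sources": a["sources"] | b["sources"],
            "firstSeen": min(a["firstSeen"], b["firstSeen"]),
            "lastSeen": max(a["lastSeen"], b["lastSeen"])}


def ingest(records):
    """Normalize and merge raw records, keyed by (value, type)."""
    store = {}
    for rec in records:
        if rec["value"] in EXCLUSION_LIST:
            continue  # never extracted or created, regardless of source
        ind = normalize(rec)
        key = (ind["value"], ind["type"])
        store[key] = smart_merge(store[key], ind) if key in store else ind
    return store


def expiration_status(ind, now):
    """Apply the indicator type's expiration method: 'Active' or 'Expired'."""
    days = EXPIRATION_DAYS.get(ind["type"])
    if days is None:
        return "Active"
    return "Expired" if now - ind["lastSeen"] > timedelta(days=days) else "Active"
```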

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-threat-intel-management-guide/threat-intelligence-management-overview.html
• https://www.paloaltonetworks.com/resources/videos/cortex-xsoar-threat-intelligence

4.2 Assess system architecture and outline scalability opportunities.
4.2.1 Review the system diagram and summarize the flow of data:
The following diagram depicts the Cortex XSOAR database architectures:

The Cortex XSOAR platform supports two multi-tier server configurations:

• One app server and one database server running on separate machines
• One app server and multiple database servers running on separate machines

When you work with one database server, all content is stored on the one database server. When you
work with multiple database servers, the first database you install is considered the main database, and
any secondary database that you install is considered a node.

The main database server maintains all content that is not an incident or related to an incident, such as
playbooks, automations, integrations, and layouts. The nodes maintain all incidents and incident-related
data, including a copy of the playbook used to process the specific incident, indicators extracted from the
incident, and all other context data created. The Cortex XSOAR server distributes incidents among
secondary nodes using a round-robin method.

Backup options for the main database and each node for disaster recovery scenarios also are part of the
solution design.

Reference:

• https://www.paloaltonetworks.com/resources/guides/prevention-detection-and-response-for-security-operations-architecture-guide

4.2.2 Export a log bundle and send for investigation:


The Cortex XSOAR logs provide information about events that occur in the system. These logs are a
valuable tool in troubleshooting issues that might arise in your Cortex XSOAR environment.

A log bundle is a zip file of additional logs available in the Cortex XSOAR system. Send the log bundle
zip file to Cortex XSOAR support to use for debugging purposes. After you create the log bundle, the
logs also will appear in /var/log/demisto/.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/logs/create-a-log-bundle.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/logs/audit-trail.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/logs/send-the-audit-trail-to-an-external-log-service.html

4.2.3 Identify common errors and troubleshooting:


See the related reference topics for descriptions of common errors and troubleshooting suggestions.

References:

• Troubleshoot and debug engine errors:
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/engines/demisto-engines-troubleshooting.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/engines/demisto-engines-troubleshooting/engine-upgrade-troubleshooting
• Troubleshoot and debug Docker issues:
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide/troubleshoot-docker-networking-issues.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-hardening-guide/troubleshoot-docker-container-performance-issues.html
• Troubleshoot reports:
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/troubleshoot-reports.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/troubleshoot-reports/troubleshoot-script-timeout-for-reports.html
• Troubleshoot Elasticsearch:
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/migrate-indicators-to-elasticsearch/troubleshoot-elasticsearch-memory-issues.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/migrate-indicators-to-elasticsearch/troubleshoot-elasticsearch-feed-ingestion-issues.html
• Troubleshoot data and database:
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/reindex-the-database.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/reindex-a-specific-index-database.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/reindex-the-entire-database-for-a-distributed-database.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/reindex-a-specific-index-for-a-distributed-database.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/free-up-disc-space-with-data-archiving.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/migrate-data-to-another-server.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/migrate-data-to-another-server-for-multi-tenant.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/move-data-folders-to-another-location-on-the-server.html
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/restore-condensed-folders.html
• Troubleshoot tenants:
  https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-multi-tenant-guide/configure-the-multi-tenant-deployment/move-a-tenant-to-a-different-host.html

4.2.4 Identify use of engines:


Cortex XSOAR engines are installed in a remote network and allow communication between the remote
network and the Cortex XSOAR server. Although you cannot run scripts on an engine, you can run
integration commands through it. The engine initiates a connection on TCP port 443 back to the Cortex
XSOAR server, and all subsequent communication uses this connection; the server never initiates
downstream connections to an engine. Engines do not maintain local databases for incident data: all
data produced by the engines is sent to and stored on the upstream Cortex XSOAR server.

The following graphic depicts the usage of engines for Cortex XSOAR:

An engine is used for the following purposes:

• You can use multiple engines to support multiple remote, isolated, or protected network
segments.
• You can pool multiple engines into an engine group to expand capacity and provide load
balancing beyond what a single Cortex XSOAR server can provide for use within the main site.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/engines/understand-demisto-engines.html

4.3 Create incidents using Cortex XSOAR.


4.3.1 Describe the three ways incidents are created:
Incidents are events that have been observed at a point in time for analysis. Cortex XSOAR ingests
incidents from an integration instance, from the REST API, or from an incident you create manually.

An incident investigation can be opened in the following ways:

• Automatically: An incident associated with a playbook opens automatically for investigation and
runs the associated playbook.
• Manually: Select the incident in the Incidents table.
• CLI: Type /investigate id=<incidentID#>.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/incidents/incidents-management.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/incidents/incidents-management/incident-investigation.html

4.3.2 Understand the logic and order of incident creation:


The logic and order of incident creation follow a three-step process:

• Configure integrations: You configure integrations with your third-party products to start fetching
events. Events can be potential phishing emails, authentication attempts, SIEM events, and more.
• Classification and mapping: After you configure the integrations, you must determine how the
events ingested from those integrations will be classified as incidents. For example, you might
want to classify items based on the subject field for email integrations, but for SIEM events, you
will classify by event type. You must map the information coming from the integrations into the
fields that you created in the planning stage.
• Pre-processing: Pre-processing rules enable you to perform certain actions on incidents as they
are ingested into Cortex XSOAR directly from the web interface. You can use the rules to select
incoming events on which to perform actions, for example, link the incoming event to an existing
incident or, based on configured conditions, drop the incoming incident.

Incidents of various types are created based on the definitions you provided in the classification and
mapping stage and on the rules you created for pre-processing events. All incidents appear on the
Incidents page of the Cortex XSOAR user interface, where you can start investigating.
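
The three stages above, and the two-stage (default, then per-type) mapping described in the classification
and mapping section earlier, as one added example that is not Cortex XSOAR code. The sample events, the
classification rules (subject for email, event type for SIEM), the field names and the two pre-processing
rules are constructed assumptions.

```python
"""Illustrative model of incident creation: classify fetched events, map their
attributes into incident fields through a default mapping overlaid by a
per-type mapping, then apply pre-processing rules (drop, or link to an existing
incident). Added example, not product code."""

# Constructed events, shaped the way an email integration and a SIEM integration
# might fetch them (not real integration output).
EVENTS = [
    {"source": "email", "subject": "[PHISH] Invoice attached",
     "from": "sender@example.test", "received": "2021-01-05T10:00:00Z"},
    {"source": "siem", "eventType": "Malware", "host": "ws-17",
     "sha256": "constructed-hash", "ts": "2021-01-05T10:01:00Z"},
    {"source": "siem", "eventType": "Heartbeat", "host": "ws-17",
     "ts": "2021-01-05T10:02:00Z"},
]

# Stage 1 result: classification. Email events classify on the subject field,
# SIEM events on their event type, as the text describes.
def classify(event):
    if event["source"] == "email":
        return "Phishing" if "[PHISH]" in event.get("subject", "") else "Unclassified"
    return event.get("eventType", "Unclassified")


# Stage 2: mapping. Keys are incident fields, values are event attribute names.
DEFAULT_MAPPING = {"name": "subject", "occurred": "ts", "sourcehost": "host"}
TYPE_MAPPING = {
    # adds emailfrom and overrides the default 'occurred' attribute
    "Phishing": {"occurred": "received", "emailfrom": "from"},
    # overrides 'name' and adds filehash
    "Malware": {"name": "eventType", "filehash": "sha256"},
}


def effective_mapping(incident_type):
    """Default mapping first, then the type-specific mapping adds or overrides."""
    merged = dict(DEFAULT_MAPPING)
    merged.update(TYPE_MAPPING.get(incident_type, {}))
    return merged


def map_event(event, incident_type):
    """Build incident fields; attributes missing from the event are left unset."""
    fields = {"type": incident_type}
    for field, attr in effective_mapping(incident_type).items():
        if attr in event:
            fields[field] = event[attr]
    return fields


# Stage 3: pre-processing rules applied as incidents are ingested.
def preprocess(incident, existing):
    """Return (incident, action) where action is 'drop', 'link' or 'create'."""
    # Rule 1 (constructed): SIEM heartbeats are noise, drop them.
    if incident["type"] == "Heartbeat":
        return None, "drop"
    # Rule 2 (constructed): link to an open incident of the same type on the same host.
    for inc in existing:
        if inc["type"] == incident["type"] and inc.get("sourcehost") == incident.get("sourcehost"):
            inc.setdefault("linked", []).append(incident)
            return inc, "link"
    existing.append(incident)
    return incident, "create"


def run_pipeline(events, existing=None):
    """Run classify -> map -> preprocess over fetched events.
    Returns the incident list and the action taken for each event."""
    existing = existing if existing is not None else []
    outcomes = []
    for event in events:
        incident = map_event(event, classify(event))
        _, action = preprocess(incident, existing)
        outcomes.append(action)
    return existing, outcomes
```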

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/incidents/incident-lifecycle.html

5 Content Updates and Content Management
5.1 Outline Marketplace concepts.
Cortex XSOAR Marketplace is a digital storefront for discovering, exchanging, and contributing security
orchestration content centrally within the Cortex XSOAR platform.

It enables you to install turnkey Content Packs to help solve any security use case with content
contributed by SecOps experts and the world’s largest SOAR partner community.

5.1.1 Identify challenges and benefits related to Marketplace concepts:


The Marketplace allows you to easily:

• Leverage content from the largest SOAR community: You can extend Cortex XSOAR with
proven use cases contributed by SecOps users and SOAR partners.
• Discover top-rated, validated content: You can identify the best premium and free content
offerings recommended by your peers and validated by the world’s leading cybersecurity
company. You can experience how to increase automation with the tools you already have and
browse through community best practices.
• Solve your most difficult security use cases: You can use a single click to deploy turnkey security
workflows that span integrations, playbooks, dashboard layouts, and reports.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-overview.html

5.1.2 Describe Marketplace content:


All content on Marketplace is included in a Content Pack, and Cortex XSOAR digitally signs all packs. A
Content Pack is like a small content repository, and it contains all relevant content items under its
directories.

Content Packs are categorized as free and premium (paid) and contain the following:

• Classifiers
• Dashboard Widgets and Reports
• Incident Fields and Incident Types
• Indicator Fields and Indicator Types
• Layouts (Incident and Indicator Layouts)
• Playbooks
• Scripted Automations
• Technology Integrations

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-overview/content-packs-support-types.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-overview/access-the-marketplace.html

5.1.3 Outline the product development lifecycle:


The custom Content Packs, also known as contributions, need to be sent to the Cortex XSOAR team for
review and approval. After approval, these Content Packs are uploaded to the Marketplace, shared, and
installed as would be any other Content Pack.

When you create new content such as playbooks, automations, incident types, and integrations, you can
send the contribution to Cortex XSOAR directly from the content item. Cortex XSOAR automatically adds
dependencies to ensure that the Content Pack installs and runs correctly. For example, from a playbook,
you can click Contribute to Marketplace:

After you send the contribution for review, Cortex XSOAR contacts you. You also can download the
contribution and upload it, for example, to GitHub.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/content-pack-contributions.html
• https://xsoar.pan.dev/docs/tutorials/tut-setup-dev
• https://xsoar.pan.dev/docs/contributing/checklist
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/content-pack-contributions/create-a-content-pack.html
• https://xsoar.pan.dev/docs/concepts/design-best-practices

5.1.4 Identify how content can be searched:
In the Marketplace you can manage content (install, delete, and update it) and contribute and share
content items such as playbooks, integrations, and incident types.

You can browse all content (including installed content), view only installed Content Packs, or see your
contributions. When a Content Pack needs to be updated, you receive a notification and can view the
updates on the Installed Content Packs tab.

When you search for content, enter text in the search bar and then select the content types to search:

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-overview/marketplace-search-and-navigation.html

5.1.5 Describe the relationship between the Marketplace and Docker:


Docker is a tool used by developers to package dependencies into a single container (or image). To use
your integration, you are not required to “pip install” all the packages required. They are part of a
container that “docks” to the server and contains all the libraries you need.

Cortex XSOAR primarily uses Docker to run Python and PowerShell scripts and integrations in a
controlled environment. Scripts and integrations run isolated from the server environment to prevent
someone from accidentally damaging the server. By packaging libraries and dependencies, you can
prevent unknown issues from occurring because the environment is all the same.

Marketplace allows you to install Content Packs that contain content items such as integrations and
scripted automations. Some content items are required to run on Docker, and Cortex XSOAR maintains a
repository of Docker images, all of which are available in the Docker Hub under the Cortex XSOAR
organization (https://hub.docker.com/u/demisto/).

Reference:

• https://xsoar.pan.dev/docs/integrations/docker

5.2 Apply custom content and manage content updates.


5.2.1 Describe the purpose of content updates:
All Cortex XSOAR content is organized in packs. Packs essentially are groups of artifacts that implement
use cases in the product. Content Packs are created by Palo Alto Networks, technology partners,
consulting companies, MSSPs, customers, and individual contributors. As was discussed in Task 5.1.2,
Content Packs may include various components such as integrations, automations, playbooks, incident
types, and widgets.

When creators update their Content Packs, the updates become available after review and approval by
the Cortex XSOAR team, and you are notified about them in the Cortex XSOAR interface.

Suppose you want to contribute the content entities you created. In that case, you should create a Content
Pack and submit it for review for it to be added to the Cortex XSOAR Marketplace and become available
to customers.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions/content-pack-installation/update-a-content-pack.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions.html

5.2.2 Outline the process of how content is updated and why:


When a Content Pack is available for update, you receive a notification next to the Marketplace icon
and a message about Content updates displays at the top of the Settings page:

You can update to the latest content version or specific versions. Any customizations you have made are
automatically included in any update. All dependent Content Packs update automatically with the main
Content Pack.

Users can see updates for Content Packs that they have in their environment that were downloaded by
another user.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions/content-pack-installation/update-a-content-pack.html

5.2.3 Summarize the relationship between customer content and existing content updates:
Contributions are Content Packs that you create that are sent to Cortex XSOAR for review and approval.
After approval, these Content Packs are uploaded to the Marketplace, shared, and installed as would be
any other Content Pack. You can create the following Content Packs:

• Basic Content Pack for specific content, such as playbooks, automations, integrations, and
incident types
• Advanced Content Pack in the Contributions tab in the Marketplace

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/content-pack-contributions.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-overview/content-packs-support-types.html

5.2.4 Outline recommendations for content updates and when custom content would be appropriate:
Contributions are Content Packs that you create. Contributions allow you to make the content that you
build on Cortex XSOAR available to every client through the Marketplace. Content can be Partner or
Community supported, Free, or Paid.

All the free content (i.e., everything excluding Paid Content Packs) is open source and lives in the Cortex
XSOAR GitHub Repository, with an MIT license.

After you have created your content, you must submit your content for the Palo Alto Networks team to
review and approve.

There are three ways to submit your work:

• In most cases, if you want to provide a Content Pack that you will support, you must open a
GitHub Pull Request.
• Cortex XSOAR supports a simplified flow to contribute directly from the product web interface.
Use this flow only if you are an individual contributor and your Content Pack will be community
supported.
• If you are providing a Premium (Paid) Content Pack, the GitHub process is slightly different; the
process is described in detail at https://xsoar.pan.dev/docs/integrations/premium_packs.

Before you proceed, see the content contribution checklist at
https://xsoar.pan.dev/docs/contributing/checklist to make sure you have created everything you need.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions/content-pack-installation.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/content-pack-contributions.html
• https://xsoar.pan.dev/docs/contributing/checklist
• https://xsoar.pan.dev/docs/concepts/design
• https://xsoar.pan.dev/docs/integrations/premium_packs

5.2.5 Identify the benefits of custom content:
Any user can add content to a Content Pack; the pack is then created, submitted, and reviewed by Cortex
XSOAR to ensure it complies with Cortex XSOAR standards. After approval, the Content Pack can be
used in the Marketplace.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/content-pack-contributions/create-a-content-pack.html

5.2.6 Describe how new content gets implemented:
You can install only one Content Pack at a time from the Marketplace. Cortex XSOAR automatically
adds any content that is required to install the Content Pack. You also can add any recommended Content
Packs that use the Content Pack you want to install.

Before you install a Content Pack, you can search for it by using the Browse tab. When you find the
required pack, you can see what is included in the pack and then use the Install button to finish the
installation:

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions/content-pack-installation/install-a-content-pack.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions/content-pack-installation/update-a-content-pack.html
• https://xsoar.pan.dev/docs/contributing/checklist

5.2.7 Explain when imports or exports are appropriate and how they would be done:
When you create your Content Packs, you can use the Contributions tab in the Marketplace to send them
to Cortex XSOAR for review and approval. If you want to prepare the Content Pack and send it later for
review or upload it to GitHub, you can export your package in the Contribution screen by selecting the
Save and download your contribution option:

You usually need an internet connection when using the Marketplace for tasks such as downloading and
subscribing to Content Packs because all these services are in the cloud.

However, you can upload Content Packs offline. The Administrator downloads the Content Pack to
install, which is in zip format.

In zip format, you can upload the following:

• Each Content Pack separately
• Several Content Packs together
• An all-packs zip, which installs all Content Packs at the same time. All dependencies are included.

Before you start uploading content that you want to install, you should update the server configuration to
turn off Marketplace synchronization with the cloud for both the Content Packs and the review process by
adding the following key-value pairs under Settings > About > Troubleshooting > Add Server
Configuration. Adding these keys also improves system performance.

Key                                         Value
marketplace.sync.enabled                    false
marketplace.content.packs.rating.enabled    false
marketplace.subscriptions.sync.enabled      false

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/marketplace-subscriptions/install-a-content-pack-offline.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/marketplace/content-pack-contributions/create-a-content-pack.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/remote-repository/troubleshoot-a-remote-repository-configuration/troubleshoot-content-issues
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/remote-repository/troubleshoot-a-remote-repository-configuration/troubleshoot-editing-and-pushing-content

6 Web Interface Workflow, Dashboards, and Reports
6.1 Navigate the web interface and query system data.
6.1.1 Navigate between the different options in the system:
Cortex XSOAR provides an extensible user interface with well-designed, customizable dashboards and
reports that give quick information about the SOC, incidents, and indicators so that your analysts can
perform investigations.

The following image depicts the main menu for Cortex XSOAR that contains links for the home page,
reports, incidents, indicators, playbooks, automation, jobs, marketplace, and settings sections:

The default landing page of the management web console is the Home page, which displays the default
Dashboards. Dashboards consist of visualized data powered by fully customizable widgets, which
enable you to analyze data from inside or outside Cortex XSOAR in different formats such as graphs, pie
charts, or text. You can add new dashboards or edit and customize the existing dashboards by adding or
creating widgets.

Dashboards can be configured to display almost any information that the system itself can generate.

This default dashboard provides quick access to summary data, including mentions of the user within
various incidents or cases. The Dashboards page also provides high-level system-health status relative to
disk, CPU, and memory.

The widget-based configuration and display functionality used for dashboards also provides the basis for
reports. You access the preview and design function for a report by clicking the double-page icon in the
top right of the target report’s information area. Reports, like dashboards, are constructed of the graphical
placement of widgets.

The Indicators page allows you to collect and track several discrete data elements extracted from
incidents such as hashes, domains, URLs, and email addresses.

The Incidents page lists all relevant incidents. You can create and use saved queries to query the
incidents and then investigate one of them:

When you start an investigation by opening an incident, several tabs are displayed on that screen:

• The first tab that welcomes you is the Incident Info tab, where you can find various information
about that incident.
• The War Room tab displays the results of automated activity, provides a context for running
manual commands from the CLI at the bottom of the page, and provides a place for sending
messages among analysts or adding notes to the War Room.
• On the same page, the Work Plan tab provides access to the playbook that was run and allows
you to review the results of individual tasks and resolve any issues or respond to any pauses in
execution based on any pending manual tasks.
• In the investigation process, additional tracking, recording, and collaboration features include an
Evidence Board tab that provides a space for selected, important items that appear in the War
Room first and are added either automatically based on a playbook action or selectively based on
manual review.
• The Related Incidents analytical tool maps the current incident to other incidents based on a
framework for assessing similarity. A Canvas feature is based on a pin-board metaphor where
you can auto-populate related and linked incidents and indicators. This tool can plot relationships
in more complicated cases that may benefit from this type of visualization.

The Playbooks page lists all of the playbooks available to the system, whether out-of-the-box,
customized, or custom made. From this page, you can create new playbooks and edit or copy existing ones.

The Automation page contains the automations and the associated code for each automation. It also
includes the Script Helper tool, which opens a menu that presents all of the common server functions
available on the Automations page.

Jobs trigger incidents on demand or based on a schedule. The incident can run a playbook, and the
playbook in turn can run automations for anything that can be scripted and controlled via API. Jobs are
somewhat like cron jobs on a typical Linux system and can help you to run almost any command.

The Marketplace page is the central location for installing, exchanging, contributing, and managing all
of your content, including playbooks, integrations, automations, fields, and layouts.

The Settings page provides access to additional SOAR-engineer functions such as configuring
integrations, defining fields and mapping data to fields, defining incident types, editing or configuring
page layouts, and managing indicator types and allow lists. Several IT-administrator functions and cross-
over functions with the SOAR-engineer role also are found within the Settings area. Such functions
include backup configuration, access to version information, license status, and troubleshooting and
advanced server configuration tools.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-overview/cortex-xsoar-concepts.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/dashboards/dashboard-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-overview/keyboard-shortcuts.html

6.1.2 Write a structured query using the appropriate syntax:
Cortex XSOAR has a powerful search feature. You can search for data in Cortex XSOAR in the
following ways:

• Using the search query: You can search for information using the Lucene query syntax. The
search query appears in the Indicators, Incidents, Jobs, Playbooks, Automation, and Evidence
Board pages. For example, to search for all incidents whose status is Pending and whose severity is
Critical, type status:Pending and severity:Critical.
• Using the search box: You can search for incidents, entries, evidence, investigations, and
indicators in Cortex XSOAR. The search box appears in the top-right corner of every page. You
can either type free text or search using the search query format by using the arrow keys. For
example, incident.severity:Low searches for all incidents that have “low” in the severity
field.
• Using a general search: For example, you can search a table in the Users tab, search for a widget,
or search for a task in a playbook.
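As an added illustration of the field:value query form described above (not Cortex XSOAR's own search code), the following Python evaluates such queries over a constructed set of incident records. Case-insensitive substring matching, the treatment of side-by-side terms as AND, and the incident fields are assumptions made for this example.

```python
"""Evaluator for field:value search queries over incident records.

Added illustration for the study guide, not Cortex XSOAR's search engine.
Values match case-insensitively as substrings (severity:Low matches "Low"),
bare words match any field, and/or/not combine terms, parentheses group, and
two terms written side by side are treated as AND (choices made for this example).
"""
import re
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample incidents; real XSOAR incidents carry many more fields.
SAMPLE_INCIDENTS: List[Dict[str, str]] = [
    {"id": "1", "name": "Phishing report", "status": "Pending", "severity": "Critical", "type": "Phishing"},
    {"id": "2", "name": "Malware alert", "status": "Active", "severity": "Critical", "type": "Malware"},
    {"id": "3", "name": "Lost laptop", "status": "Pending", "severity": "Low", "type": "Access"},
    {"id": "4", "name": "Port scan", "status": "Closed", "severity": "Low", "type": "Recon"},
]

# Tokens: a parenthesis, an optional field: prefix with a quoted value, or a bare word.
TOKEN_RE = re.compile(r'\(|\)|[^\s()"]*"[^"]*"|[^\s()]+')

Node = Tuple[Any, ...]  # ("and", l, r) | ("or", l, r) | ("not", n) | ("match", field, value)


class QueryParser:
    """Recursive descent: expr := term ('or' term)*; term := factor ('and'? factor)*."""

    def __init__(self, query: str) -> None:
        self.tokens = TOKEN_RE.findall(query)
        self.pos = 0

    def _peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self) -> Optional[str]:
        tok = self._peek()
        self.pos += 1
        return tok

    def parse(self) -> Node:
        if not self.tokens:
            raise ValueError("empty query")
        node = self._expr()
        if self._peek() is not None:
            raise ValueError(f"unexpected token {self._peek()!r}")
        return node

    def _expr(self) -> Node:
        left = self._term()
        while (self._peek() or "").lower() == "or":
            self._take()
            left = ("or", left, self._term())
        return left

    def _term(self) -> Node:
        left = self._factor()
        while self._peek() not in (None, ")") and self._peek().lower() != "or":
            if self._peek().lower() == "and":
                self._take()
            left = ("and", left, self._factor())
        return left

    def _factor(self) -> Node:
        tok = self._take()
        if tok is None:
            raise ValueError("query ends early")
        if tok.lower() == "not":
            return ("not", self._factor())
        if tok == "(":
            node = self._expr()
            if self._take() != ")":
                raise ValueError("missing ')'")
            return node
        if tok == ")":
            raise ValueError("unexpected ')'")
        field, sep, value = tok.partition(":")
        if not sep:  # bare word: free-text match against every field
            return ("match", None, tok.strip('"'))
        field = field.lower()
        if field.startswith("incident."):  # incident.severity:Low behaves like severity:Low
            field = field[len("incident."):]
        return ("match", field, value.strip('"'))


def matches(node: Node, incident: Dict[str, Any]) -> bool:
    """Evaluate a parsed query against one incident record."""
    kind = node[0]
    if kind == "and":
        return matches(node[1], incident) and matches(node[2], incident)
    if kind == "or":
        return matches(node[1], incident) or matches(node[2], incident)
    if kind == "not":
        return not matches(node[1], incident)
    _, field, value = node
    needle = value.lower()
    if field is None:
        return any(needle in str(v).lower() for v in incident.values())
    return needle in str(incident.get(field, "")).lower()


def search(query: str, incidents: List[Dict[str, Any]] = SAMPLE_INCIDENTS) -> List[str]:
    """Return the ids of the incidents matching the query, in stored order."""
    node = QueryParser(query).parse()
    return [inc["id"] for inc in incidents if matches(node, inc)]


if __name__ == "__main__":
    for q in ("status:Pending and severity:Critical", "incident.severity:Low",
              'name:"Lost laptop" or type:Recon', "not status:Closed"):
        print(f"{q!r:45} -> {search(q)}")
```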

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-overview/how-to-search-in-cortex-xsoar
• https://lucene.apache.org/core/2_9_4/queryparsersyntax.html

6.2 Summarize the workflow elements used during an investigation.

6.2.1 Outline the purpose of the workflow elements:
Playbooks serve as automation workflows in Cortex XSOAR and have self-documenting procedures that
query, analyze, and perform other actions on incidents using the information associated with those
incidents. They organize and document security monitoring orchestration and response activities for
Cortex XSOAR.

Playbooks are like flowcharts. They have different branches that can do different things. Decisions
influence the flow of the playbook. These decisions can be made automatically, manually, or with a mix
of the two.

References:

• https://xsoar.pan.dev/docs/playbooks/playbooks-overview
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/playbooks-overview.html

6.2.2 Differentiate the workflow elements and the impact on an investigation:
Tasks are the building blocks of playbooks. Cortex XSOAR has an extensive Task Library, which is
categorized into Automations, Manual Tasks, and Playbooks (Sub-Playbooks).

Each step in the playbook is a Cortex XSOAR task. Tasks can be standard tasks, conditional tasks, and
data collection tasks.

The Standard task type includes both manual and script-based (automation-based) tasks. A manual task
requires your analysts to review information, confirm an automated verdict, make a determination, or
escalate an incident.

Automated tasks run scripts that exist in the system and are exposed to and managed within the user
interface as “automations.”

When you add a playbook to another playbook and connect it to one or more preceding and following
tasks, the playbook you add functions as a sub-playbook.

Playbooks enable you to automate many of your security processes, including handling your
investigations and managing your tickets. Cortex XSOAR has a Work Plan page to enable you to monitor
and manage the playbook workflow and add new tasks to customize the playbook to a specific
investigation.

References:

• https://xsoar.pan.dev/docs/playbooks/playbook-conventions
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/incidents/incidents-management/work-plan.html

6.3 Create dashboards and reports.

6.3.1 Outline the difference between dashboards and reports:
Dashboards typically are configured to display summary information about incidents and can be
configured to display almost any information that the system itself can generate.

The dashboards also provide a high-level system-health status (relative to disk, CPU, and memory) and a
pre-configured service-level-agreement report that measures completion time against parameters that you
can set, enable, or disable, based on incident type. You also have an Incidents summary that reports on
data beyond the scope of just the current user.

The widget-based configuration and display functionality used for dashboards also provides the basis for
reports. You access the preview and design function for a report by clicking the double-page icon in the
top right of the target report’s information area.

Reports, like dashboards, are constructed of the graphical placement of widgets. Widgets can be
individually configured for reports and dashboards.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/dashboards/dashboard-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/report-overview.html

6.3.2 Select the appropriate dashboard or report:
When you first install Cortex XSOAR, the following dashboard tabs are created:

• Incidents: Information relating to incidents, such as severity type, active incidents, and
unassigned incidents
• System Health: Information relating to the Cortex XSOAR server
• My Dashboard: A personalized dashboard relating to your incidents, tasks, and so on
• SLA: Information relating to your Service Level Agreement

In every dashboard, you can do the following:

• Create a dashboard
• Edit a dashboard
• Import and export a dashboard, which is useful in a test and production environment
• Share and unshare a dashboard
• Delete or remove (if shared) a dashboard

Cortex XSOAR comes with out-of-the-box reports such as critical and high incidents, daily incidents, and
last seven days incidents. These reports cannot be edited apart from the scheduled time and who can
receive the report. If you want to change these reports, go to the GitHub reports repository
(https://github.com/demisto/content/tree/a81bce4def89d579b17b09bcf796daf183fefd5b/Packs/Legacy/Reports),
download and update the JSON file, and upload the report.

In every report, you can do the following:

• Create a report: Custom reports can be in PDF, CSV, or Word format.
• Add a Widget to a report
• Edit a report
• Change the report logo
• Configure the time zone and format in a report

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/dashboards/configure-a-default-dashboard.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/create-a-report.html

6.3.3 Summarize which information can be added, edited, or shared within dashboards and
reports:
Typical dashboard control functions accessible by a click of the gear icon allow you to delete, duplicate,
share, import, export, and reset your dashboards. Shared dashboards and new, blank dashboard spaces are
added from the Add dashboard drop-down menu. Dashboards can be shared among analysts, which helps
in collaboration during investigations.

The following two images contain the same widgets, one for a new dashboard and the other for a new
report. The Widget Library that you will use is the same.

You can configure dashboards and reports by specifying various parameters: a query string that selects
the data to be included, the time frame for the data, and how the widget displays the data:

• Graphically in a chart or graph, or in a table or list
• In a single, summary total

For PDF and Word document output, the Report Editor’s layout view will match almost exactly the way
the report will display in the target application.

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/dashboards/edit-a-dashboard.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/dashboards/share-a-dashboard.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/select-and-customize-sections-to-export-to-a-summary-report.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/edit-a-report.html

6.4 Apply the appropriate widget type.

6.4.1 Describe the purpose of widgets:
Widgets are visual components that enable you to analyze data from inside or outside Cortex XSOAR
in different formats such as graphs, pie charts, and text.

Cortex XSOAR comes with many out-of-the-box system widgets such as Today’s New Incidents, Late
Incidents, and Saved by Dbot. You can edit these widgets when you create or edit a dashboard or report.

Reference:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/widgets/widget-overview.html

6.4.2 Define when custom widgets are necessary:
Widgets are visual components that populate dashboards and reports with specific data. Although various
out-of-the-box system widgets are available, you can create custom widgets in the Widgets Library. You
also can create them from an incident or an indicator.

You can create a custom widget for your dashboard or report using a JSON file and then add the new
widget to a new or edited dashboard or report.

You also can use custom script-based widgets with an automation script to create dynamic widgets for
more complex calculations. If you create or upload the script to the Automation page, you can use the
script in any widget, use the script with a JSON file, and add it to an Incident and an Indicator page, rather
than uploading the script each time.
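As an added example of a script-based widget (not Palo Alto Networks code), the following automation script counts incidents per severity and returns the chart entry a dashboard or report widget displays. The numeric severity levels follow CommonServerPython's IncidentSeverity; the entry shape (Type 17, ContentsFormat, Contents.stats), the getIncidents call and its result layout are assumptions to verify against the linked reference, and the sample incidents are constructed.

```python
"""Script-based widget: count incidents per severity and return a chart entry.

Added illustration for this study guide; not Palo Alto Networks code.
"""
from collections import Counter
from typing import Any, Dict, Iterable, List

try:
    import demistomock as demisto  # shipped with the XSOAR content repo; absent elsewhere
except ImportError:
    demisto = None  # running outside XSOAR: the pure functions below still work

# Numeric severity levels stored on incidents (IncidentSeverity in CommonServerPython):
# 0 Unknown, 0.5 Informational, 1 Low, 2 Medium, 3 High, 4 Critical.
SEVERITY_LABELS = {0: "Unknown", 0.5: "Informational", 1: "Low",
                   2: "Medium", 3: "High", 4: "Critical"}
# Display order and colors are choices made for this example.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Informational", "Unknown"]
SEVERITY_COLORS = {
    "Critical": "rgb(213, 0, 0)", "High": "rgb(255, 109, 0)",
    "Medium": "rgb(255, 214, 0)", "Low": "rgb(0, 200, 83)",
    "Informational": "rgb(144, 164, 174)", "Unknown": "rgb(158, 158, 158)",
}

# Constructed sample incidents (real incidents carry many more fields).
SAMPLE_INCIDENTS: List[Dict[str, Any]] = [
    {"id": "101", "name": "Phishing report", "severity": 4},
    {"id": "102", "name": "Credential dump", "severity": 4},
    {"id": "103", "name": "Lost laptop", "severity": 1},
    {"id": "104", "name": "Policy notice", "severity": 0.5},
    {"id": "105", "name": "Imported alert", "severity": "n/a"},  # malformed value
]


def severity_label(value: Any) -> str:
    """Map a stored severity number to its label; anything unexpected is 'Unknown'."""
    try:
        return SEVERITY_LABELS.get(float(value), "Unknown")
    except (TypeError, ValueError):
        return "Unknown"


def count_by_severity(incidents: Iterable[Dict[str, Any]]) -> Dict[str, int]:
    """Count incidents per severity label, e.g. {'Critical': 2, 'Low': 1}."""
    return dict(Counter(severity_label(inc.get("severity")) for inc in incidents))


def severity_chart_entry(incidents: Iterable[Dict[str, Any]],
                         chart: str = "pie") -> Dict[str, Any]:
    """Build the entry a script-based chart widget returns to the dashboard.

    Assumption: the shape (Type 17, ContentsFormat 'pie' or 'bar', Contents.stats)
    follows the "create a custom widget using an automation script" reference;
    verify it against your server version before relying on it.
    """
    counts = count_by_severity(incidents)
    stats = [
        {"data": [counts[label]], "groups": None, "name": label,
         "label": label, "color": SEVERITY_COLORS[label]}
        for label in SEVERITY_ORDER if counts.get(label)
    ]
    return {"Type": 17, "ContentsFormat": chart,
            "Contents": {"stats": stats, "params": {"layout": "horizontal"}}}


def main() -> None:
    if demisto is None:  # stand-alone run: show the entry for the constructed sample
        print(severity_chart_entry(SAMPLE_INCIDENTS))
        return
    # Inside XSOAR: fetch pending incidents with the query syntax from section 6.1.2.
    # Assumption: getIncidents returns the list under res[0]["Contents"]["data"].
    res = demisto.executeCommand("getIncidents", {"query": "status:Pending", "size": 500})
    incidents = res[0]["Contents"]["data"] or []
    demisto.results(severity_chart_entry(incidents, chart="bar"))


if __name__ in ("__builtin__", "builtins", "__main__"):
    main()
```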

References:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/widgets/create-a-widget-in-the-widgets-library.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/widgets/create-a-custom-widget-using-a-json-file.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/widgets/create-a-custom-widget-using-an-automation-script.html

Sample Questions
The answers to the sample questions are in the “Answers to Sample Questions” section.

1. Playbook Development
1) What is the primary use of the context data?
a) sending data to related incidents
b) passing data between playbook tasks
c) storing data for use with integrations
d) mapping data to required fields

2) Which statement is true about context data?
a) It is purged after each task in a playbook is run.
b) It must be transformed before a task can use it.
c) After it is written, it can be changed only by manual editing.
d) It does not necessarily include all data generated by the incident-related activity.

3) Which option best describes the structure of context data?
a) a key-value pair dictionary
b) a row-oriented data serialization framework
c) a node-graph hierarchy of multiple object types
d) a binary storage format front-ended by a Java interpreter

4) Which type of task is used to interact with users through a survey?
a) conditional
b) standard
c) section header
d) data collection

5) Which option provides dynamic input to playbook tasks and automations?
a) incident tasks
b) context data
c) quick view
d) system

6) Which is the first step in the playbook development process?
a) create custom data fields
b) create a skeleton playbook
c) formalize the use-case definition
d) configure enrichment integrations

7) Which characteristic indicates a playbook is a “skeleton playbook”?
a) installed from the Marketplace
b) unconfigured Inputs/Outputs options
c) incomplete task details for many tasks or all tasks
d) loaded in a development environment but not deployed to production

8) What are two ways to create a new task in a playbook that is open for editing? (Choose two.)
a) Click Create Task on the Task Library fly-out panel.
b) Right-click an open area of the workspace and select New Task.
c) Double-click an open area of the workspace and click Yes in response to the prompt.
d) Click-and-drag the output node of an existing object to an open area of the workspace.

9) Which is the proper name for a “step” in a Cortex XSOAR playbook?
a) task
b) step
c) procedure
d) automation

10) Which two types of actions can be specified with a “Standard” playbook task? (Choose two.)
a) manual
b) automated
c) conditional
d) data collection

11) How do playbooks and the War Room work together?
a) The War Room documents playbook tasks and related artifacts and evidence.
b) Each incident’s War Room activity is auto-documented into a playbook for that incident.
c) Playbooks provide a guide to the use of the War Room for information flow among
analysts.
d) Playbooks document the activity and decisions made in the War Room.

12) What is a sub-playbook?
a) a playbook used as a task in another playbook
b) an obsolete playbook of inferior quality
c) an app that underlies a playbook to ensure it flows from task to task
d) an updated playbook that substitutes for an older playbook

2. Incident Types, Indicator Types, Layouts, and Fields
13) Which option describes the trigger of an incident?
a) specification of the name of the Incident Type
b) the application of enrichment tasks to a playbook
c) the point at which auto-extraction of indicators is performed
d) the action inside or outside the system that should generate an incident

14) How do incidents relate to indicators?
a) Incidents generate indicators as part of their automated response.
b) Indicators provide context to incidents.
c) Incidents determine the severity of indicators.
d) Indicators specify which incidents to ingest.

15) Which three fields are available for querying indicators? (Choose three.)
a) expirationStatus
b) reputation
c) SLA
d) type
e) indicatorAge

16) Which two privileges are needed to create or customize an incident layout? (Choose two.)
a) page access privilege for the settings page
b) read privilege for integrations
c) page access privilege for Incidents page
d) read/write privilege for investigations

17) What should you do if you want to keep a set of specific information for every event of a certain
type?
a) add that information in the Evidence Board when investigating the incident
b) add custom fields to incidents representing events of that type
c) chat about it in the War Room
d) use Remote Device Control to obtain the information

3. Automations and Integration and Related Concepts
18) What are the two primary purposes for defining outputs of an automation script or integration
command? (Choose two.)
a) outputs are used to display data to users
b) outputs are used for sending data to third-party APIs
c) outputs are used to define data that is set into the incident context data
d) outputs are used for helping users to connect playbooks more easily

19) What are two sources of alert enrichment for Cortex XSOAR? (Choose two.)
a) SIEMs
b) Widgets
c) Dashboards
d) AutoFocus

20) Which command is used to retrieve lists to use in a playbook task?
a) /FetchList
b) !fetchList
c) /GetList
d) !getList

21) What is a deprecated automation script?
a) Automation script that is not available in the system, and no longer is supported by the
script author.
b) Automation script that still is available in the system, but no longer is supported by the
script author.
c) Automation script that is available in the system, but it is outdated and needs to be
updated.
d) Automation script that was located in the system, but it is deleted manually by the
analyst.

22) Which action is required before a new integration can ingest a typed alert and automatically run a
playbook for the resulting incident?
a) An instance of the integration must be created.
b) The integration must be primed with a test alert of that type.
c) The playbook must be run manually with that type of alert.
d) The alert source must be made aware through an API of the playbook to be run.

23) Which Cortex XSOAR functionality always is part of accessing external sources for alert
enrichment?
a) Incidents
b) Playbooks
c) War Room
d) Integrations

24) What are two ways used to classify events ingested from an integration? (Choose two.)
a) when configuring an integration
b) by fetching incidents
c) by setting a classification key
d) when setting incident layout

25) In Cortex XSOAR, what do integrations do?
a) They connect alerts with responses.
b) They enable real-time Cortex XSOAR software updates.
c) They map alerts to incidents and query third-party information sources.
d) They integrate the various components and functions that comprise Cortex XSOAR.

26) What will happen if you click to Disable an integration?
a) The integration code will be removed from the system.
b) The Marketplace no longer will report related content dependencies.
c) The instance of the integration and your configuration information will be retained.
d) The integration’s commands will be removed from display in the auto-suggestions of the
CLI tool.

27) What will happen if you configure an integration with inaccurate credentials and click Done?
a) The initial operational status will be set to “Disabled.”
b) A popup dialog box will prompt you for new credentials.
c) A failure message will appear at the bottom of the form.
d) The system will create a new instance of the integration.

28) What must you do to modify the code for an integration that you have downloaded from the
Marketplace?
a) Click to duplicate it.
b) Click the edit icon and enter the admin password.
c) Click to download the integration and give it a new name.
d) Click the view icon, click Save Version, and give it a new name.

29) Which element enables Cortex XSOAR to automatically extract a custom indicator type from an
unmapped key string?
a) regex
b) layout
c) structured query in Lucene syntax
d) valid data description in SRE syntax

4. Solution Architecture
30) What is required to display dev-prod configuration options?
a) access to the integrations page
b) use of a command in the graphical CLI
c) implementation of a custom server parameter
d) login credentials for the Linux command shell

31) Which element of the Cortex XSOAR solution architecture supports the isolation of the
development of new integrations, automations, and playbooks?
a) dev-prod
b) hybrid cloud
c) Cortex XSOAR engine
d) multi-tenant mode

32) In a dev-prod configuration, from where does the prod server get updates authored by Palo Alto
Networks?
a) Cortex XSOAR public content repository
b) remote repository specified in the dev-prod configuration parameters
c) content database on the local dev server
d) dev server default repository

33) Which is a requirement of the remote, private repository in a dev-prod configuration?
a) The proxy server address of prod server must be set to the IP address of the dev server.
b) Access from the dev server to the official public repository must be disabled.
c) Connections from the prod server to the private repository must be blocked.
d) The repository must have a minimum of one branch.

34) Which is an accurate description of a Docker image?
a) open-source hypervisor for cloud-based machine images
b) modular engine that runs multiple operating systems
c) unit of software that packages everything required to run an application
d) instance of a virtual machine that, when running, becomes a Docker image

35) Which is the default global registry for Docker?
a) Docker Hub
b) Docker Engine
c) support.docker.com
d) support.paloaltonetworks.com

36) What is required to download the system’s Docker images manually?
a) run a CLI command sequence
b) a user account on GitHub
c) root access to the command line on the target server
d) the installer download link from the email used to send your license file

37) Which two settings are recommended to harden or optimize the system’s use of Docker? (Choose
two.)
a) setting imageless-mode flag
b) limiting the memory allowed for each container
c) limiting the number of CPUs a container may use
d) increasing the limit for the number of allowed PIDs

38) What is the maximum number of servers supported for a Live Backup configuration?
a) 2
b) 3
c) 4
d) 8

39) Which path hosts the artifacts folder?
a) /etc/
b) /etc/demisto/
c) /var/lib/demisto/
d) /user/demisto/blobs

40) Which content is excluded from backup by the Automated Backups feature?
a) incidents
b) scripts and playbooks
c) artifacts and attachments
d) user-defined configurations

41) Which is the best option to manually back up artifacts and attachments?
a) set Automated Backups to ON
b) export the master database in a supported plaintext file format
c) select target incidents and click Export
d) use the tar command

42) Where is incident data stored?
a) /var/log/demisto/
b) /var/lib/demisto/
c) /var/lib/private/
d) /usr/local/demisto/
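
Questions 39 to 42 turn on two facts: incident data and the artifacts folder live under /var/lib/demisto/, and the recommended way to back up artifacts and attachments by hand is the tar command. The following is an added worked example, not code from the study guide or from Palo Alto Networks: it does what `tar -czf` does from Python, restricts the archive's permissions, and verifies the backup by comparing SHA-256 digests of the archived files with the originals. The /var/lib/demisto path is taken from the questions; the artifacts sub-directory name, the archive naming scheme and the sample files in `demo()` are this example's own assumptions.

```python
import hashlib
import os
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List, Tuple

# Default data directory on a Cortex XSOAR server, per the study guide;
# the artifacts folder is assumed to sit beneath it.
DEFAULT_SOURCE = Path("/var/lib/demisto")


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_directory(source: Path, dest_dir: Path, name: str = "demisto-artifacts") -> Path:
    """Archive `source` as <dest_dir>/<name>-<UTC stamp>.tar.gz.

    Equivalent to: tar -czf <archive> -C <source.parent> <source.name>
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"{name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    # Attachments are case evidence: keep the archive readable only by its owner.
    os.chmod(archive, 0o600)
    return archive


def archive_members(archive: Path) -> List[str]:
    """Regular-file entries in the archive (what `tar -tzf` lists, minus directories)."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(m.name for m in tar.getmembers() if m.isfile())


def verify_backup(archive: Path, source: Path) -> bool:
    """True if every file under `source` is in the archive with an identical SHA-256."""
    expected: Dict[str, str] = {
        f"{source.name}/{p.relative_to(source).as_posix()}": _sha256_file(p)
        for p in source.rglob("*") if p.is_file()
    }
    seen = set()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            fh = tar.extractfile(member)
            if fh is None or expected.get(member.name) != hashlib.sha256(fh.read()).hexdigest():
                return False
            seen.add(member.name)
    return seen == set(expected)


def demo() -> Tuple[List[str], bool, bool]:
    """Run the backup on a constructed directory tree (sample data, not real artifacts).

    Returns (archive members, verified before a file changed, verified after it changed).
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "artifacts"
        (src / "sub").mkdir(parents=True)
        (src / "a.bin").write_bytes(b"\x00\x01sample attachment")
        (src / "sub" / "b.txt").write_text("sample evidence note")
        archive = backup_directory(src, Path(tmp) / "backups")
        members = archive_members(archive)
        ok_before = verify_backup(archive, src)
        (src / "a.bin").write_bytes(b"modified after backup")  # simulate drift or tampering
        ok_after = verify_backup(archive, src)
    return members, ok_before, ok_after


if __name__ == "__main__":
    # On a real server: backup_directory(DEFAULT_SOURCE / "artifacts", Path("/backup"))
    print(demo())
```

The verification step is the part the tar one-liner does not give you: a backup that is never read back is an assumption, not a control, and the digest comparison also doubles as an integrity check when the archive is restored on a Live Backup or replacement server.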

43) Which Live Backup configuration architecture can you deploy for disaster recovery?
a) active-active
b) active-standby
c) cold backup
d) DNS round-robin load balancing

44) Which three statements are true regarding live backup for distributed database environments? (Choose three.)
a) Live backup enables mirroring of active database servers to passive servers.
b) Active/active configuration is supported.
c) Live backup converts passive servers to the active database servers in a disaster recovery case.
d) The failover is dynamic.
e) Live backup uses a single active server and a single standby server.

45) Which installation file is required to install Live Backup on a target backup server?
a) the same file that you use to install Cortex XSOAR on a primary server
b) the Live Backup installer available on the Integrations > Agent Tools page
c) the engine installer that you download from the Integrations > Engines page
d) the live-bckp-server-xxxx.sh file that you download by use of a link sent to DR-Group members

46) How do you export all the custom content from a Cortex XSOAR instance?
a) Run a detailed content report.
b) Click Export at the bottom of the Settings > About > Troubleshooting page.
c) Use the !scp custom-all <user>@<host>:<path><file-name> command in the graphical CLI.
d) Execute with sudo privileges the send-non-vendor-files.sh script from the Linux command shell.

47) What are two limitations of multi-tenancy architectures? (Choose two.)
a) Tenants can change the definitions that were set by the main account.
b) Troubleshooting often is very complex.
c) Multi-tenancy architectures are more complex than Cortex XSOAR Enterprise server architectures.
d) There is a complete isolation between tenants.

48) Which two indicator types should have an indicator expiration applied when they are consumed from threat intel feeds? (Choose two.)
a) IP address
b) domain
c) file hash
d) ssdeep

49) What are two use cases when analyzing indicators via playbooks? (Choose two.)
a) indicator enrichment
b) pushing indicators to third-party products for enhanced alerting and detection
c) generating finished threat intelligence products
d) static analysis of malware samples

50) Which two configurations are available for threat intel feeds? (Choose two.)
a) Fetch Incidents
b) Source Reliability
c) Indicator Expiration Method
d) Incident type

51) Which Cortex XSOAR feature enables playbooks to execute against new indicators from threat intel feeds?
a) Feed Triggered Jobs
b) Mapping
c) bring your own integration
d) Export Indicators Service

52) Mapping of threat intel feeds enables which two abilities? (Choose two.)
a) assign attributes from a threat intel feed to indicator fields
b) apply transforms (e.g., Uppercase) to attributes from threat intel feeds
c) run playbooks against new indicators of compromise
d) integrate threat intel feeds into other Palo Alto Networks products, such as Cortex XDR

53) How do you change the log level?
a) Edit the /etc/demisto.conf file.
b) Use the Log Level drop-down menu on the Troubleshooting page.
c) Stop the server process and restart it with a --log-level=<value> parameter.
d) Add a custom server parameter services.log.detail with a value of 0, 1, or 2.

54) When is the basic system configuration information generated for log files in the log bundle?
a) at 00:05 for the current day
b) at the time the log bundle is requested
c) at five minutes past every hour
d) at the same time of the last automatic backup

55) Which type of deployment involves the use of one or more Cortex XSOAR engines?
a) hosted cloud
b) hybrid cloud
c) private cloud
d) public cloud

56) Which Cortex XSOAR infrastructure component do you deploy in a protected network to extend the core server’s capabilities?
a) Live Backup server
b) Engine
c) distributed database
d) dev server

57) Incidents are created in which three ways? (Choose three.)
a) manually by a privileged user
b) fetching from other products with the help of integrations
c) using the investigation canvas
d) using the REST API
e) using remote connection feature

5. Content Updates and Content Management
58) Which three types of content packs can be downloaded from Marketplace? (Choose three.)
a) playbooks
b) system settings
c) automations
d) use cases
e) integrations

59) Which type of update is included in content pack updates?
a) playbooks
b) incident data
c) core binaries for Cortex XSOAR
d) image files for the web interface

60) Which is the distribution point for content-update packages?
a) Marketplace
b) Docker Hub
c) www.demisto.com
d) support.demisto.com

61) What does the “installed” status mean for a content pack listed in the Marketplace?
a) One or more associated integrations from a content pack are in active use.
b) One or more associated content pack elements are in active use.
c) The content pack is downloaded for potential use on the local system.
d) The content pack is configured for use but could be enabled or disabled.

62) What is required to upload content update packages manually?
a) access to Docker Hub
b) use of the tar utility
c) access to the web console of the target server
d) root access to the command line on the target server

63) Which manual action can you perform by use of the Cortex XSOAR web console to support air-gapped deployments?
a) installation of Docker images
b) execution of the tar command to decompress platform-content archives
c) update of the content repository
d) download of Docker images

6. Web Interface Workflow, Dashboards, and Reports
64) Where can the entire history of group interactions involving an attack response be seen?
a) Cortex XSOAR War Room
b) Cortex XDR Incident page
c) AutoFocus
d) WildFire

65) Which is the correct search query for “incidents that are not jobs and that are not closed”?
a) -status:closed -category:job
b) Status is not closed and Category is not job
c) Status!:closed or Category!:job
d) status!=job and category!=job

66) Which incidents are displayed for the search string owner:""?
a) all incidents
b) all unassigned incidents
c) all incidents with a named owner
d) all incidents that are jobs and thus owned by the system
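
Questions 65 and 66 both test the incident search syntax: a leading minus negates a `field:value` term, adjacent terms are ANDed, and `owner:""` selects incidents whose owner field is empty, that is, unassigned incidents. The following is an added worked example, not code from the study guide or from Palo Alto Networks, that evaluates those two queries over a handful of constructed incidents. It models only the subset of the syntax the two questions use (negation, implicit AND, empty-string values, case-insensitive equality) and is a teaching aid, not the server's query engine; the sample incidents and field values are this example's own.

```python
from typing import Dict, List, Tuple

# Constructed sample incidents (not real data). Real incidents carry many more
# fields; these are the ones the two queries touch.
INCIDENTS: List[Dict[str, str]] = [
    {"id": "1", "status": "Active", "category": "", "owner": "alice"},
    {"id": "2", "status": "Closed", "category": "", "owner": "bob"},
    {"id": "3", "status": "Active", "category": "job", "owner": ""},
    {"id": "4", "status": "Pending", "category": "", "owner": ""},
    {"id": "5", "status": "Closed", "category": "job", "owner": "DBot"},
]

# (negated, field, value)
Term = Tuple[bool, str, str]


def parse_query(query: str) -> List[Term]:
    """Parse whitespace-separated `[-]field:value` terms.

    Simplified model of the Incidents page search syntax: a leading '-'
    negates a term, terms are ANDed, and a double-quoted empty value ("")
    means "the field is empty". Anything else (bare words such as 'or',
    'and' or 'not', or a '!=' operator) is rejected rather than silently
    ignored, so a malformed query fails loudly instead of matching everything.
    """
    terms: List[Term] = []
    for token in query.split():
        negated = token.startswith("-")
        body = token[1:] if negated else token
        if ":" not in body:
            raise ValueError(f"unsupported term {token!r}: expected field:value")
        field, value = body.split(":", 1)
        terms.append((negated, field.lower(), value.strip('"')))
    return terms


def matches(incident: Dict[str, str], terms: List[Term]) -> bool:
    """True when every term holds for the incident (a missing field counts as empty)."""
    for negated, field, value in terms:
        hit = incident.get(field, "").lower() == value.lower()
        if hit == negated:  # a positive term that missed, or a negated term that hit
            return False
    return True


def search(incidents: List[Dict[str, str]], query: str) -> List[str]:
    """IDs of the incidents the query selects, in table order."""
    terms = parse_query(query)
    return [inc["id"] for inc in incidents if matches(inc, terms)]


if __name__ == "__main__":
    print(search(INCIDENTS, "-status:closed -category:job"))  # open, non-job incidents
    print(search(INCIDENTS, 'owner:""'))                      # unassigned incidents
```

Running it shows why option a) of question 65 is the answer: `-status:closed -category:job` keeps incidents 1 and 4 (not closed, not jobs), whereas the distractors with `or`, `!:` or `!=` are not of the `field:value` form and are rejected by the parser. `owner:""` returns incidents 3 and 4, the ones with no owner, which is question 66's "all unassigned incidents".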

67) Which permission is required for the display of Dashboard widgets?
a) read permission for investigation data
b) read/write permission for investigations
c) page-access permission for the Reports page
d) read/write permission for the Reports page

68) Which two options describe dashboard widgets? (Choose two.)
a) A widget’s display layout cannot be changed.
b) A widget’s time frame can be edited.
c) A widget’s data query can be set.
d) A widget’s size cannot be set.

69) How do you specify the data to use in a widget applied to a dashboard or a report?
a) enter a custom or an out-of-the-box automation script
b) select one or more incident fields from drop-down menus
c) drag and drop data fields, filtered by the context of the widget
d) use the same query syntax that is supported on the Incidents page

70) If disk use is 45%, which color is the disk status indicator on the System Health dashboard?
a) green
b) yellow
c) red
d) black

71) Which two statements are true regarding pre-configured system reports? (Choose two.)
a) cannot be directly modified
b) can be modified by creating a copy
c) cannot be exported
d) cannot be run by an analyst directly

Answers to Sample Questions
1. b
2. d
3. a
4. d
5. b
6. c
7. c
8. a, d
9. a
10. a, b
11. a
12. a
13. d
14. b
15. a, b, d
16. a, d
17. b
18. c, d
19. a, d
20. d
21. b
22. a
23. d
24. a, c
25. c
26. c
27. d
28. a
29. a
30. c
31. a
32. b
33. d
34. c
35. a
36. d
37. b, c
38. a
39. c
40. c
41. d
42. b
43. b
44. a, c, e

45. a
46. b
47. b, d
48. a, b
49. a, b
50. b, c
51. a
52. a, b
53. b
54. b
55. b
56. b
57. a, b, d
58. a, c, e
59. a
60. a
61. c
62. c
63. c
64. a
65. a
66. b
67. a
68. b, c
69. d
70. a
71. a, b
