PCSAE Exam Blueprint Guide

Uploaded by

mdaasif7120

Palo Alto Certified Security Automation Engineer (PCSAE)

Exam Blueprint

Domain Weight (%)


Playbook Development 27%
Incident Objects 13%
Automations, Integrations, and Related Concepts 18%
Content Management and Solution Architecture 17%
UI Workflow, Dashboards, and Reports 13%
Threat Intel Management 12%

Domain 1 Playbook Development 27%

Task 1.1 Reference and manipulate context data to manage automation workflow

Task 1.2 Summarize inputs, outputs, and results for playbook tasks

Task 1.3 Configure inputs and outputs for subplaybook tasks

Task 1.4 Enable and configure looping on a subplaybook

Task 1.5 Differentiate among playbook task types

1.5.1 Manual

1.5.2 Automated

1.5.3 Conditional

1.5.4 Data collection

1.5.5 Subplaybook

Task 1.6 Apply filters and transformers to manipulate data

Task 1.7 Apply the playbook debugger to aid in developing playbooks

Domain 2 Incident Objects 13%

Task 2.1 Configure incident types

Task 2.2 Identify the role of an incident type within the incident lifecycle

Task 2.3 Configure an incident layout

2.3.1 Fields and buttons

2.3.2 Tabs

2.3.3 New/Edit and Close Forms

Task 2.4 Summarize the function, capabilities, and purpose of incident fields

Task 2.5 Configure classifiers and mappers

Domain 3 Automations, Integrations, and Related Concepts 18%

Task 3.1 Define the capabilities of automation across XSOAR functions

3.1.1 Playbook tasks

3.1.2 War room

3.1.3 Layouts (dynamic sections, buttons)

3.1.4 Jobs

3.1.5 Field trigger scripts

3.1.6 Pre/post-processing

Task 3.2 Differentiate between automations, commands, and scripts

Task 3.3 Interpret and modify automation scripts

© 2022 Palo Alto Networks | Palo Alto Networks Certified Security Automation Engineer (PCSAE) Blueprint | Confidential and Proprietary

3.3.1 Script helper

3.3.2 Script settings

3.3.3 Language types

3.3.4 Script text

Task 3.4 Identify the properties and capabilities of the XSOAR framework for integration

Task 3.5 Configure and manage integration instances

Domain 4 Content Management and Solution Architecture 17%

Task 4.1 Apply marketplace concepts for the management of content

4.1.1 Searching in marketplace

4.1.2 Installation and updates

4.1.3 Dependencies

4.1.4 Version history

4.1.5 Partner supported versus XSOAR supported

4.1.6 Submitting content to the marketplace

Task 4.2 Apply general content customization and management concepts

4.2.1 Custom versus system content

4.2.2 Duplicating content

4.2.3 Importing/exporting custom content

4.2.4 Version control

Task 4.3 Manage local changes in a remote repository (dev-prod) configuration

Task 4.4 Describe the components of the XSOAR system architecture

4.4.1 System hardware requirements

4.4.2 Remote repositories (dev-prod)

4.4.3 Engines

4.4.4 Multitenancy

4.4.5 Elasticsearch/HA

4.4.6 Docker

Task 4.5 Describe the incident lifecycle within XSOAR

Task 4.6 Define the capabilities of RBAC

4.6.1 Page access

4.6.2 Integration permissions

4.6.3 Incident tabs (layout specification)

4.6.4 Automation permissions

4.6.5 Incident viewing permissions by role

Task 4.7 Identify the troubleshooting tools available to obtain more diagnostic information

4.7.1 Log bundles

4.7.2 Integration testing

Task 4.8 Identify options available for performance tuning

4.8.1 Ignore output

4.8.2 Quiet mode

Task 4.9 Monitor system health using the System Diagnostics page

Domain 5 UI Workflow, Dashboards, and Reports 13%

Task 5.1 Identify methods for querying data

5.1.1 Indicators

5.1.2 Incidents

5.1.3 Dashboards

5.1.4 Global search

Task 5.2 Summarize the workflow elements used during an investigation

5.2.1 Layouts

5.2.2 War Room

5.2.3 Work Plan

5.2.4 Evidence Board

5.2.5 Actions menu

Task 5.3 Interact with layouts for incident management

5.3.1 Sections

5.3.2 Fields

5.3.3 Buttons

Task 5.4 Summarize tools used for managing incidents

5.4.1 Bulk incident actions

5.4.2 Table view versus summary view

5.4.3 Table settings

Task 5.5 Identify the capabilities of existing dashboards and reports


Task 5.6 Summarize what information can be created, edited, or shared within dashboards and reports

Task 5.7 Summarize the capabilities of widget builder

Domain 6 Threat Intel Management 12%

Task 6.1 Identify the parameters available for configuring indicator objects

6.1.1 Layouts and types

6.1.2 Fields

6.1.3 Reputation scripts and commands

6.1.4 Expiration

Task 6.2 Generate threat intel reports

Task 6.3 Describe the features of the Threat Intel page

6.3.1 Unit 42 intel feature

6.3.2 XSOAR indicators

6.3.3 Export/import capabilities

Task 6.4 Configure threat intel feed integrations

Task 6.5 Identify the options available to auto extract

6.5.1 Exclusion list

6.5.2 Playbook auto extract

6.5.3 Regex for auto extract

6.5.4 System defaults

6.5.5 Extraction settings for incident types
