Palo Alto Networks

PCSAE
Study Guide

May 2021
Palo Alto Networks, Inc.

www.paloaltonetworks.com

© 2021 Palo Alto Networks – all rights reserved.

Aperture, AutoFocus, GlobalProtect, Palo Alto Networks, PAN-OS, Panorama, Traps, and WildFire are trademarks of Palo Alto Networks, Inc. All other
trademarks are the property of their respective owners.

PALO ALTO NETWORKS: PCSAE Study Guide 2

Table of Contents

Palo Alto Networks PCSAE Study Guide 5

Overview .............................................................................................................................................................5
Exam Format .....................................................................................................................................................5
How to Take This Exam ................................................................................................................................6
Preparation Resources ..................................................................................................................................6
Exam Domains and Objectives 7
1 Playbook Development .............................................................................................................................7
1.1 Conceptualize context data ........................................................................................................ 7
1.2 Summarize the difference between inputs, outputs, and results for playbook tasks ................. 9
1.3 Outline how to use loop sub-playbooks .................................................................................... 17
1.4 Differentiate between playbook task types ............................................................................... 18
1.5 Use filters and transformers to manipulate data ....................................................................... 21
2 Incident Types, Indicator Types, Layouts, and Fields ................................................................ 24
2.1 Compare and contrast the different incident types ................................................................... 24
2.2 Outline the different layout types .............................................................................................. 30
2.3 Compare and contrast the different indicator types.................................................................. 35
2.4 Summarize field types, associated capabilities, and purpose .................................................. 40
3 Automations and Integration and Related Concepts ................................................................. 44
3.1 Use automations to respond to incidents ................................................................................. 44
3.2 Outline integration concepts ..................................................................................................... 54
3.3 Configure integration instances ................................................................................................ 59
4 Solution Architecture .............................................................................................................................. 61
4.1 Describe the components of the Cortex XSOAR system architecture ..................................... 61
4.2 Assess system architecture and outline scalability opportunities............................................. 69
4.3 Create incidents using Cortex XSOAR ..................................................................................... 73
5 Content Updates and Content Management .................................................................................. 75
5.1 Outline Marketplace concepts .................................................................................................. 75
5.2 Apply custom content and manage content updates ............................................................... 79

PALO ALTO NETWORKS: PCSAE Study Guide 3

 6 Web Interface Workflow, Dashboards, and Reports .................................................................. 86
6.1 Navigate the web interface and query system data ................................................................. 86
6.2 Summarize the workflow elements used during an investigation............................................. 90
6.3 Create dashboards and reports ................................................................................................ 93
6.4 Apply the appropriate widget type ............................................................................................ 97
Sample Questions 99
Answers to Sample Questions 114

PALO ALTO NETWORKS: PCSAE Study Guide 4

Palo Alto Networks PCSAE Study Guide
Welcome to the Palo Alto Networks PCSAE Study Guide. The purpose of this guide is to help you prepare
for your Palo Alto Networks Certified Security Automation Engineer (PCSAE) exam and achieve your
PCSAE credential.

Overview

The PCSAE program is a formal, third-party-proctored certification. Success on the PCSAE exam shows
that you possess the in-depth skills and knowledge to develop playbooks, manage incidents, create
automations and integrations, and demonstrate the highest standard of deployment methodology and
operational best practices associated with Palo Alto Networks Cortex XSOAR. The exam is not intended
to trick you with its questions or to test obscure detail. However, a nuanced understanding, and the
ability gained through significant experience to make subtle technical distinctions, will help you make
better answer choices.

More information is available from the Palo Alto Networks public page at:
https://www.paloaltonetworks.com/cortex/xsoar

Cortex XSOAR technical documentation is located at:

https://docs.paloaltonetworks.com/cortex/cortex-xsoar.html

Exam Format

The test format is 85 multiple-choice items. Candidates will have five minutes to complete the non-
disclosure agreement (NDA), 80 minutes (1 hour, 20 minutes) to complete the questions, and five
minutes to complete a survey at the end of the exam.

The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in the
following table.

This exam is based on Cortex XSOAR 6.1.

PALO ALTO NETWORKS: PCSAE Study Guide 5

 Exam Domain Weight (%)

Playbook Development 25%

Incident Types, Indicator Types, Layouts, and Fields 20%

Automations and Integrations and Related Concepts 20%

Solution Architecture 15%

Content Updates and Content Management 10%

Web Interface Workflow, Dashboards, and Reports 10%

Total 100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit:
https://home.pearsonvue.com/paloaltonetworks

Preparation Resources

The document is a compilation of key resources to guide exam preparation. These resources cover the
material designated by the exam objectives. To study efficiently, focus on the suggested topics listed for
each resource. Be sure that you have a clear and complete understanding of these topics before you
take the exam.

PALO ALTO NETWORKS: PCSAE Study Guide 6

Exam Domains and Objectives

1 Playbook Development

1.1 Conceptualize context data

Context data is all the data gathered. Every incident and playbook has a place to store data called the
context. It stores the results from every integration command and every automation script that is run.

1.1.1 Query and use context data

The context is a map or key-value pair dictionary, the values of which can nest additional structures. A
context is a JSON-formatted object that is created for each incident.

The context keys are strings, and the values can be strings, numbers, objects, or arrays. The context’s
primary use is to pass data between playbook tasks; one task stores its output in the context, and the
other task reads that output from the context and uses it.

The output result is stored into the JSON context in the incident or the playground, whether you run an
integration command from the CLI or a playbook task. For example, a command such as !whois
query="paloaltonetworks.com" would return the data and store the results into the context.

Another use is to capture the important structured data from automations and display that data in the
incident summary.

PALO ALTO NETWORKS: PCSAE Study Guide 7

References

• https://xsoar.pan.dev/docs/integrations/context-and-outputs

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/extend-
context.html

1.1.2 Differentiate between public and private concepts

Sub-playbooks should be discussed before public (or global) and private concepts are explained. Sub-
playbooks are playbooks that can be nested into other playbooks, which are referred to as parent
playbooks. Because sub-playbooks are building blocks that preferably will be usable in other playbooks
and use cases, you should define generic inputs for them.

Inputs can be passed into sub-playbooks from the parent playbook, used and processed in the sub-
playbook, and sent as output to the parent playbook.

The context of a sub-playbook can be either private or global.

You can use private context when you want the content to be affected only by the inputs that this sub-
playbook receives, not by outside changes.

Global context is for when the context in the parent playbook should be considered and accessed. Note
that a change made to a sub-playbook will impact the parent playbook at the next run of the parent
playbook.

PALO ALTO NETWORKS: PCSAE Study Guide 8

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/playbook-development.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/configure-a-sub-playbook-loop.html

1.2 Summarize the difference between inputs, outputs, and results for playbook
tasks
Depending on the task type you select and the script you are running, playbook tasks have inputs. Inputs
are data pieces that are present in the playbook or task. The inputs are often manipulated or enriched,
and they produce outputs. Outputs are the objects whose entries will serve the tasks throughout the
playbook, and they can be derived from the result of a task or command.

1.2.1 Describe inputs and outputs for playbook tasks

The inputs might come from the incident itself, such as the role to which to assign the incident, or input
can be provided by integration—for example, when an Active Directory integration is used in a task to
extract a user’s credentials.

PALO ALTO NETWORKS: PCSAE Study Guide 9

The following graphics show a playbook that is triggered based on context data, meaning an incident.
The first two inputs are the SrcIP, which comes from the incident.src key, and DstIP, which is retrieved
from incident.dest.

The playbook itself creates output objects whose entries will serve the tasks throughout the playbook.

Outputs can be data that was extracted or derived from the inputs. For example, the following images
show the user’s credentials being retrieved from Active Directory. Those credentials will be used to get
the user’s account name, email address, and any groups to which they belong.

PALO ALTO NETWORKS: PCSAE Study Guide 10

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/playbook-tasks.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/playbook-inputs-and-outputs.html

1.2.2 Describe inputs and outputs for sub-playbooks

Playbooks can be divided into two categories, depending on their use. Technically, they are the same,
but in terms of use, there are some differences.

“Parent” playbooks are playbooks that run as the main playbook of an incident. The other type is “sub-
playbooks,” which are just playbooks that are being called by another playbook.

Sub-playbooks are playbooks that can be nested into other playbooks, which are referred to as parent
playbooks. They appear as tasks in the flow and have a book icon, but they can contain a whole
playbook.

Examples of parent playbooks are “Phishing Investigation - Generic v2” or “Endpoint Malware
Investigation – Generic” because an incident starts with them. Examples of sub-playbooks are IP
“Enrichment - Generic v2” or “Retrieve File From Endpoint – Generic” because they are steps taken as
part of the bigger investigation.

PALO ALTO NETWORKS: PCSAE Study Guide 11

Because sub-playbooks are used as part of a bigger investigation, they should have inputs and outputs.
Ensure that the data you want to get from a sub-playbook is defined in its outputs, so that it can be used
outside of that playbook. Because sub-playbooks are building blocks that preferably will be usable in
other playbooks and use cases, you should define generic inputs for them.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/configure-a-sub-playbook-loop.html

• https://xsoar.pan.dev/docs/playbooks/playbook-contributions

1.2.3 Configure playbooks using the web interface (e.g., box of text that you fill in)

Cortex XSOAR has an advanced web-based interface that allows you to create playbooks easily. To
create a playbook, navigate to the Playbooks tab in Cortex XSOAR and click New Playbook:

Ensure that all third-party products and services you need for the playbook are configured and enabled
for your playbook to work properly. These products and services can be set under Settings >
Integrations > Servers & Services.

PALO ALTO NETWORKS: PCSAE Study Guide 12

Playbooks run commands that are found in both an integration and scripts. Playbooks comprise tasks,
each of which performs a specific action. Tasks are either manual or automatic. Manual tasks are actions
that are not associated with scripts. Automated tasks are associated with scripts written in Python or
JavaScript. A key feature of playbooks is the ability to structure and automate security responses
previously handled manually. You can reuse playbook tasks as building blocks for new playbooks, thus
saving you time and streamlining knowledge retention.

A task is a step or building block of a playbook that specifies an action within the playbook sequence. A
task can be extracting an IP address from a suspected phishing email, checking reputation, sending an
email, calling a manager, etc. A new task can be added to an existing playbook, or a series of tasks can
be connected to create a new playbook.

Cortex XSOAR provides a Task Library, which is a library of predefined tasks that you can reuse or edit in
your playbooks, depending on your needs:

PALO ALTO NETWORKS: PCSAE Study Guide 13

To add a new task from the Task Library, you can locate or search for the task. Tasks are arranged in
three tabs:

• Automation, where tasks are arranged by the integrations they serve. You can scroll through the
integrations list and expand it to see the tasks by clicking the +. You can search for a task by name,
tag, or keyword in the search box above the list of integrations.

• Manual Tasks, where tasks are listed that are done manually by a user and are not automated. You
can group these tasks by playbook, the playbook they are used in, or by name for an alphabetical
list.

• Playbooks, where existing playbooks can be found and dragged into the new playbook to be used as
sub-playbooks. You should create small playbooks for the procedures used frequently so that they
can be called easily. Cortex XSOAR provides many predefined playbooks you can either use as is or
copy and customize to your needs.

To create a new task, either click + Create Task or drag off a line from the default section header
Playbook Triggered:

For a new task, you can choose three different types: standard, conditional, and data collection.

PALO ALTO NETWORKS: PCSAE Study Guide 14

References

• https://xsoar.pan.dev/docs/playbooks/playbooks

1.2.4 Read, troubleshoot, and respond to error conditions

You should read, troubleshoot, and respond to error conditions while you are developing or using
playbooks. The Cortex XSOAR interface has a Work Plan feature that enables you to monitor and
manage a playbook workflow and add new tasks to customize the playbook to a specific investigation.

The use of color coding and symbols in the Work Plan helps you to understand the status of a task. The
color coding enables you to easily troubleshoot errors or respond to manual steps in the Work Plan. The
following table shows the color codes and their meanings:

PALO ALTO NETWORKS: PCSAE Study Guide 15

If you want to manage overdue tasks highlighted in orange and the tasks that threw an error highlighted
in red, click the task to open the Task Details window, where you can view and define the details:

While you create playbooks, you should have an environment in which to test automation scripts, APIs,
and commands. You can use the playground as the nonproduction environment to safely test and
develop. You also can use the playground to test integration commands, automations, and other tools
from the Cortex XSOAR CLI.

To erase a playground and create a new one, run the /playground_create command in the Cortex
XSOAR CLI.

References

• https://xsoar.pan.dev/docs/integrations/test-playbooks

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/work-plan

PALO ALTO NETWORKS: PCSAE Study Guide 16

1.3 Outline how to use loop sub-playbooks

1.3.1 Differentiate between the three different loop types of playbooks

You configure when to exit the loop by selecting one of the following options:

• For Each Input: The loop will exit automatically when the array it is looping over executes the last
item in the array. Note the following:

• If the input is a single item, the sub-playbook will run one time. However, if the input is a list of
items, the sub-playbook will run as many times as there are items in the list. Each iteration of
the sub-playbook will use the next item in the list as the input.

• If there are multiple input lists with the same number of items, then the sub-playbook will run
once for each input set. For example, if you have “input1” and “input2”, “input1[i]” will run with
“input2[i]”.

• If there are multiple input lists with different numbers of items, the sub-playbook will run once
for each item in the input that has the greater number of items. When the input with fewer
items reaches its last item, the subsequent runs will continue to use the last item in the shorter
list until all items in the largest list have run.

• Built-in or Choose Loop automation: The loop will exit based on a condition. The playbook will not
loop through the inputs, but it will take the inputs as a whole.

PALO ALTO NETWORKS: PCSAE Study Guide 17

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/configure-a-sub-playbook-loop.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/configure-a-sub-playbook-loop/sub-playbook-tutorial.html

1.4 Differentiate between playbook task types

You have three different playbook types to use when you create playbooks.

1.4.1 Differentiate between manual, automatic, and conditional playbook tasks

When you create a new task, you have three different types to choose from: standard, conditional, and
data collection.

Standard tasks are used for classic manual or script-based tasks, such as closing an investigation,
escalating to another analyst, or using a script to enrich data.

Conditional tasks can be selected for decision trees or communicating with users through an Ask task.
Conditional tasks are used for determining different paths for your playbook. You can use conditional
tasks for something simple, such as proceeding if a particular integration exists or determining whether
a user account has an email address.

Data collection tasks can be selected for surveying users. Data collection tasks are multiquestion surveys
or forms that survey recipient access from a link in the message. The survey resides on an external site
that does not require authentication, thereby allowing survey recipients to respond without restriction.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/playbook-tasks.html

PALO ALTO NETWORKS: PCSAE Study Guide 18

1.4.2 Gather, analyze, and evaluate data to make decisions about specific playbook
task types

Ask task: Communication tasks enable you to send surveys to users, both internal and external, to
collect data for an incident. The collected data can be used for incident analysis and also as input for
subsequent playbook tasks.

For example, you might want to send a single-question (standalone) survey to determine how an issue
was handled:

Because this task is conditional, remember to create a condition for each answer. For example, if the
survey answers include Yes, No, and Maybe, there should be a corresponding condition (path) in the
playbook for each of these answers.

PALO ALTO NETWORKS: PCSAE Study Guide 19

Your single-question survey will look like the following:

Data Collection Task: When you need to survey recipients with multiquestion forms, use data collection
tasks. The survey is hosted on an external site. All responses are collected and recorded in the incident’s
context data, whether you receive responses from a single user or multiple users. It thus enables you to
use the survey questions and answers as input for subsequent playbook tasks:

PALO ALTO NETWORKS: PCSAE Study Guide 20

Your multiquestion survey on the web form will look like the following:

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/playbook-tasks/communication-tasks.html

1.5 Use filters and transformers to manipulate data

In Cortex XSOAR, data is extracted and collected from various sources, such as playbook tasks, command
results, and fetched incidents, and it is presented in JSON format. The data can be manipulated by using
filters and transformers.

1.5.1 Explain the difference between filters and transformers

You can add filters and transformers in a playbook task or when mapping an instance.

Filters enable you to extract relevant data that you can use elsewhere in Cortex XSOAR. For example, if
an incident has several files with varying file types and extensions, you can filter the files by file
extension or file type and use the filtered files in a detonation playbook.

PALO ALTO NETWORKS: PCSAE Study Guide 21

Transformers enable you to take one value and transform or render it to another value—for example,
converting a date in non-Unix format to Unix format. Another example is applying the count
transformer, which renders the number of elements.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/filters-and-transformers.html

1.5.2 Identify when filtering and transforming data is required

You can create filters and transformers to manipulate context data when adding or editing a task in a
playbook or when mapping an instance.

You can filter as many nested objects as required. Cortex XSOAR automatically calculates the context
root to which to filter. For example, if you want to work with file extensions, Cortex XSOAR calculates
context root as File.Extension:

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/filters-and-transformers/create-filters-and-transformers.html

PALO ALTO NETWORKS: PCSAE Study Guide 22

1.5.3 Specify and explain different options of filters and transformers:

Filters enable you to extract relevant data for use elsewhere in Cortex XSOAR. For example, if an
incident has several files with varying file types and extensions, you can filter the files by file extension
or file type and use the filtered files in a detonation playbook.

Filter categories are as follows:

• Boolean: Determines whether a Cortex XSOAR field is true or false, or whether the string
representation is true or false

• Date: Determines whether the left-side time value is earlier than, later than, or the same time as the
right-side time value. Different time and date formats are supported. For a detailed table, see the
references.

• General: Includes general filters such as contains, doesn’t contain, in, and empty

• String: Determines the relationship between the left-side string value and the right-side string value,
such as starts with, includes, and in list. The string filter returns partial matches as true.

• Number: Determines the relationship between the left-side number value and the right-side
number value, such as equals, greater than, and less than.

• Unknown: Miscellaneous filter category

Transformers enable you to take one value and transform or render it to another value. When you have
more than one transformer, you can reorder them by clicking and dragging them.

Transformer categories are as follows:

• Date: Transforms the date. For example, Date to string and Date to unix

• General: Includes general transformers such as join, sort, splice, and stringify

• String: Transforms strings. To make regex non-sensitive to case, use the (?i) prefix—for example,
(?i)yourRegexText.

• Number: Transforms a number—for example, round, absolute, and to percent

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/filters-
and-transformers/filter-operators.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/playbooks/filters-
and-transformers/transformers-operators.html

PALO ALTO NETWORKS: PCSAE Study Guide 23

2 Incident Types, Indicator Types, Layouts, and Fields

2.1 Compare and contrast the different incident types

Incident types are used to classify the events that are ingested into the Cortex XSOAR system. Each
incident type can be configured to work with a dedicated playbook, which can run either automatically
when an event is ingested or when triggered separately at a later point. You also can configure
dedicated service-level agreement (SLA) parameters for each incident type and run specific post-
processing scripts for the given incident type.

PALO ALTO NETWORKS: PCSAE Study Guide 24

2.1.1 Outline the capabilities, functions, and features related to each incident type

After you define the incident type, you can configure its layout using the Cortex XSOAR embedded
Incident Layout Builder. For example, analysts will be interested in different information when
investigating a phishing incident versus a ransomware incident. You can customize the layout for each
incident to be presented with exactly the information the analysts need. In a phishing incident example,
that information might include the email headers and the email body, whereas for the ransomware, the
information would be the family to which the ransomware belongs.

After configuring the layout for the incident type, you must map the different incident types that your
organization handles and the third-party integrations you have. For example, Cortex XSOAR comes with
ready-to-use incident types for phishing attacks. If you work with a different phishing integration
product, you can define an incident type specifically for those events. When you configure your phishing
product integration, you will associate it with your phishing product’s new incident type, which probably
also will have a dedicated phishing playbook.

PALO ALTO NETWORKS: PCSAE Study Guide 25

As is the case with the fields, definition of incident types should be an iterative process. As you plan your
deployment and begin working with your system, you will learn which incident types are missing. You
then can add the new incident types to your system and fine-tune the entire incident-ingestion process.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management.html

• https://xsoar.pan.dev/docs/incidents/incident-types

PALO ALTO NETWORKS: PCSAE Study Guide 26

2.1.2 Summarize the relationship between external data and the Cortex XSOAR
incident type

You can define integrations with your third-party security and incident-management vendors. You then
can trigger events from these integrations to get their external data to become incidents in Cortex
XSOAR. The external data can include potential phishing emails, authentication attempts, and security
information and event management (SIEM) events.

You can either poll or fetch third-party integration instances for the events to turn them into Cortex
XSOAR incidents that trigger automations.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/fetch-incidents-from-an-integration-instance.html

• https://xsoar.pan.dev/docs/incidents/incident-types

2.1.3 Assess the consequences of miscategorized incident types

While polling integration instances, events received from integrations need to be mapped to Cortex
XSOAR incident types. For example, Cortex might generate alerts from Cortex XDR, which you would
classify according to the information in those events either as a dedicated XDR incident type or maybe
an Authentication or Malware incident type. Also, you might have EWS configured to ingest both
phishing and malware alerts, which you want to classify to their respective incident types based on
some information in the event. When you classify the events as different incident types, you can process
them with different playbooks suited to their requirements.

If you cannot properly classify and map a step, wrong automations and playbooks can trigger, and
outputs and the whole investigation process will suffer.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/classification-and-mapping.html

PALO ALTO NETWORKS: PCSAE Study Guide 27

2.1.4 Describe how to leverage machine learning in Cortex XSOAR

Machine learning models enable Cortex XSOAR to analyze and predict behavior through incident types
and fields. The model uses past incidents that have already been classified to classify incoming events
automatically.

Machine learning models are used mainly for phishing incidents. You can train the models to
automatically recognize phishing emails, emails that are legitimate, and those that contain spam, among
other examples.

As you create a machine learning model, you must select the correct fields in the field-mapping phase to
map the verdicts for malicious, legitimate, and spam emails.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/machine-learing-
models/machine-learning-models-overview.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/machine-learing-
models/create-a-machine-learning-model/machine-learning-model-example.html

2.1.5 Schedule a job to create a new incident to run a playbook

You can create scheduled events in Cortex XSOAR using jobs. Jobs are triggered by either time-triggered
events or feed-triggered events.

For example, you can define a feed-triggered job to trigger a playbook when a specified threat
intelligence management (TIM) feed finishes a fetch operation for new indicators. Or you can schedule a
time-triggered job that runs nightly and removes expired indicators.

You can use the jobs feature for the following cases:

• Analyze from feeds.

• Batch processing data.
• Detect information.
• Schedule process to move from folder to list for use.
• Push indicator to SIEM products.

PALO ALTO NETWORKS: PCSAE Study Guide 28

Reference

• https://xsoar.pan.dev/docs/incidents/incident-jobs

PALO ALTO NETWORKS: PCSAE Study Guide 29

2.2 Outline the different layout types
The two different layout types are incident layouts and indicator layouts. Layouts are used to show you
the required information in different views and tabs.

For a phishing incident, you will want to see email headers, which would not be relevant for an access
incident or a file hash indicator; you might want to count how many times this hash is found in related
incidents.

2.2.1 Summarize the purpose of each layout type

2.2.1.1 Incident layouts

You must build or customize the layout to ensure that you see the information relevant to the incident
type.

You can customize almost every aspect of the layout, including the following:

• Which tabs appear

• The order in which the tabs appear

• Who has permission to view the tabs

• Which information appears and how is it displayed

PALO ALTO NETWORKS: PCSAE Study Guide 30

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/customize-incident-view-layouts/customize-incident-layouts.html

2.2.1.2 Indicator layouts

You must build or customize the layout to ensure that you see the information relevant to the indicator
type.

You can customize almost every aspect of the layout, including the following:

• Which tabs appear

• The order in which the tabs appear

• Who has permission to view the tabs

• Which information appears and how it is displayed

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/customize-indicator-view-layouts/customize-an-indicator-type-
layout.html

PALO ALTO NETWORKS: PCSAE Study Guide 31

2.2.2 Specify the different incident layout special sections

You can add dynamic sections to a layout, such as a graph of the number of bad indicators, their source,
and severity. You also can use queries to filter the information in the dynamic section to fit your exact
needs.

When you start to create or edit an incident layout by using Incident Layout Builder, you can use the
Library feature to add ready-to-use Sections, Fields and Buttons, and Tabs.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/customize-incident-view-layouts/customize-incident-layouts.html

PALO ALTO NETWORKS: PCSAE Study Guide 32

2.2.3 Summarize the main layout options

For incident layouts, each incident type has a unique set of data relevant to that specific incident type.
You must display the most relevant data for users at all the incident lifecycle stages.

The following views display for each incident type:

• Incident Summary

• “New”/“Edit” Form

• “Close” Form

• Incident Quick View

• Mobile

There are Cortex XSOAR system layout sections and fields that you cannot remove, but you can
rearrange them in the layout and modify their queries and filters:

For indicator layouts, each indicator type has a unique set of data relevant to that specific indicator type.
You must display the most relevant data for users.

PALO ALTO NETWORKS: PCSAE Study Guide 33

For each indicator type, there are two views:

• Indicator Summary

• Quick View

You can customize how the information is displayed for existing indicators by modifying the sections and
fields for each view. You can access the indicator quick view when you click an indicator on an incident
page or the canvas:

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/customize-incident-view-layouts.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-1/cortex-xsoar-threat-intel-management-
guide/manage-indicators/understand-indicators.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-investigation.html

PALO ALTO NETWORKS: PCSAE Study Guide 34

2.3 Compare and contrast the different indicator types

2.3.1 Outline the capabilities, functions, and features related to each indicator type

Indicators are artifacts associated with incidents and are an essential part of the incident management
and remediation process. Indicators help to correlate incidents, create hunting operations, and enable
you to quickly analyze incidents and reduce mean time to recovery (MTTR).

Cortex XSOAR includes an indicator repository, which collects and correlates indicators across all
incidents, alerts, and feeds flowing into Cortex XSOAR.

The indicators are categorized by type; the type determines the indicator layout fields displayed and
which scripts are run on indicators of that type. The system-level (out-of-the-box) indicator types
include:

• IP Address
• Registry Path Reputation
• File
• Email
• Username
• Hostname
• Domain
• File Enhancement Scripts
• CVE CVSS Score

You can easily create custom indicator types by using the Settings > Advanced > Indicator Types > New
Indicator Type button.

If you need to customize the default indicators, select the indicator to activate the Edit link on top of the
table. Click Edit and use the Custom Fields tab to customize it.

PALO ALTO NETWORKS: PCSAE Study Guide 35

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators.html

PALO ALTO NETWORKS: PCSAE Study Guide 36

2.3.2 Explain how data is mapped to an indicator

When you add an indicator type, you add regex, formatting, enhancement, and reputation scripts.
Regex is the regular expression by which to identify indicators for this indicator type:

Enhancement scripts are the scripts to run on an identified indicator—for example, a script that runs a
search in a SIEM for the indicator. After indicators are identified, you can go to the Indicator Quick
View, click the Actions button, and run an enhancement script directly on an indicator. These scripts
need the enhancement tag before they can be available in the drop-down menu.

Reputation scripts are the user-created scripts that either override the Cortex XSOAR command
algorithm or run on top of the data returned from the command. This script’s output is a reputation
score, which is used as the basis for the indicator reputation.

PALO ALTO NETWORKS: PCSAE Study Guide 37

You use custom fields to map the required fields to the indicators. There is an option to load an
Indicator Sample to create the custom fields from the sample.

References
• https://xsoar.pan.dev/docs/concepts/concepts#indicators-and-indicator-types

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/indicator-fields/map-indicator-custom-fields

PALO ALTO NETWORKS: PCSAE Study Guide 38

2.3.3 Define criteria for exclusion list entries

Indicators added to the exclusion list are ignored by the system and are not considered indicators. You
still can manually enrich IP addresses and URLs on the exclusion list, but the results are not posted to
the War Room.

You can add indicators to the exclusion list in several ways.

You can select one or more indicators from the Indicators table and click the Delete and Exclude button.
The indicators are deleted from the Indicators table and added to the exclusion list. You can associate
these indicators with one or more indicator types.

You can manually add a single indicator or define indicators using a regex or Classless Inter-Domain
Routing (CIDR) from the Exclusion List page:

• Regex: A regular expression enables you to identify a sequence of characters in an unknown string.
The following example would identify www.paloaltonetworks.com: [A-Za-z0-
9!@#$%\.&]*demisto[A-Za-z0-9!@#$%\.&]*.

• CIDR: Classless Inter-Domain Routing (CIDR) enables you to define a range of IP addresses. For
example, 192.168.100.14/24 represents the IPv4 address 192.168.100.14 and its associated routing
prefix 192.168.100.0, or equivalently, its subnet mask 255.255.255.0, which has 24 leading 1-bits.
The IPv4 block 192.168.100.0/22 represents the 1,024 IPv4 addresses from 192.168.100.0 to
192.168.103.255.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/exclusion-list.html

PALO ALTO NETWORKS: PCSAE Study Guide 39

2.4 Summarize field types, associated capabilities, and purpose
Use the Settings > ADVANCED> Fields screen to see system fields and add custom fields for Incidents,
Evidence, and Indicators.

2.4.1 Outline the different field types

Use Incident Fields to accept or populate incident data coming from incidents. You create fields for
information that arrives from third-party integrations in which you want to insert information. The fields
are added to incident type layouts and are mapped using the Classification and Mapping feature.

Incident fields can be populated by the incident team members during an investigation, at the beginning
of the investigation, or before closing the investigation.

Use Indicator Fields to add specific indicator information to incidents. When you create an indicator
field, you can associate it with one particular incident type or all incident types.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-fields.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/indicator-fields.html

2.4.2 Align appropriate field types to data types

You can add the following field types when adding a new field.

• Attachments: Enables addition of an attachment such as .doc, malicious files, reports, and images of
an incident
• Boolean (check box)
• Date picker
• Grid (table): Includes an interactive, editable grid as a field type for selected incident types or all
incident types
• HTML: You can configure the HTML field.
• Long text
• Markdown
• Multi select
• Number: Can contain any number. The default number is 0. Any quantity can be used.
• Role: Roles assigned to the incident determine which users (by the role to which they are assigned)
can view the incident.

PALO ALTO NETWORKS: PCSAE Study Guide 40

• Short text: Maximum of 60,000 characters
• Single select
• Tags
• Timer/SLA: View how much time is left before an SLA becomes past due and configure actions to
take if the SLA does pass.
• URL
• User: A user in the system; used to state a manager or fallback

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-fields

• https://xsoar.pan.dev/docs/incidents/incident-fields#field-types

2.4.3 Summarize how fields are created and used

Fields can be system fields and custom fields for the incidents, indicators, and evidence. Use the Settings
> ADVANCED> Fields screen to see system fields and add custom fields.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-fields/create-a-custom-incident-field.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/indicator-fields/create-a-custom-indicator-field.html

PALO ALTO NETWORKS: PCSAE Study Guide 41

2.4.4 Outline advanced field capabilities

Different field types are used in different parts of the investigation and integrations. For example, the
Dest NT Domain incident field is assigned to the Access, Malware, and Brute Force incident types and
can be used with them:

You can create fields and assign them either to different incidents and indicators or to all types. For
example, the Detection Engines indicator field is assigned to all types of indicators.

PALO ALTO NETWORKS: PCSAE Study Guide 42

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-fields.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
indicators/understand-indicators/indicator-fields.html

PALO ALTO NETWORKS: PCSAE Study Guide 43

3 Automations and Integration and Related Concepts

3.1 Use automations to respond to incidents

The Automation section is where you manage, create, and modify automations (commands and scripts):

3.1.1 Outline the different types of automation

Single-purpose automations generally manipulate data in the system, wrap multiple
integrations, or develop single-purpose tools that are not complete products.
Automation scripts perform specific actions and comprise commands associated with an integration
object. Scripts are used as part of tasks used in playbooks and commands in the War Room.

Scripts can access all Cortex XSOAR APIs, including access to incidents and investigations, and sharing
data to the War Room. Scripts can receive and access arguments, and you can password-protect scripts.

PALO ALTO NETWORKS: PCSAE Study Guide 44

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/automations

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-de-duplication.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-de-duplication/creating-pre-process-rules-for-
incidents.html

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/post-processing-for-incidents.html

3.1.2 Differentiate between inputs and outputs

The inputs might come from the incident itself, such as the role to which to assign the incident, or from
an input provided by an integration—for example, when an Active Directory integration is used in a
playbook task to extract a user’s credentials. The playbook itself creates output objects whose entries
will serve the tasks inside the playbook.

Outputs can be data that was extracted or derived from the inputs. For example, in the following
subsection, we are retrieving the user’s credentials from Active Directory. We will use those credentials
to get the user’s account name, email address, and any groups they belong to.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/playbook-inputs-and-outputs.html

PALO ALTO NETWORKS: PCSAE Study Guide 45

3.1.3 Apply the script helper

The Automation section includes a Script Helper, which provides an alphabetical list of available
commands and scripts:

PALO ALTO NETWORKS: PCSAE Study Guide 46

Reference

• https://xsoar.pan.dev/docs/integrations/xsoar-ide#the-script-helper

PALO ALTO NETWORKS: PCSAE Study Guide 47

3.1.4 Apply permission access

Cortex XSOAR uses role-based access control (RBAC) for controlling user access. RBAC helps manage
access to Cortex XSOAR components so that users, based on their roles, are granted the minimal access
required to accomplish their tasks:

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/users-and-
roles/integration-permissions

PALO ALTO NETWORKS: PCSAE Study Guide 48

3.1.5 Differentiate automation objects

Think of the Cortex XSOAR CLI like an operating system CLI that is built into the product and connects to
every tool that you need. It allows the user to test and run integration commands, run automations, and
more.

Cortex XSOAR has two different kinds of commands:

• System commands: Commands that enable you to perform Cortex XSOAR operations such as
clearing the playground or closing an incident. These commands are not specific to an integration.
System commands are entered in the command line using a slash mark (/).For example,
/playground_create:

PALO ALTO NETWORKS: PCSAE Study Guide 49

• External commands: Integration-specific commands that enable you to perform actions specific to
an integration. For example, you can quickly check the reputation of an IP address. External
commands are entered in the command line using an exclamation point (!). For example, !ip:

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/common-scripts-to-use-in-automations

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-
overview/cortex-xsoar-concepts

PALO ALTO NETWORKS: PCSAE Study Guide 50

3.1.6 Apply appropriate automation commands

Integrations may contain automation scripts and commands. You can differentiate them by looking at
the first letter. A script’s first letter is always in uppercase, and the command’s first letter is in
lowercase. According to the type of letter you search for, you will start to see scripts and commands.

Integration commands are located in the integrations; if you enable the required integration by creating
a new instance, you can start to use those commands. Otherwise, they are not ready to use.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/common-scripts-to-use-in-automations
• https://xsoar.pan.dev/docs/concepts/concepts#commands

PALO ALTO NETWORKS: PCSAE Study Guide 51

3.1.7 Identify how to build and test automations

The Cortex XSOAR Bring Your Own Integration (BYOI) feature enables you to create integrations using a
simple Cortex XSOAR SDK (JavaScript or Python) from the Cortex XSOAR management console.

To create your own integration, navigate to Settings > Integrations > +BYOI:

The playground is a nonproduction environment where you can safely develop and test automation
scripts, APIs, commands, and more. It is an investigation area that is not connected to a live (active)
investigation. Go to the playground to test integration commands, automations, and other tools from
the Cortex XSOAR CLI:

To erase a playground and create a new one, run the /playground_create command in the Cortex
XSOAR CLI.

References

• https://xsoar.pan.dev/docs/concepts/concepts#playground
• https://xsoar.pan.dev/docs/tutorials/tut-integration-ui
• https://xsoar.pan.dev/docs/integrations/unit-testing

PALO ALTO NETWORKS: PCSAE Study Guide 52

3.1.8 Use automations for incidents and playbook tasks

War Room commands are commands that can be entered manually in the CLI, at the bottom of the
screen.

The automation scripts that can be used with an integration can be found in several ways. Choose the
one best for you and the specific scenario you are in:

• Start by typing ! and continue writing the name of an automation script or an integration command
from an enabled integration in the CLI. Cortex XSOAR will autocomplete and show possible
commands or scripts for that integration.

• Start by typing ! and the CLI will autocomplete possible commands that you can execute and
provide tips for using the command. For example, !whois paloaltonetworks.com will return
registration information for the paloaltonetworks.com domain.

To see all possible commands for an enabled integration, open the integration in Settings > Integration
> Servers & Services and click the Show Commands link.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-tasks.html

PALO ALTO NETWORKS: PCSAE Study Guide 53

3.2 Outline integration concepts

3.2.1 Differentiate between parameters and arguments

Parameters are global variables that mean that every command can or will use these configurable
options to run. Some common parameters are API keys, usernames, endpoints, and proxy options.

Arguments are similar to parameters in that they are configurable by a user. But unlike parameters,
arguments are single-use only and specific to only one command. Arguments are not shared with other
commands and must be present for each command:

PALO ALTO NETWORKS: PCSAE Study Guide 54

References

• https://xsoar.pan.dev/docs/integrations/parameter-types
• https://xsoar.pan.dev/docs/tutorials/tut-integration-ui#parameters
• https://xsoar.pan.dev/docs/tutorials/tut-integration-ui#command-settings

PALO ALTO NETWORKS: PCSAE Study Guide 55

3.2.2 Implement RBACs

You can use RBAC to assign commands at the integration instance level. If you have multiple instances of
the same integration, you can assign different roles (permission levels) for the same command in each
instance.

If you want to view or edit integration permissions, go to Settings > Users and Roles > Integration
Permissions. You can see a list of all the enabled integrations in Cortex XSOAR. Under each integration,
you can see the following:

• Commands: A list of all commands for the integration

• Instance: A list of all instances for the integration
• Permitted roles: A drop-down list of roles you can assign to the command

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/users-and-
roles/integration-permissions
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/users-and-
roles/roles.html

3.2.3 Define integration types

Product integrations or automations are codes that allow Cortex XSOAR to communicate with other
products. These integrations can be executed through REST APIs, webhooks, and other techniques. An
integration can be unidirectional or bidirectional, with the latter allowing both products to execute
cross-console actions. Integrations enable connections with third-party tools and services that the
Cortex XSOAR platform orchestrates and automate security operations center (SOC) operations. In
addition to third-party tools, you can create your own integration using the BYOI feature.

The following list of integration categories available in Cortex XSOAR is not exhaustive and highlights the
main categories:

• Analytics and SIEM

• Authentication
• Case Management
• Data Enrichment and Threat Intelligence
• Database
• Deception
• Email Gateway
• Endpoint
• Forensics and Malware Analysis

PALO ALTO NETWORKS: PCSAE Study Guide 56

• IT Services
• Messaging
• Network Security
• Threat Intel Feeds
• Utilities
• Vulnerability Management

Reference

• https://xsoar.pan.dev/docs/concepts/concepts#integrations

3.2.4 Describe capabilities related to custom integrations

An integration instance is the configuration of an integration. You can have multiple instances of an
integration—for example, to connect to different environments. If you are a managed security service
provider (MSSP) and have multiple tenants, you also could configure a separate instance for each
tenant.

References
• https://xsoar.pan.dev/docs/tutorials/tut-integration-ui#navigating-to-byoi

• https://xsoar.pan.dev/docs/integrations/code-conventions

PALO ALTO NETWORKS: PCSAE Study Guide 57

3.2.5 Describe the process of contributing integrations to the marketplace

Contributions are Content Packs that you create that are sent to Cortex XSOAR for review and approval.
After approval, these Content Packs are uploaded to the Marketplace, shared, and installed as would be
any other Content Pack.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/content-pack-contributions.html

PALO ALTO NETWORKS: PCSAE Study Guide 58

3.3 Configure integration instances

3.3.1 Apply basic troubleshooting if the integration is not performing

Throughout development of integrations and scripts, your code likely will cause something to break at
some point. One of the most significant features of Cortex XSOAR is its use of machine learning to better
time these crashes so they occur on your time off.

You can check logs and War Room entries. You can use the Demistomock library.

There is another option to debug your integration. The Cortex XSOAR plugin for the PyCharm IDE
enables you to design and author scripts and integrations for Cortex XSOAR directly from PyCharm. The
plugin adds a sidebar with Automation and Integration Settings, just like the Settings sidebar in the
Cortex XSOAR script editor. When you write code, the plugin provides you with autocomplete of Cortex
XSOAR and Python functions and allows you to debug your code easily.

References

• https://xsoar.pan.dev/docs/integrations/debugging

• https://xsoar.pan.dev/docs/tutorials/tut-integration-ui

3.3.2 Apply the appropriate classification and mapping technique

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/classification-and-mapping.html

PALO ALTO NETWORKS: PCSAE Study Guide 59

3.3.3 Classify and map a set of data to different types of fields

The classification and mapping feature enables you to take the events and event information that Cortex
XSOAR ingests from integrations and classify each event as a type of Cortex XSOAR incident.

After an integration fetches the incidents, it populates the rawJSON object in the incident object. The
rawJSON object contains all attributes for the event—for example, source, when the event was created,
and the priority that was designated by the integration. When you classify the event, you want to select
an attribute that can determine the event type.

Mappers enable you to map the information from incoming events to the incident or indicator layouts
you have in your system.

Mapping of event attributes or indicator fields now takes place in two stages. First you map all of the
common fields to all incident or indicator types in the default mapping. Then you can map the additional
fields specific for each incident or indicator type or overwrite the mapping you used in the default
mapping.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/classification-and-mapping/create-a-mapper.html

• https://xsoar.pan.dev/docs/incidents/incident-classification-mapping#map-event-attributes-to-
fields

PALO ALTO NETWORKS: PCSAE Study Guide 60

4 Solution Architecture

4.1 Describe the components of the Cortex XSOAR system architecture

4.1.1 Describe the relationship between servers, live backup, Devprod, and other
available components:

The Cortex XSOAR server system provides a centralized server function for all system operations. The
server includes the Cortex XSOAR centralized database to store incident data.

SOAR engineers may connect the Cortex XSOAR server to any number of incident sources, tools, or
infrastructure devices that are located at the main site or otherwise within the intranet, using Cortex
XSOAR integrations.

The Cortex XSOAR database solution itself uses files stored in the standard file system of the Linux-based
server.

The Cortex XSOAR platform integrates with SIEM systems, IT ticketing systems, vulnerability-
management systems, and other products, on-premises or in the cloud, such as Cortex XDR by Palo Alto
Networks or Prisma Cloud and Prisma SaaS by Palo Alto Networks. These products can ingest data to
autogenerate Cortex XSOAR incidents or cases.

For activities such as data enrichment, the Cortex XSOAR server also may connect via integrations to any
number of Internet-based threat intelligence services or other cloud-based tools, including sandboxes
such as Palo Alto Networks WildFire® malware prevention service.

PALO ALTO NETWORKS: PCSAE Study Guide 61

You can create and install Cortex XSOAR dissoluble agents (D2 agents) on machines under investigation
to unobtrusively perform forensic tasks on those machines. After the agents complete the forensic
tasks, they dissolve and leave no trace. D2 agents are designed to assist you when you perform an
investigation in the War Room for a specific incident only. If you want to create agents for more than
one incident, you can create a shared agent.

Cortex XSOAR also provides you a mobile phone app for lightweight access to the dashboard and case
management and monitoring functions.

Deployment considerations follow.

A minimalist deployment of the Cortex XSOAR platform can comprise a standalone server.

The use of one or more instances of a Demisto Engine is entirely optional.

Other extended installation types of the Cortex XSOAR platform include a high-availability or disaster-
recovery solution named Live Backup. Deployment of a Live Backup server provides an active/passive
manual failover option for high availability.

Suppose you want to offload database functions from the main server to expand the platform’s storage
and data-handling capacity for incident-related data. In that case, you can deploy one or more dedicated
database servers.

You can deploy and connect a dedicated dev server to a custom repository to manage your own content
repository and to support a formal development, testing, acceptance, and deployment process for
custom content.

PALO ALTO NETWORKS: PCSAE Study Guide 62

References
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/installation/system-requirements.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-
and-live-backup/disaster-recovery-and-backup-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/distributed-
database/distributed-database-deployment.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/remote-
repository/remote-repositories-overview
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/engines/understand-demisto-engines.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-
images-in-demisto.html

4.1.2 Summarize how Cortex XSOAR uses the Docker component

Cortex XSOAR primarily uses Docker to run Python scripts and integrations in a controlled environment.
The scripts and integrations run isolated from the server to prevent someone from accidentally
damaging the server. By packaging libraries and dependencies, you can prevent unknown issues from
occurring because the environment is all the same.

Palo Alto Networks maintains a large repository of Docker images. All Docker images are available via
the Docker Hub under the Demisto organization at https://hub.docker.com/u/demisto/.

The Docker image creation process is managed via the open-source project “demisto/dockerfiles”.
Before you try to create a new Docker image, check if one already is available. You can search the
repository-info branch updated nightly with image metadata and os/python packages used in the
images.

Note: For security reasons, Cortex XSOAR cannot accept images that are not part of the Docker Hub Palo
Alto Networks (Demisto) organization.

If you cannot find an existing image, see the article about creating a Docker image for testing and
production use at https://xsoar.pan.dev/docs/integrations/docker#docker-image-creation.

Suppose you need to install Docker images in air-gapped environments. In that case, you can download
Docker images by appending &downloadName=dockerimages to the Cortex XSOAR server download
link you received from Cortex XSOAR, then read the required instructions in the related reference
documents in the “References” section below.

PALO ALTO NETWORKS: PCSAE Study Guide 63

References

• https://xsoar.pan.dev/docs/integrations/docker
• https://github.com/demisto/dockerfiles/blob/master/README.md
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-
images-in-demisto.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/install-
docker-images-offline.html

4.1.3 Specify the benefits and differences between backup types

Cortex XSOAR backs up the database daily by storing the entire database of incidents, playbooks, scripts,
and user-defined configurations.

On the Settings > ADVANCED > Backups page, you can define whether you want Cortex XSOAR to create
automatic backups and define where to store the backups. The database backup files are located in
/var/lib/demisto/backup by default; you can change this configuration.

To have a full local backup, in addition to the database, the following directories must be backed up and
restored manually:

• /var/lib/demisto/artifacts
• /var/lib/demisto/attachments
• /var/lib/demisto/d2_server.key
• /var/lib/demisto/tools
• /var/lib/demisto/versionControlRepo
• /usr/local/demisto
• /etc/demisto.conf

Another option for backup is the Live Backup, which enables you to mirror your production server to a
backup server. In a disaster-recovery situation, you can easily convert your backup server to be the
production server.

Server actions are mirrored in real time. If a server fails over, engines dynamically reconnect to the
active host.

PALO ALTO NETWORKS: PCSAE Study Guide 64

There might be pending actions due to high server load, connectivity issues, and so on. Note the
following:

• You must install the same Cortex XSOAR version and build number on all servers.

• Live Backup uses a single main server and a single standby server. Additional servers are not
currently supported.

• Active/active configuration is not currently supported.

• Each host retains its distinct IP address and hostname.

• Neither host has any awareness of which node is truly active. Therefore, failover is not dynamic,
which means that a node must be made active manually by an administrator.

Consider the following information about hostnames, DNS, and designated router (DR):

• When you configure Live Backup, each Cortex XSOAR server should have its own unique hostname
and IP address.

• You may require analysts to always navigate to the same hostname when they access Cortex XSOAR.
In this scenario, configure a separate DNS record that points to the active Cortex XSOAR server. If a
server fails over, you must manually repoint this DNS record to the IP of the newly active Cortex
XSOAR server.

• The time to live (TTL) of the DNS record must be set to a zero value. If the value is higher, analysts
cannot access the active server using the shared hostname until the TTL of the record expires and
the DNS record is refreshed in the cache. The refresh of DNS records may take more than an hour.

• If you do not require a single URL to access Cortex XSOAR, you might point your browser to the URL
of the newly active Cortex XSOAR server when a server failover occurs.

PALO ALTO NETWORKS: PCSAE Study Guide 65

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-
and-live-backup/backup-the-database.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-
and-live-backup/disaster-recovery-and-backup-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/disaster-recovery-
and-live-backup/configure-the-live-backup-environment.html

4.1.4 Differentiate between a standalone tenant and multitenant

Cortex XSOAR multitenant deployments are designed for MSSPs that require strict data segregation
between tenant accounts and the flexibility to easily share critical security data, such as known
malicious or /benign indicators, to those tenant accounts.

Multitenancy also enables MSSPs to manage many tenants from a single console, and to easily switch
between tenant environments or from a tenant environment to the main environment, where the MSSP
can get a high-level, global-view status—for example, all open incidents and indicators across all
tenants.

Scalability features allow you to deploy multiple servers on-premises or via the hosted cloud and across
multiple geographies. The multitenant scheme allows multiple tenants on each server and multiple
additional host servers that operate like the standard Cortex XSOAR server-engine communication
model. In MSSP networks, engines often are used to enable the network connectivity between the
MSSP’s network and the customer’s local network. The system scales to enable support for more than
100 tenants.

When you use Cortex XSOAR multitenancy in an enterprise, several limitations can negatively impact
enterprise productivity:

• There is complete isolation among tenants. The data is not easily shared between tenants. For
example, collaboration on an incident requires extra steps, such as mirroring the data between
tenants.

• Tenants cannot change definitions set by the main account (e.g., playbooks).

• Multitenancy architecture is more complicated than Cortex XSOAR Enterprise server architecture. It
requires more IT and computing resources. In general, server maintenance is more complicated and
requires a strong IT team. For example, re-indexing of a single tenant is a complicated procedure,
and troubleshooting often is very complex.

• Backup and restore, and the DR mechanism, are more complex than single-server deployments.

• Because multitenancy environments are more complex, some infrastructure features are introduced
only after being introduced in enterprise environments.

PALO ALTO NETWORKS: PCSAE Study Guide 66

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-multi-tenant-guide/multi-
tenant-deployments/multi-tenant-overview.html

4.1.5 Describe threat intelligence management capabilities

The Cortex XSOAR native threat intelligence (threat intel) management capabilities provide you with the
ability to unify the core components of threat intelligence, including aggregation, scoring, and sharing.

Cortex XSOAR automates threat intel management by ingesting and processing indicator sources, such
as feeds and lists, and exporting the enriched intelligence data to the SIEMs, firewalls, and any other
system that can benefit from the data. These capabilities enable you to sort through millions of
indicators daily and take automated steps to make those indicators actionable in your security posture.

The threat intelligence capabilities of Cortex XSOAR are closely associated with indicators. You can find
the essential concepts related to threat intel management in the following topics:

• Fetch indicators: Cortex XSOAR includes integrations that fetch indicators from either a vendor-
specific source, such as AutoFocus, or a generic source, such as a comma-separated value (CSV) or
JSON file.

• Export indicators: You can export indicators as a hosted list, an external dynamic list (EDL), or a
trusted automated exchange of indicator information (TAXII) collection. Export of indicators enables
your SIEM or firewall to ingest or pull the indicator list to update policy rules. Examples of supported
file types are JSON, CSV, and TXT.

PALO ALTO NETWORKS: PCSAE Study Guide 67

• Exclusion list: The exclusion list prevents indicators from being extracted and created in the system.
For example, to prevent google.com from being flagged as a malicious indicator, add it to the
exclusion list.

o When millions of indicators are ingested and processed daily, two practices are essential:

o Control whether they are active or expired.

o Define how and when indicators are expired.

The indicator field Expiration Status displays the indicator status, Active or Expired. The indicator field
Expiration displays when that indicator expired and by which method.

Indicator expiration is applied at the indicator type level. Indicators assigned to a specific indicator type
inherit the indicator type’s expiration method.

• Indicator smart merge: The same indicator can originate from multiple sources and be enriched
with various methods (integrations, scripts, playbooks, and so on). Cortex XSOAR employs smart
merge logic to make sure indicators are accurately scored and aggregated.

• Indicator timeline: The indicator timeline is the default section in the indicator summary layout. The
timeline is in table format and displays an indicator’s complete history, including the first-seen
timestamp and last-seen timestamp and changes made to indicator fields.

• Common indicator data model: When indicators are ingested, regardless of their source, they have
a unified, standard set of indicator fields, including traffic light protocol (TLP), expiration, and tags.

• Feed-based job: You can define a job to trigger a playbook when the specified feeds identify a
modification in the feed. The modification can be a new indicator, a modified indicator, or a
removed indicator.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-threat-intel-management-
guide/threat-intelligence-management-overview.html

• https://www.paloaltonetworks.com/resources/videos/cortex-xsoar-threat-intelligence

PALO ALTO NETWORKS: PCSAE Study Guide 68

4.2 Assess system architecture and outline scalability opportunities

4.2.1 Review the system diagram and summarize the flow of data

The Cortex XSOAR platform supports two multitier server configurations:

• One app server and one database server running on separate machines

• One app server and multiple database servers running on separate machines

When working with one database server, all content is stored on the one database server.

When working with multiple database servers, the first database you install is considered the main
database, and any secondary database that you install is considered a node.

The main database server maintains all content that is not an incident or related to an incident, such as
playbooks, automations, integrations, and layouts. The nodes maintain all incidents and incident-related
data, including a copy of the playbook used to process the specific incident, indicators extracted from
the incident, and all other context data created. The Cortex XSOAR server distributes incidents among
secondary nodes using a round-robin method.

Backup options for the main database and each node for disaster recovery scenarios also are part of the
solution design.

Reference

• https://www.paloaltonetworks.com/resources/guides/prevention-detection-and-response-for-
security-operations-architecture-guide

PALO ALTO NETWORKS: PCSAE Study Guide 69

4.2.2 Export a log bundle and send for investigation

The Cortex XSOAR logs provide information about events that occur in the system. These logs are a
valuable tool in troubleshooting issues that might arise in your Cortex XSOAR environment.

A log bundle is a zip file of additional logs available in the Cortex XSOAR system. These logs provide
additional information that is useful in troubleshooting issues that arise in your Cortex XSOAR system.
Send the log bundle zip file to Cortex XSOAR support to use for debugging purposes. After you create
the log bundle, the logs also will appear in /var/log/demisto/.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/logs/create-a-log-
bundle.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/logs/audit-
trail.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/logs/send-the-
audit-trail-to-an-external-log-service.html

4.2.3 Identify common errors and troubleshooting

You can read the related reference topics for the identification of common errors and troubleshooting
suggestions.

References

Troubleshoot and debug engine errors:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/engines/demisto-
engines-troubleshooting.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/engines/demisto-
engines-troubleshooting/engine-upgrade-troubleshooting

Troubleshoot and debug Docker issues:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-
hardening-guide/troubleshoot-docker-networking-issues.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/docker/docker-
hardening-guide/troubleshoot-docker-container-performance-issues.html

PALO ALTO NETWORKS: PCSAE Study Guide 70

Troubleshoot reports:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/reports/troubleshoot-reports.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/reports/troubleshoot-reports/troubleshoot-script-timeout-for-reports.html

Troubleshoot Elasticsearch:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/migrate-indicators-to-elasticsearch/troubleshoot-elasticsearch-memory-issues.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/migrate-indicators-to-elasticsearch/troubleshoot-elasticsearch-feed-ingestion-issues.html

Troubleshoot data and database:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/reindex-the-database.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/reindex-a-specific-index-database.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/reindex-the-entire-database-for-a-distributed-database.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/reindex-a-specific-index-for-a-distributed-database.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-data/free-
up-disc-space-with-data-archiving.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/migrate-data-to-another-server.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/migrate-data-to-another-server-for-multi-tenant.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/move-data-folders-to-another-location-on-the-server.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/manage-
data/restore-condensed-folders.html

Troubleshoot tenants:

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-multi-tenant-
guide/configure-the-multi-tenant-deployment/move-a-tenant-to-a-different-host.html

PALO ALTO NETWORKS: PCSAE Study Guide 71

4.2.4 Identify use of engines

Cortex XSOAR engines are installed in a remote network and allow communication between the remote
network and the Cortex XSOAR server. Although you cannot run scripts, you can run integration
commands. The engine initiates a TCP port 443 connection back to the Cortex XSOAR server, and all
subsequent communication uses this connection. The server never initiates downstream connections to
an engine. Also, note that engines do not maintain local databases for incident data. All data produced
by the engines is sent to, and stored on, the upstream Cortex XSOAR server.

An engine is used for the following purposes:

• You can use multiple engines to support multiple remote, isolated, or protected network segments.
• You can pool multiple engines into an engine group to expand capacity and provide load balancing
beyond what a single Cortex XSOAR server can provide for use within the main site.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/engines/understand-demisto-engines.html

PALO ALTO NETWORKS: PCSAE Study Guide 72

4.3 Create incidents using Cortex XSOAR

4.3.1 Describe the three ways incidents are created

Incidents are events that have been observed at a point in time for analysis. Cortex XSOAR ingests
incidents from an integration instance, from the REST API, or from an incident you create manually.

An incident investigation can be opened in the following ways:

• Automatically: An incident associated with a playbook opens automatically for investigation and
runs the associated playbook.
• Manually: Select the incident in the Incidents table.
• CLI: Type /investigate id=<incidentID#>.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/incident-investigation.html

PALO ALTO NETWORKS: PCSAE Study Guide 73

4.3.2 Understand the logic and order of incident creation

The logic and order of incident creation is a three-step process:

• Configure integrations: You configure integrations with your third-party products to start fetching
events. Events can be potential phishing emails, authentication attempts, SIEM events, and more.

• Classification and mapping: After you configure the integrations, you must determine how the
events ingested from those integrations will be classified as incidents. For example, you might want
to classify items based on the subject field for email integrations, but for SIEM events, you will
classify by event type. You must map the information coming from the integrations into the fields
that you created in the planning stage.

• Preprocessing: Preprocessing rules enable you to perform certain actions on incidents as they are
ingested into Cortex XSOAR directly from the web interface. You can use the rules to select incoming
events on which to perform actions—for example, link the incoming event to an existing incident or,
based on configured conditions, drop the incoming incident.

Incidents of various types are created based on the definitions you provided in the classification and
mapping stage and the rules you created for preprocessing events. The incidents all appear on the
Incidents page of the Cortex XSOAR user interface, where you can start investigating.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/incidents/incident-
lifecycle.html

PALO ALTO NETWORKS: PCSAE Study Guide 74

5 Content Updates and Content Management

5.1 Outline Marketplace concepts

Cortex XSOAR Marketplace is a digital storefront for discovering, exchanging, and contributing security-
orchestration content centrally within the Cortex XSOAR platform.

It enables you to install turnkey Content Packs to help solve any security use case with content
contributed by SecOps experts and the world’s largest SOAR partner community.

5.1.1 Identify challenges and benefits related to Marketplace concepts

The Marketplace allows you to easily:

• Leverage content from the largest SOAR community: You can extend Cortex XSOAR with proven use
cases contributed by SecOps users and SOAR partners.

• Discover top-rated, validated content: You can identify the best premium and free content offerings
recommended by your peers and validated by the world’s leading cybersecurity company. You can
learn how to increase automation with the tools you already have and browse through community
best practices.

• Solve your most difficult security use cases: You can use a single click to deploy turnkey security
workflows that span integrations, playbooks, dashboard layouts, and reports.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-overview.html

5.1.2 Describe Marketplace content

All content on Marketplace is included in a Content Pack, and Cortex XSOAR digitally signs all packs. A
Content Pack is like a small content repository, and it contains all relevant content items under its
directories.

Content Packs are categorized as free and premium (paid) and contain the following:

• Technology integrations
• Scripted automations
• Playbooks
• Dashboard widgets and reports
• Layouts (incident and indicator layouts)
• Incident fields and incident types

PALO ALTO NETWORKS: PCSAE Study Guide 75

• Classifiers
• Indicator fields and indicator types

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-overview/content-packs-support-types.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-overview/access-the-marketplace.html

5.1.3 Outline the product development lifecycle

Custom Content Packs, also known as contributions, need to be sent to the Cortex XSOAR team for
review and approval. After approval, these Content Packs are uploaded to the Marketplace, shared, and
installed as would be any other Content Pack.

When you create new content, such as playbooks, automations, incident types, and integrations, you
can send the contribution to Cortex XSOAR directly from the content. Cortex XSOAR automatically adds
dependencies to ensure that the Content Pack installs and runs correctly. For example, from a playbook,
you can click Contribute to Marketplace.

After you send the contribution for review, Cortex XSOAR contacts you. You also can download the
contribution and upload it, for example, to GitHub.

PALO ALTO NETWORKS: PCSAE Study Guide 76

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/content-pack-contributions.html
• https://xsoar.pan.dev/docs/tutorials/tut-setup-dev
• https://xsoar.pan.dev/docs/contributing/checklist
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-subscriptions.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/content-pack-contributions/create-a-content-pack.html
• https://xsoar.pan.dev/docs/concepts/design-best-practices

PALO ALTO NETWORKS: PCSAE Study Guide 77

5.1.4 Identify how content can be searched

You can install, delete, and update content and contribute and share content items such as playbooks,
integration, and incident types in the Marketplace.

You can browse all content (including installed content), view only installed Content Packs, or see your
contributions. When a Content Pack needs to be updated, you receive notifications and view the
updates on the Installed Content Packs tab.

When you search for content, you can use the search bar by adding text and then selecting the content
from which to search.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-overview/marketplace-search-and-navigation.html

PALO ALTO NETWORKS: PCSAE Study Guide 78

5.1.5 Describe the relationship between the Marketplace and Docker

Docker is a tool used by developers to package dependencies into a single container (or image). This
means that to use your integration, you are not required to “pip install” all the packages required. They
are part of a container that “docks” to the server and contains all the libraries you need.

Cortex XSOAR primarily uses Docker to run Python scripts and integrations in a controlled environment.
Scripts and integrations run isolated from the server environment to prevent someone from accidentally
damaging the server. By packaging libraries and dependencies, you can prevent unknown issues from
occurring because the environment is all the same.

Marketplace allows you to install Content Packs that contain content items such as integrations and
scripted automations. Some content items required to run on Docker and Cortex XSOAR maintain a
repository of Docker images, all of which are available in the Docker hub under the Cortex XSOAR
organization (https://hub.docker.com/u/demisto/).

Reference

• https://xsoar.pan.dev/docs/integrations/docker

5.2 Apply custom content and manage content updates

5.2.1 Describe the purpose of content updates

All Cortex XSOAR content is organized in packs. Packs are essentially groups of artifacts that implement
use cases in the product. Content Packs are created by Palo Alto Networks, technology partners,
consulting companies, MSSPs, customers, and individual contributors. As was discussed in Task 5.1.2,
Content Packs may include various components, such as integrations, automations, playbooks, incident
types, and widgets.

When Content Packs need to be updated by the creators, they become ready after the review and
approval process by the Cortex XSOAR team, and you are notified about the updates in the Cortex
XSOAR interface.

Suppose you want to contribute the content entities you created. In that case, you should create a
Content Pack and submit it for review for it to be added to the Cortex XSOAR Marketplace and become
available to customers.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-subscriptions/content-pack-installation/update-a-content-
pack.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-subscriptions.html

PALO ALTO NETWORKS: PCSAE Study Guide 79

5.2.2 Outline the process of how content is updated and why

When a Content Pack is available for update, you receive a notification next to the Marketplace
icon, and a message about Content Pack updates displays at the top of the Settings page.

You can update to the latest content version or specific versions. Any customizations you have made are
automatically included in any update. All dependent Content Packs update automatically with the main
Content Pack.

Users can see updates for Content Packs that they have in their environment that were downloaded by
another user.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-subscriptions.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-subscriptions/content-pack-installation/update-a-content-
pack.html

PALO ALTO NETWORKS: PCSAE Study Guide 80

5.2.3 Summarize the relationship between customer content and existing content
updates

Contributions are Content Packs that you create that are sent to Cortex XSOAR for review and approval.
After approval, these Content Packs are uploaded to the Marketplace, shared, and installed as would be
any other Content Pack. You can create the following Content Packs:

• Basic Content Pack for specific content, such as playbooks, automations, integrations, and incident
types

• Advanced Content Pack in the Contributions tab in the Marketplace

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/content-pack-contributions.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-overview/content-packs-support-types.html

PALO ALTO NETWORKS: PCSAE Study Guide 81

5.2.4 Outline recommendations for content updates and when custom content would
be appropriate

Contributions are Content Packs that you create. Contributions allow you to make the content that you
build on Cortex XSOAR available to every client through the Marketplace. Content can be partner or
community supported, free or paid.

All the free content (i.e., everything excluding paid Content Packs) is open source and lives in the Cortex
XSOAR GitHub Repository, with an MIT license.

After you have created your content, you must submit it for the Palo Alto Networks team to review and
approve.

There are three ways to submit your work:

• In most cases, if you want to provide a Content Pack that you want to support, you must open a
GitHub pull request.

• Cortex XSOAR supports a simplified flow to contribute directly from the product web interface. Use
this flow only if you are an individual contributor and your Content Pack will be community
supported.

• If you are providing a Premium (Paid) Content Pack, the GitHub process is slightly different and is
described here.

Before you proceed, check the content contribution checklist to make sure you have created everything
you need.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-subscriptions/content-pack-installation.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/content-pack-contributions.html
• https://xsoar.pan.dev/docs/contributing/checklist
• https://xsoar.pan.dev/docs/concepts/design

PALO ALTO NETWORKS: PCSAE Study Guide 82

5.2.5 Identify the benefits of custom content

Any user can add content to a Content Pack that has been created, submitted, and reviewed by Cortex
XSOAR to ensure that it complies with Cortex XSOAR standards. After approval, the Content Pack can be
used in the Marketplace.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/content-pack-contributions/create-a-content-pack.html

5.2.6 Describe how new content gets implemented

You can install only one Content Pack at a time from the Marketplace. Cortex XSOAR automatically adds
any content that is required to install the Content Pack. You also can add any recommended Content
Packs that use the Content Pack you want to install.

Before you install a Content Pack, you can search for it by using the Browse tab. When you find the
required pack, you can see what is included in the pack and then use the Install button to finish the
installation.

PALO ALTO NETWORKS: PCSAE Study Guide 83

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-subscriptions/content-pack-installation/install-a-content-
pack.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-subscriptions/content-pack-installation/update-a-content-
pack.html
• https://xsoar.pan.dev/docs/contributing/checklist

5.2.7 Explain when imports or exports are appropriate and how they would be done

When you create your Content Packs, you can use the Contributions tab in the Marketplace to send
them to Cortex XSOAR for review and approval. If you want to prepare the Content Pack and send it
later for review or upload to GitHub, you can export your package in the Contribution screen by
selecting the Save and download your contribution option:

You usually need an Internet connection when using the Marketplace for tasks such as downloading and
subscribing to Content Packs because all these services are in the cloud.

PALO ALTO NETWORKS: PCSAE Study Guide 84

However, you can upload Content Packs offline. The administrator downloads the Content Pack to
install, which is in zip format.

In zip format, you can upload the following:

• Each Content Pack separately

• Several Content Packs together

• An all-packs zip, which installs all Content Packs at the same time. All dependencies are included.

Before you start uploading content that you want to install, you should update server configurations to
turn off Marketplace synchronization in the cloud for both the Content Packs and the review process by
adding the following keys values to Settings > About > Troubleshooting > Add Server Configuration.
Addition of those keys improves system performance.

Key Value
marketplace.sync.enabled false
marketplace.content.packs.rating.enabled false
marketplace.subscriptions.sync.enabled false

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/marketplace-subscriptions/install-a-content-pack-offline.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/marketplace/content-pack-contributions/create-a-content-pack.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/remote-
repository/troubleshoot-a-remote-repository-configuration/troubleshoot-content-issues
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/remote-
repository/troubleshoot-a-remote-repository-configuration/troubleshoot-editing-and-pushing-
content

PALO ALTO NETWORKS: PCSAE Study Guide 85

6 Web Interface Workflow, Dashboards, and Reports

6.1 Navigate the web interface and query system data

6.1.1 Navigate between the different options in the system

Cortex XSOAR provides an extensible user interface and contains well-designed, customizable
dashboards and reports to get quick information about the SOC, Incidents, and Indicators sections for
your analysts to perform investigations. The Playbooks, Automation, Jobs, Marketplace, and Settings
sections allow for various configuration operations:

The default landing page of the management web console is the Home page, which displays the default
dashboards. Dashboards consist of visualized data powered by fully customizable widgets, which
enables you to analyze data from inside or outside Cortex XSOAR in different formats, such as graphs,
pie charts, or text. You can add new dashboards or edit and customize the existing dashboards by
adding or creating widgets.

PALO ALTO NETWORKS: PCSAE Study Guide 86

Dashboards can be configured to display almost any information that the system itself can generate.

This default dashboard provides quick access to summary data, including mentions of the user within
various incidents or cases. The Dashboards page also provides high-level system-health status relative to
disk, CPU, and memory.

The widget-based configuration and display functionality used for dashboards also provides the basis for
reports. You access the preview and design function for a report by clicking the double-page icon in the
top right of the target report’s information area. Reports, like dashboards, are constructed of the
graphical placement of widgets.

The Indicators page allows you to collect and track several discrete data elements extracted from
incidents, such as hashes, domains, URLs, and email addresses.

PALO ALTO NETWORKS: PCSAE Study Guide 87

The Incidents page lists all relevant incidents. You can create and use saved queries to query the
incidents and then investigate one of them.

When you start an investigation by opening an incident, several tabs are displayed on that screen:

• The first tab that welcomes you is the Incident Info tab, where you can find various information
about that incident.

• The War Room tab displays the results of automated activity, provides a context for running manual
commands from the CLI at the bottom of the page, and provides a place for sending messages
among analysts or adding notes to the War Room.

• On the same page, the Work Plan tab provides access to the playbook that was run and allows you
to review the results of individual tasks and resolve any issues or respond to any pauses in execution
based on any pending manual tasks.

• In the investigation process, additional tracking, recording, and collaboration features include an
Evidence Board tab that provides a space for selected, important items that appear in the War

PALO ALTO NETWORKS: PCSAE Study Guide 88

 Room first and are added either automatically based on a playbook action or selectively based on
manual review.

• The Related Incidents analytical tool maps the current incident to other incidents based on a
framework for assessing similarity. A Canvas feature is based on a pin-board metaphor where you
can autopopulate related and linked incidents and indicators. This tool can plot relationships in
more complicated cases that may benefit from this type of visualization.

The Playbooks page lists all of the playbooks available to the system, whether out-of-the-box,
customized, or custom made. Existing playbooks can be edited, copied, and created from this page.

The Automation page contains the automations and the associated code for each one. It also includes
the Script Helper tool, which opens a menu that presents all of the functions of the common server on
the Automation page.

Jobs trigger incidents on demand or based on a schedule. The incident can run a playbook. The
playbook, in turn, can run automations for anything that can be scripted and controlled via API. Jobs are
somewhat like typical Linux-system cron jobs and can do almost anything.

The Marketplace page is the central location for installing, exchanging, contributing, and managing all of
your content, including playbooks, integrations, automations, fields, and layouts.

The Settings page provides access to additional SOAR-engineer functions, such as configuring
integrations, defining fields and mapping data to fields, defining incident types and within the incident
type, editing or configuring page layouts, and managing indicator types and allow lists. Several IT-
administrator functions and crossover functions with the SOAR-engineer role also are found within the
Settings area. Such functions include backup configuration, access to version information, license status,
and troubleshooting and advanced server-configuration tools.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-
overview/cortex-xsoar-concepts.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/dashboards/dashboard-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-
overview/keyboard-shortcuts.html

PALO ALTO NETWORKS: PCSAE Study Guide 89

6.1.2 Write a structured query using the appropriate syntax
Cortex XSOAR has a powerful search feature. You can search for data in Cortex XSOAR in the following
ways:

• Using the search query: You can search for information using the Lucene query syntax. The search
query appears in the Indicators, Incidents, Jobs, Playbooks, Automation, and Evidence Board pages.
For example, to search for all incidents that have the status of pending and are critical, type
status: Pending and severity:Critical.

• Using the search box: You can search for incidents, entries, evidence, investigations, and indicators
in Cortex XSOAR. The search box appears in the top-right corner on every page. You can either type
free text or search using the search query format by using the arrow keys. For example,
incident.severity:Low searches for all incidents that have “low” in the severity category.

• Using a general search: For example, when searching for a table in the Users tab, you can search for
a widget, a task in a playbook, etc.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/cortex-xsoar-
overview/how-to-search-in-cortex-xsoar
• https://lucene.apache.org/core/2_9_4/queryparsersyntax.html

6.2 Summarize the workflow elements used during an investigation

6.2.1 Outline the purpose of the workflow elements

Playbooks serve as automation workflows in Cortex XSOAR and have self-documenting procedures that
query, analyze, and perform other actions on incidents using the information associated with those
incidents. They organize and document security monitoring orchestration and response activities for
Cortex XSOAR.

Playbooks are like flowcharts. They have different branches that can do different things. Decisions
influence the flow of the book. These decisions can be made automatically, manually, or with a mix of
the two.

PALO ALTO NETWORKS: PCSAE Study Guide 90

References

• https://xsoar.pan.dev/docs/playbooks/playbooks-overview
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/playbooks/playbooks-overview.html

6.2.2 Differentiate the workflow elements and the impact on an investigation

Tasks are the building blocks of playbooks. Cortex XSOAR has an extensive Task Library. The tasks are
categorized as automations, manual tasks, and playbooks (sub-playbooks) in the Task Library.

Each step in the playbook is a Cortex XSOAR task. Tasks can be standard tasks, conditional tasks, and
data-collection tasks.

The standard task type includes both manual and script-based (automation-based) tasks. A manual task
requires your analysts to review information, confirm an automated verdict, make a determination, or
escalate an incident.

PALO ALTO NETWORKS: PCSAE Study Guide 91

You can run automated tasks on scripts that exist in the system and are exposed to, and managed
within, the user interface as an “automation.”

When you add a playbook to a playbook and connect it to one or more preceding and following tasks,
the playbook you add will function as a sub-playbook.

Playbooks enable you to automate many of your security processes, including handling your
investigations and managing your tickets. Cortex XSOAR has a Work Plan page to enable you to monitor
and manage the playbook workflow and add new tasks to customize the playbook to a specific
investigation.

PALO ALTO NETWORKS: PCSAE Study Guide 92

References

• https://xsoar.pan.dev/docs/playbooks/playbook-conventions
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/incidents/incidents-management/work-plan.html

6.3 Create dashboards and reports

6.3.1 Outline the difference between dashboards and reports

Dashboards typically are configured to display summary information about incidents; they can be
configured to display almost any information that the system itself can generate.

The dashboards also provide a high-level system-health status (relative to disk, CPU, and memory), a
preconfigured service-level-agreement report that measures completion time against parameters that
you can set, enable, or disable, based on incident type. You also have an incidents summary that reports
on data beyond the scope of just the current user.

The widget-based configuration and display functionality used for dashboards also provides the basis for
reports. You access the preview and design function for a report by clicking the double-page icon in the
top right of the target report’s information area.

Reports, like dashboards, are constructed of the graphical placement of widgets. Widgets can be
individually configured for reports and dashboards.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/dashboards/dashboard-overview.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/report-
overview.html

PALO ALTO NETWORKS: PCSAE Study Guide 93

6.3.2 Select the appropriate dashboard or report

When you first install Cortex XSOAR, the following dashboard tabs are created:

• Incidents: Information relating to incidents, such as severity type, active incidents, and unassigned
incidents
• System Health: Information relating to the Cortex XSOAR server
• My Dashboard: A personalized dashboard relating to your incidents, tasks, and so on
• SLA: Information relating to your service-level agreement

In every dashboard, you can do the following:

• Create a dashboard
• Edit a dashboard
• Import and export a dashboard, which is useful in a test and production environment
• Share and unshare a dashboard
• Delete or remove (if shared) a dashboard

Cortex XSOAR comes with out-of-the-box reports such as critical and high incidents, daily incidents, and
incidents in the last seven days. These reports cannot be edited apart from the scheduled time and who
can receive the report. If you want to change these reports, go to the GitHub reports repository
(https://github.com/demisto/content/tree/a81bce4def89d579b17b09bcf796daf183fefd5b/Packs/Legac
y/Reports), download and update the JSON file, and upload the report.

In every report, you can do the following:

• Create a report: Custom reports can be in PDF, CSV, or Word format.

• Add a Widget to a report
• Edit a report
• Change the report logo
• Configure the time zone and format in a report

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-
admin/dashboards/configure-a-default-dashboard.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/create-a-
report.html

PALO ALTO NETWORKS: PCSAE Study Guide 94

6.3.3 Summarize which information can be added, edited, or shared within
dashboards and reports

Typical dashboard control functions accessible by a click of the gear icon allow you to delete, duplicate,
share, import, export, and reset your dashboards. Shared dashboards and new, blank dashboard spaces
are added from the Add dashboard drop-down menu. Dashboards can be shared among analysts, which
helps in collaboration during investigations.

The following two images contain the same widgets, one for a new dashboard and the other for a new
report. The Widget Library that you will use is the same.

PALO ALTO NETWORKS: PCSAE Study Guide 95

You can configure dashboards and reports by specifying various parameters.

The data to be included is configured by use of a query string, the timeframe for the data, and how the
widget displays the data:

• Graphically in a chart or graph, or in a table or list

• In a single, summary total

For PDF and Word document output, the Report Editor’s layout view will match almost exactly the way
the report will display in the target application.

PALO ALTO NETWORKS: PCSAE Study Guide 96

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/dashboards/edit-
a-dashboard.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/dashboards/share-
a-dashboard.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/select-
and-customize-sections-to-export-to-a-summary-report.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/reports/edit-a-
report.html

6.4 Apply the appropriate widget type

6.4.1 Describe the purpose of widgets

Widgets are visual components that enable you to analyze data internally or externally from Cortex
XSOAR in different formats, such as graphs, pie charts, and text.

Cortex XSOAR comes with many out-of-the-box system widgets, such as Today’s New Incidents, Late
Incidents, and Saved by Dbot. You can edit these widgets when you create or edit a dashboard or report.

Reference

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/widgets/widget-
overview.html

PALO ALTO NETWORKS: PCSAE Study Guide 97

6.4.2 Define when custom widgets are necessary

Widgets are visual components that populate dashboards and reports with specific data. Although
various out-of-the-box system widgets are available, you can create custom widgets in the Widgets
Library. You also can create them from an incident or an indicator.

You can create a custom widget for your dashboard or report using a JSON file and then add the new
widget to a new or edited dashboard or report.

You also can use custom script-based widgets with an automation script to create dynamic widgets for
more complex calculations. If you create or upload the script to the Automation page, you can use the
script in any widget, use the script with a JSON file, and add it to an incident page and an indicator page,
rather than uploading the script each time.

References

• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/widgets/create-a-
widget-in-the-widgets-library.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/widgets/create-a-
custom-widget-using-a-json-file.html
• https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/widgets/create-a-
custom-widget-using-an-automation-script.html

PALO ALTO NETWORKS: PCSAE Study Guide 98

Sample Questions
The answers to the sample questions are in the “Answers to Sample Questions” section.

1 Playbook Development
Q1. What is the primary use of the context data?
a) sending data to related incidents
b) passing data between playbook tasks
c) storing data for use with integrations
d) mapping data to required fields

Q2. Which statement is true about context data?

a) It is purged after each task in a playbook is run.
b) It must be transformed before a task can use it.
c) After it is written, it can be changed only by manual editing.
d) It does not necessarily include all data generated by the incident-related activity.

Q3. Which option describes the structure of context data?

a) a key-value pair dictionary
b) a row-oriented data serialization framework
c) a node-graph hierarchy of multiple object types
d) a binary storage format front-ended by a Java interpreter

Q4. Which type of task is used to interact with users through a survey?
a) conditional
b) standard
c) section header
d) data collection

Q5. Which option provides dynamic input to playbook tasks and automations?
a) incident tasks
b) context data
c) quick view
d) system

PALO ALTO NETWORKS: PCSAE Study Guide 99

Q6. Which is the first step in the playbook development process?
a) Create custom data fields.
b) Create a skeleton playbook.
c) Formalize the use-case definition.
d) Configure enrichment integrations.

Q7. Which characteristic indicates that a playbook is a “skeleton playbook”?

a) installed from the Marketplace
b) unconfigured Inputs/Outputs options
c) incomplete task details for many tasks or all tasks
d) loaded in a development environment but not deployed to production

Q8. What are two ways to create a new task in a playbook that is open for editing? (Choose
two.)
a) Click Create Task on the Task Library fly-out panel.
b) Right-click an open area of the workspace and select New Task.
c) Double-click an open area of the workspace and click Yes in response to the prompt.
d) Click-and-drag the output node of an existing object to an open area of the workspace.

Q9. Which is the proper name for a “step” in a Cortex XSOAR playbook?
a) task
b) step
c) procedure
d) automation

Q10. Which two types of actions can be specified with a Standard playbook task? (Choose
two.)
a) manual
b) automated
c) conditional
d) data collection

PALO ALTO NETWORKS: PCSAE Study Guide 100

Q11. How do playbooks and the War Room work together?
a) The War Room documents playbook tasks and related artifacts and evidence.
b) Each incident’s War Room activity is autodocumented into a playbook for that incident.
c) Playbooks provide a guide to the use of the War Room for information flow among
analysts.
d) Playbooks document the activity and decisions made in the War Room.

Q12. What is a sub-playbook?

a) a playbook used as a task in another playbook
b) an obsolete playbook of inferior quality
c) an app that underlies a playbook to ensure it flows from task to task
d) an updated playbook that substitutes for an older playbook

2 Incident Types, Indicator Types, Layouts, and Fields

Q13. Which option describes the trigger of an incident?
a) specification of the name of the incident type
b) the application of enrichment tasks to a playbook
c) the point at which auto-extraction of indicators is performed
d) the action inside or outside the system that should generate an incident

Q14. How do incidents relate to indicators?

a) Incidents generate indicators as part of their automated response.
b) Indicators provide context to incidents.
c) Incidents determine the severity of indicators.
d) Indicators specify which incidents to ingest.

Q15. Which three fields are available for querying indicators? (Choose three.)
a) expirationStatus
b) reputation
c) SLA
d) type
e) indicatorAge

PALO ALTO NETWORKS: PCSAE Study Guide 101

Q16. Which two privileges are needed to create or customize an incident layout? (Choose
two.)
a) page access privilege for the Settings page
b) read privilege for integrations
c) page access privilege for the Incidents page
d) read/write privilege for investigations

Q17. What should you do if you want to keep a set of specific information for every event of a
certain type?
a) Add that information in the Evidence Board when investigating the incident.
b) Add custom fields to incidents representing events of that type.
c) Chat about it in the War Room.
d) Use Remote Device Control to obtain the information.

Q18. Which statement is true regarding Indicator Extraction in Cortex XSOAR?

a) If you create an Extraction Rule where you select Extract all indicators from all fields,
Cortex XSOAR will extract all fields including the Custom Field.
b) If you create an Extraction Rule where you select Extract all indicators from all fields,
Cortex XSOAR will extract system default fields except for the Custom Field.
c) If you create an Extraction Rule where you select Extract specific indicators by default,
Cortex XSOAR will set the indicator extraction for the new custom field to None.
d) If you create an Extraction Rule where you select Extract specific indicators by default,
Cortex XSOAR will set the indicator extraction for the new custom field to Use System
Default.

3 Automations and Integration and Related Concepts

Q19. What are the two primary purposes for defining outputs of an automation script or
integration command? (Choose two.)
a) Outputs are used to display data to users.
b) Outputs are used for sending data to third-party APIs.
c) Outputs are used to define data that is set into the incident context data.
d) Outputs are used for helping users to connect playbooks more easily.

PALO ALTO NETWORKS: PCSAE Study Guide 102

Q20. What are two sources of alert enrichment for Cortex XSOAR? (Choose two.)
a) SIEMs
b) Cortex Data Lake
c) Cortex XSOAR dashboards
d) AutoFocus

Q21. Which command is used to retrieve lists to use in a playbook task?

a) /FetchList
b) !fetchList
c) /GetList
d) !getList

Q22. What is a deprecated automation script?

a) an automation script that is not available in the system and is no longer supported
by the script author
b) an automation script that still is available in the system but is no longer supported
by the script author
c) an automation script that is available in the system but is outdated and needs to be
updated
d) an automation script that was located in the system but it has been deleted
manually by the analyst

Q23. Which action is required before a new integration can ingest a typed alert and
automatically run a playbook for the resulting incident?
a) An instance of the integration must be created.
b) The integration must be primed with a test alert of that type.
c) The playbook must be run manually with that type of alert.
d) The alert source must be made aware through an API of the playbook to be run.

Q24. Which Cortex XSOAR functionality is always part of accessing external sources for alert
enrichment?
a) incidents
b) playbooks
c) War Room
d) integrations

PALO ALTO NETWORKS: PCSAE Study Guide 103

Q25. What are two ways used to classify events ingested from an integration? (Choose two.)
a) when configuring an integration
b) by fetching incidents
c) by setting a classification key
d) when setting incident layout

Q26. In Cortex XSOAR, what do integrations do?

a) They connect alerts with responses.
b) They enable real-time Cortex XSOAR software updates.
c) They map alerts to incidents and query third-party information sources.
d) They integrate the various components and functions that comprise Cortex XSOAR.

Q27. What will happen if you click to disable an integration?

a) The integration code will be removed from the system.
b) The Marketplace no longer will report related content dependencies.
c) The instance of the integration and your configuration information will be retained.
d) The integration’s commands will be removed from display in the auto-suggestions
of the CLI tool.

Q28. What will happen if you configure an integration with inaccurate credentials and click
Done?
a) The initial operational status will be set to “Disabled.”
b) A popup dialog box will prompt you for new credentials.
c) A failure message will appear at the bottom of the form.
d) The system will create a new instance of the integration.

Q29. What must you do to modify the code for an integration that you have downloaded
from the Marketplace?
a) Click to duplicate it.
b) Click the edit icon and enter the admin password.
c) Click to download the integration and give it a new name.
d) Click the view icon, click Save Version, and give it a new name.

PALO ALTO NETWORKS: PCSAE Study Guide 104

Q30. Which element enables Cortex XSOAR to automatically extract a custom indicator type
from an unmapped key string?
a) regex
b) layout
c) structured query in Lucene syntax
d) valid data description in SRE syntax

4 Solution Architecture
Q31. What is required to display dev-prod configuration options?
a) access to the integrations page
b) use of a command in the graphical CLI
c) implementation of a custom server parameter
d) login credentials for the Linux command shell

Q32. Which element of the Cortex XSOAR solution architecture supports the isolation of the
development of new integrations, automations, and playbooks?
a) dev-prod
b) hybrid cloud
c) Cortex XSOAR engine
d) multitenant mode

Q33. In a dev-prod configuration, from where does the prod server get updates authored by
Palo Alto Networks?
a) Cortex XSOAR public content repository
b) remote repository specified in the dev-prod configuration parameters
c) content database on the local dev server
d) dev server default repository

Q34. Which is a requirement of the remote, private repository in a dev-prod configuration?

a) The proxy server address of the prod server must be set to the IP address of the dev
server.
b) Access from the dev server to the official public repository must be disabled.
c) Connections from the prod server to the private repository must be blocked.
d) The repository must have a minimum of one branch.

PALO ALTO NETWORKS: PCSAE Study Guide 105

Q35. Which is an accurate description of a Docker image?
a) an open-source hypervisor for cloud-based machine images
b) a modular engine that runs multiple operating systems
c) a unit of software that packages everything required to run an application
d) an instance of a virtual machine that, when running, becomes a Docker image

Q36. Which is the default global registry for Docker?

a) Docker Hub
b) Docker Engine
c) support.docker.com
d) support.paloaltonetworks.com

Q37. What is required to download the system’s Docker images manually?

a) access to Docker Hub
b) a user account on GitHub
c) root access to the command line on the target server
d) the installer download link from the email used to send your license file

Q38. Which two settings are recommended to harden or optimize the system’s use of
Docker? (Choose two.)
a) setting imageless-mode flag
b) limiting the memory allowed for each container
c) limiting the number of CPUs a container may use
d) increasing the limit for the number of allowed process IDs (PIDs)

Q39. What is the maximum number of servers supported for a Live Backup configuration?
a) 2
b) 3
c) 4
d) 8

Q40. Which path hosts the artifacts folder?

a) /etc/
b) /etc/demisto/
c) /var/lib/demisto/
d) /user/demisto/blobs

PALO ALTO NETWORKS: PCSAE Study Guide 106

Q41. Which content is excluded from backup by the Automated Backups feature?
a) incidents
b) scripts and playbooks
c) artifacts and attachments
d) user-defined configurations

Q42. Which is the best option to manually back up artifacts and attachments?
a) Set Automated Backups to ON.
b) Export the master database in a supported plaintext file format.
c) Select target incidents and click Export.
d) Use the tar command.

Q43. Where is incident data stored?

a) /var/log/demisto/
b) /var/lib/demisto/
c) /var/lib/private/Answer
d) /usr/local/demisto/

Q44. Which Live Backup configuration scheme can you deploy for disaster recovery?
a) active-active
b) active-standby
c) active-active or active-standby
d) DNS round-robin load balancing

Q45. Which three statements are true regarding live backup for distributed database
environments? (Choose three.)
a) Live backup enables mirroring of active database servers to passive servers.
b) Active/active configuration is supported.
c) Live Backup converts passive servers to the active database servers in a disaster-
recovery case.
d) The failover is dynamic.
e) Live Backup uses a single active server and a single standby server.

PALO ALTO NETWORKS: PCSAE Study Guide 107

Q46. Which installation file is required to install Live Backup on a target backup server?
a) the same file that you use to install Cortex XSOAR on a primary server
b) the Live Backup installer available on the Integrations > Agent Tools page
c) the engine installer that you download from the Integrations > Engines page
d) the live-bckp-server-xxxx.sh file that you download by use of a link sent to DR-Group
members

Q47. How do you export all the custom content from a Cortex XSOAR instance?
a) Run a detailed content report.
b) Click Export at the bottom of the Settings > About > Troubleshooting page.
c) Use the !scp custom-all <user>@<host>:<path><file-name> command
in the graphical CLI.
d) Execute with sudo privileges the send-non-vendor-files.sh script from the Linux
command shell.

Q48. What are two limitations of multitenancy architectures? (Choose two.)

a) Tenants can change the definitions that were set by the main account.
b) Troubleshooting often is very complex.
c) Multitenancy architectures are more complex than Cortex XSOAR Enterprise server
architectures.
d) There is complete isolation between tenants.

Q49. Which two indicator types should have an indicator expiration applied when they are
consumed from threat intel feeds? (Choose two.)
a) IP address
b) domain
c) file hash
d) ssdeep

Q50. What are two use cases for analyzing indicators via playbooks? (Choose two.)
a) indicator enrichment
b) pushing indicators to third-party products for enhanced alerting and detection
c) generating finished threat intelligence products
d) static analysis of malware samples

PALO ALTO NETWORKS: PCSAE Study Guide 108

Q51. Which two configurations are available for threat intel feeds? (Choose two.)
a) fetch incidents
b) source reliability
c) indicator expiration method
d) incident type

Q52. Which Cortex XSOAR feature enables playbooks to execute against new indicators from
threat intel feeds?
a) Feed Triggered Jobs
b) Mapping
c) bring your own integration
d) Export Indicators Service

Q53. Mapping of threat intel feeds enables which two abilities? (Choose two.)
a) assigning attributes from a threat intel feed to indicator fields
b) applying transforms (e.g., Uppercase) to attributes from threat intel feeds
c) running playbooks against new indicators of compromise
d) integrating threat intel feeds into other Palo Alto Networks products, such as Cortex
XDR

Q54. How do you change the log level?

a) Edit the /etc/demisto.conf file.
b) Use the Log Level drop-down menu on the Troubleshooting page.
c) Stop the server process and restart it with a --log-level=<value> parameter.
d) Add a custom server parameter services.log.detail with a value of 0, 1, or 2.

Q55. When is the basic system configuration information generated for log files in the log
bundle?
a) at 00:05 for the current day
b) at the time the log bundle is requested
c) at five minutes past every hour
d) at the same time as the last automatic backup

PALO ALTO NETWORKS: PCSAE Study Guide 109

Q56. Which type of deployment involves the use of one or more Cortex XSOAR engines?
a) hosted cloud
b) hybrid cloud
c) private cloud
d) protective enclave

Q57. Which Cortex XSOAR infrastructure component do you deploy in a protected network to
extend the core server’s capabilities?
a) Live Backup server
b) Cortex XSOAR engine
c) distributed database
d) dev server

Q58. Incidents are created in which three ways? (Choose three.)

a) manually by a privileged user
b) fetching from other products with the help of integrations
c) using playbooks
d) using the REST API
e) using remote connection feature

5 Content Updates and Content Management

Q59. Which three types of content packs can be downloaded from Marketplace? (Choose
three.)
a) playbooks
b) system settings
c) automations
d) use cases
e) integrations

Q60. Which type of update is included in Content Pack updates?

a) playbooks
b) incident data
c) core binaries for Cortex XSOAR
d) image files for the web interface

PALO ALTO NETWORKS: PCSAE Study Guide 110

Q61. Which is the distribution point for content-update packages?
a) Marketplace
b) Docker Hub
c) www.demisto.com
d) support.demisto.com

Q62. What does “installed” status mean for content related to an item listed in the
Marketplace?
a) One or more associated integrations are in active use.
b) One or more associated content elements are in active use.
c) The content is downloaded for potential use on the local system.
d) The content is configured for use but could be enabled or disabled.

Q63. What is required to upload content update packages manually?

a) access to Docker Hub
b) use of the tar utility
c) access to the web console of the target server
d) root access to the command line on the target server

Q64. Which manual action can you perform by use of the Cortex XSOAR web console to
support air-gapped deployments?
a) installation of Docker images
b) execution of the tar command to decompress platform-content archives
c) update of the content repository
d) download of Docker images

Q65. Which feature requires you migrate your database to support Cortex XSOAR High
Availability (HA)?
a) multitenancy
b) Elasticsearch
c) Network File Share (NFS)
d) HTTP proxy

PALO ALTO NETWORKS: PCSAE Study Guide 111

Q66. While reviewing the d.1log file, you notice the following error message:
Listen tcp :443 bind: permission denied

What is most likely the solution to resolve this error?

a. Change the Cortex XSOAR configuration to allow binding to lower port numbers.
b. Update firewall proxy to allow port 443.
c. Change the URL port number to the correct Cortex XSOAR management port.
d. Enable Apache service on Cortex XSOAR.

6 Web Interface Workflow, Dashboards, and Reports

Q67. Where can the entire history of group interactions involving an attack response be seen?
a) Cortex XSOAR War Room
b) Cortex XDR Incident page
c) AutoFocus
d) WildFire

Q68. Which is the correct search query for “incidents that are not jobs and are not closed”?
a) -status:closed -category:job
b) Status is not closed and Category is not job
c) Status!:closed or Category!:job
d) status!=job and category!=job

Q69. Which incidents are displayed for the search string owner:””?
a) all incidents
b) all unassigned incidents
c) all incidents with a named owner
d) all incidents that are jobs and thus owned by the system

Q70. Which permission is required for the display of Dashboard widgets?

a) read permission for investigation data
b) read/write permission for investigations
c) page-access permission for the Reports page
d) no permission required

PALO ALTO NETWORKS: PCSAE Study Guide 112

Q71. Which two options describe dashboard widgets? (Choose two.)
a) A widget’s display layout cannot be changed.
b) A widget’s timeframe can be edited.
c) A widget’s data query can be set.
d) A widget’s size cannot be set.

Q72. How do you specify the data to use in a widget applied to a dashboard or a report?
a) Enter a custom or an out-of-the-box automation script.
b) Select one or more incident fields from drop-down menus.
c) Drag and drop data fields, filtered by the context of the widget.
d) Use the same query syntax that is supported on the Incidents page.

Q73. What is the process for dashboard creation and modification in Cortex XSOAR?
a) Cortex XSOAR includes tools to make dashboard creation and modification easy.
b) Dashboard creation and modification can be achieved only through the partner
support website.
c) Integrations create and modify dashboards depending on the API capabilities of
third-party products.
d) Automated tasks in playbooks create and modify dashboards as appropriate,
depending on the incidents they are associated with.

Q74. If disk use is 45 percent, which color is the disk status indicator on the System Health
dashboard?
a) green
b) yellow
c) red
d) black

Q75. Which two statements are true regarding preconfigured system reports? (Choose two.)
a) They cannot be directly modified.
b) They can be modified by creating a copy.
c) They cannot be exported.
d) They cannot be run by an analyst directly.

PALO ALTO NETWORKS: PCSAE Study Guide 113

Answers to Sample Questions
1. b
2. d
3. a
4. d
5. b
6. c
7. c
8. a, d
9. a
10. a, b
11. a
12. a
13. d
14. b
15. a, b, d
16. a, d
17. b
18. a
19. c, d
20. a, d
21. d
22. b
23. a
24. d
25. a, c
26. c
27. c
28. d
29. a
30. a
31. c
32. a
33. b
34. d
35. c
36. a
37. d
38. b, c
39. a
40. c
41. c

PALO ALTO NETWORKS: PCSAE Study Guide 114

42. d
43. b
44. b
45. a, c, e
46. a
47. b
48. b, d
49. a, b
50. a, b
51. b, c
52. a
53. a, b
54. b
55. b
56. b
57. b
58. a, b, d
59. a, c, e
60. a
61. a
62. c
63. c
64. c
65. b
66. a
67. a
68. a
69. b
70. a
71. b, c
72. d
73. a
74. a
75. a, b

PALO ALTO NETWORKS: PCSAE Study Guide 115