Paloalto Networks XSOAR-Engineer Palo Alto Networks XSOAR Engineer Exam Practice Test

When an integration has multiple instances configured, XSOAR’s playbook engine attempts to execute the command once per available instance unless directed otherwise. This behavior is described in the Playbook Task Execution Model within the Admin Guide. To prevent multiple executions, the engineer must explicitly specify which integration instance the command should use.

Playbook tasks include a "Using" drop-down (the “using=” parameter in CLI form), which binds the task to a particular instance. Once set, XSOAR will run the command only on that selected instance, ensuring it does not loop through all available instances.

The limits settings in Advanced Options or Performance sections control retry behavior or error handling, not instance selection. The “runlimit” parameter is used for limiting iterative loops or repeated command execution inside playbooks, not for controlling multi-instance execution.

Thus, to ensure the integration command executes only once, the engineer must specify the using=instance_name, making option A the correct answer.

Integration performs

Classification is applied

Mapping is applied

Incident is created (before incident creation it should be also pre-process rule step)

The SSO (SAML) configuration is performed inside each Cortex XSOAR tenant, under the Authentication settings.

Group mapping (SAML group → XSOAR role/group) is managed at the tenant level, not in the Hub, Gateway, or Support Portal.

According to the Cortex XSOAR Admin Guide, visibility of layout tabs is controlled byrole-based access permissions (RBAC). When customizing layouts, administrators can assign tabs, fields, and components to specific user roles. If the “Forensics” tab appears for senior analysts but not junior analysts, this indicates that the tab has been assigned only to certain roles through the “Roles” field in the layout editor.

XSOAR does not hide layout tabs due to incorrect field mappings (option A). If a field is unmapped, it simply appears empty, not invisible. Likewise, marking a tab as “read-only” (option C) still makes it visible; it only restricts editing. Display filters (option D) apply to list widgets, dashboards, and incidents—not layout tab visibility.

The documentation clearly states thata tab will not appear to a user unless their assigned role is included in the tab’s role permissions. Therefore, junior analysts cannot view the tab becausethe tab was not assigned to their role, making optionBthe correct explanation based on XSOAR’s RBAC-controlled layout behavior.

According to the Cortex XSOAR Indicator Lifecycle documentation, when an indicator reaches its expiration date or is manually set toExpired, the platform doesnotdelete it. Instead, the indicator remains fully stored within the Indicator Store and can still be searched, viewed, and referenced within the system. Expiration affectshow the indicator behaves operationally, not whether it still exists in the database. Specifically, an expired indicatorno longer participates in active enrichment, matching, or classificationworkflows. It will not trigger rules, correlation, or alerting functionality, and enrichment engines stop providing updates.

The system retains expired indicators for historical accuracy, audit trail completeness, and investigation continuity. Deleting indicators automatically would compromise incident history and threat intelligence analytics, which XSOAR explicitly avoids. Furthermore, the documentation states that indicator deletion is alwaysmanualunless automated cleanup is configured, and even then, expiration alone does not initiate deletion.

Thus, the correct statement is optionA: the indicatorstill exists and remains searchable, maintaining its presence in XSOAR’s intelligence repository while no longer influencing automated processes. Options B, C, and D contradict documented indicator-retention behavior.

XSOAR separatesContext DatafromIncident Layout fields. When an incident field is populated, its value is stored in Context, even if the incident type later changes. The Admin Guide clearly states that context is persistent and not dependent on whether a field belongs to the new incident type.

If an incident is reassigned to a different incident type, fields not included in the new type’s layout are no longer visiblein the UI, but the data is fully retained in Context. Analysts can still retrieve the values through playbooks, scripts, or JSON view. This ensures investigations are not disrupted and historical information is never lost due to schema changes.

The data isnot deleted, nor is it hidden from context (ruling out options A and D). It also does not appear grayed out in the UI (C), because the fields no longer appear at all unless re-added to the layout.

Thus, per XSOAR’s data retention model, the correct state isB: Visible within Context Data and fully accessible.

The Admin Guide states that layouts—representing how analysts view incident data, evidence, fields, and work plans—are attached directly toincident types. When configuring an incident type, the administrator can specify the layout for the “New,” “Editing,” and “Preview” modes. This ensures consistent presentation of data across the SOC, tailored to each use case (e.g., phishing, endpoint alerts, malware investigations).

Pre-process rules (option A) operate before incident creation and do not control the user interface layout. Incident playbooks (option B) automate response actions but have no effect on how the incident UI is presented. Integration instance settings (option C) define connection details and ingestion parameters but do not control UI layouts.

Only theIncident Type configuration pageincludes fields for selecting or assigning custom layouts. This aligns with XSOAR’s design principle: incident types define schema, workflows, and UI behavior, including which layout is displayed to analysts.

Thus, the correct answer isD, as incident layouts are configured and bound within theIncident Typesettings.

In Cortex XSOAR,Reportsare constructed fromWidgets, which are modular visualization components that pull data from incidents, indicators, tasks, lists, and other system sources. The Admin Guide clarifies that widgets serve as the building blocks for dashboards and reports. When creating a report, users select widgets—such as pie charts, tables, statistics blocks, histograms, and custom scripts—and XSOAR aggregates the underlying data (incidents, indicators, evidence, etc.) into the report output.

Automations (option B) may generate data, but they do not perform the aggregation within a report. SQL queries (option C) are not used natively in XSOAR reporting; instead, widgets may embed queries through the platform’s data model. Playbooks (option D) execute response workflows and can generate additional context but are not used for aggregating report data.

Thus, the report-generation process relies entirely on widgets to extract, sort, count, and visualize information. XSOAR renders the report by collecting the aggregated values produced by each widget. This makes optionAthe correct and documented answer.

XSOAR’s Threat Intelligence module represents connections between indicators—such as domain → IP mappings—usingrelationships. The Admin Guide explains that relationships have attributes including direction, type, andstate, allowing analysts to mark them as active or inactive. When an observed association (such as a malicious domain pointing to a particular IP address) is no longer valid, the platform provides the ability torevoke the relationship, which sets its state to inactive without deleting the indicator or removing historical context.

Revoking is the correct method because it preserves historical intelligence for correlation, investigations, and audit trails while preventing outdated relationships from impacting enrichment or automated processes.

Updating the relationship type (option B) merely changes classification, not the state. Expiring the IP address indicator (option C) affects the indicator itself—not the relationship—and does not correctly mark that the specific association has ended. Updating the description (option D) is cosmetic only and does not change operational behavior.

Thus,revoking the relationship(option A) is the documented and proper way to inactivate a domain–IP connection in XSOAR.

The XSOAR Incident Relationships model provides multiple ways to connect related incidents for correlation and hierarchical investigation. The Admin Guide details howRelate Incidentscreates a logical link between two or more incidents, identifying them as connected without altering their internal data. This is commonly used when incidents share a common threat, indicator, or root cause.

Join Incidentsallows analysts to group multiple incidents under a single parent investigation while keeping them technically separate. Joined incidents appear together in correlation views and analytics dashboards, enabling SOC teams to assess broader attack patterns. Joining does not merge content or overwrite fields; it simply binds multiple incidents under a shared investigative umbrella.

“Add Child Incidents” (option B) is used for parent–child hierarchical workflows, not grouping related violations. “Merge Incidents” (option D) consolidates multiple incidents into one and deletes the originals, which is not the intended function for grouping related but distinct events.

The XSOAR Playbook Editor allows engineers to manipulate and transform context data dynamically. According to the XSOAR Admin and Playbook Development Guides,“Extend Context”is the dedicated mechanism that enables a task to save output values into new or existing context keys, including keys that correspond to incident fields. By defining a key under the “Extend Context” section, the playbook task can map specific outputs—such as JSON fields, strings, arrays, or nested objects—to a structured location within the incident context. These keys can then be used to populate incident fields through further playbook tasks, field mappings, or automated incident field updates.

Classification (option A) applies only during ingestion and cannot assign task outputs to incident fields. Inputs (option B) define what data a task receives, not how it is stored afterward. Mapping (option D) belongs to the ingestion pipeline and determines how event fields become incident fields during creation, not during playbook execution.

Therefore,Extend Contextis the correct feature that allows a task to associate its output with incident fields, making optionCthe correct answer based on documentation.

Pre-process rules allow XSOAR to evaluate incoming events before they are fully created as incidents. These rules can suppress, modify, or relate events based on defined criteria. According to the Admin Guide, when a pre-process rule uses theLinkaction, XSOAR links the incoming event to an existing incident without triggering the standard incident creation process or subsequent playbook execution. This preserves the data for correlation and investigation while preventing duplicate or unnecessary playbook runs.

TheCloseaction (A) suppresses incidents completely and is used to auto-close unwanted events; this prevents preservation of the event and does not trigger the playbook. TheDropaction (C) discards incoming events entirely, removing them from the system and not preserving them. TheUpdateaction (B) modifies or enriches existing incidents but does not stop the playbook from running on newly created incidents of that type.

Because the requirement is topreserve the incident while also preventing automatic playbook execution, the Link action is the only workflow that fulfills both requirements according to XSOAR’s pre-process rule architecture. Thus, optionDis correct.