Paloalto Networks XSOAR-Engineer Palo Alto Networks XSOAR Engineer Exam Practice Test

According to the Threat Intelligence section of the XSOAR Admin Guide, indicatorverdict resolutionuses two key rules:

If multiple sources have different reliability levels, the verdict from the highest-reliability source wins.

If multiple sources share the same reliability, XSOAR selects the “worst” (most severe) verdict among them.

Because both integrations have equal reliability (B – Usually reliable), XSOAR selects the more severe verdict. “Malicious” is more severe than “Benign,” so the resulting indicator verdict will beMalicious.

However, indicatorfield valuesfollow a different rule:

When multiple sources share the same reliability score,the most recently updated source overwrites the indicator fields, except for the verdict field.

Integration B updated the indicator after Integration A, so its field values overwrite Integration A’s fields. But its verdict does not override the malicious verdict because severity resolution rules take precedence.

Therefore, the correct combined logic yields:

Verdict: Benign? No → Because Malicious is the highest severity.

Other Fields: From the most recently updated feed → Integration B.

But the verdict is strictly the “worst” verdict, so:

Correct answer: C.

Integration performs

Classification is applied

Mapping is applied

Incident is created (before incident creation it should be also pre-process rule step)

The XSOAR Layouts documentation states that scripts can appear inside incident layouts only when they are designated as Dynamic Section scripts. Dynamic Sections are special script types that run automatically within layouts to display enrichment data, contextual summaries, or markdown-rendered information.

When creating such a script, the developer must mark it with the "dynamic-section" tag; otherwise, XSOAR does not expose it as an option during layout configuration. Without this mandatory tag, the script is treated as an ordinary automation and therefore cannot be placed into layout components.

Permissions (option B) affect script execution but do not prevent it from appearing in the layout editor. Integration commands (option C) are unrelated—dynamic sections do not use integration command definitions. Markdown output type (option D) determines formatting only and does not affect whether the script is selectable within the layout editor.

Thus, the missing configuration step is failing to tag the script as a Dynamic Section, making option A the correct answer according to the official XSOAR documentation.

XSOAR provides two types of user-interaction mechanisms in playbooks:Ask tasksandData Collection tasks. Ask tasks present asingle questionwhose answer determines the playbook’s conditional path. Conversely, Data Collection tasks are specifically designed to gathermultiple questions, forming a structured form or survey.

The Admin Guide explains that Data Collection tasks allow multiple question fields such as text input, dropdowns, yes/no responses, and date fields. These tasks may be delivered via email links, the XSOAR UI, or external response pages. Once completed, responses are automatically populated into incident fields or context keys.

A Section Header (option B) only organizes information within playbooks and layouts; it does not collect user input. Conditional Ask (option C) is strictly limited to single-question logic branching. A “Survey task” (option D) does not exist as a named task type in XSOAR; surveys are implemented through Data Collection tasks.

Thus, the correct answer isA: Data Collection, as it is the documented method for sending multi-question forms to users or customers.

The Admin Guide states that layouts—representing how analysts view incident data, evidence, fields, and work plans—are attached directly toincident types. When configuring an incident type, the administrator can specify the layout for the “New,” “Editing,” and “Preview” modes. This ensures consistent presentation of data across the SOC, tailored to each use case (e.g., phishing, endpoint alerts, malware investigations).

Pre-process rules (option A) operate before incident creation and do not control the user interface layout. Incident playbooks (option B) automate response actions but have no effect on how the incident UI is presented. Integration instance settings (option C) define connection details and ingestion parameters but do not control UI layouts.

Only theIncident Type configuration pageincludes fields for selecting or assigning custom layouts. This aligns with XSOAR’s design principle: incident types define schema, workflows, and UI behavior, including which layout is displayed to analysts.

Thus, the correct answer isD, as incident layouts are configured and bound within theIncident Typesettings.

Jobs in XSOAR run playbooks or scripts automatically at scheduled intervals. According to the Job Execution section of the Admin Guide, if a job encounters an error during playbook execution, its continued operation depends on whether“Continue on Error”is enabled. When this checkbox is selected, the job will not terminate due to an exception or integration failure. Instead, it logs the error and proceeds to the next scheduled execution as normal.

Queue handling settings (A) apply to indicators/job queues within feeds, not job failure behavior. RBAC changes (C) do not influence job execution continuity. Ensuring the last task closes the investigation (D) is unrelated and may even disrupt job workflows, since jobs often do not require incident-based models.

By contrast, enablingContinue on Erroris the documented mechanism that prevents scheduled jobs from halting due to transient or recurring errors. It ensures operational resilience, especially during integration outages or API rate limits.

Thus, optionBis the correct and fully documented answer.

The XSOAR Engine Installation Guide explains that a single Linux host can run multiple engines using theShell Installer with the “Allow running multiple engines” option enabled. This method is specifically intended for Dev/Prod, HA, and multi-tenant scenarios. When this option is selected, the installer configures separate engine services and directories, preventing conflicts in ports, logs, or runtime environments.

Using Docker containers (option B) is not an officially supported or documented deployment method for running multiple XSOAR engines. Creating custom JSON or DEB installers (options A and D) applies to advanced engine deployments but doesnotenable multiple engines on the same host.

The Admin Guide explicitly states that the Shell Installer includes a built-in prompt allowing multiple engines to coexist safely, and this is the approved and supported mechanism provided by Palo Alto Networks. Therefore, the correct answer isC.

The XSOAR Playbook Debugger documentation states that breakpoints only apply when the playbook is run in Debug mode, not when an incident triggers the playbook normally.

Running from an incident executes the playbook without debugger controls, so breakpoints are ignored—leading to the deletion task running normally.

STIX/TAXII are industry-standard protocols for structured threat intelligence exchange. According to the Threat Intelligence section of the XSOAR documentation, TAXII servers and clients provide automated bidirectional sharing using STIX objects, supporting both ingestion and distribution of indicators, observables, relationships, and threat objects.

The TAXII Server content pack specifically enables an organization to expose its threat intelligence via a TAXII 2.0/2.1 compliant endpoint, where the transmitted data is formatted as STIX, making it the correct choice for sharing structured intelligence externally.

The Generic Export Indicators Service pack supports indicator export, but not in STIX format—it exports simple CSV, JSON, or list-based formats. MISP Server supports STIX ingestion and export but is considered a MISP-specific implementation and not the generic STIX distribution mechanism expected in the question. External dynamic lists are not related to STIX or TAXII at all.

Thus, the correct answer is D, as only the TAXII Server pack is designed explicitly for STIX-formatted intelligence sharing.

According to the Cortex XSOAR Indicator Lifecycle documentation, when an indicator reaches its expiration date or is manually set toExpired, the platform doesnotdelete it. Instead, the indicator remains fully stored within the Indicator Store and can still be searched, viewed, and referenced within the system. Expiration affectshow the indicator behaves operationally, not whether it still exists in the database. Specifically, an expired indicatorno longer participates in active enrichment, matching, or classificationworkflows. It will not trigger rules, correlation, or alerting functionality, and enrichment engines stop providing updates.

The system retains expired indicators for historical accuracy, audit trail completeness, and investigation continuity. Deleting indicators automatically would compromise incident history and threat intelligence analytics, which XSOAR explicitly avoids. Furthermore, the documentation states that indicator deletion is alwaysmanualunless automated cleanup is configured, and even then, expiration alone does not initiate deletion.

Thus, the correct statement is optionA: the indicatorstill exists and remains searchable, maintaining its presence in XSOAR’s intelligence repository while no longer influencing automated processes. Options B, C, and D contradict documented indicator-retention behavior.

The XSOAR Admin Guide explains that the Ask task is created inside a Conditional Task, and is specifically used when the system needs to prompt the analyst with a single question to determine the playbook path.

Data collection tasks are used for multi-question forms, not conditional branching.

The XSOAR event-to-incident pipeline is clearly defined in the admin documentation:Ingestion → Classification → Pre-Processing → Incident Creation → Playbook Execution. Classification must occurbeforepre-process rules because the system must determine an incident type (or classification result) before evaluating any pre-process logic that may drop, merge, link, or modify the incoming incident.

Pre-process rules use fields created during the classification stage—including incident type, normalized values, and extracted fields—to determine whether an incident should be suppressed, modified, or related to an existing incident. Without classification completing first, the rule engine would not have the necessary structured data.

Mapping, which transforms raw event fields into incident fields, occursafterclassification but during incident creation, meaning it also precedes playbook execution but not pre-process evaluation.

Therefore, optionD (Classification)is the only correct prerequisite. Pre-process rules cannot run at ingestion time (option C). Playbook execution (option B) happensafterthe incident is created. Mapping (option A) is not a prerequisite for pre-process rules.

The Indicator Exclusion List feature in XSOAR is designed to prevent certain IOCs (file hashes, IPs, domains, etc.) from being processed by the platform. The Admin Guide explains that once an indicator is added to the exclusion list, XSOARdoes not extract, enrich, score, or apply verdictsto that indicator during ingestion or field-change extraction. This ensures that benign internal hashes, test indicators, or noisy artifacts do not trigger incidents, enrichments, or correlation rules.

Option B does not reflect platform behavior—XSOAR does not create exclusion tags requiring manual review; instead, itcompletely bypasses extraction and enrichment. Option C is incorrect because excluded indicators do not undergo enrichment or verdict assignment at all. Option D incorrectly suggests that exclusion depends on feed reliability; the exclusion list applies globally and unconditionally.

Therefore, the correct interpretation per the documentation is thatexcluded indicators are never extracted or processed, aligning precisely with optionA.