XSOAR-Engineer Palo Alto Networks XSOAR Engineer Questions and Answers

Cortex XSOAR jobs are automated scheduled tasks used for running playbooks or scripts on a recurring basis. According to the Jobs documentation within the XSOAR Admin Guide, the available job trigger mechanisms includeTime-based triggersandDelta-based feed triggers.

ATimetrigger enables execution at scheduled intervals using either predefined frequency settings or a cron expression. This allows running jobs hourly, daily, weekly, etc.

ABy delta in feedtrigger launches a job when a connected feed detects changes (new, updated, or removed indicators). This is commonly used in threat-intelligence workflows to perform enrichment, normalization, or distribution when new indicator data arrives.

The other options listed do not exist within XSOAR’s job trigger configuration. "Mapping and Classification" are ingestion components, not job triggers. "Cron View and Human View" are simply formatting options for viewing scheduling expressions—not trigger types. "Script Start and CLI" describe execution methods for scripts, not job-initialization triggers.

Thus, optionBis the accurate and documented set of job trigger types available when creating a new job in XSOAR.

https://www.jaacostan.com/2021/02/palo-alto-cortex-xsoar-playbook-icons.html

The Marketplace section states that administrators can revert any installed content pack to a previous version via the Version History → Revert to this version option.

This is the recommended method when a new release introduces a bug.

Reinstalling the same version does not fix the code error.

The XSOAR Layouts documentation states that scripts can appear inside incident layouts only when they are designated as Dynamic Section scripts. Dynamic Sections are special script types that run automatically within layouts to display enrichment data, contextual summaries, or markdown-rendered information.

When creating such a script, the developer must mark it with the "dynamic-section" tag; otherwise, XSOAR does not expose it as an option during layout configuration. Without this mandatory tag, the script is treated as an ordinary automation and therefore cannot be placed into layout components.

Permissions (option B) affect script execution but do not prevent it from appearing in the layout editor. Integration commands (option C) are unrelated—dynamic sections do not use integration command definitions. Markdown output type (option D) determines formatting only and does not affect whether the script is selectable within the layout editor.

Thus, the missing configuration step is failing to tag the script as a Dynamic Section, making option A the correct answer according to the official XSOAR documentation.

The XSOAR RBAC documentation states that role-based permissions can restrict user access to dashboards. When the administrator selects“Only allow these dashboards”within a role, the platform enforces a strict limitation: users assigned to this role can viewonlythe dashboards explicitly listed in the role configuration. These dashboards become theirdefault and sole available dashboards. They cannot create new dashboards, modify existing ones, delete dashboards, or access any dashboard not included in the allowed list. This setting is typically used in regulated environments or SOC tiers where dashboard visibility must align with job function and least-privilege principles.

The documentation clarifies that this permission setting removes access to any dashboards not included, overriding normal dashboard-sharing behavior. Therefore, options suggesting the user can modify dashboards (A or B) or automatically gain access to shared dashboards (C) contradict RBAC restrictions. The correct behavior is complete restriction: users canonlyview the explicitly authorized dashboards, withno ability to modifythem. Thus, optionDreflects the exact enforced behavior per XSOAR’s role permissions model.

According to the Cortex XSOAR Admin Guide, visibility of layout tabs is controlled byrole-based access permissions (RBAC). When customizing layouts, administrators can assign tabs, fields, and components to specific user roles. If the “Forensics” tab appears for senior analysts but not junior analysts, this indicates that the tab has been assigned only to certain roles through the “Roles” field in the layout editor.

XSOAR does not hide layout tabs due to incorrect field mappings (option A). If a field is unmapped, it simply appears empty, not invisible. Likewise, marking a tab as “read-only” (option C) still makes it visible; it only restricts editing. Display filters (option D) apply to list widgets, dashboards, and incidents—not layout tab visibility.

The documentation clearly states thata tab will not appear to a user unless their assigned role is included in the tab’s role permissions. Therefore, junior analysts cannot view the tab becausethe tab was not assigned to their role, making optionBthe correct explanation based on XSOAR’s RBAC-controlled layout behavior.

The Layout customization section of the XSOAR Admin Guide explains that incident layouts control how analysts view and interact with fields, evidence, and metadata. Within a layout tab, sections exist purely for the purpose of organizing related fields into structured blocks, improving clarity, readability, and workflow efficiency. This is essential in complex incident types where numerous fields must be grouped logically (e.g., “User Details,” “Endpoint Information,” “Alert Metadata”).

Sections do not trigger automations or playbooks; automation triggers are defined through playbooks, field-change scripts, or incident type settings. They also do not enforce field mandatory requirements—mandatory fields are defined in the incident type configuration, not within layout sections. Likewise, RBAC does not operate at the section level; access restrictions apply to fields or entire incident types, not layout sections.

Therefore, the only correct and documented result of using sections within tabs is enhanced logical grouping of fields, improving analyst usability and data-entry organization. This aligns with option C, matching the intended purpose described in the layout configuration documentation.

The Threat Intelligence section specifies that XSOAR determines an indicator’s verdict by selecting the verdict from the source that has the highest reliability score.

Only when two sources have equal reliability does XSOAR choose the most severe (worst) verdict between them.

In Cortex XSOAR,Reportsare constructed fromWidgets, which are modular visualization components that pull data from incidents, indicators, tasks, lists, and other system sources. The Admin Guide clarifies that widgets serve as the building blocks for dashboards and reports. When creating a report, users select widgets—such as pie charts, tables, statistics blocks, histograms, and custom scripts—and XSOAR aggregates the underlying data (incidents, indicators, evidence, etc.) into the report output.

Automations (option B) may generate data, but they do not perform the aggregation within a report. SQL queries (option C) are not used natively in XSOAR reporting; instead, widgets may embed queries through the platform’s data model. Playbooks (option D) execute response workflows and can generate additional context but are not used for aggregating report data.

Thus, the report-generation process relies entirely on widgets to extract, sort, count, and visualize information. XSOAR renders the report by collecting the aggregated values produced by each widget. This makes optionAthe correct and documented answer.

According to the Cortex XSOAR Indicator Lifecycle documentation, when an indicator reaches its expiration date or is manually set toExpired, the platform doesnotdelete it. Instead, the indicator remains fully stored within the Indicator Store and can still be searched, viewed, and referenced within the system. Expiration affectshow the indicator behaves operationally, not whether it still exists in the database. Specifically, an expired indicatorno longer participates in active enrichment, matching, or classificationworkflows. It will not trigger rules, correlation, or alerting functionality, and enrichment engines stop providing updates.

The system retains expired indicators for historical accuracy, audit trail completeness, and investigation continuity. Deleting indicators automatically would compromise incident history and threat intelligence analytics, which XSOAR explicitly avoids. Furthermore, the documentation states that indicator deletion is alwaysmanualunless automated cleanup is configured, and even then, expiration alone does not initiate deletion.

Thus, the correct statement is optionA: the indicatorstill exists and remains searchable, maintaining its presence in XSOAR’s intelligence repository while no longer influencing automated processes. Options B, C, and D contradict documented indicator-retention behavior.

The XSOAR Playbook Debugger allows engineers to simulate playbook behavior using existing incidents as sample data. The documentation explicitly states that onlyopen incidentsappear within the debugger’s Test Data selection list. Closed incidents are removed from the selectable list because the debugger cannot execute against non-active incident states.

Starring an incident does not affect debugger availability; the star is a user-level convenience for bookmarking. RBAC restrictions (B) could hide an incident in general UI contexts but not selectively from the debugger. Incorrect incident type (D) also does not prevent selection as long as the incident is open.

Therefore, if a starred incident does not appear as a debugging option, the most common and documented reason is that the incident has beenclosed, and closed incidents cannot be used as debugger input. This aligns with optionA.

XSOAR separatesContext DatafromIncident Layout fields. When an incident field is populated, its value is stored in Context, even if the incident type later changes. The Admin Guide clearly states that context is persistent and not dependent on whether a field belongs to the new incident type.

If an incident is reassigned to a different incident type, fields not included in the new type’s layout are no longer visiblein the UI, but the data is fully retained in Context. Analysts can still retrieve the values through playbooks, scripts, or JSON view. This ensures investigations are not disrupted and historical information is never lost due to schema changes.

The data isnot deleted, nor is it hidden from context (ruling out options A and D). It also does not appear grayed out in the UI (C), because the fields no longer appear at all unless re-added to the layout.

Thus, per XSOAR’s data retention model, the correct state isB: Visible within Context Data and fully accessible.

The Admin Guide states that layouts—representing how analysts view incident data, evidence, fields, and work plans—are attached directly toincident types. When configuring an incident type, the administrator can specify the layout for the “New,” “Editing,” and “Preview” modes. This ensures consistent presentation of data across the SOC, tailored to each use case (e.g., phishing, endpoint alerts, malware investigations).

Pre-process rules (option A) operate before incident creation and do not control the user interface layout. Incident playbooks (option B) automate response actions but have no effect on how the incident UI is presented. Integration instance settings (option C) define connection details and ingestion parameters but do not control UI layouts.

Only theIncident Type configuration pageincludes fields for selecting or assigning custom layouts. This aligns with XSOAR’s design principle: incident types define schema, workflows, and UI behavior, including which layout is displayed to analysts.

Thus, the correct answer isD, as incident layouts are configured and bound within theIncident Typesettings.