Pcsae Study Guide
Pcsae Study Guide
Automation Engineer
(PCSAE)
Study Guide
July 2022
You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.
More information is available from the Palo Alto Networks public page at:
https://www.paloaltonetworks.com/cortex/xsoar
Exam Format
The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in
the following table.
TOTAL 100%
The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks
Disclaimer
This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is not
intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and use
the resources and courses recommended in this guide where needed to gain that understanding.
Skills Required
● You can Develop Playbooks and integrations, configure incidents and layouts, configure and
manage indicator fields in XSOAR, know basics of Cyber Security such as IOC blocking, etc
and can configure dashboards and reports
● You have experience coding in Python and in cyber security as an Analyst
● There is no exam or course prerequisite towards attempting the PCSAE exam
Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:
● Cortex XSOAR: IT Administrator (DL)
● Cortex XSOAR Engineer- Building the Next-Generation SOC (DL)
● Cortex XSOAR SOC Analyst Training or equivalent knowledge (DL)
● Cybersecurity Fundamentals of Security Operations Center (DL)
● EDU 280 - Cortex XSOAR Analyst
● EDU 380 - Cortex XSOAR Engineer
Playbooks have different task types for each of the actions you want to take. Manual tasks can be
used where an analyst needs to confirm information or escalate an incident. Conditional tasks can
be used with a loop to check if certain information is present, so that you can proceed with the
investigation.
“Context data” is all of the gathered data. Every incident and playbook has a place to store data
called the “context,” which stores the results from every integration command and every
automation script that is run. The context is a map or key-value pair dictionary, the values of which
can nest additional structures. Context objects are in JSON-format, and they are created for each
incident.
The context keys are strings, while the values can be strings, numbers, objects, or arrays. The
context’s primary use is to pass data between playbook tasks; one task stores its output in the
context, and the other task reads that output from the context and uses it.
You can use private context when you want the content to be affected only by the inputs that this
sub-playbook receives rather than by outside changes.
Global context is for when the context in the parent playbook should be considered and accessed.
Note that a change made to a sub-playbook will impact the parent playbook during the next run of
the parent playbook.
The output result is stored into the JSON context in the incident or the playground, whether you
run an integration command from the CLI or a playbook task. For example, a command such as
!whois query="paloaltonetworks.com" would return the data and store the results into the
context.
1.1.1 References
Depending on the task type you select and the script you are running, playbook tasks have inputs.
Inputs are data pieces that are present in the playbook or task. The inputs are often manipulated or
enriched, and they produce outputs. Outputs are the objects whose entries will serve the tasks
throughout the playbook. They can be derived from the result of a task or command.
For the playbook tasks, the inputs might come from the incident itself, such as the role to which to
assign the incident, or input can be provided by integration—for example, when an Active Directory
integration is used in a task to extract a user’s credentials.
The following graphics show a playbook that is triggered based on context data, meaning an
incident. The first two inputs are the SrcIP, which comes from the incident.src key, and DstIP,
which is retrieved from incident.dest.
Outputs can be data that was extracted or derived from the inputs. For example, the following
images show the user’s credentials being retrieved from Active Directory. Those credentials will be
used to get the user’s account name, email address, and any groups to which they belong.
● The above example uses incident context data as the playbook input, Threat
Intel Management playbooks
1.2.1 References
● Playbook Tasks,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/pla
ybook-tasks
● Playbook Inputs and Outputs,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/pla
ybook-inputs-and-outputs
Playbooks can be divided into two categories, depending on their use. Technically, they are the
same, but there are some differences in terms of use.
“Parent” playbooks are playbooks that run as the main playbook of an incident. The other type is
“sub-playbooks,” which are just playbooks that are being called by another playbook.
Sub-playbooks are playbooks that can be nested into other playbooks, which are referred to as
parent playbooks. Sub-playbooks appear as tasks in the flow and have a book icon, but they can
contain a whole playbook. Inputs can be passed into sub-playbooks from the parent playbook,
used, processed in the sub-playbook, and then sent as output to the parent playbook.
Examples of parent playbooks are “Phishing Investigation —Generic v2” or “Endpoint Malware
Investigation – Generic” because an incident starts with them. Examples of sub-playbooks are “IP
Enrichment —Generic v2” or “Retrieve File From Endpoint – Generic” because they are steps taken
as part of the bigger investigation.
Because sub-playbooks are used as part of a bigger investigation, they should have inputs and
outputs. Ensure that the data you want to get from a sub-playbook is defined in its outputs, so that
it can be used outside of that playbook. Because sub-playbooks are building blocks that preferably
will be usable in other playbooks and use cases, you should define generic inputs for them.
Key Idea
https://xsoar.pan.dev/docs/playbooks/playbook-contributions
Navigate to Playbooks in the task viewer and select the sub-playbook to use as described in the
figure below:
You configure when to exit the loop by selecting one of the following options:
● For Each Input: The loop will exit automatically when the array it is looping over executes
the last item in the array. Note the following:
○ If the input is a single item, the sub-playbook will run one time. However, if the input
is a list of items, the sub-playbook will run as many times as there are items in the list.
Each iteration of the sub-playbook will use the next item in the list as the input.
○ If there are multiple input lists with the same number of items, then the
sub-playbook will run once for each input set. For example, if you have “input1” and
“input2”, “input1[i]” will run with “input2[i]”.
○ If there are multiple input lists with different numbers of items, the sub-playbook will
run once for each item in the input that has the greater number of items. When the
input with fewer items reaches its last item, the subsequent runs will continue to use
the last item in the shorter list until all items in the largest list have run.
Key Idea
1.4.1 References
1.5.1 Manual
Standard tasks are used for classic manual or script-based tasks, such as closing an investigation,
escalating to another analyst, or using a script to enrich data.
1.5.2 Automated
Automation is where tasks are arranged by the integrations they serve. You can scroll through the
integrations list and expand it to see the tasks by clicking the +. You can search for a task by name,
tag, or keyword in the search box above the list of integrations.
1.5.3 Conditional
Conditional tasks can be selected for decision trees or communicating with users through an Ask
task. Conditional tasks are used for determining different paths for your playbook. You can use
conditional tasks for something simple, such as proceeding if a particular integration exists or
determining whether a user account has an email address.
Data collection tasks can be selected for surveying users. Data collection tasks are multi question
surveys or forms that survey recipient access from a link in the message. The survey resides on an
external site that does not require authentication, thereby allowing survey recipients to respond
without restriction.
1.5.5 Sub-Playbook
The existing playbooks can be found and dragged into the new playbook to be used as
sub-playbooks. You should create small playbooks for the procedures used frequently so that they
can be called easily. Cortex XSOAR provides many predefined playbooks you can either use as is or
copy and customize to your needs. Refer to 1.4 for details.
To create a new task, either click + Create Task or drag off a line from the default section header
Playbook Triggered:
1.5.6 References
● Playbook Tasks,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/pla
ybook-tasks
● Create Playbooks,
https://xsoar.pan.dev/docs/playbooks/playbooks
In Cortex XSOAR, data is extracted and collected from various sources, such as playbook tasks,
command results, and fetched incidents, and is presented in JSON format. The data can be
manipulated by using filters and transformers.
You can add filters and transformers in a playbook task or when mapping an instance.
Filters enable the extraction of relevant data that you can use elsewhere in Cortex XSOAR. For
example, if an incident has several files with varying file types and extensions, you can filter the files
by file extension or file type and use the filtered files in a detonation playbook.
Transformers enable you to take one value and transform or render it to another value—for
example, converting a date in non-Unix format to Unix format. Another example is applying the
count transformer, which renders the number of elements.
You can filter as many nested objects as required. Cortex XSOAR automatically calculates the
context root to which to filter. For example, if you want to work with file extensions, Cortex XSOAR
calculates context root as File.Extension.
Filters enable you to extract relevant data for use elsewhere in Cortex XSOAR. For example, if an
incident has several files with varying file types and extensions, you can filter the files by file
extension or file type and use the filtered files in a detonation playbook.
Boolean: Determines whether a Cortex XSOAR field is true or false, or whether the string
representation is true or false
Date: Determines whether the left-side time value is earlier than, later than, or the same time as the
right-side time value. Different time and date formats are supported. For a detailed table, see the
references.
General: Includes general filters such as contains, doesn’t contain, in, and empty
Number: Determines the relationship between the left-side number value and the right-side
number value, such as equals, greater than, and less than.
Transformers enable you to take one value and transform or render it to another value. When you
have more than one transformer, you can reorder them by clicking and dragging them.
Date: Transforms the date. For example, Date to string and Date to Unix
General: Includes general transformers such as join, sort, splice, and stringify
String: Transforms strings. To make regex non-sensitive to case, use the (?i) prefix—for example,
(?i)yourRegexText.
Key Idea
1.6.1 References
The Cortex XSOAR playbook debugger enables you to build and troubleshoot playbooks by helping
you find tasks that might fail and by testing different conditions, branches, and input and output
options. Common use cases include:
● Playbook development – Test and improve playbooks as you build them.
The debugger runs the playbook with the permissions of the logged in user, not as dBot. When the
user sets breakpoints, skips tasks, or overrides inputs or outputs, those changes only apply to the
individual user’s session and do not permanently change the playbook. Using an existing incident
as test data does not affect the original incident or change the original context data. When tasks
run, however, they execute the same as they would without the debugger. For example, if you run
the debugger and a task adds an item to a list, that item will be in the real list, accessible across
Cortex XSOAR for all users with permission to view that list.
Key Idea
● Debugger runs the playbook with the permissions of the logged in user and
not as dBot.
1.7.1 Reference
● Playbook Debugger,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/deb
ugger
● Any change made to a sub-playbook impacts the parent playbook in the next run of the
parent playbook.
● The above example uses incident context data as the playbook input, Threat Intel
Management playbooks.
● Consider the following when adding a loop:
○ The maximum number of loops (default is 100). A high amount or a high wait time
combined with a large number of incidents, may affect performance.
○ Periodically check looping conditions to ensure they are still valid for the data set.
○ When the tasks input is an array, it is iterated automatically (no need to define a
loop).
● In Cortex XSOAR, data is presented in JSON format.
● Debugger runs the playbook with the permissions of the logged in user and not as dBot.
Q3. Which of the following provides dynamic input to playbook tasks and automation?
a. Incident tasks
b. Context data
c. Quick view
d. System
a. System
b. Parent
c. Boolean
d. Number
Q6. If the input is a list of items, then what will the sub-playbook do?
a. Manual
b. Automated
c. Conditional
d. Boolean
a. Date
b. String
Q9. In which format type is the context root calculated by the Cortex XSOAR?
a. File.Get
b. File.Extension
c. File.String
d. File.Number
Q10. Which of the following is the function of error troubleshooting?
a. Use the debugger to find and fix issues if a playbook stops on an error.
b. Test and improve playbooks as you build them.
c. Install content packs and use the debugger to see whether the included playbooks are
relevant for your use case.
d. Begin to create and test playbooks even before all integrations are in place by manually
providing inputs and outputs as needed.
Incident types are used to classify the events that are ingested into the Cortex XSOAR system. Each
incident type can be configured to work with a dedicated playbook, which can run either
automatically when an event is ingested or when triggered separately at a later point. You also can
configure dedicated service-level agreement (SLA) parameters for each incident type and run
specific post-processing scripts for the given incident type.
Cortex XSOAR is an orchestration and automation system used to bring all of the various pieces of
your security apparatus together.
Using Cortex XSOAR, you can define integrations with your third-party security and incident
management vendors. You can then trigger events from these integrations that become incidents
in Cortex XSOAR. Once the incidents are created, you can run playbooks on these incidents to
enrich them with information from other products in your system, which helps to paint a more
complete picture.
In most cases, you can use rules and automation to determine if an incident requires further
investigation or can be closed based on the findings. This enables your analysts to focus on the
minority of incidents that require further investigation.
The following diagram explains the incident lifecycle in Cortex XSOAR.
The create fields phase is used to display information from third-party integrations and playbook
tasks when an incident is created or processed.
The create incident types phase is used to classify the different types of attacks with which your
organization deals.
The create incident layouts phase is used to customize your layouts for each incident type to make
sure the most relevant information is shown for each type.
Key Idea
● Using Cortex XSOAR, you can define integrations with your third-party
security, incident management vendors and trigger events.
● Incident Lifecycle,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-lifecycle
After you define the incident type, you can configure its layout using the Cortex XSOAR embedded
Incident Layout Builder. For example, analysts will be interested in different information when
investigating a phishing incident versus a ransomware incident. You can customize the layout for
each incident to be presented with exactly the information the analysts need. In a phishing incident
example, that information might include the email headers and the email body, whereas for the
ransomware, the information would center on the family to which the ransomware belongs.
After configuring the layout for the incident type, you must map the different incident types that
your organization handles and the third-party integrations you have. For example, Cortex XSOAR
comes with ready-to-use incident types for phishing attacks. If you work with a different phishing
integration product, you can define an incident type specifically for those events. When you
configure your phishing product integration, you will associate it with your phishing product’s new
incident type, which will probably also have a dedicated phishing playbook.
You can add dynamic fields to a layout, such as a graph of the number of bad indicators, their
source, and severity. You can also use queries to filter the information in the dynamic section to suit
your exact needs. In addition, buttons may be added to a tab depending upon the type of
investigation being conducted.
2.3.2 Tabs
You can customize almost every aspect of the layout, including which tabs appear, the order in
which they appear, who has permissions, and what type of information appears. You can add filters
in each field or tab by clicking on the eye icon, which enables you to add conditions that show
specific fields or tabs. For example, if an analyst decides that a Cortex XDR Malware incident is a
Ransomware subtype, they may only want fields showing data about the encryption method to
appear and not to show information if the Malware subtype is adware.
You may also want to limit specific tabs to certain scenarios. For example, if a user clicks a phishing
link, the new tab can contain the relevant fields and action buttons for this scenario.
● New/Edit Form: When creating or editing an incident, you can add or delete sections and
fields as required.
● Close Form: Add, edit, or delete sections, fields, filters, when closing an incident.
Key Idea
● There are several Cortex XSOAR system layout sections and fields that you
cannot remove, but you can rearrange them in the layout and modify their
queries and filters.
2.3.4 References
● Incident Management,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-management#id79e86392-cdd0-42d8-9878-160e69df540f
● Working with Incident Types,
https://xsoar.pan.dev/docs/incidents/incident-types
Use the Settings > ADVANCED > Fields screen to see system fields and add custom fields for
Incidents, Evidence, and Indicators.
Use Incident Fields to accept or populate incident data coming from incidents. You create fields for
the information you want to insert that arrives from third-party integrations. The fields are added to
incident type layouts and are mapped using the Classification and Mapping feature.
Incident fields can be populated by the incident team members during an investigation, at the
beginning of the investigation, or before closing the investigation.
Use Indicator Fields to add specific indicator information to incidents. When you create an
indicator field, you can associate it with one particular incident type or all incident types.
You can add the following field types when adding a new field:
● Attachments: Enables addition of an attachment such as .doc, malicious files, reports, and
images of an incident
● Boolean: Determines whether a Cortex XSOAR field is true or false, or whether the string
representation is true or false
● Date picker: Enables the user to select datetime in ISO 8601 format using the datetime
widget in XSOAR
● Grid (table): Includes an interactive, editable grid as a field type for selected incident types
or all incident types
● HTML: Configuring the HTML field provides the capability to insert data into the field as
HTML. However, this makes the field not searchable in incident query.
Different field types are used in different parts of the investigation and integrations. For example,
the Dest NT Domain incident field is assigned to the Access, Malware, and Brute Force incident
types and can be used with them, as seen in the following screenshot.
Key Idea
2.4.1 References
The classification and mapping feature enables you to take the events and event information that
Cortex XSOAR ingests from integrations and classify the event as a type of Cortex XSOAR incident.
For example, Cortex might generate alerts from Cortex Traps, which you would classify according to
the information in those events either as a dedicated Traps incident type or perhaps Authentication
or Malware. Also, you might have EWS configured to ingest both phishing and malware alerts
which you want to classify to their respective incident types based on some information in the
event. By classifying the events as different incident types, you can process them with different
playbooks suited to their respective requirements.
Classification
Classification determines the type of incident that is created for events ingested from a specific
integration. You create a classifier and define that classifier in an integration.
Mapping
You can map the fields from your third party integration to the fields you defined in your incident
layouts.
Starting with version 6.0, mappers are separate entities from classifiers. This enables you to do the
following:
● Map your fields to incident types irrespective of the integration or classifier. This means that
you can create a mapping before defining an instance and ingesting incidents. By doing so,
when you do define an instance and apply a mapper, the incidents that come in are already
mapped.
● Create a default mapping for all of the fields that are common to all incident types, and then
map only those fields that are specific to each incident type individually. You can still
overwrite the contents of a field in the specific incident type.
● Use auto-map to automatically map fields based on their naming convention. For example,
severity would be mapped to importance.
● Mirror content in Cortex XSOAR with third party integrations. This enables you to make
changes to an incident in Cortex XSOAR and have that change be reflected in the case
managed by the integration. For example, if you are using a case management system such
as JIRA or Salesforce, you can close an incident in Cortex XSOAR and have that closure
reflected automatically.
Key Idea
● The integration must support pulling the integration schema for mirroring to
2.5.1 References
● Using Cortex XSOAR, you can define integrations with your third-party security, incident
management vendors and trigger events.
● There are several Cortex XSOAR system layout sections and fields that you cannot remove,
but you can rearrange them in the layout and modify their queries and filters.
● Creating Incident Fields is an iterative process in which you continue to create fields as you
gain a better understanding of your needs and the information available in the third party
integrations that you use.
● The integration must support pulling the integration schema for mirroring to work.
Q2. Which phase is used to display information from playbook tasks and third-party integrations?
a. Pre-processing phase
b. Create fields phase
c. Post processing phase
d. Planning phase
a. Display information
b. Customize layouts by incident type
c. Show relevant information of each incident type
d. Classify the types of attacks with which the organization deals
Q5. Which action should a user perform after configuring the layout?
Q6. When will you learn about the missing incident types?
a. Analyst
b. Administrator
c. Incident team members
d. Partners
Q8. Which three field types can you add when creating a new field? (Choose three.)
a. Short text
b. HTML
Q9. What do the classification and map features enable users to do? (Choose two.)
a. Generate alters
b. Classify phishing and malware alerts to respective incident types
c. Use events and event information that Cortex XSOAR ingests from integration
d. Map the fields from third-party integration to the fields defined in the incident layouts.
e. Create mapping for specific fields.
You have three different playbook types to use when you create playbooks. And when you create a
new task, you have three different types to choose from: standard, conditional, and data collection.
Standard tasks are used for classic manual or script-based tasks, such as closing an investigation,
escalating to another analyst, or using a script to enrich data.
Conditional tasks can be selected for decision trees or communicating with users through an Ask
task. Conditional tasks are used for determining different paths for your playbook. You can use
conditional tasks for something simple, such as proceeding if a particular integration exists or
determining whether a user account has an email address.
Data collection tasks can be selected for surveying users. Data collection tasks are multi question
surveys or forms that survey recipient access from a link in the message. The survey resides on an
external site that does not require authentication, thereby allowing survey recipients to respond
without restriction.
Key Idea
● You can collect responses in custom fields, for example, a Grid field.
War Room commands are commands that can be entered manually in the CLI at the bottom of the
screen.
The automation scripts that can be used with an integration can be found in several ways. Choose
the one best for you and the specific scenario you are in:
Start by typing ! and continue writing the name of an automation script or an integration
command from an enabled integration in the CLI. Cortex XSOAR will autocomplete and show
possible commands or scripts for that integration.
Start by typing ! and the CLI will autocomplete possible commands that you can execute and
provide tips for using the command. For example, !whois paloaltonetworks.com will return
registration information for the paloaltonetworks.com domain.
To see all possible commands for an enabled integration, open the integration in Settings >
Integration > Servers & Services and click the Show Commands link.
● To access the War Room: If you have an Admin role, clicking Playground on
the side bar opens the Playground - War Room tab. If you have another role,
typing any command in the CLI at the bottom of the page opens this tab.
● Cortex XSOAR does not index notes, chats, and pinned as evidence entries. If
you want to index these entries, see War Room Indexing.
The two different layout types are incident layouts and indicator layouts. Layouts are used to show
you the required information in different views and tabs.
For a phishing incident, you will want to see email headers, which would not be relevant for an
access incident or a file hash indicator; however, you might want to count how many times the
hash indicator is found in related incidents.
You can add automation script-based content to the Incident Summary and Incident Quick View
layout by adding the General Purpose Dynamic Section in the layout builder. The General
Purpose Dynamic Section enables you to configure a section in the Incident Info tab from an
automation script. The automation can return a simple text, markdown, or an HTML, the results of
which appear in General Purpose Dynamic Section.
You can add any required information from an automation. For example, you can assign a script
that calculates the total number of entries that exist for an incident, and it dynamically updates
when new entries are added to the incident. You can also Add a Custom Widget to the Incident
page and Add Note Information Using an Automation Script.
Key Idea
● Indicators are used to show required information in different views and tabs.
3.1.4 Jobs
You can create scheduled events in Cortex XSOAR using jobs. Jobs are triggered by either
time-triggered events or feed-triggered events.
For example, you can define a feed-triggered job to trigger a playbook when a specified threat
intelligence management (TIM) feed finishes a fetch operation for new indicators. Or you can
schedule a time-triggered job that runs nightly and removes expired indicators.
You can use the jobs feature for the following cases:
Key Idea
You can associate indicator fields with trigger automation scripts that check for field changes and
then take actions based on them. These scripts can perform any action when the conditions are
met. Indicator field trigger scripts allow indicators to become a proactive force within Cortex
XSOAR. For example, you can:
● Define a script that will run when the Verdict field of an indicator has changed. For example,
the script will fetch all incidents related to that indicator, and take any action that is
configured (reopen, change severity, etc.).
indicators = demisto.args().get('indicators')
new_value = demisto.args().get('new')
indicator_values = []
current_value = indicator.get('value')
indicator_values.append(current_value)
if new_value == "Expired":
else:
Automations can be created in Python, PowerShell, or JavaScript in the Automation page. To use a
field trigger automation, you need to add the field-change-triggered-indicator tag when creating
the automation. You can then add the automation in the Attributes tab, when you edit or Create a
Custom Indicator Field. If you did not add the tag when creating the automation, the automation
will not be available for use.
Key Idea
3.1.6 Pre/Post-Processing
Pre-Processing
Pre-processing rules enable you to perform certain actions on incidents as they are ingested into
Cortex XSOAR directly from the UI. Using the rules, you can select incoming events on which to
perform actions. For example, you can link the incoming event to an existing incident or, based on
configured conditions, drop the incoming incident altogether. For more information, see Create
Pre-Process Rules for Incidents.
Post-Processing
3.1.7 References
● Playbook Tasks,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/playbooks/pla
ybook-tasks
● Incident Tasks,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-management/incident-tasks#id82f6c4a9-846c-4a79-9e0d-ac94123b942c
● War Room Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-management/war-room-overview
● Customized Incident Layouts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/cust
omize-incident-view-layouts/customize-incident-layouts
● Add a Script to the Incident Layout,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/cust
omize-incident-view-layouts/add-a-script-in-the-incident-layout
● Jobs, https://xsoar.pan.dev/docs/incidents/incident-jobs
● Indicator Field Trigger Scripts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/mana
ge-indicators/understand-indicators/indicator-fields/indicator-field-trigger-scripts
Automations
The Automation section is where you manage, create, and modify scripts. These scripts perform a
specific action and are comprised of commands associated with an integration. You write scripts in
either Python or JavaScript. Scripts are used as part of tasks, which are in turn used in playbooks
and commands in the War Room.
Scripts can access all Cortex XSOAR APIs, including access to incidents and investigations, and
share data to the War Room, and so on. Scripts can receive and access arguments, and you can
password protect scripts.
The Automation section includes a Script Helper, which provides a list of available commands and
scripts, ordered alphabetically.
Commands
Key Idea
3.2.1 References
● Automations,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/playbooks/aut
omations
● Cortex XSOAR Concepts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/cortex-xsoar-o
verview/cortex-xsoar-concepts
● Common Scripts to use in Automations,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/aut
omations/common-scripts-to-use-in-automations
The Automation section includes a Script Helper, which provides an alphabetical list of available
commands and scripts:
Basic
Parameter Description
Key Idea
● In the Automation page, you can view, edit and create automations using
JavaScript, Powershell or Python.
Python
When creating or editing the widget in the Cortex XSOAR, to add a page break,
type /pagebreak in the text box. When you generate a report, the widgets that follow the page
break are on a separate page.
3.3.5 References
● Cortex XSOAR IDE, https://xsoar.pan.dev/docs/concepts/xsoar-ide#the-script-helper
● Automations,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/aut
omation
3.4 Identify the Properties and Capabilities of the XSOAR Framework for Integration
Throughout development of integrations and scripts, your code likely will cause something to break
at some point. One of the most significant features of Cortex XSOAR is its use of machine learning
to better time these crashes so they occur during your time off.
To find the source of the problem, you can check logs and War Room entries, and you can also use
the Demistomock library.
There is also a fourth option to debug your integration. The Cortex XSOAR plugin for the PyCharm
IDE enables you to design and author scripts and integrations for Cortex XSOAR directly from
PyCharm. The plugin adds a sidebar with Automation and Integration Settings, just like the
Settings sidebar in the Cortex XSOAR script editor. When you write code, the plugin provides you
with autocomplete of Cortex XSOAR and Python functions and allows you to debug your code
easily.
Key Idea
● You can easily debug your integration using the Cortex XSOAR plugin.
3.4.1 References
● Debugging,
https://xsoar.pan.dev/docs/integrations/debugging
● Create an Integration,
https://xsoar.pan.dev/docs/tutorials/tut-integration-ui
You can poll third party integration instances for events and turn them into Cortex XSOAR incidents
that trigger automations (fetching). There are a number of integrations that support fetching, but
not all support this feature. You can view each integration in the Cortex XSOAR Developer Hub.
When setting up an instance, you can configure the integration instance to fetch events. You can
also set the interval for which to fetch new incidents by configuring the Incident Fetch
Interval field. This enables you to control the interval in which an integration instance reaches out
You can change the default for all integration instances by setting the server configuration using
the serversiemincidents.schedule key. The value is the interval in seconds (s), minutes (m), or
hours (h). Setting the incident fetch interval when defining an instance overrides the server
configuration settings.
Key Idea
● You can add the field to any integration that fetches incidents. For
out-of-the-box integrations, to add the field, you need to create a copy of the
integration. Editing the integration settings including adding the Incident
Fetch Interval field, breaks the connection to out-of-the-box content. Any
future updates to this integration will be applied to the out-of-the-box
integration and not to the copy integration.
● If you turn off fetching for a period of time and then turn it on or disabled the
instance and enabled it, the instance remembers the "last run" timestamp,
and pulls all events that occurred while it was off. If you don't want this to
happen, verify that the instance is enabled and then click Reset the “last
run” timestamp in the settings window. Also, note that "last run" is retained
when an instance is renamed.
3.5.1 Reference
● You can collect responses in custom fields, for example, a Grid field.
● To access the War Room: If you have an Admin role, clicking Playground on the side bar
opens the Playground - War Room tab. If you have another role, typing any command in
the CLI at the bottom of the page opens this tab.
● Cortex XSOAR does not index notes, chats, and pinned as evidence entries. If you want to
index these entries, see War Room Indexing.
● Indicators are used to show required information in different views and tabs.
● Jobs are triggered by time-triggered events or feed-triggered events
● Automations can be created using Python, PowerShell or JavaScript in the automation page
● Scripts written in Python or JavaScript can access all Cortex APIs.
● Common scripts can be embedded when writing your own Automation scripts and
Integrations.
a. Conditional task
b. Standard task
c. Data collection task
d. None of the above
a. Incident layouts
b. Dynamic layouts
c. Indicator layouts
d. Button layouts
a. To create scripts
b. To create, manage and modify scripts
c. To write scripts in Java and Python
d. To access a few Cortex XSOAR APIs
Q5. Which two kinds of commands are available in Cortex XSOAR? (Choose two.)
a. Internal commands
b. System commands
c. Warm room commands
d. External commands
Q7. Which three parameters can you define in Script settings? (Choose three.)
a. Language type
b. Disabled
c. Run on
d. Content pack
a. Settings
b. Logs and War Room entries
c. Library
d. PyCharm IDE
a. Two minutes
b. 30 seconds
c. One minute
d. 15 seconds
a. Cortex XSOAR
b. Integration settings field
c. Cortex XSOAR Developer Hub
d. Incident Fetch Interval field
You can install, delete, and update content and contribute and share content items such as
playbooks, integration, and incident types in the Marketplace.
You can browse all content (including installed content), view only the installed content packs, or
see your contributions. When a content pack needs to be updated, you receive notifications and
view the updates on the Installed Content Packs tab.
When you search for content, you can use the search bar by adding text and then selecting the
content from which to search.
All Cortex XSOAR content is organized in packs. Packs are essentially groups of artifacts that
implement use cases in the product. Content packs are created by Palo Alto Networks, technology
partners, consulting companies, MSSPs, customers, and individual contributors. As was discussed in
Task 5.1.2, content packs may include various components, such as integrations, automations,
playbooks, incident types, and widgets.
When content packs need to be updated by the creators, they become ready for use after the
review and approval process by the Cortex XSOAR team, and you are notified about the updates in
the Cortex XSOAR interface.
Suppose you want to contribute the content entities you created. In that case, you should create a
content pack and submit it for review to Cortex XSOAR team so that it can be added to the Cortex
XSOAR Marketplace and thereafter become available to customers.
When a content pack is available for update, a notification appears next to the Marketplace icon,
and a message about content pack updates displays at the top of the Settings page.
You can update to the latest content version or specific versions. Any customizations you have made
are automatically included in any update. All dependent content packs update automatically with
the main content pack.
Users can see updates for content packs they have in their environment that were downloaded by
another user.
Key Idea
● If you want to downgrade, any content that depends on the content pack
including any customizations may be deleted if it does not exist in the target
content pack version.
In the figure above, you can see that an incident type depends on a playbook, an incident layout,
and an incident field. A widget depends on an incident field and a script. A script depends on
another script, and an integration and how they all are dependent on each other.
When you install a content pack, mandatory dependencies, including required content packs, are
added automatically to ensure that it installs correctly.
Some content which is not essential for installation still ensures that the other content runs
successfully. These dependencies include optional content packs, which can be added or removed
in the Cart.
Key Idea
● If you delete a content pack, which depends on other content packs, these
content packs may not run correctly. Also, if you roll back to an earlier version
of a content pack, other content packs might be affected. For example, if
content pack A depends on layouts from content pack B Version 2, reverting
to Content Back B Version 1 could cause content pack A to stop working.
You can revert to an earlier version of an installed content pack by following the these steps:
Step 1: In the Installed Content Packs tab of the Marketplace, search for the content pack.
Step 2: In the Version History tab of the content pack, view the previous versions.
Step 3: Choose the version you want to revert to and click Revert to this version. The selected
version will be added to your cart.
Key Idea
● If you roll back to an earlier version of a content pack, other content packs
might be affected. For example, if content pack A depends on layouts from
content pack B Version 2, reverting to content pack B Version 1 could cause
content pack A to stop working.
Cortex XSOAR Technology Partners are required to join the industry-standard support
framework, TSANet, to deliver support to our mutual customers. Customers engage directly with the
Partner for support and maintenance of the partner-supported content pack.
This term applies only to content packs published by Palo Alto Networks. These content packs are
supported and maintained by Palo Alto Networks according to the Palo Alto Networks End User
Support Agreement.
Key Idea
● Palo Alto Networks is not liable for and does not warrant or support any
content pack produced by a third-party publisher.
Any user can add content to a content pack. The content pack is submitted and reviewed by Cortex
XSOAR to ensure it complies with Cortex XSOAR standards. After approval, the content pack can be
used in the Marketplace.
Step 2 : In the Content Pack Editor field, type a meaningful name for the content pack.
Step 3 : In the Add Content section, select the type of content you want from the drop-down list,
locate the content you want to add, and click Add.
For more information about how to build a content pack, see the Dev Hub documentation.
Step 4 : If you want to continue adding content at a later time or to use the Validate Pack option,
click the Save button.
Step 5 : (Optional) Click Validate Pack to check for errors. The pack must be saved before you
validate.
Step 6 : If you have finished and want to send the content pack to a Cortex XSOAR developer for
review, click Save and contribute to either contribute or download your contribution.
Step 8 : Select Save and submit your contribution, enter your email address and click Contribute.
Instead of submitting the contribution, you can also download the content pack and upload it, for
example, to GitHub.
After sending the content pack, a confirmation message appears. You will be contacted about the
next steps in the review process.
4.1.7 Reference
All Cortex XSOAR content is organized in packs. Packs are essentially groups of artifacts that
implement use cases in the product. Content packs are created by Palo Alto Networks, technology
partners, consulting companies, MSSPs, customers, and individual contributors, and they may
include various components, such as integrations, automations, playbooks, incident types, and
widgets.
When content packs need to be updated by the creators, they become ready after the review and
approval process by the Cortex XSOAR team, and you are notified about the updates in the Cortex
XSOAR interface. To contribute the content entities you created, you should create a content pack
and submit it for review for it to be added to the Cortex XSOAR Marketplace and become available
to customers.
Any user can add content to a content pack that has been created, submitted, and reviewed by
Cortex XSOAR to ensure that it complies with Cortex XSOAR standards. After approval, the content
pack can be used in the Marketplace.
You can install only one content pack at a time from the Marketplace. Cortex XSOAR automatically
adds any content that is required to install the content pack. You also can add any recommended
content packs that use the content pack you want to install.
Before you install a content pack, search for it by using the Browse tab. When you find the required
pack, you can see what is included in it and then use the Install button to finish the installation.
● You can install only one content pack at a time from the Marketplace.
When you create your content packs, you can use the Contributions tab in the Marketplace to send
them to Cortex XSOAR for review and approval. If you want to prepare the content pack and send it
later for review or upload it to GitHub, you can export your package in the Contribution screen by
selecting the Save and download your contribution option:
You usually need an Internet connection when using the Marketplace for tasks such as
downloading and subscribing to content packs because all these services are in the cloud. However,
you can upload content packs offline. The administrator downloads the content pack to install,
which is in ZIP format.
Before you start uploading content that you want to install, you should update server configurations
to turn off Marketplace synchronization in the cloud for both the content packs and the review
process by adding the following keys values to Settings > About > Troubleshooting > Add Server
Configuration. Addition of those keys improves system performance.
Key Value
marketplace.sync.enabled false
marketplace.content.packs.rating.enabled false
marketplace.subscriptions.sync.enabled false
Key Idea
● You need internet connection when using the Marketplace for tasks such as
downloading and subscribing to content packs.
Step 2 : Enter a description of the change that was made to the current version.
4.2.5 References
● Content Pack Contributions,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/c
ontent-pack-contributions#id155ef400-1b97-4e8b-9027-055c7fe873e6
● Marketplace FAQs,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/
marketplace-faqs
● Troubleshoot Content Issues,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-multi-tenant-guide/re
mote-repositories-for-multi-tenant-deployments/troubleshoot-a-remote-repository-configur
ation/troubleshoot-content-issues#id8ccd163f-44fd-49ac-a8f3-275b2a7809c2
● Version Control,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/vers
ion-control
Once you develop your content, you must push the changes to the remote repository for the
updated content to be available as part of a content update for the production environment.
You can save versions and manage revisions locally using the Save Version button. Alternatively, you
can click the save button to save the changes.
For all other content types, your changes are automatically saved locally.
You can push individual items such as a playbook or content packs as a whole. If you want to have
more granular control over the items in the content packs that you push, add the
ui.version.control.push.partial.packs server configuration and set the value to true.
1. Go to Settings > Local Changes. Push the following content according to the tabs:
● Items: Content that is not related specifically to a content pack. For example,
customized automations or playbooks.
If you have already pushed a content pack and later edit one of its content items, the
edited items will appear in the Items tab, not the Packs tab.
● Packs: All of the content that is specific to the content packs you installed from
Marketplace.
Step 3 : (Optional) If you want to control access when pushing content, do the following on the
remote repository:
● When working with remote repositories and upgrading to v6.0 and above,
push your classifiers and mappers on the development environment before
grading the product environment.
4.3.1 Reference
● Edit and Push Content to a Remote Repository,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/remote-reposit
ory/edit-and-push-content-to-a-remote-repository
Cortex XSOAR requires the following hardware. Ensure you meet all minimum system requirements.
Cortex XSOAR Server
Cortex XSOAR server has specific operating system and hardware requirements.
Hardware Requirements
If your hard drive is partitioned, we recommend a minimum of 450GB for the /var partition for the
development environment, and 900GB for the /var partition for the production environment.
When deploying Cortex XSOAR with BoltDB, we recommend a limit of 1 million indicators for the
development environment and 5–7 million indicators for the production environment. If you will
have more indicators, we recommend using Elasticsearch.
Docker/Podman Requirements
You may need to take additional steps to set up Docker or Podman, depending on your operating
system.
The remote repository feature in the UI is not supported on development environments that run as
High Availability (multi-app servers). You can still use a development > staging > production set
up, where development is a single server (not High availability), but production can be High
Availability. In this setup, both staging and production pull from the same git repository. If your
development environment runs as High Availability, use the CI/CD Solution.
Key Idea
● Working with remote repositories is git-based. Any service that supports this
protocol can be used, for example, GitHub, GitLab, Bitbucket, etc. In addition
on-premise repositories are also supported.
● If you have more than two pre-processing rules in your Local Changes queue,
you must push all of those changes to the remote repository.
4.4.3 Engines
Cortex XSOAR engines are installed in a remote network and allow communication between the
remote network and the Cortex XSOAR server. You can run scripts and integration commands on an
engine. It is possible to install a single engine or multiple engines.
You can install multiple engines on the same machine (Shell installation only) which is useful in a
dev-prod environment where you do not want to have numerous engines in different environments,
and to manage those machines. In a multi-tenant environment, users may want to deploy engines
for tenants on the same machine, and you can share an engine between tenants.
An engine is used for the following purposes:
● Proxy
● Load-balancing
Engine Proxy
Cortex XSOAR engines enable the Cortex XSOAR server to access internal or external services that
are otherwise blocked by a firewall, proxy, or other blockers. For example, if a firewall blocks external
communication and you want to run the Rasterize integration, you need to install an engine to
access the Internet.
By default, the Cortex XSOAR server is part of the load balancing group. It is recommended that
you Remove the Cortex XSOAR Server From the Load-Balancing Group, which increases
performance, when there are two or more engines in the load-balancing group or if you use engines
to access integrations that are inaccessible from the Cortex XSOAR server.
You can Install a Cortex XSOAR Engine on Linux and Windows machines. After installing the engine,
you can Configure Engines, such as log levels, add/remove servers to a load-balancing group, use as
a web proxy, etc. You can also Manage Engines, such as getting logs, add/remove engines, delete
engines, remove engines, etc. Before installing, review the system requirements in Install a Cortex
XSOAR Engine.
Key Idea
Main host
The main host is the main instance in the architecture from which you access and administer
tenants (accounts) and create and manage hosts.
Host
A host is an instance of Cortex XSOAR that acts as a proxy between the main host and tenants. In a
multi tenant deployment, hosts are not required but they do enable you to scale your deployment
by managing a collection of tenants. Data is not stored on host machines.
Tenant
A tenant is also an instance of Cortex XSOAR that serves a customer or account and can be located
either on the main or other hosts. The tenant has customer-specific data such as indicators,
incidents, layouts, etc., which are stored in the tenant’s index of the database. Tenants share
indicators with the main host using a shared database index. The tenant can also inherit content,
such as playbooks, indicators, incident types, etc. from the main host using propagation labels.
Engines
Data Segmentation
Cortex XSOAR content, including playbooks, automation scripts, and incident/indicator layouts,
among others, is managed on the main host and propagated to tenants.
Indicator Sharing
Each tenant account has a dedicated shared index in Elasticsearch, which enables tenant accounts
to share local indicators to a dedicated Elasticsearch index, from which other tenants can ingest
those indicators (as configured on the main host). Storing local indicators on a shared index
maintains data segregation between tenants, but the tenants are able to benefit from the locally
discovered threat intel.
Communication
The main host and hosts communicate with each other using TLS 2.1 over port 443 (this is the
default port, but can be configured). In addition, all hosts working with Elasticsearch communicate
with the database over port 9200.
Requests to the tenants are sent through the hosts (main or other) on port 443. The hosts forward
the requests to the tenants, which listen on ports 18501 and higher.
4.4.5 Elasticsearch/HA
Elasticsearch is a distributed, open source search and analytics engine for all types of data. It enables
processing and storing large amounts of data.
When you migrate the objects that exist in Cortex XSOAR to Elasticsearch, they are moved to a
designated index used by a specific Elasticsearch instance. Every Elasticsearch index is composed of
at least one primary shard where the data is stored. A replica shard is a copy of a primary shard.
Replicas provide redundant copies of your data to protect against hardware failure and increase
capacity to serve read requests like searching or retrieving data.
The following diagram depicts a Cortex XSOAR environment with Elasticsearch.
Key Idea
● You must stop the Cortex XSOAR server before you run the migration tool.
This enables the tool to safely access the database and required
configurations.
● Moving data from the Elasticsearch database back to the Cortex XSOAR Bolt
database is not supported.
The Docker image creation process is managed via the open-source project “demisto/dockerfiles.”
Before you try to create a new Docker image, check to see whether one already is available. You can
search the repository-info branch updated nightly with image metadata and os/python packages
used in the images.
Note: For security reasons, Cortex XSOAR cannot accept images that are not part of the Docker Hub
Palo Alto Networks (Demisto) organization.
If you cannot find an existing image, see the article about creating a Docker image for testing and
production use at https://xsoar.pan.dev/docs/integrations/docker#docker-image-creation.
Suppose you need to install Docker images in air-gapped environments. In that case, you can
download Docker images by appending &downloadName=dockerimages to the Cortex XSOAR
server download link you received from Cortex XSOAR, then read the required instructions in the
related reference documents in the “References” section below.
Key Idea
● For security, images that are not part of the Demisto organization in Docker
hub cannot be accepted.
4.4.7 Reference
● System Requirements,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/installation/sys
tem-requirements
● Remote Repositories Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-multi-tenant-guide/re
mote-repositories-for-multi-tenant-deployments/remote-repositories-overview
● Remote Repositories Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/remote-reposit
ory/remote-repositories-overview#idd7d0e7b2-d264-4fb6-92a9-e3cb757bcaef
● Cortex XSOAR Engines Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/engines/under
stand-demisto-engines
● Multi-Tenant Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-multi-tenant-guide/m
ulti-tenant-deployments/multi-tenant-overview#ida761db45-9bd8-4dc9-8209-36f0b3ada236
The Cortex XSOAR is an orchestration and automation system which is used to bring all of the
various pieces of your security apparatus together. You can define integrations with your third-party
security and incident management vendors using Cortex XSOAR. You can then trigger events from
these integrations that become incidents in Cortex XSOAR. Once the incidents are created, you can
run playbooks on these incidents to enrich them with information from other products in your
system, which helps to paint a more complete picture.
In most cases, you can use rules and automation to determine if an incident requires further
investigation or can be closed based on the findings. This enables your analysts to focus on the
minority of incidents that require further investigation.
The following diagram explains the incident lifecycle in Cortex XSOAR.
4.5.1 Reference
● Incident Lifecycle,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/incidents/incid
ent-lifecycle#id7fb4dd09-6ebf-472f-a3a4-c9998c6f2224
Cortex XSOAR uses role-based access control (RBAC) for controlling user access. RBAC helps
manage access to Cortex XSOAR components so that users, based on their roles, are granted the
minimal access required to accomplish their tasks:
Out-of-the-box content pack incident layouts display a locked icon, which means you must
complete one of the following options to edit the layout:
● Duplicate an incident layout. To add the layout to the incident type, you need to detach the
incident type and then add the layout.
● Detach the layout. When detached, the layout does not receive content pack updates until
reattached. You do not need to edit the incident type because the layout name remains the
same. If you detach a layout, make edits, and later want to receive content pack updates for
that layout, we recommend you duplicate the incident layout before reattaching the original
to protect your changes from content pack updates.
Incident Layout Builder
You can customize the display information, including fields for existing incidents, by modifying the
sections and fields for the following views, as explained below:
● Incident Summary
o Within the incident summary, you can see different tabs that appear for the incident
type, some of which can be customized.
You may also want to limit specific tabs to certain scenarios. For example, if a user clicks a phishing
link, the new tab can contain the relevant fields and action buttons for this scenario.
You can add dynamic fields to a layout, such as a graph of the number of bad indicators, their
source, and severity. You can also use queries to filter the information in the dynamic section to suit
your exact needs.
● New/Edit Form
When creating or editing an incident you can add, edit, delete sections, fields, and filters as
required.
● Close Form
Add, edit, or delete sections, fields, and filters when closing an incident.
● Incident Quick View
Add, edit, and delete sections, fields, and filters in the Incident Quick view section within the
incident.
Key Idea
● There are several Cortex XSOAR system layout sections and fields that you
cannot remove, but you can rearrange them in the layout and modify their
queries and filters.
By default, most automations in Cortex XSOAR are run as the limited user. However, some
automations require higher permissions and are delivered out-of-the-box with Run as set
Consider, for example, that you have an automation that searches for all incidents in the system. The
following scenarios show how the system behaves given the various configurations.
Scenario 1
Set the automation with Run as, defined as DBotRole, and do not set the Role parameter.
Anyone can run the automation, whether they are an analyst or administrator, and they have access
to all incidents that are returned.
Scenario 2
Set the Run as parameter to DBotRole, and set the Role parameter to Analyst. Any user with at least
analyst permissions will have access to execute the automation. All other users are not able to
implement the automation in playbook tasks. They cannot run the automation manually from
either the command line or in a playbook.
All users can see the results of the execution in the War Room.
Set the Run as parameter to Analyst and do not set a role. Everyone can run the automation, but
only incidents that are viewable by the analyst role are returned.
Scenario 4
You set the Run as as parameter to Analyst and define the Role parameter as Analyst. Only users
with at least the analyst role are able to execute the automation, and only incidents that are
viewable by the analyst role are returned.
Key Idea
Key Idea
● All team members have read and write permissions. If you add team
members, but their roles have read-only permission, the user still has read
and write permission and can access the investigation.
● If you add a role, but the incident has been restricted to team members, and
the user is not a team member, the user cannot access the incident
regardless of the role. For example, if you restrict the incident to User A and
User B team members who are Tier 1 analysts but then try to add Tier 2
analysts (none of whom are team members) to the list of roles, a Tier 2
analyst cannot access the incident.
● If you assign a role (read and write permission) and assign the same role as
read only, the user still has read/write permission. You need to remove the
assigned role. If you restrict the incident, the read-only role does not override
the restriction. In other words, team members permission takes precedence.
4.6.6 Reference
● Integration Permissions,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/users-and-role
s/integration-permissions#ida5e08d7e-348a-402b-bbfc-d051212913c0
● Customize Incident Layouts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/cust
omize-incident-view-layouts/customize-incident-layouts
● Automations,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/aut
omations
● Incident Access Control Configuration,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incid
ent-access-control-configuration
The Cortex XSOAR logs provide information about events that occur in the system. These logs are a
valuable tool in troubleshooting issues that might arise in your Cortex XSOAR environment.
A log bundle is a zip file of additional logs available in the Cortex XSOAR system. These logs provide
additional information that is useful in troubleshooting issues that arise in your Cortex XSOAR
system. Send the log bundle zip file to Cortex XSOAR support to use for debugging purposes. After
you create the log bundle, the logs also will appear in /var/log/demisto/.
Throughout development of integrations and scripts, your code likely will cause something to break
at some point. One of the most significant features of Cortex XSOAR is its use of machine learning to
better time these crashes so they occur on your time off.
You can check logs and War Room entries and use the Demistomock library.
Another option is to debug your integration. The Cortex XSOAR plugin for the PyCharm IDE enables
you to design and author scripts and integrations for Cortex XSOAR directly from PyCharm. The
plugin adds a sidebar with Automation and Integration Settings, just like the Settings sidebar in the
Cortex XSOAR script editor. When you write code, the plugin provides you with autocomplete of
Cortex XSOAR and Python functions and allows you to debug your code easily.
4.7.3 References
4.8.3 Reference
● Playbook Task Fields,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/play
book-tasks/playbook-task-fields
The System Diagnostics page enables you to monitor and improve system performance and
resilience. On the System Diagnostics page, you can view CPU and memory usage, the status of the
Docker service, unusually large tasks, storage issues, etc. In some cases, the issue can be corrected
within the System Diagnostics page. Audit Trails, for example, can be deleted with one click. For
issues that require more in depth troubleshooting, you can click through to a Knowledge Base
article with more information and solutions. System Diagnostics thresholds can be customized.
You can view the System Diagnostics page at Settings > About > System Diagnostics.
A daily email is sent by default to all site administrators, notifying them of possible issues. The
following server configurations enable you to disable or modify email notifications.
Key Value
Default is true. False disables all system diagnostics
diagnostics.notification.enabled
email notifications.
(Multitenant) To view System Diagnostics for hosts in a multitenant environment, go to Settings >
Account Management > Hosts in the main host account. Each host has a Diagnostics page. You
can also view information about CPU, Storage, and Memory usage for each tenant account on the
host.
You can also use the getSystemDiagnostics command to create a JSON output of this data. If
you have an open support ticket related to system performance, you can attach the output of this
command to the ticket to provide Cortex XSOAR Customer Support with relevant information. Use
the associated verbose argument to return additional information, such as the specific IDs of
incidents with big context data.
4.9.1 Reference
● System Diagnostics,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/cortex-xsoar-o
verview/system-diagnostics
● If you want to downgrade, any content that depends on the content pack including any
customizations may be deleted if it does not exist in the target content pack version
● If you delete a content pack, which depends on other content packs, these content packs
may not run correctly. Also, if you roll back to an earlier version of a content pack, other
content packs might be affected. For example, if content pack A depends on layouts from
content pack B Version 2, reverting to Content Back B Version 1 could cause content pack A
to stop working.
● If you roll back to an earlier version of a content pack, other content packs might be affected.
For example, if content pack A depends on layouts from content pack B Version 2, reverting
to content pack B Version 1 could cause content pack A to stop working.
● Palo Alto Networks is not liable for and does not warrant or support any content pack
produced by a third-party publisher.
● You can install only one content pack at a time from the Marketplace.
● When a content item is duplicated, it becomes a custom content and will not receive
updates but you can view updates.
● You need internet connection when using the Marketplace for tasks such as downloading
and subscribing to content packs.
● When working with remote repositories and upgrading to v6.0 and above, push your
classifiers and mappers on the development environment before grading the product
environment.
● Working with remote repositories is git-based. Any service that supports this protocol can be
used, for example, GitHub, GitLab, Bitbucket, etc. In addition on-premise repositories are also
supported.
● If you have more than two pre-processing rules in your Local Changes queue, you must push
all of those changes to the remote repository.
● You cannot share a multiple engine installation with a single engine installation.
Q1. Which two search actions can you perform in the Marketplace? (Choose two.)
a. Files
b. Packs
c. Both files and packs
d. Sequence
a. Update a playbook
b. Access a playbook version
c. Restore a playbook version
d. Search the required playbook
Q5. What does the Cortex XSOAR require for container management?
a. BoltDB
b. Docker
c. Docker or Podman
d. Only IPv4
Q6. You can install the Cortex XSOAR Engine on which two types of machine? (Choose two.)
a. Windows
b. Mac OS
c. Linus
d. Ubuntu
Q8. How can you edit the locked icon of the content pack incident layout? (Choose two.)
Q9. Who can view the results when an automation runs with elevated permissions?
a. All users
b. Users with high permissions
c. Users with low permissions
d. User to whom Cortex team assign permission
Q10. What happens when a task operates in Quiet Mode? (Choose two.)
5.1.1 Indicators
The indicators tab provides a summary of threat intelligence data that Palo Alto Networks has on a
particular threat indicator, including URLs, domains, IP addresses (IPv4 and IPv6), and hashes. The
threat intelligence summary data, depending on the type of indicator, can include the WildFire
verdict, detection reasons, associated metadata (including the indicator source(s)), WHOIS
information, tags, logs of DNS activity from all samples analyzed with WildFire active/passive DNS
history where autofocus detected instances of the artifact, and other related information. This can
help you assess whether a specific hash, domain, URL, or IP address is associated with suspicious
behavior and analyze the nature of a threat.
The threat indicator summary provides a breakdown of the properties, behaviors, and activities
reported by various Palo Alto Networks analytics services. URL entries can include additional context
provided by analysis data derived from the improved URL analysis capabilities found in the WildFire
global cloud. This content is categorized into three categories: Summary, Evidence, and Analyst.
Summary content provides a high-level overview of the URL, including PAN-DB categorization
details, detection reasons with verdict, WHOIS information, all accompanied by a screenshot.
● WildFire Verdict: The verdict of the sample based on the WildFire analysis of the file or
email link.
● Tags: Lists the tags or tag groups associated with the threat indicator.
● Upload Source: Lists which of your connected Palo Alto Networks services or appliances
uploaded the threat indicator.
● First/Last Seen Date: Displays when the threat indicator was first and last sent to WildFire
for analysis.
● WHOIS: Shows general domain information.
● PAN-DB Categorization: View URLs associated with the domain, URL, or IP address
through PAN-DB and the PAN-DB category for each URL.
● WildFire DNS History: View a log of domain to IP address mappings based on all samples
that launched a request to connect to a domain during WildFire Analysis.
● DNS Security Results: A list of domains that have been analyzed by DNS Security is
displayed here.
● Passive DNS History: View a passive history of domain to IP address mappings that
contain matches to the artifact you searched for.
● Active DNS History: View active domain to IP address mappings that contain matches to
the artifact you searched for.
Virus Total
A direct link to the Virus Total analysis of the specified file hash.
This option is only available for file hashes.
Sample and Session Details
You can pivot to a sample or session search on the specified indicator. This automatically initiates a
search based off of the initial query and can provide a wider context and additional details.
Key Idea
5.1.2 Incidents
By using Cortex XSOAR, you can define integrations with your third-party security and incident
management vendors. Then you can trigger events from these integrations that become incidents
in Cortex XSOAR. Once the incidents are created, you can run playbooks on these incidents to enrich
PHASE DESCRIPTION
This is an iterative process. After you initially create your fields and incident types and then
implement them in your incident layouts, you can start the process of ingesting information. At that
point, you can see how accurately you mapped out your information. Make changes as you go along
and learn more about the information you are receiving. Information not mapped to fields is
available in labels, but it is much easier to work with the information when it is properly mapped to
a field and displayed in the relevant layouts.
Configure Integrations
Configure integrations with your third-party products to start fetching events. Events can be
potential phishing emails, authentication attempts, and SIEM events, among others.
Classification Mapping
Once you configure the integrations, you must determine how the events ingested from those
integrations will be classified as incidents. For example, for email integrations, you might want to
classify items based on the subject field; however, for SIEM events, you will classify by event type. In
addition, you need to map the information coming from the integrations into the fields you created
in the planning stage. For more information, see Classification and Mapping.
Pre-Processing
Pre-processing rules enable you to perform certain actions on incidents as they are ingested into
Cortex XSOAR directly from the UI. Using the rules, you can select incoming events on which to
perform actions; for example, you can link the incoming event to an existing incident, or based on
configured conditions, drop the incoming incident altogether. For more information, see Create
Pre-Process Rules for Incidents.
5.1.3 Dashboards
The dashboard consists of visualized data powered by fully customizable widgets that enable you to
analyze data from inside or outside Cortex XSOAR in different formats such as graphs, pie charts, or
text from information. For more information about widgets, see Widgets Overview.
When you first install Cortex XSOAR, the following dashboard tabs are created:
● Incidents: Information relating to incidents, such as severity type, active incidents,
unassigned incidents, and so on
● System Health: Information relating to the Cortex XSOAR Server
● My Dashboard: A personalized dashboard relating to your incidents, tasks, and so on
● SLA: Information relating to your Service Level Agreement
My Dashboard Options
In every dashboard, you can set the date range from which to return data and the refresh rate. In the
DASHBOARDS tab, you can do the following:
● Filter Data for all widgets
You can filter dashboard data either by typing the query in the query bar, or, in the
relevant widget, by clicking Filter In. When clicking Filter In, the query is added to the
query bar. To filter out, delete the query. For example, if you only want to see critical Cortex
XDR incidents, hover over the Cortex XDR incident and click Filter In in the Incident
Severity by Type widget.
● After creating the filter, you can send the URL of the filtered dashboard to other users.
● Change Color of Widgets: You can change the group color of some of the widgets. The
color changes only for that widget in the dashboard. To permanently change the color of
the widget, edit the color in the Widgets Library. For example, while in the Widgets
Library, if you change the color for Cortex XDR in the Incident Severity by Type to red, that
widget remains red the next time you add it to a dashboard. However, it does not change
for any other widget.
● Copy the value: From the widget, selecting Copy value enables you to copy the value
used in the widget for commands, in the War Room, etc.
● Create a Dashboard
● Edit a Dashboard
● Import and export a dashboard, which is useful in a test and production environment.
The dashboard is exported as a JSON file. You can make any changes you require and
then import the file.
● Add default dashboards
In a production environment, an administrator defines the default dashboards for each
user, which is dependent on a user’s role. If a user has not modified their dashboard, these
Key Idea
● If you install a Content Pack which contains dashboards, these can be added
when creating a new dashboard. To change the order of the dashboards,
click next to the relevant dashboard, and then drag and drop the dashboard
into the required location.
● If you want to see more information about the data, click the data to take
you to the relevant page. For example, in the Active Incidents by Severity
widget, to see only critical incidents, click Critical. This takes you to the
Incident page, where you can see all the active critical incidents.
See the following topics for details on using the AutoFocus search:
○ Start an Indicator Search.
○ Start a sample or session simple mode search.
○ Start a sample or session advanced mode search.
○ Add a search condition to a remote search.
○ Use a saved search.
5.2.1 Layouts
Each out-of-the-box threat intel type comes with its own associated layout, but there might be
times where customization is needed. You can customize almost every aspect of the layout,
including which tabs appear, in which order they appear, who has permissions to view the tabs, and
which information appears and how it is displayed.
Out-of-the-box and custom report types appear in the Threat Intel Reports > Types tab. The name
of the layout for the out-of-the-box reports appears in the Threat Intel Reports > Layouts tab.
To customize the layout of an out-of-the-box report, you can do any of the following:
● Duplicate and edit the report layout, and then edit the report type to add the new layout.
● Detach the layout and edit it.
● While a report layout is detached, it does not receive content pack updates. If you detach
a report type layout, make edits, and later want to receive content pack updates for that
layout, we recommend you duplicate the report layout before reattaching the original to
protect your changes from content pack updates.
● Create a new layout, detach the report type, and then edit the report type to add the new
layout.
Create a New Report Layout
The following procedure describes how to create a new layout, but you can follow similar steps to
customize an existing layout (using the guidelines mentioned above).
Step 1 : Go to Settings > OBJECTS SETUP > Threat Intel Reports > Layouts
Step 2 : Click to add a New Layout
Step 3 : Customize the tabs
1. From the Library section, drag and drop the required Cortex XSOAR Sections as follows:
SECTION DESCRIPTION
You can determine how a section appears in the layout. For example, does the section include the
section header? You can also configure the fields to appear in rows or as cards. For example, if you
know that some of the field values will be very long, you are better off using rows. If you know that
the field values are short, you might want to use cards so you can fit more fields in a section.
Step 6 : Remove or duplicate a section, select the section, click and select the relevant option.
1. Go to Settings > OBJECTS SETUP > Threat Intel Reports > Types
3. Add the customized layout from the drop-down list in the Layout field.
Step 8 : If the layout you created was for a new report type that was based on an out-of-the-box
threat intel report type, you can contribute it to Marketplace.
1. In the Layouts page, click the new report type you want to contribute to Marketplace.
You can add content to threat intel report layouts, based on an automation script. You need to add
the General Purpose Dynamic Section when editing layouts.
The General Purpose Dynamic Section allows you to configure a section in a layout tab from an
automation script. The automation can return a simple text, markdown, or an HTML, the results of
which appear in the General Purpose Dynamic Section. You can add any required information from
an automation. Before you begin, you need to create an automation script.
The following is an example of a script that can be added. This script can be used to add a button to
the layout that sets a threat intel report as published.
def publish ():
now_utc = datetime.now(timezone.utc)
object = demisto.args('object')
object_id = object.get('id')
roles = execute_command('getRoles', {})
execute_command(
'setThreatIntelReport',
{
'id': object_id,
'xsoarReadOnlyRoles': demisto.dt(
Step 2 : Drag and drop the General purpose Dynamic Section onto the page.
Step 3 : Select the General purpose Dynamic Section, click and then Edit section settings.
Step 5 : In the Automation script field, select from the drop-down list the script that returns data for
the dynamic section.
Key Idea
● Only automations to which you have added the general-dynamic-section
tag appear in the drop down list.
● Run real-time security actions through the CLI without switching consoles
● Run security playbooks, scripts, and commands
● Collaborate and execute remote actions across integrated products
● Capture incident context from different sources
● Document all actions in one source
● Converse with others for joint investigations
When you open the War Room, you can see a number of entries such as commands, notes,
evidence, tasks, etc., in several formats such as Markdown, HTML, and so on. When Markdown,
HTML, or geographical information is received, the content is displayed in the relevant format.
ACTION DESCRIPTION
You can edit, format, or delete your own entries. If an entry has
Edit been changed, a History link will appear where you can view all
changes to the entry.
You can run various commands in the CLI by typing the following:
● Integration commands, automations, and built-in commands. For example, add evidence,
assign an analyst, etc.
● /: System commands/operations. For example, add notes, close an investigation, etc.
Filter Entities
You can filter entries by clicking . You can add any filter by selecting the check box or click to
remove that action. The filter menu contains three types of War Room entities by which you can
filter, including:
● Actions
● Tags
● From
Use the And/Or toggles between the Actions, Tags, and From sections.
● And: Use to combine two or more filters.
● Or: When one item is found, it shows relevant entries.
You can save the filter by clicking Add. You can also retrieve Saved filters.
Key Idea
● To access the War Room: If you have an Admin role, clicking Playground on
the side bar opens the Playground - War Room tab. If you have another role,
typing any command in the CLI at the bottom of the page opens this tab.
● Cortex XSOAR does not index notes, chats, and pinned as evidence entries. If
you want to index these entries, see War Room Indexing.
After clicking the Follow check box, you can see the playbook executing in real time.
You can do the following in the Work Plan:
● View inputs and outputs of a playbook.
● View, create, and edit a playbook task for each required step.
When you create a task, add a name, automation, and description. The name and
description should be meaningful so that the task corresponds to the data that you are
collecting.
For each task you can do the following:
Designate tasks as complete either manually or by running a script.
Assign an owner for a task.
Set a due date for the task.
Add comments and completed notes as required.
● Re-run the playbook, zoom in and out, and export to a PNG format.
The color coding and symbols in the Work Plan help you to easily troubleshoot errors or respond to
manual steps. The following table displays the color codes and their meanings.
ACTION DESCRIPTION
ACTION DESCRIPTION
Quick View You can see a summary of the incident, timeline information, labels,
and indicators.
Context Data View context data. The context is a map (dictionary) created for each
incident and is used to store structured results from the integration
You can also edit or add actions in the Case Info/Incident Info field.
Key Idea
5.2.6 Reference
5.3.1 Sections
You can add dynamic sections to a layout, such as a graph of the number of bad indicators, their
source, and severity. You also can use queries to filter the information in the dynamic section to fit
your exact needs.
5.3.2 Fields
Use Incident Fields to accept or populate incident data coming from incidents. You create fields for
information that arrives from third party integrations in which you want to insert information. The
fields are added to Incident Type layouts and mapped using the Classification and Mapping feature.
Incident Fields can be populated by the incident team members during an investigation, at the
beginning of the investigation, or prior to closing the investigation.
You can add the following field types when adding a new field.
● Attachments: Enables addition of an attachment such as .doc, malicious files, reports, and
images of an incident
● Boolean : Determines whether a Cortex XSOAR field is true or false, or whether the string
representation is true or false
● Date picker: Enables the user to select datetime in ISO 8601 format using the datetime
widget in XSOAR
● Grid (table): Includes an interactive, editable grid as a field type for selected incident types or
all incident types
● HTML: Configuring the HTML field provides the capability to insert data into the field as
HTML. However, this makes the field not searchable in incident query.
● Long text: You can configure the Long text field for situations where the field is required to
store longer texts without a character limitation. However, this will make the field not
searchable in incident query.
● Markdown: Markdown is a lightweight markup language that can be best suited to
represent tables, lists and formatted texts. You can configure a field as markdown to allow
using markdown to display formatted text in incident layouts. However, this will make the
field not searchable in incident query.
● Multi select / Array: Includes two options a) Multi select from a pre-filled list b) An empty
array field for the user to add one or more values as a comma separated list.
● Number: Can contain any number. The default number is 0, but any quantity can be used.
● Role: Roles assigned to the incident determine which users (by the role to which they are
assigned) can view the incident.
● Short text:
● Treated as a single unit of text, not indexed by word. Advanced search, including
wildcards, is not supported.
● Case sensitive by default, but can be changed to case insensitive when creating the
field.
● While editing a short text field, pressing enter will save and close.
● Maximum length 60,000 characters
● Recommended use is one
● Word entries. Examples include username and email address.
● Single select: This type of parameter is used to allow selecting a single input from a list of
allowed inputs.
● Tags: accepts a single tag or a comma-separated list, not case sensitive.
● Timer/SLA: View how much time is left before an SLA becomes past due and configure
actions to take if the SLA does pass.
● URL: Include the address of the web page
● User: A user in the system; used to state a manager or fallback
5.3.3 Buttons
To add custom buttons, you need to create an automation and then add the buttons to the layout
using the automation. These buttons can simplify and assist an analyst in carrying out various tasks.
For example, you can add buttons for an analyst to self-assign an incident, link or unlink an incident,
close an incident as a duplicate, generate a summary report, etc.
For optional fields (script arguments), you can define whether to show them to analysts when they
click buttons. To expose an optional field, select the Ask User check box next to the script
argument/s in the button settings page.
The script that runs when an action button is clicked accepts only mandatory arguments through
the pop up window and does not provide an option for any non-mandatory arguments to be filled
in when the button is clicked. Palo Alto Networks recommends using a wrapper script to collect and
validate arguments in scenarios where there can be a combination of mandatory and
non-mandatory arguments for a button.
In the following example, we will add a button to self assign an incident for an analyst. The
automation is included in the Case Management – Generic Content Pack.
Step 1: Drag the +New Button and drop into the relevant section.
Step 3: Enter a descriptive name for the button, select a color, and select the script that you want to
run when the button is clicked.
In the Incident Summary tab, when you click Assign To Me, the incident will be self-assigned.
Indicator actions
ACTION DESCRIPTION
View and take action on an Click an indicator to view and take action on the indicator. You
indicator can view in detail the verdict, relationships, and timeline, enrich
indicators, add tags, etc.
By default, when editing the following inline values in an
incident/indicator, the changes are not saved until you confirm
your changes (clicking the check mark icon in the value field).
These include:
● Drop-down values, such as Owner, Severity, etc.
Create incident Create an incident from the selected indicators and populate
relevant incident fields with indicator data.
Delete and Exclude Delete and exclude one or more indicators from all indicator
types or from a subset of indicator types.
If you select the Do not add option to the exclusion list check
box; the selected indicators are only deleted.
Export Export the selected indicators to a CSV file. You can Export an
Indicator to CSV Using the UTF8-BOM Format.
Upload a STIX file Upload a STIX file and add the indicators from the file to the
system.
Most pages in Cortex XDR present data in table format and provide controls to help you manage
and filter the results. If additional views or actions are available for a specific value, you can pivot
(right-click) from the value in the table. For example, you can view the incident details or pivot to the
Causality View for an alert or to the results for a query.
On most pages, you can also refresh ( ) the content on the page.
To reduce the number of results, you can filter by any heading and value. When you apply a filter,
Cortex XDR displays the filter criteria above the results table. You can also filter individual columns
for specific values using the icon to the right of the column heading.
Some fields also support additional operators such as =, !=, Contains, not Contains, *, !*.
Filters are persistent. When you navigate away from the page and return, any filter you added
remains active.
If needed, you can export the page results for most pages in Cortex XDR to a tab separated values
(TSV) file.
As an alternative to building a filter query from scratch or using the column filters, you can pivot
from rows and specific values to define the match criteria to fine tune the results in the table. You
can also pivot on empty values to show only results with empty values or only results that do not
have empty values in the column from which you pivot.
The show or hide action is a temporary means of filtering the results: If you navigate away from the
page and later return, any results you previously hid will appear again.
This option is available for fields which have a finite list of options.
From Cortex XDR pages, you can manage how you want to view the results table and what
information you want the Cortex XDR app to display. This includes:
Any adjustments you make to the columns or rows persist when you navigate away from and later
return to the page.
From the Cortex XDR tables, you can quickly initiate actions using icons available in the table rows.
Depending on the table, the icons provide a quick alternative to the corresponding right-click pivot
menus. You can:
Key Idea
● CMD fields are limited to 128 characters. If you pivot on a CMD field with a
truncated value, the app shows or hides all results that match the first 128
characters.
● Field names that are locked ( ) cannot be moved.
Dashboards
The dashboard consists of visualized data powered by fully customizable widgets, which enables
you to analyze data from inside or outside Cortex XSOAR in different formats such as graphs, pie
charts, or text from information. For more information about widgets, see Widgets Overview.
When you first install Cortex XSOAR, the following dashboard tabs are created:
After generating a report, it also appears in the Reports tab, so you can use the report again.
You can then do the following:
● Create a custom report
When creating a report, what you see is what you get; how you configure the report is how it
generates. You can add widgets to a report, change the format, paper size, insert page
breaks (by adding the Page Break widget), etc. If you have a table widget that contains
many rows, you can select the number of rows on each page or print the whole table (in the
table widget, right click and select Force Print full Chart).
You can add your own logo, by going to Settings > Troubleshooting and uploading your
logo in the Full-size logo field.
Reports are generated in PDF, Word, and CSV formats.
● Create a report from a dashboard
You can create a report from the dashboard as is or add new widgets as required. These
widgets provide the same functionality as custom reports, such as format, when to run,
orientation, etc. To create a report from the dashboard, click Create report.
Schedule a report
You can schedule a report to run at specific times, or you can run the report immediately.
You can also send to the report specific recipients or restrict it according to roles.
● Generate an out-of-the-box report
Cortex XSOAR comes with out-of-the-box reports, such as critical and High incidents, Daily
incidents, last seven days incidents, and so on. You can change the time range for the
incidents, the scheduled time, and who can receive the report. If you want to make more
comprehensive changes to these types of out-of-the-box reports, copy or download (and
upload) the report.
o Edit a report
o Change the Report Logo
o Configure the Time Zone and Format in a Report
o Schedule a report from an incident
This process captures investigation-specific data and shares it with team members. You can
customize how the information is displayed for existing incidents.
If you encounter problems with reports, see Troubleshoot Reports.
Key Idea
● Dashboard Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/dashboards/da
shboard-overview#id8327f032-160d-430b-87c8-600e751099e5
● Reports Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/reports/report-
overview
5.6 Summarize what Information can be Created, Edited, or Shared within Dashboards and
Reports
You can create and customize reports in the REPORT tab. You can add widgets, schedule times,
incident time range, add recipients, change the format, size, and so on. Reports support PDF, CSV,
and Word formats.
Step 2 : In the Widgets Library, add the widgets as required and as described in Add a Widget to a
Report.
Step 3 : From the Date Range drop-down list, select the date range from which to generate the
report.
Widgets can have their own date range, which can be different from the report’s date range.
Step 5 : To change the number of recipients or their details, click the number of recipients in the
Recipients field.
Step 6 : To change the format, orientation, or paper size, select the options as required.
Palo Alto Networks recommends that users select the landscape orientation to ensure that all
information displays in the report.
Step 8 : Before generating the report, click Preview to see a preview of the report. You can change
the size, arrange the widgets, insert a page break (using the Page Break Widget), etc.
Save Version enables you to view a history of the changes made to your report. You can
revert to previous reports.
Step 10 : In the Reports tab, edit the Date Range of the incidents if required, and click Run Now to
generate the report immediately. The Report then downloads. Ensure that you enable
pop-ups in your browser.
You can create the following types of widgets through the widget builder:
● Incidents: Widgets relating to incidents, such as active incidents by type, incidents by phase,
late incidents, etc.
● Indicators: Widgets relating to indicators, such as indicators by type, indicators activity, bad
indicators, etc.
● Script: Automation driven widgets. Although you can create complex widgets using the
widget builder, you can also create dynamic widgets using automation scripts, such as
calculating the percentage of incidents that DBot closed. The automation script can also pull
information from the Cortex XSOAR API.
In the widget builder, although you cannot manipulate the data (no data appears in the
operations tab) you can define the arguments for the script and change the color, layout,
legends, etc.
For automation script examples, see Create a Custom Widget Using an Automation Script.
● War Room Entries: Widgets relating to the number of War Room entries, including number
of entries according to owner, etc.
● SOAR Metrics: Widgets relating to automations, playbooks, integrations, such as
troubleshooting, how long it runs, number of runs for API, errors, etc.
● Threat Intel Reports: Widgets relating to threat intel reports that have been created, such as
reports by type, status, etc.
● Upload: You can upload a JSON file to create a static widget, which displays relatively
straightforward information such as grouping incidents severity by type, active incidents by
type, and so on.
Key Idea
● Before creating a script based widget, you need to create a script in the
Automation page and then select the script in the widget builder. The script
must have the widget tag assigned, otherwise it does not appear when
selecting the script in the widget builder.
● If you install a Content Pack which contain dashboards, these can be added when creating a
new dashboard. To change the order of the dashboards, click next to the relevant dashboard,
and then drag and drop the dashboard into the required location.
● If you want to see more information about the data, click the data to take you to the relevant
page. For example, in the Active Incidents by Severity widget, to see only critical incidents,
click Critical. This takes you to the Incident page, where you can see all the active critical
incidents
● Only automations to which you have added the general-dynamic-section tag appear in the
drop down list.
● To access the War Room: If you have an Admin role, clicking Playground on the side bar
opens the Playground - War Room tab. If you have another role, typing any command in the
CLI at the bottom of the page opens this tab.
● Cortex XSOAR does not index notes, chats, and pinned as evidence entries. If you want to
index these entries, see War Room Indexing.
● Closing a parent investigation also closes all associated child investigations.
● Creating Incident Fields is an iterative process in which you continue to create fields as you
gain a better understanding of your needs and the information available in the third party
integrations that you use.
● CMD fields are limited to 128 characters. If you pivot on a CMD field with a truncated value,
the app shows or hides all results that match the first 128 characters.
● Field names that are locked ( ) cannot be moved.
● If you install a Content Pack which contain dashboards, these can be added when creating a
new dashboard. To change the order of the dashboards, click next to the relevant dashboard,
and then drag and drop the dashboard into the required location.
● If you want to see more information about the data, click the data to take you to the relevant
page. For example, in the Active Incidents by Severity widget, to see only critical incidents,
click Critical. This takes you to the Incident page, where you can see all the active critical
incidents.
● Before creating a script based widget, you need to create a script in the Automation page
and then select the script in the widget builder. The script must have the widget tag
assigned, otherwise it does not appear when selecting the script in the widget builder.
a. Using Cortex you can define integration with third party security and incident management
vendors
b. You cannot run playbooks after incident creation
c. Using Cortex XSOAR you can determine the investigation of incidents
d. You cannot trigger events after integration
e. Direct link
f. Total analysis
g. File hash
h. All the above
a. My dashboard
b. SLA
c. System Health
d. Indicators
a. Filter entities
b. Playbooks
c. Market place
d. Incidents
Q7. What type of arguments does the script accept when an action button is clicked?
a. Script arguments
b. Non-mandatory arguments
c. Combination of mandatory and non-mandatory arguments
d. Mandatory arguments
Q10. Which two requirements can be added to reports and dashboards? (Choose two.)
a. Schedule time
b. Incident time range
c. Create, edit, or share
d. Change the format or size
Q11. What type of widgets can you create using Widget builder?
a. Widget library
b. Incident table
c. Operation
d. Location
6.1.2 Fields
Synopsis
Description
The field stage identifies which fields are returned in the result set. If this stage is used, then
subsequent stages can operate only on the fields identified by this stage.
Use a wildcard (*) to include all fields that match the pattern. Use a '-' to exclude a field from the
result set.
Use the “as” clause to set an alias for a field. If you use the as clause, then subsequent stages must
use that alias to refer to the field.
Examples
Return the action_country field from all xdr_data records where the action_country field is both not
null and not "-". Also include all fields with names that match event_* except for event_type
dataset = xdr_data
| fields action_country as ac
| fields event_*
| fields - event_type
The output of the reputation script is a verdict score, which is used as the basis for the indicator
verdict. Reputation scripts must be tagged “reputation” in order to appear in the drop-down for the
indicator type.
Return only the verdict as a number. The number will override the verdict returned from the
reputation command. The reliability of the score from a reputation script is A++ – Reputation script
by default and controlled by the enrichment.reputationScript.reliability server configuration.
Return entry with entry context. The entry context must have DbotScore as with reputation
commands. The entry context will be mapped to the custom fields of the indicator with the same
reliability as if it came from a reputation command. The default is A+ – third party enrichment, but
the entry context can be controlled per vendor by the integrations.enrichment.reliability.%s server
configuration.
The results of reputation scripts do not print to the War Room in the extraction flow.
Reputation Command
The reputation command calculates the reputation of indicators of this type. The verdict
(reputation) is only associated with the specific indicator on which it is run (not the indicator type).
The command returns the reputation of the indicator as an entry with entry context and in some
cases also returns context values that can be mapped to the custom fields of the indicator. The
results of the reputation command do not print to the War Room in the auto-extract flow.
6.1.4 Expiration
Indicators can have the Expiration Status field set to Active or Expired, which is determined by the
Expiration field. When indicators expire, they still exist in Cortex XSOAR, meaning they are still
displayed and you can still search for them. A job that runs every hour checks for newly expired
indicators and updates the Expiration Status field.
When indicators expire, the expiration Status and expiration fields are updated. You can use an
indicator field trigger script to take actions based on indicator expiration.
You can set the default expiration method for indicators to either never expire, or expire after a
specific period of time. The default expiration method is set by the indicator type. For more
information, see Indicator Type Profile.
Manual: A user manually expires the indicator or sets it to never expire. This method overrides all
others.
Automation script : Use the expireIndicators command to change the expiration status to Expired
for one or more indicators. This script accepts a comma-separated list of indicator values and
Use the !setIndicators command to reset the indicator's expiration value. The value can also be set to
Never so that the indicators never expire. For example, !setIndicators indicatorsValues=watson.com
expiration=Never
Feed integration : The expiration method is configured for an integration instance, which overrides
the method defined for the indicator type.
Indicator type : The expiration method (interval or never) is defined according to indicator type,
which applies to all indicators of this type. This is the default expiration method for an indicator.
6.1.5 Reference
● Create the Read-only Incident Type and Layout,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/users-and-role
s/self-service-read-only-users/create-the-read-only-incident-type-and-layout
● Fields,
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-xql-language-reference/stage
s-commands-reference/stages-commands-reference-fields
● Indicator Type Profile,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/indicator-types/indicator-type-profile
●
● Indicator Expiration,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/indicator-expiration
You can create a threat intel report by choosing a type of report and defining other basic report
information. Before you create a report, make sure you set up threat intel report types first to ensure
that your type is defined correctly. The creation process generates a blank report based on the type
you choose. Once created, you will need to edit the report to populate it with relevant content
before you Export or Share a Threat Intel Report.
The core of the report is the Report Body, which is used to enter freeform text. After report creation,
you can edit any predefined template text in this section and replace it with your own content.
Using the Markdown Editor, you can apply rich formatting options to the body text, including text
sizing, coloring, formatting, pictures/icons, and section headers.
Step 2: Create a New Threat Intel Report from the button at the top right.
Step 3: In the Report Details section, enter a Name and Type and configure any other relevant fields.
Step 6: From the Summary tab, you can edit report fields as needed and add any information
pertaining to the specific report.
Key Idea
● If you don’t assign any roles to a report, all roles will have read/write access
for the report.
6.2.1 Reference
● Create a Threat Intel Report,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-threat-intel-manage
ment-guide/threat-intel-reports/create-a-threat-intel-report#id6aa00977-833b-44fd-bb0c-c0
474ea55f3c
Unit 42 Intel data is cloud based and remotely maintained, so you can view data from Unit 42 Intel
and add only the information you need to your Cortex XSOAR threat intel library. When you search
for an IP address, domain, URL, or file in the Threat Intel page, you can view the indicator in Cortex
XSOAR as well as the additional information provided by Unit 42 Intel. When an indicator does not
yet exist in Cortex XSOAR but does exist in Unit 42 Intel, you are able to add the indicator into the
Cortex XSOAR threat intel library. You have the option to add the indicator and enrich it with your
existing integrations or add the indicator without enrichment. When the indicator already exists in
Cortex XSOAR but there is additional information available from Unit 42 Intel, you can update your
indicator with the most recent data from Unit 42 Intel.
For IP addresses, domains, URLs, and files, the following information is available:
● Verdict
● Source
● Relationships
DOMAIN ● PAN-DB Categorization
● Passive DNS
● WHOIS
● Verdict
● Source
● Relationships
FILE ● Summary
● WildFire Analysis
● Related Sessions & Submissions
Sample Analysis
With respect to files, Unit 42 Intel also provides sample analysis that helps you conduct in-depth
investigations, find links between attacks, and analyze threat patterns. If the file indicator is in the
Unit 42 Intel service, you have access to a full report on activities, properties, and behaviors
associated with the file. In addition, you can see how many other malicious, suspicious, or unknown
file samples are included the same activities, properties, and behaviors, and also build queries to
find related samples.
Cortex XSOAR customers can use their Sessions & Submissions data for investigation and analysis in
Cortex XSOAR. Sessions & Submissions data is available for customers with a TIM license and one or
more of the following products:
WF Appliance – Samples that a WildFire appliance submitted to the WildFire public cloud
While the Sample Analysis tab provides information on what a file did, the Sessions & Subscriptions
tab provides in-depth information on communication between devices. Consider, as an example,
that you have a file indicator that has been determined to be malicious, and you have a Palo Alto
Networks firewall and Cortex XDR. In the Sessions and Submissions tab, you can see where this
malicious file originated and where it has gone in your network by viewing the firewall sessions that
this file passed through. You can see which XDR agents in your system reported the file, which tells
you which machines might be infected. You can block the external IP address with your firewall,
and, if needed, isolate the affected machines to contain the attack. If the source is internal, you can
investigate that endpoint.
Relationships
The Threat Intel Management system in Cortex XSOAR includes a feed that brings in a collection of
threat intel objects as indicators. These indicators are stored in the Cortex XSOAR threat intel library
and include Malware, Attack Patterns, Campaigns, and Threat Actors.
When you add or update an indicator from Unit 42 Intel, a relationship is formed in the database
between the relevant threat intel object and the new, or updated, indicator.
Unit 42 Intel is available from Cortex XSOAR 6.5 for customers with a TIM license. When upgrading
from an earlier Cortex XSOAR version, the TIM license must also be updated. Contact Cortex XSOAR
Customer Support to receive the updated license file.
License Requirements
Unit 42 Intel includes indicator relationship data provided as part of the Unit 42 Intel Objects Feed.
The feed integration instance is automatically configured for new Cortex XSOAR v6.5 or later
installations with a TIM license. When upgrading from an earlier version to Cortex XSOAR v6.5 or
later or adding a TIM license to an existing Cortex XSOAR v6.6 deployment, the TIM license must be
updated and the feed integration must be installed and enabled.
● If you have an existing TIM license and are upgrading from Cortex v6.2 or earlier to Cortex
XSOAR v6.6:
Contact Cortex XSOAR Customer support to receive the updated TIM license file. Confirm the Unit
42 Intel Objects Feed is installed and enabled.
● If you have an existing Cortex XSOAR license for v6.6 (without TIM) and are adding a TIM
license:
Multitenant Deployments
Tenants accounts have access to Unit 42 Intel, with the following limitations:
● On the Sample Analysis page, only Public Samples are available. My Samples data is not
available for multitenant deployments.
● For tenant accounts, the API key must be manually entered for the Unit 42 Intel Objects
Feed integration and the Palo Alto Networks WildFire Reports integration. Enter the API key
in the instance configuration.
Key Idea
● Unit 42 Intel is available from Cortex XSOAR v6.5, for customers with a TIM
license. When upgrading from an earlier Cortex XSOAR version, the TIM
license must be updated. Contact Cortex XSOAR Customer Support to
receive the updated license file.
There are several methods by which indicators are detected and ingested in Cortex XSOAR.
Integration
● Feed: Integrations that fetch indicators from a feed – for example TAXII, AutoFocus, Office
365, and so on.
● Enrichment integrations: Enhance the indicator, giving it more context and information – for
example, AutoFocus, VirusTotal, Ipinfo, and so on.
Indicator Extraction
Indicators are extracted from selected incidents that flow into Cortex XSOAR – for example, from a
SIEM integration.
Manual
● Command line
You can import and export rules from each rule management page on the ESM Console. This
enables you to:
● Back up user-defined rules before deploying a policy to multiple independent ESM Consoles.
● Import user-defined rules from another ESM Console (running the same version).
● Update your default security policy with the latest recommendations and best practices from
Palo Alto Networks.
The ESM Console supports the ability to import both user-defined rules and default security rules.
When you import a policy file that contains multiple types of rules, the ESM Console automatically
determines the rule type and distributes the rules to their respective rule management pages.
When you export a policy or set of rules, you can only export user-defined rules of the same type.
This is because you must select the rules from a single rule management page when you perform
the export. When you export rules, the ESM Console saves them to an XML file in the location of your
choice.
When you import user-defined rules, the ESM Console appends the rules to the existing policy and
assigns each rule a unique ID number. When you install a content update to import the latest
default security rules, the ESM Console overwrites the existing rules with the updated policy. When
available, you can download the latest default security policy from the Dynamic Updates section of
the Support portal.
6.3.4 References
The Cortex XSOAR Threat Intel Management guide provides you with the ability to unify the core
components of threat intel, including threat intel aggregation, scoring, and haring.
6.4.1 Reference
The exclusion list prevents indicators from being extracted and created in the system. For example,
to prevent google.com from being flagged as a malicious indicator, add it to the exclusion list.
When millions of indicators are ingested and processed daily, two practices are essential:
The indicator field Expiration Status displays the indicator status, either Active or Expired. The
indicator field Expiration displays when that indicator expired and by which method.
Indicator expiration is applied at the indicator type level. Indicators assigned to a specific indicator
type inherit the indicator type’s expiration method.
Indicators added to the exclusion list are disregarded by the system and are not created or involved
in automated flows such as indicator extraction. You can still manually enrich IP addresses and URLs
that are on the exclusion list, but the results are not posted to the War Room.
There are several methods by which to add indicators to the exclusion list.
You can select one or more indicators from the Indicators table and click the Delete and Exclude
button. The indicators are deleted from the Indicators table and added to the exclusion list. You can
associate these indicators with one or more indicator types.
If you delete the indicator it is removed from Cortex XSOAR. This option should be used mainly for
correcting errors in ingestion and not as part of your regular work flow.
From the Exclusion List page, you can manually add a single indicator or define indicators using a
regular expression (regex) or CIDR.
Regex
A regular expression enables you to identify a sequence of characters in an unknown string. The
following example would identify www.demisto.com:
[A-Za-z0-9!@#$%\ .&]*demisto[A-Za-z0-9!@#$%\ .&]*.
CIDR
Classless inter-domain routing (CIDR) enables you to define a range of IP addresses. For example,
the IPv4 block 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to
192.168.103.255.
URLs, domains, Excludes the top level Value: The top-level domain (TLD).
and subdomains domain (TLD), its Example:example.com
subdomains, and URLs (http Check Use Regex
or https) on the top level Do not select any indicator types.
domain.
URL with Excludes any indicators of Value: The URL with wildcard
wildcards type URL matching the added at the end.
regex. Indicators Example:
example.com and http://examplesub.example.com/*
examplesub.example.com of Check Use Regex
type Domain would still be Select indicator type:
extracted. Start the regex URL.
with
https?:// to exclude both
HTTP and HTTPS URLs.
Specific URL Excludes the given URL, but Value: The URL.
the TLD and subdomains are Example:
still extracted. http://examplesub.example.com/m
yexample
Do NOT select Use Regex
Select indicator type: URL
The default indicator extraction value depends on the playbook task. For example, the indicator
extraction mode is set to none in the Enrich offending user account task (from the Impossible
Traveler playbook). In the Extract the email address of the reporting user task (from the Phishing
Generic V3 playbook), indicator extract is set to system default.
● extractIndicators
Step 1 : If a content pack installed playbook, click either Duplicate Playbook or Detach Playbook.
Step 2 : Select the playbook you want to extra indicators, and click Edit.
Step 5 : In the indicator extraction drop-down menu, select the mode you want to use.
The following scenario shows how indicator extraction is used in the Process Email –
Generic playbook to extract and enrich a very specific group of indicators.
This playbook parses the headers in the original email used in a phishing attack. It is important to
parse the original email used in the phishing attack and not the email that was forwarded to ensure
that you only extract the email headers from the malicious email and not the one your organization
uses to report phishing attacks.
Step 4 : Scroll down and open the Add original email details to context task.
In the Outputs tab, you can see all of the different data that the task extracts, such as Email To, CC,
From, etc.
Step 6 : Go to the Advanced tab.
Under Indicator Extraction mode, ensure that the Inline option is selected. This indicates that all of
the outputs are processed before the playbook moves ahead to the next task.
Step 7 : Open the Display email information in layout task. This task receives the data from the
saved attachment tasks and sets the various data points to context.
Under the Advanced tab, ensure that Indicator Extraction mode is set to None because the
indicators have already been extracted earlier in the Extract email artifacts and attachments task
and there is no need to repeat the process.
Key Idea
● If you select system default in a task, the default is set to none. You can
change the default by updating the reputation.calc.algorithm.tasks server
configuration. For more information, see Indicator Extraction Modes.
● Connect a serial cable from your computer to the Console port and connect to the firewall
using terminal emulation software (9600-8-N-1).
If your computer does not have a 9-pin serial port, use a USB-to-serial port connector.
● When the firewall reboots, press Enter to continue to the maintenance mode menu.
The firewall will reboot without any configuration settings. The default username and password to
log in to the firewall is admin/admin.
To perform initial configuration on the firewall and to set up network connectivity, see Integrate the
Firewall into Your Management Network.
You can extract indicators from incident fields upon creation of an incident and when a field
changes. For example, you want to extract the IP address upon incident creation and again when
the field changes.
The indicator extraction feature extracts indicators from incident fields and enriches them using
commands and scripts defined for the indicator type.
Step 2: For Content Pack-installed incident types, select the incident type check box to define the
extraction rules and the click Detach.
Step 4: From the Indicators Extraction Rules tab, in the On incident creation and the On field
change fields, select the required indicator extraction mode.
If you select Out of band, the extracted indicators do not appear in the context. If you want the
extracted indicators to appear, select Inline.
Step 5: In the What to Extract section, if you want to extract all incident fields, select Extract all
indicators from all fields.
Step 6: If you want to choose which indicators are extracted according to each field, select Extract
specific indicators.
Optionally, you can select all indicators, set all indicators to none, or copy settings from an incident
type by clicking: to the right of the table’s column headers.
INDICATOR TYPE TO
DESCRIPTION
EXTRACT
Select the Use field value check box to use any indicator based on the field value (not regex based).
This creates an indicator out of the entire value of the field, regardless whether the indicator type
has a configured regex. This can be used in cases such as extracting hostnames.
● It is recommended to turn off incident extraction (select “‘none”) for the Labels incident field.
When an incident JSON is received from an integration, the JSON members are mapped to
incident fields (based on the mapping configuration). Every member in the JSON that was
not mapped to a field will be written to the Labels field. If the Labels field extracts indicators,
it can expose unmapped or unknown data to external sources. You should only map the
relevant data to fields and set their extraction settings.
● If you want to extract attachments, select the attachment field and then select File as the
indicator type to extract. The File extracts a hash (usually SHA-256), which can be viewed in
In this example, if an email is forwarded that potentially includes phishing, we want to extract at
incident creation (inline) and upon a field change (out of band):
6.5.6 Reference
● Threat Intel Concepts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-threat-intel-manage
ment-guide/threat-intelligence-management-overview/threat-intelligence-concepts#idc5bd
04c0-d11f-448d-ab2f-748f225db392
● Exclusion List,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/exclusion-list
● Create Indicator Extract Rules for a Playbook Task,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/auto-extract-indicators/define-indicator-extract-rules-for-a-playbook-task
● Exclusion List,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/exclusion-list
● If you don’t assign any roles to a report, all roles will have read/write access for the report.
● Unit 42 Intel is available from Cortex XSOAR v6.5, for customers with a TIM license. When
upgrading from an earlier Cortex XSOAR version, the TIM license must be updated. Contact
Cortex XSOAR Customer Support to receive the updated license file.
● If you select system default in a task, the default is set to none. You can change the default
by updating the reputation.calc.algorithm.tasks server configuration. For more information,
see Indicator Extraction Modes.
a. Verdict Score
b. Reputation script
c. Indicator type
d. User script
a. expirationStatus
b. expiration fields
c. expirationStatus and expiration fields
d. default method
Q7. What are the essential parts of the incident management and remediation process?
a. Indicators
b. Layouts
c. Fields
d. Reputation script
Q8. What happens when you import a policy that contains multiple types of rules?
a. The ESM Console automatically determines the rule type and distributes the rules to their
respective rule management pages.
b. You can only export user-defined rules of the same type.
c. The ESM Console appends the rules to the existing policy and assigns each rule a unique ID
number.
d. The ESM Console overwrites the existing rules with the updated policy.
Q9. Which ability does Cortex XSOAR Threat Intel Management provide?
Q10. What are the two essential practices when indicators are ingested and processed daily?
(Choose two.)
Q11. On which task does the default indicator extraction value depend?
a. Playbook task
b. Commands
c. Indicator extract
d. Default
Q12. Why is indicator extraction mode set to None under the advanced tab in the Playbooks page?
a. The indicators have already been extracted in the Extract email artifacts and attachments
task, and there is no need to do it again.
b. This task receives the data from the saved attachment tasks and sets the various data points
in context.
c. You can see all of the different data that the task extracts, such as Email To, CC, From, etc.
d. You can define indicators using regular expression
a. Array
b. Sets
c. Matrices
d. Regex
Domain 1
Q3. Which of the following provides dynamic input to playbook tasks and automation?
a. Incident tasks
b. Context data
c. Quick view
d. System
a. System
b. Parent
c. Boolean
d. Number
Q6. If the input is a list of items, then what will the sub-playbook do?
a. Manual
b. Automated
c. Conditional
d. Boolean
a. Date
b. String
c. Boolean
d. Number
Q9. In which format type is the context root calculated by the Cortex XSOAR?
a. File.Get
b. File.Extension
c. File.String
d. File.Number
Q10. Which of the following is the function of error troubleshooting?
a. Use the debugger to find and fix issues if a playbook stops on an error.
b. Test and improve playbooks as you build them.
c. Install content packs and use the debugger to see whether the included playbooks are
relevant for your use case.
d. Begin to create and test playbooks even before all integrations are in place by manually
providing inputs and outputs as needed.
Domain 2
Q1. What is the primary use of incident types?
a. Classify the events ingested into the Cortex XSOAR system
b. Integrate with third-party security
c. Determine further investigational needs
d. Customize the layouts
Q2. Which phase is used to display information from playbook tasks and third-party integrations?
a. Pre-processing phase
b. Create fields phase
c. Post processing phase
d. Planning phase
Q3. Why is the create incident types phase used?
a. Display information
b. Customize layouts by incident type
c. Show relevant information of each incident type
d. Classify the types of attacks with which the organization deals
Q4. How can you configure the incident type layout?
a. Incident Layout Builder
b. Settings tab
c. Advanced tab
d. Layouts tab
Q6. When will you learn about the missing incident types?
a. Analyst
b. Administrator
c. Incident team members
d. Partners
Q8. Which three field types can you add when creating a new field? (Choose three.)
a. Short text
b. HTML
c. Date picker
d. Attachments
e. Decimal number
Q9. What do the classification and map features enable users to do? (Choose two.)
a. Generate alters
b. Classify phishing and malware alerts to respective incident types
c. Use events and event information that Cortex XSOAR ingests from integration
d. Map the fields from third-party integration to the fields defined in the incident layouts.
e. Create mapping for specific fields.
Domain 3
a. Conditional task
b. Standard task
c. Data collection task
d. None of the above
a. Incident layouts
b. Dynamic layouts
c. Indicator layouts
d. Button layouts
a. To create scripts
b. To create, manage and modify scripts
c. To write scripts in Java and Python
d. To access a few Cortex XSOAR APIs
Q5. Which two kinds of commands are available in Cortex XSOAR? (Choose two.)
a. Internal commands
b. System commands
c. Warm room commands
d. External commands
Q7. Which three parameters can you define in Script settings? (Choose three.)
a. Language type
b. Disabled
c. Run on
d. Content pack
a. Settings
b. Logs and War Room entries
c. Library
d. PyCharm IDE
a. Two minutes
b. 30 seconds
c. One minute
d. 15 seconds
a. Cortex XSOAR
b. Integration settings field
c. Cortex XSOAR Developer Hub
Domain 4
Q1. Which two search actions can you perform in the Marketplace? (Choose two.)
a. Files
b. Packs
c. Both files and packs
d. Sequence
Q4. The Version history for Playbook tabs enables users to…?
a. Update a playbook
b. Access a playbook version
c. Restore a playbook version
d. Search the required playbook
Q5. What does the Cortex XSOAR require for container management?
a. BoltDB
b. Docker
c. Docker or Podman
d. Only IPv4
Q6. You can install the Cortex XSOAR Engine on which two types of machine? (Choose two.)
a. Windows
b. Mac OS
c. Linus
d. Ubuntu
Q8. How can you edit the locked icon of the content pack incident layout? (Choose two.)
Q9. Who can view the results when an automation runs with elevated permissions?
a. All users
b. Users with high permissions
c. Users with low permissions
d. User to whom Cortex team assign permission
Q10. What happens when a task operates in Quiet Mode? (Choose two.)
Domain 5
a. Using Cortex you can define integration with third party security and incident
management vendors
b. You cannot run playbooks after incident creation
c. Using Cortex XSOAR you can determine the investigation of incidents
d. You cannot trigger events after integration
a. Direct link
b. Total analysis
c. File hash
d. All the above
a. My dashboard
b. SLA
c. System Health
d. Indicators
a. Filter entities
b. Playbooks
c. Market place
d. Incidents
Q7. What type of arguments does the script accept when an action button is clicked?
a. Script arguments
b. Non-mandatory arguments
c. Combination of mandatory and non-mandatory arguments
d. Mandatory arguments
Q10. What type of widgets can you create using Widget builder?
a. Widget library
b. Incident table
c. Operation
Q11. Why is the incident tab layout tested and validated as a self-service read-only user?
Domain 6
a. Verdict Score
a. Reputation script
b. Indicator type
c. User script
a. expirationStatus
b. expiration fields
c. expirationStatus and expiration fields
d. default method
a. Only WildFire
b. Only the PAN-DB URL Filtering database
c. Only Palo Alto Networks Unit 42 threat intelligence team
d. WildFire, the PAN-DB URL Filtering database, Palo Alto Networks Unit 42 threat
intelligence team, and third-party feeds
a. Indicators
b. Layouts
c. Fields
d. Reputation script
Q8. What happens when you import a policy that contains multiple types of rules?
a. The ESM Console automatically determines the rule type and distributes the rules to
their respective rule management pages.
b. You can only export user-defined rules of the same type.
c. The ESM Console appends the rules to the existing policy and assigns each rule a unique ID
number.
d. The ESM Console overwrites the existing rules with the updated policy.
Q9. Which ability does Cortex XSOAR Threat Intel Management provide?
Q10. What are the two essential practices when indicators are ingested and processed daily?
(Choose two.)
Q11. On which task does the default indicator extraction value depend?
a. Playbook task
b. Commands
c. Indicator extract
d. Default
Q12. Why is indicator extraction mode set to None under the advanced tab in the Playbooks page?
a. The indicators have already been extracted in the Extract email artifacts and
attachments task, and there is no need to do it again.
b. This task receives the data from the saved attachment tasks and sets the various data points
in context.
c. You can see all of the different data that the task extracts, such as Email To, CC, From, etc.
d. You can define indicators using regular expression
Q13. Which of the following enables you to identify a sequence of characters in an unknown string?
a. Array
b. Sets
c. Matrices
a. Inputs are data pieces that are present in the playbook or task.
b. Inputs are the objects whose entries will serve the tasks throughout the playbook.
c. Inputs are multiquestion surveys or forms that survey recipient access.
d. Inputs are used for classic manual or script-based tasks.
Q2. Which two of the following are examples of a sub-playbook? (Choose two.)
a. Phishing Investigation
b. IP Enrichment
c. Endpoint Malware
d. Retrieve File From Endpoint
Q3. Which two types of actions can be specified with a Standard playbook task? (Choose two.)
a. Manual
b. Automated
c. Conditional
d. Data Collection
Q4. Which of the following is not a function of the Cortex XSOAR playbook debugger?
a. Build playbook
b. Troubleshoot playbook
c. Enable the performance of certain actions on incidents
d. Find tasks that might fail
Q5. Which automation system is used to bring all the various pieces of your security apparatus
together?
a. Playbooks
b. Cortex XSOAR
c. Prisma
d. Third-party security tool
Q6. What dynamic field can you add to an Incident Layout? (Choose two)
a. Phishing link
b. Email header
c. Graph of the number of bad indicators
d. Email body
e. Severity of bad indicators
Q7. When can the incident team populate Incident fields? (Choose two)
Q8. Which markup language is best suited to represent table, formatted texts and lists?
a. HTML
b. SGML
c. Markdown
d. SLA
Q9. Select the types available when creating a new playbook task? (Choose three)
a. Custom task
b. Standard task
c. Ask task
d. Conditional task
e. Data collection task
Q10. Which script checks for field changes and takes action on them?
a. To integrate script
b. To find source of the problem in the code
c. To debug your integration
d. To check logs and War Room entries
Q12. How can you change the default for all integration instances?
Q13. Why is the content pack submitted and reviewed by Cortex XSOAR?
Q14. Which action should a user perform to make the developed content part of the product
environment update content?
a. Save versions.
b. Install new content.
c. Save changes.
Q15. How will you determine whether an incident requires further investigation or not?
Q16. Which three elements can you view on the System Diagnostics page? (Choose three.)
a. Planning
b. Pre-processing
c. Indicator
d. None
Q18. Which two types of actions can be specified with the actions menu?
a. Reset client
b. Deny
c. Default
d. modify
Q19. Which incidents are displayed for the “automatic remediation” search?
a. /var/log
b. /var/log/demisto
c. DbotRole
d. demisto.dockerfiles
Q21. What is the field stage used for?
a. Active or Expired
b. Active
c. Expired
d. Update
Q23. What happens if you don't assign any role in the permissions section of Threat Intel Reports?
Q24. What are the Unit 42 Intel service features enabled by the Cortex XSOAR threat?
Q25. Which of the following is not a method by which indicators are detected and ingested in Cortex
XSOAR?
a. Feed integration
b. Indicator extraction
c. Manual command line
d. SIME integration
a. The ability to import both user-defined rules and default security rules
b. The ability to import only user-defined rules
c. The ability to import only default security rules
d. The ability to back-up default security rules
Q29. When an incident JSON is received from an integration, the JSON members are mapped to
incident fields based on which criteria?
a. Incident extraction
a. For attachments to reduce external API usage and protect restricted data (the hash) from
being sent
a. To unrestrict data
b. To give access to data
c. For read/write access to data
a. Inputs are data pieces that are present in the playbook or task.
b. Inputs are the objects whose entries will serve the tasks throughout the playbook.
c. Inputs are multiquestion surveys or forms that survey recipient access.
d. Inputs are used for classic manual or script-based tasks.
Q2. Which two of the following are examples of a sub-playbook? (Choose two.)
a. Phishing Investigation
b. IP Enrichment
c. Endpoint Malware
d. Retrieve File From Endpoint
Q3. Which two types of actions can be specified with a Standard playbook task? (Choose two.)
a. Manual
b. Automated
c. Conditional
d. Data Collection
Q4. Which of the following is not a function of the Cortex XSOAR playbook debugger?
a. Build playbook
b. Troubleshoot playbook
c. Enable the performance of certain actions on incidents
d. Find tasks that might fail
Q5. Which automation system is used to bring all the various pieces of your security apparatus
together?
a. Playbooks
b. Cortex XSOAR
c. Prisma
d. Third-party security tool
Q6. What dynamic field can you add to an Incident Layout? (Choose two)
a. Phishing link
b. Email header
c. Graph of the number of bad indicators
d. Email body
e. Severity of bad indicators
Q7. When can the incident team populate Incident fields? (Choose two)
Q8. Which markup language is best suited to represent table, formatted texts and lists?
a. HTML
b. SGML
c. Markdown
d. SLA
Q9. Select the types available when creating a new playbook task? (Choose three)
a. Custom task
b. Standard task
c. Ask task
d. Conditional task
e. Data collection task
Q10. Which script checks for field changes and takes action on them?
a. To integrate script
b. To find source of the problem in the code
c. To debug your integration
d. To check logs and War Room entries
Q12. How can you change the default for all integration instances?
Q13. Why is the content pack submitted and reviewed by Cortex XSOAR?
Q14. Which action should a user perform to make the developed content part of the product
environment update content?
a. Save versions.
b. Install new content.
c. Save changes.
Q15. How will you determine whether an incident requires further investigation or not?
Q16. Which three elements can you view on the System Diagnostics page? (Choose three.)
a. Planning
b. Pre-processing
c. Indicator
d. None
Q18. Which two types of actions can be specified with the actions menu?
a. Reset client
b. Deny
c. Default
d. modify
Q19. Which incidents are displayed for the “automatic remediation” search?
a. /var/log
b. /var/log/demisto
c. DbotRole
d. demisto.dockerfiles
Q21. What is the field stage used for?
a. Active or Expired
b. Active
c. Expired
d. Update
Q23. What happens if you don't assign any role in the permissions section of Threat Intel Reports?
Q24. What are the Unit 42 Intel service features enabled by the Cortex XSOAR threat?
Q25. Which of the following is not a method by which indicators are detected and ingested in Cortex
XSOAR?
a. Feed integration
b. Indicator extraction
c. Manual command line
d. SIME integration
a. The ability to import both user-defined rules and default security rules
b. The ability to import only user-defined rules
c. The ability to import only default security rules
d. The ability to back-up default security rules
Q29. When an incident JSON is received from an integration, the JSON members are mapped to
incident fields based on which criteria?
a. Incident extraction
a. For attachments to reduce external API usage and protect restricted data (the hash)
from being sent
b. To unrestrict data
c. To give access to data
d. For read/write access to data
Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital-learning classes are a helpful way to
reinforce the key information for those who have been to the formal hands-on classes. They also
serve as a useful overview and introduction to working with our technology for those unable to
attend a hands-on, instructor-led class.
Simply register in Beacon and you will be given access to our digital-learning portfolio. These online
classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.
New courses are being added often, so check back to see new curriculum available.
Instructor-Led Training
Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of
solutions from onsite training to public, open-environment classes. About 42 authorized training
centers are delivering online courses in 14 languages and at convenient times for most major
markets worldwide. For class schedule, location, and training offerings, see
https://www.paloaltonetworks.com/services/education/atc-locations.
You also can learn from peers and other experts in the field. Check out our communities site at
https://live.paloaltonetworks.com, where you can: