Palo Alto Networks Certified Security

Automation Engineer
(PCSAE)
Study Guide
July 2022

PCSAE | Study Guide

Table of Contents
How to Use This Study Guide 7

About the PCSAE Exam 7

Exam Format 7
How to Take This Exam 8
Disclaimer 8

Audience and Qualifications 8

Skills Required 8

Domain 1: Playbook Development 9

1.1 Reference and manipulate context data to manage automation workflow 9
1.1.1 References 10
1.2 Summarize inputs, outputs, and results for playbook tasks 11
1.2.1 References 12
1.3 Configure Inputs and Outputs for Sub-playbooks Tasks 12
1.3.1 References 13
1.4 Enable and Configure Looping on a Sub-playbook 13
1.4.1 References 15
1.5 Differentiate among Playbook Task Types 15
1.5.1 Manual 15
1.5.2 Automated 15
1.5.3 Conditional 15
1.5.4 Data Collection 15
1.5.5 Sub-Playbook 15
1.5.6 References 16
1.6 Apply filters and transformers to manipulate data 16
1.6.1 References 18
1.7 Apply the Playbook Debugger to Aid in Development Playbooks 18
1.7.1 Reference 19
1.8 Summary of Key Ideas 19
1.9 Sample Questions 20

Domain 2: Incident Objects 22

2.1 Configure Incident Types 22
2.2 Identify the Role of an Incident Type within the Incident Lifecycle 23
2.2.1 References 24
2.3 Configure an Incident Layout 24
2.3.1 Fields and Buttons 25
2.3.2 Tabs 25
2.3.3 New/Edit and Close Forms 26
2.3.4 References 26
2.4 Summarize the Function, Capabilities, and Purpose of Incident Fields 26

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 2

 2.4.1 References 28
2.5 Configure Classifier and Mappers 29
2.5.1 References 30
2.6 Summary of Key Ideas 30
2.7 Sample Questions 31

Domain 3: Automations, Integrations, and Related Concepts 33

3.1 Define the Capabilities of Automation across XSOAR Functions 33
3.1.1 Playbook Tasks 33
3.1.2 War Room 33
3.1.3 Layouts (Dynamic Sections, Buttons) 34
3.1.4 Jobs 34
3.1.5 Field Trigger Scripts 35
3.1.6 Pre/Post-Processing 36
3.1.7 References 37
3.2 Differentiate between Automations, Commands, and Scripts 37
3.2.1 References 38
3.3 Interpret and Modify Automation Scripts 38
3.3.1 Script Helper 38
3.3.2 Script Settings 40
3.3.3 Language Types 41
3.3.4 Using Script to Create Widget for Dashboards 41
3.3.5 References 42
3.4 Identify the Properties and Capabilities of the XSOAR Framework for Integration 43
3.4.1 References 43
3.5 Configure and Manage Integration Instances 43
3.5.1 Reference 44
3.6 Summary of Key Ideas 44
3.7 Sample Questions 46

Domain 4: Content Management and Solution Architecture 48

4.1 Apply Marketplace Concepts for the Management of Content 48
4.1.1 Searching in Marketplace 48
4.1.2 Installation and Updates 48
4.1.3 Dependencies 50
4.1.4 Version History 51
4.1.5 Partner-supported Versus XSOAR-supported 51
4.1.6 Submitting Content to the Marketplace 52
4.1.7 Reference 53
4.2 Apply General Content Customization and Management Concepts 54
4.2.1 Custom versus System Content 54
4.2.2 Duplicating Content 55
4.2.3 Importing/Exporting Custom Content 56

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 3

 4.2.4 Version Control 57
4.2.5 References 58
4.3 Manage Local Changes in a Remote Repository (dev-prod) Configuration 58
4.3.1 Reference 61
4.4 Describe the Components of the XSOAR System Architecture 61
4.4.1 System Hardware Requirements 61
4.4.2 Remote Repositories (dev-prod) 62
4.4.3 Engines 63
4.4.4 Multi Tenancy 65
4.4.5 Elasticsearch/HA 67
4.4.6 Docker 69
4.4.7 Reference 69
4.5 Describe the Incident Lifecycle within XSOAR 70
4.5.1 Reference 71
4.6 Define the Capabilities of RBAC 71
4.6.1 Page Access 71
4.6.2 Integration Permissions 72
4.6.3 Incident Tabs (Layout Specification) 73
4.6.4 Automation Permissions, 74
4.6.5 Incident Viewing Permission by Role 77
4.6.6 Reference 78
4.7 Identify the Troubleshooting Tools Available to Obtain More Diagnostic Information 79
4.7.1 Log Bundles 79
4.7.2 Integration Testing 79
4.7.3 References 79
4.8 Identify Options Available for Performance Tuning 80
4.8.1 Ignore Output 80
4.8.2 Quiet Mode 80
4.8.3 Reference 80
4.9 Monitor System Health using the System Diagnostic Page 80
4.9.1 Reference 81
4.10 Summary of Key Ideas 81
4.11 Sample Questions 82

Domain 5: UI Workflow, Dashboards, and Reports. 84

5.1 Identify Methods for Querying Data 84
5.1.1 Indicators 84
5.1.2 Incidents 85
5.1.3 Dashboards 87
5.1.4 Global Search 89
5.1.5 Reference 90
5.2 Summarize the Workflow Elements used during an Investigation 90
5.2.1 Layouts 90

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 4

 5.2.2 War Room 93
5.2.3 Work Plan 95
5.2.4 Evidence Board 96
5.2.5 Actions Menu 97
5.2.6 Reference 98
5.3 Interact with Layouts for Incident Management 98
5.3.1 Sections 98
5.3.2 Fields 99
5.3.3 Buttons 101
5.3.4 Reference 103
5.4 Summarize Tools used for Managing Incidents 103
5.4.1 Bulk Incident Actions 103
5.4.2 Table View versus Summary View 104
5.4.3 Table Settings 105
5.4.4 Reference 107
5.5 Identify the Capabilities of Existing Dashboards and Reports 107
5.5.1 References 110
5.6 Summarize what Information can be Created, Edited, or Shared within Dashboards and
Reports 110
5.6.1 Reference 111
5.7 Summarize the Capabilities of the Widget Builder 111
5.7.1 Reference 112
5.8 Summary of Key Ideas 112
5.9 Sample Questions 113

Domain 6: Threat Intel Management 115

6.1 Identify the Parameters Available for Configuring Indicator Objects 115
6.1.1 Layouts and Types 115
6.1.2 Fields 115
6.1.3 Reputation Scripts and Command 116
6.1.4 Expiration 116
6.1.5 Reference 117
6.2 Generate Threat Intel Reports 117
6.2.1 Reference 118
6.3 Describe the Features of the Threat Intel Page 118
6.3.1 Unit 42 Intel Feature 118
6.3.2 XSOAR Indicators 121
6.3.3 Export/Import Capabilities 121
6.3.4 References 122
6.4 Configure Threat Intel Feed Integrations 122
6.4.1 Reference 122
6.5 Identify the Options Available to Auto Extract 122
6.5.1 Exclusion List 122

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 5

 6.5.2 Playbook Auto Extract 125
6.5.3 Regex for Auto Extract 126
6.5.4 System Defaults 126
6.5.5 Extraction Settings for Incident Types 127
6.5.6 Reference 129
6.6 Summary of Key Ideas 129
6.7 Sample Questions 130

Appendix A: Sample Questions with Answers 132

Appendix B: Sample Test 142

Appendix C: Answers to the Sample Test 147

Appendix D: Glossary 152

Appendix E: What’s Different in This Study Guide 156

Continuing Your Learning Journey with Palo Alto Networks 157

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 6

How to Use This Study Guide
Welcome to the Palo Alto Networks Palo Alto Networks PCSAE Study Guide. The purpose of this
guide is to help you prepare for your Palo Alto Networks Certified Security Automation Engineer
(PCSAE) exam and achieve your PCSAE credential.

You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.

About the PCSAE Exam

The test format is 85 multiple-choice items. Candidates will have five minutes to complete the
non-disclosure agreement (NDA), 80 minutes (1 hour, 20 minutes) to complete the questions, and
five minutes to complete a survey at the end of the exam.

This exam is based on Cortex XSOAR 6.6.

More information is available from the Palo Alto Networks public page at:
https://www.paloaltonetworks.com/cortex/xsoar

Cortex XSOAR technical documentation is located at:

https://docs.paloaltonetworks.com/cortex/cortex-xsoar.html

Exam Format

The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in
the following table.

Exam Domain Weight (%)

Playbook Development 27%

Incident Objects 13%

Automations, Integrations, and Related 18%

Concepts

Content Management and Solution 17%

Architecture

UI Workflow, Dashboards, and Reports 13%

Threat Intel Management 12%

TOTAL 100%

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 7

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks

Disclaimer

This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is not
intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and use
the resources and courses recommended in this guide where needed to gain that understanding.

Audience and Qualifications

Skills Required

● You can Develop Playbooks and integrations, configure incidents and layouts, configure and
manage indicator fields in XSOAR, know basics of Cyber Security such as IOC blocking, etc
and can configure dashboards and reports
● You have experience coding in Python and in cyber security as an Analyst
● There is no exam or course prerequisite towards attempting the PCSAE exam

Recommended Training

Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:
● Cortex XSOAR: IT Administrator (DL)
● Cortex XSOAR Engineer- Building the Next-Generation SOC (DL)
● Cortex XSOAR SOC Analyst Training or equivalent knowledge (DL)
● Cybersecurity Fundamentals of Security Operations Center (DL)
● EDU 280 - Cortex XSOAR Analyst
● EDU 380 - Cortex XSOAR Engineer

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 8

Domain 1: Playbook Development
Playbooks are at the heart of the Cortex XSOAR system. Playbooks enable you to automate many
security processes, including handling investigations and managing tickets. You can structure and
automate security responses that were previously handled manually. Playbook tasks can open
tickets in a ticketing system, such as Jira, detonate a file using a sandbox, or extract information
from an incident (such as an email or attachment) for further review. You can interact with users in
your organization using communication tasks, or remediate an incident by interacting with a 3rd
party integration.

Playbooks have different task types for each of the actions you want to take. Manual tasks can be
used where an analyst needs to confirm information or escalate an incident. Conditional tasks can
be used with a loop to check if certain information is present, so that you can proceed with the
investigation.

1.1 Reference and manipulate context data to manage automation workflow

“Context data” is all of the gathered data. Every incident and playbook has a place to store data
called the “context,” which stores the results from every integration command and every
automation script that is run. The context is a map or key-value pair dictionary, the values of which
can nest additional structures. Context objects are in JSON-format, and they are created for each
incident.

The context keys are strings, while the values can be strings, numbers, objects, or arrays. The
context’s primary use is to pass data between playbook tasks; one task stores its output in the
context, and the other task reads that output from the context and uses it.

The context of a sub-playbook can be either private or global.

You can use private context when you want the content to be affected only by the inputs that this
sub-playbook receives rather than by outside changes.

Global context is for when the context in the parent playbook should be considered and accessed.
Note that a change made to a sub-playbook will impact the parent playbook during the next run of
the parent playbook.

The output result is stored into the JSON context in the incident or the playground, whether you
run an integration command from the CLI or a playbook task. For example, a command such as
!whois query="paloaltonetworks.com" would return the data and store the results into the
context.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 9

Another use is to capture the important structured data from automations and display that data in
the incident summary.

1.1.1 References

● Context and Outputs, https://xsoar.pan.dev/docs/integrations/context-and-outputs

● Playbook Development,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/pla
ybook-development

1.2 Summarize inputs, outputs, and results for playbook tasks

Depending on the task type you select and the script you are running, playbook tasks have inputs.
Inputs are data pieces that are present in the playbook or task. The inputs are often manipulated or
enriched, and they produce outputs. Outputs are the objects whose entries will serve the tasks
throughout the playbook. They can be derived from the result of a task or command.

For the playbook tasks, the inputs might come from the incident itself, such as the role to which to
assign the incident, or input can be provided by integration—for example, when an Active Directory
integration is used in a task to extract a user’s credentials.

The following graphics show a playbook that is triggered based on context data, meaning an
incident. The first two inputs are the SrcIP, which comes from the incident.src key, and DstIP,
which is retrieved from incident.dest.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 10

The playbook itself creates output objects whose entries will serve the tasks throughout the
playbook.

Outputs can be data that was extracted or derived from the inputs. For example, the following
images show the user’s credentials being retrieved from Active Directory. Those credentials will be
used to get the user’s account name, email address, and any groups to which they belong.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 11

 Key Idea

● The above example uses incident context data as the playbook input, Threat
Intel Management playbooks

1.2.1 References
● Playbook Tasks,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/pla
ybook-tasks
● Playbook Inputs and Outputs,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/pla
ybook-inputs-and-outputs

1.3 Configure Inputs and Outputs for Sub-playbooks Tasks

Playbooks can be divided into two categories, depending on their use. Technically, they are the
same, but there are some differences in terms of use.

“Parent” playbooks are playbooks that run as the main playbook of an incident. The other type is
“sub-playbooks,” which are just playbooks that are being called by another playbook.

Sub-playbooks are playbooks that can be nested into other playbooks, which are referred to as
parent playbooks. Sub-playbooks appear as tasks in the flow and have a book icon, but they can
contain a whole playbook. Inputs can be passed into sub-playbooks from the parent playbook,
used, processed in the sub-playbook, and then sent as output to the parent playbook.

Examples of parent playbooks are “Phishing Investigation —Generic v2” or “Endpoint Malware
Investigation – Generic” because an incident starts with them. Examples of sub-playbooks are “IP
Enrichment —Generic v2” or “Retrieve File From Endpoint – Generic” because they are steps taken
as part of the bigger investigation.

Because sub-playbooks are used as part of a bigger investigation, they should have inputs and
outputs. Ensure that the data you want to get from a sub-playbook is defined in its outputs, so that
it can be used outside of that playbook. Because sub-playbooks are building blocks that preferably
will be usable in other playbooks and use cases, you should define generic inputs for them.

Key Idea

● Any change made to a sub-playbook impacts the parent playbook in the

next run of the parent playbook

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 12

1.3.1 References

● Playbook Contribution Guide,

https://xsoar.pan.dev/docs/playbooks/playbook-contributions

1.4 Enable and Configure Looping on a Sub-playbook

You can add the sub-playbook in the parent playbook as follows:

Navigate to Playbooks in the task viewer and select the sub-playbook to use as described in the
figure below:

You configure when to exit the loop by selecting one of the following options:

● For Each Input: The loop will exit automatically when the array it is looping over executes
the last item in the array. Note the following:

○ If the input is a single item, the sub-playbook will run one time. However, if the input
is a list of items, the sub-playbook will run as many times as there are items in the list.
Each iteration of the sub-playbook will use the next item in the list as the input.

○ If there are multiple input lists with the same number of items, then the
sub-playbook will run once for each input set. For example, if you have “input1” and
“input2”, “input1[i]” will run with “input2[i]”.

○ If there are multiple input lists with different numbers of items, the sub-playbook will
run once for each item in the input that has the greater number of items. When the
input with fewer items reaches its last item, the subsequent runs will continue to use
the last item in the shorter list until all items in the largest list have run.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 13

 ● Built-in or Choose Loop automation: The loop will exit based on a condition. The playbook
will not loop through the inputs, but it will take the inputs as a whole.

Key Idea

Consider the following when adding a loop:

● The maximum number of loops (default is 100). A high amount or a high
wait time combined with a large number of incidents, may affect
performance.
● Periodically check looping conditions to ensure they are still valid for the
data set.
● When the tasks input is an array, it is iterated automatically (no need to
define a loop)

1.4.1 References

● Configure a Sub-playbook Loop,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/con
figure-a-sub-playbook-loop
● Sub-Playbook Loop Example,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/con
figure-a-sub-playbook-loop/sub-playbook-tutorial

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 14

1.5 Differentiate among Playbook Task Types

1.5.1 Manual

Standard tasks are used for classic manual or script-based tasks, such as closing an investigation,
escalating to another analyst, or using a script to enrich data.

1.5.2 Automated

Automation is where tasks are arranged by the integrations they serve. You can scroll through the
integrations list and expand it to see the tasks by clicking the +. You can search for a task by name,
tag, or keyword in the search box above the list of integrations.

1.5.3 Conditional

Conditional tasks can be selected for decision trees or communicating with users through an Ask
task. Conditional tasks are used for determining different paths for your playbook. You can use
conditional tasks for something simple, such as proceeding if a particular integration exists or
determining whether a user account has an email address.

1.5.4 Data Collection

Data collection tasks can be selected for surveying users. Data collection tasks are multi question
surveys or forms that survey recipient access from a link in the message. The survey resides on an
external site that does not require authentication, thereby allowing survey recipients to respond
without restriction.

1.5.5 Sub-Playbook

The existing playbooks can be found and dragged into the new playbook to be used as
sub-playbooks. You should create small playbooks for the procedures used frequently so that they
can be called easily. Cortex XSOAR provides many predefined playbooks you can either use as is or
copy and customize to your needs. Refer to 1.4 for details.

To create a new task, either click + Create Task or drag off a line from the default section header
Playbook Triggered:

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 15

For a new task, you can choose three different types: standard, conditional, and data collection.

1.5.6 References
● Playbook Tasks,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/pla
ybook-tasks
● Create Playbooks,
https://xsoar.pan.dev/docs/playbooks/playbooks

1.6 Apply filters and transformers to manipulate data

In Cortex XSOAR, data is extracted and collected from various sources, such as playbook tasks,
command results, and fetched incidents, and is presented in JSON format. The data can be
manipulated by using filters and transformers.

You can add filters and transformers in a playbook task or when mapping an instance.

Filters enable the extraction of relevant data that you can use elsewhere in Cortex XSOAR. For
example, if an incident has several files with varying file types and extensions, you can filter the files
by file extension or file type and use the filtered files in a detonation playbook.

Transformers enable you to take one value and transform or render it to another value—for
example, converting a date in non-Unix format to Unix format. Another example is applying the
count transformer, which renders the number of elements.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 16

You can create filters and transformers to manipulate context data when adding or editing a task in
a playbook or when mapping an instance.

You can filter as many nested objects as required. Cortex XSOAR automatically calculates the
context root to which to filter. For example, if you want to work with file extensions, Cortex XSOAR
calculates context root as File.Extension.

Filters enable you to extract relevant data for use elsewhere in Cortex XSOAR. For example, if an
incident has several files with varying file types and extensions, you can filter the files by file
extension or file type and use the filtered files in a detonation playbook.

Filter categories are as follows:

Boolean: Determines whether a Cortex XSOAR field is true or false, or whether the string
representation is true or false

Date: Determines whether the left-side time value is earlier than, later than, or the same time as the
right-side time value. Different time and date formats are supported. For a detailed table, see the
references.

General: Includes general filters such as contains, doesn’t contain, in, and empty

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 17

String: Determines the relationship between the left-side string value and the right-side string
value, such as starts with, includes, and in list. The string filter returns partial matches as true.

Number: Determines the relationship between the left-side number value and the right-side
number value, such as equals, greater than, and less than.

Unknown: Miscellaneous filter category

Transformers enable you to take one value and transform or render it to another value. When you
have more than one transformer, you can reorder them by clicking and dragging them.

Transformer categories are as follows:

Date: Transforms the date. For example, Date to string and Date to Unix

General: Includes general transformers such as join, sort, splice, and stringify

String: Transforms strings. To make regex non-sensitive to case, use the (?i) prefix—for example,
(?i)yourRegexText.

Number: Transforms a number—for example, round, absolute, and to percent

Key Idea

● In Cortex XSOAR, data is presented in JSON format.

1.6.1 References

● Filters and Transformers,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/filte
rs-and-transformers
● Create Filters and Transformers in a Playbook,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/filte
rs-and-transformers/create-filters-and-transformers
● Filter Operators,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/filte
rs-and-transformers/filter-operators
● Transformers Operators,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/filte
rs-and-transformers/transformers-operators

1.7 Apply the Playbook Debugger to Aid in Development Playbooks

The Cortex XSOAR playbook debugger enables you to build and troubleshoot playbooks by helping
you find tasks that might fail and by testing different conditions, branches, and input and output
options. Common use cases include:
● Playbook development – Test and improve playbooks as you build them.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 18

 ● Proof of concept – Begin to create and test playbooks even before all integrations are in
place by manually providing inputs and outputs as needed.
● Error troubleshooting – Use the debugger to find and fix issues if a playbook stops on an
error.
● Explore Marketplace playbooks – Install content packs and use the debugger to see whether
the included playbooks are relevant for your use case.
Building a playbook is an iterative process. The debugger provides a test environment where you
can make changes to data and playbook logic and view the results in real time. You have the
opportunity to see exactly what is written to context at each step and which indicators are
extracted.

The debugger runs the playbook with the permissions of the logged in user, not as dBot. When the
user sets breakpoints, skips tasks, or overrides inputs or outputs, those changes only apply to the
individual user’s session and do not permanently change the playbook. Using an existing incident
as test data does not affect the original incident or change the original context data. When tasks
run, however, they execute the same as they would without the debugger. For example, if you run
the debugger and a task adds an item to a list, that item will be in the real list, accessible across
Cortex XSOAR for all users with permission to view that list.

Key Idea

● Debugger runs the playbook with the permissions of the logged in user and
not as dBot.

1.7.1 Reference

● Playbook Debugger,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/playbooks/deb
ugger

1.8 Summary of Key Ideas

● Any change made to a sub-playbook impacts the parent playbook in the next run of the
parent playbook.
● The above example uses incident context data as the playbook input, Threat Intel
Management playbooks.
● Consider the following when adding a loop:
○ The maximum number of loops (default is 100). A high amount or a high wait time
combined with a large number of incidents, may affect performance.
○ Periodically check looping conditions to ensure they are still valid for the data set.
○ When the tasks input is an array, it is iterated automatically (no need to define a
loop).
● In Cortex XSOAR, data is presented in JSON format.
● Debugger runs the playbook with the permissions of the logged in user and not as dBot.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 19

1.9 Sample Questions

Q1. Which statement is true about context data?

a. It is purged after each task in a playbook is run.

b. It must be transformed before a task can use it.
c. After it is written, it can be changed only by manual editing.
d. It does not necessarily include all data generated by the incident-related activity.

Q2. What is the context data is primarily used for?

a. Sending data to related incidents

b. Passing data between playbook tasks
c. Storing data for use with integrations
d. Mapping data to required fields

Q3. Which of the following provides dynamic input to playbook tasks and automation?

a. Incident tasks
b. Context data
c. Quick view
d. System

Q4.Which of the following is a category of playbooks?

a. System
b. Parent
c. Boolean
d. Number

Q5. What is a sub-playbook?

a. A playbook used as a task in another playbook

b. An obsolete playbook of inferior quality
c. An app that underlies a playbook to ensure that it flows from task to task
d. An updated playbook that substitutes for an older playbook

Q6. If the input is a list of items, then what will the sub-playbook do?

a. Run once for each input set

b. Run twice for each input set
c. Run as many times as there are items in the list
d. Run once for each item in the input that has a greater number of items

Q7. Which of the following is not a playbook task type?

a. Manual
b. Automated
c. Conditional
d. Boolean

Q8. Which of the following is not a part of the transformer category?

a. Date
b. String

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 20

 c. Boolean
d. Number

Q9. In which format type is the context root calculated by the Cortex XSOAR?

a. File.Get
b. File.Extension
c. File.String
d. File.Number
Q10. Which of the following is the function of error troubleshooting?

a. Use the debugger to find and fix issues if a playbook stops on an error.
b. Test and improve playbooks as you build them.
c. Install content packs and use the debugger to see whether the included playbooks are
relevant for your use case.
d. Begin to create and test playbooks even before all integrations are in place by manually
providing inputs and outputs as needed.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 21

Domain 2: Incident Objects

2.1 Configure Incident Types

Incident types are used to classify the events that are ingested into the Cortex XSOAR system. Each
incident type can be configured to work with a dedicated playbook, which can run either
automatically when an event is ingested or when triggered separately at a later point. You also can
configure dedicated service-level agreement (SLA) parameters for each incident type and run
specific post-processing scripts for the given incident type.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 22

2.2 Identify the Role of an Incident Type within the Incident Lifecycle

Cortex XSOAR is an orchestration and automation system used to bring all of the various pieces of
your security apparatus together.
Using Cortex XSOAR, you can define integrations with your third-party security and incident
management vendors. You can then trigger events from these integrations that become incidents
in Cortex XSOAR. Once the incidents are created, you can run playbooks on these incidents to
enrich them with information from other products in your system, which helps to paint a more
complete picture.
In most cases, you can use rules and automation to determine if an incident requires further
investigation or can be closed based on the findings. This enables your analysts to focus on the
minority of incidents that require further investigation.
The following diagram explains the incident lifecycle in Cortex XSOAR.

The create fields phase is used to display information from third-party integrations and playbook
tasks when an incident is created or processed.

The create incident types phase is used to classify the different types of attacks with which your
organization deals.

The create incident layouts phase is used to customize your layouts for each incident type to make
sure the most relevant information is shown for each type.

Key Idea

● Using Cortex XSOAR, you can define integrations with your third-party
security, incident management vendors and trigger events.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 23

2.2.1 References

● Incident Lifecycle,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-lifecycle

2.3 Configure an Incident Layout

After you define the incident type, you can configure its layout using the Cortex XSOAR embedded
Incident Layout Builder. For example, analysts will be interested in different information when
investigating a phishing incident versus a ransomware incident. You can customize the layout for
each incident to be presented with exactly the information the analysts need. In a phishing incident
example, that information might include the email headers and the email body, whereas for the
ransomware, the information would center on the family to which the ransomware belongs.

After configuring the layout for the incident type, you must map the different incident types that
your organization handles and the third-party integrations you have. For example, Cortex XSOAR
comes with ready-to-use incident types for phishing attacks. If you work with a different phishing
integration product, you can define an incident type specifically for those events. When you
configure your phishing product integration, you will associate it with your phishing product’s new
incident type, which will probably also have a dedicated phishing playbook.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 24

As is the case with the fields, definition of incident types should be an iterative process. As you plan
your deployment and begin working with your system, you will learn which incident types are
missing. You then can add the new incident types to your system and fine-tune the entire
incident-ingestion process.

2.3.1 Fields and Buttons

You can add dynamic fields to a layout, such as a graph of the number of bad indicators, their
source, and severity. You can also use queries to filter the information in the dynamic section to suit
your exact needs. In addition, buttons may be added to a tab depending upon the type of
investigation being conducted.

2.3.2 Tabs
You can customize almost every aspect of the layout, including which tabs appear, the order in
which they appear, who has permissions, and what type of information appears. You can add filters
in each field or tab by clicking on the eye icon, which enables you to add conditions that show
specific fields or tabs. For example, if an analyst decides that a Cortex XDR Malware incident is a
Ransomware subtype, they may only want fields showing data about the encryption method to
appear and not to show information if the Malware subtype is adware.

You may also want to limit specific tabs to certain scenarios. For example, if a user clicks a phishing
link, the new tab can contain the relevant fields and action buttons for this scenario.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 25

2.3.3 New/Edit and Close Forms

● New/Edit Form: When creating or editing an incident, you can add or delete sections and
fields as required.
● Close Form: Add, edit, or delete sections, fields, filters, when closing an incident.

Key Idea

● There are several Cortex XSOAR system layout sections and fields that you
cannot remove, but you can rearrange them in the layout and modify their
queries and filters.

2.3.4 References
● Incident Management,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-management#id79e86392-cdd0-42d8-9878-160e69df540f
● Working with Incident Types,
https://xsoar.pan.dev/docs/incidents/incident-types

2.4 Summarize the Function, Capabilities, and Purpose of Incident Fields

Use the Settings > ADVANCED > Fields screen to see system fields and add custom fields for
Incidents, Evidence, and Indicators.

Use Incident Fields to accept or populate incident data coming from incidents. You create fields for
the information you want to insert that arrives from third-party integrations. The fields are added to
incident type layouts and are mapped using the Classification and Mapping feature.

Incident fields can be populated by the incident team members during an investigation, at the
beginning of the investigation, or before closing the investigation.

Use Indicator Fields to add specific indicator information to incidents. When you create an
indicator field, you can associate it with one particular incident type or all incident types.

You can add the following field types when adding a new field:

● Attachments: Enables addition of an attachment such as .doc, malicious files, reports, and
images of an incident
● Boolean: Determines whether a Cortex XSOAR field is true or false, or whether the string
representation is true or false
● Date picker: Enables the user to select datetime in ISO 8601 format using the datetime
widget in XSOAR
● Grid (table): Includes an interactive, editable grid as a field type for selected incident types
or all incident types
● HTML: Configuring the HTML field provides the capability to insert data into the field as
HTML. However, this makes the field not searchable in incident query.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 26

 ● Long text: You can configure the Long text field for situations where the field is required to
store longer texts without a character limitation. However, this will make the field not
searchable in incident query.
● Markdown: Markdown is a lightweight markup language that can be best suited to
represent tables, lists and formatted texts. You can configure a field as markdown to allow
using markdown to display formatted text in incident layouts. However, this will make the
field not searchable in incident query.
● Multi select / Array: Includes two options a) Multi select from a pre-filled list b) An empty
array field for the user to add one or more values as a comma separated list.
● Number: Can contain any number. The default number is 0, but any quantity can be used.
● Role: Roles assigned to the incident determine which users (by the role to which they are
assigned) can view the incident.
● Short text: Maximum of 60,000 characters
● Single select: This type of parameter is used to allow selecting a single input from a list of
allowed inputs.
● Tags: accepts a single tag or a comma-separated list, not case sensitive.
● Timer/SLA: View how much time is left before an SLA becomes past due and configure
actions to take if the SLA does pass.
● URL: Include the address of the web page
● User: A user in the system; used to state a manager or fallback
Fields can be system fields and custom fields for the incidents, indicators, and evidence. Use the
Settings > ADVANCED > Fields screen to see system fields and add custom fields.

Different field types are used in different parts of the investigation and integrations. For example,
the Dest NT Domain incident field is assigned to the Access, Malware, and Brute Force incident
types and can be used with them, as seen in the following screenshot.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 27

You can create fields and assign them either to different incidents and indicators or to all types of
incidents and indicators. For example, the Detection Engines indicator field is assigned to all types
of indicators.

Key Idea

● Creating Incident Fields is an iterative process in which you continue to

create fields as you gain a better understanding of your needs and the
information available in the third party integrations that you use.

2.4.1 References

● Customize Incident Layouts,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/cust
omize-incident-view-layouts/customize-incident-layouts
● Incident Fields,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-management/incident-fields
● Indicator Fields,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/indicator-fields
● Field Types, https://xsoar.pan.dev/docs/incidents/incident-fields#field-types
● Create a Custom Incident Field,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-management/incident-fields/create-a-custom-incident-field

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 28

 ● Create a Custom Indicator Field,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/indicator-fields/create-a-custom-indicator-field#id0e6ff3a2-0b5
7-4d56-b032-c933f9b8a48a

2.5 Configure Classifier and Mappers

The classification and mapping feature enables you to take the events and event information that
Cortex XSOAR ingests from integrations and classify the event as a type of Cortex XSOAR incident.
For example, Cortex might generate alerts from Cortex Traps, which you would classify according to
the information in those events either as a dedicated Traps incident type or perhaps Authentication
or Malware. Also, you might have EWS configured to ingest both phishing and malware alerts
which you want to classify to their respective incident types based on some information in the
event. By classifying the events as different incident types, you can process them with different
playbooks suited to their respective requirements.

Classification

Classification determines the type of incident that is created for events ingested from a specific
integration. You create a classifier and define that classifier in an integration.

Mapping

You can map the fields from your third party integration to the fields you defined in your incident
layouts.

Starting with version 6.0, mappers are separate entities from classifiers. This enables you to do the
following:

● Map your fields to incident types irrespective of the integration or classifier. This means that
you can create a mapping before defining an instance and ingesting incidents. By doing so,
when you do define an instance and apply a mapper, the incidents that come in are already
mapped.
● Create a default mapping for all of the fields that are common to all incident types, and then
map only those fields that are specific to each incident type individually. You can still
overwrite the contents of a field in the specific incident type.
● Use auto-map to automatically map fields based on their naming convention. For example,
severity would be mapped to importance.
● Mirror content in Cortex XSOAR with third party integrations. This enables you to make
changes to an incident in Cortex XSOAR and have that change be reflected in the case
managed by the integration. For example, if you are using a case management system such
as JIRA or Salesforce, you can close an incident in Cortex XSOAR and have that closure
reflected automatically.

Key Idea

● The integration must support pulling the integration schema for mirroring to

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 29

 work.

2.5.1 References

● Classification and Mapping,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/clas
sification-and-mapping

2.6 Summary of Key Ideas

● Using Cortex XSOAR, you can define integrations with your third-party security, incident
management vendors and trigger events.
● There are several Cortex XSOAR system layout sections and fields that you cannot remove,
but you can rearrange them in the layout and modify their queries and filters.
● Creating Incident Fields is an iterative process in which you continue to create fields as you
gain a better understanding of your needs and the information available in the third party
integrations that you use.
● The integration must support pulling the integration schema for mirroring to work.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 30

2.7 Sample Questions

Q1. What is the primary use of incident types?

a. Classify the events ingested into the Cortex XSOAR system

b. Integrate with third-party security
c. Determine further investigational needs
d. Customize the layouts

Q2. Which phase is used to display information from playbook tasks and third-party integrations?

a. Pre-processing phase
b. Create fields phase
c. Post processing phase
d. Planning phase

Q3. Why is the create incident types phase used?

a. Display information
b. Customize layouts by incident type
c. Show relevant information of each incident type
d. Classify the types of attacks with which the organization deals

Q4. How can you configure the incident type layout?

a. Incident Layout Builder

b. Settings tab
c. Advanced tab
d. Layouts tab

Q5. Which action should a user perform after configuring the layout?

a. Work with a phishing integration product.

b. Define incident type for all events.
c. Plan deployment.
d. Map the different incident types that your organization handles.

Q6. When will you learn about the missing incident types?

a. After adding the new incident types to your system

b. As you plan deployment and start working on your system
c. After configuring the layout for the incident type
d. After you configure your phishing product

Q7. Who can populate the incident fields during an investigation?

a. Analyst
b. Administrator
c. Incident team members
d. Partners

Q8. Which three field types can you add when creating a new field? (Choose three.)

a. Short text
b. HTML

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 31

 c. Date picker
d. Attachments
e. Decimal number

Q9. What do the classification and map features enable users to do? (Choose two.)

a. Generate alters
b. Classify phishing and malware alerts to respective incident types
c. Use events and event information that Cortex XSOAR ingests from integration
d. Map the fields from third-party integration to the fields defined in the incident layouts.
e. Create mapping for specific fields.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 32

Domain 3: Automations, Integrations, and Related Concepts

3.1 Define the Capabilities of Automation across XSOAR Functions

3.1.1 Playbook Tasks

You have three different playbook types to use when you create playbooks. And when you create a
new task, you have three different types to choose from: standard, conditional, and data collection.

Standard tasks are used for classic manual or script-based tasks, such as closing an investigation,
escalating to another analyst, or using a script to enrich data.

Conditional tasks can be selected for decision trees or communicating with users through an Ask
task. Conditional tasks are used for determining different paths for your playbook. You can use
conditional tasks for something simple, such as proceeding if a particular integration exists or
determining whether a user account has an email address.

Data collection tasks can be selected for surveying users. Data collection tasks are multi question
surveys or forms that survey recipient access from a link in the message. The survey resides on an
external site that does not require authentication, thereby allowing survey recipients to respond
without restriction.

Key Idea

● You can collect responses in custom fields, for example, a Grid field.

3.1.2 War Room

War Room commands are commands that can be entered manually in the CLI at the bottom of the
screen.

The automation scripts that can be used with an integration can be found in several ways. Choose
the one best for you and the specific scenario you are in:

Start by typing ! and continue writing the name of an automation script or an integration
command from an enabled integration in the CLI. Cortex XSOAR will autocomplete and show
possible commands or scripts for that integration.

Start by typing ! and the CLI will autocomplete possible commands that you can execute and
provide tips for using the command. For example, !whois paloaltonetworks.com will return
registration information for the paloaltonetworks.com domain.

To see all possible commands for an enabled integration, open the integration in Settings >
Integration > Servers & Services and click the Show Commands link.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 33

 Key Idea

● To access the War Room: If you have an Admin role, clicking Playground on
the side bar opens the Playground - War Room tab. If you have another role,
typing any command in the CLI at the bottom of the page opens this tab.
● Cortex XSOAR does not index notes, chats, and pinned as evidence entries. If
you want to index these entries, see War Room Indexing.

3.1.3 Layouts (Dynamic Sections, Buttons)

The two different layout types are incident layouts and indicator layouts. Layouts are used to show
you the required information in different views and tabs.

For a phishing incident, you will want to see email headers, which would not be relevant for an
access incident or a file hash indicator; however, you might want to count how many times the
hash indicator is found in related incidents.

You can add automation script-based content to the Incident Summary and Incident Quick View
layout by adding the General Purpose Dynamic Section in the layout builder. The General
Purpose Dynamic Section enables you to configure a section in the Incident Info tab from an
automation script. The automation can return a simple text, markdown, or an HTML, the results of
which appear in General Purpose Dynamic Section.

You can add any required information from an automation. For example, you can assign a script
that calculates the total number of entries that exist for an incident, and it dynamically updates
when new entries are added to the incident. You can also Add a Custom Widget to the Incident
page and Add Note Information Using an Automation Script.

Before you begin, you need to create an automation script.

Key Idea

● Indicators are used to show required information in different views and tabs.

3.1.4 Jobs

You can create scheduled events in Cortex XSOAR using jobs. Jobs are triggered by either
time-triggered events or feed-triggered events.

For example, you can define a feed-triggered job to trigger a playbook when a specified threat
intelligence management (TIM) feed finishes a fetch operation for new indicators. Or you can
schedule a time-triggered job that runs nightly and removes expired indicators.

You can use the jobs feature for the following cases:

● Analyze from feeds.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 34

 ● Batch processing data.
● Detect information.
● Schedule process to move from folder to list for use.
● Push indicator to SIEM products.

Key Idea

● Jobs are triggered by time-triggered events or feed-triggered events.

3.1.5 Field Trigger Scripts

You can associate indicator fields with trigger automation scripts that check for field changes and
then take actions based on them. These scripts can perform any action when the conditions are
met. Indicator field trigger scripts allow indicators to become a proactive force within Cortex
XSOAR. For example, you can:
● Define a script that will run when the Verdict field of an indicator has changed. For example,
the script will fetch all incidents related to that indicator, and take any action that is
configured (reopen, change severity, etc.).

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 35

 ● Define a script that will run when the Expiration Status field has changed. For example, you
can define a script that will immediately update the relevant allow/block list (and not wait
for the next iteration) as seen in the following script example:

indicators = demisto.args().get('indicators')

new_value = demisto.args().get('new')

indicator_values = []

for indicator in indicators:

current_value = indicator.get('value')

indicator_values.append(current_value)

if new_value == "Expired":

# update allow/block list regarding expired indicators

else:

# update allow/block list regarding active indicators

Automations can be created in Python, PowerShell, or JavaScript in the Automation page. To use a
field trigger automation, you need to add the field-change-triggered-indicator tag when creating
the automation. You can then add the automation in the Attributes tab, when you edit or Create a
Custom Indicator Field. If you did not add the tag when creating the automation, the automation
will not be available for use.

Key Idea

● Automations can be created using Python, PowerShell or JavaScript in the

automation page.

3.1.6 Pre/Post-Processing

Pre-Processing

Pre-processing rules enable you to perform certain actions on incidents as they are ingested into
Cortex XSOAR directly from the UI. Using the rules, you can select incoming events on which to
perform actions. For example, you can link the incoming event to an existing incident or, based on
configured conditions, drop the incoming incident altogether. For more information, see Create
Pre-Process Rules for Incidents.

Post-Processing

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 36

Once the incident is complete and you are ready to close it out, you can run various post-processing
actions on the incident. These actions might include sending an email to the person who opened
the incident informing them that their incident has been resolved, or closing an incident in a
ticketing system.

3.1.7 References

● Playbook Tasks,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/playbooks/pla
ybook-tasks
● Incident Tasks,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-management/incident-tasks#id82f6c4a9-846c-4a79-9e0d-ac94123b942c
● War Room Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-management/war-room-overview
● Customized Incident Layouts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/cust
omize-incident-view-layouts/customize-incident-layouts
● Add a Script to the Incident Layout,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/cust
omize-incident-view-layouts/add-a-script-in-the-incident-layout
● Jobs, https://xsoar.pan.dev/docs/incidents/incident-jobs
● Indicator Field Trigger Scripts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/mana
ge-indicators/understand-indicators/indicator-fields/indicator-field-trigger-scripts

3.2 Differentiate between Automations, Commands, and Scripts

Automations

The Automation section is where you manage, create, and modify scripts. These scripts perform a
specific action and are comprised of commands associated with an integration. You write scripts in
either Python or JavaScript. Scripts are used as part of tasks, which are in turn used in playbooks
and commands in the War Room.

Scripts can access all Cortex XSOAR APIs, including access to incidents and investigations, and
share data to the War Room, and so on. Scripts can receive and access arguments, and you can
password protect scripts.

The Automation section includes a Script Helper, which provides a list of available commands and
scripts, ordered alphabetically.

Commands

Cortex XSOAR has two different kinds of commands:

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 37

 ● System commands – Commands that enable you to perform Cortex XSOAR operations, such
as clearing the playground or closing an incident. These commands are not specific to an
integration. System commands are entered in the command line using a /.
● External commands – Integration-specific commands that enable you to perform actions
specific to an integration. For example, you can quickly check the reputation of an IP
address. External commands are entered in the command line using a !. For example, !ip.
Scripts
Common Scripts are scripts that contain common code (functions, variables, etc.) to be used across
scripts which can be embedded when writing your own Automation scripts and Integrations. The
common scripts appear in the Automation page, but are used to enhance the API in other scripts
and integrations.
For example, the function tableToMarkdown in CommonServer.yml takes a JSON and transforms it
to markdown. You can call this function from integrations and scripts that you author.

Key Idea

● Scripts written in Python or JavaScript can access all Cortex APIs.

● Common scripts can be embedded when writing your own Automation
scripts and Integrations.

3.2.1 References

● Automations,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-8/cortex-xsoar-admin/playbooks/aut
omations
● Cortex XSOAR Concepts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/cortex-xsoar-o
verview/cortex-xsoar-concepts
● Common Scripts to use in Automations,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/aut
omations/common-scripts-to-use-in-automations

3.3 Interpret and Modify Automation Scripts

3.3.1 Script Helper

The Automation section includes a Script Helper, which provides an alphabetical list of available
commands and scripts:

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 38

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 39
3.3.2 Script Settings

In Script settings, you can define the following information:

Basic

Parameter Description

Name An identifying name for the automation

Language Select the automation language

type

Version The automation language version

Description A meaningful description for the automation

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 40

 Tags Predefined script identifiers that determine
where the automation is available. For
example, to use this automation as a
pre-processing automation, it must be
tagged with the pre-processing tag.

Run on The Cortex XSOAR server, single engine, or

Load-balancing group.

Propagation (Multitenant) Select the propagation labels

Labels for the automation

Enabled Whether the automation is available for

playbook tasks, indicator types, incident
types, and fields.

Content pack The content pack for which the automation

belongs

3.3.3 Language Types

In the Automation page, you can view, edit, and create automations in JavaScript, Python, or
Powershell. When creating an automation, you can access all Cortex XSOAR APIs, including
incidents and investigations, share data to the War Room, and so on. Automations can receive and
access arguments, and can also be password protected.

Key Idea

● In the Automation page, you can view, edit and create automations using
JavaScript, Powershell or Python.

3.3.4 Using Script to Create Widget for Dashboards

Create a script that queries and returns current on-line users and displays the data in a markdown
table.
In the automation script, type one of the following return values:
JavaScript

return executeCommand(“getUsers”, {online:true})[0].HumanReadable;

Python

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 41

demisto.results(demisto.executeCommand(“getUsers”, {“online”: True })[0][“HumanReadable”])

When creating or editing the widget in the Cortex XSOAR, to add a page break,
type /pagebreak in the text box. When you generate a report, the widgets that follow the page
break are on a separate page.

In the dashboard, the following widget displays the on-line users:

3.3.5 References
● Cortex XSOAR IDE, https://xsoar.pan.dev/docs/concepts/xsoar-ide#the-script-helper
● Automations,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/aut
omation

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 42

 ● Automations,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/aut
omation
● Script based Widgets using Automation Scripts Examples,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/widgets/creat
e-a-custom-widget-using-an-automation-script/widget-type-examples-using-automation-s
cripts

3.4 Identify the Properties and Capabilities of the XSOAR Framework for Integration

Throughout development of integrations and scripts, your code likely will cause something to break
at some point. One of the most significant features of Cortex XSOAR is its use of machine learning
to better time these crashes so they occur during your time off.

To find the source of the problem, you can check logs and War Room entries, and you can also use
the Demistomock library.

There is also a fourth option to debug your integration. The Cortex XSOAR plugin for the PyCharm
IDE enables you to design and author scripts and integrations for Cortex XSOAR directly from
PyCharm. The plugin adds a sidebar with Automation and Integration Settings, just like the
Settings sidebar in the Cortex XSOAR script editor. When you write code, the plugin provides you
with autocomplete of Cortex XSOAR and Python functions and allows you to debug your code
easily.

Key Idea

● You can easily debug your integration using the Cortex XSOAR plugin.

3.4.1 References

● Debugging,
https://xsoar.pan.dev/docs/integrations/debugging
● Create an Integration,
https://xsoar.pan.dev/docs/tutorials/tut-integration-ui

3.5 Configure and Manage Integration Instances

You can poll third party integration instances for events and turn them into Cortex XSOAR incidents
that trigger automations (fetching). There are a number of integrations that support fetching, but
not all support this feature. You can view each integration in the Cortex XSOAR Developer Hub.

When setting up an instance, you can configure the integration instance to fetch events. You can
also set the interval for which to fetch new incidents by configuring the Incident Fetch
Interval field. This enables you to control the interval in which an integration instance reaches out

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 43

to third party platforms to fetch incidents into Cortex XSOAR. If the integration instance does not
have the Incident Fetch Interval field, you can add this field by editing the integration settings.
The fetch interval default is 1 minute.

You can change the default for all integration instances by setting the server configuration using
the serversiemincidents.schedule key. The value is the interval in seconds (s), minutes (m), or
hours (h). Setting the incident fetch interval when defining an instance overrides the server
configuration settings.

Go to Settings > About > Troubleshooting.For example, type jobs.serversiemincidents.schedule

key and 120s value. It is recommended that you do not set the value to less than one minute (1m).
Set the objects to be fetched and their mapping in Settings > OBJECTS SETUP > Incidents >
Classification & Mapping.

Key Idea

● You can add the field to any integration that fetches incidents. For
out-of-the-box integrations, to add the field, you need to create a copy of the
integration. Editing the integration settings including adding the Incident
Fetch Interval field, breaks the connection to out-of-the-box content. Any
future updates to this integration will be applied to the out-of-the-box
integration and not to the copy integration.
● If you turn off fetching for a period of time and then turn it on or disabled the
instance and enabled it, the instance remembers the "last run" timestamp,
and pulls all events that occurred while it was off. If you don't want this to
happen, verify that the instance is enabled and then click Reset the “last
run” timestamp in the settings window. Also, note that "last run" is retained
when an instance is renamed.

3.5.1 Reference

● Fetch Incidents from an Integration Instance,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/inci
dent-management/fetch-incidents-from-an-integration

3.6 Summary of Key Ideas

● You can collect responses in custom fields, for example, a Grid field.
● To access the War Room: If you have an Admin role, clicking Playground on the side bar
opens the Playground - War Room tab. If you have another role, typing any command in
the CLI at the bottom of the page opens this tab.
● Cortex XSOAR does not index notes, chats, and pinned as evidence entries. If you want to
index these entries, see War Room Indexing.
● Indicators are used to show required information in different views and tabs.
● Jobs are triggered by time-triggered events or feed-triggered events
● Automations can be created using Python, PowerShell or JavaScript in the automation page
● Scripts written in Python or JavaScript can access all Cortex APIs.
● Common scripts can be embedded when writing your own Automation scripts and
Integrations.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 44

● In the Automation page, you can view, edit and create automations using JavaScript,
Powershell or Python.
● You can easily debug your integration using the Cortex XSOAR plugin.
● You can add the field to any integration that fetches incidents. For out-of-the-box
integrations, to add the field, you need to create a copy of the integration. Editing the
integration settings including adding the Incident Fetch Interval field, breaks the
connection to out-of-the-box content. Any future updates to this integration will be applied
to the out-of-the-box integration and not to the copy integration.
● If you turn off fetching for a period of time and then turn it on or disabled the instance and
enabled it, the instance remembers the "last run" timestamp, and pulls all events that
occurred while it was off. If you don't want this to happen, verify that the instance is enabled
and then click Reset the “last run” timestamp in the settings window. Also, note that "last
run" is retained when an instance is renamed

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 45

3.7 Sample Questions

Q1. Which playbook task can be selected for surveying users?

a. Conditional task
b. Standard task
c. Data collection task
d. None of the above

Q2. Which statement about War Rooms is true?

a. War Room commands are used for script-based tasks.

b. War Room commands are used to determine different paths for your playbook.
c. War Room commands are commands entered manually in the CLI.
d. War Room commands are used as integration commands.

Q3. What are the two types of layouts? (Choose two.)

a. Incident layouts
b. Dynamic layouts
c. Indicator layouts
d. Button layouts

Q4. Why use automations?

a. To create scripts
b. To create, manage and modify scripts
c. To write scripts in Java and Python
d. To access a few Cortex XSOAR APIs

Q5. Which two kinds of commands are available in Cortex XSOAR? (Choose two.)

a. Internal commands
b. System commands
c. Warm room commands
d. External commands

Q6. Which statement regarding Script helper is true?

a. Provides a list of commands

b. Provides a list of available commands and scripts in alphabetical order
c. Provides the language version
d. Provides a list of scripts

Q7. Which three parameters can you define in Script settings? (Choose three.)

a. Language type
b. Disabled
c. Run on
d. Content pack

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 46

Q8. Where can you check the source of a problem?

a. Settings
b. Logs and War Room entries
c. Library
d. PyCharm IDE

Q9. What is the default fetch interval time?

a. Two minutes
b. 30 seconds
c. One minute
d. 15 seconds

Q10. Where can you view every integration instance?

a. Cortex XSOAR
b. Integration settings field
c. Cortex XSOAR Developer Hub
d. Incident Fetch Interval field

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 47

Domain 4: Content Management and Solution Architecture
4.1 Apply Marketplace Concepts for the Management of Content

4.1.1 Searching in Marketplace

You can install, delete, and update content and contribute and share content items such as
playbooks, integration, and incident types in the Marketplace.

You can browse all content (including installed content), view only the installed content packs, or
see your contributions. When a content pack needs to be updated, you receive notifications and
view the updates on the Installed Content Packs tab.

When you search for content, you can use the search bar by adding text and then selecting the
content from which to search.

4.1.2 Installation and Updates

All Cortex XSOAR content is organized in packs. Packs are essentially groups of artifacts that
implement use cases in the product. Content packs are created by Palo Alto Networks, technology
partners, consulting companies, MSSPs, customers, and individual contributors. As was discussed in
Task 5.1.2, content packs may include various components, such as integrations, automations,
playbooks, incident types, and widgets.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 48

Before you install a content pack, you should review the content pack to see what it includes, any
dependencies that are required, reviews, etc. When selecting a content pack, you can view the
following information:
● Details – General information about the content pack, including installation, content, version,
author, status, etc.
● Content – Information about the content pack such as automations, integrations, etc.
● Release Notes – Contains information about each version including fixes, improvements, etc.
● Dependencies – Details of any Required Content Packs and Optional Content Packs that
may need to be installed with the content pack.
● Review: You can view or add a review to the content pack (but you must be logged in).
If you experience timeout issues when downloading content, see Marketplace Troubleshooting.

When content packs need to be updated by the creators, they become ready for use after the
review and approval process by the Cortex XSOAR team, and you are notified about the updates in
the Cortex XSOAR interface.

Suppose you want to contribute the content entities you created. In that case, you should create a
content pack and submit it for review to Cortex XSOAR team so that it can be added to the Cortex
XSOAR Marketplace and thereafter become available to customers.

When a content pack is available for update, a notification appears next to the Marketplace icon,
and a message about content pack updates displays at the top of the Settings page.

You can update to the latest content version or specific versions. Any customizations you have made
are automatically included in any update. All dependent content packs update automatically with
the main content pack.

Users can see updates for content packs they have in their environment that were downloaded by
another user.

Key Idea

● If you want to downgrade, any content that depends on the content pack
including any customizations may be deleted if it does not exist in the target
content pack version.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 49

4.1.3 Dependencies
In Cortex XSOAR, some objects are dependent on other objects. For example, a playbook may be
dependent on other playbooks, scripts, integrations, and incident fields, etc.

In the figure above, you can see that an incident type depends on a playbook, an incident layout,
and an incident field. A widget depends on an incident field and a script. A script depends on
another script, and an integration and how they all are dependent on each other.

When you install a content pack, mandatory dependencies, including required content packs, are
added automatically to ensure that it installs correctly.

Some content which is not essential for installation still ensures that the other content runs
successfully. These dependencies include optional content packs, which can be added or removed
in the Cart.

Key Idea

● If you delete a content pack, which depends on other content packs, these
content packs may not run correctly. Also, if you roll back to an earlier version
of a content pack, other content packs might be affected. For example, if
content pack A depends on layouts from content pack B Version 2, reverting
to Content Back B Version 1 could cause content pack A to stop working.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 50

4.1.4 Version History

You can revert to an earlier version of an installed content pack by following the these steps:

Step 1: In the Installed Content Packs tab of the Marketplace, search for the content pack.

Step 2: In the Version History tab of the content pack, view the previous versions.

Step 3: Choose the version you want to revert to and click Revert to this version. The selected
version will be added to your cart.

Step 4 : In the Marketplace cart, click Downgrade.

Key Idea

● If you roll back to an earlier version of a content pack, other content packs
might be affected. For example, if content pack A depends on layouts from
content pack B Version 2, reverting to content pack B Version 1 could cause
content pack A to stop working.

4.1.5 Partner-supported Versus XSOAR-supported

Partner-supported content packs

This term applies to content packs published by Cortex XSOAR Technology Partners. Support and
maintenance is provided by the Technology Partner, whose contact information appears in the
content pack details.

Cortex XSOAR Technology Partners are required to join the industry-standard support
framework, TSANet, to deliver support to our mutual customers. Customers engage directly with the
Partner for support and maintenance of the partner-supported content pack.

Cortex XSOAR-supported content packs

This term applies only to content packs published by Palo Alto Networks. These content packs are
supported and maintained by Palo Alto Networks according to the Palo Alto Networks End User
Support Agreement.

Key Idea

● Palo Alto Networks is not liable for and does not warrant or support any
content pack produced by a third-party publisher.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 51

4.1.6 Submitting Content to the Marketplace

Any user can add content to a content pack. The content pack is submitted and reviewed by Cortex
XSOAR to ensure it complies with Cortex XSOAR standards. After approval, the content pack can be
used in the Marketplace.

Step 1 : Select Marketplace > CONTRIBUTIONS > Contribute Content

Step 2 : In the Content Pack Editor field, type a meaningful name for the content pack.

Step 3 : In the Add Content section, select the type of content you want from the drop-down list,
locate the content you want to add, and click Add.

For more information about how to build a content pack, see the Dev Hub documentation.

Step 4 : If you want to continue adding content at a later time or to use the Validate Pack option,
click the Save button.

Step 5 : (Optional) Click Validate Pack to check for errors. The pack must be saved before you
validate.

Step 6 : If you have finished and want to send the content pack to a Cortex XSOAR developer for
review, click Save and contribute to either contribute or download your contribution.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 52

Step 7 : (Optional) In the Contribute dialog box, add a description.

Step 8 : Select Save and submit your contribution, enter your email address and click Contribute.

Instead of submitting the contribution, you can also download the content pack and upload it, for
example, to GitHub.

After sending the content pack, a confirmation message appears. You will be contacted about the
next steps in the review process.

4.1.7 Reference

● Update a Content Pack,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/c
ontent-pack-installation/update-a-content-pack
● Content Pack Lifecycle,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/
marketplace-subscriptions
● Content Pack Installation,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/c
ontent-pack-installation#id330fd342-f533-4345-9dae-9ea0cecf8690
● Content Pack Installation,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/c
ontent-pack-installation#id330fd342-f533-4345-9dae-9ea0cecf8690
● Version Control,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/vers
ion-control

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 53

 ● Revert a Content Pack,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/c
ontent-pack-installation/revert-a-content-pack
● Install a Content Pack Offline,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/i
nstall-a-content-pack-offline
● Create a Content Pack,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/c
ontent-pack-contributions/create-a-content-pack

4.2 Apply General Content Customization and Management Concepts

4.2.1 Custom versus System Content

All Cortex XSOAR content is organized in packs. Packs are essentially groups of artifacts that
implement use cases in the product. Content packs are created by Palo Alto Networks, technology
partners, consulting companies, MSSPs, customers, and individual contributors, and they may
include various components, such as integrations, automations, playbooks, incident types, and
widgets.

When content packs need to be updated by the creators, they become ready after the review and
approval process by the Cortex XSOAR team, and you are notified about the updates in the Cortex
XSOAR interface. To contribute the content entities you created, you should create a content pack
and submit it for review for it to be added to the Cortex XSOAR Marketplace and become available
to customers.

Any user can add content to a content pack that has been created, submitted, and reviewed by
Cortex XSOAR to ensure that it complies with Cortex XSOAR standards. After approval, the content
pack can be used in the Marketplace.

You can install only one content pack at a time from the Marketplace. Cortex XSOAR automatically
adds any content that is required to install the content pack. You also can add any recommended
content packs that use the content pack you want to install.

Before you install a content pack, search for it by using the Browse tab. When you find the required
pack, you can see what is included in it and then use the Install button to finish the installation.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 54

 Key Idea

● You can install only one content pack at a time from the Marketplace.

4.2.2 Duplicating Content

To edit a content item, the item must be detached or be custom content. When content items are
detached, they do not receive updates from the Marketplace. There are two options for editing
content items:
● Detach the content item (playbook, automation, etc.) and edit it. If you want to receive
content updates in the future, you can reattach the content item, but the modifications
you made while the item was detached will be overwritten in the next content update.
● Duplicate the content item and edit the copy. When a content item is duplicated, it
becomes a custom content item and therefore will not receive updates, but you can still
view updates to the original content item.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 55

 Key Idea

● When a content item is duplicated, it becomes a custom content and will

not receive updates but you can view updates.

4.2.3 Importing/Exporting Custom Content

When you create your content packs, you can use the Contributions tab in the Marketplace to send
them to Cortex XSOAR for review and approval. If you want to prepare the content pack and send it
later for review or upload it to GitHub, you can export your package in the Contribution screen by
selecting the Save and download your contribution option:

You usually need an Internet connection when using the Marketplace for tasks such as
downloading and subscribing to content packs because all these services are in the cloud. However,
you can upload content packs offline. The administrator downloads the content pack to install,
which is in ZIP format.

In ZIP format, you can upload the following:

● Each content pack separately

● Several content packs together

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 56

 ● An all-packs zip, which installs all content packs at the same time. All dependencies are
included.

Before you start uploading content that you want to install, you should update server configurations
to turn off Marketplace synchronization in the cloud for both the content packs and the review
process by adding the following keys values to Settings > About > Troubleshooting > Add Server
Configuration. Addition of those keys improves system performance.

Key Value

marketplace.sync.enabled false

marketplace.content.packs.rating.enabled false

marketplace.subscriptions.sync.enabled false

Key Idea

● You need internet connection when using the Marketplace for tasks such as
downloading and subscribing to content packs.

4.2.4 Version Control

You can save versions of a playbook as you develop it. When you save a version of a playbook, add a
meaningful comment so that you will be able to recognize the changes you made to that version at
a later time. The saved version includes the name of the playbook, your commit message, an
indication of what the change was (modify, insert, etc.), the date the playbook was saved, and the
name of the author who last saved it. If necessary, you can access the playbook’s version history and
revert your playbook to a previous version.
Step 1 : From the Save Playbook drop-down list, click Save version for current Playbook.

Step 2 : Enter a description of the change that was made to the current version.

Step 3 : Click Update Playbook.

Step 4 : To access a version of a playbook:

1. Click Version history for all Playbooks.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 57

 2. Search for the required playbook. The description you entered when you saved the version
should help you locate the version you now require.

3. Click Restore to open the required version of the playbook.

4.2.5 References
● Content Pack Contributions,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/c
ontent-pack-contributions#id155ef400-1b97-4e8b-9027-055c7fe873e6
● Marketplace FAQs,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/marketplace/
marketplace-faqs
● Troubleshoot Content Issues,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/5-5/cortex-xsoar-multi-tenant-guide/re
mote-repositories-for-multi-tenant-deployments/troubleshoot-a-remote-repository-configur
ation/troubleshoot-content-issues#id8ccd163f-44fd-49ac-a8f3-275b2a7809c2
● Version Control,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/vers
ion-control

4.3 Manage Local Changes in a Remote Repository (dev-prod) Configuration

Once you develop your content, you must push the changes to the remote repository for the
updated content to be available as part of a content update for the production environment.
You can save versions and manage revisions locally using the Save Version button. Alternatively, you
can click the save button to save the changes.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 58

These options are only available for the following content types:
● Automation
● Playbooks
● Integrations
● Classifiers
● Layouts
● Reports
● Dashboards
● Incident types
● Fields
● Preprocess rules
● Lists
● Jobs

For all other content types, your changes are automatically saved locally.
You can push individual items such as a playbook or content packs as a whole. If you want to have
more granular control over the items in the content packs that you push, add the
ui.version.control.push.partial.packs server configuration and set the value to true.

Step 1 : Push content to the Remote Repository

1. Go to Settings > Local Changes. Push the following content according to the tabs:
● Items: Content that is not related specifically to a content pack. For example,
customized automations or playbooks.
If you have already pushed a content pack and later edit one of its content items, the
edited items will appear in the Items tab, not the Packs tab.
● Packs: All of the content that is specific to the content packs you installed from
Marketplace.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 59

 2. Select the changes that you want to push to the remote repository and click Push.
3. In the dialog box, add an optional message and click Push.
4. If the items have dependencies, review the contents and click Push.
● Sometimes you may not want to push all content, content pack dependencies, etc.
For example, when a user makes a change in a playbook that includes an automation
dependency to which another user is adding a feature, and the change does not
require the new feature (version) of the automation, you can push the playbook
without the new automation.

Step 2 : On the remote repository, install the new content.

1. At the top of any page, click Install New Content.

2. In the dialog box, click Install Content.
3. You can also check for new content that has been pushed.
4. If conflicts appear, click Resolve conflicts.
5. In the Action column, select one of the following:
● Skip: Keeps the local content in your production environment
● Replace: Deletes the local content and installs the content from the remote repository
6. Click OK to save the changes.

Step 3 : (Optional) If you want to control access when pushing content, do the following on the
remote repository:

1. Select Settings > About > Troubleshooting > Server Configuration

2. Click Add Configuration.
3. Under key, enter UI.version.control.admin.only
4. Click Save.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 60

 Key Idea

● When working with remote repositories and upgrading to v6.0 and above,
push your classifiers and mappers on the development environment before
grading the product environment.

4.3.1 Reference
● Edit and Push Content to a Remote Repository,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/remote-reposit
ory/edit-and-push-content-to-a-remote-repository

4.4 Describe the Components of the XSOAR System Architecture

4.4.1 System Hardware Requirements

Cortex XSOAR requires the following hardware. Ensure you meet all minimum system requirements.
Cortex XSOAR Server

Cortex XSOAR server has specific operating system and hardware requirements.

Hardware Requirements

COMPONENT DEV ENVIRONMENT PRODUCTION MINIMUM

MINIMUM
CPU 8 CPU cores 16 CPU cores
Memory 16GB RAM 32GB RAM
Storage 500GB SSD 1TG SSD with minimum
3k dedicated IOPS

If your hard drive is partitioned, we recommend a minimum of 450GB for the /var partition for the
development environment, and 900GB for the /var partition for the production environment.
When deploying Cortex XSOAR with BoltDB, we recommend a limit of 1 million indicators for the
development environment and 5–7 million indicators for the production environment. If you will
have more indicators, we recommend using Elasticsearch.

Docker/Podman Requirements

Cortex XSOAR requires Docker or Podman for container management. Cortex XSOAR installs either

Docker or Podman automatically based on your operating system. IPv4 forwarding is required.

You may need to take additional steps to set up Docker or Podman, depending on your operating
system.

Podman, by default, uses the $HOME/.local/share/containers/storage directory, and we

recommend reserving 100GB for the /home partition.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 61

 Key Idea

● A minimum of 450 GB for var/partition for the development environment

and 900 GB for var/partition for the production development is
recommended.
● Cortex XSOAR requires Docker or Podman for container management.

4.4.2 Remote Repositories (dev-prod)

The Remote repository feature in the UI
Cortex XSOAR supports the ability to work with separate repositories for development and
production environments. This enables you to develop and test all of your content in one location,
and when it is ready, you push the content to the remote repository. In your production
environment, you pull the content as you would all other content updates. This feature does not
need the resources for CI/CD process and is designed for less complicated content, usually one or
two developers working on a local machine.
Working with the Remote repository feature in the UI
In the production environment, the content appears as a content update, just like any other, and
you pull the content from the remote repository into your working branch.
In addition, Cortex XSOAR content updates are only delivered to the development environment. This
enables you to determine which updates you want to push to production.
● Working with remote repositories is Git-based. Any service that supports this protocol can be
used, for example, GitHub, GitLab, Bitbucket, etc. In addition, on-premise repositories are also
supported.
● Verify that your Cortex XSOAR has access to the remote repository as this feature can not be
configured to work with Engines.
To work with remote repositories, you must have two separate Cortex XSOAR environments on two
separate machines. The development environment is used to write the following content:
● Automations
● Playbooks
● Integrations
● Classification
● Incident fields
● Evidence fields
● Incident layouts
● Incident types
● Pre-processing rules
● Indicator types
● Reports
● Dashboards
● Widgets

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 62

It is not possible to edit these elements in the production environment.
You need to configure the remote repository feature both on your development machine and
the main account. If you want your developed content to be available as part of a content update for
the production environment, you must push the changes to the remote repository. If you
experience issues, learn how to troubleshoot remote repositories.
The Remote Repository UI feature and High Availability

The remote repository feature in the UI is not supported on development environments that run as
High Availability (multi-app servers). You can still use a development > staging > production set
up, where development is a single server (not High availability), but production can be High
Availability. In this setup, both staging and production pull from the same git repository. If your
development environment runs as High Availability, use the CI/CD Solution.

Key Idea

● Working with remote repositories is git-based. Any service that supports this
protocol can be used, for example, GitHub, GitLab, Bitbucket, etc. In addition
on-premise repositories are also supported.
● If you have more than two pre-processing rules in your Local Changes queue,
you must push all of those changes to the remote repository.

4.4.3 Engines
Cortex XSOAR engines are installed in a remote network and allow communication between the
remote network and the Cortex XSOAR server. You can run scripts and integration commands on an
engine. It is possible to install a single engine or multiple engines.
You can install multiple engines on the same machine (Shell installation only) which is useful in a
dev-prod environment where you do not want to have numerous engines in different environments,
and to manage those machines. In a multi-tenant environment, users may want to deploy engines
for tenants on the same machine, and you can share an engine between tenants.
An engine is used for the following purposes:

● Proxy
● Load-balancing

Engine Proxy

Cortex XSOAR engines enable the Cortex XSOAR server to access internal or external services that
are otherwise blocked by a firewall, proxy, or other blockers. For example, if a firewall blocks external
communication and you want to run the Rasterize integration, you need to install an engine to
access the Internet.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 63

Within the network, you need to allow the engine to access the Cortex XSOAR server's IP address
and listening port (by default, TCP 443). The engine always initiates the communication to the
server.
Engine Load-Balancing
Engines can be part of a load-balancing group, which enables distribution of the command
execution load. The load-balancing group uses an algorithm to efficiently share the workload for
integrations that the group is assigned to, thereby speeding up execution time. In general, heavy
workloads are caused by playbooks that run a high number of commands.

Before configuring an integration to run using multiple engines in a load-balancing group, we

recommend you test the integration using a single engine in the load-balancing group.

By default, the Cortex XSOAR server is part of the load balancing group. It is recommended that
you Remove the Cortex XSOAR Server From the Load-Balancing Group, which increases
performance, when there are two or more engines in the load-balancing group or if you use engines
to access integrations that are inaccessible from the Cortex XSOAR server.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 64

Engine Installation and Configuration

You can Install a Cortex XSOAR Engine on Linux and Windows machines. After installing the engine,
you can Configure Engines, such as log levels, add/remove servers to a load-balancing group, use as
a web proxy, etc. You can also Manage Engines, such as getting logs, add/remove engines, delete
engines, remove engines, etc. Before installing, review the system requirements in Install a Cortex
XSOAR Engine.

Key Idea

● You cannot share a multiple engine installation with a single engine

installation.
● When you add an engine to a load balancing group, you cannot use that
engine separately. The engine does not appear in the engines drop-down
menu when configuring an integration instance.
● For Linux machines, you need to install Docker before installing an engine. If
you use the Shell installer, Docker is automatically installed.

4.4.4 Multi Tenancy

Multitenancy architecture is based on the platform’s ability to run multiple instances (processes and
data) of the XSOAR server on a single server. Each deployment consists of a main server and tenant
accounts. All tenant accounts can reside on the same (main) server or an MSSP can choose to run
tenants on additional hosts. Tenants are deployed across hosts for several reasons.
Scalability: This includes full horizontal scalability; when a server or host is maxed out due to an
excess of tenants on the same host, MSSPs can add another host on which to run tenants. MSSPs
can easily move tenants between hosts.
Geography: A global MSSP may have customers in multiple countries or even continents. To
increase responsiveness, the MSSP may choose to locate a host or multiple hosts in each location.
Compliance: In some cases, MSSPs are asked to run the tenant within the country where the
customers’ offices are located or even within the customer’s internal network. For the latter, XSOAR
supports installing a single host running a single tenant that can be installed on the customer’s
premises.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 65

Components

Main host
The main host is the main instance in the architecture from which you access and administer
tenants (accounts) and create and manage hosts.

Host
A host is an instance of Cortex XSOAR that acts as a proxy between the main host and tenants. In a
multi tenant deployment, hosts are not required but they do enable you to scale your deployment
by managing a collection of tenants. Data is not stored on host machines.

Tenant
A tenant is also an instance of Cortex XSOAR that serves a customer or account and can be located
either on the main or other hosts. The tenant has customer-specific data such as indicators,
incidents, layouts, etc., which are stored in the tenant’s index of the database. Tenants share
indicators with the main host using a shared database index. The tenant can also inherit content,
such as playbooks, indicators, incident types, etc. from the main host using propagation labels.

Engines

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 66

Engines are smaller installations of Cortex XSOAR that are used to enable communication between
third-party integrations, which might sit in a different part of the network or might be blocked
through firewalls, and the main host. Engines can be installed on their own or as part of an engine
group, which distributes the load from an integration, or several integrations, between multiple
engines.

Data Segmentation
Cortex XSOAR content, including playbooks, automation scripts, and incident/indicator layouts,
among others, is managed on the main host and propagated to tenants.

Indicator Sharing
Each tenant account has a dedicated shared index in Elasticsearch, which enables tenant accounts
to share local indicators to a dedicated Elasticsearch index, from which other tenants can ingest
those indicators (as configured on the main host). Storing local indicators on a shared index
maintains data segregation between tenants, but the tenants are able to benefit from the locally
discovered threat intel.

Communication
The main host and hosts communicate with each other using TLS 2.1 over port 443 (this is the
default port, but can be configured). In addition, all hosts working with Elasticsearch communicate
with the database over port 9200.

Requests to the tenants are sent through the hosts (main or other) on port 443. The hosts forward
the requests to the tenants, which listen on ports 18501 and higher.

4.4.5 Elasticsearch/HA

Elasticsearch is a distributed, open source search and analytics engine for all types of data. It enables
processing and storing large amounts of data.
When you migrate the objects that exist in Cortex XSOAR to Elasticsearch, they are moved to a
designated index used by a specific Elasticsearch instance. Every Elasticsearch index is composed of
at least one primary shard where the data is stored. A replica shard is a copy of a primary shard.
Replicas provide redundant copies of your data to protect against hardware failure and increase
capacity to serve read requests like searching or retrieving data.
The following diagram depicts a Cortex XSOAR environment with Elasticsearch.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 67

The number of primary shards in an index is fixed at the time that an index is created, but the
number of replica shards can be changed at any time without interrupting indexing or query
operations.
In order to move to Elasticsearch, you must have Cortex XSOAR v6.0 and Elasticsearch installed. We
recommend that you install Elasticsearch on a different server than Cortex XSOAR due to the high
memory consumption for both services.
Perform the migration by running the migration tool, which is a standalone binary file. The binary
file must be run with either sudo or admin permission. The migration tool uses the demisto.conf file
to read the following information:
● Database location
● Partitions data
The migration tool begins by reading the Cortex XSOAR database to identify existing partitions and
custom fields. It then creates the index (if it does not already exist) based on the Elasticsearch
configuration in the demisto.conf file, or based on the Elasticsearch default configurations set in the
Elasticsearch cluster setting. After Elasticsearch is successfully configured, the tool reads each
partition, from older to newer, and copies all objects to the index. Duplicate objects are overridden,
taking only the latest version of the object.
When working with Elasticsearch, Cortex XSOAR does not maintain, nor is it responsible for, the
following:
● Redundancy
● Backups
● Security
● Elasticsearch clusters

Key Idea

● You must stop the Cortex XSOAR server before you run the migration tool.
This enables the tool to safely access the database and required
configurations.
● Moving data from the Elasticsearch database back to the Cortex XSOAR Bolt
database is not supported.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 68

4.4.6 Docker
Cortex XSOAR primarily uses Docker to run Python scripts and integrations in a controlled
environment. The scripts and integrations run isolated from the server to prevent someone from
accidentally damaging the server. By packaging libraries and dependencies, you can prevent
unknown issues from occurring because the environment is all the same.
Palo Alto Networks maintains a large repository of Docker images. All Docker images are available
via the Docker Hub under the Demisto organization at https://hub.docker.com/u/demisto/.

The Docker image creation process is managed via the open-source project “demisto/dockerfiles.”
Before you try to create a new Docker image, check to see whether one already is available. You can
search the repository-info branch updated nightly with image metadata and os/python packages
used in the images.

Note: For security reasons, Cortex XSOAR cannot accept images that are not part of the Docker Hub
Palo Alto Networks (Demisto) organization.
If you cannot find an existing image, see the article about creating a Docker image for testing and
production use at https://xsoar.pan.dev/docs/integrations/docker#docker-image-creation.

Suppose you need to install Docker images in air-gapped environments. In that case, you can
download Docker images by appending &downloadName=dockerimages to the Cortex XSOAR
server download link you received from Cortex XSOAR, then read the required instructions in the
related reference documents in the “References” section below.

Key Idea

● For security, images that are not part of the Demisto organization in Docker
hub cannot be accepted.

4.4.7 Reference

● System Requirements,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/installation/sys
tem-requirements
● Remote Repositories Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-multi-tenant-guide/re
mote-repositories-for-multi-tenant-deployments/remote-repositories-overview
● Remote Repositories Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/remote-reposit
ory/remote-repositories-overview#idd7d0e7b2-d264-4fb6-92a9-e3cb757bcaef
● Cortex XSOAR Engines Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/engines/under
stand-demisto-engines
● Multi-Tenant Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-multi-tenant-guide/m
ulti-tenant-deployments/multi-tenant-overview#ida761db45-9bd8-4dc9-8209-36f0b3ada236

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 69

 ● Elasticsearch Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/elasticsearch/o
verview
● Incident Access Control Configuration,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incid
ent-access-control-configuration
● Using Docker, https://xsoar.pan.dev/docs/integrations/docker
● Dockerfiles, https://github.com/demisto/dockerfiles/blob/master/README.md
● Docker Images in Cortex XSOAR,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/docker/docker-
images-in-demisto#idd1e8360c-99c3-41e7-ad86-89c3ad460aa7
● Docker Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/docker/docker-
overview

4.5 Describe the Incident Lifecycle within XSOAR

The Cortex XSOAR is an orchestration and automation system which is used to bring all of the
various pieces of your security apparatus together. You can define integrations with your third-party
security and incident management vendors using Cortex XSOAR. You can then trigger events from
these integrations that become incidents in Cortex XSOAR. Once the incidents are created, you can
run playbooks on these incidents to enrich them with information from other products in your
system, which helps to paint a more complete picture.
In most cases, you can use rules and automation to determine if an incident requires further
investigation or can be closed based on the findings. This enables your analysts to focus on the
minority of incidents that require further investigation.
The following diagram explains the incident lifecycle in Cortex XSOAR.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 70

The create fields phase is used to display information from third-party integrations and playbook
tasks when an incident is created or processed. The create incident types phase is used to classify
the different types of attacks with which your organization deals. The create incident layouts allow
you to customize layouts for each incident type to make sure the most relevant information is
shown for each type.

4.5.1 Reference

● Incident Lifecycle,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/incidents/incid
ent-lifecycle#id7fb4dd09-6ebf-472f-a3a4-c9998c6f2224

4.6 Define the Capabilities of RBAC

4.6.1 Page Access

Cortex XSOAR uses role-based access control (RBAC) for controlling user access. RBAC helps
manage access to Cortex XSOAR components so that users, based on their roles, are granted the
minimal access required to accomplish their tasks:

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 71

 Key Idea

● To restrict access to integrations using RBAC, see Roles in Cortex XSOAR.

4.6.2 Integration Permissions

You can use Role Based Access Control (RBAC) to assign commands at the integration instance
level. If you have multiple instances of the same integration, you can assign different roles
(permission levels) for the same command in each instance.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 72

If you want to view or edit integration permissions, go to Settings > USERS AND ROLES >
Integration Permissions. You can see a list of all the enabled integrations in Cortex XSOAR. Under
each integration you can see the following:

● Commands: A list of all commands for the integration

● Instance: A list of all instances for the integration
● Permitted roles: A drop-down list of roles you can assign to the command
Users that do not have command permissions cannot do the following:
● Run the command from the CLI (!)
● Complete pending tasks in a Work Plan that run the command
● Edit arguments for playbook tasks that have this command
● Select the command when editing a playbook
● Select a script if using a reputation-command

4.6.3 Incident Tabs (Layout Specification)

It is important to build or customize the layout to ensure that you see the information that is
relevant to the incident type. For example, in a phishing incident, you would want to view email
headers, which would not be relevant for an access incident.
While some information might be relevant for multiple incident types, its location in one incident
type might require more prominence than in another incident type.
You can see which incident type uses the incident layout in the Types tab (Settings > OBJECTS
SETUP > Incidents). The incident layout name appears in the Layout column. You can edit the
layouts in the Layouts tab, which shows both out-of-the-box content pack and custom layouts.

Content Pack Incident Layouts

Out-of-the-box content pack incident layouts display a locked icon, which means you must
complete one of the following options to edit the layout:
● Duplicate an incident layout. To add the layout to the incident type, you need to detach the
incident type and then add the layout.
● Detach the layout. When detached, the layout does not receive content pack updates until
reattached. You do not need to edit the incident type because the layout name remains the
same. If you detach a layout, make edits, and later want to receive content pack updates for
that layout, we recommend you duplicate the incident layout before reattaching the original
to protect your changes from content pack updates.
Incident Layout Builder
You can customize the display information, including fields for existing incidents, by modifying the
sections and fields for the following views, as explained below:
● Incident Summary
o Within the incident summary, you can see different tabs that appear for the incident
type, some of which can be customized.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 73

 o You can customize almost every aspect of the layout, including which tabs appear,
the order they appear, who has permissions, and what type of information appears.
You can add filters by clicking on the eye icon in each field or tab, which enables you
to add conditions that show specific fields or tabs. For example, if an analyst decides
that a Cortex XDR Malware incident is a Ransomware subtype, they may only want
fields to appear that show data about the encryption method rather than the
different information shown if the Malware subtype is adware.

You may also want to limit specific tabs to certain scenarios. For example, if a user clicks a phishing
link, the new tab can contain the relevant fields and action buttons for this scenario.
You can add dynamic fields to a layout, such as a graph of the number of bad indicators, their
source, and severity. You can also use queries to filter the information in the dynamic section to suit
your exact needs.
● New/Edit Form
When creating or editing an incident you can add, edit, delete sections, fields, and filters as
required.
● Close Form
Add, edit, or delete sections, fields, and filters when closing an incident.
● Incident Quick View
Add, edit, and delete sections, fields, and filters in the Incident Quick view section within the
incident.

Key Idea

● There are several Cortex XSOAR system layout sections and fields that you
cannot remove, but you can rearrange them in the layout and modify their
queries and filters.

4.6.4 Automation Permissions,

Permissions for automations in Cortex XSOAR are determined by the Run as and Role fields.
Run as determines the permissions with which the automation runs. 
Role determines who the automation can be seen and executed by.

By default, most automations in Cortex XSOAR are run as the limited user. However, some
automations require higher permissions and are delivered out-of-the-box with Run as set

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 74

to DbotRole, which means the automation executes with elevated permissions. When an
automation runs with elevated permissions, its results can still be viewed by users with lower
permissions. To mitigate this, you should assign a role to the automation that is aligned with the
users to whom you want to expose the information the automation can extract.

Consider, for example, that you have an automation that searches for all incidents in the system. The
following scenarios show how the system behaves given the various configurations.

Scenario 1

Set the automation with Run as, defined as DBotRole, and do not set the Role parameter.
Anyone can run the automation, whether they are an analyst or administrator, and they have access
to all incidents that are returned.

Scenario 2
Set the Run as parameter to DBotRole, and set the Role parameter to Analyst. Any user with at least
analyst permissions will have access to execute the automation. All other users are not able to
implement the automation in playbook tasks. They cannot run the automation manually from
either the command line or in a playbook.

All users can see the results of the execution in the War Room.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 75

Scenario 3

Set the Run as parameter to Analyst and do not set a role. Everyone can run the automation, but
only incidents that are viewable by the analyst role are returned.

Scenario 4
You set the Run as as parameter to Analyst and define the Role parameter as Analyst. Only users
with at least the analyst role are able to execute the automation, and only incidents that are
viewable by the analyst role are returned.

For example, you implemented the following roles on your incidents:

● Incident 1 viewable to Administrators
● Incident 2 without any role assigned
● Incident 3 viewable by Analysts
● Incident 4 viewable by nested Analyst (custom role)
As a nested analyst, you run the automation to search for the incidents in your system.
● In scenario 1, you will see incidents 1 through 4.
● In scenario 2, you will not be able to execute the automation, but if a playbook runs the
automation, you will see incidents 1 through 4.
● In scenario 3, you will be able to see incidents 2 through 4.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 76

 ● In scenario 4, you will not be able to execute the automation. However, if a playbook runs the
automation, you will see incidents 2 and 4.
If you do not detach or duplicate the automation, the changes made are overwritten the next time
the content is updated. You can change the Run As parameter without having to detach or
duplicate the automation. This parameter is not overwritten.
For more information, see Role-based Permission Levels.

Key Idea

● As content packs may use a number of these automations, and the

automations could have some dependency on each another, it is important
that you assign the Run as and Role parameters consistently to ensure that
all of the automations can run properly.

4.6.5 Incident Viewing Permission by Role

There are a number of different roles and responsibilities in any SOC team. For example, you have
specific teams to deal with specific threats, such as threat intelligence researchers, security analysts
(Tier 1), senior analysts (Tier 2), SOC leads, SOC manager, SIEM engineers, etc. After Cortex XSOAR
begins ingesting incidents, you should consider how you want to investigate the incidents being
ingested. You have various options to limit access to incidents and investigations, including:

● Exclude access to incident actions and investigations according to roles, such as SIEM

engineers. This enables you to limit role permission levels in investigations, data, and
chats in the War Room and restrict batch table actions in the Incidents page.
● Restrict an Investigation to only team members. For example, if an incident contains
sensitive data, and you only want specific users to investigate the incident, you can mark
the incident as restricted. Other users cannot view or access the incident. Team members
are added automatically when you send them a notification in the CLI or add them from
the gear button. You can remove the investigation’s restrictions at any time.
● Limit Access to Investigations using RBAC.
o Limit investigations according to specific roles. By adding a role to the
investigation, you restrict access to all roles other than those you have specifically
added. For example, after an investigation is closed, add administrators or those with
specialty roles so only they can reopen or link incidents.
The added roles have read and write permission, but all other roles do not have access
unless you have added them in the read-only field. If team members have been
added to the incident, the team members and the added roles have access to the
investigation.
You can limit the investigation by either adding a role in the Roles field to the Incident
Summary page, use the incident_set roles command, or run the command in a
playbook. If using the Roles field in the Incident Summary page, you need to add the
field when Customize Incident Layouts customizing incident layouts.
o Give read-only access to certain roles. For example, when an incident is in triage
(phase 1), you may want all Tier 2 analysts to have read-only access, so that only Tier 1

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 77

 analysts can edit the incident. When the phase changes to phase 2, Tier 1 analysts
have read-only access.
Add roles in the XSOAR Read-Only field in the Incident Summary page, use
the incident_set role command, or add the command to a playbook.
If using the XSOAR Read-Only field in the Incident Summary page, you need to add
the field when customizing incident layouts. You can manually change the XSOAR
Read-Only field or automate the process by creating a custom incident field using
a Incident Field Trigger Scripts, or by creating a script and adding a new field button.
When granting read-only access, the user can view the incident but not edit. Adding
a team member overrides the XSOAR read-only role, so if you add User A, (Tier 1) as a
team member, even if you assign Tier 1 as a read-only role, the user still has read/write
access. You need to remove the user as a Team Member.

Key Idea

● All team members have read and write permissions. If you add team
members, but their roles have read-only permission, the user still has read
and write permission and can access the investigation.
● If you add a role, but the incident has been restricted to team members, and
the user is not a team member, the user cannot access the incident
regardless of the role. For example, if you restrict the incident to User A and
User B team members who are Tier 1 analysts but then try to add Tier 2
analysts (none of whom are team members) to the list of roles, a Tier 2
analyst cannot access the incident.
● If you assign a role (read and write permission) and assign the same role as
read only, the user still has read/write permission. You need to remove the
assigned role. If you restrict the incident, the read-only role does not override
the restriction. In other words, team members permission takes precedence.

4.6.6 Reference
● Integration Permissions,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/users-and-role
s/integration-permissions#ida5e08d7e-348a-402b-bbfc-d051212913c0
● Customize Incident Layouts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/cust
omize-incident-view-layouts/customize-incident-layouts
● Automations,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/aut
omations
● Incident Access Control Configuration,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incid
ent-access-control-configuration

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 78

4.7 Identify the Troubleshooting Tools Available to Obtain More Diagnostic Information

4.7.1 Log Bundles

The Cortex XSOAR logs provide information about events that occur in the system. These logs are a
valuable tool in troubleshooting issues that might arise in your Cortex XSOAR environment.

A log bundle is a zip file of additional logs available in the Cortex XSOAR system. These logs provide
additional information that is useful in troubleshooting issues that arise in your Cortex XSOAR
system. Send the log bundle zip file to Cortex XSOAR support to use for debugging purposes. After
you create the log bundle, the logs also will appear in /var/log/demisto/.

4.7.2 Integration Testing

Product integrations or automations are codes that allow Cortex XSOAR to communicate with other
products. These integrations can be executed through REST APIs, webhooks, and other techniques.
An integration can be unidirectional or bidirectional, with the latter allowing both products to
execute cross-console actions. Integrations enable connections with third-party tools and services
that the Cortex XSOAR platform uses to orchestrate and automate security operations center (SOC)
operations. In addition to third-party tools, you can create your own integration using the BYOI
feature.

Apply basic troubleshooting if the integration is not performing

Throughout development of integrations and scripts, your code likely will cause something to break
at some point. One of the most significant features of Cortex XSOAR is its use of machine learning to
better time these crashes so they occur on your time off.

You can check logs and War Room entries and use the Demistomock library.

Another option is to debug your integration. The Cortex XSOAR plugin for the PyCharm IDE enables
you to design and author scripts and integrations for Cortex XSOAR directly from PyCharm. The
plugin adds a sidebar with Automation and Integration Settings, just like the Settings sidebar in the
Cortex XSOAR script editor. When you write code, the plugin provides you with autocomplete of
Cortex XSOAR and Python functions and allows you to debug your code easily.

4.7.3 References

● Create a Log Bundle,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/logs/create-a-l
og-bundle
● Audit Trail,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/logs/audit-trail
● Send the Audit Trail to an External Log Service,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/logs/send-the-
audit-trail-to-an-external-log-service#id09b7780e-c88d-4ace-8079-3fe5f6603a9d

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 79

4.8 Identify Options Available for Performance Tuning

4.8.1 Ignore Output

When selected, this takes the results from the Extend context field and overwrites existing output.

4.8.2 Quiet Mode

Determine if this task operates in Quiet Mode. When in Quiet Mode, tasks do not display inputs and
outputs, nor do they extract indicators. Errors and Warnings are still documented. You can
determine to turn Quiet Mode on or off for a given task or control Quiet Mode by what is defined at
the playbook level.

4.8.3 Reference
● Playbook Task Fields,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/playbooks/play
book-tasks/playbook-task-fields

4.9 Monitor System Health using the System Diagnostic Page

The System Diagnostics page enables you to monitor and improve system performance and
resilience. On the System Diagnostics page, you can view CPU and memory usage, the status of the
Docker service, unusually large tasks, storage issues, etc. In some cases, the issue can be corrected
within the System Diagnostics page. Audit Trails, for example, can be deleted with one click. For
issues that require more in depth troubleshooting, you can click through to a Knowledge Base
article with more information and solutions. System Diagnostics thresholds can be customized.

You can view the System Diagnostics page at Settings > About > System Diagnostics.

A daily email is sent by default to all site administrators, notifying them of possible issues. The
following server configurations enable you to disable or modify email notifications.

Key Value
Default is true. False disables all system diagnostics
diagnostics.notification.enabled
email notifications.

Default is true. False disables notifications when

diagnostics.notification.send.on.atRisk
status is at risk.

diagnostics.notification.send.to.default.a Default is true. False disables notifications to the

dmin default administrator.

Default is “Administrator.” Can be empty (no roles), or

diagnostics.notification.send.to.roles a list: “Role1, Role2, Role3.” Will notify all users in the
roles provided. If empty (no roles), the default
administrator will still receive notifications.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 80

 diagnostics.notification.hour.of.the.day Default is 12. Format is HH. The hour of the day to
send the notification email (server time).

(Multitenant) To view System Diagnostics for hosts in a multitenant environment, go to Settings >
Account Management > Hosts in the main host account. Each host has a Diagnostics page. You
can also view information about CPU, Storage, and Memory usage for each tenant account on the
host.

You can also use the getSystemDiagnostics command to create a JSON output of this data. If
you have an open support ticket related to system performance, you can attach the output of this
command to the ticket to provide Cortex XSOAR Customer Support with relevant information. Use
the associated verbose argument to return additional information, such as the specific IDs of
incidents with big context data.

4.9.1 Reference
● System Diagnostics,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/cortex-xsoar-o
verview/system-diagnostics

4.10 Summary of Key Ideas

● If you want to downgrade, any content that depends on the content pack including any
customizations may be deleted if it does not exist in the target content pack version
● If you delete a content pack, which depends on other content packs, these content packs
may not run correctly. Also, if you roll back to an earlier version of a content pack, other
content packs might be affected. For example, if content pack A depends on layouts from
content pack B Version 2, reverting to Content Back B Version 1 could cause content pack A
to stop working.
● If you roll back to an earlier version of a content pack, other content packs might be affected.
For example, if content pack A depends on layouts from content pack B Version 2, reverting
to content pack B Version 1 could cause content pack A to stop working.
● Palo Alto Networks is not liable for and does not warrant or support any content pack
produced by a third-party publisher.
● You can install only one content pack at a time from the Marketplace.
● When a content item is duplicated, it becomes a custom content and will not receive
updates but you can view updates.
● You need internet connection when using the Marketplace for tasks such as downloading
and subscribing to content packs.
● When working with remote repositories and upgrading to v6.0 and above, push your
classifiers and mappers on the development environment before grading the product
environment.
● Working with remote repositories is git-based. Any service that supports this protocol can be
used, for example, GitHub, GitLab, Bitbucket, etc. In addition on-premise repositories are also
supported.
● If you have more than two pre-processing rules in your Local Changes queue, you must push
all of those changes to the remote repository.
● You cannot share a multiple engine installation with a single engine installation.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 81

 ● When you add an engine to a load balancing group, you cannot use that engine separately.
The engine does not appear in the engines drop-down menu when configuring an
integration instance.
● For Linux machines, you need to install Docker before installing an engine. If you use the
Shell installer, Docker is automatically installed.
● You must stop the Cortex XSOAR server before you run the migration tool. This enables the
tool to safely access the database and required configurations.
● Moving data from the Elasticsearch database back to the Cortex XSOAR Bolt database is not
supported.
● For security, images that are not part of the Demisto organization in Docker hub cannot be
accepted.
● To restrict access to integrations using RBAC, see Roles in Cortex XSOAR.
● As content packs may use a number of these automations, and the automations could have
some dependency on each another, it is important that you assign the Run as and Role
parameters consistently to ensure that all of the automations can run properly.
● All team members have read and write permissions. If you add team members, but their
roles have read-only permission, the user still has read and write permission and can access
the investigation.
● If you add a role, but the incident has been restricted to team members, and the user is not a
team member, the user cannot access the incident regardless of the role. For example, if you
restrict the incident to User A and User B team members who are Tier 1 analysts but then try
to add Tier 2 analysts (none of whom are team members) to the list of roles, a Tier 2 analyst
cannot access the incident.
● If you assign a role (read and write permission) and assign the same role as read only, the
user still has read/write permission. You need to remove the assigned role. If you restrict the
incident, the read-only role does not override the restriction. In other words, team members
permission takes precedence.

4.11 Sample Questions

Q1. Which two search actions can you perform in the Marketplace? (Choose two.)

a. Only view installed content packs.

b. Install, delete, and update content.
c. Contribute and share content items.
d. Only view playbooks.

Q2. How is Cortex XSOAR content organized?

a. Files
b. Packs
c. Both files and packs
d. Sequence

Q3. What is the other name for custom content packs?

a. System content packs

b. Contributions
c. Partner-supported content packs
d. Cortex XSOAR-supported content packs

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 82

Q4. The Version history for Playbook tabs enables users to…?

a. Update a playbook
b. Access a playbook version
c. Restore a playbook version
d. Search the required playbook

Q5. What does the Cortex XSOAR require for container management?

a. BoltDB
b. Docker
c. Docker or Podman
d. Only IPv4

Q6. You can install the Cortex XSOAR Engine on which two types of machine? (Choose two.)

a. Windows
b. Mac OS
c. Linus
d. Ubuntu

Q7. What is an accurate description of an Elasticsearch? (Choose two.)

a. Enables storing and processing large amount of data

b. Manages paybooks, automation scripts, and others on the main host
c. Helps to migrate objects present in Cortex XSOAR to Elasticsearch
d. An open source, distributed search, and analytics engine for all types of data

Q8. How can you edit the locked icon of the content pack incident layout? (Choose two.)

a. Duplicate an incident layout.

b. Detach the layout.
c. Edit the layouts in the Layouts tab.
d. Edit incident type.

Q9. Who can view the results when an automation runs with elevated permissions?

a. All users
b. Users with high permissions
c. Users with low permissions
d. User to whom Cortex team assign permission

Q10. What happens when a task operates in Quiet Mode? (Choose two.)

a. It only display inputs.

b. It does not display inputs and outputs.
c. It does not extract indicators.
d. It displays inputs and outputs.
e. It displays errors and warnings.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 83

Domain 5: UI Workflow, Dashboards, and Reports.

5.1 Identify Methods for Querying Data

5.1.1 Indicators
The indicators tab provides a summary of threat intelligence data that Palo Alto Networks has on a
particular threat indicator, including URLs, domains, IP addresses (IPv4 and IPv6), and hashes. The
threat intelligence summary data, depending on the type of indicator, can include the WildFire
verdict, detection reasons, associated metadata (including the indicator source(s)), WHOIS
information, tags, logs of DNS activity from all samples analyzed with WildFire active/passive DNS
history where autofocus detected instances of the artifact, and other related information. This can
help you assess whether a specific hash, domain, URL, or IP address is associated with suspicious
behavior and analyze the nature of a threat.

Threat Indicator Overview

The threat indicator summary provides a breakdown of the properties, behaviors, and activities
reported by various Palo Alto Networks analytics services. URL entries can include additional context
provided by analysis data derived from the improved URL analysis capabilities found in the WildFire
global cloud. This content is categorized into three categories: Summary, Evidence, and Analyst.
Summary content provides a high-level overview of the URL, including PAN-DB categorization
details, detection reasons with verdict, WHOIS information, all accompanied by a screenshot.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 84

Evidence shows details regarding why and how the verdict was reached. Analyst describes various
insights into the operational details of the web page, including network traffic and file transfers. For
all other indicators, the threat indicator summary provides a breakdown of the general properties,
behaviors, and activities reported by various Palo Alto Networks analytics services. The following list
shows some of the threat data that can populate the threat indicator overview.

● WildFire Verdict: The verdict of the sample based on the WildFire analysis of the file or
email link.
● Tags: Lists the tags or tag groups associated with the threat indicator.
● Upload Source: Lists which of your connected Palo Alto Networks services or appliances
uploaded the threat indicator.
● First/Last Seen Date: Displays when the threat indicator was first and last sent to WildFire
for analysis.
● WHOIS: Shows general domain information.
● PAN-DB Categorization: View URLs associated with the domain, URL, or IP address
through PAN-DB and the PAN-DB category for each URL.
● WildFire DNS History: View a log of domain to IP address mappings based on all samples
that launched a request to connect to a domain during WildFire Analysis.
● DNS Security Results: A list of domains that have been analyzed by DNS Security is
displayed here.
● Passive DNS History: View a passive history of domain to IP address mappings that
contain matches to the artifact you searched for.
● Active DNS History: View active domain to IP address mappings that contain matches to
the artifact you searched for.
Virus Total
A direct link to the Virus Total analysis of the specified file hash.
This option is only available for file hashes.
Sample and Session Details
You can pivot to a sample or session search on the specified indicator. This automatically initiates a
search based off of the initial query and can provide a wider context and additional details.

Key Idea

● The Virus Total option is only available for file hashes.

5.1.2 Incidents
By using Cortex XSOAR, you can define integrations with your third-party security and incident
management vendors. Then you can trigger events from these integrations that become incidents
in Cortex XSOAR. Once the incidents are created, you can run playbooks on these incidents to enrich

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 85

them with information from other products in your system. Use rules and automation to determine
if an incident requires further investigation or can be closed based on the findings as this enables
your analysts to focus on the minority of incidents that require further investigation.
Planning
Before you begin configuring integrations and ingesting information from third parties, consider
the following:

PHASE DESCRIPTION

Used to display information from

third-party integrations and playbook
Create fields tasks when an incident is created or
processed. For more information, see
Incident Fields.

Classify the different types of attacks

Create incident types
with which your organization deals.

Customize layouts for each incident type

to make sure the most relevant
Create incident layouts information is shown for each type. For
more information, see Customize
Incident Layouts.

This is an iterative process. After you initially create your fields and incident types and then
implement them in your incident layouts, you can start the process of ingesting information. At that
point, you can see how accurately you mapped out your information. Make changes as you go along
and learn more about the information you are receiving. Information not mapped to fields is
available in labels, but it is much easier to work with the information when it is properly mapped to
a field and displayed in the relevant layouts.
Configure Integrations
Configure integrations with your third-party products to start fetching events. Events can be
potential phishing emails, authentication attempts, and SIEM events, among others.
Classification Mapping
Once you configure the integrations, you must determine how the events ingested from those
integrations will be classified as incidents. For example, for email integrations, you might want to
classify items based on the subject field; however, for SIEM events, you will classify by event type. In
addition, you need to map the information coming from the integrations into the fields you created
in the planning stage. For more information, see Classification and Mapping.
Pre-Processing
Pre-processing rules enable you to perform certain actions on incidents as they are ingested into
Cortex XSOAR directly from the UI. Using the rules, you can select incoming events on which to
perform actions; for example, you can link the incoming event to an existing incident, or based on
configured conditions, drop the incoming incident altogether. For more information, see Create
Pre-Process Rules for Incidents.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 86

Incident Created
Incidents of various types are created based on the definitions you provided in the Classification and
Mapping stage and the rules you created for pre-processing events. All incidents appear in the
Incidents page of the Cortex XSOAR user interface, where you can start the process of investigating.
Running Playbooks
Playbooks are triggered either when an incident is created or when you manually run the playbooks
as part of an investigation. When triggered as part of an incident that was created, the playbooks for
the type of incident that was classified will run on the incident. Alternatively, if you are manually
running a playbook, you can select whichever playbook is relevant for the investigation. For
example, playbooks can take IP address information from one integration and enrich that IP address
with information from additional integrations or sources.
Post-Processing
Once the incident is complete and you are ready to close it out, you can run various post-processing
actions on the incident. For example, you can send an email to the person who opened the incident
informing them that their incident has been resolved, or close an incident in a ticketing system.

5.1.3 Dashboards
The dashboard consists of visualized data powered by fully customizable widgets that enable you to
analyze data from inside or outside Cortex XSOAR in different formats such as graphs, pie charts, or
text from information. For more information about widgets, see Widgets Overview.
When you first install Cortex XSOAR, the following dashboard tabs are created:
● Incidents: Information relating to incidents, such as severity type, active incidents,
unassigned incidents, and so on
● System Health: Information relating to the Cortex XSOAR Server
● My Dashboard: A personalized dashboard relating to your incidents, tasks, and so on
● SLA: Information relating to your Service Level Agreement
My Dashboard Options
In every dashboard, you can set the date range from which to return data and the refresh rate. In the
DASHBOARDS tab, you can do the following:
● Filter Data for all widgets
You can filter dashboard data either by typing the query in the query bar, or, in the
relevant widget, by clicking Filter In. When clicking Filter In, the query is added to the
query bar. To filter out, delete the query. For example, if you only want to see critical Cortex
XDR incidents, hover over the Cortex XDR incident and click Filter In in the Incident
Severity by Type widget.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 87

In the Active Incidents by Severity widget, hover over Critical and click Filter In. The dashboard
only shows active critical incidents relating to Cortex XDR.

● After creating the filter, you can send the URL of the filtered dashboard to other users.
● Change Color of Widgets: You can change the group color of some of the widgets. The
color changes only for that widget in the dashboard. To permanently change the color of
the widget, edit the color in the Widgets Library. For example, while in the Widgets
Library, if you change the color for Cortex XDR in the Incident Severity by Type to red, that
widget remains red the next time you add it to a dashboard. However, it does not change
for any other widget.
● Copy the value: From the widget, selecting Copy value enables you to copy the value
used in the widget for commands, in the War Room, etc.
● Create a Dashboard
● Edit a Dashboard
● Import and export a dashboard, which is useful in a test and production environment.
The dashboard is exported as a JSON file. You can make any changes you require and
then import the file.
● Add default dashboards
In a production environment, an administrator defines the default dashboards for each
user, which is dependent on a user’s role. If a user has not modified their dashboard, these

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 88

 dashboards are added automatically. Otherwise users can add these dashboards to their
existing dashboards. These default dashboards can be removed but not deleted, and can
be added again if required.
● Share a Dashboard
● Duplicate, delete, or remove (if shared) a dashboard.
● Create a report
You can generate a report from the dashboard as is or add new widgets as required. You
can set the format, when to run, orientation, etc. To run the report, click Run Now. The
report is generated and also appears in the Reports tab, which can be run again. For
more information about creating reports, see Create a Report.

Key Idea

● If you install a Content Pack which contains dashboards, these can be added
when creating a new dashboard. To change the order of the dashboards,
click next to the relevant dashboard, and then drag and drop the dashboard
into the required location.
● If you want to see more information about the data, click the data to take
you to the relevant page. For example, in the Active Incidents by Severity
widget, to see only critical incidents, click Critical. This takes you to the
Incident page, where you can see all the active critical incidents.

5.1.4 Global Search

Use the search function to perform both simple and complex searches based on threat indicators or
identifiers. The search function has a range of features for customizing and executing searches. For
details on navigating and using the search results (including adding identifiers to your search as you
go), refer to Drill Down in Search Results.
Open the Search editor on the navigation pane and select a search type.
● Indicators—Search based on threat indicators; these include artifacts that have been
ascertained by security experts as exhibiting signs of a compromised network. Artifacts
include file hashes, domains, URLS, and IP addresses.
● Sample—Search based on samples sent to WildFire for analysis by various connected
appliances and services. WildFire receives samples from firewalls, WildFire, Traps, Traps
Android, Magnifier, Proofpoint, Prima SaaS, manual uploads, partner integrations, and other
industry sources.
● Session—Search based on the session data provided by samples during sample submission.
This allows you to search based on various context details, such as the time stamp, upload
source, application, file URL, and more. The session data displayed in the search results
include all relevant data submitted to WildFire through your organization's various product
integrations.

See the following topics for details on using the AutoFocus search:
○ Start an Indicator Search.
○ Start a sample or session simple mode search.
○ Start a sample or session advanced mode search.
○ Add a search condition to a remote search.
○ Use a saved search.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 89

5.1.5 Reference
● Indicators,
https://docs.paloaltonetworks.com/autofocus/autofocus-admin/autofocus-search/drill-down-i
n-search-results/indicators
● Incident Lifecycle,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incid
ent-lifecycle
● Dashboard Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/dashboards/da
shboard-overview#id8327f032-160d-430b-87c8-600e751099e5
● Work with the Search,
https://docs.paloaltonetworks.com/autofocus/autofocus-admin/autofocus-search/work-with-t
he-search-editor

5.2 Summarize the Workflow Elements used during an Investigation

5.2.1 Layouts
Each out-of-the-box threat intel type comes with its own associated layout, but there might be
times where customization is needed. You can customize almost every aspect of the layout,
including which tabs appear, in which order they appear, who has permissions to view the tabs, and
which information appears and how it is displayed.
Out-of-the-box and custom report types appear in the Threat Intel Reports > Types tab. The name
of the layout for the out-of-the-box reports appears in the Threat Intel Reports > Layouts tab.
To customize the layout of an out-of-the-box report, you can do any of the following:
● Duplicate and edit the report layout, and then edit the report type to add the new layout.
● Detach the layout and edit it.
● While a report layout is detached, it does not receive content pack updates. If you detach
a report type layout, make edits, and later want to receive content pack updates for that
layout, we recommend you duplicate the report layout before reattaching the original to
protect your changes from content pack updates.
● Create a new layout, detach the report type, and then edit the report type to add the new
layout.
Create a New Report Layout
The following procedure describes how to create a new layout, but you can follow similar steps to
customize an existing layout (using the guidelines mentioned above).
Step 1 : Go to Settings > OBJECTS SETUP > Threat Intel Reports > Layouts
Step 2 : Click to add a New Layout
Step 3 : Customize the tabs

1. If relevant, create a new tab.

2. Edit a tab’s name by clicking the tab.
3. Click and drag a tab to reorder the tabs.
4. Click the cog wheel icon and then configure any of the following options:
● Rename

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 90

 ● Duplicate
● Delete
● Hide Empty Fields
● The setting that you configure in the layout becomes the default value seen in the
report for the specific tab, which can then be overridden. You can also set a global
default value using the UI. summary.page.hide.empty.fields server configuration,
which can also be overridden for a specific tab.
● Hide Tab
● Format for exporting
Build your layout based on A4 proportions to match the format used for exporting.
Selecting this option hides the tab by default, but the tab will remain available for
export.
● Viewing Permissions
When clicking Viewing permissions, select which roles can view the tabs.
● Display Filter
This option enables you to add or view a filter applied to the tab. If the filters apply, the
specific fields or tabs are shown in the layout. If the mandatory field is not shown in
the layout, the user is not obliged to complete it.
Step 4 : Add sections to the layout.

1. From the Library section, drag and drop the required Cortex XSOAR Sections as follows:

SECTION DESCRIPTION

After creating a new section, click

New Section the Fields and Buttons tab and
drag and drop the fields as required.

Enables you to Add a Script in the

General Purpose Dynamic Section
Threat Intel Report Layout

Enables you to manually create a

Relationships relationship between the report and
an indicator

Step 5 : Define the section properties.

You can determine how a section appears in the layout. For example, does the section include the
section header? You can also configure the fields to appear in rows or as cards. For example, if you
know that some of the field values will be very long, you are better off using rows. If you know that
the field values are short, you might want to use cards so you can fit more fields in a section.

1. Select the section, click   and then click Edit section settings.

2. Edit the section as required and click OK.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 91

 3. Click the save button or Save Version.

Step 6 : Remove or duplicate a section, select the section, click   and select the relevant option.

Step 7 : Add the layout to the report type.

1. Go to Settings > OBJECTS SETUP > Threat Intel Reports > Types

2. Select the report type and click Edit.

3. Add the customized layout from the drop-down list in the Layout field.

Step 8 : If the layout you created was for a new report type that was based on an out-of-the-box
threat intel report type, you can contribute it to Marketplace.

1. In the Layouts page, click the new report type you want to contribute to Marketplace.

2. Complete the information in the Contribute form and click Contribute.

Add a Script in the Threat Intel Report Layout

You can add content to threat intel report layouts, based on an automation script. You need to add
the General Purpose Dynamic Section when editing layouts.

The General Purpose Dynamic Section allows you to configure a section in a layout tab from an
automation script. The automation can return a simple text, markdown, or an HTML, the results of
which appear in the General Purpose Dynamic Section. You can add any required information from
an automation. Before you begin, you need to create an automation script.

The following is an example of a script that can be added. This script can be used to add a button to
the layout that sets a threat intel report as published.
def publish ():
now_utc = datetime.now(timezone.utc)
object = demisto.args('object')
object_id = object.get('id')
roles = execute_command('getRoles', {})
execute_command(
'setThreatIntelReport',
{
'id': object_id,

'xsoarReadOnlyRoles': demisto.dt(

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 92

 roles, 'DemistoRoles.name'
),
'reportstatus': 'Published',
'published': now_utc.isoformat(),
},
)
demisto.results('ok')
if __name__ in ('__main__', '__builtin__', 'builtins'):
publish()

Step 1 : Edit the relevant threat intel report layout.

Step 2 : Drag and drop the General purpose Dynamic Section onto the page.

Step 3 : Select the General purpose Dynamic Section, click   and then Edit section settings.

Step 4 : In the Name and Description fields, add a meaningful name and a description for the

dynamic section that explains what the script displays.

Step 5 : In the Automation script field, select from the drop-down list the script that returns data for
the dynamic section.

Step 6. Click OK.

Key Idea
● Only automations to which you have added the general-dynamic-section
tag appear in the drop down list.

5.2.2 War Room

Within Cortex XSOAR, real-time investigation is facilitated through the War Room, which is powered
by Chat Ops and helps analysts do the following:

● Run real-time security actions through the CLI without switching consoles
● Run security playbooks, scripts, and commands
● Collaborate and execute remote actions across integrated products
● Capture incident context from different sources
● Document all actions in one source
● Converse with others for joint investigations

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 93

Cortex XSOAR also provides machine learning insights to suggest the most effective analyses and
command-sets. Each incident has a unique War Room.

When you open the War Room, you can see a number of entries such as commands, notes,
evidence, tasks, etc., in several formats such as Markdown, HTML, and so on. When Markdown,
HTML, or geographical information is received, the content is displayed in the relevant format.

You can do the following actions for each artifact entry:

ACTION DESCRIPTION

You can edit, format, or delete your own entries. If an entry has
Edit been changed, a History link will appear where you can view all
changes to the entry.

Opens the Mark as Evidence window, where you specify the

evidence details to be saved in the Evidence Board. The Evidence
Mark as Evidence Board stores key artifacts for current and future analysis. You can
add evidence in the Case Info tab, the Evidence Board, or the War
Room.

View artifact in new

Opens a new tab for the artifact
tab

Detach from task Removes a task from the artifact

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 94

 Attach to a task Add a task to the artifact

Downloads an artifact according to the entry type, such txt files

Download artifact
for text, json for a JSON entry, etc.

Add relevant tags to use, which help you to find relevant

Add tags
information.

You can run various commands in the CLI by typing the following:
● Integration commands, automations, and built-in commands. For example, add evidence,
assign an analyst, etc.
● /: System commands/operations. For example, add notes, close an investigation, etc.

● @: User tagging. Send notifications to administrators, teams, analysts, etc.

You can edit incidents, create a report, add child incidents, and so on, as described in Incident
Actions.

Filter Entities

You can filter entries by clicking   . You can add any filter by selecting the check box or click   to
remove that action. The filter menu contains three types of War Room entities by which you can
filter, including:
● Actions
● Tags
● From
Use the And/Or toggles between the Actions, Tags, and From sections.
● And: Use to combine two or more filters.
● Or: When one item is found, it shows relevant entries.
You can save the filter by clicking Add. You can also retrieve Saved filters.

Key Idea

● To access the War Room: If you have an Admin role, clicking Playground on
the side bar opens the Playground - War Room tab. If you have another role,
typing any command in the CLI at the bottom of the page opens this tab.
● Cortex XSOAR does not index notes, chats, and pinned as evidence entries. If
you want to index these entries, see War Room Indexing.

5.2.3 Work Plan

The Work Plan is a visual representation of the running Playbook that is assigned to an incident.
Playbooks enable you to automate many of your security processes, including but not limited to

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 95

handling your investigations and managing your tickets. Work Plans enable you to monitor and
manage a playbook workflow and add new tasks to tailor the Playbook to a specific investigation.

After clicking the Follow check box, you can see the playbook executing in real time.
You can do the following in the Work Plan:
● View inputs and outputs of a playbook.
● View, create, and edit a playbook task for each required step.
When you create a task, add a name, automation, and description. The name and
description should be meaningful so that the task corresponds to the data that you are
collecting.
For each task you can do the following:
Designate tasks as complete either manually or by running a script.
Assign an owner for a task.
Set a due date for the task.
Add comments and completed notes as required.
● Re-run the playbook, zoom in and out, and export to a PNG format.
The color coding and symbols in the Work Plan help you to easily troubleshoot errors or respond to
manual steps. The following table displays the color codes and their meanings.

5.2.4 Evidence Board

In the War Room, you can mark any entity as evidence by clicking the flag next to each entry. You
can view the evidence within the War Room or by opening the evidence entry from the Evidence
Board. When adding evidence, you need to add a description, which should contain enough details
that it can be referred to at a later date. Adding a tag helps you to find the evidence by searching for
the tag. You can also add an occurrence date and time.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 96

The Evidence Board stores key artifacts for current and future analysis. You can view and manage
evidence entities that were detected in the War Room and then designated as evidence.
You can also search for evidence and select the date range for when the evidence occurred.
Evidence can be viewed in Table View or Summary View. In the Table View, you can remove,
export, or show in the War Room. In the Summary View, you can remove or edit the evidence.

5.2.5 Actions Menu

In an incident, you can undertake a number of actions, including editing the incident, adding a child
incident, adding tasks and notes, and so on.

After selecting Actions, you can undertake the following actions:

ACTION DESCRIPTION

Edit Edit the incident as required.

Report Create a report to capture investigation specific data and share it

with team members.

Add child incident Adds a child incident to the incident.

Child investigations are used to compartmentalize sensitive War
Room activity. You can create child investigations to collaborate
discreetly with a select group of people on a specific topic of
investigation. Child investigations are also used in situations where
a secondary investigation is needed and its content may add too
much "noise" in the original investigation.
You can also create child investigations from the CLI using the
/investigation_child_create command.
To turn the child investigation to a discrete investigation, select the
Restricted check box.

Restrict incident Restrict an investigation to the incident owner and team.

Close incident Marks the incident as closed

Delete Deletes the incident

When clicking you can undertake the following actions:

ACTION DESCRIPTION

Quick View You can see a summary of the incident, timeline information, labels,
and indicators.

Incident tasks Add tasks for users to complete as part of an investigation.

Team Add team members to the incident.

Context Data View context data. The context is a map (dictionary) created for each
incident and is used to store structured results from the integration

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 97

 commands and automation scripts. The context keys are strings and
the values can be strings, numbers, objects, and arrays.
You can use context data to:
● Pass data between playbook tasks
● Capture the important structured data from automations
and display the data in the incident summary

You can also edit or add actions in the Case Info/Incident Info field.

Key Idea

● Closing a parent investigation also closes all associated child investigations.

5.2.6 Reference

● Configure Threat Intel Report Layouts,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-threat-intel-manage
ment-guide/threat-intel-reports/set-up-and-customize-threat-intel-report-templates/configu
re-threat-intel-layouts
● War Room Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incid
ent-management/war-room-overview
● Work Plan,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incid
ent-management/work-plan
● Evidence Handling,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incid
ent-management/evidence-handling
● Incident Actions,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incid
ent-management/incident-actions

5.3 Interact with Layouts for Incident Management

5.3.1 Sections

You can add dynamic sections to a layout, such as a graph of the number of bad indicators, their
source, and severity. You also can use queries to filter the information in the dynamic section to fit
your exact needs.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 98

When you start to create or edit an incident layout by using Incident Layout Builder, you can use the
Library feature to add ready-to-use Sections, Fields and Buttons, and Tabs.

5.3.2 Fields
Use Incident Fields to accept or populate incident data coming from incidents. You create fields for
information that arrives from third party integrations in which you want to insert information. The
fields are added to Incident Type layouts and mapped using the Classification and Mapping feature.
Incident Fields can be populated by the incident team members during an investigation, at the
beginning of the investigation, or prior to closing the investigation.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 99

Incident Field Types

You can add the following field types when adding a new field.

● Attachments: Enables addition of an attachment such as .doc, malicious files, reports, and
images of an incident
● Boolean : Determines whether a Cortex XSOAR field is true or false, or whether the string
representation is true or false
● Date picker: Enables the user to select datetime in ISO 8601 format using the datetime
widget in XSOAR
● Grid (table): Includes an interactive, editable grid as a field type for selected incident types or
all incident types
● HTML: Configuring the HTML field provides the capability to insert data into the field as
HTML. However, this makes the field not searchable in incident query.
● Long text: You can configure the Long text field for situations where the field is required to
store longer texts without a character limitation. However, this will make the field not
searchable in incident query.
● Markdown: Markdown is a lightweight markup language that can be best suited to
represent tables, lists and formatted texts. You can configure a field as markdown to allow
using markdown to display formatted text in incident layouts. However, this will make the
field not searchable in incident query.
● Multi select / Array: Includes two options a) Multi select from a pre-filled list b) An empty
array field for the user to add one or more values as a comma separated list.
● Number: Can contain any number. The default number is 0, but any quantity can be used.
● Role: Roles assigned to the incident determine which users (by the role to which they are
assigned) can view the incident.

● Short text:
● Treated as a single unit of text, not indexed by word. Advanced search, including
wildcards, is not supported.
● Case sensitive by default, but can be changed to case insensitive when creating the
field.
● While editing a short text field, pressing enter will save and close.
● Maximum length 60,000 characters
● Recommended use is one
● Word entries. Examples include username and email address.
● Single select: This type of parameter is used to allow selecting a single input from a list of
allowed inputs.
● Tags: accepts a single tag or a comma-separated list, not case sensitive.
● Timer/SLA: View how much time is left before an SLA becomes past due and configure
actions to take if the SLA does pass.
● URL: Include the address of the web page
● User: A user in the system; used to state a manager or fallback

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 100

 Key Idea

● Creating Incident Fields is an iterative process in which you continue to

create fields as you gain a better understanding of your needs and the
information available in the third party integrations that you use.

5.3.3 Buttons
To add custom buttons, you need to create an automation and then add the buttons to the layout
using the automation. These buttons can simplify and assist an analyst in carrying out various tasks.
For example, you can add buttons for an analyst to self-assign an incident, link or unlink an incident,
close an incident as a duplicate, generate a summary report, etc.

For optional fields (script arguments), you can define whether to show them to analysts when they
click buttons. To expose an optional field, select the Ask User check box next to the script
argument/s in the button settings page.

The script that runs when an action button is clicked accepts only mandatory arguments through
the pop up window and does not provide an option for any non-mandatory arguments to be filled
in when the button is clicked. Palo Alto Networks recommends using a wrapper script to collect and
validate arguments in scenarios where there can be a combination of mandatory and
non-mandatory arguments for a button.

In the following example, we will add a button to self assign an incident for an analyst. The
automation is included in the Case Management – Generic Content Pack.

Step 1: Drag the +New Button and drop into the relevant section.

Step 2: Click to configure.

Step 3: Enter a descriptive name for the button, select a color, and select the script that you want to
run when the button is clicked.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 101

Step 4: Click Save.

In the Incident Summary tab, when you click Assign To Me, the incident will be self-assigned.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 102

5.3.4 Reference
● Customize Incident Layouts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/cust
omize-incident-view-layouts/customize-incident-layouts#id497ae31a-9e74-407e-9700-46d28
be0767e
● Incident Fields,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-5/cortex-xsoar-admin/incidents/incid
ent-management/incident-fields
● Customize Incident Layouts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/cust
omize-incident-view-layouts/customize-incident-layouts

5.4 Summarize Tools used for Managing Incidents

5.4.1 Bulk Incident Actions

The Threat Intel page displays a table or summary view of all indicators and enables you to perform
several indicator actions.

Indicator actions

You can perform the following actions on the Indicators page.

ACTION DESCRIPTION

View and take action on an Click an indicator to view and take action on the indicator. You
indicator can view in detail the verdict, relationships, and timeline, enrich
indicators, add tags, etc.
By default, when editing the following inline values in an
incident/indicator, the changes are not saved until you confirm
your changes (clicking the check mark icon in the value field).
These include:
● Drop-down values, such as Owner, Severity, etc.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 103

 ● Text values, such as Asset ID. (You can only edit when you
click the pencil in the value field.)
These icons are designed to give you an additional level of
security before you make changes to the fields in
incidents/indicators.
To change this default behavior, set the inline.edit.on.blur to true
to allow changes to the inline fields without clicking the check
mark. The changes are automatically saved when clicking
anywhere on the page or when navigating to another page. You
can also click anywhere in the value field to edit text values.

Create a new indicator Manually create a new indicator in the system.

Create incident Create an incident from the selected indicators and populate
relevant incident fields with indicator data.

Edit Edit a single indicator or select multiple indicators to perform a

bulk edit.

Delete and Exclude Delete and exclude one or more indicators from all indicator
types or from a subset of indicator types.
If you select the Do not add option to the exclusion list check
box; the selected indicators are only deleted.

Export Export the selected indicators to a CSV file. You can Export an
Indicator to CSV Using the UTF8-BOM Format.

Export (STIX) Export the selected indicators to a STIX file.

Upload a STIX file Upload a STIX file and add the indicators from the file to the
system.

5.4.2 Table View versus Summary View

Incident Management Dashboard

The Incidents Management Dashboard provides a graphical summary of incidents in your

environment, with incidents prioritized and listed by severity, assignee, incident age, and affected
hosts.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 104

The Incidents page displays all incidents in the Cortex XDR management console to help you
prioritize, track, triage, investigate, and take remedial action.

5.4.3 Table Settings

Most pages in Cortex XDR present data in table format and provide controls to help you manage
and filter the results. If additional views or actions are available for a specific value, you can pivot
(right-click) from the value in the table. For example, you can view the incident details or pivot to the
Causality View for an alert or to the results for a query.

On most pages, you can also refresh ( ) the content on the page.

To manage tables in the app:

Filter Page Results

To reduce the number of results, you can filter by any heading and value. When you apply a filter,
Cortex XDR displays the filter criteria above the results table. You can also filter individual columns
for specific values using the icon to the right of the column heading.

Some fields also support additional operators such as =, !=, Contains, not Contains, *, !*.

There are three ways you can filter results:

● By column, using the filter next to a field heading

● By building a filter query for one or more fields using the filter builder
● By pivoting from the contents of a cell (show or hide rows containing)

Filters are persistent. When you navigate away from the page and return, any filter you added
remains active.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 105

Export Results to File

If needed, you can export the page results for most pages in Cortex XDR to a tab separated values
(TSV) file.

Save and Share Filters

You can save and share filters across your organization.

Show or Hide Results

As an alternative to building a filter query from scratch or using the column filters, you can pivot
from rows and specific values to define the match criteria to fine tune the results in the table. You
can also pivot on empty values to show only results with empty values or only results that do not
have empty values in the column from which you pivot.

The show or hide action is a temporary means of filtering the results: If you navigate away from the
page and later return, any results you previously hid will appear again.

This option is available for fields which have a finite list of options.

Manage Columns and Rows

From Cortex XDR pages, you can manage how you want to view the results table and what
information you want the Cortex XDR app to display. This includes:

● Adjust the row height and column width.

● Add or Remove fields in the table.
● Configure the order of the columns.

Any adjustments you make to the columns or rows persist when you navigate away from and later
return to the page.

Display Quick Actions

From the Cortex XDR tables, you can quickly initiate actions using icons available in the table rows.
Depending on the table, the icons provide a quick alternative to the corresponding right-click pivot
menus. You can:

● Navigate to a Cortex XDR table throughout the Cortex XDR app

● Hover over a table row to display the available actions

Key Idea

● CMD fields are limited to 128 characters. If you pivot on a CMD field with a
truncated value, the app shows or hides all results that match the first 128
characters.
● Field names that are locked ( ) cannot be moved.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 106

5.4.4 Reference
● Threat Intel Page,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/indicators-page
● Manage Tables,
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/get-started-with-c
ortex-xdr-pro/use-cortex-xdr/manage-tables

5.5 Identify the Capabilities of Existing Dashboards and Reports

Dashboards

The dashboard consists of visualized data powered by fully customizable widgets, which enables
you to analyze data from inside or outside Cortex XSOAR in different formats such as graphs, pie
charts, or text from information. For more information about widgets, see Widgets Overview.

When you first install Cortex XSOAR, the following dashboard tabs are created:

● Incidents: Information relating to incidents, such as severity type, active incidents,

unassigned incidents, and so on
● System Health: Information relating to the Cortex XSOAR Server
● My Dashboard: A personalized dashboard relating to your incidents, tasks, and so on
● SLA: Information relating to your Service Level Agreement
Dashboard Options
In every dashboard, you can set the date range from which to return data and the refresh rate. In
the DASHBOARDS tab, you can do the following:
● Filter Data for all widgets
You can filter dashboard data by either typing the query into the query bar, or in the relevant
widget by clicking Filter In. When clicking Filter In, the query is added to the query bar. To
filter out, delete the query. For example, if you only want to see critical Cortex XDR incidents,
hover over the Cortex XDR incident in the Incident Severity by Type widget and click Filter
In.

In the Active Incidents by Severity widget, hover over Critical and click Filter In. The dashboard

only shows active critical incidents relating to Cortex XDR.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 107

To remove the filter, delete the query.
After you have created the filter, you can send the URL of the filtered dashboard to other users.
● Change Color of Widgets: You can change the group color in some of the widgets. The color
changes only for that particular widget in the dashboard. To change the color of the widget
permanently, edit the color in the Widgets Library. For example, if you change the color for
Cortex XDR in the Incident Severity by Type to red within the Widgets Library, the next time
you add it to a dashboard, the color will remain red for that widget only. It does not change
for any other widget.
● Copy the value: From the widget, you can select Copy value, which enables you to copy the
value used in the widget for commands, in the War Room, etc.
● Create a Dashboard
● Edit a Dashboard
● Import and export a dashboard, which is useful in a test and production environment.
The dashboard is exported as a JSON file. You can make any changes you require and then
import the file.
● Add default dashboards
In a production environment, an administrator defines the default dashboards for each user,
which is dependent on a user’s role. If a user has not modified their dashboard, these
dashboards are added automatically; otherwise, users can add these dashboards to their
existing dashboards. These default dashboards can be removed but not deleted, and can be
added again if required.
● Share a Dashboard
● Duplicate, delete or remove (if shared) a dashboard.
● Create a report
You can generate a report from the dashboard as is, or add new widgets as required. You can
set the format, when to run, orientation, etc. To run the report, click Run Now. The Report is
generated and it also appears in the Reports tab, which can be run again. For more
information about creating reports, see Create a Report.
● Reports

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 108

 Reports contain statistical data in the form of widgets, which enable you to analyze data
from inside or outside Cortex XSOAR in different formats such as graphs, pie charts, or text
from information.

After generating a report, it also appears in the Reports tab, so you can use the report again.
You can then do the following:
● Create a custom report

When creating a report, what you see is what you get; how you configure the report is how it
generates. You can add widgets to a report, change the format, paper size, insert page
breaks (by adding the Page Break widget), etc. If you have a table widget that contains
many rows, you can select the number of rows on each page or print the whole table (in the
table widget, right click and select Force Print full Chart).

You can add your own logo, by going to Settings > Troubleshooting and uploading your
logo in the Full-size logo field.
Reports are generated in PDF, Word, and CSV formats.
● Create a report from a dashboard
You can create a report from the dashboard as is or add new widgets as required. These
widgets provide the same functionality as custom reports, such as format, when to run,
orientation, etc. To create a report from the dashboard, click Create report.
Schedule a report

You can schedule a report to run at specific times, or you can run the report immediately.
You can also send to the report specific recipients or restrict it according to roles.
● Generate an out-of-the-box report
Cortex XSOAR comes with out-of-the-box reports, such as critical and High incidents, Daily
incidents, last seven days incidents, and so on. You can change the time range for the
incidents, the scheduled time, and who can receive the report. If you want to make more
comprehensive changes to these types of out-of-the-box reports, copy or download (and
upload) the report.
o Edit a report
o Change the Report Logo
o Configure the Time Zone and Format in a Report
o Schedule a report from an incident

This process captures investigation-specific data and shares it with team members. You can
customize how the information is displayed for existing incidents.
If you encounter problems with reports, see Troubleshoot Reports.

Key Idea

● Information may be provided in the form of custom reports, reports

generated from Dashboards, or even from out-of-the-box reports.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 109

5.5.1 References

● Dashboard Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/dashboards/da
shboard-overview#id8327f032-160d-430b-87c8-600e751099e5
● Reports Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/reports/report-
overview

5.6 Summarize what Information can be Created, Edited, or Shared within Dashboards and
Reports

You can create and customize reports in the REPORT tab. You can add widgets, schedule times,
incident time range, add recipients, change the format, size, and so on. Reports support PDF, CSV,
and Word formats.

Step 1 : Select Dashboards & Reports > REPORTS > New Report.

Step 2 : In the Widgets Library, add the widgets as required and as described in Add a Widget to a
Report.

Step 3 : From the Date Range drop-down list, select the date range from which to generate the
report.

Widgets can have their own date range, which can be different from the report’s date range.

Step 4 : To schedule a report, click Disabled.

Step 5 : To change the number of recipients or their details, click the number of recipients in the
Recipients field.

Step 6 : To change the format, orientation, or paper size, select the options as required.

Palo Alto Networks recommends that users select the landscape orientation to ensure that all
information displays in the report.

Step 8 : Before generating the report, click Preview to see a preview of the report. You can change
the size, arrange the widgets, insert a page break (using the Page Break Widget), etc.

Step 9 : Click Save or Save Version.

Save Version enables you to view a history of the changes made to your report. You can
revert to previous reports.

Step 10 : In the Reports tab, edit the Date Range of the incidents if required, and click Run Now to
generate the report immediately. The Report then downloads. Ensure that you enable
pop-ups in your browser.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 110

5.6.1 Reference
● Create a Report,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/reports/create-
a-report

5.7 Summarize the Capabilities of the Widget Builder

In the Widgets Library, creating a widget through the widget builder allows you to define and
configure data and preview how that widget appears. The widget builder also allows you to create
complex widgets, which eliminates the need to write scripts or upload JSON files (although you
have the option to do this). These complex widgets have the same capabilities as if you were
creating a script-based widget.

You can create the following types of widgets through the widget builder:
● Incidents: Widgets relating to incidents, such as active incidents by type, incidents by phase,
late incidents, etc.
● Indicators: Widgets relating to indicators, such as indicators by type, indicators activity, bad
indicators, etc.
● Script: Automation driven widgets. Although you can create complex widgets using the
widget builder, you can also create dynamic widgets using automation scripts, such as
calculating the percentage of incidents that DBot closed. The automation script can also pull
information from the Cortex XSOAR API.
In the widget builder, although you cannot manipulate the data (no data appears in the
operations tab) you can define the arguments for the script and change the color, layout,
legends, etc.
For automation script examples, see Create a Custom Widget Using an Automation Script.
● War Room Entries: Widgets relating to the number of War Room entries, including number
of entries according to owner, etc.
● SOAR Metrics: Widgets relating to automations, playbooks, integrations, such as
troubleshooting, how long it runs, number of runs for API, errors, etc.
● Threat Intel Reports: Widgets relating to threat intel reports that have been created, such as
reports by type, status, etc.
● Upload: You can upload a JSON file to create a static widget, which displays relatively
straightforward information such as grouping incidents severity by type, active incidents by
type, and so on.

Key Idea

● Before creating a script based widget, you need to create a script in the
Automation page and then select the script in the widget builder. The script
must have the widget tag assigned, otherwise it does not appear when
selecting the script in the widget builder.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 111

5.7.1 Reference
● Widget Overview,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/widgets/widge
t-overview#id1a61212d-6957-48dc-aaf8-d563fd709ead

5.8 Summary of Key Ideas

● If you install a Content Pack which contain dashboards, these can be added when creating a
new dashboard. To change the order of the dashboards, click next to the relevant dashboard,
and then drag and drop the dashboard into the required location.
● If you want to see more information about the data, click the data to take you to the relevant
page. For example, in the Active Incidents by Severity widget, to see only critical incidents,
click Critical. This takes you to the Incident page, where you can see all the active critical
incidents
● Only automations to which you have added the general-dynamic-section tag appear in the
drop down list.
● To access the War Room: If you have an Admin role, clicking Playground on the side bar
opens the Playground - War Room tab. If you have another role, typing any command in the
CLI at the bottom of the page opens this tab.
● Cortex XSOAR does not index notes, chats, and pinned as evidence entries. If you want to
index these entries, see War Room Indexing.
● Closing a parent investigation also closes all associated child investigations.
● Creating Incident Fields is an iterative process in which you continue to create fields as you
gain a better understanding of your needs and the information available in the third party
integrations that you use.
● CMD fields are limited to 128 characters. If you pivot on a CMD field with a truncated value,
the app shows or hides all results that match the first 128 characters.
● Field names that are locked ( ) cannot be moved.
● If you install a Content Pack which contain dashboards, these can be added when creating a
new dashboard. To change the order of the dashboards, click next to the relevant dashboard,
and then drag and drop the dashboard into the required location.
● If you want to see more information about the data, click the data to take you to the relevant
page. For example, in the Active Incidents by Severity widget, to see only critical incidents,
click Critical. This takes you to the Incident page, where you can see all the active critical
incidents.
● Before creating a script based widget, you need to create a script in the Automation page
and then select the script in the widget builder. The script must have the widget tag
assigned, otherwise it does not appear when selecting the script in the widget builder.

5.9 Sample Questions

Q1. Which statement is true about incidents?

a. Using Cortex you can define integration with third party security and incident management
vendors
b. You cannot run playbooks after incident creation
c. Using Cortex XSOAR you can determine the investigation of incidents
d. You cannot trigger events after integration

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 112

Q2. What option can be selected for “Virus Total?”

e. Direct link
f. Total analysis
g. File hash
h. All the above

Q3. What is the primary use of the indicator?

a. Provides data URLs, domains, IP addresses and hashes

b. Provides WildFire verdict and detection reasons
c. It provides summary of threat intelligence
d. Does not provide a Paloalto networks analytics services

Q4. What are the essential tabs used by dashboards?

a. My dashboard
b. SLA
c. System Health
d. Indicators

Q5. Which option provides War Room and Workplan?

a. Filter entities
b. Playbooks
c. Market place
d. Incidents

Q6. Why are fields used?(Choose three)

a. To accept or populate incident data coming from an incident

b. To add incident type layouts and map using the mapping feature
c. To help incident team members during an investigation
d. To restore long text field
e. To collect information deriving from third-party integration

Q7. What type of arguments does the script accept when an action button is clicked?

a. Script arguments
b. Non-mandatory arguments
c. Combination of mandatory and non-mandatory arguments
d. Mandatory arguments

Q8. What is meant by “Table settings?”

a. Ability to sort columns

b. Ability to navigate page to page
c. Ability to adjust the number of rows

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 113

 d. Represents complex table format in Cortex XSOAR

Q9. What can existing dashboards and reports do?

a. Schedule reports for email delivery

b. Report a pulse on your network
c. View reports
d. Delete default dashboards

Q10. Which two requirements can be added to reports and dashboards? (Choose two.)

a. Schedule time
b. Incident time range
c. Create, edit, or share
d. Change the format or size

Q11. What type of widgets can you create using Widget builder?

a. Widget library
b. Incident table
c. Operation
d. Location

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 114

Domain 6: Threat Intel Management

6.1 Identify the Parameters Available for Configuring Indicator Objects

6.1.1 Layouts and Types

1. Go to Settings > Advanced > Incident Types
2. Create an Incident Type for the self-service read-only user. Be sure to configure the playbook
to run automatically.
3. Select the Incident Type and click Edit Layouts.
4. Create a new incident tab dedicated to self-service read-only users.
5. Hover over the tab you want the self-service read-only user to view and click the gear icon.
6. Click Viewing Permissions.
7. In the Viewing Permissions window, select the Permit users with no roles to view this tab
option.
8. Customize this incident tab to only include widgets with data read-only users can access.
Such information can include Case Details, Timeline Information, Attachments, and War
Room entries.
9. Test and validate this incident tab layout as a self-service read-only user to ensure it displays
correctly and without an insufficient permission error message.

6.1.2 Fields
Synopsis

fields [-] <field_1> [as <name1>], <field_2> [as <name2>], ...

Description

The field stage identifies which fields are returned in the result set. If this stage is used, then
subsequent stages can operate only on the fields identified by this stage.

Use a wildcard (*) to include all fields that match the pattern. Use a '-' to exclude a field from the
result set.

Use the “as” clause to set an alias for a field. If you use the as clause, then subsequent stages must
use that alias to refer to the field.

Examples

Return the action_country field from all xdr_data records where the action_country field is both not
null and not "-". Also include all fields with names that match event_* except for event_type

dataset = xdr_data

| fields action_country as ac

| fields event_*

| fields - event_type

| filter ac != null and ac != "-"

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 115

6.1.3 Reputation Scripts and Command
Reputation Script

The output of the reputation script is a verdict score, which is used as the basis for the indicator
verdict. Reputation scripts must be tagged “reputation” in order to appear in the drop-down for the
indicator type.

Reputation scripts are user-created scripts that either:

Return only the verdict as a number. The number will override the verdict returned from the
reputation command. The reliability of the score from a reputation script is A++ – Reputation script
by default and controlled by the enrichment.reputationScript.reliability server configuration.

Return entry with entry context. The entry context must have DbotScore as with reputation
commands. The entry context will be mapped to the custom fields of the indicator with the same
reliability as if it came from a reputation command. The default is A+ – third party enrichment, but
the entry context can be controlled per vendor by the integrations.enrichment.reliability.%s server
configuration.

The results of reputation scripts do not print to the War Room in the extraction flow.

Reputation Command

The reputation command calculates the reputation of indicators of this type. The verdict
(reputation) is only associated with the specific indicator on which it is run (not the indicator type).
The command returns the reputation of the indicator as an entry with entry context and in some
cases also returns context values that can be mapped to the custom fields of the indicator. The
results of the reputation command do not print to the War Room in the auto-extract flow.

6.1.4 Expiration
Indicators can have the Expiration Status field set to Active or Expired, which is determined by the
Expiration field. When indicators expire, they still exist in Cortex XSOAR, meaning they are still
displayed and you can still search for them. A job that runs every hour checks for newly expired
indicators and updates the Expiration Status field.

When indicators expire, the expiration Status and expiration fields are updated. You can use an
indicator field trigger script to take actions based on indicator expiration.

You can set the default expiration method for indicators to either never expire, or expire after a
specific period of time. The default expiration method is set by the indicator type. For more
information, see Indicator Type Profile.

This is the hierarchy by which indicators are expired:

Manual: A user manually expires the indicator or sets it to never expire. This method overrides all
others.

Automation script : Use the expireIndicators command to change the expiration status to Expired
for one or more indicators. This script accepts a comma-separated list of indicator values and

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 116

supports multiple indicator types. For example, an IP address, domain, and file hash:
!expireIndicators value=1.1.1.1,safeurl.com,45356A9DB614ED7161A3B9192E2F318D0AB5AD10

(Automation scripts sit in the same indicator expiration hierarchy as manual.)

Use the !setIndicators command to reset the indicator's expiration value. The value can also be set to
Never so that the indicators never expire. For example, !setIndicators indicatorsValues=watson.com
expiration=Never

Feed integration : The expiration method is configured for an integration instance, which overrides
the method defined for the indicator type.

Indicator type : The expiration method (interval or never) is defined according to indicator type,
which applies to all indicators of this type. This is the default expiration method for an indicator.

6.1.5 Reference
● Create the Read-only Incident Type and Layout,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/users-and-role
s/self-service-read-only-users/create-the-read-only-incident-type-and-layout
● Fields,
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-xql-language-reference/stage
s-commands-reference/stages-commands-reference-fields
● Indicator Type Profile,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/indicator-types/indicator-type-profile
●
● Indicator Expiration,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/indicator-expiration

6.2 Generate Threat Intel Reports

You can create a threat intel report by choosing a type of report and defining other basic report
information. Before you create a report, make sure you set up threat intel report types first to ensure
that your type is defined correctly. The creation process generates a blank report based on the type
you choose. Once created, you will need to edit the report to populate it with relevant content
before you Export or Share a Threat Intel Report.

The core of the report is the Report Body, which is used to enter freeform text. After report creation,
you can edit any predefined template text in this section and replace it with your own content.
Using the Markdown Editor, you can apply rich formatting options to the body text, including text
sizing, coloring, formatting, pictures/icons, and section headers.

Step 1: Go to Threat Intel Reports.

Step 2: Create a New Threat Intel Report from the button at the top right.

Step 3: In the Report Details section, enter a Name and Type and configure any other relevant fields.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 117

Step 4: In the Permissions section, assign Roles that you want to grant read/write access to the
report. If you don’t assign any roles to a report, all roles will have read/write access for the
report.

Step 5: Create the report.

The report is displayed.

Step 6: From the Summary tab, you can edit report fields as needed and add any information
pertaining to the specific report.

Key Idea

● If you don’t assign any roles to a report, all roles will have read/write access
for the report.

6.2.1 Reference
● Create a Threat Intel Report,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-threat-intel-manage
ment-guide/threat-intel-reports/create-a-threat-intel-report#id6aa00977-833b-44fd-bb0c-c0
474ea55f3c

6.3 Describe the Features of the Threat Intel Page

6.3.1 Unit 42 Intel Feature

Cortex XSOAR Threat Intel includes access to the Unit 42 Intel service, enabling you to identify
threats in your network and discover and contextualize trends. Unit 42 Intel provides data from
WildFire (Palo Alto Networks’ cloud based malware sandbox), the PAN-DB URL Filtering database,
Palo Alto Networks’ Unit 42 threat intelligence team, and from third-party feeds (including both
closed and open-source intelligence). Unit 42 Intel data is continually updated to include the most
recent threat samples analyzed by Palo Alto Networks, enabling you to keep up with threat trends
and take a proactive approach to securing your network.

Unit 42 Intel data is cloud based and remotely maintained, so you can view data from Unit 42 Intel
and add only the information you need to your Cortex XSOAR threat intel library. When you search
for an IP address, domain, URL, or file in the Threat Intel page, you can view the indicator in Cortex
XSOAR as well as the additional information provided by Unit 42 Intel. When an indicator does not
yet exist in Cortex XSOAR but does exist in Unit 42 Intel, you are able to add the indicator into the
Cortex XSOAR threat intel library. You have the option to add the indicator and enrich it with your
existing integrations or add the indicator without enrichment. When the indicator already exists in
Cortex XSOAR but there is additional information available from Unit 42 Intel, you can update your
indicator with the most recent data from Unit 42 Intel.

For IP addresses, domains, URLs, and files, the following information is available:

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 118

 INDICATOR TYPE LAYOUT SECTION

● References and Source References

● Relationships
IP Address
● PAN-DB Categorization
● Passive DNS
● Verdict
● Source
● Relationships
URL
● PAN-DB Categorization
● WHOIS

● Verdict
● Source
● Relationships
DOMAIN ● PAN-DB Categorization
● Passive DNS
● WHOIS

● Verdict
● Source
● Relationships
FILE ● Summary
● WildFire Analysis
● Related Sessions & Submissions

Sample Analysis

With respect to files, Unit 42 Intel also provides sample analysis that helps you conduct in-depth
investigations, find links between attacks, and analyze threat patterns. If the file indicator is in the
Unit 42 Intel service, you have access to a full report on activities, properties, and behaviors
associated with the file. In addition, you can see how many other malicious, suspicious, or unknown
file samples are included the same activities, properties, and behaviors, and also build queries to
find related samples.

Sessions & Submissions

Cortex XSOAR customers can use their Sessions & Submissions data for investigation and analysis in
Cortex XSOAR. Sessions & Submissions data is available for customers with a TIM license and one or
more of the following products:

Firewall – Samples that a Palo Alto Networks firewall forwarded to WildFire

WF Appliance – Samples that a WildFire appliance submitted to the WildFire public cloud

Cortex XDR – Samples submitted through Cortex XDR

Prisma SaaS – Samples submitted through Prisma SaaS

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 119

Prisma Access – Samples submitted through Prisma Access

While the Sample Analysis tab provides information on what a file did, the Sessions & Subscriptions
tab provides in-depth information on communication between devices. Consider, as an example,
that you have a file indicator that has been determined to be malicious, and you have a Palo Alto
Networks firewall and Cortex XDR. In the Sessions and Submissions tab, you can see where this
malicious file originated and where it has gone in your network by viewing the firewall sessions that
this file passed through. You can see which XDR agents in your system reported the file, which tells
you which machines might be infected. You can block the external IP address with your firewall,
and, if needed, isolate the affected machines to contain the attack. If the source is internal, you can
investigate that endpoint.

Relationships

The Threat Intel Management system in Cortex XSOAR includes a feed that brings in a collection of
threat intel objects as indicators. These indicators are stored in the Cortex XSOAR threat intel library
and include Malware, Attack Patterns, Campaigns, and Threat Actors.

When you add or update an indicator from Unit 42 Intel, a relationship is formed in the database
between the relevant threat intel object and the new, or updated, indicator.

Unit 42 Intel is available from Cortex XSOAR 6.5 for customers with a TIM license. When upgrading
from an earlier Cortex XSOAR version, the TIM license must also be updated. Contact Cortex XSOAR
Customer Support to receive the updated license file.

License Requirements

Unit 42 Intel includes indicator relationship data provided as part of the Unit 42 Intel Objects Feed.
The feed integration instance is automatically configured for new Cortex XSOAR v6.5 or later
installations with a TIM license. When upgrading from an earlier version to Cortex XSOAR v6.5 or
later or adding a TIM license to an existing Cortex XSOAR v6.6 deployment, the TIM license must be
updated and the feed integration must be installed and enabled.

● If you have an existing TIM license and are upgrading from Cortex v6.2 or earlier to Cortex
XSOAR v6.6:

Contact Cortex XSOAR Customer support to receive the updated TIM license file. Confirm the Unit
42 Intel Objects Feed is installed and enabled.

● If you have an existing Cortex XSOAR license for v6.6 (without TIM) and are adding a TIM
license:

Confirm the Unit 42 Intel Objects Feed is installed and enabled.

Multitenant Deployments

Tenants accounts have access to Unit 42 Intel, with the following limitations:

● On the Sample Analysis page, only Public Samples are available. My Samples data is not
available for multitenant deployments.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 120

 ● Sessions & Submissions data is not available for multitenant deployments.

● For tenant accounts, the API key must be manually entered for the Unit 42 Intel Objects
Feed integration and the Palo Alto Networks WildFire Reports integration. Enter the API key
in the instance configuration.

Key Idea

● Unit 42 Intel is available from Cortex XSOAR v6.5, for customers with a TIM
license. When upgrading from an earlier Cortex XSOAR version, the TIM
license must be updated. Contact Cortex XSOAR Customer Support to
receive the updated license file.

6.3.2 XSOAR Indicators

Indicators are artifacts associated with incidents and are an essential part of the incident
management and remediation process. They help correlate incidents, create hunting operations,
and enable you to easily analyze incidents and reduce Mean Time to Response (MTTR).

Detect and ingest indicators

There are several methods by which indicators are detected and ingested in Cortex XSOAR.

Integration

● Feed: Integrations that fetch indicators from a feed – for example TAXII, AutoFocus, Office
365, and so on.

● Enrichment integrations: Enhance the indicator, giving it more context and information – for
example, AutoFocus, VirusTotal, Ipinfo, and so on.

Indicator Extraction

Indicators are extracted from selected incidents that flow into Cortex XSOAR – for example, from a
SIEM integration.

Manual

● Command line

● Mark: User marks a piece of data as an indicator.

● STIX file: Manually upload a STIX file on the Indicators page.

6.3.3 Export/Import Capabilities

You can import and export rules from each rule management page on the ESM Console. This
enables you to:

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 121

 ● Back up user-defined rules before migrating or upgrading to a new version of the ESM
Console.

● Back up user-defined rules before deploying a policy to multiple independent ESM Consoles.

● Import user-defined rules from another ESM Console (running the same version).

● Update your default security policy with the latest recommendations and best practices from
Palo Alto Networks.

The ESM Console supports the ability to import both user-defined rules and default security rules.

When you import a policy file that contains multiple types of rules, the ESM Console automatically
determines the rule type and distributes the rules to their respective rule management pages.
When you export a policy or set of rules, you can only export user-defined rules of the same type.
This is because you must select the rules from a single rule management page when you perform
the export. When you export rules, the ESM Console saves them to an XML file in the location of your
choice.

When you import user-defined rules, the ESM Console appends the rules to the existing policy and
assigns each rule a unique ID number. When you install a content update to import the latest
default security rules, the ESM Console overwrites the existing rules with the updated policy. When
available, you can download the latest default security policy from the Dynamic Updates section of
the Support portal.

6.3.4 References

● Unit 42 Intel Overview,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-threat-intel-manage
ment-guide/unit42-intel/unit42-intel-overview
● Indicator Detection and Ingestion,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators

6.4 Configure Threat Intel Feed Integrations

The Cortex XSOAR Threat Intel Management guide provides you with the ability to unify the core
components of threat intel, including threat intel aggregation, scoring, and haring.

6.4.1 Reference

● Cortex XSOAR Threat Intel Management Guide,

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-threat-intel-manage
ment-guide

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 122

6.5 Identify the Options Available to Auto Extract

6.5.1 Exclusion List

The exclusion list prevents indicators from being extracted and created in the system. For example,
to prevent google.com from being flagged as a malicious indicator, add it to the exclusion list.

When millions of indicators are ingested and processed daily, two practices are essential:

● Control whether they are active or expired.

● Define how and when indicators are expired.

The indicator field Expiration Status displays the indicator status, either Active or Expired. The
indicator field Expiration displays when that indicator expired and by which method.

Indicator expiration is applied at the indicator type level. Indicators assigned to a specific indicator
type inherit the indicator type’s expiration method.

Indicators added to the exclusion list are disregarded by the system and are not created or involved
in automated flows such as indicator extraction. You can still manually enrich IP addresses and URLs
that are on the exclusion list, but the results are not posted to the War Room.

There are several methods by which to add indicators to the exclusion list.

Delete and exclude indicators

You can select one or more indicators from the Indicators table and click the Delete and Exclude
button. The indicators are deleted from the Indicators table and added to the exclusion list. You can
associate these indicators with one or more indicator types.

If you delete the indicator it is removed from Cortex XSOAR. This option should be used mainly for
correcting errors in ingestion and not as part of your regular work flow.

Manually add indicators to the exclusion list

From the Exclusion List page, you can manually add a single indicator or define indicators using a
regular expression (regex) or CIDR.

Regex

A regular expression enables you to identify a sequence of characters in an unknown string. The
following example would identify www.demisto.com:
[A-Za-z0-9!@#$%\ .&]*demisto[A-Za-z0-9!@#$%\ .&]*.

CIDR

Classless inter-domain routing (CIDR) enables you to define a range of IP addresses. For example,
the IPv4 block 192.168.100.0/22 represents the 1024 IPv4 addresses from 192.168.100.0 to
192.168.103.255.

Exclusion List examples:

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 123

 EXCLUSIONS DESCRIPTION SETTINGS

URLs, domains, Excludes the top level Value: The top-level domain (TLD).
and subdomains domain (TLD), its Example:example.com
subdomains, and URLs (http Check Use Regex
or https) on the top level Do not select any indicator types.
domain.

Subdomain (and Excludes the given Value: The subdomain.

URLs) specifically subdomain and its URLs, but Example:
the TLD is still extracted. examplesub.example.com
Check Use Regex
Do not select any indicator types.

Specific domain Specifically excludes the TLD. Value: The domain.

only Subdomains and URLs are Example: example.com
still extracted. Do NOT select Use Regex
Select indicator type: Domain

URL with Excludes any indicators of Value: The URL with wildcard
wildcards type URL matching the added at the end.
regex. Indicators Example:
example.com and http://examplesub.example.com/*
examplesub.example.com of Check Use Regex
type Domain would still be Select indicator type:
extracted. Start the regex URL.
with
https?:// to exclude both
HTTP and HTTPS URLs.

Specific URL Excludes the given URL, but Value: The URL.
the TLD and subdomains are Example:
still extracted. http://examplesub.example.com/m
yexample
Do NOT select Use Regex
Select indicator type: URL

URLs, domain, and Excludes domain Value example:

subdomains, example.com, its (?i)^(https?://)?(([a-zA-Z0-9\-]+\ .)+)?
case-insensitive, subdomains, and its URLs. example\ .com
anchored to start Case-insensitive. Anchors Check Use Regex
regex match to the start of Select indicator types: URL,
the indicator value, so Domain.
indicators that contain but
do not start with a match
(e.g.,

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 124

 example.net?param=exampl
e.com) are not excluded.

6.5.2 Playbook Auto Extract

When using indicator extraction rules, indicators are extracted from tasks in playbooks.

The default indicator extraction value depends on the playbook task. For example, the indicator
extraction mode is set to none in the Enrich offending user account task (from the Impossible
Traveler playbook). In the Extract the email address of the reporting user task (from the Phishing
Generic V3 playbook), indicator extract is set to system default.

You can use the following commands in a task:

● extractIndicators

● Reputation commands, such as !ip, !file, etc.

● enrichIndicators

For more information, see Run Indicator Extraction in the CLI.

Step 1 : If a content pack installed playbook, click either Duplicate Playbook or Detach Playbook.

Step 2 : Select the playbook you want to extra indicators, and click Edit.

Step 3 : In the playbook, click a task to extract indicators.

Step 4 : Click the Advanced tab.

Step 5 : In the indicator extraction drop-down menu, select the mode you want to use.

Step 6 : Click OK.

Extract Indicators from a Phishing Email

The following scenario shows how indicator extraction is used in the Process Email –
Generic playbook to extract and enrich a very specific group of indicators.

This playbook parses the headers in the original email used in a phishing attack. It is important to
parse the original email used in the phishing attack and not the email that was forwarded to ensure
that you only extract the email headers from the malicious email and not the one your organization
uses to report phishing attacks.

Step 1 : Go to the Playbooks page and search for the Process Email – Generic playbook.

Step 2 : Click either Duplicate Playbook or Detach Playbook.

Step 3 : If you have already duplicated or detached the playbook, click Edit.

Step 4 : Scroll down and open the Add original email details to context task.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 125

Step 5 : In the Automation field, click Set and select ParseEmailFilesV2.

In the Outputs tab, you can see all of the different data that the task extracts, such as Email To, CC,
From, etc.

Step 6 : Go to the Advanced tab.

Under Indicator Extraction mode, ensure that the Inline option is selected. This indicates that all of
the outputs are processed before the playbook moves ahead to the next task.

Step 7 : Open the Display email information in layout task. This task receives the data from the
saved attachment tasks and sets the various data points to context.

Under the Advanced tab, ensure that Indicator Extraction mode is set to None because the
indicators have already been extracted earlier in the Extract email artifacts and attachments task
and there is no need to repeat the process.

Key Idea

● If you select system default in a task, the default is set to none. You can
change the default by updating the reputation.calc.algorithm.tasks server
configuration. For more information, see Indicator Extraction Modes.

6.5.3 Regex for Auto Extract

Regex: A regular expression enables you to identify a sequence of characters in an unknown string.
The following example would identify www.paloaltonetworks.com:
[A-Za-z0-9!@#$%\ .&]*demisto[A-Za-z0-9!@#$%\ .&]*.

6.5.4 System Defaults

Resetting the firewall to factory defaults will result in the loss of all configuration settings and logs.

Step 1: Set up a console connection to the firewall.

● Connect a serial cable from your computer to the Console port and connect to the firewall
using terminal emulation software (9600-8-N-1).

If your computer does not have a 9-pin serial port, use a USB-to-serial port connector.

● Enter your login credentials.

● Enter the following CLI command: debug system maintenance-mode

The firewall will reboot in the maintenance mode.

Step 2: Reset the system to factory default settings.

● When the firewall reboots, press Enter to continue to the maintenance mode menu.

● Select Factory Reset and press Enter.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 126

 ● Select Factory Reset and press Enter again.

The firewall will reboot without any configuration settings. The default username and password to
log in to the firewall is admin/admin.

To perform initial configuration on the firewall and to set up network connectivity, see Integrate the
Firewall into Your Management Network.

6.5.5 Extraction Settings for Incident Types

You can extract indicators from incident fields upon creation of an incident and when a field
changes. For example, you want to extract the IP address upon incident creation and again when
the field changes.

The indicator extraction feature extracts indicators from incident fields and enriches them using
commands and scripts defined for the indicator type.

Step 1: Go to Settings > OBJECTS > SETUP > IncidentsTypes.

Step 2: For Content Pack-installed incident types, select the incident type check box to define the
extraction rules and the click Detach.

Step 3: Click Edit.

Step 4: From the Indicators Extraction Rules tab, in the On incident creation and the On field
change fields, select the required indicator extraction mode.

If you select Out of band, the extracted indicators do not appear in the context. If you want the
extracted indicators to appear, select Inline.

Step 5: In the What to Extract section, if you want to extract all incident fields, select Extract all
indicators from all fields.

Step 6: If you want to choose which indicators are extracted according to each field, select Extract
specific indicators.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 127

You can search and filter the incident fields. For each field, use the drop-down menu to control the
indicator types to extract.

Optionally, you can select all indicators, set all indicators to none, or copy settings from an incident
type by clicking: to the right of the table’s column headers.

INDICATOR TYPE TO
DESCRIPTION
EXTRACT

No indicators are extracted.

None
All indicator types with regex
Specific indicator types
Some indicator types are associated with a regex (such
as IP), and some are not (such as Registry Key).
Only indicators that are associated with a regex are
extracted.
You can choose one or more indicator types based on
regex. The system extracts values that match the regex
from this incident field.

Select the Use field value check box to use any indicator based on the field value (not regex based).
This creates an indicator out of the entire value of the field, regardless whether the indicator type
has a configured regex. This can be used in cases such as extracting hostnames.

Note the following:

● It is recommended to turn off incident extraction (select “‘none”) for the Labels incident field.
When an incident JSON is received from an integration, the JSON members are mapped to
incident fields (based on the mapping configuration). Every member in the JSON that was
not mapped to a field will be written to the Labels field. If the Labels field extracts indicators,
it can expose unmapped or unknown data to external sources. You should only map the
relevant data to fields and set their extraction settings.

● If you want to extract attachments, select the attachment field and then select File as the
indicator type to extract. The File extracts a hash (usually SHA-256), which can be viewed in

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 128

 the War Room. You may want to disable indicator extraction for attachments to reduce
external API usage and protect restricted data (the hash) from being sent.

Step 7: Click Save.

In this example, if an email is forwarded that potentially includes phishing, we want to extract at
incident creation (inline) and upon a field change (out of band):

● Email Body: Extract all indicators.

● Email From: Extract Email only.

● Email Subject: Extract all indicators.

● Email To: Extract Email only.

6.5.6 Reference
● Threat Intel Concepts,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-threat-intel-manage
ment-guide/threat-intelligence-management-overview/threat-intelligence-concepts#idc5bd
04c0-d11f-448d-ab2f-748f225db392
● Exclusion List,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/exclusion-list
● Create Indicator Extract Rules for a Playbook Task,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/auto-extract-indicators/define-indicator-extract-rules-for-a-playbook-task
● Exclusion List,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/understand-indicators/exclusion-list

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 129

 ● Create Indicator Extraction Rules for an Incident Type,
https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/manage-indic
ators/auto-extract-indicators/define-indicator-extraction-rules-for-an-indicator-type

6.6 Summary of Key Ideas

● If you don’t assign any roles to a report, all roles will have read/write access for the report.
● Unit 42 Intel is available from Cortex XSOAR v6.5, for customers with a TIM license. When
upgrading from an earlier Cortex XSOAR version, the TIM license must be updated. Contact
Cortex XSOAR Customer Support to receive the updated license file.
● If you select system default in a task, the default is set to none. You can change the default
by updating the reputation.calc.algorithm.tasks server configuration. For more information,
see Indicator Extraction Modes.

6.7 Sample Questions

Q1. What is the purpose of the wildcard in the field?

a. To include all fields that do not match the pattern

b. To exclude a field from the result set
c. To include a field from the result set
d. To include all fields that match the pattern

Q2. The indicator verdict is based on what?

a. Verdict Score
b. Reputation script
c. Indicator type
d. User script

Q3. What does the reputation command do?

a. Calculates the verdict score

b. Calculates the reputation of indicators of this type
c. Calculates the specific indicator
d. Calculates specific indicators when the command runs

Q4. What is/are updated when the indicator expires?

a. expirationStatus
b. expiration fields
c. expirationStatus and expiration fields
d. default method

Q5. What must you do before creating a Threat Intel report?

a. Edit the report to populate it with relevant content.

b. Edit any predefined template text in this section.
c. Assign roles to which you want to grant read/write access to the report.
d. Set up Threat Intel report types to ensure that your type is defined correctly.

Q6. From where does Unit 42 Intel provide data?

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 130

 a. Only WildFire
b. Only the PAN-DB URL Filtering database
c. Only Palo Alto Networks Unit 42 threat intelligence team
d. WildFire, the PAN-DB URL Filtering database, Palo Alto Networks Unit 42 threat intelligence
team, and third-party feeds

Q7. What are the essential parts of the incident management and remediation process?

a. Indicators
b. Layouts
c. Fields
d. Reputation script

Q8. What happens when you import a policy that contains multiple types of rules?

a. The ESM Console automatically determines the rule type and distributes the rules to their
respective rule management pages.
b. You can only export user-defined rules of the same type.
c. The ESM Console appends the rules to the existing policy and assigns each rule a unique ID
number.
d. The ESM Console overwrites the existing rules with the updated policy.

Q9. Which ability does Cortex XSOAR Threat Intel Management provide?

a. Unifying the core components of threat intel

b. Including threat intel aggregation
c. Scoring and sharing
d. extracting indicators from the system

Q10. What are the two essential practices when indicators are ingested and processed daily?
(Choose two.)

a. Control whether they are active or expired.

b. Define how and when indicators are expired.
c. Prevent indicators from being extracted.
d. Add indicator to the exclusion list.

Q11. On which task does the default indicator extraction value depend?

a. Playbook task
b. Commands
c. Indicator extract
d. Default

Q12. Why is indicator extraction mode set to None under the advanced tab in the Playbooks page?

a. The indicators have already been extracted in the Extract email artifacts and attachments
task, and there is no need to do it again.
b. This task receives the data from the saved attachment tasks and sets the various data points
in context.
c. You can see all of the different data that the task extracts, such as Email To, CC, From, etc.
d. You can define indicators using regular expression

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 131

Q13. Which of the following enables you to identify a sequence of characters in an unknown string?

a. Array
b. Sets
c. Matrices
d. Regex

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 132

Appendix A: Sample Questions with Answers
Below are the questions offered throughout the study guide, with the correct answers indicated.

Domain 1

Q1. Which statement is true about context data?

a. It is purged after each task in a playbook is run.

b. It must be transformed before a task can use it.
c. After it is written, it can be changed only by manual editing.
d. It does not necessarily include all data generated by the incident-related activity.

Q2. What is the context data is primarily used for?

a. Sending data to related incidents

b. Passing data between playbook tasks
c. Storing data for use with integrations
d. Mapping data to required fields

Q3. Which of the following provides dynamic input to playbook tasks and automation?

a. Incident tasks
b. Context data
c. Quick view
d. System

Q4. Which of the following is a category of playbooks?

a. System
b. Parent
c. Boolean
d. Number

Q5. What is a sub-playbook?

a. A playbook used as a task in another playbook

b. An obsolete playbook of inferior quality
c. An app that underlies a playbook to ensure that it flows from task to task
d. An updated playbook that substitutes for an older playbook

Q6. If the input is a list of items, then what will the sub-playbook do?

a. Run once for each input set

b. Run twice for each input set
c. Run as many times as there are items in the list
d. Run once for each item in the input that has a greater number of items

Q7. Which of the following is not a playbook task type?

a. Manual
b. Automated
c. Conditional
d. Boolean

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 133

Q8. Which of the following is not a part of the transformer category?

a. Date
b. String
c. Boolean
d. Number

Q9. In which format type is the context root calculated by the Cortex XSOAR?

a. File.Get
b. File.Extension
c. File.String
d. File.Number
Q10. Which of the following is the function of error troubleshooting?

a. Use the debugger to find and fix issues if a playbook stops on an error.
b. Test and improve playbooks as you build them.
c. Install content packs and use the debugger to see whether the included playbooks are
relevant for your use case.
d. Begin to create and test playbooks even before all integrations are in place by manually
providing inputs and outputs as needed.

Domain 2
Q1. What is the primary use of incident types?
a. Classify the events ingested into the Cortex XSOAR system
b. Integrate with third-party security
c. Determine further investigational needs
d. Customize the layouts

Q2. Which phase is used to display information from playbook tasks and third-party integrations?
a. Pre-processing phase
b. Create fields phase
c. Post processing phase
d. Planning phase
Q3. Why is the create incident types phase used?
a. Display information
b. Customize layouts by incident type
c. Show relevant information of each incident type
d. Classify the types of attacks with which the organization deals
Q4. How can you configure the incident type layout?
a. Incident Layout Builder
b. Settings tab
c. Advanced tab
d. Layouts tab

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 134

Q5. Which action should a user perform after configuring the layout?

a. Work with a phishing integration product.

b. Define incident type for all events.
c. Plan deployment.
d. Map the different incident types that your organization handles.

Q6. When will you learn about the missing incident types?

a. After adding the new incident types to your system

b. As you plan deployment and start working on your system
c. After configuring the layout for the incident type
d. After you configure your phishing product

Q7. Who can populate the incident fields during an investigation?

a. Analyst
b. Administrator
c. Incident team members
d. Partners

Q8. Which three field types can you add when creating a new field? (Choose three.)

a. Short text
b. HTML
c. Date picker
d. Attachments
e. Decimal number

Q9. What do the classification and map features enable users to do? (Choose two.)

a. Generate alters
b. Classify phishing and malware alerts to respective incident types
c. Use events and event information that Cortex XSOAR ingests from integration
d. Map the fields from third-party integration to the fields defined in the incident layouts.
e. Create mapping for specific fields.

Domain 3

Q1. Which playbook task can be selected for surveying users?

a. Conditional task
b. Standard task
c. Data collection task
d. None of the above

Q2. Which statement about War Rooms is true?

a. War Room commands are used for script-based tasks.

b. War Room commands are used to determine different paths for your playbook.
c. War Room commands are commands entered manually in the CLI.
d. War Room commands are used as integration commands.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 135

Q3. What are the two types of layouts? (Choose two.)

a. Incident layouts
b. Dynamic layouts
c. Indicator layouts
d. Button layouts

Q4. Why use automations?

a. To create scripts
b. To create, manage and modify scripts
c. To write scripts in Java and Python
d. To access a few Cortex XSOAR APIs

Q5. Which two kinds of commands are available in Cortex XSOAR? (Choose two.)

a. Internal commands
b. System commands
c. Warm room commands
d. External commands

Q6. Which statement regarding Script helper is true?

a. Provides a list of commands

b. Provides a list of available commands and scripts in alphabetical order
c. Provides the language version
d. Provides a list of scripts

Q7. Which three parameters can you define in Script settings? (Choose three.)

a. Language type
b. Disabled
c. Run on
d. Content pack

Q8. Where can you check the source of a problem?

a. Settings
b. Logs and War Room entries
c. Library
d. PyCharm IDE

Q9. What is the default fetch interval time?

a. Two minutes
b. 30 seconds
c. One minute
d. 15 seconds

Q10. Where can you view every integration instance?

a. Cortex XSOAR
b. Integration settings field
c. Cortex XSOAR Developer Hub

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 136

 d. Incident Fetch Interval field

Domain 4

Q1. Which two search actions can you perform in the Marketplace? (Choose two.)

a. Only view installed content packs.

b. Install, delete, and update content.
c. Contribute and share content items.
d. Only view playbooks.

Q2. How is Cortex XSOAR content organized?

a. Files
b. Packs
c. Both files and packs
d. Sequence

Q3. What is the other name for custom content packs?

a. System content packs

b. Contributions
c. Partner-supported content packs
d. Cortex XSOAR-supported content packs

Q4. The Version history for Playbook tabs enables users to…?

a. Update a playbook
b. Access a playbook version
c. Restore a playbook version
d. Search the required playbook

Q5. What does the Cortex XSOAR require for container management?

a. BoltDB
b. Docker
c. Docker or Podman
d. Only IPv4

Q6. You can install the Cortex XSOAR Engine on which two types of machine? (Choose two.)

a. Windows
b. Mac OS
c. Linus
d. Ubuntu

Q7. What is an accurate description of an Elasticsearch? (Choose two.)

a. Enables storing and processing large amount of data

b. Manages paybooks, automation scripts, and others on the main host
c. Helps to migrate objects present in Cortex XSOAR to Elasticsearch

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 137

 d. An open source, distributed search, and analytics engine for all types of data

Q8. How can you edit the locked icon of the content pack incident layout? (Choose two.)

a. Duplicate an incident layout.

b. Detach the layout.
c. Edit the layouts in the Layouts tab.
d. Edit incident type.

Q9. Who can view the results when an automation runs with elevated permissions?

a. All users
b. Users with high permissions
c. Users with low permissions
d. User to whom Cortex team assign permission

Q10. What happens when a task operates in Quiet Mode? (Choose two.)

a. It only display inputs.

b. It does not display inputs and outputs.
c. It does not extract indicators.
d. It displays inputs and outputs.
e. It displays errors and warnings.

Domain 5

Q1. Which statement is true about incidents?

a. Using Cortex you can define integration with third party security and incident
management vendors
b. You cannot run playbooks after incident creation
c. Using Cortex XSOAR you can determine the investigation of incidents
d. You cannot trigger events after integration

Q2. What option can be selected for “Virus Total?”

a. Direct link
b. Total analysis
c. File hash
d. All the above

Q3. What is the primary use of the indicator?

a. Provides data URLs, domains, IP addresses and hashes

b. Provides WildFire verdict and detection reasons
c. It provides summary of threat intelligence
d. Does not provide a Paloalto networks analytics services

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 138

Q4. What are the essential tabs used by dashboards?

a. My dashboard
b. SLA
c. System Health
d. Indicators

Q5. Which option provides War Room and Workplan?

a. Filter entities
b. Playbooks
c. Market place
d. Incidents

Q6. Why are fields used?(Choose three)

a. To accept or populate incident data coming from an incident

b. To add incident type layouts and map using the mapping feature
c. To help incident team members during an investigation
d. To restore long text field
e. To collect information deriving from third-party integration

Q7. What type of arguments does the script accept when an action button is clicked?

a. Script arguments
b. Non-mandatory arguments
c. Combination of mandatory and non-mandatory arguments
d. Mandatory arguments

Q8. What is meant by “Table settings?”

a. Ability to sort columns

b. Ability to navigate page to page
c. Ability to adjust the number of rows
d. Represents complex table format in Cortex XSOAR

Q9. What can existing dashboards and reports do?

a. Schedule reports for email delivery

b. Report a pulse on your network
c. View reports
d. Delete default dashboards

Q10. What type of widgets can you create using Widget builder?

a. Widget library
b. Incident table
c. Operation

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 139

 d. Location

Q11. Why is the incident tab layout tested and validated as a self-service read-only user?

a. To ensure that it displays correctly and without an “insufficient permission” error

message
a. To ensure that it displays correctly and with an “insufficient permission” error message
b. To ensure that it displays correctly
c. To ensure permissions

Domain 6

Q1. What is the purpose of the wildcard in the field?

a. To include all fields that do not match the pattern

b. To exclude a field from the result set
c. To include a field from the result set
d. To include all fields that match the pattern

Q2. The indicator verdict is based on what?

a. Verdict Score
a. Reputation script
b. Indicator type
c. User script

Q3. What does the reputation command do?

a. Calculates the verdict score

b. Calculates the reputation of indicators of this type
c. Calculates the specific indicator
d. Calculates specific indicators when the command runs

Q4. What is/are updated when the indicator expires?

a. expirationStatus
b. expiration fields
c. expirationStatus and expiration fields
d. default method

Q5. What must you do before creating a Threat Intel report?

a. Edit the report to populate it with relevant content.

b. Edit any predefined template text in this section.
c. Assign roles to which you want to grant read/write access to the report.
d. Set up Threat Intel report types to ensure that your type is defined correctly.

Q6. From where does Unit 42 Intel provide data?

a. Only WildFire
b. Only the PAN-DB URL Filtering database
c. Only Palo Alto Networks Unit 42 threat intelligence team
d. WildFire, the PAN-DB URL Filtering database, Palo Alto Networks Unit 42 threat
intelligence team, and third-party feeds

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 140

Q7. What are the essential parts of the incident management and remediation process?

a. Indicators
b. Layouts
c. Fields
d. Reputation script

Q8. What happens when you import a policy that contains multiple types of rules?

a. The ESM Console automatically determines the rule type and distributes the rules to
their respective rule management pages.
b. You can only export user-defined rules of the same type.
c. The ESM Console appends the rules to the existing policy and assigns each rule a unique ID
number.
d. The ESM Console overwrites the existing rules with the updated policy.

Q9. Which ability does Cortex XSOAR Threat Intel Management provide?

a. Unifying the core components of threat intel

b. Including threat intel aggregation
c. Scoring and sharing
d. extracting indicators from the system

Q10. What are the two essential practices when indicators are ingested and processed daily?
(Choose two.)

a. Control whether they are active or expired.

b. Define how and when indicators are expired.
c. Prevent indicators from being extracted.
d. Add indicator to the exclusion list.

Q11. On which task does the default indicator extraction value depend?

a. Playbook task
b. Commands
c. Indicator extract
d. Default

Q12. Why is indicator extraction mode set to None under the advanced tab in the Playbooks page?

a. The indicators have already been extracted in the Extract email artifacts and
attachments task, and there is no need to do it again.
b. This task receives the data from the saved attachment tasks and sets the various data points
in context.
c. You can see all of the different data that the task extracts, such as Email To, CC, From, etc.
d. You can define indicators using regular expression

Q13. Which of the following enables you to identify a sequence of characters in an unknown string?

a. Array
b. Sets
c. Matrices

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 141

d. Regex

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 142

Appendix B: Sample Test
Q1. Which of the following is related to inputs in playbook tasks?

a. Inputs are data pieces that are present in the playbook or task.
b. Inputs are the objects whose entries will serve the tasks throughout the playbook.
c. Inputs are multiquestion surveys or forms that survey recipient access.
d. Inputs are used for classic manual or script-based tasks.

Q2. Which two of the following are examples of a sub-playbook? (Choose two.)

a. Phishing Investigation
b. IP Enrichment
c. Endpoint Malware
d. Retrieve File From Endpoint
Q3. Which two types of actions can be specified with a Standard playbook task? (Choose two.)

a. Manual
b. Automated
c. Conditional
d. Data Collection
Q4. Which of the following is not a function of the Cortex XSOAR playbook debugger?

a. Build playbook
b. Troubleshoot playbook
c. Enable the performance of certain actions on incidents
d. Find tasks that might fail

Q5. Which automation system is used to bring all the various pieces of your security apparatus
together?

a. Playbooks
b. Cortex XSOAR
c. Prisma
d. Third-party security tool

Q6. What dynamic field can you add to an Incident Layout? (Choose two)

a. Phishing link
b. Email header
c. Graph of the number of bad indicators
d. Email body
e. Severity of bad indicators

Q7. When can the incident team populate Incident fields? (Choose two)

a. At the beginning of the investigation

b. After accepting the incident data coming from incidents
c. After adding custom fields for incidents, evidence and indicators
d. During an investigation

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 143

 e. After closing the investigation

Q8. Which markup language is best suited to represent table, formatted texts and lists?

a. HTML
b. SGML
c. Markdown
d. SLA

Q9. Select the types available when creating a new playbook task? (Choose three)

a. Custom task
b. Standard task
c. Ask task
d. Conditional task
e. Data collection task

Q10. Which script checks for field changes and takes action on them?

a. Field trigger script

b. Feed-trigger script
c. Trigger automation script
d. Indicator field trigger script

Q11. Why is Demistomock library used?

a. To integrate script
b. To find source of the problem in the code
c. To debug your integration
d. To check logs and War Room entries

Q12. How can you change the default for all integration instances?

a. Using serversiemincidents.schedule key

b. Using jobs.serversiemincidents.schedule key
c. Using Script Helper tab
d. Using ! and the integration command

Q13. Why is the content pack submitted and reviewed by Cortex XSOAR?

a. To use in the Marketplace

b. To check for errors
c. To ensure that it complies with Cortex XSOAR standards
d. To make it available for customers

Q14. Which action should a user perform to make the developed content part of the product
environment update content?

a. Save versions.
b. Install new content.
c. Save changes.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 144

 d. Push the changes to the remote repository.

Q15. How will you determine whether an incident requires further investigation or not?

a. Using rules and automation

b. Running playbooks
c. Using Cortex XSOAR
d. Using tenants

Q16. Which three elements can you view on the System Diagnostics page? (Choose three.)

a. Status of the Docker service

b. CPU and memory usage
c. System performance
d. Storage issues
e. Modify email modifications

Q17. Which of the following are incident types?

a. Planning
b. Pre-processing
c. Indicator
d. None

Q18. Which two types of actions can be specified with the actions menu?

a. Reset client
b. Deny
c. Default
d. modify

Q19. Which incidents are displayed for the “automatic remediation” search?

a. Bulk incident actions

b. Table view
c. Summary view
d. graphical summary of incidents

Q20. Where do logs appear after creating a log bundle?

a. /var/log
b. /var/log/demisto
c. DbotRole
d. demisto.dockerfiles
Q21. What is the field stage used for?

a. The number of fields

b. To determine fields pattern
c. To identify which fields are returned in the result set
d. To exclude a field from the result set

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 145

Q22. The Indicators can set the expiration status fields to?

a. Active or Expired
b. Active
c. Expired
d. Update

Q23. What happens if you don't assign any role in the permissions section of Threat Intel Reports?

a. All roles will have read/write access to the report.

b. No role will have read access to the report.
c. No role will have read/write access to the report.
d. No role will have write access to the report.

Q24. What are the Unit 42 Intel service features enabled by the Cortex XSOAR threat?

a. You can take a proactive approach to secure your network.

b. You can add the indicator into the Cortex XSOAR threat intel library.
c. You can identify threats in your network and discover and contextualize trends.
d. You can updated the most recent threat samples analyzed by Cortex XSOAR team

Q25. Which of the following is not a method by which indicators are detected and ingested in Cortex
XSOAR?

a. Feed integration
b. Indicator extraction
c. Manual command line
d. SIME integration

Q26. Which abilities are supported by the ESM Console?

a. The ability to import both user-defined rules and default security rules
b. The ability to import only user-defined rules
c. The ability to import only default security rules
d. The ability to back-up default security rules

Q27. At which layer is indicator expiration applied?

a. Intel report level

b. Indicator type level

c. Management layer
d. Unit level

Q28. What happens if you reset the firewall to factory defaults?

a. The firewall integrates with the management network

b. The firewall reboots in maintenance mode.
c. The firewall reboots without any configuration settings.
d. The reset results in the loss of all configuration settings and logs.

Q29. When an incident JSON is received from an integration, the JSON members are mapped to
incident fields based on which criteria?

a. Incident extraction

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 146

 b. The mapping configuration
c. Layouts
d. Fields

Q30. Why is indicator extraction disabled?

a. For attachments to reduce external API usage and protect restricted data (the hash) from
being sent
a. To unrestrict data
b. To give access to data
c. For read/write access to data

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 147

Appendix C: Answers to the Sample Test
Q1. Which of the following is related to inputs in playbook tasks?

a. Inputs are data pieces that are present in the playbook or task.
b. Inputs are the objects whose entries will serve the tasks throughout the playbook.
c. Inputs are multiquestion surveys or forms that survey recipient access.
d. Inputs are used for classic manual or script-based tasks.

Q2. Which two of the following are examples of a sub-playbook? (Choose two.)

a. Phishing Investigation
b. IP Enrichment
c. Endpoint Malware
d. Retrieve File From Endpoint
Q3. Which two types of actions can be specified with a Standard playbook task? (Choose two.)

a. Manual
b. Automated
c. Conditional
d. Data Collection
Q4. Which of the following is not a function of the Cortex XSOAR playbook debugger?

a. Build playbook
b. Troubleshoot playbook
c. Enable the performance of certain actions on incidents
d. Find tasks that might fail

Q5. Which automation system is used to bring all the various pieces of your security apparatus
together?

a. Playbooks
b. Cortex XSOAR
c. Prisma
d. Third-party security tool

Q6. What dynamic field can you add to an Incident Layout? (Choose two)

a. Phishing link
b. Email header
c. Graph of the number of bad indicators
d. Email body
e. Severity of bad indicators

Q7. When can the incident team populate Incident fields? (Choose two)

a. At the beginning of the investigation

b. After accepting the incident data coming from incidents
c. After adding custom fields for incidents, evidence and indicators
d. During an investigation

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 148

 e. After closing the investigation

Q8. Which markup language is best suited to represent table, formatted texts and lists?

a. HTML
b. SGML
c. Markdown
d. SLA

Q9. Select the types available when creating a new playbook task? (Choose three)

a. Custom task
b. Standard task
c. Ask task
d. Conditional task
e. Data collection task

Q10. Which script checks for field changes and takes action on them?

a. Field trigger script

b. Feed-trigger script
c. Trigger automation script
d. Indicator field trigger script

Q11. Why is Demistomock library used?

a. To integrate script
b. To find source of the problem in the code
c. To debug your integration
d. To check logs and War Room entries

Q12. How can you change the default for all integration instances?

a. Using serversiemincidents.schedule key

b. Using jobs.serversiemincidents.schedule key
c. Using Script Helper tab
d. Using ! and the integration command

Q13. Why is the content pack submitted and reviewed by Cortex XSOAR?

a. To use in the Marketplace

b. To check for errors
c. To ensure that it complies with Cortex XSOAR standards
d. To make it available for customers

Q14. Which action should a user perform to make the developed content part of the product
environment update content?

a. Save versions.
b. Install new content.
c. Save changes.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 149

 d. Push the changes to the remote repository.

Q15. How will you determine whether an incident requires further investigation or not?

a. Using rules and automation

b. Running playbooks
c. Using Cortex XSOAR
d. Using tenants

Q16. Which three elements can you view on the System Diagnostics page? (Choose three.)

a. Status of the Docker service

b. CPU and memory usage
c. System performance
d. Storage issues
e. Modify email modifications

Q17. Which of the following are incident types?

a. Planning
b. Pre-processing
c. Indicator
d. None

Q18. Which two types of actions can be specified with the actions menu?

a. Reset client
b. Deny
c. Default
d. modify

Q19. Which incidents are displayed for the “automatic remediation” search?

a. Bulk incident actions

b. Table view
c. Summary view
d. graphical summary of incidents

Q20. Where do logs appear after creating a log bundle?

a. /var/log
b. /var/log/demisto
c. DbotRole
d. demisto.dockerfiles
Q21. What is the field stage used for?

a. The number of fields

b. To determine fields pattern
c. To identify which fields are returned in the result set
d. To exclude a field from the result set

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 150

Q22. The Indicators can set the expiration status fields to?

a. Active or Expired
b. Active
c. Expired
d. Update

Q23. What happens if you don't assign any role in the permissions section of Threat Intel Reports?

a. All roles will have read/write access to the report.

b. No role will have read access to the report.
c. No role will have read/write access to the report.
d. No role will have write access to the report.

Q24. What are the Unit 42 Intel service features enabled by the Cortex XSOAR threat?

a. You can take a proactive approach to secure your network.

b. You can add the indicator into the Cortex XSOAR threat intel library.
c. You can identify threats in your network and discover and contextualize trends.
d. You can updated the most recent threat samples analyzed by Cortex XSOAR team

Q25. Which of the following is not a method by which indicators are detected and ingested in Cortex
XSOAR?

a. Feed integration
b. Indicator extraction
c. Manual command line
d. SIME integration

Q26. Which abilities are supported by the ESM Console?

a. The ability to import both user-defined rules and default security rules
b. The ability to import only user-defined rules
c. The ability to import only default security rules
d. The ability to back-up default security rules

Q27. At which layer is indicator expiration applied?

a. Intel report level

b. Indicator type level
c. Management layer
d. Unit level

Q28. What happens if you reset the firewall to factory defaults?

a. The firewall integrates with the management network

b. The firewall reboots in maintenance mode.
c. The firewall reboots without any configuration settings.
d. The reset results in the loss of all configuration settings and logs.

Q29. When an incident JSON is received from an integration, the JSON members are mapped to
incident fields based on which criteria?

a. Incident extraction

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 151

 b. The mapping configuration
c. Layouts
d. Fields

Q30. Why is indicator extraction disabled?

a. For attachments to reduce external API usage and protect restricted data (the hash)
from being sent
b. To unrestrict data
c. To give access to data
d. For read/write access to data

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 152

Appendix D: Glossary
● Active Directory integration- Is the process of incorporating directory services — a suite of
tools for managing users, groups, and resources — into a network of computers.
● Adware- Software that automatically displays or downloads advertising material such as
banners or pop-ups when a user is online.
● Security orchestration, automation, and response (SOAR)- Technology that helps
coordinate, execute, and automate tasks between various people and tools, allowing
companies to respond quickly to cybersecurity attacks and improve their overall security
posture. SOAR tools use playbooks to automate and coordinate workflows that may include
any number of disparate security tools and human tasks. See also “playbook.”
● Artificial intelligence (AI)- The ability of a system or application to interact with and learn
from its environment, and automatically perform actions accordingly, without requiring
explicit programming.
● Augmented reality (AR)- Augmented reality enhances a real-world environment with virtual
objects.
● BoltDB- Is an embedded ACID key/value database written in Go. It supports MVCC with
shadow paging by allowing only one writer and multiple readers.
● Boolean- A system of algebraic notation used to represent logical propositions.
● Bot- Individual endpoints that are infected with advanced malware that enables an attacker
to take control of the compromised endpoint. Also known as a zombie. See also botnet and
malware.
● Botnet- A network of bots (often tens of thousands or more) working together under the
control of attackers using numerous command-and-control (C2) servers. See also bot.
● Command Line Interface (CLI)- Is a text-based user interface (UI) used to run programs,
manage computer files and interact with the computer.
● Cortex- The AI-based continuous security operations platform—extends next-generation
security into cloud.
● Cortex XDR- is the world's first detection and response app that natively integrates network,
endpoint and cloud data to stop sophisticated attacks.
● Cortex XSOAR- is a comprehensive security orchestration, automation and response (SOAR)
platform that unifies case management, automation, real-time collaboration and threat intel
management to serve security teams across the incident lifecycle.
● Dashboard- It consists of visualized data powered by fully customizable widgets that enable
you to analyze data from inside or outside Cortex XSOAR in different formats such as graphs,
pie charts, or text from information.
● Dbot- is the Cortex XSOAR machine learning bot, which ingests information about indicators
to determine if they are malicious.
● Debugger- a computer program that assists in the detection and correction of errors in
other computer programs.
● Docker- Is a software framework for building, running, and managing containers. Cortex
XSOAR uses Docker to run Python scripts, PowerShell scripts, and integrations in a controlled
environment.
● Elasticsearch- Is a distributed, open source search and analytics engine for all types of data.
It enables processing and storing large amounts of data.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 153

● Endpoint- Is a remote computing device that communicates back and forth with a network
to which it is connected.
● Endpoint Protection- is a means of securing endpoint devices from cyber threats.
● Evidence board- Stores key artifacts for current and future analysis. You can view and
manage evidence entities that were detected in the War Room and designated as Evidence.
● GitHub- A website and cloud-based service that helps developers store and manage their
code, as well as track and control changes to their code.
● GitLab- Is a DevOps software package that combines the ability to develop, secure, and
operate software in a single application.
● GlobalProtect- Provides a complete infrastructure for managing your mobile workforce to
enable secure access for all your users, regardless of what endpoints they are using or where
they are located.
● High availability (HA)- Is a deployment in which two firewalls are placed in a group and their
configuration is synchronized to prevent a single point of failure on your network.
● Hypertext Transfer Protocol (HTTP)- An application protocol used to transfer data between
web servers and web browsers.
● Internet of things (IoT)- The IoT refers to the network of physical smart, connected objects
that are embedded with electronics, software, sensors, and network connectivity.
● Internet Protocol (IP) address- A 32-bit or 128-bit identifier assigned to a networked device
for communications at the Network layer of the OSI model or the Internet layer of the TCP/IP
model.
● Jira- Is a proprietary issue tracking product developed by Atlassian that allows bug tracking
and agile project management.
● Load balancing- Refers to the process of distributing a set of tasks over a set of resources,
with the aim of making their overall processing more efficient.
● Log bundle- is a zip file of additional logs available in the Cortex XSOAR system. These logs
provide additional information that is useful in troubleshooting issues that arise in your
Cortex XSOAR system.
● Machine Learning- A subset of AI that applies algorithms to large datasets to discover
common patterns in the data that then can be used to improve the performance of the
system.
● Malware- Malicious software or code that typically damages, takes control of, or collects
information from an infected endpoint. Malware broadly includes viruses, worms, trojan
horses (including remote access trojans, or RATs), anti-AV, logic bombs, back doors, root kits,
boot kits, spyware, and (to a lesser extent) adware.
● Markdown- is a lightweight markup language that can be best suited to represent tables,
lists and formatted texts.
● Mean Time to Response (MTTR)- is the average time required to return a system to
operational condition after receiving notification of a failure or cyberattack.
● Multitenancy architecture- Is based on the platform’s ability to run multiple instances
(processes and data) of the XSOAR server on a single server.
● Network Mapper- allows you to scan your network to detect and identify unmanaged hosts
in your environment according to defined IP address ranges.
● Orchestration- Is the automated configuration, coordination, and management of computer
systems and software.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 154

● Partner-supported content packs- This term applies to content packs published by Cortex
XSOAR Technology Partners. Support and maintenance is provided by the Technology
Partner, whose contact information appears in the content pack details.
● Phishing- is an attempt by an individual or group to solicit personal information from
unsuspecting users.
● Playbook- It enables you to automate security processes, including handling investigations
and managing tickets.
● Podman- Is a daemonless container engine for developing, managing, and running OCI
Containers on the Linux System.
● Proof of concept (POC)- is the effective test you can run to make sure you're getting the
right NGFW for your environment.
● Proxy server- Is a dedicated computer or software system that sits between an end “client,”
such as a desktop computer or mobile device, and a desired destination, such as a website,
server, or web- or cloud-based application.
● PyCharm- Is an integrated development environment used in computer programming,
specifically for the Python programming language.
● Ransomware- is a criminal business model that uses malicious software to hold something
of value for ransom or shutting down a victim's operations.
● Role-based access control (RBAC)- Enables you to define the privileges and responsibilities
of administrative users (administrators). Every administrator must have a user account that
specifies a role and authentication method.
● Sandbox- Is a security mechanism for separating running programs, usually in an effort to
mitigate system failures and/or software vulnerabilities from spreading.
● Script Helper- It provides a list of available commands and scripts, ordered alphabetically.
● Security Information and Event Management (SIEM)- Helps to manage security incidents
through the collection and analysis of log data, security events and other event or data
sources.
● Security operations center (SOC)- Is a physical room or area in an organization's office
where cybersecurity analysts work to monitor enterprise systems; defend against security
breaches; and identify, investigate and mitigate cybersecurity threats.
● Security orchestration, automation, and response (SOAR)- Technology that helps
coordinate, execute, and automate tasks between various people and tools, allowing
companies to respond quickly to cybersecurity attacks and improve their overall security
posture. SOAR tools use playbooks to automate and coordinate workflows that may include
any number of disparate security tools and human tasks. See also “playbook.”
● Software as a service (SaaS)- A category of cloud computing services in which the customer
is provided access to a hosted application that is maintained by the service provider.
● Tags- Are used to identify the purpose of a rule or a configuration object and better organize
your rulebase. You can tag objects to group related items and add color to the tag in order to
visually distinguish them for easy scanning. You can create tags for the following objects:
address objects, address groups, user groups, zones, service groups, and policy rules.
● Tenant- Is also an instance of Cortex XSOAR that serves a customer or account and can be
located either on the main or other hosts.
● Transformers- enable you to take one value and transform or render it to another value.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 155

● Unix- Is a family of multitasking, multiuser computer operating systems that derive from the
original AT&T Unix, whose development started in 1969 at the Bell Labs research center by
Ken Thompson, Dennis Ritchie, and others.
● URL filtering- limits access by comparing web traffic against a database to prevent
employees from accessing harmful sites such as phishing pages.
● Vulnerability- A bug or flaw that exists in a system or software and creates a security risk.
● War room commands- are commands that can be entered manually in the CLI at the
bottom of the screen.
● Widgets- are visual components that enable you to analyze data internally or externally from
Cortex XSOAR, in different formats such as graphs, pie charts, text from information.
● Wildfire- Identifies previously unknown malware and generates signatures that Palo Alto
Networks firewalls can use to detect and block the malware.
● XSOAR Marketplace- Is the central location for installing, exchanging, contributing, and
managing your content, including playbooks, integrations, automations, fields, layouts, and
more.

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 156

Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Partners delivers the knowledge and
expertise to prepare you to protect our way of life in the digital age. Our trusted security
certifications give you the Palo Alto Networks product portfolio knowledge necessary to prevent
successful cyberattacks and to safely enable applications.

Digital Learning

For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital-learning classes are a helpful way to
reinforce the key information for those who have been to the formal hands-on classes. They also
serve as a useful overview and introduction to working with our technology for those unable to
attend a hands-on, instructor-led class.

Simply register in Beacon and you will be given access to our digital-learning portfolio. These online
classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.

New courses are being added often, so check back to see new curriculum available.

Instructor-Led Training

Looking for a hands-on, instructor-led course in your area?

Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of
solutions from onsite training to public, open-environment classes. About 42 authorized training
centers are delivering online courses in 14 languages and at convenient times for most major
markets worldwide. For class schedule, location, and training offerings, see
https://www.paloaltonetworks.com/services/education/atc-locations.

Learning Through the Community

You also can learn from peers and other experts in the field. Check out our communities site at
https://live.paloaltonetworks.com, where you can:

● Discover reference material

● Learn best practices

● Learn what is trending

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 157

Palo Alto Networks Certified Security Automation Engineer (PCSAE) 158