XSOAR-Engineer Palo Alto Networks XSOAR Engineer Questions and Answers

Jobs in XSOAR run playbooks or scripts automatically at scheduled intervals. According to the Job Execution section of the Admin Guide, if a job encounters an error during playbook execution, its continued operation depends on whether“Continue on Error”is enabled. When this checkbox is selected, the job will not terminate due to an exception or integration failure. Instead, it logs the error and proceeds to the next scheduled execution as normal.

Queue handling settings (A) apply to indicators/job queues within feeds, not job failure behavior. RBAC changes (C) do not influence job execution continuity. Ensuring the last task closes the investigation (D) is unrelated and may even disrupt job workflows, since jobs often do not require incident-based models.

By contrast, enablingContinue on Erroris the documented mechanism that prevents scheduled jobs from halting due to transient or recurring errors. It ensures operational resilience, especially during integration outages or API rate limits.

Thus, optionBis the correct and fully documented answer.

The XSOAR Layouts documentation states that scripts can appear inside incident layouts only when they are designated as Dynamic Section scripts. Dynamic Sections are special script types that run automatically within layouts to display enrichment data, contextual summaries, or markdown-rendered information.

When creating such a script, the developer must mark it with the "dynamic-section" tag; otherwise, XSOAR does not expose it as an option during layout configuration. Without this mandatory tag, the script is treated as an ordinary automation and therefore cannot be placed into layout components.

Permissions (option B) affect script execution but do not prevent it from appearing in the layout editor. Integration commands (option C) are unrelated—dynamic sections do not use integration command definitions. Markdown output type (option D) determines formatting only and does not affect whether the script is selectable within the layout editor.

Thus, the missing configuration step is failing to tag the script as a Dynamic Section, making option A the correct answer according to the official XSOAR documentation.

When running integration commands in Cortex XSOAR, the system automatically structures outputs into context keys defined in the integration YAML. However, many commands return additional data not mapped by default. To find the complete JSON output—including unmapped data—XSOAR provides the raw-response=true flag.

According to the Admin and Integration Development Guides, setting raw-response=true displays the full unprocessed output exactly as returned by the integration. This is essential when configuring “Extend Context,” because the engineer must reference the exact JSON path to extract specific values into a new context key.

debug-mode enables verbose logging but does not display full JSON output. auto extract triggers automatic IOC extraction, unrelated to examining context paths. extend-parent-context modifies output behavior inside playbooks but does not reveal underlying JSON structure.

Therefore, only raw-response reliably exposes the complete output structure, enabling accurate mapping when using “Extend Context.”

The SSO (SAML) configuration is performed inside each Cortex XSOAR tenant, under the Authentication settings.

Group mapping (SAML group → XSOAR role/group) is managed at the tenant level, not in the Hub, Gateway, or Support Portal.

XSOAR’s ingestion pipeline defines a strict order in which raw fetched data is processed, and the Admin Guide explains that Classification determines the incident type based on incoming fields, while Mapping performs the actual transformation of event data into structured incident fields. Mapping profiles define how each field from the integration’s raw JSON (for example, source_ip, username, alert_id) is converted into standard or custom incident fields.

The Mapping Editor allows administrators to select specific fields from the incoming event data and bind them to incident fields used throughout playbooks, layouts, and reports. This ensures normalization of data and consistent schema usage across the SOC.

The documentation makes clear that Mapping is responsible for populating incident field values, whereas Classification only chooses the incident type. Field configuration defines field metadata but does not map values. Layout configuration controls visual presentation only and does not populate fields.

Thus, option B (Mapping) is the function that converts event data into incident field values and is the correct answer according to the ingestion architecture documented in the XSOAR Admin Guide.

According to the Cortex XSOAR Indicator Lifecycle documentation, when an indicator reaches its expiration date or is manually set toExpired, the platform doesnotdelete it. Instead, the indicator remains fully stored within the Indicator Store and can still be searched, viewed, and referenced within the system. Expiration affectshow the indicator behaves operationally, not whether it still exists in the database. Specifically, an expired indicatorno longer participates in active enrichment, matching, or classificationworkflows. It will not trigger rules, correlation, or alerting functionality, and enrichment engines stop providing updates.

The system retains expired indicators for historical accuracy, audit trail completeness, and investigation continuity. Deleting indicators automatically would compromise incident history and threat intelligence analytics, which XSOAR explicitly avoids. Furthermore, the documentation states that indicator deletion is alwaysmanualunless automated cleanup is configured, and even then, expiration alone does not initiate deletion.

Thus, the correct statement is optionA: the indicatorstill exists and remains searchable, maintaining its presence in XSOAR’s intelligence repository while no longer influencing automated processes. Options B, C, and D contradict documented indicator-retention behavior.

The XSOAR Incident Relationships model provides multiple ways to connect related incidents for correlation and hierarchical investigation. The Admin Guide details howRelate Incidentscreates a logical link between two or more incidents, identifying them as connected without altering their internal data. This is commonly used when incidents share a common threat, indicator, or root cause.

Join Incidentsallows analysts to group multiple incidents under a single parent investigation while keeping them technically separate. Joined incidents appear together in correlation views and analytics dashboards, enabling SOC teams to assess broader attack patterns. Joining does not merge content or overwrite fields; it simply binds multiple incidents under a shared investigative umbrella.

“Add Child Incidents” (option B) is used for parent–child hierarchical workflows, not grouping related violations. “Merge Incidents” (option D) consolidates multiple incidents into one and deletes the originals, which is not the intended function for grouping related but distinct events.

The Threat Intelligence section specifies that XSOAR determines an indicator’s verdict by selecting the verdict from the source that has the highest reliability score.

Only when two sources have equal reliability does XSOAR choose the most severe (worst) verdict between them.

The Layout customization section of the XSOAR Admin Guide explains that incident layouts control how analysts view and interact with fields, evidence, and metadata. Within a layout tab, sections exist purely for the purpose of organizing related fields into structured blocks, improving clarity, readability, and workflow efficiency. This is essential in complex incident types where numerous fields must be grouped logically (e.g., “User Details,” “Endpoint Information,” “Alert Metadata”).

Sections do not trigger automations or playbooks; automation triggers are defined through playbooks, field-change scripts, or incident type settings. They also do not enforce field mandatory requirements—mandatory fields are defined in the incident type configuration, not within layout sections. Likewise, RBAC does not operate at the section level; access restrictions apply to fields or entire incident types, not layout sections.

Therefore, the only correct and documented result of using sections within tabs is enhanced logical grouping of fields, improving analyst usability and data-entry organization. This aligns with option C, matching the intended purpose described in the layout configuration documentation.

Cortex XSOAR jobs are automated scheduled tasks used for running playbooks or scripts on a recurring basis. According to the Jobs documentation within the XSOAR Admin Guide, the available job trigger mechanisms includeTime-based triggersandDelta-based feed triggers.

ATimetrigger enables execution at scheduled intervals using either predefined frequency settings or a cron expression. This allows running jobs hourly, daily, weekly, etc.

ABy delta in feedtrigger launches a job when a connected feed detects changes (new, updated, or removed indicators). This is commonly used in threat-intelligence workflows to perform enrichment, normalization, or distribution when new indicator data arrives.

The other options listed do not exist within XSOAR’s job trigger configuration. "Mapping and Classification" are ingestion components, not job triggers. "Cron View and Human View" are simply formatting options for viewing scheduling expressions—not trigger types. "Script Start and CLI" describe execution methods for scripts, not job-initialization triggers.

Thus, optionBis the accurate and documented set of job trigger types available when creating a new job in XSOAR.

According to the Threat Intelligence section of the XSOAR Admin Guide, indicatorverdict resolutionuses two key rules:

If multiple sources have different reliability levels, the verdict from the highest-reliability source wins.

If multiple sources share the same reliability, XSOAR selects the “worst” (most severe) verdict among them.

Because both integrations have equal reliability (B – Usually reliable), XSOAR selects the more severe verdict. “Malicious” is more severe than “Benign,” so the resulting indicator verdict will beMalicious.

However, indicatorfield valuesfollow a different rule:

When multiple sources share the same reliability score,the most recently updated source overwrites the indicator fields, except for the verdict field.

Integration B updated the indicator after Integration A, so its field values overwrite Integration A’s fields. But its verdict does not override the malicious verdict because severity resolution rules take precedence.

Therefore, the correct combined logic yields:

Verdict: Benign? No → Because Malicious is the highest severity.

Other Fields: From the most recently updated feed → Integration B.

But the verdict is strictly the “worst” verdict, so:

Correct answer: C.

The XSOAR Playbook Debugger documentation states that breakpoints only apply when the playbook is run in Debug mode, not when an incident triggers the playbook normally.

Running from an incident executes the playbook without debugger controls, so breakpoints are ignored—leading to the deletion task running normally.

XSOAR separatesContext DatafromIncident Layout fields. When an incident field is populated, its value is stored in Context, even if the incident type later changes. The Admin Guide clearly states that context is persistent and not dependent on whether a field belongs to the new incident type.

If an incident is reassigned to a different incident type, fields not included in the new type’s layout are no longer visiblein the UI, but the data is fully retained in Context. Analysts can still retrieve the values through playbooks, scripts, or JSON view. This ensures investigations are not disrupted and historical information is never lost due to schema changes.

The data isnot deleted, nor is it hidden from context (ruling out options A and D). It also does not appear grayed out in the UI (C), because the fields no longer appear at all unless re-added to the layout.

Thus, per XSOAR’s data retention model, the correct state isB: Visible within Context Data and fully accessible.

When an analyst manually sets an indicator’s verdict, XSOAR records the verdict with a source named "Manual", and assigns it a reliability of Undefined.

This is explicitly documented under Indicator Verdict + Reliability behavior when a manual override is applied.

In Cortex XSOAR,Reportsare constructed fromWidgets, which are modular visualization components that pull data from incidents, indicators, tasks, lists, and other system sources. The Admin Guide clarifies that widgets serve as the building blocks for dashboards and reports. When creating a report, users select widgets—such as pie charts, tables, statistics blocks, histograms, and custom scripts—and XSOAR aggregates the underlying data (incidents, indicators, evidence, etc.) into the report output.

Automations (option B) may generate data, but they do not perform the aggregation within a report. SQL queries (option C) are not used natively in XSOAR reporting; instead, widgets may embed queries through the platform’s data model. Playbooks (option D) execute response workflows and can generate additional context but are not used for aggregating report data.

Thus, the report-generation process relies entirely on widgets to extract, sort, count, and visualize information. XSOAR renders the report by collecting the aggregated values produced by each widget. This makes optionAthe correct and documented answer.

The XSOAR Admin Guide specifies that field-change trigger scripts allow automations to run whenever a designated incident field changes. Severity is a standard incident field, and when its value increases due to analyst action, a playbook, enrichment script, or correlation event, a field-change trigger can automatically run a script to notify teams.

Post-processing rules only run after an incident closes, making them unsuitable for real-time severity escalation alerts. SLA scripts respond to timer conditions, not field changes, and are used for SLA violations or deadline tracking. Server configuration does not provide automation behavior tied to field modifications.

Field-change triggers are explicitly documented as the mechanism to automate workflows for “reacting to changes in incident fields such as owner, severity, status, or custom fields.” When severity is updated, XSOAR evaluates matching triggers and runs the associated automation immediately.

Thus, only a field-change trigger script can reliably detect a severity escalation and execute a notification action the moment the field changes, making option C the correct and documented solution.