PCSAE Palo Alto Networks Certified Security Automation Engineer Question and Answers

Download the content from the Marketplace.

Go to Settings > About >Troubleshooting and set a flag to allow custom content.

Register a user account with support.paloaltonetworks.com .

Detach the content item you want to edit from the Marketplace.

Define input key in the subplaybook task. Map context values to pull from parent playbook.

The output of the previous task automatically becomes the input of the subplaybook.

Map inputs and outputs to the parent playbook and the subplaybook will use the same values.

Open the subplaybook and add inputs or outputs in the Playbook triggered task.

Submit content directly through feature requests

Private GitHub repository submission for premium content

A Github pull request on the public XSOAR Content Repository

Using the marketplace interface to upload the content

Using the content submission tool on live.paloaltonetworks.com

When creating incidents from the XSOAR REST API

When manually creating an incident from the UI

When adding a new analyst account to XSOAR

When fetching many different incident types from a single mailbox

The integration’s source code

A summary of each version history

A test instance for the content pack

The source code of each playbook

Process all alerts by running the respective playbook and link related incidents during post-processing

Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together

Configure a pre-process rule to link related events as they are ingested

Manually go through the incidents created by the raw events and link related incidents

Planning > Incident Ingestion > Incident Creation > Mapping and Classification > Pre-processing > Playbook runs > Post-processing

Planning > Incident Ingestion > Pre-processing > Incident Creation > Mapping and Classification > Playbook runs > Post-processing

Planning > Incident Ingestion > Pre-processing > Mapping and Classification > Incident Creation > Playbook runs > Post-processing

Planning > Incident Ingestion > Mapping and Classification > Pre-processing > Incident Creation > Playbook runs > Post-processing

Indicator type

Incoming mapper

Incident types

Integration configuration

Marketplace access

Application with API

Private key/Public key integration

Multitenant deployment

status==“Pending“ && category!=”job” && severity==”High” && owner==”None” && type==”Phishing” && emailsubject==”You have won a million dollars”

Status:Pending and –Category:job and Severity:High and Owner:”” and Type:Phishing and Email Subject:You have won a million dollars

status:Pending and –category:job and severity:High and owner:”” and type:Phishing and emailsubject:”You have won a million dollars”

status:Pending or –category:job or severity:High or owner:”” or type:Phishing or emailsubject:”You have won a million dollars”

Create a custom indicator field named ‘username’ and link it to the internal system indicator

Change the reputation command for the internal system indicator type

Create a new indicator type of the internal username and set a formatting script to extract only the

username

Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning

Multi-region

Dev-Prod

Multi-tenant

Distributed database

Standard (Manual)

Conditional

Section header

Standard (Automated)

can run on multiple docker containers

can be set to run on a scheduled basis in the automation settings

can be password protected

can be written in C++

created:>=”7 days”

owner===admin

role is Analyst

status:closed –category:job

/var/lib/demisto

/tmp/log/demisto

/usr/local/demisto

/var/log/demisto

Summary

Compiler

Schedule

Run On

2 main DBs, 1 application server, 2 node servers

1 main DB, 1 application server, 3 node servers

2 application servers, 1 main DB, 1 node server

1 application server, 2 main DBs, 1 node server