PCSAE Practice Test Questions

156 Questions


What is the most effective way to correlate multiple raw events coming from a SIEM and link them together?

A. Process all alerts by running the respective playbook and link related incidents during post-processing
B. Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together
C. Configure a pre-process rule to link related events as they are ingested
D. Manually go through the incidents created by the raw events and link related incidents

Answer: C. Configure a pre-process rule to link related events as they are ingested

Where can engineers add the post-processing scripts to incidents?

A. The post-processing tag must be added to the automation
B. Post-processing scripts must be added at the end of playbooks
C. Post-processing scripts must be added from the Incident Type editor
D. Post-processing scripts must be added from the Post-Process Rules editor

Answer: C. Post-processing scripts must be added from the Incident Type editor

Reliability scores in XSOAR range from A through F. What do A and F stand for?

A. F - Reliability cannot be judged, A - Completely Reliable
B. F - Not reliable, A - Usually Reliable
C. F - Not usually reliable, A - Fairly Reliable
D. F - Unreliable, A - Completely Reliable

Answer: D. F - Unreliable, A - Completely Reliable

An engineer wants to filter a csvList value according to a dynamic value saved under the test context key.
Which three values would save the test context key? (Choose three.)

A. Get csvList.value where csvList.value equals test [from previous tasks]
B. Get csvList.value where csvList.value equals ${test} [from previous tasks]
C. Get csvList.value where csvList.value equals test {}[from previous tasks]
D. Get csvList.value where csvList.value equals test [as value]
E. Get csvList.value where csvList.value equals ${test} [as value]

Answer: A. Get csvList.value where csvList.value equals test [from previous tasks]
B. Get csvList.value where csvList.value equals ${test} [from previous tasks]
E. Get csvList.value where csvList.value equals ${test} [as value]

Which two causes may be occurring if an integration test is working, but the integration is not fetching incidents? (Choose two.)

A. The 'Fetches Incidents' option may not have been enabled
B. There are no new events from the external service
C. The first fetch should be manually triggered to start the fetching process
D. It can take up to 1 hour before incidents are initially fetched

Answer: A. The 'Fetches Incidents' option may not have been enabled
B. There are no new events from the external service

An incident field is created having the display name as Source_IP. How can the field be accessed?

A. ${incident.sourceip}
B. ${incident.Source_IP}
C. ${incident.srcip}
D. ${incident.Source IP}

Answer: C. ${incident.srcip}

An engineer notices that playbooks only start once the user clicks the 'Investigate' button and would like the playbook to start automatically. How can this be implemented?

A. Add the playbook to the integration's settings
B. Select 'Run playbook automatically' from the incident type settings
C. Add the !startinvestigation automation to the beginning of the playbook
D. Select 'Run playbook automatically' from the integration settings

Answer: B. Select 'Run playbook automatically' from the incident type settings

What are two primary uses of standard tasks? (Choose two.)

A. To highlight different paths in a playbook
B. To generate new widgets for a dashboard
C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators

Answer: C. To create an incident or escalate an existing incident
D. To automate tasks such as parsing a file or enriching indicators

A SOC analyst needs to retrieve the list of all open phishing incidents in the last 30 days. What is the correct query to use?

A. -status:closed -category:job type:Phishing created:>="30 days ago"
B. status:closed -category:job & type:Phishing created:>="30 days ago"
C. -status:closed -category:job & type:Phishing created:<="30 days ago"
D. -status:closed -category:job type:Phishing created:="30 days ago"

Answer: C. -status:closed -category:job & type:Phishing created:<="30 days ago"

Arrange these steps in the order that they occur during an incident fetch.

Explanation:
1. Integration performs
2. Classification is applied
3. Mapping is applied
4. Incident is created (a pre-process rule step also runs before the incident is created)

An engineer would like to add a custom field to the New Job form for a job triggered from a threat intel feed. How would the engineer implement this?

A. The new job form changes based on the threat intel feed integration configuration
B. The new job form can be edited from the Indicator Feed incident type editor
C. The new job form for a threat intel feed job cannot be edited
D. The new job form can be edited from the threat intel feeds integration settings

Answer: B. The new job form can be edited from the Indicator Feed incident type editor

An engineer wants to customize the regex for the default IP indicator type. How can this change be implemented?

A. Create a new indicator type and disable the built-in IP indicator
B. Edit the regex of the default IP indicator
C. Add a new server configuration key that will overwrite the default regex of the IP indicator
D. Delete the default IP indicator

Answer: A. Create a new indicator type and disable the built-in IP indicator


Page 1 out of 13 Pages