XSOAR-Engineer Sample Questions Answers

The XSOAR Playbook Debugger documentation states that breakpoints only apply when the playbook is run in Debug mode, not when an incident triggers the playbook normally.

Running from an incident executes the playbook without debugger controls, so breakpoints are ignored—leading to the deletion task running normally.

The Admin Guide states that layouts—representing how analysts view incident data, evidence, fields, and work plans—are attached directly toincident types. When configuring an incident type, the administrator can specify the layout for the “New,” “Editing,” and “Preview” modes. This ensures consistent presentation of data across the SOC, tailored to each use case (e.g., phishing, endpoint alerts, malware investigations).

Pre-process rules (option A) operate before incident creation and do not control the user interface layout. Incident playbooks (option B) automate response actions but have no effect on how the incident UI is presented. Integration instance settings (option C) define connection details and ingestion parameters but do not control UI layouts.

Only theIncident Type configuration pageincludes fields for selecting or assigning custom layouts. This aligns with XSOAR’s design principle: incident types define schema, workflows, and UI behavior, including which layout is displayed to analysts.

Thus, the correct answer isD, as incident layouts are configured and bound within theIncident Typesettings.

XSOAR’s ingestion pipeline defines a strict order in which raw fetched data is processed, and the Admin Guide explains that Classification determines the incident type based on incoming fields, while Mapping performs the actual transformation of event data into structured incident fields. Mapping profiles define how each field from the integration’s raw JSON (for example, source_ip, username, alert_id) is converted into standard or custom incident fields.

The Mapping Editor allows administrators to select specific fields from the incoming event data and bind them to incident fields used throughout playbooks, layouts, and reports. This ensures normalization of data and consistent schema usage across the SOC.

The documentation makes clear that Mapping is responsible for populating incident field values, whereas Classification only chooses the incident type. Field configuration defines field metadata but does not map values. Layout configuration controls visual presentation only and does not populate fields.

Thus, option B (Mapping) is the function that converts event data into incident field values and is the correct answer according to the ingestion architecture documented in the XSOAR Admin Guide.

Cortex XSOAR jobs are automated scheduled tasks used for running playbooks or scripts on a recurring basis. According to the Jobs documentation within the XSOAR Admin Guide, the available job trigger mechanisms includeTime-based triggersandDelta-based feed triggers.

ATimetrigger enables execution at scheduled intervals using either predefined frequency settings or a cron expression. This allows running jobs hourly, daily, weekly, etc.

ABy delta in feedtrigger launches a job when a connected feed detects changes (new, updated, or removed indicators). This is commonly used in threat-intelligence workflows to perform enrichment, normalization, or distribution when new indicator data arrives.

The other options listed do not exist within XSOAR’s job trigger configuration. "Mapping and Classification" are ingestion components, not job triggers. "Cron View and Human View" are simply formatting options for viewing scheduling expressions—not trigger types. "Script Start and CLI" describe execution methods for scripts, not job-initialization triggers.

Thus, optionBis the accurate and documented set of job trigger types available when creating a new job in XSOAR.

In Cortex XSOAR’s documented Dev/Prod deployment model, thedevelopment tenantis designed to be the workspace where engineers create, modify, test, and validate content before promoting it into production. As part of this workflow, the development tenant includes the“Export all custom content”feature, which generates a structured content bundle containing custom playbooks, integrations, fields, layouts, lists, and other artifacts. This bundle is then imported into the production tenant to ensure controlled, versioned, and tested promotion of content.

The Admin Guide highlights that this export capability isrestricted to the development environmentto preserve the integrity and stability of the production tenant. Production systems are intentionally limited, allowing only the import (not export) of custom content to prevent accidental overwriting, drift, or unintended modifications.

Marketplace access (A) exists in both tenants. Custom integration instances (C) can be created in either tenant. The Content Repository page (B) is also available across both environments.

Therefore, the only feature exclusive to the development tenant isD: “Export all custom content.”This ensures a safe, repeatable Dev→Prod promotion model aligned with enterprise change-control requirements.

The XSOAR Playbook Editor allows engineers to manipulate and transform context data dynamically. According to the XSOAR Admin and Playbook Development Guides,“Extend Context”is the dedicated mechanism that enables a task to save output values into new or existing context keys, including keys that correspond to incident fields. By defining a key under the “Extend Context” section, the playbook task can map specific outputs—such as JSON fields, strings, arrays, or nested objects—to a structured location within the incident context. These keys can then be used to populate incident fields through further playbook tasks, field mappings, or automated incident field updates.

Classification (option A) applies only during ingestion and cannot assign task outputs to incident fields. Inputs (option B) define what data a task receives, not how it is stored afterward. Mapping (option D) belongs to the ingestion pipeline and determines how event fields become incident fields during creation, not during playbook execution.

Therefore,Extend Contextis the correct feature that allows a task to associate its output with incident fields, making optionCthe correct answer based on documentation.

The XSOAR Timers/SLA documentation states that when an incident reaches the Closed state, all timers automatically stop and cannot continue unless manually reset. Timers do not pause — they terminate.

Additionally, when an incident is closed, its associated playbook completes, because closure marks the end of the investigation lifecycle.

The XSOAR Playbook Debugger documentation states that only open incidents can be selected as Test Data.

Closed incidents do not appear in the debugger’s incident selection list.

Starring an incident does not override this limitation; if it is closed, it will not appear.

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/disaster-recovery-and-live-backup/backup-the-database.html

The XSOAR Admin Guide explains that the Ask task is created inside a Conditional Task, and is specifically used when the system needs to prompt the analyst with a single question to determine the playbook path.

Data collection tasks are used for multi-question forms, not conditional branching.

XSOAR separatesContext DatafromIncident Layout fields. When an incident field is populated, its value is stored in Context, even if the incident type later changes. The Admin Guide clearly states that context is persistent and not dependent on whether a field belongs to the new incident type.

If an incident is reassigned to a different incident type, fields not included in the new type’s layout are no longer visiblein the UI, but the data is fully retained in Context. Analysts can still retrieve the values through playbooks, scripts, or JSON view. This ensures investigations are not disrupted and historical information is never lost due to schema changes.

The data isnot deleted, nor is it hidden from context (ruling out options A and D). It also does not appear grayed out in the UI (C), because the fields no longer appear at all unless re-added to the layout.

Thus, per XSOAR’s data retention model, the correct state isB: Visible within Context Data and fully accessible.

The XSOAR Playbook Debugger allows engineers to simulate playbook behavior using existing incidents as sample data. The documentation explicitly states that onlyopen incidentsappear within the debugger’s Test Data selection list. Closed incidents are removed from the selectable list because the debugger cannot execute against non-active incident states.

Starring an incident does not affect debugger availability; the star is a user-level convenience for bookmarking. RBAC restrictions (B) could hide an incident in general UI contexts but not selectively from the debugger. Incorrect incident type (D) also does not prevent selection as long as the incident is open.

Therefore, if a starred incident does not appear as a debugging option, the most common and documented reason is that the incident has beenclosed, and closed incidents cannot be used as debugger input. This aligns with optionA.