XSOAR Engineer Intermediate Practice Exam: Medium Difficulty 2025
Ready to level up? Our intermediate practice exam features medium-difficulty questions with scenario-based problems that test your ability to apply concepts in real-world situations. Perfect for bridging foundational knowledge to exam-ready proficiency.
What Makes Intermediate Questions Different?
Apply your knowledge in practical scenarios
Medium Difficulty: Questions that test application of concepts in real-world scenarios
Scenario-Based: Practical situations requiring multi-concept understanding
Exam-Similar: Question style mirrors what you'll encounter on the actual exam
Bridge to Advanced: Prepare yourself for the most challenging questions
Medium Difficulty Practice Questions
10 intermediate-level questions for XSOAR Engineer
A global SOC wants to deploy Cortex XSOAR in a way that allows analysts in multiple regions to use the platform while keeping management centralized. They also want to minimize latency for users and isolate workloads if one region has an outage. Which deployment approach best meets these requirements?
Your XSOAR deployment must allow integrations to access internal systems that are not reachable from the internet. Security policy requires that the XSOAR application server has no direct network access to those internal systems. What is the best design to satisfy these constraints?
A team is building a phishing response playbook. Sometimes the email includes a URL, sometimes only an attachment hash, and sometimes neither. They want the playbook to run the relevant enrichment steps only when the corresponding indicator type exists in the incident, without failing or adding noise. What is the best approach?
An organization wants to automatically close low-risk malware alerts when multiple conditions are met: the file hash is known benign in their TI source, the endpoint is already isolated, and no other related incidents exist for the host in the last 24 hours. Which playbook design best supports this requirement?
You are standardizing automation across multiple incident types. Several playbooks need the same sequence: normalize indicators, enrich them, then update incident fields. You want to reduce duplication and simplify maintenance. What is the best solution in Cortex XSOAR?
A playbook uses several integrations that occasionally take longer to respond (for example, sandbox detonation). Analysts complain that the playbook appears “stuck,” but you want the workflow to continue when results arrive without manual intervention. Which playbook technique best addresses this?
You are onboarding alerts from a SIEM into XSOAR. The SIEM sometimes sends duplicate alerts with the same event identifier. The SOC wants duplicates to be avoided so analysts don’t waste time. Which approach is best to implement this in XSOAR?
A new integration requires an API token and must be used by multiple playbooks. The security team mandates that secrets must not be stored in playbook tasks or scripts. What is the best practice for handling the API token in XSOAR?
After onboarding an EDR integration, the enrichment command returns results in a structure that does not match what your incident fields expect. You want indicators and key attributes (hostname, user, verdict) to populate consistently across incidents. Which combination of features best addresses this?
Analysts report that an integration works when run manually from the War Room but fails when executed in a playbook step on certain incidents. You suspect missing inputs due to inconsistent field mapping from ingestion. What is the most effective troubleshooting workflow?
Mastered the intermediate level?
Challenge yourself with advanced questions when you score above 85%
XSOAR Engineer Intermediate Practice Exam FAQs
XSOAR Engineer is a professional certification from Palo Alto Networks that validates expertise in XSOAR Engineer technologies and concepts. The official exam code is PALOALTO-14.
The XSOAR Engineer intermediate practice exam contains medium-difficulty questions that test your working knowledge of core concepts. These questions are similar to what you'll encounter on the actual exam.
Take the XSOAR Engineer intermediate practice exam after you've completed the beginner level and feel comfortable with basic concepts. This helps bridge the gap between foundational knowledge and exam-ready proficiency.
The XSOAR Engineer intermediate practice exam includes scenario-based questions and multi-concept problems similar to the PALOALTO-14 exam, helping you apply knowledge in practical situations.