Free Practice Questions for Paloalto Networks XSOAR-Engineer Exam

The XSOAR Admin Guide specifies that field-change trigger scripts allow automations to run whenever a designated incident field changes. Severity is a standard incident field, and when its value increases due to analyst action, a playbook, enrichment script, or correlation event, a field-change trigger can automatically run a script to notify teams.

Post-processing rules only run after an incident closes, making them unsuitable for real-time severity escalation alerts. SLA scripts respond to timer conditions, not field changes, and are used for SLA violations or deadline tracking. Server configuration does not provide automation behavior tied to field modifications.

Field-change triggers are explicitly documented as the mechanism to automate workflows for “reacting to changes in incident fields such as owner, severity, status, or custom fields.” When severity is updated, XSOAR evaluates matching triggers and runs the associated automation immediately.

Thus, only a field-change trigger script can reliably detect a severity escalation and execute a notification action the moment the field changes, making option C the correct and documented solution.

STIX/TAXII are industry-standard protocols for structured threat intelligence exchange. According to the Threat Intelligence section of the XSOAR documentation, TAXII servers and clients provide automated bidirectional sharing using STIX objects, supporting both ingestion and distribution of indicators, observables, relationships, and threat objects.

The TAXII Server content pack specifically enables an organization to expose its threat intelligence via a TAXII 2.0/2.1 compliant endpoint, where the transmitted data is formatted as STIX, making it the correct choice for sharing structured intelligence externally.

The Generic Export Indicators Service pack supports indicator export, but not in STIX format—it exports simple CSV, JSON, or list-based formats. MISP Server supports STIX ingestion and export but is considered a MISP-specific implementation and not the generic STIX distribution mechanism expected in the question. External dynamic lists are not related to STIX or TAXII at all.

Thus, the correct answer is D, as only the TAXII Server pack is designed explicitly for STIX-formatted intelligence sharing.

Cortex XSOAR jobs are automated scheduled tasks used for running playbooks or scripts on a recurring basis. According to the Jobs documentation within the XSOAR Admin Guide, the available job trigger mechanisms includeTime-based triggersandDelta-based feed triggers.

ATimetrigger enables execution at scheduled intervals using either predefined frequency settings or a cron expression. This allows running jobs hourly, daily, weekly, etc.

ABy delta in feedtrigger launches a job when a connected feed detects changes (new, updated, or removed indicators). This is commonly used in threat-intelligence workflows to perform enrichment, normalization, or distribution when new indicator data arrives.

The other options listed do not exist within XSOAR’s job trigger configuration. "Mapping and Classification" are ingestion components, not job triggers. "Cron View and Human View" are simply formatting options for viewing scheduling expressions—not trigger types. "Script Start and CLI" describe execution methods for scripts, not job-initialization triggers.

Thus, optionBis the accurate and documented set of job trigger types available when creating a new job in XSOAR.