Free Paloalto Networks XSOAR-Engineer Practice Exam with Questions & Answers | Set: 5

XSOAR provides two types of user-interaction mechanisms in playbooks:Ask tasksandData Collection tasks. Ask tasks present asingle questionwhose answer determines the playbook’s conditional path. Conversely, Data Collection tasks are specifically designed to gathermultiple questions, forming a structured form or survey.

The Admin Guide explains that Data Collection tasks allow multiple question fields such as text input, dropdowns, yes/no responses, and date fields. These tasks may be delivered via email links, the XSOAR UI, or external response pages. Once completed, responses are automatically populated into incident fields or context keys.

A Section Header (option B) only organizes information within playbooks and layouts; it does not collect user input. Conditional Ask (option C) is strictly limited to single-question logic branching. A “Survey task” (option D) does not exist as a named task type in XSOAR; surveys are implemented through Data Collection tasks.

Thus, the correct answer isA: Data Collection, as it is the documented method for sending multi-question forms to users or customers.

XSOAR automates indicator-driven actions through various trigger types. To execute a search automatically on a remote SIEM when new IP indicators are extracted, two components are needed:

Feed-triggered job (D)– The Admin Guide explains that jobs can be triggered when a feed updates. When new indicators are fetched, a feed-triggered job can automatically start a playbook.

Integration command (C)– The playbook executed by the job can call SIEM integration commands (such as siem-search, query-log, or custom search commands). These commands send API queries to the remote SIEM and return event/log results.

Reputation scripts (option A) evaluate or enrich indicators but do not execute SIEM searches. Enhancement scripts (option B) add contextual data to indicators but not remote searches.

Thus, the correct pair supported by XSOAR automation architecture is:

✅Integration Commandto perform the SIEM query

+

✅Feed-Triggered Jobto automatically initiate the action when new IP indicators appear.

This reflects XSOAR’s feed-driven automation workflow.

XSOAR’s ingestion pipeline defines a strict order in which raw fetched data is processed, and the Admin Guide explains that Classification determines the incident type based on incoming fields, while Mapping performs the actual transformation of event data into structured incident fields. Mapping profiles define how each field from the integration’s raw JSON (for example, source_ip, username, alert_id) is converted into standard or custom incident fields.

The Mapping Editor allows administrators to select specific fields from the incoming event data and bind them to incident fields used throughout playbooks, layouts, and reports. This ensures normalization of data and consistent schema usage across the SOC.

The documentation makes clear that Mapping is responsible for populating incident field values, whereas Classification only chooses the incident type. Field configuration defines field metadata but does not map values. Layout configuration controls visual presentation only and does not populate fields.

Thus, option B (Mapping) is the function that converts event data into incident field values and is the correct answer according to the ingestion architecture documented in the XSOAR Admin Guide.