Exam SecOps-Pro Topic 1 Question 58 Discussion

Actual exam question for Palo Alto Networks's SecOps-Pro exam
Question #: 58
Topic #: 1
A SOC is migrating from a traditional SIEM to a cloud-native Security Operations Platform, specifically evaluating the integration capabilities of Palo Alto Networks Cortex XSOAR. The primary objective is to automate repetitive incident response tasks, such as enriching alerts with threat intelligence, containing compromised endpoints, and generating incident reports. Which of the following Python code snippets, when integrated into a custom playbook in Cortex XSOAR, would exemplify the automation of enriching an alert with threat intelligence from a external API, assuming 'demisto' is the global object for XSOAR functions and 'incident' is the current incident object?

Suggested Answer: C,E Vote an answer

This is a multiple-response question requiring knowledge of SOAR automation and Palo Alto Networks XSOAR specifics. Option C (Correct): This snippet correctly demonstrates how a Python script within Cortex XSOAR (using 'demisto.executeCommand') would call a pre-configured integration (e.g., VirusTotal) to enrich an indicator, then 'demisto.resultS and 'demisto.setContext' to make the data available within the incident. This directly addresses the 'enriching alerts with threat intelligence' part of the question. Option E (Correct): This snippet correctly demonstrates how XSOAR would be used to automate the 'containing compromised endpoints' task by calling an action from an integrated EDR solution (like Cortex XDR) via This is a core SOAR capability. Option A: This uses 'requests' directly, which is generally not how XSOAR's built-in integrations or playbooks would interact with external APIs. XSOAR prefers demisto.executeCommand' for integration interactions. Option B: This uses 'subprocess.run' to execute shell commands, which is highly system-dependent and not the standard, secure, or portable way to interact with network devices via a SOAR platform; XSOAR would use specific firewall integrations for this. Option D: This only generates a report header, not the full report and doesn't involve any enrichment or containment automation. While report generation is a SOAR function, this code snippet is too simplistic and doesn't address the primary automation objectives. The question asks for automating repetitive incident response tasks like enrichment and containment, and generating incident reports (not just headers).

by Joyce at Apr 07, 2026, 04:14 PM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10