Q1
A Cortex XSOAR engineer is developing a playbook to process suspicious emails. A critical step involves parsing a proprietary, encrypted log file format attached to the emails. The standard 'Extract Indicators' automation fails on this format. The decryption key is available via a secure vault integration. Which approach provides the most efficient and scalable solution for handling this proprietary attachment within the playbook?
Q2
A security architect is designing a multi-tenant Cortex XSOAR environment with a master account and several child tenants. A requirement is to push a core set of 'blessed' playbooks from the master to all tenants, but tenants must be prevented from modifying these blessed playbooks. However, tenants should be able to duplicate them to create their own custom versions. How can this be achieved using the remote repository (dev-prod) functionality?
Q3
A playbook developer is using a sub-playbook that enriches a list of IP addresses. The sub-playbook is configured with looping enabled to iterate over an array of IPs from the parent context. A critical requirement is that if any single IP enrichment fails within the sub-playbook, the entire loop should terminate immediately, and the parent playbook should proceed down an error-handling path. Which configuration ensures this behavior?
Q4
A SOC team is ingesting threat intel from multiple external feeds. They have discovered that two different feeds often provide conflicting reputation scores for the same URL indicator (e.g., Feed A says 'Malicious', Feed B says 'Suspicious'). The team's policy is to always use the most severe reputation. How should an engineer configure the indicator type for URLs to automate this policy?
Q5
During a playbook debugging session for a complex incident involving multiple artifacts, an engineer needs to inspect the full context data at a specific point *after* a data transformation task has run, but *before* a conditional task evaluates it. The playbook is long and running it to completion is time-consuming. What is the most direct way to achieve this using the playbook debugger?
Q6 (Multiple answers)
An XSOAR administrator has configured a new incident type for 'Insider Threat' and is now designing the corresponding layout. A key requirement is to display an employee's detailed HR information (manager, department, start date) dynamically when an analyst is viewing the incident. This data resides in an external HR system accessible via an integration. Which combination of XSOAR features should be used to implement this? (Select TWO).
Q7
A financial services company uses Cortex XSOAR for incident response. Due to strict compliance requirements, they need to implement a 'four-eyes' principle for any destructive action, such as blocking a C2 server's IP address. The action must be initiated by a Tier 1 analyst and then explicitly approved by a Tier 2 analyst before execution. Which playbook task type is specifically designed to handle this human-in-the-loop approval workflow?
Q8
True or False: When an integration instance is configured in Cortex XSOAR, its commands can ONLY be executed from within a playbook task and not directly from the War Room CLI.
Q9
An engineer needs to transform a string of comma-separated IP addresses, stored in the context at `Email.AttackerIPs`, into a JSON array for use as input to a sub-playbook. The input string looks like: `"1.1.1.1,2.2.2.2,3.3.3.3"`. Which filter or transformer should be applied to achieve this?
Q10
A new SOC analyst reports that they cannot see the 'Malware Analysis' tab on incidents of type 'Malware', but senior analysts can. The XSOAR administrator has confirmed the analyst has a role that grants access to the 'Malware' incident type. What is the most likely cause of this issue?