Pass Your Palo Alto Networks PCSAE Exam Easy!

Palo Alto Networks PCSAE Palo Alto Networks Certified Security Automation Engineer exam dumps vce, practice test questions, study guide & video training course to study and pass quickly and easily. Palo Alto Networks PCSAE Palo Alto Networks Certified Security Automation Engineer exam dumps & practice test questions and answers. You need avanset vce exam simulator in order to study the Palo Alto Networks PCSAE certification exam dumps & Palo Alto Networks PCSAE practice test questions in vce format.

Domain 3

1. Domain 3

So welcome back to domain three PCs, and we're going to now, within this domain, be looking at automation, integration, and related concepts. That's the heading of the section. And this is really, as it suggests, just around the configuration and understanding of automations and how the integrations and everything work together in order to give Cortex strength. Basically, as far as I'm aware, there is no coding aspect to the exam. However, if you want to take the exam, I would very much suggest that you have at least a good working knowledge of Python or JavaScript. I think majority of the scripts now, majorityof the automations are written in Python. But my experience is that certain people are programmers, which I am not. My experience is that once you've learned one language, it's quite easy to port it over to another language.So one of the first things we're going to do is go to the automations to have a look and see what's there. This is the automation page. You've got the library there, which you can hide or show. And then you put your automations to one side. So if we click into that, you can see that this is the automation. So when we're using a Seth Parser, this is what we're going to be using. Okay, so if you ever have an issue with an automation, I think I'm repeating myself, but I'll go back over it again. If you're having an issue with an automation, such as the virus-total one I had, the automation and the integration wanted me to have the private API key. So when I looked into it within the integration itself, within the playbook it was looking for, there you go, find the return virus API, even if I screw up. Jesus. So there you can see that he's looking for the VirusTotal private API. And so every time that I had this playbook called, it was failing because it failed this check. So, where it says get modules brand, it means via total private API. You can then duplicate this and edit it to look for the integration that you have. Okay, so to go through what the exams actually want you to know, So you've got to outline the different types of automation. Okay, so you've got to stop saying okay after everything I say. It's getting really annoying on my nerves. So you've got single-purpose automations that, as a general rule, manipulate data systems or wrap up multiple integrations. It's not a complete product. It's basically used to enrich something or to bring two things together or something like that. You have automation scripts that perform specific actions, such as "add evidence." This performs a specific action. Yes, commands associated with integration objectscripts are used as part of tasks in playbooks and commands in the War Room. It's important to know that AllScripts can access all XOR APIs. So this is where we are now, wanting you to understand the role-based access controls and how you can control people's access to potentially dangerous scripts. So you can stop people from doing things that they don't understand and would harm the situation. Okay, you can also password-protect the scripts as well. Okay, so then we move onto differentiating between inputs and outputs. As previously stated, the inputs could come from the instant itself, such as the role of who signs the incident, or from an input provided by an integration. Or say, for example, that when active directory integration is used in the playbook task to extract the user's credentials, let's say the playbook itself creates objects whose entries will serve the tasks inside the playbook. Okay? So if we look at playbooks, we can see how to get to the end. Okay? So from the playbook, there are inputs. And this goes through all the inputs that the playbook is going to have. So these will be the inputs it takes from the instant that it's created, whether it's a task, a job, or something like that. Then there are the outputs, which you can act on or pass to another playbook. So you've got the file and the file object, the indicator, the Shah one, the Shah 256, and the malicious vendor for the file. So as I said there, it's just those malicious files and a vendor that made the decision. So if you had Virus Total, then that would be Virus Total. If you had Wildfire, then that would be wildfire. Okay? So those are your inputs and outputs—basically, that's how they make sense. They're inputs and outputs, and then inputs that come from an incident go through a process, and then they become outputs, and you can take those outputs and put them into the instant, or they appear in the war room. So when we are looking at changing scripts When we are looking at editingscripts or building our own scripts. Our own automations Part of the reason you need to have a good working knowledge is that there's a lot already built into XOR to make that easier for you to do and to allow you to write stuff even if you're not a code wiz or something. You've got the script helper here, and the script helper basically covers all the commands. The API. So there you go. So add a child investigation, so the arguments there and then the description of what that's going to do So you can add that into your, into your script. You can, and there we go. So, if active users D receive active content from users displaying Cortex or server scripts, So, if you need assistance and you're editing something, know how to return narrowly to the war room, and there you've literally got the line of code if you're creating, So let's create some new automation. Is that rightly spelled? Yes, I have don't usually okay,this is our test automation. Okay? So we have language type in the version that we're going to use a description, so it's enabled, and you've got arguments, and then your argument there would be the argument you need, whether it's going to be mandatory, default, or case sensitive. But the thing I really wanted to show you was because that's fairly easy, and then the document name is there. So this is the document that you're creating, and that's going to be a container. Okay? So if we do that, now when we're editing our own script, what we can do is copy this across. So if we decide that this is what we want to add, a child investigation, we can copy it to the script, and it is already in there for us. So this is what I mean by if you've got a working knowledge," meaning that as long as you've got a working knowledge of how you need things to be done and how things need to go together, you can use the script helper to add functions, functionality, and lines of code to script. Okay, so I don't care. So now, as we said, we need to go back over the RBAC stuff, the role-based access controls. So the reason for using permissions is to have a separation of people who can do things. Because this whole idea so let's look in at XOR. The whole idea behind it is that the guesswork is removed, right? So you have an instant, something has happened, and the idea is to bring in all the people who are the best at dealing with those things and give them the permissions and information they need to deal with the incident, to respond to it as quickly and accurately as possible. So within that, you then have the ability to control who can make changes to two scripts and who can make changes to things that are going to be sensitive. Because what you want to do is make sure that only the person who knows what they're doing does that. Excuse me, for some reason I can't breathe, which isn't ideal if I'm being honest. To then add that, to add the permissions to it, we need to go to settings, users, and roles integration permissions, and here you'll see all of the permissions, sorry, all of the integrations that are currently enabled. Let's say we wanted to be safe, so PolySwarm—about which I've spoken again—doesn't actually work right now because the uptake on the integration was quite low. so it kind of got pushed back along their development line. Although that said, I've used their online API, I'veused HTML Five stuff and it is very good. So it'd be a shame. Maybe I'll do a project at some point to try to fix it. But yeah, you never knew me. So, got all commands and then we can edit this. Okay, so all instances add the roles for all commands. So we have an administrator who can add all instances and add all commands. Yeah. Okay, so then if we move down, what we wantto do then is if we then say that URLscan, an analyst can do that file rescan makes sense. Analysts, file analysts—you get the picture. I'm not going to go through them all. You get the idea. And this simply means that within these two instances, which are the two instances there, you've got PolySwarm Epoch, which is one instance, and PolySwarm Lima. So this would be specifically for those two instances. So if I've got an analyst here, basically the administrator can do everything on PolySwarm Epoch, and on there I've restricted it to the analyst for doing the Lima stuff. Okay, so that means when I save that, yes, I am, and I'm happy with that. What I now have is that I've made it so that the analyst can't use the URL command, can't use the IP command, can't use the file command, but they can do a URL scan, a forward scan, and a get file. So in that respect, what you're doing is segmenting further the abilities of the analysts, the administrators, and all other roles that are defined within XOR to determine what people can and can't do. I guess you'd base that on your conversation with your customer, because I'm sure you'd want only your engineers to do things like editing and integrations, and analysts wouldn't be able to do that. And it also determines what they can actually see. So if we try and start remembering that the idea behind XOR is to take the guesswork out of the initial analysis and all the noise, and then it potentially goes around different departments before it gets to where it needs to be within the existing infrastructure within a company, then you'll start to sort of understand how it works. Because up until that point, you do tend to fight against it a little bit because I don't understand why it's doing that. I don't understand why I do that. Maybe that's just me. This is my first foray into this kind of depth. Okay, so we've done the role-based access controls, and we'll go back over that again at some point. So move further on. Start talking about differentiating between automation objects. We begin to think of the XORCLI as an operating system. Start thinking about it that way. It makes life a lot easier. It's built into the product and connects to every tool that you need. So it has full connectivity. You can run everything from the CLI, you can run everything from here for running automations, and so on and so forth. So you're going to need to familiarise yourself with the different types of commands. So basically, that's acting upon XOR itself. So you can clear a playground, for instance. But then that clears up, and then you have these commands. You can see the difference here. So you have commands, and there are system commands that start with a forward slash that you can run, and it has that at the top to help you. And then you have scripts where you've got a capital "S." These are scripts that you run from here. And if we go further, further, further down, you'll see that you get to lower-case-first characters, and they're the commands. So you can add to a list "get indicators." Let's try that: "get indicators." So that's just gone off to anyone involved, and it's got indicators, IP indicators, and of course it's not going to show everything here because there's too much of it. So it literally tells you it's showing 50% of its content. The full artefact will then be displayed in a new tab. Just give it a second because my XORbox is woefully underpowered and then this isall the indicators that it got, okay? and from here you can export that to CSV. You can use it market as evidence, you can download it asa file, you can do literally what you want with it. Okay? So those are the important things to remember when it comes to that and so on. From there, we start looking at being able to apply the appropriate automation commands. So you have integrations that contain automation scripts and commands. We can see these if we go to our settings. When you look at that integration, there's an integration there, but there is no instance for it. So although it's there, it's not actually current, whereas this one is. So as long as I don't screw this up again, we should be able to duo-authenticate. Thank you very much. And yes, confidence is restored. So there's another thing that's really interesting here: At the top and bottom of it, when you download and install an integration, although its commands are there, they don't appear down here because there's no instance to act upon. So you have to create the instance to get the commands. Okay? So as we said before, the differentiate between themby looking at the first letter, basically a script. A first letter is always in upper case, whereas a command is always in lower case. And then according to the type of letter you search for, you will see scripts and commands. So, if we test that as active, and then there are commands underneath, nothing to activate but commands underneath, you can see Active Users and two scripts at the top. Okay? So from there, we get into the wonderful world of creating your integrations and stuff like that. So within the realm of being an expert, the automation engineer kind of dictates that as you go into employment or as you start with the service, you're going to end up in a situation where you will be the one that is creating integrations, or at the very least engineering integrations to suit the customers' actual needs out of the box. These things are very, very good, I have to admit. And there is a majority of people; there are many integrations that work exactly as they should. I mean, and I would mention the opinion that, to be fair, the majority of the stuff here is going to work how you want it to. So do you have an instance of Active Directory? There are two here. There's the authentication, and that is why if you configure an instance for that, you authenticate Active Directory, and that authentication exhausts Active Directory. And then you've got the query V two.And that's the one where, when you look, there are a lot more commands involved in that because you'll find that within the playbooks and scripts to do the further enrichment of Active Directory users within an environment in response to an incident. So you'll find a lot more. But what you will also find is that you will sometimes be called upon to spend money on the customer. Sometimes you'll be called upon to create integrations from scratch. Because believe me, that is how it's going to be sold. It's going to be sold as is. To be honest, it's going to be sold exactly as it is. It's a Swiss Army knife. It is designed specifically to work really, really well, as Demisto did. I mean, Demisto was the right one to go with. It's designed to work really well. But its main selling feature is the factthat you're not tied down to a specificset of commands, a specific set of integrations,specific API calls or anything like that. You can design it however you want. And therefore, as well, even as an analyst, it isprobably advisable to look at the engineering side of things,because if you were to move customers or you wereto move jobs or anything like that, contracts, whatever, youmay find that as this becomes more and more adoptedand it becomes more and more prevalent, you may alsofind that no two implementations are the same. So at what point are you going to have to start considering the engineering side of it? You have to look through what it's doing in order to work out how to properly leverage it. So in the integrations we have here, we can search for So if we just do that again, we can show all the enabled ones. So, remember again, enabled is installed, and there's an instance of it that is running. We can go with disabled. These are disabled because the API doesn't work. and that's disabled because I disabled it. I have absolutely no idea. It does explain something, though, about all types of custom. So, if you create a custom integration, as you can see, I started with the Yoga speak, which I'll put a link to, I believe, down below, that's an awesome bit of documentation from XOR and Cortext that walks you through building an integration from scratch. So if you create your own custom integrations, this is what they'll be. and then system integrations. These integrations are in here, and from what I can see, I've never actually clicked on that before, but from what I can see, it's probably the same as all the other categories. You can filter by categories, you can filter by authentication case management where it integrates with Jira and the ServiceNow database, and on my scroll skill server, you can see how they're both deprecated. So I could probably do it uninstalling them, frankly. So that's the integration page. Now, the actual knowledge required by the programme is more about how you can create your own integrations and the process by which you would do it. As far as I'm aware, there is no coding element to the exams I mentioned before, and creating integrations is very code-intensive because you're literally writing the code. Although of course you have to remember, as mentioned in the previous section, the IDE does have a comprehensive script helper to guide you through the process. In addition to this, there's a plugin for PyCharm. There's an XOR plugin for PyCharm that allows you to connect to your XOR instance and then allows you to write your code within PyCharm and run it against the "Misto mock code," I believe they call it, where you can develop your code outside of XOR for whatever reason. If you're more comfortable using PyCharm—if that's what you've used before—I know it's a very popular IDE. So you can develop your code outside of XOR, sorry, and that will automatically put it on. You can upload it to XOR. From there, I believe you can upload it to the Marketplace as well. I will be doing a video on creating integrations, but as for the PCSAE, I don't think it really needs to go that far. However, from this particular aspect, let's talk about how we do it and the way to create it. Just quickly, if you have an integration that you want to download from somebody, you can upload it using the wonderfully named Upload integration, and then you've got a version history for all integrations. But if you want to create your own, click on the "bring your own integration" button. And again, there's a lot of documentation here that, if you read through it, makes a lot of sense. If you already know about coding, it makes even more sense. You can create and drag your own logo and bring that in here. You've got all the options that you have here. So the name description makes perfect sense, "utilities," so you would cross that off, and then you've got to choose a type. So it's authentication, and then you see how it refers to brand. You'd use that later. So you'd be using brand. So if you do who is and then query using brand, and then the brand is, as you can see, who is for that particular query because who is query is the only one that exists. So that is what you would refer to later on in order to refer to your integration. So then we have the fetches instances and fetches indicators, which make perfect sense, whether they are fetches instances or fetches indicators. So if that's an EDL or something like that, you would have fetched indicators, an external schema, support, syncmirror in, syncmirror out, long-running integration—all those are covered within the code explanations. And then of course you have your parameters, detailed instructions on how to do it, and the commands that you're going to run. This is from the Hello, World! one. It seems to have loaded that one in the background, and then the Docker music is going to run it. Okay. And then you would save your "I've saved it," which is probably the best thing to do, or save your version. Sorry, I'll just go back to that. So if you save under there, that just saves the whole thing, which is probably the best thing to do at first, and then saving a version allows you to use this one. So if you then change it and you change your settings and it stops working or you want to revert to a previous version, I would always do version control until you're happy, then you can drop back to a different version and load a different version from there. Okay, so that's basically how you start building your own integration and your own code. So we talked about the excavation mark. The next thing they're going to really want you to know about is what we call integration concepts. So it's to differentiate between parameters and arguments within the integration. So in this context, a parameter is a configurable value that is globally available. This means that every command can or will use those objects to run. And there are several types of parameters, such as standard ones such as boolean, long or short text, API keys, usernames, and so on, which are all then available tool commands. as the term implies, further down the argument Again, if you're comfortable with coding, then you know what arguments are light parameters that are user configurable, but in some countries, parameters are single-use only and available only to a single command. So you've got a command followed by an argument. In my limited programming experience, that is pretty much standard. So we need to now look at defining integration types because the exam will expect you to know different integration types. And the best way to research is to look around the marketplace. So if we go to the marketplace, basically, that is where you can download stuff. So these are my install contact packs, and I have so many installed due to update availability that you have all packs. So these are all the ones that are installed. But if we go to the marketplace and browse, we can start to have a look at what's actually available. And there are some premium ones, which obviously must be paid for. And then you get a subscription fee, so you can install the free trial for this one and then also take up the subscription later. The range of things you can do with XOR, as well as the range of third-party integration and information sources, is absolutely enormous. The idea behind XOR isn't really to hold up a little Palo Alto flag and say that Palo Alto is the best and everybody else has got it wrong. It's literally designed specifically to allow you to integrate stuff that you already have. So third-party feeds and sensors and IPS, for example, all that type of thing, existing firewall infrastructure, existing VFN infrastructure, existing socks infrastructure—you have it all in one place rather than having to move everything over to Palo Alto in one big hit. On the back end, it's literally Bender Agnostic. But also, it's really been designed with the understanding that, as far as security analysis and information are concerned, you can never have too much. You can't have too much information. What you do have and what you can do, and what we're seeing increasingly within security operations centers, is too much noise, too many alerts, and everything coming together. And what is critical for one particular vendor may not be for another. You have some vendors there at the moment. either by virtue of the vendor itself. or by virtue of the fact that it hasn't been configured the right way or there are gaps in the configuration. They're giving out a lot of noise, and then you've got people looking, so you do have information exhaustion. You do have analysts struggling to know what to look at. and not only that. But obviously, spending time looking for possibly the wrong thing is a waste. And so the idea is to put it all in one place and to filter out the stuff at the bottom, the noise, as best we can by using best practises and by using XOR engineers such as yourself. When you pass this exam anyway, that's me banging on myself. So basically, those are the premium ones. And then if we go here, we can see that we've got a proof point. For example, risk cents are all downloadable. So if I install that there, installit, it has one integration. And then I could go make an instance of that, and it would show you the integration email gateway description, userproof point response, integration tool, straight and automate, instant response, and 13 commands. So then this is what you would use. And you could use this within automations and playbooks to ultimately take action in this particular instance. You take in an email, something looks suspicious, and this can then run that email through Proof Point and tell you whether or not you need to look at it. The dependencies for the particular contact packversion history, so you can see what was done and what was wrong. So version 1.1 clearly has nothing wrong with it. And then what you can see is that you can revert to the versions that are in it, although I wouldn't in that particular instance and certainly wouldn't anyway. When we return to server configuration, we can go to Proof Point, add the instance, and see all of the sections that we could configure when we built our own instance, their own integration. Sorry. Okay, so all of this now returns to the marketplace integration list, which includes, but is not limited to, analytics and SIM authentication, case management, data enrichment, threat intelligence, database deception, and email gateway. as demonstrated by a proof point endpoint, forensic amount It's services, messaging, network security, threat intelligence, utilities, vulnerability management, you name it—there's something there. And if there isn't something there and you write your own integration and it works really well, you can submit that to the marketplace, where under contributions you can contribute your content. And it's got all the automations that have been written by me, none of which are worth anything to anybody. And then that will go through an approval process with Excel, and if it's found to be okay, they will then normalize. They don't alter the code other than to make sure that it runs perfectly every time and to ensure the dependencies are met as well. And it's then on here, and if you decide to charge for it, then I imagine—I don't know anything about that side of it—that there's some kind of financial enumeration. But the fact is, if it doesn't exist, you can create it. So, going through from there, in the case where you created it, it isn't working. Part of the exam is applying basic troubleshooting. If the integration is not performing well throughout the integration process, it will break. Unlike all code, you'll need to debug the program. I'd be cautious of any programmer who claims they don't have to do this because their nodes will be growing. So, as previously stated, you can run the code and look for logs in the war room, or you can use PyCharm plugins, which add an asidebar to the PyCharm user interface that provides auto-complete functions and code suggestions, and so on. On the Misto code, and that will be the most convenient way to debug your code. That's pretty much everything that I've seen of all the documentation of the exam. That's pretty much all that they're going to expect you to know about that; you can do a bit more research on it. But basically, the top and bottom of it are that you can put a whole load of print statements in to see where it's failing or whether you've ever debugged code in any way. shape or form. Then you'll know what to do. So then we have the classification and mapping, and this is where you start to look at the strength of XOR because this is where we go from. We begin with the integration, specifically the instance of the integration that ingests data. And then, as we can see, the first thing for it to go through is if we go to if I stop clicking that, which will be very helpful. So we can see that this is literally the logical flow of it. So we've got a classifier set. The classifier instant type of classifier doesn't exist. So if we don't want to classify this traffic and just create an incident from it, which would be the case in this case if we don't classify it ourselves, it will drop the instant type; it needs instant type there, and then it matches. You can create your own mapper. You've got the standard sort of mapping that's already here for phishing and stuff like that. And that's mapping the data that's ingested to fields within your incident. I'll do better than just talk through that because that started to wander off into the land of bullshit. So here we go. So classification and mapping As a result, we received panel log alerts, which are classifiers. So to classify this, this is where I drag stuff in from Syslog on my firewall. So the only real thing you can take from this is the content, which is a comma-separated value that is just gobbly gook until you split it up. Now, what I did find was that for all the threat logs that came through with threats being there, it was this, which is index three, so 0123, that contained the type of threat that it was. So in this case, it's spyware. You can see I've got a packet, which is reconnaissance and vulnerability. Now you can draw from your instance when you do this; you can fetch data through it, so you can configure it based on that. However, one rather annoying thing, I don't know ifit's just me, but if your instance is setto not pull incidents, do not fetch incidents, youcan't pull from it, I suspect it's probably becauseyou're kind of switching instance off. So we're also using Splunk as well.which I also logged into. What I was able to do waseven though all these are spyware. I put those under the malware and then this isthe instant type that's going to be created as aresult of this classification put packet under a constance becauseI know that is that type of log when it'sdetecting host suites and pool sweeps and things like thisand then vulnerability for when it's picking up anything todo with CVS or anybody trying any kind of anykind of hacking into the system or to use avulnerability that it knows about. So you can do that simply by if you know whatthat is by adding the value in there now anything thatwas to come through that test value there which will beabsolutely zero that would then create trapped interdimen okay so ifI come away from there so it's in advanced then instanttypes so if we come down now to malware here rememberthat's what it's going to be and you can create newinstant types so you don't need to stick with the typesor any if you really want to if you want tohave multiple types of malware for instance instance you can malwareone. Two and three and have them handled in a different wayand then just tell then just pull that information from theclassifier into your incident type and then it will classify asthat kind of incident type and then in here you've gotthe layout talk about that in a minute. The default playbook is going to run on the playbookautomatically so specifically with things like manual investigations I don'tknow if there's any real advantage in running the playbookautomatically you can run it automatically but it will juststop at the manual tasks in my particular instance becauseI'm running the community version and only have 166 commandsin a day I don't run any playbooks automatically becausethey can soon run away with you and before youknow it you've enriched stuff that you didn't even knowabout and you've ended up with a manner of issues all talks straight instant indicators the default is in lineso it's done at the same time none is noinline as I say is the default or you canselect inline and then out of band is afterwards whatyou got to remember is if you do it Outbandthen when the incident is created it won't have allthe information at that time. Post processing is what you do afterwards generate investigation summer Report is a specifically good one so youput that in there and then as you closethat investigation automatically would generate an investigation summer Report I can't demonstrate that here because the reporting functionfor the community version isn't available and then aspart of that instant type based on what youdecided it's going to be you then got anSLA and you can select different SLAs with differentinstant types obviously then set reminder and a reminderfor when you want a reminder which is straightforward. So, returning to classification and mapping, So we had the classifier for that. But now what we want to do iswe want to map it as well. So we want to see what kind of information we want topull from here, which is the raw data, always JSON data. And this is specifically because this is a syslog. So it's the instant type that we're going to use again. So if I want to say, okay, malware, So I now have there's the details, I can saythat I want to destination, go for destination IP. Sorry, my bad. Okay, so I can get the content and apply a transformer to it. I'm going to split it. It's comma deliminated, remember. So I'm splitting it at the comma, and then I'm going to get index nine and hope that's right. So then I can split that, get index nine fromthat, and then I can test it against my sampleand show me what the result will be done testing. Okay, so from now on, when you get malware, it's created from that incident. Basically, when it says, "Okay, an instant," you will pull that particular end result, and that will match the destination IP field of your layout. Okay? So then we go back to advanced layout, andthen this is where you then create a layout. And I'm not going to labour too much overthis because really one of the interesting things aboutthis is it tends not to concentrate on thisbecause this is really designed to be as simpleand straightforward as possible, the indicator summary. So this is for an indicator layout, the indicator summary, and the quick view. Those relate directly to the indicator summary when you get an indicator or the quick view. And that is exactly so if we get anincident that's exactly the same here, you can seeyou've got the same across the top and thenas you've got when you get the instant itself. And you can change what's in there, not in thisparticular one, because it's locked, but it's drag and drop. So then the new edit form is there when youcreated a new co fi security alert, when you're closingit, and you can edit what you want in there,what needs to go in there, what needs to bemandatory, what's not, the instant quick view. You've got the timeline information, for instance, and the basic information I really need to change my colours and how it appears on mobile. So you can configure all that from top to bottom, inside out, from scratch, or you can edit an already existing one. Although you have to remember, if you're going to edit an existing one, you need to copy it and sort of edit it over. You can't edit the actual document itself. You need to copy one that's there and then edit the copy. Okay, so then go back to instant types and then malware editing. And then that's where you get toselect your layout based on your incident. That's been ingested, really, for domainthree, that is pretty much it. It's going to want you to understand how youwant you to understand how you in summary, thenI guess it's going to want you to understandhow you classify something, how you map it. It also wants to know why you would do that. So you would have to go into very muchyou can have to understand that certain information. And I'm sure if you work in a sock or if you're considering being an EXO engineer, then you probably know this, but you're going to have to understand that there are different types of security events. And for each of those security events, there is a very different, sometimes very pertinent type of information. So for a malware incident, you probably don't want tobe looking at email addresses and things like this becauseit's going to have very little to do with it. And so the idea behind creating your own layouts,creating your own incidents, and then putting them togetherin the way that your customer wants what youwant, so that when you're building it for yourselfis that literally you have only the information thatis required, because that's the most efficient way toget from incident to resolution. Other than that, everything else that you have to read that has nothing to do with it is just taking up time, just not responding to the incident. So you need to understand that I'm just going to check through and make sure that I've covered everything. I've covered everything. So then you know about the process of contributing integrations to the marketplace. As I said, you create them, and then you can either upload them through GitHub. You can put them on a GitHub repository, so people just pull them down and use them, or you can send them straight to XOR for approval, and then they are uploaded to the marketplace, shared, and installed as any other contact pack would be. You can add, yeah, an interesting thing. So make sure I don't forget this within this particular one, because this also wants you to be able to describe the integrations and the difference between an integration and an instance of an integration. So if we just go to that So let's say you're a managed security service provider, or managed service security provider, whatever you want to call it. So you've got multitenants. You wouldn't need multiple integrations. If they are both using McAfee, for instance, then you can have an instance for customer A and an instance for customer B, and never the twain shall meet. So you would configure

Go to testing centre with ease on our mind when you use Palo Alto Networks PCSAE vce exam dumps, practice test questions and answers. Palo Alto Networks PCSAE Palo Alto Networks Certified Security Automation Engineer certification practice test questions and answers, study guide, exam dumps and video training course in vce format to help you study with ease. Prepare with confidence and study using Palo Alto Networks PCSAE exam dumps & practice test questions and answers vce from ExamCollection.