Palo Alto Networks XSOAR-Engineer Exam - Topic 3 Question 1 Discussion

Actual exam question for Palo Alto Networks's XSOAR-Engineer exam

Question #: 1
Topic #: 3

[All XSOAR-Engineer Questions]

You need to retrieve a list of all malicious hashes over the last 30 days. What is the correct query to use?

Atype:File reputation:Malicious sourcetimestamp:'30 days ago'

Btype:File verdict:Malicious sourcetimestamp:<='30 days ago'

Ctype:File reputation:Malicious sourcetimestamp:='30 days ago'

Dtype:File verdict:Malicious sourcetimestamp:>='30 days ago'

Show Suggested Answer

Suggested Answer: A

by Jeffrey at Dec 20, 2025, 02:37 PM

Limited Time Offer

25%

Off

Get Premium XSOAR-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Teresita

6 days ago

Hmm, I'm not sure about that. Shouldn't we be using the "sourcetimestamp" field instead of just "timestamp"? I'd go with option D.

upvoted 0 times

...

Claribel

11 days ago

Option B looks good to me. Using the "verdict:Malicious" criteria seems more appropriate than "reputation:Malicious".

upvoted 0 times

...

Bambi

16 days ago

I think option D is the correct one. The query should use the greater than or equal to operator to retrieve all malicious hashes over the last 30 days.

upvoted 0 times

...

Horace

21 days ago

I want to say it's option D because it mentions "verdict" and uses the right date format, but I need to double-check my notes on that.

upvoted 0 times

...

Magdalene

26 days ago

I'm a bit confused about the difference between "reputation" and "verdict." I feel like I might have seen "verdict" used more often in examples.

upvoted 0 times

...

Georgeanna

1 month ago

I remember practicing a similar question, and I think the correct operator for the date should be ">=" to include the last 30 days.

upvoted 0 times

...

Trinidad

1 month ago

I think the query should focus on the "verdict" rather than "reputation," but I'm not entirely sure which timestamp format to use.

upvoted 0 times

...

Glenn

1 month ago

I'm a bit unsure about this one. I think I need to double-check the syntax for the timestamp filter to make sure I'm using the right operator and format.

upvoted 0 times

...

I'm pretty confident that D is the correct answer. The "verdict:Malicious" part clearly indicates we're looking for hashes that have been marked as malicious, and the ">=" operator on the timestamp will give us all the hashes from the last 30 days.

upvoted 0 times

...

Brigette

2 months ago

Option B seems like it could work, but I'm not sure if the "<=" operator is the correct one to use for the timestamp. Shouldn't it be ">=" to get all the hashes from the last 30 days?

upvoted 0 times

...

Stevie

2 months ago

Hmm, I'm a bit confused about the difference between "reputation" and "verdict" in the options. Do they mean the same thing in this context?

upvoted 0 times

...

Hannah

2 months ago

I think it's A. Seems straightforward.

upvoted 0 times

...

Tasia

2 months ago

I think option D looks right, since we want to get all the malicious hashes over the last 30 days, and that query checks for a timestamp greater than or equal to 30 days ago.

upvoted 0 times

Dewitt

2 months ago

I disagree, I think option A is more accurate.

upvoted 0 times

...