Exam Vouchers: Palo Alto Networks: Certified Security Operations Professional (PAN-CSOP)

  • Price: Please call
  • Code: PAN-CSOP

Description

The Palo Alto Networks Certified Security Operations Professional certification is designed to validate knowledge, understanding, and the job-ready skills required for basic application of the Palo Alto Networks Cortex portfolio of solutions and related technologies in a Security Operations Center (SOC).

This exam is designed for individuals in the following job roles:

  • Security Operations Center (SOC) professionals responsible for the basic application of Palo Alto Networks Cortex products and solutions:
    • Cortex XDR
    • Cortex XSIAM
    • Cortex XSOAR

Further Information

Palo Alto Networks certification exam items are developed and approved by exam development experts in conjunction with subject matter experts (SMEs) who represent a broad spectrum of roles relevant to each certification. Each item is referenced to a publicly available technical or scholarly source.

Objectives

Candidates should be able to demonstrate an understanding of SecOps processes and procedures, including the following:

  • MITRE ATT&CK framework
  • Incident response plans
  • Investigative lifecycle
  • Cortex XDR, Cortex XSIAM, Cortex XSOAR in the SOC
    • Review dashboards and generate reports (compliance)
    • Identify key components of incidents
    • Initiate playbooks
    • Identify IOCs
    • Escalate incidents
    • Initiate response actions
  • Basic knowledge of analytics concepts, such as profiling and entity classification
  • Alerts and incidents
  • Interaction with playbook tasks to progress an investigation

Content

Security Operations Fundamentals 25%

  • Explain the function of users, roles, log management, compliance, and data protection in Cortex XDR
  • Explain the process of creating and managing reports and dashboards in Cortex products
  • Explain the common components and functions of a Security Operations Center (SOC)
    • Roles and responsibilities
    • Tools, technologies, and analytics
  • Differentiate between AI and machine learning (ML) in Security Operations

Threat Intelligence and Incident Response 16%

  • Identify and explain the steps of the NIST incident response plan
  • Explain the concept of incident management and response
  • Explain the role of threat intelligence in incident response
  • Explain the function of incident categorization and prioritization
  • Explain how file, IP address, domain, and URL indicator types are used in Cortex products
  • Compare and contrast WildFire, Unit 42 intelligence, and VirusTotal
  • Evaluate false positive, false negative, and true positive security incidents
  • Conduct basic threat hunting based on common indicator types

Cortex XDR 23%

  • Identify and explain the use of key Cortex XDR elements
    • Sensors
    • Log Stitching
    • Causality View
    • WildFire
    • Detection and response
    • Behavioral analytics
    • Data sources, users, artifacts, and assets in investigations
  • Explain the process of agent management and deployment, including cloud workloads
  • Identify use cases where a business would benefit from Cortex XDR compared to an EDR solution

Cortex XSOAR 16%

  • Explain the features and functionality of Cortex XSOAR
    • Marketplace
    • Playbooks
    • Third-party system integration
    • Indicators and feeds in Threat Intelligence Management
    • War Room
    • Incident investigation
  • Differentiate between scripts and jobs in Cortex XSOAR

Cortex XSIAM 20%

  • Explain the function of key Cortex XSIAM components
    • Sensors
    • Log Stitching
    • Automations and integrations
    • Content packs
    • Playbooks
  • Explain Cortex XSIAM processes, capabilities, use cases, and rules
    • Data ingestion
    • Key investigation artifacts and assets
    • Threat management, detection, and response
    • Threat hunting and investigation searches and queries
    • IOC, BIOC, and correlations

Prerequisites

Completion of the following Digital Learning Path is recommended:

  • Introduction to SecOps
  • SOC Processes
  • Network-Focused Security
  • Cortex Cloud-Focused Security
  • Endpoint Security
  • Threat Investigations
  • Automation and Orchestrations
  • Cortex Portfolio