XSIAM-Engineer Palo Alto Networks XSIAM Engineer Questions and Answers

In the Incident War Room, which command is used to update incident fields identified in the incident layout?

A Cortex XDR agent is installed on an endpoint, but the agent is unable to download content updates and has not registered with the Cortex XSIAM server. An engineer troubleshoots the network connection and determines that, by design, this endpoint does not have direct internet access to the required network destinations for the Cortex XDR agent traffic.

A Broker VM that has the local agent settings applet enabled with Agent Proxy configured is reachable by the endpoint. The Broker VM details are as follows:

FQDN: crtxbroker01.company.net

Proxy listening port: 8888

How should the engineer configure the Cortex XDR agent to use the existing Broker VM as a proxy for the agent network traffic?

Which option should be used when customizing a dashboard in Cortex XSIAM to include a widget that will display data filtered by more than one dynamic value?

An application which ingests custom application logs is hosted in an on-premises virtual environment on an Ubuntu server, and it logs locally to a .csv file.

Which set of actions will allow the ingestion of the .csv logs into Cortex XSIAM directly from the server?

An application which ingests custom application logs is hosted in an on-premises virtual environment on an Ubuntu server, and it logs locally to a .csv file.

Which set of actions will allow the ingestion of the .csv logs into Cortex XSIAM directly from the server?

Cortex XSIAM has not received any logs for 30 minutes from a Palo Alto Networks NGFW named "MainFW.” An engineer wants to create an alert for this scenario.

Correlation rule settings include:

Time Schedule: Every 30 minutes

Query Timeframe: 30 minutes

Action: Generate alert

Alert Name: No logs received from MainFW in the past 30 minutes

Which query should be used in the correlation rule?

A)

B)

C)

D)

A vulnerability analyst asks a Cortex XSIAM engineer to identify assets vulnerable to newly reported zero-day CVE affecting the "ai_app" application and versions 12.1, 12.2, 12.4, and 12.5.

Which XQL query will provide the required result?

A)

B)

C)

D)

What is the purpose of using rolling tokens to manage Cortex XDR agents?

A Cortex XSIAM engineer is implementing role-based access control (RBAC) and scope-based access control (SBAC) for users accessing the Cortex XSIAM tenant with the following requirements:

Users managing machines in Europe should be able to manage and control all endpoints and installations, create profiles and policies, view alerts, and initiate Live Terminal, but only for endpoints in the Europe region.

Users managing machines in Europe should not be able to create, modify, or delete new or existing user roles.

The Europe region endpoints are identified by both of the following:

Endpoint Tag = "Europe-Servers" and Endpoint Group = "Europe" for servers in Europe

Endpoint Group = "Europe" and Endpoint Tag = "Europe-Workstation" for workstations in Europe

Which two sets of implementation actions should the engineer take? (Choose two.)

Administrators from Building 3 have been added to Cortex XSIAM to perform limited functions on a subset of endpoints. Custom roles have been created and applied to the administrators to limit their permissions, but their access should also be constrained through the principle of least privilege according to the endpoints they are allowed to manage. All endpoints are part of an endpoint group named "Building3," and some endpoints may also be members of other endpoint groups.

Which technical control will restrict the ability of the administrators to manage endpoints outside of their area of responsibility, while maintaining visibility to Building 3's endpoints?

A Behavioral Threat Protection (BTP) alert is triggered with an action of "Prevented (Blocked)" on one of several application servers running Windows Server 2022. The investigation determines the involved processes to be legitimate core OS binaries, and the description from the triggered BTP rule is an acceptable risk for the company to allow the same activity in the future.

This type of activity is only expected on the endpoints that are members of the endpoint group "AppServers," which already has a separate prevention policy rule with an exceptions profile named "Exceptions-AppServers" and a malware profile named "Malware-AppServers."

The CGO that was terminated has the following properties:

SHA256: eb71ea69dd19f728ab9240565e8c7efb59821e19e3788e289301e1e74940c208

File path: C:\Windows\System32\cmd.exe

Digital Signer: Microsoft Corporation

How should the exception be created so that it is scoped as narrowly as possible to minimize the security gap?

When a Cortex XSIAM playbook execution reaches a breakpoint on a non-manual task, which two actions will allow the playbook to continue? (Choose two.)

Which types of content may be included in a Marketplace content pack?

Which cytool command will look up the policy being applied to a Cortex XDR agent?

An engineer wants to onboard data from a third-party vendor’s firewall. There is no content pack available for it, so the engineer creates custom data source integration and parsing rules to generate a dataset with the firewall data.

How can the analytics capabilities of Cortex XSIAM be used on the data?