Paloalto Networks XSIAM-Engineer Palo Alto Networks XSIAM Engineer Exam Practice Test

To show incidents assigned to a specific user in a Cortex XSIAM custom dashboard, the engineer should use filters and inputs in the custom dashboard. This enables dynamic filtering of incident data, allowing the dashboard to be customized based on user assignment.

The correct command is cytool import suex -path , which imports a supplied support exception (suex) file onto a Linux endpoint, ensuring the exception is applied locally.

For Cortex XDR agents running on servers in zones without internet access, a Broker VM is used as a communication bridge. The Broker VM securely relays traffic between the isolated agents and the Cortex platform, maintaining connectivity without requiring direct internet access from the servers.

During Cortex XSIAM tenant activation, data at rest is configured with AES 128 encryption by selecting "BYOK" (Bring Your Own Key) under the Advanced → Encryption Method option and following the wizard’s instructions. This ensures secure key management and compliance with encryption standards.

To prevent Cortex XSIAM from automatically extracting indicators (like IPs, domains, and URLs) from a script’s output, you must use 'AutoExtract': False in the script. This disables the auto-extraction mechanism for that script.

Cortex XSIAM ingests structured third-party logs (such as CEF, LEEF, and JSON) by breaking down the key-value pairs and saving them in a normalized table format. This enables efficient correlation, analytics, and query performance across diverse log sources while preserving data fidelity.

The cytool adaptive_policy recalc command is used to look up and recalculate the policy being applied to a Cortex XDR agent, allowing engineers to verify the active policy enforcement on the endpoint.

The most secure approach is to create a Disable Prevention Rule via Exceptions Configuration, scoped specifically to the Exceptions-AppServers profile. This rule should include the hash (SHA256), signer (Microsoft Corporation), and file path (C:\Windows\System32\cmd.exe). This ensures the exception is applied only to the trusted, legitimate process on the AppServers group while minimizing the security gap.

The correct command is cytool config proxy --host crtxbroker01.company.net --port 8888, which configures the Cortex XDR agent to route its traffic through the Broker VM acting as a proxy. This allows the agent to register and download updates without requiring direct internet access.

Broker VM options appear greyed out in the Agent Settings profile when the Local Agent Settings applet is activated without an FQDN. An FQDN is required for agents to resolve and connect to the Broker VM as a download source.

The integrationContext object in Cortex XSIAM is persistent across integration command runs and is managed using get_integration_context() and set_integration_context(). This allows data (such as key-value dictionaries) to be stored and retrieved reliably between executions.

The XQL query uses regextract with conditions to check if the source IP begins with 149.235. When true, it assigns the replacement value 192.168.10.1, otherwise it extracts the source port. From the given logs, this produces 123 (from the port extraction in the second log) and 192.168.10.1 (replacement for the first log’s matching source IP).

The !setIncidentFields command is used in the Incident War Room to directly update incident fields that are defined in the incident layout, ensuring the incident record reflects the latest information.

Persistent timeout issues with Cortex XSIAM Live Terminal, despite firewall rules being open, are often caused by SSL Decryption inspecting the traffic. Live Terminal relies on secure, end-to-end TLS communication, and decryption breaks this channel, leading to session failures.

For upgrading a non-Linux Kubernetes cluster, the correct installer type is Helm, since Helm charts are the supported method for deploying and managing Cortex XDR agents in Kubernetes environments.

When creating a custom incident domain in Cortex XSIAM, alert grouping still applies, allowing related alerts to be combined into incidents. However, SmartScore is not applied, since it is reserved for predefined domains.

To enforce least privilege for Building 3 administrators, SBAC must be enabled in Restrictive Mode and the administrators’ scope must be limited to EG:Building3. This ensures they can only manage endpoints within the Building 3 group, even if those endpoints are also part of other groups, while blocking access to endpoints outside their responsibility.