Winter Sale- Special Discount Limited Time 65% Offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

Activedumpsnet Logo
  1. Home
  2. Paloalto Networks
  3. Security Operations
  4. XSIAM-Engineer
  5. XSIAM-Engineer - Palo Alto Networks XSIAM Engineer

Paloalto Networks XSIAM-Engineer Palo Alto Networks XSIAM Engineer Exam Practice Test

Page: 1 / 6
Total 59 questions
Get XSIAM-Engineer Full Access Download XSIAM-Engineer PDF

Palo Alto Networks XSIAM Engineer Questions and Answers

Question 1

In the Incident War Room, which command is used to update incident fields identified in the incident layout?

Options:

A.

!setIncidentFields

B.

!setParentIncidentFields

C.

!setParentIncidentContext

D.

!updateParentIncidentFields

Question 2

When Cortex XDR agents are on servers in a zone with no internet access, which configuration will keep them communicating with the platform?

Options:

A.

Logging service in the isolated zone

B.

Broker VM

C.

Integration using filebeat

D.

Engine

Question 3

Which two requirements must be met for a Cortex XDR agent to successfully use the Broker VM as a download source for content updates? (Choose two.)

Options:

A.

Device Configuration profile applied to the XDR agent must specify the Broker VM as a Download Source.

B.

Agent Settings profile applied to the XDR agent must specify the Broker VM as a Download Source.

C.

Broker VM must be configured with an FQDN.

D.

XDR agent must authenticate to the Broker VM using a machine certificate.\

Question 4

Which action will prevent the automatic extraction of indicators such as IP addresses and URLs from a script's output?

Options:

A.

Add 'ExtractIndicators': False to the script.

B.

Add 'IgnoreAutoExtract': True to the script.

C.

Use 'AutoExtract': False in the script.

D.

Set 'IndicatorExtraction': None in the script.

Question 5

A Cortex XSIAM engineer is implementing role-based access control (RBAC) and scope-based access control (SBAC) for users accessing the Cortex XSIAM tenant with the following requirements:

Users managing machines in Europe should be able to manage and control all endpoints and installations, create profiles and policies, view alerts, and initiate Live Terminal, but only for endpoints in the Europe region.

Users managing machines in Europe should not be able to create, modify, or delete new or existing user roles.

The Europe region endpoints are identified by both of the following:

Endpoint Tag = "Europe-Servers" and Endpoint Group = "Europe" for servers in Europe

Endpoint Group = "Europe" and Endpoint Tag = "Europe-Workstation" for workstations in Europe

Which two sets of implementation actions should the engineer take? (Choose two.)

Options:

A.

Verify and confirm that SBAC mode under "Server Settings" is set to "Restrictive," and assign "EG:Europe" under the user permission scope configuration.

B.

Use the pre-defined roles, assign the "Instance Administrator" role to the user or user group managing Europe-based endpoints.

C.

Verify and confirm that SBAC mode under "Server Settings" is set to "Permissive," and assign "EG:Europe" under the user permission scope configuration.

D.

Use the pre-defined roles, assign the "Privileged IT Admin" role to the user or user group managing Europe-based endpoints.

Question 6

While using the playbook debugger, an engineer attaches the context of an alert as test data.

What happens with respect to the interactions with the list objects via tasks in this scenario?

Options:

A.

The original content of the list and the original context are not altered, because Cortex XSIAM is running inside debug mode.

B.

The original content of the list is not altered, but the original context is, because XSIAM commands are running within debug mode.

C.

The original content of the list is altered, but the original context is not, because Cortex XSIAM commands interact directly with the original list objects within debug mode.

D.

The original content of the list and the original context are altered, because Cortex XSIAM tasks interact directly with the objects, even within debug mode.

Question 7

Which two alert notification options can be configured without creating a playbook? (Choose two.)

Which two alert notification options can be configured without creating a playbook? (Choose two.)

Options:

A.

Pager Duty

B.

Email

C.

Slack

D.

SMS

Question 8

Which installer type should be used when upgrading a non-Linux Kubernetes cluster?

Options:

A.

Standalone

B.

Helm

C.

Upgrade from ESM

D.

Kubernetes

Question 9

Administrators from Building 3 have been added to Cortex XSIAM to perform limited functions on a subset of endpoints. Custom roles have been created and applied to the administrators to limit their permissions, but their access should also be constrained through the principle of least privilege according to the endpoints they are allowed to manage. All endpoints are part of an endpoint group named "Building3," and some endpoints may also be members of other endpoint groups.

Which technical control will restrict the ability of the administrators to manage endpoints outside of their area of responsibility, while maintaining visibility to Building 3's endpoints?

Options:

A.

SBAC enabled in Building 3's IP range with the "EG:Building3" tag assigned to each administrator's scope

B.

SBAC enabled in Permissive Mode with the "EG:Building3" tag assigned to each administrator's scope

C.

SBAC enabled in Restrictive Mode with the "EG:Building3" tag assigned to each administrator's scope

D.

SBAC enabled globally with the "EG:Building3" tag assigned to each administrator's scope

Question 10

A Cortex XSIAM engineer adds a disable injection and prevention rule for a specific running process. After an hour, the engineer disables the rule to reinstate the security capabilities, but the capabilities are not applied.

What is the explanation for this behavior?

Options:

A.

The engineer needs to restart the process to get back the security capabilities.

B.

The engineer needs a support exception to get back the security capabilities.

C.

The engineer needs to wait for the time period configured in the rule to pass first.

D.

The engineer can disable the rule, but security capabilities are not applied to the process.

Question 11

Which step must be taken to enable Cloud Identity Engine on Cortex XSIAM?

Options:

A.

Enable SSO integration.

B.

Activate it in the Customer Support Portal.

C.

Activate it on HUB.

D.

Enable Active Directory log collection.

Question 12

A security engineer notices that in the past week ingestion has spiked significantly. Upon investigating the anomaly, it is determined that a custom application developed in-house caused the spike. The custom application is sending syslog to the Broker VM Syslog Collector applet. The engineer consults with the SOC analyst, who determines that 90% of the logs from the custom application are not used.

What can the engineer configure to reduce the ingestion?

Options:

A.

Parsing rule to drop the unnecessary data at the Broker VM

B.

Data model rule to drop the unnecessary data

C.

Correlation rule on the Cortex XSIAM server to drop the unnecessary data

D.

Data model rule to map the useful data

Question 13

A Behavioral Threat Protection (BTP) alert is triggered with an action of "Prevented (Blocked)" on one of several application servers running Windows Server 2022. The investigation determines the involved processes to be legitimate core OS binaries, and the description from the triggered BTP rule is an acceptable risk for the company to allow the same activity in the future.

This type of activity is only expected on the endpoints that are members of the endpoint group "AppServers," which already has a separate prevention policy rule with an exceptions profile named "Exceptions-AppServers" and a malware profile named "Malware-AppServers."

The CGO that was terminated has the following properties:

SHA256: eb71ea69dd19f728ab9240565e8c7efb59821e19e3788e289301e1e74940c208

File path: C:\Windows\System32\cmd.exe

Digital Signer: Microsoft Corporation

How should the exception be created so that it is scoped as narrowly as possible to minimize the security gap?

Options:

A.

Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to the "Exceptions-AppServers" profile.

B.

Create a Disable Prevention Rule via Exceptions Configuration with the following selections:

Option B13

C.

Create a Legacy Agent Exception via Exceptions Configuration with the following selections:

Option C13

D.

Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to "Global."

Question 14

A Cortex XSIAM engineer at a SOC downgrades a critical threat intelligence content pack from the Cortex Marketplace while performing routine maintenance. As a result, the SOC team loses access to the latest threat intelligence data.

Which action will restore the functionality of the content pack to its previously installed version?

Options:

A.

Contact Palo Alto Networks Support to create an exception to revert to the previously installed version.

B.

Back up the current configuration and data, then revert to the previously installed version.

C.

Remove all integrations and playbooks associated with the content pack, then revert to the previously installed version.

D.

Directly reinstall the previously installed version over the current one.

Question 15

How does Cortex XSIAM manage licensing for Kubernetes environments?

Options:

A.

Managed per namespace and returned when the namespace is decommissioned

B.

Issued per container and returned upon container termination

C.

Issued for each node and returned when the agent is removed or the node is deleted

D.

Applied per service deployment and returned upon service deactivation

Question 16

How can a Cortex XSIAM engineer resolve the issue when a SOC analyst escalates missing details after merging two similar incidents?

Options:

A.

Check the War Room of the destination incident.

B.

Examine the incident context of the source incident.

C.

Unmerge the incidents and copy the missing details into the incident notes.

D.

Check the child incident of the destination incident.

Question 17

An engineer wants to onboard data from a third-party vendor’s firewall. There is no content pack available for it, so the engineer creates custom data source integration and parsing rules to generate a dataset with the firewall data.

How can the analytics capabilities of Cortex XSIAM be used on the data?

Options:

A.

Create a behavioral indicator of compromise (BIOC) rule on the network fields (source IP, source port, target IP, target port. IP protocol).

B.

Create a data model rule with network fields mapped (source IP. source port, target IP. target port. IP protocol).

C.

Create a correlation rule on the network fields (source IP. source port, target IP. target port. IP protocol).

D.

Create a parsing rule and ensure the network fields exist (source IP. source port, target IP. target port. IP protocol).

Load More XSIAM-Engineer Questions 
Page: 1 / 6
Total 59 questions
Get XSIAM-Engineer Full Access Download XSIAM-Engineer PDF