Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: validbest

Discussions
  1. Home
  2. Paloalto Networks
  3. Security Operations
  4. XSIAM-Engineer
  5. Palo Alto Networks XSIAM Engineer Questions and Answers

Pass the Paloalto Networks Security Operations XSIAM-Engineer Questions and answers with ValidTests

Exam XSIAM-Engineer All Questions
Exam XSIAM-Engineer Premium Access

View all detail and faqs for the XSIAM-Engineer exam

Go to Exam
Viewing page 2 out of 2 pages
Viewing questions 11-20 out of questions
Questions # 11:

An engineer needs to migrate Cortex XDR agents without internet connection from Cortex XSIAM tenant A to Cortex XSIAM tenant B. There is a broker configured for each tenant. This is the communication flow:

XDR agents <-> Broker A <-> XSIAM tenant A

XDR agents <-> Broker B <-> XSIAM tenant B

Which two steps should be taken before moving the agents? (Choose two.)

Options:

A.

Install a new Broker C on site B, and register it into Cortex XSIAM tenant A.

B.

Install a new Broker C on site and register it into Cortex XSIAM tenant B.

C.

Also register Broker A to Cortex XSIAM tenant B.

D.

Select all endpoints in the console and add a new Broker C as proxy.

Expert Solution
Questions # 12:

Which field is automatically mapped from the dataset to the data model when creating a data model rule?

Options:

A.

_event_type

B.

_insert_time

C.

_host_name

D.

_cloud_id

Expert Solution
Questions # 13:

Based on the image below, which statement applies to the ability to remove tabs when creating a new alert layout?

Question # 13

Options:

A.

Only "Alert Info" tab can be removed.

B.

Only "Alert Info" and "War Room" tabs can be removed.

C.

Only "War Room" and "Work Plan" tabs can be removed.

D.

Only "Work Plan" tab can be removed.

Expert Solution
Questions # 14:

A Cortex XSIAM engineer is developing a playbook that uses reputation commands such as '!ip' to enrich and analyze indicators.

Which statement applies to the use of reputation commands in this scenario?

Options:

A.

If no reputation integration instance is configured, the '!ip' command will execute but will return no results.

B.

Reputation commands such as '!ip' will fail if the required reputation integration instance is not configured and enabled.

C.

The mapping flow for enrichment commands is disabled if extraction is set to "None."

D.

Enrichment data will not be saved to the indicator unless the extraction setting is manually configured in the playbook task.

Expert Solution
Questions # 15:

An engineer wants to onboard data from a third-party vendor’s firewall. There is no content pack available for it, so the engineer creates custom data source integration and parsing rules to generate a dataset with the firewall data.

How can the analytics capabilities of Cortex XSIAM be used on the data?

Options:

A.

Create a behavioral indicator of compromise (BIOC) rule on the network fields (source IP, source port, target IP, target port. IP protocol).

B.

Create a data model rule with network fields mapped (source IP. source port, target IP. target port. IP protocol).

C.

Create a correlation rule on the network fields (source IP. source port, target IP. target port. IP protocol).

D.

Create a parsing rule and ensure the network fields exist (source IP. source port, target IP. target port. IP protocol).

Expert Solution
Questions # 16:

Which action will prevent the automatic extraction of indicators such as IP addresses and URLs from a script's output?

Options:

A.

Add 'ExtractIndicators': False to the script.

B.

Add 'IgnoreAutoExtract': True to the script.

C.

Use 'AutoExtract': False in the script.

D.

Set 'IndicatorExtraction': None in the script.

Expert Solution
Questions # 17:

A CISO has asked an engineer to create a custom dashboard in Cortex XSIAM that can be filtered to show incidents assigned to a specific user.

Which feature should be used to filter the incident data in the dashboard?

Options:

A.

Filters and inputs in the custom dashboard

B.

Report template to set the incident user filter

C.

Visualization filter options in the widget configuration

D.

Incident summary view to filter by user

Expert Solution
Questions # 18:

Before initiating a malware scan action on a Linux workstation, an engineer notices that the Cortex XDR agent's operational status on the workstation is reporting as "partially protected." There have been no configuration changes made from the Cortex XSIAM server.

What are two explanations for this operational status? (Choose two.)

Options:

A.

The Linux endpoint is currently running 4.0 kernel version.

B.

The Linux endpoint's kernel modules failed to load due to unsupported kernel versions.

C.

The agent is outdated and requires an upgrade to the latest version to regain full protection.

D.

The agent was manually disabled on the endpoint by the user or an administrator.

Expert Solution
Questions # 19:

Which field is automatically mapped from the dataset to the data model when creating a data model rule?

Options:

A.

_event_type

B.

_insert_time

C.

_host_name

D.

_cloud_id

Expert Solution
Questions # 20:

A Cortex XSIAM engineer is developing a playbook that uses reputation commands such as '!ip' to enrich and analyze indicators.

Which statement applies to the use of reputation commands in this scenario?

Options:

A.

If no reputation integration instance is configured, the '!ip' command will execute but will return no results.

B.

Reputation commands such as '!ip' will fail if the required reputation integration instance is not configured and enabled.

C.

The mapping flow for enrichment commands is disabled if extraction is set to "None."

D.

Enrichment data will not be saved to the indicator unless the extraction setting is manually configured in the playbook task.

Expert Solution
Viewing page 2 out of 2 pages
Viewing questions 11-20 out of questions