Palo Alto Networks Certified XSIAM Analyst v1.0

Page: 1 / 4
Exam contains 50 questions

What is the cause when alerts generated by a correlation rule are not creating an incident?

  • A. The rule does not have a drill-down query configured.
  • B. The rule is configured with alert severity below Medium.
  • C. The rule has alert suppression enabled.
  • D. The rule is using the preconfigured Cortex XSIAM alert field mapping.


Answer : C

While investigating an incident on the Incident Overview page, an analyst notices that the playbook encountered an error. Upon playbook work plan review, it is determined that the error was caused by a timeout. However, the analyst does not have the necessary permissions to fix or create a new playbook.
Given the critical nature of the incident, what can the analyst do to ensure the playbook continues executing the remaining steps?

  • A. Navigate to the step where the error occurred and run the task again.
  • B. Pause the step with the error, thus automatically triggering the execution of the remaining steps.
  • C. Contact TAC to resolve the task error, as the playbook cannot proceed without it.
  • D. Clone the playbook, remove the faulty step, and run the new playbook to bypass the error.


Answer : A

Which configuration will ensure any alert involving a specific critical asset will always receive a score of 100?

  • A. A risk scoring policy for the critical asset
  • B. A user scoring rule for the critical asset
  • C. An asset as critical in Asset Inventory
  • D. SmartScore to apply the specific score to the critical asset


Answer : D

How would Incident Context be referenced in an alert War Room task or alert playbook task?

  • A. ${parentIncidentContext}
  • B. ${parentIncidentFields}
  • C. ${getParentIncidentContext}
  • D. ${getparentIncidentFields}


Answer : A

Which feature terminates a process during an investigation?

  • A. Response Center
  • B. Live Terminal
  • C. Exclusion
  • D. Restriction


Answer : A

Which statement applies to a low-severity alert when a playbook trigger has been configured?

  • A. The alert playbook will automatically run when grouped in an incident.
  • B. The alert playbook can be manually run by an analyst.
  • C. The alert playbook will run if the severity increases to medium or higher.
  • D. Only low-severity analytics alerts will automatically run playbooks.


Answer : B

A threat hunter discovers a true negative event from a zero-day exploit that is using privilege escalation to launch "Malware.pdf.exe."
Which XQL query will always show the correct user context used to launch "Malware.pdf.exe"?

  • A. config case_sensitive = false | dataset = xdr_data | filter event_type = ENUM.PROCESS | filter action_process_image_name = "Malware.pdf.exe" | fields action_process_username
  • B. config case_sensitive = false | datamodel dataset = xdr_data | filter xdm.source.process.name = "Malware.pdf.exe" | fields xdm.target.user.username
  • C. config case_sensitive = false | dataset = xdr_data | filter event_type = ENUM.PROCESS | filter action_process_image_name = "Malware.pdf.exe" | fields causality_actor_effective_username
  • D. config case_sensitive = false | dataset = xdr_data | filter event_type = ENUM.PROCESS | filter action_process_image "Malware.pdf.exe" | fields actor_process_username


Answer : C

Based on the image below, which two additional steps should a SOC analyst take to secure the endpoint? (Choose two.)

  • A. Block 192.168.1.199.
  • B. Reboot the machine.
  • C. Isolate the affected workstation.
  • D. Live Terminal into the workstation to verify.


Answer : CD

During an investigation of an alert with a completed playbook, it is determined that no indicators exist from the email "[email protected]" in the Key Assets & Artifacts tab of the parent incident.
Which command will determine if Cortex XSIAM has been configured to extract indicators as expected?
Answer : B

In the Endpoint Data context menu of the Cortex XSIAM endpoints table, where will an analyst be able to determine which users accessed an endpoint via Live Terminal?

  • A. View Incidents
  • B. View Actions
  • C. View Endpoint Policy
  • D. View Endpoint Logs


Answer : B

With regard to Attack Surface Rules, how often are external scans updated?

  • A. Hourly
  • B. Daily
  • C. Weekly
  • D. Monthly


Answer : B

What is the expected behavior when querying a data model with no specific fields specified in the query?

  • A. The default dataset=xdr_data fields will be returned.
  • B. The query will error out and not run.
  • C. No fields will be returned by default.
  • D. The xdm_core fieldset will be returned by default.


Answer : D

An on-demand malware scan of a Windows workstation using the Cortex XDR agent is successful and detects three malicious files. An analyst attempts further investigation of the files by right-clicking on the scan result, selecting "Additional data," then "View related alerts," but no alerts are reported.
What is the reason for this outcome?

  • A. The malicious files were false positives and were automatically removed from the scan results.
  • B. The malware scan action detects malicious files but does not generate alerts for them.
  • C. The malicious files were true positives and were automatically quarantined from the scan results.
  • D. The malicious files are currently in an excluded directory in the Malware Profile.


Answer : B

A Cortex XSIAM analyst in a SOC is reviewing an incident involving a workstation showing signs of a potential breach. The incident includes an alert from Cortex XDR Analytics Alert source: "Remote service command execution from an uncommon source." As part of the incident handling process, the analyst must apply response actions to contain the threat effectively.
Which initial Cortex XDR agent response action should be taken to reduce attacker mobility on the network?

  • A. Block IP Address: Prevent future connections to the IP from the workstation.
  • B. Terminate Process: Stop the suspicious processes identified.
  • C. Isolate Endpoint: Prevent the endpoint from communicating with the network.
  • D. Remove Malicious File: Delete the malicious file detected.


Answer : C

A security analyst has been assigned a ticket from the help desk stating that users are experiencing errors when attempting to open files on a specific network share. These errors state that the file format cannot be opened. IT has verified that the file server is online and functioning, but that all files have unusual extensions attached to them.
The security analyst reviews alerts within Cortex XSIAM and identifies malicious activity related to a possible ransomware attack on the file server. This incident is then escalated to the incident response team for further investigation.
Upon reviewing the incident, the responders confirm that ransomware was successfully executed on the file server. Other details of the attack are noted below:

  • An unpatched vulnerability on an externally facing web server was exploited for initial access
  • The attackers successfully used Mimikatz to dump sensitive credentials that were used for privilege escalation
  • PowerShell was used on a Windows server for additional discovery, as well as lateral movement to other systems
  • The attackers executed SystemBC RAT on multiple systems to maintain remote access
  • Ransomware payload was downloaded on the file server via an external site, "file.io"

Refer to the scenario to answer this question:
Which hunt collection category in Cortex XSIAM should the incident responders use to identify all systems where the attackers established persistence during the attack?

  • A. Network Data
  • B. Process Execution
  • C. Command History
  • D. Remote Access


Answer : D
