Palo Alto Networks XSIAM Engineer v1.0

Page:    1 / 4   
Exam contains 59 questions

A CISO has asked an engineer to create a custom dashboard in Cortex XSIAM that can be filtered to show incidents assigned to a specific user.
Which feature should be used to filter the incident data in the dashboard?

  • A. Filters and inputs in the custom dashboard
  • B. Report template to set the incident user filter
  • C. Visualization filter options in the widget configuration
  • D. Incident summary view to filter by user


Answer : A

How can a Cortex XSIAM engineer resolve the issue when a SOC analyst escalates missing details after merging two similar incidents?

  • A. Check the War Room of the destination incident.
  • B. Examine the incident context of the source incident.
  • C. Unmerge the incidents and copy the missing details into the incident notes.
  • D. Check the child incident of the destination incident.


Answer : A

Which cytool command will look up the policy being applied to a Cortex XDR agent?

  • A. cytool adaptive_policy interval 0
  • B. cytool payload_execution query
  • C. cytool adaptive_policy recalc
  • D. cytool persist print agent_settings.db


Answer : C

A file for a support exception that needs to be updated locally on a Linux endpoint has been supplied.
Which cytool command will upload this support exception file to the endpoint?

  • A. cytool upload suexfile -target </local/file/path>
  • B. cytool upload suex -file </local/file/path>
  • C. cytool import suex -path </local/file/path>
  • D. cytool import suexfile -path </local/file/path>


Answer : C

Using the integrationContext object, how is data stored and retrieved between integration command runs in Cortex XSIAM?

  • A. The integrationContext object can only store strings, not key-value dictionaries.
  • B. The integrationContext object is retrieved and set using the test-module command.
  • C. The get_integration_context() method overrides the existing object that is stored.
  • D. The integrationContext object supports get_integration_context() and set_integration_context().


Answer : D

Which types of content may be included in a Marketplace content pack?

  • A. Integrations, playbooks, parsers, and server configuration keys
  • B. Predefined dashboards, indicators, and reports
  • C. Scripts, playbooks, integrations, and correlation rules
  • D. Behavioral indicator of compromise (BIOC) rules, layouts, and custom dashboards


Answer : C

Cortex XSIAM has not received any logs for 30 minutes from a Palo Alto Networks NGFW named "MainFW." An engineer wants to create an alert for this scenario.
Correlation rule settings include:

Time Schedule: Every 30 minutes
Query Timeframe: 30 minutes
Action: Generate alert
Alert Name: No logs received from MainFW in the past 30 minutes
Which query should be used in the correlation rule?

  • A.
  • B.
  • C.
  • D.


Answer : D

A Cortex XSIAM engineer at a SOC downgrades a critical threat intelligence content pack from the Cortex Marketplace while performing routine maintenance. As a result, the SOC team loses access to the latest threat intelligence data.
Which action will restore the functionality of the content pack to its previously installed version?

  • A. Contact Palo Alto Networks Support to create an exception to revert to the previously installed version.
  • B. Back up the current configuration and data, then revert to the previously installed version.
  • C. Remove all integrations and playbooks associated with the content pack, then revert to the previously installed version.
  • D. Directly reinstall the previously installed version over the current one.


Answer : D

Which two alert notification options can be configured without creating a playbook? (Choose two.)

  • A. Pager Duty
  • B. Email
  • C. Slack
  • D. SMS


Answer : BC

An engineer needs to migrate Cortex XDR agents without internet connection from Cortex XSIAM tenant A to Cortex XSIAM tenant B. There is a broker configured for each tenant. This is the communication flow:
XDR agents <-> Broker A <-> XSIAM tenant A
XDR agents <-> Broker B <-> XSIAM tenant B
Which two steps should be taken before moving the agents? (Choose two.)

  • A. Install a new Broker C on site B, and register it into Cortex XSIAM tenant A.
  • B. Install a new Broker C on site and register it into Cortex XSIAM tenant B.
  • C. Also register Broker A to Cortex XSIAM tenant B.
  • D. Select all endpoints in the console and add a new Broker C as proxy.


Answer : BC

Which field is automatically mapped from the dataset to the data model when creating a data model rule?

  • A. _event_type
  • B. _insert_time
  • C. _host_name
  • D. _cloud_id


Answer : A

A Cortex XSIAM engineer plans to add Kafka and Syslog Collectors to a Broker VM cluster.
What are two expected behaviors of the applets when they are added to the cluster? (Choose two.)

  • A. Syslog Collector applet is automatically initiated, enters an active state on the primary node, and is on standby on the standby nodes.
  • B. Kafka Collector applet is automatically initiated, enters an active state on the primary node, and is on standby on the standby nodes.
  • C. Syslog Collector applet is active on all cluster nodes, including primary and standby.
  • D. Kafka Collector applet is active on all cluster nodes, including primary and standby.


Answer : AD

Based on the _raw_log and XQL query information below, what will be the result(s) of the temp_value?

  • A. 123
    192.168.10.1
  • B. 20
  • C. 10.120.80.2
  • D. 149.235.219.208
    59977


Answer : A

When activating the Cortex XSIAM tenant, how is the data at rest configured with AES 128 encryption?

  • A. Under Advanced -> Encryption Method, choose the desired encryption method during the initial setup of the tenant.
  • B. Under Advanced, choose "BYOK," and adhere to the wizard's instructions as outlined in the encryption method section.
  • C. Create encryption keys with AES 128 and upload them securely through Cortex Gateway.
  • D. Under Advanced -> Encryption Method, choose the desired encryption method after the initial setup of the tenant.


Answer : B

A sub-playbook is configured to loop with a For Each Input. The following inputs are given to the sub-playbook:

Input x: W,X,Y,Z
Input y: a,b,c,d
Input z: 9
Which inputs will be used for the second iteration of the loop?

  • A. a,b,c,d
  • B. X,b,9
  • C. X,b
  • D. X,b,c


Answer : B
