Spring Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Home
Paloalto Networks
Security Operations
XSIAM-Engineer
Palo Alto Networks XSIAM Engineer Questions and Answers

Pass the Paloalto Networks Security Operations XSIAM-Engineer Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam XSIAM-Engineer Premium Access

View all detail and faqs for the XSIAM-Engineer exam

Go to Exam

773 Students Passed

84% Average Score

98% Same Questions

Viewing page 2 out of 2 pages

Viewing questions 11-20 out of questions

Questions # 11:

A Cortex XDR agent is installed on an endpoint, but the agent is unable to download content updates and has not registered with the Cortex XSIAM server. An engineer troubleshoots the network connection and determines that, by design, this endpoint does not have direct internet access to the required network destinations for the Cortex XDR agent traffic.

A Broker VM that has the local agent settings applet enabled with Agent Proxy configured is reachable by the endpoint. The Broker VM details are as follows:

FQDN: crtxbroker01.company.net

Proxy listening port: 8888

How should the engineer configure the Cortex XDR agent to use the existing Broker VM as a proxy for the agent network traffic?

Options:

cytool proxy set "crtxbroker01. company.net: 8888"

cytool config proxy --host crtxbroker01.company.net --port 8888

cytool set proxy --host crtxbroker01.company.net --port 8888

cytool proxy config "crtxbroker01.company.net:8888"

Answer

Explanation

The correct command is cytool config proxy --host crtxbroker01.company.net --port 8888, which configures the Cortex XDR agent to route its traffic through the Broker VM acting as a proxy. This allows the agent to register and download updates without requiring direct internet access.

Questions # 12:

Which action is required to enable use of a custom script in an alert layout?

Options:

Tag the script with "dynamic-section," add a general purpose dynamic section, and edit the section settings to add the automation script.

Tag the script with "general-purpose-dynamic-section," add a custom script section, and edit the section settings to add the automation script.

Add a general purpose dynamic section and edit the section settings to add the automation script.

Tag the script with "general-purpose-dynamic-section." add a general purpose dynamic section, and edit the section settings to add the automation script.

Answer

Explanation

To use a custom script in an alert layout, the script must be tagged with "general-purpose-dynamic-section", then a general purpose dynamic section is added to the layout, and finally the section settings are edited to attach the automation script. This ensures the script executes and displays results dynamically within the alert layout.

Questions # 13:

A file for a support exception that needs to be updated locally on a Linux endpoint has been supplied.

Which cytool command will upload this support exception file to the endpoint?

Options:

cytool upload suexfile -target

cytool upload suex -file

cytool import suex -path

cytool import suexfile -path

Answer

Explanation

The correct command is cytool import suex -path , which imports a supplied support exception (suex) file onto a Linux endpoint, ensuring the exception is applied locally.

Questions # 14:

How will Cortex XSIAM help with raw log ingestion from third-party sources in an existing infrastructure?

Options:

Any structured logs coming into it are left completely unchanged, and only metadata is added to the raw data.

For structured logs, like CEF, LEEF, and JSON, it decouples the key-value pairs and saves them in table format.

Any unstructured logs coming into it are left completely unchanged, and metadata is not added to the raw data.

For unstructured logs, it decouples the key-value pairs and saves them in a table format.

Answer

Explanation

Cortex XSIAM ingests structured third-party logs (such as CEF, LEEF, and JSON) by breaking down the key-value pairs and saving them in a normalized table format. This enables efficient correlation, analytics, and query performance across diverse log sources while preserving data fidelity.

Questions # 15:

What is a key characteristic of a parsing rule in Cortex XSIAM?

Options:

It uses regular expressions exclusively for data modifications, discards unmatched logs by default, and only retains fields with non-null values.

It is bound to all vendors and products, performs data parsing once per log, and does not allow grouping.

It is bound to a specific vendor and product, performs data parsing once per log, and does not allow grouping.

It is bound to a specific vendor and product which allow grouping with a no-match policy, and retains all fields.

Answer

Explanation

A parsing rule in Cortex XSIAM is bound to a specific vendor and product, ensuring accurate parsing logic for that log source. It processes each log individually (once per log) and does not allow grouping, making it distinct from data model rules.

Questions # 16:

An engineer is conducting a threat actor emulated test to determine which Cortex XDR module would provide protection or alert on a real-world attack. The first test was prevented.

Which action must the engineer take to enable continued testing?

A Remove the hash from the restrictions profile

B. Add an indicator exclusion.