
Xxiam SIEM

Test title:
Xxiam SIEM

Description:
Crotex SIEM

Created: 2025/11/26

Category: Other

Number of questions: 59

Rating: (0)

Questions:

How will Cortex XSIAM help with raw log ingestion from third-party sources in an existing infrastructure?
- Any structured logs coming into it are left completely unchanged, and only metadata is added to the raw data.
- For structured logs, like CEF, LEEF, and JSON, it decouples the key-value pairs and saves them in table format.
- Any unstructured logs coming into it are left completely unchanged, and metadata is not added to the raw data.
- For unstructured logs, it decouples the key-value pairs and saves them in a table format.

In which two locations can correlation rules be monitored for errors? (Choose two.)
- XDR Collector audit logs (type = Rules, subtype = Error)
- correlations_auditing dataset through XQL
- Management audit logs (type = Rules, subtype = Error)
- Alerts table as a health alert

Which option should be used when customizing a dashboard in Cortex XSIAM to include a widget that will display data filtered by more than one dynamic value?
- Free text/number
- Fixed filter
- Multi-select
- Single-select

How must Cloud Identity Engine be deployed and activated on Cortex XSIAM?
- In a different region than Cortex XSIAM; logs can be verified using pan_dss_raw dataset.
- In a different region than Cortex XSIAM; logs can be verified using endpoints dataset.
- In the same region as Cortex XSIAM; logs can be verified using pan_dss_raw dataset.
- In the same region as Cortex XSIAM; logs can be verified using endpoints dataset.

Which common issue can result in sudden data ingestion loss for a data source that was previously successful?
- Data source is using an unsupported data format.
- Data source has reached its maximum storage capacity.
- Data source has reached its end of life for support.
- API key used for the integration has expired.

While using the remote repository on a Development XSIAM tenant, which two objects can be pushed or pulled to the remote repository? (Choose two.)
- Scripts
- Parsing rules
- Lists
- Layouts

When a Cortex XSIAM playbook execution reaches a breakpoint on a non-manual task, which two actions will allow the playbook to continue? (Choose two.)
- Disable the breakpoint and rerun the playbook from the start.
- Skip the task with the breakpoint to let the playbook proceed automatically.
- Wait for all parallel tasks to be completed before the breakpoint task resumes automatically.
- Click Run Script Now or Complete Manually.

What is the purpose of using rolling tokens to manage Cortex XDR agents?
- To periodically rotate encryption keys used for tenant communication.
- To perform administration on agents without requiring static credentials.
- To authorize agents to download and install content updates.
- To temporarily disable the agents during maintenance windows.

Based on the image below, which statement applies to the ability to remove tabs when creating a new alert layout?
- Only "Alert Info" tab can be removed.
- Only "Alert Info" and "War Room" tabs can be removed.
- Only "War Room" and "Work Plan" tabs can be removed.
- Only "Work Plan" tab can be removed.

A Cortex XSIAM engineer is developing a playbook that uses reputation commands such as '!ip' to enrich and analyze indicators. Which statement applies to the use of reputation commands in this scenario?
- If no reputation integration instance is configured, the '!ip' command will execute but will return no results.
- Reputation commands such as '!ip' will fail if the required reputation integration instance is not configured and enabled.
- The mapping flow for enrichment commands is disabled if extraction is set to "None."
- Enrichment data will not be saved to the indicator unless the extraction setting is manually configured in the playbook task.

An engineer wants to onboard data from a third-party vendor's firewall. There is no content pack available for it, so the engineer creates a custom data source integration and parsing rules to generate a dataset with the firewall data. How can the analytics capabilities of Cortex XSIAM be used on the data?
- Create a behavioral indicator of compromise (BIOC) rule on the network fields (source IP, source port, target IP, target port, IP protocol).
- Create a data model rule with network fields mapped (source IP, source port, target IP, target port, IP protocol).
- Create a correlation rule on the network fields (source IP, source port, target IP, target port, IP protocol).
- Create a parsing rule and ensure the network fields exist (source IP, source port, target IP, target port, IP protocol).

Which two requirements must be met for a Cortex XDR agent to successfully use the Broker VM as a download source for content updates? (Choose two.)
- Device Configuration profile applied to the XDR agent must specify the Broker VM as a Download Source.
- Agent Settings profile applied to the XDR agent must specify the Broker VM as a Download Source.
- Broker VM must be configured with an FQDN.
- XDR agent must authenticate to the Broker VM using a machine certificate.

During a new Cortex XSIAM deployment, a user consistently experiences timeout sessions while trying to connect to the agent through Live Terminal, even though the firewall engineer has confirmed that all source IP addresses, port 443, and destinations are allowed. What could be causing these persistent timeout issues?
- User does not have administrative privileges on the managed endpoint.
- SSL Decryption is currently being used to inspect the underlying traffic.
- NTP is not synchronized with the server time.
- Live Terminal feature is not supported on the current OS.

What should be considered when creating a custom incident domain?
- Alert grouping will not apply, but SmartScore will.
- Alert grouping will apply, but SmartScore will not.
- Alert grouping and SmartScore will not be applied to incidents.
- Alert grouping and SmartScore will be applied to incidents.

How does Cortex XSIAM manage licensing for Kubernetes environments?
- Managed per namespace and returned when the namespace is decommissioned.
- Issued per container and returned upon container termination.
- Issued for each node and returned when the agent is removed or the node is deleted.
- Applied per service deployment and returned upon service deactivation.

A Cortex XSIAM engineer is preparing to install a new content pack and notices that there are several optional content packs associated with the main one that needs to be installed. What must the engineer take into consideration when deciding whether or not to install the optional content packs?
- Mandatory dependencies required by the optional content packs are automatically included during installation. The engineer should consider the additional functionality and potential impact on system performance.
- The optional content packs without their associated dependencies are installed first, and then the main content pack installation is triggered. The engineer should ensure that the optional content packs do not conflict with existing configurations.
- Optional content packs are installed without any dependencies, as they are not necessary. The engineer should only install them if they require the additional features.
- Only the selected optional content packs are installed, without including any additional dependencies. The engineer should manually check for any required dependencies.

In the Incident War Room, which command is used to update incident fields identified in the incident layout?
- !setIncidentFields
- !setParentIncidentFields
- !setParentIncidentContext
- !updateParentIncidentFields

In the Incident War Room, which command is used to update incident fields identified in the incident layout?
- !ConvertTableToHTML table=${parentIncidentFields.custom_fields}
- !JsonToTable value=${parentIncidentFields.custom_fields}
- !ToTable data=${parentIncidentFields.custom_fields.incidentassignment}
- !ExtractHTMLTables html=${parentIncidentFields.custom_fields.incidentassignment}

What is the role of "in" in the query line below?
action_local_port in (1122, 2234)
- Operand
- Operator
- Function
- Range

Which section of a parsing rule defines the newly created dataset?
- RULE
- COLLECT
- INGEST
- CONST

Which step must be taken to enable Cloud Identity Engine on Cortex XSIAM?
- Enable SSO integration.
- Activate it in the Customer Support Portal.
- Activate it on HUB.
- Enable Active Directory log collection.

Which step must be taken to enable Cloud Identity Engine on Cortex XSIAM?
- dataset = va_cves | filter affected_products contains "ai_app" | fields affected_hosts, affected_products
- dataset = xdr_data | filter event_type = ENUM.PROCESS | filter action_process_image_name = "ai_app" | filter action_process_file_info not in ("12.1", "12.2", "12.4", "12.5")
- preset = host_inventory_applications | filter application_name contains "ai_app" and version in ("12.1", "12.2", "12.4", "12.5")
- dataset = host_inventory | filter applicationName contains "ai_app" | filter applicationVersion not in ("12.1", "12.2", "12.4", "12.5")

When Cortex XDR agents are on servers in a zone with no internet access, which configuration will keep them communicating with the platform?
- Logging service in the isolated zone
- Broker VM
- Integration using filebeat
- Engine

Which installer type should be used when upgrading a non-Linux Kubernetes cluster?
- Standalone
- Helm
- Upgrade from ESM
- Kubernetes

A systems engineer overseeing the integration of data from various sources through data pipelines into Cortex XSIAM notices modifications occurring during the ingestion process, and these modifications reduce the accuracy of threat detection and response. The engineer needs to assess the risks associated with the pre-ingestion data modifications and develop effective solutions for data integrity and system efficacy. Which set of steps must be followed to meet these goals?
- Develop an advanced monitoring system to track and log all changes made to data during ingestion, and use analytics to compare pre- and post-ingestion states based on XDM to identify and mitigate discrepancies.
- Design a hybrid approach for critical data fields to be safeguarded against modifications during ingestion, while less critical data fields undergo allowable modifications that are rectified post-ingestion by using XDM to balance performance with data integrity.
- Implement a pre-ingestion data validation process that aligns with the post-ingestion standards set by XDM, ensuring data consistency and integrity before it enters Cortex XSIAM.
- Establish a process to minimize data modifications during ingestion, prioritizing raw data capture and using XDM post-ingestion for necessary transformations and integrity checks.

A security engineer notices that in the past week ingestion has spiked significantly. Upon investigating the anomaly, it is determined that a custom application developed in-house caused the spike. The custom application is sending syslog to the Broker VM Syslog Collector applet. The engineer consults with the SOC analyst, who determines that 90% of the logs from the custom application are not used. What can the engineer configure to reduce the ingestion?
- Parsing rule to drop the unnecessary data at the Broker VM.
- Data model rule to drop the unnecessary data.
- Correlation rule on the Cortex XSIAM server to drop the unnecessary data.
- Data model rule to map the useful data.

An engineer is conducting a threat actor emulated test to determine which Cortex XDR module would provide protection or alert on a real-world attack. The first test was prevented. Which action must the engineer take to enable continued testing?
- Remove the hash from the restrictions profile.
- Add an indicator exclusion.
- Add a prevention rule.
- Change the profile from "alert" to "prevent" for the BTP module.

A Cortex XSIAM engineer adds a disable injection and prevention rule for a specific running process. After an hour, the engineer disables the rule to reinstate the security capabilities, but the capabilities are not applied. What is the explanation for this behavior?
- The engineer needs to restart the process to get back the security capabilities.
- The engineer needs a support exception to get back the security capabilities.
- The engineer needs to wait for the time period configured in the rule to pass first.
- The engineer can disable the rule, but security capabilities are not applied to the process.

What is the function of the "MODEL" section when creating a data model rule?
- To make a list of all the relevant fields to be mapped from the logs to XDM.
- To define the mapping between a single dataset and XDM.
- To finalize rule definition with all XQL statements.
- To map log fields to corresponding Cortex XSIAM Data Model (XDM) fields.

What is the primary benefit of setting the "--memory-swap" option to "-1" during Cortex XSIAM engine deployment?
- It enhances the network throughput by optimizing memory usage.
- It increases the total disk space available to the engine.
- It allows the engine to operate without requiring swap capabilities.
- It automatically doubles the available RAM to the engine.

A CISO has asked an engineer to create a custom dashboard in Cortex XSIAM that can be filtered to show incidents assigned to a specific user. Which feature should be used to filter the incident data in the dashboard?
- Filters and inputs in the custom dashboard.
- Report template to set the incident user filter.
- Visualization filter options in the widget configuration.
- Incident summary view to filter by user.

How can a Cortex XSIAM engineer resolve the issue when a SOC analyst escalates missing details after merging two similar incidents?
- Check the War Room of the destination incident.
- Examine the incident context of the source incident.
- Unmerge the incidents and copy the missing details into the incident notes.
- Check the child incident of the destination incident.

Which cytool command will look up the policy being applied to a Cortex XDR agent?
- cytool adaptive_policy interval 0
- cytool payload_execution query
- cytool adaptive_policy recalc
- cytool persist print agent_settings.db

A file for a support exception that needs to be updated locally on a Linux endpoint has been supplied. Which cytool command will upload this support exception file to the endpoint?
- cytool upload suexfile -target </local/file/path>
- cytool upload suex -file </local/file/path>
- cytool import suex -path </local/file/path>
- cytool import suexfile -path </local/file/path>

Using the integrationContext object, how is data stored and retrieved between integration command runs in Cortex XSIAM?
- The integrationContext object can only store strings, not key-value dictionaries.
- The integrationContext object is retrieved and set using the test-module command.
- The get_integration_context() method overrides the existing object that is stored.
- The integrationContext object supports get_integration_context() and set_integration_context().

Which types of content may be included in a Marketplace content pack?
- Integrations, playbooks, parsers, and server configuration keys.
- Predefined dashboards, indicators, and reports.
- Scripts, playbooks, integrations, and correlation rules.
- Behavioral indicator of compromise (BIOC) rules, layouts, and custom dashboards.

Cortex XSIAM has not received any logs for 30 minutes from a Palo Alto Networks NGFW named "MainFW." An engineer wants to create an alert for this scenario. Correlation rule settings include:
Time Schedule: Every 30 minutes
Query Timeframe: 30 minutes
Action: Generate alert
Alert Name: No logs received from MainFW in the past 30 minutes
Which query should be used in the correlation rule?
- dataset = collection_auditing | filter collector_type = "NGFW" and instance = "MainFW" | comp count_distinct(description) as total_events by instance | filter total_events = 0
- preset = metrics_view | filter _vendor = "PANW" and _product = "NGFW" and _reporting_device_name = "MainFW" | comp count_distinct(total_event_count) as total_events by _reporting_device_name | filter total_events = 0
- dataset = collection_auditing | filter collector_type = "NGFW" and instance = "MainFW" | comp values(description) as total_events by instance | filter total_events = 0
- preset = metrics_view | filter _vendor = "PANW" and _product = "NGFW" and _reporting_device_name = "MainFW" | comp sum(total_event_count) as total_events by _reporting_device_name | filter total_events = 0

A Cortex XSIAM engineer at a SOC downgrades a critical threat intelligence content pack from the Cortex Marketplace while performing routine maintenance. As a result, the SOC team loses access to the latest threat intelligence data. Which action will restore the functionality of the content pack to its previously installed version?
- Contact Palo Alto Networks Support to create an exception to revert to the previously installed version.
- Back up the current configuration and data, then revert to the previously installed version.
- Remove all integrations and playbooks associated with the content pack, then revert to the previously installed version.
- Directly reinstall the previously installed version over the current one.

Which two alert notification options can be configured without creating a playbook? (Choose two.)
- Pager Duty
- Email
- Slack
- SMS

An engineer needs to migrate Cortex XDR agents without internet connection from Cortex XSIAM tenant A to Cortex XSIAM tenant B. There is a broker configured for each tenant. This is the communication flow:
XDR agents <-> Broker A <-> XSIAM tenant A
XDR agents <-> Broker B <-> XSIAM tenant B
Which two steps should be taken before moving the agents? (Choose two.)
- Install a new Broker C on site B, and register it into Cortex XSIAM tenant A.
- Install a new Broker C on site and register it into Cortex XSIAM tenant B.
- Also register Broker A to Cortex XSIAM tenant B.
- Select all endpoints in the console and add a new Broker C as proxy.

Which field is automatically mapped from the dataset to the data model when creating a data model rule?
- _event_type
- _insert_time
- _host_name
- _cloud_id

A Cortex XSIAM engineer plans to add Kafka and Syslog Collectors to a Broker VM cluster. What are two expected behaviors of the applets when they are added to the cluster? (Choose two.)
- Syslog Collector applet is automatically initiated, enters an active state on the primary node, and is on standby on the standby nodes.
- Kafka Collector applet is automatically initiated, enters an active state on the primary node, and is on standby on the standby nodes.
- Syslog Collector applet is active on all cluster nodes, including primary and standby.
- Kafka Collector applet is active on all cluster nodes, including primary and standby.

Based on the _raw_log and XQL query information below, what will be the result(s) of the temp_value?
- 123 192.168.10.1
- 20
- 10.120.80.2
- 149.235.219.208 59977

When activating the Cortex XSIAM tenant, how is the data at rest configured with AES 128 encryption?
- Under Advanced -> Encryption Method, choose the desired encryption method during the initial setup of the tenant.
- Under Advanced, choose "BYOK," and adhere to the wizard's instructions as outlined in the encryption method section.
- Create encryption keys with AES 128 and upload it securely through Cortex Gateway.
- Under Advanced -> Encryption Method, choose the desired encryption method after the initial setup of the tenant.

A sub-playbook is configured to loop with a For Each Input. The following inputs are given to the sub-playbook:
Input x: W,X,Y,Z
Input y: a,b,c,d
Input z: 9
Which inputs will be used for the second iteration of the loop?
- a,b,c,d
- X,b,9
- X,b
- X,b,c

The following string is a value of a key named "Data2" in the context: {"@admin":"admin","@dirtyld":"1","@loc":"Lab","@name":"default1","@oldname":"Test","@time":"2024/08/28 07:45:15","alert":{"@admin":"admin","@dirtyld":"2","@time":"2024/08/28 07:45:15","member":{"#text":" Based on the image below, what will be displayed in the "Test result" field when the "Test" button is pressed?. 1. "1. 2. "2.

A Cortex XDR agent is installed on an endpoint, but the agent is unable to download content updates and has not registered with the Cortex XSIAM server. An engineer troubleshoots the network connection and determines that, by design, this endpoint does not have direct internet access to the required network destinations for the Cortex XDR agent traffic. A Broker VM that has the local agent settings applet enabled with Agent Proxy configured is reachable by the endpoint. The Broker VM details are as follows:
FQDN: crtxbroker01.company.net
Proxy listening port: 8888
How should the engineer configure the Cortex XDR agent to use the existing Broker VM as a proxy for the agent network traffic?
- cytool proxy set "crtxbroker01. company.net: 8888"
- cytool config proxy --host crtxbroker01.company.net --port 8888
- cytool set proxy --host crtxbroker01.company.net --port 8888
- cytool proxy config "crtxbroker01.company.net:8888"

A Behavioral Threat Protection (BTP) alert is triggered with an action of "Prevented (Blocked)" on one of several application servers running Windows Server 2022. The investigation determines the involved processes to be legitimate core OS binaries, and the description from the triggered BTP rule is an acceptable risk for the company to allow the same activity in the future. This type of activity is only expected on the endpoints that are members of the endpoint group "AppServers," which already has a separate prevention policy rule with an exceptions profile named "Exceptions-AppServers" and a malware profile named "Malware-AppServers." The CGO that was terminated has the following properties:
SHA256: eb71ea69dd19f728ab9240565e8c7efb59821e19e3788e289301e1e74940c208
File path: C:\Windows\System32\cmd.exe
Digital Signer: Microsoft Corporation
How should the exception be created so that it is scoped as narrowly as possible to minimize the security gap?
- Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to the "Exceptions-AppServers" profile.
- Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to the "Exceptions-AppServers" profile.
- Create a Disable Prevention Rule via Exceptions Configuration with the following selections:
  Platform: Windows
  Target Properties: SHA256, File path, Microsoft Corporation
  Module: Behavioral Threat Protection
  Scope: Exceptions-AppServers
- Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to "Global."

Which action will prevent the automatic extraction of indicators such as IP addresses and URLs from a script's output?
- Add 'ExtractIndicators': False to the script.
- Add 'IgnoreAutoExtract': True to the script.
- Use 'AutoExtract': False in the script.
- Set 'IndicatorExtraction': None in the script.

An application which ingests custom application logs is hosted in an on-premises virtual environment on an Ubuntu server, and it logs locally to a .csv file. Which set of actions will allow the ingestion of the .csv logs into Cortex XSIAM directly from the server?
- Install a Broker VM in the environment, and configure the CSV Collector to collect the files of interest.
- Install a Cortex XDR agent on the Ubuntu server, and configure the agent to collect the files of interest.
- Install a Broker VM in the environment, and migrate the application to the Broker VM.
- Install XDR Collector on the Ubuntu server, and configure the agent to collect the files of interest.

Which action is required to enable use of a custom script in an alert layout?
- Tag the script with "dynamic-section," add a general purpose dynamic section, and edit the section settings to add the automation script.
- Tag the script with "general-purpose-dynamic-section," add a custom script section, and edit the section settings to add the automation script.
- Add a general purpose dynamic section and edit the section settings to add the automation script.
- Tag the script with "general-purpose-dynamic-section," add a general purpose dynamic section, and edit the section settings to add the automation script.

Tag the script with "general-purpose-dynamic-section," add a general purpose dynamic section, and edit the section settings to add the automation script. The Broker VM is offline. NTP is not synchronized properly on the Broker VM. Local Agent Setting applet is currently activated without SSL certificate. Local Agent Setting applet is currently activated without FQDN.

What is a key characteristic of a parsing rule in Cortex XSIAM?
- It uses regular expressions exclusively for data modifications, discards unmatched logs by default, and only retains fields with non-null values.
- It is bound to all vendors and products, performs data parsing once per log, and does not allow grouping.
- It is bound to a specific vendor and product, performs data parsing once per log, and does not allow grouping.
- It is bound to a specific vendor and product which allow grouping with a no-match policy, and retains all fields.

Which type of parsing error is categorized in the dataset "parsing_rules_errors"?
- Compilation
- Unrecognized code
- Invalid syntax
- Data mismatch

Before initiating a malware scan action on a Linux workstation, an engineer notices that the Cortex XDR agent's operational status on the workstation is reporting as "partially protected." There have been no configuration changes made from the Cortex XSIAM server. What are two explanations for this operational status? (Choose two.)
- The Linux endpoint is currently running 4.0 kernel version.
- The Linux endpoint's kernel modules failed to load due to unsupported kernel versions.
- The agent is outdated and requires an upgrade to the latest version to regain full protection.
- The agent was manually disabled on the endpoint by the user or an administrator.

A Cortex XSIAM engineer is implementing role-based access control (RBAC) and scope-based access control (SBAC) for users accessing the Cortex XSIAM tenant with the following requirements:
Users managing machines in Europe should be able to manage and control all endpoints and installations, create profiles and policies, view alerts, and initiate Live Terminal, but only for endpoints in the Europe region.
Users managing machines in Europe should not be able to create, modify, or delete new or existing user roles.
The Europe region endpoints are identified by both of the following:
Endpoint Tag = "Europe-Servers" and Endpoint Group = "Europe" for servers in Europe
Endpoint Group = "Europe" and Endpoint Tag = "Europe-Workstation" for workstations in Europe
Which two sets of implementation actions should the engineer take? (Choose two.)
- Verify and confirm that SBAC mode under "Server Settings" is set to "Restrictive," and assign "EG:Europe" under the user permission scope configuration.
- Use the pre-defined roles, assign the "Instance Administrator" role to the user or user group managing Europe-based endpoints.
- Verify and confirm that SBAC mode under "Server Settings" is set to "Permissive," and assign "EG:Europe" under the user permission scope configuration.
- Use the pre-defined roles, assign the "Privileged IT Admin" role to the user or user group managing Europe-based endpoints.

Administrators from Building 3 have been added to Cortex XSIAM to perform limited functions on a subset of endpoints. Custom roles have been created and applied to the administrators to limit their permissions, but their access should also be constrained through the principle of least privilege according to the endpoints they are allowed to manage. All endpoints are part of an endpoint group named "Building3," and some endpoints may also be members of other endpoint groups. Which technical control will restrict the ability of the administrators to manage endpoints outside of their area of responsibility, while maintaining visibility to Building 3's endpoints?
- SBAC enabled in Building 3's IP range with the "EG:Building3" tag assigned to each administrator's scope.
- SBAC enabled in Permissive Mode with the "EG:Building3" tag assigned to each administrator's scope.
- SBAC enabled in Restrictive Mode with the "EG:Building3" tag assigned to each administrator's scope.
- SBAC enabled globally with the "EG:Building3" tag assigned to each administrator's scope.

While using the playbook debugger, an engineer attaches the context of an alert as test data. What happens with respect to the interactions with the list objects via tasks in this scenario?
- The original content of the list and the original context are not altered, because Cortex XSIAM is running inside debug mode.
- The original content of the list is not altered, but the original context is, because XSIAM commands are running within debug mode.
- The original content of the list is altered, but the original context is not, because Cortex XSIAM commands interact directly with the original list objects within debug mode.
- The original content of the list and the original context are altered, because Cortex XSIAM tasks interact directly with the objects, even within debug mode.

What is the primary function of the URL "https://<region>-docker.pkg.dev" in the context of a Palo Alto Networks infrastructure?
- It downloads Docker content updates.
- It downloads Kubernetes images for agent installation.
- It imports Docker licensing.
- It downloads Engine Docker containers.
