Exam Dumps

Palo Alto Networks XSIAM-Analyst Exam

Palo Alto Networks XSIAM Analyst Online Practice

Last updated: August 7, 2025

You can use these online practice questions to gauge how well you know the Palo Alto Networks XSIAM-Analyst exam material before deciding whether to register for the exam.

To pass the exam and shorten your preparation time, use the XSIAM-Analyst dumps (latest real exam questions), which currently contain the 50 most recent exam questions and answers.


Question No : 1


While investigating an alert, an analyst notices that a URL indicator has a related alert from a previous incident. The related alert has the same URL but it resolved to a different IP address.
Which combination of two actions should the analyst take to resolve this issue? (Choose two.)

Answer:
Explanation:
The correct answers are B (Remove the relationship between the URL and the older IP address) and D (Enrich the URL indicator).
B: If the same URL now resolves to a new IP address but the old relationship is still present, the analyst should remove the outdated relationship between the URL indicator and the previous IP address so it does not mislead future investigations.
D: Enriching the URL indicator refreshes its context, relationships, and threat intelligence attributes, so the indicator reflects the most accurate and current data.
"Analysts should remove obsolete relationships between indicators and enrich indicators to update contextual data as network conditions change (e.g., when a URL points to a new IP address)."
Document Reference: XSIAM Analyst ILT Lab Guide.pdf, Page 36-37 (Threat Intel Management section)

Question No : 2


Why would an analyst schedule an XQL query?

Answer:
Explanation:
The correct answer is B - To retrieve data either at specific intervals or at a specified time.
Scheduling XQL queries lets analysts and teams automate data retrieval at regular intervals or at specific times (for example daily, hourly, or during set windows), which supports reporting, monitoring, and automation workflows without manual intervention.
"Analysts can schedule XQL queries to automatically retrieve data or generate reports at regular intervals or specified times."
Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf, Page 25 (Data Analysis with XQL section)

Question No : 3


With regard to Attack Surface Rules, how often are external scans updated?

Answer:
Explanation:
The correct answer is B - Daily.
In Cortex XSIAM's Attack Surface Management (ASM), external scans and the associated attack surface rules are refreshed daily. Daily updates give analysts timely and relevant insight into exposed assets and potential vulnerabilities that could affect the organization's security posture.
"External scans for Attack Surface Rules are updated daily to ensure the latest and most relevant security visibility."
Document Reference: XSIAM Analyst ILT Lab Guide.pdf, Page 41 (Attack Surface Management section)

Question No : 4


Which attribution evidence will have the lowest confidence level when evaluating assets to determine if they belong to an organization’s attack surface?

Answer:
Explanation:
The correct answer is C - An asset attributed to the organization because the Subject Organization field contains the company name.
When determining ownership of assets in the attack surface, attribution based solely on the Subject Organization field containing the company name is less reliable than evidence based on domain registration, authoritative DNS relationships, or manual analyst validation. The Subject Organization field may contain non-unique or common names, which leads to a higher rate of false associations, so it is weaker evidence than direct registration records or explicit analyst verification.
"The confidence level is lowest when asset attribution is based on the Subject Organization field, since this field may not be unique to the organization and can result in inaccurate mapping."
Document Reference: XSIAM Analyst ILT Lab Guide.pdf, Page 42 (Attack Surface Management section)

Question No : 5


Which interval is the duration of time before an analytics detector can raise an alert?

Answer:
Explanation:
The correct answer is C - Training period.
Analytics detectors in Cortex XSIAM use a training period to establish a baseline of normal behavior. During this interval the detector learns the patterns and behaviors that are considered normal in the environment. Only after the training period is complete can the detector reliably detect anomalies and raise alerts.
The other intervals do not match the definition:
Activation period: the time from activation to full functionality.
Test period: typically an internal or manual testing stage.
Deduplication period: the time during which similar alerts are suppressed.
"Analytics detectors require an initial training period to learn normal patterns before being able to accurately raise alerts."
Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf, Page 28 (Alerting and Detection Processes section)

Question No : 6


Which type of task can be used to create a decision tree in a playbook?

Answer:
Explanation:
The correct answer is D - Conditional.
Conditional tasks are used in Cortex XSIAM playbooks to build decision trees. They provide branching logic based on the outcome of previous steps, so the playbook can automatically follow different paths and actions depending on analysis results, alert types, or input values.
"Conditional tasks in playbooks enable the construction of decision trees, supporting dynamic response automation based on pre-defined criteria and branching logic."
Document Reference: XSIAM Analyst ILT Lab Guide.pdf, Page 38 (Automation and Playbooks section)

Question No : 7


What can be used to filter out empty values in the query results table?

Answer:
Explanation:
The correct answer is C - <name of field> != null or <field name> != "NA".
Filtering with != null removes records whose field is null, and != "NA" additionally removes records that carry the literal placeholder "NA", so the table shows only meaningful results.
"Use filters like <field> != null or <field> != 'NA' in XQL queries to exclude empty or placeholder values from results."
Document Reference: XSIAM Analyst ILT Lab Guide.pdf, Page 22 (XQL section)

Question No : 8


What is the expected behavior when querying a data model with no specific fields specified in the query?

Answer:
Explanation:
The correct answer is D - The xdm_core fieldset will be returned by default.
In Cortex XSIAM, when no specific fields are selected in a data model query, the xdm_core fieldset (the essential, core fields of the dataset) is returned automatically. Analysts therefore always get a baseline set of meaningful information in the results, even when no fields are explicitly specified.
"When no fields are specified in a data model query, Cortex XSIAM defaults to returning the xdm_core field set, which contains key metadata and context."
Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf, Page 29 (Data Model section)

Question No : 9


Which attributes can be used as featured fields?

Answer:
Explanation:
The correct answer is D - Hostnames, user names, IP addresses, and Active Directory.
These attributes are commonly used and supported as featured fields in Cortex XSIAM for filtering, correlation, and highlighting key data points across incidents and alerts.
"Featured fields can include hostnames, user names, IP addresses, and Active Directory objects for enhanced alert context and searchability."
Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf, Page 18 (Endpoint Management/Incident Handling section)

Question No : 10


In the Endpoint Data context menu of the Cortex XSIAM endpoints table, where will an analyst be able to determine which users accessed an endpoint via Live Terminal?

Answer:
Explanation:
The correct answer is D - View Actions.
In the Cortex XSIAM Endpoints table, the View Actions context menu lets analysts review the history of actions performed on an endpoint, including Live Terminal access. It records actions such as isolations, scans, and terminal sessions together with the user who initiated each one, which makes it the place to determine who accessed the endpoint via Live Terminal.
"The View Actions option in the endpoints table displays a history of all performed actions, including Live Terminal sessions and the corresponding users."
Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf, Page 13 (Agent Deployment and Configuration section)

Question No : 11


A Cortex XSIAM analyst in a SOC is reviewing an incident involving a workstation showing signs of a potential breach. The incident includes an alert from Cortex XDR Analytics Alert source "Remote service command execution from an uncommon source." As part of the incident handling process, the analyst must apply response actions to contain the threat effectively.
Which initial Cortex XDR agent response action should be taken to reduce attacker mobility on the network?

Answer:
Explanation:
The correct answer is A - Isolate Endpoint.
The most effective initial response to contain a breach and reduce attacker mobility is to isolate the endpoint. Isolation cuts the compromised machine off from the network and from external systems, which blocks lateral movement and exfiltration while still allowing controlled response operations through the agent.
"Isolate Endpoint is the primary response action used to immediately contain a threat by severing all network communication, thus limiting attacker movement during active incidents."
Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf, Page 40 (Incident Handling/SOC section)

Question No : 12


A threat hunter discovers a true negative event from a zero-day exploit that is using privilege escalation to launch "Malware pdf.exe".
Which XQL query will always show the correct user context used to launch "Malware pdf.exe"?

Answer:
Explanation:
The correct answer is A - the query using the field causality_actor_effective_username.
When analyzing events in which privilege escalation was used, the analyst needs the original effective user that started the causality chain, not merely the user the process itself runs as (which is what the other fields report). The field causality_actor_effective_username provides the effective username of the actor behind the entire chain of actions that led to launching the suspicious executable.
Explanation of the fields from the official documentation:
causality_actor_effective_username: the original effective user who started the entire causality chain.
actor_process_username and action_process_username: the username of the immediate process, which does not necessarily reflect the original context once privilege escalation has occurred.
Therefore, to always identify the correct user context in privilege escalation scenarios, option A is the verified correct answer.
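The following XQL query is an added example, not a query from the lab guide, that puts Question 7 and Question 12 together: it filters out empty and placeholder values and returns the causality chain's effective user next to the per-process usernames for the "Malware pdf.exe" launch described above. It assumes the standard xdr_data dataset and its built-in process-event fields (event_type, action_process_image_name, action_process_username, actor_process_username, causality_actor_effective_username, agent_hostname); the image name is taken from the question.

```xql
// Added example (not from the lab guide). Assumes the standard xdr_data
// dataset with Cortex XDR process-event fields.
dataset = xdr_data
// Restrict to process launches of the executable named in the question.
| filter event_type = ENUM.PROCESS
    and action_process_image_name = "Malware pdf.exe"
// Question 7: drop rows where the field is null or holds the "NA" placeholder.
| filter causality_actor_effective_username != null
    and causality_actor_effective_username != "NA"
// Question 12: show the process-level users beside the causality chain's
// effective user so a privilege escalation between them is visible.
| fields _time, agent_hostname, action_process_image_name,
         action_process_username, actor_process_username,
         causality_actor_effective_username
| sort desc _time
| limit 100
```

Reading the result table, a row whose action_process_username differs from causality_actor_effective_username is the case the question is about: the process runs under an elevated account, but the chain was started by the user in causality_actor_effective_username.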

Question No : 13


Which statement applies to a low-severity alert when a playbook trigger has been configured?

Answer:
Explanation:
The correct answer is A. When a playbook trigger is configured for an alert, the playbook runs automatically when the alert is grouped into an incident, regardless of the alert's severity, unless a severity condition has been set on the playbook trigger. By default the playbook executes for any alert, including a low-severity one, as soon as that alert is grouped into an incident.
"A playbook that is configured as a trigger for an alert will automatically execute when that alert is grouped as part of an incident, independent of the alert's severity unless a specific severity threshold is set."
Document Reference: XSIAM Analyst ILT Lab Guide.pdf, Page 38 (Automation section)

Question No : 14


While investigating an incident on the Incident Overview page, an analyst notices that the playbook encountered an error. Upon playbook work plan review, it is determined that the error was caused by a timeout. However, the analyst does not have the necessary permissions to fix or create a new playbook.
Given the critical nature of the incident, what can the analyst do to ensure the playbook continues executing the remaining steps?

Answer:
Explanation:
The correct answer is D - Pause the step with the error, thus automatically triggering the execution of the remaining steps.
When a playbook encounters an error and the analyst lacks permission to modify or recreate the playbook, the recommended action is to pause the failed step. This skips the problematic step and lets the remaining steps of the playbook execute, so the investigation or response continues.
"Pausing a failed step in the playbook work plan allows the remaining steps to continue executing, useful when immediate playbook edits are not possible due to permission restrictions."
Document Reference: XSIAM Analyst ILT Lab Guide.pdf, Page 39 (Automation section)

Question No : 15


A security analyst is reviewing alerts and incidents associated with internal vulnerability scanning performed by the security operations team.
Which built-in incident domain will be assigned to these alerts and incidents in Cortex XSIAM?

Answer:
Explanation:
The correct answer is D - IT.
Alerts and incidents related to internal vulnerability scanning and other non-security operational events are categorized under the IT domain in Cortex XSIAM. This lets teams separate security-related alerts from IT operations-related ones for better incident management and prioritization.
"Incidents generated from internal IT operations, such as vulnerability scanning, are assigned to the IT domain, separating them from security-focused domains."
Document Reference: XSIAM Analyst ILT Lab Guide.pdf, Page 28 (Alerting and Detection Processes section)
