Paloalto Networks XSIAM Engineer 시험

Question No : 1

A Behavioral Threat Protection (BTP) alert is triggered with an action of "Prevented (Blocked)" on one of several application servers running Windows Server 2022. The investigation determines the involved processes to be legitimate core OS binaries, and the description from the triggered BTP rule is an acceptable risk for the company to allow the same activity in the future.
This type of activity is only expected on the endpoints that are members of the endpoint group "AppServers," which already has a separate prevention policy rule with an exceptions profile named "Exceptions-AppServers" and a malware profile named "Malware-AppServers."
The CGO that was terminated has the following properties:
SHA256: eb71ea69dd19f728ab9240565e8c7efb59821e19e3788e289301e1e74940c208
File path: C:\Windows\System32\cmd.exe
Digital Signer: Microsoft Corporation
How should the exception be created so that it is scoped as narrowly as possible to minimize the security gap?

• A.Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to the "Exceptions-AppServers" profile.
• B.Create a Disable Prevention Rule via Exceptions Configuration with the following selections:
  
  
• C.Create a Legacy Agent Exception via Exceptions Configuration with the following selections:
  
  
• D.Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to "Global."

답을 확인하기

정답:
Explanation:
The most secure approach is to create a Disable Prevention Rule via Exceptions Configuration, scoped specifically to the Exceptions-AppServers profile. This rule should include the hash (SHA256), signer (Microsoft Corporation), and file path (C:\Windows\System32\cmd.exe). This ensures the exception is applied only to the trusted, legitimate process on the AppServers group while minimizing the security gap.

Question No : 2

A file for a support exception that needs to be updated locally on a Linux endpoint has been supplied.
Which cytool command will upload this support exception file to the endpoint?

• A.cytool upload suexfile -target </local/file/path>
• B.cytool upload suex -file </local/file/path>
• C.cytool import suex -path </local/file/path>
• D.cytool import suexfile -path </local/file/path>

답을 확인하기

정답:
Explanation:
The correct command is cytool import suex -path </local/file/path>, which imports a supplied support exception (suex) file onto a Linux endpoint, ensuring the exception is applied locally.

Question No : 3

What is the primary function of the URL "https://<region>-docker.pkg.dev" in the context of a Palo Alto Networks infrastructure?

• A.It downloads Docker content updates.
• B.It downloads Kubernetes images for agent installation.
• C.It imports Docker licensing.
• D.It downloads Engine Docker containers.

답을 확인하기

정답:
Explanation:
The URL https://<region>-docker.pkg.dev is used in Palo Alto Networks infrastructure to download Engine Docker containers. This ensures the Cortex XSIAM engine components are pulled securely from the regional Docker registry.

Question No : 4

A Cortex XSIAM engineer at a SOC downgrades a critical threat intelligence content pack from the Cortex Marketplace while performing routine maintenance. As a result, the SOC team loses access to the latest threat intelligence data.
Which action will restore the functionality of the content pack to its previously installed version?

• A.Contact Palo Alto Networks Support to create an exception to revert to the previously installed version.
• B.Back up the current configuration and data, then revert to the previously installed version.
• C.Remove all integrations and playbooks associated with the content pack, then revert to the previously installed version.
• D.Directly reinstall the previously installed version over the current one.

답을 확인하기

정답:
Explanation:
To restore the content pack to its previously installed version, the engineer can directly reinstall the desired version from the Cortex Marketplace. Content packs support version management, allowing rollback or upgrade without requiring support intervention or removing existing configurations.

Question No : 5

The following string is a value of a key named "Data2" in the context:
{"@admin":"admin","@dirtyld":"1","@loc":"Lab","@name":"default#1","@oldname":"Test","@time":"2024 /08/28 07:45:15","alert":{"@admin":"admin","@dirtyld":"2","@time":"2024/08/28 07:45:15","member": {"#text":"
Based on the image below, what will be displayed in the "Test result" field when the "Test" button is pressed?

• A.1
• B."1
• C.2
• D."2

답을 확인하기

정답:
Explanation:
The applied transformers extract the value of @dirtyId from the root-level Data2 object. The sequence includes trimming using "Id:" and ending with a quotation mark ". As a result, the root @dirtyId value (1) is returned with a leading quotation mark, so the Test result will display "1.

Question No : 6

In which two locations can correlation rules be monitored for errors? (Choose two.)

• A.XDR Collector audit logs (type = Rules, subtype = Error)
• B.correlations_auditing dataset through XQL
• C.Management audit logs (type = Rules, subtype = Error)
• D.Alerts table as a health alert

답을 확인하기

정답:
Explanation:
Correlation rule errors can be tracked in XDR Collector audit logs (type = Rules, subtype = Error) and by querying the correlations_auditing dataset through XQL. These provide visibility into execution issues and failures for correlation rules.

Question No : 7

Which installer type should be used when upgrading a non-Linux Kubernetes cluster?

• A.Standalone
• B.Helm
• C.Upgrade from ESM
• D.Kubernetes

답을 확인하기

정답:
Explanation:
For upgrading a non-Linux Kubernetes cluster, the correct installer type is Helm, since Helm charts are the supported method for deploying and managing Cortex XDR agents in Kubernetes environments.

Question No : 8

What should be considered when creating a custom incident domain?

• A.Alert grouping will not apply, but SmartScore will.
• B.Alert grouping will apply, but SmartScore will not.
• C.Alert grouping and SmartScore will not be applied to incidents.
• D.Alert grouping and SmartScore will be applied to incidents.

답을 확인하기

정답:
Explanation:
When creating a custom incident domain in Cortex XSIAM, alert grouping still applies, allowing related alerts to be combined into incidents. However, SmartScore is not applied, since it is reserved for predefined domains.

Question No : 9

Cortex XSIAM has not received any logs for 30 minutes from a Palo Alto Networks NGFW named "MainFW.” An engineer wants to create an alert for this scenario.
Correlation rule settings include:



Time Schedule: Every 30 minutes



Query Timeframe: 30 minutes



Action: Generate alert



Alert Name: No logs received from MainFW in the past 30 minutes
Which query should be used in the correlation rule?
A)



B)



C)



D)

• A.Option A
• B.Option B
• C.Option C
• D.Option D

답을 확인하기

정답:
Explanation:
The correct query is the one using preset = metrics_view with comp sum(total_event_count) as total_events by _reporting_device_name and filtering total_events = 0.
This query directly checks event counts reported by the NGFW ("MainFW"). If no logs are received in the last 30 minutes, the total event count will be 0, which triggers the correlation rule alert.

Question No : 10

What is the purpose of using rolling tokens to manage Cortex XDR agents?

• A.To periodically rotate encryption keys used for tenant communication
• B.To perform administration on agents without requiring static credentials
• C.To authorize agents to download and install content updates D To temporarily disable the agents during maintenance windows

답을 확인하기

정답:
Explanation:
Rolling tokens in Cortex XDR are used to perform administration on agents without relying on static credentials. This improves security by providing time-limited, automatically rotating tokens that maintain agent management access without exposing long-lived credentials.

Question No : 11

Which common issue can result in sudden data ingestion loss for a data source that was previously successful?

• A.Data source is using an unsupported data format.
• B.Data source has reached its maximum storage capacity.
• C.Data source has reached its end of life for support.
• D.API key used for the integration has expired.

답을 확인하기

정답:
Explanation:
A sudden data ingestion loss for a previously successful data source commonly occurs when the API key used for the integration has expired, breaking authentication and preventing further log collection.

Question No : 12

What is the primary benefit of setting the "--memory-swap" option to "-1" during Cortex XSIAM engine deployment?

• A.It enhances the network throughput by optimizing memory usage.
• B.It increases the total disk space available to the engine.
• C.It allows the engine to operate without requiring swap capabilities.
• D.It automatically doubles the available RAM to the engine.

답을 확인하기

정답:
Explanation:
Setting the "--memory-swap" option to "-1" during Cortex XSIAM engine deployment configures the container to run without requiring swap capabilities. This ensures the engine operates fully within allocated RAM, improving stability and avoiding issues related to memory swapping.

Question No : 13

What is the role of "in" in the query line below?
action_local_port in (1122, 2234)

• A.Operand
• B.Operator
• C.Function
• D.Range

답을 확인하기

정답:
Explanation:
In the query action_local_port in (1122, 2234), the word "in" functions as an operator. It checks whether the field action_local_port matches any value in the specified list (1122, 2234).

Question No : 14

A systems engineer overseeing the integration of data from various sources through data pipelines into Cortex XSIAM notices modifications occurring during the ingestion process, and these modifications reduce the accuracy of threat detection and response. The engineer needs to assess the risks associated with the pre-ingestion data modifications and develop effective solutions for data integrity and system efficacy.
Which set of steps must be followed to meet these goals?

• A.Develop an advanced monitoring system to track and log all changes made to data during ingestion, and use analytics to compare pre- and post-ingestion states based on XDM to identify and mitigate discrepancies.
• B.Design a hybrid approach for critical data fields to be safeguarded against modifications during ingestion, while less critical data fields undergo allowable modifications that are rectified post-ingestion by using XDM to balance performance with data integrity.
• C.Implement a pre-ingestion data validation process that aligns with the post-ingestion standards set by XDM, ensuring data consistency and integrity before it enters Cortex XSIA
• D.Establish a process to minimize data modifications during ingestion, prioritizing raw data capture and using XDM post-ingestion for necessary transformations and integrity checks.

답을 확인하기

정답:
Explanation:
The best approach is to minimize data modifications during ingestion, prioritizing raw data capture to preserve accuracy. Then, apply XDM (XSIAM Data Model) transformations and integrity checks post-ingestion. This ensures that threat detection and response are based on unaltered, high-fidelity data while still enabling normalization and enrichment after ingestion.

Question No : 15

Which action will prevent the automatic extraction of indicators such as IP addresses and URLs from a script's output?

• A.Add 'ExtractIndicators': False to the script.
• B.Add 'IgnoreAutoExtract': True to the script.
• C.Use 'AutoExtract': False in the script.
• D.Set 'IndicatorExtraction': None in the script.

답을 확인하기

정답:
Explanation:
To prevent Cortex XSIAM from automatically extracting indicators (like IPs, domains, and URLs) from a script’s output, you must use 'AutoExtract': False in the script. This disables the auto-extraction mechanism for that script.