Palo Alto Networks XSIAM Engineer - XSIAM-Engineer Exam Practice Test

Question 1

In which two locations can correlation rules be monitored for errors? (Choose two.)

A. correlations_auditingdataset through XQL

B. XDR Collector audit logs (type = Rules, subtype = Error)

C. Alerts table as a health alert

D. Management audit logs (type = Rules, subtype = Error)

Correct Answer: A,B

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 2

When a newly installed agent is not reporting telemetry to Cortex XSIAM, which two steps should you check first? (Choose two)

A. Assigned user permission groups

B. Agent certificate status

C. Broker VM version compatibility

D. Agent connectivity to Cortex gateways

Correct Answer: B,D

Question 3

Which section of a parsing rule defines the newly created dataset?

A. INGEST

B. RULE

C. COLLECT

D. CONST

Correct Answer: C

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 4

Cortex XSIAM has not received any logs for 30 minutes from a Palo Alto Networks NGFW named
"MainFW." An engineer wants to create an alert for this scenario.
Correlation rule settings include:
- Time Schedule: Every 30 minutes
- Query Timeframe: 30 minutes
- Action: Generate alert
- Alert Name: No logs received from MainFW in the past 30 minutes
Which query should be used in the correlation rule?

A.

B.

C.

D.

Correct Answer: C

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 5

An engineer is conducting a threat actor emulated test to determine which Cortex XDR module would provide protection or alert on a real-world attack. The first test was prevented.
Which action must the engineer take to enable continued testing?

A. Remove the hash from the restrictions profile.

B. Add an indicator exclusion.

C. Change the profile from "alert" to "prevent" for the BTP module.

D. Add a prevention rule.

Correct Answer: B

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 6

An engineer wants to onboard data from a third-party vendor's firewall. There is no content pack available for it, so the engineer creates custom data source integration and parsing rules to generate a dataset with the firewall data.
How can the analytics capabilities of Cortex XSIAM be used on the data?

A. Create a correlation rule on the network fields (source IP, source port, target IP, target port, IP protocol).

B. Create a data model rule with network fields mapped (source IP, source port, target IP, target port, IP protocol).

C. Create a behavioral indicator of compromise (BIOC) rule on the network fields (source IP, source port, targe

D. Create a parsing rule and ensure the network fields exist (source IP, source port, target IP, target port, IP protocol).

Correct Answer: B

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Question 7

Which action is required to enable use of a custom script in an alert layout?

A. Tag the script with "dynamic-section," add a general purpose dynamic section, and edit the section settings to add the automation script.

B. Tag the script with "general-purpose-dynamic-section," add a custom script section, and edit the section settings to add the automation script.

C. Add a general purpose dynamic section and edit the section settings to add the automation script.

D. Tag the script with "general-purpose-dynamic-section," add a general purpose dynamic section, and edit the section settings to add the automation script.

Correct Answer: D

Explanation: Only visible for Actualtests4sure members. You can sign-up / login (it's free).

Palo Alto Networks XSIAM Engineer - XSIAM-Engineer Exam Practice Test

Latest Update

Useful Links

Contact Us