Palo Alto Networks XSIAM Analyst XSIAM-Analyst Exam Questions

Page: 1 / 14
Total 50 questions
Question 1

A security analyst is reviewing alerts and incidents associated with internal vulnerability scanning performed by the security operations team.

Which built-in incident domain will be assigned to these alerts and incidents in Cortex XSIAM?



Answer : D

The correct answer is D -- IT.

Alerts and incidents related to internal vulnerability scanning and other non-security operational events are categorized under the IT domain in Cortex XSIAM. This allows teams to differentiate between security-related and IT operations--related alerts for better incident management and prioritization.

'Incidents generated from internal IT operations, such as vulnerability scanning, are assigned to the IT domain, separating them from security-focused domains.'

Document Reference: XSIAM Analyst ILT Lab Guide.pdf

Page: Page 28 (Alerting and Detection Processes section)


Question 2

Which Cytool command will re-enable protection on an endpoint that has Cortex XDR agent protection paused?



Answer : A

The correct answer is A -- cytool security enable.

The command cytool security enable is used to re-enable Cortex XDR agent protection on an endpoint after it has been paused or disabled. This command restores all core security functions as per XDR agent configuration.

''Use the cytool security enable command to re-enable the Cortex XDR agent's protection if it has been paused on an endpoint.''

Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf

Page: Page 13 (Agent Deployment and Configuration section)

===========


Question 3

In which two locations can mapping be configured for indicators? (Choose two.)



Answer : A, B

The correct answers are A (Feed Integration settings) and B (Classification & Mapping tab).

Feed Integration settings: Mapping of indicator fields can be configured directly within the feed integration configuration, allowing incoming threat intelligence feeds to be parsed and mapped correctly to XSIAM fields.

Classification & Mapping tab: This tab is available in various integration and indicator settings, enabling detailed field mapping and classification logic for incoming indicators.

'Mapping for indicators can be set within the Classification & Mapping tab or during Feed Integration setup to ensure proper parsing and normalization.'

Document Reference: XSIAM Analyst ILT Lab Guide.pdf

Page: Page 36 (Threat Intel Management section)

===========


Question 4

Which type of analytics will trigger the alert on the image shown?



Answer : D

Comprehensive and Detailed Explanation From Exact Extract:

The correct answer is D -- Anomaly.

In Cortex XSIAM, Anomaly analytics are designed to trigger alerts when a monitored activity deviates significantly from the established baseline or historical average. In the image, the 'Failed login by non-existent users on host' metric remains at zero for several days and then suddenly spikes to 267 and 381---far above the average threshold. This significant deviation from the established norm is identified by the analytics engine as an anomaly and will trigger an alert for further investigation.

''Anomaly analytics identify significant deviations from established baselines or averages, such as unusual spikes in failed login attempts or other behavioral outliers, and trigger alerts for potential threats.''

Document Reference: XSIAM Analyst ILT Lab Guide.pdf

Page: Page 28 (Alerting and Detection section)


Question 5

A Cortex XSIAM analyst in a SOC is reviewing an incident involving a workstation showing signs of a potential breach. The incident includes an alert from Cortex XDR Analytics Alert source "Remote service command execution from an uncommon source." As part of the incident handling process, the analyst must apply response actions to contain the threat effectively.

Which initial Cortex XDR agent response action should be taken to reduce attacker mobility on the network?



Answer : A

The correct answer is A -- Isolate Endpoint.

The most effective initial response to contain a breach and reduce attacker mobility is to isolate the endpoint. This action ensures that the compromised machine can no longer communicate with the network or external systems, effectively cutting off lateral movement and exfiltration by attackers, while still allowing controlled response operations.

'Isolate Endpoint is the primary response action used to immediately contain a threat by severing all network communication, thus limiting attacker movement during active incidents.'

Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf

Page: Page 40 (Incident Handling/SOC section)


Question 6

A SOC team member implements an incident starring configuration, but incidents created before this configuration were not starred.

What is the cause of this behavior?



Answer : D

The correct answer is D -- Starring configuration is applied to the newly created alerts, and the incident is subsequently starred.

Incident starring configuration in Cortex XSIAM is not retroactive. It only applies to new alerts and incidents created after the configuration is implemented. Pre-existing incidents are not starred automatically and must be managed manually if needed.

'Starring configurations take effect for new alerts and incidents created after the configuration is applied. Existing incidents are not updated retroactively.'

Document Reference: XSIAM Analyst ILT Lab Guide.pdf

Page: Page 33 (Incident Handling and Response section)


Question 7

Based on the image below, which two determinations can be made from the causality chain? (Choose two.)



Answer : B, D

Comprehensive and Detailed Explanation From Exact Extract:

D (Correct): The process cmd.exe is marked as the Causality Group Owner (GCO) in the image, meaning it is the root process responsible for spawning or causing the rest of the chain, including the execution of Malware.pdf.exe.

B (Correct): The alert icons shown next to Malware.pdf.exe are typical when the malware profile is set to 'Report' mode, which allows detection and alerting on the behavior without actively blocking it (otherwise, the process would not execute fully, and you'd see prevention action).

A (Incorrect): While Malware.pdf.exe is shown as responsible for generating the alerts, the entire chain starts from cmd.exe, not Malware.pdf.exe.

C (Incorrect): The image shows two alert icons, not three, so this statement cannot be determined as true from the causality chain.

'The GCO (Causality Group Owner) in the causality chain visual indicates the parent/root process. If a prevention profile is set to Report, the process is logged and not blocked.'

Document Reference: XSIAM Analyst ILT Lab Guide.pdf, Page 46 (Incident Handling -- Causality Investigation)


Page:    1 / 14   
Total 50 questions