XSIAM-ANALYST Exam Questions
60 real XSIAM-ANALYST exam questions with expert-verified answers and explanations. Page 1 of 2.
- Question #1
Which type of task can be used to create a decision tree in a playbook?
- Question #2
A Cortex XSIAM analyst is investigating a security incident involving a workstation after having deployed a Cortex XDR agent for 45 days. The incident details include the Cortex XD...
- Question #3
Which Cytool command will re-enable protection on an endpoint that has Cortex XDR agent protection paused?
- Question #4
A Cortex XSIAM analyst is reading a blog that references an unfamiliar critical zero-day vulnerability. This vulnerability has been weaponized, and there is evidence that it is bei...
- Question #5
While investigating an alert, an analyst notices that a URL indicator has a related alert from a previous incident. The related alert has the same URL, but it resolved to a differe...
- Question #6
Which two actions will allow a security analyst to review updated commands from the core pack and interpret the results without altering the incident audit? (Choose two.)
- Question #7
Based on the artifact details in the image below, what can an analyst infer from the hexagon-shaped object with the exclamation mark (!) at the center?
- Question #8
An analyst is responding to a critical incident involving a potential ransomware attack. The analyst immediately initiates full isolation on the compromised endpoint using Cortex X...
- Question #9
In addition to defining the Rule Name and Severity Level, which step or set of steps accurately reflects how an analyst should configure an indicator prevention rule before reviewi...
- Question #10
During an investigation, an analyst runs the reputation script for an indicator that is listed as Suspicious. The new reputation results display in the War Room as Malicious; howev...
- Question #11
Which two statements apply to IOC rules? (Choose two.)
- Question #12
What is the cause when alerts generated by a correlation rule are not creating an incident?
- Question #13
While investigating an incident on the Incident Overview page, an analyst notices that the playbook encountered an error. Upon playbook work plan review, it is determined that the...
- Question #14
Which configuration will ensure any alert involving a specific critical asset will always receive a score of 100?
- Question #15
How would Incident Context be referenced in an alert War Room task or alert playbook task?
- Question #16
Which feature terminates a process during an investigation?
- Question #17
Which statement applies to a low-severity alert when a playbook trigger has been configured?
- Question #18
A threat hunter discovers a true negative event from a zero-day exploit that is using privilege escalation to launch "Malware.pdf.exe." Which XQL query will always show the correct...
- Question #19
Based on the image below, which two additional steps should a SOC analyst take to secure the endpoint? (Choose two.)
- Question #20
During an investigation of an alert with a completed playbook, it is determined that no indicators exist from the email "[email protected]" in the Key Assets & Artifacts tab of th...
- Question #21
In the Endpoint Data context menu of the Cortex XSIAM endpoints table, where will an analyst be able to determine which users accessed an endpoint via Live Terminal?
- Question #22
A security analyst has been assigned a ticket from the help desk stating that users are experiencing errors when attempting to open files on a specific network share. These errors...
- Question #23
A security analyst has been assigned a ticket from the help desk stating that users are experiencing errors when attempting to open files on a specific network share. These errors...
- Question #24
Two security analysts are collaborating on complex but similar incidents. The first analyst merges the two incidents into one for easier management. The other analyst immediately d...
- Question #25
Which type of analytics will trigger the alert on the image shown?
- Question #26
What can be used to filter out empty values in the query results table?
- Question #27
An alert for malware propagation triggers an incident. The associated playbook isolates the endpoint and notifies the SOC team. What advantages does this approach provide? (Choose...
- Question #28
In the Identity Threat Detection and Response (ITDR) module, what does "compromised identity" typically indicate?
- Question #29
Which option allows continuous monitoring and triage of evolving threats?
- Question #30
You are hunting for endpoints that have recently executed PowerShell commands. Which two XQL query steps are appropriate?
- Question #31
Which dataset should an analyst search when looking for Palo Alto Networks NGFW logs?
- Question #32
In which two locations can mapping be configured for indicators? (Choose two.)
- Question #33
An analyst conducting a threat hunt needs to collect multiple files from various endpoints. The analyst begins the file retrieval process by using the Action Center, but upon revie...
- Question #34
Which interval is the duration of time before an analytics detector can raise an alert?
- Question #35
Which two actions can an analyst take to reduce the number of false positive alerts generated by a custom BIOC? (Choose two.)
- Question #36
For a critical incident, Cortex XSIAM suggests several playbooks which should have been executed automatically. Why were the playbooks not executed?
- Question #37
What information is provided in the timeline view of Cortex XSIAM?
- Question #38
Which two methods can be used to create and share queries into the Query Library? (Choose two.)
- Question #39
You observe that a CVE is impacting multiple assets. How can you use ASM to investigate further? (Choose two.)
- Question #40
An alert fires indicating lateral movement between endpoints. It was triggered after evaluating multiple unrelated activities, such as credential access and abnormal port scanning....
- Question #41
An alert involves credential dumping. Reviewing the causality chain, you notice the following: - lsass.exe is accessed by powershell.exe - Prior to this, cmd.exe launched the Power...
- Question #42
Based on the image below, which two determinations can be made from the causality chain? (Choose two.)
- Question #43
How can a SOC analyst highlight alerts generated on C-level executive hosts?
- Question #44
Which query will hunt for only incoming traffic from 99.99.99.99 when all log sources have been mapped to XDM?
- Question #45
Which pane in the User Risk View will identify the country from which a user regularly logs in, based on the past few weeks of data?
- Question #46
Which attributes can be used as featured fields?
- Question #47
A SOC team member implements an incident starring configuration, but incidents created before this configuration were not starred. What is the cause of this behavior?
- Question #48
An incident in Cortex XSIAM contains the following series of alerts: 10:24:17 AM - Informational Severity - XDR Analytics BIOC - Rare process execution in organization 10:24:18 AM...
- Question #49
Which attribution evidence will have the lowest confidence level when evaluating assets to determine if they belong to an organization's attack surface?
- Question #50
When a sub-playbook loops, which task tab will allow an analyst to determine what data the sub-playbook used in each iteration of the loop?