Palo_Alto_Networks
XSIAM-ENGINEER · Question #23
XSIAM-ENGINEER Question #23: Real Exam Question with Answer & Explanation
Sign in or unlock XSIAM-ENGINEER to reveal the answer and full explanation for question #23. The question stem and answer options stay visible for context.
Question
A Behavioral Threat Protection (BTP) alert is triggered with an action of "Prevented (Blocked)" on one of several application servers running Windows Server 2022. The investigation determines the involved processes to be legitimate core OS binaries, and the description from the triggered BTP rule is an acceptable risk for the company to allow the same activity in the future. This type of activity is only expected on the endpoints that are members of the endpoint group "AppServers," which already has a separate prevention policy rule with an exceptions profile named "Exceptions-AppServers" and a malware profile named "Malware-AppServers." The CGO that was terminated has the following properties: - SHA256: eb71ea69dd19f728ab9240565e8c7efb59821e19e3788e289301e1e74940c208 - File path: C:\Windows\System32\cmd.exe - Digital Signer: Microsoft Corporation How should the exception be created so that it is scoped as narrowly as possible to minimize the security gap?
Options
- ACreate the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path,
- BCreate a Disable Prevention Rule via Exceptions Configuration with the following selections:
- CCreate a Legacy Agent Exception via Exceptions Configuration with the following selections:
- DCreate the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path,
Unlock XSIAM-ENGINEER to see the answer
You've previewed enough free XSIAM-ENGINEER questions. Unlock XSIAM-ENGINEER for full answers, explanations, the timed quiz mode, progress tracking, and the master PDF. Question stem and options stay visible so you can still see what's on the exam.