Free XSIAM-Engineer Sample Questions — Palo Alto Networks XSIAM Engineer

What should be considered when creating a custom incident domain?

• A. Alert grouping will not apply, but SmartScore will
• B. Alert grouping will apply, but SmartScore will not
• C. Alert grouping and SmartScore will not be applied to incidents
• D. Alert grouping and SmartScore will be applied to incidents

Which field is automatically mapped from the dataset to the data model when creating a data model rule?

• A. _event_type
• B. _insert_time
• C. _host_name
• D. _cloud_id

Which type of parsing error is categorized in the dataset "parsing_rules_errors"?

• A. Compilation
• B. Unrecognized code
• C. Invalid syntax
• D. Data mismatch

In the Incident War Room, which command is used to update incident fields identified in the incident layout?

• A. !setIncidentFields
• B. !setParentIncidentFields
• C. !setParentIncidentContext
• D. !updateParentIncidentFields

A sub-playbook is configured to loop with a For Each Input. The following inputs are given to the sub-playbook: Input x: W,X,Y,Z - Input y: a,b,c,d - Input z: 9 - Which inputs will be used for the second iteration of the loop?

• A. a,b,c,d
• B. X,b,9
• C. X,b
• D. X,b,c

During a new Cortex XSIAM deployment, a user consistently experiences timeout sessions while trying to connect to the agent through Live Terminal, even though the firewall engineer has confirmed that all source IP addresses, port 443, and destinations are allowed. What could be causing these persistent timeout issues?

• A. User does not have administrative privileges on the managed endpoint
• B. SSL Decryption is currently being used to inspect the underlying traffic
• C. NTP is not synchronized with the server time
• D. Live Terminal feature is not supported on the current OS

When activating the Cortex XSIAM tenant, how is the data at rest configured with AES 128 encryption?

• A. Under Advanced -> Encryption Method, choose the desired encryption method during the initial setup of the tenant
• B. Under Advanced, choose "BYOK," and adhere to the wizard's instructions as outlined in the encryption method section
• C. Create encryption keys with AES 128 and upload it securely through Cortex Gateway
• D. Under Advanced -> Encryption Method, choose the desired encryption method after the initial setup of the tenant

An application which ingests custom application logs is hosted in an on-premises virtual environment on an Ubuntu server, and it logs locally to a .csv file. Which set of actions will allow the ingestion of the .csv logs into Cortex XSIAM directly from the server?

• A. Install a Broker VM in the environment, and configure the CSV Collector to collect the files of interest
• B. Install a Cortex XDR agent on the Ubuntu server, and configure the agent to collect the files of interest
• C. Install a Broker VM in the environment, and migrate the application to the Broker VM
• D. Install XDR Collector on the Ubuntu server, and configure the agent to collect the files of interest

What is the primary benefit of setting the "--memory-swap" option to "-1" during Cortex XSIAM engine deployment?

• A. It enhances the network throughput by optimizing memory usage
• B. It increases the total disk space available to the engine
• C. It allows the engine to operate without requiring swap capabilities
• D. It automatically doubles the available RAM to the engine

When a Cortex XSIAM playbook execution reaches a breakpoint on a non-manual task, which two actions will allow the playbook to continue? (Choose two.)

• A. Disable the breakpoint and rerun the playbook from the start
• B. Skip the task with the breakpoint to let the playbook proceed automatically
• C. Wait for all parallel tasks to be completed before the breakpoint task resumes automatically
• D. Click Run Script Now or Complete Manually

A security engineer notices that in the past week ingestion has spiked significantly. Upon investigating the anomaly, it is determined that a custom application developed in-house caused the spike. The custom application is sending syslog to the Broker VM Syslog Collector applet. The engineer consults with the SOC analyst, who determines that 90% of the logs from the custom application are not used. What can the engineer configure to reduce the ingestion?

• A. Parsing rule to drop the unnecessary data at the Broker VM
• B. Data model rule to drop the unnecessary data
• C. Correlation rule on the Cortex XSIAM server to drop the unnecessary data
• D. Data model rule to map the useful data

Which cytool command will look up the policy being applied to a Cortex XDR agent?

• A. cytool adaptive_policy interval 0
• B. cytool payload_execution query
• C. cytool adaptive_policy recalc
• D. cytool persist print agent_settings.db

A CISO has asked an engineer to create a custom dashboard in Cortex XSIAM that can be filtered to show incidents assigned to a specific user. Which feature should be used to filter the incident data in the dashboard?

• A. Filters and inputs in the custom dashboard
• B. Report template to set the incident user filter
• C. Visualization filter options in the widget configuration
• D. Incident summary view to filter by user

Which action will prevent the automatic extraction of indicators such as IP addresses and URLs from a script's output?

• A. Add 'ExtractIndicators': False to the script
• B. Add 'IgnoreAutoExtract': True to the script
• C. Use 'AutoExtract': False in the script
• D. Set 'IndicatorExtraction': None in the script

While using the remote repository on a Development XSIAM tenant, which two objects can be pushed or pulled to the remote repository? (Choose two.)

• A. Scripts
• B. Parsing rules
• C. Lists
• D. Layouts