Q1

A SOC analyst at a financial institution is investigating a high-severity incident involving a compromised domain controller. The analyst needs to understand the full sequence of events, from initial access on a user's workstation to the final actions on the server. The analyst finds that the Causality Chain view for the incident seems to terminate after a `svchost.exe` process, failing to show the subsequent lateral movement. Which of the following is the most likely reason for this incomplete visualization?

Q2

A security architect is designing a playbook for responding to alerts indicating a successful multi-factor authentication (MFA) push bombing attack. The playbook needs to be efficient and modular. The core remediation steps—disabling the user account, forcing a password reset, and isolating endpoints—are common to several other identity-based incident types. What is the most effective way to structure this automation in XSIAM to maximize reusability and simplify maintenance?

Q3

An analyst needs to create a scheduled XQL query that runs daily to identify any endpoint that has communicated with more than 10 distinct, newly registered domains (NRDs) in the last 24 hours. The results must be grouped by endpoint name. Which of the following XQL queries correctly accomplishes this task?

Q4 (Multiple answers)

A security team has integrated a third-party threat intelligence feed that provides SHA256 hashes of known malware. An analyst notices that for a specific hash, this feed provides a 'malicious' verdict, while Palo Alto Networks WildFire provides a 'benign' verdict. When an incident is created involving this hash, which two factors primarily determine the final verdict displayed in the XSIAM incident? (Select TWO)

Q5

True or False: When an endpoint is isolated using XSIAM, it is completely disconnected from the network and cannot communicate with any system, including the Cortex XDR management service.

Q6

An analyst is reviewing a BIOC alert titled 'Suspicious Child Process Created by a Microsoft Office Application'. The alert was triggered because `winword.exe` spawned `powershell.exe`. While this can be malicious, the company's finance team uses a legitimate, signed macro-enabled spreadsheet that runs a PowerShell script to fetch stock data. How can the analyst tune this alert to reduce false positives from the finance team without disabling the detection for all other users?

Q7

A SOC manager wants to create a dashboard that tracks the mean time to resolve (MTTR) for incidents handled by different analyst shifts (Day, Swing, Night). The analyst shift is not a standard field in the XDM but is recorded as a tag on each incident upon assignment. Which XQL function is essential for calculating the MTTR per shift tag for this dashboard widget?

Q8

During an investigation, an analyst uses the Live Terminal to connect to a Windows server and runs a command to list active network connections. The analyst wants to save the output of this command as evidence directly associated with the incident. What is the standard procedure for this within the XSIAM interface?

Q9

A new Attack Surface Management (ASM) rule has been created to identify all externally-facing web servers running a specific version of Apache known to be vulnerable to a new zero-day exploit. What is the primary function of this rule within XSIAM?

Q10

An XSIAM playbook task fails due to a temporary API rate-limiting error when trying to query an external service. The playbook developer needs to ensure that the playbook retries the task automatically before failing completely. Which playbook component should be configured to achieve this?

```mermaid
flowchart TD
    Start --> Task{Query External API}
    Task -->|Success| Continue[Process Data]
    Task -->|Failure| Handle_Error{Handle Error}
    Handle_Error -->|Retryable?| Retry_Logic
    Handle_Error -->|Not Retryable?| Fail[End Playbook]
    Retry_Logic -- After 5 mins --> Task
    Continue --> End([End])
```