Question 1

Which two requirements must be met for a Cortex XDR agent to successfully use the Broker VM as a download source for content updates? (Choose two.)

Accepted Answer

B, C

Explanation: For a Cortex XDR agent to successfully use a Broker VM for content updates, two key configurations are required. First, the agent must be instructed where to look for the updates. This is configured within an Agent Settings profile in the Cortex XDR management console, where the Broker VM's address is specified as a download source. Second, for the connection to be secure and reliable, the Broker VM must be identified by a Fully Qualified Domain Name (FQDN). This is critical for proper TLS certificate validation, as Palo Alto Networks recommends using the FQDN in the certificate's Common Name (CN) to prevent security errors that would block a successful connection.

Question 2

What is the purpose of using rolling tokens to manage Cortex XDR agents?

Accepted Answer

B

Explanation: Rolling tokens, referred to as "temporary agent passwords" in Cortex XDR documentation, are generated on-demand from the management console to provide time-limited authorization for administrative actions on an endpoint. Their primary purpose is to enable secure management tasks, such as using the Cytool command-line utility to disable protection or uninstall the agent, without relying on a static, long-lived password. This enhances security by preventing the misuse of a persistent credential and ensuring that administrative access is granted only for a specific, temporary period.

Question 3

Which action will prevent the automatic extraction of indicators such as IP addresses and URLs from a script's output?

Accepted Answer

B

Explanation: In Palo Alto XSIAM (and Cortex XSOAR), automation scripts can return data to the War Room. By default, the platform parses this human-readable output to automatically find and extract indicators like IP addresses, URLs, and file hashes. To disable this behavior for a specific script output, the script must return an entry object that includes the key-value pair 'IgnoreAutoExtract': True. This flag explicitly instructs the system to bypass the automatic indicator extraction and enrichment process for that particular entry, preventing the indicators within the script's output from being added to the incident's context automatically.

Question 4

While using the remote repository on a Development XSIAM tenant, which two objects can be pushed or pulled to the remote repository? (Choose two.)

Accepted Answer

A, C

Explanation: The Cortex XSIAM remote repository feature facilitates a CI/CD workflow for managing custom content development. It allows developers to use a Git-based version control system to push and pull content packs between a development tenant and the repository. According to the official documentation, the supported content items for this feature include core automation and data objects. Scripts (containing automation logic) and Lists (custom data sets, also known as iLists) are two of the fundamental content types that can be managed through this push/pull mechanism.

Question 5

Which common issue can result in sudden data ingestion loss for a data source that was previously successful?

Accepted Answer

D

Explanation: A previously successful data ingestion process that suddenly stops is most commonly due to an authentication or authorization failure. API keys, tokens, and other credentials used to establish a connection between XSIAM and a data source are often configured with an expiration date for security purposes. When the key expires, the data source rejects XSIAM's connection attempts, leading to an abrupt halt in data ingestion. This aligns perfectly with the scenario of a previously functional integration suddenly failing without any other configuration changes.

Question 6

A Cortex XDR agent is installed on an endpoint, but the agent is unable to download content updates
and has not registered with the Cortex XSIAM server. An engineer troubleshoots the network
connection and determines that, by design, this endpoint does not have direct internet access to the
required network destinations for the Cortex XDR agent traffic.
A Broker VM that has the local agent settings applet enabled with Agent Proxy configured is
reachable by the endpoint. The Broker VM details are as follows:
FQDN: crtxbroker01.company.net
Proxy listening port: 8888
How should the engineer configure the Cortex XDR agent to use the existing Broker VM as a proxy for
the agent network traffic?

Accepted Answer

B

Explanation: The cytool command-line utility is used for local administration of the Cortex XDR agent on an endpoint. To configure the agent to use a proxy server, the config proxy command is used. Option B provides the correct syntax, where cytool config proxy is the command group, followed by the --host and --port flags to specify the FQDN and listening port of the Broker VM acting as a proxy. This structure correctly applies the necessary network configuration for the agent to communicate through the designated proxy.

Question 7

A Cortex XSIAM engineer is developing a playbook that uses reputation commands such as '!ip' to
enrich and analyze indicators.
Which statement applies to the use of reputation commands in this scenario?

Accepted Answer

B

Explanation: Reputation commands, such as !ip, are generic commands that function by querying one or more underlying threat intelligence integration instances (e.g., VirusTotal, AbuseIPDB, etc.). For these commands to execute successfully, at least one integration that provides the relevant reputation data (in this case, for IP addresses) must be configured, instantiated, and enabled. If no such integration instance is active, the system has no source to query for the reputation information. Consequently, the command cannot be executed, and the playbook task will fail with an error indicating that no enabled integration can fulfill the request.

Question 8

A sub-playbook is configured to loop with a For Each Input. The following inputs are given to the sub-
playbook:
Input x: W,X,Y,Z
Input y: a,b,c,d
Input z: 9
Which inputs will be used for the second iteration of the loop?

Accepted Answer

B

Explanation: When a sub-playbook is configured to loop with the "For Each Input" option, it iterates through array inputs in parallel. For each iteration, it takes the element at the corresponding index from each input array. If an input is a single value instead of an array, that same single value is used for every iteration of the loop. In this scenario, for the second iteration, the sub-playbook will take the second element from Input x (which is 'X'), the second element from Input y (which is 'b'), and the single value provided for Input z (which is '9').

Question 9

A CISO has asked an engineer to create a custom dashboard in Cortex XSIAM that can be filtered to
show incidents assigned to a specific user.
Which feature should be used to filter the incident data in the dashboard?

Accepted Answer

A

Explanation: To create a custom dashboard that can be dynamically filtered by an end-user, the correct feature is "Filters and inputs." This functionality allows an engineer to add interactive controls, such as dropdown menus or text boxes, directly onto the dashboard canvas. These inputs can then be configured to filter the data displayed in the dashboard's widgets based on user selection. For the CISO's request, an input could be created to select a specific user, which would then filter all relevant widgets to show only incidents assigned to that individual.

Question 10

A Cortex XSIAM engineer is preparing to install a new content pack and notices that there are several
optional content packs associated with the main one that needs to be installed.
What must the engineer take into consideration when deciding whether or not to install the optional
content packs?

Accepted Answer

A

Explanation: When installing a content pack from the Cortex XSIAM Marketplace, the system automatically identifies and includes all mandatory dependencies for both the main pack and any selected optional packs. This ensures that all components function correctly without manual intervention. The engineer's primary responsibility is to evaluate the trade-off: the added functionality, such as new playbooks, parsers, or correlation rules provided by the optional packs, versus the potential impact on system resources, including processing load and data storage. Installing unnecessary packs can lead to performance degradation and increased complexity.

Question 11

Which section of a parsing rule defines the newly created dataset?

Accepted Answer

B

Explanation: The COLLECT section is the final stage in an XSIAM parsing rule's XQL query. It uses the collect into command to ingest the processed data into a new, specified dataset. This command explicitly defines the vendor.productraw dataset where the parsed logs will be stored, effectively defining the newly created dataset for the incoming data source.

Question 12

Which types of content may be included in a Marketplace content pack?

Accepted Answer

C

Explanation: A Marketplace content pack is a bundle of pre-configured objects designed to address specific security use cases within Palo Alto XSIAM. These packs are designed to be self-contained solutions. The core components include integrations for connecting to third-party tools, playbooks for orchestrating automated workflows, and scripts (automations) that execute specific tasks within a playbook. Additionally, content packs can include detection logic such as correlation rules, which are used by the underlying SOAR engine to group and correlate related alerts into a single incident, streamlining the investigation process. This combination of components provides a comprehensive solution for a given security challenge.

Question 13

While using the playbook debugger, an engineer attaches the context of an alert as test data. What happens with respect to the interactions with the list objects via tasks in this scenario?

Accepted Answer

A

Explanation: The Cortex XSIAM playbook debugger is designed as a sandboxed, isolated environment for testing and troubleshooting. When an engineer attaches an alert's context as test data, the debugger works with a copy of that context. Consequently, any operations performed within the debug session, including modifications to context data or interactions with XSIAM lists (e.g., adding or removing items), are not committed. This ensures that the original alert and the live production lists remain unaltered, providing a safe environment to validate playbook logic without impacting the live system.

Question 14

An engineer needs to migrate Cortex XDR agents without internet connection from Cortex XSIAM
tenant A to Cortex XSIAM tenant B. There is a broker configured for each tenant. This is the
communication flow:
XDR agents <-> Broker A <-> XSIAM tenant A
XDR agents <-> Broker B <-> XSIAM tenant B
Which two steps should be taken before moving the agents? (Choose two.)

Accepted Answer

B, D

Explanation: Before migration, the endpoints must have a path to the new tenant. 1) Deploy a new Broker VM (Broker C) and register it to Cortex XSIAM tenant B (option B); this provides a local connection for the offline agents to the target tenant. 2) From tenant A’s console, edit the selected endpoints and add Broker C as an additional proxy (option D). When the agents receive this setting, they begin communicating through Broker C to tenant B, after which they can be reassigned. A Broker VM can be registered to only one tenant, so re-registering Broker A or installing Broker C in tenant A does not satisfy the requirement.

Question 15

Before initiating a malware scan action on a Linux workstation, an engineer notices that the Cortex
XDR agent's operational status on the workstation is reporting as "partially protected." There have
been no configuration changes made from the Cortex XSIAM server.
What are two explanations for this operational status? (Choose two.)

Accepted Answer

B, C

Explanation: The "Partially Protected" operational status for a Cortex XDR agent on a Linux endpoint indicates that the agent is running but one or more of its core protection capabilities are malfunctioning or disabled. A primary cause for this is the failure of the agent's required kernel modules to load, which often occurs after an operating system kernel update to a version not yet supported by the installed agent. Another common reason is that the agent version itself is outdated. The Cortex XSIAM management console may flag older agents as partially protected because they lack the latest security features, bug fixes, or compatibility required for full protection as defined by current policies.

Free Palo Alto Networks XSIAM Engineer Actual Exam Questions