A Cortex XSIAM engineer plans to add Kafka and Syslog Collectors to a Broker VM cluster.
What are two expected behaviors of the applets when they are added to the cluster? (Choose two.)
A. Syslog Collector applet is automatically initiated, enters an active state on the primary node, and is on standby on the standby nodes.
B. Kafka Collector applet is automatically initiated, enters an active state on the primary node, and is on standby on the standby nodes.
C. Syslog Collector applet is active on all cluster nodes, including primary and standby.
D. Kafka Collector applet is active on all cluster nodes, including primary and standby.
A Cortex XDR agent is installed on an endpoint, but the agent is unable to download content updates and has not registered with the Cortex XSIAM server. An engineer troubleshoots the network connection and determines that, by design, this endpoint does not have direct internet access to the required network destinations for the Cortex XDR agent traffic.
A Broker VM that has the local agent settings applet enabled with Agent Proxy configured is reachable by the endpoint. The Broker VM details are as follows:
FQDN: crtxbroker01.company.net
Proxy listening port: 8888
How should the engineer configure the Cortex XDR agent to use the existing Broker VM as a proxy for the agent network traffic?
A. cytool proxy set "crtxbroker01.company.net:8888"
In the Incident War Room, which command is used to update incident fields identified in the incident layout?
A. !setIncidentFields
B. !setParentIncidentFields
C. !setParentIncidentContext
D. !updateParentIncidentFields
Which cytool command will look up the policy being applied to a Cortex XDR agent?
A. cytool adaptive_policy interval 0
B. cytool payload_execution query
C. cytool adaptive_policy recalc
D. cytool persist print agent_settings.db
What should be considered when creating a custom incident domain?
A. Alert grouping will not apply, but SmartScore will.
B. Alert grouping will apply, but SmartScore will not.
C. Alert grouping and SmartScore will not be applied to incidents.
D. Alert grouping and SmartScore will be applied to incidents.
While using the remote repository on a Development XSIAM tenant, which two objects can be pushed or pulled to the remote repository? (Choose two.)
A. Scripts
B. Parsing rules
C. Lists
D. Layouts
Which option should be used when customizing a dashboard in Cortex XSIAM to include a widget that will display data filtered by more than one dynamic value?
A. Free text/number
B. Multi-select
C. Fixed filter
D. Single-select
How will Cortex XSIAM help with raw log ingestion from third-party sources in an existing infrastructure?
A. Any structured logs coming into it are left completely unchanged, and only metadata is added to the raw data.
B. For structured logs, like CEF, LEEF, and JSON, it decouples the key-value pairs and saves them in table format.
C. Any unstructured logs coming into it are left completely unchanged, and metadata is not added to the raw data.
D. For unstructured logs, it decouples the key-value pairs and saves them in a table format.
How must Cloud Identity Engine be deployed and activated on Cortex XSIAM?
A. In a different region than Cortex XSIAM; logs can be verified using the pan_dss_raw dataset
B. In a different region than Cortex XSIAM; logs can be verified using the endpoints dataset
C. In the same region as Cortex XSIAM; logs can be verified using the pan_dss_raw dataset
D. In the same region as Cortex XSIAM; logs can be verified using the endpoints dataset
Which common issue can result in sudden data ingestion loss for a data source that was previously successful?
A. Data source is using an unsupported data format.
B. Data source has reached its maximum storage capacity.
C. Data source has reached its end of life for support.
D. API key used for the integration has expired.
When a Cortex XSIAM playbook execution reaches a breakpoint on a non-manual task, which two actions will allow the playbook to continue? (Choose two.)
A. Disable the breakpoint and rerun the playbook from the start.
B. Skip the task with the breakpoint to let the playbook proceed automatically.
C. Wait for all parallel tasks to be completed before the breakpoint task resumes automatically.
D. Click Run Script Now or Complete Manually.
What is the purpose of using rolling tokens to manage Cortex XDR agents?
A. To periodically rotate encryption keys used for tenant communication
B. To perform administration on agents without requiring static credentials
C. To authorize agents to download and install content updates
D. To temporarily disable the agents during maintenance windows
Which two requirements must be met for a Cortex XDR agent to successfully use the Broker VM as a download source for content updates? (Choose two.)
A. Device Configuration profile applied to the XDR agent must specify the Broker VM as a Download Source.
B. Agent Settings profile applied to the XDR agent must specify the Broker VM as a Download Source.
C. Broker VM must be configured with an FQDN.
D. XDR agent must authenticate to the Broker VM using a machine certificate.
During a new Cortex XSIAM deployment, a user consistently experiences timeout sessions while trying to connect to the agent through Live Terminal, even though the firewall engineer has confirmed that all source IP addresses, port 443, and destinations are allowed.
What could be causing these persistent timeout issues?
A. User does not have administrative privileges on the managed endpoint.
B. SSL Decryption is currently being used to inspect the underlying traffic.
C. NTP is not synchronized with the server time.
D. Live Terminal feature is not supported on the current OS.
A Cortex XSIAM engineer is developing a playbook that uses reputation commands such as '!ip' to enrich and analyze indicators.
Which statement applies to the use of reputation commands in this scenario?
A. If no reputation integration instance is configured, the '!ip' command will execute but will return no results.
B. Reputation commands such as '!ip' will fail if the required reputation integration instance is not configured and enabled.
C. The mapping flow for enrichment commands is disabled if extraction is set to "None."
D. Enrichment data will not be saved to the indicator unless the extraction setting is manually configured in the playbook task.
An engineer wants to onboard data from a third-party vendor's firewall. There is no content pack available for it, so the engineer creates a custom data source integration and parsing rules to generate a dataset with the firewall data.
How can the analytics capabilities of Cortex XSIAM be used on the data?
A. Create a behavioral indicator of compromise (BIOC) rule on the network fields (source IP, source port, target IP, target port, IP protocol).
B. Create a data model rule with network fields mapped (source IP, source port, target IP, target port, IP protocol).
C. Create a correlation rule on the network fields (source IP, source port, target IP, target port, IP protocol).
D. Create a parsing rule and ensure the network fields exist (source IP, source port, target IP, target port, IP protocol).
Which section of a parsing rule defines the newly created dataset?
A. RULE
B. COLLECT
C. INGEST
D. CONST
Based on the images below, which command will allow the context data to be displayed as a table when troubleshooting a playbook task?
A Cortex XSIAM engineer is preparing to install a new content pack and notices that there are several optional content packs associated with the main one that needs to be installed.
What must the engineer take into consideration when deciding whether or not to install the optional content packs?
A. Mandatory dependencies required by the optional content packs are automatically included during installation. The engineer should consider the additional functionality and potential impact on system performance.
B. The optional content packs without their associated dependencies are installed first, and then the main content pack installation is triggered. The engineer should ensure that the optional content packs do not conflict with existing configurations.
C. Optional content packs are installed without any dependencies, as they are not necessary. The engineer should only install them if they require the additional features.
D. Only the selected optional content packs are installed, without including any additional dependencies. The engineer should manually check for any required dependencies.
When Cortex XDR agents are on servers in a zone with no internet access, which configuration will keep them communicating with the platform?
A. Logging service in the isolated zone
B. Broker VM
C. Integration using filebeat
D. Engine
Which installer type should be used when upgrading a non-Linux Kubernetes cluster?
A. Standalone
B. Helm
C. Upgrade from ESM
D. Kubernetes
A security engineer notices that in the past week ingestion has spiked significantly. Upon investigating the anomaly, it is determined that a custom application developed in-house caused the spike. The custom application is sending syslog to the Broker VM Syslog Collector applet. The engineer consults with the SOC analyst, who determines that 90% of the logs from the custom application are not used.
What can the engineer configure to reduce the ingestion?
A. Parsing rule to drop the unnecessary data at the Broker VM
B. Data model rule to drop the unnecessary data
C. Correlation rule on the Cortex XSIAM server to drop the unnecessary data