SecOps-Pro Exam Question 61

An XSOAR playbook for insider threat detection involves monitoring employee activity. If suspicious activity (e.g., large data exfiltration) is detected, the playbook needs to:
1 . Confirm the activity with a manager (manual approval).
2. If approved, temporary disable the user's network access via Active Directory and firewall.
3. If disapproved or no response within 2 hours, escalate to HR and security management.
4. Generate a detailed report of the activity.
Which set of XSOAR playbook features allows for this sophisticated orchestration, particularly the timed escalation and conditional branching based on human input?
  • SecOps-Pro Exam Question 62

    An XSIAM customer with a highly customized data ingestion pipeline for proprietary applications wants to share their custom parsing logic and associated data models as a content pack with other organizations within their industry consortium. They've developed specific XQL queries for these data models to identify unique industry-specific threats. Which aspects of the content pack manifest must they carefully define to ensure successful import and operation by other consortium members, particularly concerning data availability and normalization?
  • SecOps-Pro Exam Question 63

    A Security Operations Center (SOC) is deploying Cortex XDR agents to 500 Windows endpoints, 150 macOS endpoints, and 50 Linux servers. The deployment strategy for the Windows endpoints involves Group Policy Objects (GPOs), while macOS and Linux endpoints will utilize a centralized MDM solution and Ansible, respectively. The SOC team wants to ensure that all agents report to a specific XDR tenant and are automatically assigned to a 'Production' endpoint group. What is the most efficient and robust method to achieve this tenant assignment and group categorization during initial agent deployment across all operating systems?
  • SecOps-Pro Exam Question 64

    A SOC analyst is investigating a complex attack involving a custom malware variant. The EDR flagged several suspicious process injections and network connections, but failed to provide full context on the malware's origin, the user account involved, or its lateral movement across the network. The analyst needs to perform a deep forensic analysis and then rapidly contain the threat. Consider the following KQL query an EDR might provide:

    Which of the following capabilities of Cortex XDR, beyond this EDR-level query, would significantly aid the SOC analyst in this investigation and response? (Select all that apply)
  • SecOps-Pro Exam Question 65

    A security analyst is performing a threat hunt for a specific malware family known to employ reflective DLL injection and subsequently create a named pipe for C2 communication. The analyst wants to leverage Cortex XDR's Log Stitching for this hunt. Which AQL (XDR Query Language) query best utilizes the underlying stitched log data to identify such a complex chain of events, assuming the necessary data sources are ingested?