SecOps-Pro Exam Question 1

A threat hunter is investigating a potential Living Off The Land (LOTL) attack where adversaries are suspected of using legitimate system tools for malicious purposes, specifically executing PowerShell scripts to establish persistence. The Palo Alto Networks firewall is configured to log process information from endpoints via Cortex XDR, and these logs are ingested into a SIEM (Splunk). The hunter wants to identify instances where 'cmd.exe' spawns 'powershell.exe' with suspicious command-line arguments, potentially encoding malicious scripts. Which of the following Splunk queries, utilizing Cortex XDR endpoint data, would be most effective in surfacing these hidden or encoded malicious activities?
  • SecOps-Pro Exam Question 2

    A phishing email campaign successfully targets several employees, leading to credential harvesting. The email contained a malicious link to hxxps : //malicious-login.example.com/authenticate.php. A SOC analyst wants to use Cortex products to proactively prevent further access to this domain and associated URLs, and to identify any endpoints that might have already accessed it. Which combination of Cortex capabilities would achieve this most effectively?
  • SecOps-Pro Exam Question 3

    An advanced persistent threat (APT) group is known to use custom obfuscated PowerShell scripts for command and control (C2) communication. The SOC wants to leverage Cortex XSIAM's data ingestion capabilities to detect these C2 activities by analyzing PowerShell command-line arguments and network connections. Given that the XDR Agent is deployed on endpoints, and network logs are ingested via a Network Data Collector, which of the following XQL queries most effectively leverages the ingested data to identify suspicious PowerShell C2, assuming a dataset named 'endpoint_exec' for process execution and 'network connections for network data?
  • SecOps-Pro Exam Question 4

    An incident response team is collaborating on a highly sensitive data exfiltration incident. The War Room is heavily utilized for communication, command execution, and evidence collection. Post-incident, a forensic investigation requires a complete, immutable, and easily digestible timeline of all actions taken within the War Room, including who executed which command, when, and the exact output. Additionally, specific conversations or manual inputs from the War Room need to be extracted and presented to legal counsel. How can XSOAR's War Room functionality support this post-incident forensic and legal requirement effectively?
  • SecOps-Pro Exam Question 5

    A cybersecurity incident response team is investigating a highly sophisticated attack involving a polymorphic RAT (Remote Access Trojan) that attempts to disable security products by manipulating their services and processes directly in memory. The RAT uses advanced obfuscation techniques, making it difficult to detect with traditional signature-based methods. Which specific capabilities of the Cortex XDR sensor are designed to counteract such an attack, and why are they effective?