SecOps-Pro Exam Question 6

Your organization is experiencing a sophisticated multi-stage attack where an initial compromise led to credential theft, followed by lateral movement using PowerShell. The attacker is leveraging encoded PowerShell commands to evade traditional signature-based detection. As a Cortex XSIAM Security Operations Professional, you need to create a custom detection rule that identifies suspicious encoded PowerShell executions with a high degree of confidence, minimizes false positives, and triggers an alert when a baseline of normal activity is breached. Which combination of XQL, rule type, and aggregation logic would be most suitable?
  • SecOps-Pro Exam Question 7

    Consider an incident categorization and prioritization framework within Palo Alto Networks XSOAR. An analyst identifies an alert indicating a 'Brute Force' attempt (MITRE ATT&CK T 1110) against an administrative service. The asset involved is tagged in XSOAR as having 'PCI-DSS Data' and 'Internet-Facing'. Which of the following XSOAR automation script segments would correctly classify this incident as 'Critical' and categorize it appropriately, adhering to best practices for a compliance-driven environment? (Select all that apply)
  • SecOps-Pro Exam Question 8

    A global financial institution uses Cortex XDR to protect its distributed environment. They encounter an incident where an insider, using legitimate credentials, accesses a sensitive database from an unusual location (geographical anomaly), executes a series of complex SQL queries to extract financial data, and then attempts to upload it to an unauthorized cloud storage service. The SOC analyst is presented with multiple alerts from different sources: a Prisma Access (SASE) alert for unusual login, a database activity monitoring (DAM) alert for suspicious queries, and a Cortex XDR endpoint alert for an unusual outbound network connection from the database server. Assume a scenario where Cortex XDR needs to integrate with a custom, in-house built application logging system for detailed SQL query data, which is not natively supported by a standard XDR connector. Which of the following options represents the most effective technical strategy to leverage Cortex XDR's Log Stitching for a complete, correlated incident story, including the custom log source?
  • SecOps-Pro Exam Question 9

    A large enterprise is onboarding its AWS CloudTrail logs into Cortex XSIAM. They have multiple AWS accounts, and the CloudTrail logs are delivered to separate S3 buckets in different regions. The security team needs to ensure all audit logs are ingested efficiently, parsed correctly, and enriched with account IDs and region information for granular security analytics and compliance reporting. Which of the following ingestion strategies within Cortex XSIAM is the most scalable and robust for this scenario, and what specific configurations would be required?
  • SecOps-Pro Exam Question 10

    A SOC needs to establish a robust process in Cortex XSOAR for handling newly identified malicious domains. This process must include: 1) Automatic enrichment from multiple public and private sources. 2) A confidence score assignment based on the number of sources flagging the domain. 3) Automatic creation of a 'watchlist' entry for security devices if the confidence score exceeds a certain threshold. 4) A periodic review mechanism for domains that remain in the watchlist for an extended period without new activity. Which XSOAR components and configurations are essential to implement this entire workflow, and what is the typical order of operations?