SecOps-Pro Exam Question 21

A Security Operations Center (SOC) analyst is investigating a sophisticated, multi-stage attack where an initial phishing email led to credential theft, followed by lateral movement using PowerShell and ultimately data exfiltration via an uncommon protocol. The analyst is using Cortex XDR. Which of the following best describes how Cortex XDR's Log Stitching capability aids in rapidly identifying the entire attack kill chain, as opposed to simply correlating isolated alerts?
  • SecOps-Pro Exam Question 22

    Consider an advanced XSOAR threat intelligence scenario where you need to implement a 'kill chain stage' attribute for indicators, which is dynamically determined based on external context and used to prioritize responses. You receive a daily JSON feed of indicators. If an indicator's 'source_context' field contains 'initial_access', it should be tagged as 'Reconnaissance'. If it contains 'persistence_mechanism', it should be tagged as 'Persistence'. If 'lateral_movement_tool', it's 'Lateral Movement'. This custom attribute, once set, should influence the severity of any incident created from this indicator. Which XSOAR objects and code snippet best exemplify how to achieve this dynamic tagging and incident severity influence?
  • SecOps-Pro Exam Question 23

    A security analyst is tasked with optimizing incident response workflows in Cortex XSIAM. They notice that a significant number of 'Malware Detected' incidents are created, but many are false positives due to a specific legacy application. Current playbooks initiate a full endpoint isolation and forensic data collection for every malware detection, causing unnecessary disruption. The analyst wants to refine the automation: if a 'Malware Detected' alert originates from the legacy application's directory (e.g., C: \ LegacyApp\), the Playbook should instead submit the file hash to an internal allow-list system (via API) and only proceed with full response if the hash is NOT found in the allow-list. Otherwise, the incident should be automatically closed as a false positive. Which XSIAM automation components and logic are required for this optimization?
  • SecOps-Pro Exam Question 24

    A security incident escalates to a full-scale breach investigation. Logs from Cortex Data Lake reveal suspicious outbound connections to multiple, previously unknown IP addresses (198.51.100.1, 198.51.100.2, 198.51.100.3) originating from internal compromised hosts, along with a newly observed file hash (d41d8cd98fOOb2θ=4e980998ecf8427e) associated with a dropper. The incident response team needs to quickly identify all historical instances of these indicators, determine their reputation, and deploy countermeasures across a global network. Which programmatic solution, combining XQL, Cortex XSOAR, and NGFW APIs, offers the most efficient and scalable approach?
  • SecOps-Pro Exam Question 25

    A Security Operations Center (SOC) using Cortex XDR observes a high-severity alert indicating a potential ransomware attack. The alert details include a specific file hash (SHA256: e3bOc44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855) associated with a suspicious process. Which of the following Cortex XDR and Cortex XSOAR capabilities would be most effective in leveraging this file indicator for rapid investigation and containment?