The correct answer isD - Starring configuration is applied to the newly created alerts, and the incident is subsequently starred.
Incident starring configuration in Cortex XSIAM isnot retroactive. It only applies tonew alerts and incidents created after the configuration is implemented. Pre-existing incidents are not starred automatically and must be managed manually if needed.
"Starring configurations take effect for new alerts and incidents created after the configuration is applied.
Existing incidents are not updated retroactively."
Document Reference:XSIAM Analyst ILT Lab Guide.pdf
Page:Page 33 (Incident Handling and Response section)

The correct answer isD, a risk scoring policy for the critical asset.
In Cortex XSIAM, to consistently apply a high score (e.g., 100) to any alert involving a particular asset, analysts should define and apply a risk scoring policy. Such policies allow organizations to specifically customize and enforce a scoring framework to reflect the critical nature of certain assets, ensuring they are always prioritized during incident response activities.
* Asset criticality alone (option A) doesn't automatically assign a static high score to every alert.
* SmartScore (option B) is AI-driven and dynamic; it cannot guarantee a fixed, always-maximized score.
* User scoring rules (option C) target user entities, not specifically the assets themselves.
"Risk scoring policies are explicitly defined to consistently assign specific scores to incidents or alerts involving critical assets, ensuring prioritized visibility in the incident queue."

The correct answer isA - The file retrieval policy applied to the endpoints may restrict access to certain system or kernel files.
Cortex XSIAM and XDR implement security policies and permissions that mayrestrict the retrieval of sensitive system files, including kernel files, for safety and compliance reasons. When a file retrieval action is initiated, the endpoint policy controls which files are accessible; kernel and other protected files are often excluded from remote retrieval actions to prevent accidental or unauthorized access.
"The file retrieval policy controls which files can be remotely collected from endpoints. Sensitive files, such as kernel or system files, may be restricted by policy and are not accessible through standard remote retrieval actions." Document Reference:EDU-270c-10-lab-guide_02.docx (1).pdf Exact Page:Page 13 (Agent Deployment and Configuration section)