A sophisticated APT group is observed to be rapidly developing and deploying new malware variants. Your organization needs to not only identify these new variants but also understand their attack chains, and proactively update security controls, specifically Palo Alto Networks Next-Generation Firewalls (NGFWs), to block them before they reach endpoints. Given this scenario, which of the following operational flows represents the most effective and efficient integration of threat intelligence sources to achieve this goal?
Correct Answer: B
This scenario emphasizes rapid detection, understanding attack chains, and proactive blocking on NGFWs. WildFire is purpose-built for automated dynamic analysis, generating signatures that are automatically distributed to Palo Alto Networks NGFWs, providing immediate protection against new malware variants. Unit 42 intelligence provides the broader context, TTPs, and strategic insights into APT groups, helping to anticipate and proactively defend against their evolving tactics. This integrated approach leverages the strengths of both WildFire's automated technical analysis and Unit 42's human-driven strategic intelligence for comprehensive, proactive defense aligned with Palo Alto Networks capabilities.
Question 102
A Palo Alto Networks security analyst is investigating a suspected advanced persistent threat (APT) campaign targeting the organization. The latest threat intelligence report indicates that the APT group leverages obfuscated PowerShell scripts for lateral movement and Cobalt Strike beacons for C2. Given this context, which of the following Cortex XDR queries, combining process execution, network activity, and threat intelligence insights, would be most effective in identifying compromised endpoints exhibiting these behaviors?
Correct Answer: E
This question assesses the ability to construct sophisticated Cortex XDR queries that leverage threat intelligence (External Dynamic Lists) and correlate different event types (process and network). Option E is the most comprehensive and effective: it first identifies suspicious PowerShell executions ('process_name contains "powershell" and command_line contains "-EncodedCommand"'). Then it uses a 'join' (implicitly via 'match_guid' or explicit 'join' on 'host_id' and if available) to correlate these processes with network connections to known Cobalt Strike C2s, which are dynamically updated via an This precisely matches the threat intelligence profile (obfuscated PowerShell + Cobalt Strike C2). Why the other options are less optimal:
* A: Too generic. While it looks for PowerShell and network connections, it does not incorporate specific threat intelligence for Cobalt Strike C2s, nor does it guarantee that the network connection originates from the PowerShell process.
* B: This syntax is incorrect for combining two filter statements in Cortex XDR directly for a join on 'process_guid' across different event types in a single query. It attempts to filter network connections by process name, which is not always accurate.
* C: Similar to B, the 'join' syntax is problematic for directly correlating events from two separately filtered datasets in a single XDR query in this manner. It also filters = 80 or 443' which are common ports and not specific to Cobalt Strike without the IP context.
* D: Relies on a pre-existing While correlation rules are powerful, the question asks for constructing a query. This option does not demonstrate the construction of the query leveraging threat intelligence.
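The correlation logic the explanation describes, as an added Python example (not a Cortex XDR query and not Palo Alto Networks code): stage one filters PowerShell executions with an encoded command, stage two joins those processes on 'process_guid' (not merely 'host_id') to network connections whose destination is on a C2 list. The C2 list, event records and field names are constructed stand-ins for an EDL and XDR process/network events.

```python
"""Added example: two-stage process/network correlation joined on process_guid.
All events and the C2 list below are constructed sample data."""
from typing import Iterable

# Constructed stand-in for an External Dynamic List of known C2 addresses.
C2_LIST = {"203.0.113.10", "198.51.100.77"}

# Constructed process-execution events (field names mirror the explanation).
PROCESS_EVENTS = [
    {"host_id": "ws-01", "process_guid": "p-1", "process_name": "powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -EncodedCommand <constructed-base64>"},
    {"host_id": "ws-02", "process_guid": "p-2", "process_name": "powershell.exe",
     "command_line": "powershell.exe -File backup.ps1"},
    {"host_id": "ws-03", "process_guid": "p-3", "process_name": "powershell.exe",
     "command_line": "powershell.exe -enc <constructed-base64>"},
]

# Constructed network events; p-9 on ws-03 talks to a C2 IP but is not a
# suspicious PowerShell process, so a host_id-only join would over-match.
NETWORK_EVENTS = [
    {"host_id": "ws-01", "process_guid": "p-1", "dst_ip": "203.0.113.10", "dst_port": 443},
    {"host_id": "ws-02", "process_guid": "p-2", "dst_ip": "10.0.0.5", "dst_port": 445},
    {"host_id": "ws-03", "process_guid": "p-3", "dst_ip": "198.51.100.77", "dst_port": 80},
    {"host_id": "ws-03", "process_guid": "p-9", "dst_ip": "198.51.100.77", "dst_port": 80},
]


def is_encoded_powershell(event: dict) -> bool:
    """Stage 1 filter: PowerShell launched with -EncodedCommand or its short form -enc."""
    name = event["process_name"].lower()
    cmd = event["command_line"].lower() + " "
    return "powershell" in name and ("-encodedcommand" in cmd or " -enc " in cmd)


def correlate(processes: Iterable[dict], network: Iterable[dict], c2: set) -> list:
    """Stage 2: join suspicious processes to C2 connections on process_guid, so a
    benign process on the same host does not produce a false positive."""
    suspicious = {p["process_guid"] for p in processes if is_encoded_powershell(p)}
    hits = []
    for n in network:
        if n["process_guid"] in suspicious and n["dst_ip"] in c2:
            hits.append({"host_id": n["host_id"], "process_guid": n["process_guid"],
                         "dst_ip": n["dst_ip"], "dst_port": n["dst_port"]})
    return hits


if __name__ == "__main__":
    for hit in correlate(PROCESS_EVENTS, NETWORK_EVENTS, C2_LIST):
        print(hit)
```

Running it flags ws-01 (p-1) and ws-03 (p-3) only; the p-9 connection is dropped because the join is on process GUID rather than host, which is the distinction the explanation draws between option E and option A.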