Online Access Free XSIAM-Analyst Practice Test

An alert fires indicating lateral movement between endpoints. It was triggered after evaluating multiple unrelated activities, such as credential access and abnormal port scanning. What are likely characteristics of this alert? (Choose two)

• A.Likely caused by a multi-stage correlation rule
• B.Suggests a pre-configured playbook was executed
• C.Triggered by an IOC match
• D.Behaviorally inferred by a correlation rule

A user navigates to a non-malicious URL. The firewall logs contain information on the network connection, and the endpoint logs contain information on the process that triggered the connection-both of which are ingested into Cortex XSIAM.
What is the term for combining this information upon ingestion?

• A.Alert grouping
• B.Correlation
• C.Stitching
• D.BIOC

An analyst is responding to a critical incident involving a potential ransomware attack. The analyst immediately initiates full isolation on the compromised endpoint using Cortex XSIAM to prevent the malware from spreading across the network. However, the analyst now needs to collect additional forensic evidence from the isolated machine, including memory dumps and disk images, without reconnecting it to the network.
Which action will allow the analyst to collect the required forensic evidence while ensuring the endpoint remains fully isolated?

• A.Disabling full isolation temporarily to allow forensic tools to communicate with the endpoint
• B.Using the management console to remotely run a predefined forensic playbook on the associated alert
• C.Collecting the evidence manually through the agent by accessing the machine directly and running "Generate Support File"
• D.Using the endpoint isolation feature to create a secure tunnel for evidence collection

An alert involves credential dumping. Reviewing the causality chain, you notice the following:
- lsass.exe is accessed by powershell.exe
- Prior to this, cmd.exe launched the PowerShell script
What can you infer?

• A.It's a known benign service activity
• B.There is an indicator of defense evasion
• C.Possible credential access tactic
• D.Scripted behavior likely launched manually

Which pane in the User Risk View will identify the country from which a user regularly logs in, based on the past few weeks of data?

• A.Latest Authentication Attempts
• B.ACTUAL ACTIVITY
• C.Login Attempts
• D.Common Locations