Question 131

You are tuning an XSIAM indicator rule to detect suspicious use of 'PsExecs for lateral movement. The current rule filters for:

However, the Red Team has shown that attackers are now renaming 'PsExec.exe' to arbitrary names (e.g., 'tools.exe', 'serv.exe'). To counter this obfuscation, what modifications are required for a high-fidelity indicator rule? (Select all that apply)
  • Question 132

    An XSIAM deployment requires ingesting logs from a highly isolated industrial control system (ICS) network. Direct network access from the corporate network to the ICS environment is strictly prohibited due to security policies. The ICS systems generate a mix of Syslog (UDP) and OPC UA data'. How can XSIAM effectively collect and analyze these logs while maintaining the strict network isolation?
  • Question 133

    An organization is migrating from a traditional SIEM to Cortex XSIAM. They have existing log forwarders that send logs to a central syslog aggregator. To minimize changes to the existing infrastructure, the security team decides to point these existing log forwarders to the newly deployed Broker VM instead of the old aggregator. What is the most important configuration aspect on the Broker VM itself to accommodate this strategy?