You are tuning an XSIAM indicator rule to detect suspicious use of 'PsExecs for lateral movement. The current rule filters for: However, the Red Team has shown that attackers are now renaming 'PsExec.exe' to arbitrary names (e.g., 'tools.exe', 'serv.exe'). To counter this obfuscation, what modifications are required for a high-fidelity indicator rule? (Select all that apply)
Correct Answer: A,B,D,E
To effectively detect renamed PsExec, a multi-faceted approach is required: A: This is a highly effective field because it often stores the original filename embedded in the executable's metadata, regardless of renaming. This is a primary and very strong indicator. B: Leveraging known hashes from threat intelligence is critical for catching specific malicious variants, including renamed ones. This provides a direct match to known bad. D: Behavioral Rule: While the question focuses on 'indicator rules', for advanced threats like PsExec, behavioral detection is superior. PsExec has distinct behavioral patterns (SMB/IPC$ connections, specific service creation). A behavioral rule can detect these underlying actions irrespective of the executable name. E: 'regex' on PsExec's command-line arguments often follow predictable patterns (e.g., targeting administrative shares 'ADMINS or 'CS). Using regex to match these patterns can detect PsExec activity even when the executable itself is renamed. Option C is less reliable; attackers often ensure the command line doesn't expose the original name. While sometimes useful, it's not as robust as the other options for renamed executables.
Question 132
An XSIAM deployment requires ingesting logs from a highly isolated industrial control system (ICS) network. Direct network access from the corporate network to the ICS environment is strictly prohibited due to security policies. The ICS systems generate a mix of Syslog (UDP) and OPC UA data'. How can XSIAM effectively collect and analyze these logs while maintaining the strict network isolation?
Correct Answer: A
For highly isolated ICS networks with strict one-way communication requirements, a data diode (often combined with a dedicated proxy/broker) is the most secure and compliant method. It physically enforces unidirectional data flow, preventing any inbound connections to the ICS network while allowing logs to be securely transferred out. Other options either violate security policies (C, E), are highly inefficient/manual (B), or rely on unverified vendor capabilities (D).
Question 133
An organization is migrating from a traditional SIEM to Cortex XSIAM. They have existing log forwarders that send logs to a central syslog aggregator. To minimize changes to the existing infrastructure, the security team decides to point these existing log forwarders to the newly deployed Broker VM instead of the old aggregator. What is the most important configuration aspect on the Broker VM itself to accommodate this strategy?
Correct Answer: A
The Broker VM's Universal Data Collector service is specifically designed to receive logs from various sources like syslog. Configuring the appropriate syslog profiles within this service tells the Broker VM how to listen for and parse incoming syslog messages. While disk space (B) is important, it's a sizing consideration, not a configuration aspect for receiving logs. Proxy configuration (C) is for outbound XSIAM communication, not inbound log ingestion. Multiple IP addresses (D) are generally not required for receiving diverse syslog sources, as different ports or source IPs can differentiate them. Changing the hostname (E) is irrelevant for log forwarding, as it relies on IP addresses or DNS names.