Question 21

An organization relies heavily on custom correlation rules within XSIAM. After a mandatory XSIAM content update, several critical custom rules are no longer triggering, despite relevant raw events being ingested. The XSIAM console shows the custom rules as 'Enabled' and 'Validated'. What is the most sophisticated and often overlooked reason for this behavior, and what's the recommended diagnostic approach?
  • Question 22

    A financial institution is implementing Cortex XSIAM and has a very stringent data residency policy, requiring all sensitive log data to remain within a specific geographical region. They are planning to deploy multiple Broker VMs. Which architectural considerations and data flow principles must be strictly adhered to regarding Broker VM placement and configuration to ensure compliance with this data residency requirement?
  • Question 23

    What is the reason all Broker VM options are greyed out when a user attempts to select a Broker VM as a download source in the Agent Settings profile?
  • Question 24

    Administrators from Building 3 have been added to Cortex XSIAM to perform limited functions on a subset of endpoints. Custom roles have been created and applied to the administrators to limit their permissions, but their access should also be constrained through the principle of least privilege according to the endpoints they are allowed to manage. All endpoints are part of an endpoint group named "Building3," and some endpoints may also be members of other endpoint groups.
    Which technical control will restrict the ability of the administrators to manage endpoints outside of their area of responsibility, while maintaining visibility to Building 3's endpoints?
  • Question 25

    An XSIAM administrator is reviewing the audit logs for user activity and notices suspicious API calls originating from a compromised service account. The API key associated with this service account has 'Security Operations Center - Admin' permissions. The immediate action is to revoke the compromised API key. Which of the following XSIAM commands or API operations would be used to revoke a specific API key, assuming you have the necessary administrative privileges?