Question 36

Consider an XSIAM environment where the XDR Collectors are deployed as Docker containers orchestrated by Kubernetes. A new XDR Collector image version (2.5.0) has been released, and you need to perform a controlled update across your cluster. Your current deployment uses a Helm chart. Which of the following kubectl commands, when used in conjunction with a modified Helm chart value for the image tag, would facilitate a rolling update with zero downtime, assuming the Helm chart is correctly configured for rolling updates?
  • Question 37

    An organization relies heavily on cloud infrastructure, and a new XSIAM deployment is underway to monitor AWS accounts. A key requirement is to detect 'data exfiltration via S3 bucket public exposure'. This involves correlating an 'AWS.CloudTrail.EventName' indicating a change in S3 bucket policy to public, with subsequent high-volume 'AWS.S3.BytesTransferred' events and Network.Protocol == 'HTTPS" outbound connections from compromised instances. Which XSIAM content optimization approach effectively addresses this multi-cloud, multi-event type detection scenario?
  • Question 38

    A Cortex XSIAM engineer is implementing role-based access control (RBAC) and scope-based access control (SBAC) for users accessing the Cortex XSIAM tenant with the following requirements:
    Users managing machines in Europe should be able to manage and control all endpoints and installations, create profiles and policies, view alerts, and initiate Live Terminal, but only for endpoints in the Europe region.
    Users managing machines in Europe should not be able to create, modify, or delete new or existing user roles.
    The Europe region endpoints are identified by both of the following:
    Endpoint Tag = "Europe-Servers" and Endpoint Group = "Europe" for servers in Europe Endpoint Group = "Europe" and Endpoint Tag = "Europe-Workstation" for workstations in Europe Which two sets of implementation actions should the engineer take? (Choose two.)
  • Question 39

    A security analyst is designing an automation workflow in XSIAM to automatically quarantine endpoints exhibiting specific malware behavior identified by XDR. The workflow needs to first enrich the endpoint details from an external CMDB, then check if the endpoint belongs to a critical asset group, and finally, if both conditions are met, initiate a quarantine action via an API call to the endpoint security solution. Which XSIAM automation construct would be most suitable for this conditional logic and external system interaction?
  • Question 40

    During the XSIAM deployment planning, the security team identifies that their existing identity provider (IdP), Okta, is used for SSO across multiple critical applications. To optimize user context within XSIAM and enable identity-based threat detection, what specific type of integration with Okta should be prioritized?