Exam SecOps-Pro Topic 1 Question 111 Discussion

Actual exam question for Palo Alto Networks's SecOps-Pro exam
Question #: 111
Topic #: 1
A global enterprise manages its security incidents using Palo Alto Networks XSOAR. The CEO's laptop, classified as a 'Tier 0' asset, triggers an alert for an 'Unknown Malware Execution' (WildFire verdict: 'Grayware'). Historically, 'Grayware' on endpoints has been deprioritized. However, given the asset's criticality, the SOC needs a dynamic prioritization mechanism. Which set of XSOAR automation steps and corresponding incident attributes should be leveraged to ensure this incident is elevated appropriately, even with a 'Grayware' verdict?

Suggested Answer: B

Option B provides the most robust and dynamic solution. The key is to integrate asset criticality into the incident enrichment and subsequent prioritization logic. Step 1, using an XSOAR pre-processing rule, automatically enriches the incident data with the 'Tier 0' criticality from the CMDB. This means the incident context always includes the asset's importance. Step 2, the conditional playbook task, is crucial: it explicitly checks for both the 'Grayware' verdict AND the 'Tier 0' asset criticality. When both conditions are met, it overrides the default 'Grayware' low severity and elevates the incident to 'High' severity with a specific category like 'Executive Compromise Attempt', ensuring it receives immediate attention despite the initially 'lower' malware verdict. This demonstrates a sophisticated understanding of context-aware incident prioritization.

by Orville at Jun 29, 2026, 11:17 AM
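The two-step mechanism described in the explanation (pre-processing enrichment with asset criticality from the CMDB, then a conditional task that overrides the verdict-based severity) as an added worked example. This is not XSOAR's own API or any code from the discussion: the CMDB table, the `Incident` class, the hostnames and the helper names are all constructed for this illustration. It also goes slightly beyond the question by keeping a severity ranking so that an override can only raise, never lower, the severity a verdict already earned.

```python
"""Context-aware severity elevation in the style of the XSOAR flow discussed above.

Added example, not XSOAR's API. The CMDB entries, the incident fields and the
function names are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Constructed stand-in for a CMDB lookup keyed by hostname (tier 0 = most critical).
CMDB = {
    "ceo-laptop-01": {"owner": "CEO", "tier": 0},
    "dev-vm-17": {"owner": "engineering", "tier": 3},
}

# Historical policy from the question: severity follows the WildFire verdict alone.
BASELINE_SEVERITY = {
    "Malware": "High",
    "Grayware": "Low",
    "Benign": "Informational",
}

# Ordering so that an override can only elevate, never downgrade.
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Tier unknown assets are assumed to default to when the CMDB has no record (constructed).
UNKNOWN_TIER = 4


@dataclass
class Incident:
    name: str
    hostname: str
    verdict: str
    severity: str = "Low"
    category: str = "Malware"
    context: dict = field(default_factory=dict)


def preprocess_enrich(incident: Incident, cmdb: dict = CMDB) -> Incident:
    """Step 1 (pre-processing rule): attach asset criticality to the incident context
    and apply the verdict-based baseline severity."""
    asset = cmdb.get(incident.hostname, {"owner": "unknown", "tier": UNKNOWN_TIER})
    incident.context["asset_tier"] = asset["tier"]
    incident.context["asset_owner"] = asset["owner"]
    incident.severity = BASELINE_SEVERITY.get(incident.verdict, "Low")
    return incident


def _raise_to(incident: Incident, severity: str) -> None:
    """Set severity only if it is higher than the current one."""
    if SEVERITY_RANK[severity] > SEVERITY_RANK[incident.severity]:
        incident.severity = severity


def elevate_if_critical(incident: Incident) -> Incident:
    """Step 2 (conditional playbook task): when the verdict is Grayware AND the asset is
    Tier 0, override the low baseline and re-categorise the incident."""
    tier = incident.context.get("asset_tier", UNKNOWN_TIER)
    if incident.verdict == "Grayware" and tier == 0:
        _raise_to(incident, "High")
        incident.category = "Executive Compromise Attempt"
        incident.context["elevation_reason"] = "Grayware verdict on Tier 0 asset"
    return incident


def triage(incident: Incident) -> Incident:
    """Run enrichment followed by the conditional elevation, as a playbook would."""
    return elevate_if_critical(preprocess_enrich(incident))


if __name__ == "__main__":
    ceo = triage(Incident("Unknown Malware Execution", "ceo-laptop-01", "Grayware"))
    dev = triage(Incident("Unknown Malware Execution", "dev-vm-17", "Grayware"))
    print(ceo.hostname, ceo.severity, ceo.category)
    print(dev.hostname, dev.severity, dev.category)
```

The point of separating the two functions is the one the explanation makes: enrichment runs unconditionally at pre-processing time so that every incident carries the asset tier in its context, and the elevation task can then be a plain condition over fields that are already present rather than a second lookup buried in the playbook.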
