Exam SecOps-Pro Topic 1 Question 23 Discussion
Actual exam question for Palo Alto Networks's SecOps-Pro exam
Question #: 23
Topic #: 1
Question #: 23
Topic #: 1
A security incident escalates to a full-scale breach investigation. Logs from Cortex Data Lake reveal suspicious outbound connections to multiple, previously unknown IP addresses (198.51.100.1, 198.51.100.2, 198.51.100.3) originating from internal compromised hosts, along with a newly observed file hash (d41d8cd98fOOb2θ=4e980998ecf8427e) associated with a dropper. The incident response team needs to quickly identify all historical instances of these indicators, determine their reputation, and deploy countermeasures across a global network. Which programmatic solution, combining XQL, Cortex XSOAR, and NGFW APIs, offers the most efficient and scalable approach?
Suggested Answer: A Vote an answer
Option A provides the most efficient, scalable, and automated programmatic solution leveraging the indicated Cortex products and their integration capabilities: 1. XQL Query for Historical Lookup: The XQL query shown is powerful and scalable for querying Cortex Data Lake (which underpins Cortex XDR's data) for both IP addresses and file hashes across a specified time range. This efficiently identifies all historical instances. 2. Enrichment via AutoFocus/Unit 42: Cortex XSOAR (through its 'ip' and 'file' commands, which abstract integrations like AutoFocus and Unit 42) can instantly fetch reputation and context for the indicators. This is crucial for confirming their maliciousness and understanding the threat. 3. Dynamic Blocking (NGFW and XDR): IPs: XSOAR can dynamically update an External Dynamic List (EDL) on the NGFW via API. EDLs are highly efficient for blocking large numbers of IPs without manual configuration or commit operations, ensuring network-wide prevention. File Hash: XSOAR can programmatically update Cortex XDR's prevention policies (e.g., 'Malware Prevention' policy) to block the execution of the specific file hash across all managed endpoints. This provides endpoint-level prevention. 4. Automated Incident Creation/Response: The script triggers an incident in XSOAR if historical data is found, allowing for further automated or manual investigation and remediation via playbooks. Option B is too manual and not scalable. Option C's method of updating Anti-Spyware/Threat Prevention profiles for specific IPs/hashes via generic IOC feeds might not be as granular or flexible as EDLs and XDR prevention policies, and it lacks the comprehensive XQL historical lookup and automated response. Option D is reactive (deletion) and focuses only on endpoints for the file, and its IP blocking strategy is indirect. Option E is reactive and completely manual for network countermeasures.
by Edgar at May 22, 2026, 05:06 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).