Exam SecOps-Pro Topic 1 Question 42 Discussion
Actual exam question for Palo Alto Networks's SecOps-Pro exam
Question #: 42
Topic #: 1
Question #: 42
Topic #: 1
Your organization is experiencing a sophisticated multi-stage attack where an initial compromise led to credential theft, followed by lateral movement using PowerShell. The attacker is leveraging encoded PowerShell commands to evade traditional signature-based detection. As a Cortex XSIAM Security Operations Professional, you need to create a custom detection rule that identifies suspicious encoded PowerShell executions with a high degree of confidence, minimizes false positives, and triggers an alert when a baseline of normal activity is breached. Which combination of XQL, rule type, and aggregation logic would be most suitable?
Suggested Answer: E Vote an answer
Option E offers the most robust solution for detecting sophisticated encoded PowerShell. The 'Anomaly' rule type is key for baselining normal activity and detecting deviations. Simply looking for '-EncodedCommand' (Option A, C) will generate many false positives, as legitimate tools also use it. Option B attempts decoding, which is powerful, but hardcoding specific malicious strings is not scalable for polymorphic attacks, and it's a 'Correlation' rule, not 'Anomaly'. Option D uses parent process analysis, which is a good filter but doesn't leverage baselining. Option E enhances the detection by adding' (long encoded commands are often malicious) and 'entropy_score' (high entropy indicates encoding/obfuscation). Combining these calculated fields with anomaly detection on the count of such suspicious commands per ' host_name, user_name' provides a high-fidelity, adaptive rule that minimizes false positives by learning normal behavior. This aligns with advanced threat hunting and detection in XSIAM.
by Mortimer at May 26, 2026, 08:37 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).