Exam XSIAM-Analyst Topic 1 Question 18 Discussion
Actual exam question for Palo Alto Networks's XSIAM-Analyst exam
Question #: 18
Topic #: 1
Question #: 18
Topic #: 1
A threat hunter discovers a true negative event from a zero-day exploit that is using privilege escalation to launch "Malware pdf.exe". Which XQL query will always show the correct user context used to launch
"Malware pdf.exe"?
"Malware pdf.exe"?
Suggested Answer: A Vote an answer
The correct answer isA- the query using the fieldcausality_actor_effective_username.
When analyzing events where privilege escalation is used, it is essential to identify the original effective user that initiated the causality chain, not merely the process's own running user (as provided by other fields). The fieldcausality_actor_effective_usernamespecifically provides the effective username context of the actor behind the entire chain of actions that resulted in launching the suspicious executable.
Explanation of fields from Official Document:
* causality_actor_effective_username: This field indicates the original effective user who started the entire causality chain.
* actor_process_usernameandaction_process_username: These fields indicate the immediate process username, not necessarily reflecting the correct original context when privilege escalation occurs.
Therefore, to always identify the correct user context in privilege escalation scenarios, optionAis the verified correct answer.
When analyzing events where privilege escalation is used, it is essential to identify the original effective user that initiated the causality chain, not merely the process's own running user (as provided by other fields). The fieldcausality_actor_effective_usernamespecifically provides the effective username context of the actor behind the entire chain of actions that resulted in launching the suspicious executable.
Explanation of fields from Official Document:
* causality_actor_effective_username: This field indicates the original effective user who started the entire causality chain.
* actor_process_usernameandaction_process_username: These fields indicate the immediate process username, not necessarily reflecting the correct original context when privilege escalation occurs.
Therefore, to always identify the correct user context in privilege escalation scenarios, optionAis the verified correct answer.
by Beck at Jul 08, 2026, 06:13 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).