Exam XSIAM-Engineer Topic 1 Question 110 Discussion

Actual exam question for Palo Alto Networks's XSIAM-Engineer exam
Question #: 110
Topic #: 1
A new zero-day exploit targeting a widely used web server application has been announced. Your XSIAM deployment needs to rapidly deploy an indicator rule to detect exploitation attempts. You receive the following highly specific indicators of compromise (IOCs): a unique HTTP User-Agent string, a specific URL path with a known malicious payload, and a suspicious process execution (e.g., 'cmd.exe' or 'bash') initiated by the web server process. Which XQL query structure would be most appropriate for a robust indicator rule in XSIAM to detect this attack, ensuring high fidelity?

Suggested Answer: C Vote an answer

Option C provides the most robust and high-fidelity detection. It correctly combines all three IOCs using logical 'AND' operations, which is crucial for reducing false positives in specific attack scenarios. It specifically looks for 'Web Traffic' events with the specified User-Agent and URL, and then uses a 'lookup' (or a similar join logic, though ' lookup' is often more performant for correlating disparate event types like web traffic and process creation) to find process creations where the parent process initiated the web traffic and the child process is suspicious (cmd.exe or bash). This multi-stage correlation significantly reduces false positives. Options A, B, D, and E either miss critical correlations or are too broad.

by Lesley at Dec 19, 2025, 02:35 PM

Comments

Chosen Answer:
This is a voting comment (?) , you can switch to a simple comment.
Switch to a voting comment New
Nick name: Submit Cancel
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

0
0
0
10