Exam XSIAM-Engineer Topic 2 Question 33 Discussion

Actual exam question for Palo Alto Networks's XSIAM-Engineer exam
Question #: 33
Topic #: 2
A new XSIAM indicator rule aims to detect file exfiltration attempts by monitoring large file transfers to external, unsanctioned cloud storage services. The rule is currently defined as:

This rule is generating too many false positives because legitimate business operations involve transferring large files to some of these cloud services (e.g., for partners, or sanctioned instances). To effectively optimize this rule, which combination of XSIAM features and XQL modifications should be considered?

Suggested Answer: C

Option C is the most comprehensive and effective approach for content optimization in this scenario.

Internal lookup list: Creating a context table (lookup list) of sanctioned cloud storage URLs/IPs is crucial for managing allowed destinations dynamically. The rule can then explicitly exclude traffic to these known-good destinations.

Exclude by IP/URL: Using 'not in' or 'not (remote_ip_address in sanctioned_ips or url_hostname in sanctioned_urls)' in the XQL query directly addresses the false positive issue from legitimate usage of specific cloud services.

Correlate with user and application: Adding 'user_name' and 'application_name' context allows for more granular tuning. For example, you might permit certain users or applications to transfer large files to specific sanctioned cloud services, further reducing false positives. This makes the rule adaptable to specific business processes.

Option A is a partial solution; increasing the file size threshold alone might miss smaller but malicious exfiltrations, and manually maintaining exclusions in the TI list is not scalable. Option B is too generic for network connections and might not be sufficient. Options D and E are valid, but they represent a shift away from a specific indicator rule to broader behavioral analytics. While UBA and behavioral rules are powerful, they might not catch highly specific IOCs immediately, and the question asks for optimizing the indicator rule.

by John at Jul 04, 2026, 12:01 AM
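The tuning logic described in the suggested answer (size threshold, then exclusion of destinations in a sanctioned lookup list, then a per-user/per-application allowance), modelled in Python over constructed events so the false-positive reduction can be checked. This is an added example, not code from the original page and not XSIAM's engine or XQL syntax; the field names (remote_ip_address, url_hostname, user_name, application_name, bytes_uploaded), the lookup contents, the 100 MB threshold and every sample event are assumptions for illustration.

```python
# Added example: a Python model of the tuned XSIAM indicator rule described
# in the answer. Field names, thresholds, lookup contents and sample events
# are constructed for illustration (not XSIAM's real schema or XQL).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List

# Assumed "large transfer" threshold (the original rule's value is not on the page).
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024

# Equivalent of the lookup list / context table of sanctioned destinations.
# TEST-NET ranges and example hostnames, constructed for the example.
SANCTIONED_IPS = [ip_network("203.0.113.0/24")]
SANCTIONED_URLS = {"files.partner.example", "corp.storage.example"}

# Per-(user, application) allowance: destinations that are not globally
# sanctioned but are expected for a specific business process.
ALLOWED_PAIRS = {
    ("svc_backup", "backup-agent"): {"backup.vendor.example"},
}


@dataclass(frozen=True)
class Event:
    user_name: str
    application_name: str
    remote_ip_address: str
    url_hostname: str
    bytes_uploaded: int


def is_sanctioned(e: Event) -> bool:
    """XQL-style check: remote_ip_address in sanctioned_ips or url_hostname in sanctioned_urls."""
    ip = ip_address(e.remote_ip_address)
    return any(ip in net for net in SANCTIONED_IPS) or e.url_hostname in SANCTIONED_URLS


def is_allowed_for_user_app(e: Event) -> bool:
    """Correlation with user_name and application_name: narrow allowance."""
    return e.url_hostname in ALLOWED_PAIRS.get((e.user_name, e.application_name), set())


def untuned_rule(events: Iterable[Event]) -> List[Event]:
    """The original rule as described: fire on every large upload."""
    return [e for e in events if e.bytes_uploaded >= LARGE_TRANSFER_BYTES]


def tuned_rule(events: Iterable[Event]) -> List[Event]:
    """Large upload AND NOT sanctioned destination AND NOT an allowed user/app pair."""
    return [
        e
        for e in untuned_rule(events)
        if not is_sanctioned(e) and not is_allowed_for_user_app(e)
    ]


MB = 1024 * 1024
# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    Event("alice", "chrome", "203.0.113.10", "files.partner.example", 500 * MB),      # sanctioned IP+URL
    Event("bob", "rclone", "198.51.100.7", "public-drive.example", 800 * MB),         # unsanctioned -> alert
    Event("svc_backup", "backup-agent", "198.51.100.20", "backup.vendor.example", 2048 * MB),  # allowed pair
    Event("carol", "chrome", "198.51.100.7", "public-drive.example", 5 * MB),         # below threshold
    Event("dave", "curl", "192.0.2.9", "corp.storage.example", 300 * MB),             # sanctioned URL only
    Event("eve", "python-requests", "198.51.100.33", "backup.vendor.example", 1024 * MB),  # wrong user/app -> alert
]


if __name__ == "__main__":
    print("untuned hits:", [e.user_name for e in untuned_rule(SAMPLE_EVENTS)])
    print("tuned hits:  ", [e.user_name for e in tuned_rule(SAMPLE_EVENTS)])
```

The last sample event is the one to watch: the destination appears in a user/application allowance, but the uploading user and tool do not match the allowed pair, so the tuned rule still fires. That is the benefit of keying the exclusion on user_name and application_name rather than on the destination alone.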
