Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA) — Question 18

When creating a BIOC rule, which XQL query can be used?

Answer options

• A. dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
• B. dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
• C. dataset = xdr_data | filter action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe" | fields action_process_image
• D. dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

Correct answer: B

Explanation

Option B is correct because it includes both the event type and event sub-type, which are necessary to accurately identify the relevant process start events for the BIOC rule. The other options are incomplete or improperly structured, either lacking essential filters or having syntax errors, which would prevent them from functioning correctly.