Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA) — Question 29
To create a BIOC rule from an XQL query, you must at a minimum filter on which field for it to be a valid BIOC rule?
Answer options
- A. causality_chain
- B. endpoint_name
- C. threat_event
- D. event_type
Correct answer: D
Explanation
The correct answer is D. A BIOC rule built from an XQL query must, at a minimum, filter on the event_type field, because that field defines which type of event the rule evaluates. The other fields (causality_chain, endpoint_name, threat_event) may appear in a query, but none of them is the minimum requirement for a valid BIOC rule.