Palo Alto Networks Certified Security Automation Engineer (PCSAE) — Question 36

An engineer's organization system is registered in the following manner: <SiteName-SystemID-Username>. The engineer created a new indicator type for detecting systems using regex. The engineer would now like the username to be created as a separate `˜User' indicator automatically once a system is found.
What is the most efficient way for the engineer to achieve this?

Answer options

• A. Create a custom indicator field named 'username' and link it to the internal system indicator
• B. Change the reputation command for the internal system indicator type
• C. Create a new indicator type of the internal username and set a formatting script to extract only the username
• D. Create a new indicator type of the internal username and have the regex included on any string that has dash at the beginning

Correct answer: B

Explanation

The correct answer is B because changing the reputation command for the internal system indicator type allows for direct manipulation of how the username is processed after system detection. Options A and C involve creating additional fields or types, which may not be as efficient as modifying the existing command. Option D unnecessarily complicates the process by including regex on a specific string format.