Palo Alto Networks Certified Security Automation Engineer (PCSAE) — Question 44

What is the most effective way to correlate multiple raw events coming from a SIEM and link them together?

Answer options

• A. Process all alerts by running the respective playbook and link related incidents during post-processing
• B. Ingest all raw events, run a custom script to find the relationship between them and proceed to link them together
• C. Configure a pre-process rule to link related events as they are ingested
• D. Manually go through the incidents created by the raw events and link related incidents

Correct answer: C

Explanation

The correct answer is C because configuring a pre-process rule allows for real-time linking of related events as they are ingested, enhancing efficiency. Option A involves post-processing, which is less immediate, while B requires custom scripting that may not be necessary. Option D is the least effective as it relies on manual intervention, which is time-consuming and prone to error.