Palo Alto Networks System Engineer – Cortex — Question 26
Cortex XSOAR has extracted a malicious Internet Protocol (IP) address involved in command-and-control (C2) traffic.
What is the best method to block this IP from communicating with endpoints without requiring a configuration change on the firewall?
Answer options
- A. Have XSOAR automatically add the IP address to a threat intelligence management (TIM) malicious IP list to elevate priority of future alerts.
- B. Have XSOAR automatically add the IP address to a deny rule in the firewall.
- C. Have XSOAR automatically add the IP address to an external dynamic list (EDL) used by the firewall.
- D. Have XSOAR automatically create a NetOps ticket requesting a configuration change to the firewall to block the IP.
Correct answer: C
Explanation
The correct answer is C because adding the IP address to an external dynamic list (EDL) that the firewall already references lets the firewall block the traffic without any direct change to its configuration. Option A only raises the priority of future alerts and does not block traffic; B requires a direct configuration change to the firewall; D also requires a configuration change and adds ticket-handling delay. All three are therefore weaker choices for immediate action.