Palo Alto Networks System Engineer – Cortex — Question 54
A Cortex XSOAR customer wants to ingest emails from a single mailbox. The mailbox brings in reported phishing emails and email requests from human resources (HR) to onboard new users. The customer wants to run two separate workflows from this mailbox, one for phishing and one for onboarding.
What will allow Cortex XSOAR to accomplish this in the most efficient way?
Answer options
- A. Create two instances of the email integration and classify one instance as ingesting incidents of type phishing and the other as ingesting incidents of type onboarding.
- B. Use an incident classifier based on a field in each type of email to classify those containing "Phish Alert" in the subject as phishing and those containing "Onboard Request" as onboarding.
- C. Create a playbook to process and determine incident type based on content of the email.
- D. Use machine learning (ML) to determine incident type.
Correct answer: B
Explanation
Option B is correct because an incident classifier assigns the incident type as each email is ingested, based on specific keywords in the subject line, so a single mailbox integration can feed both the phishing and the onboarding workflow. Option A would require managing multiple instances, which is less efficient. Option C, while useful, may not be as straightforward as using a classifier. Option D relies on machine learning, which may not be necessary for straightforward keyword identification.