Palo Alto Networks System Engineer – Cortex — Question 64

How can the required log ingestion license be determined when sizing a Cortex XSIAM deployment?

Answer options

• A. Use the Cortex Data Lake Calculator to estimate the volume of third-party logs.
• B. Count the number of correlation sources and multiply by desired retention days.
• C. Ask the customer for average log ingestion estimates from their existing SIEM.
• D. Ask the customer to provide average daily alert volume.

Correct answer: C

Explanation

The correct answer is C because obtaining average log ingestion estimates from the customer's existing SIEM provides a realistic basis for sizing the deployment. Option A is incorrect as it focuses only on third-party logs rather than overall log ingestion. Option B does not take into account the actual log volume, and option D pertains to alerts rather than log ingestion, making it irrelevant for determining the license size.