Palo Alto Networks XSIAM Analyst — Question 16
An analyst is responding to a critical incident involving a potential ransomware attack. The analyst immediately initiates full isolation on the compromised endpoint using Cortex XSIAM to prevent the malware from spreading across the network. However, the analyst now needs to collect additional forensic evidence from the isolated machine, including memory dumps and disk images, without reconnecting it to the network.
Which action will allow the analyst to collect the required forensic evidence while ensuring the endpoint remains fully isolated?
Answer options
- A. Using the management console to remotely run a predefined forensic playbook on the associated alert
- B. Collecting the evidence manually through the agent by accessing the machine directly and running "Generate Support File"
- C. Using the endpoint isolation feature to create a secure tunnel for evidence collection
- D. Disabling full isolation temporarily to allow forensic tools to communicate with the endpoint
Correct answer: A
Explanation
The correct answer is A: running a predefined forensic playbook from the management console lets the analyst collect evidence without compromising the isolation, because an isolated endpoint keeps its connection to the Cortex management server even though all other network traffic is blocked. Option B requires direct access to the machine, which may not be possible without reconnecting it to the network. Option C proposes creating a secure tunnel, which contradicts the requirement for full isolation. Option D would expose the endpoint to potential threats by disabling isolation.