Palo Alto Networks XSIAM Analyst — Question 2

An analyst conducting a threat hunt needs to collect multiple files from various endpoints. The analyst begins the file retrieval process by using the Action Center, but upon review of the retrieved files, notices that the list is incomplete and missing files, including kernel files.
What could be the reason for this issue?

Answer options

• A. The file retrieval policy applied to the endpoints may restrict access to certain system or kernel files.
• B. The retrieval process is limited to 500 MB in total file size.
• C. The endpoint agents were in offline mode during the file retrieval process, causing some files to be skipped.
• D. The analyst must manually retrieve kernel files by accessing the machine directly.

Correct answer: A

Explanation

The correct answer is A, as file retrieval policies can indeed impose restrictions on accessing sensitive system or kernel files. Options B and C are irrelevant because they refer to limitations on file size and agent status, which do not directly address the policy restrictions. Option D is incorrect since it suggests a manual process when the issue stems from policy restrictions.