Palo Alto Networks XSIAM Analyst — Question 20

During an investigation of an alert with a completed playbook, it is determined that no indicators exist from the email "[email protected]” in the Key Assets & Artifacts tab of the parent incident.
Which command will determine if Cortex XSIAM has been configured to extract indicators as expected?

Answer options

• A. !createNewIndicator value="[email protected]"
• B. !checkIndicatorExtraction text="[email protected]"
• C. !extractIndicators text="[email protected]" auto-extract=inline
• D. !emailvalue="[email protected]"

Correct answer: B

Explanation

The correct command, !checkIndicatorExtraction text="[email protected]", checks the configuration of Cortex XSIAM to ensure it is capable of extracting indicators. The other options either create new indicators, attempt to extract indicators without verifying the configuration, or are incorrectly formatted commands that do not perform the desired check.