Palo Alto Networks XSIAM Engineer — Question 15
An engineer wants to onboard data from a third-party vendor’s firewall. There is no content pack available for it, so the engineer creates a custom data source integration and parsing rules to generate a dataset with the firewall data.
How can the analytics capabilities of Cortex XSIAM be used on the data?
Answer options
- A. Create a behavioral indicator of compromise (BIOC) rule on the network fields (source IP, source port, target IP, target port, IP protocol).
- B. Create a data model rule with network fields mapped (source IP, source port, target IP, target port, IP protocol).
- C. Create a correlation rule on the network fields (source IP, source port, target IP, target port, IP protocol).
- D. Create a parsing rule and ensure the network fields exist (source IP, source port, target IP, target port, IP protocol).
Correct answer: B
Explanation
The correct answer is B. The analytics capabilities of Cortex XSIAM (behavioral analytics and the built-in analytics detectors) run on data that has been normalized into the Cortex Data Model (XDM), not on the vendor-specific fields of a raw custom dataset. Parsing rules only produce a dataset whose fields carry whatever names the vendor's log format uses; a data model rule maps those fields onto the standard XDM fields (source IP and port, target IP and port, IP protocol), which is what makes the firewall data usable by analytics in the same way as data from sources with a content pack. Option D stops at the parsing stage: the fields exist in the dataset, but nothing ties them to the XDM schema. Options A and C describe BIOC and correlation rules, which are rule-based detections the engineer writes against fields; they consume data but do not normalize it or expose it to the analytics engine.
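The following is an added illustration of what answer B looks like in practice; it is not part of the exam question or Palo Alto Networks content. It assumes the engineer's parsing rules already write to a custom dataset named `acme_fw_raw` (hypothetical; the `<vendor>_<product>_raw` naming follows the usual convention) with raw field names `src_ip`, `src_port`, `dst_ip`, `dst_port`, and `proto` (also assumed). The XDM field names are the standard ones for network events; verify the exact rule syntax against the current Cortex XSIAM data model rule documentation for your tenant.

```xql
// Data model rule: map raw firewall fields from the custom dataset onto XDM.
// Dataset name and raw field names (src_ip, src_port, dst_ip, dst_port, proto)
// are assumptions for this illustration, not values from the exam question.
[MODEL: dataset="acme_fw_raw"]
alter
    // Network 5-tuple: the fields the question lists
    xdm.source.ipv4 = src_ip,
    xdm.source.port = to_integer(src_port),
    xdm.target.ipv4 = dst_ip,
    xdm.target.port = to_integer(dst_port),
    // Raw logs typically carry the protocol as lower-case text; XDM expects
    // the enum spelling (e.g. "TCP"), so normalize the case before mapping.
    xdm.network.ip_protocol = uppercase(proto);
```

Once this rule is active, queries and detectors that reference `xdm.source.ipv4`, `xdm.target.port`, and the other XDM fields see the third-party firewall events alongside events from supported sources, without the engineer writing a BIOC or correlation rule per field. Ports are cast with `to_integer` because parsing rules often leave numeric values as strings, and a string in an integer XDM field will not map cleanly.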