Palo Alto Networks XSIAM Engineer — Question 26
A security engineer notices that in the past week ingestion has spiked significantly. Upon investigating the anomaly, it is determined that a custom application developed in-house caused the spike. The custom application is sending syslog to the Broker VM Syslog Collector applet. The engineer consults with the SOC analyst, who determines that 90% of the logs from the custom application are not used.
What can the engineer configure to reduce the ingestion?
Answer options
- A. Parsing rule to drop the unnecessary data at the Broker VM
- B. Data model rule to drop the unnecessary data
- C. Correlation rule on the Cortex XSIAM server to drop the unnecessary data
- D. Data model rule to map the useful data
Correct answer: A
Explanation
The correct answer is A because a parsing rule configured at the Broker VM lets the engineer filter out the unnecessary logs before they are sent to Cortex XSIAM, reducing the ingested volume at the source. Options B and D relate to data model rules, which map ingested data to the schema and do not address the immediate need to reduce log ingestion. Option C involves correlation rules, which are designed to detect patterns in data that has already been ingested, not to filter out unneeded logs at the point of collection.