Palo Alto Networks XSIAM Engineer — Question 27
An engineer is conducting a threat-actor emulation test to determine which Cortex XDR module would provide protection or alert on a real-world attack. The first test was prevented.
Which action must the engineer take to enable continued testing?
Answer options
- A. Remove the hash from the restrictions profile.
- B. Add an indicator exclusion.
- C. Add a prevention rule.
- D. Change the profile from "alert" to "prevent" for the BTP module.
Correct answer: B
Explanation
The correct action is to add an indicator exclusion, which lets the emulated test proceed past the current prevention so that testing can continue. Removing the hash from the restrictions profile (option A) does not specifically address the need to continue testing, while adding a prevention rule (option C) and changing the BTP module profile from "alert" to "prevent" (option D) only add prevention and do not facilitate ongoing testing in this context.