Palo Alto Networks XSIAM Engineer — Question 28
A Cortex XSIAM engineer adds a disable injection and prevention rule for a specific running process. After an hour, the engineer disables the rule to reinstate the security capabilities, but the capabilities are not applied.
What is the explanation for this behavior?
Answer options
- A. The engineer needs to restart the process to get back the security capabilities.
- B. The engineer needs a support exception to get back the security capabilities.
- C. The engineer needs to wait for the time period configured in the rule to pass first.
- D. The engineer can disable the rule, but security capabilities are not applied to the process.
Correct answer: A
Explanation
The correct answer is A: after the rule is disabled, the security capabilities are not reapplied to the process until the process has been restarted. Options B and C are incorrect because the steps they describe (a support exception, waiting for a configured time period) are not needed to reinstate the capabilities. Option D is misleading: it suggests that the capabilities cannot be reapplied once the rule is disabled, which is not true if the process is restarted.