Palo Alto Networks XSIAM Engineer — Question 46
What is a key characteristic of a parsing rule in Cortex XSIAM?
Answer options
- A. It uses regular expressions exclusively for data modifications, discards unmatched logs by default, and only retains fields with non-null values.
- B. It is bound to all vendors and products, performs data parsing once per log, and does not allow grouping.
- C. It is bound to a specific vendor and product, performs data parsing once per log, and does not allow grouping.
- D. It is bound to a specific vendor and product which allow grouping with a no-match policy, and retains all fields.
Correct answer: C
Explanation
The correct answer is C: a parsing rule in Cortex XSIAM is bound to a specific vendor and product, parses each log only once, and does not allow grouping. Options A, B, and D describe parsing rules incorrectly, misrepresenting either their vendor specificity or their grouping capabilities.