XSIAM-Engineer Questions and Answers

The integrationContext object in Cortex XSIAM is persistent across integration command runs and is managed using get_integration_context() and set_integration_context(). This allows data (such as key-value dictionaries) to be stored and retrieved reliably between executions.

Correlation rule errors can be tracked in XDR Collector audit logs (type = Rules, subtype = Error) and by querying the correlations_auditing dataset through XQL. These provide visibility into execution issues and failures for correlation rules.

For Cortex XDR agents to use the Broker VM as a download source, the Agent Settings profile must specify the Broker VM as the update source, and the Broker VM must be configured with an FQDN so agents can reliably resolve and connect to it.

Setting the "--memory-swap" option to "-1" during Cortex XSIAM engine deployment configures the container to run without requiring swap capabilities. This ensures the engine operates fully within allocated RAM, improving stability and avoiding issues related to memory swapping.

The correct command is cytool import suex -path , which imports a supplied support exception (suex) file onto a Linux endpoint, ensuring the exception is applied locally.

To meet the requirements, the engineer must enable scope enforcement by setting SBAC mode to Restrictive and assigning the Europe endpoint group (EG:Europe) as the scope. For role assignment, the correct predefined role is Privileged IT Admin, since it allows endpoint management, policy creation, and Live Terminal but does not permit user role management.

The "partially protected" status on a Linux endpoint typically occurs when the kernel modules fail to load because of unsupported kernel versions or when the agent is outdated and requires an upgrade. Both conditions prevent the agent from providing full protection capabilities.

For Cortex XDR agents running on servers in zones without internet access, a Broker VM is used as a communication bridge. The Broker VM securely relays traffic between the isolated agents and the Cortex platform, maintaining connectivity without requiring direct internet access from the servers.

The correct query is the one using preset = metrics_view with

comp sum(total_event_count) as total_events by _reporting_device_name and filtering total_events = 0.

This query directly checks event counts reported by the NGFW ("MainFW"). If no logs are received in the last 30 minutes, the total event count will be 0, which triggers the correlation rule alert.

When running the playbook debugger with attached test data, Cortex XSIAM operates entirely in debug mode, meaning neither the original list objects nor the original context are altered. All interactions happen in an isolated debug environment to avoid impacting production data.

To use a custom script in an alert layout, the script must be tagged with "general-purpose-dynamic-section", then a general purpose dynamic section is added to the layout, and finally the section settings are edited to attach the automation script. This ensures the script executes and displays results dynamically within the alert layout.

The XQL query uses regextract with conditions to check if the source IP begins with 149.235. When true, it assigns the replacement value 192.168.10.1, otherwise it extracts the source port. From the given logs, this produces 123 (from the port extraction in the second log) and 192.168.10.1 (replacement for the first log’s matching source IP).