Paloalto Networks XSIAM-Engineer - Palo Alto Networks XSIAM Engineer

When creating a data model rule, the field _event_type is automatically mapped from the dataset to the data model. This ensures events are categorized correctly in alignment with the Cortex XSIAM Data Model (XDM).

The correct query is the preset = host_inventory_applications with filters for application_name contains "ai_app" and version in ("12.1", "12.2", "12.4", "12.5"). This directly identifies hosts that have the vulnerable application and specific versions installed, matching the analyst’s request to find assets exposed to the zero-day CVE.

A Marketplace content pack in Cortex XSIAM can include scripts, playbooks, integrations, and correlation rules. These packaged content items extend platform functionality, automate workflows, and enhance detection and response capabilities.

When installing optional content packs in Cortex XSIAM, any mandatory dependencies are automatically included. The engineer’s main consideration is whether the additional functionality is needed and whether it may have a performance impact on the system.

Setting the "--memory-swap" option to "-1" during Cortex XSIAM engine deployment configures the container to run without requiring swap capabilities. This ensures the engine operates fully within allocated RAM, improving stability and avoiding issues related to memory swapping.

To restore the content pack to its previously installed version, the engineer can directly reinstall the desired version from the Cortex Marketplace. Content packs support version management, allowing rollback or upgrade without requiring support intervention or removing existing configurations.

The correct command is !ToTable data=${parentIncidentFields.custom_fields.incidentassignment}, which converts the specified context data into a tabular format. This allows fields such as runStatus and startDate to be clearly displayed in a table when troubleshooting playbook tasks.

Cortex XSIAM allows configuring Email and Slack as direct alert notification options without requiring a playbook. PagerDuty and SMS integrations, however, require orchestration through playbooks.

Broker VM options appear greyed out in the Agent Settings profile when the Local Agent Settings applet is activated without an FQDN. An FQDN is required for agents to resolve and connect to the Broker VM as a download source.