Palo Alto Networks Exam XDR-Engineer Topic 3 Question 3 Discussion

Actual exam question for Palo Alto Networks's XDR-Engineer exam

Question #: 3
Topic #: 3

[Detection Engineering]

A Custom Prevention rule that was determined to be a false positive alert needs to be tuned. The behavior was determined to be authorized and expected on the affected endpoint. Based on the image below, which two steps could be taken? (Choose two.)

[Image description: A Custom Prevention rule configuration, assumed to trigger a Behavioral Indicator of Compromise (BIOC) alert for authorized behavior]

AApply an alert exception

BApply an alert exclusion to the XDR behavioral indicator of compromise (BIOC) alert

CApply an alert exclusion to the XDR agent alert

DModify the behavioral indicator of compromise (BIOC) logic

Show Suggested Answer

Suggested Answer: A, B

by Wilburn at Jun 12, 2025, 10:28 PM

Limited Time Offer

25%

Off

Get Premium XDR-Engineer Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Jamal

1 days ago

I'm with Junita on this one. A) and B) are the cleanest solutions. Plus, who wants to mess with the BIOC logic if you don't have to?

upvoted 0 times

...

Jani

7 days ago

Hah, these XDR agents, always causing trouble! A) and C) are the obvious choices here. No need to get your hands dirty with the BIOC logic.

upvoted 0 times

...

Ricarda

14 days ago

D) is a bit overkill for a simple false positive, don't you think? A) and C) are the way to go in my opinion.

upvoted 0 times

...

Bernadine

14 days ago

I believe modifying the behavioral indicator of compromise logic could also be helpful in this situation.

upvoted 0 times

...

Verlene

16 days ago

I agree with Suzan. Applying an alert exception seems like the right step.

upvoted 0 times

...

Suzan

21 days ago

I think we should apply an alert exception.

upvoted 0 times

...

Junita

1 months ago

Definitely go with A) and B). Applying an alert exception and exclusion is the way to go here. Don't want those false positives cluttering up my alerts!

upvoted 0 times

Janna

7 days ago

I always make sure to adjust the rules to avoid unnecessary alerts.

upvoted 0 times

...

Tijuana

8 days ago

It's important to tune those false positives to keep the alerts clean.

upvoted 0 times

...

Mitzie

1 months ago

I agree, applying an alert exception and exclusion is the best approach.

upvoted 0 times

...