
Palo Alto Networks XDR-Engineer Exam - Topic 3 Question 3 Discussion

Actual exam question for the Palo Alto Networks XDR-Engineer exam
Question #: 3
Topic #: 3

[Detection Engineering]

A Custom Prevention rule that was determined to be a false positive alert needs to be tuned. The behavior was determined to be authorized and expected on the affected endpoint. Based on the image below, which two steps could be taken? (Choose two.)

[Image description: A Custom Prevention rule configuration, assumed to trigger a Behavioral Indicator of Compromise (BIOC) alert for authorized behavior]

Suggested Answer: A, B

Contribute your Thoughts:

Lacresha
2 months ago
A and C seem like the safest choices here.
upvoted 0 times
Aracelis
2 months ago
Surprised that tuning is even needed for authorized behavior!
upvoted 0 times
Emeline
3 months ago
I think D could be a better option.
upvoted 0 times
Solange
3 months ago
Not sure about B, feels like it might miss something important.
upvoted 0 times
Dorthy
3 months ago
Definitely go with A and B!
upvoted 0 times
Kirk
3 months ago
I feel like both applying an alert exclusion and modifying the logic could work, but I need to double-check which one is more appropriate for this scenario.
upvoted 0 times
Latricia
4 months ago
I'm a bit confused about whether modifying the BIOC logic is necessary. Wouldn't that be more complicated than just excluding the alert?
upvoted 0 times
Luther
4 months ago
I remember a similar practice question where we had to exclude alerts, so maybe applying an alert exclusion to the BIOC alert is a good choice here.
upvoted 0 times
Kati
4 months ago
I think applying an alert exception could be one option, but I'm not entirely sure if that's the best approach for a false positive.
upvoted 0 times
Lashaun
4 months ago
I'm a little confused on the difference between an alert exception and an alert exclusion. I'll need to double-check the definitions to make sure I select the right option here.
upvoted 0 times
Sharmaine
4 months ago
Okay, let's think this through step-by-step. Since the behavior was determined to be authorized, I'd start by applying an alert exception. If that doesn't work, then modifying the BIOC logic could be the next step to fine-tune the rule.
upvoted 0 times
Viki
5 months ago
Hmm, I'm a bit unsure here. I know we need to address the false positive, but I'm not sure if I should apply an exception or exclusion. Maybe I'll review the details of each option to decide the best approach.
upvoted 0 times
Aaron
5 months ago
This looks straightforward. I'd go with applying an alert exception or modifying the BIOC logic to tune the rule and prevent future false positives.
upvoted 0 times
Jamal
7 months ago
I'm with Junita on this one. A) and B) are the cleanest solutions. Plus, who wants to mess with the BIOC logic if you don't have to?
upvoted 0 times
Yoko
7 months ago
Yeah, I think those are the safest choices. Modifying the BIOC logic could cause more issues.
upvoted 0 times
Derrick
7 months ago
I agree, A) Apply an alert exception and B) Apply an alert exclusion seem like the best options.
upvoted 0 times
Jani
8 months ago
Hah, these XDR agents, always causing trouble! A) and C) are the obvious choices here. No need to get your hands dirty with the BIOC logic.
upvoted 0 times
Ronna
7 months ago
Yeah, no need to mess with the BIOC logic. Those XDR agents can be a pain sometimes.
upvoted 0 times
Rima
7 months ago
I agree, A) Apply an alert exception and C) Apply an alert exclusion to the XDR agent alert are the way to go.
upvoted 0 times
Ricarda
8 months ago
D) is a bit overkill for a simple false positive, don't you think? A) and C) are the way to go in my opinion.
upvoted 0 times
Erasmo
7 months ago
Definitely, D) seems like it would be too drastic. A) and C) are the more reasonable choices.
upvoted 0 times
Loren
7 months ago
Yeah, I think A) and C) are the more practical options in this case.
upvoted 0 times
Marguerita
7 months ago
I agree, D) does seem like too much for just a false positive. A) and C) should do the trick.
upvoted 0 times
Bernadine
8 months ago
I believe modifying the behavioral indicator of compromise logic could also be helpful in this situation.
upvoted 0 times
Verlene
8 months ago
I agree with Suzan. Applying an alert exception seems like the right step.
upvoted 0 times
Suzan
8 months ago
I think we should apply an alert exception.
upvoted 0 times
Junita
9 months ago
Definitely go with A) and B). Applying an alert exception and exclusion is the way to go here. Don't want those false positives cluttering up my alerts!
upvoted 0 times
Janna
8 months ago
I always make sure to adjust the rules to avoid unnecessary alerts.
upvoted 0 times
Tijuana
8 months ago
It's important to tune those false positives to keep the alerts clean.
upvoted 0 times
Mitzie
8 months ago
I agree, applying an alert exception and exclusion is the best approach.
upvoted 0 times