Palo Alto Networks XSIAM-Analyst Exam - Topic 4 Question 2 Discussion

Actual exam question for Palo Alto Networks's XSIAM-Analyst exam

Question #: 2
Topic #: 4

A Cortex XSIAM analyst in a SOC is reviewing an incident involving a workstation showing signs of a potential breach. The incident includes an alert from Cortex XDR Analytics Alert source "Remote service command execution from an uncommon source." As part of the incident handling process, the analyst must apply response actions to contain the threat effectively.

Which initial Cortex XDR agent response action should be taken to reduce attacker mobility on the network?

AIsolate Endpoint: Prevent the endpoint from communicating with the network

BRemove Malicious File: Delete the malicious file detected

CTerminate Process: Stop the suspicious processes identified

DBlock IP Address: Prevent future connections to the IP from the workstation

Show Suggested Answer

Suggested Answer: A

The correct answer is A -- Isolate Endpoint.

The most effective initial response to contain a breach and reduce attacker mobility is to isolate the endpoint. This action ensures that the compromised machine can no longer communicate with the network or external systems, effectively cutting off lateral movement and exfiltration by attackers, while still allowing controlled response operations.

'Isolate Endpoint is the primary response action used to immediately contain a threat by severing all network communication, thus limiting attacker movement during active incidents.'

Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf

Page: Page 40 (Incident Handling/SOC section)

by Bernardine at Nov 26, 2025, 01:13 AM

Limited Time Offer

25%

Off

Get Premium XSIAM-Analyst Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Hyun

3 days ago

Terminating the process could also help.

upvoted 0 times

...

Lou

9 days ago

But what about removing the malicious file?

upvoted 0 times

...

Abel

14 days ago

Agreed, it stops further damage.

upvoted 0 times

...

Blythe

19 days ago

D) Block IP Address could help too, but isolating is more immediate.

upvoted 0 times

...

Michal

24 days ago

B) Remove Malicious File seems risky, what if it’s not the only issue?

upvoted 0 times

...

Wava

29 days ago

I’m not so sure about that, what if it’s a false alarm?

upvoted 0 times

...

Nathalie

2 months ago

Totally agree, isolating stops the attacker from moving around.

upvoted 0 times

...

Mira

2 months ago

A) Isolate Endpoint is the best move to contain the threat.

upvoted 0 times

...

Nickolas

2 months ago

Isolating the endpoint is the way to go. Can't let the attacker roam free on the network, am I right?

upvoted 0 times

...

Jettie

2 months ago

Haha, I bet the attacker is like, "Aw man, they blocked my IP! Time to try a different one." Isolate that endpoint, folks!

upvoted 0 times

...

Virgina

2 months ago

Deleting the malicious file is important, but it won't stop the attacker from potentially executing more commands. Isolate the endpoint!

upvoted 0 times

...

Roselle

2 months ago

Blocking the IP address could be helpful, but it might not be enough on its own. Isolating the endpoint is the way to go.

upvoted 0 times

...

Lavonna

3 months ago

Blocking the IP address might be useful later, but I think we need to contain the threat first by isolating the endpoint.

upvoted 0 times

...

Brock

3 months ago

I feel like removing the malicious file could be important too, but if the attacker is still active, it might not help much.

upvoted 0 times

...

Lorean

3 months ago

I remember a practice question where we had to decide between isolating an endpoint and blocking an IP address. Isolating seemed to be the more immediate action.

upvoted 0 times

...

Dyan

3 months ago

I think isolating the endpoint is crucial here to prevent further damage, but I'm not entirely sure if that's the first step we should take.

upvoted 0 times

...

Dulce

3 months ago

I'm a bit confused on the best approach here. Should we focus on removing the malicious file, terminating the processes, or isolating the endpoint? I'll need to think through the pros and cons of each option.

upvoted 0 times

...

Daniel

3 months ago

Blocking the IP address could be a quick way to stop future connections, but I'm worried that might not address the immediate threat on the workstation. Isolating the endpoint feels like the safest option.

upvoted 0 times

...

Tyisha

4 months ago

Terminating the suspicious processes is a good start, but I'd also recommend isolating the endpoint to be on the safe side.

upvoted 0 times

...

Michel

4 months ago

I think isolating the endpoint is crucial.

upvoted 0 times

...

Gertude

4 months ago

Isolating the endpoint seems like the best move to contain the threat and limit the attacker's mobility.

upvoted 0 times

...

Kati

4 months ago

Isolating the endpoint seems like a good first step, but I'm also wondering if we should consider terminating the suspicious processes to disrupt the attacker's activities.

upvoted 0 times

...

Jenelle

5 months ago

Hmm, I'm not sure if isolating the endpoint is the right move here. Shouldn't we try to remove the malicious file first to eliminate the root cause?

upvoted 0 times

...

Gilma

5 months ago

I think isolating the endpoint would be the best initial response to contain the threat and prevent the attacker from moving laterally on the network.

upvoted 0 times

Minna

4 months ago

Definitely, better safe than sorry.

upvoted 0 times

...