
Palo Alto Networks XSIAM-Engineer Exam - Topic 4 Question 15 Discussion

A Behavioral Threat Protection (BTP) alert is triggered with an action of "Prevented (Blocked)" on one of several application servers running Windows Server 2022. The investigation determines the involved processes to be legitimate core OS binaries, and the description from the triggered BTP rule is an acceptable risk for the company to allow the same activity in the future.

This type of activity is only expected on the endpoints that are members of the endpoint group "AppServers," which already has a separate prevention policy rule with an exceptions profile named "Exceptions-AppServers" and a malware profile named "Malware-AppServers."

The CGO that was terminated has the following properties:

SHA256: eb71ea69dd19f728ab9240565e8c7efb59821e19e3788e289301e1e74940c208
File path: C:\Windows\System32\cmd.exe
Digital Signer: Microsoft Corporation

How should the exception be created so that it is scoped as narrowly as possible to minimize the security gap?

A) Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to the 'Exceptions-AppServers' profile.
B) Create a Disable Prevention Rule via Exceptions Configuration with the following selections:
C) Create a Legacy Agent Exception via Exceptions Configuration with the following selections:
D) Create the exception via the alert itself, selecting the CGO hash, CGO signer, CGO process path, and applying the scope to 'Global.'

Actual exam question for Palo Alto Networks's XSIAM-Engineer exam
Question #: 15
Topic #: 4

Suggested Answer: B

The most secure approach is to create a Disable Prevention Rule via Exceptions Configuration, scoped specifically to the Exceptions-AppServers profile. This rule should include the hash (SHA256), signer (Microsoft Corporation), and file path (C:\Windows\System32\cmd.exe). This ensures the exception is applied only to the trusted, legitimate process on the AppServers group while minimizing the security gap.
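To make the "scoped as narrowly as possible" reasoning concrete, here is an added illustration (not from Pass4Success, Palo Alto Networks, or the Cortex XSIAM API): a constructed Python model that counts how many sample detections each candidate exception would silence. The rule and event fields are hypothetical; only the hash, path and signer come from the question, and the extra sample events are made up.

```python
from dataclasses import dataclass
from typing import List, Optional

# Values taken from the question above.
CGO_SHA256 = "eb71ea69dd19f728ab9240565e8c7efb59821e19e3788e289301e1e74940c208"
CGO_PATH = r"C:\Windows\System32\cmd.exe"
CGO_SIGNER = "Microsoft Corporation"


@dataclass(frozen=True)
class Event:
    """One BTP detection: the CGO's properties plus the endpoint's group (hypothetical model)."""
    sha256: str
    path: str
    signer: str
    endpoint_group: str


@dataclass(frozen=True)
class ExceptionRule:
    """Exception criteria; a None field means 'any value' (a broader match).
    scope is the endpoint group the profile applies to, or "Global" for every endpoint."""
    scope: str
    sha256: Optional[str] = None
    path: Optional[str] = None
    signer: Optional[str] = None

    def matches(self, ev: Event) -> bool:
        if self.scope != "Global" and ev.endpoint_group != self.scope:
            return False  # profile-scoped rule never reaches other groups
        checks = ((self.sha256, ev.sha256), (self.path, ev.path), (self.signer, ev.signer))
        return all(want is None or want == got for want, got in checks)


def suppressed_count(rule: ExceptionRule, events: List[Event]) -> int:
    """Number of sample detections the rule would silence (fewer = narrower gap)."""
    return sum(rule.matches(e) for e in events)


# Constructed sample detections: the acceptable case from the question, plus
# look-alikes a defender would not want silenced by the same exception.
SAMPLE_EVENTS = [
    Event(CGO_SHA256, CGO_PATH, CGO_SIGNER, "AppServers"),                    # the acceptable case
    Event(CGO_SHA256, CGO_PATH, CGO_SIGNER, "Workstations"),                  # same binary, other group
    Event("0" * 64, CGO_PATH, "Unsigned", "AppServers"),                      # unsigned file at cmd.exe's path
    Event(CGO_SHA256, r"C:\Users\Public\cmd.exe", CGO_SIGNER, "AppServers"),  # genuine binary, moved
]

NARROW_APPSERVERS = ExceptionRule("AppServers", CGO_SHA256, CGO_PATH, CGO_SIGNER)  # hash+signer+path, profile scope
NARROW_GLOBAL = ExceptionRule("Global", CGO_SHA256, CGO_PATH, CGO_SIGNER)           # same criteria, global scope
PATH_ONLY_APPSERVERS = ExceptionRule("AppServers", path=CGO_PATH)                   # path only, profile scope
```

Running `suppressed_count` over the samples shows the profile-scoped rule with all three attributes silences only the acceptable case, while dropping either the group scope or the hash/signer criteria silences additional detections.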

