Last Attempt XSIAM-Engineer Questions

For upgrading a non-Linux Kubernetes cluster, the correct installer type is Helm, since Helm charts are the supported method for deploying and managing Cortex XDR agents in Kubernetes environments.

A sudden data ingestion loss for a previously successful data source commonly occurs when the API key used for the integration has expired, breaking authentication and preventing further log collection.

To enforce least privilege for Building 3 administrators, SBAC must be enabled in Restrictive Mode and the administrators’ scope must be limited to EG:Building3. This ensures they can only manage endpoints within the Building 3 group, even if those endpoints are also part of other groups, while blocking access to endpoints outside their responsibility.

The XQL query uses regextract with conditions to check if the source IP begins with 149.235. When true, it assigns the replacement value 192.168.10.1, otherwise it extracts the source port. From the given logs, this produces 123 (from the port extraction in the second log) and 192.168.10.1 (replacement for the first log’s matching source IP).