What is the purpose of detection indicator rules?
Response:

• A.To manage threat hunting queries
• B.To correlate XDR agent policies
• C.To define alert suppression criteria
• D.To detect specific behaviors and generate alerts

Comment: *

Name: *

Email: *

Verification: *

What can be used to filter out empty values in the query results table?

• A.<name of field> != null or <field name> !=
• B.<name of field> != empty or <field name> != "NA"
• C.<name of field> != null or <field name> != "NA"
• D.<name of field> != empty or <field name> != ""

Comment: *

Name: *

Email: *

Verification: *

A security analyst reviews two alerts:
- Alert A was triggered by a suspicious process execution pattern across multiple endpoints.
- Alert B was triggered by the presence of a known malicious hash in network traffic.
Which are true regarding these alerts?
(Choose two)
Response:

• A.Alert B is likely an IOC alert
• B.Alert B is likely a BIOC alert
• C.Alert A demonstrates behavioral linkage
• D.Alert A is likely a correlation rule alert

Comment: *

Name: *

Email: *

Verification: *

What is the core purpose of attack surface rules?
Response:

• A.To define user access roles
• B.To apply endpoint policy configurations
• C.To monitor email phishing attacks
• D.To detect and classify exposed services or CVEs

Comment: *

Name: *

Email: *

Verification: *

A threat hunter discovers a true negative event from a zero-day exploit that is using privilege escalation to launch "Malware pdf.exe". Which XQL query will always show the correct user context used to launch
"Malware pdf.exe"?

• A.config case_sensitive = false | dataset = xdr_data | filter event_type = ENUM.PROCESS | filter action_process_image_name = "Malware.pdf.exe" | fields causality_actor_effective_username
• B.config case_sensitive = false | dataset = xdr_data | filter event_type = ENUM.PROCESS | filter action_process_image_name = "Malware.pdf.exe" | fields actor_process_username
• C.config case_sensitive = false | datamodel dataset = xdrdata | filter xdm.source.process.name = "Malware.
  pdf.exe" | fields xdm.target.user.username
• D.config case_sensitive = false | dataset = xdr_data | filter event_type = ENUM.PROCESS | filter action_process_image_name = "Malware.pdf.exe" | fields action_process_username

Comment: *

Name: *

Email: *

Verification: *