Q: 2
[Detection Engineering]
An analyst has decided that an alert in the lateral movement category is allowed and does not need to be reviewed in the future. Based on the image below, which action can an engineer take to meet this requirement?


Options
Discussion
Option B is best here since it excludes alerts by source and name, covering all similar future lateral movement alerts. D would only handle a specific parent process or command. Pretty sure B matches Palo Alto's expected workflow, but let me know if you see it differently.
B. Blocking by alert source and name is what you need if you want to stop this category from alerting again. D's more for single process/command use, trap for broader cases.
B. Alert exclusion rule by source and name stops future alerts of this category from popping up, which is what the question is asking for. The other options are more restrictive or target specific processes, but here they want to allow similar lateral movement events fully. Pretty sure Palo Alto wants B in this scenario, but open to corrections if anyone's done it another way.
B, saw a similar question on a practice test, and alert exclusion by source and name is what Palo Alto expects if you want to skip all future alerts for a specific category. D's for more targeted scenarios. Seen this logic in exam dumps before. Agree?
D imo. I remember in a lab we handled similar alert suppression with an exception rule focused on the parent process and command, which matched what the analyst wanted. The admin guide talks about exclusions, but for one-off scenarios, D feels right to me. Might be missing a nuance though, official practice test could help confirm.
D, since that exception targets the parent process and command, so it should suppress alerts for that specific scenario. Right?
Pretty sure it's D. That rule would cover the parent process and exact command, so you wouldn't see this alert for that specific case again. I saw a similar question in old practice sets and D was close to what they wanted, but maybe I'm missing something about category-wide suppression? Disagree?
B makes sense here. The question wants to allow all similar lateral movement alerts in the future, not just for one process or command. Creating an alert exclusion rule by source and name covers that category across the board, which matches how XDR handles alert silencing at scale. I think that’s what Palo Alto expects but wouldn’t mind seeing confirmation from the official guide or lab materials if anyone has them.
Needs to be B. That exclusion rule by source and name fits since they want to allow all future similar alerts.
B, not D. Exclusion rule by alert source and name will stop these from triggering in the future, which matches the ask. Pretty sure that's what Palo Alto wants here, but correct me if I'm off.