Question 13 - Palo Alto Networks XSIAM Engineer Real Exam Questions [Jan 2026 Update]

Q: 13

A security engineer notices that in the past week ingestion has spiked significantly. Upon investigating the anomaly, it is determined that a custom application developed in-house caused the spike. The custom application is sending syslog to the Broker VM Syslog Collector applet. The engineer consults with the SOC analyst, who determines that 90% of the logs from the custom application are not used. What can the engineer configure to reduce the ingestion?

Options

Correct Answer:

Explanation

To reduce data ingestion, filtering should occur at the earliest point possible. In this scenario, the Broker VM is collecting syslog data. By configuring a Parsing Rule on the Broker VM, the engineer can use the drop() function to discard the unnecessary log entries before they are forwarded to the Cortex XSIAM cloud instance. This directly addresses the problem by preventing the unwanted data from ever being ingested, thus reducing the ingestion volume and associated costs. This is the most efficient method for filtering data collected by the Broker VM.

Why Incorrect

B. Data model rule to drop the unnecessary data: Data modeling occurs after data has already been ingested into the XSIAM data lake. This process normalizes data but does not reduce the initial ingestion volume.

C. Correlation rule on the Cortex XSIAM server to drop the unnecessary data: Correlation rules are a detection mechanism that operates on already ingested data to identify threats. They do not have the functionality to drop or reduce ingested data.

D. Data model rule to map the useful data: While mapping useful data is a necessary step, it does not prevent the ingestion of the raw logs containing unnecessary data. The entire raw log is still ingested.

References

1. Palo Alto Networks Cortex XSIAM Administrator's Guide: In the section on "Parsing Rules", the documentation details the use of functions. The drop() function is explicitly described: "Discards the current event. This function is useful for filtering out events that you do not want to forward to Cortex XSIAM." This confirms that parsing rules are the correct mechanism for pre-ingestion filtering on the Broker VM. (Reference: Cortex XSIAM Administrator's Guide > Data Ingestion > Parsing Rules > Parsing Rule Functions).

2. Palo Alto Networks Cortex XSIAM Administrator's Guide: The section on the "Data Ingestion Workflow" illustrates that parsing and filtering on the Broker VM happen before the data is sent to the XSIAM tenant for storage and data modeling. This architectural flow supports using a parsing rule to reduce ingestion. (Reference: Cortex XSIAM Administrator's Guide > Get Started with Cortex XSIAM > Cortex XSIAM Architecture and Components).

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE