The correct answers are A (Feed Integration settings) and B (Classification & Mapping tab) .

Feed Integration settings: Mapping of indicator fields can be configured directly within the feed integration configuration, allowing incoming threat intelligence feeds to be parsed and mapped correctly to XSIAM fields.

Classification & Mapping tab: This tab is available in various integration and indicator settings, enabling detailed field mapping and classification logic for incoming indicators.

"Mapping for indicators can be set within the Classification & Mapping tab or during Feed Integration setup to ensure proper parsing and normalization."

Document Reference: XSIAM Analyst ILT Lab Guide.pdf

Page: Page 36 (Threat Intel Management section)

===========

The correct answer is D – Shell history .

The Shell history artifact provides a detailed record of commands executed during interactive shell sessions (such as via PowerShell or command prompt) on Windows and Linux systems. Reviewing this artifact enables responders to reconstruct the attacker's activity during the discovery phase , showing exactly what directories, files, and commands were accessed or run, and what the attackers were searching for.

"The Shell history artifact allows responders to see what commands were executed during the attack, providing insight into attacker intent and discovery activities."

Document Reference: XSIAM Analyst ILT Lab Guide.pdf

Page: Page 46 (Incident Handling section, Causality and Forensics)

The correct answer is D – View Actions .

Within the Cortex XSIAM Endpoints table, the View Actions context menu allows analysts to review historical actions performed on an endpoint, including Live Terminal access. This menu logs all actions such as isolations, scans, and terminal sessions, along with the user who initiated each action, making it the source for tracking who accessed the endpoint via Live Terminal.

"The View Actions option in the endpoints table displays a history of all performed actions, including Live Terminal sessions and the corresponding users."

Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf

Page: Page 13 (Agent Deployment and Configuration section)

(Both steps together are needed for accurate configuration: "Filter and select one or more file, IP address, and domain indicators." AND "Select profiles for prevention")

The correct steps are to filter and select one or more file, IP address, and domain indicators (C) and then select profiles for prevention (D).

When configuring an indicator prevention rule in Cortex XSIAM/XDR, after naming the rule and setting its severity, the analyst should:

Filter and select the specific indicators (e.g., file hashes, IP addresses, domains) that are to be blocked or prevented.

Select the appropriate endpoint profiles or groups where the rule should be enforced for active prevention.

"Before saving an indicator prevention rule, filter and select the relevant indicators (file, IP address, and domain), then assign the prevention profiles that will enforce the rule on endpoints."

Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf

Page: Page 16-17 (Endpoint Policy Management section)

The correct answer is B - Daily .

In Cortex XSIAM's Attack Surface Management (ASM), external scans and associated attack surface rules are refreshed and updated on a daily basis . Daily updates ensure that security analysts are provided with timely and relevant insights regarding exposed assets and potential vulnerabilities that could impact the organization's security posture.

"External scans for Attack Surface Rules are updated daily to ensure the latest and most relevant security visibility."

Document Reference: XSIAM Analyst ILT Lab Guide.pdf

Exact Page: Page 41 (Attack Surface Management Section)

The correct answer is D – The xdm_core fieldset will be returned by default.

In Cortex XSIAM, when no specific fields are selected in a data model query, the xdm_core fieldset (which contains essential, core fields of the dataset) is automatically returned. This ensures analysts always have a baseline set of meaningful information in the results, even when fields are not explicitly specified.

"When no fields are specified in a data model query, Cortex XSIAM defaults to returning the xdm_core fieldset, which contains key metadata and context."

Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf

Page: Page 29 (Data Model section)

===========

The correct answer is A – Initiate the endpoint isolate action to contain the threat.

For incidents indicating possible remote compromise or unauthorized task creation, the most effective initial response is endpoint isolation . This cuts off the endpoint’s network access, preventing lateral movement and limiting attacker activity until further investigation and remediation.

“The endpoint isolate action is the primary containment step in incidents involving suspected remote compromise, halting network communication to reduce further risk.”

Document Reference: XSIAM Analyst ILT Lab Guide.pdf

Page: Page 40 (Incident Handling/SOC section)