Exam SecOps-Pro Topic 1 Question 71 Discussion

Actual exam question for Palo Alto Networks's SecOps-Pro exam
Question #: 71
Topic #: 1

A threat hunting team is proactively searching for signs of 'Kerberoasting' attacks within their Active Directory environment using Cortex XSIAM. This involves an attacker requesting service tickets (TGS) for service principal names (SPNs) that have user accounts associated with them, then cracking the hash offline. Which of the following XSIAM data sources, XQL queries, and rule types would be most pertinent for detecting and correlating such activity, and how would XSIAM's 'Attack Surface Management' contribute to this hunt?

A. Only endpoint logs for process execution related to Kerberoasting tools.

B. Identity and Authentication logs (e.g., Active Directory, Azure AD) for suspicious TGS requests.

C. Network flow data for SMB traffic only.

D. Firewall logs for denied connections.

E. Cloud audit logs for S3 bucket access.

Suggested Answer: B Vote an answer

Kerberoasting is an identity-based attack. Therefore, the most critical data source is identity and authentication logs, specifically those detailing TGS requests in Active Directory. The XQL query in option B correctly targets TGS requests and looks for the '$' character in the service name, which is characteristic of SPNs, and then aggregates by user to identify users making an unusual number of such requests. This forms the basis for a BIOC rule. While some Kerberoasting tools might leave endpoint traces, focusing on the core authentication activity is more robust. Cortex XSIAM's Attack Surface Management (ASM) capability is highly relevant because it helps identify misconfigurations or risky assets. In the context of Kerberoasting, ASM can identify user accounts that have SPNs assigned to them (a common misconfiguration or legacy setup) that attackers might target, allowing the security team to harden these accounts proactively by ensuring strong passwords or removing unnecessary SPNs, thereby reducing the attack surface for Kerberoasting.

by Herman at Apr 05, 2026, 05:44 AM

Limited Time Offer

15%

Off

Get Premium SecOps-Pro Questions as Interactive Self Test Engine or PDF

Comments

Here are all the actual test exam dumps for IT exams. Most people prepare for the actual exams with our test dumps to pass their exams. So it's critical to choose and actual test pdf to succeed.

RECENT DISCUSSIONS

Useful Links

Contact Us

Our Working Time: ( GMT 0:00-15:00 )
From Monday to Saturday

Support: Contact now

If you have any question please leave me your email address, we will reply and send email to you in 12 hours.

Disclaimer:
Actual4test doesn't offer Real SANS and GIAC Exam Questions.
Oracle and Java are registered trademarks of Oracle and/or its affiliates
Actual4test material do not contain actual actual Oracle Exam Questions or material.
Actual4test doesn't offer Real Microsoft Exam Questions.
Microsoft®, Azure®, Windows®, Windows Vista®, and the Windows logo are registered trademarks of Microsoft Corporation
Actual4test Materials do not contain actual questions and answers from Cisco's Certification Exams. The brand Cisco is a registered trademark of CISCO, Inc
CFA Institute does not endorse, promote or warrant the accuracy or quality of these questions. CFA® and Chartered Financial Analyst® are registered trademarks owned by CFA Institute.
Actual4test does not offer exam dumps or questions from actual exams. We offer learning material and practice tests created by subject matter experts to assist and help learners prepare for those exams. All certification brands used on the website are owned by the respective brand owners. Actual4test does not own or claim any ownership on any of the brands.