(Both steps together are needed for accurate configuration: "Filter and select one or more file, IP address, and domain indicators." AND "Select profiles for prevention")
The correct steps are to filter and select one or more file, IP address, and domain indicators (C) and then select profiles for prevention (D).
When configuring an indicator prevention rule in Cortex XSIAM/XDR, after naming the rule and setting its severity, the analyst should:
Filter and select the specific indicators (e.g., file hashes, IP addresses, domains) that are to be blocked or prevented.
Select the appropriate endpoint profiles or groups where the rule should be enforced for active prevention.
"Before saving an indicator prevention rule, filter and select the relevant indicators (file, IP address, and domain), then assign the prevention profiles that will enforce the rule on endpoints."
Document Reference: EDU-270c-10-lab-guide_02.docx (1).pdf
Page: Page 16-17 (Endpoint Policy Management section)