pcdra-topic-1
Question #: 86
Topic #: 1
Which Exploit Prevention Module (EPM) provides better entropy for randomization of memory locations?
A. UASLR
B. JIT Mitigation
C. Memory Limit Heap spray check
D. DLL Security
Question #: 85
Topic #: 1
What is the WildFire analysis file size limit for Windows PE files?
A. 500MB
B. 100MB
C. 1GB
D. No Limit
Question #: 64
Topic #: 1
What is an example of an attack vector for ransomware?
A. A URL filtering feature enabled on a firewall
B. Phishing emails containing malicious attachments
C. Performing DNS queries for suspicious domains
D. Performing SSL Decryption on an endpoint
Question #: 55
Topic #: 1
Which statement regarding scripts in Cortex XDR is true?
A. Any version of Python script can be run.
B. The level of risk is assigned to the script upon import.
C. Any script can be imported including Visual Basic (VB) scripts.
D. The script is run on the machine uploading the script to ensure that it is operational.
Question #: 54
Topic #: 1
When creating a scheduled report, which is not an option?
A. Run weekly on a certain day and time.
B. Run quarterly on a certain day and time.
C. Run monthly on a certain day and time.
D. Run daily at a certain time (selectable hours and minutes).
Question #: 48
Topic #: 1
Live Terminal uses which type of protocol to communicate with the agent on the endpoint?
A. NetBIOS over TCP
B. WebSocket
C. UDP and a random port
D. TCP, over port 80
Question #: 38
Topic #: 1
Which of the following is an example of a successful exploit?
A. connecting unknown media to an endpoint that copied malware due to Autorun.
B. a user executing code which takes advantage of a vulnerability on a local service.
C. identifying vulnerable services on a server.
D. executing a process executable for well-known and signed software.
Question #: 96
Topic #: 1
Which statement best describes how Behavioral Threat Protection (BTP) works?
A. BTP injects into known vulnerable processes to detect malicious activity.
B. BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.
C. BTP matches EDR data with rules provided by Cortex XDR.
D. BTP matches the signature with the existing database of malicious files.
Question #: 59
Topic #: 1
Which statement best describes how Behavioral Threat Protection (BTP) works?
A. BTP injects into known vulnerable processes to detect malicious activity.
B. BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.
C. BTP matches EDR data with rules provided by Cortex XDR.
D. BTP uses machine Learning to recognize malicious activity even if it is not known.
Question #: 94
Topic #: 1
While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?
A. mark the incident as Unresolved
B. create a BIOC rule excluding this behavior
C. create an exception to prevent future false positives
D. mark the incident as Resolved – Auto Resolve
Question #: 1
Topic #: 1
Phishing belongs to which of the following MITRE ATT&CK tactics?
A. Initial Access, Persistence
B. Persistence, Command and Control
C. Reconnaissance, Persistence
D. Reconnaissance, Initial Access
Question #: 10
Topic #: 1
When viewing the incident directly, what is the “assigned to” field value of a new Incident that was just reported to Cortex?
A. Pending
B. It is blank
C. Unassigned
D. New
Question #: 80
Topic #: 1
Cortex XDR is deployed in the enterprise and you notice a cobalt strike attack via an ongoing supply chain compromise was prevented on 1 server. What steps can you take to ensure the same protection is extended to all your servers?
A. Enable DLL Protection on all servers but there might be some false positives.
B. Conduct a thorough Endpoint Malware scan.
C. Create IOCs of the malicious files you have found to prevent their execution.
D. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.
Question #: 57
Topic #: 1
A Linux endpoint with a Cortex XDR Pro per Endpoint license and Enhanced Endpoint Data enabled has reported malicious activity, resulting in the creation of a file that you wish to delete. Which action could you take to delete the file?
A. Manually remediate the problem on the endpoint in question.
B. Open X2go from the Cortex XDR console and delete the file via X2go.
C. Initiate Remediate Suggestions to automatically delete the file.
D. Open an NFS connection from the Cortex XDR console and delete the file.
Question #: 12
Topic #: 1
Where would you view the WildFire report in an incident?
A. next to relevant Key Artifacts in the incidents details page
B. under Response –> Action Center
C. under the gear icon –> Agent Audit Logs
D. on the HUB page at apps.paloaltonetworks.com
Question #: 32
Topic #: 1
Cortex XDR Analytics can alert when detecting activity matching which of the following MITRE ATT&CK™ techniques?
A. Exfiltration, Command and Control, Collection
B. Exfiltration, Command and Control, Privilege Escalation
C. Exfiltration, Command and Control, Impact
D. Exfiltration, Command and Control, Lateral Movement
Question #: 15
Topic #: 1
Which type of BIOC rule is currently available in Cortex XDR?
A. Threat Actor
B. Discovery
C. Network
D. Dropper
Question #: 14
Topic #: 1
Which of the following engines in Cortex XDR determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident?
A. Sensor Engine
B. Causality Analysis Engine
C. Log Stitching Engine
D. Causality Chain Engine
Question #: 13
Topic #: 1
What does the following output tell us?
A. There is one low severity incident.
B. Host shpapy_win10 had the most vulnerabilities.
C. There is one informational severity alert.
D. This is an actual output of the Top 10 hosts with the most malware.
Question #: 16
Topic #: 1
In Windows and macOS you need to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. What is one way to add an exception for the signer?
A. In the Restrictions Profile, add the file name and path to the Executable Files allow list.
B. Create a new rule exception and use the signer as the characteristic.
C. Add the signer to the allow list in the malware profile.
D. Add the signer to the allow list under the action center page.
Question #: 36
Topic #: 1
Which statement is true for Application Exploits and Kernel Exploits?
A. The ultimate goal of any exploit is to reach the application.
B. Kernel exploits are easier to prevent than application exploits.
C. The ultimate goal of any exploit is to reach the kernel.
D. Application exploits leverage kernel vulnerability.
Question #: 17
Topic #: 1
As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to download Cobalt Strike on one of your servers. Days later, you learn about a massive ongoing supply chain attack. Using Cortex XDR you recognize that your server was compromised by the attack and that Cortex XDR prevented it. What steps can you take to ensure that the same protection is extended to all your servers?
A. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
B. Enable DLL Protection on all servers but there might be some false positives.
C. Create IOCs of the malicious files you have found to prevent their execution.
D. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.
Question #: 84
Topic #: 1
What motivation do ransomware attackers have for returning access to systems once their victims have paid?
A. Failure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.
B. The ransomware attackers hope to trace the financial trail back and steal more from traditional banking institutions.
C. There is organized crime governance among attackers that requires the return of access to remain in good standing.
D. Nation-states enforce the return of system access through the use of laws and regulation.
Question #: 76
Topic #: 1
In the Cortex XDR console, from which two pages are you able to manually perform the agent upgrade action? (Choose two.)
A. Endpoint Administration
B. Asset Management
C. Action Center
D. Agent Installations
Question #: 69
Topic #: 1
Which of the following represents a common sequence of cyber attack tactics?
A. Actions on the objective >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control
B. Installation >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective
C. Reconnaissance >> Installation >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective
D. Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control >> Actions on the objective
Question #: 67
Topic #: 1
Which function describes the removal of a specific file from its location on a local or removable drive to a protected folder to prevent the file from being executed?
A. Search & destroy
B. Quarantine
C. Isolation
D. Flag for removal
Question #: 66
Topic #: 1
When reaching out to TAC for additional technical support related to a Security Event, what are two critical pieces of information you need to collect from the Agent? (Choose two.)
A. The prevention archive from the alert.
B. The unique agent id.
C. The distribution id of the agent.
D. The agent technical support file.
E. A list of all the current exceptions applied to the agent.
Question #: 72
Topic #: 1
Which search method is supported by File Search and Destroy?
A. File Search and Repair
B. File Seek and Destroy
C. File Search and Destroy
D. File Seek and Repair
Question #: 61
Topic #: 1
In the Cortex XDR management console, scheduled reports can be forwarded to which of the following applications/services?
A. Service Now
B. Slack
C. Salesforce
D. Jira
Question #: 56
Topic #: 1
What is the function of WildFire for Cortex XDR?
A. WildFire runs in the cloud and analyses alert data from the XDR agent to check for behavioural threats.
B. WildFire is the engine that runs on the local agent and determines whether behavioural threats are occurring on the endpoint.
C. WildFire accepts and analyses a sample to provide a verdict.
D. WildFire runs entirely on the agent to quickly analyse samples and provide a verdict.
Question #: 53
Topic #: 1
What is the purpose of the Cortex Data Lake?
A. a local storage facility where your logs and alert data can be aggregated
B. a cloud-based storage facility where your firewall logs are stored
C. the interface between firewalls and the Cortex XDR agents
D. the workspace for your Cortex XDR agents to detonate potential malware files
Question #: 78
Topic #: 1
Under which conditions is Local Analysis invoked to evaluate a file before the file is allowed to run?
A. The endpoint is disconnected or the verdict from WildFire is of a type malware.
B. The endpoint is disconnected or the verdict from WildFire is of a type unknown.
C. The endpoint is disconnected or the verdict from WildFire is of a type grayware.
D. The endpoint is disconnected or the verdict from WildFire is of a type benign.
Question #: 87
Topic #: 1
To stop a network-based attack, any interference with a portion of the attack pattern is enough to prevent it from succeeding. Which statement is correct regarding the Cortex XDR Analytics module?
A. It interferes with the pattern as soon as it is observed on the endpoint.
B. It does not interfere with any portion of the pattern on the endpoint.
C. It does not need to interfere with any portion of the pattern to prevent the attack.
D. It interferes with the pattern as soon as it is observed by the firewall.
Question #: 75
Topic #: 1
Which minimum Cortex XDR agent version is required for Kubernetes Cluster?
A. Cortex XDR 7.4
B. Cortex XDR 5.0
C. Cortex XDR 7.5
D. Cortex XDR 6.1
Question #: 60
Topic #: 1
Which of the following paths will successfully activate Remediation Suggestions?
A. Alerts Table > Right-click on a process node > Remediation Suggestions
B. Incident View > Actions > Remediation Suggestions
C. Causality View > Actions > Remediation Suggestions
D. Alerts Table > Right-click on an alert > Remediation Suggestions
Question #: 52
Topic #: 1
When investigating security events, which feature in Cortex XDR is useful for reverting the changes on the endpoint?
A. Remediation Automation
B. Machine Remediation
C. Automatic Remediation
D. Remediation Suggestions
Question #: 79
Topic #: 1
What is the difference between presets and datasets in XQL?
A. A dataset is a Cortex Data Lake data source only; presets are built-in data sources.
B. A dataset is a database; a preset is a field.
C. A dataset is a built-in or third party source; presets group XDR data fields.
D. A dataset is a third-party data source; presets are built-in data sources.
Question #: 91
Topic #: 1
Can you disable the ability to use the Live Terminal feature in Cortex XDR?
A. Yes, via Agent Settings Profile.
B. No, it is a required feature of the agent.
C. No, a separate installer package without Live Terminal is required.
D. Yes, via the Cortex XDR console or with an installation switch.
Question #: 82
Topic #: 1
What types of actions can you execute with a Live Terminal session?
A. Manage Processes, Manage Files, Run Operating System Commands, Run Python Commands and Scripts
B. Manage Network configurations, Quarantine Files, Run Powershell scripts
C. Apply patches, Reboot System, Send notification for end user, Run Python Commands and Scripts
D. Manage Processes, Manage Files, Run Operating System Commands, Run Ruby Commands and Scripts
Question #: 77
Topic #: 1
Which version of Python is used in Live Terminal?
A. Python 3 with specific XDR Python libraries developed by Palo Alto Networks
B. Python 3 with standard Python libraries
C. Python 2 and 3 with standard Python libraries
D. Python 2 and 3 with specific XDR Python libraries developed by Palo Alto Networks
Question #: 73
Topic #: 1
Which of the following Live Terminal options are available for Android systems?
A. Run Android commands.
B. Live Terminal is not supported.
C. Run APK scripts.
D. Stop an app.
Question #: 37
Topic #: 1
To create a BIOC rule with XQL query you must at a minimum filter on which field in order for it to be a valid BIOC rule?
A. causality_chain
B. endpoint_name
C. threat_event
D. event_type
Question #: 21
Topic #: 1
Where can SHA256 hash values be used in Cortex XDR Malware Protection Profiles?
A. in the macOS Malware Protection Profile to indicate allowed signers
B. in the Linux Malware Protection Profile to indicate allowed Java libraries
C. SHA256 hashes cannot be used in Cortex XDR Malware Protection Profiles
D. in the Windows Malware Protection Profile to indicate allowed executables