pcdra-topic-2
Question #: 45
Topic #: 1
Which profiles can the user use to configure malware protection in the Cortex XDR console?
A. Malware Protection profile
B. Malware profile
C. Malware Detection profile
D. Anti-Malware profile
Question #: 44
Topic #: 1
Which two types of exception profiles can you create in Cortex XDR? (Choose two.)
A. exception profiles that apply to specific endpoints
B. agent exception profiles that apply to specific endpoints
C. global exception profiles that apply to all endpoints
D. role-based profiles that apply to specific endpoints
Question #: 26
Topic #: 1
With a Cortex XDR Prevent license, which objects are considered to be sensors?
A. Syslog servers
B. Third-Party security devices
C. Cortex XDR agents
D. Palo Alto Networks Next-Generation Firewalls
Question #: 19
Topic #: 1
What is the purpose of targeting software vendors in a supply-chain attack?
A. to take advantage of a trusted software delivery method.
B. to steal users’ login credentials.
C. to access source code.
D. to report Zero-day vulnerabilities.
Question #: 18
Topic #: 1
Which statement is true based on the following Agent Auto Upgrade widget?
A. There are a total of 689 Up To Date agents.
B. Agent Auto Upgrade was enabled but not on all endpoints.
C. Agent Auto Upgrade has not been enabled.
D. There are more agents in Pending status than In Progress status.
Question #: 49
Topic #: 1
You can star security events in which two ways? (Choose two.)
A. Create an alert-starring configuration.
B. Create an Incident-starring configuration.
C. Manually star an alert.
D. Manually star an Incident.
Question #: 43
Topic #: 1
After a scan, how does the file quarantine function work on an endpoint?
A. Quarantine takes ownership of the files and folders and prevents execution through access control.
B. Quarantine disables the network adapters and locks down access preventing any communications with the endpoint.
C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.
D. Quarantine prevents an endpoint from communicating with anything besides the listed exceptions in the agent profile and Cortex XDR.
Question #: 29
Topic #: 1
When using the “File Search and Destroy” feature, which of the following hash types is supported for the search?
A. SHA256 hash of the file
B. AES256 hash of the file
C. MD5 hash of the file
D. SHA1 hash of the file
Question #: 23
Topic #: 1
What functionality of the Broker VM would you use to ingest third-party firewall logs into the Cortex Data Lake?
A. Netflow Collector
B. Syslog Collector
C. DB Collector
D. Pathfinder
Question #: 47
Topic #: 1
Which of the following is NOT a precanned script provided by Palo Alto Networks?
A. delete_file
B. quarantine_file
C. process_kill_name
D. list_directories
Question #: 46
Topic #: 1
Which module provides the best visibility to view vulnerabilities?
A. Live Terminal module
B. Device Control Violations module
C. Host Insights module
D. Forensics module
Question #: 42
Topic #: 1
Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack will be neutralized. Which of the following statements is correct?
A. Cortex XDR Analytics allows you to interfere with the pattern as soon as it is observed on the firewall.
B. Cortex XDR Analytics does not interfere with the pattern as soon as it is observed on the endpoint.
C. Cortex XDR Analytics does not have to interfere with the pattern as soon as it is observed on the endpoint in order to prevent the attack.
D. Cortex XDR Analytics allows you to interfere with the pattern as soon as it is observed on the endpoint.
Question #: 41
Topic #: 1
While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?
A. mark the incident as Unresolved
B. create a BIOC rule excluding this behavior
C. create an exception to prevent future false positives
D. mark the incident as Resolved – False Positive
Question #: 40
Topic #: 1
Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?
A. Hash Verdict Determination
B. Behavioral Threat Protection
C. Restriction Policy
D. Child Process Protection
Question #: 39
Topic #: 1
Which of the following represents the correct relation of alerts to incidents?
A. Only alerts with the same host are grouped together into one Incident in a given time frame.
B. Alerts that occur within a three hour time frame are grouped together into one Incident.
C. Alerts with same causality chains that occur within a given time frame are grouped together into an Incident.
D. Every alert creates a new Incident.
Question #: 62
Topic #: 1
Which type of IOC can you define in Cortex XDR?
A. Source port
B. Destination IP Address
C. Destination IP Address:Destination
D. Source IP Address
Question #: 68
Topic #: 1
What is the maximum number of agents one Broker VM local agent applet can support?
A. 10,000
B. 15,000
C. 5,000
D. 20,000
Question #: 70
Topic #: 1
Which Exploit Protection Module (EPM) can be used to prevent attacks based on OS function?
A. Memory Limit Heap Spray Check
B. DLL Security
C. UASLR
D. JIT Mitigation
Question #: 71
Topic #: 1
Which statement is correct based on the report output below?
A. Forensic inventory data collection is enabled.
B. 133 agents have full disk encryption.
C. 3,297 total incidents have been detected.
D. Host Inventory Data Collection is enabled.
Question #: 35
Topic #: 1
What is the outcome of creating and implementing an alert exclusion?
A. The Cortex XDR agent will allow the process that was blocked to run on the endpoint.
B. The Cortex XDR console will hide those alerts.
C. The Cortex XDR agent will not create an alert for this event in the future.
D. The Cortex XDR console will delete those alerts and block ingestion of them in the future.
Question #: 34
Topic #: 1
A file is identified as malware by the Local Analysis module, whereas the WildFire verdict is Benign. Assuming WildFire is accurate, which statement is correct for the incident?
A. It is true positive.
B. It is false positive.
C. It is a false negative.
D. It is true negative.
Question #: 33
Topic #: 1
When selecting multiple Incidents at a time, what options are available from the menu when a user right-clicks the incidents? (Choose two.)
A. Assign incidents to an analyst in bulk.
B. Change the status of multiple incidents.
C. Investigate several Incidents at once.
D. Delete the selected Incidents.
Question #: 31
Topic #: 1
What is by far the most common tactic used by ransomware to shut down a victim’s operation?
A. preventing the victim from being able to access APIs to cripple infrastructure
B. denying traffic out of the victim’s network until payment is received
C. restricting access to administrative accounts to the victim
D. encrypting certain files to prevent access by the victim
Question #: 30
Topic #: 1
If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?
A. Broker VM Pathfinder
B. Local Agent Proxy
C. Local Agent Installer and Content Caching
D. Broker VM Syslog Collector
Question #: 27
Topic #: 1
Which license is required when deploying Cortex XDR agent on Kubernetes Clusters as a DaemonSet?
A. Cortex XDR Pro per TB
B. Host Insights
C. Cortex XDR Pro per Endpoint
D. Cortex XDR Cloud per Host
Question #: 20
Topic #: 1
What is the standard installation disk space recommended to install a Broker VM?
A. 1GB disk space
B. 2GB disk space
C. 512GB disk space
D. 256GB disk space
Question #: 11
Topic #: 1
In incident-related widgets, how would you filter the display to only show incidents that were “starred”?
A. Create a custom XQL widget
B. This is not currently supported
C. Create a custom report and filter on starred incidents
D. Click the star in the widget
Question #: 9
Topic #: 1
Which Type of IOC can you define in Cortex XDR?
A. destination port
B. e-mail address
C. full path
D. App-ID
Question #: 7
Topic #: 1
An attacker tries to load dynamic libraries on macOS from an insecure location. Which Cortex XDR module can prevent this attack?
A. DLL Security
B. Hot Patch Protection
C. Kernel Integrity Monitor (KIM)
D. Dylib Hijacking
Question #: 6
Topic #: 1
What license would be required for ingesting external logs from various vendors?
A. Cortex XDR Pro per Endpoint
B. Cortex XDR Vendor Agnostic Pro
C. Cortex XDR Pro per TB
D. Cortex XDR Cloud per Host
Question #: 5
Topic #: 1
When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?
A. Click the three dots on the widget and then choose “Save” and this will link the query to the Widget Library.
B. This isn’t supported, you have to exit the dashboard and go into the Widget Library first to create it.
C. Click on “Save to Action Center” in the dashboard and you will be prompted to give the query a name and description.
D. Click on “Save to Widget Library” in the dashboard and you will be prompted to give the query a name and description.
Question #: 3
Topic #: 1
Which built-in dashboard would be the best option for an executive, if they were looking for the Mean Time to Resolution (MTTR) metric?
A. Security Manager Dashboard
B. Data Ingestion Dashboard
C. Security Admin Dashboard
D. Incident Management Dashboard
Question #: 74
Topic #: 1
What contains a logical schema in an XQL query?
A. Field
B. Bin
C. Dataset
D. Arrayexpand
Question #: 65
Topic #: 1
What should you do to automatically convert leads into alerts after investigating a lead?
A. Lead threats can’t be prevented in the future because they already exist in the environment.
B. Build a search query using Query Builder or XQL using a list of IOCs.
C. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
D. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
Question #: 50
Topic #: 1
Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?
A. Find the Malware profile attached to the endpoint; under Portable Executable and DLL Examination, add the hash to the allow list.
B. From the rules menu select new exception, fill out the criteria, choose the scope to apply it to, hit save.
C. Find the exceptions profile attached to the endpoint, under process exceptions select local analysis, paste the hash and save.
D. In the Action Center, choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.
Question #: 2
Topic #: 1
When creating a BIOC rule, which XQL query can be used?
A. dataset = xdr_data
   | filter event_sub_type = PROCESS_START and
     action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
B. dataset = xdr_data
   | filter event_type = PROCESS and
     event_sub_type = PROCESS_START and
     action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
C. dataset = xdr_data
   | filter action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
   | fields action_process_image
D. dataset = xdr_data
   | filter event_behavior = true
     event_sub_type = PROCESS_START and
     action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
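The queries above all hinge on the same regular expression, which flags a process image whose name carries a document extension followed by ".exe" (a classic double-extension lure such as "invoice.pdf.exe"). The following Python is an added illustration, not Cortex XDR code and not part of the original question: it applies the page's regex and the event_type / event_sub_type filter from option B to a handful of constructed sample records that use the xdr_data field names shown in the query, so you can see which records such a BIOC rule would and would not fire on. The sample events and the helper names are assumptions made for this example.

```python
import re

# The regex exactly as written in the XQL options above. Note that it is
# unanchored at both ends: "a.pdf.exe.tmp" also matches, and because the
# character classes are lowercase the match is case-sensitive.
DOUBLE_EXT_RE = re.compile(r".*?\.(?:pdf|docx)\.exe")

# Constructed sample events shaped like xdr_data process records (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "invoice.pdf.exe"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "report.docx.exe"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "winword.exe"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "AcroRd32.exe"},
    # File event, not a process start: excluded by the event_type/event_sub_type filter.
    {"event_type": "FILE", "event_sub_type": "FILE_CREATE",
     "action_process_image_name": "payload.pdf.exe"},
    # Process stop of a mixed-case lure: excluded both by sub type and by case.
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_STOP",
     "action_process_image_name": "Invoice.PDF.EXE"},
]


def matches_bioc(event, pattern=DOUBLE_EXT_RE):
    """Mirror option B: event_type = PROCESS and event_sub_type = PROCESS_START
    and action_process_image_name ~= <regex>. Returns True/False."""
    return bool(
        event.get("event_type") == "PROCESS"
        and event.get("event_sub_type") == "PROCESS_START"
        and pattern.search(event.get("action_process_image_name", "")) is not None
    )


def find_double_extension_starts(events, pattern=DOUBLE_EXT_RE):
    """Return the image names of all process-start events the rule would flag."""
    return [e["action_process_image_name"] for e in events if matches_bioc(e, pattern)]


if __name__ == "__main__":
    for name in find_double_extension_starts(SAMPLE_EVENTS):
        print("would alert on:", name)
    # A case-insensitive variant catches "Invoice.PDF.EXE" style lures as well;
    # whether to widen the rule that way is a tuning decision for the analyst.
    relaxed = re.compile(DOUBLE_EXT_RE.pattern, re.IGNORECASE)
    print("case-insensitive hits:", find_double_extension_starts(SAMPLE_EVENTS, relaxed))
```

The two excluded records show why option B carries both the event_type and event_sub_type conditions: without them a file-create or process-stop record containing a matching name would also satisfy the regex, and the rule would fire on events that are not process launches.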
Question #: 4
Topic #: 1
What are two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile? (Choose two.)
A. Automatically close the connections involved in malicious traffic.
B. Automatically kill the processes involved in malicious activity.
C. Automatically terminate the threads involved in malicious activity.
D. Automatically block the IP addresses involved in malicious traffic.
Question #: 28
Topic #: 1
What kind of threat typically encrypts user files?
A. ransomware
B. SQL injection attacks
C. Zero-day exploits
D. supply-chain attacks
Question #: 8
Topic #: 1
What is the purpose of the Unit 42 team?
A. Unit 42 is responsible for automation and orchestration of products
B. Unit 42 is responsible for the configuration optimization of the Cortex XDR server
C. Unit 42 is responsible for threat research, malware analysis and threat hunting
D. Unit 42 is responsible for the rapid deployment of Cortex XDR agents
Question #: 22
Topic #: 1
How does Cortex XDR agent for Windows prevent ransomware attacks from compromising the file system?
A. by encrypting the disk first.
B. by utilizing decoy Files.
C. by retrieving the encryption key.
D. by patching vulnerable applications.
Question #: 25
Topic #: 1
When is the wss (WebSocket Secure) protocol used?
A. when the Cortex XDR agent downloads new security content
B. when the Cortex XDR agent uploads alert data
C. when the Cortex XDR agent connects to WildFire to upload files for analysis
D. when the Cortex XDR agent establishes a bidirectional communication channel
Question #: 24
Topic #: 1
In the deployment of which Broker VM applet are you required to install a strong cipher SHA256-based SSL certificate?
A. Agent Proxy
B. Agent Installer and Content Caching
C. Syslog Collector
D. CSV Collector