PCDRA Practice Questions Free

PCDRA Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills

Preparing for the PCDRA certification exam? Start with this free set of 50 exam-style practice questions on Cortex XDR, selected to test your knowledge and show where you need more study.

Working through practice questions gives you an edge by allowing you to:

  • Understand the exam structure and question formats
  • Discover your strong and weak areas
  • Build the confidence you need for test day success

Below you will find 50 free PCDRA practice questions matched to the real exam in difficulty and topic coverage. They are ideal for self-assessment or final review. Each question lists a suggested answer together with the answer most favored by the community; where the two differ, check the current Cortex XDR documentation before committing an answer to memory.

Question 1

When selecting multiple Incidents at a time, what options are available from the menu when a user right-clicks the incidents? (Choose two.)

A. Assign incidents to an analyst in bulk.

B. Change the status of multiple incidents.

C. Investigate several Incidents at once.

D. Delete the selected Incidents.

Suggested Answer: AB

Community Answer: AB

Question 2

Which function describes the removal of a specific file from its location on a local or removable drive to a protected folder to prevent the file from being executed?

A. Search & destroy

B. Quarantine

C. Isolation

D. Flag for removal

Suggested Answer: B

Community Answer: B

Question 3

With a Cortex XDR Prevent license, which objects are considered to be sensors?

A. Syslog servers

B. Third-Party security devices

C. Cortex XDR agents

D. Palo Alto Networks Next-Generation Firewalls

Suggested Answer: C

Community Answer: C

Question 4

Which statement is true based on the following Agent Auto Upgrade widget?
[Image: Agent Auto Upgrade widget, not reproduced here]

A. There are a total of 689 Up To Date agents.

B. Agent Auto Upgrade was enabled but not on all endpoints.

C. Agent Auto Upgrade has not been enabled.

D. There are more agents in Pending status than In Progress status.

Suggested Answer: B

Community Answer: B

Question 5

Which module provides the best visibility to view vulnerabilities?

A. Device Control Violations

B. Vulnerability Management

C. Host Insights

D. Forensics Insights

Suggested Answer: C

Community Answer: B

Question 6

When is the wss (WebSocket Secure) protocol used?

A. when the Cortex XDR agent downloads new security content

B. when the Cortex XDR agent uploads alert data

C. when the Cortex XDR agent connects to WildFire to upload files for analysis

D. when the Cortex XDR agent establishes a bidirectional communication channel

Suggested Answer: D

Question 7

What is the purpose of the Cortex Data Lake?

A. a local storage facility where your logs and alert data can be aggregated

B. a cloud-based storage facility where your firewall logs are stored

C. the interface between firewalls and the Cortex XDR agents

D. the workspace for your Cortex XDR agents to detonate potential malware files

Suggested Answer: B

Community Answer: B

Question 8

Where can SHA256 hash values be used in Cortex XDR Malware Protection Profiles?

A. in the macOS Malware Protection Profile to indicate allowed signers

B. in the Linux Malware Protection Profile to indicate allowed Java libraries

C. SHA256 hashes cannot be used in Cortex XDR Malware Protection Profiles

D. in the Windows Malware Protection Profile to indicate allowed executables

Suggested Answer: D

Community Answer: C

Question 9

Where would you view the WildFire report in an incident?

A. next to relevant Key Artifacts in the incidents details page

B. under Response –> Action Center

C. under the gear icon –> Agent Audit Logs

D. on the HUB page at apps.paloaltonetworks.com

Suggested Answer: B

Community Answer: A

Question 10

The Cortex XDR console has triggered an incident, blocking a vitally important piece of software in your organization that is known to be benign. Which of the following options would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization?

A. Create an endpoint-specific exception.

B. Create a global inclusion.

C. Create an individual alert exclusion.

D. Create a global exception.

Suggested Answer: D

Community Answer: D

Question 11

When creating a scheduled report, which of the following is not an option?

A. Run weekly on a certain day and time.

B. Run quarterly on a certain day and time.

C. Run monthly on a certain day and time.

D. Run daily at a certain time (selectable hours and minutes).

Suggested Answer: B

Community Answer: B

Question 12

Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack will be neutralized. Which of the following statements is correct?

A. Cortex XDR Analytics allows you to interfere with the pattern as soon as it is observed on the firewall.

B. Cortex XDR Analytics does not interfere with the pattern as soon as it is observed on the endpoint.

C. Cortex XDR Analytics does not have to interfere with the pattern as soon as it is observed on the endpoint in order to prevent the attack.

D. Cortex XDR Analytics allows you to interfere with the pattern as soon as it is observed on the endpoint.

Suggested Answer: A

Community Answer: B

Question 13

While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?

A. mark the incident as Unresolved

B. create a BIOC rule excluding this behavior

C. create an exception to prevent future false positives

D. mark the incident as Resolved – False Positive

Suggested Answer: D

Community Answer: D

Question 14

What is the outcome of creating and implementing an alert exclusion?

A. The Cortex XDR agent will allow the process that was blocked to run on the endpoint.

B. The Cortex XDR console will hide those alerts.

C. The Cortex XDR agent will not create an alert for this event in the future.

D. The Cortex XDR console will delete those alerts and block ingestion of them in the future.

Suggested Answer: B

Community Answer: B

Question 15

After scan, how does file quarantine function work on an endpoint?

A. Quarantine takes ownership of the files and folders and prevents execution through access control.

B. Quarantine disables the network adapters and locks down access preventing any communications with the endpoint.

C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.

D. Quarantine prevents an endpoint from communicating with anything besides the listed exceptions in the agent profile and Cortex XDR.

Suggested Answer: C

Community Answer: C

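The quarantine behaviour that Question 2 and Question 15 describe, as an added example written for this page in Python (it is not Cortex XDR agent code and does not come from the original page): the file is moved out of its original location into a protected vault directory, its SHA256 hash, original path and mode are recorded so it can be restored, and every execute bit is stripped so it cannot run while held. The vault layout, the manifest format and the constructed sample file are this example's own assumptions; it relies on POSIX file modes, so run it on Linux or macOS.

```python
"""Added example (not Cortex XDR code): a minimal file quarantine with restore.

Assumptions made here, not taken from the page: the vault is a directory that
holds each file under its SHA256 hash next to a <hash>.json manifest entry, and
file modes are POSIX (chmod has no execute bit to strip on Windows).
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: Path, vault: Path) -> dict:
    """Move `path` into `vault` under its hash and write a manifest entry.

    Returns the manifest entry. The original absolute path and mode are kept so
    the file can be put back if the verdict is later overturned.
    """
    vault.mkdir(parents=True, exist_ok=True)
    os.chmod(vault, stat.S_IRWXU)  # owner-only vault: nobody else can list or run it
    entry = {
        "sha256": sha256_of(path),
        "original_path": str(path.resolve()),
        "mode": stat.S_IMODE(path.stat().st_mode),
    }
    held = vault / entry["sha256"]
    shutil.move(str(path), str(held))            # file is gone from its original location
    os.chmod(held, stat.S_IRUSR | stat.S_IWUSR)  # owner read/write only, no execute bits
    (vault / f"{entry['sha256']}.json").write_text(json.dumps(entry))
    return entry


def restore(vault: Path, digest: str) -> Path:
    """Put a held file back where it came from, after checking it is unchanged."""
    manifest = vault / f"{digest}.json"
    entry = json.loads(manifest.read_text())
    held = vault / digest
    if sha256_of(held) != digest:
        raise RuntimeError("held file was modified inside the vault; refusing to restore")
    target = Path(entry["original_path"])
    target.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(held), str(target))
    os.chmod(target, entry["mode"])  # original permissions come back with the file
    manifest.unlink()
    return target


def demo() -> dict:
    """Round-trip a constructed sample file through quarantine and restore.

    The sample is a fake executable written here, not real malware. Returns the
    observations as a dict so they can be checked programmatically.
    """
    root = Path(tempfile.mkdtemp(prefix="quarantine-demo-"))
    try:
        sample = root / "Downloads" / "invoice.exe"
        sample.parent.mkdir()
        sample.write_bytes(b"MZ\x90\x00 constructed sample, not a real binary")
        os.chmod(sample, 0o755)

        entry = quarantine(sample, root / "vault")
        held_mode = (root / "vault" / entry["sha256"]).stat().st_mode
        result = {
            "removed_from_origin": not sample.exists(),
            "hash": entry["sha256"],
            "held_is_executable": bool(held_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)),
            "held_is_world_readable": bool(held_mode & stat.S_IROTH),
        }
        restored_to = restore(root / "vault", entry["sha256"])
        result["restored_to_origin"] = restored_to == sample.resolve()
        result["content_intact"] = sample.read_bytes().startswith(b"MZ\x90\x00")
        result["mode_restored"] = stat.S_IMODE(sample.stat().st_mode) == 0o755
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash check in `restore` is the part worth copying: a quarantine folder is a tempting place for an attacker (or a second piece of malware) to swap contents, so never put a held file back without verifying it still matches the digest recorded when it was taken.
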
Question 16

What motivation do ransomware attackers have for returning access to systems once their victims have paid?

A. Failure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.

B. The ransomware attackers hope to trace the financial trail back and steal more from traditional banking institutions.

C. There is organized crime governance among attackers that requires the return of access to remain in good standing.

D. Nation-states enforce the return of system access through the use of laws and regulation.

Suggested Answer: A

Community Answer: A

Question 17

What is the standard installation disk space recommended to install a Broker VM?

A. 1GB disk space

B. 2GB disk space

C. 512GB disk space

D. 256GB disk space

Suggested Answer: C

Community Answer: C

Question 18

Which statement regarding scripts in Cortex XDR is true?

A. Any version of Python script can be run.

B. The level of risk is assigned to the script upon import.

C. Any script can be imported including Visual Basic (VB) scripts.

D. The script is run on the machine uploading the script to ensure that it is operational.

Suggested Answer: A

Community Answer: B

Question 19

Cortex XDR is deployed in the enterprise and you notice that a Cobalt Strike attack delivered through an ongoing supply chain compromise was prevented on one server. What steps can you take to ensure the same protection is extended to all your servers?

A. Enable DLL Protection on all servers but there might be some false positives.

B. Conduct a thorough Endpoint Malware scan.

C. Create IOCs of the malicious files you have found to prevent their execution.

D. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.

Suggested Answer: D

Community Answer: D

Question 20

Which of the following Live Terminal options are available for Android systems?

A. Run Android commands.

B. Live Terminal is not supported.

C. Run APK scripts.

D. Stop an app.

Suggested Answer: B

Community Answer: B

Question 21

In the Cortex XDR management console, scheduled reports can be forwarded to which of the following applications/services?

A. ServiceNow

B. Slack

C. Salesforce

D. Jira

Suggested Answer: B

Community Answer: B

Question 22

Which minimum Cortex XDR agent version is required for a Kubernetes cluster?

A. Cortex XDR 7.4

B. Cortex XDR 5.0

C. Cortex XDR 7.5

D. Cortex XDR 6.1

Suggested Answer: C

Community Answer: C

Question 23

Live Terminal uses which type of protocol to communicate with the agent on the endpoint?

A. NetBIOS over TCP

B. WebSocket

C. UDP and a random port

D. TCP, over port 80

Suggested Answer: B

Community Answer: B

Question 24

Which two types of exception profiles can you create in Cortex XDR? (Choose two.)

A. exception profiles that apply to specific endpoints

B. agent exception profiles that apply to specific endpoints

C. global exception profiles that apply to all endpoints

D. role-based profiles that apply to specific endpoints

Suggested Answer: AC

Community Answer: AC

Question 25

How does Cortex XDR agent for Windows prevent ransomware attacks from compromising the file system?

A. by encrypting the disk first.

B. by utilizing decoy files.

C. by retrieving the encryption key.

D. by patching vulnerable applications.

Suggested Answer: B

Community Answer: B

Question 26

Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?

A. Hash Verdict Determination

B. Behavioral Threat Protection

C. Restriction Policy

D. Child Process Protection

Suggested Answer: B

Community Answer: D

Question 27

Which module provides the best visibility to view vulnerabilities?

A. Live Terminal module

B. Device Control Violations module

C. Host Insights module

D. Forensics module

Suggested Answer: C

Community Answer: C

Question 28

Which Exploit Prevention Module (EPM) provides better entropy for randomization of memory locations?

A. UASLR

B. JIT Mitigation

C. Memory Limit Heap spray check

D. DLL Security

Suggested Answer: A

Community Answer: A

Question 29

What license would be required for ingesting external logs from various vendors?

A. Cortex XDR Pro per Endpoint

B. Cortex XDR Vendor Agnostic Pro

C. Cortex XDR Pro per TB

D. Cortex XDR Cloud per Host

Suggested Answer: C

Community Answer: B

Question 30

An attacker tries to load dynamic libraries on macOS from an unsecure location. Which Cortex XDR module can prevent this attack?

A. DLL Security

B. Hot Patch Protection

C. Kernel Integrity Monitor (KIM)

D. Dylib Hijacking

Suggested Answer: D

Community Answer: D

Question 31

Which search method is supported by File Search and Destroy?

A. File Search and Repair

B. File Seek and Destroy

C. File Search and Destroy

D. File Seek and Repair

Suggested Answer: C

Community Answer: C

Question 32

To stop a network-based attack, any interference with a portion of the attack pattern is enough to prevent it from succeeding. Which statement is correct regarding the Cortex XDR Analytics module?

A. It interferes with the pattern as soon as it is observed on the endpoint.

B. It does not interfere with any portion of the pattern on the endpoint.

C. It does not need to interfere with any portion of the pattern to prevent the attack.

D. It interferes with the pattern as soon as it is observed by the firewall.

Suggested Answer: B

Community Answer: C

Question 33

Which of the following best defines the Windows Registry as used by the Cortex XDR agent?

A. a hierarchical database that stores settings for the operating system and for applications

B. a system of files used by the operating system to commit memory that exceeds the available hardware resources. Also known as the “swap”

C. a central system, available via the internet, for registering officially licensed versions of software to prove ownership

D. a ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system

Suggested Answer: A

Community Answer: A

Question 34

In Windows and macOS you need to prevent the Cortex XDR agent from blocking execution of a file based on its digital signer. What is one way to add an exception for the signer?

A. In the Restrictions Profile, add the file name and path to the Executable Files allow list.

B. Create a new rule exception and use the signer as the characteristic.

C. Add the signer to the allow list in the malware profile.

D. Add the signer to the allow list under the action center page.

Suggested Answer: C

Community Answer: C

Question 35

What should you do to automatically convert leads into alerts after investigating a lead?

A. Lead threats can’t be prevented in the future because they already exist in the environment.

B. Build a search query using Query Builder or XQL using a list of IOCs.

C. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.

D. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.

Suggested Answer: C

Community Answer: D

Question 36

What kind of threat typically encrypts user files?

A. ransomware

B. SQL injection attacks

C. Zero-day exploits

D. supply-chain attacks

Suggested Answer: A

Community Answer: A

Question 37

What kind of malware uses encryption, data theft, denial of service, and possibly harassment to take advantage of a victim?

A. Rootkit

B. Keylogger

C. Ransomware

D. Worm

Suggested Answer: C

Community Answer: C

Question 38

What types of actions can you execute in a Live Terminal session?

A. Manage Processes, Manage Files, Run Operating System Commands, Run Python Commands and Scripts

B. Manage Network configurations, Quarantine Files, Run PowerShell scripts

C. Apply patches, Reboot System, Send notification for end user, Run Python Commands and Scripts

D. Manage Processes, Manage Files, Run Operating System Commands, Run Ruby Commands and Scripts

Suggested Answer: A

Community Answer: A

Question 39

Which statement best describes how Behavioral Threat Protection (BTP) works?

A. BTP injects into known vulnerable processes to detect malicious activity.

B. BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.

C. BTP matches EDR data with rules provided by Cortex XDR.

D. BTP matches the signature with the existing database of malicious files.

Suggested Answer: D

Community Answer: C

Question 40

Which license is required when deploying Cortex XDR agent on Kubernetes Clusters as a DaemonSet?

A. Cortex XDR Pro per TB

B. Host Insights

C. Cortex XDR Pro per Endpoint

D. Cortex XDR Cloud per Host

Suggested Answer: D

Community Answer: D

Question 41

What are two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile? (Choose two.)

A. Automatically close the connections involved in malicious traffic.

B. Automatically kill the processes involved in malicious activity.

C. Automatically terminate the threads involved in malicious activity.

D. Automatically block the IP addresses involved in malicious traffic.

Suggested Answer: AD

Community Answer: AD

Question 42

What is the purpose of the Unit 42 team?

A. Unit 42 is responsible for automation and orchestration of products

B. Unit 42 is responsible for the configuration optimization of the Cortex XDR server

C. Unit 42 is responsible for threat research, malware analysis and threat hunting

D. Unit 42 is responsible for the rapid deployment of Cortex XDR agents

Suggested Answer: C

Community Answer: C

Question 43

What is an example of an attack vector for ransomware?

A. A URL filtering feature enabled on a firewall

B. Phishing emails containing malicious attachments

C. Performing DNS queries for suspicious domains

D. Performing SSL Decryption on an endpoint

Suggested Answer: B

Community Answer: B

Question 44

Which type of IOC can you define in Cortex XDR?

A. Source port

B. Destination IP Address

C. Destination IP Address:Destination

D. Source IP Address

Suggested Answer: B

Community Answer: B

Question 45

Which engine, of the following, in Cortex XDR determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident?

A. Sensor Engine

B. Causality Analysis Engine

C. Log Stitching Engine

D. Causality Chain Engine

Suggested Answer: B

Community Answer: B

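An added illustration of what Question 45 describes, with the automatic resolution from Question 13 folded in. This is example Python written for this page, not the Cortex XDR engine or any of its code: alerts that share a key artifact are joined into one incident (connected components over alert-to-artifact links), the artifacts shared by more than one alert are reported as the incident's key artifacts, and an incident whose alerts are all covered by an exclusion is resolved as a false positive. The alert fields, the artifact types used as link keys, the exclusion format and the sample alerts are all constructed for the example.

```python
"""Added example (not Cortex XDR code): group alerts into incidents by shared
artifacts and auto-resolve incidents whose alerts are all excluded.

Everything below is constructed for the example: the alert records, the
artifact types used as link keys, and the exclusion format.
"""
from collections import Counter, defaultdict

# Only high-cardinality artifacts are allowed to link alerts. Linking on a
# generic process name such as "cmd.exe" would chain unrelated alerts from
# every host in the estate into one giant incident.
LINK_TYPES = {"host", "sha256", "ip"}

# Constructed sample alerts, not real telemetry. Artifacts are (type, value).
ALERTS = [
    {"id": 1, "name": "Suspicious PowerShell encoded command",
     "artifacts": {("host", "WS-01"), ("sha256", "aa11"), ("process", "powershell.exe")}},
    {"id": 2, "name": "Connection to known C2 address",
     "artifacts": {("host", "WS-01"), ("ip", "203.0.113.9")}},
    {"id": 3, "name": "LSASS memory access",
     "artifacts": {("host", "DC-01"), ("sha256", "bb22"), ("process", "procdump.exe")}},
    {"id": 4, "name": "Connection to known C2 address",
     "artifacts": {("host", "DC-01"), ("ip", "203.0.113.9")}},
    {"id": 5, "name": "Office macro spawned shell",
     "artifacts": {("host", "WS-07"), ("process", "cmd.exe")}},
]

# Constructed alert exclusions: an alert matches when its name equals
# alert_name and, if a host is given, it carries that host artifact.
EXCLUSIONS = [
    {"alert_name": "Office macro spawned shell", "host": "WS-07"},
]


def is_excluded(alert: dict, exclusions: list) -> bool:
    """True when some exclusion rule covers this alert."""
    for rule in exclusions:
        if rule["alert_name"] != alert["name"]:
            continue
        if "host" in rule and ("host", rule["host"]) not in alert["artifacts"]:
            continue
        return True
    return False


def build_incidents(alerts: list, exclusions: list) -> list:
    """Return incidents: connected components of alerts linked by shared artifacts."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # artifact -> id of the first alert that carried it
    for alert in alerts:
        for artifact in alert["artifacts"]:
            if artifact[0] not in LINK_TYPES:
                continue
            if artifact in first_seen:
                union(first_seen[artifact], alert["id"])
            else:
                first_seen[artifact] = alert["id"]

    groups = defaultdict(list)
    for alert in alerts:
        groups[find(alert["id"])].append(alert)

    incidents = []
    for n, members in enumerate(sorted(groups.values(), key=lambda m: m[0]["id"]), start=1):
        counts = Counter(art for a in members for art in a["artifacts"])
        # Key artifacts are the ones that tie the alerts together. A one-alert
        # incident shares nothing, so fall back to its link-type artifacts.
        shared = sorted(art for art, c in counts.items() if c > 1)
        key_artifacts = shared or sorted(art for art in counts if art[0] in LINK_TYPES)
        all_excluded = all(is_excluded(a, exclusions) for a in members)
        incidents.append({
            "id": n,
            "alert_ids": [a["id"] for a in members],
            "key_artifacts": key_artifacts,
            # Every alert excluded leaves nothing to work, so close it automatically.
            "status": "Resolved - False Positive" if all_excluded else "New",
        })
    return incidents


if __name__ == "__main__":
    for incident in build_incidents(ALERTS, EXCLUSIONS):
        print(incident)
```

On the sample data, alerts 1 through 4 collapse into one incident (WS-01 links 1 and 2, the C2 address links 2 and 4, DC-01 links 3 and 4) while the excluded macro alert on WS-07 becomes a second incident that is closed as a false positive without an analyst touching it. The choice of `LINK_TYPES` is the knob that matters in practice: too permissive and everything merges, too strict and a multi-host intrusion is scattered across many incidents.
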
Question 46

Which type of BIOC rule is currently available in Cortex XDR?

A. Threat Actor

B. Discovery

C. Network

D. Dropper

Suggested Answer: D

Community Answer: D

Question 47

When reaching out to TAC for additional technical support related to a security event, what are two critical pieces of information you need to collect from the agent? (Choose two.)

A. The prevention archive from the alert.

B. The unique agent id.

C. The distribution id of the agent.

D. The agent technical support file.

E. A list of all the current exceptions applied to the agent.

Suggested Answer: BD

Community Answer: AD

Question 48

Which built-in dashboard would be the best option for an executive, if they were looking for the Mean Time to Resolution (MTTR) metric?

A. Security Manager Dashboard

B. Data Ingestion Dashboard

C. Security Admin Dashboard

D. Incident Management Dashboard

Suggested Answer: A

Community Answer: C

Question 49

What is the maximum number of agents one Broker VM local agent applet can support?

A. 10,000

B. 15,000

C. 5,000

D. 20,000

Suggested Answer: C

Community Answer: C

Question 50

What contains a logical schema in an XQL query?

A. Field

B. Bin

C. Dataset

D. Arrayexpand

Suggested Answer: C

Community Answer: C

Free Access Full PCDRA Practice Questions Free

Want more hands-on practice? Click here to access the full bank of PCDRA practice questions free and reinforce your understanding of all exam objectives.

We update our question sets regularly, so check back often for new and relevant content.

Good luck with your PCDRA certification journey!
