PCDRA Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.
Looking for a reliable way to prepare for your PCDRA certification? Our PCDRA Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.
Using a PCDRA dump free set of questions can give you an edge in your exam prep by helping you:
- Understand the format and types of questions you’ll face
- Pinpoint weak areas and focus your study efforts
- Boost your confidence with realistic question practice
Below, you will find 50 free questions from our PCDRA Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.
Which statement regarding scripts in Cortex XDR is true?
A. Any version of Python script can be run.
B. The level of risk is assigned to the script upon import.
C. Any script can be imported including Visual Basic (VB) scripts.
D. The script is run on the machine uploading the script to ensure that it is operational.
Why would one threaten to encrypt a hypervisor or, potentially, multiple virtual machines running on a server?
A. To extort a payment from a victim or potentially embarrass the owners.
B. To gain notoriety and potentially a consulting position.
C. To better understand the underlying virtual infrastructure.
D. To potentially perform a Distributed Denial of Service attack.
To stop a network-based attack, any interference with a portion of the attack pattern is enough to prevent it from succeeding. Which statement is correct regarding the Cortex XDR Analytics module?
A. It interferes with the pattern as soon as it is observed on the endpoint.
B. It does not interfere with any portion of the pattern on the endpoint.
C. It does not need to interfere with any portion of the pattern to prevent the attack.
D. It interferes with the pattern as soon as it is observed by the firewall.
Which two types of exception profiles can you create in Cortex XDR? (Choose two.)
A. exception profiles that apply to specific endpoints
B. agent exception profiles that apply to specific endpoints
C. global exception profiles that apply to all endpoints
D. role-based profiles that apply to specific endpoints
In incident-related widgets, how would you filter the display to only show incidents that were “starred”?
A. Create a custom XQL widget
B. This is not currently supported
C. Create a custom report and filter on starred incidents
D. Click the star in the widget
Which type of IOC can you define in Cortex XDR?
A. Source port
B. Destination IP Address
C. Destination IP Address:Destination
D. Source IP Address
When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?
A. Click the three dots on the widget and then choose “Save” and this will link the query to the Widget Library.
B. This isn’t supported, you have to exit the dashboard and go into the Widget Library first to create it.
C. Click on “Save to Action Center” in the dashboard and you will be prompted to give the query a name and description.
D. Click on “Save to Widget Library” in the dashboard and you will be prompted to give the query a name and description.
Which function describes the removal of a specific file from its location on a local or removable drive to a protected folder to prevent the file from being executed?
A. Search & destroy
B. Quarantine
C. Isolation
D. Flag for removal
With a Cortex XDR Prevent license, which objects are considered to be sensors?
A. Syslog servers
B. Third-Party security devices
C. Cortex XDR agents
D. Palo Alto Networks Next-Generation Firewalls
When reaching out to TAC for additional technical support related to a Security Event, what are two critical pieces of information you need to collect from the Agent? (Choose two.)
A. The prevention archive from the alert.
B. The unique agent id.
C. The distribution id of the agent.
D. The agent technical support file.
E. A list of all the current exceptions applied to the agent.
What should you do to automatically convert leads into alerts after investigating a lead?
A. Lead threats can’t be prevented in the future because they already exist in the environment.
B. Build a search query using Query Builder or XQL using a list of IOCs.
C. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
D. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
Which type of BIOC rule is currently available in Cortex XDR?
A. Threat Actor
B. Discovery
C. Network
D. Dropper
What is the difference between presets and datasets in XQL?
A. A dataset is a Cortex Data Lake data source only; presets are built-in data sources.
B. A dataset is a database; presets are fields.
C. A dataset is a built-in or third-party source; presets group XDR data fields.
D. A dataset is a third-party data source; presets are built-in data sources.
To create a BIOC rule with an XQL query, you must at a minimum filter on which field in order for it to be a valid BIOC rule?
A. causality_chain
B. endpoint_name
C. threat_event
D. event_type
Which of the following represents a common sequence of cyber attack tactics?
A. Actions on the objective >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control
B. Installation >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective
C. Reconnaissance >> Installation >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective
D. Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control >> Actions on the objective
Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?
A. Hash Verdict Determination
B. Behavioral Threat Protection
C. Restriction Policy
D. Child Process Protection
Which of the following best defines the Windows Registry as used by the Cortex XDR agent?
A. a hierarchical database that stores settings for the operating system and for applications
B. a system of files used by the operating system to commit memory that exceeds the available hardware resources. Also known as the “swap”
C. a central system, available via the internet, for registering officially licensed versions of software to prove ownership
D. a ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system
An attacker tries to load dynamic libraries on macOS from an insecure location. Which Cortex XDR module can prevent this attack?
A. DLL Security
B. Hot Patch Protection
C. Kernel Integrity Monitor (KIM)
D. Dylib Hijacking
When is the wss (WebSocket Secure) protocol used?
A. when the Cortex XDR agent downloads new security content
B. when the Cortex XDR agent uploads alert data
C. when the Cortex XDR agent connects to WildFire to upload files for analysis
D. when the Cortex XDR agent establishes a bidirectional communication channel
Cortex XDR Analytics can alert when detecting activity matching which of the following MITRE ATT&CK™ techniques?
A. Exfiltration, Command and Control, Collection
B. Exfiltration, Command and Control, Privilege Escalation
C. Exfiltration, Command and Control, Impact
D. Exfiltration, Command and Control, Lateral Movement
Which Exploit Prevention Module (EPM) provides better entropy for randomization of memory locations?
A. UASLR
B. JIT Mitigation
C. Memory Limit Heap spray check
D. DLL Security
Which type of IOC can you define in Cortex XDR?
A. destination port
B. e-mail address
C. full path
D. App-ID
If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?
A. Broker VM Pathfinder
B. Local Agent Proxy
C. Local Agent Installer and Content Caching
D. Broker VM Syslog Collector
Where can SHA256 hash values be used in Cortex XDR Malware Protection Profiles?
A. in the macOS Malware Protection Profile to indicate allowed signers
B. in the Linux Malware Protection Profile to indicate allowed Java libraries
C. SHA256 hashes cannot be used in Cortex XDR Malware Protection Profiles
D. in the Windows Malware Protection Profile to indicate allowed executables
What functionality of the Broker VM would you use to ingest third-party firewall logs to the Cortex Data Lake?
A. Netflow Collector
B. Syslog Collector
C. DB Collector
D. Pathfinder
Which statement is true for Application Exploits and Kernel Exploits?
A. The ultimate goal of any exploit is to reach the application.
B. Kernel exploits are easier to prevent than application exploits.
C. The ultimate goal of any exploit is to reach the kernel.
D. Application exploits leverage kernel vulnerability.
When selecting multiple Incidents at a time, what options are available from the menu when a user right-clicks the incidents? (Choose two.)
A. Assign incidents to an analyst in bulk.
B. Change the status of multiple incidents.
C. Investigate several Incidents at once.
D. Delete the selected Incidents.
After a scan, how does the file quarantine function work on an endpoint?
A. Quarantine takes ownership of the files and folders and prevents execution through access control.
B. Quarantine disables the network adapters and locks down access preventing any communications with the endpoint.
C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.
D. Quarantine prevents an endpoint from communicating with anything besides the listed exceptions in the agent profile and Cortex XDR.
Which of the following represents the correct relation of alerts to incidents?
A. Only alerts with the same host are grouped together into one Incident in a given time frame.
B. Alerts that occur within a three-hour time frame are grouped together into one Incident.
C. Alerts with same causality chains that occur within a given time frame are grouped together into an Incident.
D. Every alert creates a new Incident.
What is an example of an attack vector for ransomware?
A. A URL filtering feature enabled on a firewall
B. Phishing emails containing malicious attachments
C. Performing DNS queries for suspicious domains
D. Performing SSL Decryption on an endpoint
Which of the following engines in Cortex XDR determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident?
A. Sensor Engine
B. Causality Analysis Engine
C. Log Stitching Engine
D. Causality Chain Engine
What is the purpose of the Unit 42 team?
A. Unit 42 is responsible for automation and orchestration of products
B. Unit 42 is responsible for the configuration optimization of the Cortex XDR server
C. Unit 42 is responsible for threat research, malware analysis and threat hunting
D. Unit 42 is responsible for the rapid deployment of Cortex XDR agents
Which of the following Live Terminal options are available for Android systems?
A. Run Android commands.
B. Live Terminal is not supported.
C. Run APK scripts.
D. Stop an app.
Which statement is true based on the following Agent Auto Upgrade widget?
A. There are a total of 689 Up To Date agents.
B. Agent Auto Upgrade was enabled but not on all endpoints.
C. Agent Auto Upgrade has not been enabled.
D. There are more agents in Pending status than In Progress status.
What contains a logical schema in an XQL query?
A. Field
B. Bin
C. Dataset
D. Arrayexpand
In Windows and macOS you need to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. What is one way to add an exception for the signer?
A. In the Restrictions Profile, add the file name and path to the Executable Files allow list.
B. Create a new rule exception and use the signer as the characteristic.
C. Add the signer to the allow list in the malware profile.
D. Add the signer to the allow list under the action center page.
While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?
A. mark the incident as Unresolved
B. create a BIOC rule excluding this behavior
C. create an exception to prevent future false positives
D. mark the incident as Resolved – Auto Resolve
Which module provides the best visibility to view vulnerabilities?
A. Device Control Violations
B. Vulnerability Management
C. Host Insights
D. Forensics Insights
Which of the following is an example of a successful exploit?
A. connecting unknown media to an endpoint that copied malware due to Autorun.
B. a user executing code which takes advantage of a vulnerability on a local service.
C. identifying vulnerable services on a server.
D. executing a process executable for well-known and signed software.
You can star security events in which two ways? (Choose two.)
A. Create an alert-starring configuration.
B. Create an Incident-starring configuration.
C. Manually star an alert.
D. Manually star an Incident.
While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?
A. mark the incident as Unresolved
B. create a BIOC rule excluding this behavior
C. create an exception to prevent future false positives
D. mark the incident as Resolved – False Positive
Which statement best describes how Behavioral Threat Protection (BTP) works?
A. BTP injects into known vulnerable processes to detect malicious activity.
B. BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.
C. BTP matches EDR data with rules provided by Cortex XDR.
D. BTP uses machine Learning to recognize malicious activity even if it is not known.
Under which conditions is Local Analysis invoked to evaluate a file before the file is allowed to run?
A. The endpoint is disconnected or the verdict from WildFire is of a type malware.
B. The endpoint is disconnected or the verdict from WildFire is of a type unknown.
C. The endpoint is disconnected or the verdict from WildFire is of a type grayware.
D. The endpoint is disconnected or the verdict from WildFire is of a type benign.
What are two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile? (Choose two.)
A. Automatically close the connections involved in malicious traffic.
B. Automatically kill the processes involved in malicious activity.
C. Automatically terminate the threads involved in malicious activity.
D. Automatically block the IP addresses involved in malicious traffic.
In the deployment of which Broker VM applet are you required to install a strong cipher SHA256-based SSL certificate?
A. Agent Proxy
B. Agent Installer and Content Caching
C. Syslog Collector
D. CSV Collector
Where would you view the WildFire report in an incident?
A. next to relevant Key Artifacts in the incidents details page
B. under Response -> Action Center
C. under the gear icon -> Agent Audit Logs
D. on the HUB page at apps.paloaltonetworks.com
What does the following output tell us?
A. There is one low severity incident.
B. Host shpapy_win10 had the most vulnerabilities.
C. There is one informational severity alert.
D. This is an actual output of the Top 10 hosts with the most malware.
Phishing belongs to which of the following MITRE ATT&CK tactics?
A. Initial Access, Persistence
B. Persistence, Command and Control
C. Reconnaissance, Persistence
D. Reconnaissance, Initial Access
Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?
A. Find the Malware profile attached to the endpoint, Under Portable Executable and DLL Examination add the hash to the allow list.
B. From the rules menu select new exception, fill out the criteria, choose the scope to apply it to, hit save.
C. Find the exceptions profile attached to the endpoint, under process exceptions select local analysis, paste the hash and save.
D. In the Action Center, choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.
When using the “File Search and Destroy” feature, which of the following search hash types is supported?
A. SHA256 hash of the file
B. AES256 hash of the file
C. MD5 hash of the file
D. SHA1 hash of the file
Access Full PCDRA Dump Free
Looking for even more practice questions? Click here to access the complete PCDRA Dump Free collection, offering hundreds of questions across all exam objectives.
We regularly update our content to ensure accuracy and relevance—so be sure to check back for new material.
Begin your certification journey today with our PCDRA dump free questions — and get one step closer to exam success!