PCDRA Exam Prep Free

PCDRA Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day

Getting ready for the PCDRA certification? Our PCDRA Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.

Effective PCDRA exam prep free is the key to success. With our free practice questions, you can:

  • Get familiar with exam format and question style
  • Identify which topics you’ve mastered—and which need more review
  • Boost your confidence and reduce exam anxiety

Below, you will find 50 realistic PCDRA Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.

Question 1

Under which conditions is Local Analysis invoked to evaluate a file before the file is allowed to run?

A. The endpoint is disconnected or the verdict from WildFire is of a type malware.

B. The endpoint is disconnected or the verdict from WildFire is of a type unknown.

C. The endpoint is disconnected or the verdict from WildFire is of a type grayware.

D. The endpoint is disconnected or the verdict from WildFire is of a type benign.

Suggested Answer: B

Community Answer: B

Question 2

The Cortex XDR console has triggered an incident, blocking a vitally important piece of software in your organization that is known to be benign. Which of the following options would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization?

A. Create an endpoint-specific exception.

B. Create a global inclusion.

C. Create an individual alert exclusion.

D. Create a global exception.

Suggested Answer: D

Community Answer: D

Question 3

What license would be required for ingesting external logs from various vendors?

A. Cortex XDR Pro per Endpoint

B. Cortex XDR Vendor Agnostic Pro

C. Cortex XDR Pro per TB

D. Cortex XDR Cloud per Host

Suggested Answer: C

Community Answer: B

Question 4

When creating a scheduled report, which of the following is not an option?

A. Run weekly on a certain day and time.

B. Run quarterly on a certain day and time.

C. Run monthly on a certain day and time.

D. Run daily at a certain time (selectable hours and minutes).

Suggested Answer: B

Community Answer: B

Question 5

When reaching out to TAC for additional technical support related to a Security Event, what are two critical pieces of information you need to collect from the Agent? (Choose two.)

A. The prevention archive from the alert.

B. The unique agent id.

C. The distribution id of the agent.

D. The agent technical support file.

E. A list of all the current exceptions applied to the agent.

Suggested Answer: BD

Community Answer: AD

Question 6

Which of the following best defines the Windows Registry as used by the Cortex XDR agent?

A. a hierarchical database that stores settings for the operating system and for applications

B. a system of files used by the operating system to commit memory that exceeds the available hardware resources. Also known as the “swap”

C. a central system, available via the internet, for registering officially licensed versions of software to prove ownership

D. a ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system

Suggested Answer: A

Community Answer: A

Question 7

In the deployment of which Broker VM applet are you required to install a strong cipher SHA256-based SSL certificate?

A. Agent Proxy

B. Agent Installer and Content Caching

C. Syslog Collector

D. CSV Collector

Suggested Answer: B

Community Answer: A

Question 8

Which of the following paths will successfully activate Remediation Suggestions?

A. Alerts Table > Right-click on a process node > Remediation Suggestions

B. Incident View > Actions > Remediation Suggestions

C. Causality View > Actions > Remediation Suggestions

D. Alerts Table > Right-click on an alert > Remediation Suggestions

Suggested Answer: C

Community Answer: B

Question 9

What are two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile? (Choose two.)

A. Automatically close the connections involved in malicious traffic.

B. Automatically kill the processes involved in malicious activity.

C. Automatically terminate the threads involved in malicious activity.

D. Automatically block the IP addresses involved in malicious traffic.

Suggested Answer: AD

Community Answer: AD

Question 10

Where can SHA256 hash values be used in Cortex XDR Malware Protection Profiles?

A. in the macOS Malware Protection Profile to indicate allowed signers

B. in the Linux Malware Protection Profile to indicate allowed Java libraries

C. SHA256 hashes cannot be used in Cortex XDR Malware Protection Profiles

D. in the Windows Malware Protection Profile to indicate allowed executables

Suggested Answer: D

Community Answer: C

Question 11

Which Type of IOC can you define in Cortex XDR?

A. destination port

B. e-mail address

C. full path

D. App-ID

Suggested Answer: C

Community Answer: C

Question 12

In the Cortex XDR management console, scheduled reports can be forwarded to which of the following applications/services?

A. Service Now

B. Slack

C. Salesforce

D. Jira

Suggested Answer: B

Community Answer: B

Question 13

What kind of threat typically encrypts user files?

A. ransomware

B. SQL injection attacks

C. Zero-day exploits

D. supply-chain attacks

Suggested Answer: A

Community Answer: A

Question 14

Which statement best describes how Behavioral Threat Protection (BTP) works?

A. BTP injects into known vulnerable processes to detect malicious activity.

B. BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.

C. BTP matches EDR data with rules provided by Cortex XDR.

D. BTP uses machine learning to recognize malicious activity even if it is not known.

Suggested Answer: D

Community Answer: C

Question 15

Which license is required when deploying Cortex XDR agent on Kubernetes Clusters as a DaemonSet?

A. Cortex XDR Pro per TB

B. Host Insights

C. Cortex XDR Pro per Endpoint

D. Cortex XDR Cloud per Host

Suggested Answer: D

Community Answer: D

Question 16

Which module provides the best visibility to view vulnerabilities?

A. Device Control Violations

B. Vulnerability Management

C. Host Insights

D. Forensics Insights

Suggested Answer: C

Community Answer: B

Question 17

When using the “File Search and Destroy” feature, which of the following hash types is supported for the search?

A. SHA256 hash of the file

B. AES256 hash of the file

C. MD5 hash of the file

D. SHA1 hash of the file

Suggested Answer: A

Community Answer: A

Question 18

Which of the following engines in Cortex XDR determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident?

A. Sensor Engine

B. Causality Analysis Engine

C. Log Stitching Engine

D. Causality Chain Engine

Suggested Answer: B

Community Answer: B

Question 19

While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?

A. mark the incident as Unresolved

B. create a BIOC rule excluding this behavior

C. create an exception to prevent future false positives

D. mark the incident as Resolved – Auto Resolve

Suggested Answer: B

Community Answer: D

Question 20

Which minimum Cortex XDR agent version is required for Kubernetes Cluster?

A. Cortex XDR 7.4

B. Cortex XDR 5.0

C. Cortex XDR 7.5

D. Cortex XDR 6.1

Suggested Answer: C

Community Answer: C

Question 21

If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?

A. Broker VM Pathfinder

B. Local Agent Proxy

C. Local Agent Installer and Content Caching

D. Broker VM Syslog Collector

Suggested Answer: C

Community Answer: B

Question 22

Which version of Python is used in Live Terminal?

A. Python 3 with specific XDR Python libraries developed by Palo Alto Networks

B. Python 3 with standard Python libraries

C. Python 2 and 3 with standard Python libraries

D. Python 2 and 3 with specific XDR Python libraries developed by Palo Alto Networks

Suggested Answer: A

Community Answer: B

Question 23

Which type of IOC can you define in Cortex XDR?

A. Source port

B. Destination IP Address

C. Destination IP Address:Destination

D. Source IP Address

Suggested Answer: B

Community Answer: B

Question 24

A file is identified as malware by the Local Analysis module, whereas the WildFire verdict is Benign. Assuming WildFire is accurate, which statement is correct for the incident?

A. It is true positive.

B. It is false positive.

C. It is a false negative.

D. It is true negative.

Suggested Answer: B

Community Answer: B

Question 25

Which of the following represents a common sequence of cyber attack tactics?

A. Actions on the objective >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control

B. Installation >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective

C. Reconnaissance >> Installation >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective

D. Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control >> Actions on the objective

Suggested Answer: D

Community Answer: D

Question 26

In incident-related widgets, how would you filter the display to only show incidents that were “starred”?

A. Create a custom XQL widget

B. This is not currently supported

C. Create a custom report and filter on starred incidents

D. Click the star in the widget

Suggested Answer: D

Community Answer: D

Question 27

What is the standard installation disk space recommended to install a Broker VM?

A. 1GB disk space

B. 2GB disk space

C. 512GB disk space

D. 256GB disk space

Suggested Answer: C

Community Answer: C

Question 28

Cortex XDR Analytics can alert when detecting activity matching the following MITRE ATT&CK™ techniques.

A. Exfiltration, Command and Control, Collection

B. Exfiltration, Command and Control, Privilege Escalation

C. Exfiltration, Command and Control, Impact

D. Exfiltration, Command and Control, Lateral Movement

Suggested Answer: D

Community Answer: D

Question 29

To create a BIOC rule with XQL query you must at a minimum filter on which field in order for it to be a valid BIOC rule?

A. causality_chain

B. endpoint_name

C. threat_event

D. event_type

Suggested Answer: D

Community Answer: D

Question 30

Which type of BIOC rule is currently available in Cortex XDR?

A. Threat Actor

B. Discovery

C. Network

D. Dropper

Suggested Answer: D

Community Answer: D

Question 31

With a Cortex XDR Prevent license, which objects are considered to be sensors?

A. Syslog servers

B. Third-Party security devices

C. Cortex XDR agents

D. Palo Alto Networks Next-Generation Firewalls

Suggested Answer: C

Community Answer: C

Question 32

Which of the following Live Terminal options are available for Android systems?

A. Run Android commands.

B. Live Terminal is not supported.

C. Run APK scripts.

D. Stop an app.

Suggested Answer: B

Community Answer: B

Question 33

What types of actions can you execute with a Live Terminal session?

A. Manage Processes, Manage Files, Run Operating System Commands, Run Python Commands and Scripts

B. Manage Network configurations, Quarantine Files, Run PowerShell scripts

C. Apply patches, Reboot System, Send notification for end user, Run Python Commands and Scripts

D. Manage Processes, Manage Files, Run Operating System Commands, Run Ruby Commands and Scripts

Suggested Answer: A

Community Answer: A

Question 34

When is the wss (WebSocket Secure) protocol used?

A. when the Cortex XDR agent downloads new security content

B. when the Cortex XDR agent uploads alert data

C. when the Cortex XDR agent connects to WildFire to upload files for analysis

D. when the Cortex XDR agent establishes a bidirectional communication channel

Suggested Answer: D

Question 35

What is the function of WildFire for Cortex XDR?

A. WildFire runs in the cloud and analyses alert data from the XDR agent to check for behavioural threats.

B. WildFire is the engine that runs on the local agent and determines whether behavioural threats are occurring on the endpoint.

C. WildFire accepts and analyses a sample to provide a verdict.

D. WildFire runs entirely on the agent to quickly analyse samples and provide a verdict.

Suggested Answer: C

Community Answer: C

Question 36

What is the difference between presets and datasets in XQL?

A. A dataset is a Cortex data lake data source only; presets are built-in data source.

B. A dataset is a database; presets is a field.

C. A dataset is a built-in or third party source; presets group XDR data fields.

D. A dataset is a third-party data source; presets are built-in data source.

Suggested Answer: C

Community Answer: C

Question 37

Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?

A. Find the Malware profile attached to the endpoint, Under Portable Executable and DLL Examination add the hash to the allow list.

B. From the rules menu select new exception, fill out the criteria, choose the scope to apply it to, hit save.

C. Find the exceptions profile attached to the endpoint, under process exceptions select local analysis, paste the hash and save.

D. In the Action Center, choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.

Suggested Answer: B

Community Answer: D

Question 38

A Linux endpoint with a Cortex XDR Pro per Endpoint license and Enhanced Endpoint Data enabled has reported malicious activity, resulting in the creation of a file that you wish to delete. Which action could you take to delete the file?

A. Manually remediate the problem on the endpoint in question.

B. Open X2go from the Cortex XDR console and delete the file via X2go.

C. Initiate Remediate Suggestions to automatically delete the file.

D. Open an NFS connection from the Cortex XDR console and delete the file.

Suggested Answer: A

Community Answer: C

Question 39

Which built-in dashboard would be the best option for an executive, if they were looking for the Mean Time to Resolution (MTTR) metric?

A. Security Manager Dashboard

B. Data Ingestion Dashboard

C. Security Admin Dashboard

D. Incident Management Dashboard

Suggested Answer: A

Community Answer: C

Question 40

Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?

A. Hash Verdict Determination

B. Behavioral Threat Protection

C. Restriction Policy

D. Child Process Protection

Suggested Answer: B

Community Answer: D

Question 41

What is the purpose of the Cortex Data Lake?

A. a local storage facility where your logs and alert data can be aggregated

B. a cloud-based storage facility where your firewall logs are stored

C. the interface between firewalls and the Cortex XDR agents

D. the workspace for your Cortex XDR agents to detonate potential malware files

Suggested Answer: B

Community Answer: B

Question 42

If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?

A. Broker VM Pathfinder

B. Local Agent Proxy

C. Local agent installer

D. Broker VM Syslog Collector

Suggested Answer: B

Community Answer: B

Question 43

What should you do to automatically convert leads into alerts after investigating a lead?

A. Lead threats can’t be prevented in the future because they already exist in the environment.

B. Build a search query using Query Builder or XQL using a list of IOCs.

C. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.

D. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.

Suggested Answer: C

Community Answer: D

Question 44

Which Exploit Protection Module (EPM) can be used to prevent attacks based on OS function?

A. Memory Limit Heap Spray Check

B. DLL Security

C. UASLR

D. JIT Mitigation

Suggested Answer: B

Community Answer: B

Question 45

What is the purpose of targeting software vendors in a supply-chain attack?

A. to take advantage of a trusted software delivery method.

B. to steal users’ login credentials.

C. to access source code.

D. to report Zero-day vulnerabilities.

Suggested Answer: B

Community Answer: A

Question 46

In the Cortex XDR console, from which two pages are you able to manually perform the agent upgrade action? (Choose two.)

A. Endpoint Administration

B. Asset Management

C. Action Center

D. Agent Installations

Suggested Answer: AC

Community Answer: AC

Question 47

Which of the following is NOT a precanned script provided by Palo Alto Networks?

A. delete_file

B. quarantine_file

C. process_kill_name

D. list_directories

Suggested Answer: B

Community Answer: B

Question 48

Which two types of exception profiles can you create in Cortex XDR? (Choose two.)

A. exception profiles that apply to specific endpoints

B. agent exception profiles that apply to specific endpoints

C. global exception profiles that apply to all endpoints

D. role-based profiles that apply to specific endpoints

Suggested Answer: AC

Community Answer: AC

Question 49

You can star security events in which two ways? (Choose two.)

A. Create an alert-starring configuration.

B. Create an Incident-starring configuration.

C. Manually star an alert.

D. Manually star an Incident.

Suggested Answer: BD

Community Answer: BD

Question 50

Why would one threaten to encrypt a hypervisor or, potentially, multiple virtual machines running on a server?

A. To extort a payment from a victim or potentially embarrass the owners.

B. To gain notoriety and potentially a consulting position.

C. To better understand the underlying virtual infrastructure.

D. To potentially perform a Distributed Denial of Attack.

Suggested Answer: A

Community Answer: A

Access Full PCDRA Exam Prep Free

Want to go beyond these 50 questions? Click here to unlock a full set of PCDRA exam prep free questions covering every domain tested on the exam.

We continuously update our content to ensure you have the most current and effective prep materials.

Good luck with your PCDRA certification journey!
