PCDRA Mock Test Free – 50 Realistic Questions to Prepare with Confidence.
Getting ready for your PCDRA certification exam? Start your preparation the smart way with our PCDRA Mock Test Free – a carefully crafted set of 50 realistic, exam-style questions to help you practice effectively and boost your confidence.
Using a free PCDRA mock test is one of the best ways to:
- Familiarize yourself with the actual exam format and question style
- Identify areas where you need more review
- Strengthen your time management and test-taking strategy
Below, you will find 50 free questions from our PCDRA Mock Test Free resource. These questions are structured to reflect the real exam’s difficulty and content areas, helping you assess your readiness accurately.
When using the “File Search and Destroy” feature, which of the following hash types is supported for the search?
A. SHA256 hash of the file
B. AES256 hash of the file
C. MD5 hash of the file
D. SHA1 hash of the file
Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack will be neutralized. Which of the following statements is correct?
A. Cortex XDR Analytics lets you interfere with the pattern as soon as it is observed on the firewall.
B. Cortex XDR Analytics does not interfere with the pattern as soon as it is observed on the endpoint.
C. Cortex XDR Analytics does not have to interfere with the pattern as soon as it is observed on the endpoint in order to prevent the attack.
D. Cortex XDR Analytics lets you interfere with the pattern as soon as it is observed on the endpoint.
As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in Phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?
A. Enable DLL Protection on all endpoints but there might be some false positives.
B. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
C. No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.
D. No step is required because the malicious document is already stopped.
Which type of BIOC rule is currently available in Cortex XDR?
A. Threat Actor
B. Discovery
C. Network
D. Dropper
Which of the following is NOT a precanned script provided by Palo Alto Networks?
A. delete_file
B. quarantine_file
C. process_kill_name
D. list_directories
What license would be required for ingesting external logs from various vendors?
A. Cortex XDR Pro per Endpoint
B. Cortex XDR Vendor Agnostic Pro
C. Cortex XDR Pro per TB
D. Cortex XDR Cloud per Host
A Linux endpoint with a Cortex XDR Pro per Endpoint license and Enhanced Endpoint Data enabled has reported malicious activity, resulting in the creation of a file that you wish to delete. Which action could you take to delete the file?
A. Manually remediate the problem on the endpoint in question.
B. Open X2go from the Cortex XDR console and delete the file via X2go.
C. Initiate Remediate Suggestions to automatically delete the file.
D. Open an NFS connection from the Cortex XDR console and delete the file.
Phishing belongs to which of the following MITRE ATT&CK tactics?
A. Initial Access, Persistence
B. Persistence, Command and Control
C. Reconnaissance, Persistence
D. Reconnaissance, Initial Access
In the deployment of which Broker VM applet are you required to install a strong cipher SHA256-based SSL certificate?
A. Agent Proxy
B. Agent Installer and Content Caching
C. Syslog Collector
D. CSV Collector
You can star security events in which two ways? (Choose two.)
A. Create an alert-starring configuration.
B. Create an Incident-starring configuration.
C. Manually star an alert.
D. Manually star an Incident.
Can you disable the ability to use the Live Terminal feature in Cortex XDR?
A. Yes, via Agent Settings Profile.
B. No, it is a required feature of the agent.
C. No, a separate installer package without Live Terminal is required.
D. Yes, via the Cortex XDR console or with an installation switch.
Which Exploit Protection Module (EPM) can be used to prevent attacks based on OS function?
A. Memory Limit Heap Spray Check
B. DLL Security
C. UASLR
D. JIT Mitigation
When reaching out to TAC for additional technical support related to a Security Event; what are two critical pieces of information you need to collect from the Agent? (Choose two.)
A. The prevention archive from the alert.
B. The unique agent id.
C. The distribution id of the agent.
D. The agent technical support file.
E. A list of all the current exceptions applied to the agent.
Which of the following represents the correct relation of alerts to incidents?
A. Only alerts with the same host are grouped together into one Incident in a given time frame.
B. Alerts that occur within a three hour time frame are grouped together into one Incident.
C. Alerts with same causality chains that occur within a given time frame are grouped together into an Incident.
D. Every alert creates a new Incident.
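To make the difference between the four options concrete, here is a small Python model, added here as an illustration and not Cortex XDR's actual grouping logic (which this page does not describe in detail). It groups constructed alerts into incidents when they share a causality chain identifier and fall within a configurable time window of the incident's first alert. The field names, the sample alerts and the two-hour default window are assumptions for the example; note that alerts from different hosts land in the same incident when they share a chain, and that a same-chain alert outside the window opens a new incident.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not real Cortex XDR data). "causality_id" stands in
# for the identifier of the causality chain that an alert belongs to.
SAMPLE_ALERTS = [
    {"name": "Suspicious macro",        "host": "WS01", "causality_id": "cid-A", "ts": datetime(2024, 1, 1, 10, 0)},
    {"name": "PowerShell download",     "host": "WS01", "causality_id": "cid-A", "ts": datetime(2024, 1, 1, 10, 5)},
    {"name": "Lateral movement",        "host": "WS02", "causality_id": "cid-A", "ts": datetime(2024, 1, 1, 10, 20)},
    {"name": "Credential dumping",      "host": "WS03", "causality_id": "cid-B", "ts": datetime(2024, 1, 1, 10, 2)},
    {"name": "Same chain, hours later", "host": "WS01", "causality_id": "cid-A", "ts": datetime(2024, 1, 1, 15, 0)},
]


def group_alerts(alerts, window=timedelta(hours=2)):
    """Assign alerts to incidents.

    An alert joins an already open incident only if it shares that incident's
    causality chain and arrives within `window` of the incident's first alert;
    otherwise it opens a new incident. The two-hour default is an assumption
    made for this example, not a documented Cortex XDR value.
    """
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        for inc in incidents:
            same_chain = inc["causality_id"] == alert["causality_id"]
            in_window = alert["ts"] - inc["first_seen"] <= window
            if same_chain and in_window:
                inc["alerts"].append(alert["name"])
                inc["hosts"].add(alert["host"])
                break
        else:
            incidents.append({
                "id": len(incidents) + 1,
                "causality_id": alert["causality_id"],
                "first_seen": alert["ts"],
                "alerts": [alert["name"]],
                "hosts": {alert["host"]},
            })
    return incidents


if __name__ == "__main__":
    for inc in group_alerts(SAMPLE_ALERTS):
        print(inc["id"], inc["causality_id"], sorted(inc["hosts"]), inc["alerts"])
```

Running the script yields three incidents: the three cid-A alerts from WS01 and WS02 within the window form one, the cid-B alert forms a second, and the cid-A alert five hours later forms a third.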
Which statement is correct based on the report output below?
A. Forensic inventory data collection is enabled.
B. 133 agents have full disk encryption.
C. 3,297 total incidents have been detected.
D. Host Inventory Data Collection is enabled.
What is the purpose of the Unit 42 team?
A. Unit 42 is responsible for automation and orchestration of products
B. Unit 42 is responsible for the configuration optimization of the Cortex XDR server
C. Unit 42 is responsible for threat research, malware analysis and threat hunting
D. Unit 42 is responsible for the rapid deployment of Cortex XDR agents
When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?
A. Click the three dots on the widget and then choose “Save” and this will link the query to the Widget Library.
B. This isn’t supported, you have to exit the dashboard and go into the Widget Library first to create it.
C. Click on “Save to Action Center” in the dashboard and you will be prompted to give the query a name and description.
D. Click on “Save to Widget Library” in the dashboard and you will be prompted to give the query a name and description.
What motivation do ransomware attackers have for returning access to systems once their victims have paid?
A. Failure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.
B. The ransomware attackers hope to trace the financial trail back and steal more from traditional banking institutions.
C. There is organized crime governance among attackers that requires the return of access to remain in good standing.
D. Nation-states enforce the return of system access through the use of laws and regulation.
A file is identified as malware by the Local Analysis module, whereas the WildFire verdict is Benign. Assuming WildFire is accurate, which statement is correct for the incident?
A. It is true positive.
B. It is false positive.
C. It is a false negative.
D. It is true negative.
Which version of python is used in live terminal?
A. Python 3 with specific XDR Python libraries developed by Palo Alto Networks
B. Python 3 with standard Python libraries
C. Python 2 and 3 with standard Python libraries
D. Python 2 and 3 with specific XDR Python libraries developed by Palo Alto Networks
How does Cortex XDR agent for Windows prevent ransomware attacks from compromising the file system?
A. by encrypting the disk first.
B. by utilizing decoy Files.
C. by retrieving the encryption key.
D. by patching vulnerable applications.
In Windows and macOS you need to prevent the Cortex XDR agent from blocking execution of a file based on its digital signer. What is one way to add an exception for the signer?
A. In the Restrictions Profile, add the file name and path to the Executable Files allow list.
B. Create a new rule exception and use the signer as the characteristic.
C. Add the signer to the allow list in the malware profile.
D. Add the signer to the allow list under the action center page.
Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?
A. Hash Verdict Determination
B. Behavioral Threat Protection
C. Restriction Policy
D. Child Process Protection
Which type of IOC can you define in Cortex XDR?
A. Source port
B. Destination IP Address
C. Destination IP Address:Destination
D. Source IP Address
Which of the following paths will successfully activate Remediation Suggestions?
A. Alerts Table > Right-click on a process node > Remediation Suggestions
B. Incident View > Actions > Remediation Suggestions
C. Causality View > Actions > Remediation Suggestions
D. Alerts Table > Right-click on an alert > Remediation Suggestions
Which of the following Live Terminal options are available for Android systems?
A. Run Android commands.
B. Live Terminal is not supported.
C. Run APK scripts.
D. Stop an app.
Which statement regarding scripts in Cortex XDR is true?
A. Any version of Python script can be run.
B. The level of risk is assigned to the script upon import.
C. Any script can be imported including Visual Basic (VB) scripts.
D. The script is run on the machine uploading the script to ensure that it is operational.
In the Cortex XDR console, from which two pages are you able to manually perform the agent upgrade action? (Choose two.)
A. Endpoint Administration
B. Asset Management
C. Action Center
D. Agent Installations
Which of the following represents a common sequence of cyber attack tactics?
A. Actions on the objective >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control
B. Installation >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective
C. Reconnaissance >> Installation >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective
D. Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control >> Actions on the objective
An attacker tries to load dynamic libraries on macOS from an unsecure location. Which Cortex XDR module can prevent this attack?
A. DLL Security
B. Hot Patch Protection
C. Kernel Integrity Monitor (KIM)
D. Dylib Hijacking
What is the function of WildFire for Cortex XDR?
A. WildFire runs in the cloud and analyses alert data from the XDR agent to check for behavioural threats.
B. WildFire is the engine that runs on the local agent and determines whether behavioural threats are occurring on the endpoint.
C. WildFire accepts and analyses a sample to provide a verdict.
D. WildFire runs entirely on the agent to quickly analyse samples and provide a verdict.
Which minimum Cortex XDR agent version is required for Kubernetes Cluster?
A. Cortex XDR 7.4
B. Cortex XDR 5.0
C. Cortex XDR 7.5
D. Cortex XDR 6.1
To create a BIOC rule with XQL query you must at a minimum filter on which field in order for it to be a valid BIOC rule?
A. causality_chain
B. endpoint_name
C. threat_event
D. event_type
What types of actions can you execute in a Live Terminal session?
A. Manage Processes, Manage Files, Run Operating System Commands, Run Python Commands and Scripts
B. Manage Network configurations, Quarantine Files, Run Powershell scripts
C. Apply patches, Reboot System, Send notification for end user, Run Python Commands and Scripts
D. Manage Processes, Manage Files, Run Operating System Commands, Run Ruby Commands and Scripts
How can you pivot from a row to the Causality view and Timeline view for further investigation?
A. Using the Open Card Only
B. Using Open Timeline actions Only
C. Using the Open Card and Open Timeline actions respectively
D. You can’t pivot within a row to Causality view and Timeline views
Under which conditions is Local Analysis invoked to evaluate a file before the file is allowed to run?
A. The endpoint is disconnected or the verdict from WildFire is of a type malware.
B. The endpoint is disconnected or the verdict from WildFire is of a type unknown.
C. The endpoint is disconnected or the verdict from WildFire is of a type grayware.
D. The endpoint is disconnected or the verdict from WildFire is of a type benign.
What kind of threat typically encrypts user files?
A. ransomware
B. SQL injection attacks
C. Zero-day exploits
D. supply-chain attacks
Which module provides the best visibility to view vulnerabilities?
A. Device Control Violations
B. Vulnerability Management
C. Host Insights
D. Forensics Insights
Why would an attacker threaten to encrypt a hypervisor or, potentially, multiple virtual machines running on a server?
A. To extort a payment from a victim or potentially embarrass the owners.
B. To gain notoriety and potentially a consulting position.
C. To better understand the underlying virtual infrastructure.
D. To potentially perform a Distributed Denial of Service attack.
If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?
A. Broker VM Pathfinder
B. Local Agent Proxy
C. Local agent installer
D. Broker VM Syslog Collector
Which two types of exception profiles can you create in Cortex XDR? (Choose two.)
A. exception profiles that apply to specific endpoints
B. agent exception profiles that apply to specific endpoints
C. global exception profiles that apply to all endpoints
D. role-based profiles that apply to specific endpoints
When creating a BIOC rule, which XQL query can be used?
A. dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= ".*?.(?:pdf|docx).exe"
B. dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= ".*?.(?:pdf|docx).exe"
C. dataset = xdr_data | filter action_process_image_name ~= ".*?.(?:pdf|docx).exe" | fields action_process_image
D. dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= ".*?.(?:pdf|docx).exe"
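As an added illustration (not part of the original question set and not Cortex XDR's own code), the following Python models the option whose filter names both event_type = PROCESS and event_sub_type = PROCESS_START, and runs it over a handful of constructed process events. It also shows a caveat a rule author should check before saving a BIOC: the regex as printed above leaves its dots unescaped, so `.` matches any character and a name such as mypdf.exe is flagged alongside a genuine double extension like invoice.pdf.exe; escaping the dots restricts the rule to real .pdf.exe / .docx.exe names. The sample event names, the lowercase comparison and the use of a full match are assumptions for the example; whether XQL's `~=` is case-sensitive or anchored is not shown on this page.

```python
import re
from dataclasses import dataclass

# The pattern exactly as printed in the question: unescaped dots match any character.
LOOSE_RE = re.compile(r".*?.(?:pdf|docx).exe")
# The same intent with literal dots, so only true double extensions match.
STRICT_RE = re.compile(r".*?\.(?:pdf|docx)\.exe")


@dataclass
class XdrEvent:
    """Minimal stand-in for an xdr_data row; field names follow the XQL in the question."""
    event_type: str
    event_sub_type: str
    action_process_image_name: str


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    XdrEvent("PROCESS", "PROCESS_START", "invoice.pdf.exe"),      # classic masquerade
    XdrEvent("PROCESS", "PROCESS_START", "winword.exe"),          # benign
    XdrEvent("PROCESS", "PROCESS_STOP",  "report.docx.exe"),      # wrong sub type
    XdrEvent("FILE",    "FILE_CREATE",   "resume.docx.exe"),      # wrong event type
    XdrEvent("PROCESS", "PROCESS_START", "Q3_Report.DOCX.EXE"),   # upper-case variant
    XdrEvent("PROCESS", "PROCESS_START", "mypdf.exe"),            # no dot before "pdf"
]


def run_bioc(events, pattern):
    """Python equivalent of:
    filter event_type = PROCESS and event_sub_type = PROCESS_START
           and action_process_image_name ~= <pattern>
    Returns the image names that the rule would raise a BIOC alert on."""
    hits = []
    for ev in events:
        if ev.event_type != "PROCESS" or ev.event_sub_type != "PROCESS_START":
            continue
        # Lower-casing is an assumption: Windows image names are case-insensitive.
        if pattern.fullmatch(ev.action_process_image_name.lower()):
            hits.append(ev.action_process_image_name)
    return hits


if __name__ == "__main__":
    print("as printed :", run_bioc(SAMPLE_EVENTS, LOOSE_RE))
    print("escaped    :", run_bioc(SAMPLE_EVENTS, STRICT_RE))
```

The escaped pattern flags only invoice.pdf.exe and Q3_Report.DOCX.EXE, while the pattern as printed additionally flags mypdf.exe, which is the kind of false positive worth catching while the rule is still in a test query rather than after it has started raising alerts.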
What is the outcome of creating and implementing an alert exclusion?
A. The Cortex XDR agent will allow the process that was blocked to run on the endpoint.
B. The Cortex XDR console will hide those alerts.
C. The Cortex XDR agent will not create an alert for this event in the future.
D. The Cortex XDR console will delete those alerts and block ingestion of them in the future.
To stop a network-based attack, any interference with a portion of the attack pattern is enough to prevent it from succeeding. Which statement is correct regarding the Cortex XDR Analytics module?
A. It interferes with the pattern as soon as it is observed on the endpoint.
B. It does not interfere with any portion of the pattern on the endpoint.
C. It does not need to interfere with any portion of the pattern to prevent the attack.
D. It interferes with the pattern as soon as it is observed by the firewall.
Live Terminal uses which type of protocol to communicate with the agent on the endpoint?
A. NetBIOS over TCP
B. WebSocket
C. UDP and a random port
D. TCP, over port 80
What are two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile? (Choose two.)
A. Automatically close the connections involved in malicious traffic.
B. Automatically kill the processes involved in malicious activity.
C. Automatically terminate the threads involved in malicious activity.
D. Automatically block the IP addresses involved in malicious traffic.
When creating a scheduled report, which of the following is not an option?
A. Run weekly on a certain day and time.
B. Run quarterly on a certain day and time.
C. Run monthly on a certain day and time.
D. Run daily at a certain time (selectable hours and minutes).
When investigating security events, which feature in Cortex XDR is useful for reverting the changes on the endpoint?
A. Remediation Automation
B. Machine Remediation
C. Automatic Remediation
D. Remediation Suggestions
Which Exploit Prevention Module (EPM) provides better entropy for randomization of memory locations?
A. UASLR
B. JIT Mitigation
C. Memory Limit Heap spray check
D. DLL Security
Which of the following best defines the Windows Registry as used by the Cortex XDR agent?
A. a hierarchical database that stores settings for the operating system and for applications
B. a system of files used by the operating system to commit memory that exceeds the available hardware resources. Also known as the “swap”
C. a central system, available via the internet, for registering officially licensed versions of software to prove ownership
D. a ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system