PCDRA Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the PCDRA certification? Take your preparation to the next level with our PCDRA Practice Exam Free – a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a PCDRA practice exam free is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic PCDRA practice exam free questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
Which statement is true for Application Exploits and Kernel Exploits?
A. The ultimate goal of any exploit is to reach the application.
B. Kernel exploits are easier to prevent than application exploits.
C. The ultimate goal of any exploit is to reach the kernel.
D. Application exploits leverage kernel vulnerability.
What contains a logical schema in an XQL query?
A. Field
B. Bin
C. Dataset
D. Arrayexpand
Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?
A. Hash Verdict Determination
B. Behavioral Threat Protection
C. Restriction Policy
D. Child Process Protection
When creating a scheduled report which is not an option?
A. Run weekly on a certain day and time.
B. Run quarterly on a certain day and time.
C. Run monthly on a certain day and time.
D. Run daily at a certain time (selectable hours and minutes).
As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to download Cobalt Strike on one of your servers. Days later, you learn about a massive ongoing supply chain attack. Using Cortex XDR you recognize that your server was compromised by the attack and that Cortex XDR prevented it. What steps can you take to ensure that the same protection is extended to all your servers?
A. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
B. Enable DLL Protection on all servers but there might be some false positives.
C. Create IOCs of the malicious files you have found to prevent their execution.
D. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.
To create a BIOC rule with XQL query you must at a minimum filter on which field in order for it to be a valid BIOC rule?
A. causality_chain
B. endpoint_name
C. threat_event
D. event_type
You can star security events in which two ways? (Choose two.)
A. Create an alert-starring configuration.
B. Create an Incident-starring configuration.
C. Manually star an alert.
D. Manually star an Incident.
When viewing the incident directly, what is the “assigned to” field value of a new Incident that was just reported to Cortex?
A. Pending
B. It is blank
C. Unassigned
D. New
As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in Phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?
A. Enable DLL Protection on all endpoints but there might be some false positives.
B. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
C. No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.
D. No step is required because the malicious document is already stopped.
Which statement is true based on the following Agent Auto Upgrade widget?
A. There are a total of 689 Up To Date agents.
B. Agent Auto Upgrade was enabled but not on all endpoints.
C. Agent Auto Upgrade has not been enabled.
D. There are more agents in Pending status than In Progress status.
Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?
A. Find the Malware profile attached to the endpoint, Under Portable Executable and DLL Examination add the hash to the allow list.
B. From the rules menu select new exception, fill out the criteria, choose the scope to apply it to, hit save.
C. Find the exceptions profile attached to the endpoint, under process exceptions select local analysis, paste the hash and save.
D. In the Action Center, choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.
Which module provides the best visibility to view vulnerabilities?
A. Device Control Violations
B. Vulnerability Management
C. Host Insights
D. Forensics Insights
An attacker tries to load dynamic libraries on macOS from an unsecure location. Which Cortex XDR module can prevent this attack?
A. DDL Security
B. Hot Patch Protection
C. Kernel Integrity Monitor (KIM)
D. Dylib Hijacking
Which function describes the removal of a specific file from its location on a local or removable drive to a protected folder to prevent the file from being executed?
A. Search & destroy
B. Quarantine
C. Isolation
D. Flag for removal
Which of the following is NOT a precanned script provided by Palo Alto Networks?
A. delete_file
B. quarantine_file
C. process_kill_name
D. list_directories
Which built-in dashboard would be the best option for an executive, if they were looking for the Mean Time to Resolution (MTTR) metric?
A. Security Manager Dashboard
B. Data Ingestion Dashboard
C. Security Admin Dashboard
D. Incident Management Dashboard
What motivation do ransomware attackers have for returning access to systems once their victims have paid?
A. Failure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.
B. The ransomware attackers hope to trace the financial trail back and steal more from traditional banking institutions.
C. There is organized crime governance among attackers that requires the return of access to remain in good standing.
D. Nation-states enforce the return of system access through the use of laws and regulation.
What functionality of the Broker VM would you use to ingest third-party firewall logs to the Cortex Data Lake?
A. Netflow Collector
B. Syslog Collector
C. DB Collector
D. Pathfinder
What is by far the most common tactic used by ransomware to shut down a victim’s operation?
A. preventing the victim from being able to access APIs to cripple infrastructure
B. denying traffic out of the victim's network until payment is received
C. restricting access to administrative accounts to the victim
D. encrypting certain files to prevent access by the victim
In Windows and macOS you need to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. What is one way to add an exception for the signer?
A. In the Restrictions Profile, add the file name and path to the Executable Files allow list.
B. Create a new rule exception and use the signer as the characteristic.
C. Add the signer to the allow list in the malware profile.
D. Add the signer to the allow list under the action center page.
What is the function of WildFire for Cortex XDR?
A. WildFire runs in the cloud and analyses alert data from the XDR agent to check for behavioural threats.
B. WildFire is the engine that runs on the local agent and determines whether behavioural threats are occurring on the endpoint.
C. WildFire accepts and analyses a sample to provide a verdict.
D. WildFire runs entirely on the agent to quickly analyse samples and provide a verdict.
Which version of python is used in live terminal?
A. Python 3 with specific XDR Python libraries developed by Palo Alto Networks
B. Python 3 with standard Python libraries
C. Python 2 and 3 with standard Python libraries
D. Python 2 and 3 with specific XDR Python libraries developed by Palo Alto Networks
What is the difference between presets and datasets in XQL?
A. A dataset is a Cortex data lake data source only; presets are built-in data source.
B. A dataset is a database; presets is a field.
C. A dataset is a built-in or third party source; presets group XDR data fields.
D. A dataset is a third-party data source; presets are built-in data source.
In the Cortex XDR console, from which two pages are you able to manually perform the agent upgrade action? (Choose two.)
A. Endpoint Administration
B. Asset Management
C. Action Center
D. Agent Installations
Which profiles can the user use to configure malware protection in the Cortex XDR console?
A. Malware Protection profile
B. Malware profile
C. Malware Detection profile
D. Anti-Malware profile
Which license is required when deploying Cortex XDR agent on Kubernetes Clusters as a DaemonSet?
A. Cortex XDR Pro per TB
B. Host Insights
C. Cortex XDR Pro per Endpoint
D. Cortex XDR Cloud per Host
How can you pivot within a row to the Causality view and Timeline view for further investigation?
A. Using the Open Card Only
B. Using Open Timeline actions Only
C. Using the Open Card and Open Timeline actions respectively
D. You can’t pivot within a row to Causality view and Timeline views
Which of the following Live Terminal options are available for Android systems?
A. Run Android commands.
B. Live Terminal is not supported.
C. Run APK scripts.
D. Stop an app.
If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?
A. Broker VM Pathfinder
B. Local Agent Proxy
C. Local agent installer
D. Broker VM Syslog Collector
Which of the following represents the correct relation of alerts to incidents?
A. Only alerts with the same host are grouped together into one Incident in a given time frame.
B. Alerts that occur within a three hour time frame are grouped together into one Incident.
C. Alerts with same causality chains that occur within a given time frame are grouped together into an Incident.
D. Every alert creates a new Incident.
Which Exploit Protection Module (EPM) can be used to prevent attacks based on OS function?
A. Memory Limit Heap Spray Check
B. DLL Security
C. UASLR
D. JIT Mitigation
What license would be required for ingesting external logs from various vendors?
A. Cortex XDR Pro per Endpoint
B. Cortex XDR Vendor Agnostic Pro
C. Cortex XDR Pro per TB
D. Cortex XDR Cloud per Host
With a Cortex XDR Prevent license, which objects are considered to be sensors?
A. Syslog servers
B. Third-Party security devices
C. Cortex XDR agents
D. Palo Alto Networks Next-Generation Firewalls
Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack will be neutralized. Which of the following statements is correct?
A. Cortex XDR Analytics allows to interfere with the pattern as soon as it is observed on the firewall.
B. Cortex XDR Analytics does not interfere with the pattern as soon as it is observed on the endpoint.
C. Cortex XDR Analytics does not have to interfere with the pattern as soon as it is observed on the endpoint in order to prevent the attack.
D. Cortex XDR Analytics allows to interfere with the pattern as soon as it is observed on the endpoint.
Under which conditions is Local Analysis invoked to evaluate a file before the file is allowed to run?
A. The endpoint is disconnected or the verdict from WildFire is of a type malware.
B. The endpoint is disconnected or the verdict from WildFire is of a type unknown.
C. The endpoint is disconnected or the verdict from WildFire is of a type grayware.
D. The endpoint is disconnected or the verdict from WildFire is of a type benign.
What kind of malware uses encryption, data theft, denial of service, and possibly harassment to take advantage of a victim?
A. Rootkit
B. Keylogger
C. Ransomware
D. Worm
Which engine, of the following, in Cortex XDR determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident?
A. Sensor Engine
B. Causality Analysis Engine
C. Log Stitching Engine
D. Causality Chain Engine
Which search method is supported by File Search and Destroy?
A. File Search and Repair
B. File Seek and Destroy
C. File Search and Destroy
D. File Seek and Repair
Which of the following is an example of a successful exploit?
A. connecting unknown media to an endpoint that copied malware due to Autorun.
B. a user executing code which takes advantage of a vulnerability on a local service.
C. identifying vulnerable services on a server.
D. executing a process executable for well-known and signed software.
When is the wss (WebSocket Secure) protocol used?
A. when the Cortex XDR agent downloads new security content
B. when the Cortex XDR agent uploads alert data
C. when the Cortex XDR agent connects to WildFire to upload files for analysis
D. when the Cortex XDR agent establishes a bidirectional communication channel
What is the WildFire analysis file size limit for Windows PE files?
A. 500MB
B. 100MB
C. 1GB
D. No Limit
Where would you view the WildFire report in an incident?
A. next to relevant Key Artifacts in the incidents details page
B. under Response –> Action Center
C. under the gear icon –> Agent Audit Logs
D. on the HUB page at apps.paloaltonetworks.com
How does Cortex XDR agent for Windows prevent ransomware attacks from compromising the file system?
A. by encrypting the disk first.
B. by utilizing decoy Files.
C. by retrieving the encryption key.
D. by patching vulnerable applications.
When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?
A. Click the three dots on the widget and then choose “Save” and this will link the query to the Widget Library.
B. This isn’t supported, you have to exit the dashboard and go into the Widget Library first to create it.
C. Click on “Save to Action Center” in the dashboard and you will be prompted to give the query a name and description.
D. Click on “Save to Widget Library” in the dashboard and you will be prompted to give the query a name and description.
What is an example of an attack vector for ransomware?
A. A URL filtering feature enabled on a firewall
B. Phishing emails containing malicious attachments
C. Performing DNS queries for suspicious domains
D. Performing SSL Decryption on an endpoint
In incident-related widgets, how would you filter the display to only show incidents that were “starred”?
A. Create a custom XQL widget
B. This is not currently supported
C. Create a custom report and filter on starred incidents
D. Click the star in the widget
What should you do to automatically convert leads into alerts after investigating a lead?
A. Lead threats can’t be prevented in the future because they already exist in the environment.
B. Build a search query using Query Builder or XQL using a list of IOCs.
C. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
D. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
Which statement best describes how Behavioral Threat Protection (BTP) works?
A. BTP injects into known vulnerable processes to detect malicious activity.
B. BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.
C. BTP matches EDR data with rules provided by Cortex XDR.
D. BTP uses machine Learning to recognize malicious activity even if it is not known.
What does the following output tell us?
A. There is one low severity incident.
B. Host shpapy_win10 had the most vulnerabilities.
C. There is one informational severity alert.
D. This is an actual output of the Top 10 hosts with the most malware.
When reaching out to TAC for additional technical support related to a Security Event; what are two critical pieces of information you need to collect from the Agent? (Choose two.)
A. The prevention archive from the alert.
B. The unique agent id.
C. The distribution id of the agent.
D. The agent technical support file.
E. A list of all the current exceptions applied to the agent.
Good luck with your PCDRA certification journey!