What is the purpose of the Cortex Data Lake?

a cloud-based storage facility where your firewall logs are stored

a local storage facility where your logs and alert data can be aggregated

a cloud-based storage facility where your firewall logs are stored

the interface between firewalls and the Cortex XDR agents

the workspace for your Cortex XDR agents to detonate potential malware files

When creating a scheduled report which is not an option?

Run quarterly on a certain day and time.

Run weekly on a certain day and time.

Run quarterly on a certain day and time.

Run monthly on a certain day and time.

Run daily at a certain time (selectable hours and minutes).

Which statement regarding scripts in Cortex XDR is true?

The level of risk is assigned to the script upon import.

Any version of Python script can be run.

The level of risk is assigned to the script upon import.

Any script can be imported including Visual Basic (VB) scripts.

The script is run on the machine uploading the script to ensure that it is operational.

What is the function of WildFire for Cortex XDR?

WildFire accepts and analyses a sample to provide a verdict.

WildFire runs in the cloud and analyses alert data from the XDR agent to check for behavioural threats.

WildFire is the engine that runs on the local agent and determines whether behavioural threats are occurring on the endpoint.

WildFire accepts and analyses a sample to provide a verdict.

WildFire runs entirely on the agent to quickly analyse samples and provide a verdict.

Which module provides the best visibility to view vulnerabilities?

Device Control Violations module

The Cortex XDR console has triggered an incident, blocking a vitally important piece of software in your organization that is known to be benign. Which of the following options would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization?

Create an individual alert exclusion.

Create an endpoint-specific exception.

Which of the following paths will successfully activate Remediation Suggestions?

Causality View > Actions > Remediation Suggestions

Incident View > Actions > Remediation Suggestions

Causality View > Actions > Remediation Suggestions

Alerts Table > Right-click on a process node > Remediation Suggestions

Alerts Table > Right-click on an alert > Remediation Suggestions

What is an example of an attack vector for ransomware?

Phishing emails containing malicious attachments

Performing DNS queries for suspicious domains

Performing SSL Decryption on an endpoint

Phishing emails containing malicious attachments

A URL filtering feature enabled on a firewall

How can you pivot within a row to Causality view and Timeline views for further investigate?

Using the Open Card and Open Timeline actions respectively

You can't pivot within a row to Causality view and Timeline views

Using Open Timeline Actions Only

Which of the following Live Terminal options are available for Android systems?

Live Terminal is not supported.

What motivation do ransomware attackers have for returning access to systems once their victims have paid?

Failure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.

There is organized crime governance among attackers that requires the return of access to remain in good standing

Nation-states enforce the return of system access through the use of laws and regulation.

Failure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.

The ransomware attackers hope to trace the financial trail back and steal more from traditional banking institutions.

You can star security events in which two ways? (Choose two.)

Create an alert-starring configuration.

Create an Incident-starring configuration.

Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?

In the Action Center, choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.

Find the Malware profile attached to the endpoint, Under Portable Executable and DLL Examination add the hash to the allow list.

From the rules menu select new exception, fill out the criteria, choose the scope to apply it to, hit save.

Find the exceptions profile attached to the endpoint, under process exceptions select local analysis, paste the hash and save.

In the Action Center, choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in Phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?

Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.

Enable DLL Protection on all endpoints but there might be some false positives.

Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.

No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.

No step is required because the malicious document is already stopped.

What types of actions you can execute with live terminal session?

Manage Processes, Manage Files, Run Operating System Commands, Run Python Commands and Scripts

Manage Network configurations, Quarantine Files, Run PowerShell scripts

Manage Processes, Manage Files, Run Operating System Commands, Run Ruby Commands and Scripts

Apply patches, Reboot System, send notification for end user, Run Python Commands and Scripts

Manage Processes, Manage Files, Run Operating System Commands, Run Python Commands and Scripts

Which version of python is used in live terminal?

Python 3 with standard Python libraries

Python 2 and 3 with standard Python libraries

Python 2 and 3 with specific XDR Python libraries developed by Palo Alto Networks

Python 3 with specific XDR Python libraries developed by Palo Alto Networks

Python 3 with standard Python libraries

A Linux endpoint with a Cortex XDR Pro per Endpoint license and Enhanced Endpoint Data enabled has reported malicious activity, resulting in the creation of a file that you wish to delete. Which action could you take to delete the file?

Initiate Remediate Suggestions to automatically delete the file.

Manually remediate the problem on the endpoint in question.

Open X2go from the Cortex XDR console and delete the file via X2go.

Initiate Remediate Suggestions to automatically delete the file.

Open an NFS connection from the Cortex XDR console and delete the file.

Which of the following best defines the Windows Registry as used by the Cortex XDR agent?

a hierarchical database that stores settings for the operating system and for applications

a system of files used by the operating system to commit memory that exceeds the available hardware resources. Also known as the ''swap''

a central system, available via the internet, for registering officially licensed versions of software to prove ownership

a ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system

Which statement best describes how Behavioral Threat Protection (BTP) works?

BTP uses machine Learning to recognize malicious activity even if it is not known.

BTP injects into known vulnerable processes to detect malicious activity.

BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.

BTP matches EDR data with rules provided by Cortex XDR.

BTP uses machine Learning to recognize malicious activity even if it is not known.

Which of the following policy exceptions applies to the following description?'An exception allowing specific PHP files'

Local file threat examination exception

Behavioral threat protection rule exception

When reaching out to TAC for additional technical support related to a Security Event; what are two critical pieces of information you need to collect from the Agent? (Choose Two)

The agent technical support file.

The prevention archive from the alert.

The agent technical support file.

The prevention archive from the alert.

The distribution id of the agent.

A list of all the current exceptions applied to the agent.

Phishing belongs to which of the following MITRE ATT&CK tactics?

Persistence, Command and Control

When creating a BIOC rule, which XQL query can be used?

dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'

dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'

dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'

dataset = xdr_data | filter action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe' | fields action_process_image

dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'

What are two purposes of ''Respond to Malicious Causality Chains'' in a Cortex XDR Windows Malware profile? (Choose two.)

Automatically kill the processes involved in malicious activity.

Automatically block the IP addresses involved in malicious traffic.

Automatically close the connections involved in malicious traffic.

Automatically kill the processes involved in malicious activity.

Automatically terminate the threads involved in malicious activity.

Automatically block the IP addresses involved in malicious traffic.

When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?

Click on ''Save to Widget Library'' in the dashboard and you will be prompted to give the query a name and description.

Click the three dots on the widget and then choose ''Save'' and this will link the query to the Widget Library.

This isn't supported, you have to exit the dashboard and go into the Widget Library first to create it.

Click on ''Save to Action Center'' in the dashboard and you will be prompted to give the query a name and description.

Click on ''Save to Widget Library'' in the dashboard and you will be prompted to give the query a name and description.

What is the purpose of the Unit42 team?

Unit42 is responsible for threat research, malware analysis and threat hunting

Unit42 is responsible for automation and orchestration of products

Unit42 is responsible for the configuration optimization of the Cortex XDR server

Unit42 is responsible for threat research, malware analysis and threat hunting

Unit42 is responsible for the rapid deployment of Cortex XDR agents

Palo Alto Networks PCDRA Practice Test 1 - Free Online Exam Prep & Questions

Question 1 / 40

When investigating security events, which feature in Cortex XDR is useful for reverting the changes on the endpoint?

Remediation Automation

Machine Remediation

Automatic Remediation

Remediation Suggestions

Comment (0)

Palo Alto Networks PCDRA Practice Test 1

Question

Palo Alto Networks PCDRA Practice Tests

Practice Tests