Palo Alto Networks PCDRA Practice Test - Questions Answers

The purpose of the Cortex Data Lake is to provide a cloud-based storage facility where your firewall logs are stored. Cortex Data Lake is a service that collects, transforms, and integrates your enterprise's security data to enable Palo Alto Networks solutions. It powers AI and machine learning, detection accuracy, and app and service innovation. Cortex Data Lake automatically collects, integrates, and normalizes data across your security infrastructure, including your next-generation firewalls, Prisma Access, and Cortex XDR. With unified data, you can run advanced AI and machine learning to radically simplify security operations with apps built on Cortex. Cortex Data Lake is available in multiple regions and supports data residency and privacy requirements.Reference:

Cortex Data Lake - Palo Alto Networks

Cortex Data Lake - Palo Alto Networks

Cortex Data Lake, the technology behind Cortex XDR - Palo Alto Networks

CORTEX DATA LAKE - Palo Alto Networks

Sizing for Cortex Data Lake Storage - Palo Alto Networks

When creating a scheduled report in Cortex XDR, the option to run quarterly on a certain day and time isnotavailable. You can only schedule reports to run daily, weekly, or monthly. You can also specify the start and end dates, the time zone, and the recipients of the report. Scheduled reports are useful for generating regular reports on the security events, incidents, alerts, or endpoints in your network. You can create scheduled reports from the Reports page in the Cortex XDR console, or from the Query Center by saving a query as a report.Reference:

Run or Schedule Reports

Create a Scheduled Report

The correct answer is B, the level of risk is assigned to the script upon import. When you import a script to the Agent Script Library in Cortex XDR, you need to specify the level of risk associated with the script. The level of risk determines the permissions and restrictions for running the script on endpoints. The levels of risk are:

Low: The script can be run on any endpoint without requiring approval from the Cortex XDR administrator. The script can also be used in remediation suggestions or automation actions.

Medium: The script can be run on any endpoint, but requires approval from the Cortex XDR administrator. The script can also be used in remediation suggestions or automation actions.

High: The script can only be run on isolated endpoints, and requires approval from the Cortex XDR administrator. The script cannot be used in remediation suggestions or automation actions.

The other options are incorrect for the following reasons:

A is incorrect because not any version of Python script can be run in Cortex XDR. The scripts must be written in Python 2.7, and must follow the guidelines and limitations described in the Cortex XDR documentation. For example, the scripts must not exceed 64 KB in size, must not use external libraries or modules, and must not contain malicious or harmful code.

C is incorrect because not any script can be imported to Cortex XDR, including Visual Basic (VB) scripts. The scripts must be written in Python 2.7, and must follow the guidelines and limitations described in the Cortex XDR documentation. VB scripts are not supported by Cortex XDR, and will not run on the endpoints.

D is incorrect because the script is not run on the machine uploading the script to ensure that it is operational. The script is only validated for syntax errors and size limitations when it is imported to the Agent Script Library. The script is not executed or tested on the machine uploading the script, and the script may still fail or cause errors when it is run on the endpoints.

Agent Script Library

Import a Script

Run Scripts on an Endpoint

WildFire is a cloud-based service that accepts and analyses samples from various sources, including Cortex XDR, to provide a verdict of malware, benign, or grayware. WildFire also generates detailed analysis reports that show the behaviour and characteristics of the samples. Cortex XDR uses WildFire verdicts and reports to enhance its detection and prevention capabilities, as well as to provide more visibility and context into the threats.Reference:

WildFire Analysis Concepts

WildFire Overview

The user can use theMalware Protection profileto configure malware protection in the Cortex XDR console. The Malware Protection profile defines the actions that Cortex XDR takes when it detects malware on your endpoints. You can configure different actions for different types of malware, such as ransomware, password theft, or child process. You can also configure the scan frequency and scope for periodic malware scans. The Malware Protection profile is part of the Endpoint Security policy that you assign to your endpoints.Reference:

Malware Protection Profile

Endpoint Security Policy

TheHost Insights moduleprovides the best visibility to view vulnerabilities on your endpoints. The Host Insights module is an add-on feature for Cortex XDR that combines vulnerability management, application and system visibility, and a Search and Destroy feature to help you identify and contain threats. The vulnerability management feature allows you to scan your Windows endpoints for known vulnerabilities and missing patches, and view the results in the Cortex XDR console. You can also filter and sort the vulnerabilities by severity, CVSS score, CVE ID, or patch availability. The Host Insights module helps you reduce your exposure to threats and improve your security posture.Reference:

Host Insights

Vulnerability Management

Palo Alto Networks provides a set of precanned scripts that you can use to perform various actions on your endpoints, such as deleting files, killing processes, or quarantining malware. The precanned scripts are written in Python and are available in the Agent Script Library in the Cortex XDR console. You can use the precanned scripts as they are, or you can customize them to suit your needs. The precanned scripts are:

delete_file: Deletes a specific file from a local or removable drive.

quarantine_file: Moves a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.

process_kill_name: Kills a process by its name on the endpoint.

process_kill_pid: Kills a process by its process ID (PID) on the endpoint.

process_kill_tree: Kills a process and all its child processes by its name on the endpoint.

process_kill_tree_pid: Kills a process and all its child processes by its PID on the endpoint.

process_list: Lists all the processes running on the endpoint, along with their names, PIDs, and command lines.

process_list_tree: Lists all the processes running on the endpoint, along with their names, PIDs, command lines, and parent processes.

process_start: Starts a process on the endpoint by its name or path.

registry_delete_key: Deletes a registry key and all its subkeys and values from the Windows registry.

registry_delete_value: Deletes a registry value from the Windows registry.

registry_list_key: Lists all the subkeys and values under a registry key in the Windows registry.

registry_list_value: Lists the value and data of a registry value in the Windows registry.

registry_set_value: Sets the value and data of a registry value in the Windows registry.

The script list_directories isnota precanned script provided by Palo Alto Networks. It is a custom script that you can write yourself using Python commands.

Run Scripts on an Endpoint

Agent Script Library

Precanned Scripts

A global exception is a rule that allows you to exclude specific files, processes, or behaviors from being blocked or detected by Cortex XDR. A global exception applies to all endpoints in your organization that are protected by Cortex XDR. Creating a global exception for a vitally important piece of software that is known to be benign would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization.

To create a global exception, you need to follow these steps:

In the Cortex XDR management console, go toPolicy Management > Exceptionsand clickAdd Exception.

Select theGlobal Exceptionoption and clickNext.

Enter a name and description for the exception and clickNext.

Select the type of exception you want to create, such as file, process, or behavior, and clickNext.

Specify the criteria for the exception, such as file name, hash, path, process name, command line, or behavior name, and clickNext.

Review the summary of the exception and clickFinish.

Create Global Exceptions: This document explains how to create global exceptions to exclude specific files, processes, or behaviors from being blocked or detected by Cortex XDR.

Exceptions Overview: This document provides an overview of exceptions and how they can be used to fine-tune the Cortex XDR security policy.

Remediation Suggestions is a feature of Cortex XDR that provides you with recommended actions to remediate the root cause and impact of an incident. Remediation Suggestions are based on the analysis of the causality chain, the behavior of the malicious files or processes, and the best practices for incident response. Remediation Suggestions can help you to quickly and effectively contain and resolve an incident, as well as prevent future recurrence.

To activate Remediation Suggestions, you need to follow these steps:

In the Cortex XDR management console, go toIncidentsand select an incident that you want to remediate.

ClickCausality Viewto see the graphical representation of the causality chain of the incident.

ClickActionsand selectRemediation Suggestions. This will open a new window that shows the suggested actions for each node in the causality chain.

Review the suggested actions and select the ones that you want to apply. You can also edit or delete the suggested actions, or add your own custom actions.

ClickApplyto execute the selected actions on the affected endpoints. You can also schedule the actions to run at a later time or date.

Remediate Changes from Malicious Activity: This document explains how to use Remediation Suggestions to remediate the root cause and impact of an incident.

Causality View: This document describes how to use Causality View to investigate the causality chain of an incident.