ExamGecko

Palo Alto Networks PCDRA Practice Test - Questions Answers, Page 4


Question 31


Phishing belongs to which of the following MITRE ATT&CK tactics?

A.
Initial Access, Persistence
B.
Persistence, Command and Control
C.
Reconnaissance, Persistence
D.
Reconnaissance, Initial Access
Suggested answer: D

Explanation:

Phishing is a technique that belongs to two MITRE ATT&CK tactics: Reconnaissance and Initial Access. Reconnaissance is the process of gathering information about a target before launching an attack. Phishing for information is a sub-technique of Reconnaissance that involves sending phishing messages to elicit sensitive information that can be used during targeting. Initial Access is the process of gaining a foothold in a network or system. Phishing is a sub-technique of Initial Access that involves sending phishing messages to execute malicious code on victim systems. Phishing can be used for both Reconnaissance and Initial Access depending on the objective and content of the phishing message.

Reference:

1. Phishing, Technique T1566 - Enterprise | MITRE ATT&CK
2. Phishing for Information, Technique T1598 - Enterprise | MITRE ATT&CK
3. Phishing for information, Part 2: Tactics and techniques
4. PHISHING AND THE MITRE ATT&CK FRAMEWORK - EnterpriseTalk
5. Initial Access, Tactic TA0001 - Enterprise | MITRE ATT&CK

asked 23/09/2024
Manuela Kays

Question 32


When creating a BIOC rule, which XQL query can be used?

A.
dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'
B.
dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'
C.
dataset = xdr_data | filter action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe' | fields action_process_image
D.
dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'
Suggested answer: B

Explanation:

A BIOC rule is a custom detection rule that uses the Cortex Query Language (XQL) to define the behavior or actions that indicate a potential threat. A BIOC rule can use the xdr_data and cloud_audit_log datasets and presets for these datasets. A BIOC rule can also use the filter stage, alter stage, and functions without any aggregations in the XQL query. The query must return a single field named action_process_image, which is the process image name of the suspicious process. The query must also include the event_type and event_sub_type fields in the filter stage to specify the type and sub-type of the event that triggers the rule.

Option B is the correct answer because it meets all the requirements for a valid BIOC rule query. It uses the xdr_data dataset, the filter stage, the event_type and event_sub_type fields, and the action_process_image_name field with a regular expression to match any process image name that ends with .pdf.exe or .docx.exe, which are common indicators of malicious files.

Option A is incorrect because it does not include the event_type field in the filter stage, which is mandatory for a BIOC rule query.

Option C is incorrect because it does not include the event_type and event_sub_type fields in the filter stage, and it uses the fields stage, which is not supported for a BIOC rule query. It also returns the action_process_image field instead of the action_process_image_name field, which is the expected output for a BIOC rule query.

Option D is incorrect because it uses the event_behavior field, which is not supported for a BIOC rule query. It also does not include the event_type field in the filter stage, and it uses the event_sub_type field incorrectly. The event_sub_type field should be equal to PROCESS_START, not true.

Working with BIOCs

Cortex Query Language (XQL) Reference

asked 23/09/2024
Herbert Hartwell
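As an added example (not part of this page or of Palo Alto Networks' own tooling), the Python below applies the constraints the explanation states for a BIOC query to the four candidate queries and checks the double-extension regex against constructed process names. The stage splitter, the lint rules and the use of `re.search` to stand in for XQL's `~=` operator are assumptions, not the behaviour of the real XQL engine.

```python
import re

# The four candidate queries from the question, copied verbatim (raw strings preserve the backslashes).
CANDIDATES = {
    "A": r"dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'",
    "B": r"dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'",
    "C": r"dataset = xdr_data | filter action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe' | fields action_process_image",
    "D": r"dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= '.*?\.(?:pdf|docx)\.exe'",
}

# Stages the explanation allows in a BIOC query (filter and alter; no aggregations, no fields stage). Assumed.
ALLOWED_STAGES = {"filter", "alter"}
# One predicate: field, comparison operator, then a quoted literal or a bare token.
CLAUSE = re.compile(r"\w+\s*(?:=|!=|~=)\s*(?:'[^']*'|\"[^\"]*\"|\S+)")
# The question's regex; applied with re.search, which is assumed to mirror XQL's ~= operator.
IMAGE_NAME_PATTERN = re.compile(r".*?\.(?:pdf|docx)\.exe")


def split_stages(query):
    """Split on '|' outside quotes so the '|' inside the regex literal is not treated as a pipe."""
    stages, buf, quote = [], [], None
    for ch in query:
        if quote is None and ch == "|":
            stages.append("".join(buf).strip())
            buf = []
            continue
        if quote is None and ch in "'\"":
            quote = ch          # entering a quoted literal
        elif ch == quote:
            quote = None        # leaving it
        buf.append(ch)
    stages.append("".join(buf).strip())
    return stages


def lint_bioc_query(query):
    """Return the violations of the explanation's BIOC constraints; an empty list means acceptable."""
    problems, stages = [], split_stages(query)
    if not re.fullmatch(r"dataset\s*=\s*(?:xdr_data|cloud_audit_log)", stages[0]):
        problems.append("must start with dataset = xdr_data or dataset = cloud_audit_log")
    filters = []
    for stage in stages[1:]:
        keyword = stage.split(None, 1)[0] if stage else ""
        if keyword not in ALLOWED_STAGES:
            problems.append(f"stage '{keyword}' is not supported in a BIOC rule")
        elif keyword == "filter":
            filters.append(stage[len("filter"):].strip())
    if not filters:
        problems.append("missing filter stage")
    body = " and ".join(filters)
    # Predicates must be joined by and/or; a second comparison glued on without a connector is malformed.
    for clause in re.split(r"\s+(?:and|or)\s+", body):
        if clause and not CLAUSE.fullmatch(clause):
            problems.append(f"malformed predicate: {clause!r}")
    fields = set(re.findall(r"\b(\w+)\s*(?:=|!=|~=)", body))
    for required in ("event_type", "event_sub_type"):
        if required not in fields:
            problems.append(f"filter must constrain {required}")
    if "event_behavior" in fields:
        problems.append("event_behavior is not a supported BIOC field")
    return problems


def matches_double_extension(image_name):
    """True when a process image name carries the double extension the rule hunts for (e.g. invoice.pdf.exe)."""
    return IMAGE_NAME_PATTERN.search(image_name) is not None
```

Running `lint_bioc_query` over `CANDIDATES` leaves only option B without findings; A is missing `event_type`, C uses an unsupported `fields` stage and D contains both the unsupported `event_behavior` field and a predicate with no `and` before `event_sub_type`.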

Question 33


Which built-in dashboard would be the best option for an executive, if they were looking for the Mean Time to Resolution (MTTR) metric?

A.
Security Manager Dashboard
B.
Data Ingestion Dashboard
C.
Security Admin Dashboard
D.
Incident Management Dashboard
Suggested answer: D

Explanation:

The Incident Management Dashboard provides a high-level overview of the incident response process, including the Mean Time to Resolution (MTTR) metric. This metric measures the average time it takes to resolve an incident from the moment it is created to the moment it is closed. The dashboard also shows the number of incidents by status, severity, and assigned analyst, as well as the top alerts by category, source, and destination. The Incident Management Dashboard is designed for executives and managers who want to monitor the performance and efficiency of their security teams.

Reference: [PCDRA Study Guide], page 18.

asked 23/09/2024
Emmanuel Yeboah

Question 34


What are two purposes of "Respond to Malicious Causality Chains" in a Cortex XDR Windows Malware profile? (Choose two.)

A.
Automatically close the connections involved in malicious traffic.
B.
Automatically kill the processes involved in malicious activity.
C.
Automatically terminate the threads involved in malicious activity.
D.
Automatically block the IP addresses involved in malicious traffic.
Suggested answer: B, D

Explanation:

The "Respond to Malicious Causality Chains" feature in a Cortex XDR Windows Malware profile allows the agent to take automatic actions against network connections and processes that are involved in malicious activity on the endpoint. The feature has two modes: Block IP Address and Kill Process [1].

The two purposes of "Respond to Malicious Causality Chains" in a Cortex XDR Windows Malware profile are:

Automatically kill the processes involved in malicious activity. This can help to stop the malware from spreading or doing any further damage.

Automatically block the IP addresses involved in malicious traffic. This can help to prevent the malware from communicating with its command and control server or other malicious hosts.

The other two options, automatically close the connections involved in malicious traffic and automatically terminate the threads involved in malicious activity, are not specific to "Respond to Malicious Causality Chains". They are general security measures that the agent can perform regardless of the feature.

Reference:

1. Cortex XDR Agent Security Profiles
2. Cortex XDR Agent 7.5 Release Notes
3. PCDRA: What are purposes of "Respond to Malicious Causality Chains" in ...

asked 23/09/2024
Verónica Crespo

Question 35


When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?

A.
Click the three dots on the widget and then choose "Save" and this will link the query to the Widget Library.
B.
This isn't supported, you have to exit the dashboard and go into the Widget Library first to create it.
C.
Click on "Save to Action Center" in the dashboard and you will be prompted to give the query a name and description.
D.
Click on "Save to Widget Library" in the dashboard and you will be prompted to give the query a name and description.
Suggested answer: D

Explanation:

To save a custom XQL query to the Widget Library, you need to click on "Save to Widget Library" in the dashboard and you will be prompted to give the query a name and description. This will allow you to reuse the query in other dashboards or reports. You cannot save a query to the Widget Library by clicking the three dots on the widget, as this will only give you options to edit, delete, or clone the widget. You also cannot save a query to the Action Center, as this is a different feature that allows you to create alerts or remediation actions based on the query results. You do not have to exit the dashboard and go into the Widget Library first to create a query, as you can do it directly from the dashboard.

Reference:

1. Cortex XDR Pro Admin Guide: Save a Custom Query to the Widget Library
2. Cortex XDR Pro Admin Guide: Create a Dashboard

asked 23/09/2024
Anand Prakash

Question 36


What license would be required for ingesting external logs from various vendors?

A.
Cortex XDR Pro per Endpoint
B.
Cortex XDR Vendor Agnostic Pro
C.
Cortex XDR Pro per TB
D.
Cortex XDR Cloud per Host
Suggested answer: C

Explanation:

To ingest external logs from various vendors, you need a Cortex XDR Pro per TB license. This license allows you to collect and analyze logs from Palo Alto Networks and third-party sources, such as firewalls, proxies, endpoints, cloud services, and more. You can use the Log Forwarding app to forward logs from the Logging Service to an external syslog receiver. The Cortex XDR Pro per Endpoint license only supports logs from Cortex XDR agents installed on endpoints. The Cortex XDR Vendor Agnostic Pro and Cortex XDR Cloud per Host licenses do not exist.

Reference:

1. Features by Cortex XDR License Type
2. Log Forwarding App for Cortex XDR Analytics
3. SaaS Log Collection

asked 23/09/2024
Rachana Kesarkar

Question 37


An attacker tries to load dynamic libraries on macOS from an unsecure location. Which Cortex XDR module can prevent this attack?

A.
DDL Security
B.
Hot Patch Protection
C.
Kernel Integrity Monitor (KIM)
D.
Dylib Hijacking
Suggested answer: D

Explanation:

The correct answer is D. Dylib Hijacking. Dylib Hijacking, also known as Dynamic Library Hijacking, is a technique used by attackers to load malicious dynamic libraries on macOS from an unsecure location. This technique takes advantage of the way macOS searches for dynamic libraries to load when an application is executed. To prevent such attacks, Palo Alto Networks offers the Dylib Hijacking prevention capability as part of their Cortex XDR platform. This capability is designed to detect and block attempts to load dynamic libraries from unauthorized or unsecure locations [1].

Let's briefly discuss the other options to provide a comprehensive explanation:

A) DDL Security: This is not the correct answer. DDL Security is not specifically designed to prevent dynamic library loading attacks on macOS. DDL Security is focused on protecting against DLL (Dynamic Link Library) hijacking on Windows systems [2].

B) Hot Patch Protection: Hot Patch Protection is not directly related to preventing dynamic library loading attacks. It is a security feature that protects against runtime patching or modification of code in memory, often used by advanced attackers to bypass security measures [3]. While Hot Patch Protection is a valuable security feature, it is not directly relevant to the scenario described.

C) Kernel Integrity Monitor (KIM): Kernel Integrity Monitor is also not the correct answer. KIM is a module in Cortex XDR that focuses on monitoring and protecting the integrity of the macOS kernel. It detects and prevents unauthorized modifications to critical kernel components [4]. While KIM plays an essential role in overall macOS security, it does not specifically address the prevention of dynamic library loading attacks.

In conclusion, Dylib Hijacking is the Cortex XDR module that specifically addresses the prevention of attackers loading dynamic libraries from unsecure locations on macOS. By leveraging this module, organizations can enhance their security posture and protect against this specific attack vector.

Reference:

1. Endpoint Protection Modules
2. DDL Security
3. Hot Patch Protection
4. Kernel Integrity Monitor

asked 23/09/2024
Brandon Walters

Question 38


What is the purpose of the Unit42 team?

A.
Unit42 is responsible for automation and orchestration of products
B.
Unit42 is responsible for the configuration optimization of the Cortex XDR server
C.
Unit42 is responsible for threat research, malware analysis and threat hunting
D.
Unit42 is responsible for the rapid deployment of Cortex XDR agents
Suggested answer: C

Explanation:

Unit 42 is the threat intelligence and response team of Palo Alto Networks. The purpose of Unit 42 is to collect and analyze the most up-to-date threat intelligence and apply it to respond to cyberattacks. Unit 42 is composed of world-renowned threat researchers, incident responders and security consultants who help organizations proactively manage cyber risk. Unit 42 is responsible for threat research, malware analysis and threat hunting, among other activities [1][2].

Let's briefly discuss the other options to provide a comprehensive explanation:

A) Unit 42 is not responsible for automation and orchestration of products. Automation and orchestration are capabilities that are provided by Palo Alto Networks products such as Cortex XSOAR, which is a security orchestration, automation and response platform that helps security teams automate tasks, coordinate actions and manage incidents [3].

B) Unit 42 is not responsible for the configuration optimization of the Cortex XDR server. The Cortex XDR server is the cloud-based platform that provides detection and response capabilities across network, endpoint and cloud data sources. The configuration optimization of the Cortex XDR server is the responsibility of the Cortex XDR administrators, who can use the Cortex XDR app to manage the settings and policies of the Cortex XDR server [4].

D) Unit 42 is not responsible for the rapid deployment of Cortex XDR agents. The Cortex XDR agents are the software components that are installed on endpoints to provide protection and visibility. The rapid deployment of Cortex XDR agents is the responsibility of the Cortex XDR administrators, who can use various methods such as group policy objects, scripts, or third-party tools to deploy the Cortex XDR agents to multiple endpoints [5].

In conclusion, Unit 42 is the threat intelligence and response team of Palo Alto Networks that is responsible for threat research, malware analysis and threat hunting. By leveraging the expertise and insights of Unit 42, organizations can enhance their security posture and protect against the latest cyberthreats.

Reference:

1. About Unit 42: Our Mission and Team
2. Unit 42: Threat Intelligence & Response
3. Cortex XSOAR
4. Cortex XDR Pro Admin Guide: Manage Cortex XDR Settings and Policies
5. Cortex XDR Pro Admin Guide: Deploy Cortex XDR Agents

asked 23/09/2024
gayathri devi

Question 39


Which Type of IOC can you define in Cortex XDR?

A.
destination port
B.
e-mail address
C.
full path
D.
App-ID
Suggested answer: C

Explanation:

Cortex XDR allows you to define IOCs based on various criteria, such as file hashes, registry keys, IP addresses, domain names, and full paths. A full path IOC is a specific location of a file or folder on an endpoint, such as C:\Windows\System32\calc.exe. You can use full path IOCs to detect and respond to malicious files or folders that are located in known locations on your endpoints [1][2].

Let's briefly discuss the other options to provide a comprehensive explanation:

A) destination port: This is not the correct answer. Destination port is not a type of IOC that you can define in Cortex XDR. Destination port is a network attribute that indicates the port number to which a packet is sent. Cortex XDR does not support defining IOCs based on destination ports, but you can use XQL queries to filter network events by destination ports [3].

B) e-mail address: This is not the correct answer. E-mail address is not a type of IOC that you can define in Cortex XDR. E-mail address is an identifier that is used to send and receive e-mails. Cortex XDR does not support defining IOCs based on e-mail addresses, but you can use the Cortex XDR - IOC integration with Cortex XSOAR to ingest IOCs from various sources, including e-mail addresses [4].

D) App-ID: This is not the correct answer. App-ID is not a type of IOC that you can define in Cortex XDR. App-ID is a feature of Palo Alto Networks firewalls that identifies and controls applications on the network. Cortex XDR does not support defining IOCs based on App-IDs, but you can use the Cortex XDR Analytics app to create custom rules that use App-IDs as part of the rule logic [5].

In conclusion, full path is the type of IOC that you can define in Cortex XDR. By using full path IOCs, you can enhance your detection and response capabilities and protect your endpoints from malicious files or folders.

Reference:

1. Create an IOC Rule
2. XQL Reference Guide: Network Events Schema
3. Cortex XDR - IOC
4. Cortex XDR Analytics App
5. PCDRA: Which Type of IOC can define in Cortex XDR?

asked 23/09/2024
Latonya Ganison

Question 40


When viewing the incident directly, what is the "assigned to" field value of a new Incident that was just reported to Cortex?

A.
Pending
B.
It is blank
C.
Unassigned
D.
New
Suggested answer: C

Explanation:

The "assigned to" field value of a new incident that was just reported to Cortex is "Unassigned". This means that the incident has not been assigned to any analyst or group yet, and it is waiting for someone to take ownership of it. The "assigned to" field is one of the default fields that are displayed in the incident layout, and it can be used to filter and sort incidents in the incident list. The "assigned to" field can be changed manually by an analyst, or automatically by a playbook or a rule [1][2].

Let's briefly discuss the other options to provide a comprehensive explanation:

A) Pending: This is not the correct answer. Pending is not a valid value for the "assigned to" field. Pending is a possible value for the "status" field, which indicates the current state of the incident. The status field can have values such as "New", "Active", "Done", "Closed", or "Pending" [3].

B) It is blank: This is not the correct answer. The "assigned to" field is never blank for any incident. It always has a default value of "Unassigned" for new incidents, unless a playbook or a rule assigns it to a specific analyst or group [1][2].

D) New: This is not the correct answer. New is not a valid value for the "assigned to" field. New is a possible value for the "status" field, which indicates the current state of the incident. The status field can have values such as "New", "Active", "Done", "Closed", or "Pending" [3].

In conclusion, the "assigned to" field value of a new incident that was just reported to Cortex is "Unassigned". This field can be used to manage the ownership and responsibility of incidents, and it can be changed manually or automatically.

Reference:

1. Cortex XDR Pro Admin Guide: Manage Incidents
2. Cortex XDR Pro Admin Guide: Assign Incidents
3. Cortex XDR Pro Admin Guide: Update Incident Status

asked 23/09/2024
Robert L Swafford