Question 69 - PCDRA discussion

Which of the following represents the correct relation of alerts to incidents?

A.
Only alerts with the same host are grouped together into one Incident in a given time frame.
B.
Alerts that occur within a three-hour time frame are grouped together into one Incident.
C.
Alerts with same causality chains that occur within a given time frame are grouped together into an Incident.
D.
Every alert creates a new Incident.
Suggested answer: C

Explanation:

The correct relation is that alerts on the same causality chain that occur within a given time frame are grouped into one incident. A causality chain is the sequence of related events (process launches, file, registry and network activity) that Cortex XDR traces back to a common originating process, so alerts on the same chain describe the same underlying activity, whether that is a malware infection, lateral movement or data exfiltration. To decide whether alerts belong together, Cortex XDR applies a set of grouping rules that take into account different attributes of the alerts, such as the alert source, type and time period. Grouping related alerts into incidents reduces the number of individual events an analyst has to review and presents a complete picture of the attack with rich investigative details [1].

Option A is incorrect: sharing a host is not by itself a grouping criterion. Alerts on the same host may belong to different causality chains, or may be unrelated to any malicious activity, and conversely a single chain (for example, lateral movement) can span several hosts. If a host shows both a malware infection and a network anomaly, those alerts are not placed in the same incident unless they are part of the same attack.

Option B is incorrect: a three-hour window is not by itself the criterion. Time is only one of the attributes considered, and alerts that fall within any fixed window may belong to different causality chains, or may be unrelated to malicious activity. A file download and a registry modification on the same host within three hours are not grouped into one incident unless they belong to the same attack.

Option D is incorrect: every alert does not create a new incident. Opening an incident per alert would inflate the queue, cause alert fatigue and make investigations inefficient. Cortex XDR instead adds an alert to an existing incident when it matches one on its causality chain and the other attributes above, and creates a new incident only when no existing incident fits.

References:

[1] Cortex XDR: Stop Breaches with AI-Powered Cybersecurity

[2] Palo Alto Networks Cortex XDR Documentation, Incident Management Overview

Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA) Study Guide, page 9
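The following is an added example, not code from the page or from Palo Alto Networks: a toy model of the grouping rule the explanation describes, written to show why options A, B and D fail and C holds. It is not Cortex XDR's own incident engine. The field names (`causality_id`, `host`, `category`), the sample alerts and the default three-hour window are assumptions made for illustration.

```python
# Added example: a toy model of the alert-to-incident grouping rule the
# explanation describes. It is NOT Cortex XDR's own engine; the field names
# (causality_id, host, category) and the 3-hour default window are assumptions
# made for illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    causality_id: str      # assumed: id of the causality chain the alert sits on
    category: str
    timestamp: datetime


@dataclass
class Incident:
    incident_id: int
    causality_id: str
    alerts: list = field(default_factory=list)

    @property
    def last_seen(self) -> datetime:
        """Timestamp of the most recent alert already in this incident."""
        return max(a.timestamp for a in self.alerts)


def group_alerts_into_incidents(alerts, window=timedelta(hours=3)):
    """Group alerts that share a causality chain AND fall within `window`
    of the incident's most recent alert.

    Host is deliberately not a grouping key (option A), time alone is not
    enough (option B), and alerts join an existing incident when they fit
    instead of always opening a new one (option D).
    """
    incidents = []
    open_by_chain = {}   # causality_id -> the most recent incident for that chain
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        incident = open_by_chain.get(alert.causality_id)
        if incident is not None and alert.timestamp - incident.last_seen <= window:
            incident.alerts.append(alert)          # same chain, close in time: merge
        else:
            incident = Incident(len(incidents) + 1, alert.causality_id, [alert])
            incidents.append(incident)             # new chain, or the chain went quiet
            open_by_chain[alert.causality_id] = incident
    return incidents


def incident_summary(alerts, window_hours=3):
    """Return the alert ids of each incident, in creation order."""
    incidents = group_alerts_into_incidents(alerts, timedelta(hours=window_hours))
    return [[a.alert_id for a in inc.alerts] for inc in incidents]


# Constructed sample alerts (not real telemetry) exercising the four options.
T0 = datetime(2024, 9, 23, 9, 0)
SAMPLE_ALERTS = [
    Alert("a1", "host1", "cid-A", "malware",           T0),
    Alert("a2", "host1", "cid-A", "lateral_movement",  T0 + timedelta(minutes=20)),
    # same host as a1/a2 and inside three hours, but a different chain
    Alert("a3", "host1", "cid-B", "network_anomaly",   T0 + timedelta(minutes=30)),
    # different host, but the lateral movement continues chain cid-A
    Alert("a4", "host2", "cid-A", "credential_dump",   T0 + timedelta(hours=1)),
    # same chain, but four hours after the chain's last alert
    Alert("a5", "host1", "cid-A", "data_exfiltration", T0 + timedelta(hours=5)),
]

if __name__ == "__main__":
    for n, ids in enumerate(incident_summary(SAMPLE_ALERTS), start=1):
        print(f"incident {n}: {ids}")
```

With the default window the five sample alerts collapse into three incidents: a1, a2 and a4 (one chain across two hosts), a3 on its own (same host, different chain, inside three hours), and a5 on its own (same chain, but the chain had been quiet for four hours). Widening the window to five hours pulls a5 back into the first incident, which is the only effect time has in this model.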

asked 23/09/2024
Tuan Nguyen