PCDRA Exam - 20240324

2024/3/24 12:17 PM PCDRA Exam - Free Actual Q&As, Page 1 | ExamTopics

Topic 1 - Exam A

Question #1 Topic 1

Phishing belongs to which of the following MITRE ATT&CK tactics?

A. Initial Access, Persistence

B. Persistence, Command and Control

C. Reconnaissance, Persistence

D. Reconnaissance, Initial Access

Correct Answer: D

Community vote distribution


D (100%)

  pkevinkou 8 months, 4 weeks ago

Selected Answer: D

D, Correct
upvoted 1 times

Question #2 Topic 1

When creating a BIOC rule, which XQL query can be used?

A. dataset = xdr_data
| filter event_sub_type = PROCESS_START and
action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

B. dataset = xdr_data
| filter event_type = PROCESS and
event_sub_type = PROCESS_START and
action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

C. dataset = xdr_data
| filter action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
| fields action_process_image

D. dataset = xdr_data
| filter event_behavior = true
event_sub_type = PROCESS_START and
action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

Correct Answer: B

Community vote distribution


B (100%)

  nobody165456131354 2 months, 1 week ago

Selected Answer: B

Correct answer is: B


A: missing event_type
C: wrong action_process_image
D: wrong event_behaviour
upvoted 1 times

  9smiles 10 months ago


Correct answer is: B

"The XQL query must at a minimum filter on the event_type field in order for it to be a valid BIOC rule."
upvoted 1 times

Question #3 Topic 1

Which built-in dashboard would be the best option for an executive, if they were looking for the Mean Time to Resolution (MTTR) metric?

A. Security Manager Dashboard

B. Data Ingestion Dashboard

C. Security Admin Dashboard

D. Incident Management Dashboard

Correct Answer: A

Community vote distribution


C (100%)

  Chiquitabandita 5 days, 15 hours ago

Selected Answer: C

per the admin guide pg. 667


upvoted 1 times

  XuannnnOAO 5 months, 2 weeks ago


A is wrong. C is correct answer
upvoted 2 times

  unns12 6 months ago


A is wrong. C is correct answer
upvoted 2 times

  cneru1 9 months, 2 weeks ago


C is the correct answer. It is on the Security Admin dashboard - upper right hand side
upvoted 1 times

  Indy_k 1 year ago


C is the right answer. The Mean Time to Resolution (MTTR) metric is inside the Security Admin Dashboard
upvoted 1 times

Question #4 Topic 1

What are two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile? (Choose two.)

A. Automatically close the connections involved in malicious traffic.

B. Automatically kill the processes involved in malicious activity.

C. Automatically terminate the threads involved in malicious activity.

D. Automatically block the IP addresses involved in malicious traffic.

Correct Answer: AD

Community vote distribution


AD (100%)

  news088 4 months, 3 weeks ago


selected answer AD
https://live.paloaltonetworks.com/t5/community-blogs/cortex-xdr-agent-7-3-new-features/ba-p/383329
upvoted 2 times

  sharkk43 4 months, 3 weeks ago


Selected Answer: AD

I say it's A and D because of what I'm just reading off the official course in the section "Respond to Malicious Causality Chains". It goes like this:
"When the Cortex XDR agent detects a malicious activity, the Respond to Malicious Causality Chains module inspects the network connections
opened by the processes involved in the attack to identify malicious IP addresses."
To me that's A and D, not A and C.
upvoted 2 times

  sharkk43 4 months, 3 weeks ago


Forgot to add the second part:
"If such network connections are found, this protection module can automatically close all the network connections and block new connection
requests from these IP addresses."
upvoted 2 times

  XuannnnOAO 5 months, 2 weeks ago


CD is correct
upvoted 1 times

  unns12 6 months ago


CD is correct
upvoted 2 times

  Karreldanam 9 months, 3 weeks ago

Selected Answer: AD

(Windows only) Respond to Malicious Causality Chains.

When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all existing communication and block new connections from this IP address to the endpoint. When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate.
upvoted 3 times

Question #5 Topic 1

When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?

A. Click the three dots on the widget and then choose “Save” and this will link the query to the Widget Library.

B. This isn’t supported, you have to exit the dashboard and go into the Widget Library first to create it.

C. Click on “Save to Action Center” in the dashboard and you will be prompted to give the query a name and description.

D. Click on “Save to Widget Library” in the dashboard and you will be prompted to give the query a name and description.

Correct Answer: D

Community vote distribution


D (100%)

  Chiquitabandita 5 days, 15 hours ago

Selected Answer: D

Select
Save to Widget Library
to pivot to the Widget Library and generate a custom widget based on the query results. from admin guide pg. 212
upvoted 1 times

  unns12 6 months ago


D - SAVE AS WITH 2 choices only 'QUERY library' or 'widget to library'
upvoted 1 times

  cneru1 9 months, 2 weeks ago


It's actually "save as", then 4 choices - BIOC Rule - Correlation Rule - Query to Library - Widget to Library.
upvoted 1 times

Question #6 Topic 1

What license would be required for ingesting external logs from various vendors?

A. Cortex XDR Pro per Endpoint

B. Cortex XDR Vendor Agnostic Pro

C. Cortex XDR Pro per TB

D. Cortex XDR Cloud per Host

Correct Answer: C

Community vote distribution


C (100%)

  Chiquitabandita 5 days, 15 hours ago

Selected Answer: C

LICENSE TYPE:
Ingesting Logs and Data from external sources requires a Cortex XDR Pro per GB license.
To receive Syslog data from an external source, you must first set up the Syslog Collector applet on a Broker VM within your network.
upvoted 1 times

  9smiles 6 months, 3 weeks ago


From CXPAG: Ingesting logs and data requires a Cortex XDR Pro per GB license.

They have now changed the name of the license to "Pro per GB license" instead of TB.
upvoted 2 times

Question #7 Topic 1

An attacker tries to load dynamic libraries on macOS from an unsecure location. Which Cortex XDR module can prevent this attack?

A. DDL Security

B. Hot Patch Protection

C. Kernel Integrity Monitor (KIM)

D. Dylib Hijacking

Correct Answer: D

Community vote distribution


D (100%)

  Chiquitabandita 5 days, 15 hours ago

Selected Answer: D

Mac operating systems" from admin guide pg. 85


upvoted 1 times

  Karreldanam 9 months, 3 weeks ago

Selected Answer: D

Dylib Hijacking

Prevents Dylib-hijacking attacks where the attacker attempts to load dynamic libraries on Mac operating systems from unsecured locations to gain
control of a process.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Endpoint-Protection-Modules
upvoted 3 times

Question #8 Topic 1

What is the purpose of the Unit 42 team?

A. Unit 42 is responsible for automation and orchestration of products

B. Unit 42 is responsible for the configuration optimization of the Cortex XDR server

C. Unit 42 is responsible for threat research, malware analysis and threat hunting

D. Unit 42 is responsible for the rapid deployment of Cortex XDR agents

Correct Answer: C

  9smiles 6 months, 3 weeks ago


Correct answer is C
upvoted 1 times

Question #9 Topic 1

Which Type of IOC can you define in Cortex XDR?

A. destination port

B. e-mail address

C. full path

D. App-ID

Correct Answer: C

Community vote distribution


C (100%)

  Chiquitabandita 5 days, 15 hours ago

Selected Answer: C

ii. TYPE indicates the type of indicators, such as Full Path, File Name, Domain, and Hash.
upvoted 1 times

  Karreldanam 9 months, 3 weeks ago

Selected Answer: C

5.1.1 Explain the purpose and use of the IOC technique


Indicators of compromise (IOCs) are the artifacts that are considered malicious or suspicious. IOCs are static and based on criteria such as:
● Full path
● File name
● Domain
● Destination IP address
● MD5 hash
● SHA-256
upvoted 2 times

Question #10 Topic 1

When viewing the incident directly, what is the “assigned to” field value of a new Incident that was just reported to Cortex?

A. Pending

B. It is blank

C. Unassigned

D. New

Correct Answer: D

Community vote distribution


C (100%)

  cneru1 Highly Voted  8 months, 1 week ago

From Admin Guide: Assigned To: The user to which the incident is assigned. The assignee tracks which analyst is responsible for investigating the threat. Incidents that have not been assigned have a status of Unassigned. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Incidents
upvoted 5 times

  Chiquitabandita Most Recent  5 days, 15 hours ago

Selected Answer: C

in the admin guide pg. 230


upvoted 1 times

  nobody165456131354 2 weeks, 5 days ago

Selected Answer: C

Unassigned
upvoted 1 times

  jose010696 2 months, 2 weeks ago

Selected Answer: C

C. is the right answer.


upvoted 2 times

  darylmaeb24 4 months ago


C. Unassigned
upvoted 1 times

  Indy_k 1 year ago


C is the right answer. It's the status field that will be set to New. The assigned to field will be set to Unassigned
upvoted 4 times

Question #11 Topic 1

In incident-related widgets, how would you filter the display to only show incidents that were “starred”?

A. Create a custom XQL widget

B. This is not currently supported

C. Create a custom report and filter on starred incidents

D. Click the star in the widget

Correct Answer: D

Community vote distribution


D (100%)

  Chiquitabandita 5 days, 15 hours ago

Selected Answer: D

pg. 675 in guide


upvoted 1 times

  9smiles 6 months, 3 weeks ago

Selected Answer: D

D is correct. Tried this


upvoted 3 times

Question #12 Topic 1

Where would you view the WildFire report in an incident?

A. next to relevant Key Artifacts in the incidents details page

B. under Response --> Action Center

C. under the gear icon --> Agent Audit Logs

D. on the HUB page at apps.paloaltonetworks.com

Correct Answer: B

Community vote distribution


A (100%)

  Davina07 Highly Voted  9 months, 1 week ago

Selected Answer: A

I vote A
upvoted 6 times

  cneru1 Highly Voted  9 months, 2 weeks ago

It is definitely A
upvoted 5 times

  Zubair2131 Most Recent  6 days, 22 hours ago

A is the Correct Answer


upvoted 1 times

  Chiquitabandita 1 week, 4 days ago


Selected Answer: A

"The WildFire verdict displays next to relevant Key Artifacts in the incidents details page, the causality view, and within the Live Terminal view of
processes."

From the cortex xdr admin guide


upvoted 1 times

  jose010696 3 months, 1 week ago

Selected Answer: A

That's ok.
upvoted 1 times

  darylmaeb24 4 months ago


This should be letter A
upvoted 2 times

  sharkk43 4 months, 3 weeks ago


Yeah, it's A
upvoted 2 times

  unns12 6 months ago


A - open incident and check
upvoted 2 times

  im2ca 8 months ago


Correct Answer is A
upvoted 3 times

  escar 10 months, 3 weeks ago


the question is about wf report in the incident
Should be A
upvoted 4 times

  examlog 11 months, 2 weeks ago


D. on the HUB page at apps.paloaltonetworks.com
Correct Answer
upvoted 1 times

  Indy_k 1 year ago


A seems to be the correct answer.
upvoted 4 times

Question #13 Topic 1

What does the following output tell us?

A. There is one low severity incident.

B. Host shpapy_win10 had the most vulnerabilities.

C. There is one informational severity alert.

D. This is an actual output of the Top 10 hosts with the most malware.

Correct Answer: D

Community vote distribution


A (100%)

  9smiles Highly Voted  6 months, 3 weeks ago

Selected Answer: A

Answer should be A. The blue color codes for low severity incidents.
upvoted 7 times

  Conkerzin Most Recent  3 days, 12 hours ago

answer is A.
upvoted 1 times

  Chiquitabandita 5 days, 14 hours ago


Selected Answer: A

I agree that A is right for the 1 blue low severity


upvoted 1 times

  SpTester 2 months, 1 week ago

Selected Answer: A

Answer should be A. The blue color codes for low severity incidents.
upvoted 2 times

Question #14 Topic 1

Which engine, of the following, in Cortex XDR determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident?

A. Sensor Engine

B. Causality Analysis Engine

C. Log Stitching Engine

D. Causality Chain Engine

Correct Answer: B

Community vote distribution


B (100%)

  Chiquitabandita 5 days, 14 hours ago

Selected Answer: B

pg . 12
upvoted 1 times

  9smiles 6 months, 3 weeks ago

Selected Answer: B

From CXPAD:

The Causality Analysis Engine determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident.
upvoted 4 times

Question #15 Topic 1

Which type of BIOC rule is currently available in Cortex XDR?

A. Threat Actor

B. Discovery

C. Network

D. Dropper

Correct Answer: D

Community vote distribution


D (75%) B (25%)

  _tips 6 months ago

Selected Answer: D

Dropper
upvoted 1 times

  im2ca 8 months ago


D is the only correct answer.

Type of BIOC rule:

Collection
Credential Access
Dropper
Evasion
Execution
Evasive
Exfiltration
File Privilege Manipulation
File Type Obfuscation
Infiltration
Lateral Movement
Other
Persistence
Privilege Escalation
Reconnaissance
Tampering
upvoted 3 times

  Karreldanam 9 months, 3 weeks ago

Selected Answer: D

Type of BIOC rule:


● Collection
● Credential Access
● Dropper
● Evasion
● Execution
● Evasive
● Exfiltration
● File Privilege Manipulation
● File Type Obfuscation
● Infiltration
● Lateral Movement
● Other
● Persistence
● Privilege Escalation
● Reconnaissance
● Tampering
upvoted 2 times

  PANW 8 months, 3 weeks ago


https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/BIOC-Rule-Details
upvoted 1 times

  escar 10 months, 2 weeks ago

Selected Answer: B

Both B & D are correct??
upvoted 1 times

  cneru1 9 months, 2 weeks ago


No Just D
upvoted 1 times

Question #16 Topic 1

In Windows and macOS you need to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. What is one way to add an exception for the signer?

A. In the Restrictions Profile, add the file name and path to the Executable Files allow list.

B. Create a new rule exception and use the signer as the characteristic.

C. Add the signer to the allow list in the malware profile.

D. Add the signer to the allow list under the action center page.

Correct Answer: C

Community vote distribution


C (100%)

  Chiquitabandita 1 day, 12 hours ago

Selected Answer: C

I agree with C based on links below


upvoted 1 times

  sharkk43 4 months, 3 weeks ago


I'd say C is for 3.5 version and older and B is for newer versions:

"Add a Disable Prevention Rule


Cortex XDR enables you to generate granular exceptions to prevention actions defined for your endpoints. You can specify signers, command line,
or processes to exclude from the prevention actions triggered by specific security modules. This may be useful when you have processes that are
essential to your organization and must not be terminated. Cortex XDR still generates Alerts from the disabled rules."
Checking inside my client's platform that's what I can see and we're running 3.7 currently.
Info taken from here:
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Add-a-Disable-Prevention-Rule
upvoted 1 times

  im2ca 8 months ago


the correct option to prevent the Cortex XDR Agent from blocking the execution of a file based on the digital signer may vary depending on the
specific version and configuration of the Cortex XDR Agent. However, based on the given options, the most appropriate choice would be:

C. Add the signer to the allow list in the malware profile.

By adding the digital signer to the allow list in the malware profile, you are essentially telling the Cortex XDR Agent to trust files signed by that
specific signer and allow their execution without being blocked.

It's worth noting that cybersecurity measures and software configurations can change over time, so it's essential to refer to the official
documentation or the latest guidelines provided by the product's vendor for the most up-to-date information. Additionally, configuring security
software requires careful consideration and should be performed by knowledgeable and authorized personnel to ensure the system's security.
upvoted 2 times

Question #17 Topic 1

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to download Cobalt Strike on one of your servers. Days later, you learn about a massive ongoing supply chain attack. Using Cortex XDR you recognize that your server was compromised by the attack and that Cortex XDR prevented it. What steps can you take to ensure that the same protection is extended to all your servers?

A. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.

B. Enable DLL Protection on all servers but there might be some false positives.

C. Create IOCs of the malicious files you have found to prevent their execution.

D. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.

Correct Answer: A

  9smiles 6 months, 3 weeks ago


Please provide a reference for your claim im2ca. I have not been able to find any supporting documentation for this. Probably you are talking about
custom prevention rules, which are basically BIOC rules that you add to restriction profiles see [1], but BTP Rules are something else and their
database is not available to the public [2].

[1]: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule
[2]: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/td-p/395977
upvoted 2 times

  im2ca 8 months ago


Correct is A: You can create BTP Rules in Cortex XDR .
upvoted 2 times

  9smiles 10 months ago


About BTP rules:
Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint
activity for malicious causality chains.
You are not able to create these - only create exceptions and turn them off so A cannot be correct.

C can also not be correct since IOCs lead to detections, and do not prevent the file from running.

My guess would be B
upvoted 2 times

Question #18 Topic 1

Which statement is true based on the following Agent Auto Upgrade widget?

A. There are a total of 689 Up To Date agents.

B. Agent Auto Upgrade was enabled but not on all endpoints.

C. Agent Auto Upgrade has not been enabled.

D. There are more agents in Pending status than In Progress status.

Correct Answer: B

Community vote distribution


B (100%)

  Chiquitabandita 11 hours, 44 minutes ago

Selected Answer: B

admin guide pg. 287 and 128 clients are not configured according to this graph
upvoted 1 times

  9smiles 10 months ago


Correct answer: B
upvoted 2 times

Question #19 Topic 1

What is the purpose of targeting software vendors in a supply-chain attack?

A. to take advantage of a trusted software delivery method.

B. to steal users’ login credentials.

C. to access source code.

D. to report Zero-day vulnerabilities.

Correct Answer: B

Community vote distribution


A (100%)

  examlog Highly Voted  11 months, 2 weeks ago

A. to take advantage of a trusted software delivery method.


Correct Answer
upvoted 6 times

  SpTester Most Recent  2 months, 1 week ago

Selected Answer: A

It's to mimic the trusted software/hardware and get into networks. Answer A
upvoted 1 times

  9smiles 6 months, 3 weeks ago


Selected Answer: A

Correct answer: A
upvoted 1 times

  Davina07 9 months, 1 week ago

Selected Answer: A

Agree to A
upvoted 4 times

Question #20 Topic 1

What is the standard installation disk space recommended to install a Broker VM?

A. 1GB disk space

B. 2GB disk space

C. 512GB disk space

D. 256GB disk space

Correct Answer: C

Community vote distribution


C (100%)

  Chiquitabandita 4 days, 3 hours ago

Selected Answer: C

admin guide pg. 603


upvoted 1 times

  9smiles 10 months ago


Correct answer is C

From the CXPAG (Cortex XDR Pro Administrator Guide):


Before you set up the broker VM, verify you meet the following requirements.

Hardware: For standard installation, use a minimum of a 4-core processor, 8GB RAM, and 512GB disk. If you only intend to use the broker VM for
agent proxy, you can use a 2-core processor. If you intend to use the broker VM for agent installer and content caching, you must use an 8-core
processor.
upvoted 3 times

Question #21 Topic 1

Where can SHA256 hash values be used in Cortex XDR Malware Protection Profiles?

A. in the macOS Malware Protection Profile to indicate allowed signers

B. in the Linux Malware Protection Profile to indicate allowed Java libraries

C. SHA256 hashes cannot be used in Cortex XDR Malware Protection Profiles

D. in the Windows Malware Protection Profile to indicate allowed executables

Correct Answer: D

  Bradl 3 months, 2 weeks ago


C is the answer
upvoted 2 times

  darylmaeb24 4 months ago


answer C
upvoted 1 times

  examlog 4 months, 2 weeks ago


Correct Answer: D
upvoted 1 times

  9smiles 10 months ago


Answer is C,

Allow list has been moved from Prevention Profiles to Exceptions Configuration
upvoted 2 times

  escar 10 months, 3 weeks ago


I think it should be C, cannot find any configuration on malware profile related to hash value allow
upvoted 2 times

Question #22 Topic 1

How does Cortex XDR agent for Windows prevent ransomware attacks from compromising the file system?

A. by encrypting the disk first.

B. by utilizing decoy Files.

C. by retrieving the encryption key.

D. by patching vulnerable applications.

Correct Answer: B

  nividan 6 months, 4 weeks ago


Correct Answer: B
Behavior-Based Ransomware Protection This module protects against encryption-based behavior associated with ransomware by analyzing and
stopping ransomware activity before any data loss occurs. To combat these attacks, Cortex XDR employs decoy files to attract the ransomware.
When the ransomware attempts to write to, rename, move, delete, or encrypt the decoy files, the Cortex XDR agent analyzes the behavior and
prevents the ransomware from encrypting and holding files hostage. When configured to operate in Prevention Mode, the Cortex XDR agent
blocks the process attempting to manipulate the decoy files. When you configure this module in Notification Mode, the agent logs a security event.
upvoted 1 times

  9smiles 10 months ago


My answer would be: B
upvoted 2 times

Question #23 Topic 1

What functionality of the Broker VM would you use to ingest third-party firewall logs to the Cortex Data Lake?

A. Netflow Collector

B. Syslog Collector

C. DB Collector

D. Pathfinder

Correct Answer: B

Community vote distribution


B (100%)

  Chiquitabandita 1 day, 22 hours ago

Selected Answer: B

I agree with the link below


upvoted 1 times

  XuannnnOAO 4 months, 2 weeks ago


B is correct~
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/External-Data-Ingestion-Vendor-Support
upvoted 1 times

  im2ca 8 months ago


Correct is B
upvoted 1 times

  Davina07 9 months, 1 week ago


I think B:
"To ingest data, you must set up the Syslog Collector applet on a broker VM within your network."
upvoted 4 times

  9smiles 10 months ago


I mean: B
upvoted 2 times

  9smiles 10 months ago


Correct answer: C

From the PCDRA Study Guide:

7.5.2 Describe how to use the Broker to ingest third-party alerts


...
To ingest data, you must set up the Syslog Collector applet on a broker VM within your network.
upvoted 2 times

Question #24 Topic 1

In the deployment of which Broker VM applet are you required to install a strong cipher SHA256-based SSL certificate?

A. Agent Proxy

B. Agent Installer and Content Caching

C. Syslog Collector

D. CSV Collector

Correct Answer: B

  9smiles 10 months ago


Correct answer: B

From the Cortex XDR Pro Administrators Guide (CXPAG):

Agent Installer and Content Caching: Requires you to upload a strong cipher SHA256-based SSL certificate when you set up the Broker VM.
upvoted 2 times

Question #25 Topic 1

When is the wss (WebSocket Secure) protocol used?

A. when the Cortex XDR agent downloads new security content

B. when the Cortex XDR agent uploads alert data

C. when the Cortex XDR agent connects to WildFire to upload files for analysis

D. when the Cortex XDR agent establishes a bidirectional communication channel

Correct Answer: D

  9smiles 10 months ago


Correct answer: D

From beacon:
WebSocket is a stateful, full-duplex communication protocol that allows a two-way interactive communication between a Cortex XDR instance and Cortex XDR agents. This type of communication allows data transfers in real time by keeping sessions for longer durations. When you perform one of these critical response actions from the Cortex XDR management console, the Cortex XDR instance establishes a session between the instance itself and the targeted endpoint. Then, the session is kept alive even after the response action is complete. Live Terminal is among these response actions.
upvoted 2 times

Question #26 Topic 1

With a Cortex XDR Prevent license, which objects are considered to be sensors?

A. Syslog servers

B. Third-Party security devices

C. Cortex XDR agents

D. Palo Alto Networks Next-Generation Firewalls

Correct Answer: C

  9smiles 10 months ago


Answer I think is: C

Syslog Collector is not included in XDR Prevent, only Pro Pr. TB.
Pro Pr. TB is also required for External vendors, meaning Third Party security devices.
Prevent does not include a firewall, leaving only C since

"Cortex XDR uses your existing Palo Alto Networks products as sensors to collect logs and telemetry data."
upvoted 1 times

Question #27 Topic 1

Which license is required when deploying Cortex XDR agent on Kubernetes Clusters as a DaemonSet?

A. Cortex XDR Pro per TB

B. Host Insights

C. Cortex XDR Pro per Endpoint

D. Cortex XDR Cloud per Host

Correct Answer: D

Community vote distribution


D (100%)

  Chiquitabandita 2 days ago


Selected Answer: D

admin pg 16
upvoted 1 times

  9smiles 10 months ago


Correct answer is: D

CXPAD:
"To protect a Kubernetes or similar container orchestrator endpoint, Cortex XDR requires a Cortex Cloud per Host license."
upvoted 4 times

Question #28 Topic 1

What kind of threat typically encrypts user files?

A. ransomware

B. SQL injection attacks

C. Zero-day exploits

D. supply-chain attacks

Correct Answer: A

Community vote distribution


A (100%)

  PaddyAdallah 6 months, 3 weeks ago


Correct answer is : A
upvoted 1 times

  9smiles 6 months, 3 weeks ago

Selected Answer: A

Correct answer is: A


upvoted 1 times

Question #29 Topic 1

When using the “File Search and Destroy” feature, which of the following search hash types is supported?

A. SHA256 hash of the file

B. AES256 hash of the file

C. MD5 hash of the file

D. SHA1 hash of the file

Correct Answer: A

Community vote distribution


A (100%)

  Chiquitabandita 1 day, 22 hours ago

Selected Answer: A

I agree with the link below


upvoted 1 times

  _tips 6 months ago


Selected Answer: A

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Search-and-Destroy-Malicious-Files

Search File section

To search by hash, enter the file SHA256 value. When you search by hash, you can also search for deleted instances of this file on the endpoint.
upvoted 1 times

Question #30 Topic 1

If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?

A. Broker VM Pathfinder

B. Local Agent Proxy

C. Local Agent Installer and Content Caching

D. Broker VM Syslog Collector

Correct Answer: C

Community vote distribution


B (100%)

b1gd1g 9 months ago

B. Cortex XDR in restricted networks where endpoints do not have a direct connection to the internet, setup the Broker VM to act as a proxy
upvoted 5 times

Chiquitabandita 2 days ago

Selected Answer: B

I agree it is B
upvoted 1 times

  darylmaeb24 4 months ago


Correct Answer B
upvoted 1 times

  Blahziblah 4 months, 1 week ago


Selected Answer: B

I believe the answer is B.

Here is the admin guide, see the second bullet: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Activate-the-Local-Agent-Settings

Caching just means it will cache the data, but if it doesn't have the data it will try to go get it. This won't work in an isolated network so C isn't
correct.
upvoted 2 times


Question #31 Topic 1

What is by far the most common tactic used by ransomware to shut down a victim’s operation?

A. preventing the victim from being able to access APIs to cripple infrastructure

B. denying traffic out of the victim’s network until payment is received

C. restricting access to administrative accounts to the victim

D. encrypting certain files to prevent access by the victim

Correct Answer: D

Community vote distribution


D (100%)

  Chiquitabandita 2 days ago


admin guide pg/ 82 hints that this might be the answer
upvoted 1 times

  Chiquitabandita 2 days ago

Selected Answer: D

I didn't find it the guide but I think it is common knowledge that ransomware does this action
upvoted 1 times

  GGP23 3 weeks, 3 days ago

Selected Answer: D

D is correct.
upvoted 1 times

  ninya69 4 months, 2 weeks ago


D - correct
upvoted 2 times

Question #32 Topic 1

Cortex XDR Analytics can alert when detecting activity matching the following MITRE ATT&CK techniques.

A. Exfiltration, Command and Control, Collection

B. Exfiltration, Command and Control, Privilege Escalation

C. Exfiltration, Command and Control, Impact

D. Exfiltration, Command and Control, Lateral Movement

Correct Answer: D

Community vote distribution


D (100%)

  Chiquitabandita 2 days ago


Selected Answer: D

it does list those three but in the picture next to it in the guide, it shows impact as well but does not describe it.
upvoted 1 times

  XuannnnOAO 4 months, 2 weeks ago


D is correct, refer to the official document: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-Concepts
upvoted 1 times


Question #33 Topic 1

When selecting multiple Incidents at a time, what options are available from the menu when a user right-clicks the incidents? (Choose two.)

A. Assign incidents to an analyst in bulk.

B. Change the status of multiple incidents.

C. Investigate several Incidents at once.

D. Delete the selected Incidents.

Correct Answer: AB

Community vote distribution


AB (100%)

  Chiquitabandita 2 days ago

Selected Answer: AB

I agree it is AB
upvoted 1 times

  MatchaLatte 4 days, 20 hours ago

Selected Answer: AB

A, B
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Incidents

Check box to select one or more incidents on which to perform the following actions.

- Assign incidents to an analyst in bulk
- Change the status of multiple incidents
- Change the severity of multiple incidents
upvoted 2 times

  ninya69 4 months, 2 weeks ago


A, B - You can change status/severity/assignee for all incidents as well as star/merge the incidents.
upvoted 1 times


Question #34 Topic 1

A file is identified as malware by the Local Analysis module, whereas the WildFire verdict is Benign. Assuming WildFire is accurate, which statement is correct for the incident?

A. It is true positive.

B. It is false positive.

C. It is a false negative.

D. It is true negative.

Correct Answer: B

Community vote distribution


B (100%)

  Chiquitabandita 2 days ago

Selected Answer: B

The follow-up question is what to do about this. I think you would put an exception to the policy, not touch WildFire.
upvoted 1 times

  ninya69 4 months, 2 weeks ago


B
Palo Alto study guide - 4.1.4: False positive—An event that produces an alarm when no attack has taken place
upvoted 1 times

Question #35 Topic 1

What is the outcome of creating and implementing an alert exclusion?

A. The Cortex XDR agent will allow the process that was blocked to run on the endpoint.

B. The Cortex XDR console will hide those alerts.

C. The Cortex XDR agent will not create an alert for this event in the future.

D. The Cortex XDR console will delete those alerts and block ingestion of them in the future.

Correct Answer: B

Community vote distribution


B (100%)

  Chiquitabandita 2 days ago


Selected Answer: B

"Alert Exclusion rules specify match criteria for alerts that you want to suppress."
upvoted 1 times

  XuannnnOAO 4 months, 2 weeks ago


B is correct, refer to the official document: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Exception-Configuration
upvoted 1 times


Question #36 Topic 1

Which statement is true for Application Exploits and Kernel Exploits?

A. The ultimate goal of any exploit is to reach the application.

B. Kernel exploits are easier to prevent than application exploits.

C. The ultimate goal of any exploit is to reach the kernel.

D. Application exploits leverage kernel vulnerability.

Correct Answer: A

Community vote distribution


A (56%) C (44%)

  Chiquitabandita 1 day, 22 hours ago

Selected Answer: A

I think it is A, only because the other answers feel wrong but I can't find definite reason why A is right
upvoted 1 times

  besik 2 weeks, 4 days ago

Selected Answer: C

The attacker's ultimate goal is to reach the kernel because if he reaches the kernel, he can do anything he wants and to execute something he will
not need privileged access. There are many mitigation techniques with Application Exploits but not many for the kernel.
upvoted 1 times

  7e078ca 1 month, 3 weeks ago


C, From https://beacon.paloaltonetworks.com
upvoted 2 times

  SpTester 2 months, 1 week ago

Selected Answer: A

I vote A because an exploit does NOT need to reach the kernel. So not C. Kernel exploits are really hard to defend against as it's the very root of the
OS. So not B. Definitively not D. So A remains.

So how can I explain that it is A? I would say with this circle that Palo Alto commonly spreads on the internet:
https://www.paloaltonetworks.co.uk/research/apac-ondemand-webinar-2016-how-to-complete-the-security-puzzle-with-wildfire-and-traps

Usually they say if we can interrupt one part of the exploit the chain will be broken. So in the center we got the application of an exploit permitted.
Hence why I vote A. Ultimate goal of an exploit is to reach application.
upvoted 2 times

  _tips 6 months ago


Regarding this page
https://www.csoonline.com/article/571799/exploit-chains-explained-how-and-why-attackers-target-multiple-vulnerabilities.html

“The goal with exploit chain attacks is to gain kernel/root/system level access to compromise a system in order to execute an attack,”

The answer is C
upvoted 1 times

  _tips 6 months ago

Selected Answer: A

Exploit Protection Overview


An exploit is a sequence of commands that takes advantage of a bug or vulnerability in a software application or process. Attackers use these
exploits to access and use a system to their advantage. Blocking any attempt to exploit a vulnerability in the chain will block the entire exploitation
attempt.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Endpoint-Protection
upvoted 2 times

  Torben10 8 months, 1 week ago


Selected Answer: C

C should be right.
upvoted 3 times


Question #37 Topic 1

To create a BIOC rule with XQL query you must at a minimum filter on which field in order for it to be a valid BIOC rule?

A. causality_chain

B. endpoint_name

C. threat_event

D. event_type

Correct Answer: D

Community vote distribution


D (100%)

  PANW 8 months, 2 weeks ago

Selected Answer: D

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule
upvoted 1 times


Question #38 Topic 1

Which of the following is an example of a successful exploit?

A. connecting unknown media to an endpoint that copied malware due to Autorun.

B. a user executing code which takes advantage of a vulnerability on a local service.

C. identifying vulnerable services on a server.

D. executing a process executable for well-known and signed software.

Correct Answer: C

Community vote distribution


B (100%)

  Chiquitabandita 1 day, 23 hours ago

Selected Answer: B

B seems like the best answer, but A is not a good thing either; A at least did not get executed, only uploaded.
upvoted 1 times

  Flky 6 months ago

Selected Answer: B

From documentation :

"An exploit is a piece of code or a program that takes advantage of a weakness (aka vulnerability) in an application or system."

https://www.paloaltonetworks.com/cyberpedia/malware-vs-exploits
upvoted 2 times

  SR_RS 7 months, 1 week ago


Unless we see it differently.

Executing code that takes advantage of a vulnerability (does not mean it will be successful),
but being able to identify vulnerabilities in a SERVER (means that a bad actor manages to get past security).
upvoted 1 times

  SR_RS 7 months, 1 week ago


should be B.
identifying a vulnerability is not a successful exploit.
executing code to take advantage of the vulnerability should be a successful exploit.

Unless I am reading it wrongly.


upvoted 2 times


Question #39 Topic 1

Which of the following represents the correct relation of alerts to incidents?

A. Only alerts with the same host are grouped together into one Incident in a given time frame.

B. Alerts that occur within a three hour time frame are grouped together into one Incident.

C. Alerts with same causality chains that occur within a given time frame are grouped together into an Incident.

D. Every alert creates a new Incident.

Correct Answer: A

Community vote distribution


C (100%)

escar 10 months, 2 weeks ago

Selected Answer: C

Alerts on the same causality chain are grouped with the same incident if an open incident already exists. Otherwise, the new incoming alert will
create a new incident.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Investigate-Incidents
upvoted 5 times

Chiquitabandita 1 day, 23 hours ago

Selected Answer: C

found in the admin guide link


upvoted 1 times

  GGP23 3 weeks, 3 days ago


Selected Answer: C

I vote C
upvoted 1 times

  Flky 6 months ago


Selected Answer: C

I vote C
upvoted 2 times

  mogulmungi 6 months, 3 weeks ago


I vote C
upvoted 1 times

  Davina07 9 months, 1 week ago

Selected Answer: C

I vote C
upvoted 1 times


Question #40 Topic 1

Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?

A. Hash Verdict Determination

B. Behavioral Threat Protection

C. Restriction Policy

D. Child Process Protection

Correct Answer: B

Community vote distribution


D (100%)

  Chiquitabandita 1 day, 23 hours ago

Selected Answer: D

Saw this in the admin guide: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/File-Analysis-and-Protection-Flow
upvoted 1 times

  SpTester 2 months, 1 week ago


Selected Answer: D

Phase 1: Evaluation of Child Process Protection Policy


When a user attempts to run an executable, the operating system attempts to run the executable as a process. If the process tries to launch any
child processes, the Cortex XDR agent first evaluates the child process protection policy. If the parent process is a known targeted process that
attempts to launch a restricted child process, the Cortex XDR agent blocks the child processes from running and reports the security event to
Cortex XDR.
upvoted 3 times

  darylmaeb24 3 months, 1 week ago


D is the correct answer
upvoted 1 times

  examlog 4 months, 2 weeks ago


Correct Answer D. Child Process Protection

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/File-Analysis-and-Protection-Flow

If the process tries to launch any child processes, the Cortex XDR agent first evaluates the child process protection policy. If the parent process is a
known targeted process that attempts to launch a restricted child process, the Cortex XDR agent blocks the child processes from running and
reports the security event to Cortex XDR.
upvoted 1 times

  Davina07 7 months, 3 weeks ago

Selected Answer: D

See link from escar


upvoted 1 times

  escar 10 months, 2 weeks ago

Selected Answer: D

should be - Evaluation of Child Process Protection Policy

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/File-Analysis-and-Protection-Flow
upvoted 3 times


Question #41 Topic 1

While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?

A. mark the incident as Unresolved

B. create a BIOC rule excluding this behavior

C. create an exception to prevent future false positives

D. mark the incident as Resolved – False Positive

Correct Answer: D

Community vote distribution


D (100%)

  Chiquitabandita 1 day, 23 hours ago

Selected Answer: D

I agree it is D in the admin guide link


upvoted 1 times

  ninya69 4 months, 2 weeks ago


D - "If an incident contains only alerts with exclusions, Cortex XDR changes the incident status to Resolved - False Positive and sends an email
notification to the incident assignee (if set)."
Ref: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Add-an-Alert-Exclusion-Rule
upvoted 1 times
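The incident behaviour quoted in the answers to Question #35 (exclusion rules suppress matching alerts), Question #39 (alerts on the same causality chain join an open incident, otherwise a new incident is created) and Question #41 (an incident whose alerts all carry exclusions is set to Resolved - False Positive) as an added Python model. This is example code, not Cortex XDR's own implementation: the field names `causality_id`, `host` and `process_name`, the exclusion rule format, and the 24-hour window that decides whether an earlier incident still counts as open are all assumptions for the demo (the real window is not stated on the page).

```python
# Added example, not Cortex XDR code: a small model of the incident-handling
# behaviour quoted in the answers above. Field names (causality_id, host,
# process_name) and the 24-hour grouping window are assumptions for the demo.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Alert:
    alert_id: str
    causality_id: str        # the causality chain (CGO) this alert belongs to
    host: str
    process_name: str
    timestamp: datetime
    excluded: bool = False   # set when an alert exclusion rule matches


@dataclass
class Incident:
    incident_id: str
    causality_id: str
    alerts: List[Alert] = field(default_factory=list)
    status: str = "New"
    last_alert: Optional[datetime] = None


# Alert exclusion rules: match criteria for alerts to suppress (constructed values).
EXCLUSION_RULES = [
    {"host": "build-01", "process_name": "msbuild.exe"},
]


def matches_exclusion(alert: Alert, rules=EXCLUSION_RULES) -> bool:
    """An alert is excluded when every criterion of some rule matches it."""
    return any(all(getattr(alert, k) == v for k, v in rule.items()) for rule in rules)


def group_alerts(alerts: List[Alert], window: timedelta = timedelta(hours=24)) -> List[Incident]:
    """Group alerts into incidents by causality chain.

    An alert joins the open incident for its causality chain if one exists;
    otherwise it opens a new incident. ASSUMPTION: an incident counts as open
    while its latest alert is within `window` of the new one (the real window
    is not stated on the page). Incidents whose alerts are all excluded are
    resolved as false positives, as the documentation quoted above describes.
    """
    incidents: List[Incident] = []
    open_by_chain = {}
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        alert.excluded = matches_exclusion(alert)
        inc = open_by_chain.get(alert.causality_id)
        if inc is None or alert.timestamp - inc.last_alert > window:
            inc = Incident(f"INC-{len(incidents) + 1}", alert.causality_id)
            incidents.append(inc)
            open_by_chain[alert.causality_id] = inc
        inc.alerts.append(alert)
        inc.last_alert = alert.timestamp
    for inc in incidents:
        if all(a.excluded for a in inc.alerts):
            inc.status = "Resolved - False Positive"
    return incidents


def demo_incidents() -> List[Incident]:
    """Constructed alert stream: two chains, one of them fully covered by an exclusion."""
    t0 = datetime(2024, 3, 1, 10, 0)
    alerts = [
        Alert("A1", "C1", "ws-07", "powershell.exe", t0),
        Alert("A2", "C1", "ws-07", "cmd.exe", t0 + timedelta(minutes=5)),
        Alert("A3", "C2", "build-01", "msbuild.exe", t0 + timedelta(minutes=10)),
        Alert("A4", "C2", "build-01", "msbuild.exe", t0 + timedelta(minutes=12)),
        # same chain as A1/A2 but two days later: the earlier incident is no longer open
        Alert("A5", "C1", "ws-07", "powershell.exe", t0 + timedelta(days=2)),
    ]
    return group_alerts(alerts)


if __name__ == "__main__":
    for inc in demo_incidents():
        ids = [a.alert_id for a in inc.alerts]
        print(inc.incident_id, inc.causality_id, inc.status, ids)
```

Running it yields three incidents: A1 and A2 share one incident through chain C1, A3 and A4 land in a second incident that is auto-resolved because both alerts match the exclusion rule, and A5 opens a third incident even though it is on chain C1, because the first incident is no longer open. Note that the excluded alerts are still attached to their incident; the exclusion changes what the console shows and the incident status, not what the agent recorded.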


Question #42 Topic 1

Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack will be neutralized. Which of the following statements is correct?

A. Cortex XDR Analytics allows to interfere with the pattern as soon as it is observed on the firewall.

B. Cortex XDR Analytics does not interfere with the pattern as soon as it is observed on the endpoint.

C. Cortex XDR Analytics does not have to interfere with the pattern as soon as it is observed on the endpoint in order to prevent the attack.

D. Cortex XDR Analytics allows to interfere with the pattern as soon as it is observed on the endpoint.

Correct Answer: A

Community vote distribution


B (50%) D (50%)

sharkk43 4 months, 3 weeks ago

If you go here: https://www.paloaltonetworks.com/services/education/palo-alto-networks-certified-detection-and-remediation-analyst


And then go to Sample questions (specifically here:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcdra-sample-questions.pdf), there's 7 questions,
one of them being:

Which statement is valid regarding the Cortex XDR Analytics module?


A. It interferes with an attack pattern as soon as it is observed on the endpoint.
B. It does not interfere with any portion of the attack pattern on the endpoint.
C. It does not need to interfere with any portion of the pattern to prevent the attack.
D. It interferes with the attack pattern as soon as it is observed on the firewall.

Palo Alto says the answer here is B.

Therefore, for this question on ExamTopics I'd say the answer is B as well.
upvoted 5 times

  deyabeel22 4 months, 3 weeks ago


In which module?
upvoted 1 times

Chiquitabandita 1 day, 23 hours ago

Selected Answer: B

looking at the links below I think it is B


upvoted 1 times

  SpTester 2 months, 1 week ago


Selected Answer: B

Coverage of MITRE Attack Tactics:


Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack is neutralized.

The Cortex XDR Analytics Engine retrieves logs from the Cortex XDR tenant to create a baseline so that it can raise alerts when abnormal activity
occurs. This analysis is highly sophisticated and performed on more than a thousand dimensions of data. Internally, Cortex XDR organizes its
analytics activity into algorithms called detectors. Each detector is responsible for raising an alert when suspicious behavior is detected.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-Concepts

So I vote B. It enables the possibility but not to do anything on the Firewall itself or Endpoint itself. So it cannot act as soon as pattern is detected.
upvoted 2 times

  SpTester 2 months, 1 week ago

Selected Answer: D

Coverage of MITRE Attack Tactics:


Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack is neutralized.

The Cortex XDR Analytics Engine retrieves logs from the Cortex XDR tenant to create a baseline so that it can raise alerts when abnormal activity
occurs. This analysis is highly sophisticated and performed on more than a thousand dimensions of data. Internally, Cortex XDR organizes its
analytics activity into algorithms called detectors. Each detector is responsible for raising an alert when suspicious behavior is detected.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-Concepts

So I vote D. It enables the possibility but not to do anything on the Firewall itself.
upvoted 2 times


  darylmaeb24 4 months ago


BIOC Analytics is just a detection alert. Unless you have set a custom BIOC Prevention rules.

My answer would be B.
upvoted 2 times

  _tips 6 months ago


The question is talking about Network Attacks, so I think, it is talking about Firewalls,

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-Concepts

The Cortex XDR app uses its Analytics Engine to examine logs and data retrieved from your sensors on the Cortex XDR tenants to build an activity
baseline, and recognize abnormal activity when it occurs. The Analytics Engine accesses your logs as they are streamed to the Cortex XDR tenant,
including any Firewall data, and analyzes the data as soon as it arrives. Cortex XDR raises an Analytics alert when the Analytics Engine determines
an anomaly.

I guess the answer is A.


upvoted 2 times

  Davina07 9 months, 1 week ago


Selected Answer: D

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics-Concepts
upvoted 1 times

Question #43 Topic 1

After a scan, how does the file quarantine function work on an endpoint?

A. Quarantine takes ownership of the files and folders and prevents execution through access control.

B. Quarantine disables the network adapters and locks down access preventing any communications with the endpoint.

C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.

D. Quarantine prevents an endpoint from communicating with anything besides the listed exceptions in the agent profile and Cortex XDR.

Correct Answer: C

Community vote distribution


C (100%)

  Chiquitabandita 1 day, 21 hours ago

Selected Answer: C

"it moves the file from the location on a local or removable drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine) where it
isolates the file." in admin guide link
upvoted 1 times

  jose010696 2 months, 2 weeks ago

Selected Answer: C

C. That's right.
upvoted 1 times

  Bradl 3 months, 2 weeks ago


When the agent detects malware on a Windows endpoint, you can take additional precautions to quarantine the file. When the agent quarantines
malware, it moves the file from the location on a local or removable drive to a local quarantine folder (%PROGRAMDATA%\Cyvera\Quarantine)
where it isolates the file. This prevents the file from attempting to run again from the same path or causing any harm to your endpoints.
upvoted 2 times

  deyabeel22 4 months, 3 weeks ago


C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.
upvoted 1 times

  PANW 8 months, 1 week ago


https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Manage-Quarantined-Files
upvoted 2 times
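Quarantine-by-hash as the answers to Question #29 (File Search and Destroy matches on the SHA256 of the file) and Question #43 (quarantine moves the file out of its original location into a protected folder where it cannot run) describe it, as an added Python example. This is not the Cortex XDR agent's code: the temporary directory layout, the `manifest.jsonl` file and the `find_by_hash`/`quarantine`/`restore` helpers are assumptions for the demo, and the sample document bytes are constructed.

```python
# Added example, not the Cortex XDR agent's code: a minimal model of the two
# behaviours discussed above, locating every copy of a file by its SHA256 digest
# and moving it into a quarantine folder with a manifest that allows a restore.
# The folder layout and manifest format are assumptions for the demo.
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_by_hash(root: Path, wanted: str, exclude: Path = None) -> list:
    """Every regular file under root whose digest equals `wanted`, skipping `exclude`.
    Matching on content rather than name is what finds a renamed copy."""
    hits = []
    for p in root.rglob("*"):
        if exclude is not None and exclude in p.parents:
            continue
        if p.is_file() and sha256_of(p) == wanted:
            hits.append(p)
    return sorted(hits)


def quarantine(path: Path, qdir: Path) -> dict:
    """Move `path` into `qdir`, make it read-only, and append a manifest entry."""
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(path)
    dest, n = qdir / digest, 1
    while dest.exists():            # several copies of one file share a digest
        dest, n = qdir / f"{digest}.{n}", n + 1
    shutil.move(str(path), str(dest))
    os.chmod(dest, 0o400)           # stop it being run or edited from quarantine
    entry = {"sha256": digest, "original_path": str(path), "quarantined_as": str(dest)}
    with open(qdir / "manifest.jsonl", "a") as m:
        m.write(json.dumps(entry) + "\n")
    return entry


def restore(entry: dict) -> Path:
    """Undo a quarantine using its manifest entry (the analyst decided it was benign)."""
    src, dst = Path(entry["quarantined_as"]), Path(entry["original_path"])
    os.chmod(src, 0o600)
    shutil.move(str(src), str(dst))
    return dst


def demo() -> dict:
    """Constructed endpoint: two byte-identical copies of a sample document under
    different names plus one harmless file; quarantine every copy by hash."""
    root = Path(tempfile.mkdtemp(prefix="endpoint-"))
    sample = b"CONSTRUCTED-SAMPLE-DOCUMENT"        # stands in for a known-bad file
    (root / "Downloads").mkdir()
    (root / "Downloads" / "invoice.docm").write_bytes(sample)
    (root / "Public").mkdir()
    (root / "Public" / "notes.bin").write_bytes(sample)
    (root / "Public" / "readme.txt").write_bytes(b"harmless")
    wanted = hashlib.sha256(sample).hexdigest()
    qdir = root / "Quarantine"     # a real agent uses %PROGRAMDATA%\Cyvera\Quarantine

    matches = find_by_hash(root, wanted)
    entries = [quarantine(p, qdir) for p in matches]
    remaining = find_by_hash(root, wanted, exclude=qdir)
    digests_intact = all(sha256_of(Path(e["quarantined_as"])) == wanted for e in entries)
    restored = restore(entries[0])
    return {
        "matched": [p.relative_to(root).as_posix() for p in matches],
        "remaining_after_quarantine": len(remaining),
        "digests_intact": digests_intact,
        "restored_exists": restored.exists(),
        "manifest_lines": len((qdir / "manifest.jsonl").read_text().splitlines()),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two points worth noticing when running it: the renamed copy `Public/notes.bin` is found because the search compares digests, not names, which is why the feature accepts a SHA256 rather than a filename; and the quarantined file keeps its content (the digest still matches) so it can be restored or submitted for further analysis, while the original path no longer has anything to execute.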


Question #44 Topic 1

Which two types of exception profiles can you create in Cortex XDR? (Choose two.)

A. exception profiles that apply to specific endpoints

B. agent exception profiles that apply to specific endpoints

C. global exception profiles that apply to all endpoints

D. role-based profiles that apply to specific endpoints

Correct Answer: AC

Community vote distribution


AC (100%)

  Davina07 9 months, 1 week ago

Selected Answer: AC

Just tested in XDR for a behavioral threat


upvoted 1 times

Question #45 Topic 1

Which profiles can the user use to configure malware protection in the Cortex XDR console?

A. Malware Protection profile

B. Malware profile

C. Malware Detection profile

D. Anti-Malware profile

Correct Answer: B


Question #46 Topic 1

Which module provides the best visibility to view vulnerabilities?

A. Live Terminal module

B. Device Control Violations module

C. Host Insights module

D. Forensics module

Correct Answer: C

Community vote distribution


C (100%)

  Chiquitabandita 1 day, 22 hours ago

Selected Answer: C

It has the vulnerability management, so it is the best answer out of the choices.


upvoted 1 times

  Davina07 9 months, 1 week ago

Selected Answer: C

https://www.boll.ch/datasheets/Cortex_XDR_Host_Insights.pdf
upvoted 1 times

Question #47 Topic 1

Which of the following is NOT a precanned script provided by Palo Alto Networks?

A. delete_file

B. quarantine_file

C. process_kill_name

D. list_directories

Correct Answer: B

Community vote distribution


B (100%)

  Chiquitabandita 1 day, 22 hours ago

Selected Answer: B

I agree with the link below


upvoted 1 times

  Davina07 9 months, 1 week ago


Selected Answer: B

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Run-Scripts-on-an-Endpoint under "Run Scripts on an Endpoint"
upvoted 3 times


Question #48 Topic 1

Live Terminal uses which type of protocol to communicate with the agent on the endpoint?

A. NetBIOS over TCP

B. WebSocket

C. UDP and a random port

D. TCP, over port 80

Correct Answer: B


Question #49 Topic 1

You can star security events in which two ways? (Choose two.)

A. Create an alert-starring configuration.

B. Create an Incident-starring configuration.

C. Manually star an alert.

D. Manually star an Incident.

Correct Answer: BD

Community vote distribution


BD (50%) AD (50%)

  steven1995 1 day, 4 hours ago


AD for sure
upvoted 1 times

  Chiquitabandita 1 week, 1 day ago

Selected Answer: BD

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Manage-Incident-Starring

You can manually star an incident after reviewing it, or you can create an incident starring configuration that automatically categorizes and stars
incidents when a related alert contains the specific attributes that you decide are important.
upvoted 1 times

  darylmaeb24 3 months, 1 week ago


The correct answer is B and D. From the Study Guide. Incident related starring
upvoted 1 times

  deyabeel22 4 months, 3 weeks ago


AD: You can star incidents in two ways: You can manually star an incident after reviewing it, or you can create an incident starring configuration
upvoted 1 times

  _tips 6 months ago


I am confused here, the documentation says to create an incident starring configuration, but in the configuration setting it says "Create New Alert
Starring Configuration"
upvoted 2 times

  _tips 6 months, 1 week ago


I guess B and D are correct.
upvoted 1 times

  _tips 6 months, 1 week ago


You can manually star an incident after reviewing it, or you can create an incident starring configuration that automatically categorizes and stars
incidents when a related alert contains the specific attributes that you decide are important.

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Manage-Incident-Starring
upvoted 1 times

  escar 10 months, 3 weeks ago

Selected Answer: AD

can manually star incident and using Starred Alerts rule under Incident Configuration
upvoted 1 times


Question #50 Topic 1

Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?

A. Find the Malware profile attached to the endpoint, Under Portable Executable and DLL Examination add the hash to the allow list.

B. From the rules menu select new exception, fill out the criteria, choose the scope to apply it to, hit save.

C. Find the exceptions profile attached to the endpoint, under process exceptions select local analysis, paste the hash and save.

D. In the Action Center, choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.

Correct Answer: B

Community vote distribution


D (100%)

  Zubair2131 1 week ago


It's B as it's only asking to create an exception for a Windows endpoint. Can't be D as it will create an exception for all endpoints regardless of the platform
type.
upvoted 1 times

  darylmaeb24 3 months, 3 weeks ago


I will go for D
upvoted 2 times

  deyabeel22 4 months, 3 weeks ago


D: Investigate Files:
You can manage file execution on your endpoints by using file hashes that are included in
your allow and block lists. If you trust a certain file and know it to be benign, you can add the
file hash to the allow list and allow it to be executed on all your endpoints regardless of the
WildFire or local analysis verdict. Similarly, if you want to always block a file from running on
any of your endpoints, you can add the associated hash to the block list.
upvoted 2 times

  sharkk43 4 months, 3 weeks ago


I say B based on: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Add-an-IOC-or-BIOC-Rule-Exception

"If you want to create a rule to take action on specific behaviors but also want to exclude one or more indicators from the rule, you can create an
IOC or BIOC rule exception. An indicator can include the SHA256 hash of a process, process name, process path, vendor name, user name, causality
group owner (CGO) full path, or process command-line arguments. For more information about these indicators, see Rules. For each exception, you
also specify the rule scope to which the exception applies."
"Select Settings → Exception Configuration → IOC/BIOC Suppression Rules.
Click + New Exception.
Specify a Rule Name and an optional Description.
etc."
upvoted 3 times

  _tips 6 months ago

Selected Answer: D

2.3.3 Outline malware protection flow


https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcdra-study-guide.pdf

Hash exception - A hash exception enables you to override the verdict for a specific file
without affecting the settings in your Malware Security profile. The Hash Exception policy is
evaluated first and takes precedence over all other methods to determine the hash verdict.

The exception does not allow Hash value


upvoted 2 times


Question #51 Topic 1

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in Phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?

A. Enable DLL Protection on all endpoints but there might be some false positives.

B. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.

C. No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.

D. No step is required because the malicious document is already stopped.

Correct Answer: B

Question #52 Topic 1

When investigating security events, which feature in Cortex XDR is useful for reverting the changes on the endpoint?

A. Remediation Automation

B. Machine Remediation

C. Automatic Remediation

D. Remediation Suggestions

Correct Answer: D

Community vote distribution


D (100%)

  MatchaLatte 1 day, 19 hours ago

Selected Answer: D

I will pick D

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Remediate-Changes-from-Malicious-Activity

When investigating suspicious incidents and causality chains you often need to restore and revert changes made to your endpoints as result of a
malicious activity. To avoid manually searching for the affected files and registry keys on your endpoints, you can request Cortex XDR for
remediation suggestions.
upvoted 1 times

Question #53 Topic 1

What is the purpose of the Cortex Data Lake?

A. a local storage facility where your logs and alert data can be aggregated

B. a cloud-based storage facility where your firewall logs are stored

C. the interface between firewalls and the Cortex XDR agents

D. the workspace for your Cortex XDR agents to detonate potential malware files

Correct Answer: B


Question #54 Topic 1

When creating a scheduled report, which of the following is not an option?

A. Run weekly on a certain day and time.

B. Run quarterly on a certain day and time.

C. Run monthly on a certain day and time.

D. Run daily at a certain time (selectable hours and minutes).

Correct Answer: B

Question #55 Topic 1

Which statement regarding scripts in Cortex XDR is true?

A. Any version of Python script can be run.

B. The level of risk is assigned to the script upon import.

C. Any script can be imported including Visual Basic (VB) scripts.

D. The script is run on the machine uploading the script to ensure that it is operational.

Correct Answer: A

  deyabeel22 4 months, 3 weeks ago


Yes, I think B.
upvoted 2 times

  Davina07 6 months, 3 weeks ago


I think B. A is wrong for sure, you need at least Python 3.7 to run scripts on your endpoint directly. https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Run-Scripts-on-an-Endpoint
upvoted 2 times

Question #56 Topic 1

What is the function of WildFire for Cortex XDR?

A. WildFire runs in the cloud and analyses alert data from the XDR agent to check for behavioural threats.

B. WildFire is the engine that runs on the local agent and determines whether behavioural threats are occurring on the endpoint.

C. WildFire accepts and analyses a sample to provide a verdict.

D. WildFire runs entirely on the agent to quickly analyse samples and provide a verdict.

Correct Answer: C


Question #57 Topic 1

A Linux endpoint with a Cortex XDR Pro per Endpoint license and Enhanced Endpoint Data enabled has reported malicious activity, resulting in the creation of a file that you wish to delete. Which action could you take to delete the file?

A. Manually remediate the problem on the endpoint in question.

B. Open X2go from the Cortex XDR console and delete the file via X2go.

C. Initiate Remediate Suggestions to automatically delete the file.

D. Open an NFS connection from the Cortex XDR console and delete the file.

Correct Answer: A

Community vote distribution


C (100%)

  Blahziblah 4 months, 1 week ago

Selected Answer: C

I think the answer is C. See this overview from Palo Alto: https://youtu.be/HBzxmSjHYt4?si=JqjrLZkLTXBeqXpp&t=452. Here he talks about deleting
a file through the Remediation Suggestions.
upvoted 3 times

Question #58 Topic 1

Which of the following best defines the Windows Registry as used by the Cortex XDR agent?

A. a hierarchical database that stores settings for the operating system and for applications

B. a system of files used by the operating system to commit memory that exceeds the available hardware resources. Also known as the “swap”

C. a central system, available via the internet, for registering officially licensed versions of software to prove ownership

D. a ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system

Correct Answer: A

Question #59 Topic 1

Which statement best describes how Behavioral Threat Protection (BTP) works?

A. BTP injects into known vulnerable processes to detect malicious activity.

B. BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.

C. BTP matches EDR data with rules provided by Cortex XDR.

D. BTP uses machine Learning to recognize malicious activity even if it is not known.

Correct Answer: D


Question #60 Topic 1

Which of the following paths will successfully activate Remediation Suggestions?

A. Alerts Table > Right-click on a process node > Remediation Suggestions

B. Incident View > Actions > Remediation Suggestions

C. Causality View > Actions > Remediation Suggestions

D. Alerts Table > Right-click on an alert > Remediation Suggestions

Correct Answer: C

Community vote distribution


B (100%)

  darylmaeb24 4 months ago


But C is also a correct one. :D Either through Causality or Incidents, you can perform Remediation Suggestions
upvoted 1 times

  darylmaeb24 4 months ago


This should be B. Incidents > click the 3 dots > Remediation Suggestions
upvoted 1 times

  kareem101 4 months ago

Selected Answer: B

Should be B. "You can initiate a remediation suggestions analysis from either of the following places:
In the Incident View, navigate to Actions → Remediation Suggestions."
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Remediate-Changes-from-Malicious-Activity#:~:text=In%20the%20Incident%20View%2C%20navigate%20to%20Actions%20%E2%86%92%20Remediation%20Suggestions.
upvoted 2 times
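Questions 52 and 60 both turn on what Remediation Suggestions actually does: it analyses the causality chain behind an alert and lists the files and registry keys that the malicious activity left behind, so the analyst does not have to search the endpoint by hand. The block below is an added example that mimics that analysis on constructed events; it is not Cortex XDR code, and the event shape (type, pid, ppid, path, key) and the action names are assumptions made for illustration, not the product's schema.

```python
"""Deriving remediation suggestions from a causality chain (added example; not
Cortex XDR code). Starting at the causality group owner (CGO), it follows the
parent/child process links and turns every side effect of the chain into a
revert action an analyst could apply. The event shape and the action names are
assumptions made for this illustration, not the product's schema."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    kind: str       # kill_process | delete_file | delete_registry_value
    target: str
    evidence: int   # event_id that justifies the suggestion


# Constructed sample chain (not real telemetry):
# winword.exe (pid 100, the CGO) -> powershell.exe (200) -> updater.exe (300)
SAMPLE_EVENTS = [
    {"event_id": 1, "type": "PROCESS_START", "pid": 200, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 2, "type": "FILE_CREATE", "pid": 200,
     "path": r"C:\Users\a\AppData\Roaming\updater.exe"},
    {"event_id": 3, "type": "REGISTRY_SET", "pid": 200,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater"},
    {"event_id": 4, "type": "PROCESS_START", "pid": 300, "ppid": 200,
     "image": r"C:\Users\a\AppData\Roaming\updater.exe"},
    {"event_id": 5, "type": "FILE_CREATE", "pid": 300,
     "path": r"C:\Users\a\AppData\Local\Temp\stage2.dll"},
    # Activity from an unrelated process tree; must not be suggested.
    {"event_id": 6, "type": "FILE_CREATE", "pid": 999,
     "path": r"C:\Users\a\Documents\report.docx"},
]


def causality_pids(events, cgo_pid):
    """Return the set of pids in the process tree rooted at the CGO."""
    children = defaultdict(list)
    for ev in events:
        if ev["type"] == "PROCESS_START":
            children[ev["ppid"]].append(ev["pid"])
    tree, stack = {cgo_pid}, [cgo_pid]
    while stack:
        parent = stack.pop()
        for child in children[parent]:
            if child not in tree:
                tree.add(child)
                stack.append(child)
    return tree


def suggest_remediation(events, cgo_pid):
    """Return the revert actions for everything the causality chain did.

    Process terminations are ordered first: on Windows a running executable
    cannot be deleted, so dropped binaries are removed after their processes.
    """
    in_chain = causality_pids(events, cgo_pid)
    actions = []
    for ev in sorted(events, key=lambda e: e["event_id"]):
        if ev["pid"] not in in_chain:
            continue  # outside the chain, leave it alone
        if ev["type"] == "PROCESS_START" and ev["pid"] != cgo_pid:
            actions.append(Action("kill_process", f"pid {ev['pid']}", ev["event_id"]))
        elif ev["type"] == "FILE_CREATE":
            actions.append(Action("delete_file", ev["path"], ev["event_id"]))
        elif ev["type"] == "REGISTRY_SET":
            actions.append(Action("delete_registry_value",
                                  f"{ev['key']}\\{ev['value']}", ev["event_id"]))
    # Stable sort: kills first, then artifact removals in creation order.
    actions.sort(key=lambda a: 0 if a.kind == "kill_process" else 1)
    return actions


if __name__ == "__main__":
    for act in suggest_remediation(SAMPLE_EVENTS, cgo_pid=100):
        print(f"{act.kind:22} {act.target}  (event {act.evidence})")
```

The process tree is the part that matters: the DLL dropped by a grandchild of the causality group owner still belongs to the chain, while the unrelated write from pid 999 is never suggested, and each suggestion carries the event id that justifies it so the analyst can check the evidence before reverting anything.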

Question #61 Topic 1

In the Cortex XDR management console, scheduled reports can be forwarded to which of the following applications/services?

A. Service Now

B. Slack

C. Salesforce

D. Jira

Correct Answer: B


Question #62 Topic 1

Which type of IOC can you define in Cortex XDR?

A. Source port

B. Destination IP Address

C. Destination IP Address:Destination

D. Source IP Address

Correct Answer: B

Community vote distribution


B (100%)

  Chiquitabandita 1 day, 23 hours ago

Selected Answer: B

I agree for B
upvoted 1 times

  Axell9412 3 months, 2 weeks ago

Selected Answer: B

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Working-with-IOCs#:~:text=Domain-,Destination%20IP%20address,-MD5%20hash
upvoted 2 times

Question #63 Topic 1

What action is taken by the Managed Threat Hunting team for zero-day exploits?

A. MTH runs queries and investigative actions and no further action is taken.

B. MTH researches for threats in the logs and reports to engineering.

C. MTH researches for threats in the tenant and generates a report with the findings.

D. MTH pushes content updates to prevent against the zero day exploits.

Correct Answer: C

Question #64 Topic 1

What is an example of an attack vector for ransomware?

A. A URL filtering feature enabled on a firewall

B. Phishing emails containing malicious attachments

C. Performing DNS queries for suspicious domains

D. Performing SSL Decryption on an endpoint

Correct Answer: B


Question #65 Topic 1

What should you do to automatically convert leads into alerts after investigating a lead?

A. Lead threats can't be prevented in the future because they already exist in the environment.

B. Build a search query using Query Builder or XQL using a list of IOCs.

C. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.

D. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.

Correct Answer: C

Community vote distribution


D (100%)

  Chiquitabandita 1 week ago

Selected Answer: D

Create BIOC rules based on the set of attribute-value pairs to automatically convert the leads into alerts.
upvoted 1 times

  kareem101 4 months ago

Selected Answer: D

I believe this should be D.


Leads are not static IOCs.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Research-a-Known-Threat#:~:text=Inspect%20the%20information%20again%2C%20and%20identify%20any%20characteristics%20you%20can%20use%20to%20Create%20a%20BIOC%20Rule%20or%20Create%20a%20Correlation%20Rule.
upvoted 2 times
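To make the point in the comments above concrete (a lead is a set of behaviour attributes, not a static IOC), here is an added example in Python, not Cortex XDR code and not an XQL query, that turns the attribute-value pairs collected from two hypothetical leads into BIOC-style rules and matches them against constructed events. Field names follow the xdr_data naming convention, but the events, rule names and severities are assumptions, and the matcher is a stand-in for an XQL filter chain rather than the product's engine.

```python
"""BIOC-style rule matching over constructed EDR events (added example; not
Cortex XDR code). The attribute-value pairs gathered while hunting a lead are
turned into a standing rule and matched against every event. Field names such
as event_type and action_process_image_name follow the xdr_data naming
convention, but the events are constructed samples, not real telemetry, and
the matcher is a stand-in for an XQL filter chain, not the product's engine."""
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable

Predicate = Callable[[dict], bool]


@dataclass
class BiocRule:
    name: str
    severity: str
    predicates: list = field(default_factory=list)  # all must hold (AND)

    def matches(self, event: dict) -> bool:
        return all(p(event) for p in self.predicates)


def eq(field_name: str, value) -> Predicate:
    """Exact-match predicate on one event field."""
    return lambda ev: ev.get(field_name) == value


def regex(field_name: str, pattern: str) -> Predicate:
    """Case-insensitive regex predicate, comparable to XQL's ~= operator."""
    rx = re.compile(pattern, re.IGNORECASE)
    return lambda ev: bool(rx.search(str(ev.get(field_name, ""))))


def rule_from_lead(name: str, severity: str, attrs: dict) -> BiocRule:
    """Build a rule from lead attributes. A value prefixed 're:' is a regex;
    anything else is an exact match."""
    preds = []
    for key, value in attrs.items():
        if isinstance(value, str) and value.startswith("re:"):
            preds.append(regex(key, value[3:]))
        else:
            preds.append(eq(key, value))
    return BiocRule(name, severity, preds)


def run_rules(rules: Iterable[BiocRule], events: Iterable[dict]) -> list:
    """Return (rule name, event_id) for every match; each tuple is an alert."""
    alerts = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                alerts.append((rule.name, ev["event_id"]))
    return alerts


# Constructed sample events (assumed shape, not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 1, "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "actor_process_image_name": "WINWORD.EXE",
     "action_process_image_name": "powershell.exe",
     "action_process_image_command_line": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"event_id": 2, "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "actor_process_image_name": "explorer.exe",
     "action_process_image_name": "invoice.pdf.exe",
     "action_process_image_command_line": "invoice.pdf.exe"},
    {"event_id": 3, "event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "actor_process_image_name": "explorer.exe",
     "action_process_image_name": "notepad.exe",
     "action_process_image_command_line": "notepad.exe notes.txt"},
    {"event_id": 4, "event_type": "FILE", "event_sub_type": "FILE_WRITE",
     "actor_process_image_name": "WINWORD.EXE",
     "action_file_path": r"C:\Users\a\AppData\Local\Temp\x.ps1"},
]

# Rules derived from two hypothetical leads; names and severities are made up.
OFFICE_SPAWNS_POWERSHELL = rule_from_lead(
    "Office application spawns PowerShell", "high",
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "actor_process_image_name": r"re:^(winword|excel|powerpnt)\.exe$",
     "action_process_image_name": r"re:^powershell\.exe$"})

DOUBLE_EXTENSION_EXE = rule_from_lead(
    "Executable disguised as a document", "medium",
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": r"re:\.(pdf|docx?)\.exe$"})

RULES = [OFFICE_SPAWNS_POWERSHELL, DOUBLE_EXTENSION_EXE]

if __name__ == "__main__":
    for rule_name, event_id in run_rules(RULES, SAMPLE_EVENTS):
        print(f"alert: {rule_name} (event {event_id})")
```

Note that every rule pins event_type and event_sub_type before looking at the image name: a rule that only matches on a file name would also fire on unrelated event types, which is the same reason the BIOC query in question 2 needs the event_type filter.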

Question #66 Topic 1

When reaching out to TAC for additional technical support related to a security event, what are two critical pieces of information you need to collect from the agent? (Choose two.)

A. The prevention archive from the alert.

B. The unique agent id.

C. The distribution id of the agent.

D. The agent technical support file.

E. A list of all the current exceptions applied to the agent.

Correct Answer: BD

Community vote distribution


BD (100%)

  Chiquitabandita 2 days ago

Selected Answer: BD

I can't cite the source, but I believe the answers should be B and D
upvoted 1 times

  darylmaeb24 3 months, 3 weeks ago


This should be A and D
Alert Data dump
Agent Tech support file
upvoted 1 times


Question #67 Topic 1

Which function describes the removal of a specific file from its location on a local or removable drive to a protected folder to prevent the file from being executed?

A. Search & destroy

B. Quarantine

C. Isolation

D. Flag for removal

Correct Answer: B

Community vote distribution


B (100%)

  Chiquitabandita 2 days ago

Selected Answer: B

I can't list a source, but I believe it is B


upvoted 1 times

Question #68 Topic 1

What is the maximum number of agents one Broker VM local agent applet can support?

A. 10,000

B. 15,000

C. 5,000

D. 20,000

Correct Answer: C

Community vote distribution


C (100%)

  Chiquitabandita 2 days ago

Selected Answer: C

I agree this is old so probably won't be on the test but good to know if it is.
upvoted 1 times

  darylmaeb24 3 months, 3 weeks ago


This is already obsolete, the BVM local agent can cater for 50,000
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Activate-the-Local-Agent-Settings
upvoted 1 times

  GGP23 3 weeks, 2 days ago


I don't see an option for 50,000. I'm assuming 10,000 is the answer based on when the test was created.
upvoted 1 times


Question #69 Topic 1

Which of the following represents a common sequence of cyber attack tactics?

A. Actions on the objective >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control

B. Installation >> Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective

C. Reconnaissance >> Installation >> Weaponisation & Delivery >> Exploitation >> Command & Control >> Actions on the objective

D. Reconnaissance >> Weaponisation & Delivery >> Exploitation >> Installation >> Command & Control >> Actions on the objective

Correct Answer: D

Community vote distribution


D (100%)

  Chiquitabandita 2 days ago

Selected Answer: D

I can't list a source but I think it is D


upvoted 1 times

Question #70 Topic 1

Which Exploit Protection Module (EPM) can be used to prevent attacks based on OS function?

A. Memory Limit Heap Spray Check

B. DLL Security

C. UASLR

D. JIT Mitigation

Correct Answer: B

Community vote distribution


B (100%)

  Chiquitabandita 2 days ago

Selected Answer: B

DLL security is part of the EPM


upvoted 1 times

  nobody165456131354 2 weeks, 5 days ago

Selected Answer: B

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Endpoint-Protection-Modules
upvoted 1 times


Question #71 Topic 1

Which statement is correct based on the report output below?

A. Forensic inventory data collection is enabled.

B. 133 agents have full disk encryption.

C. 3,297 total incidents have been detected.

D. Host Inventory Data Collection is enabled.

Correct Answer: D

Community vote distribution


D (100%)

  Chiquitabandita 2 days ago


*graph
upvoted 1 times

  Chiquitabandita 2 days ago

Selected Answer: D

I believe it is D, not able to cite a source, only looking at the graph


upvoted 1 times

Question #72 Topic 1

Which search method is supported by File Search and Destroy?

A. File Search and Repair

B. File Seek and Destroy

C. File Search and Destroy

D. File Seek and Repair

Correct Answer: C


Question #73 Topic 1

Which of the following Live Terminal options are available for Android systems?

A. Run Android commands.

B. Live Terminal is not supported.

C. Run APK scripts.

D. Stop an app.

Correct Answer: B


Question #74 Topic 1

What contains a logical schema in an XQL query?

A. Field

B. Bin

C. Dataset

D. Arrayexpand

Correct Answer: C

Community vote distribution


C (100%)

  Chiquitabandita 1 week ago

Selected Answer: C

from coursework
upvoted 1 times

Question #75 Topic 1

Which minimum Cortex XDR agent version is required for a Kubernetes cluster?

A. Cortex XDR 7.4

B. Cortex XDR 5.0

C. Cortex XDR 7.5

D. Cortex XDR 6.1

Correct Answer: C

  ivanlean55 2 months, 1 week ago


Right Answer C.
Compare between 7.4 and 7.5 Agent Administrator Guide, you'll find the difference
https://docs-cortex.paloaltonetworks.com/v/u/Cortex-XDR-Agent-Administrator-Guide-7.4
https://docs-cortex.paloaltonetworks.com/v/u/Cortex-XDR-Agent-Administrator-Guide-7.5
upvoted 1 times


Question #76 Topic 1

In the Cortex XDR console, from which two pages are you able to manually perform the agent upgrade action? (Choose two.)

A. Endpoint Administration

B. Asset Management

C. Action Center

D. Agent Installations

Correct Answer: AC

Question #77 Topic 1

Which version of Python is used in Live Terminal?

A. Python 3 with specific XDR Python libraries developed by Palo Alto Networks

B. Python 3 with standard Python libraries

C. Python 2 and 3 with standard Python libraries

D. Python 2 and 3 with specific XDR Python libraries developed by Palo Alto Networks

Correct Answer: A

Community vote distribution


B (100%)

  kareem101 Highly Voted  4 months ago

Selected Answer: B

The Answer is B.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Initiate-a-Live-Terminal-Session#:~:text=The%20Python%20command%20interpreter%20uses%20Unix%20command%20syntax%20and%20supports%20Python%203%20with%20standard%20Python%20libraries
upvoted 6 times

Question #78 Topic 1

Under which conditions is Local Analysis invoked to evaluate a file before the file is allowed to run?

A. The endpoint is disconnected or the verdict from WildFire is of a type malware.

B. The endpoint is disconnected or the verdict from WildFire is of a type unknown.

C. The endpoint is disconnected or the verdict from WildFire is of a type grayware.

D. The endpoint is disconnected or the verdict from WildFire is of a type benign.

Correct Answer: B


Question #79 Topic 1

What is the difference between presets and datasets in XQL?

A. A dataset is a Cortex data lake data source only; presets are built-in data source.

B. A dataset is a database; presets is a field.

C. A dataset is a built-in or third party source; presets group XDR data fields.

D. A dataset is a third-party data source; presets are built-in data source.

Correct Answer: C

Community vote distribution


C (100%)

  MatchaLatte 1 day, 19 hours ago

Selected Answer: C

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Datasets-and-Presets

Datasets - The standard, built-in data source that is available in every Cortex XDR instance is the xdr_data dataset. This dataset is comprised of both raw EDR events reported by the Cortex XDR agent, and of logs from different sources such as third-party logs.

Presets - Presets offer groupings of xdr_data fields that are useful for analyzing specific areas of network and endpoint activity.
upvoted 1 times

  7e078ca 1 month, 3 weeks ago


Use a preset to use pre-defined datasets in which data is stored (from the console description)
Answer: D
upvoted 1 times

Question #80 Topic 1

Cortex XDR is deployed in the enterprise and you notice a Cobalt Strike attack via an ongoing supply chain compromise was prevented on 1 server. What steps can you take to ensure the same protection is extended to all your servers?

A. Enable DLL Protection on all servers but there might be some false positives.

B. Conduct a thorough Endpoint Malware scan.

C. Create IOCs of the malicious files you have found to prevent their execution.

D. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.

Correct Answer: D


Question #81 Topic 1

Why would one threaten to encrypt a hypervisor or, potentially, multiple virtual machines running on a server?

A. To extort a payment from a victim or potentially embarrass the owners.

B. To gain notoriety and potentially a consulting position.

C. To better understand the underlying virtual infrastructure.

D. To potentially perform a Distributed Denial of Service attack.

Correct Answer: A

Question #82 Topic 1

What types of actions can you execute in a Live Terminal session?

A. Manage Processes, Manage Files, Run Operating System Commands, Run Python Commands and Scripts

B. Manage Network configurations, Quarantine Files, Run Powershell scripts

C. Apply patches, Reboot System, Send notification for end user, Run Python Commands and Scripts

D. Manage Processes, Manage Files, Run Operating System Commands, Run Ruby Commands and Scripts

Correct Answer: A


Question #83 Topic 1

How can you pivot within a row to the Causality View and Timeline views for further investigation?

A. Using the Open Card Only

B. Using Open Timeline actions Only

C. Using the Open Card and Open Timeline actions respectively

D. You can't pivot within a row to Causality view and Timeline views

Correct Answer: C


Question #84 Topic 1

What motivation do ransomware attackers have for returning access to systems once their victims have paid?

A. Failure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.

B. The ransomware attackers hope to trace the financial trail back and steal more from traditional banking institutions.

C. There is organized crime governance among attackers that requires the return of access to remain in good standing.

D. Nation-states enforce the return of system access through the use of laws and regulation.

Correct Answer: A

Question #85 Topic 1

What is the WildFire analysis file size limit for Windows PE files?

A. 500MB

B. 100MB

C. 1GB

D. No Limit

Correct Answer: B

Question #86 Topic 1

Which Exploit Prevention Module (EPM) provides better entropy for randomization of memory locations?

A. UASLR

B. JIT Mitigation

C. Memory Limit Heap spray check

D. DLL Security

Correct Answer: A


Question #87 Topic 1

To stop a network-based attack, any interference with a portion of the attack pattern is enough to prevent it from succeeding. Which statement is correct regarding the Cortex XDR Analytics module?

A. It interferes with the pattern as soon as it is observed on the endpoint.

B. It does not interfere with any portion of the pattern on the endpoint.

C. It does not need to interfere with the any portion of the pattern to prevent the attack.

D. It interferes with the pattern as soon as it is observed by the firewall.

Correct Answer: B

Question #88 Topic 1

The Cortex XDR console has triggered an incident, blocking a vitally important piece of software in your organization that is known to be benign.

Which of the following options would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization?

A. Create an endpoint-specific exception.

B. Create a global inclusion.

C. Create an individual alert exclusion.

D. Create a global exception.

Correct Answer: D

Question #89 Topic 1

What kind of malware uses encryption, data theft, denial of service, and possibly harassment to take advantage of a victim?

A. Rootkit

B. Keylogger

C. Ransomware

D. Worm

Correct Answer: C


Question #90 Topic 1

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?

A. Enable DLL Protection on all endpoints but there might be some false positives.

B. No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.

C. No step is required because the malicious document is already stopped.

D. Install latest content updates to recognize and prevent the activity.

Correct Answer: D

Question #91 Topic 1

Can you disable the ability to use the Live Terminal feature in Cortex XDR?

A. Yes, via Agent Settings Profile.

B. No, it is a required feature of the agent.

C. No, a separate installer package without Live Terminal is required.

D. Yes, via the Cortex XDR console or with an installation switch.

Correct Answer: D

