PCDRA
Question 1
Phishing belongs to which of the following MITRE ATT&CK tactics?
- A: Initial Access, Persistence
- B: Persistence, Command and Control
- C: Reconnaissance, Persistence
- D: Reconnaissance, Initial Access
Question 2
When viewing the incident directly, what is the “assigned to” field value of a new Incident that was just reported to Cortex?
- A: Pending
- B: It is blank
- C: Unassigned
- D: New
Question 3
In incident-related widgets, how would you filter the display to only show incidents that were “starred”?
- A: Create a custom XQL widget
- B: This is not currently supported
- C: Create a custom report and filter on starred incidents
- D: Click the star in the widget
Question 4
Where would you view the WildFire report in an incident?
- A: next to relevant Key Artifacts on the incident details page
- B: under Response --> Action Center
- C: under the gear icon --> Agent Audit Logs
- D: on the HUB page at apps.paloaltonetworks.com
Question 5
What does the following output tell us?
- A: There is one low severity incident.
- B: Host shpapy_win10 had the most vulnerabilities.
- C: There is one informational severity alert.
- D: This is an actual output of the Top 10 hosts with the most malware.
Question 6
Which engine, of the following, in Cortex XDR determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident?
- A: Sensor Engine
- B: Causality Analysis Engine
- C: Log Stitching Engine
- D: Causality Chain Engine
Question 7
Which type of BIOC rule is currently available in Cortex XDR?
- A: Threat Actor
- B: Discovery
- C: Network
- D: Dropper
Question 8
In Windows and macOS you need to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. What is one way to add an exception for the signer?
- A: In the Restrictions Profile, add the file name and path to the Executable Files allow list.
- B: Create a new rule exception and use the signer as the characteristic.
- C: Add the signer to the allow list in the malware profile.
- D: Add the signer to the allow list under the action center page.
Question 9
As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to download Cobalt Strike on one of your servers. Days later, you learn about a massive ongoing supply chain attack. Using Cortex XDR you recognize that your server was compromised by the attack and that Cortex XDR prevented it. What steps can you take to ensure that the same protection is extended to all your servers?
- A: Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
- B: Enable DLL Protection on all servers but there might be some false positives.
- C: Create IOCs of the malicious files you have found to prevent their execution.
- D: Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.
Question 10
Which statement is true based on the following Agent Auto Upgrade widget?
- A: There are a total of 689 Up To Date agents.
- B: Agent Auto Upgrade was enabled but not on all endpoints.
- C: Agent Auto Upgrade has not been enabled.
- D: There are more agents in Pending status than In Progress status.
Question 11
What is the purpose of targeting software vendors in a supply-chain attack?
- A: to take advantage of a trusted software delivery method.
- B: to steal users’ login credentials.
- C: to access source code.
- D: to report Zero-day vulnerabilities.
Question 12
When creating a BIOC rule, which XQL query can be used?
- A: dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
- B: dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
- C: dataset = xdr_data | filter action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe" | fields action_process_image
- D: dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
Question 13
What is the standard installation disk space recommended to install a Broker VM?
- A: 1GB disk space
- B: 2GB disk space
- C: 512GB disk space
- D: 256GB disk space
Question 14
Where can SHA256 hash values be used in Cortex XDR Malware Protection Profiles?
- A: in the macOS Malware Protection Profile to indicate allowed signers
- B: in the Linux Malware Protection Profile to indicate allowed Java libraries
- C: SHA256 hashes cannot be used in Cortex XDR Malware Protection Profiles
- D: in the Windows Malware Protection Profile to indicate allowed executables
Question 15
How does Cortex XDR agent for Windows prevent ransomware attacks from compromising the file system?
- A: by encrypting the disk first.
- B: by utilizing decoy Files.
- C: by retrieving the encryption key.
- D: by patching vulnerable applications.
Question 16
What functionality of the Broker VM would you use to ingest third-party firewall logs to the Cortex Data Lake?
- A: Netflow Collector
- B: Syslog Collector
- C: DB Collector
- D: Pathfinder
Question 17
In the deployment of which Broker VM applet are you required to install a strong cipher SHA256-based SSL certificate?
- A: Agent Proxy
- B: Agent Installer and Content Caching
- C: Syslog Collector
- D: CSV Collector
Question 18
When is the wss (WebSocket Secure) protocol used?
- A: when the Cortex XDR agent downloads new security content
- B: when the Cortex XDR agent uploads alert data
- C: when the Cortex XDR agent connects to WildFire to upload files for analysis
- D: when the Cortex XDR agent establishes a bidirectional communication channel
Question 19
With a Cortex XDR Prevent license, which objects are considered to be sensors?
- A: Syslog servers
- B: Third-Party security devices
- C: Cortex XDR agents
- D: Palo Alto Networks Next-Generation Firewalls