Which component of Cortex XDR is designed to detect insider threats?
A. Forensics
B. Identity Analytics
C. Cloud Identity Engine
D. Host Insights
A customer is investigating a security incident in which unusual network traffic is observed and a malicious process is identified on an endpoint.
Which Cortex XDR capability assists with correlating firewall network logs and endpoint data in this environment?
A. Log stitching
B. User authentication management
C. Indicator of compromise (IOC) rule
D. Analytics
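The correlation this question asks about, joining firewall traffic logs to endpoint network events so that each session can be attributed to the process that opened it, is shown below as an added example. This is illustrative Python written for this page, not Cortex XDR's own log-stitching implementation; the record layouts, the 4-tuple-plus-time-window join rule, and every log entry are constructed assumptions.

```python
"""Added example: stitching firewall traffic logs to endpoint network events.
Illustrative Python, not Cortex XDR's own log-stitching code.
All records below are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FirewallSession:
    """One firewall traffic log entry (fields reduced for the example)."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_sent: int


@dataclass(frozen=True)
class EndpointConnection:
    """One agent-reported outbound connection, attributed to a process."""
    ts: datetime
    host: str
    process: str
    pid: int
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def stitch(sessions, connections, window=timedelta(seconds=30)):
    """Join firewall sessions to endpoint connections on the 4-tuple
    (src ip, src port, dst ip, dst port) when the two timestamps are within
    `window` of each other. Returns (session, connection-or-None) pairs."""
    by_tuple = {}
    for c in connections:
        key = (c.local_ip, c.local_port, c.remote_ip, c.remote_port)
        by_tuple.setdefault(key, []).append(c)
    stitched = []
    for s in sessions:
        key = (s.src_ip, s.src_port, s.dst_ip, s.dst_port)
        # Same 4-tuple can recur later (ephemeral port reuse), so the
        # time window is what keeps a stale endpoint record from matching.
        match = next((c for c in by_tuple.get(key, [])
                      if abs(c.ts - s.ts) <= window), None)
        stitched.append((s, match))
    return stitched


def attribute(sessions, connections):
    """Map each session, keyed by (src ip, src port), to its process name,
    or None when no endpoint record exists (e.g. host has no agent)."""
    return {(s.src_ip, s.src_port): (c.process if c else None)
            for s, c in stitch(sessions, connections)}


def bytes_by_process(sessions, connections):
    """Sum the bytes the firewall saw leaving the network, per process."""
    totals = {}
    for s, c in stitch(sessions, connections):
        name = c.process if c else "unattributed"
        totals[name] = totals.get(name, 0) + s.bytes_sent
    return totals


# Constructed sample data for a single investigation.
T0 = datetime(2024, 5, 1, 10, 0, 0)
SESSIONS = [
    FirewallSession(T0, "10.1.2.3", 51234, "203.0.113.10", 443, 4_800),
    FirewallSession(T0 + timedelta(seconds=60), "10.1.2.3", 51240,
                    "198.51.100.7", 8443, 52_000_000),
    FirewallSession(T0 + timedelta(seconds=120), "10.1.2.9", 49811,
                    "203.0.113.10", 443, 3_100),
]
CONNECTIONS = [
    EndpointConnection(T0 + timedelta(seconds=2), "WS01", "chrome.exe", 4412,
                       "10.1.2.3", 51234, "203.0.113.10", 443),
    EndpointConnection(T0 + timedelta(seconds=58), "WS01", "svchost_update.exe",
                       6180, "10.1.2.3", 51240, "198.51.100.7", 8443),
    # Stale reuse of the first 4-tuple, well outside the window.
    EndpointConnection(T0 + timedelta(seconds=400), "WS01", "chrome.exe", 4412,
                       "10.1.2.3", 51234, "203.0.113.10", 443),
]

if __name__ == "__main__":
    for s, c in stitch(SESSIONS, CONNECTIONS):
        who = f"{c.host}:{c.process}[{c.pid}]" if c else "no endpoint record"
        print(f"{s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port} "
              f"{s.bytes_sent} bytes  <- {who}")
```

The join is deliberately naive: source NAT between the endpoint and the firewall, or an explicit proxy, changes the source address and port the firewall sees, so a real stitching pipeline needs the translated tuple as well. The third session stays unattributed because no agent reported it, which is itself a finding worth recording during the investigation.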
Which sensor is used by Cortex XSIAM to identify and collect DNS queries, HTTP headers, and DHCP information?
A. Windows Event Collector logs
B. Directory Sync logs
C. Pathfinder data collector
D. Enhanced application logs
What is enabled by Role Based Access Control (RBAC) in Cortex XDR?
A. Management of permissions and assignment of administrator access rights.
B. Ability to manage Cortex XDR features based on job function.
C. Automated response to detected threats based on user roles.
D. Granular control and visibility over network traffic policies based on user roles.
Which two steps belong in the Cortex XSOAR incident lifecycle? (Choose two.)
A. Planning
B. Incident creation
C. Incident notification
D. Preparation
Which scripting language would create a custom widget in Cortex XDR that shows the top five accounts with failed Windows logons in the past 24 hours?
A. XQL
B. JavaScript
C. Python
D. PowerShell
Which response action in Cortex XSIAM would be unavailable to a SOC analyst investigating an incident involving a Linux server?
A. File search and destroy
B. Live Terminal session initiation
C. Running a script
D. Halting network access
What is the role of content packs in Cortex XSOAR?
A. To provide prebuilt bundles for supporting security orchestration use cases
B. To support technical support teams with relevant information required to troubleshoot
C. To serve as a central location for installing, exchanging, and contributing content
D. To serve as a major software versioning update
A file hash is evaluated in Cortex XSOAR using two different threat feeds:
VirusTotal feed (reliability rating B, usually reliable): the file verdict is malicious
AlienVault feed (reliability rating B, usually reliable): the file verdict is benign
What is the file verdict in XSOAR?
A. Benign
B. Malicious
C. Unknown
D. Suspicious
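The scenario above turns on how a platform combines conflicting verdicts from sources of differing reliability. The following is an added example written for this page, not Cortex XSOAR's own reputation code. The reliability letters (A+ through F) and the DBotScore values (0 unknown, 1 benign, 2 suspicious, 3 malicious) follow XSOAR's published scales; the rule that the most reliable source wins is XSOAR's documented behaviour, while the handling of Unknown scores and the tie-break between equally reliable sources are assumptions stated in the code.

```python
"""Added example: reliability-weighted verdict merge across threat feeds.
Illustrative Python, not Cortex XSOAR's own reputation logic.
Assumptions: sources returning Unknown (0) are skipped, and on equal
reliability the most severe score wins unless tie_break="best"."""
from dataclasses import dataclass

RELIABILITY_ORDER = ["A+", "A", "B", "C", "D", "E", "F"]  # most reliable first
SCORE_NAMES = {0: "Unknown", 1: "Benign", 2: "Suspicious", 3: "Malicious"}


@dataclass(frozen=True)
class FeedVerdict:
    source: str
    reliability: str  # one of RELIABILITY_ORDER
    score: int        # DBotScore: 0 unknown, 1 benign, 2 suspicious, 3 malicious


def reliability_rank(letter):
    """Lower rank is more reliable; an unknown grade raises ValueError."""
    return RELIABILITY_ORDER.index(letter)


def merge_verdicts(verdicts, tie_break="worst"):
    """Return the DBotScore of the most reliable source(s).

    Sources that returned Unknown carry no opinion and are skipped
    (assumption). Among the most reliable remaining sources, "worst"
    takes the highest score so a malicious call is never silently
    discarded; "best" takes the lowest (both are assumptions)."""
    opinions = [v for v in verdicts if v.score != 0]
    if not opinions:
        return 0
    best_rank = min(reliability_rank(v.reliability) for v in opinions)
    top = [v for v in opinions if reliability_rank(v.reliability) == best_rank]
    scores = [v.score for v in top]
    return max(scores) if tie_break == "worst" else min(scores)


def verdict_name(verdicts, **kwargs):
    return SCORE_NAMES[merge_verdicts(verdicts, **kwargs)]


# Constructed inputs mirroring the question: two B-rated feeds that disagree.
FILE_HASH_VERDICTS = [
    FeedVerdict("VirusTotal", "B", 3),
    FeedVerdict("AlienVault", "B", 1),
]

if __name__ == "__main__":
    for v in FILE_HASH_VERDICTS:
        print(f"{v.source:<11} reliability={v.reliability} "
              f"verdict={SCORE_NAMES[v.score]}")
    print("merged (worst wins on tie):", verdict_name(FILE_HASH_VERDICTS))
    print("merged (best wins on tie): ",
          verdict_name(FILE_HASH_VERDICTS, tie_break="best"))
```

The practical check is the second branch: a malicious call from a C-rated feed must not override a benign call from an A-rated feed, otherwise low-quality feeds can drive blocking decisions. Whatever tie-break a platform applies, a conflict between equally reliable sources is a signal to enrich the indicator further rather than trust the merged score on its own.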
Which incident should a responder prioritize based on overall functional and informational impact to the company?
A. A user in the accounting department receives a pop-up message after visiting a website.
B. A public-facing web server has multiple failed login attempts over a short period of time.
C. An external-facing company website is currently unavailable.
D. A large upload of user data from an internal file server to a public website occurs.
Which action should an administrator take to create automated response actions when a user account is compromised, allowing an attacker to upload data to an external IP address and infect a machine on the company network with malware?
A. Create automation rules in Cortex XDR that will trigger for each alert.
B. Create a script in Cortex XSOAR that will run a playbook based on the scenario.
C. Create playbook triggers in Cortex XSIAM and run playbooks for each alert.
D. Map the events to a Cortex XSOAR incident type, then run a playbook.
During a sophisticated cyber attack, a company experiences a stealthy, multivector intrusion that evades detection by traditional security tools.
The company requires a solution that will correlate and analyze the disparate attack indicators across its network, endpoints, and cloud environments to uncover the full scope of the breach and take immediate automated response actions.
Which solution should be recommended?
A. XDR
B. SIEM
C. EDR
D. XSOAR
What is a difference between cold storage and hot storage in Cortex?
A. Cold storage is required, while hot storage is optional.
B. Cold storage and hot storage can be stored in different cloud locations.
C. Logs in cold storage have more details than logs stored in hot storage.
D. Querying logs in cold storage takes more time than querying logs in hot storage.
Where in Cortex XSOAR are analysts able to collaborate and converse with others for joint real-time investigations?
A. Investigations tab
B. War Room
C. Evidence Board
D. Work plan
Which Cortex XDR component raises an alert when suspicious activity composed of multiple events is detected and deviates from established baseline behavior?
A. Analytics Engine
B. Causality Analysis Engine
C. XQL Query Engine
D. Cloud Identity Engine
Which two types of content can be installed or upgraded through a Cortex XSIAM content pack? (Choose two.)
A. Analytics alerts
B. Playbook triggers
C. Data Model rules
D. Behavioral Threat Protection (BTP)
What is required to enable ingestion of on-premises firewall logs into Cortex XDR?
A. Broker VM
B. API
C. PAN-OS content pack
D. Cloud Identity Engine
A new incident in Cortex XSIAM contains WildFire malware and Behavioral Threat Protection (BTP) alerts about an unsigned process attempting to dump the memory of lsass.exe.
Which initial verdict applies to this incident?
A. False positive
B. True positive
C. False negative
D. True negative
Where can an administrator begin to grant a new non-SSO user access to a Cortex XDR tenant?
A. Cortex XDR tenant settings under Access Management
B. Cortex Gateway
C. Customer Support Portal
D. IT Service Portal
Where can the actions taken to stitch alerts together in Cortex XSIAM be viewed?
A. Alerts and Insights
B. Timeline
C. Causality chain
D. Key Assets & Artifacts
What determines the indicator layout displayed and the scripts that will run on an indicator of compromise (IOC) in Cortex XSIAM?
A. Size
B. Type
C. Date
D. Origin
Which action is performed as the final step of the NIST incident response plan?
A. Updating incident response procedures
B. Gathering evidence
C. Restoring from backups
D. Conducting incident response training exercises
What is the purpose of incident types in Cortex XSOAR?
A. They categorize manual and automated incidents, trigger playbooks automatically, and require predefined fields and integrations.
B. They assist in mapping manual incidents, assign default playbooks, and require inline auto-extraction of indicators.
C. They classify events ingested through integrations or the REST API, can trigger specific playbooks, and include customizable layouts and service-level agreement (SLA) parameters.
D. They manually create incidents, configure universal playbooks, and enforce strict adherence to preset service-level agreement (SLA) reminders.
Which activities are facilitated through the War Room in Cortex XSOAR?
A. Creating, editing, and deleting tasks in the workplan
B. Running security playbooks, scripts, and commands
C. Conducting initial investigation of incident data and threat intelligence