PAN-XDRE Exam Details

  • Exam Code: PAN-XDRE
  • Exam Name: Palo Alto Networks XDR Engineer
  • Certification: Palo Alto Networks Certifications
  • Vendor: Palo Alto Networks
  • Total Questions: 50 Q&As
  • Last Updated: Jan 17, 2026

Palo Alto Networks PAN-XDRE Online Questions & Answers

  • Question 1:

    In addition to using valid authentication credentials, what is required to enable the setup of the Database Collector applet on the Broker VM to ingest database activity?

    A. Valid SQL query targeting the desired data
    B. Access to the database audit log
    C. Database schema exported in the correct format
    D. Access to the database transaction log

  • Question 2:

    Which XQL query can be saved as a behavioral indicator of compromise (BIOC) rule, then converted to a custom prevention rule?

    A. dataset = xdr_data | filter event_type = ENUM.DEVICE and action_process_image_name = "**" and action_process_image_command_line = "-e cmd*" and action_process_image_command_line != "*cmd.exe -a /c*"
    B. dataset = xdr_data | filter event_type = ENUM.PROCESS and event_type = ENUM.DEVICE and action_process_image_name = "**" and action_process_image_command_line = "-e cmd*" and action_process_image_command_line != "*cmd.exe -a /c*"
    C. dataset = xdr_data | filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME) and agent_hostname = "hostname" | filter lowercase(action_file_path) in ("/etc/*", "/usr/local/share/*", "/usr/share/*") and action_file_extension in ("conf", "txt") | fields action_file_name, action_file_path, action_file_type, agent_ip_addresses, agent_hostname, action_file_path
    D. dataset = xdr_data | filter event_type = ENUM.PROCESS and action_process_image_name = "**" and action_process_image_command_line = "-e cmd*" and action_process_image_command_line != "*cmd.exe -a /c*"

  • Question 3:

    A static endpoint group is created by adding 321 endpoints using the Upload From File feature. However, after group creation, the members count field shows 244 endpoints. What are two possible reasons why endpoints were not added to the group? (Choose two.)

    A. Static groups have a limit of 250 endpoints when adding by file
    B. Endpoints added to the new group were previously added to an existing group
    C. Endpoints added to the group were in Disconnected or Connection Lost status when group membership was added
    D. The IP address, hostname, or alias of the endpoints must match an existing agent that has registered with the tenant

  • Question 4:

    Using the Cortex XDR console, how can additional network access be allowed from a set of IP addresses to an isolated endpoint?

    A. Add entries in Configuration section of Security Settings
    B. Add entries in the Allowed Domains section of Security Settings for the tenant
    C. Add entries in Exceptions Configuration section of Isolation Exceptions
    D. Add entries in Response Actions section of Agent Settings profile

  • Question 5:

    Which statement describes the functionality of fixed filters and dashboard drilldowns in enhancing a dashboard's interactivity and data insights?

    A. Fixed filters allow users to select predefined data values, while dashboard drilldowns enable users to alter the scope of the data displayed by selecting filter values from the dashboard header
    B. Fixed filters limit the data visible in widgets, while dashboard drilldowns allow users to download data from the dashboard in various formats
    C. Fixed filters let users select predefined or dynamic values to adjust the scope, while dashboard drilldowns provide interactive insights or trigger contextual changes, like linking to XQL searches
    D. Fixed filters allow users to adjust the layout, while dashboard drilldowns provide links to external reports and/or dashboards

  • Question 6:

    Based on the Malware profile image below, what happens when a new custom-developed application attempts to execute on an endpoint?

    A. It will immediately execute
    B. It will not execute
    C. It will execute after one hour
    D. It will execute after the second attempt

  • Question 7:

    An engineer wants to automate the handling of alerts in Cortex XDR and defines several automation rules with different actions to be triggered based on specific alert conditions. Some alerts do not trigger the automation rules as expected. Which statement explains why the automation rules might not apply to certain alerts?

    A. They are executed in sequential order, so alerts may not trigger the correct actions if the rules are not configured properly
    B. They only apply to new alerts grouped into incidents by the system and only alerts that generate incidents trigger automation actions
    C. They can only be triggered by alerts with high severity; alerts with low or informational severity will not trigger the automation rules
    D. They can be applied to any alert, but they only work if the alert is manually grouped into an incident by the analyst

  • Question 8:

    A security audit determines that the Windows Cortex XDR host-based firewall is not blocking outbound RDP connections for certain remote workers. The audit report confirms the following:

    All devices are running healthy Cortex XDR agents.

    A single host-based firewall rule to block all outbound RDP is implemented.

    The policy hosting the profile containing the rule applies to all Windows endpoints.

    The logic within the firewall rule is adequate.

    Further testing concludes RDP is successfully being blocked on all devices tested at company HQ.

    Network location configuration in Agent Settings is enabled on all Windows endpoints.

    What is the likely reason the RDP connections are not being blocked?

    A. The profile's default action for outbound traffic is set to Allow
    B. The pertinent host-based firewall rule group is only applied to external rule groups
    C. Report mode is set to Enabled in the report settings under the profile configuration
    D. The pertinent host-based firewall rule group is only applied to internal rule groups

  • Question 9:

    During the deployment of a Broker VM in a high availability (HA) environment, after configuring the Broker VM FQDN, an XDR engineer must ensure agent installer availability and efficient content caching to maintain performance consistency across failovers. Which additional configuration steps should the engineer take?

    A. Use shared SSL certificates and keys for all Broker VMs and configure a single IP address for failover
    B. Upload the-signed SSL server certificate and key and deploy a load balancer
    C. Deploy a load balancer and configure SSL termination at the load balancer
    D. Enable synchronized session persistence across Broker VMs and use a self-signed certificate and key

  • Question 10:

    What is a benefit of ingesting and forwarding Palo Alto Networks NGFW logs to Cortex XDR?

    A. Sending endpoint logs to the NGFW for analysis
    B. Blocking network traffic based on Cortex XDR detections
    C. Enabling additional analysis through enhanced application logging
    D. Automated downloading of malware signatures from the NGFW

Tips on How to Prepare for the Exams

Certification exams are becoming more important, and more enterprises require them of job applicants. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Palo Alto Networks exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your PAN-XDRE exam preparation and Palo Alto Networks certification application, do not hesitate to visit Vcedump.com to find your solutions.