Palo Alto Networks Palo Alto Networks Certifications PCDRA Questions & Answers

• Question 1:

  When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?

  A. Click the three dots on the widget and then choose "Save" and this will link the query to the Widget Library.

  B. This isn't supported, you have to exit the dashboard and go into the Widget Library first to create it.

  C. Click on "Save to Action Center" in the dashboard and you will be prompted to give the query a name and description.

  D. Click on "Save to Widget Library" in the dashboard and you will be prompted to give the query a name and description.

  Correct Answer: D

  Explanation: To save a custom XQL query to the Widget Library, you need to click on "Save to Widget Library" in the dashboard and you will be prompted to give the query a name and description. This will allow you to reuse the query in other dashboards or reports. You cannot save a query to the Widget Library by clicking the three dots on the widget, as this will only give you options to edit, delete, or clone the widget. You also cannot save a query to the Action Center, as this is a different feature that allows you to create alerts or remediation actions based on the query results. You do not have to exit the dashboard and go into the Widget Library first to create a query, as you can do it directly from the dashboard. References: Cortex XDR Pro Admin Guide: Save a Custom Query to the Widget Library Cortex XDR Pro Admin Guide: Create a Dashboard

• Question 2:

  After scan, how does file quarantine function work on an endpoint?

  A. Quarantine takes ownership of the files and folders and prevents execution through access control.

  B. Quarantine disables the network adapters and locks down access preventing any communications with the endpoint.

  C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.

  D. Quarantine prevents an endpoint from communicating with anything besides the listed exceptions in the agent profile and Cortex XDR.

  Correct Answer: C

  Explanation: Quarantine is a feature of Cortex XDR that allows you to isolate a malicious file from its original location and prevent it from being executed. Quarantine works by moving the file to a protected folder on the endpoint and changing its permissions and attributes. Quarantine can be applied to files detected by periodic scans or by behavioral threat protection (BTP) rules. Quarantine is only supported for portable executable (PE) and dynamic link library (DLL) files. Quarantine does not affect the network connectivity or the communication of the endpoint with Cortex XDR. References: Quarantine Malicious Files Manage Quarantined Files

• Question 3:

  In the deployment of which Broker VM applet are you required to install a strong cipher SHA256-based SSL certificate?

  A. Agent Proxy

  B. Agent Installer and Content Caching

  C. Syslog Collector

  D. CSV Collector

  Correct Answer: B

  Explanation: The Agent Installer and Content Caching applet of the Broker VM is used to download and cache the Cortex XDR agent installation packages and content updates from Palo Alto Networks servers. This applet also acts as a proxy server for the Cortex XDR agents to communicate with the Cortex Data Lake and the Cortex XDR management console. To ensure secure communication between the Broker VM and the Cortex XDR agents, you are required to install a strong cipher SHA256-based SSL certificate on the Broker VM. The SSL certificate must have a common name or subject alternative name that matches the Broker VM FQDN or IP address. The SSL certificate must also be trusted by the Cortex XDR agents, either by using a certificate signed by a public CA or by manually installing the certificate on the endpoints. References: Agent Installer and Content Caching Install an SSL Certificate on the Broker VM

• Question 4:

  What kind of malware uses encryption, data theft, denial of service, and possibly harassment to take advantage of a victim?

  A. Ransomware

  B. Worm

  C. Keylogger

  D. Rootkit

  Correct Answer: A

  Explanation: The kind of malware that uses encryption, data theft, denial of service, and possibly harassment to take advantage of a victim is ransomware. Ransomware is a type of malware that encrypts the victim's files or blocks access to

  their system, and then demands a ransom for the decryption key or the restoration of access. Ransomware can also threaten to expose or delete the victim's data if the ransom is not paid. Ransomware can cause significant damage and

  disruption to individuals, businesses, and organizations, and can be difficult to remove or recover from. Some examples of ransomware are CryptoLocker, WannaCry, Ryuk, and REvil.

  References:

  12 Types of Malware + Examples That You Should Know - CrowdStrike What is Malware? Malware Definition, Types and Protection 12+ Types of Malware Explained with Examples (Complete List)

• Question 5:

  In the Cortex XDR console, from which two pages are you able to manually perform the agent upgrade action? (Choose two.)

  A. Asset Management

  B. Agent Installations

  C. Action Center

  D. Endpoint Administration

  Correct Answer: AD

  Explanation: To manually upgrade the Cortex XDR agents, you can use the Asset Management page or the Endpoint Administration page in the Cortex XDR console. On the Asset Management page, you can select one or more endpoints and click Actions > Upgrade Agent. On the Endpoint Administration page, you can select one or more agent versions and click Upgrade. You can also schedule automatic agent upgrades using the Agent Installations page. References: Asset Management Endpoint Administration Agent Installations

• Question 6:

  With a Cortex XDR Prevent license, which objects are considered to be sensors?

  A. Syslog servers

  B. Third-Party security devices

  C. Cortex XDR agents

  D. Palo Alto Networks Next-Generation Firewalls

  Correct Answer: C

  Explanation: The objects that are considered to be sensors with a Cortex XDR Prevent license are Cortex XDR agents and Palo Alto Networks Next-Generation Firewalls. These are the two sources of data that Cortex XDR can collect and analyze for threat detection and response. Cortex XDR agents are software components that run on endpoints, such as Windows, Linux, and Mac devices, and provide protection against malware, exploits, and fileless attacks. Cortex XDR agents also collect and send endpoint data, such as process activity, network traffic, registry changes, and user actions, to the Cortex Data Lake for analysis and correlation. Palo Alto Networks Next-Generation Firewalls are network security devices that provide visibility and control over network traffic, and enforce security policies based on applications, users, and content. Next-Generation Firewalls also collect and send network data, such as firewall logs, DNS logs, HTTP headers, and WildFire verdicts, to the Cortex Data Lake for analysis and correlation. By integrating data from both Cortex XDR agents and Next-Generation Firewalls, Cortex XDR can provide a comprehensive view of the attack surface and detect threats across the network and endpoint layers. References: Cortex XDR Prevent License Cortex XDR Agent Features Next-Generation Firewall Features

• Question 7:

  Which of the following is NOT a precanned script provided by Palo Alto Networks?

  A. delete_file

  B. quarantine_file

  C. process_kill_name

  D. list_directories

  Correct Answer: D

  Explanation: Palo Alto Networks provides a set of precanned scripts that you can use to perform various actions on your endpoints, such as deleting files, killing processes, or quarantining malware. The precanned scripts are written in Python

  and are available in the Agent Script Library in the Cortex XDR console. You can use the precanned scripts as they are, or you can customize them to suit your needs. The precanned scripts are:

  delete_file: Deletes a specific file from a local or removable drive. quarantine_file: Moves a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed. process_kill_name: Kills a

  process by its name on the endpoint. process_kill_pid: Kills a process by its process ID (PID) on the endpoint. process_kill_tree: Kills a process and all its child processes by its name on the endpoint.

  process_kill_tree_pid: Kills a process and all its child processes by its PID on the endpoint.

  process_list: Lists all the processes running on the endpoint, along with their names, PIDs, and command lines.

  process_list_tree: Lists all the processes running on the endpoint, along with their names, PIDs, command lines, and parent processes.

  process_start: Starts a process on the endpoint by its name or path. registry_delete_key: Deletes a registry key and all its subkeys and values from the Windows registry.

  registry_delete_value: Deletes a registry value from the Windows registry. registry_list_key: Lists all the subkeys and values under a registry key in the Windows registry.

  registry_list_value: Lists the value and data of a registry value in the Windows registry.

  registry_set_value: Sets the value and data of a registry value in the Windows registry.

  The script list_directories is not a precanned script provided by Palo Alto Networks. It is a custom script that you can write yourself using Python commands.

  References:

  Run Scripts on an Endpoint

  Agent Script Library

  Precanned Scripts

• Question 8:

  In Windows and macOS you need to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. What is one way to add an exception for the singer?

  A. In the Restrictions Profile, add the file name and path to the Executable Files allow list.

  B. Create a new rule exception and use the singer as the characteristic.

  C. Add the signer to the allow list in the malware profile.

  D. Add the signer to the allow list under the action center page.

  Correct Answer: C

  Explanation: To prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer in Windows and macOS, one way to add an exception for the signer is to add the signer to the allow list in the malware profile. A

  malware profile is a profile that defines the settings and actions for malware prevention and detection on the endpoints. A malware profile allows you to specify a list of files, folders, or signers that you want to exclude from malware scanning

  and blocking. By adding the signer to the allow list in the malware profile, you can prevent the Cortex XDR Agent from blocking any file that is signed by that signer1.

  Let's briefly discuss the other options to provide a comprehensive explanation:

  A. In the Restrictions Profile, add the file name and path to the Executable Files allow list: This is not the correct answer. Adding the file name and path to the Executable Files allow list in the Restrictions Profile will not prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. A Restrictions Profile is a profile that defines the settings and actions for restricting the execution of files or processes on the endpoints. A Restrictions Profile allows you to specify a list of executable files that you want to allow or block based on the file name and path. However, this method does not take into account the digital signer of the file, and it may not be effective if the file name or path changes2. B. Create a new rule exception and use the signer as the characteristic: This is not the correct answer. Creating a new rule exception and using the signer as the characteristic will not prevent theCortex XDR Agent from blocking execution of a file based on the digital signer. A rule exception is an exception that you can create to modify the behavior of a specific prevention rule or BIOC rule. A rule exception allows you to specify the characteristics and the actions that you want to apply to the exception, such as file hash, process name, IP address, or domain name. However, this method does not support using the signer as a characteristic, and it may not be applicable to all prevention rules or BIOC rules3.

  D. Add the signer to the allow list under the action center page: This is not the correct answer. Adding the signer to the allow list under the action center page will not prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. The action center page is a page that allows you to create and manage actions that you can perform on your endpoints, such as isolating, scanning, collecting files, or executing scripts. The action center page does not have an option to add a signer to the allow list, and it is not related to the malware prevention or detection functionality4. In conclusion, to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer in Windows and macOS, one way to add an exception for the signer is to add the signer to the allow list in the malware profile. By using this method, you can exclude the files that are signed by the trusted signer from the malware scanning and blocking. References: Add a New Malware Security Profile Add a New Restrictions Security Profile Create a Rule Exception Action Center

• Question 9:

  When creating a scheduled report which is not an option?

  A. Run weekly on a certain day and time.

  B. Run quarterly on a certain day and time.

  C. Run monthly on a certain day and time.

  D. Run daily at a certain time (selectable hours and minutes).

  Correct Answer: B

  Explanation: When creating a scheduled report in Cortex XDR, the option to run quarterly on a certain day and time is not available. You can only schedule reports to run daily, weekly, or monthly. You can also specify the start and end dates, the time zone, and the recipients of the report. Scheduled reports are useful for generating regular reports on the security events, incidents, alerts, or endpoints in your network. You can create scheduled reports from the Reports page in the Cortex XDR console, or from the Query Center by saving a query as a report. References: Run or Schedule Reports Create a Scheduled Report

• Question 10:

  What license would be required for ingesting external logs from various vendors?

  A. Cortex XDR Pro per Endpoint

  B. Cortex XDR Vendor Agnostic Pro

  C. Cortex XDR Pro per TB

  D. Cortex XDR Cloud per Host

  Correct Answer: C

  Explanation: To ingest external logs from various vendors, you need a Cortex XDR Pro per TB license. This license allows you to collect and analyze logs from Palo Alto Networks and third-party sources, such as firewalls, proxies, endpoints, cloud services, and more. You can use the Log Forwarding app to forward logs from the Logging Service to an external syslog receiver. The Cortex XDR Pro per Endpoint license only supports logs from Cortex XDR agents installed on endpoints. The Cortex XDR Vendor Agnostic Pro and Cortex XDR Cloud per Host licenses do not exist. References: Features by Cortex XDR License Type Log Forwarding App for Cortex XDR Analytics SaaS Log Collection