Palo Alto Networks Palo Alto Networks Certifications PCDRA Questions & Answers

• Question 21:

  Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?

  A. Hash Verdict Determination

  B. Behavioral Threat Protection

  C. Restriction Policy

  D. Child Process Protection

  Correct Answer: A

  Explanation: The first protection module that is checked in the Cortex XDR Windows agent malware protection flow is the Hash Verdict Determination. This module compares the hash of the executable file that is about to run on the endpoint with a list of known malicious hashes stored in the Cortex XDR cloud. If the hash matches a malicious hash, the agent blocks the execution and generates an alert. If the hash does not match a malicious hash, the agent proceeds to the next protection module, which is the Restriction Policy1. The Hash Verdict Determination module is the first line of defense against malware, as it can quickly and efficiently prevent known threats from running on the endpoint. However, this module cannot protect against unknown or zero-day threats, which have no known hash signature. Therefore, the Cortex XDR agent relies on other protection modules, such as Behavioral Threat Protection, Child Process Protection, and Exploit Protection, to detect and block malicious behaviors and exploits that may occur during the execution of the file1. References: Palo Alto Networks Cortex XDR Documentation, File Analysis and Protection Flow

• Question 22:

  Which license is required when deploying Cortex XDR agent on Kubernetes Clusters as a DaemonSet?

  A. Cortex XDR Pro per TB

  B. Host Insights

  C. Cortex XDR Pro per Endpoint

  D. Cortex XDR Cloud per Host

  Correct Answer: D

  Explanation: When deploying Cortex XDR agent on Kubernetes clusters as a DaemonSet, the license required is Cortex XDR Cloud per Host. This license allows you to protect and monitor your cloud workloads, such as Kubernetes clusters, containers, and serverless functions, using Cortex XDR. With Cortex XDR Cloud per Host license, you can deploy Cortex XDR agents as DaemonSets on your Kubernetes clusters, which ensures that every node in the cluster runs a copy of the agent. The Cortex XDR agent collects and sends data from the Kubernetes cluster, such as pod events, container logs, and network traffic, to the Cortex Data Lake for analysis and correlation. Cortex XDR can then detect and respond to threats across your cloud environment, and provide visibility and context into your cloud workloads. The Cortex XDR Cloud per Host license is based on the number of hosts that run the Cortex XDR agent, regardless of the number of containers or functions on each host. A host is defined as a virtual machine, a physical server, or a Kubernetes node that runs the Cortex XDR agent. You can read more about the Cortex XDR Cloud per Host license and how to deploy Cortex XDR agent on Kubernetes clusters here1 and here2. References: Cortex XDR Cloud per Host License Deploy Cortex XDR Agent on Kubernetes Clusters as a DaemonSet

• Question 23:

  Which module provides the best visibility to view vulnerabilities?

  A. Live Terminal module

  B. Device Control Violations module

  C. Host Insights module

  D. Forensics module

  Correct Answer: C

  The Host Insights module provides the best visibility to view vulnerabilities on your endpoints. The Host Insights module is an add-on feature for Cortex XDR that combines vulnerability management, application and system visibility, and a Search and Destroy feature to help you identify and contain threats. The vulnerability management feature allows you to scan your Windows endpoints for known vulnerabilities and missing patches, and view the results in the Cortex XDR console. You can also filter and sort the vulnerabilities by severity, CVSS score, CVE ID, or patch availability. The Host Insights module helps you reduce your exposure to threats and improve your security posture. References: Host Insights Vulnerability Management

• Question 24:

  Which type of IOC can you define in Cortex XDR?

  A. Destination IP Address

  B. Source IP Address

  C. Source port

  D. Destination IPAddress: Destination

  Correct Answer: A

  Explanation: Cortex XDR allows you to define IOC rules based on various types of indicators of compromise (IOC) that you can use to detect and respond to threats in your network. One of the types of IOC that you can define in Cortex XDR is destination IP address, which is the IP address of the remote host that a local endpoint is communicating with. You can use this type of IOC to identify malicious network activity, such as connections to command and control servers, phishing sites, or malware distribution hosts. You can also specify the direction of the network traffic (inbound or outbound) and the protocol (TCP or UDP) for the destination IP address IOC. References: Cortex XDR documentation portal Is there a possibility to create an IOC list to employ it in a query? Cortex XDR Datasheet

• Question 25:

  To create a BIOC rule with XQL query you must at a minimum filter on which field in order for it to be a valid BIOC rule?

  A. causality_chain

  B. endpoint_name

  C. threat_event

  D. event_type

  Correct Answer: D

  Explanation: To create a BIOC rule with XQL query, you must at a minimum filter on the event_type field in order for it to be a valid BIOC rule. The event_type field indicates the type of event that triggered the alert, such as PROCESS, FILE, REGISTRY, NETWORK, or USER_ACCOUNT. Filtering on this field helps you narrow down the scope of your query and focus on the relevant events for your use case. Other fields, such as causality_chain, endpoint_name, threat_event, are optional and can be used to further refine your query or display additional information in the alert. References: Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA) Study Guide, page 9 Palo Alto Networks Cortex XDR Documentation, BIOC Rule Query Syntax

• Question 26:

  What is the Wildfire analysis file size limit for Windows PE files?

  A. No Limit

  B. 500MB

  C. 100MB

  D. 1GB

  Correct Answer: C

  Explanation: The Wildfire analysis file size limit for Windows PE files is 100MB. Windows PE files are executable files that run on the Windows operating system, such as .exe, .dll, .sys, or .scr files. Wildfire is a cloud-based service that analyzes files and URLs for malicious behavior and generates signatures and protections for them. Wildfire can analyze various file types, such as PE, APK, PDF, MS Office, and others, but each file type has a different file size limit. The file size limit determines the maximum size of the file that can be uploaded or forwarded to Wildfire for analysis. If the file size exceeds the limit, Wildfire will not analyze the file and will return an error message. According to the Wildfire documentation1, the file size limit for Windows PE files is 100MB. This means that any PE file that is larger than 100MB will not be analyzed by Wildfire. However, the firewall can still apply other security features, such as antivirus, antispyware, vulnerability protection, and file blocking, to the PE file based on the security policy settings. The firewall can also perform local analysis on the PE file using the Cortex XDR agent, which uses machine learning models to assess the file and assign it a verdict2. References: WildFire File Size Limits: This document provides the file size limits for different file types that can be analyzed by Wildfire. Local Analysis: This document explains how the Cortex XDR agent performs local analysis on files that cannot be sent to Wildfire for analysis.

• Question 27:

  Which of the following policy exceptions applies to the following description?

  `An exception allowing specific PHP files'

  A. Support exception

  B. Local file threat examination exception

  C. Behavioral threat protection rule exception

  D. Process exception

  Correct Answer: B

  Explanation: The policy exception that applies to the following description is B, local file threat examination exception. A local file threat examination exception is an exception that allows you to exclude specific files or folders from being scanned by the Cortex XDR agent for malware or threats. You can use this exception to prevent false positives, performance issues, or compatibility problems with legitimate files or applications. You can define the local file threat examination exception by file name, file path, file hash, or digital signer. For example, you can create a local file threat examination exception for specific PHP files by entering their file names or paths in the exception configuration. References: Local File Threat Examination Exceptions Create a Local File Threat Examination Exception

• Question 28:

  Which Exploit ProtectionModule (EPM) can be used to prevent attacks based on OS function?

  A. UASLR

  B. JIT Mitigation

  C. Memory Limit Heap Spray Check

  D. DLL Security

  Correct Answer: B

  Explanation: JIT Mitigation is an Exploit Protection Module (EPM) that can be used to prevent attacks based on OS function. JIT Mitigation protects against exploits that use the Just-In-Time (JIT) compiler of the OS to execute malicious code. JIT Mitigation monitors the memory pages that are allocated by the JIT compiler and blocks any attempts to execute code from those pages. This prevents attackers from using the JIT compiler as a way to bypass other security mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). References: Palo Alto Networks. (2023). PCDRA Study Guide. PDF file. Retrieved from https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/ education/pcdra-study-guide.pdf Palo Alto Networks. (2021). Exploit Protection Modules. Web page. Retrieved from https://docs.paloaltonetworks.com/traps/6-0/traps-endpoint-security-manager- admin/traps-endpoint-security-policies/exploit-protection-modules.html

• Question 29:

  Which statement regarding scripts in Cortex XDR is true?

  A. Any version of Python script can be run.

  B. The level of risk is assigned to the script upon import.

  C. Any script can be imported including Visual Basic (VB) scripts.

  D. The script is run on the machine uploading the script to ensure that it is operational.

  Correct Answer: B

  Explanation: The correct answer is B, the level of risk is assigned to the script upon import. When you import a script to the Agent Script Library in Cortex XDR, you need to specify the level of risk associated with the script. The level of risk

  determines the permissions and restrictions for running the script on endpoints. The levels of risk are:

  Low: The script can be run on any endpoint without requiring approval from the Cortex XDR administrator. The script can also be used in remediation suggestions or automation actions.

  Medium: The script can be run on any endpoint, but requires approval from the Cortex XDR administrator. The script can also be used in remediation suggestions or automation actions.

  High: The script can only be run on isolated endpoints, and requires approval from the Cortex XDR administrator. The script cannot be used in remediation suggestions or automation actions.

  The other options are incorrect for the following reasons:

  A is incorrect because not any version of Python script can be run in Cortex XDR. The scripts must be written in Python 2.7, and must follow the guidelines and limitations described in the Cortex XDR documentation. For example, the scripts

  must not exceed 64 KB in size, must not use external libraries or modules, and must not contain malicious or harmful code.

  C is incorrect because not any script can be imported to Cortex XDR, including Visual Basic (VB) scripts. The scripts must be written in Python 2.7, and must follow the guidelines and limitations described in the Cortex XDR documentation.

  VB scripts are not supported by Cortex XDR, and will not run on the endpoints. D is incorrect because the script is not run on the machine uploading the script to ensure that it is operational. The script is only validated for syntax errors and

  size limitations when it is imported to the Agent Script Library. The script is not executed or tested on the machine uploading the script, and the script may still fail or cause errors when it is run on the endpoints.

  References:

  Agent Script Library

  Import a Script

  Run Scripts on an Endpoint

• Question 30:

  Which search methods is supported by File Search and Destroy?

  A. File Seek and Destroy

  B. File Search and Destroy

  C. File Seek and Repair

  D. File Search and Repair

  Correct Answer: B

  Explanation: File Search and Destroy is a feature of Cortex XDR that allows you to search for and remove malicious files from endpoints. You can use this feature to find files by their hash, full path, or partial path using regex parameters. You can then select the files from the search results and destroy them by hash or by path. When you destroy a file by hash, all the file instances on the endpoint are removed. File Search and Destroy is useful for quickly responding to threats and preventing further damage. References: Search and Destroy Malicious Files Cortex XDR Pro Administrator Guide