What types of actions can you execute with a Live Terminal session?
A. Manage Network configurations, Quarantine Files, Run PowerShell scripts
B. Manage Processes, Manage Files, Run Operating System Commands, Run Ruby Commands and Scripts
C. Apply patches, Reboot System, send notification for end user, Run Python Commands and Scripts
D. Manage Processes, Manage Files, Run Operating System Commands, Run Python Commands and Scripts
Correct Answer: D
Explanation: Live Terminal is a Cortex XDR feature that opens an interactive remote session to an endpoint from the Cortex XDR console. Within the session you can:
Manage Processes: view the processes running on the endpoint, including their CPU and memory usage, and terminate them.
Manage Files: browse the file system, delete or move files and folders, and upload files to or download files from the endpoint.
Run Operating System Commands: run commands in the operating system's native command-line interface, such as cmd.exe on Windows, bash on Linux, or zsh on macOS.
Run Python Commands and Scripts: run Python commands and scripts in the Python interpreter bundled with the Cortex XDR agent, which is the route for triage or automation tasks that go beyond single shell commands.
Because a Live Terminal session amounts to interactive remote code execution on the endpoint, access to it should be restricted to the roles that need it.
References: Initiate a Live Terminal Session; Manage Processes; Manage Files; Run Operating System Commands; Run Python Commands and Scripts
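As an added example (not code from this page or from Palo Alto Networks), the following Python script is the kind of triage task that the "Run Python Commands and Scripts" action is meant for: it walks a directory on the endpoint, hashes every regular file with SHA-256 and flags any digest found in an indicator list. It assumes only the Python standard library is available in the agent's interpreter; the indicator list and the sample files in demo() are constructed for the example and do not correspond to real malware.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Constructed indicator: the SHA-256 of a made-up payload, mapped to a label.
# Real triage would load hashes from the case notes or a threat-intel feed.
CONSTRUCTED_PAYLOAD = b"MZ this is the constructed dropper payload"
KNOWN_BAD_SHA256: Dict[str, str] = {
    hashlib.sha256(CONSTRUCTED_PAYLOAD).hexdigest(): "constructed-dropper",
}


@dataclass(frozen=True)
class Finding:
    path: str
    sha256: str
    label: str


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large files never sit whole in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, indicators: Dict[str, str]) -> List[Finding]:
    """Hash every regular file under root and return those whose digest is an indicator.

    Symlinks are skipped rather than followed, and files that cannot be read are
    skipped rather than aborting the scan: a triage script on a live host must
    keep going past the first permission error.
    """
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:  # PermissionError and FileNotFoundError included
                continue
            label = indicators.get(digest)
            if label is not None:
                findings.append(Finding(path=path, sha256=digest, label=label))
    return findings


def demo() -> List[Finding]:
    """Build a constructed directory with one matching and one benign file, then scan it."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    with open(os.path.join(root, "update.exe"), "wb") as fh:
        fh.write(CONSTRUCTED_PAYLOAD)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"nothing to see here")
    return scan_tree(root, KNOWN_BAD_SHA256)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_tree(target, KNOWN_BAD_SHA256) if target else demo()
    for f in results:
        print(f"{f.label}\t{f.sha256}\t{f.path}")
```

Run it with a directory argument (for example the user's Downloads folder or a dropped-file location taken from the alert) to scan that tree; with no argument it scans the constructed demo directory. Hashing in chunks and swallowing read errors are deliberate: a script run on a live, possibly compromised host should finish and report rather than die on the first large or locked file.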
Question 32:
Which of the following engines in Cortex XDR determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident?
A. Sensor Engine
B. Causality Analysis Engine
C. Log Stitching Engine
D. Causality Chain Engine
Correct Answer: B
Explanation: The Causality Analysis Engine determines the most relevant artifacts in each alert and aggregates all alerts related to the same event into one incident. It is one of the core analytic components of Cortex XDR: it works over data collected from endpoints, network sensors and cloud sources, uses behavioral analysis and machine learning to identify the root cause, the attack chain and the impact of each alert, and groups related alerts into incidents based on their temporal and logical relationships. This reduces alert noise and presents the analyst with a single attack story instead of a list of disconnected alerts. The other options:
A. Sensor Engine: Incorrect. This is not a component name used in the Cortex XDR documentation. The closest real component is the Cortex XDR agent itself, which collects endpoint data (processes, files, registry keys, network connections, user activity), enforces the endpoint security profiles and carries out prevention and response actions; it does not aggregate alerts into incidents.
C. Log Stitching Engine: Incorrect. Cortex XDR does stitch together logs from different sources (firewalls, proxies, endpoints and cloud services) so they can be correlated and queried as one data set, but that normalization step is not what groups alerts into incidents, and no engine by this name is documented.
D. Causality Chain Engine: Incorrect. This is not a valid name for any Cortex XDR engine. A causality chain is the output the Causality Analysis Engine produces, not an engine of its own.
In conclusion, the Causality Analysis Engine is the engine that determines the most relevant artifacts in each alert and aggregates related alerts into an incident, which is what lets Cortex XDR present a coherent detection and response view to analysts.
References: Cortex XDR Pro Admin Guide: Causality Analysis Engine; Cortex XDR Pro Admin Guide: View Incident Details
Question 33:
While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?
A. mark the incident as Unresolved
B. create a BIOC rule excluding this behavior
C. create an exception to prevent future false positives
D. mark the incident as Resolved -False Positive
Correct Answer: D
Explanation: When every alert in a Cortex XDR incident is covered by an exclusion, the console automatically marks the incident as Resolved - False Positive: the activity that triggered the alerts has been judged benign or legitimate, so the incident leaves the unresolved queue and the analyst can concentrate on true positives. The condition is all alerts; an incident that still contains one non-excluded alert stays open.
An exclusion is a rule that suppresses alerts matching chosen criteria (alert source, type, severity, description and similar attributes) from the console. It does not change the security policy and does not stop the alert from being generated; it only hides noise the analyst has decided is not relevant.
An exception, by contrast, overrides the endpoint security profile for a specific file or process identified by attributes such as hash, path, name or signer, so that legitimate software the agent has been blocking is allowed to run. Exceptions therefore address prevention false positives, not missed detections.
A BIOC rule raises an alert when endpoint activity matches a custom query describing a behavior of interest, and is the tool for detecting suspicious activity that the built-in Cortex XDR rules do not cover.
References: Palo Alto Networks Cortex XDR Documentation: Resolve an Incident; Alert Exclusions; Exceptions; BIOC Rules
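As an added illustration of the two behaviors discussed in Questions 32 and 33 (this is example code, not Cortex XDR's code and not its actual algorithm), the Python sketch below groups alerts that share a causality chain into one incident whose root artifact is the earliest process in the chain, then marks an incident Resolved - False Positive only when every one of its alerts matches an exclusion rule. The Alert fields, the causality_id field, the rule format and the sample alerts are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

SEVERITY_ORDER = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Alert:
    alert_id: str
    causality_id: str   # constructed field: alerts from one causality chain share it
    host: str
    process: str
    timestamp: datetime
    severity: str
    source: str
    name: str

@dataclass
class Incident:
    incident_id: str
    alerts: List[Alert] = field(default_factory=list)
    status: str = "New"

    @property
    def root_artifact(self) -> Alert:
        """The earliest alert in the chain stands in for the causality group owner."""
        return min(self.alerts, key=lambda a: a.timestamp)

    @property
    def severity(self) -> str:
        """Incident severity is the highest severity among its alerts."""
        return max((a.severity for a in self.alerts), key=SEVERITY_ORDER.__getitem__)

def group_into_incidents(alerts: List[Alert]) -> List[Incident]:
    """Put alerts that belong to the same causality chain into one incident."""
    by_chain: Dict[str, Incident] = {}
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        incident = by_chain.get(alert.causality_id)
        if incident is None:
            incident = Incident(incident_id=f"INC-{len(by_chain) + 1}")
            by_chain[alert.causality_id] = incident
        incident.alerts.append(alert)
    return list(by_chain.values())

@dataclass(frozen=True)
class ExclusionRule:
    """Constructed rule format: every field that is not None must match the alert."""
    source: Optional[str] = None
    name: Optional[str] = None
    host: Optional[str] = None
    process: Optional[str] = None

    def matches(self, alert: Alert) -> bool:
        pairs = ((self.source, alert.source), (self.name, alert.name),
                 (self.host, alert.host), (self.process, alert.process))
        return all(want is None or want == got for want, got in pairs)

def apply_exclusions(incidents: List[Incident], rules: List[ExclusionRule]) -> None:
    """Auto-resolve an incident as a false positive only when every alert is excluded.

    An incident with even one non-excluded alert keeps its status, so a partial
    exclusion never closes an incident that still has a live alert in it.
    """
    for incident in incidents:
        if incident.alerts and all(any(r.matches(a) for r in rules) for a in incident.alerts):
            incident.status = "Resolved - False Positive"

# Constructed sample data: two causality chains on two hosts.
SAMPLE_ALERTS = [
    Alert("a1", "chain-1", "ws01", "powershell.exe", datetime(2024, 1, 10, 9, 0, 0),
          "medium", "XDR Agent", "Suspicious PowerShell Command"),
    Alert("a2", "chain-1", "ws01", "rundll32.exe", datetime(2024, 1, 10, 9, 0, 5),
          "high", "XDR BIOC", "Unusual DLL Load"),
    Alert("a3", "chain-2", "build01", "backup.exe", datetime(2024, 1, 10, 9, 30, 0),
          "low", "XDR Agent", "Unsigned Binary Executed"),
    Alert("a4", "chain-2", "build01", "backup.exe", datetime(2024, 1, 10, 9, 30, 2),
          "low", "XDR BIOC", "Scheduled Task Created"),
]
SAMPLE_RULES = [
    ExclusionRule(host="build01", process="backup.exe"),              # known backup agent
    ExclusionRule(host="ws01", name="Suspicious PowerShell Command"),  # covers only a1
]

def demo() -> List[Incident]:
    incidents = group_into_incidents(SAMPLE_ALERTS)
    apply_exclusions(incidents, SAMPLE_RULES)
    return incidents

if __name__ == "__main__":
    for inc in demo():
        print(f"{inc.incident_id} {inc.severity:<8} {inc.status:<26} "
              f"root={inc.root_artifact.process} alerts={[a.alert_id for a in inc.alerts]}")
```

With the sample data, chain-2 on build01 collapses into one incident that is auto-resolved because both of its alerts match the backup-agent exclusion, while chain-1 on ws01 stays New: the second rule excludes only the PowerShell alert, and the rundll32.exe alert in the same chain is still live. That partial case is the one the question hinges on.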
Question 34:
A Linux endpoint with a Cortex XDR Pro per Endpoint license and Enhanced Endpoint Data enabled has reported malicious activity, resulting in the creation of a file that you wish to delete. Which action could you take to delete the file?
A. Manually remediate the problem on the endpoint in question.
B. Open X2go from the Cortex XDR console and delete the file via X2go.
C. Initiate Remediate Suggestions to automatically delete the file.
D. Open an NFS connection from the Cortex XDR console and delete the file.
Correct Answer: C
Explanation: The appropriate action is to initiate Remediation Suggestions from the Cortex XDR console. Remediation Suggestions are a Cortex XDR feature that recommends actions to undo the effects of malicious activity on an endpoint, derived from the forensic data the agent collected and the analysis Cortex XDR performed on it. You review the suggestions for the alert or incident in the console and choose which to apply; applying them can remove malicious files or processes, revert registry or system changes, and return the endpoint to its pre-infection state. The question's mention of a Pro per Endpoint license with Enhanced Endpoint Data matters, because the suggestions are built from that data.
The other options are incorrect for the following reasons:
A is incorrect because manually remediating the problem is neither the efficient nor the auditable route. It requires someone to reach the endpoint, authenticate with sufficient privileges (root, in this case), know the exact path and name of the file, and delete it, and it leaves no record in the Cortex XDR console of what was done.
B is incorrect because X2go is third-party remote desktop software for Linux. It is not integrated with Cortex XDR and cannot be opened from the console; using it would mean installing and exposing it on the endpoint, which widens the attack surface, and a deletion made through it would not be tracked by Cortex XDR.
D is incorrect because NFS is a network file-sharing protocol, not a Cortex XDR response mechanism. The console does not open NFS connections; exporting the endpoint's file system would require an NFS server on the endpoint and would depend on network availability, and again the deletion would be invisible to Cortex XDR.
References:
Remediation Suggestions
Apply Remediation Suggestions
Question 35:
Can you disable the ability to use the Live Terminal feature in Cortex XDR?
A. Yes, via the Cortex XDR console or with an installation switch.
B. No, a separate installer package without Live Terminal is required.
C. No, it is a required feature of the agent.
D. Yes, via Agent Settings Profile.
Correct Answer: D
Explanation: Live Terminal lets you open a remote session to an endpoint and run commands, upload and download files, and terminate processes. You disable it through the Agent Settings Profile, which defines how the Cortex XDR agent behaves on the endpoints the profile is assigned to; you can create different profiles for different groups of endpoints and assign them accordingly. To disable the feature, set Live Terminal to disabled in the profile (it sits with the profile's other response-action settings) and save, after which the agent on those endpoints refuses Live Terminal requests from the management console. No separate installer package or installation switch is involved, which rules out A and B, and the feature is not mandatory, which rules out C. Because Live Terminal amounts to interactive remote code execution on the endpoint, it is good practice to pair the profile setting with role-based permissions so that only the analysts who need the capability can start a session. References: Live Terminal: how to use the Live Terminal feature to investigate and respond to security events on endpoints. Agent Settings Profile: how to create and manage Agent Settings Profiles to define the behavior and functionality of the Cortex XDR agent on the endpoint.
Question 36:
What are two purposes of "Respond to Malicious Causality Chains" in a Cortex XDR Windows Malware profile? (Choose two.)
A. Automatically close the connections involved in malicious traffic.
B. Automatically kill the processes involved in malicious activity.
C. Automatically terminate the threads involved in malicious activity.
D. Automatically block the IP addresses involved in malicious traffic.
Correct Answer: BD
Explanation: "Respond to Malicious Causality Chains" in a Cortex XDR Windows Malware profile lets the agent act automatically against the network connections and processes involved in malicious activity on the endpoint. The setting has two modes, Block IP Address and Kill Process, and those are the two purposes asked for:
Automatically kill the processes involved in malicious activity, which stops the chain before it spreads or does further damage.
Automatically block the IP addresses involved in malicious traffic, which cuts the malware off from its command-and-control server or other malicious hosts.
Closing individual connections (A) and terminating individual threads (C) are not actions this setting performs: it acts at the granularity of a process and of a remote IP address, not of a single connection or thread.
References:
Cortex XDR Agent Security Profiles
Cortex XDR Agent 7.5 Release Notes
PCDRA: What are purposes of "Respond to Malicious Causality Chains" in ...
Question 37:
What does the following output tell us?
A. There is one low severity incident.
B. Host shpapy_win10 had the most vulnerabilities.
C. There is one informational severity alert.
D. This is an actual output of the Top 10 hosts with the most malware.
Correct Answer: D
Explanation: The output referenced by the question is not reproduced on this page. It is the Cortex XDR dashboard widget that ranks the top 10 hosts by the number of malware detections over the selected period (the last 30 days in the original), with the host with the most detections at the top, which is why D is the correct description. A host-by-malware-count widget shows neither incident or alert severities nor vulnerability counts, so A, B and C describe things that are not in the output. Cortex XDR dashboards are assembled from widgets of this kind, which the administrator arranges to surface the hosts, users, alerts and incidents that matter most. References: Top 10 Hosts with the Most Malware
Question 38:
Phishing belongs to which of the following MITRE ATT&CK tactics?
A. Initial Access, Persistence
B. Persistence, Command and Control
C. Reconnaissance, Persistence
D. Reconnaissance, Initial Access
Correct Answer: D
Explanation: Phishing appears under two MITRE ATT&CK tactics, Reconnaissance and Initial Access. Reconnaissance covers gathering information about a target before launching an attack; Phishing for Information (T1598) is a Reconnaissance technique in which phishing messages are used to elicit information, such as credentials or internal details, that can be used during targeting. Initial Access covers gaining a first foothold in a network or system; Phishing (T1566) is an Initial Access technique in which the message carries a malicious attachment or link intended to get code running on the victim's system, with sub-techniques for spearphishing attachments, links and messages sent via third-party services. Which tactic applies depends on the objective and content of the phishing message. References: Phishing, Technique T1566 - Enterprise | MITRE ATT&CK; Phishing for Information, Technique T1598 - Enterprise | MITRE ATT&CK; Phishing for information, Part 2: Tactics and techniques; Phishing and the MITRE ATT&CK Framework - EnterpriseTalk; Initial Access, Tactic TA0001 - Enterprise | MITRE ATT&CK
Question 39:
What action is taken by the Managed Threat Hunting team for zero-day exploits?
A. MTH researches for threats in the tenant and generates a report with the findings.
B. MTH researches for threats in the logs and reports to engineering.
C. MTH runs queries and investigative actions and no further action is taken.
D. MTH pushes content updates to prevent against the zero-day exploits.
Correct Answer: A
Explanation: The Managed Threat Hunting (MTH) team is a group of security experts who proactively hunt for threats in the customer's Cortex XDR tenant and generate a report with their findings. The team uses advanced queries and investigative actions to identify and analyze potential threats, such as zero-day exploits, that may have bypassed the prevention and detection capabilities of Cortex XDR, and provides recommendations and best practices to help the customer remediate the threats and improve its security posture. Producing the report for the customer is the deliverable, which is why A is correct: the team does not merely query and stop (C), does not report to engineering instead of the customer (B), and does not push content updates (D). References: Managed Threat Hunting Service; Managed Threat Hunting Report
Question 40:
Which built-in dashboard would be the best option for an executive, if they were looking for the Mean Time to Resolution (MTTR) metric?
A. Security Manager Dashboard
B. Data Ingestion Dashboard
C. Security Admin Dashboard
D. Incident Management Dashboard
Correct Answer: D
Explanation: The Incident Management Dashboard provides a high-level overview of the incident response process, including the Mean Time to Resolution (MTTR) metric. This metric measures the average time it takes to resolve an incident from the moment it is created to the moment it is closed. The dashboard also shows the number of incidents by status, severity, and assigned analyst, as well as the top alerts by category, source, and destination. The Incident Management Dashboard is designed for executives and managers who want to monitor the performance and efficiency of their security teams. References: [PCDRA Study Guide], page 18.