Cortex XDR Analytics can alert when detecting activity matching the following MITRE ATTandCKTM techniques.
A. Exfiltration, Command and Control, Collection
B. Exfiltration, Command and Control, Privilege Escalation
C. Exfiltration, Command and Control, Impact
D. Exfiltration, Command and Control, Lateral Movement
Correct Answer: D
Explanation: Cortex XDR Analytics is a feature of Cortex XDR that leverages machine learning and behavioral analytics to detect and alert on malicious activity across the network and endpoint layers. Cortex XDR Analytics can alert when detecting activity matching the following MITRE ATTandCKTM techniques: Exfiltration, Command and Control, Lateral Movement, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, and Collection. However, among the options given in the question, the correct answer is D, Exfiltration, Command and Control, Lateral Movement. These are three of the most critical techniques that indicate an advanced and persistent threat (APT) in the environment. Exfiltration refers to the technique of transferring data or information from the compromised system or network to an external location controlled by the adversary. Command and Control refers to the technique of communicating with the compromised system or network to provide instructions, receive data, or update malware. Lateral Movement refers to the technique of moving from one system or network to another within the same environment, usually to gain access to more resources or data. Cortex XDR Analytics can alert on these techniques by analyzing various data sources, such as network traffic, firewall logs, endpoint events, and threat intelligence, and applying behavioral models, anomaly detection, and correlation rules. Cortex XDR Analytics can also map the alerts to the corresponding MITRE ATTandCKTM techniques and provide additional context and visibility into the attack chain1234 References: Cortex XDR Analytics MITRE ATTandCKTM Cortex XDR Analytics MITRE ATTandCKTM Techniques Cortex XDR Analytics Alert Categories
Question 52:
What should you do to automatically convert leads into alerts after investigating a lead?
A. Lead threats can't be prevented in the future because they already exist in the environment.
B. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
C. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
D. Build a search query using Query Builder or XQL using a list of lOCs.
Correct Answer: B
Explanation: To automatically convert leads into alerts after investigating a lead, you should create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting. IOC rules are used to detect known threats based on indicators of compromise (IOCs) such as file hashes, IP addresses, domain names, etc. By creating IOC rules from the leads, you can prevent future occurrences of the same threats and generate alerts for them. References: PCDRA Study Guide, page 25 Cortex XDR 3: Handling Cortex XDR Alerts, section 3.2 Cortex XDR Documentation, section "Create IOC Rules"
Question 53:
In incident-related widgets, how would you filter the display to only show incidents that were "starred"?
A. Create a custom XQL widget
B. This is not currently supported
C. Create a custom report and filter on starred incidents
D. Click the star in the widget
Correct Answer: D
Explanation: To filter the display to only show incidents that were "starred", you need to click the star in the widget. This will apply a filter that shows only the incidents that contain a starred alert, which is an alert that matches a specific condition that you define in the incident starring configuration. You can use the incident starring feature to prioritize and focus on the most important or relevant incidents in your environment1. Let's briefly discuss the other options to provide a comprehensive explanation:
A. Create a custom XQL widget: This is not the correct answer. Creating a custom XQL widget is not necessary to filter the display to only show starred incidents. A custom XQL widget is a widget that you create by using the XQL query language to define the data source and the visualization type. You can use custom XQL widgets to create your own dashboards or reports, but they are not required for filtering incidents by stars2. B. This is not currently supported: This is not the correct answer. Filtering the display to only show starred incidents is currently supported by Cortex XDR. You can use the star icon in the widget to apply this filter, or you can use the Filter Builder to create a custom filter based on the Starred field1.
C. Create a custom report and filter on starred incidents: This is not the correct answer. Creating a custom report and filtering on starred incidents is not the only way to filter the display to only show starred incidents. A custom report is a report that you create by using the Report Builder to define the data source, the layout, and the schedule. You can use custom reports to generate and share periodic reports on your Cortex XDR data, but they are not the only option for filtering incidents by stars3. In conclusion, clicking the star in the widget is the simplest and easiest way to filter the display to only show incidents that were "starred". By using this feature, you can quickly identify and focus on the most critical or relevant incidents in your environment. References: Filter Incidents by Stars Create a Custom XQL Widget Create a Custom Report
Question 54:
Which function describes the removal of a specific file from its location on a local or removable drive to a protected folder to prevent the file from being executed?
A. Search and destroy
B. Isolation
C. Quarantine
D. Flag for removal
Correct Answer: C
Explanation: The function that describes the removal of a specific file from its location on a local or removable drive to a protected folder to prevent the file from being executed is quarantine. Quarantine is a feature of Cortex XDR that allows you to isolate malicious or suspicious files from the endpoint and prevent them from running or spreading. You can quarantine files manually from the Cortex XDR console, or automatically based on the malware analysis profile or the remediation suggestions. When you quarantine a file, the Cortex XDR agent encrypts the file and moves it to a hidden folder under the agent installation directory. The file is also renamed with a random string and a .quarantine extension. You can view, restore, or delete the quarantined files from the Cortex XDR console. References: Quarantine Files Manage Quarantined Files
Question 55:
Why would one threaten to encrypt a hypervisor or, potentially, a multiple number of virtual machines running on a server?
A. To extort a payment from a victim or potentially embarrass the owners.
B. To gain notoriety and potentially a consulting position.
C. To better understand the underlying virtual infrastructure.
D. To potentially perform a Distributed Denial of Attack.
Correct Answer: A
Explanation: Encrypting a hypervisor or a multiple number of virtual machines running on a server is a form of ransomware attack, which is a type of cyberattack that involves locking or encrypting the victim's data or system and demanding a ransom for its release. The attacker may threaten to encrypt the hypervisor or the virtual machines to extort a payment from the victim or potentially embarrass the owners by exposing their sensitive or confidential information. Encrypting a hypervisor or a multiple number of virtual machines can have a severe impact on the victim's business operations, as it can affect the availability, integrity, and confidentiality of their data and applications. The attacker may also use the encryption as a leverage to negotiate a higher ransom or to coerce the victim into complying with their demands. References: Encrypt an Existing Virtual Machine or Virtual Disk: This document explains how to encrypt an existing virtual machine or virtual disk using the vSphere Client. How to Encrypt an Existing or New Virtual Machine: This article provides a guide on how to encrypt an existing or new virtual machine using AOMEI Backupper. Ransomware: This document provides an overview of ransomware, its types, impacts, and prevention methods.
Question 56:
What functionality of the Broker VM would you use to ingest third-party firewall logs to the Cortex Data Lake?
A. Netflow Collector
B. Syslog Collector
C. DB Collector
D. Pathfinder
Correct Answer: B
Explanation: The Broker VM is a virtual machine that acts as a data broker between third- party data sources and the Cortex Data Lake. It can ingest different types of data, such as syslog, netflow, database, and pathfinder. The Syslog Collector functionality of the Broker VM allows it to receive syslog messages from third-party devices, such as firewalls, routers, switches, and servers, and forward them to the Cortex Data Lake. The Syslog Collector can be configured to filter, parse, and enrich the syslog messages before sending them to the Cortex Data Lake. The Syslog Collector can also be used to ingest logs from third-party firewall vendors, such as Cisco, Fortinet, and Check Point, to the Cortex Data Lake. This enables Cortex XDR to analyze the firewall logs and provide visibility and threat detection across the network perimeter. References: Cortex XDR Data Broker VM Syslog Collector Supported Third-Party Firewall Vendors
Question 57:
When investigating security events, which feature in Cortex XDR is useful for reverting the changes on the endpoint?
A. Remediation Automation
B. Machine Remediation
C. Automatic Remediation
D. Remediation Suggestions
Correct Answer: D
Explanation: When investigating security events, the feature in Cortex XDR that is useful for reverting the changes on the endpoint is Remediation Suggestions. Remediation Suggestions are a feature of Cortex XDR that provide you with recommended actions to undo the effects of malicious activity on your endpoints. You can view the remediation suggestions for each alert or incident in the Cortex XDR console, and decide whether to apply them or not. Remediation Suggestions can help you restore the endpoint to its original state, remove malicious files or processes, or fix registry or system settings. Remediation Suggestions are based on the forensic data collected by the Cortex XDR agent and the analysis performed by Cortex XDR. References: Remediation Suggestions Apply Remediation Suggestions
Question 58:
Cortex XDR is deployed in the enterprise and you notice a cobalt strike attack via an ongoing supply chain compromise was prevented on 1 server. What steps can you take to ensure the same protection is extended to all your servers?
A. Conduct a thorough Endpoint Malware scan.
B. Enable DLL Protection on all servers but there might be some false positives.
C. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.
D. Create lOCs of the malicious files you have found to prevent their execution.
Correct Answer: D
Explanation: The best step to ensure the same protection is extended to all your servers is to create indicators of compromise (IOCs) of the malicious files you have found to prevent their execution. IOCs are pieces of information that indicate a potential threat or compromise on an endpoint, such as file hashes, IP addresses, domain names, or registry keys. You can create IOCs in Cortex XDR to block or alert on any file or network activity that matches the IOCs. By creating IOCs of the malicious files involved in the cobalt strike attack, you can prevent them from running or spreading on any of your servers. The other options are not the best steps for the following reasons: A is not the best step because conducting a thorough Endpoint Malware scan may not detect or prevent the cobalt strike attack if the malicious files are obfuscated, encrypted, or hidden. Endpoint Malware scan is a feature of Cortex XDR that allows you to scan endpoints for known malware and quarantine any malicious files found. However, Endpoint Malware scan may not be effective against unknown or advanced threats that use evasion techniques to avoid detection. B is not the best step because enabling DLL Protection on all servers may cause some false positives and disrupt legitimate applications. DLL Protection is a feature of Cortex XDR that allows you to block or alert on any DLL loading activity that matches certain criteria, such as unsigned DLLs, DLLs loaded from network locations, or DLLs loaded by specific processes. However, DLL Protection may also block or alert on benign DLL loading activity that is part of normal system or application operations, resulting in false positives and performance issues. C is not the best step because enabling Behavioral Threat Protection (BTP) with cytool may not prevent the attack from spreading if the malicious files are already on the endpoints or if the attack uses other methods to evade detection. Behavioral Threat Protection is a feature of Cortex XDR that allows you to block or alert on any endpoint behavior that matches certain patterns, such as ransomware, credential theft, or lateral movement. Cytool is a command-line tool that allows you to configure and manage the Cortex XDR agent on the endpoint. However, Behavioral Threat Protection may not prevent the attack from spreading if the malicious files are already on the endpoints or if the attack uses other methods to evade detection, such as encryption, obfuscation, or proxy servers. References: Create IOCs Scan an Endpoint for Malware DLL Protection Behavioral Threat Protection Cytool for Windows
Question 59:
What motivation do ransomware attackers have for returning access to systems once their victims have paid?
A. There is organized crime governance among attackers that requires the return of access to remain in good standing. B. Nation-states enforce the return of system access through the use of laws and regulation.
B. Failure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.
C. The ransomware attackers hope to trace the financial trail back and steal more from traditional banking institutions.
Correct Answer: C
Explanation: Ransomware attackers have a motivation to return access to systems once their victims have paid because they want to maintain their reputation and credibility. If they fail to restore access to systems, they risk losing the trust of future victims who may not believe that paying the ransom will result in getting their data back. This would reduce the effectiveness and profitability of their scheme. Therefore, ransomware attackers have an incentive to honor their promises and decrypt the data after receiving the ransom. References: What is the motivation behind ransomware? | Foresite As Ransomware Attackers' Motives Change, So Should Your Defense - Forbes
Question 60:
What is the standard installation disk space recommended to install a Broker VM?
A. 1GB disk space
B. 2GB disk space
C. 512GB disk space
D. 256GB disk space
Correct Answer: D
Explanation: The Broker VM for Cortex XDR is a virtual machine that serves as the central communication hub for all Cortex XDR agents deployed in your organization. It enables agents to communicate with the Cortex XDR cloud service and allows you to manage and monitor the agents' activities from a centralized location. The system requirements for the Broker VM are as follows: CPU: 4 cores RAM: 8 GB Disk space: 256 GB Network: Internet access and connectivity to all Cortex XDR agents The disk space requirement is based on the number of agents and the frequency of content updates. The Broker VM stores the content updates locally and distributes them to the agents. The disk spacealso depends on the retention period of the content updates, which can be configured in the Broker VM settings. The default retention period is 30 days. References: Broker VM for Cortex XDR PCDRA Study Guide
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only Palo Alto Networks exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your PCDRA exam preparations and Palo Alto Networks certification application, do not hesitate to visit our Vcedump.com to find your solutions here.