Palo Alto Networks Palo Alto Networks Certifications PCDRA Questions & Answers

• Question 71:

  You can star security events in which two ways? (Choose two.)

  A. Create an alert-starring configuration.

  B. Create an Incident-starring configuration.

  C. Manually star an alert.

  D. Manually star an Incident.

  Correct Answer: CD

  Explanation: You can star security events in Cortex XDR in two ways: manually star an alert or an incident, or create an alert-starring or incident-starring configuration. Starring security events helps you prioritize and track the events that are most important to you. You can also filter and sort the events by their star status in the Cortex XDR console. To manually star an alert or an incident, you can use the star icon in the Alerts table or the Incidents table. You can also star an alert from the Causality View or the Query Center Results table. You can star an incident from the Incident View or the Query Center Results table. You can also unstar an event by clicking the star icon again. To create an alert-starring or incident-starring configuration, you can use the Alert Starring Configuration or the Incident Starring Configuration pages in the Cortex XDR console. You can define the criteria for starring alerts or incidents based on their severity, category, source, or other attributes. You can also enable or disable the configurations as needed. References: Star Security Events Create an Alert Starring Configuration Create an Incident Starring Configuration

• Question 72:

  In Cortex XDR management console scheduled reports can be forwarded to which of the following applications/services?

  A. Salesforce

  B. Jira

  C. Service Now

  D. Slack

  Correct Answer: D

  Explanation: Cortex XDR allows you to schedule reports and forward them to Slack, a cloud-based collaboration platform. You can configure the Slack channel, frequency, and recipients of the scheduled reports. You can also view the report

  history and status in the Cortex XDR management console. References:

  Scheduled Queries: This document explains how to create, edit, and manage scheduled queries and reports in Cortex XDR.

  Forward Scheduled Reports to Slack: This document provides the steps to configure Slack integration and forward scheduled reports to a Slack channel.

• Question 73:

  What is the outcome of creating and implementing an alert exclusion?

  A. The Cortex XDR agent will allow the process that was blocked to run on the endpoint.

  B. The Cortex XDR console will hide those alerts.

  C. The Cortex XDR agent will not create an alert for this event in the future.

  D. The Cortex XDR console will delete those alerts and block ingestion of them in the future.

  Correct Answer: B

  Explanation: The outcome of creating and implementing an alert exclusion is that the Cortex XDR console will hide those alerts that match the exclusion criteria. An alert exclusion is a policy that allows you to filter out alerts that are not relevant, false positives, or low priority, and focus on the alerts that require your attention. When you create an alert exclusion, you can specify the criteria that define which alerts you want to exclude, such as alert name, severity, source, or endpoint. After you create an alert exclusion, Cortex XDR will hide any future alerts that match the criteria, and exclude them from incidents and search query results. However, the alert exclusion does not affect the behavior of the Cortex XDR agent or the security policy on the endpoint. The Cortex XDR agent will still create an alert for the event and apply the appropriate action, such as blocking or quarantining, according to the security policy. The alert exclusion only affects the visibility of the alert on the Cortex XDR console, not the actual protection of the endpoint. Therefore, the correct answer is B, the Cortex XDR console will hide those alerts12 References: Alert Exclusions Create an Alert Exclusion Policy

• Question 74:

  Which statement is true based on the following Agent Auto Upgrade widget?

  

  A. There are a total of 689 Up To Date agents.

  B. Agent Auto Upgrade was enabled but not on all endpoints.

  C. Agent Auto Upgrade has not been enabled.

  D. There are more agents in Pending status than In Progress status.

  Correct Answer: B

  Explanation: The Agent Auto Upgrade widget shows the status of the agent auto upgrade feature on the endpoints. The widget displays the number of agents that are up to date, in progress, pending, failed, and not configured. In this case,

  the widget shows that there are 450 agents that are up to date, 78 in progress, 15 pending, 18 failed, and 128 not configured. This means that the agent auto upgrade feature was enabled but not on all endpoints. References:

  Cortex XDR Agent Auto Upgrade

  PCDRA Study Guide

• Question 75:

  Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?

  A. Find the Malware profile attached to the endpoint, Under Portable Executable and DLL Examination add the hash to the allow list.

  B. From the rules menu select new exception, fill out the criteria, choose the scope to apply it to, hit save.

  C. Find the exceptions profile attached to the endpoint, under process exceptions select local analysis, paste the hash and save.

  D. In the Action Center, choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.

  Correct Answer: D

  Explanation: To add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint, you need to use the Action Center in Cortex XDR. The Action Center allows you to create and manage actions that apply to endpoints, such as adding files or processes to the allow list or block list, isolating or unisolating endpoints, or initiating live terminal sessions. To add a file hash to the allow list, you need to choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it. This will prevent the Malware profile from scanning or blocking the file on the endpoints that match the scope of the action. References: Cortex XDR 3: Responding to Attacks1, Action Center2

• Question 76:

  Which of the following represents a common sequence of cyber-attack tactics?

  A. Actions on the objective » Reconnaissance »Weaponizationand Delivery » Exploitation » Installation » Command and Control

  B. Installation >> Reconnaissance »Weaponizationand Delivery » Exploitation » Command and Control » Actions on the objective

  C. Reconnaissance »Weaponizationand Delivery » Exploitation » Installation » Command and Control » Actions on the objective

  D. Reconnaissance >> Installation »Weaponizationand Delivery » Exploitation » Command and Control » Actions on the objective

  Correct Answer: C

  Explanation: A common sequence of cyber-attack tactics is based on the Cyber Kill Chain model, which describes the stages of a cyber intrusion from the perspective of the attacker. The Cyber Kill Chain model consists of seven phases:

  reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective.

  These phases are briefly explained below:

  Reconnaissance: The attacker gathers information about the target, such as its network, systems, vulnerabilities, employees, and business operations. The attacker may use various methods, such as scanning, phishing, or searching open

  sources, to collect data that can help them plan the attack. Weaponization: The attacker creates or obtains a malicious payload, such as malware, exploit, or script, that can be used to compromise the target. The attacker may also embed the

  payload into a delivery mechanism, such as an email attachment, a web link, or a removable media.

  Delivery: The attacker sends or delivers the weaponized payload to the target, either directly or indirectly. The attacker may use various channels, such as email, web, or physical access, to reach the target's network or system. Exploitation:

  The attacker exploits a vulnerability or weakness in the target's network or system to execute the payload. The vulnerability may be technical, such as a software flaw, or human, such as a social engineering trick. Installation: The attacker

  installs or drops additional malware or tools on the target's network or system to establish a foothold and maintain persistence. The attacker may use various techniques, such as registry modification, file manipulation, or process injection, to

  hide their presence and evade detection. Command and Control: The attacker establishes a communication channel between the compromised target and a remote server or controller. The attacker may use various protocols, such as HTTP,

  DNS, or IRC, to send commands and receive data from the target.

  Actions on the objective: The attacker performs the final actions that achieve their goal, such as stealing data, destroying files, encrypting systems, or disrupting services. The attacker may also try to move laterally within the target's network

  or system to access more resources or data.

  References:

  Cyber Kill Chain: This document explains the Cyber Kill Chain model and how it can be used to analyze and respond to cyberattacks. Cyber Attack Tactics: This document provides an overview of some common cyber attack tactics and

  examples of how they are used by threat actors.

• Question 77:

  Live Terminal uses which type of protocol to communicate with the agent on the endpoint?

  A. NetBIOS over TCP

  B. WebSocket

  C. UDP and a random port

  D. TCP, over port 80

  Correct Answer: B

  Explanation: Live Terminal uses the WebSocket protocol to communicate with the agent on the endpoint. WebSocket is a full-duplex communication protocol that enables bidirectional data exchange between a client and a server over a single TCP connection. WebSocket is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. WebSocket provides a persistent connection between the Cortex XDR console and the endpoint, allowing you to execute commands and receive responses in real time. Live Terminal uses port 443 for WebSocket communication, which is the same port used for HTTPS traffic. References: Initiate a Live Terminal Session WebSocket

• Question 78:

  Which of the following Live Terminal options are available for Android systems?

  A. Live Terminal is not supported.

  B. Stop an app.

  C. Run APK scripts.

  D. Run Android commands.

  Correct Answer: D

  Explanation: Cortex XDR supports Live Terminal for Android systems, which allows you to remotely access and manage Android endpoints using a command-line interface. You can use Live Terminal to run Android commands, such as adb shell, adb logcat, adb install, and adb uninstall. You can also use Live Terminal to view and modify files, directories, and permissions on the Android endpoints. Live Terminal for Android systems does not support stopping an app or running APK scripts. References: Cortex XDR documentation portal Initiate a Live Terminal Session Live Terminal Commands

• Question 79:

  Where can SHA256 hash values be used in Cortex XDR Malware Protection Profiles?

  A. in the macOS Malware Protection Profile to indicate allowed signers

  B. in the Linux Malware Protection Profile to indicate allowed Java libraries

  C. SHA256 hashes cannot be used in Cortex XDR Malware Protection Profiles

  D. in the Windows Malware Protection Profile to indicate allowed executables

  Correct Answer: D

  Explanation: Cortex XDR Malware Protection Profiles allow you to configure the malware prevention settings for Windows, Linux, and macOS endpoints. You can use SHA256 hash values in the Windows Malware Protection Profile to indicate allowed executables that you want to exclude from malware scanning. This can help you reduce false positives and improve performance by skipping the scanning of known benign files. You can add up to 1000 SHA256 hash values per profile. You cannot use SHA256 hash values in the Linux or macOS Malware Protection Profiles, but you can use other criteria such as file path, file name, or signer to exclude files from scanning. References: Malware Protection Profiles Configure a Windows Malware Protection Profile PCDRA Study Guide

• Question 80:

  What kind of the threat typically encrypts user files?

  A. ransomware

  B. SQL injection attacks

  C. Zero-day exploits

  D. supply-chain attacks

  Correct Answer: A

  Explanation: Ransomware is a type of malicious software, or malware, that encrypts user files and prevents them from accessing their data until they pay a ransom. Ransomware can affect individual users, businesses, and organizations of all kinds. Ransomware attacks can cause costly disruptions, data loss, and reputational damage. Ransomware can spread through various methods, such as phishing emails, malicious attachments, compromised websites, or network vulnerabilities. Some ransomware variants can also self-propagate and infect other devices or networks. Ransomware authors typically demand payment in cryptocurrency or other untraceable methods, and may threaten to delete or expose the encrypted data if the ransom is not paid within a certain time frame. However, paying the ransom does not guarantee that the files will be decrypted or that the attackers will not target the victim again. Therefore, the best way to protect against ransomware is to prevent infection in the first place, and to have a backup of the data in case of an attack123456 References: What is Ransomware? | How to Protect Against Ransomware in 2023 Ransomware - Wikipedia What is ransomware? | Ransomware meaning | Cloudflare What Is Ransomware? | Ransomware.org Ransomware -- FBI