Palo Alto Networks Palo Alto Networks Certifications PCDRA Questions & Answers

• Question 81:

  A file is identified as malware by the Local Analysis module whereas WildFire verdict is Benign, Assuming WildFire is accurate. Which statement is correct for the incident?

  A. It is true positive.

  B. It is false positive.

  C. It is a false negative.

  D. It is true negative.

  Correct Answer: B

  Explanation: A false positive is a situation where a file or activity is incorrectly identified as malicious by a security tool, when in fact it is benign or harmless. A false positive can cause unnecessary alerts, disruptions, or remediation actions, and reduce the confidence and efficiency of the security system. In this question, a file is identified as malware by the Local Analysis module, whereas WildFire verdict is Benign, assuming WildFire is accurate. This means that the Local Analysis module has made a mistake and flagged a legitimate file as malicious, while WildFire has correctly determined that the file is safe. Therefore, this is an example of a false positive. The Local Analysis module is a feature of the Cortex XDR agent that uses a static set of pattern-matching rules and a statistical model to determine if an unknown file is likely to be malware. The Local Analysis module can provide a fast and offline verdict for files that are not yet analyzed by WildFire, but it is not as accurate or comprehensive as WildFire, which uses dynamic analysis and machine learning to examine the behavior and characteristics of files in a sandbox environment. WildFire verdicts are considered more reliable and authoritative than Local Analysis verdicts, and can override them in case of a discrepancy. Therefore, if a file is identified as malware by the Local Analysis module, but as Benign by WildFire, the WildFire verdict should be trusted and the Local Analysis verdict should be disregarded123 References: False positive (security) - Wikipedia Local Analysis WildFire Overview

• Question 82:

  Which statement is true for Application Exploits and Kernel Exploits?

  A. The ultimate goal of any exploit is to reach the application.

  B. Kernel exploits are easier to prevent then application exploits.

  C. The ultimate goal of any exploit is to reach the kernel.

  D. Application exploits leverage kernel vulnerability.

  Correct Answer: C

  Explanation: The ultimate goal of any exploit is to reach the kernel, which is the core component of the operating system that has the highest level of privileges and access to the hardware resources. Application exploits are attacks that target vulnerabilities in specific applications, such as web browsers, email clients, or office suites. Kernel exploits are attacks that target vulnerabilities in the kernel itself, such as memory corruption, privilege escalation, or code execution. Kernel exploits are more difficult to prevent and detect than application exploits, because they can bypass security mechanisms and hide their presence from the user and the system. References: Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA) Study Guide, page 8 Palo Alto Networks Cortex XDR Documentation, Exploit Protection Overview

• Question 83:

  When viewing the incident directly, what is the "assigned to" field value of a new Incident that was just reported to Cortex?

  A. Pending

  B. It is blank

  C. Unassigned

  D. New

  Correct Answer: C

  Explanation: The "assigned to" field value of a new incident that was just reported to Cortex is "Unassigned". This means that the incident has not been assigned to any analyst or group yet, and it is waiting for someone to take ownership of it. The "assigned to" field is one of the default fields that are displayed in the incident layout, and it can be used to filter and sort incidents in the incident list. The "assigned to" field can be changed manually by an analyst, or automatically by a playbook or a rule12. Let's briefly discuss the other options to provide a comprehensive explanation:

  A. Pending: This is not the correct answer. Pending is not a valid value for the "assigned to" field. Pending is a possible value for the "status" field, which indicates the current state of the incident. The status field can have values such as

  "New", "Active", "Done", "Closed", or "Pending"3.

  B. It is blank: This is not the correct answer. The "assigned to" field is never blank for any incident. It always has a default value of "Unassigned" for new incidents, unless a playbook or a rule assigns it to a specific analyst or group12. D. New:

  This is not the correct answer. New is not a valid value for the "assigned to" field. New is a possible value for the "status" field, which indicates the current state of the incident. The status field can have values such as "New", "Active", "Done",

  "Closed", or "Pending"3.

  In conclusion, the "assigned to" field value of a new incident that was just reported to Cortex is "Unassigned". This field can be used to manage the ownership and responsibility of incidents, and it can be changed manually or automatically.

  References:

  Cortex XDR Pro Admin Guide: Manage Incidents

  Cortex XDR Pro Admin Guide: Assign Incidents

  Cortex XDR Pro Admin Guide: Update Incident Status

• Question 84:

  As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in Phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?

  A. Enable DLL Protection on all endpoints but there might be some false positives.

  B. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.

  C. No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.

  D. No step is required because the malicious document is already stopped.

  Correct Answer: B

  Explanation: The correct answer is B, create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity. BTP rules are a powerful feature of Cortex XDR that allow you to define custom rules to detect and block malicious behaviors on endpoints. You can use BTP rules to create indicators of compromise (IOCs) based on file attributes, registry keys, processes, network connections, and other criteria. By creating BTP rules, you can prevent the same malicious Word document from being opened by other users in your organization, even if the document has a different name or hash value. BTP rules are updated through content updates and can be managed from the Cortex XDR console. The other options are incorrect for the following reasons: A is incorrect because enabling DLL Protection on all endpoints is not a specific or effective way to prevent the malicious Word document. DLL Protection is a feature of Cortex XDR that prevents the loading of unsigned or untrusted DLLs by protected processes. However, this feature does not apply to Word documents or macros, and may cause false positives or compatibility issues with legitimate applications. C is incorrect because relying on Cortex to share IOCs with the Cyber Threat Alliance members is not a proactive or sufficient way to prevent the malicious Word document. The Cyber Threat Alliance is a group of cybersecurity vendors that share threat intelligence and best practices to improve their products and services. However, not all vendors are members of the alliance, and not all IOCs are shared or updated in a timely manner. Therefore, you cannot assume that other users in your organization are protected by the same IOCs as Cortex XDR. D is incorrect because doing nothing is not a responsible or secure way to prevent the malicious Word document. Even though Cortex XDR agent prevented the attempt to open the document on one endpoint, it does not mean that the document is no longer a threat. The document may still be circulating in your network or email system, and may be opened by other users who have different agent profiles or policies. Therefore, you should take steps to identify and block the document across your organization. References: Cortex XDR Agent Administrator Guide: Behavioral Threat Protection Cortex XDR Agent Administrator Guide: DLL Protection Palo Alto Networks: Cyber Threat Alliance

• Question 85:

  Which Exploit Prevention Module (EPM) provides better entropy for randomization of memory locations?

  A. Memory Limit Heap spray check

  B. UASLR

  C. JIT Mitigation

  D. DLL Security

  Correct Answer: B

  Explanation: UASLR stands for User Address Space Layout Randomization, which is a feature of Exploit Prevention Module (EPM) that provides better entropy for randomization of memory locations. UASLR adds entropy to the base address of the executable image and the heap, making it harder for attackers to predict the memory layout of a process. UASLR is enabled by default for all processes, but can be disabled or customized for specific applications using the EPM policy settings. References: Exploit Prevention Module (EPM) entropy randomization memory locations Exploit protection reference

• Question 86:

  Which minimum Cortex XDR agent version is required for Kubernetes Cluster?

  A. Cortex XDR 6.1

  B. Cortex XDR 7.4

  C. Cortex XDR 7.5

  D. Cortex XDR 5.0

  Correct Answer: C

  Explanation: The minimum Cortex XDR agent version required for Kubernetes Cluster is Cortex XDR 7.5. This version introduces the Cortex XDR agent for Kubernetes hosts, which provides protection and visibility for Linux hosts that run on Kubernetes clusters. The Cortex XDR agent for Kubernetes hosts supports the following features: Anti-malware protection Behavioral threat protection Exploit protection File integrity monitoring Network security Audit and remediation Live terminal To install the Cortex XDR agent for Kubernetes hosts, you need to deploy the Cortex XDR agent as a DaemonSet on your Kubernetes cluster. You also need to configure the agent settings profile and the agent installer in the Cortex XDR management console. References: Cortex XDR Agent Release Notes: This document provides the release notes for Cortex XDR agent versions, including the new features, enhancements, and resolved issues. Install the Cortex XDR Agent for Kubernetes Hosts: This document explains how to install and configure the Cortex XDR agent for Kubernetes hosts using the Cortex XDR management console and the Kubernetes command-line tool.

• Question 87:

  Which of the following best defines the Windows Registry as used by the Cortex XDR agent?

  A. a hierarchical database that stores settings for the operating system and for applications

  B. a system of files used by the operating system to commit memory that exceeds the available hardware resources. Also known as the "swap"

  C. a central system, available via the internet, for registering officially licensed versions of software to prove ownership

  D. a ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system

  Correct Answer: A

  Explanation: The Windows Registry is a hierarchical database that stores settings for the operating system and for applications that run on Windows. The registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems. The registry is organized into five main sections, called hives, each of which contains keys, subkeys, and values. The Cortex XDR agent uses the registry to store its configuration, status, and logs, as well as to monitor and control the endpoint's security features. The Cortex XDR agent also allows you to run scripts that can read, write, or delete registry keys and values on the endpoint. References : Windows Registry - Wikipedia Registry Operations

• Question 88:

  The Cortex XDR console has triggered an incident, blocking a vitally important piece of software in your organization that is known to be benign. Which of the following options would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization?

  A. Create an individual alert exclusion.

  B. Create a global inclusion.

  C. Create an endpoint-specific exception.

  D. Create a global exception.

  Correct Answer: D

  Explanation: A global exception is a rule that allows you to exclude specific files, processes, or behaviors from being blocked or detected by Cortex XDR. A global exception applies to all endpoints in your organization that are protected by

  Cortex XDR. Creating a global exception for a vitally important piece of software that is known to be benign would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization.

  To create a global exception, you need to follow these steps:

  In the Cortex XDR management console, go to Policy Management > Exceptions and click Add Exception.

  Select the Global Exception option and click Next. Enter a name and description for the exception and click Next. Select the type of exception you want to create, such as file, process, or behavior, and click Next.

  Specify the criteria for the exception, such as file name, hash, path, process name, command line, or behavior name, and click Next.

  Review the summary of the exception and click Finish.

  References:

  Create Global Exceptions: This document explains how to create global exceptions to exclude specific files, processes, or behaviors from being blocked or detected by Cortex XDR.

  Exceptions Overview: This document provides an overview of exceptions and how they can be used to fine-tune the Cortex XDR security policy.

• Question 89:

  If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?

  A. Broker VM Pathfinder

  B. Local Agent Proxy

  C. Local Agent Installer and Content Caching

  D. Broker VM Syslog Collector

  Correct Answer: B

  Explanation: If you have an isolated network that is prevented from connecting to the Cortex Data Lake, you can use the Local Agent Proxy setup to facilitate the communication. The Local Agent Proxy is a type of Broker VM that acts as a proxy server for the Cortex XDR agents that are deployed on the isolated network. The Local Agent Proxy enables the Cortex XDR agents to communicate securely with the Cortex Data Lake and the Cortex XDR management console over the internet, without requiring direct access to the internet from the isolated network. The Local Agent Proxy also allows the Cortex XDR agents to download installation packages and content updates from the Cortex XDR management console. To use the Local Agent Proxy setup, you need to deploy a Broker VM on the isolated network and configure it as a Local Agent Proxy. You also need to deploy another Broker VM on a network that has internet access and configure it as a Remote Agent Proxy. The Remote Agent Proxy acts as a relay between the Local Agent Proxy and the Cortex Data Lake. You also need to install a strong cipher SHA256-based SSL certificate on both the Local Agent Proxy and the Remote Agent Proxy to ensure secure communication. You can read more about the Local Agent Proxy setup and how to configure it here1 and here2. References: Local Agent Proxy Configure the Local Agent Proxy Setup

• Question 90:

  What is by far the most common tactic used by ransomware to shut down a victim's operation?

  A. preventing the victim from being able to access APIs to cripple infrastructure

  B. denying traffic out of the victims network until payment is received

  C. restricting access to administrative accounts to the victim

  D. encrypting certain files to prevent access by the victim

  Correct Answer: D

  Explanation: Ransomware is a type of malicious software, or malware, that encrypts certain files or data on the victim's system or network and prevents them from accessing their data until they pay a ransom. This is by far the most common tactic used by ransomware to shut down a victim's operation, as it can cause costly disruptions, data loss, and reputational damage. Ransomware can affect individual users, businesses, and organizations of all kinds. Ransomware can spread through various methods, such as phishing emails, malicious attachments, compromised websites, or network vulnerabilities. Some ransomware variants can also self-propagate and infect other devices or networks. Ransomware authors typically demand payment in cryptocurrency or other untraceable methods, and may threaten to delete or expose the encrypted data if the ransom is not paid within a certain time frame. However, paying the ransom does not guarantee that the files will be decrypted or that the attackers will not target the victim again. Therefore, the best way to protect against ransomware is to prevent infection in the first place, and to have a backup of the data in case of an attack1234 References: What is Ransomware? | How to Protect Against Ransomware in 2023 Ransomware - Wikipedia What is ransomware? | Ransomware meaning | Cloudflare [What Is Ransomware? | Ransomware.org] [Ransomware -- FBI]