Palo Alto PCDRA Study Guide and Beacon Questions


In which folder on the endpoint are the agent-configuration files located?
  %PROGRAMDATA%\Cyvera\LocalSystem
  %PROGRAMDATA%\CortexXDR\LocalSystem
  %PROGRAMDATA%\Traps\LocalSystem
  %PROGRAMDATA%\Palo Alto Networks\LocalSystem

%PROGRAMDATA%\Cyvera\LocalSystem

In which profile type can you configure Endpoint Scanning?
  Agent Settings
  Exploit
  Malware
  Restrictions

.

What are the two major groupings of types of behavioral threat detection methods? (Choose two.)
  alert-based
  rule-based
  incident-based
  baseline-based
  file-based

.

What are two ways to access raw log information from Cortex XDR? (Choose two.)
  Use the Query Builder.
  Download the raw logs via FTP.
  Receive a daily digest of raw logs from the Data Lake.
  Use XQL.

.

What defines a Causality Group Owner (CGO)?
  the root cause of the root process of a Causality Instance
  the Administrator in charge of a specific Causality Group
  the most recent process in a Causality Instance
  the Security Analyst assigned ownership over a Causality Instance

.

What do you use to reduce noise caused by unwanted alerts?
  an alert exception
  an alert exclusion
  an alert mitigation
  an alert starring

.

Where in the management console is the configuration for Cortex XDR Pro endpoints?
  > Settings > Agent Configuration
  Cortex XDR License
  Agents Settings Profile
  Malware Profile

.

Which Cytool command prints the list of processes where the Cortex XDR agent injects EPMs?
  cytool dump
  cytool enum
  cytool show
  cytool view

.

Which XDR component provides a rule-based behavioral threat detection method?
  the Analytics Engine
  the Management Console
  the Causality Analysis Engine
  the Broker VM
  the Cytool management tool

.

Which action can you use to expand any given incident by connecting other incidents with it?
  join incidents
  merge incidents
  combine incidents
  unify incidents

.

Which data source could provide useful insights into malicious lateral movements within a network protected by Cortex XDR?
  Cortex XDR Agent Endpoint Data
  Windows EC logs
  Palo Alto Networks FW Traffic logs
  GlobalProtect and Prisma Access logs

.

Which malware protection module is effective in the post-execution cycle?
  Local Analysis
  WildFire
  Behavioral Threat Protection
  Child Process Protection

.

Which malware protection module uses a machine learning technique to detect malware?
  Restrictions
  Child Process Protection
  Local Analysis
  Custom Prevention Rules

.

Which three profile types are provided in the Cortex XDR management console? (Choose three.)
  Exceptions
  Exploit
  Forensic
  Restrictions
  Settings

.

Which two attributes are common to all alerts in Cortex XDR? (Choose two.)
  timestamp
  severity
  source IP address
  destination IP address

.

Which two options are available for the command "cytool document all"? (Choose two.)
  list
  print
  show
  view

.

Which type of defense is successful against fileless-attack techniques?
  signature-based lookups
  behavioral threat analysis
  file allow-listing
  static-dynamic analysis

.

Which action updates the lists that Palo Alto Networks firewalls use?
  Live Terminal
  Block Subnet
  Isolate Network
  Add to EDL

Add to EDL

What does the "expired" status mean when it is seen next to an action?
  The action was successfully completed only on some endpoints.
  An action timed out before an endpoint started to run it.
  The action was cancelled before it could complete.
  The action was taken more than 30 days ago.

An action timed out before an endpoint started to run it.

Which Cortex XDR feature mediates the traffic between third-party log senders and Cortex XDR instances?
  a. Broker VM
  b. Cortex Data Lake
  c. PathFinder
  d. Pro endpoint agent

a. Broker VM

Which three attributes belong to alerts? (Choose three.)
  CGO name
  Starred
  Assigned to
  Action
  Status

CGO name; Starred; Action

Which two actions can you perform on an incident? (Choose two.)
  Change severity
  Archive incidents
  Delete incident
  Star incident

Change severity; Star incident

How can a user create a support file?
  Run the command "cytool support_file create".
  Click the link in the agent console.
  Navigate to the support page for Cortex XDR from the Palo Alto Networks homepage.
  Call or text the XDR support hotline.

Click the link in the agent console.

Which license type supports the Script execution?
  a. Cortex XDR Host Insights
  b. Cortex XDR Prevent
  c. Cortex XDR Pro per Endpoint
  d. Cortex XDR Pro per TB

c. Cortex XDR Pro per Endpoint

What does ED stand for in EDL?
  Embedded Driver
  Enhanced Data
  Extended Detection
  External Dynamic

External Dynamic

Which three capabilities can be disabled from the Disable Capabilities menu? (Choose three.)
  Add to block list
  File Retrieval
  Isolate Endpoint
  Script Execution
  Live Terminal

File Retrieval; Script Execution; Live Terminal

Which two views are available in the management console to investigate threats? (Choose two.)
  Network View
  Hash View
  Malware View
  IP View

Hash View; IP View

What two components make up the External Dynamic List (EDL)? (Choose two.)
  file hashes
  IP addresses
  domain names
  virus signatures

IP addresses; domain names

From which two GUI locations can you initiate the action Remediation Suggestions? (Choose two.)
  Incident View > Actions
  shortcut menu of an alert
  shortcut of a process node
  the Action Center

Incident View > Actions; shortcut of a process node

What does the lower part of the right pane in the investigation views display?
  Incidents
  Artifacts
  Alerts
  Assets

Incidents

Alert types with which two severity levels are shown in the Timeline view but not in the Causality view? (Choose two.)
  High
  Informational
  Low
  Medium

Informational; Low

Which two steps are valid in the DIReC troubleshooting approach? (Choose two.)
  Isolate
  Define
  Verify
  Quantify

Isolate; Define

What does a process node in red in the causality graph indicate?
  It has high-severity alerts.
  It is a CGO.
  It is malware.
  It has stopped.

It is malware.

The Disable Capabilities action disables which two features? (Choose two.)
  Live Terminal
  Isolate
  Script Execution
  Agent Upgrade

Live Terminal; Script Execution

Which two analysis methods are among the Cortex XDR agent's multi-method malware prevention features? (Choose two.)
  a. Dynamic Sandbox Analysis
  b. Heuristic Analysis
  c. Local Analysis
  d. WildFire Analysis

c. Local Analysis; d. WildFire Analysis

Which action opens an alert in the causality view?
  Analyze
  Investigate
  Open Card
  Remediate

Open Card

Which two actions can you perform on an alert? (Choose two.)
  Assign to investigator
  Open card in same tab
  Retrieve related files
  Change status

Open card in same tab; Retrieve related files

Which two actions are available in the shortcut menu of a process node in the causality view? (Choose two.)
  Pivot to Query Builder
  Open in VirusTotal
  Open WildFire Report
  Expand Tree

Open in VirusTotal; Expand Tree

When an endpoint is isolated from the network, which functionality remains?
  The Cortex XDR agent has fully isolated the endpoint and it cannot be reached over the network at all.
  The endpoint can still reach the external internet.
  The Cortex XDR agent can still connect to the Cortex XDR instance.
  The endpoint can still receive operating system updates.

The Cortex XDR agent can still connect to the Cortex XDR instance.

How is the list of Spawners updated?
  You download updates from the CSP site.
  You download updates from threat intelligence services.
  Updates arrive through content updates.
  Updates arrive through product upgrades.

Updates arrive through content updates.

Which two entity types can be displayed in the Key assets section of the Artifacts and Key Assets pane of an incident's details page? (Choose two.)
  Username
  IP address
  Endpoint name
  File name
  Process name

Username; Endpoint name

Which of the following actions can the "viewer" role initiate?
  Add an item to a "block list."
  Initiate "Live Terminal."
  Force the "Isolate Endpoint" command.
  View available information.

View available information.

Which protocol does Cortex XDR use to open live connections between the instance and the agents?
  HTML5 and Node.js
  HTML5 with AJAX
  HTTP 2.0
  WebSocket

WebSocket

Which infrastructure is provided as a regional shared cloud service?
  a. Cortex Data Lake
  b. Directory Sync Service
  c. Log Forwarding
  d. WildFire

d. WildFire

What is one benefit of running a script in "Interactive Mode," compared to running it through the "Run Endpoint Script" action?
  You can run multiple scripts at the same time.
  You can run scripts as administrator.
  You can interrupt scripts in the middle of their deployment.
  You can save the results of the script to the Data Lake.

You can run multiple scripts at the same time.

What are the Exceptions in the Cortex XDR management console?
  a group of settings in > Settings > General
  a group of settings in Agent Settings Profile
  a policy type
  a profile type

a policy type

What is a spawner in the context of Cortex XDR?
  an exploit
  a file
  a malware
  a process

a process

Which of the following are required for the one-time activation of a Cortex XDR instance?
  a. a serial number
  b. a hardware security key fob
  c. a dedicated server
  d. Cortex XDR Express License

a. a serial number

Which of the following statements about ransomware are correct? (Choose two.)
  a. Can encrypt files and demand money in order to restore them.
  b. Focuses on weaker connections in an organization's supply chain.
  c. Has the potential to harm an organization's reputation.
  d. Act of sending fraudulent communications that appear to be from a reputable source.

a. Can encrypt files and demand money in order to restore them.; c. Has the potential to harm an organization's reputation.

If a false positive alert or a crash in a specific application occurs due to incompatibility with the XDR agent, which step could be taken to resolve the issue with the least impact?
  a. Disable Child Process Protection on a specific process
  b. Include a Network Packet Inspection Engine Exception
  c. Disable all local analysis rules
  d. Disable all Behavioral IOC rules

a. Disable Child Process Protection on a specific process

You notice that a hardware device is damaged and important data files have been completely erased from the system. What kind of threat appears to be present here?
  a. Interruption
  b. Interception
  c. Fabrication
  d. Modification

a. Interruption

Which two Cortex XDR license types support endpoint management? (Choose two.)
  a. Pro per Endpoint
  b. Professional Protection
  c. Prevent
  d. Pro per TB

a. Pro per Endpoint; c. Prevent

Which two options can be opened under Endpoints > Endpoint Management in the Cortex XDR management console? (Choose two.)
  a. endpoint groups
  b. policy management
  c. device controls
  d. agent installations

a. endpoint groups; d. agent installations

Which two options show the types of data that Cortex XDR log stitching correlates? (Choose two.)
  alerts
  logs
  uptime indicators
  SQL entries

alerts; logs

How does an attacker prefer to carry out supply chain attacks?
  a. By targeting an organization directly through phishing or exploitation of vulnerabilities.
  b. By targeting employees (software developers) of the target organization.
  c. By targeting items that aren't written to disk.
  d. By targeting organization's upper management directly.

b. By targeting employees (software developers) of the target organization.

Which of the following statements does not describe an attack?
  a. An attacker has a motive and plans the attack accordingly.
  b. Chance to damage or information alteration varies from low to very high.
  c. Cannot be prevented by controlling the vulnerabilities.
  d. It is always malicious.

b. Chance to damage or information alteration varies from low to very high.

Which MITRE ATT&CK tactic is being used if the adversary is attempting to communicate with compromised systems to control them?
  a. Exfiltration
  b. Command and Control
  c. Execution
  d. Persistence
  e. Lateral Movement

b. Command and Control

Which two mandatory infrastructure services does Cortex XDR depend on? (Choose two.)
  a. Directory Sync Service
  b. Cortex Data Lake
  c. WildFire
  d. Broker VM

b. Cortex Data Lake; c. WildFire

From where do you control authorizations of a Cortex XDR instance?
  a. Customer Support Portal
  b. Cortex XDR Gateway
  c. Cloud Services Portal
  d. the hub

b. Cortex XDR Gateway

Which two options are extensions to harden endpoint security by reducing the attack surface? (Choose two.)
  a. Host Insights
  b. Device Control
  c. Host Firewall
  d. Asset Control

b. Device Control; c. Host Firewall

When disabling only Exploitation Prevention Modules (EPMs) with a process exception, what option would a user select?
  a. Anti-Malware Protection
  b. Disable Injection
  c. APC Guard
  d. Enable Injection

b. Disable Injection

Which three prevention profile types are available in the Cortex XDR management console? (Choose three.)
  a. Analytics
  b. Exceptions
  c. Extensions
  d. Restrictions
  e. Exploit

b. Exceptions; d. Restrictions; e. Exploit

Which two roles are common to all Cortex applications? (Choose two.)
  a. Security Administrator
  b. Instance Administrator
  c. Deployment Administrator
  d. Account Administrator

b. Instance Administrator; d. Account Administrator

Which two menus are available in the top menu bar of the Cortex XDR management console? (Choose two.)
  a. Policies
  b. Investigation
  c. Dashboards
  d. Alerts
  e. Assets

b. Investigation; e. Assets

Which option is a valid exception type in the Cortex XDR management console?
  a. Administrator
  b. Process
  c. Trusted Signer
  d. Hash

b. Process

Which of the following comes under exploit protection? (Choose two.)
  a. Ransomware protection
  b. Reconnaissance protection
  c. Kernel protection
  d. Behavioral Threat Protection

b. Reconnaissance protection; c. Kernel protection

The term "TCP/IP" stands for ____?
  a. Transmission Contribution Protocol/Internet Protocol
  b. Transmission Control Protocol/Internet Protocol
  c. Transaction Control Protocol/Internet Protocol
  d. Transmission Control Prevention/Internet Protocol

b. Transmission Control Protocol/Internet Protocol

Which option is a method or tool that applies in the Delivery phase of the cyberattack lifecycle?
  a. shell access
  b. USB
  c. root kit
  d. port scan

b. USB

Which two components or apps can assign a verdict to a file? (Choose two.)
  a. Behavioral Threat Protection
  b. WildFire
  c. Local Analysis
  d. AutoFocus

b. WildFire; c. Local Analysis

Which three malware-protection modules can move a malicious executable file to the quarantine folder? (Choose three.)
  a. Execution Restrictions
  b. WildFire
  c. Local Analysis
  d. Hash Exceptions
  e. Path Allow List

b. WildFire; c. Local Analysis; d. Hash Exceptions

In the Cortex XDR management console, in Action Center, you can take which two actions? (Choose two.)
  a. block list file
  b. isolate endpoint
  c. run endpoint script
  d. install agent

b. isolate endpoint; c. run endpoint script

Which two options are required when configuring a policy rule in the Cortex XDR management console? (Choose two.)
  a. action names
  b. profile names
  c. data types
  d. targeted endpoints

b. profile names; d. targeted endpoints

Which exploitation technique is based on finding small useful chunks of code, known as gadgets, in the shared libraries of the operating system?
  a. NOP sled
  b. return-oriented programming
  c. heap spray
  d. Data Execution Prevention Circumvention

b. return-oriented programming

Which technique can detect fileless attacks?
  continuous malware scanning
  behavioral threat analysis
  heuristic analysis
  dynamic analysis

behavioral threat analysis

How are the effects of an action cancelled?
  by taking its reverse actions from the shortcut menu of the already performed action
  by clicking the "cancel action" option from the dropdown menu
  by clicking the "x" icon in the corner of the on-going action item
  by removing the action from the action queue

by taking its reverse actions from the shortcut menu of the already performed action

Which section in the Exploit profile prevents attacks that use exploit kits?
  a. Operating System Exploit Protection
  b. Known Vulnerable Processes Protection
  c. Browser Exploits Protection
  d. Logical Exploits Protection

c. Browser Exploits Protection

Which of the following is not considered malware?
  a. Virus
  b. Worms
  c. Cookies
  d. Spyware
  e. Trojans

c. Cookies

Which EPM prevents exploits from using OS functions?
  a. UASLR
  b. ROP Mitigation
  c. DLL Security
  d. JIT Mitigation

c. DLL Security

Which MITRE ATT&CK tactic is being used if the adversary is trying to run malicious code?
  a. Exfiltration
  b. Command and Control
  c. Execution
  d. Persistence
  e. Lateral Movement

c. Execution

Which of the following is a piece of software or a command that takes advantage of a bug in order to trigger undesired actions and behaviors?
  a. Malware
  b. Trojan
  c. Exploit
  d. Worms

c. Exploit

Which of the following is a ransomware example? (Choose two.)
  a. Malvertising
  b. Trojan Horse
  c. Petya
  d. Locky

c. Petya; d. Locky

Which profile prevents attempts to exploit system flaws or obtain unauthorized access to systems?
  a. Antivirus profiles
  b. Anti-Spyware profiles
  c. Vulnerability protection profiles
  d. URL filtering profiles

c. Vulnerability protection profiles

What outlines the attack region?
  causality group owner
  causality instance
  Final Spawner
  Spawner

causality instance

At what phase in the malware protection flow does the Cortex XDR agent observe the file's behavior and apply additional malware protection rules?
  a. Evaluation of Child Process Protection Policy
  b. Evaluation of the Restriction Policy
  c. Hash Verdict Determination
  d. Evaluation of Malware Security Policy

d. Evaluation of Malware Security Policy

Which Cortex XDR protection module limits the attack surface by defining where and how users can run files?
  a. Trusted Signers
  b. Local Analysis
  c. Path Allow List
  d. Execution Restrictions

d. Execution Restrictions

Which of the following attacks is associated with this statement? 'The attacker identifies and targets software developers who are actively working on the project.'
  a. Eavesdropping attack
  b. Ransomware
  c. Phishing attack
  d. Supply chain attack

d. Supply chain attack

Which type of analysis methods does the Cortex XDR agent provide locally on the endpoint?
  a. heuristic
  b. sandboxing
  c. dynamic
  d. behavioral

d. behavioral

What does the Analytics Engine use to organize its behavioral analytics activities?
  signatures
  detectors
  SHA256 hashes
  threat intelligence reports

detectors

What is the first phase of the multi-stage attacks WannaCry and Petya?
  reflective DLL loading
  implanting DoublePulsar into the SMB table
  exploit in HAL memory
  injecting user shellcode into lsass.exe

exploit in HAL memory

Which is one use of the "Live Terminal" action?
  run applications from the desktop of the endpoint
  shut down or restart the endpoint
  mirror the screen of the endpoint and move its mouse via RDP
  investigate and manage processes, such as terminating, suspending, or resuming processes

investigate and manage processes, such as terminating, suspending, or resuming processes

What does the number inside a process node indicate?
  number of files opened
  number of injections
  number of threads
  number of child processes

number of child processes

Which two fields are required during activation of a Cortex XDR instance? (Choose two.)
  a. IP address range
  b. region
  c. subdomain
  d. username

b. region; c. subdomain

Which of the following are used to create behavioral threat detections?
  signature-based detection
  rules-based occurrences
  file-based detection techniques
  SHA256 hash-based lookups

rules-based occurrences

In what two ways can scripts be run on endpoints? (Choose two.)
  run from the Action Center
  automatically run in response to an alert
  run in interactive mode
  run by right-clicking on an alert

run from the Action Center; run in interactive mode

Which two Cytool commands are valid? (Choose two.)
  connect
  runtime
  fileinfo
  wildfire

runtime; fileinfo

Where are scripts executed from?
  the Action Center
  a Prisma Cloud storage area designed specifically for scripts
  the Data Lake
  the Broker VM

the Action Center

In which two places can a user add malicious IP addresses and domains to the EDL from the XDR management console? (Choose two.)
  the Action Center
  the Quick Launcher dialog box after searching for an IP address
  an NGFW alert
  the incident console
  the Cortex XDR Agent

the Action Center; the incident console

What is the most reliable source for documentation on Cortex XDR?
  the Cytool command "documentation all"
  the Cortex XDR Administrator's Guide
  YouTube videos
  internet forums

the Cortex XDR Administrator's Guide

What does the "cytool runtime stop" command require?
  an argument detailing how long to stop the service for before restarting
  the supervisor password
  a SHA256 file hash
  a process ID (PID) that will be stopped

the supervisor password

How can you open the "Go To" mode in the Quick Launcher?
  type a forward slash
  click the Go To mode icon
  use the keyboard shortcut Ctrl+Shift+X
  open the Quick Launcher by pressing the Shift key

type a forward slash

