Palo Alto PCDRA Study Guide and Beacon Questions
In which folder on the endpoint are the agent-configuration files located? %PROGRAMDATA%\Cyvera\LocalSystem %PROGRAMDATA%\CortexXDR\LocalSystem %PROGRAMDATA%\Traps\LocalSystem %PROGRAMDATA%\Palo Alto Networks\LocalSystem
%PROGRAMDATA%\Cyvera\LocalSystem
In which profile type can you configure Endpoint Scanning? Agent Settings Exploit Malware Restrictions
.
What are the two major groupings of types of behavioral threat detection methods? (Choose two.) alert-based rule-based incident-based baseline-based file-based
.
What are two ways to access raw log information from Cortex XDR? (Choose two.) Use the Query Builder. Download the raw logs via FTP. Receive a daily digest of raw logs from the Data Lake. Use XQL.
.
What defines a Causality Group Owner (CGO)? the root cause of the root process of a Causality Instance the Administrator in charge of a specific Causality Group the most recent process in a Causality Instance the Security Analyst assigned ownership over a Causality Instance
.
What do you use to reduce noise caused by unwanted alerts? an alert exception an alert exclusion an alert mitigation an alert starring
.
Where in the management console is the configuration for Cortex XDR Pro endpoints? > Settings > Agent Configuration Cortex XDR License Agents Settings Profile Malware Profile
.
Which Cytool command prints the list of processes where the Cortex XDR agent injects EPMs? cytool dump cytool enum cytool show cytool view
.
Which XDR component provides a rule-based behavioral threat detection method? the Analytics Engine the Management Console the Causality Analysis Engine the Broker VM the Cytool management tool
.
Which action can you use to expand any given incident by connecting other incidents with it? join incidents merge incidents combine incidents unify incidents
.
Which data source could provide useful insights into malicious lateral movements within a network protected by Cortex XDR? Cortex XDR Agent Endpoint Data Windows EC logs Palo Alto Networks FW Traffic logs GlobalProtect and Prisma Access logs
.
Which malware protection module is effective in the post-execution cycle? Local Analysis WildFire Behavioral Threat Protection Child Process Protection
.
Which malware protection module uses a machine learning technique to detect malware? Restrictions Child Process Protection Local Analysis Custom Prevention Rules
.
Which three profile types are provided in the Cortex XDR management console? (Choose three.) Exceptions Exploit Forensic Restrictions Settings
.
Which two attributes are common to all alerts in Cortex XDR? (Choose two.) timestamp severity source IP address destination IP address
.
Which two options are available for the command "cytool document all"? (Choose two.) list print show view
.
Which type of defense is successful against fileless-attacks techniques? signature-based lookups behavioral threat analysis file allow-listing static-dynamic analysis
.
Which action updates the lists that Palo Alto Networks firewalls use? Live Terminal Block Subnet Isolate Network Add to EDL
Add to EDL
What does the "expired" status mean when it is seen next to an action? The action was successfully completed only on some endpoints. An action timed out before an endpoint started to run it. The action was cancelled before it could complete. The action was taken more than 30 days ago.
An action timed out before an endpoint started to run it.
Which Cortex XDR feature mediates the traffic between third-party log senders and Cortex XDR instances? a. Broker VM b. Cortex Data Lake c. PathFinder d. Pro endpoint agent
Broker VM
Which three attributes belong to alerts? (Choose three.) CGO name Starred Assigned to Action Status
CGO name Starred Action
Which two actions can you perform on an incident? (Choose two.) Change severity Archive incidents Delete incident Star incident
Change severity Star incident
How can a user create a support file? Run the command "cytool support_file create". Click the link in the agent console. Navigate to the support page for Cortex XDR from the Palo Alto Networks homepage. Call or text the XDR support hotline.
Click the link in the agent console.
Which license type supports the Script execution? a. Cortex XDR Host Insights b. Cortex XDR Prevent c. Cortex XDR Pro per Endpoint d. Cortex XDR Pro per TB
Cortex XDR Pro per Endpoint
What does ED stand for in EDL? Embedded Driver Enhanced Data Extended Detection External Dynamic
External Dynamic
Which three capabilities can be disabled from the Disable Capabilities menu? (Choose 3.) Add to block list File Retrieval Isolate Endpoint Script Execution Live Terminal
File Retrieval Script Execution Live Terminal
Which two views are available in the management console to investigate threats? (Choose two.) Network View Hash View Malware View IP View
Hash View IP View
What two components make up the External Dynamic List (EDL)? (Choose two.) file hashes IP addresses domain names virus signatures
IP addresses domain names
From which two GUI locations can you initiate the action Remediation Suggestions? (Choose two.) Incident View > Actions shortcut menu of an alert shortcut of a process node the Action Center
Incident View > Actions shortcut of a process node
What does the lower part of the right pane in the investigation views display? Incidents Artifacts Alerts Assets
Incidents
Alert types with which two severity levels are shown in the Timeline view but not in the Causality view? (Choose two.) High Informational Low Medium
Informational Low
Which two steps are valid in DIReC troubleshooting approach? (Choose two.) Isolate Define Verify Quantify
Isolate Define
What does a process node in red in the causality graph indicate? It has high-severity alerts. It is a CGO. It is malware. It has stopped.
It is malware.
The Disable Capabilities action disables which two features? (Choose two.) Live Terminal Isolate Script Execution Agent Upgrade
Live Terminal Script Execution
Which two analysis methods are among the Cortex XDR agent's multi-method malware prevention features? (Choose two.) a. Dynamic Sandbox Analysis b. Heuristic Analysis c. Local Analysis d. WildFire Analysis
Local Analysis WildFire Analysis
Which action opens an alert in the causality view? Analyze Investigate Open Card Remediate
Open Card
Which two actions can you perform on an alert? (Choose two.) Assign to investigator Open card in same tab Retrieve related files Change status
Open card in same tab Retrieve related files
Which two actions are available in the shortcut menu of a process node in the causality view? (Choose two.) Pivot to Query Builder Open in VirusTotal Open WildFire Report Expand Tree
Open in VirusTotal Expand Tree
When an endpoint is isolated from the network, which functionality remains? The Cortex XDR agent has fully isolated the endpoint and it cannot be reached over the network at all. The endpoint can still reach the external internet. The Cortex XDR agent can still connect to the Cortex XDR instance. The endpoint can still receive operating system updates.
The Cortex XDR agent can still connect to the Cortex XDR instance
How is the list of Spawners updated? You download updates from the CSP site. You download updates from threat intelligence services. Updates arrive through content updates. Updates arrive through product upgrades.
Updates arrive through content updates.
Which two entity types can be displayed in the Key assets section of the Artifacts and Key Assets pane of an incident's details page? (Choose two.) Username IP address Endpoint name File name Process name
Username Endpoint name
Which of the following actions can the "viewer" role initiate? Add an item to a "block list." Initiate "Live Terminal." Force the "Isolate Endpoint" command. View available information.
View available information.
Which protocol does Cortex XDR use to open live connections between the instance and the agents? HTML5 and Node.js HTML5 with AJAX HTTP 2.0 WebSocket
WebSocket
Which infrastructure is provided as a regional shared cloud service? a. Cortex Data Lake b. Directory Sync Service c. Log Forwarding d. WildFire
WildFire
What is one benefit of running a script in "Interactive Mode," compared to running it through the "Run Endpoint Script" action? You can run multiple scripts at the same time. You can run scripts as administrator. You can interrupt scripts in the middle of their deployment. You can save the results of the script to the Data Lake.
You can run multiple scripts at the same time.
What are the Exceptions in the Cortex XDR management console? a group of settings in > Settings > General a group of settings in Agent Settings Profile a policy type a profile type
a policy type
What is a spawner in the context of Cortex XDR? an exploit a file a malware a process
a process
Which of the following are required for the one-time activation of a Cortex XDR instance? a. a serial number b. a hardware security key fob c. a dedicated server d. Cortex XDR Express License
a serial number
Which of the following statements about ransomware is correct? (Choose two.) a. Can encrypt files and demand money in order to restore them. b. Focuses on weaker connections in an organization's supply chain. c. Has the potential to harm an organization's reputation. d. Act of sending fraudulent communications that appear to be from a reputable source.
a. Can encrypt files and demand money in order to restore them. c. Has the potential to harm an organization's reputation.
If either a false positive alert or crashing in a specific application due to incompatibility with the XDR Agent were to occur, which steps could be taken to resolve this issue with the least impact? a. Disable Child Process Protection on a specific process b. Include a Network Packet Inspection Engine Exception c. Disable all local analysis rules d. Disable all Behavioral IOC rules
a. Disable Child Process Protection on a specific process
You notice that a hardware device is damaged and important data files have been completely erased from the system. What kind of threat appears to be present here? a. Interruption b. Interception c. Fabrication d. Modification
a. Interruption
Which two Cortex XDR license types support endpoint management? (Choose two.) a. Pro per Endpoint b. Professional Protection c. Prevent d. Pro per TB
a. Pro per Endpoint c. Prevent
Which two options can be opened under Endpoints > Endpoint Management in the Cortex XDR management console? (Choose two.) a. endpoint groups b. policy management c. device controls d. agent installations
a. endpoint groups d. agent installations
Which two options show the types of data that Cortex XDR log stitching correlates? (Choose two.) alerts logs uptime indicators SQL entries
alerts logs
How does an attacker prefer to carry out supply chain attacks? a. By targeting an organization directly through phishing or exploitation of vulnerabilities. b. By targeting employees (software developers) of the target organization. c. By targeting items that aren't written to disk. d. By targeting organization's upper management directly.
b. By targeting employees (software developers) of the target organization.
Which of the following statements does not describe an attack? a. An attacker has a motive and plans the attack accordingly. b. Chance to damage or information alteration varies from low to very high. c. Cannot be prevented by controlling the vulnerabilities. d. It is always malicious.
b. Chance to damage or information alteration varies from low to very high.
Which MITRE ATT&CK tactic is being used if the adversary is attempting to communicate with compromised systems to control them? a. Exfiltration b. Command and Control c. Execution d. Persistence e. Lateral Movement
b. Command and Control
Which two mandatory infrastructure services does Cortex XDR depend on? (Choose two.) a. Directory Sync Service b. Cortex Data Lake c. WildFire d. Broker VM
b. Cortex Data Lake c. WildFire
From where do you control authorizations of a Cortex XDR instance? a. Customer Support Portal b. Cortex XDR Gateway c. Cloud Services Portal d. the hub
b. Cortex XDR Gateway
Which two options are extensions to harden endpoint security by reducing the attack surface? (Choose two.) a. Host Insights b. Device Control c. Host Firewall d. Asset Control
b. Device Control c. Host Firewall
When disabling only Exploitation Prevention Modules (EPMs) with a process exception, what option would a user select? a. Anti-Malware Protection b. Disable Injection c. APC Guard d. Enable Injection
b. Disable Injection
Which three prevention profile types are available in the Cortex XDR management console? (Choose three.) a. Analytics b. Exceptions c. Extensions d. Restrictions e. Exploit
b. Exceptions d. Restrictions e. Exploit
Which two roles are common to all Cortex applications? (Choose two.) a. Security Administrator b. Instance Administrator c. Deployment Administrator d. Account Administrator
b. Instance Administrator d. Account Administrator
Which two menus are available in the top menu bar of the Cortex XDR management console? (Choose two.) a. Policies b. Investigation c. Dashboards d. Alerts e. Assets
b. Investigation e. Assets
Which option is a valid exception type in the Cortex XDR management console? a. Administrator b. Process c. Trusted Signer d. Hash
b. Process
Which of the following comes under exploit protection? (Choose two.) a. Ransomware protection b. Reconnaissance protection c. Kernel protection d. Behavioral Threat Protection
b. Reconnaissance protection c. Kernel protection
The term "TCP/IP" stands for_____? a. Transmission Contribution protocol/ internet protocol b. Transmission Control Protocol/ internet protocol c. Transaction Control protocol/ internet protocol d. Transmission Control Prevention/ internet protocol
b. Transmission Control Protocol/ internet protocol
Which option is a method or tool that applies in the Delivery phase of the cyberattack lifecycle? a. shell access b. USB c. root kit d. port scan
b. USB
Which two components or apps can assign a verdict to a file? (Choose two.) a. Behavioral Threat Protection b. WildFire c. Local Analysis d. AutoFocus
b. WildFire c. Local Analysis
Which three malware-protection modules can move a malicious executable file to the quarantine folder? (Choose three.) a. Execution Restrictions b. WildFire c. Local Analysis d. Hash Exceptions e. Path Allow List
b. WildFire c. Local Analysis d. Hash Exceptions
In the Cortex XDR management console, in Action Center, you can take which two actions? (Choose two.) a. block list file b. isolate endpoint c. run endpoint script d. install agent
b. isolate endpoint c. run endpoint script
Which two options are required when configuring a policy rule in the Cortex XDR management console? (Choose two.) a. action names b. profile names c. data types d. targeted endpoints
b. profile names d. targeted endpoints
Which exploitation technique is based on finding small useful chunks of code, known as gadgets, in the shared libraries of the operating system? a. NOP sled b. return-oriented programming c. heap spray d. Data Execution Prevention Circumvention
b. return-oriented programming
Which technique can detect fileless attacks? continuous malware scanning behavioral threat analysis heuristic analysis dynamic analysis
behavioral threat analysis
How are the effects of an action cancelled? by taking its reverse actions from the shortcut menu of the already performed action by clicking the "cancel action" option from the dropdown menu by clicking the "x" icon in the corner of the on-going action item by removing the action from the action queue
by taking its reverse actions from the shortcut menu of the already performed action
Which section in the Exploit profile prevents attacks that use exploit kits? a. Operating System Exploit Protection b. Known Vulnerable Processes Protection c. Browser Exploits Protection d. Logical Exploits Protection
c. Browser Exploits Protection
Which of the following is not considered malware? a. Virus b. Worms c. Cookies d. Spyware e. Trojans
c. Cookies
Which EPM prevents exploits from using OS functions? a. UASLR b. ROP Mitigation c. DLL Security d. JIT Mitigation
c. DLL Security
Which MITRE ATT&CK tactic is being used if the adversary is trying to run malicious code? a. Exfiltration b. Command and Control c. Execution d. Persistence e. Lateral Movement
c. Execution
Which of the following is a piece of software or a command that takes advantage of a bug in order to trigger undesired actions and behaviors? a. Malware b. Trojan c. Exploit d. Worms
c. Exploit
Which of the following is a ransomware example? (Choose two.) a. Malvertising b. Trojan Horse c. Petya d. Locky
c. Petya d. Locky
Which profiles prevents attempts to exploit system flaws or obtain unauthorized access to systems? a. Antivirus profiles b. Anti-Spyware profiles c. Vulnerability protection profiles d. URL filtering profiles
c. Vulnerability protection profiles
What outlines the attack region? causality group owner causality instance Final Spawner Spawner
causality instance
At what phase in the malware protection flow does the Cortex XDR agent observe the file's behavior and apply additional malware protection rules? a. Evaluation of Child Process Protection Policy b. Evaluation of the Restriction Policy c. Hash Verdict Determination d. Evaluation of Malware Security Policy
d. Evaluation of Malware Security Policy
Which Cortex XDR protection module limits the attack surface by defining where and how users can run files? a. Trusted Signers b. Local Analysis c. Path Allow List d. Execution Restrictions
d. Execution Restrictions
In the following statement, which of the following attacks is associated? 'The attacker identifies and targets software developers who are actively working on the project.' a. Eavesdropping attack b. Ransomware c. Phishing attack d. Supply chain attack
d. Supply chain attack
Which type of analysis methods does the Cortex XDR agent provide locally on the endpoint? a. heuristic b. sandboxing c. dynamic d. behavioral
d. behavioral
What does the Analytics Engine use to organize its behavioral analytics activities? signatures detectors SHA256 hashes threat intelligence reports
detectors
What is the first phase of the multi-stage attacks WannaCry and Petya? reflective DLL loading implanting DoublePulsar into the SMB table exploit in HAL memory injecting user shellcode into lsass.exe
exploit in HAL memory
Which is one use of the "Live Terminal" action? run applications from the desktop of the endpoint shutdown or restart the endpoint mirror the screen of the endpoint and move it's mouse via RDP investigate and manage processes, such as performing terminate, suspend, or resume processes
investigate and manage processes, such as performing terminate, suspend, or resume processes
What does the number inside a process node indicate? number of files opened number of injections number of threads number of child processes
number of child processes
Which two fields are required during activation of a Cortex XDR instance? (Choose two.) a. IP address range b. region c. subdomain d. username
region subdomain
Which of the following are used to create behavioral threat detections? signature-based detection rules-based occurrences file-based detection techniques SHA256 hash-based lookups
rules-based occurrences
What two ways can scripts be run on endpoints? (choose two). run from the Action Center automatically run in response to an alert run in interactive mode run by right-clicking on an alert
run from the Action Center run in interactive mode
Which two Cytool commands are valid? (Choose two.) connect runtime fileinfo wildfire
runtime fileinfo
Where are scripts executed from? the Action Center a Prisma Cloud storage area designed specifically for scripts the Data Lake the Broker VM
the Action Center
In which two places can a user add malicious IP addresses and domains to the EDL from the XDR management console? (Choose two.) the Action Center the Quick Launcher dialog box after searching for an IP address a NGFW alert the incident console the Cortex XDR Agent
the Action Center the incident console
What is the most reliable source for documentation on Cortex XDR? the Cytool command "documentation all" the Cortex XDR Administrator's Guide YouTube videos internet forums
the Cortex XDR Administrator's Guide
What does the "cytool runtime stop" command require? an argument detailing how long to stop the service for before restarting the supervisor password a SHA256 file hash a process ID (PID) that will be stopped
the supervisor password
How can you open the "Go To" mode in the Quick Launcher? type a forward slash click the Go To mode icon use the keyboard shortcut Ctrl+Shift+X open the Quick Launcher by pressing the Shift key
type a forward slash