[Apr 16, 2026] Valid XDR-Analyst Test Answers Full-length Practice Certification Exams
NEW QUESTION # 42
What functionality of the Broker VM would you use to ingest third-party firewall logs to the Cortex Data Lake?
- A. Pathfinder
- B. DB Collector
- C. Netflow Collector
- D. Syslog Collector
Answer: D
Explanation:
The Broker VM is a virtual machine that acts as a data broker between third-party data sources and the Cortex Data Lake. It can ingest different types of data, such as syslog, netflow, database, and pathfinder. The Syslog Collector functionality of the Broker VM allows it to receive syslog messages from third-party devices, such as firewalls, routers, switches, and servers, and forward them to the Cortex Data Lake. The Syslog Collector can be configured to filter, parse, and enrich the syslog messages before sending them to the Cortex Data Lake. The Syslog Collector can also be used to ingest logs from third-party firewall vendors, such as Cisco, Fortinet, and Check Point, to the Cortex Data Lake. This enables Cortex XDR to analyze the firewall logs and provide visibility and threat detection across the network perimeter. Reference:
Cortex XDR Data Broker VM
Syslog Collector
Supported Third-Party Firewall Vendors
NEW QUESTION # 43
Which Exploit Protection Module (EPM) can be used to prevent attacks based on OS function?
- A. JIT Mitigation
- B. UASLR
- C. Memory Limit Heap Spray Check
- D. DLL Security
Answer: A
Explanation:
JIT Mitigation is an Exploit Protection Module (EPM) that can be used to prevent attacks based on OS function. JIT Mitigation protects against exploits that use the Just-In-Time (JIT) compiler of the OS to execute malicious code. JIT Mitigation monitors the memory pages that are allocated by the JIT compiler and blocks any attempts to execute code from those pages. This prevents attackers from using the JIT compiler as a way to bypass other security mechanisms such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). Reference:
Palo Alto Networks. (2023). PCDRA Study Guide. PDF file. Retrieved from https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcdra-study-guide.pdf
Palo Alto Networks. (2021). Exploit Protection Modules. Web page. Retrieved from https://docs.paloaltonetworks.com/traps/6-0/traps-endpoint-security-manager-admin/traps-endpoint-security-policies/exploit-protection-modules.html
NEW QUESTION # 44
In the Cortex XDR management console, scheduled reports can be forwarded to which of the following applications/services?
- A. Service Now
- B. Jira
- C. Salesforce
- D. Slack
Answer: D
Explanation:
Cortex XDR allows you to schedule reports and forward them to Slack, a cloud-based collaboration platform. You can configure the Slack channel, frequency, and recipients of the scheduled reports. You can also view the report history and status in the Cortex XDR management console. Reference:
Scheduled Queries: This document explains how to create, edit, and manage scheduled queries and reports in Cortex XDR.
Forward Scheduled Reports to Slack: This document provides the steps to configure Slack integration and forward scheduled reports to a Slack channel.
NEW QUESTION # 45
Which built-in dashboard would be the best option for an executive, if they were looking for the Mean Time to Resolution (MTTR) metric?
- A. Security Manager Dashboard
- B. Data Ingestion Dashboard
- C. Incident Management Dashboard
- D. Security Admin Dashboard
Answer: C
Explanation:
The Incident Management Dashboard provides a high-level overview of the incident response process, including the Mean Time to Resolution (MTTR) metric. This metric measures the average time it takes to resolve an incident from the moment it is created to the moment it is closed. The dashboard also shows the number of incidents by status, severity, and assigned analyst, as well as the top alerts by category, source, and destination. The Incident Management Dashboard is designed for executives and managers who want to monitor the performance and efficiency of their security teams. Reference: [PCDRA Study Guide], page 18.
NEW QUESTION # 46
Which statement is true for Application Exploits and Kernel Exploits?
- A. The ultimate goal of any exploit is to reach the kernel.
- B. The ultimate goal of any exploit is to reach the application.
- C. Application exploits leverage kernel vulnerability.
- D. Kernel exploits are easier to prevent than application exploits.
Answer: A
Explanation:
The ultimate goal of any exploit is to reach the kernel, which is the core component of the operating system that has the highest level of privileges and access to the hardware resources. Application exploits are attacks that target vulnerabilities in specific applications, such as web browsers, email clients, or office suites. Kernel exploits are attacks that target vulnerabilities in the kernel itself, such as memory corruption, privilege escalation, or code execution. Kernel exploits are more difficult to prevent and detect than application exploits, because they can bypass security mechanisms and hide their presence from the user and the system. Reference:
Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA) Study Guide, page 8
Palo Alto Networks Cortex XDR Documentation, Exploit Protection Overview
NEW QUESTION # 47
What license would be required for ingesting external logs from various vendors?
- A. Cortex XDR Pro per TB
- B. Cortex XDR Pro per Endpoint
- C. Cortex XDR Cloud per Host
- D. Cortex XDR Vendor Agnostic Pro
Answer: A
Explanation:
To ingest external logs from various vendors, you need a Cortex XDR Pro per TB license. This license allows you to collect and analyze logs from Palo Alto Networks and third-party sources, such as firewalls, proxies, endpoints, cloud services, and more. You can use the Log Forwarding app to forward logs from the Logging Service to an external syslog receiver. The Cortex XDR Pro per Endpoint license only supports logs from Cortex XDR agents installed on endpoints. The Cortex XDR Vendor Agnostic Pro and Cortex XDR Cloud per Host licenses do not exist. Reference:
Features by Cortex XDR License Type
Log Forwarding App for Cortex XDR Analytics
SaaS Log Collection
NEW QUESTION # 48
The Cortex XDR console has triggered an incident, blocking a vitally important piece of software in your organization that is known to be benign. Which of the following options would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization?
- A. Create a global inclusion.
- B. Create a global exception.
- C. Create an individual alert exclusion.
- D. Create an endpoint-specific exception.
Answer: B
Explanation:
A global exception is a rule that allows you to exclude specific files, processes, or behaviors from being blocked or detected by Cortex XDR. A global exception applies to all endpoints in your organization that are protected by Cortex XDR. Creating a global exception for a vitally important piece of software that is known to be benign would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization.
To create a global exception, you need to follow these steps:
1. In the Cortex XDR management console, go to Policy Management > Exceptions and click Add Exception.
2. Select the Global Exception option and click Next.
3. Enter a name and description for the exception and click Next.
4. Select the type of exception you want to create, such as file, process, or behavior, and click Next.
5. Specify the criteria for the exception, such as file name, hash, path, process name, command line, or behavior name, and click Next.
6. Review the summary of the exception and click Finish.
Reference:
Create Global Exceptions: This document explains how to create global exceptions to exclude specific files, processes, or behaviors from being blocked or detected by Cortex XDR.
Exceptions Overview: This document provides an overview of exceptions and how they can be used to fine-tune the Cortex XDR security policy.
NEW QUESTION # 49
Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?
- A. Restriction Policy
- B. Behavioral Threat Protection
- C. Hash Verdict Determination
- D. Child Process Protection
Answer: C
Explanation:
The first protection module that is checked in the Cortex XDR Windows agent malware protection flow is the Hash Verdict Determination. This module compares the hash of the executable file that is about to run on the endpoint with a list of known malicious hashes stored in the Cortex XDR cloud. If the hash matches a malicious hash, the agent blocks the execution and generates an alert. If the hash does not match a malicious hash, the agent proceeds to the next protection module, which is the Restriction Policy.
The Hash Verdict Determination module is the first line of defense against malware, as it can quickly and efficiently prevent known threats from running on the endpoint. However, this module cannot protect against unknown or zero-day threats, which have no known hash signature. Therefore, the Cortex XDR agent relies on other protection modules, such as Behavioral Threat Protection, Child Process Protection, and Exploit Protection, to detect and block malicious behaviors and exploits that may occur during the execution of the file.
Reference:
Palo Alto Networks Cortex XDR Documentation, File Analysis and Protection Flow
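To make the ordering described above concrete, here is an added Python example. It is not Palo Alto Networks code and not how the agent is implemented internally; it models two pre-execution stages, a SHA-256 lookup against a constructed known-malicious list followed by a path-based restriction rule standing in for the Restriction Policy, and shows that the first stage to decide ends the evaluation. The malicious sample, the restricted folder and the function names are all assumptions made for the example.

```python
import hashlib

# Constructed sample: the "known malicious" list holds the SHA-256 of a byte string
# made up for this example. No real malware hash is used.
KNOWN_MALICIOUS_SHA256 = {
    hashlib.sha256(b"constructed-sample-malicious-payload").hexdigest(),
}

# Constructed restriction rule for the second stage (assumption): block executables
# launched from a folder an administrator has restricted.
RESTRICTED_PATH_PREFIXES = ("C:\\Users\\Public\\Downloads\\",)


def hash_verdict(file_bytes):
    """Stage 1: compare the file's SHA-256 with the known-malicious list."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "malicious" if digest in KNOWN_MALICIOUS_SHA256 else "unknown"


def restriction_policy(path):
    """Stage 2: block execution from restricted locations regardless of file content."""
    return "block" if path.startswith(RESTRICTED_PATH_PREFIXES) else "allow"


def evaluate_execution(path, file_bytes):
    """Run the stages in order; the first stage that decides ends the evaluation.

    Returns (decision, stage) so the caller can see which module made the call.
    """
    if hash_verdict(file_bytes) == "malicious":
        return ("block", "hash_verdict")
    if restriction_policy(path) == "block":
        return ("block", "restriction_policy")
    # Later modules (Behavioral Threat Protection, Child Process Protection, Exploit
    # Protection) are not modelled here: an unknown file that passes the earlier
    # stages is allowed to start and is watched at runtime.
    return ("allow", "runtime_monitoring")


if __name__ == "__main__":
    print(evaluate_execution("C:\\Program Files\\app\\app.exe",
                             b"constructed-sample-malicious-payload"))
    print(evaluate_execution("C:\\Users\\Public\\Downloads\\tool.exe", b"benign bytes"))
    print(evaluate_execution("C:\\Program Files\\app\\app.exe", b"benign bytes"))
```

The point of the short-circuit is visible in the second call: a file whose hash is unknown is not allowed automatically; it is simply handed to the next module, which may still block it.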
NEW QUESTION # 50
When creating a BIOC rule, which XQL query can be used?
- A. dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
- B. dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
- C. dataset = xdr_data | filter action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe" | fields action_process_image
- D. dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
Answer: A
Explanation:
A BIOC rule is a custom detection rule that uses the Cortex Query Language (XQL) to define the behavior or actions that indicate a potential threat. A BIOC rule can use the xdr_data and cloud_audit_log datasets and presets for these datasets. A BIOC rule can also use the filter stage, alter stage, and functions without any aggregations in the XQL query. The query must return a single field named action_process_image, which is the process image name of the suspicious process. The query must also include the event_type and event_sub_type fields in the filter stage to specify the type and sub-type of the event that triggers the rule.
Option A is the correct answer because it meets all the requirements for a valid BIOC rule query. It uses the xdr_data dataset, the filter stage, the event_type and event_sub_type fields, and the action_process_image_name field with a regular expression to match any process image name that ends with .pdf.exe or .docx.exe, which are common indicators of malicious files.
Option D is incorrect because it does not include the event_type field in the filter stage, which is mandatory for a BIOC rule query.
Option C is incorrect because it does not include the event_type and event_sub_type fields in the filter stage, and it uses the fields stage, which is not supported for a BIOC rule query. It also returns the action_process_image field instead of the action_process_image_name field, which is the expected output for a BIOC rule query.
Option B is incorrect because it uses the event_behavior field, which is not supported for a BIOC rule query. It also does not include the event_type field in the filter stage, and it uses the event_sub_type field incorrectly. The event_sub_type field should be equal to PROCESS_START, not true.
Reference:
Working with BIOCs
Cortex Query Language (XQL) Reference
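To show what the filter stage of the correct query actually selects, here is an added Python example (not from the page and not Palo Alto Networks code) that applies the same three conditions to a constructed list of xdr_data-style events, using Python's re module in place of the query's ~= operator. It also includes an anchored variant of the pattern: the pattern as written in the query is unanchored, so it also matches names such as notes.pdf.exe.bak, and a rule author may or may not want that. The event dictionaries and function names are assumptions for the example.

```python
import re

# Pattern copied from the query (option A), used unanchored as in the query.
IMAGE_NAME_PATTERN = re.compile(r".*?\.(?:pdf|docx)\.exe")
# Anchored variant (added here): the double extension must end the image name.
IMAGE_NAME_PATTERN_STRICT = re.compile(r".*?\.(?:pdf|docx)\.exe$")

# Constructed sample events shaped like the xdr_data fields the query filters on.
SAMPLE_EVENTS = [
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "invoice.pdf.exe"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "quarterly-report.docx"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_STOP",
     "action_process_image_name": "resume.docx.exe"},
    {"event_type": "FILE", "event_sub_type": "FILE_CREATE",
     "action_process_image_name": "resume.docx.exe"},
    {"event_type": "PROCESS", "event_sub_type": "PROCESS_START",
     "action_process_image_name": "notes.pdf.exe.bak"},
]


def matches_bioc(event, strict=False):
    """Return True if the event satisfies every condition of the query's filter stage.

    All three conditions are joined with `and`, exactly as in the query: the event
    must be a PROCESS / PROCESS_START event AND the image name must match the regex.
    """
    pattern = IMAGE_NAME_PATTERN_STRICT if strict else IMAGE_NAME_PATTERN
    name = event.get("action_process_image_name", "")
    return (
        event.get("event_type") == "PROCESS"
        and event.get("event_sub_type") == "PROCESS_START"
        and pattern.search(name) is not None
    )


def run_bioc(events, strict=False):
    """Apply the filter to a list of events and return the matching image names."""
    return [e["action_process_image_name"] for e in events if matches_bioc(e, strict)]


if __name__ == "__main__":
    print("as written :", run_bioc(SAMPLE_EVENTS))
    print("anchored   :", run_bioc(SAMPLE_EVENTS, strict=True))
```

Note that resume.docx.exe appears twice in the sample and is never selected: once because the event is a PROCESS_STOP, once because it is a FILE event. That is the work the event_type and event_sub_type conditions do, and why the explanation above treats them as mandatory.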
NEW QUESTION # 51
Which of the following represents a common sequence of cyber-attack tactics?
- A. Installation - Reconnaissance - Weaponization & Delivery - Exploitation - Command & Control - Actions on the objective
- B. Reconnaissance - Weaponization & Delivery - Exploitation - Installation - Command & Control - Actions on the objective
- C. Actions on the objective - Reconnaissance - Weaponization & Delivery - Exploitation - Installation - Command & Control
- D. Reconnaissance - Installation - Weaponization & Delivery -Exploitation - Command & Control - Actions on the objective
Answer: B
Explanation:
A common sequence of cyber-attack tactics is based on the Cyber Kill Chain model, which describes the stages of a cyber intrusion from the perspective of the attacker. The Cyber Kill Chain model consists of seven phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on the objective. These phases are briefly explained below:
Reconnaissance: The attacker gathers information about the target, such as its network, systems, vulnerabilities, employees, and business operations. The attacker may use various methods, such as scanning, phishing, or searching open sources, to collect data that can help them plan the attack.
Weaponization: The attacker creates or obtains a malicious payload, such as malware, exploit, or script, that can be used to compromise the target. The attacker may also embed the payload into a delivery mechanism, such as an email attachment, a web link, or a removable media.
Delivery: The attacker sends or delivers the weaponized payload to the target, either directly or indirectly. The attacker may use various channels, such as email, web, or physical access, to reach the target's network or system.
Exploitation: The attacker exploits a vulnerability or weakness in the target's network or system to execute the payload. The vulnerability may be technical, such as a software flaw, or human, such as a social engineering trick.
Installation: The attacker installs or drops additional malware or tools on the target's network or system to establish a foothold and maintain persistence. The attacker may use various techniques, such as registry modification, file manipulation, or process injection, to hide their presence and evade detection.
Command and Control: The attacker establishes a communication channel between the compromised target and a remote server or controller. The attacker may use various protocols, such as HTTP, DNS, or IRC, to send commands and receive data from the target.
Actions on the objective: The attacker performs the final actions that achieve their goal, such as stealing data, destroying files, encrypting systems, or disrupting services. The attacker may also try to move laterally within the target's network or system to access more resources or data.
Reference:
Cyber Kill Chain: This document explains the Cyber Kill Chain model and how it can be used to analyze and respond to cyberattacks.
Cyber Attack Tactics: This document provides an overview of some common cyber attack tactics and examples of how they are used by threat actors.
NEW QUESTION # 52
What is the outcome of creating and implementing an alert exclusion?
- A. The Cortex XDR agent will allow the process that was blocked to run on the endpoint.
- B. The Cortex XDR console will delete those alerts and block ingestion of them in the future.
- C. The Cortex XDR agent will not create an alert for this event in the future.
- D. The Cortex XDR console will hide those alerts.
Answer: D
Explanation:
The outcome of creating and implementing an alert exclusion is that the Cortex XDR console will hide those alerts that match the exclusion criteria. An alert exclusion is a policy that allows you to filter out alerts that are not relevant, false positives, or low priority, and focus on the alerts that require your attention. When you create an alert exclusion, you can specify the criteria that define which alerts you want to exclude, such as alert name, severity, source, or endpoint. After you create an alert exclusion, Cortex XDR will hide any future alerts that match the criteria, and exclude them from incidents and search query results. However, the alert exclusion does not affect the behavior of the Cortex XDR agent or the security policy on the endpoint. The Cortex XDR agent will still create an alert for the event and apply the appropriate action, such as blocking or quarantining, according to the security policy. The alert exclusion only affects the visibility of the alert on the Cortex XDR console, not the actual protection of the endpoint. Therefore, the correct answer is D: the Cortex XDR console will hide those alerts. Reference:
Alert Exclusions
Create an Alert Exclusion Policy
NEW QUESTION # 53
What is the purpose of the Unit 42 team?
- A. Unit 42 is responsible for automation and orchestration of products
- B. Unit 42 is responsible for threat research, malware analysis and threat hunting
- C. Unit 42 is responsible for the configuration optimization of the Cortex XDR server
- D. Unit 42 is responsible for the rapid deployment of Cortex XDR agents
Answer: B
Explanation:
Unit 42 is the threat intelligence and response team of Palo Alto Networks. The purpose of Unit 42 is to collect and analyze the most up-to-date threat intelligence and apply it to respond to cyberattacks. Unit 42 is composed of world-renowned threat researchers, incident responders and security consultants who help organizations proactively manage cyber risk. Unit 42 is responsible for threat research, malware analysis and threat hunting, among other activities.
Let's briefly discuss the other options to provide a comprehensive explanation:
A. Unit 42 is not responsible for automation and orchestration of products. Automation and orchestration are capabilities that are provided by Palo Alto Networks products such as Cortex XSOAR, which is a security orchestration, automation and response platform that helps security teams automate tasks, coordinate actions and manage incidents.
C. Unit 42 is not responsible for the configuration optimization of the Cortex XDR server. The Cortex XDR server is the cloud-based platform that provides detection and response capabilities across network, endpoint and cloud data sources. The configuration optimization of the Cortex XDR server is the responsibility of the Cortex XDR administrators, who can use the Cortex XDR app to manage the settings and policies of the Cortex XDR server.
D. Unit 42 is not responsible for the rapid deployment of Cortex XDR agents. The Cortex XDR agents are the software components that are installed on endpoints to provide protection and visibility. The rapid deployment of Cortex XDR agents is the responsibility of the Cortex XDR administrators, who can use various methods such as group policy objects, scripts, or third-party tools to deploy the Cortex XDR agents to multiple endpoints.
In conclusion, Unit 42 is the threat intelligence and response team of Palo Alto Networks that is responsible for threat research, malware analysis and threat hunting. By leveraging the expertise and insights of Unit 42, organizations can enhance their security posture and protect against the latest cyberthreats.
Reference:
About Unit 42: Our Mission and Team
Unit 42: Threat Intelligence & Response
Cortex XSOAR
Cortex XDR Pro Admin Guide: Manage Cortex XDR Settings and Policies
Cortex XDR Pro Admin Guide: Deploy Cortex XDR Agents
NEW QUESTION # 54
If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?
- A. Local Agent Installer and Content Caching
- B. Local Agent Proxy
- C. Broker VM Syslog Collector
- D. Broker VM Pathfinder
Answer: B
Explanation:
If you have an isolated network that is prevented from connecting to the Cortex Data Lake, you can use the Local Agent Proxy setup to facilitate the communication. The Local Agent Proxy is a type of Broker VM that acts as a proxy server for the Cortex XDR agents that are deployed on the isolated network. The Local Agent Proxy enables the Cortex XDR agents to communicate securely with the Cortex Data Lake and the Cortex XDR management console over the internet, without requiring direct access to the internet from the isolated network. The Local Agent Proxy also allows the Cortex XDR agents to download installation packages and content updates from the Cortex XDR management console. To use the Local Agent Proxy setup, you need to deploy a Broker VM on the isolated network and configure it as a Local Agent Proxy. You also need to deploy another Broker VM on a network that has internet access and configure it as a Remote Agent Proxy. The Remote Agent Proxy acts as a relay between the Local Agent Proxy and the Cortex Data Lake. You also need to install a strong cipher SHA256-based SSL certificate on both the Local Agent Proxy and the Remote Agent Proxy to ensure secure communication. You can read more about the Local Agent Proxy setup and how to configure it in the references below. Reference:
Local Agent Proxy
Configure the Local Agent Proxy Setup
NEW QUESTION # 55
Which Type of IOC can you define in Cortex XDR?
- A. destination port
- B. full path
- C. App-ID
- D. e-mail address
Answer: B
Explanation:
Cortex XDR allows you to define IOCs based on various criteria, such as file hashes, registry keys, IP addresses, domain names, and full paths. A full path IOC is a specific location of a file or folder on an endpoint, such as C:\Windows\System32\calc.exe. You can use full path IOCs to detect and respond to malicious files or folders that are located in known locations on your endpoints.
Let's briefly discuss the other options to provide a comprehensive explanation:
A. destination port: This is not the correct answer. Destination port is not a type of IOC that you can define in Cortex XDR. Destination port is a network attribute that indicates the port number to which a packet is sent. Cortex XDR does not support defining IOCs based on destination ports, but you can use XQL queries to filter network events by destination ports.
C. App-ID: This is not the correct answer. App-ID is not a type of IOC that you can define in Cortex XDR. App-ID is a feature of Palo Alto Networks firewalls that identifies and controls applications on the network. Cortex XDR does not support defining IOCs based on App-IDs, but you can use the Cortex XDR Analytics app to create custom rules that use App-IDs as part of the rule logic.
D. e-mail address: This is not the correct answer. E-mail address is not a type of IOC that you can define in Cortex XDR. E-mail address is an identifier that is used to send and receive e-mails. Cortex XDR does not support defining IOCs based on e-mail addresses, but you can use the Cortex XDR - IOC integration with Cortex XSOAR to ingest IOCs from various sources, including e-mail addresses.
In conclusion, full path is the type of IOC that you can define in Cortex XDR. By using full path IOCs, you can enhance your detection and response capabilities and protect your endpoints from malicious files or folders.
Reference:
Create an IOC Rule
XQL Reference Guide: Network Events Schema
Cortex XDR - IOC
Cortex XDR Analytics App
PCDRA: Which Type of IOC can define in Cortex XDR?
NEW QUESTION # 56
Which two types of exception profiles can you create in Cortex XDR? (Choose two.)
- A. role-based profiles that apply to specific endpoints
- B. agent exception profiles that apply to specific endpoints
- C. exception profiles that apply to specific endpoints
- D. global exception profiles that apply to all endpoints
Answer: B,D
Explanation:
Cortex XDR allows you to create two types of exception profiles: agent exception profiles and global exception profiles. Agent exception profiles apply to specific endpoints that are assigned to the profile. Global exception profiles apply to all endpoints in your network. You can use exception profiles to configure different types of exceptions, such as process exceptions, support exceptions, behavioral threat protection rule exceptions, local analysis rules exceptions, advanced analysis exceptions, or digital signer exceptions. Exception profiles help you fine-tune the security policies for your endpoints and reduce false positives. Reference:
Exception Security Profiles
Create an Agent Exception Profile
Create a Global Exception Profile
NEW QUESTION # 57
When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?
- A. This isn't supported, you have to exit the dashboard and go into the Widget Library first to create it.
- B. Click on "Save to Action Center" in the dashboard and you will be prompted to give the query a name and description.
- C. Click on "Save to Widget Library" in the dashboard and you will be prompted to give the query a name and description.
- D. Click the three dots on the widget and then choose "Save" and this will link the query to the Widget Library.
Answer: C
Explanation:
To save a custom XQL query to the Widget Library, you need to click on "Save to Widget Library" in the dashboard and you will be prompted to give the query a name and description. This will allow you to reuse the query in other dashboards or reports. You cannot save a query to the Widget Library by clicking the three dots on the widget, as this will only give you options to edit, delete, or clone the widget. You also cannot save a query to the Action Center, as this is a different feature that allows you to create alerts or remediation actions based on the query results. You do not have to exit the dashboard and go into the Widget Library first to create a query, as you can do it directly from the dashboard. Reference:
Cortex XDR Pro Admin Guide: Save a Custom Query to the Widget Library
Cortex XDR Pro Admin Guide: Create a Dashboard
NEW QUESTION # 58
When selecting multiple Incidents at a time, what options are available from the menu when a user right-clicks the incidents? (Choose two.)
- A. Assign incidents to an analyst in bulk.
- B. Delete the selected Incidents.
- C. Change the status of multiple incidents.
- D. Investigate several Incidents at once.
Answer: A,C
Explanation:
When selecting multiple incidents at a time, the options that are available from the menu when a user right-clicks the incidents are: Assign incidents to an analyst in bulk and Change the status of multiple incidents. These options allow the user to perform bulk actions on the selected incidents, such as assigning them to a specific analyst or changing their status to open, in progress, resolved, or closed. These options can help the user to manage and prioritize the incidents more efficiently and effectively. To use these options, the user needs to select the incidents from the incident table, right-click on them, and choose the desired option from the menu. The user can also use keyboard shortcuts to perform these actions, such as Ctrl+A to select all incidents, Ctrl+Shift+A to assign incidents to an analyst, and Ctrl+Shift+S to change the status of incidents. Reference:
Assign Incidents to an Analyst in Bulk
Change the Status of Multiple Incidents
NEW QUESTION # 59
What does the following output tell us?
- A. Host shpapy_win10 had the most vulnerabilities.
- B. This is an actual output of the Top 10 hosts with the most malware.
- C. There is one informational severity alert.
- D. There is one low severity incident.
Answer: B
Explanation:
The output shows the top 10 hosts with the most malware in the last 30 days, based on the Cortex XDR data. The output is sorted by the number of incidents, with the host with the most incidents at the top. The output also shows the number of alerts, the number of endpoints, and the percentage of endpoints for each host. The output is generated by using the ACC (Application Command Center) feature of Cortex XDR, which provides a graphical representation of the network activity and threat landscape. The ACC allows you to view and analyze various widgets, such as the Top 10 hosts with the most malware, the Top 10 applications by bandwidth, the Top 10 threats by count, and more.
Reference:
Use the ACC to Analyze Network Activity
Top 10 Hosts with the Most Malware
NEW QUESTION # 60
Why would one threaten to encrypt a hypervisor or, potentially, a multiple number of virtual machines running on a server?
- A. To potentially perform a Distributed Denial of Attack.
- B. To gain notoriety and potentially a consulting position.
- C. To better understand the underlying virtual infrastructure.
- D. To extort a payment from a victim or potentially embarrass the owners.
Answer: D
Explanation:
Encrypting a hypervisor or multiple virtual machines running on a server is a form of ransomware attack, which is a type of cyberattack that involves locking or encrypting the victim's data or system and demanding a ransom for its release. The attacker may threaten to encrypt the hypervisor or the virtual machines to extort a payment from the victim or potentially embarrass the owners by exposing their sensitive or confidential information. Encrypting a hypervisor or multiple virtual machines can have a severe impact on the victim's business operations, as it can affect the availability, integrity, and confidentiality of their data and applications. The attacker may also use the encryption as leverage to negotiate a higher ransom or to coerce the victim into complying with their demands. Reference:
Encrypt an Existing Virtual Machine or Virtual Disk: This document explains how to encrypt an existing virtual machine or virtual disk using the vSphere Client.
How to Encrypt an Existing or New Virtual Machine: This article provides a guide on how to encrypt an existing or new virtual machine using AOMEI Backupper.
Ransomware: This document provides an overview of ransomware, its types, impacts, and prevention methods.
NEW QUESTION # 61
How does Cortex XDR agent for Windows prevent ransomware attacks from compromising the file system?
- A. by retrieving the encryption key.
- B. by encrypting the disk first.
- C. by utilizing decoy Files.
- D. by patching vulnerable applications.
Answer: C
Explanation:
Cortex XDR agent for Windows prevents ransomware attacks from compromising the file system by utilizing decoy files. Decoy files are randomly generated files that are placed in strategic locations on the endpoint, such as the user's desktop, documents, and pictures folders. These files are designed to look like valuable data that ransomware would target for encryption. When Cortex XDR agent detects that a process is attempting to access or modify a decoy file, it immediately blocks the process and alerts the administrator. This way, Cortex XDR agent can stop ransomware attacks before they can cause any damage to the real files on the endpoint. Reference:
Anti-Ransomware Protection
PCDRA Study Guide
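The decoy-file idea can be demonstrated outside the agent. The following added Python example (not Palo Alto Networks code, and not how the Cortex XDR agent implements its anti-ransomware protection) plants a few random-content decoys in a temporary folder, records their SHA-256 digests, and then reports any decoy that was overwritten, renamed or deleted, which is the signal a monitor would turn into a block-and-alert decision. The file names, the folder and the function names are constructed for the example.

```python
import hashlib
import os
import secrets
import tempfile

# Constructed decoy names chosen to look like ordinary user documents; the content is
# random so a process cannot tell them apart from real data by content alone.
DECOY_NAMES = ("budget-2024.xlsx", "passwords.txt", "family-photos.zip")


def plant_decoys(folder, size=4096):
    """Create the decoy files under `folder` and return {path: sha256} as the baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(folder, name)
        data = secrets.token_bytes(size)
        with open(path, "wb") as fh:
            fh.write(data)
        baseline[path] = hashlib.sha256(data).hexdigest()
    return baseline


def check_decoys(baseline):
    """Return the decoys that are missing or whose content differs from the baseline.

    A missing decoy (renamed or deleted) and a rewritten decoy are both reported,
    since ransomware families do either.
    """
    tampered = []
    for path, expected in baseline.items():
        if not os.path.exists(path):
            tampered.append(path)
            continue
        with open(path, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() != expected:
                tampered.append(path)
    return tampered


def demo():
    """Plant decoys, overwrite one in place (simulating an encryptor), and report it."""
    with tempfile.TemporaryDirectory() as folder:
        baseline = plant_decoys(folder)
        untouched = check_decoys(baseline)          # nothing tampered yet -> []
        victim = os.path.join(folder, DECOY_NAMES[1])
        with open(victim, "wb") as fh:
            fh.write(secrets.token_bytes(64))       # content no longer matches baseline
        tampered = [os.path.basename(p) for p in check_decoys(baseline)]
        return untouched, tampered


if __name__ == "__main__":
    print(demo())
```

In a real deployment the check would run on file-system events rather than on demand, and the decision on a match would be to suspend the writing process and raise an alert, as the explanation above describes; the polling form here keeps the example self-contained.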
NEW QUESTION # 62
Can you disable the ability to use the Live Terminal feature in Cortex XDR?
- A. Yes, via Agent Settings Profile.
- B. No, it is a required feature of the agent.
- C. No, a separate installer package without Live Terminal is required.
- D. Yes, via the Cortex XDR console or with an installation switch.
Answer: A
Explanation:
The Live Terminal feature in Cortex XDR allows you to initiate a remote connection to an endpoint and perform various actions such as running commands, uploading and downloading files, and terminating processes. You can disable the ability to use the Live Terminal feature in Cortex XDR by configuring the Agent Settings Profile. The Agent Settings Profile defines the behavior and functionality of the Cortex XDR agent on the endpoint. You can create different profiles for different groups of endpoints and assign them accordingly. To disable the Live Terminal feature, you need to uncheck the Enable Live Terminal option in the Agent Settings Profile and save the changes. This will prevent the Cortex XDR agent from accepting any Live Terminal requests from the Cortex XDR management console. Reference:
Live Terminal: This document explains how to use the Live Terminal feature to investigate and respond to security events on Windows endpoints.
Agent Settings Profile: This document describes how to create and manage Agent Settings Profiles to define the behavior and functionality of the Cortex XDR agent on the endpoint.
NEW QUESTION # 63
When creating a scheduled report, which of the following is not an option?
- A. Run monthly on a certain day and time.
- B. Run daily at a certain time (selectable hours and minutes).
- C. Run quarterly on a certain day and time.
- D. Run weekly on a certain day and time.
Answer: C
Explanation:
When creating a scheduled report in Cortex XDR, the option to run quarterly on a certain day and time is not available. You can only schedule reports to run daily, weekly, or monthly. You can also specify the start and end dates, the time zone, and the recipients of the report. Scheduled reports are useful for generating regular reports on the security events, incidents, alerts, or endpoints in your network. You can create scheduled reports from the Reports page in the Cortex XDR console, or from the Query Center by saving a query as a report. Reference:
Run or Schedule Reports
Create a Scheduled Report
NEW QUESTION # 64