Palo Alto Networks XDR-Engineer Exam Practice Test Instant Access

Question 1

[Planning and Installation]

The most recent Cortex XDR agents are being installed at a newly acquired company. A list with endpoint types (i.e., OS, hardware, software) is provided to the engineer. What should be cross-referenced for the Linux systems listed regarding the OS types and OS versions supported?

AContent Compatibility Matrix

BKernel Module Version Support

CEnd-of-Life Summary

DAgent Installer Certificate

Answer : B

Question 2

[Dashboards and Reporting]

What are two possible actions that can be triggered by a dashboard drilldown? (Choose two.)

ANavigate to a different dashboard

BInitiate automated response actions

CLink to an XQL query

DSend alerts to console users

Answer : A, C

Question 3

[Detection Engineering]

An XDR engineer is creating a correlation rule to monitor login activity on specific systems. When the activity is identified, an alert is created. The alerts are being generated properly but are missing the username when viewed. How can the username information be included in the alerts?

ASelect ''Initial Access'' in the MITRE ATT&CK mapping to include the username

BUpdate the query in the correlation rule to include the username field

CAdd a mapping for the username field in the alert fields mapping

DAdd a drill-down query to the alert which pulls the username field

Answer : C

Question 4

[Detection Engineering]

Based on the image of a validated false positive alert below, which action is recommended for resolution?

ACreate an alert exclusion for OUTLOOK.EXE

BDisable an action to the CGO Process DWWIN.EXE

CCreate an exception for the CGO DWWIN.EXE for ROP Mitigation Module

DCreate an exception for OUTLOOK.EXE for ROP Mitigation Module

Answer : D

Question 5

[Maintenance and Troubleshooting]

When isolating Cortex XDR agent components to troubleshoot for compatibility, which command is used to turn off a component on a Windows machine?

A'C:\Program Files\Palo Alto Networks\Traps\xdr.exe' stop

B'C:\Program Files\Palo Alto Networks\Traps\cytool.exe' runtime stop

C'C:\Program Files\Palo Alto Networks\Traps\xdr.exe' -s stop

D'C:\Program Files\Palo Alto Networks\Traps\cytool.exe' occp

Answer : B

Question 6

[Detection Engineering]

Which XQL query can be saved as a behavioral indicator of compromise (BIOC) rule, then converted to a custom prevention rule?

Adataset = xdr_data| filter event_type = ENUM.DEVICE and action_process_image_name = '**'and action_process_image_command_line = '-e cmd*'and action_process_image_command_line != '*cmd.exe -a /c*'

Bdataset = xdr_data| filter event_type = ENUM.PROCESS and event_type = ENUM.DEVICE and action_process_image_name = '**'and action_process_image_command_line = '-e cmd*'and action_process_image_command_line != '*cmd.exe -a /c*'

Cdataset = xdr_data| filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME) and agent_hostname = 'hostname'| filter lowercase(action_file_path) in ('/etc/*', '/usr/local/share/*', '/usr/share/*') and action_file_extension in ('conf', 'txt')| fields action_file_name, action_file_path, action_file_type, agent_ip_addresses, agent_hostname, action_file_path

Ddataset = xdr_data| filter event_type = ENUM.PROCESS and action_process_image_name = '**'and action_process_image_command_line = '-e cmd*'and action_process_image_command_line != '*cmd.exe -a /c*'

Answer : D

Question 7

[Post-Deployment Management and Configuration]

Using the Cortex XDR console, how can additional network access be allowed from a set of IP addresses to an isolated endpoint?

AAdd entries in Configuration section of Security Settings

BAdd entries in the Allowed Domains section of Security Settings for the tenant

CAdd entries in Exceptions Configuration section of Isolation Exceptions

DAdd entries in Response Actions section of Agent Settings profile

Answer : C

Palo Alto Networks Certified XDR Engineer XDR-Engineer Exam Practice Test