Palo Alto Networks Certified XDR Engineer XDR-Engineer Exam Practice Test

Page: 1 / 14
Total 50 questions
Question 1

[Cortex XDR Agent Configuration]

Multiple remote desktop users complain of in-house applications no longer working. The team uses macOS with Cortex XDR agents version 8.7.0, and the applications were previously allowed by disable prevention rules attached to the Exceptions Profile "Engineer-Mac." Based on the images below, what is a reason for this behavior?



Answer : A


Question 2

[Maintenance and Troubleshooting]

When isolating Cortex XDR agent components to troubleshoot for compatibility, which command is used to turn off a component on a Windows machine?



Answer : B


Question 3

[Detection Engineering]

A Custom Prevention rule that was determined to be a false positive alert needs to be tuned. The behavior was determined to be authorized and expected on the affected endpoint. Based on the image below, which two steps could be taken? (Choose two.)

[Image description: A Custom Prevention rule configuration, assumed to trigger a Behavioral Indicator of Compromise (BIOC) alert for authorized behavior]



Answer : A, B


Question 4

[Playbook Creation and Automation]

An engineer wants to automate the handling of alerts in Cortex XDR and defines several automation rules with different actions to be triggered based on specific alert conditions. Some alerts do not trigger the automation rules as expected. Which statement explains why the automation rules might not apply to certain alerts?



Answer : A


Question 5

[Cortex XDR Agent Configuration]

How are dynamic endpoint groups created and managed in Cortex XDR?



Answer : D


Question 6

[Maintenance and Troubleshooting]

How long is data kept in the temporary hot storage cache after being queried from cold storage?



Answer : B


Question 7

[Dashboards and Reporting]

An engineer is building a dashboard to visualize the number of alerts from various sources. One of the widgets from the dashboard is shown in the image below:

The engineer wants to configure a drilldown on this widget to allow dashboard users to select any of the alert names and view those alerts with additional relevant details. The engineer has configured the following XQL query to meet the requirement:

dataset = alerts
| fields alert_name, description, alert_source, severity, original_tags, alert_id, incident_id
| filter alert_name =
| sort desc _time

How will the engineer complete the third line of the query (filter alert_name =) to allow dynamic filtering on a selected alert name?



Answer : B

