A Cortex XSOAR customer wants to ingest from a single mailbox. The mailbox brings in reported phishing emails and email requests from human resources (HR) to onboard new users. The customer wants to run two separate workflows from this mailbox, one for phishing and one for onboarding.
What will allow Cortex XSOAR to accomplish this in the most efficient way?
a. Use machine learning (ML) to determine incident type
b. Create two instances of the email integration and classify one instance as ingesting incidents of type phishing and the other as ingesting incidents of type onboarding
c. Use an incident classifier based on field in each type of email to classify those containing “Phish Alert” in the subject as phishing and those containing “Onboard Request” as onboarding
d. Create a playbook to process and determine incident type based on content of the email
What allows the use of predetermined Palo Alto Networks roles to assign access rights to Cortex XDR users?
a. Restrictions security profile
b. Cloud identity engine (CIE)
c. Endpoint groups
d. Role-based access control (RBAC)
What integration allows searching and displaying Splunk results within Cortex XSOAR?
a. Demisto App for Splunk integration
b. SplunkPY integration
c. Splunk integration
d. XSOAR REST API integration
How can Cortex XSOAR save time when a phishing incident occurs?
a. It can automatically identify every mailbox that received the phish and create corresponding cases for them
b. It can automatically email staff to warn them about the phishing attack and show them a copy of the email
c. It can automatically purge the email from user mailboxes in which it has not yet been opened
d. It can automatically respond to the phishing email to unsubscribe from future emails
Which two types of indicators of compromise (IOCs) are available for creation in Cortex XDR? (Choose two.)
a. Internet Protocol (IP)
b. Endpoint hostname
c. Registry entry
d. Domain
Which command is used to add Cortex XSOAR “User1” to an investigation from the War Room?
a. #Invite User1
b. @User1
c. #User1
d. !Invite User1
Which component displays an entire picture of an attack, including the root cause or delivery point?
a. Cortex XSOAR Work Plan
b. Cortex Data Lake
c. Cortex XDR Causality View
d. Cortex SOC Orchestrator
Which two items are stitched to the Cortex XDR causality chain? (Choose two.)
a. Registry set value
b. Firewall alerts
c. Security information and event management (SIEM)
d. Full uniform resource locator (URL)
A customer wants the main Cortex XSOAR server installed in one site and wants to integrate with three other technologies in a second site.
What communications are required between the two sites if the customer wants to install a Cortex XSOAR engine in the second site?
a. The Cortex XSOAR server at the first site must be able to initiate a connection to the Cortex XSOAR engine at the second site
b. All connectivity is initiated from the Cortex XSOAR server on the first site via a managed cloud proxy
c. Dedicated site-to-site virtual private network (VPN) is required for the Cortex XSOAR server at the first site to initiate a connection to the Cortex XSOAR engine at the second site
d. The Cortex XSOAR engine at the first site must be able to initiate a connection to the Cortex XSOAR server at the second site
A customer agrees to do a 30-day proof of concept (POC) and wants to integrate with a product with which Cortex XSOAR is not currently integrated.
What is the appropriate response to the customer?
a. Extend the POC window to allow the solution architects to build it
b. Explain that custom integrations are not included in the POC
c. Explain that it can be built by Professional Services, but it will take an additional 30 days
d. Agree to build the integration as part of the POC
Which service helps uncover attackers wherever they hide by combining world-class threat hunters with Cortex XDR technology that runs on integrated endpoint, network, and cloud data sources?
a. Cloud Identity Engine (CIE)
b. Threat Intelligence Platform (TIP)
c. Virtual desktop infrastructure (VDI)
d. Managed Threat Hunting (MTH)
What is the result of creating an exception from an exploit security event?
a. Triggered exploit protection module (EPM) for the host and process involved is disabled
b. User is exempt from generating events for 24 hours
c. Process from WildFire analysis is whitelisted
d. Administrators are exempt from generating alerts for 24 hours
Cortex XSOAR has extracted a malicious Internet Protocol (IP) address involved in command-and-control (C2) traffic.
What is the best method to block this IP from communicating with endpoints without requiring a configuration change on the firewall?
a. Have XSOAR automatically add the IP address to a deny rule in the firewall
b. Have XSOAR automatically add the IP address to a threat intelligence management (TIM) malicious IP list to elevate priority of future alerts
c. Have XSOAR automatically add the IP address to an external dynamic list (EDL) used by the firewall
d. Have XSOAR automatically create a NetOps ticket requesting a configuration change to the firewall to block the IP
What is the size of the free Cortex Data Lake instance provided to a customer who has activated a TMS tenant, but has not purchased a Cortex Data Lake instance?
a. 10 TB
b. 1 TB
c. 100 GB
d. 10 GB
Cortex XDR external data ingestion processes ingest data from which sources?
a. Windows event logs only
b. Windows event logs, syslogs, and custom external sources
c. Windows event logs and syslogs only
d. Syslogs only
Which process in the causality chain does the Cortex XDR agent identify as triggering an event sequence?
a. Adversary’s remote process
b. Chain’s alert initiator
c. Causality group owner
d. Relevant shell
How do sub-playbooks affect the incident Context Data?
a. When set to global, sub-playbook tasks do not have access to the root context
b. When set to private, task outputs do not automatically get written to the root context
c. When set to global, parallel task execution is allowed
d. When set to private, task outputs are automatically written to the root context
An adversary attempts to communicate with malware running on a network in order to control malware activities or to exfiltrate data from the network.
What Cortex XDR Analytics alert will this activity most likely trigger?
a. Uncommon local scheduled task creation
b. Malware
c. New administrative behavior
d. DNS Tunneling
Which two types of indicators of compromise (IOCs) are available for creation in Cortex XDR? (Choose two.)
a. Registry
b. Hostname
c. Hash
d. File path
Which attack method is a result of techniques designed to gain access through vulnerabilities in the code of an operating system (OS) or application?
a. Malware
b. Exploit
c. Ransomware
d. Phishing
What is a benefit of user entity behavior analytics (UEBA) over security information and event management (SIEM)?
a. UEBA can add trusted signers of Windows or Mac processes to a whitelist in the Endpoint Security Manager (ESM) Console
b. UEBA establishes a secure connection in which endpoints can be routed, and it collects and forwards logs and files for analysis
c. SIEMs have difficulty detecting unknown or advanced security threats that do not involve malware, such as credential theft
d. SIEMs support only agentless scanning, not agent-based workload protection across VMs, containers, and Kubernetes
Which statement applies to a Cortex XSOAR engine that is part of a load-balancing group?
a. It does not appear in the engine drop-down menu when configuring an integration instance
b. It must be in a load-balancing group with at least three additional members
c. It can be used separately as an engine only if directly connected to the XSOAR server
d. It must have port 443 open to allow the XSOAR server to establish a connection
Which step is required to prepare the virtual desktop infrastructure (VDI) golden image?
a. Run the VDI conversion tool
b. Ensure the latest content updates are installed
c. Set the memory dumps to manual setting
d. Review any portable executable (PE) files WildFire determined to be malicious
Which integration allows data to be pushed from Cortex XSOAR into Splunk?
a. SplunkUpdate integration
b. Demisto App for Splunk integration
c. SplunkPY integration
d. ArcSight ESM integration
A Cortex XDR Pro administrator is alerted to a suspicious process creation security event from multiple users who believe these events are false positives.
Which two steps should be taken to confirm the false positives and create an exception? (Choose two.)
a. In the Cortex XDR security event, review the specific parent process, child process, and command line arguments
b. Contact support and ask for a security exception
c. Within the Malware Security profile, add the specific parent process, child process, and command line argument to the child process whitelist
d. Within the Malware Security profile, disable the Prevent Malicious Child Process Execution module
The Cortex XDR management service requires which other Palo Alto Networks product?
a. Cortex Data Lake
b. Directory Sync
c. Panorama
d. Cortex XSOAR
Which Cortex XDR agent capability prevents loading malicious files from USB-connected removable equipment?
a. Device control
b. Agent management
c. Agent configuration
d. Device customization
Which task setting allows context output to a specific key?
a. Extend context
b. Task output
c. Stop on errors
d. Tags
Which two methods does the Cortex XDR agent use to identify malware during a scheduled scan? (Choose two.)
a. WildFire hash comparison
b. Signature comparison
c. Dynamic analysis
d. Heuristic analysis
What are two capabilities of a War Room? (Choose two.)
a. Run ad-hoc automation commands
b. Create widgets for an investigation
c. Act as an audit trail for an investigation
d. Create playbooks for orchestration