Test title:
Palo Alto

Description:
Palo Alto

Creation date: 2026/01/26

Category: Other

Number of questions: 60

Rating: (0)
Questions:

Which incident should a responder prioritize based on overall functional and informational impact to the company?. A user in the accounting department receives a pop-up message after visiting a website. A public-facing web server has multiple failed login attempts over a short period of time. An external-facing company website is currently unavailable. A large upload of user data from an internal file server to a public website occurs.

Which response action in Cortex XSIAM would be unavailable to a SOC analyst investigating an incident involving a Linux server?. File search and destroy. Live Terminal session initiation. Running a script. Halting network access.

What is the role of content packs in Cortex XSOAR?. To provide prebuilt bundles for supporting security orchestration use cases. To support technical support teams with relevant information required to troubleshoot. To serve as a central location for installing, exchanging, and contributing content. To serve as a major software versioning update.

Which action should an administrator take to create automated response actions when a user account is compromised, allowing an attacker to upload data to an external IP address and infect a machine on the company network with malware?. Create automation rules in Cortex XDR that will trigger for each alert. Create a script in Cortex XSOAR that will run a playbook based on the scenario. Create playbook triggers in Cortex XSIAM and run playbooks for each alert. Map the events as a type of Cortex XSOAR incident, then run a playbook.

During a sophisticated cyber attack, a company experiences a stealthy, multivector intrusion that evades detection by traditional security tools. The company requires a solution that will correlate and analyze the disparate attack indicators across its network, endpoints, and cloud environments to uncover the full scope of the breach and take immediate automated response actions. Which solution should be recommended?. XDR. SIEM. EDR. XSOAR.

What is a difference between cold storage and hot storage in Cortex?. Cold storage is required, while hot storage is optional. Cold storage and hot storage can be stored in different cloud locations. Logs in cold storage have more details than logs stored in hot storage. Querying logs in cold storage takes more time than querying logs in hot storage.

Where in Cortex XSOAR are analysts able to collaborate and converse with others for joint real-time investigations?. Investigations tab. War Room. Evidence Board. Work plan.

Which Cortex XDR component raises an alert when suspicious activity composed of multiple events is detected and deviates from established baseline behavior?. Analytics Engine. Causality Analysis Engine. XQL Query Engine. Cloud Identity Engine.

Which two types of content can be installed or upgraded through a Cortex XSIAM content pack? (Choose two.). Analytics alerts. Playbook triggers. Data Model rules. Behavioral Threat Protection (BTP). Analytics alerts ; Data Model rules.

What is required to enable ingestion of on-premises firewall logs into Cortex XDR?. Broker VM. API. PAN-OS content pack. Cloud Identity Engine.

Which component of Cortex XDR is designed to detect insider threats?. Forensics. Identity Analytics. Cloud Identity Engine. Host Insights.

A new incident in Cortex XSIAM contains WildFire malware and Behavioral Threat Protection (BTP) alerts about an unsigned process attempting to dump the memory of lsass.exe. Which initial verdict applies to this incident?. False positive. True positive. False negative. True negative.

A file hash is evaluated in Cortex XSOAR by using two unique threat feeds: a VirusTotal feed (rating of B - usually reliable) whose file verdict is malicious, and an AlienVault feed (rating of B - usually reliable) whose file verdict is benign. What is the file verdict in XSOAR?. Benign. Malicious. Unknown. Suspicious.

A customer is investigating a security incident in which unusual network traffic is observed and a malicious process is identified on an endpoint. Which Cortex XDR capability assists with correlating firewall network logs and endpoint data in this environment?. Log stitching. User authentication management. Indicator of compromise (IOC) rule. Analytics.

Where can an administrator begin to grant a new non-SSO user access to a Cortex XDR tenant?. Cortex XDR tenant settings under Access Management. Cortex Gateway. Customer Support Portal. IT Service Portal.

Where can the actions taken to stitch alerts together in Cortex XSIAM be viewed?. Alerts and Insights. Timeline. Causality chain. Key Assets & Artifacts.

What determines the indicator layout displayed and the scripts that will run on an indicator of compromise (IOC) in Cortex XSIAM?. Size. Type. Date. Origin.

Which action is performed as the final step of the NIST incident response plan?. Updating incident response procedures. Gathering evidence. Restoring from backups. Conducting incident response training exercises.

What is the purpose of incident types in Cortex XSOAR?. They categorize manual and automated incidents, trigger playbooks automatically, and require predefined fields and integrations. They assist in mapping manual incidents, assign default playbooks, and require inline auto-extraction of indicators. They classify events ingested through integrations or the REST API, can trigger specific playbooks, and include customizable layouts and service-level agreement (SLA) parameters. They manually create incidents, configure universal playbooks, and enforce strict adherence to preset service-level agreement (SLA) reminders.

Which activities are facilitated through the War Room in Cortex XSOAR?. Creating, editing, and deleting tasks in the workplan. Running security playbooks, scripts, and commands. Conducting initial investigation of incident data and threat intelligence. Viewing a summary of case details and alerts.

What are the primary functions of the Causality Analysis Engine in Cortex XDR?. To identify the root cause of alerts and provide a complete forensic timeline of events. To prioritize critical alerts and reduce the overall number of alerts generated. To perform regular system backups and restore operations in case of failure. To determine only the root cause of an attack and automatically remediate threats.

How do indicator verdicts in Cortex XSOAR assist analysts in threat detection and response efforts?. They categorize indicators based on their geographic origin, helping analysts focus on threats from specific countries. They classify indicators solely based on their frequency of occurrence in the network, allowing analysts to identify common patterns. They classify indicators as malicious, suspicious, benign, or unknown, enabling analysts to prioritize and respond to threats. They categorize indicators based on the threat actor’s tactics, techniques, and procedures.

What is the function of a Causality View?. To provide users access to collaborate and execute CLI commands in Cortex XDR and Cortex XSIAM. To present the alerts and process execution chain of all activity pertaining to the same event. To consolidate multiple security tools into a single interface to improve analyst productivity. To present alerts from multiple data sources as individual incidents in the console.

What is a primary responsibility of an incident responder in a SOC?. Mitigating incidents that have been escalated. Supervising vulnerability assessments and penetration tests. Determining or adjusting criticality of alerts. Developing incident recovery and crisis communication plans.

How do sensors function in Cortex XSIAM?. They monitor endpoint agent health. They monitor data ingestion health. They assist with log stitching. They collect logs and telemetry data.

In which scenario would an organization benefit from Cortex XDR compared to an EDR solution?. A business wants to integrate data from network traffic, cloud environments, and identity systems for a unified threat landscape. A corporation wants to monitor endpoint activities for advanced threats and gain visibility into endpoint behaviors. A customer relies on manual processes for incident detection and response with minimal use of automated tools and analytics. A company requires endpoint security that focuses on isolating and responding to threats at the endpoint level.

What does the analytics engine use to compare an entity to itself across different time periods using statistical methods?. Temporal profile. Peer group profile. Exploit profile. Entity classification.
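
The item above contrasts a temporal profile (an entity measured against its own past periods) with a peer group profile (the same entity measured against similar entities in the same period). The following Python is an added illustration written for this page, not Cortex's analytics engine or its actual statistics: it applies a plain z-score to constructed daily counts for a hypothetical service account and its peer group, and shows why a baseline that is too short must not raise an alert. The data, thresholds and minimum-history values are this example's assumptions.

```python
from statistics import mean, pstdev

# Constructed sample data (not from any Cortex tenant): the number of distinct
# hosts a service account authenticated to on each of the previous 14 days,
# and the same count for today.
ACCOUNT_HISTORY = [3, 4, 3, 5, 4, 3, 4, 4, 3, 5, 4, 3, 4, 4]
ACCOUNT_TODAY = 27

# Constructed sample data: today's count for six accounts in the same
# peer group (same department, same role) as the account above.
PEER_GROUP_TODAY = [4, 3, 5, 4, 6, 3]


def zscore(reference, current):
    """How many standard deviations `current` sits above the mean of `reference`.

    A flat reference (all values identical) has no spread; treat any change
    from that constant as an extreme deviation and no change as none.
    """
    mu = mean(reference)
    sigma = pstdev(reference)
    if sigma == 0:
        return 0.0 if current == mu else float("inf")
    return (current - mu) / sigma


def temporal_profile_deviates(history, current, threshold=3.0, min_history=7):
    """Temporal profile: compare the entity to its own past periods.

    Refuse to alert when the baseline is too short; a few days of history is
    not a baseline, and alerting on it produces noise rather than detections.
    """
    if len(history) < min_history:
        return False
    return zscore(history, current) >= threshold


def peer_group_profile_deviates(peer_values, current, threshold=3.0, min_peers=5):
    """Peer group profile: compare the entity to similar entities in the same period."""
    if len(peer_values) < min_peers:
        return False
    return zscore(peer_values, current) >= threshold


if __name__ == "__main__":
    print("temporal deviation:", temporal_profile_deviates(ACCOUNT_HISTORY, ACCOUNT_TODAY))
    print("peer group deviation:", peer_group_profile_deviates(PEER_GROUP_TODAY, ACCOUNT_TODAY))
```

Both profiles flag the account here, which is the strongest case: an entity that departs both from its own history and from its peers. The two can disagree, for example a new administrator whose first week looks abnormal against a non-existent personal history but ordinary against other administrators, which is why the minimum-history guard matters.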

Which action is the responsibility of the SOC manager?. Troubleshooting network cabling and physical installation. Performing initial triage and classification of incidents. Handling direct end-user support or help desk issues. Developing and implementing crisis communication plans.

What role does incident response play in handling cybersecurity incidents?. Scheduling regular software updates and maintenance to prevent potential cyber threats. Providing structured methods for investigating, containing, and eradicating cyber threats. Notifying external authorities and stakeholders immediately after a cyber threat is detected. Monitoring network traffic and creating comprehensive security policies.

What is the expected behavior when an endpoint is isolated in Cortex XSIAM?. It can continue to communicate with other endpoints. It can continue to receive regular upgrades in Cortex XSIAM. It will not have network access except for traffic to Cortex XSIAM. It will have access to only internal network resources.

Which two statements apply to creating scripts in Cortex XSOAR? (Choose two.). They can be protected using a password. They can be scheduled to run at a later time and day. They can be written using Java. They can be executed with higher permissions. They can be scheduled to run at a later time and day ; They can be executed with higher permissions.

Which two roles can access data model rules in Cortex XSIAM? (Choose two.). Account admin. Deployment admin. Instance administrator. IT administrator. Account admin ; Instance administrator.

Which two types of tasks are supported in Cortex XSIAM playbooks? (Choose two.). Sub-playbook. Script creation. Conditional. Data collection. Sub-playbook ; Conditional.

Which scripting language would create a custom widget in Cortex XDR that shows the top five accounts with failed Windows logons in the past 24 hours?. XQL. JavaScript. Python. PowerShell.

Which solution will minimize mean time to resolution (MTTR) when, as a result of previous malware infection, a company’s Windows endpoint is suffering a small amount of file corruption and modified registry keys?. Issue a new laptop from the help desk to expedite a clean system. Use Live Terminal to connect to the machine and upload files to replace the corrupted files. Use group policy objects to push new files and registry key changes to the endpoint. Use remediation suggestions to restore the affected files and registry modifications.

With a Windows endpoint, what is required to remove the Cortex XDR agent when the endpoint is no longer online and cannot be managed directly from the management console?. A Cortex XDR administrator must provide the end user with an offline removal tool created in the management console. When running the uninstaller, the administrator must enter an uninstall password from the management console. An administrator must use Cytool to disable security protection on the endpoint with an uninstall password. An administrator must disable the agent by opening the agent console from the system tray and entering a password.

Which sensor is used by Cortex XSIAM to identify and collect DNS queries, HTTP header, and DHCP information?. Windows Event Collector logs. Directory Sync logs. Pathfinder data collector. Enhanced application logs.

What are two outcomes of threat intelligence in a SOC? (Choose two.). Mitigation of potential risks to systems and data. Enablement of security operations teams to reduce workload through automation. Reduction of the number of alerts observed in an incident. Identification and detection of known threat verdicts to improve company security posture. Mitigation of potential risks to systems and data ; Identification and detection of known threat verdicts to improve company security posture.

Which MITRE enterprise tactic will provide more information on the technique used by a threat actor who has successfully used PsExec to upload files to an internal server from a compromised workstation?. Privilege escalation. Lateral movement. Execution. Persistence.

What is the main difference between artificial intelligence (AI) and machine learning (ML) in cybersecurity?. ML enables machines to learn from data, while AI enables machines to mimic human cognitive functions. AI and ML are interchangeable terms that refer to preprogrammed rules which can detect threats. ML is a broader discipline that includes AI, which focuses solely on natural language processing. AI is used for automating responses, while ML manages hardware and network infrastructure.

What is the WildFire verdict on a sample that does not pose a direct security threat, but is shown to display obtrusive behavior?. Grayware. Unknown. Benign. Malware.

What is the Cortex XSOAR Marketplace?. Searchable collection of third-party playbooks and data models. Development environment for creating and sharing third-party integrations. Digital storefront where Cortex XSOAR training credits can be purchased and used. Built-in repository of installable content, including integrations and automations.

Which two functions are allowed when stitching logs in Cortex XDR? (Choose two.). Providing real-time threat prevention or remediation of threats. Creating granular BIOC and correlation rules. Enabling creation of custom scripts for remediation of security incidents. Running investigation queries based on combined network and endpoint events. Creating granular BIOC and correlation rules ; Running investigation queries based on combined network and endpoint events.

Which two statements are relevant to reports in Cortex XDR? (Choose two.). They can be sent in a password protected PDF version. They can be automatically pushed to the corporate intranet. They can use mock data for visualization. They can have an attached screenshot of an XQL query widget. They can be sent in a password protected PDF version ; They can have an attached screenshot of an XQL query widget.

What is enabled by Role Based Access Control (RBAC) in Cortex XDR?. Management of permissions and assignment of administrator access rights. User ability to manage Cortex XDR features based on job function. Automated response to detected threats based on user roles. Granular control and visibility over network traffic policies based on user roles.

What are two ways a security team assigns priority to security incidents in Cortex XDR? (Choose two.). By most recently generated. By most incident artifacts. By highest severity. By highest SmartScore. By highest severity ; By highest SmartScore.

A custom PowerShell command is detected by Cortex XDR as a behavioral threat, and the administrator has confirmed it as a false positive. What is the most operationally efficient way to allow this command to run and not be detected by Cortex XDR?. Create an alert exclusion based on CGO hash, signer, and process path. Create an alert exception based on CGO process path and command arguments. Right click on the alert and create an alert exclusion rule. Add the SHA256 hash to the allow list.

An analyst investigating an incident using Cortex XSIAM confirms that the files involved are not malware, but wants to determine if the incident is a genuine threat or a false positive. Which action will provide the analyst information for making the determination?. Checking the endpoint details of the machines involved. Viewing the timeline and filtering for alerts. Viewing the informational alerts for the incident. Checking the incident War Room for history and command tasks.

What is involved in the day-to-day role of a triage specialist?. Deploying and configuring security technologies. Managing and configuring the monitoring tools. Conducting vulnerability assessment and penetration testing. Managing procurement of IT hardware and software.

Which two steps belong in the Cortex XSOAR incident lifecycle? (Choose two.). Planning. Incident creation. Incident notification. Preparation. Incident creation ; Incident notification.

What can be used to triage and determine if an artifact in Cortex XDR is malicious?. MITRE tactic. SmartScore. Alert severity. WildFire report.

What is a benefit of using Unit 42 threat intelligence during a ransomware attack?. It creates compliance reports to confirm that the company meets regulatory requirements following the ransomware attack. It provides detailed research on the ransomware, including its behavior and attack methods, to enhance the response strategy. It manually configures security agents across all company endpoints to ensure the ransomware has been effectively contained. It offers real-time network traffic analysis to detect and block ransomware spread in the company network.

Which function eliminates the need for manual analysis in an organization with multiple data sensors?. Log stitching. Log correlation. Log forwarding. Event log query.
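
Several items above concern log stitching: correlating firewall network logs with endpoint process data, running investigation queries over the combined network and endpoint events, and removing the manual cross-referencing otherwise needed across multiple sensors. The following Python is an added example written for this page, not Cortex XDR's own code, schema or field names: it joins constructed firewall traffic logs to constructed agent connection events on the connection 4-tuple within a time window, then answers an investigation question over the stitched result. The record layouts, sample addresses and the 30-second window are this example's assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FirewallLog:
    """One firewall traffic log (field names are this example's own, not PAN-OS's)."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app: str


@dataclass(frozen=True)
class EndpointConnection:
    """One agent-recorded outbound connection, attributed to the process that opened it."""
    ts: datetime
    host: str
    process: str
    pid: int
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int


def t(s):
    return datetime.fromisoformat(s)


# Constructed sample firewall logs. The source address must be the endpoint's
# own (pre-NAT) address for the join below to work; if the firewall logs the
# post-NAT address, join on its pre-NAT source field instead.
FIREWALL_LOGS = [
    FirewallLog(t("2024-05-01T10:00:05"), "10.0.0.5", 51000, "203.0.113.10", 443, "ssl"),
    FirewallLog(t("2024-05-01T10:00:07"), "10.0.0.5", 51002, "198.51.100.7", 4444, "unknown-tcp"),
    FirewallLog(t("2024-05-01T10:01:00"), "10.0.0.8", 49500, "203.0.113.10", 443, "ssl"),
]

# Constructed sample endpoint connection events from two workstations.
ENDPOINT_CONNECTIONS = [
    EndpointConnection(t("2024-05-01T10:00:04"), "WS-01", "chrome.exe", 4120,
                       "10.0.0.5", 51000, "203.0.113.10", 443),
    EndpointConnection(t("2024-05-01T10:00:06"), "WS-01", "powershell.exe", 7788,
                       "10.0.0.5", 51002, "198.51.100.7", 4444),
    # Same 4-tuple as the third firewall log but four minutes later: the
    # ephemeral port was reused, so this must not be stitched to that log.
    EndpointConnection(t("2024-05-01T10:05:00"), "WS-02", "outlook.exe", 900,
                       "10.0.0.8", 49500, "203.0.113.10", 443),
]


def stitch(firewall_logs, endpoint_connections, window=timedelta(seconds=30)):
    """Pair each firewall log with the endpoint connection that produced it.

    The join key is the 4-tuple (src ip, src port, dst ip, dst port); the time
    window guards against ephemeral source ports being reused. Returns a list
    of (firewall_log, endpoint_connection_or_None).
    """
    by_tuple = {}
    for conn in endpoint_connections:
        key = (conn.local_ip, conn.local_port, conn.remote_ip, conn.remote_port)
        by_tuple.setdefault(key, []).append(conn)

    stitched = []
    for log in firewall_logs:
        key = (log.src_ip, log.src_port, log.dst_ip, log.dst_port)
        in_window = [c for c in by_tuple.get(key, []) if abs(c.ts - log.ts) <= window]
        best = min(in_window, key=lambda c: abs(c.ts - log.ts), default=None)
        stitched.append((log, best))
    return stitched


def processes_talking_to(stitched, dst_ip):
    """Investigation query over stitched data: which host, process and PID reached dst_ip?"""
    return sorted({(c.host, c.process, c.pid) for log, c in stitched
                   if c is not None and log.dst_ip == dst_ip})


def unstitched_logs(stitched):
    """Firewall logs with no endpoint attribution: unmanaged hosts, NAT, or agent gaps."""
    return [log for log, c in stitched if c is None]


if __name__ == "__main__":
    result = stitch(FIREWALL_LOGS, ENDPOINT_CONNECTIONS)
    print(processes_talking_to(result, "198.51.100.7"))
    print([log.src_ip for log in unstitched_logs(result)])
```

The stitched view turns a bare firewall log of "10.0.0.5 to 198.51.100.7:4444, unknown-tcp" into "powershell.exe (PID 7788) on WS-01 opened that connection", which is the question an analyst would otherwise answer by hand across two consoles. The unstitched list is worth reviewing too: a firewall log that no agent can explain points at an unmanaged host or a coverage gap.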

How can an administrator run a Cortex XSOAR playbook regularly at a specific time and day of the week?. By configuring the playbook to run on a specific date and time. By creating a job that will run the playbook. By creating a scheduled report that will run the playbook. By creating a script that will run the playbook.

Which predefined role in the Cortex XDR tenant can view and triage incidents?. Investigator. Responder. Viewer. IT administrator.

A security auditor must ensure adherence to which two regulatory compliance frameworks when reviewing a financial institution’s data protection policies? (Choose two.). GDPR. NERC CIP. PCI DSS. FERPA. GDPR ; PCI DSS.

How is WildFire typically used by Cortex XDR?. To serve as a cloud-based sandboxing and a malware analysis engine. To build custom correlation rules using XQL. To be an extension of the Unit 42 incident response team. To display the compared artifacts with known bad SHA256 hashes.

Which attribute is an advantage of SOAR over SIEM?. It sends the alerts to notify security analysis. It collects data and alerts using a centralized platform. It adds automation in response to an alert. It creates correlation rules to detect custom behavior.

Which SOC tool allows an organization to aggregate logs from various sources for compliance, reporting, dashboarding, and threat hunting?. Endpoint detection and response (EDR). Attack surface management (ASM). Security orchestration, automation, and response (SOAR). Security Information and Event Management (SIEM).

Which task should a threat hunter include in the investigation when a Cortex XDR incident contains alerts about a malicious process?. Immediately isolate the endpoint and delete the identified file. Search for the SHA256 file hash on other endpoints in the environment. Add the SHA256 file hash to the Cortex XDR global block list. Disable the account of the user responsible for initiating the process.
