Title of test:
Cortex-01 24

Description:
Cortex 24

Creation Date: 2025/07/02

Category: Computers

Number of questions: 82

Content:

Which feature in Cortex XSIAM extends analytics detections to all mapped network and authentication data?. Threat feed integration. Automation playbooks. Parsing rules. Data models.

What are process exceptions used for?. whitelist program from WildFire analysis. permit processes to load specific DLLs. change the WildFire verdict for given executables. disable an EPM for a particular process.

What is a benefit offered by Cortex XSOAR?. It provides advanced customization capabilities. It provides real-time protection across hosts and containers. It enables consolidation of multiple point products into a single integrated service.

What allows the use of predetermined Palo Alto Networks roles to assign access rights to Cortex XDR users?. role-based access control. cloud identity engine. endpoint groups. restrictions security profile.

The certificate used for decryption was installed as a trusted root CA certificate to ensure communication between the Cortex XDR Agent and Cortex XDR Management Console. What action needs to be taken if the administrator determines the Cortex XDR Agents are not communicating with the Cortex XDR Management Console?. add paloaltonetworks.com to the SSL Decryption Exclusion list. enable SSL decryption. disable SSL decryption. reinstall the root CA certificate.

How can Cortex XSOAR save time when a phishing incident occurs?. It can automatically email staff to warn them about the phishing attack and show them a copy of the email. It can automatically respond to the phishing email to unsubscribe from future emails. It can automatically purge the email from user mailboxes in which it has not yet been opened. It can automatically identify every mailbox that received the phish and create corresponding cases for them.

Which two areas of Cortex XDR are used for threat hunting activities? (Choose two.). indicators of compromise (IOC) rules. query builder. live terminal. host insights module.

Which two actions are required to add indicators to the whitelist? (Choose two.). Click "New Whitelisted Indicator" in the Whitelist page. Upload an external file named "whitelist" to the Whitelist page. Upload an external file named "whitelist" to the Indicators page. Select the indicators and click "Delete and Whitelist" in the Indicators page.

Which feature of Cortex Xpanse allows it to identify previously unknown assets?. Scheduled network scanning. Continuous internet scanning. Active directory enumeration.

In an Air-Gapped environment where the Docker package was manually installed after the Cortex XSOAR installation, which action allows Cortex XSOAR to access Docker?. create a "docker" group and add the "Cortex XSOAR" or "demisto" user to this group. create a "Cortex XSOAR" or "demisto" group and add the "docker" user to this group. disable the Cortex XSOAR service. enable the docker service.

What is a key difference between audit users and full users in Cortex XSOAR?. Audit users can only view incidents, while full users can edit system components. Full users can only view dashboards, while audit users can investigate incidents. Audit users have read-only permission, while full users have read-write permission. Audit users can run scripts and playbooks, while full users can only view reports.

In addition to incident volume, which four critical factors must be evaluated to determine effectiveness and ROI on cybersecurity planning and technology?. Analyst, training costs, duplicate, false positive. People, staffing costs, duplicate, false positives. People, security controls, mean time to detect, false positives. Standard operating procedures, staffing costs, duplicates, mean time to respond.

Which attack method is a result of techniques designed to gain access through vulnerabilities in the code of an operating system (OS) or application?. exploit. malware. phishing. ransomware.

Which two troubleshooting steps should be taken when an integration is failing to connect? (Choose two.). Ensure the playbook is set to run in quiet mode to minimize CPU usage and suppress errors. Confirm the integration credentials or API keys are valid. Check the integration logs and enable a higher logging level, if needed, to view the specific error. Confirm there are no dashboards or reports configured to use the integration instance.

On a multi-tenanted v6.2 Cortex XSOAR server, which path leads to the server.log for "Tenant1"?. /var/log/demisto/acc_Tenant1/server.log. /var/log/demisto/Tenant1/server.log. /var/lib/demisto/acc_Tenant1/server.log. /var/lib/demisto/server.log.

Which deployment type supports installation of an engine on Windows, Mac OS, and Linux?. RPM. SH. DEB. ZIP.

Which technology allows a customer to integrate Cortex Xpanse with third-party applications or services, assets, and IP ranges while leveraging investigation capabilities?. POSTMAN. Webhook. REST API. KPI.

Which source provides data for Cortex XDR?. VMware NSX. Amazon Alexa rank indicator. Cisco ACI. Linux endpoints.

Cortex XDR external data ingestion processes ingest data from which sources?. windows event logs only. syslogs only. windows event logs, syslogs, and custom external sources. windows event logs and syslogs only.

Which product enables the discovery, exchange, and contribution of security automation playbooks, built into Cortex XSOAR?. XSOAR Threat Intelligence Platform (TIP). XSOAR Automated System. XSOAR Ticketing System. XSOAR Marketplace.

An antivirus refresh project was initiated by the IT operations executive. Who is the best source for discussion about the project's operational considerations?. endpoint manager. SOC manager. SOC analyst. desktop engineer.

For which two purposes can Cortex XSOAR engines be deployed? (Choose two.). To execute recurring playbooks based on specific time schedules or changes to a feed. To add processing resources for a heavily-used integration via load-balancing groups. To integrate with tools in a network location that the Cortex XSOAR server cannot reach directly. To connect Cortex XSOAR to all required Palo Alto Networks resources such as the Cortex Gateway.

How does a clear understanding of a customer's technical expertise assist in a handoff following the close of an opportunity?. It enables customers to prepare for audits so they can demonstrate compliance. It helps in assigning additional technical tasks to the customer. It allows implementation teams to bypass initial scoping exercises. It enables post-sales teams to tailor their support and training appropriately.

Which command is used to add Cortex XSOAR "User1" to an investigation from the War Room command-line interface (CLI)?. /invite User1. #User1. @User1. !invite User1.

A Cortex XSOAR customer wants to ingest emails from a single mailbox. The mailbox brings in reported phishing emails and email requests from human resources (HR) to onboard new users. The customer wants to run two separate workflows from this mailbox, one for phishing and one for onboarding. What will allow Cortex XSOAR to accomplish this in the most efficient way?. Create two instances of the email integration and classify one instance as ingesting incidents of type phishing and the other as ingesting incidents of type onboarding. Use an incident classifier based on a field in each type of email to classify those containing "Phish Alert" in the subject as phishing and those containing "Onboard Request" as onboarding. Create a playbook to process and determine incident type based on content of the email. Use machine learning (ML) to determine incident type.

If you have a playbook task that errors out, where could you see the output of the task?. /var/log/messages. War Room of the incident. Demisto Audit log. Playbook Editor.

How does Cortex XSOAR automation save time when a phishing incident occurs?. By developing an integration. By responding to management with risk scores. By purging unopened phishing email from user mailboxes. By emailing staff to inform them of the phishing attack in advance.

What are two capabilities of a War Room? (Choose two.). create widgets for an investigation. create playbooks for orchestration. act as an audit trail for an investigation. run ad-hoc automation commands.

Cortex XDR can schedule recurring scans of endpoints for malware. Identify two methods for initiating an on-demand malware scan. (Choose two.). Response > Action Center. the local console. Telnet. Endpoint > Endpoint Management.

What is used to display only file entries in a War Room?. files from War Room CLI WW. incident files section in layout builder. files and attachments filters. /files from War Room CLI.

Why is it important to document notes from the Proof of Value (POV) for post-sales handoff?. To generate additional training material for the POV's production implementation. To certify that the POV was completed and meets all customer requirements. To allow implementation teams to bypass scoping exercises and shorten delivery time. To ensure the implementation teams understand the customer use cases and priorities.

Which task allows the playbook to follow different paths based on specific conditions?. Conditional. Automation. Manual. Parallel.

An Administrator is alerted to a Suspicious Process Creation security event from multiple users. The users believe that these events are false positives. Which two steps should the administrator take to confirm the false positives and create an exception? (Choose two.). Within the Malware Security profile, disable the "Prevent Malicious Child Process Execution" module. Within the Malware Security profile, add the specific parent process, child process, and command line argument to the child process whitelist. In the Cortex XDR security event, review the specific parent process, child process, and command line arguments. Contact support and ask for a security exception.

How can the required log ingestion license be determined when sizing a Cortex XSIAM deployment?. Use the Cortex Data Lake Calculator to estimate the volume of third-party logs. Count the number of correlation sources and multiply by desired retention days. Ask the customer for average log ingestion estimates from their existing SIEM. Ask the customer to provide average daily alert volume.

Which solution profiles network behavior metadata, not payloads and files, allowing effective operation regardless of encrypted or unencrypted communication protocols, like HTTPS?. Endpoint protection platform (EPP). Security Information and Event Management (SIEM). Endpoint detection and response (EDR). Network Detection and Response (NDR).

Given the integration configuration and error in the screenshot what is the cause of the problem?. incorrect instance name. incorrect Username and Password. incorrect appliance port. incorrect server URL.

Which task setting allows context output to a specific key?. extend context. stop on errors. task output. tags.

Which statement applies to the malware protection flow of the endpoint agent in Cortex XSIAM?. A file from an allowed signer is exempt from local analysis. Local analysis always happens before a WildFire verdict check. Hash comparisons come after local static analysis. The block list is verified in the final step.

A Cortex Xpanse customer receives an email regarding an upcoming product update and wants to get more information on the new features. In which resource can the customer access this information?. Administrator Guide. Release Notes. Compatibility Matrix. LIVEcommunity.

Which Cortex XDR capability allows for the immediate termination of a process discovered during investigation of a security event?. file explorer. Log stitching. live sensor. live terminal.

What is the result of creating an exception from an exploit security event?. Administrators are exempt from generating alerts for 24 hours. Process from WildFire analysis is whitelisted. Triggered exploit protection module (EPM) for the host and process involved is disabled. User is exempt from generating events for 24 hours.

In the DBotScore context field, which context key would differentiate between multiple entries for the same indicator in a multi-TIP environment?. Vendor. Type. Using. Brand.

An EDR project was initiated by a CISO. Which resource will likely have the heaviest influence on the project?. desktop engineer. SOC manager. SOC analyst. IT operations manager.

A prospect has agreed to do a 30-day POC and asks to integrate with a product that Demisto currently does not have an integration with. How should you respond?. Extend the POC window to allow the solution architects to build it. Tell them we can build it with Professional Services. Tell them custom integrations are not created as part of the POC. Agree to build the integration as part of the POC.

A Cortex XSIAM customer is unable to access their Cortex XSIAM tenant. Which resource can the customer use to validate the uptime of Cortex XSIAM?. A. Administrator Guide. B. LIVEcommunity. C. Release Notes. D. Palo Alto Networks Status Page.

Which two methods does the Cortex XDR agent use to identify malware during a scheduled scan? (Choose two.). WildFire hash comparison. heuristic analysis. signature comparison. dynamic analysis.

A customer has purchased Cortex Data Lake storage with the following configuration, which requires 2 TB of Cortex Data Lake to order: support for 300 total Cortex XDR clients, all forwarding Cortex XDR data with 30-day retention, and storage for higher fidelity logs to support Cortex XDR advanced analytics. The customer now needs 1000 total Cortex XDR clients, but continues with 300 clients forwarding Cortex XDR data with 30-day retention. What is the new total storage requirement for Cortex Data Lake storage to order?. 16 TB. 4 TB. 8 TB. 2 TB.

Which step is required to prepare the VDI Golden Image?. Review any PE files that WildFire determined to be malicious. Ensure the latest content updates are installed. Run the VDI conversion tool. Set the memory dumps to manual setting.

In addition to migration and go-live, what are two best-practice steps for migrating from SIEM to Cortex XSIAM? (Choose two.). Execution. Certification. Conclusion. Testing.

Which playbook feature allows concurrent execution of tasks?. parallel task. automation task. manual task. conditional task.

A customer wants the main Cortex XSOAR server installed in one site and wants to integrate with three other technologies in a second site. What communications are required between the two sites if the customer wants to install a Cortex XSOAR engine in the second site?. The Cortex XSOAR server at the first site must be able to initiate a connection to the Cortex XSOAR engine at the second site. All connectivity is initiated from the Cortex XSOAR server on the first site via a managed cloud proxy. Dedicated site-to-site virtual private network (VPN) is required for the Cortex XSOAR server at the first site to initiate connection to the Cortex XSOAR engine at the second site. The Cortex XSOAR engine at the first site must be able to initiate a connection to the Cortex XSOAR.

A customer has purchased Cortex XDR and requires 24/7 monitoring of the platform. However, the customer only has staff available during business hours. Which Palo Alto Networks offering would best meet this requirement?. Security Orchestration, Automation and Response. Security Information and Event Management. Managed Detection and Response. Network Detection and Response.

Approximately how many Cortex XSOAR marketplace integrations exist?. Between 1-400. Between 400-700. Between 700-2000. Over 700-2000.

Which consideration should be taken into account before deploying Cortex XSOAR?. Which cybersecurity framework to implement for Secure Operations Center (SOC) operations. Whether communication with internal or external applications is required. How to configure network firewalls for optimal performance. Which endpoint protection software to integrate with Cortex XSOAR.

Which Cortex XSIAM license is required if an organization needs to protect a cloud Kubernetes host?. Attack Surface Management. Cortex XSIAM Enterprise. Identity Threat Detection and Response. Cortex XSIAM Enterprise Plus.

Which Cortex capability extends investigation to an endpoint?. Log Stitching. Causality Chain. Sensors. Live Terminal.

Which two types of indicators of compromise (IOCs) are available for creation in Cortex XDR? (Choose two.). registry. file path. hash. hostname.

What does the Cortex XSOAR "Saved by Dbot" widget calculate?. amount saved in Dollars according to actions carried out by all users in Cortex XSOAR across all incidents. amount saved in Dollars by using Cortex XSOAR instead of other products. amount of time saved by each playbook task within an incident. amount of time saved by Dbot's machine learning (ML) capabilities.

When a Demisto Engine is part of a Load-Balancing group, which statement applies?. It must be in a Load-Balancing group with at least 3 other members. It must have port 443 open to allow the Demisto Server to establish a connection. It can be used separately as an engine, only if connected to the Demisto Server directly. It cannot be used separately and does not appear in the engines drop-down menu when configuring an integration instance.

Which two types of IOCs are available for creation in Cortex XDR? (Choose two.). IP. endpoint hostname. domain. registry entry.

Which two log types should be configured for firewall forwarding to the Cortex Data Lake for use by Cortex XDR? (Choose two). Security Event. HIP. Correlation. Analytics.

Which command-line interface (CLI) query would retrieve the last three Splunk events?. !search using=splunk_instance_1 query="* | last 3". !search using=splunk_instance_1 query="* | 3". !query using=splunk_instance_1 query="* | last 3". !search using=splunk_instance_1 query="* | head 3".

Which aspect of Cortex Xpanse allows for visibility over remote workforce risks?. The ability to identify customer assets on residential networks. The use of a VPN connection to scan remote devices. The deployment of a Cortex Xpanse agent on the remote endpoint. The presence of a portal for remote workers to use for posture checking.

It provides a statistical model for combining scores from multiple vendors. It resolves conflicting scores from different vendors with the same indicator. It allows for comparison between open-source intelligence and paid services. It helps identify threat feed vendors with invalid content.

Which service helps uncover attackers wherever they hide by combining world-class threat hunters with Cortex XDR technology that runs on integrated endpoint, network, and cloud data sources?. A. Cloud Identity Engine. B. Managed Threat Hunting. C. virtual desktop infrastructure (VDI). D. Threat Intelligence Platform (TIP).

If an anomalous process is discovered while investigating the cause of a security event, you can take immediate action to terminate the process or the whole process tree, and block processes from running by initiating which Cortex XDR capability?. A. Live Sensors. B. File Explorer. C. Log Stitching. D. Live Terminal.

What is the primary mechanism for the attribution of attack surface data in Cortex Xpanse?. A. Active scanning with network-installed agents. B. Dark web monitoring. C. Customer-provided asset inventory lists. D. Scanning from public internet data sources.

Which action should be performed by every Cortex Xpanse proof of value (POV)?. A. Grant the customer access to the management console immediately following activation. B. Provide the customer with an export of all findings at the conclusion of the POV. C. Enable all of the attack surface rules to show the highest number of alerts. D. Review the mapping in advance to identify a few interesting findings to share with the customer.

What is the difference between the intel feed license quotas of Cortex XSOAR Starter Edition and Cortex XSOAR (SOAR + TIM)?. A. Cortex XSOAR Starter Edition has unlimited access to the Threat Intel Library. B. In Cortex XSOAR (SOAR + TIM), Unit 42 Intelligence is not included. C. In Cortex XSOAR (SOAR + TIM), intelligence detail view and relationships data are not included. D. Cortex XSOAR Starter Edition includes up to 5 active feeds and 100 indicators/fetch.

A customer is hesitant to directly connect their network to the Cortex platform due to compliance restrictions. Which deployment method should the customer use to ensure connectivity between their network and the Cortex platform?. Elasticsearch. Broker VM. Syslog collector. Windows Event Collector.

Which two entities can be created as a BIOC? (Choose two.). file. registry. event log. alert log.

How do sub-playbooks affect the Incident Context Data?. When set to private, task outputs do not automatically get written to the root context. When set to private, task outputs automatically get written to the root context. When set to global, allows parallel task execution. When set to global, sub-playbook tasks do not have access to the root context.

How many use cases should a POC success criteria document include?. only 1. 3 or more. no more than 5. no more than 2.

An adversary is attempting to communicate with malware running on your network for the purpose of controlling malware activities or for exfiltrating data from your network. Which Cortex XDR Analytics alert is this activity most likely to trigger?. Uncommon Local Scheduled Task Creation. Malware. New Administrative Behavior. DNS Tunneling.

Which element displays an entire picture of an attack, including the root cause or delivery point?. A. Cortex XSOAR Work Plan. B. Cortex SOC Orchestrator. C. Cortex Data Lake. D. Cortex XDR Causality View.

What are two manual actions allowed on War Room entries? (Choose two.). Mark as artifact. Mark as schedule entry. Mark as note. Mark as evidence.

What is the difference between an exception and an exclusion?. An exception is based on rules and exclusions are on alerts. An exclusion is based on rules and exceptions are based on alerts. An exception does not exist. An exclusion does not exist.

Given the exception thrown in the accompanying image by the Demisto REST API integration, which action would most likely solve the problem?. Generic Polling Automation Playbook. Playbook Tasks. Sub-Playbooks. Playbook Functions.

What does Cortex Xpanse ingest from XDR endpoints?. MAC addresses. User-agent data. Public IP addresses. Hostname.

Which four types of Traps logs are stored within Cortex Data Lake?. Threat, Config, System, Data. Threat, Config, System, Analytic. Threat, Monitor, System, Analytic. Threat, Config, Authentication, Analytic.

Which statement applies to the differentiation of Cortex XDR from security information and event management (SIEM)?. SIEM has access to raw logs from agents, where Cortex XDR traditionally only gets alerts. Cortex XDR allows just logging into the console and out of the box the events were blocked as a proactive approach. Cortex XDR requires a large and diverse team of analysts and up to several weeks for simple actions like creating an alert. SIEM has been entirely designed and built as cloud-native, with the ability to stitch together cloud logs, on-premises logs, third-party logs, and endpoint logs.

What method does the Traps agent use to identify malware during a scheduled scan?. Heuristic analysis. Local analysis. Signature comparison. WildFire hash comparison and dynamic analysis.
