Cortex-02 24
Title of test: Cortex-02 24
Description: Cortex 24
1. What is the result of creating an exception from an exploit security event?
   - White lists the process from WildFire analysis.
   - Exempts the user from generating events for 24 hours.
   - Signature comparison.
   - WildFire hash comparison and dynamic analysis.

2. Cortex XSOAR has extracted a malicious Internet Protocol (IP) address involved in command-and-control (C2) traffic. What is the best method to block this IP from communicating with endpoints without requiring a configuration change on the firewall?
   - Have XSOAR automatically add the IP address to a threat intelligence management (TIM) malicious IP list to elevate priority of future alerts.
   - Have XSOAR automatically add the IP address to a deny rule in the firewall.
   - Have XSOAR automatically add the IP address to an external dynamic list (EDL) used by the firewall.
   - Have XSOAR automatically create a NetOps ticket requesting a configuration change to the firewall to block the IP.

3. How does DBot score an indicator that has multiple reputation scores?
   - Uses the most severe score.
   - Scores the reputation as undefined.
   - Uses the average score.
   - Uses the least severe score.

4. How can you view all the relevant incidents for an indicator?
   - Linked Incident column in Indicator Screen.
   - Linked Indicators column in Incident Screen.
   - Related Indicators column in Incident Screen.
   - Related Incident column in Indicator Screen.

5. A test for a Microsoft exploit has been planned. After some research, Internet Explorer 11 CVE-2016-0189 has been selected and a module in Metasploit has been identified (exploit/windows/browser/ms16_051_vbscript). The description and current configuration of the exploit are as follows. What is the remaining configuration?
   - set PAYLOAD windows/x64/meterpreter/reverse_tcp set SSLCert survey set LHOST 10.0.0.10 set LPORT
   - set PAYLOAD windows/x64/meterpreter/bind_tcp set SRVHOST 10.0.0.10 set SRVHOST 443 set URIPATH survey
   - set PAYLOAD windows/x64/meterpreter/reverse_tcp set SRVHOST 10.0.0.10 set SRVHOST 443 set URIPATH survey
   - set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST 10.0.0.10 set LPORT 443 set URIPATH survey

6. Which two statements apply to widgets? (Choose two.)
   - All widgets are customizable.
   - Dashboards cannot be shared across an organization.
   - A widget can have its own time range that is different from the rest of the dashboard.
   - Some widgets cannot be changed.

7. What is the primary purpose of Cortex XSIAM's machine learning-led design?
   - To group alerts into incidents for manual analysis.
   - To facilitate alert and log management without automation.
   - To effectively handle the bulk of incidents through automation.
   - To rely heavily on human-driven detection and remediation.

8. Which statement best describes the benefits of the combination of Prisma Cloud, Cortex Xpanse, and partner services?
   - It achieves comprehensive multi-cloud visibility and security.
   - It optimizes network performance in multi-cloud environments.
   - It enhances on-premises security measures.
   - It streamlines the cloud migration processes.

9. What should be configured for a Cortex XSIAM customer who wants to automate the response to certain alerts?
   - Playbook triggers.
   - Correlation rules.
   - Incident scoring.
   - Data model rules.

10. The images show two versions of the same automation script and the results they produce when executed in Demisto. What are two possible causes of the exception thrown in the second image? (Choose two.)
   - The modified script was run in the wrong Docker image.
   - The modified script required a different parameter to run successfully.
   - The dictionary was defined incorrectly in the second script.
   - The modified script attempted to access a dictionary key that did not exist in the dictionary named "data".

11. Which description applies to the features of the Cortex platform as a holistic ecosystem?
   - It is solely focused on reactive security measures, neglecting proactive approaches.
   - It offers an end-to-end security solution, covering every step of security processes.
   - It primarily focuses on endpoint prevention without addressing other security aspects.
   - It provides a partial security solution, leaving some steps of the security process uncovered.

12. A customer wants to modify the retention periods of their logs in Cortex Data Lake. Where would the user configure the ratio of storage per log type?
   - Within the TMS, create an agent settings profile and modify the Disk Quota value.
   - It is not possible to configure quota for specific log types.
   - Go to the Cortex Data Lake App in Cloud Services, then choose Configuration and modify the Threat Quota.
   - Write a GPO for each endpoint agent to check in less often.

13. When preparing for a Cortex XSOAR proof of value (POV), which task should be performed before the evaluation is requested?
   - Ensuring that the customer has single sign-on (SSO) configured in their environment.
   - Building out an executive-level proposal detailing the product capabilities.
   - Planning for every different use case the customer has for the solution.
   - Gathering a list of the different integrations that will need to be configured.

14. Which Cortex XDR Agent capability prevents loading malicious files from USB-connected removable equipment?
   - Agent Configuration.
   - Device Control.
   - Device Customization.
   - Agent Management.

15. Which option is required to prepare the VDI Golden Image?
   - Configure the Golden Image as a persistent VDI.
   - Use the Cortex XDR VDI tool to obtain verdicts for all PE files.
   - Install the Cortex XDR Agent on the local machine.
   - Run the Cortex VDI conversion tool.

16. A customer has purchased Cortex XSOAR and has a need to rapidly stand up the product in their environment. The customer has stated that their internal staff are currently occupied with other projects. Which Palo Alto Networks service offering should be recommended to the customer?
   - Deployment.
   - Onboarding.
   - Fast-Track.
   - QuickStart.

17. Which playbook functionality allows grouping of tasks to create functional building blocks?
   - Playbook features.
   - Sub-playbooks.
   - Conditional tasks.
   - Manual tasks.

18. When initiated, which Cortex XDR capability allows immediate termination of the process, or the entire process tree, on an anomalous process discovered during investigation of a security event?
   - Live sensors.
   - Live terminal.
   - Log forwarding.
   - Log stitching.

19. How does an "inline" auto-extract task affect playbook execution?
   - Doesn't wait until the indicators are enriched and continues executing the next step.
   - Doesn't wait until the indicators are enriched but populates context data before executing the next step.
   - Waits until the indicators are enriched but doesn't populate context data before executing the next step.
   - Waits until the indicators are enriched and populates context data before executing the next step.

20. The certificate used for decryption was installed as a trusted root CA certificate to ensure communication between the Cortex XDR Agent and Cortex XDR Management Console. What action needs to be taken if the administrator determines the Cortex XDR Agents are not communicating with the Cortex XDR Management Console?
   - Add paloaltonetworks.com to the SSL Decryption Exclusion list.
   - Enable SSL decryption.
   - Disable SSL decryption.
   - Reinstall the root CA certificate.

21. The prospect is deciding whether to go with a phishing or a ServiceNow use case as part of their POC. We have integrations for both but a playbook for phishing only. Which use case should be used for the POC?
   - Phishing.
   - Either.
   - ServiceNow.
   - Neither.

22. Which process in the causality chain does the Cortex XDR agent identify as triggering an event sequence?
   - The relevant shell.
   - The causality group owner.
   - The adversary's remote process.
   - The chain's alert initiator.

23. An administrator of a Cortex XDR protected production environment would like to test its ability to protect users from a known Flash Player exploit. What is the safest way to do it?
   - The administrator should attach a copy of the weaponized flash file to an email, send the email to a selected group of employees, and monitor the Events tab on the Cortex XDR console.
   - The administrator should use the Cortex XDR tray icon to confirm his corporate laptop is fully protected, then open the weaponized flash file on his machine, and monitor the Events tab on the Cortex XDR console.
   - The administrator should create a non-production Cortex XDR test environment that accurately represents the production environment, introduce the weaponized flash file, and monitor the Events tab on the Cortex XDR console.
   - The administrator should place a copy of the weaponized flash file on several USB drives, leave them around the office, and monitor the Events tab on the Cortex XDR console.

24. "Bob" is a Demisto user. Which command is used to add "Bob" to an investigation from the War Room CLI?
   - #Bob
   - /invite Bob
   - @Bob
   - !invite Bob

25. Rearrange the steps into the correct order for modifying an incident layout.
   - Edit the layout.
   - Select the Edit Layout option.
   - Navigate to Settings > Advanced > Incident Types.
   - Select the incident type you want to customize the layout view for.
   - Navigate to Settings > Layout Builder.

26. Which resource can a customer use to ensure that the Cortex XDR agent will operate correctly on their CentOS 01 servers?
   - Administrator Guide.
   - Compatibility Matrix.
   - Release Notes.
   - LIVE community.

27. In Cortex XDR Prevent, which three matching criteria can be used to dynamically group endpoints? (Choose three.)
   - Alert root cause.
   - Hostname.
   - Domain/workgroup membership.
   - OS.
   - Presence of Flash executable.

28. Which two filter operators are available in Cortex XDR? (Choose two.)
   - not Contains
   - !*
   - =>
   - <>

29. Which three Demisto incident features can be customized under Settings > Advanced > Incident Types? (Choose three.)
   - Define whether a playbook runs automatically when an incident type is encountered.
   - Set reminders for an incident SLA.
   - Add new fields to an incident type.
   - Define the way that incidents of a specific type are displayed in the system.
   - Drop new incidents of the same type that contain similar information.

30. What is the requirement for enablement of endpoint and network analytics in Cortex XDR?
   - Cloud Identity Engine configured and enabled.
   - Network Mapper applet on the Broker VM configured and enabled.
   - Logs from at least 30 endpoints over a minimum of two weeks.
   - Windows DHCP logs ingested via a Cortex XDR collector.

31. A Cortex XSOAR customer has a phishing use case in which a playbook has been implemented, with one of the steps blocking a malicious URL found in an email reported by one of the users?
   - Email the CISO to advise that a malicious email was found.
   - Disable the user's email account.
   - Email the user to confirm the reported email was phishing.
   - Change the user's password.

32. When analyzing logs for indicators, which are used for only BIOC identification?
   - Observed activity.
   - Artifacts.
   - Techniques.
   - Error messages.

33. When preparing the golden image in a Cortex XDR Virtual Desktop Infrastructure (VDI) deployment, which step is required?
   - Disable automatic memory dumps.
   - Scan the image using the imagepreptool.
   - Launch the VDI conversion tool.
   - Enable the VDI license timeout.

34. In Cortex XDR Prevent, which three matching criteria can be used to dynamically group endpoints? (Choose three.)
   - Domain/workgroup membership.
   - Quarantine status.
   - Hostname.
   - OS.
   - Attack threat intelligence tag.

35. A General Purpose Dynamic Section can be added to which two layouts for incident types? (Choose two.)
   - "Close" Incident Form.
   - Incident Summary.
   - Incident Quick View.
   - "New"/"Edit" Incident Form.

36. An adversary attempts to communicate with malware running on a network in order to control malware activities or to exfiltrate data from the network. Which Cortex XDR Analytics alert will this activity most likely trigger?
   - Uncommon local scheduled task creation.
   - Malware.
   - New administrative behaviour.
   - DNS Tunneling.

37. When running a Cortex XSIAM proof of value (POV), why is it important to deploy the Cortex XDR agent?
   - It will prevent all threats in the environment.
   - It is used to enforce license compliance.
   - It runs automation playbooks on the endpoints.
   - It provides telemetry for stitching and analytics.

38. What are two ways Cortex XSIAM monitors for issues with data ingestion? (Choose two.)
   - The Data Ingestion Health page identifies deviations from normal patterns of log collection.
   - The Cortex XSIAM Command Center dashboard will display a red icon if a data source is having issues.
   - The tenant's compute units consumption will change dramatically, indicating a collection issue.
   - It automatically runs a copilot playbook to troubleshoot and resolve ingestion issues.

39. Which method is used for third-party network data consumption?
   - Scripts library from the Action Center.
   - Open Database Connectivity (ODBC) connection to network device database.
   - Common Event Format (CEF) via Broker Syslog module.
   - File reader to the /var/log/messages file on the device.

40. Which Cortex XDR license is required for a customer that requests endpoint detection and response (EDR) data collection capabilities?
   - Cortex XDR Pro per TB.
   - Cortex XDR Endpoint.
   - Cortex XDR Prevent.
   - Cortex XDR Pro per Endpoint.

41. When integrating with Splunk, what will allow you to push alerts into Cortex XSOAR via the REST API?
   - splunk-get-alerts integration command.
   - Cortex XSOAR TA App for Splunk.
   - SplunkSearch automation.
   - SplunkGO integration.

42. What must a customer deploy prior to collecting endpoint data in Cortex XSIAM?
   - Playbook.
   - Broker VM.
   - XDR Agent.
   - External dynamic list.

43. During the TMS instance activation, a tenant (customer) provides the following information for the fields in the Activation - Step 2 of 2 window. During the service instance provisioning, which three DNS host names are created? (Choose three.)
   - cc-xnet50.traps.paloaltonetworks.com
   - hc-xnet50.traps.paloaltonetworks.com
   - cc-xnet.traps.paloaltonetworks.com
   - cc.xnet50traps.paloaltonetworks.com
   - xnettraps.paloaltonetworks.com
   - ch-xnet.traps.paloaltonetworks.com

44. Why is Premium Customer Success an important part of any Cortex bill of materials?
   - It provides full implementation services.
   - It provides instructor-led training courses.
   - It provides expert-led configuration guidance.

45. A customer has purchased Cortex XDR and requires phone support for the product. Which Palo Alto Networks offering would fulfill this need?
   - Platinum Success.
   - Premium Success.
   - Diamond Success.
   - Standard Success.

46. Where is the best place to find official resource material?
   - Online forums.
   - Video series.
   - Administrator Guide.
   - Technical blogs.

47. If a customer activates a TMS tenant and has not purchased a Cortex Data Lake instance, Palo Alto Networks will provide the customer with a free instance. What size is this free Cortex Data Lake instance?
   - 1 TB.
   - 10 TB.
   - 100 GB.
   - 10 TB.

48. Which integration allows searching and displaying Splunk results within Cortex XSOAR?
   - SplunkPY integration.
   - Demisto App for Splunk integration.
   - XSOAR REST API integration.
   - Splunk integration.

49. Which two filter operators are available in Cortex XDR? (Choose two.)
   - < >
   - Contains
   - =
   - Is Contained By

50. What is the recommended first step in planning a Cortex XDR deployment?
   - Implement Cortex XDR across all endpoints without assessing architecture or assets.
   - Deploy agents across the entire environment for immediate protection.
   - Deploy Cortex XDR on endpoints with the highest potential for attack.
   - Conduct an assessment and identify critical assets and endpoints within the environment.

51. What is the size of the free Cortex Data Lake instance provided to a customer who has activated a TMS tenant but has not purchased a Cortex Data Lake instance?
   - 10 GB.
   - 1 TB.
   - 10 TB.
   - 100 GB.

52. Which Cortex XDR capability prevents running malicious files from USB-connected removable equipment?
   - Device customization.
   - Agent configuration.
   - Agent management.
   - Restrictions profile.

53. What are the key capabilities of the ASM for Remote Workers module?
   - Monitoring endpoint activity, managing firewall rules, and mitigating cybersecurity threats.
   - Gathering endpoint data, conducting internal scans, and automating network configurations.
   - Identifying office network vulnerabilities, monitoring remote workforce, and encrypting data.
   - Analyzing global scan data, identifying risky issues on remote networks, and providing internal insights.

54. The customer has indicated they need EDR data collection capabilities. Which Cortex XDR license is required?
   - Cortex XDR Pro per TB.
   - Cortex XDR Prevent.
   - Cortex XDR Endpoint.
   - Cortex XDR Pro per Endpoint.

55. Which service helps identify attackers by combining world-class threat intelligence with Cortex XSIAM technology?
   - Virtual Desktop Infrastructure.
   - Managed Threat Hunting.
   - Threat Intelligence Platform.
   - Cloud Identity Engine.

56. Which option describes a Load-Balancing Engine Group?
   - A group of engines that use an algorithm to efficiently share the workload for integrations.
   - A group of engines that ensure High Availability of Demisto backend databases.
   - A group of engines that use an algorithm to efficiently share the workload for automation scripts.
   - A group of D2 agents that share processing power across multiple endpoints.

57. Which two Cortex XSOAR incident type features can be customized under Settings > Advanced > Incident Types? (Choose two.)
   - Adding new fields to an incident type.
   - Setting reminders for an incident service level agreement.
   - Defining whether a playbook runs automatically when an incident type is encountered.
   - Dropping new incidents of the same type that contain similar information.

58. Where is the output of the task visible when a playbook task errors out?
   - Playbook editor.
   - XSOAR audit log.
   - /var/log/messages.
   - War Room of the incident.

59. The Cortex XDR management service requires which other Palo Alto Networks product?
   - Directory Sync.
   - Cortex Data Lake.
   - Panorama.
   - Cortex XSOAR.

60. What is the retention requirement for Cortex Data Lake sizing?
   - Number of endpoints.
   - Number of VM-Series NGFW.
   - Number of days.
   - Logs per second.

61. How does the integration between Cortex Xpanse and Cortex XSOAR benefit security teams?
   - By enhancing firewall rule management.
   - By enabling automatic incident response actions for internet-based incidents.
   - By providing real-time threat intelligence feeds.
   - By automating endpoint detection and response (EDR) processes.

62. Within Cortex XSIAM, how does the integration of Attack Surface Management (ASM) provide a unified approach to security event management that traditional SIEMs typically lack?
   - By providing a queryable dataset of ASM data for threat hunting.
   - By offering dashboards on ASM data within the management console.
   - By manually correlating ASM data with security events.
   - By enriching incidents with ASM data for all internet-facing assets.

63. A prospective customer is interested in Cortex XDR but is unable to run a product evaluation. Which tool can be used instead to showcase Cortex XDR?
   - Test Flight.
   - War Game.
   - Tech Rehearsal.
   - Capture the Flag.

64. An existing Palo Alto Networks SASE customer expresses that their security operations practice is having difficulty using the SASE data to help detect threats in their environment. They understand that parts of the Cortex portfolio could potentially help them and have reached out for guidance on moving forward. Which two Cortex products are good recommendations for this customer? (Choose two.)
   - Cortex XSOAR.
   - Cortex XDR.
   - Cortex.
   - Cortex XSIAM.

65. What is a benefit of user entity behavior analytics (UEBA) over security information and event management (SIEM)?
   - SIEMs support only agentless scanning, not agent-based workload protection across VMs, containers/Kubernetes.
   - UEBA can add trusted signers of Windows or Mac processes to a whitelist in the Endpoint Security Manager (ESM) Console.
   - SIEMs have difficulty detecting unknown or advanced security threats that do not involve malware, such as credential theft.
   - UEBA establishes a secure connection in which endpoints can be routed, and it collects and forwards logs and files for analysis.

66. Which two items are stitched to the Cortex XDR causality chain? (Choose two.)
   - Firewall SIEM.
   - SIEM alert.
   - Full URL.
   - Registry set value.

67. Which feature of Cortex XSIAM displays an entire picture of an attack, including the originating process or delivery point?
   - Sample analysis.
   - Correlation rule.
   - Causality View.
   - Automation playbook.

68. What is a requirement when integrating Cortex XSIAM or Cortex XDR with other Palo Alto Networks products?
   - Advanced logging service license.
   - HTTP Collector.
   - Devices in the same region as XDR/XSIAM.
   - XDR/XSIAM Broker VM.

69. Why is reputation scoring important in the Threat Intelligence Module of Cortex XSOAR?
   - It allows for easy comparison between open-source intelligence and paid services.
   - It deconflicts prioritization when two vendors give different scores for the same indicator.
   - It provides a mathematical model for combining scores from multiple vendors.
   - It helps identify threat intelligence vendors with substandard content.

70. A Cortex XSOAR customer wants to send a survey to users asking them to input their manager's email for a training use case so the manager can receive status reports on the employee's training. However, the customer is concerned users will provide incorrect information to avoid sending status updates to their manager. How can Cortex XSOAR most efficiently sanitize user responses prior to using them in the playbook?
   - Create a task that sends the survey responses to the analyst via email. If the responses are incorrect, the analyst fills out the correct response in the survey.
   - Create a manual task to ask the analyst to validate the survey response in the platform.
   - Create a sub-playbook and import a list of manager emails into XSOAR. Use a conditional task comparison to check if the response matches an email on the list. If no matches are found, loop the sub-playbook and send the survey back to the user until a match is found.
   - Create a conditional task comparison to check if the response contains a valid email address.

71. Which statement applies to the malware protection flow in Cortex XDR Prevent?
   - Local static analysis happens before a WildFire verdict check.
   - In the final step, the block list is verified.
   - A trusted signed file is exempt from local static analysis.
   - Hash comparisons come after local static analysis.

72. What are two ways a customer can configure user authentication to access Cortex Xpanse? (Choose two.)
   - Secure Shell (SSH).
   - SAML.
   - RADIUS.
   - Customer Support Portal.

73. An administrator has a critical group of systems running Windows XP SP3 that cannot be upgraded. The administrator wants to evaluate the ability of Traps to protect these systems and the word processing applications running on them. How should an administrator perform this evaluation?
   - Gather information about the word processing applications and run them on a Windows XP SP3 VM. Determine if any of the applications are vulnerable and run the exploit with an exploitation tool.
   - Run word processing exploits in a latest version of Windows VM in a controlled and isolated environment. Document indicators of compromise and compare to Traps protection capabilities.
   - Run a known 2015 flash exploit on a Windows XP SP3 VM, and run an exploitation tool that acts as a listener. Use the results to demonstrate Traps capabilities.
   - Prepare the latest version of Windows VM. Gather information about the word processing applications, determine if some of them are vulnerable and prepare a working exploit for at least one of them. Execute with an exploitation tool.

74. Which two entities can be created as a behavioral indicator of compromise (BIOC)? (Choose two.)
   - Process.
   - Data.
   - Event alert.
   - Network.
   - Endpoint.

75. Cortex XSOAR has extracted a malicious IP address involved in command-and-control traffic. What is the best method to automatically block this IP from communicating with endpoints without requiring a configuration change on the firewall?
   - Create a NetOps ticket requesting a configuration change to the firewall to block the IP.
   - Add the IP address to an external dynamic list used by the firewall.
   - Add the IP address to a threat intelligence management malicious IP list to elevate priority of future alerts.
   - Block the IP address by creating a deny rule in the firewall.

76. What are two reasons incident investigation is needed in Cortex XDR? (Choose two.)
   - No solution will stop every attack; further investigation of activity is needed.
   - Insider threats may not be blocked and initial activity may go undetected.
   - Analysts need to acquire forensic artifacts of malware that has been blocked by the XDR agent.
   - Detailed reports are needed for senior management to justify the cost of XDR.

77. Which feature of Cortex XSIAM helps analysts reduce the noise and false positives that often plague traditional SIEM systems?
   - Alert range indicators.
   - AI-generated correlation rules.
   - Automatic incident scoring.
   - Dynamic alarm fields.

78. Which CLI query would bring back Notable Events from Splunk?
   A) !splunk-search query="'notable' | head 3"
   B) !splunk-search query="'notable' | head 3"
   C) !splunk-search query="'*"
   D) !splunk-search query="* | head 3"
   - Option A.
   - Option B.
   - Option C.
   - Option D.

79. What is the primary function of an engine in Cortex XSOAR?
   - To execute playbooks, scripts, commands, and integrations.
   - To manage multiple Cortex XSOAR tenants.
   - To provide a user interface for security analysts.
   - To store and manage incident data, remediation plans, and documentation.

80. Which Cortex XSIAM feature can be used to onboard data sources?
   - Marketplace Integration.
   - Playbook.
   - Data Ingestion Dashboard.
   - Asset Inventory.

81. Which integration allows data to be pushed from Cortex XSOAR into Splunk?
   - ArcSight ESM integration.
   - SplunkUpdate integration.
   - Demisto App for Splunk integration.
   - SplunkPY integration.

82. What does DBot use to score an indicator that has multiple reputation scores?
   - Most severe score.
   - Undefined score.
   - Average score.
   - Least severe score.

83. Which Linux OS command will manually load Docker images onto the Cortex XSOAR server in an air-gapped environment?
   - sudo repoquery -a --installed
   - sudo demistoserver-x.x-xxxx.sh -tools=load
   - sudo docker ps load
   - sudo docker load -i YOUR_DOCKER_FILE.tar

84. Which type of log is ingested natively in Cortex XDR Pro per TB?
   - Google Kubernetes Engine.
   - Demisto.
   - Docker.
   - Microsoft Office 365.