PEESEE COR TX New

Title of test:
PEESEE COR TX New

Description:
jajajan jujujun

Creation Date: 2025/07/02

Category: Others

Number of questions: 168

Content:

Which feature in Cortex XSIAM extends analytics detections to all mapped network and authentication data?. Threat feed integration. Automation playbooks. Parsing rules. Data models.

What are process exceptions used for?. whitelist programs from WildFire analysis. permit processes to load specific DLLs. change the WildFire verdict for a given executable. disable an EPM for a particular process.

What is a benefit offered by Cortex XSOAR?. It provides advanced customization capabilities. It provides real-time protection across hosts and containers. It enables consolidation of multiple point products into a single integrated service. It enables a comprehensive view of the customer environment with regard to digital employee productivity.

What allows the use of predetermined Palo Alto Networks roles to assign access rights to Cortex XDR users?. role-based access control. cloud identity engine. endpoint groups. restrictions security profile.

The certificate used for decryption was installed as a trusted root CA certificate to ensure communication between the Cortex XDR Agent and Cortex XDR Management Console. What action needs to be taken if the administrator determines the Cortex XDR Agents are not communicating with the Cortex XDR Management Console?. add paloaltonetworks.com to the SSL Decryption Exclusion list. enable SSL decryption. disable SSL decryption. reinstall the root CA certificate.

How can Cortex XSOAR save time when a phishing incident occurs?. It can automatically email staff to warn them about the phishing attack and show them a copy of the email. It can automatically respond to the phishing email to unsubscribe from future emails. It can automatically purge the email from user mailboxes in which it has not yet been opened. It can automatically identify every mailbox that received the phish and create corresponding cases for.

Which two areas of Cortex XDR are used for threat hunting activities? (Choose two.). indicators of compromise (IOC) rules. query builder. live terminal. host insights module.

Which two actions are required to add indicators to the whitelist? (Choose two.). Click "New Whitelisted Indicator" in the Whitelist page. Upload an external file named "whitelist" to the Whitelist page. Upload an external file named "whitelist" to the Indicators page. Select the indicators and click "Delete and Whitelist" in the Indicators page.

Which feature of Cortex Xpanse allows it to identify previously unknown assets?. Dynamic asset registration. Scheduled network scanning. Continuous internet scanning. Active directory enumeration.

In an air-gapped environment where the Docker package was manually installed after the Cortex XSOAR installation, which action allows Cortex XSOAR to access Docker?. create a "docker" group and add the "Cortex XSOAR" or "demisto" user to this group. create a "Cortex XSOAR" or "demisto" group and add the "docker" user to this group. disable the Cortex XSOAR service. enable the docker service.

What is a key difference between audit users and full users in Cortex XSOAR?. Audit users can only view incidents, while full users can edit system components. Full users can only view dashboards, while audit users can investigate incidents. Audit users have read-only permission, while full users have read-write permission. Audit users can run scripts and playbooks, while full users can only view reports.

In addition to incident volume, which four critical factors must be evaluated to determine effectiveness and ROI on cybersecurity planning and technology?. Analyst, training costs, duplicated, false positives. People, staffing costs, duplicates, false positives. People, security controls, mean time to detect, false positives. Standard operating procedures, staffing costs, duplicates, mean time to respond.

Which attack method is a result of techniques designed to gain access through vulnerabilities in the code of an operating system (OS) or application?. exploit. malware. phishing. ransomware.

Which two troubleshooting steps should be taken when an integration is failing to connect? (Choose two.). Ensure the playbook is set to run in quiet mode to minimize CPU usage and suppress errors. Confirm the integration credentials or API keys are valid. Check the integration logs and enable a higher logging level, if needed, to view the specific error. Confirm there are no dashboards or reports configured to use that integration instance.

On a multi-tenanted v6.2 Cortex XSOAR server, which path leads to the server.log for "Tenant1"?. /var/log/demisto/acc_Tenant1/server.log. /var/log/demisto/Tenant1/server.log. /var/lib/demisto/acc_Tenant1/server.log. /var/lib/demisto/server.log.

Which deployment type supports installation of an engine on Windows, Mac OS, and Linux?. RPM. SH. DEB. ZIP.

Which technology allows a customer to integrate Cortex Xpanse with third-party applications or services, assets, and IP ranges while leveraging investigation capabilities?. POSTMAN. Webhook. REST API. D KPI.

Which source provides data for Cortex XDR?. VMware NSX. Amazon Alexa rank indicator. Cisco ACI. Linux endpoints.

Cortex XDR external data ingestion processes ingest data from which sources?. windows event logs only. syslogs only. windows event logs, syslogs, and custom external sources. windows event logs and syslogs only.

Which product enables the discovery, exchange, and contribution of security automation playbooks, built into Cortex XSOAR?. XSOAR Threat Intelligence Platform (TIP). XSOAR Automated Systems. XSOAR Ticketing Systems. XSOAR Marketplace.

An antivirus refresh project was initiated by the IT operations executive. Who is the best source for discussion about the project's operational considerations?. endpoint manager. SOC manager. SOC analyst. desktop engineer.

For which two purposes can Cortex XSOAR engines be deployed? (Choose two.). To execute recurring playbooks based on specific time schedules or changes to a feed. To add processing resources for a heavily-used integration via load-balancing groups. To integrate with tools in a network location that the Cortex XSOAR server cannot reach directly. To connect Cortex XSOAR to all required Palo Alto Networks resources such as the Cortex Gateway.

How does a clear understanding of a customer’s technical expertise assist in a hand off following the close of an opportunity?. It enables customers to prepare for audits so they can demonstrate compliance. It helps in assigning additional technical tasks to the customer. It allows implementation teams to bypass initial scoping exercises. It enables post-sales teams to tailor their support and training appropriately.

Which command is used to add Cortex XSOAR "User1" to an investigation from the War Room command-line interface (CLI)?. /invite User1. #User1. @User1. !invite User1.

A Cortex XSOAR customer wants to ingest emails from a single mailbox. The mailbox brings in reported phishing emails and email requests from human resources (HR) to onboard new users. The customer wants to run two separate workflows from this mailbox, one for phishing and one for onboarding. What will allow Cortex XSOAR to accomplish this in the most efficient way?. Create two instances of the email integration and classify one instance as ingesting incidents of type phishing and the other as ingesting incidents of type onboarding. Use an incident classifier based on a field in each type of email to classify those containing "Phish Alert" in the subject as phishing and those containing "Onboard Request" as onboarding. Create a playbook to process and determine incident type based on content of the email. Use machine learning (ML) to determine incident type.

Which two formats are supported by Whitelist? (Choose two.). Regex. STIX. CSV. CIDR.

If you have a playbook task that errors out, where could you see the output of the task?. /var/log/messages. War Room of the incident. Demisto Audit log. Playbook Editor.

How does Cortex XSOAR automation save time when a phishing incident occurs?. By developing an integration. By responding to management with risk scores. By purging unopened phishing email from user mailboxes. By emailing staff to inform them of phishing attack in advance.

What are two capabilities of a War Room? (Choose two.). create widgets for an investigation. create playbooks for orchestration. act as an audit trail for an investigation. run ad-hoc automation commands.

Cortex XDR can schedule recurring scans of endpoints for malware. Identify two methods for initiating an on-demand malware scan. (Choose two.). Response > Action Center. the local console. Telnet. Endpoint > Endpoint Management.

What is used to display only file entries in a War Room?. files from War Room CLI WW. incident files section in layout builder. files and attachments filters. /files from War Room CLI.

Why is it important to document notes from the Proof of Value (POV) for post-sales hand off?. To generate additional training material for the POV's production implementation. To certify that the POV was completed and meets all customer requirements. To allow implementation teams to bypass scoping exercises and shorten delivery time. To ensure the implementation teams understand the customer use cases and priorities.

Which task allows the playbook to follow different paths based on specific conditions?. Conditional. Automation. Manual. Parallel.

An administrator is alerted to a Suspicious Process Creation security event from multiple users. The users believe that these events are false positives. Which two steps should the administrator take to confirm the false positives and create an exception? (Choose two.). Within the Malware Security profile, disable the "Prevent Malicious Child Process Execution" module. Within the Malware Security profile, add the specific parent process, child process, and command line argument to the child process whitelist. In the Cortex XDR security event, review the specific parent process, child process, and command line arguments. Contact support and ask for a security exception.

How can the required log ingestion license be determined when sizing a Cortex XSIAM deployment?. Use the Cortex Data Lake Calculator to estimate the volume of third-party logs. Count the number of correlation sources and multiply by desired retention days. Ask the customer for average log ingestion estimates from their existing SIEM. Ask the customer to provide average daily alert volume.

Which solution profiles network behavior metadata, not payloads and files, allowing effective operation regardless of encrypted or unencrypted communication protocols, like HTTPS?. endpoint protection platform (EPP). Security Information and Event Management (SIEM). endpoint detection and response (EDR). Network Detection and Response (NDR).

Given the integration configuration and error in the screenshot, what is the cause of the problem?. incorrect instance name. incorrect Username and Password. incorrect appliance port. incorrect server URL.

Which task setting allows context output to a specific key?. extend context. stop on errors. task output. tags.

Which statement applies to the malware protection flow of the endpoint agent in Cortex XSIAM?. A file from an allowed signer is exempt from local analysis. Local analysis always happens before a WildFire verdict check. Hash comparisons come after local static analysis. The block list is verified in the final step.

A Cortex Xpanse customer receives an email regarding an upcoming product update and wants to get more information on the new features. In which resource can the customer access this information?. Administrator Guide. Release Notes. Compatibility Matrix. LIVEcommunity.

Which Cortex XDR capability allows for the immediate termination of a process discovered during investigation of a security event?. file explorer. Log stitching. live sensor. live terminal.

What is the result of creating an exception from an exploit security event?. Administrators are exempt from generating alerts for 24 hours. Process from WildFire analysis is whitelisted. Triggered exploit protection module (EPM) for the host and process involved is disabled. User is exempt from generating events for 24 hours.

In the DBotScore context field, which context key would differentiate between multiple entries for the same indicator in a multi-TIP environment?. Vendor. Type. Using. Brand.

An EDR project was initiated by a CISO. Which resource will likely have the most heavy influence on the project?. desktop engineer. SOC manager. SOC analyst. IT operations manager.

A prospect has agreed to do a 30-day POC and asked to integrate with a product that Demisto currently does not have an integration with. How should you respond?. Extend the POC window to allow the solution architects to build it. Tell them we can build it with Professional Services. Tell them custom integrations are not created as part of the POC. Agree to build the integration as part of the POC.

A Cortex XSIAM customer is unable to access their Cortex XSIAM tenant. Which resource can the customer use to validate the uptime of Cortex XSIAM?. Administrator Guide. LIVEcommunity. Release Notes. Palo Alto Networks Status Page.

Which two methods does the Cortex XDR agent use to identify malware during a scheduled scan? (Choose two.). WildFire hash comparison. heuristic analysis. signature comparison. dynamic analysis.

A customer has 2700 endpoints. There is currently concern about recent attacks in their industry and threat intelligence from a third-party subscription. In an attempt to be proactive, phishing simulations have been prioritized, but the customer wants to gain more visibility and remediation capabilities specific to their network traffic. Which Cortex product provides these capabilities?. XDR Pro Per Endpoint. XDR Pro Per GB. XDR Forensics Module. XDR Phishing Response Playbook.

A customer has purchased Cortex Data Lake storage with the following configuration, which requires 2 TB of Cortex Data Lake to order: support for 300 total Cortex XDR clients, all forwarding Cortex XDR data with 30-day retention, storage for higher fidelity logs to support Cortex XDR advanced analytics. The customer now needs 1000 total Cortex XDR clients, but continues with 300 clients forwarding Cortex XDR data with 30-day retention. What is the new total storage requirement for Cortex Data Lake storage to order?. 16 TB. 4 TB. 8 TB. 2 TB.

Which step is required to prepare the VDI Golden Image?. Review any PE files that WildFire determined to be malicious. Ensure the latest content updates are installed. Run the VDI conversion tool. Set the memory dumps to manual setting.

In addition to migration and go-live, what are two best-practice steps for migrating from SIEM to Cortex XSIAM? (Choose two.). Execution. Certification. Conclusion. Testing.

Which playbook feature allows concurrent execution of tasks?. parallel tasks. automation tasks. manual tasks. conditional tasks.

A customer wants the main Cortex XSOAR server installed in one site and wants to integrate with three other technologies in a second site. What communications are required between the two sites if the customer wants to install a Cortex XSOAR engine in the second site?. The Cortex XSOAR server at the first site must be able to initiate a connection to the Cortex XSOAR engine at the second site. All connectivity is initiated from the Cortex XSOAR server on the first site via a managed cloud proxy. Dedicated site-to-site virtual private network (VPN) is required for the Cortex XSOAR server at the first site to initiate a connection to the Cortex XSOAR engine at the second site. The Cortex XSOAR engine at the first site must be able to initiate a connection to the Cortex XSOAR server at the second site.

A customer has purchased Cortex XDR and requires 24/7 monitoring of the platform. However, the customer only has staff available during business hours. Which Palo Alto Networks offering would best meet this requirement?. Security Orchestration, Automation and Response. Security Information and Event Management. Managed Detection and Response. Network Detection and Response.

Approximately how many Cortex XSOAR marketplace integrations exist?. Between 1-400. Between 400-700. Between 700-2000. Over 2000.

Which consideration should be taken into account before deploying Cortex XSOAR?. Which cybersecurity framework to implement for Secure Operations Center (SOC) operations. Whether communication with internal or external applications is required. How to configure network firewalls for optimal performance. Which endpoint protection software to integrate with Cortex XSOAR.

Which Cortex XSIAM license is required if an organization needs to protect a cloud Kubernetes host?. Attack Surface Management. Cortex XSIAM Enterprise. Identity Threat Detection and Response. Cortex XSIAM Enterprise Plus.

Which Cortex XDR capability extends investigations to an endpoint?. Log Stitching. Causality Chain. Sensors. Live Terminal.

Which two types of indicators of compromise (IOCs) are available for creation in Cortex XDR? (Choose two.). registry. file path. hash. hostname.

What does the Cortex XSOAR "Saved by Dbot" widget calculate?. amount saved in Dollars according to actions carried out by all users in Cortex XSOAR across all incidents. amount saved in Dollars by using Cortex XSOAR instead of other products. amount of time saved by each playbook task within an incident. amount of time saved by Dbot's machine learning (ML) capabilities.

When a Demisto Engine is part of a Load-Balancing group, it:. Must be in a Load-Balancing group with at least another 3 members. Must have port 443 open to allow the Demisto Server to establish a connection. Can be used separately as an engine, only if connected to the Demisto Server directly. Cannot be used separately and does not appear in the engines drop-down menu when configuring an integration instance.

Which two types of IOCs are available for creation in Cortex XDR? (Choose two.). IP. endpoint hostname. domain. registry entry.

Which two log types should be configured for firewall forwarding to the Cortex Data Lake for use by Cortex XDR? (Choose two.). Security Event. HIP. Correlation. Analytics.

Which command-line interface (CLI) query would retrieve the last three Splunk events?. !search using=splunk_instance_1 query="* | last 3". !search using=splunk_instance_1 query="* | 3". !query using=splunk_instance_1 query="* | last 3". !search using=splunk_instance_1 query="* | head 3".

Which aspect of Cortex Xpanse allows for visibility over remote workforce risks?. The ability to identify customer assets on residential networks. The use of a VPN connection to scan remote devices. The deployment of a Cortex Xpanse agent on the remote endpoint. The presence of a portal for remote workers to use for posture checking.

What is the function of reputation scoring in the Threat Intelligence Module of Cortex XSIAM?. It provides a statistical model for combining scores from multiple vendors. It resolves conflicting scores from different vendors with the same indicator. It allows for comparison between open-source intelligence and paid services. It helps identify threat feed vendors with invalid content.

Which service helps uncover attackers wherever they hide by combining world-class threat hunters with Cortex XDR technology that runs on integrated endpoint, network, and cloud data sources?. Cloud Identity Engine. Managed Threat Hunting. virtual desktop infrastructure (VDI). Threat Intelligence Platform (TIP).

If an anomalous process is discovered while investigating the cause of a security event, you can take immediate action to terminate the process or the whole process tree, and block processes from running by initiating which Cortex XDR capability?. Live Sensors. File Explorer. Log Stitching. Live Terminal.

What is the primary mechanism for the attribution of attack surface data in Cortex Xpanse?. Active scanning with network-installed agents. Dark web monitoring. Customer-provided asset inventory lists. Scanning from public internet data sources.

Which action should be performed by every Cortex Xpanse proof of value (POV)?. Grant the customer access to the management console immediately following activation. Provide the customer with an export of all findings at the conclusion of the POV. Enable all of the attack surface rules to show the highest number of alerts. Review the mapping in advance to identify a few interesting findings to share with the customer.

What is the difference between the intel feed's license quotas of Cortex XSOAR Starter Edition and Cortex XSOAR (SOAR + TIM)?. Cortex XSOAR Starter Edition has unlimited access to the Threat Intel Library. In Cortex XSOAR (SOAR + TIM), Unit 42 Intelligence is not included. In Cortex XSOAR (SOAR + TIM), intelligence detail view and relationships data are not included. Cortex XSOAR Starter Edition includes up to 5 active feeds and 100 indicators/fetch.

A customer is hesitant to directly connect their network to the Cortex platform due to compliance restrictions. Which deployment method should the customer use to ensure secure connectivity between their network and the Cortex platform?. Elasticsearch. Broker VM. Syslog collector. Windows Event Collector.

Which two entities can be created as a BIOC? (Choose two.). file. registry. event log. alert log.

How do sub-playbooks affect the Incident Context Data?. When set to private, task outputs do not automatically get written to the root context. When set to private, task outputs automatically get written to the root context. When set to global, allows parallel task execution. When set to global, sub-playbook tasks do not have access to the root context.

How many use cases should a POC success criteria document include?. only 1. 3 or more. no more than 5. no more than 2.

An adversary is attempting to communicate with malware running on your network for the purpose of controlling malware activities or for exfiltrating data from your network. Which Cortex XDR Analytics alert is this activity most likely to trigger?. Uncommon Local Scheduled Task Creation. Malware. New Administrative Behavior. DNS Tunneling.

Which element displays an entire picture of an attack, including the root cause or delivery point?. Cortex XSOAR Work Plan. Cortex SOC Orchestrator. Cortex Data Lake. Cortex XDR Causality View.

What are two manual actions allowed on War Room entries? (Choose two.). Mark as artifact. Mark as scheduled entry. Mark as note. Mark as evidence.

What is the difference between an exception and an exclusion?. An exception is based on rules and exclusions are on alerts. An exclusion is based on rules and exceptions are based on alerts. An exception does not exist. An exclusion does not exist.

Given the exception thrown in the accompanying image by the Demisto REST API integration, which action would most likely solve the problem?

Which two playbook functionalities allow looping through a group of tasks during playbook execution? (Choose two.). Generic Polling Automation Playbook. Playbook Tasks. Sub-Playbooks. Playbook Functions.

What does Cortex Xpanse ingest from XDR endpoints?. MAC addresses. User-agent data. Public IP addresses. Hostnames.

Which four types of Traps logs are stored within Cortex Data Lake?. Threat, Config, System, Data. Threat, Config, System, Analytic. Threat, Monitor, System, Analytic. Threat, Config, Authentication, Analytic.

Which statement applies to the differentiation of Cortex XDR from security information and event management (SIEM)?. SIEM has access to raw logs from agents, where Cortex XDR traditionally only gets alerts. Cortex XDR allows just logging into the console and out of the box the events were blocked as a proactive approach. Cortex XDR requires a large and diverse team of analysts and up to several weeks for simple actions like creating an alert. SIEM has been entirely designed and built as cloud-native, with the ability to stitch together cloud logs, on-premises logs, third-party logs, and endpoint logs.

What method does the Traps agent use to identify malware during a scheduled scan?. Heuristic analysis. Local analysis. Signature comparison. WildFire hash comparison and dynamic analysis.

What is the result of creating an exception from an exploit security event?. Whitelists the process from WildFire analysis. exempts the user from generating events for 24 hours. exempts administrators from generating alerts for 24 hours. disables the triggered EPM for the host and process involved.

Cortex XSOAR has extracted a malicious Internet Protocol (IP) address involved in command-and-control (C2) traffic. What is the best method to block this IP from communicating with endpoints without requiring a configuration change on the firewall?. Have XSOAR automatically add the IP address to a threat intelligence management (TIM) malicious IP list to elevate priority of future alerts. Have XSOAR automatically add the IP address to a deny rule in the firewall. Have XSOAR automatically add the IP address to an external dynamic list (EDL) used by the firewall. Have XSOAR automatically create a NetOps ticket requesting a configuration change to the firewall to block the IP.

How does DBot score an indicator that has multiple reputation scores?. uses the most severe score. scores the reputation as undefined. uses the average score. uses the least severe score.

How can you view all the relevant incidents for an indicator?. Linked Incidents column in Indicator Screen. Linked Indicators column in Incident Screen. Related Indicators column in Incident Screen. Related Incidents column in Indicator Screen.

A test for a Microsoft exploit has been planned. After some research, Internet Explorer 11 CVE-2016-0189 has been selected and a module in Metasploit has been identified (exploit/windows/browser/ms16_051_vbscript). The description and current configuration of the exploit are as follows. What is the remaining configuration?. Option A. Option B. Option C. set PAYLOAD set LHOST set LPORT set URIPATH.

Which two statements apply to widgets? (Choose two.). All widgets are customizable. Dashboards cannot be shared across an organization. A widget can have its own time range that is different from the rest of the dashboard. Some widgets cannot be changed.

What is the primary purpose of Cortex XSIAM’s machine learning led design?. To group alerts into incidents for manual analysis. To facilitate alert and log management without automation. To effectively handle the bulk of incidents through automation. To rely heavily on human-driven detection and remediation.

Which statement best describes the benefits of the combination of Prisma Cloud, Cortex Xpanse, and partner services?. It achieves comprehensive multi-cloud visibility and security. It optimizes network performance in multi-cloud environments. It enhances on-premises security measures. It streamlines the cloud migration processes.

What should be configured for a Cortex XSIAM customer who wants to automate the response to certain alerts?. Playbook triggers. Correlation rules. Incident scoring. Data model rules.

The images show two versions of the same automation script and the results they produce when executed in Demisto. What are two possible causes of the exception thrown in the second image? (Choose two.). The modified script was run in the wrong Docker image. The modified script required a different parameter to run successfully. The dictionary was defined incorrectly in the second script. The modified script attempted to access a dictionary key that did not exist in the dictionary named "data".

Which description applies to the features of the Cortex platform as a holistic ecosystem?. It is solely focused on reactive security measures, neglecting proactive approaches. It offers an end-to-end security solution, covering every step of security processes. It primarily focuses on endpoint prevention without addressing other security aspects. It provides a partial security solution, leaving some steps of the security process uncovered.

A customer wants to modify the retention periods of their Threat logs in Cortex Data Lake. Where would the user configure the ratio of storage for each log type?. Within the TMS, create an agent settings profile and modify the Disk Quota value. It is not possible to configure Cortex Data Lake quota for specific log types. Go to the Cortex Data Lake App in Cloud Services, then choose Configuration and modify the Threat Quota. Write a GPO for each endpoint agent to check in less often.

When preparing for a Cortex XSOAR proof of value (POV), which task should be performed before the evaluation is requested?. Ensuring that the customer has single sign-on (SSO) configured in their environment. Building out an executive-level proposal detailing the product capabilities. Planning for every different use case the customer has for the solution. Gathering a list of the different integrations that will need to be configured.

Which Cortex XDR Agent capability prevents loading malicious files from USB-connected removable equipment?. Agent Configuration. Device Control. Device Customization. Agent Management.

Which option is required to prepare the VDI Golden Image?. Configure the Golden Image as a persistent VDI. Use the Cortex XDR VDI tool to obtain verdicts for all PE files. Install the Cortex XDR Agent on the local machine. Run the Cortex VDI conversion tool.

A customer has purchased Cortex XSOAR and has a need to rapidly stand up the product in their environment. The customer has stated that their internal staff are currently occupied with other projects. Which Palo Alto Networks service offering should be recommended to the customer?. Deployment. Onboarding. Fast-Track. QuickStart.

Which playbook functionality allows grouping of tasks to create functional building blocks?. playbook features. sub-playbooks. conditional tasks. manual tasks.

When initiated, which Cortex XDR capability allows immediate termination of the process, or entire process tree, on an anomalous process discovered during investigation of a security event?. Live sensors. Live terminal. Log forwarding. Log stitching.

How does an "inline" auto-extract task affect playbook execution?. Doesn't wait until the indicators are enriched and continues executing the next step. Doesn't wait until the indicators are enriched but populates context data before executing the next step. Waits until the indicators are enriched but doesn't populate context data before executing the next step. Waits until the indicators are enriched and populates context data before executing the next step.

The certificate used for decryption was installed as a trusted root CA certificate to ensure communication between the Cortex XDR Agent and Cortex XDR Management Console. What action needs to be taken if the administrator determines the Cortex XDR Agents are not communicating with the Cortex XDR Management Console?. add paloaltonetworks.com to the SSL Decryption Exclusion list. enable SSL decryption. disable SSL decryption. reinstall the root CA certificate.

The prospect is deciding whether to go with a phishing or a ServiceNow use case as part of their POC. We have integrations for both but a playbook for phishing only. Which use case should be used for the POC?. phishing. either. ServiceNow. neither.

Which process in the causality chain does the Cortex XDR agent identify as triggering an event sequence?. the relevant shell. The causality group owner. the adversary's remote process. the chain's alert initiator.

An administrator of a Cortex XDR protected production environment would like to test its ability to protect users from a known Flash Player exploit. What is the safest way to do it?. The administrator should attach a copy of the weaponized flash file to an email, send the email to a selected group of employees, and monitor the Events tab on the Cortex XDR console. The administrator should use the Cortex XDR tray icon to confirm his corporate laptop is fully protected, then open the weaponized flash file on his machine, and monitor the Events tab on the Cortex XDR console. The administrator should create a non-production Cortex XDR test environment that accurately represents the production environment, introduce the weaponized flash file, and monitor the Events tab on the Cortex XDR console. The administrator should place a copy of the weaponized flash file on several USB drives, scatter them around the office, and monitor the Events tab on the Cortex XDR console.

"Bob" is a Demisto user. Which command is used to add "Bob" to an investigation from the War Room CLI?. #Bob. /invite Bob. @Bob. !invite Bob.

Rearrange the steps into the correct order for modifying an incident layout. Navigate to Settings > Advanced > Incident Type. Select incident type. Edit the layout. Select Edit Layout option. Navigate to Settings > Layout Builder. ok.

Which resource can a customer use to ensure that the Cortex XDR agent will operate correctly on their CentOS 07 servers?. Administrator Guide. Compatibility Matrix. Release Notes. LIVE community.

In Cortex XDR Prevent, which three matching criteria can be used to dynamically group endpoints? (Choose three.). alert root cause. hostname. domain/workgroup membership. OS. presence of Flash executable.

Which two filter operators are available in Cortex XDR? (Choose two.). not Contains. !*. =>. < >.

Which three Demisto incident type features can be customized under Settings > Advanced > Incident Types? (Choose three.). Define whether a playbook runs automatically when an incident type is encountered. Set reminders for an incident SLA. Add new fields to an incident type. Define the way that incidents of a specific type are displayed in the system. Drop new incidents of the same type that contain similar information.

What is the requirement for enablement of endpoint and network analytics in Cortex XDR?. Cloud Identity Engine configured and enabled. Network Mapper applet on the Broker VM configured and enabled. Logs from at least 30 endpoints over a minimum of two weeks. Windows DHCP logs ingested via a Cortex XDR collector.

A Cortex XSOAR customer has a phishing use case in which a playbook has been implemented with one of the steps blocking a malicious URL found in an email reported by one of the users. What would be the appropriate next step in the playbook?. Email the CISO to advise that malicious email was found. Disable the user's email account. Email the user to confirm the reported email was phishing. Change the user's password.

When analyzing logs for indicators, which are used for only BIOC identification?. observed activity. artifacts. techniques. error messages.

When preparing the golden image in a Cortex XDR Virtual Desktop Infrastructure (VDI) deployment, which step is required?. Disable automatic memory dumps. Scan the image using the imagepreptool. Launch the VDI conversion tool. Enable the VDI license timeout.

In Cortex XDR Prevent, which three matching criteria can be used to dynamically group endpoints? (Choose three.). Domain/workgroup membership. quarantine status. hostname. OS. attack threat intelligence tag.

A General Purpose Dynamic Section can be added to which two layouts for incident types? (Choose two.). "Close" Incident Form. Incident Summary. Incident Quick View. "New"/"Edit" Incident Form.

An adversary attempts to communicate with malware running on a network in order to control malware activities or to exfiltrate data from the network. Which Cortex XDR Analytics alert will this activity most likely trigger?. uncommon local scheduled task creation. malware. new administrative behavior. DNS Tunneling.

When running a Cortex XSIAM proof of value (POV), why is it important to deploy the Cortex XDR agent?. It will prevent all threats in the environment. It is used to enforce license compliance. It runs automation playbooks on the endpoints. It provides telemetry for stitching and analytics.

What are two ways Cortex XSIAM monitors for issues with data ingestion? (Choose two.). The Data Ingestion Health page identifies deviations from normal patterns of log collection. The Cortex XSIAM Command Center dashboard will display a red icon if a data source is having issues. The tenant’s compute units consumption will change dramatically, indicating a collection issue. It automatically runs a copilot playbook to troubleshoot and resolve ingestion issues.

Which method is used for third-party network data consumption?. scripts library from the action center. Open Database Connectivity (ODBC) connection to network device database. Common Event Format (CEF) via broker Syslog module. file reader to the /var/log/messages file on the device.

Which Cortex XDR license is required for a customer that requests endpoint detection and response (EDR) data collection capabilities?. Cortex XDR Pro per TB. Cortex XDR Endpoint. Cortex XDR Prevent. Cortex XDR Pro Per Endpoint.

When integrating with Splunk, what will allow you to push alerts into Cortex XSOAR via the REST API?. splunk-get-alerts integration command. Cortex XSOAR TA App for Splunk. SplunkSearch automation. SplunkGO integration.

What must a customer deploy prior to collecting endpoint data in Cortex XSIAM?. Playbook. Broker VM. XDR agent. External dynamic list.

During the TMS instance activation, a tenant (Customer) provides the following information for the fields in the Activation - Step 2 of 2 window. During the service instance provisioning which three DNS host names are created? (Choose three.). cc-xnet50.traps.paloaltonetworks.com. hc-xnet50.traps.paloaltonetworks.com. cc-xnet.traps.paloaltonetworks.com. cc.xnet50traps.paloaltonetworks.com. xnettraps.paloaltonetworks.com. ch-xnet.traps.paloaltonetworks.com.

Why is Premium Customer Success an important part of any Cortex bill of materials?. It provides full implementation services. It provides managed threat hunting. It provides instructor-led training courses. It provides expert-led configuration guidance.

A customer has purchased Cortex XDR and requires phone support for the product. Which Palo Alto Networks offering would fulfill this need?. Platinum Success. Premium Success. Diamond Success. Standard Success.

Where is the best place to find official resource material?. Online forums. Video series. Administrator's guide. Technical blogs.

If a customer activates a TMS tenant and has not purchased a Cortex Data Lake instance, Palo Alto Networks will provide the customer with a free instance. What size is this free Cortex Data Lake instance?. 1 TB. 10 GB. 100 GB. 10 TB.

Which integration allows searching and displaying Splunk results within Cortex XSOAR?. SplunkPY integration. Demisto App for Splunk integration. XSOAR REST API integration. Splunk integration.

Which two filter operators are available in Cortex XDR? (Choose two.). < >. Contains. =. Is Contained By.

What is the recommended first step in planning a Cortex XDR deployment?. Implement Cortex XDR across all endpoints without assessing architecture or assets. Deploy agents across the entire environment for immediate protection. Deploy Cortex XDR on endpoints with the highest potential for attack. Conduct an assessment and identify critical assets and endpoints within the environment.

What is the size of the free Cortex Data Lake instance provided to a customer who has activated a TMS tenant, but has not purchased a Cortex Data Lake instance?. 10 GB. 1 TB. 10 TB. 100 GB.

Which Cortex XDR capability prevents running malicious files from USB-connected removable equipment?. Device customization. Agent configuration. Agent management. Restrictions profile.

What are the key capabilities of the ASM for Remote Workers module?. Monitoring endpoint activity, managing firewall rules, and mitigating cybersecurity threats. Gathering endpoint data, conducting internal scans, and automating network configurations. Identifying office network vulnerabilities, monitoring remote workforce, and encrypting data. Analyzing global scan data, identifying risky issues on remote networks, and providing internal insights.

The customer has indicated they need EDR data collection capabilities. Which Cortex XDR license is required?. Cortex XDR Pro per TB. Cortex XDR Prevent. Cortex XDR Endpoint. Cortex XDR Pro Per Endpoint.

Which service helps identify attackers by combining world-class threat intelligence with Cortex XSIAM technology?. Virtual Desktop Infrastructure. Managed Threat Hunting. Threat Intelligence Platform. Cloud Identity Engine.

Which option describes a Load-Balancing Engine Group?. A group of engines that use an algorithm to efficiently share the workload for integrations. A group of engines that ensure High Availability of Demisto backend databases. A group of engines that use an algorithm to efficiently share the workload for automation scripts. A group of D2 agents that share processing power across multiple endpoints.

Which two Cortex XSOAR incident type features can be customized under Settings > Advanced > Incident Types? (Choose two.). adding new fields to an incident type. setting reminders for an incident service level agreement. defining whether a playbook runs automatically when an incident type is encountered. dropping new incidents of the same type that contain similar information.

Where is the output of the task visible when a playbook task errors out?. playbook editor. XSOAR audit log. /var/log/messages. War Room of the incident.

The Cortex XDR management service requires which other Palo Alto Networks product?. Directory Sync. Cortex Data Lake. Panorama. Cortex XSOAR.

What is the retention requirement for Cortex Data Lake sizing?. number of endpoints. number of VM-Series NGFW. number of days. logs per second.

How does the integration between Cortex Xpanse and Cortex XSOAR benefit security teams?. By enhancing firewall rule management. By enabling automatic incident response actions for internet-based incidents. By providing real-time threat intelligence feeds. By automating endpoint detection and response (EDR) processes.

Within Cortex XSIAM, how does the integration of Attack Surface Management (ASM) provide a unified approach to security event management that traditional SIEMs typically lack?. By providing a queryable dataset of ASM data for threat hunting. By offering dashboards on ASM data within the management console. By manually correlating of ASM data with security events. By enriching incidents with ASM data for all internet-facing assets.

A prospective customer is interested in Cortex XDR but is unable to run a product evaluation. Which tool can be used instead to showcase Cortex XDR?. Test Flight. War Game. Tech Rehearsal. Capture the Flag.

An existing Palo Alto Networks SASE customer expresses that their security operations practice is having difficulty using the SASE data to help detect threats in their environment. They understand that parts of the Cortex portfolio could potentially help them and have reached out for guidance on moving forward. Which two Cortex products are good recommendations for this customer? (Choose two.). Cortex XSOAR. Cortex XDR. Cortex. Cortex XSIAM.

What is a benefit of user entity behavior analytics (UEBA) over security information and event management (SIEM)?. SIEMs support only agentless scanning, not agent-based workload protection across VMs, containers/Kubernetes. UEBA can add trusted signers of Windows or Mac processes to a whitelist in the Endpoint Security Manager (ESM) Console. SIEMs have difficulty detecting unknown or advanced security threats that do not involve malware, such as credential theft. UEBA establishes a secure connection in which endpoints can be routed, and it collects and forwards logs and files for analysis.

Which two items are stitched to the Cortex XDR causality chain? (Choose two.). firewall alert. SIEM alert. full URL. registry set value.

Which feature of Cortex XSIAM displays an entire picture of an attack, including the originating process or delivery point?. Sample analysis. Correlation rule. Causality View. Automation playbook.

What is a requirement when integrating Cortex XSIAM or Cortex XDR with other Palo Alto Networks products?. Advanced logging service license. HTTP Collector. Devices in the same region as XDR/XSIAM. XDR/XSIAM Broker VM.

Why is reputation scoring important in the Threat Intelligence Module of Cortex XSOAR?. It allows for easy comparison between open-source intelligence and paid services. It deconflicts prioritization when two vendors give different scores for the same indicator. It provides a mathematical model for combining scores from multiple vendors. It helps identify threat intelligence vendors with substandard content.

A Cortex XSOAR customer wants to send a survey to users asking them to input their manager's email for a training use case so the manager can receive status reports on the employee's training. However, the customer is concerned users will provide incorrect information to avoid sending status updates to their manager. How can Cortex XSOAR most efficiently sanitize user input prior to using the responses in the playbook?. Create a task that sends the survey responses to the analyst via email. If the responses are incorrect, the analyst fills out the correct response in the survey. Create a manual task to ask the analyst to validate the survey response in the platform. Create a sub-playbook and import a list of manager emails into XSOAR. Use a conditional task comparison to check if the response matches an email on the list. If no matches are found, loop the sub-playbook and send the survey back to the user until a match is found. Create a conditional task comparison to check if the response contains a valid email address.

Which statement applies to the malware protection flow in Cortex XDR Prevent?. Local static analysis happens before a WildFire verdict check. In the final step, the block list is verified. A trusted signed file is exempt from local static analysis. Hash comparisons come after local static analysis.

What are two ways a customer can configure user authentication access to Cortex Xpanse? (Choose two.). Secure Shell (SSH). SAML. RADIUS. Customer Support Portal.

An administrator has a critical group of systems running Windows XP SP3 that cannot be upgraded. The administrator wants to evaluate the ability of Traps to protect these systems and the word processing applications running on them. How should an administrator perform this evaluation?. Gather information about the word processing applications and run them on a Windows XP SP3 VM. Determine if any of the applications are vulnerable and run the exploit with an exploitation tool. Run word processing exploits in a latest version of Windows VM in a controlled and isolated environment. Document indicators of compromise and compare to Traps protection capabilities. Run a known 2015 flash exploit on a Windows XP SP3 VM, and run an exploitation tool that acts as a listener. Use the results to demonstrate Traps capabilities. Prepare the latest version of Windows VM. Gather information about the word processing applications, determine if some of them are vulnerable and prepare a working exploit for at least one of them. Execute with an exploitation tool.

Which two entities can be created as a behavioral indicator of compromise (BIOC)? (Choose two.). process. data. event alert. network.

Cortex XSOAR has extracted a malicious IP address involved in command-and-control traffic. What is the best method to automatically block this IP from communicating with endpoints without requiring a configuration change on the firewall?. Create a NetOps ticket requesting a configuration change to the firewall to block the IP. Add the IP address to an external dynamic list used by the firewall. Add the IP address to a threat intelligence management malicious IP list to elevate priority of future alerts. Block the IP address by creating a deny rule in the firewall.

What are two reasons incident investigation is needed in Cortex XDR? (Choose two.). No solution will stop every attack requiring further investigation of activity. Insider Threats may not be blocked and initial activity may go undetected. Analysts need to acquire forensic artifacts of malware that has been blocked by the XDR agent. Detailed reports are needed for senior management to justify the cost of XDR.

Which feature of Cortex XSIAM helps analysts reduce the noise and false positives that often plague traditional SIEM systems?. Alert range indicators. AI-generated correlation rules. Automatic incident scoring. Dynamic alarm fields.

Which CLI query would bring back Notable Events from Splunk?. !splunk-search query="* | head 3". ok.

What is the primary function of an engine in Cortex XSOAR?. To execute playbooks, scripts, commands, and integrations. To manage multiple Cortex XSOAR tenants. To provide a user interface for security analysts. To store and manage incident data, remediation plans, and documentation.

Which Cortex XSIAM feature can be used to onboard data sources?. Marketplace Integration. Playbook. Data Ingestion Dashboard. Asset Inventory.

Which integration allows data to be pushed from Cortex XSOAR into Splunk?. ArcSight ESM integration. SplunkUpdate integration. Demisto App for Splunk integration. SplunkPY integration.

What does DBot use to score an indicator that has multiple reputation scores?. most severe score. undefined score. average score. least severe score.

Which Linux OS command will manually load Docker images onto the Cortex XSOAR server in an air-gapped environment?. sudo repoquery -a --installed. sudo demistoserver-x.x-xxxx.sh -- -tools=load. sudo docker ps load. sudo docker load -i YOUR_DOCKER_FILE.tar.

Which type of log is ingested natively in Cortex XDR Pro per TB?. Google Kubernetes Engine. Demisto. Docker. Microsoft Office 365.