Title of test:
PSE Cortex 2024

Description:
PSE Pro Cortex

Author:
PaloAltoNetworks

Creation Date: 10/07/2024

Category: Computers

Number of questions: 62
Content:
A Cortex XSOAR customer wants to ingest from a single mailbox. The mailbox brings in reported phishing emails and email requests from human resources (HR) to onboard new users. The customer wants to run two separate workflows from this mailbox, one for phishing and one for onboarding. What will allow Cortex XSOAR to accomplish this in the most efficient way? Use machine learning (ML) to determine incident type Create two instances of the email integration and classify one instance as ingesting incidents of type phishing and the other as ingesting incidents of type onboarding Use an incident classifier based on field in each type of email to classify those containing “Phish Alert” in the subject as phishing and those containing “Onboard Request” as onboarding Create a playbook to process and determine incident type based on content of the email.
What allows the use of predetermined Palo Alto Networks roles to assign access rights to Cortex XDR users? Restrictions security profile Cloud identity engine (CIE) Endpoint groups role-based access control (RBAC).
What integration allows searching and displaying Splunk results within Cortex XSOAR? Demisto App for Splunk integration SplunkPY integration Splunk integration XSOAR REST API integration.
How can Cortex XSOAR save time when a phishing incident occurs? It can automatically identify every mailbox that received the phish and create corresponding cases for them It can automatically email staff to warn them about the phishing attack and show them a copy of the email It can automatically purge the email from user mailboxes in which it has not yet been opened It can automatically respond to the phishing email to unsubscribe from future emails.
Which two types of indicators of compromise (IOCs) are available for creation in Cortex XDR? Internet Protocol (IP) Endpoint hostname registry entry domain.
Which role is associated with responsibility for backups and disaster-recovery configuration? SOAR engineer IT administrator SOC/CERT analyst SOC/CERT manager.
Which type of deployment involves the use of one or more Cortex XSOAR engines? hosted cloud hybrid cloud private cloud protective enclave.
How do you change the log level? Edit the /etc/demisto.conf file. Use the drop-down menu on the Troubleshooting page. Stop the server process and restart it with a --log-level=<value> parameter. Add a custom server parameter services.log.detail with a value of 0, 1, or 2.
If you had sufficient privileges, on which page would a message that new content is available appear? Home Indicators Playbooks Dashboards.
Which manual action can you perform by use of the Cortex XSOAR web console to support air-gapped deployments? installation of Docker images execution of the tar command to decompress platform-content archives update of the content repository download of Docker images.
By what quantity can you increase your storage in Cortex Data Lake? 100GB 1GB 1TB 100TB.
Which two filter operators are available in Cortex XDR? (Choose two) < > Contains = Is Contained By.
What are process exceptions used for? whitelist programs from WildFire analysis permit processes to load specific DLLs change the WildFire verdict for a given executable disable an EPM for a particular process.
Which option is required to prepare the VDI Golden Image? Configure the Golden Image as a persistent VDI Use the Cortex XDR VDI tool to obtain verdicts for all PE files Install the Cortex XDR Agent on the local machine Run the Cortex VDI conversion tool.
A prospect has agreed to do a 30-day POC and asked to integrate with a product that Demisto currently does not have an integration with. How should you respond? Extend the POC window to allow the solution architects to build it Tell them we can build it with Professional Services. Tell them custom integrations are not created as part of the POC Agree to build the integration as part of the POC.
What method does the Traps agent use to identify malware during a scheduled scan? Heuristic analysis Local analysis Signature comparison WildFire hash comparison and dynamic analysis.
What is the result of creating an exception from an exploit security event? Whitelists the process from WildFire analysis exempts the user from generating events for 24 hours exempts administrators from generating alerts for 24 hours disables the triggered EPM for the host and process involved.
Which two entities can be created as a BIOC? (Choose two.) file registry event log alert log.
Which task allows the playbook to follow different paths based on specific conditions? Conditional Automation Manual Parallel.
If a customer activates a TMS tenant and has not purchased a Cortex Data Lake instance, Palo Alto Networks will provide the customer with a free instance. What size is this free Cortex Data Lake instance? 1 TB 10 GB 100 GB 10 TB.
What are two manual actions allowed on War Room entries? (Choose two.) Mark as artifact Mark as scheduled entry Mark as note Mark as evidence.
In Cortex XDR Prevent, which three matching criteria can be used to dynamically group endpoints? (Choose three.) alert root cause hostname domain/workgroup membership OS presence of Flash executable.
In an air-gapped environment where the Docker package was manually installed after the Cortex XSOAR installation, which action allows Cortex XSOAR to access Docker? create a "docker" group and add the "Cortex XSOAR" or "demisto" user to this group create a "Cortex XSOAR" or "demisto" group and add the "docker" user to this group disable the Cortex XSOAR service enable the docker service.
Which three Demisto incident type features can be customized under Settings > Advanced > Incident Types? (Choose three.) Define whether a playbook runs automatically when an incident type is encountered Set reminders for an incident SLA Add new fields to an incident type Define the way that incidents of a specific type are displayed in the system Drop new incidents of the same type that contain similar information.
The customer has indicated they need EDR data collection capabilities. Which Cortex XDR license is required? Cortex XDR Pro per TB Cortex XDR Prevent Cortex XDR Endpoint Cortex XDR Pro Per Endpoint.
If an anomalous process is discovered while investigating the cause of a security event, you can take immediate action to terminate the process or the whole process tree, and block processes from running by initiating which Cortex XDR capability? Live Sensors File Explorer Log Stitching Live Terminal.
Which deployment type supports installation of an engine on Windows, Mac OS, and Linux? RPM SH DEB ZIP.
An adversary is attempting to communicate with malware running on your network for the purpose of controlling malware activities or for exfiltrating data from your network. Which Cortex XDR Analytics alert is this activity most likely to trigger? Uncommon Local Scheduled Task Creation Malware New Administrative Behavior DNS Tunneling.
Which two filter operators are available in Cortex XDR? (Choose two.) not Contains !* => < >.
Which Cortex XDR Agent capability prevents loading malicious files from USB-connected removable equipment? Agent Configuration Device Control Device Customization Agent Management.
When analyzing logs for indicators, which are used for only BIOC identification? observed activity artifacts techniques error messages.
Which process in the causality chain does the Cortex XDR agent identify as triggering an event sequence? the relevant shell The causality group owner the adversary's remote process the chain's alert initiator.
How does DBot score an indicator that has multiple reputation scores? uses the most severe score the reputation as undefined uses the average score uses the least severe score.
"Bob" is a Demisto user. Which command is used to add "Bob" to an investigation from the War Room CLI? #Bob /invite Bob @Bob !invite Bob.
Which two items are stitched to the Cortex XDR causality chain? (Choose two.) firewall alert SIEM alert full URL registry set value.
Which Cortex XDR capability extends investigations to an endpoint? Log Stitching Causality Chain Sensors Live Terminal.
When integrating with Splunk, what will allow you to push alerts into Cortex XSOAR via the REST API? splunk-get-alerts integration command Cortex XSOAR TA App for Splunk SplunkSearch automation SplunkGO integration.
You have a playbook task that errors out. Where could you see the output of the task? /var/log/messages War Room of the incident Demisto Audit log Playbook Editor.
How can you view all the relevant incidents for an indicator? Linked Incidents column in Indicator Screen Linked Indicators column in Incident Screen Related Indicators column in Incident Screen Related Incidents column in Indicator Screen.
Which step is required to prepare the VDI Golden Image? Review any PE files that WildFire determined to be malicious Ensure the latest content updates are installed Run the VDI conversion tool Set the memory dumps to manual setting.
Which four types of Traps logs are stored within Cortex Data Lake? Threat, Config, System, Data Threat, Config, System, Analytic Threat, Monitor, System, Analytic Threat, Config, Authentication, Analytic.
A prospect has agreed to do a 30-day POC and asked to integrate with a product that Demisto currently does not have an integration with. How should you respond? Extend the POC window to allow the solution architects to build it Tell them we can build it with Professional Services. Tell them custom integrations are not created as part of the POC Agree to build the integration as part of the POC.
What is the result of creating an exception from an exploit security event? Whitelists the process from WildFire analysis exempts the user from generating events for 24 hours exempts administrators from generating alerts for 24 hours disables the triggered EPM for the host and process involved.
Which option describes a Load-Balancing Engine Group? A group of engines that use an algorithm to efficiently share the workload for integrations A group of engines that ensure High Availability of Demisto backend databases. A group of engines that use an algorithm to efficiently share the workload for automation scripts A group of D2 agents that share processing power across multiple endpoints.
Which two entities can be created as a BIOC? (Choose two.) file registry event log alert log.
The certificate used for decryption was installed as a trusted root CA certificate to ensure communication between the Cortex XDR Agent and Cortex XDR Management Console. What action needs to be taken if the administrator determines the Cortex XDR Agents are not communicating with the Cortex XDR Management Console? add paloaltonetworks.com to the SSL Decryption Exclusion list enable SSL decryption disable SSL decryption reinstall the root CA certificate.
Which task allows the playbook to follow different paths based on specific conditions? Conditional Automation Manual Parallel.
How do sub-playbooks affect the Incident Context Data? When set to private, task outputs do not automatically get written to the root context When set to private, task outputs automatically get written to the root context When set to global, allows parallel task execution. When set to global, sub-playbook tasks do not have access to the root context.
An EDR project was initiated by a CISO. Which resource will likely have the most heavy influence on the project? desktop engineer SOC manager SOC analyst IT operations manager.
How many use cases should a POC success criteria document include? only 1 3 or more no more than 5 no more than 2.
An Administrator is alerted to a Suspicious Process Creation security event from multiple users. The users believe that these events are false positives. Which two steps should the administrator take to confirm the false positives and create an exception? (Choose two.) With the Malware Security profile, disable the "Prevent Malicious Child Process Execution" module Within the Malware Security profile add the specific parent process, child process, and command line argument to the child process whitelist In the Cortex XDR security event, review the specific parent process, child process, and command line arguments Contact support and ask for a security exception.
How does an "inline" auto-extract task affect playbook execution? Doesn't wait until the indicators are enriched and continues executing the next Doesn't wait until the indicators are enriched but populate context data before executing the next step. Wait until the indicators are enriched but doesn't populate context data before executing the next step. Wait until the indicators are enriched and populate context data before executing the next step.
The prospect is deciding whether to go with a phishing or a ServiceNow use case as part of their POC. We have integrations for both but a playbook for phishing only. Which use case should be used for the POC? phishing either ServiceNow neither.
When a Demisto Engine is part of a Load-Balancing group, it: Must be in a Load-Balancing group with at least another 3 members It must have port 443 open to allow the Demisto Server to establish a connection Can be used separately as an engine, only if connected to the Demisto Server directly Cannot be used separately and does not appear in the engines drop-down menu when configuring an integration instance.
An administrator has a critical group of systems running Windows XP SP3 that cannot be upgraded. The administrator wants to evaluate the ability of Traps to protect these systems and the word processing applications running on them. How should an administrator perform this evaluation? Gather information about the word processing applications and run them on a Windows XP SP3 VM Determine if any of the applications are vulnerable and run the exploit with an exploitation tool Run word processing exploits in a latest version of Windows VM in a controlled and isolated environment. Document indicators of compromise and compare to Traps protection capabilities Run a known 2015 flash exploit on a Windows XP SP3 VM, and run an exploitation tool that acts as a listener Use the results to demonstrate Traps capabilities Prepare the latest version of Windows VM Gather information about the word processing applications, determine if some of them are vulnerable and prepare a working exploit for at least one of them Execute.
Which two formats are supported by Whitelist? (Choose two.) Regex STIX CSV CIDR.
What is the difference between an exception and an exclusion? An exception is based on rules and exclusions are on alerts An exclusion is based on rules and exceptions are based on alerts. An exception does not exist An exclusion does not exist.
Which service helps uncover attackers wherever they hide by combining world-class threat hunters with Cortex XDR technology that runs on integrated endpoint, network, and cloud data sources? Cloud Identity Engine (CIE) Threat Intelligence Platform (TIP) Virtual Desktop Infrastructure (VDI) Managed Threat Hunting (MTH).
An antivirus refresh project was initiated by the IT operations executive. Who is the best source for discussion about the project's operational considerations? endpoint manager SOC manager SOC analyst desktop engineer.
What is the retention requirement for Cortex Data Lake sizing? number of endpoints number of VM-Series NGFW number of days logs per second.
A customer wants the main Cortex XSOAR server installed in one site and wants to integrate with three other technologies in a second site. What communications are required between the two sites if the customer wants to install a Cortex XSOAR engine in the second site? The Cortex XSOAR server at the first site must be able to initiate a connection to the Cortex XSOAR engine at the second site. All connectivity is initiated from the Cortex XSOAR server on the first site via a managed cloud proxy. Dedicated site-to-site virtual private network (VPN) is required for the Cortex XSOAR server at the first site to initiate a connection to the Cortex XSOAR engine at the second site. The Cortex XSOAR engine at the first site must be able to initiate a connection to the Cortex XSOAR server at the second site.
Cortex XSOAR has extracted a malicious Internet Protocol (IP) address involved in command-and-control (C2) traffic. What is the best method to block this IP from communicating with endpoints without requiring a configuration change on the firewall? have XSOAR automatically add IP address to a deny rule in the firewall. Have XSOAR automatically add the IP address to a threat intelligence management (TIM) malicious IP list to elevate priority of future alerts. Have XSOAR automatically add the IP address to an external dynamic list (EDL) used by the firewall. Have XSOAR automatically create a NetOps ticket requesting a configuration change to the firewall to block the IP.