Pass Your Exam With 100% Verified XDR-Analyst Exam Questions [Q15-Q38]


Palo Alto Networks XDR-Analyst Exam Syllabus Topics:

  • Topic 1: Endpoint Security Management
  • Topic 2: Incident Handling and Response. This domain focuses on investigating alerts using forensics, causality chains and timelines, analyzing security incidents, executing response actions including automated remediation, and managing exclusions.
  • Topic 3: Data Analysis. This domain encompasses querying data with the XQL language, utilizing query templates and libraries, working with lookup tables, hunting for IOCs, using Cortex XDR dashboards, and understanding data retention and Host Insights.
  • Topic 4: Alerting and Detection Processes. This domain covers identifying alert types and sources, prioritizing alerts through scoring and custom configurations, creating incidents, and grouping alerts with data stitching techniques.
  • Topic 5: This domain addresses managing endpoint prevention profiles and policies, validating agent operational states, and assessing the impact of agent versions and content updates.


NEW QUESTION # 15
What license would be required for ingesting external logs from various vendors?

  • A. Cortex XDR Pro per Endpoint
  • B. Cortex XDR Pro per TB
  • C. Cortex XDR Vendor Agnostic Pro
  • D. Cortex XDR Cloud per Host

Answer: B

Explanation:
To ingest external logs from various vendors, you need a Cortex XDR Pro per TB license. This license allows you to collect and analyze logs from Palo Alto Networks and third-party sources, such as firewalls, proxies, endpoints, cloud services, and more. You can use the Log Forwarding app to forward logs from the Logging Service to an external syslog receiver. The Cortex XDR Pro per Endpoint license only supports logs from Cortex XDR agents installed on endpoints. The Cortex XDR Vendor Agnostic Pro and Cortex XDR Cloud per Host licenses do not exist. Reference:
Features by Cortex XDR License Type
Log Forwarding App for Cortex XDR Analytics
SaaS Log Collection


NEW QUESTION # 16
What should you do to automatically convert leads into alerts after investigating a lead?

  • A. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
  • B. Lead threats can't be prevented in the future because they already exist in the environment.
  • C. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
  • D. Build a search query using Query Builder or XQL using a list of lOCs.

Answer: C

Explanation:
To automatically convert leads into alerts after investigating a lead, you should create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting. IOC rules are used to detect known threats based on indicators of compromise (IOCs) such as file hashes, IP addresses, domain names, etc. By creating IOC rules from the leads, you can prevent future occurrences of the same threats and generate alerts for them. Reference:
PCDRA Study Guide, page 25
Cortex XDR 3: Handling Cortex XDR Alerts, section 3.2
Cortex XDR Documentation, section "Create IOC Rules"


NEW QUESTION # 17
When viewing the incident directly, what is the "assigned to" field value of a new Incident that was just reported to Cortex?

  • A. Pending
  • B. It is blank
  • C. Unassigned
  • D. New

Answer: C

Explanation:
The "assigned to" field value of a new incident that was just reported to Cortex is "Unassigned". This means that the incident has not been assigned to any analyst or group yet, and it is waiting for someone to take ownership of it. The "assigned to" field is one of the default fields that are displayed in the incident layout, and it can be used to filter and sort incidents in the incident list. The "assigned to" field can be changed manually by an analyst, or automatically by a playbook or a rule.
Let's briefly discuss the other options to provide a comprehensive explanation:
A. Pending: This is not the correct answer. Pending is not a valid value for the "assigned to" field. Pending is a possible value for the "status" field, which indicates the current state of the incident. The status field can have values such as "New", "Active", "Done", "Closed", or "Pending".
B. It is blank: This is not the correct answer. The "assigned to" field is never blank for any incident. It always has a default value of "Unassigned" for new incidents, unless a playbook or a rule assigns it to a specific analyst or group.
D. New: This is not the correct answer. New is not a valid value for the "assigned to" field. New is a possible value for the "status" field, which indicates the current state of the incident. The status field can have values such as "New", "Active", "Done", "Closed", or "Pending".
In conclusion, the "assigned to" field value of a new incident that was just reported to Cortex is "Unassigned". This field can be used to manage the ownership and responsibility of incidents, and it can be changed manually or automatically.
Reference:
Cortex XDR Pro Admin Guide: Manage Incidents
Cortex XDR Pro Admin Guide: Assign Incidents
Cortex XDR Pro Admin Guide: Update Incident Status


NEW QUESTION # 18
Which statement best describes how Behavioral Threat Protection (BTP) works?

  • A. BTP uses machine Learning to recognize malicious activity even if it is not known.
  • B. BTP matches EDR data with rules provided by Cortex XDR.
  • C. BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.
  • D. BTP injects into known vulnerable processes to detect malicious activity.

Answer: A

Explanation:
The statement that best describes how Behavioral Threat Protection (BTP) works is A, BTP uses machine learning to recognize malicious activity even if it is not known. BTP is a feature of Cortex XDR that allows you to define custom rules to detect and block malicious behaviors on endpoints. BTP uses machine learning to profile behavior and detect anomalies indicative of attack. BTP can recognize malicious activity based on file attributes, registry keys, processes, network connections, and other criteria, even if the activity is not associated with any known malware or threat. BTP rules are updated through content updates and can be managed from the Cortex XDR console.
The other statements are incorrect for the following reasons:
D is incorrect because BTP does not inject into known vulnerable processes to detect malicious activity. BTP does not rely on process injection, which is a technique used by some malware to hide or execute code within another process. BTP monitors the behavior of all processes on the endpoint, regardless of their vulnerability status, and compares them with the BTP rules.
C is incorrect because BTP does not run on the Cortex XDR and distribute behavioral signatures to all agents. BTP runs on the Cortex XDR agent, which is installed on the endpoint, and analyzes the endpoint data locally. BTP does not use behavioral signatures, which are predefined patterns of malicious behavior, but rather uses machine learning to identify anomalies and deviations from normal behavior.
B is incorrect because BTP does not match EDR data with rules provided by Cortex XDR. BTP is part of the EDR (Endpoint Detection and Response) capabilities of Cortex XDR, and uses the EDR data collected by the Cortex XDR agent to perform behavioral analysis. BTP does not match the EDR data with rules provided by Cortex XDR, but rather applies the BTP rules defined by the Cortex XDR administrator or the Palo Alto Networks threat research team.
Reference:
Cortex XDR Agent Administrator Guide: Behavioral Threat Protection
Cortex XDR: Stop Breaches with AI-Powered Cybersecurity


NEW QUESTION # 19
Which type of BIOC rule is currently available in Cortex XDR?

  • A. Network
  • B. Dropper
  • C. Threat Actor
  • D. Discovery

Answer: D

Explanation:
The type of BIOC rule that is currently available in Cortex XDR is Discovery. A Discovery BIOC rule is a rule that detects suspicious or malicious behavior on endpoints based on the Cortex XDR data. A Discovery BIOC rule can use various event types, such as file, injection, load image, network, process, registry, or user, to define the criteria for the rule. A Discovery BIOC rule can also use operators, functions, and variables to create complex logic and conditions for the rule. A Discovery BIOC rule can generate alerts when the rule is triggered, and these alerts can be grouped into incidents for further investigation and response.
Let's briefly discuss the other options to provide a comprehensive explanation:
C. Threat Actor: This is not the correct answer. Threat Actor is not a type of BIOC rule that is currently available in Cortex XDR. Threat Actor is a term that refers to an individual or a group that is responsible for a cyberattack or a threat campaign. Cortex XDR does not support creating BIOC rules based on threat actors, but it can provide threat intelligence and context from various sources, such as Unit 42, AutoFocus, or Cortex XSOAR.
A. Network: This is not the correct answer. Network is not a type of BIOC rule that is currently available in Cortex XDR. Network is an event type that can be used in a Discovery BIOC rule to define the criteria based on network attributes, such as source IP, destination IP, source port, destination port, protocol, or domain. Network is not a standalone type of BIOC rule, but a part of the Discovery BIOC rule.
B. Dropper: This is not the correct answer. Dropper is not a type of BIOC rule that is currently available in Cortex XDR. Dropper is a term that refers to a type of malware that is designed to download and install other malicious files or programs on a compromised system. Cortex XDR does not support creating BIOC rules based on droppers, but it can detect and prevent droppers using various methods, such as behavioral threat protection, exploit prevention, or WildFire analysis.
In conclusion, the type of BIOC rule that is currently available in Cortex XDR is Discovery. By using Discovery BIOC rules, you can create custom detection rules that match your specific use cases and scenarios.
Reference:
Create a BIOC Rule
BIOC Rule Event Types
Threat Intelligence and Context
Malware Prevention


NEW QUESTION # 20
Which profiles can the user use to configure malware protection in the Cortex XDR console?

  • A. Anti-Malware profile
  • B. Malware Detection profile
  • C. Malware profile
  • D. Malware Protection profile

Answer: D

Explanation:
The user can use the Malware Protection profile to configure malware protection in the Cortex XDR console. The Malware Protection profile defines the actions that Cortex XDR takes when it detects malware on your endpoints. You can configure different actions for different types of malware, such as ransomware, password theft, or child process. You can also configure the scan frequency and scope for periodic malware scans. The Malware Protection profile is part of the Endpoint Security policy that you assign to your endpoints. Reference:
Malware Protection Profile
Endpoint Security Policy


NEW QUESTION # 21
In Windows and macOS you need to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. What is one way to add an exception for the signer?

  • A. Create a new rule exception and use the signer as the characteristic.
  • B. Add the signer to the allow list under the action center page.
  • C. In the Restrictions Profile, add the file name and path to the Executable Files allow list.
  • D. Add the signer to the allow list in the malware profile.

Answer: D

Explanation:
To prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer in Windows and macOS, one way to add an exception for the signer is to add the signer to the allow list in the malware profile. A malware profile is a profile that defines the settings and actions for malware prevention and detection on the endpoints. A malware profile allows you to specify a list of files, folders, or signers that you want to exclude from malware scanning and blocking. By adding the signer to the allow list in the malware profile, you can prevent the Cortex XDR Agent from blocking any file that is signed by that signer.
Let's briefly discuss the other options to provide a comprehensive explanation:
C. In the Restrictions Profile, add the file name and path to the Executable Files allow list: This is not the correct answer. Adding the file name and path to the Executable Files allow list in the Restrictions Profile will not prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. A Restrictions Profile is a profile that defines the settings and actions for restricting the execution of files or processes on the endpoints. A Restrictions Profile allows you to specify a list of executable files that you want to allow or block based on the file name and path. However, this method does not take into account the digital signer of the file, and it may not be effective if the file name or path changes.
A. Create a new rule exception and use the signer as the characteristic: This is not the correct answer. Creating a new rule exception and using the signer as the characteristic will not prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. A rule exception is an exception that you can create to modify the behavior of a specific prevention rule or BIOC rule. A rule exception allows you to specify the characteristics and the actions that you want to apply to the exception, such as file hash, process name, IP address, or domain name. However, this method does not support using the signer as a characteristic, and it may not be applicable to all prevention rules or BIOC rules.
B. Add the signer to the allow list under the action center page: This is not the correct answer. Adding the signer to the allow list under the action center page will not prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. The action center page is a page that allows you to create and manage actions that you can perform on your endpoints, such as isolating, scanning, collecting files, or executing scripts. The action center page does not have an option to add a signer to the allow list, and it is not related to the malware prevention or detection functionality.
In conclusion, to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer in Windows and macOS, one way to add an exception for the signer is to add the signer to the allow list in the malware profile. By using this method, you can exclude the files that are signed by the trusted signer from the malware scanning and blocking.
Reference:
Add a New Malware Security Profile
Add a New Restrictions Security Profile
Create a Rule Exception
Action Center


NEW QUESTION # 22
What are two purposes of "Respond to Malicious Causality Chains" in a Cortex XDR Windows Malware profile? (Choose two.)

  • A. Automatically close the connections involved in malicious traffic.
  • B. Automatically block the IP addresses involved in malicious traffic.
  • C. Automatically kill the processes involved in malicious activity.
  • D. Automatically terminate the threads involved in malicious activity.

Answer: B,C

Explanation:
The "Respond to Malicious Causality Chains" feature in a Cortex XDR Windows Malware profile allows the agent to take automatic actions against network connections and processes that are involved in malicious activity on the endpoint. The feature has two modes: Block IP Address and Kill Process.
The two purposes of "Respond to Malicious Causality Chains" in a Cortex XDR Windows Malware profile are:
  • Automatically kill the processes involved in malicious activity. This can help to stop the malware from spreading or doing any further damage.
  • Automatically block the IP addresses involved in malicious traffic. This can help to prevent the malware from communicating with its command and control server or other malicious hosts.
The other two options, automatically close the connections involved in malicious traffic and automatically terminate the threads involved in malicious activity, are not specific to "Respond to Malicious Causality Chains". They are general security measures that the agent can perform regardless of the feature.
Reference:
Cortex XDR Agent Security Profiles
Cortex XDR Agent 7.5 Release Notes
PCDRA: What are purposes of "Respond to Malicious Causality Chains" in ...


NEW QUESTION # 24
When using the "File Search and Destroy" feature, which of the following search hash type is supported?

  • A. AES256 hash of the file
  • B. SHA256 hash of the file
  • C. MD5 hash of the file
  • D. SHA1 hash of the file

Answer: B

Explanation:
The File Search and Destroy feature is a capability of Cortex XDR that allows you to search for and delete malicious or unwanted files across your endpoints. You can use this feature to quickly respond to incidents, remediate threats, and enforce compliance policies. To use the File Search and Destroy feature, you need to specify the file name and the file hash of the file you want to search for and delete. The file hash is a unique identifier of the file that is generated by a cryptographic hash function. The file hash ensures that you are targeting the exact file you want, and not a file with a similar name or a different version. The File Search and Destroy feature supports the SHA256 hash type, which is a secure hash algorithm that produces a 256-bit (32-byte) hash value. The SHA256 hash type is widely used for file integrity verification and digital signatures. The File Search and Destroy feature does not support the other listed types: AES256 is an encryption algorithm, not a hash function, and MD5 and SHA1 are weaker hash algorithms. Therefore, the correct answer is B, SHA256 hash of the file. Reference:
File Search and Destroy
What is a File Hash?
SHA-2 - Wikipedia
When using the "File Search and Destroy" feature, which of the following search hash type is supported?


NEW QUESTION # 25
What kind of threat typically encrypts user files?

  • A. supply-chain attacks
  • B. Zero-day exploits
  • C. ransomware
  • D. SQL injection attacks

Answer: C

Explanation:
Ransomware is a type of malicious software, or malware, that encrypts user files and prevents users from accessing their data until they pay a ransom. Ransomware can affect individual users, businesses, and organizations of all kinds. Ransomware attacks can cause costly disruptions, data loss, and reputational damage. Ransomware can spread through various methods, such as phishing emails, malicious attachments, compromised websites, or network vulnerabilities. Some ransomware variants can also self-propagate and infect other devices or networks. Ransomware authors typically demand payment in cryptocurrency or other untraceable methods, and may threaten to delete or expose the encrypted data if the ransom is not paid within a certain time frame. However, paying the ransom does not guarantee that the files will be decrypted or that the attackers will not target the victim again. Therefore, the best way to protect against ransomware is to prevent infection in the first place, and to have a backup of the data in case of an attack. Reference:
What is Ransomware? | How to Protect Against Ransomware in 2023
Ransomware - Wikipedia
What is ransomware? | Ransomware meaning | Cloudflare
What Is Ransomware? | Ransomware.org
Ransomware - FBI


NEW QUESTION # 26
While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?

  • A. mark the incident as Resolved - False Positive
  • B. create an exception to prevent future false positives
  • C. mark the incident as Unresolved
  • D. create a BIOC rule excluding this behavior

Answer: A

Explanation:
If all alerts contained in a Cortex XDR incident have exclusions, the Cortex XDR console will automatically mark the incident as Resolved - False Positive. This means that the incident was not a real threat, but a benign or legitimate activity that triggered an alert. By marking the incident as Resolved - False Positive, the Cortex XDR console removes the incident from the list of unresolved incidents and does not count it towards the incident statistics. This helps the analyst to focus on the true positive incidents that require further investigation and response.
An exclusion is a rule that hides an alert from the Cortex XDR console, based on certain criteria, such as the alert source, type, severity, or description. An exclusion does not change the security policy or prevent the alert from firing; it only suppresses the alert from the console. An exclusion is useful when the analyst wants to reduce the noise of false positive alerts that are not relevant or important.
An exception, on the other hand, is a rule that overrides the security policy and allows or blocks a process or file from running on an endpoint, based on certain attributes, such as the file hash, path, name, or signer. An exception is useful when the analyst wants to prevent false negative alerts that are caused by malicious or unwanted files or processes that are not detected by the security policy.
A BIOC rule is a rule that creates an alert based on a custom XQL query that defines a specific behavior of interest or concern. A BIOC rule is useful when the analyst wants to detect and alert on anomalous or suspicious activities that are not covered by the default Cortex XDR rules.
Reference:
Palo Alto Networks Cortex XDR Documentation, Resolve an Incident
Palo Alto Networks Cortex XDR Documentation, Alert Exclusions
Palo Alto Networks Cortex XDR Documentation, Exceptions
Palo Alto Networks Cortex XDR Documentation, BIOC Rules


NEW QUESTION # 27
What is the function of WildFire for Cortex XDR?

  • A. WildFire accepts and analyses a sample to provide a verdict.
  • B. WildFire runs entirely on the agent to quickly analyse samples and provide a verdict.
  • C. WildFire is the engine that runs on the local agent and determines whether behavioural threats are occurring on the endpoint.
  • D. WildFire runs in the cloud and analyses alert data from the XDR agent to check for behavioural threats.

Answer: A

Explanation:
WildFire is a cloud-based service that accepts and analyses samples from various sources, including Cortex XDR, to provide a verdict of malware, benign, or grayware. WildFire also generates detailed analysis reports that show the behaviour and characteristics of the samples. Cortex XDR uses WildFire verdicts and reports to enhance its detection and prevention capabilities, as well as to provide more visibility and context into the threats. Reference:
WildFire Analysis Concepts
WildFire Overview


NEW QUESTION # 28
In incident-related widgets, how would you filter the display to only show incidents that were "starred"?

  • A. Create a custom XQL widget
  • B. Click the star in the widget
  • C. This is not currently supported
  • D. Create a custom report and filter on starred incidents

Answer: B

Explanation:
To filter the display to only show incidents that were "starred", you need to click the star in the widget. This will apply a filter that shows only the incidents that contain a starred alert, which is an alert that matches a specific condition that you define in the incident starring configuration. You can use the incident starring feature to prioritize and focus on the most important or relevant incidents in your environment.
Let's briefly discuss the other options to provide a comprehensive explanation:
A. Create a custom XQL widget: This is not the correct answer. Creating a custom XQL widget is not necessary to filter the display to only show starred incidents. A custom XQL widget is a widget that you create by using the XQL query language to define the data source and the visualization type. You can use custom XQL widgets to create your own dashboards or reports, but they are not required for filtering incidents by stars.
C. This is not currently supported: This is not the correct answer. Filtering the display to only show starred incidents is currently supported by Cortex XDR. You can use the star icon in the widget to apply this filter, or you can use the Filter Builder to create a custom filter based on the Starred field.
D. Create a custom report and filter on starred incidents: This is not the correct answer. Creating a custom report and filtering on starred incidents is not the only way to filter the display to only show starred incidents. A custom report is a report that you create by using the Report Builder to define the data source, the layout, and the schedule. You can use custom reports to generate and share periodic reports on your Cortex XDR data, but they are not the only option for filtering incidents by stars.
In conclusion, clicking the star in the widget is the simplest and easiest way to filter the display to only show incidents that were "starred". By using this feature, you can quickly identify and focus on the most critical or relevant incidents in your environment.
Reference:
Filter Incidents by Stars
Create a Custom XQL Widget
Create a Custom Report


NEW QUESTION # 29
What is the maximum number of agents one Broker VM local agent applet can support?

  • A. 10,000
  • B. 5,000
  • C. 20,000
  • D. 15,000

Answer: A

Explanation:
The Broker VM is a virtual machine that you can deploy in your network to provide various services and functionalities to the Cortex XDR agents. One of the services that the Broker VM offers is the Local Agent Settings applet, which allows you to configure the agent proxy, agent installer, and content caching settings for the agents. The Local Agent Settings applet can support a maximum number of 10,000 agents per Broker VM. If you have more than 10,000 agents in your network, you need to deploy additional Broker VMs and distribute the load among them. Reference:
Broker VM Overview: This document provides an overview of the Broker VM and its features, requirements, and deployment options.
Configure the Broker VM: This document explains how to install, set up, and configure the Broker VM in an ESXi environment.
Manage Broker VM from the Cortex XDR Management Console: This document describes how to activate and manage the Broker VM applets from the Cortex XDR management console.


NEW QUESTION # 30
Live Terminal uses which type of protocol to communicate with the agent on the endpoint?

  • A. TCP, over port 80
  • B. WebSocket
  • C. NetBIOS over TCP
  • D. UDP and a random port

Answer: B

Explanation:
Live Terminal uses the WebSocket protocol to communicate with the agent on the endpoint. WebSocket is a full-duplex communication protocol that enables bidirectional data exchange between a client and a server over a single TCP connection. WebSocket is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. WebSocket provides a persistent connection between the Cortex XDR console and the endpoint, allowing you to execute commands and receive responses in real time. Live Terminal uses port 443 for WebSocket communication, which is the same port used for HTTPS traffic. Reference:
Initiate a Live Terminal Session
WebSocket


NEW QUESTION # 31
Which module provides the best visibility to view vulnerabilities?

  • A. Forensics module
  • B. Host Insights module
  • C. Device Control Violations module
  • D. Live Terminal module

Answer: B

Explanation:
The Host Insights module provides the best visibility to view vulnerabilities on your endpoints. The Host Insights module is an add-on feature for Cortex XDR that combines vulnerability management, application and system visibility, and a Search and Destroy feature to help you identify and contain threats. The vulnerability management feature allows you to scan your Windows endpoints for known vulnerabilities and missing patches, and view the results in the Cortex XDR console. You can also filter and sort the vulnerabilities by severity, CVSS score, CVE ID, or patch availability. The Host Insights module helps you reduce your exposure to threats and improve your security posture. Reference:
Host Insights
Vulnerability Management


NEW QUESTION # 32
Can you disable the ability to use the Live Terminal feature in Cortex XDR?

  • A. No, it is a required feature of the agent.
  • B. Yes, via Agent Settings Profile.
  • C. No, a separate installer package without Live Terminal is required.
  • D. Yes, via the Cortex XDR console or with an installation switch.

Answer: B

Explanation:
The Live Terminal feature in Cortex XDR allows you to initiate a remote connection to an endpoint and perform various actions such as running commands, uploading and downloading files, and terminating processes. You can disable the ability to use the Live Terminal feature in Cortex XDR by configuring the Agent Settings Profile. The Agent Settings Profile defines the behavior and functionality of the Cortex XDR agent on the endpoint. You can create different profiles for different groups of endpoints and assign them accordingly. To disable the Live Terminal feature, you need to uncheck the Enable Live Terminal option in the Agent Settings Profile and save the changes. This will prevent the Cortex XDR agent from accepting any Live Terminal requests from the Cortex XDR management console. Reference:
Live Terminal: This document explains how to use the Live Terminal feature to investigate and respond to security events on Windows endpoints.
Agent Settings Profile: This document describes how to create and manage Agent Settings Profiles to define the behavior and functionality of the Cortex XDR agent on the endpoint.


NEW QUESTION # 33
Which of the following Live Terminal options are available for Android systems?

  • A. Run APK scripts.
  • B. Stop an app.
  • C. Run Android commands.
  • D. Live Terminal is not supported.

Answer: C

Explanation:
Cortex XDR supports Live Terminal for Android systems, which allows you to remotely access and manage Android endpoints using a command-line interface. You can use Live Terminal to run Android commands, such as adb shell, adb logcat, adb install, and adb uninstall. You can also use Live Terminal to view and modify files, directories, and permissions on the Android endpoints. Live Terminal for Android systems does not support stopping an app or running APK scripts. Reference:
Cortex XDR documentation portal
Initiate a Live Terminal Session
Live Terminal Commands


NEW QUESTION # 34
Which of the following best defines the Windows Registry as used by the Cortex XDR agent?

  • A. a hierarchical database that stores settings for the operating system and for applications
  • B. a system of files used by the operating system to commit memory that exceeds the available hardware resources. Also known as the "swap"
  • C. a central system, available via the internet, for registering officially licensed versions of software to prove ownership
  • D. a ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system

Answer: A

Explanation:
The Windows Registry is a hierarchical database that stores settings for the operating system and for applications that run on Windows. The registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems. The registry is organized into five main sections, called hives, each of which contains keys, subkeys, and values. The Cortex XDR agent uses the registry to store its configuration, status, and logs, as well as to monitor and control the endpoint's security features. The Cortex XDR agent also allows you to run scripts that can read, write, or delete registry keys and values on the endpoint. Reference:
Windows Registry - Wikipedia
Registry Operations


NEW QUESTION # 35
What action does the Managed Threat Hunting team take for zero-day exploits?

  • A. MTH researches for threats in the logs and reports to engineering.
  • B. MTH pushes content updates to prevent against the zero-day exploits.
  • C. MTH runs queries and investigative actions and no further action is taken.
  • D. MTH researches for threats in the tenant and generates a report with the findings.

Answer: D

Explanation:
The Managed Threat Hunting (MTH) team is a group of security experts who proactively hunt for threats in the Cortex XDR tenant and generate a report with the findings. The MTH team uses advanced queries and investigative actions to identify and analyze potential threats, such as zero-day exploits, that may have bypassed the prevention and detection capabilities of Cortex XDR. The MTH team also provides recommendations and best practices to help customers remediate the threats and improve their security posture. Reference:
Managed Threat Hunting Service
Managed Threat Hunting Report


NEW QUESTION # 36
The Cortex XDR console has triggered an incident, blocking a vitally important piece of software in your organization that is known to be benign. Which of the following options would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization?

  • A. Create an individual alert exclusion.
  • B. Create an endpoint-specific exception.
  • C. Create a global exception.
  • D. Create a global inclusion.

Answer: C

Explanation:
A global exception is a rule that allows you to exclude specific files, processes, or behaviors from being blocked or detected by Cortex XDR. A global exception applies to all endpoints in your organization that are protected by Cortex XDR. Creating a global exception for a vitally important piece of software that is known to be benign would prevent Cortex XDR from blocking this software in the future, for all endpoints in your organization.
To create a global exception, follow these steps:
1. In the Cortex XDR management console, go to Policy Management > Exceptions and click Add Exception.
2. Select the Global Exception option and click Next.
3. Enter a name and description for the exception and click Next.
4. Select the type of exception you want to create, such as file, process, or behavior, and click Next.
5. Specify the criteria for the exception, such as file name, hash, path, process name, command line, or behavior name, and click Next.
6. Review the summary of the exception and click Finish.
Reference:
Create Global Exceptions: This document explains how to create global exceptions to exclude specific files, processes, or behaviors from being blocked or detected by Cortex XDR.
Exceptions Overview: This document provides an overview of exceptions and how they can be used to fine-tune the Cortex XDR security policy.


NEW QUESTION # 37
What is the purpose of the Cortex Data Lake?

  • A. the workspace for your Cortex XDR agents to detonate potential malware files
  • B. a local storage facility where your logs and alert data can be aggregated
  • C. a cloud-based storage facility where your firewall logs are stored
  • D. the interface between firewalls and the Cortex XDR agents

Answer: C

Explanation:
The purpose of the Cortex Data Lake is to provide a cloud-based storage facility where your firewall logs are stored. Cortex Data Lake is a service that collects, transforms, and integrates your enterprise's security data to enable Palo Alto Networks solutions. It powers AI and machine learning, detection accuracy, and app and service innovation. Cortex Data Lake automatically collects, integrates, and normalizes data across your security infrastructure, including your next-generation firewalls, Prisma Access, and Cortex XDR. With unified data, you can run advanced AI and machine learning to radically simplify security operations with apps built on Cortex. Cortex Data Lake is available in multiple regions and supports data residency and privacy requirements. Reference:
Cortex Data Lake - Palo Alto Networks
Cortex Data Lake, the technology behind Cortex XDR - Palo Alto Networks
CORTEX DATA LAKE - Palo Alto Networks
Sizing for Cortex Data Lake Storage - Palo Alto Networks


NEW QUESTION # 38
......
