Free PCDRA Exam Braindumps (page: 11)

Page 11 of 23

While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion.
What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?

  A. mark the incident as Unresolved
  B. create a BIOC rule excluding this behavior
  C. create an exception to prevent future false positives
  D. mark the incident as Resolved - False Positive

Answer(s): D

Explanation:

If all alerts contained in a Cortex XDR incident have exclusions, the Cortex XDR console will automatically mark the incident as Resolved - False Positive. This means that the incident was not a real threat, but a benign or legitimate activity that triggered an alert. By marking the incident as Resolved - False Positive, the Cortex XDR console removes the incident from the list of unresolved incidents and does not count it towards the incident statistics. This helps the analyst to focus on the true positive incidents that require further investigation and response [1]. An exclusion is a rule that hides an alert from the Cortex XDR console, based on certain criteria, such as the alert source, type, severity, or description. An exclusion does not change the security policy or prevent the alert from firing; it only suppresses the alert from the console. An exclusion is useful when the analyst wants to reduce the noise of false positive alerts that are not relevant or important [2].
An exception, on the other hand, is a rule that overrides the security policy and allows or blocks a process or file from running on an endpoint, based on certain attributes, such as the file hash, path, name, or signer. An exception is useful when the analyst wants to prevent false negative alerts that are caused by malicious or unwanted files or processes that are not detected by the security policy [3]. A BIOC rule is a rule that creates an alert based on a custom XQL query that defines a specific behavior of interest or concern. A BIOC rule is useful when the analyst wants to detect and alert on anomalous or suspicious activities that are not covered by the default Cortex XDR rules [4].


Reference:

[1] Palo Alto Networks Cortex XDR Documentation, Resolve an Incident
[2] Palo Alto Networks Cortex XDR Documentation, Alert Exclusions
[3] Palo Alto Networks Cortex XDR Documentation, Exceptions
[4] Palo Alto Networks Cortex XDR Documentation, BIOC Rules



Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack will be neutralized.
Which of the following statements is correct?

  A. Cortex XDR Analytics allows you to interfere with the pattern as soon as it is observed on the firewall.
  B. Cortex XDR Analytics does not interfere with the pattern as soon as it is observed on the endpoint.
  C. Cortex XDR Analytics does not have to interfere with the pattern as soon as it is observed on the endpoint in order to prevent the attack.
  D. Cortex XDR Analytics allows you to interfere with the pattern as soon as it is observed on the endpoint.

Answer(s): D

Explanation:

Cortex XDR Analytics is a cloud-based service that uses machine learning and artificial intelligence to detect and prevent network attacks. Cortex XDR Analytics can interfere with the attack pattern as soon as it is observed on the endpoint by applying protection policies that block malicious processes, files, or network connections. This way, Cortex XDR Analytics can stop the attack before it causes any damage or compromises the system.


Reference:

Cortex XDR Analytics Overview
Cortex XDR Analytics Protection Policies



After a scan, how does the file quarantine function work on an endpoint?

  A. Quarantine takes ownership of the files and folders and prevents execution through access control.
  B. Quarantine disables the network adapters and locks down access, preventing any communications with the endpoint.
  C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.
  D. Quarantine prevents an endpoint from communicating with anything besides the listed exceptions in the agent profile and Cortex XDR.

Answer(s): C

Explanation:

Quarantine is a feature of Cortex XDR that allows you to isolate a malicious file from its original location and prevent it from being executed. Quarantine works by moving the file to a protected folder on the endpoint and changing its permissions and attributes. Quarantine can be applied to files detected by periodic scans or by behavioral threat protection (BTP) rules. Quarantine is only supported for portable executable (PE) and dynamic link library (DLL) files. Quarantine does not affect the network connectivity or the communication of the endpoint with Cortex XDR.


Reference:

Quarantine Malicious Files
Manage Quarantined Files



Which two types of exception profiles can you create in Cortex XDR? (Choose two.)

  A. exception profiles that apply to specific endpoints
  B. agent exception profiles that apply to specific endpoints
  C. global exception profiles that apply to all endpoints
  D. role-based profiles that apply to specific endpoints

Answer(s): B,C

Explanation:

Cortex XDR allows you to create two types of exception profiles: agent exception profiles and global exception profiles. Agent exception profiles apply to specific endpoints that are assigned to the profile. Global exception profiles apply to all endpoints in your network. You can use exception profiles to configure different types of exceptions, such as process exceptions, support exceptions, behavioral threat protection rule exceptions, local analysis rules exceptions, advanced analysis exceptions, or digital signer exceptions. Exception profiles help you fine-tune the security policies for your endpoints and reduce false positives.


Reference:

Exception Security Profiles
Create an Agent Exception Profile
Create a Global Exception Profile



Mohammed commented on September 24, 2024
Thank you for providing this exam dumps. The site is amazing and very clean. Please keep it this way and don't add any annoying ads or recaptcha validation like other sites.

cert commented on September 24, 2023
Admin guide (Windows), Respond to Malicious Causality Chains. When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all existing communication and block new connections from this IP address to the endpoint. When Cortex XDR blocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate. This module is supported with Cortex XDR agent 7.3.0 and later. Select the Action Mode to take when the Cortex XDR agent detects remote malicious causality chains: Enabled (default)—Terminate connection and block IP address of the remote connection. Disabled—Do not block remote IP addresses. To allow specific and known s