CompTIA
Checkpoint
ISC
HP
Dell
EC-Council
EXIN
Fortinet
ITIL®
Juniper
PMI
Microsoft
VMware
Avaya
Google
Salesforce
Amazon
Palo Alto Networks
Certiport
ISC2
All Vendors
  2. Home
  3. Exams
  4. Palo Alto Networks
  5. PCDRA

Free PCDRA Exam Braindumps (page: 5)

Page 5 of 23
PDF with 96 Questions

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to download Cobalt Strike on one of your servers. Days later, you learn about a massive ongoing supply chain attack. Using Cortex XDR you recognize that your server was compromised by the attack and that Cortex XDR prevented it.
What steps can you take to ensure that the same protection is extended to all your servers?

  1. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
  2. Enable DLL Protection on all servers but there might be some false positives.
  3. Create IOCs of the malicious files you have found to prevent their execution.
  4. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.

Answer(s): A

Explanation:

To ensure that the same protection is extended to all your servers, you need to create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity. BTP is a feature of Cortex XDR that allows you to create custom rules that detect and block malicious or suspicious behaviors on your endpoints, such as file execution, process injection, network connection, or registry modification. BTP rules can use various operators, functions, and variables to define the criteria and the actions for the rules. By creating BTP rules that match the behaviors of the supply chain attack, you can prevent the attack from compromising your servers12. Let's briefly discuss the other options to provide a comprehensive explanation:
B) Enable DLL Protection on all servers but there might be some false positives: This is not the correct answer. Enabling DLL Protection on all servers will not ensure that the same protection is extended to all your servers. DLL Protection is a feature of Cortex XDR that allows you to block the execution of unsigned or untrusted DLL files on your endpoints. DLL Protection can help to prevent some types of attacks that use malicious DLL files, but it may not be effective against the supply chain attack that used a Trojanized DLL file that was digitally signed by a trusted vendor. DLL Protection may also cause some false positives, as it may block some legitimate DLL files that are unsigned or untrusted3. C) Create IOCs of the malicious files you have found to prevent their execution: This is not the correct answer. Creating IOCs of the malicious files you have found will not ensure that the same protection is extended to all your servers. IOCs are indicators of compromise that you can create to detect and respond to known threats on your endpoints, such as file hashes, registry keys, IP addresses, domain names, or full paths. IOCs can help to identify and block the malicious files that you have already discovered, but they may not be effective against the supply chain attack that used different variants of the malicious files with different hashes or names. IOCs may also become outdated, as the attackers may change or update their files to evade detection4.

D) Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading: This is not the correct answer. Enabling BTP with cytool will not ensure that the same protection is extended to all your servers. BTP is a feature of Cortex XDR that allows you to create custom rules that detect and block malicious or suspicious behaviors on your endpoints, such as file execution, process injection, network connection, or registry modification. BTP rules can help to prevent the attack from spreading, but they need to be created and configured in the Cortex XDR app, not with cytool. Cytool is a command-line tool that allows you to perform various operations on the Cortex XDR agent, such as installing, uninstalling, upgrading, or troubleshooting. Cytool does not have an option to enable or configure BTP rules.
In conclusion, to ensure that the same protection is extended to all your servers, you need to create BTP rules to recognize and prevent the activity. By using BTP rules, you can create custom and flexible prevention rules that match the behaviors of the supply chain attack.


Reference:

Behavioral Threat Protection
Create a BTP Rule
DLL Protection
Create an IOC Rule
[Cytool]



Which statement is true based on the following Agent Auto Upgrade widget?

  1. There are a total of 689 Up To Date agents.
  2. Agent Auto Upgrade was enabled but not on all endpoints.
  3. Agent Auto Upgrade has not been enabled.
  4. There are more agents in Pending status than In Progress status.

Answer(s): B

Explanation:

The Agent Auto Upgrade widget shows the status of the agent auto upgrade feature on the endpoints. The widget displays the number of agents that are up to date, in progress, pending, failed, and not configured. In this case, the widget shows that there are 450 agents that are up to date, 78 in progress, 15 pending, 18 failed, and 128 not configured. This means that the agent auto upgrade feature was enabled but not on all endpoints.


Reference:

Cortex XDR Agent Auto Upgrade
PCDRA Study Guide



What is the purpose of targeting software vendors in a supply-chain attack?

  1. to take advantage of a trusted software delivery method.
  2. to steal users' login credentials.
  3. to access source code.
  4. to report Zero-day vulnerabilities.

Answer(s): A

Explanation:

A supply chain attack is a type of cyberattack that targets a trusted third-party vendor who offers services or software vital to the supply chain. Software supply chain attacks inject malicious code into an application in order to infect all users of an app. The purpose of targeting software vendors in a supply-chain attack is to take advantage of a trusted software delivery method, such as an update or a download, that can reach a large number of potential victims. By compromising a software vendor, an attacker can bypass the security measures of the downstream organizations and gain access to their systems, data, or networks.


Reference:

What Is a Supply Chain Attack? - Definition, Examples & More | Proofpoint US What Is a Supply Chain Attack? - CrowdStrike
What Is a Supply Chain Attack? | Zscaler
What Is a Supply Chain Attack? Definition, Examples & Prevention



What is the standard installation disk space recommended to install a Broker VM?

  1. 1GB disk space
  2. 2GB disk space
  3. 512GB disk space
  4. 256GB disk space

Answer(s): D

Explanation:

The Broker VM for Cortex XDR is a virtual machine that serves as the central communication hub for all Cortex XDR agents deployed in your organization. It enables agents to communicate with the Cortex XDR cloud service and allows you to manage and monitor the agents' activities from a centralized location. The system requirements for the Broker VM are as follows:
CPU: 4 cores
RAM: 8 GB
Disk space: 256 GB
Network: Internet access and connectivity to all Cortex XDR agents The disk space requirement is based on the number of agents and the frequency of content updates. The Broker VM stores the content updates locally and distributes them to the agents. The disk space also depends on the retention period of the content updates, which can be configured in the Broker VM settings. The default retention period is 30 days.


Reference:

Broker VM for Cortex XDR
PCDRA Study Guide



Page 5 of 23



Post your Comments and Discuss Palo Alto Networks PCDRA exam with other Community members:

Mohammed commented on September 24, 2024
Thank you for providing this exam dumps. The site is amazing and very clean. Please keep it this way and don't add any annoying ads or recaptcha validation like other sites.
GERMANY
upvote

cert commented on September 24, 2023
admin guide (windows) respond to malicious causality chains. when the cortex xdr agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the ip address to close all existing communication and block new connections from this ip address to the endpoint. when cortex xdrblocks an ip address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. you can view the list of all blocked ip addresses per endpoint from the action center, as well as unblock them to re-enable communication as appropriate. this module is supported with cortex xdr agent 7.3.0 and later. select the action mode to take when the cortex xdr agent detects remote malicious causality chains: enabled (default)—terminate connection and block ip address of the remote connection. disabled—do not block remote ip addresses. to allow specific and known s
Anonymous
upvote

cert commented on September 24, 2023
admin guide (Windows) Respond to Malicious Causality Chains. When the Cortex XDR agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the IP address to close all existing communication and block new connections from this IP address to the endpoint. When Cortex XDRblocks an IP address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. You can view the list of all blocked IP addresses per endpoint from the Action Center, as well as unblock them to re-enable communication as appropriate. This module is supported with Cortex XDR agent 7.3.0 and later. Select the Action Mode to take when the Cortex XDR agent detects remote malicious causality chains: Enabled (default)—Terminate connection and block IP address of the remote connection. Disabled—Do not block remote IP addresses. To allow specific and known s
Anonymous
upvote