Practice Free XDR-Analyst Exam Online Questions
Question #21
Which of the following Live Terminal options are available for Android systems?
- A . Live Terminal is not supported.
- B . Stop an app.
- C . Run APK scripts.
- D . Run Android commands.
Correct Answer: D
D
Explanation:
Cortex XDR supports Live Terminal for Android systems, which allows you to remotely access and manage Android endpoints using a command-line interface. You can use Live Terminal to run Android commands, such as adb shell, adb logcat, adb install, and adb uninstall. You can also use Live Terminal to view and modify files, directories, and permissions on the Android endpoints. Live Terminal for Android systems does not support stopping an app or running APK scripts.
Reference: Cortex XDR documentation portal
Initiate a Live Terminal Session
Live Terminal Commands
D
Explanation:
Cortex XDR supports Live Terminal for Android systems, which allows you to remotely access and manage Android endpoints using a command-line interface. You can use Live Terminal to run Android commands, such as adb shell, adb logcat, adb install, and adb uninstall. You can also use Live Terminal to view and modify files, directories, and permissions on the Android endpoints. Live Terminal for Android systems does not support stopping an app or running APK scripts.
Reference: Cortex XDR documentation portal
Initiate a Live Terminal Session
Live Terminal Commands
Question #22
Which minimum Cortex XDR agent version is required for Kubernetes Cluster?
- A . Cortex XDR 6.1
- B . Cortex XDR 7.4
- C . Cortex XDR 7.5
- D . Cortex XDR 5.0
Correct Answer: C
C
Explanation:
The minimum Cortex XDR agent version required for Kubernetes Cluster is Cortex XDR 7.5. This version introduces the Cortex XDR agent for Kubernetes hosts, which provides protection and visibility for Linux hosts that run on Kubernetes clusters. The Cortex XDR agent for Kubernetes hosts supports the following features:
Anti-malware protection
Behavioral threat protection
Exploit protection
File integrity monitoring
Network security
Audit and remediation
Live terminal
To install the Cortex XDR agent for Kubernetes hosts, you need to deploy the Cortex XDR agent as a DaemonSet on your Kubernetes cluster. You also need to configure the agent settings profile and the agent installer in the Cortex XDR management console.
Reference: Cortex XDR Agent Release Notes: This document provides the release notes for Cortex XDR agent
versions, including the new features, enhancements, and resolved issues.
Install the Cortex XDR Agent for Kubernetes Hosts: This document explains how to install and configure the Cortex XDR agent for Kubernetes hosts using the Cortex XDR management console and the Kubernetes command-line tool.
C
Explanation:
The minimum Cortex XDR agent version required for Kubernetes Cluster is Cortex XDR 7.5. This version introduces the Cortex XDR agent for Kubernetes hosts, which provides protection and visibility for Linux hosts that run on Kubernetes clusters. The Cortex XDR agent for Kubernetes hosts supports the following features:
Anti-malware protection
Behavioral threat protection
Exploit protection
File integrity monitoring
Network security
Audit and remediation
Live terminal
To install the Cortex XDR agent for Kubernetes hosts, you need to deploy the Cortex XDR agent as a DaemonSet on your Kubernetes cluster. You also need to configure the agent settings profile and the agent installer in the Cortex XDR management console.
Reference: Cortex XDR Agent Release Notes: This document provides the release notes for Cortex XDR agent
versions, including the new features, enhancements, and resolved issues.
Install the Cortex XDR Agent for Kubernetes Hosts: This document explains how to install and configure the Cortex XDR agent for Kubernetes hosts using the Cortex XDR management console and the Kubernetes command-line tool.
Question #23
Which statement best describes how Behavioral Threat Protection (BTP) works?
- A . BTP injects into known vulnerable processes to detect malicious activity.
- B . BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.
- C . BTP matches EDR data with rules provided by Cortex XDR.
- D . BTP uses machine Learning to recognize malicious activity even if it is not known.
Correct Answer: D
D
Explanation:
The statement that best describes how Behavioral Threat Protection (BTP) works is D, BTP uses machine learning to recognize malicious activity even if it is not known. BTP is a feature of Cortex XDR that allows you to define custom rules to detect and block malicious behaviors on endpoints. BTP uses machine learning to profile behavior and detect anomalies indicative of attack. BTP can recognize malicious activity based on file attributes, registry keys, processes, network connections, and other criteria, even if the activity is not associated with any known malware or threat. BTP rules are updated through content updates and can be managed from the Cortex XDR console.
The other statements are incorrect for the following reasons:
A is incorrect because BTP does not inject into known vulnerable processes to detect malicious activity. BTP does not rely on process injection, which is a technique used by some malware to hide or execute code within another process. BTP monitors the behavior of all processes on the endpoint, regardless of their vulnerability status, and compares them with the BTP rules.
B is incorrect because BTP does not run on the Cortex XDR and distribute behavioral signatures to all agents. BTP runs on the Cortex XDR agent, which is installed on the endpoint, and analyzes the endpoint data locally. BTP does not use behavioral signatures, which are predefined patterns of malicious behavior, but rather uses machine learning to identify anomalies and deviations from normal behavior.
C is incorrect because BTP does not match EDR data with rules provided by Cortex XDR. BTP is part of the EDR (Endpoint Detection and Response) capabilities of Cortex XDR, and uses the EDR data collected by the Cortex XDR agent to perform behavioral analysis. BTP does not match the EDR data with rules provided by Cortex XDR, but rather applies the BTP rules defined by the Cortex XDR administrator or the Palo Alto Networks threat research team.
Reference: Cortex XDR Agent Administrator Guide: Behavioral Threat Protection
Cortex XDR: Stop Breaches with AI-Powered Cybersecurity
D
Explanation:
The statement that best describes how Behavioral Threat Protection (BTP) works is D, BTP uses machine learning to recognize malicious activity even if it is not known. BTP is a feature of Cortex XDR that allows you to define custom rules to detect and block malicious behaviors on endpoints. BTP uses machine learning to profile behavior and detect anomalies indicative of attack. BTP can recognize malicious activity based on file attributes, registry keys, processes, network connections, and other criteria, even if the activity is not associated with any known malware or threat. BTP rules are updated through content updates and can be managed from the Cortex XDR console.
The other statements are incorrect for the following reasons:
A is incorrect because BTP does not inject into known vulnerable processes to detect malicious activity. BTP does not rely on process injection, which is a technique used by some malware to hide or execute code within another process. BTP monitors the behavior of all processes on the endpoint, regardless of their vulnerability status, and compares them with the BTP rules.
B is incorrect because BTP does not run on the Cortex XDR and distribute behavioral signatures to all agents. BTP runs on the Cortex XDR agent, which is installed on the endpoint, and analyzes the endpoint data locally. BTP does not use behavioral signatures, which are predefined patterns of malicious behavior, but rather uses machine learning to identify anomalies and deviations from normal behavior.
C is incorrect because BTP does not match EDR data with rules provided by Cortex XDR. BTP is part of the EDR (Endpoint Detection and Response) capabilities of Cortex XDR, and uses the EDR data collected by the Cortex XDR agent to perform behavioral analysis. BTP does not match the EDR data with rules provided by Cortex XDR, but rather applies the BTP rules defined by the Cortex XDR administrator or the Palo Alto Networks threat research team.
Reference: Cortex XDR Agent Administrator Guide: Behavioral Threat Protection
Cortex XDR: Stop Breaches with AI-Powered Cybersecurity
Question #24
What is by far the most common tactic used by ransomware to shut down a victim’s operation?
- A . preventing the victim from being able to access APIs to cripple infrastructure
- B . denying traffic out of the victims network until payment is received
- C . restricting access to administrative accounts to the victim
- D . encrypting certain files to prevent access by the victim
Correct Answer: D
D
Explanation:
Ransomware is a type of malicious software, or malware, that encrypts certain files or data on the victim’s system or network and prevents them from accessing their data until they pay a ransom. This is by far the most common tactic used by ransomware to shut down a victim’s operation, as it can cause costly disruptions, data loss, and reputational damage. Ransomware can affect individual users, businesses, and organizations of all kinds. Ransomware can spread through various methods, such as phishing emails, malicious attachments, compromised websites, or network vulnerabilities. Some ransomware variants can also self-propagate and infect other devices or networks.
Ransomware authors typically demand payment in cryptocurrency or other untraceable methods, and may threaten to delete or expose the encrypted data if the ransom is not paid within a certain time frame. However, paying the ransom does not guarantee that the files will be decrypted or that the attackers will not target the victim again. Therefore, the best way to protect against ransomware is to prevent infection in the first place, and to have a backup of the data in case of an attack1234
Reference: What is Ransomware? | How to Protect Against Ransomware in 2023 Ransomware – Wikipedia
What is ransomware? | Ransomware meaning | Cloudflare [What Is Ransomware? | Ransomware.org]
[Ransomware ― FBI]
D
Explanation:
Ransomware is a type of malicious software, or malware, that encrypts certain files or data on the victim’s system or network and prevents them from accessing their data until they pay a ransom. This is by far the most common tactic used by ransomware to shut down a victim’s operation, as it can cause costly disruptions, data loss, and reputational damage. Ransomware can affect individual users, businesses, and organizations of all kinds. Ransomware can spread through various methods, such as phishing emails, malicious attachments, compromised websites, or network vulnerabilities. Some ransomware variants can also self-propagate and infect other devices or networks.
Ransomware authors typically demand payment in cryptocurrency or other untraceable methods, and may threaten to delete or expose the encrypted data if the ransom is not paid within a certain time frame. However, paying the ransom does not guarantee that the files will be decrypted or that the attackers will not target the victim again. Therefore, the best way to protect against ransomware is to prevent infection in the first place, and to have a backup of the data in case of an attack1234
Reference: What is Ransomware? | How to Protect Against Ransomware in 2023 Ransomware – Wikipedia
What is ransomware? | Ransomware meaning | Cloudflare [What Is Ransomware? | Ransomware.org]
[Ransomware ― FBI]
Question #25
Which profiles can the user use to configure malware protection in the Cortex XDR console?
- A . Malware Protection profile
- B . Malware profile
- C . Malware Detection profile
- D . Anti-Malware profile
Correct Answer: A
A
Explanation:
The user can use the Malware Protection profile to configure malware protection in the Cortex XDR console. The Malware Protection profile defines the actions that Cortex XDR takes when it detects malware on your endpoints. You can configure different actions for different types of malware, such as ransomware, password theft, or child process. You can also configure the scan frequency and scope for periodic malware scans. The Malware Protection profile is part of the Endpoint Security policy that you assign to your endpoints.
Reference: Malware Protection Profile
Endpoint Security Policy
A
Explanation:
The user can use the Malware Protection profile to configure malware protection in the Cortex XDR console. The Malware Protection profile defines the actions that Cortex XDR takes when it detects malware on your endpoints. You can configure different actions for different types of malware, such as ransomware, password theft, or child process. You can also configure the scan frequency and scope for periodic malware scans. The Malware Protection profile is part of the Endpoint Security policy that you assign to your endpoints.
Reference: Malware Protection Profile
Endpoint Security Policy
Question #26
What are two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile? (Choose two.)
- A . Automatically close the connections involved in malicious traffic.
- B . Automatically kill the processes involved in malicious activity.
- C . Automatically terminate the threads involved in malicious activity.
- D . Automatically block the IP addresses involved in malicious traffic.
Correct Answer: B, D
B, D
Explanation:
The “Respond to Malicious Causality Chains” feature in a Cortex XDR Windows Malware profile allows the agent to take automatic actions against network connections and processes that are involved in malicious activity on the endpoint. The feature has two modes: Block IP Address and Kill Process1.
The two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile are:
Automatically kill the processes involved in malicious activity. This can help to stop the malware from spreading or doing any further damage.
Automatically block the IP addresses involved in malicious traffic. This can help to prevent the malware from communicating with its command and control server or other malicious hosts.
The other two options, automatically close the connections involved in malicious traffic and automatically terminate the threads involved in malicious activity, are not specific to “Respond to Malicious Causality Chains”. They are general security measures that the agent can perform regardless of the feature.
Reference: Cortex XDR Agent Security Profiles
Cortex XDR Agent 7.5 Release Notes
PCDRA: What are purposes of “Respond to Malicious Causality Chains” in …
B, D
Explanation:
The “Respond to Malicious Causality Chains” feature in a Cortex XDR Windows Malware profile allows the agent to take automatic actions against network connections and processes that are involved in malicious activity on the endpoint. The feature has two modes: Block IP Address and Kill Process1.
The two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile are:
Automatically kill the processes involved in malicious activity. This can help to stop the malware from spreading or doing any further damage.
Automatically block the IP addresses involved in malicious traffic. This can help to prevent the malware from communicating with its command and control server or other malicious hosts.
The other two options, automatically close the connections involved in malicious traffic and automatically terminate the threads involved in malicious activity, are not specific to “Respond to Malicious Causality Chains”. They are general security measures that the agent can perform regardless of the feature.
Reference: Cortex XDR Agent Security Profiles
Cortex XDR Agent 7.5 Release Notes
PCDRA: What are purposes of “Respond to Malicious Causality Chains” in …
Question #27
Live Terminal uses which type of protocol to communicate with the agent on the endpoint?
- A . NetBIOS over TCP
- B . WebSocket
- C . UDP and a random port
- D . TCP, over port 80
Correct Answer: B
B
Explanation:
Live Terminal uses the WebSocket protocol to communicate with the agent on the endpoint.
WebSocket is a full-duplex communication protocol that enables bidirectional data exchange between a client and a server over a single TCP connection. WebSocket is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. WebSocket provides a persistent connection between the Cortex XDR console and the endpoint, allowing you to execute commands and receive responses in real time. Live Terminal uses port 443 for WebSocket communication, which is the same port used for HTTPS traffic.
Reference: Initiate a Live Terminal Session
WebSocket
B
Explanation:
Live Terminal uses the WebSocket protocol to communicate with the agent on the endpoint.
WebSocket is a full-duplex communication protocol that enables bidirectional data exchange between a client and a server over a single TCP connection. WebSocket is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. WebSocket provides a persistent connection between the Cortex XDR console and the endpoint, allowing you to execute commands and receive responses in real time. Live Terminal uses port 443 for WebSocket communication, which is the same port used for HTTPS traffic.
Reference: Initiate a Live Terminal Session
WebSocket
Question #28
Which type of BIOC rule is currently available in Cortex XDR?
- A . Threat Actor
- B . Discovery
- C . Network
- D . Dropper
Correct Answer: B
B
Explanation:
The type of BIOC rule that is currently available in Cortex XDR is Discovery. A Discovery BIOC rule is a rule that detects suspicious or malicious behavior on endpoints based on the Cortex XDR data. A Discovery BIOC rule can use various event types, such as file, injection, load image, network, process, registry, or user, to define the criteria for the rule. A Discovery BIOC rule can also use operators, functions, and variables to create complex logic and conditions for the rule. A Discovery BIOC rule can generate alerts when the rule is triggered, and these alerts can be grouped into incidents for further investigation and response12.
Let’s briefly discuss the other options to provide a comprehensive explanation:
B
Explanation:
The type of BIOC rule that is currently available in Cortex XDR is Discovery. A Discovery BIOC rule is a rule that detects suspicious or malicious behavior on endpoints based on the Cortex XDR data. A Discovery BIOC rule can use various event types, such as file, injection, load image, network, process, registry, or user, to define the criteria for the rule. A Discovery BIOC rule can also use operators, functions, and variables to create complex logic and conditions for the rule. A Discovery BIOC rule can generate alerts when the rule is triggered, and these alerts can be grouped into incidents for further investigation and response12.
Let’s briefly discuss the other options to provide a comprehensive explanation: