Practice Free XDR Engineer Exam Online Questions
A new parsing rule is created, and during testing and verification, all the logs for which field data is to be parsed out are missing. All the other logs from this data source appear as expected.
What may be the cause of this behavior?
- A . The Broker VM is offline
- B . The parsing rule corrupted the database
- C . The filter stage is dropping the logs
- D . The XDR Collector is dropping the logs
Which configuration profile option with an available built-in template can be applied to both Windows and Linux systems by using XDR Collector?
- A . Filebeat
- B . HTTP Collector template
- C . XDR Collector settings
- D . Winlogbeat
When isolating Cortex XDR agent components to troubleshoot for compatibility, which command is used to turn off a component on a Windows machine?
- A . "C:\Program Files\Palo Alto Networks\Traps\xdr.exe" stop
- B . "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime stop
- C . "C:\Program Files\Palo Alto Networks\Traps\xdr.exe" -s stop
- D . "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" occp
Which statement describes the functionality of fixed filters and dashboard drilldowns in enhancing a dashboard’s interactivity and data insights?
- A . Fixed filters allow users to select predefined data values, while dashboard drilldowns enable users to alter the scope of the data displayed by selecting filter values from the dashboard header
- B . Fixed filters limit the data visible in widgets, while dashboard drilldowns allow users to download data from the dashboard in various formats
- C . Fixed filters let users select predefined or dynamic values to adjust the scope, while dashboard drilldowns provide interactive insights or trigger contextual changes, like linking to XQL searches
- D . Fixed filters allow users to adjust the layout, while dashboard drilldowns provide links to external reports and/or dashboards
A security audit determines that the Windows Cortex XDR host-based firewall is not blocking outbound RDP connections for certain remote workers.
The audit report confirms the following:
All devices are running healthy Cortex XDR agents.
A single host-based firewall rule to block all outbound RDP is implemented.
The policy hosting the profile containing the rule applies to all Windows endpoints.
The logic within the firewall rule is adequate.
Further testing concludes RDP is successfully being blocked on all devices tested at company HQ. Network location configuration in Agent Settings is enabled on all Windows endpoints.
What is the likely reason the RDP connections are not being blocked?
- A . The profile’s default action for outbound traffic is set to Allow
- B . The pertinent host-based firewall rule group is only applied to external rule groups
- C . Report mode is set to Enabled in the report settings under the profile configuration
- D . The pertinent host-based firewall rule group is only applied to internal rule groups
Based on the image of a validated false positive alert below, which action is recommended for resolution?

- A . Create an alert exclusion for OUTLOOK.EXE
- B . Disable an action to the CGO Process DWWIN.EXE
- C . Create an exception for the CGO DWWIN.EXE for ROP Mitigation Module
- D . Create an exception for OUTLOOK.EXE for ROP Mitigation Module
A static endpoint group is created by adding 321 endpoints using the Upload From File feature. However, after group creation, the members count field shows 244 endpoints.
What are two possible reasons why endpoints were not added to the group? (Choose two.)
- A . Static groups have a limit of 250 endpoints when adding by file
- B . Endpoints added to the new group were previously added to an existing group
- C . Endpoints added to the group were in Disconnected or Connection Lost status when group membership was added
- D . The IP address, hostname, or alias of the endpoints must match an existing agent that has registered with the tenant
What are two possible actions that can be triggered by a dashboard drilldown? (Choose two.)
- A . Navigate to a different dashboard
- B . Initiate automated response actions
- C . Link to an XQL query
- D . Send alerts to console users
Using the Cortex XDR console, how can additional network access be allowed from a set of IP addresses to an isolated endpoint?
- A . Add entries in Configuration section of Security Settings
- B . Add entries in the Allowed Domains section of Security Settings for the tenant
- C . Add entries in Exceptions Configuration section of Isolation Exceptions
- D . Add entries in Response Actions section of Agent Settings profile
A multinational company with over 300,000 employees has recently deployed Cortex XDR in North America. The solution includes the Identity Threat Detection and Response (ITDR) add-on, and the Cortex team has onboarded the Cloud Identity Engine to the North American tenant. After waiting the required soak period and deploying enough agents to receive Identity and threat analytics detections, the team does not see user, group, or computer details for individuals from the European offices.
What may be the reason for the issue?
- A . The XDR tenant is not in the same region as the Cloud Identity Engine
- B . The Cloud Identity Engine plug-in has not been installed and configured
- C . The Cloud Identity Engine needs to be activated in all global regions
- D . The ITDR add-on is not compatible with the Cloud Identity Engine