XDR-ENGINEER Exam Questions
50 real XDR-ENGINEER exam questions with expert-verified answers and explanations.
- Question #1
Which method will drop undesired logs and reduce the amount of data being ingested?
- Question #2
Based on the image of a validated false positive alert below, which action is recommended for resolution?
- Question #3
What should be configured in Cortex XDR to integrate asset data from Microsoft Azure for better visibility and incident investigation?
- Question #4
What happens when the XDR Collector is uninstalled from an endpoint by using the Cortex XDR console?
- Question #5
Log events from a previously deployed Windows XDR Collector agent are no longer being observed in the console after an OS upgrade. Which aspect of the log events is the probable ca...
- Question #6
Which action is being taken with the query below? dataset = xdr_data | fields agent_hostname, _time, _product | comp latest as latest_time by agent_hostname, _product | join type=i...
- Question #7
Based on the SBAC scenario image below, when the tenant is switched to permissive mode, which endpoint(s) data will be accessible?
- Question #8
An analyst considers an alert with the category of lateral movement to be allowed and not needing to be checked in the future. Based on the image below, which action can an enginee...
- Question #9
Some company employees are able to print documents when working from home, but not on network-attached printers, while others are able to print only to file. What can be inferred a...
- Question #10
Which two steps should be considered when configuring the Cortex XDR agent for a sensitive and highly regulated environment? (Choose two.)
- Question #11
When isolating Cortex XDR agent components to troubleshoot for compatibility, which command is used to turn off a component on a Windows machine?
- Question #12
During deployment of Cortex XDR for Linux Agents, the security engineering team is asked to implement memory monitoring for agent health monitoring. Which agent service should be m...
- Question #13
The most recent Cortex XDR agents are being installed at a newly acquired company. A list with endpoint types (i.e., OS, hardware, software) is provided to the engineer. What shoul...
- Question #14
After deploying Cortex XDR agents to a large group of endpoints, some of the endpoints have a partially protected status. In which two places can insights into what is contributing...
- Question #15
What is a benefit of ingesting and forwarding Palo Alto Networks NGFW logs to Cortex XDR?
- Question #16
An XDR engineer is configuring an automation playbook to respond to high-severity malware alerts by automatically isolating the affected endpoint and notifying the security team vi...
- Question #17
An administrator wants to employ reusable rules within custom parsing rules to apply consistent log field extraction across multiple data sources. Which section of the parsing rule...
- Question #18
What will be the output of the function below? L_TRIM("a* aapple", "a")
- Question #19
Based on the Malware profile image below, what happens when a new custom-developed application attempts to execute on an endpoint?
- Question #20
Which configuration profile option with an available built-in template can be applied to both Windows and Linux systems by using XDR Collector?
- Question #21
What is the earliest time frame an alert could be automatically generated once the conditions of a new correlation rule are met?
- Question #22
When onboarding a Palo Alto Networks NGFW to Cortex XDR, what must be done to confirm that logs are being ingested successfully after a device is selected and verified?
- Question #23
During a recent internal purple team exercise, the following recommendation is given to the detection engineering team: Detect and prevent command line invocation of Python on Wind...
- Question #24
Multiple remote desktop users complain of in-house applications no longer working. The team uses macOS with Cortex XDR agents version 8.7.0, and the applications were previously al...
- Question #25
A new parsing rule is created, and during testing and verification, all the logs for which field data is to be parsed out are missing. All the other logs from this data source appe...
- Question #26
Which XQL query can be saved as a behavioral indicator of compromise (BIOC) rule, then converted to a custom prevention rule?
- Question #27
Which step is required to configure a proxy for an XDR Collector?
- Question #28
How long is data kept in the temporary hot storage cache after being queried from cold storage?
- Question #29
Which components may be included in a Cortex XDR content update?
- Question #30
An insider compromise investigation has been requested to provide evidence of an unauthorized removable drive being mounted on a company laptop. Cortex XDR agent is installed with...
- Question #31
A static endpoint group is created by adding 321 endpoints using the Upload From File feature. However, after group creation, the members count field shows 244 endpoints. What are...
- Question #32
What are two possible actions that can be triggered by a dashboard drilldown? (Choose two.)
- Question #33
A multinational company with over 300,000 employees has recently deployed Cortex XDR in North America. The solution includes the Identity Threat Detection and Response (ITDR) add-o...
- Question #34
When using Kerberos as the authentication method for Pathfinder, which two settings must be validated on the DNS server? (Choose two.)
- Question #35
How can a customer ingest additional events from a Windows DHCP server into Cortex XDR with minimal configuration?
- Question #36
How are dynamic endpoint groups created and managed in Cortex XDR?
- Question #37
An engineer is building a dashboard to visualize the number of alerts from various sources. One of the widgets from the dashboard is shown in the image below: The engineer wants to...
- Question #38
An XDR engineer is creating a correlation rule to monitor login activity on specific systems. When the activity is identified, an alert is created. The alerts are being generated p...
- Question #39
A correlation rule is created to detect potential insider threats by correlating user login events from one dataset with file access events from another dataset. The rule must reta...
- Question #40
A cloud administrator reports high network bandwidth costs attributed to Cortex XDR operations and asks for bandwidth usage to be optimized without compromising agent functionality...
- Question #41
How can a Malware profile be configured to prevent a specific executable from being uploaded to the cloud?
- Question #42
During the deployment of a Broker VM in a high availability (HA) environment, after configuring the Broker VM FQDN, an XDR engineer must ensure agent installer availability and eff...
- Question #43
A Custom Prevention rule that was determined to be a false positive alert needs to be tuned. The behavior was determined to be authorized and expected on the affected endpoint. Bas...
- Question #44
In addition to using valid authentication credentials, what is required to enable the setup of the Database Collector applet on the Broker VM to ingest database activity?
- Question #45
Which statement describes the functionality of fixed filters and dashboard drilldowns in enhancing a dashboard's interactivity and data insights?
- Question #46
An engineer wants to automate the handling of alerts in Cortex XDR and defines several automation rules with different actions to be triggered based on specific alert conditions. S...
- Question #47
What will enable a custom prevention rule to block specific behavior?
- Question #48
A query is created that will run weekly via API. After it is tested and ready, it is reviewed in the Query Center. Which available column should be checked to determine how many co...
- Question #49
A security audit determines that the Windows Cortex XDR host-based firewall is not blocking outbound RDP connections for certain remote workers. The audit report confirms the follo...
- Question #50
Using the Cortex XDR console, how can additional network access be allowed from a set of IP addresses to an isolated endpoint?