PCDRA

The document consists of multiple-choice questions related to Cortex XDR, covering topics such as incident management, file quarantine, exploit types, Windows Registry, and Behavioral Threat Protection. Each question tests knowledge on specific functionalities and definitions within the Cortex XDR environment. The questions also address the use of XQL queries and the implications of various security threats.

Uploaded by

fredl

1. While working the alerts involved in a Cortex XDR incident, an analyst has found that
every alert in this incident requires an exclusion.

What will the Cortex XDR console automatically do to this incident if all alerts contained
have exclusions?

mark the incident as Unresolved

create a BIOC rule excluding this behavior

create an exception to prevent future false positives

mark the incident as Resolved - False Positive


2. To create a BIOC rule with an XQL query, you must at a minimum filter on which field
in order for it to be a valid BIOC rule?

causality_chain

endpoint_name

threat_event

event_type
3. After a scan, how does the file quarantine function work on an endpoint?

Quarantine takes ownership of the files and folders and prevents execution through access
control.

Quarantine disables the network adapters and locks down access preventing any
communications with the endpoint.

Quarantine removes a specific file from its location on a local or removable drive to a
protected folder and prevents it from being executed.

Quarantine prevents an endpoint from communicating with anything besides the listed
exceptions in the agent profile and Cortex XDR.
4. Which statement is true for Application Exploits and Kernel Exploits?

The ultimate goal of any exploit is to reach the application.

Kernel exploits are easier to prevent than application exploits.

The ultimate goal of any exploit is to reach the kernel.

Application exploits leverage kernel vulnerability.


5. Which of the following best defines the Windows Registry as used by the Cortex
XDR agent?
a hierarchical database that stores settings for the operating system and for applications

a system of files used by the operating system to commit memory that exceeds the available
hardware resources. Also known as the “swap”

a central system, available via the internet, for registering officially licensed versions of
software to prove ownership

a ledger for maintaining accurate and up-to-date information on total disk usage and disk
space remaining available to the operating system
6. What kind of threat typically encrypts user files?

ransomware

SQL injection attacks

Zero-day exploits

supply-chain attacks
7. A file is identified as malware by the Local Analysis module, whereas the WildFire
verdict is Benign. Assuming WildFire is accurate, which statement is correct for the
incident?

It is true positive.

It is false positive.

It is a false negative.

It is true negative.
8. LiveTerminal uses which type of protocol to communicate with the agent on the
endpoint?

NetBIOS over TCP

WebSocket

UDP and a random port

TCP, over port 80


9. What are two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR
Windows Malware profile? (Choose two.)

Automatically close the connections involved in malicious traffic.

Automatically kill the processes involved in malicious activity.


Automatically terminate the threads involved in malicious activity.

Automatically block the IP addresses involved in malicious traffic.


10. Which of the following policy exceptions applies to the following description?

‘An exception allowing specific PHP files’

Support exception

Local file threat examination exception

Behavioral threat protection rule exception

Process exception
11. Which built-in dashboard would be the best option for an executive, if they were
looking for the Mean Time to Resolution (MTTR) metric?

Security Manager Dashboard

Data Ingestion Dashboard

Security Admin Dashboard

Incident Management Dashboard


12. When selecting multiple Incidents at a time, what options are available from the menu
when a user right-clicks the incidents? (Choose two.)

Assign incidents to an analyst in bulk.

Change the status of multiple incidents.

Investigate several Incidents at once.

Delete the selected Incidents.


13. Which of the following represents the correct relation of alerts to incidents?

Only alerts with the same host are grouped together into one Incident in a given time frame.

Alerts that occur within a three hour time frame are grouped together into one Incident.

Alerts with same causality chains that occur within a given time frame are grouped together
into an Incident.

Every alert creates a new Incident.


14. If you have an isolated network that is prevented from connecting to the Cortex Data
Lake, which type of Broker VM setup can you use to facilitate the communication?
Broker VM Pathfinder

Local Agent Proxy

Local Agent Installer and Content Caching

Broker VM Syslog Collector


15. When creating a custom XQL query in a dashboard, how would a user save that XQL
query to the Widget Library?

Click the three dots on the widget and then choose “Save” and this will link the query to the
Widget Library.

This isn’t supported, you have to exit the dashboard and go into the Widget Library first to
create it.

Click on “Save to Action Center” in the dashboard and you will be prompted to give the query
a name and description.

Click on “Save to Widget Library” in the dashboard and you will be prompted to give the
query a name and description.
16. Phishing belongs to which of the following MITRE ATT&CK tactics?

Initial Access, Persistence

Persistence, Command and Control

Reconnaissance, Persistence

Reconnaissance, Initial Access


17. When creating a BIOC rule, which XQL query can be used?

dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= ".*?.(?:pdf|docx).exe"

dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= ".*?.(?:pdf|docx).exe"

dataset = xdr_data | filter action_process_image_name ~= ".*?.(?:pdf|docx).exe" | fields action_process_image

dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= ".*?.(?:pdf|docx).exe"
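All four options in question 17 share the same regex, `.*?.(?:pdf|docx).exe`, which is meant to catch double-extension lures such as `invoice.pdf.exe`. The dots in it are unescaped and the pattern is not anchored, so it also matches names that are not double extensions at all. The following Python is an added example, not part of the question bank or of Cortex XDR; it assumes that XQL's `~=` behaves like an unanchored regex search (approximated here with `re.search`) and uses constructed process image names rather than real telemetry. The tightened pattern is the editor's suggestion, not the page's.

```python
import re

# The pattern exactly as written in the BIOC query options (unescaped dots, unanchored).
PAGE_PATTERN = r".*?.(?:pdf|docx).exe"

# Hardened variant (editor's assumption, not from the page): escape the literal
# dots and anchor to the end of the image name so only a real trailing
# double extension such as "name.pdf.exe" matches.
STRICT_PATTERN = r"\.(?:pdf|docx)\.exe$"

# Constructed sample process image names (not from any real endpoint).
SAMPLES = [
    "invoice.pdf.exe",      # classic double-extension lure
    "report.docx.exe",      # same trick with a Word extension
    "xpdfxexe.dll",         # no double extension; unescaped '.' still matches "xpdfxexe"
    "acrobat.exe",          # legitimate reader, no lure
    "notes.docx",           # the document itself, not an executable
    "payload.pdf.exe.bak",  # double extension, but not the final extension
]


def match_page(name: str) -> bool:
    """Unanchored search with the pattern as it appears in the query options."""
    return re.search(PAGE_PATTERN, name) is not None


def match_strict(name: str) -> bool:
    """Unanchored search with the escaped, end-anchored pattern."""
    return re.search(STRICT_PATTERN, name) is not None


def compare(names):
    """Map each name to (page_pattern_hit, strict_pattern_hit)."""
    return {n: (match_page(n), match_strict(n)) for n in names}


def false_hits(names):
    """Names the page pattern flags that the strict pattern does not."""
    return [n for n in names if match_page(n) and not match_strict(n)]


if __name__ == "__main__":
    for name, (loose, strict) in compare(SAMPLES).items():
        print(f"{name:24} page={loose!s:5} strict={strict!s:5}")
    print("noise from the page pattern:", false_hits(SAMPLES))
```

Running it shows `xpdfxexe.dll` and `payload.pdf.exe.bak` being flagged only by the page pattern; in a BIOC rule that noise turns into extra alerts, so escaping and anchoring the regex is worth doing before the rule goes live, whichever option is the syntactically valid one.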
18. When creating a scheduled report which is not an option?

Run weekly on a certain day and time.


Run quarterly on a certain day and time.

Run monthly on a certain day and time.

Run daily at a certain time (selectable hours and minutes).


19. When using the “File Search and Destroy” feature, which of the following hash
types is supported for the search?

SHA256 hash of the file

AES256 hash of the file

MD5 hash of the file

SHA1 hash of the file


20. Which statement best describes how Behavioral Threat Protection (BTP) works?

BTP injects into known vulnerable processes to detect malicious activity.

BTP runs on the Cortex XDR and distributes behavioral signatures to all agents.

BTP matches EDR data with rules provided by Cortex XDR.

BTP uses machine learning to recognize malicious activity even if it is not known.
