Palo Alto Networks PCDRA Exam Practice Test Instant Access

Question 1

What motivation do ransomware attackers have for returning access to systems once their victims have paid?

AThere is organized crime governance among attackers that requires the return of access to remain in good standing. B. Nation-states enforce the return of system access through the use of laws and regulation.

CFailure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.

DThe ransomware attackers hope to trace the financial trail back and steal more from traditional banking institutions. -

Answer : C

Ransomware attackers have a motivation to return access to systems once their victims have paid because they want to maintain their reputation and credibility. If they fail to restore access to systems, they risk losing the trust of future victims who may not believe that paying the ransom will result in getting their data back. This would reduce the effectiveness and profitability of their scheme. Therefore, ransomware attackers have an incentive to honor their promises and decrypt the data after receiving the ransom.Reference:

What is the motivation behind ransomware? | Foresite

As Ransomware Attackers' Motives Change, So Should Your Defense - Forbes

Question 2

In the Cortex XDR console, from which two pages are you able to manually perform the agent upgrade action? (Choose two.)

AAsset Management

BAgent Installations

CAction Center

DEndpoint Administration

Answer : A, D

To manually upgrade the Cortex XDR agents, you can use theAsset Managementpage or theEndpoint Administrationpage in the Cortex XDR console. On the Asset Management page, you can select one or more endpoints and clickActions > Upgrade Agent. On the Endpoint Administration page, you can select one or more agent versions and clickUpgrade. You can also schedule automatic agent upgrades using theAgent Installationspage.Reference:

Asset Management

Endpoint Administration

Agent Installations

Question 3

Which search methods is supported by File Search and Destroy?

AFile Seek and Destroy

BFile Search and Destroy

CFile Seek and Repair

DFile Search and Repair

Answer : B

File Search and Destroy is a feature of Cortex XDR that allows you to search for and remove malicious files from endpoints. You can use this feature to find files by their hash, full path, or partial path using regex parameters. You can then select the files from the search results and destroy them by hash or by path. When you destroy a file by hash, all the file instances on the endpoint are removed. File Search and Destroy is useful for quickly responding to threats and preventing further damage.Reference:

Search and Destroy Malicious Files

Cortex XDR Pro Administrator Guide

Question 4

Which of the following Live Terminal options are available for Android systems?

ALive Terminal is not supported.

BStop an app.

CRun APK scripts.

DRun Android commands.

Answer : D

Cortex XDR supports Live Terminal for Android systems, which allows you to remotely access and manage Android endpoints using a command-line interface. You can use Live Terminal to run Android commands, such asadb shell,adb logcat,adb install, andadb uninstall. You can also use Live Terminal to view and modify files, directories, and permissions on the Android endpoints. Live Terminal for Android systems does not support stopping an app or running APK scripts.Reference:

Cortex XDR documentation portal

Initiate a Live Terminal Session

Live Terminal Commands

Question 5

What should you do to automatically convert leads into alerts after investigating a lead?

ALead threats can't be prevented in the future because they already exist in the environment.

BCreate IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.

CCreate BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.

DBuild a search query using Query Builder or XQL using a list of lOCs.

Answer : B

To automatically convert leads into alerts after investigating a lead, you should create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting. IOC rules are used to detect known threats based on indicators of compromise (IOCs) such as file hashes, IP addresses, domain names, etc. By creating IOC rules from the leads, you can prevent future occurrences of the same threats and generate alerts for them.Reference:

PCDRA Study Guide, page 25

Cortex XDR 3: Handling Cortex XDR Alerts, section 3.2

Cortex XDR Documentation, section ''Create IOC Rules''

Question 6

You can star security events in which two ways? (Choose two.)

ACreate an alert-starring configuration.

BCreate an Incident-starring configuration.

CManually star an alert.

DManually star an Incident.

Answer : C, D

You can star security events in Cortex XDR in two ways: manually star an alert or an incident, or create an alert-starring or incident-starring configuration. Starring security events helps you prioritize and track the events that are most important to you. You can also filter and sort the events by their star status in the Cortex XDR console.

To manually star an alert or an incident, you can use the star icon in the Alerts table or the Incidents table. You can also star an alert from the Causality View or the Query Center Results table. You can star an incident from the Incident View or the Query Center Results table. You can also unstar an event by clicking the star icon again.

To create an alert-starring or incident-starring configuration, you can use the Alert Starring Configuration or the Incident Starring Configuration pages in the Cortex XDR console. You can define the criteria for starring alerts or incidents based on their severity, category, source, or other attributes. You can also enable or disable the configurations as needed.

Star Security Events

Create an Alert Starring Configuration

Create an Incident Starring Configuration

Question 7

Live Terminal uses which type of protocol to communicate with the agent on the endpoint?

ANetBIOS over TCP

BWebSocket

CUDP and a random port

DTCP, over port 80

Answer : B

Live Terminal uses theWebSocketprotocol to communicate with the agent on the endpoint. WebSocket is a full-duplex communication protocol that enables bidirectional data exchange between a client and a server over a single TCP connection. WebSocket is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. WebSocket provides a persistent connection between the Cortex XDR console and the endpoint, allowing you to execute commands and receive responses in real time. Live Terminal uses port 443 for WebSocket communication, which is the same port used for HTTPS traffic.Reference:

Initiate a Live Terminal Session

WebSocket

Palo Alto Networks PCDRA Palo Alto Networks Certified Detection and Remediation Analyst Exam Practice Test