Palo Alto Networks PCDRA Exam Practice Test Instant Access

Question 1

How can you pivot within a row to Causality view and Timeline views for further investigate?

AUsing the Open Card Only

BUsing the Open Card and Open Timeline actions respectively

CYou can't pivot within a row to Causality view and Timeline views

DUsing Open Timeline Actions Only

Answer : B

To pivot within a row to Causality view and Timeline views for further investigation, you can use the Open Card and Open Timeline actions respectively. The Open Card action will open a new tab with the Causality view of the selected row, showing the causal chain of events that led to the alert. The Open Timeline action will open a new tab with the Timeline view of the selected row, showing the chronological sequence of events that occurred on the affected endpoint. These actions allow you to drill down into the details of each alert and understand the root cause and impact of the incident.Reference:

Cortex XDR User Guide, Chapter 9: Investigate Alerts, Section: Pivot to Causality View and Timeline View

PCDRA Study Guide, Section 3: Investigate and Respond to Alerts, Objective 3.1: Investigate alerts using the Causality view and Timeline view

Question 2

Which of the following best defines the Windows Registry as used by the Cortex XDR agent?

Aa hierarchical database that stores settings for the operating system and for applications

Ba system of files used by the operating system to commit memory that exceeds the available hardware resources. Also known as the ''swap''

Ca central system, available via the internet, for registering officially licensed versions of software to prove ownership

Da ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system

Answer : A

The Windows Registry is a hierarchical database that stores settings for the operating system and for applications that run on Windows. The registry contains information, settings, options, and other values for programs and hardware installed on all versions of Microsoft Windows operating systems. The registry is organized into five main sections, called hives, each of which contains keys, subkeys, and values. The Cortex XDR agent uses the registry to store its configuration, status, and logs, as well as to monitor and control the endpoint's security features. The Cortex XDR agent also allows you to run scripts that can read, write, or delete registry keys and values on the endpoint.Reference:

Windows Registry - Wikipedia

Registry Operations

Question 3

A Linux endpoint with a Cortex XDR Pro per Endpoint license and Enhanced Endpoint Data enabled has reported malicious activity, resulting in the creation of a file that you wish to delete. Which action could you take to delete the file?

AManually remediate the problem on the endpoint in question.

BOpen X2go from the Cortex XDR console and delete the file via X2go.

CInitiate Remediate Suggestions to automatically delete the file.

DOpen an NFS connection from the Cortex XDR console and delete the file.

Answer : C

The best action to delete the file on the Linux endpoint is to initiate Remediation Suggestions from the Cortex XDR console. Remediation Suggestions are a feature of Cortex XDR that provide you with recommended actions to undo the effects of malicious activity on your endpoints. You can view the remediation suggestions for each alert or incident in the Cortex XDR console, and decide whether to apply them or not. Remediation Suggestions can help you restore the endpoint to its original state, remove malicious files or processes, or fix registry or system settings. Remediation Suggestions are based on the forensic data collected by the Cortex XDR agent and the analysis performed by Cortex XDR.

The other options are incorrect for the following reasons:

A is incorrect because manually remediating the problem on the endpoint is not a convenient or efficient way to delete the file. Manually remediating the problem would require you to access the endpoint directly, log in as root, locate the file, and delete it. This would also require you to have the necessary permissions and credentials to access the endpoint, and to know the exact path and name of the file. Manually remediating the problem would also not provide you with any audit trail or confirmation of the deletion.

B is incorrect because opening X2go from the Cortex XDR console is not a supported or secure way to delete the file. X2go is a third-party remote desktop software that allows you to access Linux endpoints from a graphical user interface. However, X2go is not integrated with Cortex XDR, and using it would require you to install and configure it on both the Cortex XDR console and the endpoint. Using X2go would also expose the endpoint to potential network attacks or unauthorized access, and would not provide you with any audit trail or confirmation of the deletion.

D is incorrect because opening an NFS connection from the Cortex XDR console is not a feasible or reliable way to delete the file. NFS is a network file system protocol that allows you to access files on remote servers as if they were local. However, NFS is not integrated with Cortex XDR, and using it would require you to set up and maintain an NFS server and client on both the Cortex XDR console and the endpoint. Using NFS would also depend on the network availability and performance, and would not provide you with any audit trail or confirmation of the deletion.

Remediation Suggestions

Apply Remediation Suggestions

Question 4

What is the function of WildFire for Cortex XDR?

AWildFire runs in the cloud and analyses alert data from the XDR agent to check for behavioural threats.

BWildFire is the engine that runs on the local agent and determines whether behavioural threats are occurring on the endpoint.

CWildFire accepts and analyses a sample to provide a verdict.

DWildFire runs entirely on the agent to quickly analyse samples and provide a verdict.

Answer : C

WildFire is a cloud-based service that accepts and analyses samples from various sources, including Cortex XDR, to provide a verdict of malware, benign, or grayware. WildFire also generates detailed analysis reports that show the behaviour and characteristics of the samples. Cortex XDR uses WildFire verdicts and reports to enhance its detection and prevention capabilities, as well as to provide more visibility and context into the threats.Reference:

WildFire Analysis Concepts

WildFire Overview

Question 5

Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?

AFind the Malware profile attached to the endpoint, Under Portable Executable and DLL Examination add the hash to the allow list.

BFrom the rules menu select new exception, fill out the criteria, choose the scope to apply it to, hit save.

CFind the exceptions profile attached to the endpoint, under process exceptions select local analysis, paste the hash and save.

DIn the Action Center, choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.

Answer : D

To add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint, you need to use the Action Center in Cortex XDR. The Action Center allows you to create and manage actions that apply to endpoints, such as adding files or processes to the allow list or block list, isolating or unisolating endpoints, or initiating live terminal sessions. To add a file hash to the allow list, you need to choose Allow list, select new action, select add to allow list, add your hash to the list, and apply it.This will prevent the Malware profile from scanning or blocking the file on the endpoints that match the scope of the action.Reference: Cortex XDR 3: Responding to Attacks1, Action Center2

Question 6

Which of the following is NOT a precanned script provided by Palo Alto Networks?

Adelete_file

Bquarantine_file

Cprocess_kill_name

Dlist_directories

Answer : D

Palo Alto Networks provides a set of precanned scripts that you can use to perform various actions on your endpoints, such as deleting files, killing processes, or quarantining malware. The precanned scripts are written in Python and are available in the Agent Script Library in the Cortex XDR console. You can use the precanned scripts as they are, or you can customize them to suit your needs. The precanned scripts are:

delete_file: Deletes a specific file from a local or removable drive.

quarantine_file: Moves a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.

process_kill_name: Kills a process by its name on the endpoint.

process_kill_pid: Kills a process by its process ID (PID) on the endpoint.

process_kill_tree: Kills a process and all its child processes by its name on the endpoint.

process_kill_tree_pid: Kills a process and all its child processes by its PID on the endpoint.

process_list: Lists all the processes running on the endpoint, along with their names, PIDs, and command lines.

process_list_tree: Lists all the processes running on the endpoint, along with their names, PIDs, command lines, and parent processes.

process_start: Starts a process on the endpoint by its name or path.

registry_delete_key: Deletes a registry key and all its subkeys and values from the Windows registry.

registry_delete_value: Deletes a registry value from the Windows registry.

registry_list_key: Lists all the subkeys and values under a registry key in the Windows registry.

registry_list_value: Lists the value and data of a registry value in the Windows registry.

registry_set_value: Sets the value and data of a registry value in the Windows registry.

The script list_directories isnota precanned script provided by Palo Alto Networks. It is a custom script that you can write yourself using Python commands.

Run Scripts on an Endpoint

Agent Script Library

Precanned Scripts

Question 7

Which module provides the best visibility to view vulnerabilities?

ALive Terminal module

BDevice Control Violations module

CHost Insights module

DForensics module

Answer : C

TheHost Insights moduleprovides the best visibility to view vulnerabilities on your endpoints. The Host Insights module is an add-on feature for Cortex XDR that combines vulnerability management, application and system visibility, and a Search and Destroy feature to help you identify and contain threats. The vulnerability management feature allows you to scan your Windows endpoints for known vulnerabilities and missing patches, and view the results in the Cortex XDR console. You can also filter and sort the vulnerabilities by severity, CVSS score, CVE ID, or patch availability. The Host Insights module helps you reduce your exposure to threats and improve your security posture.Reference:

Host Insights

Vulnerability Management

Palo Alto Networks PCDRA Palo Alto Networks Certified Detection and Remediation Analyst Exam Practice Test