Palo Alto Networks PCDRA Palo Alto Networks Certified Detection and Remediation Analyst Exam Practice Test

Page: 1 / 14
Total 91 questions
Question 1

What is an example of an attack vector for ransomware?



Answer : C

An example of an attack vector for ransomware is phishing emails containing malicious attachments. Phishing is a technique that involves sending fraudulent emails that appear to come from a legitimate source, such as a bank, a company, or a government agency. The emails typically contain a malicious attachment, such as a PDF document, a ZIP archive, or a Microsoft Office document, that contains ransomware or a ransomware downloader. When the recipient opens or downloads the attachment, the ransomware is executed and encrypts the files or data on the victim's system. The attacker then demands a ransom for the decryption key, usually in cryptocurrency.

Phishing emails are one of the most common and effective ways of delivering ransomware, as they can bypass security measures such as firewalls, antivirus software, or URL filtering. Phishing emails can also exploit the human factor, as they can trick the recipient into opening the attachment by using social engineering techniques, such as impersonating a trusted sender, creating a sense of urgency, or appealing to curiosity or greed. Phishing emails can also target specific individuals or organizations, such as executives, employees, or customers, in a technique called spear phishing, which increases the chances of success.

According to various sources, phishing emails are the main vector of ransomware attacks, accounting for more than 90% of all ransomware infections [1, 2]. Some of the most notorious ransomware campaigns, such as CryptoLocker, Locky, and WannaCry, have used phishing emails as their primary delivery method [3]. Therefore, it is essential to educate users on how to recognize and avoid phishing emails, as well as to implement security solutions that can detect and block malicious attachments.

Reference:

[1] Top 7 Ransomware Attack Vectors & How to Avoid Becoming a Victim - Bitsight

[2] What Is the Main Vector of Ransomware Attacks? A Definitive Guide

[3] CryptoLocker Ransomware Information Guide and FAQ

Locky Ransomware Information, Help Guide, and FAQ

WannaCry ransomware attack


Question 2

In the Cortex XDR console, from which two pages are you able to manually perform the agent upgrade action? (Choose two.)



Answer : A, D

To manually upgrade the Cortex XDR agents, you can use the Asset Management page or the Endpoint Administration page in the Cortex XDR console. On the Asset Management page, you can select one or more endpoints and click Actions > Upgrade Agent. On the Endpoint Administration page, you can select one or more agent versions and click Upgrade. You can also schedule automatic agent upgrades using the Agent Installations page.

Reference:

Asset Management

Endpoint Administration

Agent Installations


Question 3

Which search method is supported by File Search and Destroy?



Answer : B

File Search and Destroy is a feature of Cortex XDR that allows you to search for and remove malicious files from endpoints. You can use this feature to find files by their hash, full path, or partial path using regex parameters. You can then select the files from the search results and destroy them by hash or by path. When you destroy a file by hash, all instances of that file on the endpoint are removed. File Search and Destroy is useful for quickly responding to threats and preventing further damage.

Reference:

Search and Destroy Malicious Files

Cortex XDR Pro Administrator Guide


Question 4

Which of the following Live Terminal options are available for Android systems?



Answer : D

Cortex XDR supports Live Terminal for Android systems, which allows you to remotely access and manage Android endpoints using a command-line interface. You can use Live Terminal to run Android commands, such as adb shell, adb logcat, adb install, and adb uninstall. You can also use Live Terminal to view and modify files, directories, and permissions on the Android endpoints. Live Terminal for Android systems does not support stopping an app or running APK scripts.

Reference:

Cortex XDR documentation portal

Initiate a Live Terminal Session

Live Terminal Commands


Question 5

What should you do to automatically convert leads into alerts after investigating a lead?



Answer : B

To automatically convert leads into alerts after investigating a lead, you should create IOC rules based on the attribute-value pairs collected for the affected entities during lead hunting. IOC rules are used to detect known threats based on indicators of compromise (IOCs) such as file hashes, IP addresses, domain names, etc. By creating IOC rules from the leads, you can detect future occurrences of the same threats and generate alerts for them.

Reference:

PCDRA Study Guide, page 25

Cortex XDR 3: Handling Cortex XDR Alerts, section 3.2

Cortex XDR Documentation, section "Create IOC Rules"


Question 6

Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack will be neutralized. Which of the following statements is correct?



Answer : D

Cortex XDR Analytics is a cloud-based service that uses machine learning and artificial intelligence to detect and prevent network attacks. Cortex XDR Analytics can interfere with the attack pattern as soon as it is observed on the endpoint by applying protection policies that block malicious processes, files, or network connections. This way, Cortex XDR Analytics can stop the attack before it causes any damage or compromises the system.

Reference:

Cortex XDR Analytics Overview

Cortex XDR Analytics Protection Policies



Question 7

While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?



Answer : D

If all alerts contained in a Cortex XDR incident have exclusions, the Cortex XDR console will automatically mark the incident as Resolved -- False Positive. This means that the incident was not a real threat, but a benign or legitimate activity that triggered an alert. By marking the incident as Resolved -- False Positive, the Cortex XDR console removes the incident from the list of unresolved incidents and does not count it towards the incident statistics. This helps the analyst to focus on the true positive incidents that require further investigation and response [1].

An exclusion is a rule that hides an alert from the Cortex XDR console, based on certain criteria, such as the alert source, type, severity, or description. An exclusion does not change the security policy or prevent the alert from firing; it only suppresses the alert from the console. An exclusion is useful when the analyst wants to reduce the noise of false positive alerts that are not relevant or important [2].

An exception, on the other hand, is a rule that overrides the security policy and allows or blocks a process or file from running on an endpoint, based on certain attributes, such as the file hash, path, name, or signer. An exception is useful when the analyst wants to prevent false negative alerts that are caused by malicious or unwanted files or processes that are not detected by the security policy [3].

A BIOC rule is a rule that creates an alert based on a custom XQL query that defines a specific behavior of interest or concern. A BIOC rule is useful when the analyst wants to detect and alert on anomalous or suspicious activities that are not covered by the default Cortex XDR rules [4].

Reference:

[1] Palo Alto Networks Cortex XDR Documentation, Resolve an Incident

[2] Palo Alto Networks Cortex XDR Documentation, Alert Exclusions

[3] Palo Alto Networks Cortex XDR Documentation, Exceptions

[4] Palo Alto Networks Cortex XDR Documentation, BIOC Rules
