Palo Alto Networks PCDRA Practice Test

Palo Alto Networks Certified Detection and Remediation Analyst

Last exam update: Dec 18, 2024
Page 1 out of 8. Viewing questions 1-10 out of 83

Question 1

When creating a BIOC rule, which XQL query can be used?

  • A. dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
  • B. dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
  • C. dataset = xdr_data | filter action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe" | fields action_process_image
  • D. dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
Answer: B

Question 2

Cortex XDR Analytics can alert when detecting activity matching the following MITRE ATT&CK™ techniques.

  • A. Exfiltration, Command and Control, Collection
  • B. Exfiltration, Command and Control, Privilege Escalation
  • C. Exfiltration, Command and Control, Impact
  • D. Exfiltration, Command and Control, Lateral Movement
Answer: D

Question 3

What is by far the most common tactic used by ransomware to shut down a victim's operation?

  • A. preventing the victim from being able to access APIs to cripple infrastructure
  • B. denying traffic out of the victim's network until payment is received
  • C. restricting access to administrative accounts to the victim
  • D. encrypting certain files to prevent access by the victim
Answer: D

Question 4

While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?

  • A. mark the incident as Unresolved
  • B. create a BIOC rule excluding this behavior
  • C. create an exception to prevent future false positives
  • D. mark the incident as Resolved False Positive
Answer: D

Question 5

After a scan, how does the file quarantine function work on an endpoint?

  • A. Quarantine takes ownership of the files and folders and prevents execution through access control.
  • B. Quarantine disables the network adapters and locks down access preventing any communications with the endpoint.
  • C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.
  • D. Quarantine prevents an endpoint from communicating with anything besides the listed exceptions in the agent profile and Cortex XDR.
Answer: C

Question 6

Which Exploit Prevention Module (EPM) provides better entropy for randomization of memory locations?

  • A. UASLR
  • B. JIT Mitigation
  • C. Memory Limit Heap spray check
  • D. DLL Security
Answer: A

Question 7

As a Malware Analyst working with Cortex XDR, you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?

  • A. Enable DLL Protection on all endpoints but there might be some false positives.
  • B. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
  • C. No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.
  • D. No step is required because the malicious document is already stopped.
Answer: B

Question 8

Which type of BIOC rule is currently available in Cortex XDR?

  • A. Threat Actor
  • B. Discovery
  • C. Network
  • D. Dropper
Answer: D

Question 9

When investigating security events, which feature in Cortex XDR is useful for reverting the changes on the endpoint?

  • A. Remediation Automation
  • B. Machine Remediation
  • C. Automatic Remediation
  • D. Remediation Suggestions
Answer: D

Question 10

What should you do to automatically convert leads into alerts after investigating a lead?

  • A. Lead threats can't be prevented in the future because they already exist in the environment.
  • B. Build a search query using Query Builder or XQL using a list of IOCs.
  • C. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
  • D. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
Answer: C