Palo Alto Networks PCDRA Practice Test

Exam Title: Palo Alto Networks Certified Detection and Remediation Analyst

Last update: Aug 24, 2025

Question 1

When creating a BIOC rule, which XQL query can be used?

  • A. dataset = xdr_data | filter event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
  • B. dataset = xdr_data | filter event_type = PROCESS and event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
  • C. dataset = xdr_data | filter action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe" | fields action_process_image
  • D. dataset = xdr_data | filter event_behavior = true event_sub_type = PROCESS_START and action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
Answer: B

Votes: A 1, B 1, C 0, D 0
Question 2

Cortex XDR Analytics can alert when it detects activity matching which of the following MITRE ATT&CK™ techniques?

  • A. Exfiltration, Command and Control, Collection
  • B. Exfiltration, Command and Control, Privilege Escalation
  • C. Exfiltration, Command and Control, Impact
  • D. Exfiltration, Command and Control, Lateral Movement
Answer: D

Votes: A 0, B 1, C 0, D 1
Question 3

What is by far the most common tactic used by ransomware to shut down a victim's operations?

  • A. preventing the victim from being able to access APIs to cripple infrastructure
  • B. denying traffic out of the victim's network until payment is received
  • C. restricting access to administrative accounts to the victim
  • D. encrypting certain files to prevent access by the victim
Answer: D

Votes: A 0, B 0, C 0, D 1
Question 4

While working the alerts involved in a Cortex XDR incident, an analyst has found that every alert in this incident requires an exclusion. What will the Cortex XDR console automatically do to this incident if all alerts contained have exclusions?

  • A. mark the incident as Unresolved
  • B. create a BIOC rule excluding this behavior
  • C. create an exception to prevent future false positives
  • D. mark the incident as Resolved False Positive
Answer: D

Votes: A 0, B 1, C 1, D 1
Question 5

After a scan, how does the file quarantine function work on an endpoint?

  • A. Quarantine takes ownership of the files and folders and prevents execution through access control.
  • B. Quarantine disables the network adapters and locks down access preventing any communications with the endpoint.
  • C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed.
  • D. Quarantine prevents an endpoint from communicating with anything besides the listed exceptions in the agent profile and Cortex XDR.
Answer: C

Votes: A 0, B 0, C 1, D 0
Question 6

Which Exploit Prevention Module (EPM) provides better entropy for randomization of memory locations?

  • A. UASLR
  • B. JIT Mitigation
  • C. Memory Limit Heap Spray Check
  • D. DLL Security
Answer: A

Votes: A 1, B 1, C 0, D 1
Question 7

As a Malware Analyst working with Cortex XDR, you notice an alert indicating that an attempt to open a malicious Word document was prevented. You learn from the WildFire report and AutoFocus that this document is known to have been used in phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization who are protected by the Cortex XDR agent?

  • A. Enable DLL Protection on all endpoints, although there might be some false positives.
  • B. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
  • C. No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.
  • D. No step is required because the malicious document is already stopped.
Answer: B

Votes: A 1, B 1, C 0, D 0
Question 8

Which type of BIOC rule is currently available in Cortex XDR?

  • A. Threat Actor
  • B. Discovery
  • C. Network
  • D. Dropper
Answer: D

Votes: A 0, B 0, C 0, D 1
Question 9

When investigating security events, which feature in Cortex XDR is useful for reverting the changes on the endpoint?

  • A. Remediation Automation
  • B. Machine Remediation
  • C. Automatic Remediation
  • D. Remediation Suggestions
Answer: D

Votes: A 0, B 0, C 0, D 1
Question 10

What should you do to automatically convert leads into alerts after investigating a lead?

  • A. Lead threats can't be prevented in the future because they already exist in the environment.
  • B. Build a search query using Query Builder or XQL using a list of IOCs.
  • C. Create IOC rules based on the set of attribute-value pairs collected over the affected entities during the lead hunting.
  • D. Create BIOC rules based on the set of attribute-value pairs collected over the affected entities during the lead hunting.
Answer: C

Votes: A 0, B 0, C 1, D 1

Comments
6 months, 3 weeks ago

I believe this should be D.
Leads are not static IOCs.
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Research-a-Known-Threat#:~:text=Inspect%20the%20information%20again%2C%20and%20identify%20any%20characteristics%20you%20can%20use%20to%20Create%20a%20BIOC%20Rule%20or%20Create%20a%20Correlation%20Rule.

Page 1 out of 8
Viewing questions 1-10 out of 83