Which components may be included in a Cortex XDR content update?
A. Device control profiles, agent versions, and kernel support
B. Behavioral Threat Protection (BTP) rules and local analysis logic
C. Antivirus definitions and agent versions
D. Firewall rules and antivirus definitions
When onboarding a Palo Alto Networks NGFW to Cortex XDR, what must be done to confirm that logs are being ingested successfully after a device is selected and verified?
A. Conduct an XQL query for NGFW log data
B. Wait for an incident that involves the NGFW to populate
C. Confirm that the selected device has a valid certificate
D. Retrieve device certificate from NGFW dashboard
Which action is being taken with the query below?
dataset = xdr_data
| fields agent_hostname, _time, _product
| comp latest as latest_time by agent_hostname, _product
| join type=inner (dataset = endpoints
| fields endpoint_name, endpoint_status, endpoint_type) as lookup lookup.endpoint_name = agent_hostname
| filter endpoint_status = ENUM.CONNECTED
| fields agent_hostname, endpoint_status, latest_time, _product
A. Monitoring the latest activity of endpoints
B. Identifying endpoints that have disconnected from the network
C. Monitoring the latest activity of connected firewall endpoints
D. Checking for endpoints with outdated agent versions
When isolating Cortex XDR agent components to troubleshoot for compatibility, which command is used to turn off a component on a Windows machine?
A. "C:\Program Files\Palo Alto Networks\Traps\xdr.exe" stop
B. "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime stop
C. "C:\Program Files\Palo Alto Networks\Traps\xdr.exe" -s stop
D. "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" occp
How are dynamic endpoint groups created and managed in Cortex XDR?
A. Endpoint groups require intervention to update the group with new endpoints when a new device is added to the network
B. Each endpoint can belong to multiple groups simultaneously, allowing different security policies to be applied to the same device at the same time
C. After an endpoint group is created, its assigned security policy cannot be changed without deleting and recreating the group
D. Endpoint groups are defined based on fields such as OS type, OS version, and network segment
A correlation rule is created to detect potential insider threats by correlating user login events from one dataset with file access events from another dataset. The rule must retain all user login events, even if there are no matching file access events, to ensure no login activity is missed.
dataset = x
| join (dataset = y)
Which type of join is required to maintain all records from dataset x, even if there are no matching events from dataset y?
A. Inner
B. Left
C. Right
D. Outer
An XDR engineer is configuring an automation playbook to respond to high-severity malware alerts by automatically isolating the affected endpoint and notifying the security team via email. The playbook should only trigger for alerts generated by the Cortex XDR analytics engine, not custom BIOCs. Which two conditions should the engineer include in the playbook trigger to meet these requirements? (Choose two.)
A. Alert severity is High
B. Alert source is Cortex XDR Analytics
C. Alert category is Malware
D. Alert status is New
What will enable a custom prevention rule to block specific behavior?
A. A correlation rule added to an Agent Blocking profile
B. A custom behavioral indicator of compromise (BIOC) added to an Exploit profile
C. A custom behavioral indicator of compromise (BIOC) added to a Restriction profile
D. A correlation rule added to a Malware profile
What is the earliest time frame an alert could be automatically generated once the conditions of a new correlation rule are met?
A. Between 30 and 45 minutes
B. Immediately
C. 5 minutes or less
D. Between 10 and 20 minutes
The most recent Cortex XDR agents are being installed at a newly acquired company. A list with endpoint types (i.e., OS, hardware, software) is provided to the engineer. What should be cross-referenced for the Linux systems listed regarding the OS types and OS versions supported?
A. Content Compatibility Matrix
B. Kernel Module Version Support
C. End-of-Life Summary
D. Agent Installer Certificate
What happens when the XDR Collector is uninstalled from an endpoint by using the Cortex XDR console?
A. The files are removed immediately, and the machine is deleted from the system without any retention period
B. The machine status remains active until manually removed, and the configuration data is retained for up to seven days
C. It is uninstalled during the next heartbeat communication, machine status changes to Uninstalled, and the configuration data is retained for 90 days
D. The associated configuration data is removed from the Action Center immediately after uninstallation
How can a customer ingest additional events from a Windows DHCP server into Cortex XDR with minimal configuration?
A. Activate Windows Event Collector (WEC)
B. Install the XDR Collector
C. Enable HTTP collector integration
D. Install the Cortex XDR agent
Real-World Scenario Mastery: Our XDR-Engineer practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.
Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before Palo Alto Networks XDR Engineer exam day arrives.
Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive XDR-Engineer practice exam questions pool covering all topics, the real exam feels like just another practice session.