PCDRA Free Questions

Question #1

When using the “File Search and Destroy” feature, which of the following search hash type is supported?

A . SHA256 hash of the file
B . AES256 hash of the file
C . MD5 hash of the file
D . SHA1 hash of the file

Reveal Solution Hide Solution

Question #2

When creating a BIOC rule, which XQL query can be used?

A . dataset = xdr_data
| filter event_sub_type = PROCESS_START and
action_process_image_name ~= ".*?.(?:pdf|docx).exe"
B . dataset = xdr_data
| filter event_type = PROCESS and
event_sub_type = PROCESS_START and
action_process_image_name ~= ".*?.(?:pdf|docx).exe"
C . dataset = xdr_data
| filter action_process_image_name ~= ".*?.(?:pdf|docx).exe"
| fields action_process_image
D . dataset = xdr_data
| filter event_behavior = true
event_sub_type = PROCESS_START and
action_process_image_name ~= ".*?.(?:pdf|docx).exe"

Reveal Solution Hide Solution

Question #3

In incident-related widgets, how would you filter the display to only show incidents that were “starred”?

A . Create a custom XQL widget
B . This is not currently supported
C . Create a custom report and filter on starred incidents
D . Click the star in the widget

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

To filter the display to only show incidents that were “starred”, you need to click the star in the widget. This will apply a filter that shows only the incidents that contain a starred alert, which is an alert that matches a specific condition that you define in the incident starring configuration. You can use the incident starring feature to prioritize and focus on the most important or relevant incidents in your environment1.

Let’s briefly discuss the other options to provide a comprehensive explanation:

A) Create a custom XQL widget: This is not the correct answer. Creating a custom XQL widget is not necessary to filter the display to only show starred incidents. A custom XQL widget is a widget that you create by using the XQL query language to define the data source and the visualization type. You can use custom XQL widgets to create your own dashboards or reports, but they are not required for filtering incidents by stars2.

B) This is not currently supported: This is not the correct answer. Filtering the display to only show starred incidents is currently supported by Cortex XDR. You can use the star icon in the widget to apply this filter, or you can use the Filter Builder to create a custom filter based on the Starred field1.

C) Create a custom report and filter on starred incidents: This is not the correct answer. Creating a custom report and filtering on starred incidents is not the only way to filter the display to only show starred incidents. A custom report is a report that you create by using the Report Builder to define the data source, the layout, and the schedule. You can use custom reports to generate and share periodic reports on your Cortex XDR data, but they are not the only option for filtering incidents by stars3.

In conclusion, clicking the star in the widget is the simplest and easiest way to filter the display to only show incidents that were “starred”. By using this feature, you can quickly identify and focus on the most critical or relevant incidents in your environment.

Reference: Filter Incidents by Stars

Create a Custom XQL Widget

Create a Custom Report

Question #4

Which built-in dashboard would be the best option for an executive, if they were looking for the Mean Time to Resolution (MTTR) metric?

A . Security Manager Dashboard
B . Data Ingestion Dashboard
C . Security Admin Dashboard
D . Incident Management Dashboard

Reveal Solution Hide Solution

Question #5

With a Cortex XDR Prevent license, which objects are considered to be sensors?

A . Syslog servers
B . Third-Party security devices
C . Cortex XDR agents
D . Palo Alto Networks Next-Generation Firewalls

Reveal Solution Hide Solution

Question #6

How does Cortex XDR agent for Windows prevent ransomware attacks from compromising the file system?

A . by encrypting the disk first.
B . by utilizing decoy Files.
C . by retrieving the encryption key.
D . by patching vulnerable applications.

Reveal Solution Hide Solution

Question #7

Which statement is true based on the following Agent Auto Upgrade widget?

A . There are a total of 689 Up To Date agents.
B . Agent Auto Upgrade was enabled but not on all endpoints.
C . Agent Auto Upgrade has not been enabled.
D . There are more agents in Pending status than In Progress status.

Reveal Solution Hide Solution

Question #8

In Windows and macOS you need to prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer.

What is one way to add an exception for the singer?

A . In the Restrictions Profile, add the file name and path to the Executable Files allow list.
B . Create a new rule exception and use the singer as the characteristic.
C . Add the signer to the allow list in the malware profile.
D . Add the signer to the allow list under the action center page.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer in Windows and macOS, one way to add an exception for the signer is to add the signer to the allow list in the malware profile. A malware profile is a profile that defines the settings and actions for malware prevention and detection on the endpoints. A malware profile allows you to specify a list of files, folders, or signers that you want to exclude from malware scanning and blocking. By adding the signer to the allow list in the malware profile, you can prevent the Cortex XDR Agent from blocking any file that is signed by that signer1.

Let’s briefly discuss the other options to provide a comprehensive explanation:

A) In the Restrictions Profile, add the file name and path to the Executable Files allow list: This is not the correct answer. Adding the file name and path to the Executable Files allow list in the Restrictions Profile will not prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. A Restrictions Profile is a profile that defines the settings and actions for restricting the execution of files or processes on the endpoints. A Restrictions Profile allows you to specify a list of executable files that you want to allow or block based on the file name and path. However, this method does not take into account the digital signer of the file, and it may not be effective if the file name or path changes2.

B) Create a new rule exception and use the signer as the characteristic: This is not the correct answer. Creating a new rule exception and using the signer as the characteristic will not prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. A rule exception is an exception that you can create to modify the behavior of a specific prevention rule or BIOC rule. A rule exception allows you to specify the characteristics and the actions that you want to apply to the exception, such as file hash, process name, IP address, or domain name. However, this method does not support using the signer as a characteristic, and it may not be applicable to all prevention rules or BIOC rules3.

D) Add the signer to the allow list under the action center page: This is not the correct answer. Adding the signer to the allow list under the action center page will not prevent the Cortex XDR Agent from blocking execution of a file based on the digital signer. The action center page is a page that allows you to create and manage actions that you can perform on your endpoints, such as isolating, scanning, collecting files, or executing scripts. The action center page does not have an option to add a signer to the allow list, and it is not related to the malware prevention or detection functionality4.

In conclusion, to prevent the Cortex XDR Agent from blocking execution of a file based on the digital

signer in Windows and macOS, one way to add an exception for the signer is to add the signer to the allow list in the malware profile. By using this method, you can exclude the files that are signed by the trusted signer from the malware scanning and blocking.

Reference: Add a New Malware Security Profile

Add a New Restrictions Security Profile

Create a Rule Exception

Action Center

Question #9

Which type of BIOC rule is currently available in Cortex XDR?

A . Threat Actor
B . Discovery
C . Network
D . Dropper

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The type of BIOC rule that is currently available in Cortex XDR is Discovery. A Discovery BIOC rule is a rule that detects suspicious or malicious behavior on endpoints based on the Cortex XDR data. A Discovery BIOC rule can use various event types, such as file, injection, load image, network, process, registry, or user, to define the criteria for the rule. A Discovery BIOC rule can also use operators, functions, and variables to create complex logic and conditions for the rule. A Discovery BIOC rule can generate alerts when the rule is triggered, and these alerts can be grouped into incidents for further investigation and response12.

Let’s briefly discuss the other options to provide a comprehensive explanation:

A) Threat Actor: This is not the correct answer. Threat Actor is not a type of BIOC rule that is currently available in Cortex XDR. Threat Actor is a term that refers to an individual or a group that is responsible for a cyberattack or a threat campaign. Cortex XDR does not support creating BIOC rules based on threat actors, but it can provide threat intelligence and context from various sources, such as Unit 42, AutoFocus, or Cortex XSOAR3.

C) Network: This is not the correct answer. Network is not a type of BIOC rule that is currently available in Cortex XDR. Network is an event type that can be used in a Discovery BIOC rule to define the criteria based on network attributes, such as source IP, destination IP, source port, destination port, protocol, or domain. Network is not a standalone type of BIOC rule, but a part of the Discovery BIOC rule2.

D) Dropper: This is not the correct answer. Dropper is not a type of BIOC rule that is currently available in Cortex XDR. Dropper is a term that refers to a type of malware that is designed to download and install other malicious files or programs on a compromised system. Cortex XDR does not support creating BIOC rules based on droppers, but it can detect and prevent droppers using various methods, such as behavioral threat protection, exploit prevention, or WildFire analysis4. In conclusion, the type of BIOC rule that is currently available in Cortex XDR is Discovery. By using Discovery BIOC rules, you can create custom detection rules that match your specific use cases and scenarios.

Reference: Create a BIOC Rule BIOC Rule Event Types

Threat Intelligence and Context

Malware Prevention

[email protected]

Monday - Sunday 9:00am - 6:00pm

Paloalto Networks PCDRA Real Exam Questions

The questions for PCDRA were last updated at Dec 18,2024.

[email protected]

Monday - Sunday 9:00am - 6:00pm