
Palo Alto Networks PSE-Cortex Palo Alto Networks System Engineer - Cortex Professional Exam Practice Test

Demo: 50 questions
Total 168 questions

Palo Alto Networks System Engineer - Cortex Professional Questions and Answers

Question 1

A test for a Microsoft exploit has been planned. After some research, Internet Explorer 11 CVE-2016-0189 has been selected and a module in Metasploit has been identified:

(exploit/windows/browser/ms16_051_vbscript)

The description and current configuration of the exploit are as follows:

What is the remaining configuration?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 2

Which statement applies to the malware protection flow in Cortex XDR Prevent?

Options:

A.

Local static analysis happens before a WildFire verdict check.

B.

In the final step, the block list is verified.

C.

A trusted signed file is exempt from local static analysis.

D.

Hash comparisons come after local static analysis.

Question 3

Why is Premium Customer Success an important part of any Cortex bill of materials?

Options:

A.

It provides full implementation services.

B.

It provides managed threat hunting

C.

It provides instructor-led training courses.

D.

It provides expert-led configuration guidance.

Question 4

Which feature of Cortex Xpanse allows it to identify previously unknown assets?

Options:

A.

Dynamic asset registration

B.

Scheduled network scanning

C.

Continuous internet scanning

D.

Active directory enumeration

Question 5

Why is reputation scoring important in the Threat Intelligence Module of Cortex XSOAR?

Options:

A.

It allows for easy comparison between open-source intelligence and paid services.

B.

It deconflicts prioritization when two vendors give different scores for the same indicator.

C.

It provides a mathematical model for combining scores from multiple vendors.

D.

It helps identify threat intelligence vendors with substandard content.

Question 6

A Cortex XSOAR customer wants to ingest emails from a single mailbox. The mailbox brings in reported phishing emails and email requests from human resources (HR) to onboard new users. The customer wants to run two separate workflows from this mailbox, one for phishing and one for onboarding.

What will allow Cortex XSOAR to accomplish this in the most efficient way?

Options:

A.

Create two instances of the email integration and classify one instance as ingesting incidents of type phishing and the other as ingesting incidents of type onboarding.

B.

Use an incident classifier based on a field in each type of email to classify those containing "Phish Alert" in the subject as phishing and those containing "Onboard Request" as onboarding.

C.

Create a playbook to process and determine incident type based on content of the email.

D.

Use machine learning (ML) to determine incident type.

Question 7

What are the key capabilities of the ASM for Remote Workers module?

Options:

A.

Monitoring endpoint activity, managing firewall rules, and mitigating cybersecurity threats

B.

Gathering endpoint data, conducting internal scans, and automating network configurations

C.

Identifying office network vulnerabilities, monitoring remote workforce, and encrypting data

D.

Analyzing global scan data, identifying risky issues on remote networks, and providing internal insights

Question 8

How does Cortex XSOAR automation save time when a phishing incident occurs?

Options:

A.

By developing an integration.

B.

By responding to management with risk scores

C.

By purging unopened phishing email from user mailboxes

D.

By emailing staff to inform them of phishing attack in advance

Question 9

Within Cortex XSIAM, how does the integration of Attack Surface Management (ASM) provide a unified approach to security event management that traditional SIEMs typically lack?

Options:

A.

By providing a queryable dataset of ASM data for threat hunting

B.

By offering dashboards on ASM data within the management console

C.

By manually correlating ASM data with security events

D.

By enriching incidents with ASM data for all internet-facing assets

Question 10

For which two purposes can Cortex XSOAR engines be deployed? (Choose two.)

Options:

A.

To execute recurring playbooks based on specific time schedules or changes to a feed

B.

To add processing resources for a heavily-used integration via load-balancing groups.

C.

To integrate with tools in a network location that the Cortex XSOAR server cannot reach directly

D.

To connect Cortex XSOAR to all required Palo Alto Networks resources such as the Cortex Gateway

Question 11

Which two Cortex XSOAR incident type features can be customized under Settings > Advanced > Incident Types? (Choose two.)

Options:

A.

adding new fields to an incident type

B.

setting reminders for an incident service level agreement

C.

defining whether a playbook runs automatically when an incident type is encountered

D.

dropping new incidents of the same type that contain similar information

Question 12

During the TMS instance activation, a tenant (Customer) provides the following information for the fields in the Activation - Step 2 of 2 window.

During the service instance provisioning which three DNS host names are created? (Choose three.)

Options:

A.

cc-xnet50.traps.paloaltonetworks.com

B.

hc-xnet50.traps.paloaltonetworks.com

C.

cc-xnet.traps.paloaltonetworks.com

D.

cc.xnet50traps.paloaltonetworks.com

E.

xnettraps.paloaltonetworks.com

F.

ch-xnet.traps.paloaltonetworks.com

Question 13

How does a clear understanding of a customer’s technical expertise assist in a hand off following the close of an opportunity?

Options:

A.

It enables customers to prepare for audits so they can demonstrate compliance.

B.

It helps in assigning additional technical tasks to the customer

C.

It allows implementation teams to bypass initial scoping exercises

D.

It enables post-sales teams to tailor their support and training appropriately

Question 14

The Cortex XDR management service requires which other Palo Alto Networks product?

Options:

A.

Directory Sync

B.

Cortex Data Lake

C.

Panorama

D.

Cortex XSOAR

Question 15

When a Demisto Engine is part of a Load-Balancing group, it:

Options:

A.

Must be in a Load-Balancing group with at least another 3 members

B.

It must have port 443 open to allow the Demisto Server to establish a connection

C.

Can be used separately as an engine, only if connected to the Demisto Server directly

D.

Cannot be used separately and does not appear in the engines drop-down menu when configuring an integration instance

Question 16

Which source provides data for Cortex XDR?

Options:

A.

VMware NSX

B.

Amazon Alexa rank indicator

C.

Cisco ACI

D.

Linux endpoints

Question 17

In the DBotScore context field, which context key would differentiate between multiple entries for the same indicator in a multi-TIP environment?

Options:

A.

Vendor

B.

Type

C.

Using

D.

Brand

Question 18

What is a key difference between audit users and full users in Cortex XSOAR?

Options:

A.

Audit users can only view incidents, while full users can edit system components.

B.

Full users can only view dashboards, while audit users can investigate incidents.

C.

Audit users have read-only permission, while full users have read-write permission.

D.

Audit users can run scripts and playbooks, while full users can only view reports.

Question 19

When integrating with Splunk, what will allow you to push alerts into Cortex XSOAR via the REST API?

Options:

A.

splunk-get-alerts integration command

B.

Cortex XSOAR TA App for Splunk

C.

SplunkSearch automation

D.

SplunkGO integration

Question 20

Which element displays an entire picture of an attack, including the root cause or delivery point?

Options:

A.

Cortex XSOAR Work Plan

B.

Cortex SOC Orchestrator

C.

Cortex Data Lake

D.

Cortex XDR Causality View

Question 21

A customer wants the main Cortex XSOAR server installed in one site and wants to integrate with three other technologies in a second site.

What communications are required between the two sites if the customer wants to install a Cortex XSOAR engine in the second site?

Options:

A.

The Cortex XSOAR server at the first site must be able to initiate a connection to the Cortex XSOAR engine at the second site.

B.

All connectivity is initiated from the Cortex XSOAR server on the first site via a managed cloud proxy.

C.

Dedicated site-to-site virtual private network (VPN) is required for the Cortex XSOAR server at the first site to initiate a connection to the Cortex XSOAR engine at the second site.

D.

The Cortex XSOAR engine at the first site must be able to initiate a connection to the Cortex XSOAR server at the second site.

Question 22

Given the integration configuration and error in the screenshot what is the cause of the problem?

Options:

A.

incorrect instance name

B.

incorrect Username and Password

C.

incorrect appliance port

D.

incorrect server URL

Question 23

What is the primary purpose of Cortex XSIAM’s machine learning led design?

Options:

A.

To group alerts into incidents for manual analysis

B.

To facilitate alert and log management without automation

C.

To effectively handle the bulk of incidents through automation

D.

To rely heavily on human-driven detection and remediation

Question 24

What is a requirement when integrating Cortex XSIAM or Cortex XDR with other Palo Alto Networks products?

Options:

A.

Advanced logging service license

B.

HTTP Collector

C.

Devices in the same region as XDR/XSIAM

D.

XDR/XSIAM Broker VM

Question 25

What is the size of the free Cortex Data Lake instance provided to a customer who has activated a TMS tenant, but has not purchased a Cortex Data Lake instance?

Options:

A.

10 GB

B.

1 TB

C.

10 TB

D.

100 GB

Question 26

Which Cortex XDR capability extends investigations to an endpoint?

Options:

A.

Log Stitching

B.

Causality Chain

C.

Sensors

D.

Live Terminal

Question 27

What is the difference between the intel feed’s license quotas of Cortex XSOAR Starter Edition and Cortex XSOAR (SOAR + TIM)?

Options:

A.

Cortex XSOAR Starter Edition has unlimited access to the Threat Intel Library.

B.

In Cortex XSOAR (SOAR + TIM), Unit 42 Intelligence is not included.

C.

In Cortex XSOAR (SOAR + TIM), intelligence detail view and relationships data are not included.

D.

Cortex XSOAR Starter Edition includes up to 5 active feeds and 100 indicators/fetch.

Question 28

Cortex XSOAR has extracted a malicious Internet Protocol (IP) address involved in command-and-control (C2) traffic.

What is the best method to block this IP from communicating with endpoints without requiring a configuration change on the firewall?

Options:

A.

Have XSOAR automatically add the IP address to a threat intelligence management (TIM) malicious IP list to elevate priority of future alerts.

B.

Have XSOAR automatically add the IP address to a deny rule in the firewall.

C.

Have XSOAR automatically add the IP address to an external dynamic list (EDL) used by the firewall.

D.

Have XSOAR automatically create a NetOps ticket requesting a configuration change to the firewall to block the IP.

Question 29

Which integration allows data to be pushed from Cortex XSOAR into Splunk?

Options:

A.

ArcSight ESM integration

B.

SplunkUpdate integration

C.

Demisto App for Splunk integration

D.

SplunkPY integration

Question 30

Which consideration should be taken into account before deploying Cortex XSOAR?

Options:

A.

Which cybersecurity framework to implement for Secure Operations Center (SOC) operations

B.

Whether communication with internal or external applications is required

C.

How to configure network firewalls for optimal performance

D.

Which endpoint protection software to integrate with Cortex XSOAR

Question 31

Which statement applies to the malware protection flow of the endpoint agent in Cortex XSIAM?

Options:

A.

A file from an allowed signer is exempt from local analysis.

B.

Local analysis always happens before a WildFire verdict check.

C.

Hash comparisons come after local static analysis.

D.

The block list is verified in the final step.

Question 32

What is the difference between an exception and an exclusion?

Options:

A.

An exception is based on rules and exclusions are on alerts

B.

An exclusion is based on rules and exceptions are based on alerts.

C.

An exception does not exist

D.

An exclusion does not exist

Question 33

Which two types of indicators of compromise (IOCs) are available for creation in Cortex XDR? (Choose two.)

Options:

A.

registry

B.

file path

C.

hash

D.

hostname

Question 34

Which two filter operators are available in Cortex XDR? (Choose two.)

Options:

A.

< >

B.

Contains

C.

=

D.

Is Contained By

Question 35

A prospective customer is interested in Cortex XDR but is unable to run a product evaluation.

Which tool can be used instead to showcase Cortex XDR?

Options:

A.

Test Flight

B.

War Game

C.

Tech Rehearsal

D.

Capture the Flag

Question 36

Which CLI query would bring back Notable Events from Splunk?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 37

Which command-line interface (CLI) query would retrieve the last three Splunk events?

Options:

A.

!search using=splunk_instance_1 query="* | last 3"

B.

!search using=splunk_instance_1 query="* | 3"

C.

!query using=splunk_instance_1 query="* | last 3"

D.

!search using=splunk_instance_1 query="* | head 3"

Question 38

What should be configured for a Cortex XSIAM customer who wants to automate the response to certain alerts?

Options:

A.

Playbook triggers

B.

Correlation rules

C.

Incident scoring

D.

Data model rules

Question 39

Which two troubleshooting steps should be taken when an integration is failing to connect? (Choose two.)

Options:

A.

Ensure the playbook is set to run in quiet mode to minimize CPU usage and suppress errors

B.

Confirm the integration credentials or API keys are valid.

C.

Check the integration logs and, if needed, enable a higher logging level to view the specific error.

D.

Confirm there are no dashboards or reports configured to use that integration instance.

Question 40

What is the function of reputation scoring in the Threat Intelligence Module of Cortex XSIAM?

Options:

A.

It provides a statistical model for combining scores from multiple vendors

B.

It resolves conflicting scores from different vendors with the same indicator.

C.

It allows for comparison between open-source intelligence and paid services.

D.

It helps identify threat feed vendors with invalid content.

Question 41

In Cortex XDR Prevent, which three matching criteria can be used to dynamically group endpoints? (Choose three.)

Options:

A.

alert root cause

B.

hostname

C.

domain/workgroup membership

D.

OS

E.

presence of Flash executable

Question 42

What is a benefit of user entity behavior analytics (UEBA) over security information and event management (SIEM)?

Options:

A.

SIEMs support only agentless scanning, not agent-based workload protection across VMs, containers/Kubernetes.

B.

UEBA can add trusted signers of Windows or Mac processes to a whitelist in the Endpoint Security Manager (ESM) Console.

C.

SIEMs have difficulty detecting unknown or advanced security threats that do not involve malware, such as credential theft.

D.

UEBA establishes a secure connection in which endpoints can be routed, and it collects and forwards logs and files for analysis.

Question 43

Which Cortex XSIAM feature can be used to onboard data sources?

Options:

A.

Marketplace Integration

B.

Playbook

C.

Data Ingestion Dashboard

D.

Asset Inventory

Question 44

What does Cortex Xpanse ingest from XDR endpoints?

Options:

A.

MAC addresses

B.

User-agent data

C.

Public IP addresses

D.

Hostnames

Question 45

A prospect has agreed to do a 30-day POC and asked to integrate with a product that Demisto currently does not have an integration with. How should you respond?

Options:

A.

Extend the POC window to allow the solution architects to build it

B.

Tell them we can build it with Professional Services.

C.

Tell them custom integrations are not created as part of the POC

D.

Agree to build the integration as part of the POC

Question 46

An adversary attempts to communicate with malware running on a network in order to control malware activities or to exfiltrate data from the network.

Which Cortex XDR Analytics alert will this activity most likely trigger?

Options:

A.

uncommon local scheduled task creation

B.

malware

C.

new administrative behavior

D.

DNS Tunneling

Question 47

Cortex XSOAR has extracted a malicious IP address involved in command-and-control traffic.

What is the best method to automatically block this IP from communicating with endpoints without requiring a configuration change on the firewall?

Options:

A.

Create a NetOps ticket requesting a configuration change to the firewall to block the IP.

B.

Add the IP address to an external dynamic list used by the firewall.

C.

Add the IP address to a threat intelligence management malicious IP list to elevate priority of future alerts.

D.

Block the IP address by creating a deny rule in the firewall.

Question 48

Which two methods does the Cortex XDR agent use to identify malware during a scheduled scan? (Choose two.)

Options:

A.

WildFire hash comparison

B.

heuristic analysis

C.

signature comparison

D.

dynamic analysis

Question 49

What is the primary mechanism for the attribution of attack surface data in Cortex Xpanse?

Options:

A.

Active scanning with network-installed agents

B.

Dark web monitoring

C.

Customer-provided asset inventory lists

D.

Scanning from public internet data sources

Question 50

Which statement applies to the differentiation of Cortex XDR from security information and event management (SIEM)?

Options:

A.

SIEM has access to raw logs from agents, where Cortex XDR traditionally only gets alerts.

B.

Cortex XDR allows just logging into the console and out of the box the events were blocked as a proactive approach.

C.

Cortex XDR requires a large and diverse team of analysts and up to several weeks for simple actions like creating an alert.

D.

SIEM has been entirely designed and built as cloud-native, with the ability to stitch together cloud logs, on-premises logs, third-party logs, and endpoint logs.
