

PSE-Cortex Palo Alto Networks System Engineer - Cortex Professional Question and Answers

Question # 4

Which attack method is a result of techniques designed to gain access through vulnerabilities in the code of an operating system (OS) or application?

A.

exploit

B.

malware

C.

phishing

D.

ransomware

Question # 5

When a Demisto Engine is part of a Load-Balancing group, it:

A.

Must be in a Load-Balancing group with at least another 3 members

B.

It must have port 443 open to allow the Demisto Server to establish a connection

C.

Can be used separately as an engine, only if connected to the Demisto Server directly

D.

Cannot be used separately and does not appear in the engines drop-down menu when configuring an integration instance

Question # 6

Which two Cortex XSOAR incident type features can be customized under Settings > Advanced > Incident Types? (Choose two.)

A.

adding new fields to an incident type

B.

setting reminders for an incident service level agreement

C.

defining whether a playbook runs automatically when an incident type is encountered

D.

dropping new incidents of the same type that contain similar information

Question # 7

Which consideration should be taken into account before deploying Cortex XSOAR?

A.

Which cybersecurity framework to implement for Security Operations Center (SOC) operations

B.

Whether communication with internal or external applications is required

C.

How to configure network firewalls for optimal performance

D.

Which endpoint protection software to integrate with Cortex XSOAR

Question # 8

Why is reputation scoring important in the Threat Intelligence Module of Cortex XSOAR?

A.

It allows for easy comparison between open-source intelligence and paid services.

B.

It deconflicts prioritization when two vendors give different scores for the same indicator.

C.

It provides a mathematical model for combining scores from multiple vendors.

D.

It helps identify threat intelligence vendors with substandard content.

Question # 9

What is the result of creating an exception from an exploit security event?

A.

Administrators are exempt from generating alerts for 24 hours.

B.

Process from WildFire analysis is whitelisted.

C.

Triggered exploit protection module (EPM) for the host and process involved is disabled.

D.

User is exempt from generating events for 24 hours.

Question # 10

Which two items are stitched to the Cortex XDR causality chain? (Choose two.)

A.

firewall alert

B.

SIEM alert

C.

full URL

D.

registry set value

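Added example (not from the exam page and not Palo Alto Networks code): a minimal model of what "stitching" means, where every non-process event is attached to the chain of processes that produced it, walked back to the causality group owner (CGO). The pids, image names, registry key and alert are constructed, and the firewall alert is assumed to have already been attributed to a pid, which stands in for the network-connection-to-process matching the product performs.

```python
from typing import Dict, List

# Constructed sample telemetry (invented pids and images, not real Cortex XDR records).
# Process starts carry pid/ppid; the registry write and firewall alert carry the pid
# of the process that caused them.
EVENTS = [
    {"id": 1, "type": "process_start", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"id": 2, "type": "process_start", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"id": 3, "type": "process_start", "pid": 300, "ppid": 200, "image": "powershell.exe"},
    {"id": 4, "type": "registry_set_value", "pid": 300,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "updater"},
    {"id": 5, "type": "firewall_alert", "pid": 300, "dst": "203.0.113.7:443", "rule": "c2-beacon"},
    {"id": 6, "type": "process_start", "pid": 400, "ppid": 1, "image": "svchost.exe"},
]

SYSTEM_PID = 1  # assumption: ppid 1 marks a process launched by the OS itself


def build_process_tree(events: List[dict]) -> Dict[int, dict]:
    """Index process_start events by pid so any event's pid can be walked to its ancestors."""
    return {e["pid"]: e for e in events if e["type"] == "process_start"}


def causality_group_owner(tree: Dict[int, dict], pid: int) -> int:
    """Follow ppid links until the parent is the system root or unknown; that process
    is the causality group owner (CGO) that everything below it is stitched to."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        parent = tree[pid]["ppid"]
        if parent == SYSTEM_PID or parent not in tree:
            return pid
        pid = parent
    return pid  # pid with no process_start record: treated as its own group


def causality_chain(events: List[dict], event_id: int) -> List[str]:
    """Image names from the CGO down to the process that produced the given event."""
    tree = build_process_tree(events)
    ev = next(e for e in events if e["id"] == event_id)
    chain, pid, seen = [], ev["pid"], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid]["image"])
        pid = tree[pid]["ppid"]
    return list(reversed(chain))


def stitch(events: List[dict]) -> Dict[int, List[int]]:
    """Group every event id (process starts, registry writes, firewall alerts) under its CGO."""
    tree = build_process_tree(events)
    groups: Dict[int, List[int]] = {}
    for e in sorted(events, key=lambda e: e["id"]):
        groups.setdefault(causality_group_owner(tree, e["pid"]), []).append(e["id"])
    return groups


if __name__ == "__main__":
    for cgo, ids in stitch(EVENTS).items():
        print(f"CGO pid {cgo}: events {ids}")
    print(" > ".join(causality_chain(EVENTS, 4)), "-> registry_set_value")
```

The registry write (event 4) and the firewall alert (event 5) both land in the explorer.exe group rather than appearing as two unrelated alerts, which is the analyst-facing effect of stitching: one chain to triage instead of several disconnected signals.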
Question # 11

A prospect has agreed to do a 30-day POC and asked to integrate with a product that Demisto currently does not have an integration with. How should you respond?

A.

Extend the POC window to allow the solution architects to build it

B.

Tell them we can build it with Professional Services.

C.

Tell them custom integrations are not created as part of the POC

D.

Agree to build the integration as part of the POC

Question # 12

Which type of log is ingested natively in Cortex XDR Pro per TB?

A.

Google Kubernetes Engine

B.

Demisto

C.

Docker

D.

Microsoft Office 365

Question # 13

Which two entities can be created as a behavioral indicator of compromise (BIOC)? (Choose two.)

A.

process

B.

data

C.

event alert

D.

network

Question # 14

Which service helps identify attackers by combining world-class threat intelligence with Cortex XSIAM technology?

A.

Virtual Desktop Infrastructure

B.

Managed Threat Hunting

C.

Threat Intelligence Platform

D.

Cloud Identity Engine

Question # 15

An administrator of a Cortex XDR protected production environment would like to test its ability to protect users from a known flash player exploit.

What is the safest way to do it?

A.

The administrator should attach a copy of the weaponized flash file to an email, send the email to a selected group of employees, and monitor the Events tab on the Cortex XDR console.

B.

The administrator should use the Cortex XDR tray icon to confirm his corporate laptop is fully protected then open the weaponized flash file on his machine, and monitor the Events tab on the Cortex XDR console.

C.

The administrator should create a non-production Cortex XDR test environment that accurately represents the production environment, introduce the weaponized flash file, and monitor the Events tab on the Cortex XDR console.

D.

The administrator should place a copy of the weaponized flash file on several USB drives, scatter them around the office, and monitor the Events tab on the Cortex XDR console.

Question # 16

In addition to migration and go-live, what are two best-practice steps for migrating from SIEM to Cortex XSIAM? (Choose two.)

A.

Execution

B.

Certification

C.

Conclusion

D.

Testing

Question # 17

Rearrange the steps into the correct order for modifying an incident layout.

Question # 18

An EDR project was initiated by a CISO. Which resource will likely have the heaviest influence on the project?

A.

desktop engineer

B.

SOC manager

C.

SOC analyst IT

D.

operations manager

Question # 19

Which source provides data for Cortex XDR?

A.

VMware NSX

B.

Amazon Alexa rank indicator

C.

Cisco ACI

D.

Linux endpoints

Question # 20

Which feature of Cortex Xpanse allows it to identify previously unknown assets?

A.

Dynamic asset registration

B.

Scheduled network scanning

C.

Continuous internet scanning

D.

Active directory enumeration

Question # 21

In Cortex XDR Prevent, which three matching criteria can be used to dynamically group endpoints? (Choose three.)

A.

Domain/workgroup membership

B.

quarantine status

C.

hostname

D.

OS

E.

attack threat intelligence tag

Question # 22

Which four types of Traps logs are stored within Cortex Data Lake?

A.

Threat, Config, System, Data

B.

Threat, Config, System, Analytic

C.

Threat, Monitor, System, Analytic

D.

Threat, Config, Authentication, Analytic

Question # 23

An antivirus refresh project was initiated by the IT operations executive. Who is the best source for discussion about the project's operational considerations?

A.

endpoint manager

B.

SOC manager

C.

SOC analyst

D.

desktop engineer

Question # 24

Which two areas of Cortex XDR are used for threat hunting activities? (Choose two.)

A.

indicators of compromise (IOC) rules

B.

query builder

C.

live terminal

D.

host insights module

Question # 25

A Cortex XSOAR customer wants to ingest emails from a single mailbox. The mailbox brings in reported phishing emails and email requests from human resources (HR) to onboard new users. The customer wants to run two separate workflows from this mailbox, one for phishing and one for onboarding.

What will allow Cortex XSOAR to accomplish this in the most efficient way?

A.

Create two instances of the email integration and classify one instance as ingesting incidents of type phishing and the other as ingesting incidents of type onboarding.

B.

Use an incident classifier based on a field in each type of email to classify those containing "Phish Alert" in the subject as phishing and those containing "Onboard Request" as onboarding.

C.

Create a playbook to process and determine incident type based on content of the email.

D.

Use machine learning (ML) to determine incident type.

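Added example (not from the exam page and not Cortex XSOAR's own classifier code, which is configured in the UI rather than written): a stand-alone Python model of classifying by a field of the email, routing on the subject line. It also shows the check a practitioner would add: the onboarding route additionally requires the message to come from the HR mailbox, because a subject line is attacker-controlled and "Onboard Request" in a phishing email must not put it on the onboarding playbook. The HR address, domains and sample messages are constructed.

```python
import re
from typing import Dict, List

# Constructed values: the HR sender and the sample mailbox contents are invented.
HR_SENDER = "hr@corp.example"

# Ordered rules: first match wins. Phishing reports may come from anyone; an onboarding
# request is only trusted when the sender field is the HR mailbox.
RULES = [
    {"type": "Phishing", "subject": re.compile(r"\bphish alert\b", re.I), "sender": None},
    {"type": "Onboarding", "subject": re.compile(r"\bonboard request\b", re.I), "sender": HR_SENDER},
]
DEFAULT_TYPE = "Unclassified"  # lands in the default incident type for manual triage

SAMPLE_EMAILS = [
    {"from": "asmith@corp.example", "subject": "FW: Phish Alert - invoice from unknown vendor"},
    {"from": HR_SENDER, "subject": "Onboard Request: J. Doe, starts next Monday"},
    {"from": "recruit@evil.example", "subject": "Onboard Request: please add my account"},
    {"from": "cafe@corp.example", "subject": "This week's lunch menu"},
]


def classify(email: dict) -> str:
    """Return the incident type for one email, or DEFAULT_TYPE when no rule applies."""
    for rule in RULES:
        if not rule["subject"].search(email["subject"]):
            continue
        if rule["sender"] is not None and email["from"].lower() != rule["sender"]:
            continue  # right subject, wrong sender: do not trust it for this route
        return rule["type"]
    return DEFAULT_TYPE


def classify_all(emails: List[dict]) -> Dict[str, List[str]]:
    """Bucket subjects by incident type, mirroring one mailbox feeding two workflows."""
    buckets: Dict[str, List[str]] = {}
    for email in emails:
        buckets.setdefault(classify(email), []).append(email["subject"])
    return buckets


if __name__ == "__main__":
    for incident_type, subjects in classify_all(SAMPLE_EMAILS).items():
        print(incident_type, subjects)
```

The sender check is a simplification: a real deployment would verify the sending domain's SPF/DKIM result rather than the From header alone, which is trivially spoofable.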
Question # 26

How does the integration between Cortex Xpanse and Cortex XSOAR benefit security teams?

A.

By enhancing firewall rule management

B.

By enabling automatic incident response actions for internet-based incidents

C.

By providing real-time threat intelligence feeds

D.

By automating endpoint detection and response (EDR) processes

Question # 27

Which Cortex XSIAM license is required if an organization needs to protect a cloud Kubernetes host?

A.

Attack Surface Management

B.

Cortex XSIAM Enterprise

C.

Identity Threat Detection and Response

D.

Cortex XSIAM Enterprise Plus

Question # 28

Which option describes a Load-Balancing Engine Group?

A.

A group of engines that use an algorithm to efficiently share the workload for integrations

B.

A group of engines that ensure High Availability of Demisto backend databases.

C.

A group of engines that use an algorithm to efficiently share the workload for automation scripts

D.

A group of D2 agents that share processing power across multiple endpoints

Question # 29

What should be configured for a Cortex XSIAM customer who wants to automate the response to certain alerts?

A.

Playbook triggers

B.

Correlation rules

C.

Incident scoring

D.

Data model rules

Question # 30

Which integration allows data to be pushed from Cortex XSOAR into Splunk?

A.

ArcSight ESM integration

B.

SplunkUpdate integration

C.

Demisto App for Splunk integration

D.

SplunkPY integration

Question # 31

What is a benefit of user entity behavior analytics (UEBA) over security information and event management (SIEM)?

A.

SIEMs support only agentless scanning, not agent-based workload protection across VMs, containers, and Kubernetes.

B.

UEBA can add trusted signers of Windows or Mac processes to a whitelist in the Endpoint Security Manager (ESM) Console.

C.

SIEMs have difficulty detecting unknown or advanced security threats that do not involve malware, such as credential theft.

D.

UEBA establishes a secure connection in which endpoints can be routed, and it collects and forwards logs and files for analysis.

Question # 32

An administrator is alerted to a Suspicious Process Creation security event from multiple users.

The users believe that these events are false positives. Which two steps should the administrator take to confirm the false positives and create an exception? (Choose two.)

A.

With the Malware Security profile, disable the "Prevent Malicious Child Process Execution" module

B.

Within the Malware Security profile add the specific parent process, child process, and command line argument to the child process whitelist

C.

In the Cortex XDR security event, review the specific parent process, child process, and command line arguments

D.

Contact support and ask for a security exception.

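Added example (not from the exam page and not Cortex XDR's own policy engine): a small model of why the narrow exception (parent process, child process and command line together) is the right fix and disabling the whole module is not. The images, command lines and allowlist entry are constructed; matching the command line as a full regex is an assumption about how strict such an entry should be, not a statement of how the product stores it.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class ChildProcessException:
    """One allowlist entry: parent image, child image and a regex the full command line must match."""
    parent: str
    child: str
    cmdline_pattern: str

    def matches(self, event: dict) -> bool:
        # Image names are compared case-insensitively (Windows paths); the command line
        # must match in full, so a different script or flag set is not covered.
        return (
            event["parent"].lower() == self.parent.lower()
            and event["child"].lower() == self.child.lower()
            and re.fullmatch(self.cmdline_pattern, event["cmdline"]) is not None
        )


# Constructed exception: the reviewed, legitimate Outlook -> PowerShell launch.
EXCEPTIONS = [
    ChildProcessException(
        parent="outlook.exe",
        child="powershell.exe",
        cmdline_pattern=r"-NoProfile -File C:\\Scripts\\mailboxcleanup\.ps1",
    ),
]

# Constructed events: the known-good launch, an encoded-command launch from the same
# parent, and the same script launched from a parent nobody reviewed.
EVENTS = [
    {"parent": "OUTLOOK.EXE", "child": "powershell.exe",
     "cmdline": r"-NoProfile -File C:\Scripts\mailboxcleanup.ps1"},
    {"parent": "outlook.exe", "child": "powershell.exe",
     "cmdline": "-nop -w hidden -enc SQBFAFgA"},
    {"parent": "winword.exe", "child": "powershell.exe",
     "cmdline": r"-NoProfile -File C:\Scripts\mailboxcleanup.ps1"},
]


def verdict(event: dict, exceptions: List[ChildProcessException], module_enabled: bool = True) -> str:
    """'allow' if an exception covers the event, else 'block'. With the module disabled
    everything is allowed, which is the over-broad option a practitioner avoids."""
    if not module_enabled:
        return "allow"
    return "allow" if any(x.matches(event) for x in exceptions) else "block"


def verdicts(events: List[dict], exceptions: List[ChildProcessException], module_enabled: bool = True) -> List[str]:
    return [verdict(e, exceptions, module_enabled) for e in events]


if __name__ == "__main__":
    print("with exception:  ", verdicts(EVENTS, EXCEPTIONS))
    print("module disabled: ", verdicts(EVENTS, EXCEPTIONS, module_enabled=False))
```

Only the reviewed triple is allowed; the encoded-command launch from the same parent and the same script from a different parent are still blocked. Disabling the module lets all three through.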
Question # 33

Where is the best place to find official resource material?

A.

Online forums

B.

Video series

C.

Administrator's guide

D.

Technical blogs

Question # 34

How does an "inline" auto-extract task affect playbook execution?

A.

Doesn't wait until the indicators are enriched and continues executing the next step

B.

Doesn't wait until the indicators are enriched but populates context data before executing the next step.

C.

Waits until the indicators are enriched but doesn't populate context data before executing the next step.

D.

Waits until the indicators are enriched and populates context data before executing the next step.

Question # 35

How does a clear understanding of a customer's technical expertise assist in a handoff following the close of an opportunity?

A.

It enables customers to prepare for audits so they can demonstrate compliance.

B.

It helps in assigning additional technical tasks to the customer

C.

It allows implementation teams to bypass initial scoping exercises

D.

It enables post-sales teams to tailor their support and training appropriately

Question # 36

Which service helps uncover attackers wherever they hide by combining world-class threat hunters with Cortex XDR technology that runs on integrated endpoint, network, and cloud data sources?

A.

Cloud Identity Engine

B.

Managed Threat Hunting

C.

virtual desktop infrastructure (VDI)

D.

Threat Intelligence Platform (TIP)

Question # 37

What does the Cortex XSOAR "Saved by Dbot" widget calculate?

A.

amount saved in Dollars according to actions carried out by all users in Cortex XSOAR across all incidents

B.

amount saved in Dollars by using Cortex XSOAR instead of other products

C.

amount of time saved by each playbook task within an incident

D.

amount of time saved by Dbot's machine learning (ML) capabilities

Question # 38

A customer wants to modify the retention periods of their Threat logs in Cortex Data Lake.

Where would the user configure the ratio of storage for each log type?

A.

Within the TMS, create an agent settings profile and modify the Disk Quota value

B.

It is not possible to configure Cortex Data Lake quota for specific log types.

C.

Go to the Cortex Data Lake App in Cloud Services, then choose Configuration and modify the Threat Quota

D.

Write a GPO for each endpoint agent to check in less often

Question # 39

A prospective customer is interested in Cortex XDR but is unable to run a product evaluation.

Which tool can be used instead to showcase Cortex XDR?

A.

Test Flight

B.

War Game

C.

Tech Rehearsal

D.

Capture the Flag

Question # 40

A customer wants the main Cortex XSOAR server installed in one site and wants to integrate with three other technologies in a second site.

What communications are required between the two sites if the customer wants to install a Cortex XSOAR engine in the second site?

A.

The Cortex XSOAR server at the first site must be able to initiate a connection to the Cortex XSOAR engine at the second site.

B.

All connectivity is initiated from the Cortex XSOAR server on the first site via a managed cloud proxy.

C.

Dedicated site-to-site virtual private network (VPN) is required for the Cortex XSOAR server at the first site to initiate a connection to the Cortex XSOAR engine at the second site.

D.

The Cortex XSOAR engine at the first site must be able to initiate a connection to the Cortex XSOAR server at the second site.

Question # 41

Which Cortex XDR capability allows for the immediate termination of a process discovered during investigation of a security event?

A.

file explorer

B.

Log stitching

C.

live sensor

D.

live terminal

Question # 42

Which two methods does the Cortex XDR agent use to identify malware during a scheduled scan? (Choose two.)

A.

WildFire hash comparison

B.

heuristic analysis

C.

signature comparison

D.

dynamic analysis

Question # 43

Which two actions are required to add indicators to the whitelist? (Choose two.)

A.

Click "New Whitelisted Indicator" in the Whitelist page.

B.

Upload an external file named "whitelist" to the Whitelist page.

C.

Upload an external file named "whitelist" to the Indicators page.

D.

Select the indicators and click "Delete and Whitelist" in the Indicators page.

Question # 44

A test for a Microsoft exploit has been planned. After some research, Internet Explorer 11 CVE-2016-0189 has been selected and a Metasploit module has been identified (exploit/windows/browser/ms16_051_vbscript).

The description and current configuration of the exploit, and the four candidate configurations (Options A through D), were shown as screenshots that are not reproduced on this page.

What is the remaining configuration?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 45

A customer has purchased Cortex Data Lake storage with the following configuration, which requires 2 TB of Cortex Data Lake to order:

support for 300 total Cortex XDR clients all forwarding Cortex XDR data with 30-day retention

storage for higher fidelity logs to support Cortex XDR advanced analytics

The customer now needs 1000 total Cortex XDR clients, but continues with 300 clients forwarding Cortex XDR data with 30-day retention.

What is the new total storage requirement for Cortex Data Lake storage to order?

A.

16 TB

B.

4 TB

C.

8 TB

D.

2 TB

Question # 46

Given the integration configuration and error in the screenshot (not reproduced on this page), what is the cause of the problem?

A.

incorrect instance name

B.

incorrect Username and Password

C.

incorrect appliance port

D.

incorrect server URL

Question # 47

Where is the output of the task visible when a playbook task errors out?

A.

playbook editor

B.

XSOAR audit log

C.

/var/log/messages

D.

War Room of the incident

Question # 48

The Cortex XDR management service requires which other Palo Alto Networks product?

A.

Directory Sync

B.

Cortex Data Lake

C.

Panorama

D.

Cortex XSOAR

Question # 49

What is the recommended first step in planning a Cortex XDR deployment?

A.

Implement Cortex XDR across all endpoints without assessing architecture or assets

B.

Deploy agents across the entire environment for immediate protection.

C.

Deploy Cortex XDR on endpoints with the highest potential for attack.

D.

Conduct an assessment and identify critical assets and endpoints within the environment.

Question # 50

A customer is hesitant to directly connect their network to the Cortex platform due to compliance restrictions.

Which deployment method should the customer use to ensure secure connectivity between their network and the Cortex platform?

A.

Elasticsearch

B.

Broker VM

C.

Syslog collector

D.

Windows Event Collector
