Free Palo Alto Networks Certified XDR Engineer Exam XDR-Engineer Exam Practice Test

[Post-Deployment Management and Configuration]Using the Cortex XDR console, how can additional network access be allowed from a set of IP addresses to an isolated endpoint?

• Add entries in Configuration section of Security Settings
• Add entries in the Allowed Domains section of Security Settings for the tenant
• Add entries in Exceptions Configuration section of Isolation Exceptions
• Add entries in Response Actions section of Agent Settings profile

[Cortex XDR Agent Configuration]How can a Malware profile be configured to prevent a specific executable from being uploaded to the cloud?

• Disable on-demand file examination for the executable
• Set PE and DLL examination for the executable to report action mode
• Add the executable to the allow list for executions
• Create an exclusion rule for the executable

[Detection Engineering]During a recent internal purple team exercise, the following recommendation is given to the detection engineering team: Detect and prevent command line invocation of Python on Windows endpoints by non-technical business units. Which rule type should be implemented?

• Analytics Behavioral Indicator of Compromise (ABIOC)
• Behavioral Indicator of Compromise (BIOC)
• Correlation
• Indicator of Compromise (IOC)

[Data Ingestion and Integration]A new parsing rule is created, and during testing and verification, all the logs for which field data is to be parsed out are missing. All the other logs from this data source appear as expected. What may be the cause of this behavior?

• The Broker VM is ofline
• The parsing rule corrupted the database
• The filter stage is dropping the logs
• The XDR Collector is dropping the logs

[Planning and Installation]During the deployment of a Broker VM in a high availability (HA) environment, after configuring the Broker VM FQDN, an XDR engineer must ensure agent installer availability and efficient content caching to maintain performance consistency across failovers. Which additionalconfiguration steps should the engineer take?

• Use shared SSL certificates and keys for all Broker VMs and configure a single IP address for failover
• Upload the-signed SSL server certificate and key and deploy a load balancer
• Deploy a load balancer and configure SSL termination at the load balancer
• Enable synchronized session persistence across Broker VMs and use a self-signed certificate and key

[Post-Deployment Management and Configuration]What happens when the XDR Collector is uninstalled from an endpoint by using the Cortex XDR console?

• The files are removed immediately, and the machine is deleted from the system without any retention period
• The machine status remains active until manually removed, and the configuration data is retained for up to seven days
• It is uninstalled during the next heartbeat communication, machine status changes to Uninstalled, and the configuration data is retained for 90 days
• The associated configuration data is removed from the Action Center immediately after uninstallation

[Cortex XDR Agent Configuration]Which two steps should be considered when configuring the Cortex XDR agent for a sensitive and highly regulated environment? (Choose two.)

• Enable critical environment versions
• Create an agent settings profile where the agent upgrade scope is maintenance releases only
• Create an agent settings profile, enable content auto-update, and include a delay of four days
• Enable minor content version updates

[Playbook Creation and Automation]An engineer wants to automate the handling of alerts in Cortex XDR and defines several automation rules with different actions to be triggered based on specific alert conditions. Some alerts do not trigger the automation rules as expected. Which statement explains why the automation rules might not apply to certain alerts?

• They are executed in sequential order, so alerts may not trigger the correct actions if the rules are not configured properly
• They only apply to new alerts grouped into incidents by the system and only alerts that generateincidents trigger automation actions
• They can only be triggered by alerts with high severity; alerts with low or informational severity will not trigger the automation rules
• They can be applied to any alert, but they only work if the alert is manually grouped into an incident by the analyst

[Detection Engineering]What is the earliest time frame an alert could be automatically generated once the conditions of a new correlation rule are met?

• Between 30 and 45 minutes
• Immediately
• 5 minutes or less
• Between 10 and 20 minutes

[Cortex XDR Agent Configuration]A static endpoint group is created by adding 321 endpoints using the Upload From File feature. However, after group creation, the members count field shows 244 endpoints. What are two possible reasons why endpoints were not added to the group? (Choose two.)

• Static groups have a limit of 250 endpoints when adding by file
• Endpoints added to the new group were previously added to an existing group
• Endpoints added to the group were in Disconnected or Connection Lost status when groupmembership was added
• The IP address, hostname, or alias of the endpoints must match an existing agent that has registered with the tenant