PSE-CORTEX Online Practice Questions and Answers

Questions 4

A General Purpose Dynamic Section can be added to which two layouts for incident types? (Choose two)

A. "Close" Incident Form

B. Incident Summary

C. Incident Quick View

D. "New"/"Edit" Incident Form

Questions 5

If you have a playbook task that errors out, where could you see the output of the task?

A. /var/log/messages

B. War Room of the incident

C. Demisto Audit log

D. Playbook Editor

Questions 6

During the TMS instance activation, a tenant (Customer) provides the following information for the fields in the Activation - Step 2 of 2 window.

During the service instance provisioning, which three DNS host names are created? (Choose three.)

A. cc-xnet50.traps.paloaltonetworks.com

B. hc-xnet50.traps.paloaltonetworks.com

C. cc-xnet.traps.paloaltonetworks.com

D. cc.xnet50traps.paloaltonetworks.com

E. xnettraps.paloaltonetworks.com

F. ch-xnet.traps.paloaltonetworks.com

Questions 7

An administrator of a Cortex XDR protected production environment would like to test its ability to protect users from a known flash player exploit.

What is the safest way to do it?

A. The administrator should attach a copy of the weaponized flash file to an email, send the email to a selected group of employees, and monitor the Events tab on the Cortex XDR console.

B. The administrator should use the Cortex XDR tray icon to confirm his corporate laptop is fully protected then open the weaponized flash file on his machine, and monitor the Events tab on the Cortex XDR console.

C. The administrator should create a non-production Cortex XDR test environment that accurately represents the production environment, introduce the weaponized flash file, and monitor the Events tab on the Cortex XDR console.

D. The administrator should place a copy of the weaponized flash file on several USB drives, scatter them around the office, and monitor the Events tab on the Cortex XDR console.

Questions 8

When analyzing logs for indicators, which are used for only BIOC identification?

A. observed activity

B. artifacts

C. techniques

D. error messages

Questions 9

Which process in the causality chain does the Cortex XDR agent identify as triggering an event sequence?

A. the relevant shell

B. The causality group owner

C. the adversary's remote process

D. the chain's alert initiator

Questions 10

When integrating with Splunk, what will allow you to push alerts into Cortex XSOAR via the REST API?

A. splunk-get-alerts integration command

B. Cortex XSOAR TA App for Splunk

C. SplunkSearch automation

D. SplunkGO integration

Questions 11

If a customer activates a TMS tenant and has not purchased a Cortex Data Lake instance, Palo Alto Networks will provide the customer with a free instance.

What size is this free Cortex Data Lake instance?

A. 1 TB

B. 10 GB

C. 100 GB

D. 10 TB

Questions 12

How does an "inline" auto-extract task affect playbook execution?

A. Doesn't wait until the indicators are enriched and continues executing the next step

B. Doesn't wait until the indicators are enriched but populate context data before executing the next step.

C. Wait until the indicators are enriched but doesn't populate context data before executing the next step.

D. Wait until the indicators are enriched and populate context data before executing the next step.

Questions 13

In Cortex XDR Prevent, which three matching criteria can be used to dynamically group endpoints? (Choose three.)

A. Domain/workgroup membership

B. quarantine status

C. hostname

D. OS

E. attack threat intelligence tag

Questions 14

The images show two versions of the same automation script and the results they produce when executed in Demisto. What are two possible causes of the exception thrown in the second image? (Choose two.)

A. The modified script was run in the wrong Docker image.

B. The modified script required a different parameter to run successfully.

C. The dictionary was defined incorrectly in the second script.

D. The modified script attempted to access a dictionary key that did not exist in the dictionary named "data".

Questions 15

What are two manual actions allowed on War Room entries? (Choose two.)

A. Mark as artifact

B. Mark as scheduled entry

C. Mark as note

D. Mark as evidence

Questions 16

Given the integration configuration and error in the screenshot, what is the cause of the problem? [missing the exhibits]

A. incorrect instance name

B. incorrect Username and Password

C. incorrect appliance port

D. incorrect server URL

Questions 17

If an anomalous process is discovered while investigating the cause of a security event, you can take immediate action to terminate the process or the whole process tree, and block processes from running by initiating which Cortex XDR capability?

A. Live Sensors

B. File Explorer

C. Log Stitching

D. Live Terminal

Questions 18

Which two items are stitched to the Cortex XDR causality chain? (Choose two)

A. firewall alert

B. SIEM alert

C. full URL

D. registry set value

Exam Code: PSE-CORTEX
Exam Name: Palo Alto Networks System Engineer - Cortex Professional
Last Update: Apr 16, 2024
Questions: 60 Q&As
