Free PCDRA Sample Questions — Palo Alto Networks Certified Detection and Remediation Analyst

Free PCDRA sample questions for the Palo Alto Networks Certified Detection and Remediation Analyst exam. No account required: study at your own pace.

Question 1

Which of the following paths will successfully activate Remediation Suggestions?

  • A. Alerts Table > Right-click on a process node > Remediation Suggestions
  • B. Incident View > Actions > Remediation Suggestions
  • C. Causality View > Actions > Remediation Suggestions
  • D. Alerts Table > Right-click on an alert > Remediation Suggestions
Correct Answer:
B. Incident View > Actions > Remediation Suggestions
Question 2

What is the outcome of creating and implementing an alert exclusion?

  • A. The Cortex XDR agent will allow the process that was blocked to run on the endpoint
  • B. The Cortex XDR console will hide those alerts
  • C. The Cortex XDR agent will not create an alert for this event in the future
  • D. The Cortex XDR console will delete those alerts and block ingestion of them in the future
Correct Answer:
B. The Cortex XDR console will hide those alerts
Question 3

When creating a custom XQL query in a dashboard, how would a user save that XQL query to the Widget Library?

  • A. Click the three dots on the widget and then choose “Save” and this will link the query to the Widget Library
  • B. This isn’t supported; you have to exit the dashboard and go into the Widget Library first to create it
  • C. Click on “Save to Action Center” in the dashboard and you will be prompted to give the query a name and description
  • D. Click on “Save to Widget Library” in the dashboard and you will be prompted to give the query a name and description
Correct Answer:
D. Click on “Save to Widget Library” in the dashboard and you will be prompted to give the query a name and description
Question 4

When using the “File Search and Destroy” feature, which of the following hash types is supported for the search?

  • A. SHA256 hash of the file
  • B. AES256 hash of the file
  • C. MD5 hash of the file
  • D. SHA1 hash of the file
Correct Answer:
A. SHA256 hash of the file
Question 5

Which type of IOC can you define in Cortex XDR?

  • A. Source port
  • B. Destination IP Address
  • C. Destination IP Address:Destination
  • D. Source IP Address
Correct Answer:
B. Destination IP Address
Question 6

Which of the following engines in Cortex XDR determines the most relevant artifacts in each alert and aggregates all alerts related to an event into an incident?

  • A. Sensor Engine
  • B. Causality Analysis Engine
  • C. Log Stitching Engine
  • D. Causality Chain Engine
Correct Answer:
B. Causality Analysis Engine
Question 7

Which search method is supported by File Search and Destroy?

  • A. File Search and Repair
  • B. File Seek and Destroy
  • C. File Search and Destroy
  • D. File Seek and Repair
Correct Answer:
C. File Search and Destroy
Question 8

Can you disable the ability to use the Live Terminal feature in Cortex XDR?

  • A. Yes, via Agent Settings Profile
  • B. No, it is a required feature of the agent
  • C. No, a separate installer package without Live Terminal is required
  • D. Yes, via the Cortex XDR console or with an installation switch
Correct Answer:
D. Yes, via the Cortex XDR console or with an installation switch
Question 9

If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?

  • A. Broker VM Pathfinder
  • B. Local Agent Proxy
  • C. Local Agent Installer and Content Caching
  • D. Broker VM Syslog Collector
Correct Answer:
B. Local Agent Proxy
Question 10

What should you do to automatically convert leads into alerts after investigating a lead?

  • A. Lead threats can't be prevented in the future because they already exist in the environment
  • B. Build a search query using Query Builder or XQL using a list of IOCs
  • C. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting
  • D. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting
Correct Answer:
D. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting
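Questions 5 and 10 both turn on the difference between an IOC (one atomic value: a destination IP, domain, file name, full path, MD5 or SHA256 hash) and a BIOC (a set of attribute-value conditions on observed behavior). The Python below is an added example, not Cortex XDR code or its XQL; the hosts, command lines, rule names and hash placeholders are constructed for illustration. It runs both rule kinds over three process events derived from a lead and shows why Question 10 answers "BIOC rules": the destination-IP IOC misses the host where the attacker rotated infrastructure, the hash IOC fires on benign use of the same PowerShell binary, and the behavioral rule catches both compromised hosts while ignoring the benign one.

```python
"""Illustrative IOC vs. BIOC matching over constructed process events.
Teaching model only, not Cortex XDR code; all records below are constructed."""
import ipaddress
import re

# Indicator types Cortex XDR accepts as IOCs (source IP and ports are not among them).
IOC_TYPES = {"sha256", "md5", "destination_ip", "domain", "file_name", "full_path"}

# Which field of the constructed event record each IOC type is compared against.
IOC_FIELD = {
    "sha256": "sha256", "md5": "md5", "destination_ip": "dst_ip",
    "domain": "dst_domain", "file_name": "image", "full_path": "path",
}

# Constructed placeholder digests, not real file hashes.
PS_HASH = "a" * 64
PWSH_HASH = "b" * 64

# Constructed events: the lead on srv-01, a benign look-alike, and a variant.
EVENTS = [
    {"host": "srv-01", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "sha256": PS_HASH, "dst_ip": "203.0.113.10"},
    {"host": "srv-02", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe Get-ChildItem C:\\Logs",
     "sha256": PS_HASH, "dst_ip": "10.0.0.5"},
    {"host": "srv-03", "image": "pwsh.exe", "parent": "excel.exe",
     "cmdline": "pwsh.exe -nop -w hidden -enc ZQBjAGgA",
     "sha256": PWSH_HASH, "dst_ip": "198.51.100.7"},
]


def normalize_hash(value: str) -> str:
    """Accept an MD5 (32 hex) or SHA256 (64 hex) digest and reject anything else.
    'AES256' is a cipher, not a digest, so it fails here."""
    digest = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{64}", digest):
        raise ValueError(f"not an MD5 or SHA256 hex digest: {value!r}")
    return digest


def ioc_matches(event: dict, ioc_type: str, value: str) -> bool:
    """Atomic indicator: one observed field equals one known-bad value."""
    if ioc_type not in IOC_TYPES:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    observed = event.get(IOC_FIELD[ioc_type], "")
    if not observed:
        return False
    if ioc_type in ("sha256", "md5"):
        return normalize_hash(observed) == normalize_hash(value)
    if ioc_type == "destination_ip":
        return ipaddress.ip_address(observed) == ipaddress.ip_address(value)
    return observed.lower() == value.lower()


# Operators a BIOC condition may apply to a string attribute.
BIOC_OPS = {
    "eq": lambda obs, val: obs.lower() == val.lower(),
    "in": lambda obs, val: obs.lower() in {v.lower() for v in val},
    "contains": lambda obs, val: val.lower() in obs.lower(),
}


def bioc_matches(event: dict, conditions: list) -> bool:
    """Behavioral indicator: every (attribute, operator, value) condition must hold."""
    return all(BIOC_OPS[op](event.get(attr, ""), val) for attr, op, val in conditions)


def hunt(events: list, iocs: dict, biocs: dict) -> list:
    """Run IOC and BIOC rules over events; return (host, rule_name) alerts in order."""
    alerts = []
    for ev in events:
        for name, (ioc_type, value) in iocs.items():
            if ioc_matches(ev, ioc_type, value):
                alerts.append((ev["host"], name))
        for name, conditions in biocs.items():
            if bioc_matches(ev, conditions):
                alerts.append((ev["host"], name))
    return alerts


# Rules an analyst might derive from the srv-01 lead (constructed names).
LEAD_IOCS = {
    "ioc-c2-ip": ("destination_ip", "203.0.113.10"),
    "ioc-ps-hash": ("sha256", PS_HASH),
}
LEAD_BIOCS = {
    "bioc-office-encoded-ps": [
        ("parent", "in", ["winword.exe", "excel.exe", "outlook.exe"]),
        ("image", "in", ["powershell.exe", "pwsh.exe"]),
        ("cmdline", "contains", "-enc"),
    ],
}

if __name__ == "__main__":
    for host, rule in hunt(EVENTS, LEAD_IOCS, LEAD_BIOCS):
        print(f"{host}: {rule}")
```

Running it lists five alerts: srv-01 trips all three rules, srv-02 trips only the hash IOC (a false positive, since the digest belongs to the legitimate PowerShell binary), and srv-03 trips only the BIOC. That is the pattern the exam is pointing at: after a lead investigation, encode the attribute-value pairs you observed as a BIOC rather than pinning detection to infrastructure or file hashes the attacker controls.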
Question 11

What is the purpose of the Cortex Data Lake?

  • A. a local storage facility where your logs and alert data can be aggregated
  • B. a cloud-based storage facility where your firewall logs are stored
  • C. the interface between firewalls and the Cortex XDR agents
  • D. the workspace for your Cortex XDR agents to detonate potential malware files
Correct Answer:
B. a cloud-based storage facility where your firewall logs are stored
Question 12

If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?

  • A. Broker VM Pathfinder
  • B. Local Agent Proxy
  • C. Local agent installer
  • D. Broker VM Syslog Collector
Correct Answer:
B. Local Agent Proxy
Question 13

After a scan, how does the file quarantine function work on an endpoint?

  • A. Quarantine takes ownership of the files and folders and prevents execution through access control
  • B. Quarantine disables the network adapters and locks down access preventing any communications with the endpoint
  • C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed
  • D. Quarantine prevents an endpoint from communicating with anything besides the listed exceptions in the agent profile and Cortex XDR
Correct Answer:
C. Quarantine removes a specific file from its location on a local or removable drive to a protected folder and prevents it from being executed
Question 14

Which profile can the user use to configure malware protection in the Cortex XDR console?

  • A. Malware Protection profile
  • B. Malware profile
  • C. Malware Detection profile
  • D. Anti-Malware profile
Correct Answer:
A. Malware Protection profile
Question 15

What functionality of the Broker VM would you use to ingest third-party firewall logs to the Cortex Data Lake?

  • A. Netflow Collector
  • B. Syslog Collector
  • C. DB Collector
  • D. Pathfinder
Correct Answer:
B. Syslog Collector
Question 16

Which Exploit Prevention Module (EPM) provides better entropy for randomization of memory locations?

  • A. UASLR
  • B. JIT Mitigation
  • C. Memory Limit Heap spray check
  • D. DLL Security
Correct Answer:
A. UASLR
Question 17

What license would be required for ingesting external logs from various vendors?

  • A. Cortex XDR Pro per Endpoint
  • B. Cortex XDR Vendor Agnostic Pro
  • C. Cortex XDR Pro per TB
  • D. Cortex XDR Cloud per Host
Correct Answer:
C. Cortex XDR Pro per TB
Question 18

In the Cortex XDR console, from which two pages are you able to manually perform the agent upgrade action? (Choose two.)

  • A. Endpoint Administration
  • B. Asset Management
  • C. Action Center
  • D. Agent Installations
Correct Answer:
  • A. Endpoint Administration
  • C. Action Center
Question 19

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to download Cobalt Strike on one of your servers. Days later, you learn about a massive ongoing supply chain attack. Using Cortex XDR you recognize that your server was compromised by the attack and that Cortex XDR prevented it. What steps can you take to ensure that the same protection is extended to all your servers?

  • A. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity
  • B. Enable DLL Protection on all servers but there might be some false positives
  • C. Create IOCs of the malicious files you have found to prevent their execution
  • D. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading
Correct Answer:
A. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity
Question 20

Which statement is true for Application Exploits and Kernel Exploits?

  • A. The ultimate goal of any exploit is to reach the application
  • B. Kernel exploits are easier to prevent than application exploits
  • C. The ultimate goal of any exploit is to reach the kernel
  • D. Application exploits leverage kernel vulnerability
Correct Answer:
C. The ultimate goal of any exploit is to reach the kernel
