Palo Alto Networks XDR Analyst Question and Answers

Last Update Jan 14, 2026
Total Questions : 91

Question 1

Which statement is correct based on the report output below?

Options:

A. Host Inventory Data Collection is enabled.
B. 3,297 total incidents have been detected.
C. Forensic inventory data collection is enabled.
D. 133 agents have full disk encryption.
Question 2

Which statement is true based on the following Agent Auto Upgrade widget?

Options:

A. There are a total of 689 Up To Date agents.
B. Agent Auto Upgrade was enabled but not on all endpoints.
C. Agent Auto Upgrade has not been enabled.
D. There are more agents in Pending status than In Progress status.
Question 3

A file is identified as malware by the Local Analysis module, whereas the WildFire verdict is Benign. Assuming WildFire is accurate, which statement is correct for the incident?

Options:

A. It is a true positive.
B. It is a false positive.
C. It is a false negative.
D. It is a true negative.
Question 4

When creating a BIOC rule, which XQL query can be used?

Options:

A.
    dataset = xdr_data
    | filter event_sub_type = PROCESS_START and
        action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

B.
    dataset = xdr_data
    | filter event_type = PROCESS and
        event_sub_type = PROCESS_START and
        action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"

C.
    dataset = xdr_data
    | filter action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
    | fields action_process_image

D.
    dataset = xdr_data
    | filter event_behavior = true
        event_sub_type = PROCESS_START and
        action_process_image_name ~= ".*?\.(?:pdf|docx)\.exe"
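The queries in Question 4 all hinge on the same idea: a process whose image name carries a document extension followed by .exe (invoice.pdf.exe) is a classic disguise, and a BIOC rule should fire only when such an image actually starts, not when the file is merely written to disk. The Python below is an added example, not code from the exam page or from Palo Alto Networks; it replays the filter terms of the option-B query over constructed process events so the effect of each term is visible. The field names (event_type, event_sub_type, action_process_image_name) and the values PROCESS / PROCESS_START are taken from the question; the other event records and values (PROCESS_STOP, FILE, FILE_CREATE, the file names) are constructed for illustration. Python's re.search is unanchored, so the regex exactly as written also matches a name that merely contains .pdf.exe; whether the XQL ~= operator behaves the same way is not stated on the page, so the anchored, case-insensitive variant is offered as a hardening choice for your own rules, not as a correction of the exam answer.

```python
"""BIOC-style double-extension detector (added example, constructed data)."""
import re
from dataclasses import dataclass

# Regex copied verbatim from the question.  Unanchored and case-sensitive:
# re.search accepts any name that CONTAINS ".pdf.exe" or ".docx.exe".
DISGUISED_DOC_RE = re.compile(r".*?\.(?:pdf|docx)\.exe")

# Hardened variant (assumption about analyst intent, not from the page):
# the image name must END with .pdf.exe / .docx.exe, and Windows file names
# are case-insensitive, so INVOICE.PDF.EXE should not slip past the rule.
DISGUISED_DOC_RE_STRICT = re.compile(r"\.(?:pdf|docx)\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class XdrEvent:
    """Minimal stand-in for an xdr_data row; only the fields the rule needs."""
    event_type: str
    event_sub_type: str
    action_process_image_name: str


def matches_bioc(ev: XdrEvent, pattern: re.Pattern = DISGUISED_DOC_RE) -> bool:
    """Option B of the question as a predicate:
    event_type = PROCESS and event_sub_type = PROCESS_START and
    action_process_image_name ~= <regex>."""
    return (
        ev.event_type == "PROCESS"
        and ev.event_sub_type == "PROCESS_START"
        and pattern.search(ev.action_process_image_name) is not None
    )


def run_bioc(events, pattern: re.Pattern = DISGUISED_DOC_RE) -> list:
    """Return the image names of the events the rule would alert on, in order."""
    return [ev.action_process_image_name for ev in events if matches_bioc(ev, pattern)]


# Constructed sample events (not real telemetry; PROCESS_STOP, FILE and
# FILE_CREATE are illustrative values chosen for this example).
SAMPLE_EVENTS = [
    XdrEvent("PROCESS", "PROCESS_START", "invoice.pdf.exe"),    # classic disguise
    XdrEvent("PROCESS", "PROCESS_START", "Q3_Report.DOCX.EXE"), # upper case: missed by the verbatim regex
    XdrEvent("PROCESS", "PROCESS_START", "winword.exe"),        # legitimate Office binary
    XdrEvent("PROCESS", "PROCESS_STOP", "invoice.pdf.exe"),     # not a new execution: sub-type filter drops it
    XdrEvent("FILE", "FILE_CREATE", "invoice.pdf.exe"),         # dropped to disk but never run: type filter drops it
    XdrEvent("PROCESS", "PROCESS_START", "setup.pdf.exe_old"),  # contains ".pdf.exe": unanchored regex still fires
]

if __name__ == "__main__":
    print("verbatim regex :", run_bioc(SAMPLE_EVENTS))
    print("anchored regex :", run_bioc(SAMPLE_EVENTS, DISGUISED_DOC_RE_STRICT))
```

Running it shows why the event_type and event_sub_type terms matter: the same invoice.pdf.exe string appears in three events, but only the PROCESS_START row is a real execution worth an alert. It also shows the two regex trade-offs, the verbatim pattern alerting on setup.pdf.exe_old while missing Q3_Report.DOCX.EXE, and the anchored, case-insensitive pattern doing the reverse.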
Question 5

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?

Options:

A. Enable DLL Protection on all endpoints, but there might be some false positives.
B. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
C. No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.
D. No step is required because the malicious document is already stopped.
Question 6

Which module provides the best visibility to view vulnerabilities?

Options:

A. Live Terminal module
B. Device Control Violations module
C. Host Insights module
D. Forensics module
Question 7

How can you pivot from a row to the Causality view and Timeline view for further investigation?

Options:

A. Using the Open Card action only
B. Using the Open Card and Open Timeline actions respectively
C. You can't pivot from a row to the Causality view and Timeline view
D. Using the Open Timeline action only
Question 8

What is the maximum number of agents one Broker VM local agent applet can support?

Options:

A. 5,000
B. 10,000
C. 15,000
D. 20,000
Question 9

Which of the following protection modules is checked first in the Cortex XDR Windows agent malware protection flow?

Options:

A. Hash Verdict Determination
B. Behavioral Threat Protection
C. Restriction Policy
D. Child Process Protection
Question 10

Which two types of exception profiles can you create in Cortex XDR? (Choose two.)

Options:

A. exception profiles that apply to specific endpoints
B. agent exception profiles that apply to specific endpoints
C. global exception profiles that apply to all endpoints
D. role-based profiles that apply to specific endpoints
Question 11

What kind of threat typically encrypts user files?

Options:

A. ransomware
B. SQL injection attacks
C. zero-day exploits
D. supply-chain attacks
Question 12

What types of actions can you execute in a Live Terminal session?

Options:

A. Manage Network Configurations, Quarantine Files, Run PowerShell Scripts
B. Manage Processes, Manage Files, Run Operating System Commands, Run Ruby Commands and Scripts
C. Apply Patches, Reboot System, Send Notification to End User, Run Python Commands and Scripts
D. Manage Processes, Manage Files, Run Operating System Commands, Run Python Commands and Scripts
Question 13

Can you disable the ability to use the Live Terminal feature in Cortex XDR?

Options:

A. Yes, via the Cortex XDR console or with an installation switch.
B. No, a separate installer package without Live Terminal is required.
C. No, it is a required feature of the agent.
D. Yes, via Agent Settings Profile.
Question 14

Which of the following is NOT a precanned script provided by Palo Alto Networks?

Options:

A. delete_file
B. quarantine_file
C. process_kill_name
D. list_directories
Question 15

What license would be required for ingesting external logs from various vendors?

Options:

A. Cortex XDR Pro per Endpoint
B. Cortex XDR Vendor Agnostic Pro
C. Cortex XDR Pro per TB
D. Cortex XDR Cloud per Host
Question 16

When is the wss (WebSocket Secure) protocol used?

Options:

A. when the Cortex XDR agent downloads new security content
B. when the Cortex XDR agent uploads alert data
C. when the Cortex XDR agent connects to WildFire to upload files for analysis
D. when the Cortex XDR agent establishes a bidirectional communication channel
Question 17

If you have an isolated network that is prevented from connecting to the Cortex Data Lake, which type of Broker VM setup can you use to facilitate the communication?

Options:

A. Broker VM Pathfinder
B. Local Agent Proxy
C. Local Agent Installer and Content Caching
D. Broker VM Syslog Collector
Question 18

What does the following output tell us?

Options:

A. There is one low severity incident.
B. Host shpapy_win10 had the most vulnerabilities.
C. There is one informational severity alert.
D. This is an actual output of the Top 10 hosts with the most malware.
Question 19

Where would you view the WildFire report in an incident?

Options:

A. next to relevant Key Artifacts in the incident details page
B. under Response --> Action Center
C. under the gear icon --> Agent Audit Logs
D. on the HUB page at apps.paloaltonetworks.com
Question 20

Where can SHA256 hash values be used in Cortex XDR Malware Protection Profiles?

Options:

A. in the macOS Malware Protection Profile to indicate allowed signers
B. in the Linux Malware Protection Profile to indicate allowed Java libraries
C. SHA256 hashes cannot be used in Cortex XDR Malware Protection Profiles
D. in the Windows Malware Protection Profile to indicate allowed executables
Question 21

In the deployment of which Broker VM applet are you required to install a strong-cipher SHA256-based SSL certificate?

Options:

A. Agent Proxy
B. Agent Installer and Content Caching
C. Syslog Collector
D. CSV Collector
Question 22

Which type of IOC can you define in Cortex XDR?

Options:

A. destination port
B. e-mail address
C. full path
D. App-ID
Question 23

Which type of BIOC rule is currently available in Cortex XDR?

Options:

A. Threat Actor
B. Discovery
C. Network
D. Dropper
Question 24

What is the standard installation disk space recommended to install a Broker VM?

Options:

A. 1GB disk space
B. 2GB disk space
C. 512GB disk space
D. 256GB disk space
Question 25

Which of the following best defines the Windows Registry as used by the Cortex XDR agent?

Options:

A. a hierarchical database that stores settings for the operating system and for applications
B. a system of files used by the operating system to commit memory that exceeds the available hardware resources, also known as the "swap"
C. a central system, available via the internet, for registering officially licensed versions of software to prove ownership
D. a ledger for maintaining accurate and up-to-date information on total disk usage and disk space remaining available to the operating system
Question 26

What is the function of WildFire for Cortex XDR?

Options:

A. WildFire runs in the cloud and analyses alert data from the XDR agent to check for behavioural threats.
B. WildFire is the engine that runs on the local agent and determines whether behavioural threats are occurring on the endpoint.
C. WildFire accepts and analyses a sample to provide a verdict.
D. WildFire runs entirely on the agent to quickly analyse samples and provide a verdict.
Question 27

In incident-related widgets, how would you filter the display to only show incidents that were "starred"?

Options:

A. Create a custom XQL widget
B. This is not currently supported
C. Create a custom report and filter on starred incidents
D. Click the star in the widget