PSE-Cortex Palo Alto Networks System Engineer - Cortex Professional Questions and Answers

Google Kubernetes Engine

Demisto

Docker

Microsoft Office 365

Linked Incidents column in Indicator Screen

Linked Indicators column in Incident Screen

Related Indicators column in Incident Screen

Related Incidents column in Indicator Screen

extend context

stop on errors

task output

lags

Cortex XDR Pro per TB

Cortex XDR Endpoint

Cortex XDR Prevent

Cortex XDR Pro Per Endpoint

process

data

event alert

network

Which cybersecurity framework to implement for Secure Operations Center (SOC) operations

Whether communication with internal or external applications is required

How to configure network firewalls for optimal performance

Which endpoint protection software to integrate with Cortex XSOAR

Option A

Option B

Option C

Option D

Cortex XDR Pro per TB

Cortex XDR Prevent

Cortex XDR Endpoint

Cortex XDR Pro Per Endpoint

cc-xnet50.traps.paloaltonetworks.com

hc-xnet50.traps.paloaltonetworks.com

cc-xnet.traps.paloaltonetworks.com

cc.xnet50traps.paloaltonetworks.com

xnettraps.paloaltonetworks.com

ch-xnet.traps.paloaltonetworks.com

/var/log/demisto/acc_Tenant1/server.log

/var/log/demisto/Tenant1/server.log

/var/lib/demisto/acc_Tenant1/server.log

/var/lib/demisto/server.log

endpoint protection platform (EPP)

Security Information and Event Management (SIEM)

endpoint detection and response (EDR)

Network Detection and Response (NDR)

The Data Ingestion Health page identifies deviations from normal patterns of log collection

The Cortex XSIAM Command Center dashboard will display a red icon if a data source is having issues.

The tenant’s compute units consumption will change dramatically, indicating a collection issue.

It automatically runs a copilot playbook to troubleshoot and resolve ingestion issues.

Alert range indicators

Al-generated correlation rules

Automatic incident scoring

Dynamic alarm fields

Mark as artifact

Mark as scheduled entry

Mark as note

Mark as evidence

playbook features

sub-playbooks

conditional tasks

manual tasks

Security Event

HIP

Correlation

Analytics

Disable automatic memory dumps.

Scan the image using the imagepreptool.

Launch the VDI conversion tool.

Enable the VDI license timeout.

Ensure the playbook is set to run in quiet mode to minimize CPU usage and suppress errors

Confirm the integration credentials or API keys are valid.

Check the integration logs and enable a higher logging level, if needed, view the specific error.

Confirm there are no dashboards or reports configured to use that integration instance.

POSTMAN

Webhook

REST API

D KPI

ArcSight ESM integration

SplunkUpdate integration

Demisto App for Splunk integration

SplunkPY integration

The administrator should attach a copy of the weapomzed flash file to an email, send the email to a selected group of employees, and monitor the Events tab on the Cortex XDR console

The administrator should use the Cortex XDR tray icon to confirm his corporate laptop is fully protected then open the weaponized flash file on his machine, and monitor the Events tab on the Cortex XDR console.

The administrator should create a non-production Cortex XDR test environment that accurately represents the production environment, introduce the weaponized flash file, and monitor the Events tab on the Cortex XDR console.

The administrator should place a copy of the weaponized flash file on several USB drives, scatter them around the office and monitor the Events tab on the Cortex XDR console

Option A

Option B

Option C

Option D

RPM

SH

DEB

ZIP

SplunkPY integration

Demisto App for Splunk integration

XSOAR REST API integration

Splunk integration

VMware NSX

Amazon Alexa rank indicator

Cisco ACI

Linux endpoints

< >

Contains

=

Is Contained By

Gather information about the word processing applications and run them on a Windows XP SP3 VM Determine if any of the applications are vulnerable and run the exploit with an exploitation tool

Run word processing exploits in a latest version of Windows VM in a controlled and isolated environment. Document indicators of compromise and compare to Traps protection capabilities

Run a known 2015 flash exploit on a Windows XP SP3 VM. and run an exploitation tool that acts as a listener Use the results to demonstrate Traps capabilities

Prepare the latest version of Windows VM Gather information about the word processing applications, determine if some of them are vulnerable and prepare a working exploit for at least one of them Execute with an exploitation tool

Administrator Guide

LIVEcommunity

Release Notes

Palo Alto Networks Status Page

A tile from an allowed signer is exempt from local analysis.

Local analysis always happens before a WildFire verdict check.

Hash comparisons come after local static analysis.

The block list is verified in the final step.

Grant the customer access to the management console immediately following activation.

Provide the customer with an export of all findings at the conclusion of the POV.

Enable all of the attach surface rules to show the highest number of alerts.

Review the mapping in advance to identity a few interesting findings to share with the customer.

endpoint manager

SOC manager

SOC analyst

desktop engineer

Conditional

Automation

Manual

Parallel

Domain/workgroup membership

quarantine status

hostname

OS

attack threat intelligence tag

Cortex XSOAR Work Plan

Cortex SOC Orchestrator

Cortex Data Lake

Cortex XDR Causality View

Have XSOAR automatically add the IP address to a threat intelligence management (TIM) malicious IP list to elevate priority of future alerts.

Have XSOAR automatically add the IP address to a deny rule in the firewall.

Have XSOAR automatically add the IP address to an external dynamic list (EDL) used by the firewall.

Have XSOAR automatically create a NetOps ticket requesting a configuration change to the firewall to block the IP.

registry

file path

hash

hostname

file

registry

event log

alert log

No solution will stop every attack requiring further investigation of activity.

Insider Threats may not be blocked and initial activity may go undetected.

Analysts need to acquire forensic artifacts of malware that has been blocked by the XDR agent.

Detailed reports are needed for senior management to justify the cost of XDR.

Elasticsearch

Broker VM

Syslog collector

Windows Event Collector

Vendor

Type

Using

Brand

SIEMs supports only agentless scanning, not agent-based workload protection across VMs, containers/Kubernetes.

UEBA can add trusted signers of Windows or Mac processes to a whitelist in the Endpoint Security Manager (ESM) Console.

SIEMs have difficulty detecting unknown or advanced security threats that do not involve malware, such as credential theft.

UEBA establishes a secure connection in which endpoints can be routed, and it collects and forwards logs and files for analysis.

Configure the Golden Image as a persistent VDI

Use the Cortex XDR VDI tool to obtain verdicts for all PE files

Install the Cortex XOR Agent on the local machine

Run the Cortex VDI conversion tool

Threat, Config, System, Data

Threat, Config, System, Analytic

Threat, Monitor. System, Analytic

Threat, Config, Authentication, Analytic

incorrect instance name

incorrect Username and Password

incorrect appliance port

incorrect server URL

Secure Shell (SSH)

SAML

RADIUS

Customer Support Portal

role-based access control

cloud identity engine

endpoint groups

restrictions security profile