PSE-Cortex-Pro-24 Palo Alto Networks Systems Engineer Professional - Cortex Questions and Answers

playbook features

sub-playbooks

conditional tasks

manual tasks

An exception is based on rules and exclusions are on alerts

An exclusion is based on rules and exceptions are based on alerts.

An exception does not exist

An exclusion does not exist

phishing

either

ServiceNow

neither

The Data Ingestion Health page identifies deviations from normal patterns of log collection

The Cortex XSIAM Command Center dashboard will display a red icon if a data source is having issues.

The tenant’s compute units consumption will change dramatically, indicating a collection issue.

It automatically runs a copilot playbook to troubleshoot and resolve ingestion issues.

Email the CISO to advise that malicious email was found.

Disable the user's email account.

Email the user to confirm the reported email was phishing.

Change the user's password.

SIEM has access to raw logs from agents, where Cortex XDR traditionally only gets alerts.

Cortex XDR allows just logging into the console and out of the box the events were blocked as a proactive approach.

Cortex XDR requires a large and diverse team of analysts and up to several weeks for simple actions like creating an alert.

SIEM has been entirely designed and built as cloud-native, with the ability to stitch together cloud logs, on-premises logs, third-party logs, and endpoint logs.

Threat feed integration

Automation daybooks

Parsing rules

Data models

Directory Sync

Cortex Data Lake

Panorama

Cortex XSOAR

Domain/workgroup membership

quarantine status

hostname

OS

attack threat intelligence tag

scripts library from the action center

Open Database Connectivity (ODBC) connection to network device database

Common Event Format (CEF) via broker Syslog module

file reader to the /var/log/messages file on the device

Online forums

Video series

Administrator's guide

Technical blogs

Define whether a playbook runs automatically when an incident type is encountered

Set reminders for an incident SLA

Add new fields to an incident type

Define the way that incidents of a specific type are displayed in the system

Drop new incidents of the same type that contain similar information

Heuristic analysis

Local analysis

Signature comparison

WildFire hash comparison and dynamic analysis

Administrator Guide

LIVEcommunity

Release Notes

Palo Alto Networks Status Page

cc-xnet50.traps.paloaltonetworks.com

hc-xnet50.traps.paloaltonetworks.com

cc-xnet.traps.paloaltonetworks.com

cc.xnet50traps.paloaltonetworks.com

xnettraps.paloaltonetworks.com

ch-xnet.traps.paloaltonetworks.com

WildFire hash comparison

heuristic analysis

signature comparison

dynamic analysis

Generic Polling Automation Playbook

Playbook Tasks

Sub-Play books

Playbook Functions

Have XSOAR automatically add the IP address to a threat intelligence management (TIM) malicious IP list to elevate priority of future alerts.

Have XSOAR automatically add the IP address to a deny rule in the firewall.

Have XSOAR automatically add the IP address to an external dynamic list (EDL) used by the firewall.

Have XSOAR automatically create a NetOps ticket requesting a configuration change to the firewall to block the IP.

Local static analysis happens before a WildFire verdict check.

In the final step, the block list is verified.

A trusted signed file is exempt from local static analysis.

Hash comparisons come after local static analysis.

< >

Contains

=

Is Contained By

adding new fields to an incident type

setting reminders for an incident service level agreement

defining whether a playbook runs automatically when an incident type is encountered

dropping new incidents of the same type that contain similar information

not Contains

!*

=>

< >

VMware NSX

Amazon Alexa rank indicator

Cisco ACI

Linux endpoints

incorrect instance name

incorrect Username and Password

incorrect appliance port

incorrect server URL

ArcSight ESM integration

SplunkUpdate integration

Demisto App for Splunk integration

SplunkPY integration

Cortex XSOAR Started Edition has unlimited access to the Threat Intel Library.

In Cortex XSOAR (SOAR + TIM), Unit 42 Intelligence is not included.

In Cortex XSOAR (SOAR + TIM), intelligence detail view and relationships data are not included.

Cortex XSOAR Starter Edition includes up to 5 active feeds and 100 indicators/fetch.

Ensure the playbook is set to run in quiet mode to minimize CPU usage and suppress errors

Confirm the integration credentials or API keys are valid.

Check the integration logs and enable a higher logging level, if needed, view the specific error.

Confirm there are no dashboards or reports configured to use that integration instance.

Advanced logging service license

HTTP Collector

Devices in the same region as XDR/XSIAM

XDR/XSIAM Broker VM

windows event logs only

syslogs only

windows event logs, syslogs, and custom external sources

windows event logs and syslogs only

Deployment

Onboardinq

Fast-Track

QuickStart

Playbook triggers

Correlation rules

Incident scoring

Data model rules

Live Sensors

File Explorer

Log Stitching

Live Terminal

Grant the customer access to the management console immediately following activation.

Provide the customer with an export of all findings at the conclusion of the POV.

Enable all of the attach surface rules to show the highest number of alerts.

Review the mapping in advance to identity a few interesting findings to share with the customer.

playbook editor

XSOAR audit log

/var/log/messages

War Room of the incident

Ensuring that the customer has single sign-on (SSO) configured in their environment

Building out an executive-IeveI proposal detailing the product capabilities

Planning for every different use case the customer has for the solution

Gathering a list of the different integrations that will need to be configured

To group alerts into incidents for manual analysis

To facilitate alert and log management without automation

To effectively handle the bulk of incidents through automation

To rely heavily on human-driven detection and remediation

alert root cause

hostname

domain/workgroup membership

OS

presence of Flash executable

Configure the Golden Image as a persistent VDI

Use the Cortex XDR VDI tool to obtain verdicts for all PE files

Install the Cortex XOR Agent on the local machine

Run the Cortex VDI conversion tool

Disable automatic memory dumps.

Scan the image using the imagepreptool.

Launch the VDI conversion tool.

Enable the VDI license timeout.

SplunkPY integration

Demisto App for Splunk integration

XSOAR REST API integration

Splunk integration

#Bob

/invite Bob

@Bob

!invite Bob

It achieves comprehensive multi-cloud visibility and security

B It optimizes network performance in multi-cloud environments

It enhances on-premises security measures

It streamlines the cloud migration processes

/var/log/demisto/acc_Tenant1/server.log

/var/log/demisto/Tenant1/server.log

/var/lib/demisto/acc_Tenant1/server.log

/var/lib/demisto/server.log

exploit

malware

phishing

ransomware

It provides advanced customization capabilities.

It provides real-time protection across hosts and containers.

It enables consolidation of multiple point products into a single integrated service.

It enables a comprehensive view of the customer environment with regard to digital employee productivity.

Option A

Option B

Option C

Option D

firewall alert

SIEM alert

full URL

registry set value