CertsTopics Logo

Month End Sale 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: save70

Free and Premium Paloalto Networks PSE-Cortex Dumps Questions Answers

Page: 1 / 13
Total 168 questions
Get PSE-Cortex Full Access Download PSE-Cortex PDF

Palo Alto Networks System Engineer - Cortex Professional Questions and Answers

Question 1

An Administrator is alerted to a Suspicious Process Creation security event from multiple users.

The users believe that these events are false positives Which two steps should the administrator take to confirm the false positives and create an exception? (Choose two )

Options:

A.

With the Malware Security profile, disable the "Prevent Malicious Child Process Execution" module

B.

Within the Malware Security profile add the specific parent process, child process, and command line argument to the child process whitelist

C.

In the Cortex XDR security event, review the specific parent process, child process, and command line arguments

D.

Contact support and ask for a security exception.

Buy Now
Question 2

How many use cases should a POC success criteria document include?

Options:

A.

only 1

B.

3 or more

C.

no more than 5

D.

no more than 2

Question 3

An administrator has a critical group of systems running Windows XP SP3 that cannot be upgraded The administrator wants to evaluate the ability of Traps to protect these systems and the word processing applications running on them

How should an administrator perform this evaluation?

Options:

A.

Gather information about the word processing applications and run them on a Windows XP SP3 VM Determine if any of the applications are vulnerable and run the exploit with an exploitation tool

B.

Run word processing exploits in a latest version of Windows VM in a controlled and isolated environment. Document indicators of compromise and compare to Traps protection capabilities

C.

Run a known 2015 flash exploit on a Windows XP SP3 VM. and run an exploitation tool that acts as a listener Use the results to demonstrate Traps capabilities

D.

Prepare the latest version of Windows VM Gather information about the word processing applications, determine if some of them are vulnerable and prepare a working exploit for at least one of them Execute with an exploitation tool

Question 4

A customer has purchased Cortex XDR and requires phone support for the product.

Which Palo Alto Networks offering would fulfill this need?

Options:

A.

Platinum Success

B.

Premium Success

C.

Diamond Success

D.

Standard Success

Question 5

An adversary is attempting to communicate with malware running on your network for the purpose of controlling malware activities or for ex filtrating data from your network. Which Cortex XDR Analytics alert is this activity most likely to trigger'?

Options:

A.

Uncommon Local Scheduled Task Creation

B.

Malware

C.

New Administrative Behavior

D.

DNS Tunneling

Question 6

Which Cortex XDR capability prevents running malicious files from USB-connected removable equipment?

Options:

A.

Device customization

B.

Agent configuration

C.

Agent management

D.

Restrictions profile

Question 7

What is the difference between the intel feed’s license quotas of Cortex XSOAR Starter Edition and Cortex XSOAR (SOAR + TIM)?

Options:

A.

Cortex XSOAR Started Edition has unlimited access to the Threat Intel Library.

B.

In Cortex XSOAR (SOAR + TIM), Unit 42 Intelligence is not included.

C.

In Cortex XSOAR (SOAR + TIM), intelligence detail view and relationships data are not included.

D.

Cortex XSOAR Starter Edition includes up to 5 active feeds and 100 indicators/fetch.

Question 8

The certificate used for decryption was installed as a trusted root CA certificate to ensure communication between the Cortex XDR Agent and Cortex XDR Management Console What action needs to be taken if the administrator determines the Cortex XDR Agents are not communicating with the Cortex XDR Management Console?

Options:

A.

add paloaltonetworks com to the SSL Decryption Exclusion list

B.

enable SSL decryption

C.

disable SSL decryption

D.

reinstall the root CA certificate

Question 9

What is the requirement for enablement of endpoint and network analytics in Cortex XDR?

Options:

A.

Cloud Identity Engine configured and enabled

B.

Network Mapper applet on the Broker VM configured and enabled

C.

Logs from at least 30 endpoints over a minimum of two weeks

D.

Windows DHCP logs ingested via a Cortex XDR collector

Question 10

Given the integration configuration and error in the screenshot what is the cause of the problem?

Options:

A.

incorrect instance name

B.

incorrect Username and Password

C.

incorrect appliance port

D.

incorrect server URL

Question 11

Which feature of Cortex XSIAM helps analyst reduce the noise and false positives that often plague traditional SIEM systems?

Options:

A.

Alert range indicators

B.

Al-generated correlation rules

C.

Automatic incident scoring

D.

Dynamic alarm fields

Question 12

Which two filter operators are available in Cortex XDR? (Choose two.)

Options:

A.

< >

B.

Contains

C.

=

D.

Is Contained By

Question 13

An administrator of a Cortex XDR protected production environment would like to test its ability to protect users from a known flash player exploit.

What is the safest way to do it?

Options:

A.

The administrator should attach a copy of the weapomzed flash file to an email, send the email to a selected group of employees, and monitor the Events tab on the Cortex XDR console

B.

The administrator should use the Cortex XDR tray icon to confirm his corporate laptop is fully protected then open the weaponized flash file on his machine, and monitor the Events tab on the Cortex XDR console.

C.

The administrator should create a non-production Cortex XDR test environment that accurately represents the production environment, introduce the weaponized flash file, and monitor the Events tab on the Cortex XDR console.

D.

The administrator should place a copy of the weaponized flash file on several USB drives, scatter them around the office and monitor the Events tab on the Cortex XDR console

Question 14

When initiated, which Cortex XDR capability allows immediate termination of the process-or entire process tree-on an anomalous process discovered during investigation of a security event?

Options:

A.

Live sensors

B.

Live terminal

C.

Log forwarding

D.

Log stitching

Question 15

Which consideration should be taken into account before deploying Cortex XSOAR?

Options:

A.

Which cybersecurity framework to implement for Secure Operations Center (SOC) operations

B.

Whether communication with internal or external applications is required

C.

How to configure network firewalls for optimal performance

D.

Which endpoint protection software to integrate with Cortex XSOAR

Question 16

What are process exceptions used for?

Options:

A.

whitelist programs from WildFire analysis

B.

permit processes to load specific DLLs

C.

change the WildFire verdict for a given executable

D.

disable an EPM for a particular process

Question 17

Which two types of lOCs are available for creation in Cortex XDR? (Choose two.)

Options:

A.

IP

B.

endpoint hostname

C.

domain

D.

registry entry

Question 18

An EDR project was initiated by a CISO. Which resource will likely have the most heavy influence on the project?

Options:

A.

desktop engineer

B.

SOC manager

C.

SOC analyst IT

D.

operations manager

Question 19

A customer has 2700 endpoints. There is currently concern about recent attacks in their industry and threat intelligence from a third-party subscription. In an attempt to be proactive, phishing simulations have been prioritized, but the customer wants to gain more visibility and remediation capabilities specific to their network traffic.

Which Cortex product provides these capabilities?

Options:

Question 20

When preparing for a Cortex XSOAR proof of value (POV), which task should be performed before the evaluation is requested?

Options:

A.

Ensuring that the customer has single sign-on (SSO) configured in their environment

B.

Building out an executive-IeveI proposal detailing the product capabilities

C.

Planning for every different use case the customer has for the solution

D.

Gathering a list of the different integrations that will need to be configured

Question 21

A General Purpose Dynamic Section can be added to which two layouts for incident types? (Choose two)

Options:

A.

"Close" Incident Form

B.

Incident Summary

C.

Incident Quick View

D.

"New"/Edit" Incident Form

Question 22

Which Cortex XDR Agent capability prevents loading malicious files from USB-connected removable equipment?

Options:

A.

Agent Configuration

B.

Device Control

C.

Device Customization

D.

Agent Management

Question 23

Which two Cortex XSOAR incident type features can be customized under Settings > Advanced > Incident Types? (Choose two.)

Options:

A.

adding new fields to an incident type

B.

setting reminders for an incident service level agreement

C.

defining whether a playbook runs automatically when an incident type is encountered

D.

dropping new incidents of the same type that contain similar information

Question 24

Which action should be performed by every Cortex Xpanse proof of value (POV)?

Options:

A.

Grant the customer access to the management console immediately following activation.

B.

Provide the customer with an export of all findings at the conclusion of the POV.

C.

Enable all of the attach surface rules to show the highest number of alerts.

D.

Review the mapping in advance to identity a few interesting findings to share with the customer.

Question 25

Which two filter operators are available in Cortex XDR? (Choose two.)

Options:

A.

not Contains

B.

!*

C.

=>

D.

< >

Question 26

What is the recommended first step in planning a Cortex XDR deployment?

Options:

A.

Implement Cortex XDR across all endpoints without assessing architecture or assets

B.

Deploy agents across the entire environment for immediate protection.

C.

Deploy Cortex XDR on endpoints with the highest potential for attack.

D.

Conduct an assessment and identify critical assets and endpoint within the environment.

Question 27

Cortex XSOAR has extracted a malicious IP address involved in command-and-control traffic.

What is the best method to automatically block this IP from communicating with endpoints without requiring a configuration change on the firewall?

Options:

A.

Create a NetOps ticket requesting a configuration change to the firewall to block the IP.

B.

Add the IP address to an external dynamic list used by the firewall.

C.

Add the IP address to a threat intelligence management malicious IP list to elevate priority of future alerts.

D.

Block the IP address by creating a deny rule in the firewall.

Question 28

Which statement applies to the malware protection flow of the endpoint agent in Cortex XSIAM?

Options:

A.

A tile from an allowed signer is exempt from local analysis.

B.

Local analysis always happens before a WildFire verdict check.

C.

Hash comparisons come after local static analysis.

D.

The block list is verified in the final step.

Question 29

The customer has indicated they need EDR data collection capabilities, which Cortex XDR license is required?

Options:

A.

Cortex XDR Pro per TB

B.

Cortex XDR Prevent

C.

Cortex XDR Endpoint

D.

Cortex XDR Pro Per Endpoint

Question 30

Which Cortex XDR license is required for a customer that requests endpoint detection and response (EDR) data collection capabilities?

Options:

A.

Cortex XDR Pro per TB

B.

Cortex XDR Endpoint

C.

Cortex XDR Prevent

D.

Cortex XDR Pro Per Endpoint

Question 31

Which statement applies to the differentiation of Cortex XDR from security information and event management (SIEM)?

Options:

A.

SIEM has access to raw logs from agents, where Cortex XDR traditionally only gets alerts.

B.

Cortex XDR allows just logging into the console and out of the box the events were blocked as a proactive approach.

C.

Cortex XDR requires a large and diverse team of analysts and up to several weeks for simple actions like creating an alert.

D.

SIEM has been entirely designed and built as cloud-native, with the ability to stitch together cloud logs, on-premises logs, third-party logs, and endpoint logs.

Question 32

Which command-line interface (CLI) query would retrieve the last three Splunk events?

Options:

A.

!search using=splunk_instance_1 query="* | last 3"

B.

!search using=splunk_instance_1 query="* | 3"

C.

!query using=splunk_instance_1 query="* | last 3"

D.

!search using=splunk_instance_1 query="* | head 3"

Question 33

Which two log types should be configured for firewall forwarding to the Cortex Data Lake for use by Cortex XDR? (Choose two)

Options:

A.

Security Event

B.

HIP

C.

Correlation

D.

Analytics

Question 34

How does DBot score an indicator that has multiple reputation scores?

Options:

A.

uses the most severe score scores

B.

the reputation as undefined

C.

uses the average score

D.

uses the least severe score

Question 35

What are the key capabilities of the ASM for Remote Workers module?

Options:

A.

Monitoring endpoint activity, managing firewall rules, and mitigating cybersecurity threats

B.

Gathering endpoint data, conducting internal scans, and automating network configurations

C.

Identifying office network vulnerabilities, monitoring remote workforce, and encrypting data

D.

Analyzing global scan data, identifying risky issues on remote networks, and providing internal insights

Question 36

Which Linux OS command will manually load Docker images onto the Cortex XSOAR server in an air-gapped environment?

Options:

A.

sudo repoquery -a --installed

B.

sudo demistoserver-x.x-xxxx.sh -- -tools=load

C.

sudo docker ps load

D.

sudo docker load -i YOUR_DOCKER_FILE.tar

Question 37

A Cortex XSOAR customer has a phishing use case in which a playbook has been implemented with one of the steps blocking a malicious URL found in an email reported by one of the users.

What would be the appropriate next step in the playbook?

Options:

A.

Email the CISO to advise that malicious email was found.

B.

Disable the user's email account.

C.

Email the user to confirm the reported email was phishing.

D.

Change the user's password.

Question 38

Within Cortex XSIAM, how does the integration of Attack Surface Management (ASM) provide a unified approach to security event management that traditional SIEMs typically lack?

Options:

A.

By providing a queryable dataset of ASM data for threat hunting

B.

By offering dashboards on ASM data within the management console

C.

By manually correlating of ASM data with security events

D.

By enriching incidents with ASM data for all internet-facing assets

Question 39

What is the result of creating an exception from an exploit security event?

Options:

A.

Administrators are exempt from generating alerts for 24 hours.

B.

Process from WildFire analysis is whitelisted.

C.

Triggered exploit protection module (EPM) for the host and process involved is disabled.

D.

User is exempt from generating events for 24 hours.

Question 40

Which feature in Cortex XSIAM extends analytics detections to all mapped network and authentication data?

Options:

A.

Threat feed integration

B.

Automation daybooks

C.

Parsing rules

D.

Data models

Question 41

Which two formats are supported by Whitelist? (Choose two)

Options:

A.

Regex

B.

STIX

C.

CSV

D.

CIDR

Question 42

What is the primary function of an engine in Cortex XSOAR?

Options:

A.

To execute playbooks, scripts, commands, and integrations

B.

To manage multiple Cortex XSOAR tenants

C.

To provide a user interface for security analysts

D.

To store and manage incident data, remediation plans, and documentation

Question 43

What is the primary mechanism for the attribution of attack surface data in Cortex Xpanse?

Options:

A.

Active scanning with network-installed agents

B.

Dark web monitoring

C.

Customer-provided asset inventory lists

D.

Scanning from public internet data sources

Question 44

Which resource can a customer use to ensure that the Cortex XDR agent will operate correctly on their CentOS 07 servers?

Options:

A.

Administrator Guide

B.

Compatibility Matrix

C.

Release Notes

D.

LIVE community

Question 45

What allows the use of predetermined Palo Alto Networks roles to assign access rights to Cortex XDR users?

Options:

A.

role-based access control

B.

cloud identity engine

C.

endpoint groups

D.

restrictions security profile

Question 46

A customer has purchased Cortex XSOAR and has a need to rapidly stand up the product in their environment. The customer has stated that their internal staff are currently occupied with other projects.

Which Palo Alto Networks service offering should be recommended to the customer?

Options:

A.

Deployment

B.

Onboardinq

C.

Fast-Track

D.

QuickStart

Question 47

Which CLI query would bring back Notable Events from Splunk?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 48

An adversary attempts to communicate with malware running on a network in order to control malware activities or to exfiltrate data from the network.

Which Cortex XDR Analytics alert will this activity most likely trigger?

Options:

A.

uncommon local scheduled task creation

B.

malware

C.

new administrative behavior

D.

DNS Tunneling

Question 49

If you have a playbook task that errors out. where could you see the output of the task?

Options:

A.

/var/log/messages

B.

War Room of the incident

C.

Demisto Audit log

D.

Playbook Editor

Question 50

Which task setting allows context output to a specific key?

Options:

A.

extend context

B.

stop on errors

C.

task output

D.

lags

Exam Detail
Vendor: Paloalto Networks
Certification: PSE-Cortex Professional
Exam Code: PSE-Cortex
Exam Name: Palo Alto Networks System Engineer - Cortex Professional
Last Update: Apr 26, 2025
PSE-Cortex Question Answers
Page: 1 / 13
Total 168 questions
Get PSE-Cortex Full Access Download PSE-Cortex PDF