XDR Analyst Practice Exam 2025: Latest Questions

An analyst wants to understand how Cortex XDR correlates activity across endpoints, network, and cloud sources to create a single view of suspicious behavior. Which Cortex XDR construct best represents this correlated view?

A Cortex XDR alert shows a malicious process on a workstation. You need to quickly determine what spawned the process and what it connected to afterward. Which feature should you use first?

An analyst needs to reduce risk immediately after confirming malware execution on a single endpoint, but does not want to impact other endpoints. Which response action is the most targeted initial containment step?

A manager asks for a weekly summary of the organization’s most common alert types and the endpoints most frequently involved. Where should an analyst start to build this summary in Cortex XDR?

A suspicious PowerShell command is observed in an alert. You want to find whether the same command line executed on any other endpoint in the last 30 days. Which is the best approach?

Your SOC wants to ensure consistent handling of common incidents (for example, commodity malware) with minimal analyst effort. Which Cortex XDR capability best supports repeatable, guided actions and automation?

An organization wants Cortex XDR to ingest and normalize logs from a third-party data source that cannot send logs directly to Cortex XDR. Which component is commonly used to bridge this gap?

You need to share investigation results with leadership while protecting sensitive endpoint usernames and internal IP addresses. What is the best practice when generating reports or exports from Cortex XDR?

During an investigation, an endpoint shows a high-severity alert, but the causality chain appears truncated and does not include the initiating process. Several endpoints report similar gaps. What is the most likely root cause to validate first?

An analyst is asked to prove whether a suspected lateral movement technique occurred: a user account authenticated to multiple endpoints in a short period followed by remote service execution. Which approach provides the strongest evidence in Cortex XDR?

An analyst wants to quickly determine whether an alert is isolated to one host or impacting multiple endpoints. Which Cortex XDR view is most appropriate to start with?

A new alert is created from endpoint telemetry and shows a process tree with parent/child relationships. Which Cortex XDR component is primarily responsible for collecting the endpoint data used to build this process tree?

An incident has been confirmed as malicious, and the analyst needs to immediately prevent a specific endpoint from communicating on the network while keeping it powered on for forensic review. What is the recommended containment action in Cortex XDR?

An analyst is investigating suspicious PowerShell activity. They want to identify every endpoint where the same command line was executed in the last 7 days. Which approach is most appropriate in Cortex XDR?

A detection shows an unknown executable making outbound connections to multiple rare domains. The analyst wants a quick confidence boost without detonating files. Which Cortex XDR capability best supports this triage decision?

During investigation, the analyst sees multiple related alerts that should be handled together as a single case. What Cortex XDR feature most directly supports consolidating and managing related activity as one unit of work?

An analyst contains an endpoint and then needs to remove persistence created by a malicious scheduled task. Which sequence is the best practice in Cortex XDR incident response?

A team wants a weekly report that highlights the top malware alerts by endpoint and shows whether incidents were resolved within an internal SLA. Which Cortex XDR capability best supports delivering this requirement?

A Windows endpoint is generating repeated high-severity malware alerts, but when the analyst opens the causality chain, key process events appear missing or incomplete. Other endpoints look normal. What is the most likely cause?

An analyst suspects lateral movement using remote service creation. They need to determine the originating host, the credential/account used, and the set of target endpoints involved, then confirm whether it is part of the same attack campaign. Which investigation approach in Cortex XDR is most effective?

An analyst wants to quickly verify whether a suspicious executable identified in an alert appears elsewhere in the environment and where it executed. Which Cortex XDR artifact is best suited to pivot from the alert to this broader visibility?

You need to provide leadership a weekly view showing: total incidents created, mean time to acknowledge (MTTA), mean time to remediate (MTTR), and a breakdown of incident sources. Which approach best meets this requirement in Cortex XDR?

A host is suspected of active malware execution. You want to stop further lateral movement immediately while still allowing the endpoint to communicate with Cortex XDR for investigation and response actions. What is the most appropriate response action?

After enabling a new set of prevention policies, multiple endpoints are shown as "disconnected" and are not sending telemetry. Network connectivity appears normal. Which check is the most appropriate first step to troubleshoot from a Cortex XDR architecture perspective?

During an investigation, you find a chain of activity: a user opens a document, a scripting engine spawns a command shell, and then a credential-dumping tool runs. You want to capture the most defensible evidence to justify the incident scope and recommended containment. Which Cortex XDR view or data representation is most appropriate?