50 XDR Analyst Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the XDR Analyst certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for XDR Analyst
An analyst wants to quickly pivot from an alert about a suspicious process to everything that happened on the same endpoint around that time (process tree, child processes, network connections). Which Cortex XDR view best supports this workflow?
A security team wants to isolate a compromised laptop from the network while still allowing the Cortex XDR agent to communicate with the service for investigation. What response action should the analyst use?
Which statement best describes the role of the Cortex XDR agent in the overall architecture?
An analyst needs a weekly summary showing incident counts by severity and the top affected hosts. What is the most appropriate built-in feature to use?
A medium-severity incident contains multiple alerts from the same host: a suspicious PowerShell command, a new scheduled task, and an outbound connection to an unknown domain. What is the best first investigative step in Cortex XDR?
An analyst ran a response action to terminate a malicious process, but the process keeps reappearing minutes later. Which next action is the best practice to prevent recurrence while continuing investigation?
A team notices a high number of benign alerts triggered by an internal IT script used across endpoints. They want to reduce noise while keeping visibility if the script is modified or behaves differently. What is the best approach?
Cortex XDR is ingesting endpoint data, but the SOC cannot correlate incidents with network activity from firewalls. Endpoint incidents appear without related network session context. Which integration is most likely missing?
During an investigation, an analyst needs to determine whether the same malicious file was executed on any other endpoint in the environment. What is the most effective method in Cortex XDR?
A host shows signs of credential theft: LSASS access attempts, followed by lateral movement attempts. The SOC must contain the threat quickly while preserving forensic evidence for later review. Which sequence is the best practice?
An analyst wants to quickly see which users and endpoints were involved in an alert without pivoting through multiple pages. In Cortex XDR, which view is designed to summarize key entities and relationships at a glance?
A Cortex XDR tenant has endpoint agents installed, but an analyst notices some endpoints are missing visibility data (no processes, no network, no alerts), while the agents appear "connected." Which is the most likely reason?
An analyst wants to send an alert to additional stakeholders only when an incident is raised as "High" severity. What is the most appropriate Cortex XDR feature to use?
A suspicious PowerShell command was observed on one endpoint. The analyst wants to determine whether the same command line has run on any other endpoint in the last 7 days. What is the best approach in Cortex XDR?
During triage, an incident contains multiple alerts that appear unrelated (different hosts and different tactics). What is the best next step to validate whether the grouping is correct?
An analyst needs to preserve forensic evidence before taking containment steps on a potentially compromised endpoint. Which action is generally the best practice sequence in Cortex XDR?
A SOC manager wants a weekly report showing incident counts by severity and the average time to close incidents. Which Cortex XDR capability best supports this requirement?
Multiple endpoints show a malicious file hash. The analyst wants to remediate quickly across the environment with minimal manual effort. Which Cortex XDR action best matches this goal?
A detection triggers on an endpoint, but the analyst suspects it is a legitimate administrative tool used by IT. The analyst wants to reduce future noise while maintaining protection. What is the best approach?
An organization wants to ensure that incident severity reflects business impact: critical servers should raise severity more than standard user laptops for the same detection. Which design choice best supports this requirement in Cortex XDR?
An analyst wants to quickly verify whether a suspicious executable on an endpoint is newly observed in the environment and how widely it has spread. Which Cortex XDR feature best supports this task?
A team is creating an incident handling playbook and wants to ensure they can contain a potentially compromised workstation while keeping it connected to Cortex XDR for continued telemetry and response. Which action best meets this goal?
An analyst needs to send a weekly summary of high-severity incidents and their statuses to stakeholders. Which Cortex XDR capability is most appropriate?
A Cortex XDR incident contains multiple alerts from different hosts that appear related. The analyst wants to understand the sequence of events and relationships among processes, network connections, and file writes for the primary host involved. What is the best view to use?
A security team ingests firewall logs and endpoint telemetry into Cortex XDR. They notice some firewall events are missing key fields needed for correlation, reducing alert fidelity. Which approach is most likely to improve correlation quality?
During an investigation, an analyst sees an alert for suspicious PowerShell activity. They suspect the command line was obfuscated and want to find other endpoints executing similar command patterns. Which method is best?
After confirming malicious activity, the analyst must ensure endpoints stop communicating with a known command-and-control domain while remediation is underway. What is the most appropriate action within Cortex XDR to reduce risk quickly?
An incident shows lateral movement behavior. The analyst needs to identify the initial access point (patient zero) using available evidence in Cortex XDR. Which approach is most effective?
A SOC manager asks for a KPI that measures how quickly the team responds after an incident is created, and they want it trended over time. Which metric best matches this request?
A company wants to ensure that, if an endpoint is compromised and attempts defense evasion by stopping security tooling, analysts are alerted quickly and can validate the impact. Which Cortex XDR data/source combination is most important for this use case?
An analyst wants to ensure all endpoint events and alerts in Cortex XDR are tied back to a single, consistent endpoint identity even if the device IP address changes. Which identifier is the best anchor for correlating endpoint activity over time?
You need to quickly understand why Cortex XDR generated an alert and what evidence contributed to it. Which view is the most direct place to review the alert’s contributing events and correlation context?
An analyst wants to stop a suspected compromised host from communicating with the network while the investigation continues. Which response action best meets this goal in Cortex XDR?
A manager asks for a weekly summary that highlights trends such as top alert types and the most frequently affected endpoints. Which Cortex XDR capability is most appropriate to deliver this in a repeatable way?
A detection shows PowerShell launching with a long encoded command line, followed by a network connection to an unusual external host. What is the best next step to validate whether the activity is malicious before taking containment actions?
After isolating an endpoint, the analyst wants to remove persistence by deleting a known malicious executable and its associated scheduled task. What is the best-practice sequence?
An investigation suggests a phishing-based compromise. The analyst wants to identify other endpoints that contacted the same suspicious domain within the last 24 hours. Which approach is most effective in Cortex XDR?
A SOC lead wants to measure investigation effectiveness by tracking time-to-acknowledge and time-to-remediate for alerts over the last month. What is the best way to support this in Cortex XDR?
Multiple endpoints generate similar malware alerts, but only some show network connections to the known command-and-control (C2) IP. You must decide which endpoints require immediate containment first. Which evidence should you prioritize to support a risk-based triage decision?
An analyst repeatedly gets false positives from a behavioral detection triggered by an internal software deployment tool that uses scripting and remote execution. The analyst must reduce noise without creating a security blind spot for similar attacker techniques. What is the best approach?
An analyst wants to understand how Cortex XDR correlates endpoint activity with network and cloud telemetry to create a single incident view. Which Cortex XDR capability primarily enables this correlation?
You open an incident and need to quickly confirm which host was the first to exhibit suspicious behavior and what triggered the alert. Where should you look first?
A single endpoint is confirmed compromised. You need to prevent further lateral movement while you continue to collect evidence remotely. Which response action best fits this requirement?
An executive asks for a weekly summary showing the number of incidents by severity, top affected endpoints, and time-to-respond trends. What is the most appropriate Cortex XDR approach?
Multiple alerts were grouped into a single incident, but an analyst suspects one alert is unrelated and should be investigated separately. What is the best action?
A suspicious PowerShell process was observed. You want to see parent/child processes, command-line arguments, and related file/network activity on the endpoint to validate malicious behavior. Which Cortex XDR view is most directly useful?
Your SOC wants to ensure response actions (e.g., isolate endpoint, kill process) are restricted to Tier 2+ analysts, while Tier 1 can investigate and add notes. What is the recommended way to implement this in Cortex XDR?
After containment, you need to ensure similar threats are detected earlier in the future. Which post-incident activity best aligns with continuous improvement in Cortex XDR?
A threat actor used a legitimate signed binary (LOLBIN) to perform malicious actions, and the activity appears as 'normal' process execution. You need higher confidence before taking disruptive action. Which approach is most appropriate?
A company ingests endpoint and identity data into Cortex XDR. They also want to bring in logs from multiple external sources for broader correlation, but they must minimize operational overhead and avoid custom parsing whenever possible. Which design choice best meets this goal?
XDR Analyst 50 Practice Questions FAQs
XDR Analyst is a professional certification from Palo Alto Networks that validates expertise in XDR Analyst technologies and concepts. The official exam code is PALOALTO-11.
Our 50 XDR Analyst practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
A bank of 50 questions is a good starting point for XDR Analyst preparation. For comprehensive coverage, we recommend also using our 100- and 200-question banks as you progress.
The 50 XDR Analyst questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.