XDR Analyst Intermediate Practice Exam: Medium Difficulty 2025
Ready to level up? Our intermediate practice exam features medium-difficulty questions with scenario-based problems that test your ability to apply concepts in real-world situations. Perfect for bridging foundational knowledge to exam-ready proficiency.
What Makes Intermediate Questions Different?
Apply your knowledge in practical scenarios
Medium Difficulty: Questions that test application of concepts in real-world scenarios
Scenario-Based: Practical situations requiring multi-concept understanding
Exam-Similar: Question style mirrors what you'll encounter on the actual exam
Bridge to Advanced: Prepare yourself for the most challenging questions
Medium Difficulty Practice Questions
10 intermediate-level questions for XDR Analyst
A security team wants Cortex XDR to correlate endpoint activity with network traffic seen on next-generation firewalls to improve investigation context. They already have endpoints onboarded. What is the best next step to enable this cross-data correlation in Cortex XDR?
Your organization has multiple business units with separate SOC teams. They want each SOC to investigate only its own endpoints, while a central admin team maintains global configuration. Which approach best supports this requirement in Cortex XDR?
An analyst sees an incident containing a suspicious PowerShell process that spawned from an Office application. The analyst wants to quickly understand how the process chain led to a network connection to an external IP and whether lateral movement occurred. Which Cortex XDR capability best supports this investigation workflow?
Cortex XDR generates frequent high-severity alerts for a legitimate IT automation tool that uses signed binaries but performs remote execution and registry changes. The SOC wants to reduce false positives without losing visibility into truly suspicious behavior. What is the best approach?
During investigation, an analyst suspects credential dumping on one host and wants to determine whether the same technique is being used elsewhere in the environment. What is the most effective next step in Cortex XDR?
An incident shows a malware alert on a user laptop. The analyst needs to confirm whether the laptop communicated with a known command-and-control (C2) domain and whether any other endpoints reached out to the same domain. Which investigation approach is best?
A ransomware-like incident is detected on a workstation. The SOC wants to contain the threat quickly while preserving evidence for later analysis. What is the most appropriate first response action in Cortex XDR?
An analyst confirmed a malicious executable is running on several endpoints. They need to stop it quickly across the environment and prevent re-execution, but avoid blocking legitimate software. Which combination of actions is most appropriate?
After remediating an incident, the SOC lead wants to ensure the environment is clean and that similar attacks will be detected earlier next time. Which post-incident activity best aligns with Cortex XDR best practices?
Management asks for a monthly report showing detection trends, top incident types, mean time to respond (MTTR), and which business unit has the highest volume of high-severity incidents. What is the best way to meet this request using Cortex XDR capabilities?
Mastered the intermediate level?
Challenge yourself with advanced questions when you score above 85%
XDR Analyst Intermediate Practice Exam FAQs
XDR Analyst is a professional certification from Palo Alto Networks that validates expertise in XDR Analyst technologies and concepts. The official exam code is PALOALTO-11.
The XDR Analyst intermediate practice exam contains medium-difficulty questions that test your working knowledge of core concepts. These questions are similar to what you'll encounter on the actual exam.
Take the XDR Analyst intermediate practice exam after you've completed the beginner level and feel comfortable with basic concepts. This helps bridge the gap between foundational knowledge and exam-ready proficiency.
The XDR Analyst intermediate practice exam includes scenario-based questions and multi-concept problems similar to the PALOALTO-11 exam, helping you apply knowledge in practical situations.