XDR Analyst Practice Exam: Test Your Knowledge 2025

What is the primary function of the Cortex XDR agent when deployed on an endpoint?

An analyst is investigating an alert where multiple failed login attempts were followed by a successful login from an unusual location. Which Cortex XDR feature would have initially detected this behavior?

During an incident response, you need to isolate a compromised endpoint while maintaining communication with the Cortex XDR agent. What action should you take?

Which component stores all the raw data collected from various sources in Cortex XDR for analysis and long-term retention?

What is the purpose of Causality Analysis in Cortex XDR?

A security analyst needs to create a custom detection rule for a specific threat pattern not covered by default analytics. Which Cortex XDR feature should they use?

An organization has deployed Cortex XDR with both Palo Alto Networks firewalls and third-party security products. How can they ingest data from the third-party products?

During investigation, an analyst discovers that a legitimate process was used to execute malicious commands. What technique is this an example of, and how would Cortex XDR detect it?

When responding to a ransomware incident, what is the recommended sequence of actions in Cortex XDR?

What information does the Cortex XDR Risk Score provide about endpoints?

An analyst needs to search for all processes that made network connections to a specific IP address across all endpoints in the last 30 days. Which Cortex XDR capability should they use?

After containing a threat, you need to remove malicious files from multiple endpoints and restore a modified registry key. What Cortex XDR feature enables this?

Which Cortex XDR agent protection module specifically prevents exploitation techniques such as buffer overflow, heap spray, and ROP chain execution?

Your organization wants to generate a weekly executive report showing trends in security incidents, top targeted assets, and MITRE ATT&CK technique coverage. What Cortex XDR feature would you use?

During an investigation, you discover an incident involves multiple alerts across endpoints, network, and cloud workloads. How does Cortex XDR handle the relationship between these alerts?

An organization needs to implement least privilege principles for their XDR analysts. Different team members should have different investigation and response capabilities. How should this be configured?

While investigating a suspected data exfiltration incident, you need to identify all files accessed by a suspicious process and determine if any were transmitted over the network. Which Cortex XDR investigation approach is most effective?

After identifying a new malicious hash during an investigation, what is the best practice for preventing this threat across the entire organization in Cortex XDR?

A senior analyst needs to understand the effectiveness of security controls by analyzing which MITRE ATT&CK techniques have been detected and blocked over the past quarter. Which Cortex XDR feature provides this visibility?

During a complex investigation, you need to pivot from a suspicious IP address to identify all endpoints that communicated with it, then find all processes on those endpoints that made the connections. What is the most efficient approach in Cortex XDR?