50 XDR Engineer Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the XDR Engineer certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for XDR Engineer
An organization is planning a Cortex XDR deployment and wants to ensure endpoint telemetry is continuously collected even when users are off-network. Which component provides this endpoint data collection capability?
A security engineer wants to onboard firewall logs into Cortex XDR with minimal custom parsing while preserving rich security context. Which log source is the best fit?
An analyst is configuring role-based access control (RBAC) in Cortex XDR. They want junior analysts to investigate alerts but prevent them from changing policies or agent settings. What is the most appropriate approach?
A Cortex XDR engineer wants an automated response to immediately isolate a host when a high-severity alert is generated. Which feature is designed to automate this action based on alert conditions?
A company has multiple business units and wants to prevent one unit’s analysts from viewing another unit’s endpoint alerts and host information in Cortex XDR. What design best supports this requirement?
After onboarding a new syslog data source, the SOC reports that search results are inconsistent because key fields such as source IP and username appear under different field names across vendors. What is the best practice to improve analytic consistency in Cortex XDR?
Endpoint agents are deployed, but some hosts do not appear in the Cortex XDR endpoints inventory. The affected users confirm the agent service is running. Which is the most likely next troubleshooting step?
A security team wants to ensure that only approved response actions (for example, isolate endpoint, terminate process) can be executed automatically, while other actions require manual approval. What is the best approach in Cortex XDR?
A playbook is designed to automatically isolate an endpoint when an alert indicates possible ransomware. The SOC is concerned about false positives causing business disruption. Which playbook design is the best balance of speed and safety?
A customer wants to correlate endpoint, network, and identity data for stronger detections. They have endpoint agents deployed, firewall logs onboarded, and an identity provider producing authentication logs. Detections still fail to link events to the correct user on endpoints. What is the most likely missing element needed for effective correlation?
An analyst wants to quickly identify whether a suspicious executable seen in Cortex XDR is common or rare across the environment. Which Cortex XDR feature is best suited for this?
A security team wants to onboard network traffic logs from Palo Alto Networks firewalls into Cortex XDR to improve incident correlation. What is the recommended approach?
A customer is planning a phased Cortex XDR agent rollout. They want new agents to receive the correct security policy automatically based on Active Directory organizational unit (OU) membership. Which configuration is most appropriate?
After onboarding Okta audit logs into Cortex XDR, the team notices user names appear in multiple formats (e.g., jsmith, jsmith@company.com), causing fragmented identity correlation. What is the best next step?
A Cortex XDR tenant ingests endpoint, firewall, and DNS logs. Analysts want incidents to automatically prioritize when a single host shows beaconing behavior followed by credential access activity. Which capability primarily enables this cross-data correlation into a single incident?
An automation engineer is building a Cortex XDR playbook to contain a host when a high-severity malware alert occurs. They want to minimize business disruption by confirming with a human before isolating the endpoint. What is the best playbook design?
A SOC wants to ensure playbooks can take action in external systems (for example, disabling a user in an IdP) without embedding static admin passwords in the playbook. What is the recommended approach?
A company has multiple subsidiaries and wants each subsidiary’s analysts to see only their own endpoints and incidents in Cortex XDR, while a central SOC retains global visibility. Which design best supports this requirement?
After deploying Cortex XDR agents, the team sees endpoints listed as "Disconnected" even though they can reach the internet. A proxy is required for outbound traffic, but the proxy requires authentication. Which action is most likely to restore connectivity?
You are troubleshooting why a playbook is not executing its containment step. The incident meets the severity threshold, but the isolation task fails with an authorization error. What is the most likely root cause?
A new analyst can see Cortex XDR alerts but cannot close incidents or change case severity. Which Cortex XDR capability should you use to enforce this separation of duties?
You want Cortex XDR to enrich alerts with user identity and host context from Active Directory so investigations show the likely user tied to an endpoint and IP address. Which integration best addresses this requirement?
An endpoint is suspected of compromise. You need to prevent it from communicating on the network while keeping it powered on for remote investigation in Cortex XDR. Which response action is most appropriate?
A company must send Cortex XDR alerts to a third-party ITSM tool. The ITSM tool is reachable only from an internal network and cannot accept inbound connections from the internet. What is the best architecture to enable this integration?
After onboarding cloud logs, Cortex XDR shows a large volume of duplicate authentication events. Investigations now contain repeated entries for the same action, increasing noise. What is the most likely cause?
You are tuning detection and want to suppress alerts triggered by a sanctioned admin script running on a known jump host, but you do NOT want to disable the detection globally. Which approach best meets the requirement?
Your SOC wants a playbook to automatically isolate an endpoint only when an alert is high severity AND the host is not in an 'Exempt-Servers' endpoint group. What is the best way to implement this logic?
A Cortex XDR agent appears as 'Disconnected' for several endpoints. Basic network connectivity is available, but the agents never reconnect. Which troubleshooting step is most appropriate to validate a common root cause without touching every endpoint?
You are designing a multi-team Cortex XDR deployment. Team A must manage endpoints and response actions. Team B must manage integrations and automation. You want least privilege with clear administrative boundaries. Which design best fits?
A playbook is triggered by an XDR alert and attempts to isolate the endpoint, but the action fails intermittently. The endpoint is online and the analyst can isolate it manually from the console. What is the most likely cause?
A security team wants Cortex XDR to correlate endpoint activity with network security events from their Palo Alto Networks firewalls. Which data source should they onboard to provide rich network session context?
An analyst is investigating an alert and needs to quickly understand the chain of activity across processes, users, and network connections on an endpoint. Which Cortex XDR view is designed specifically for this purpose?
You are planning a phased Cortex XDR rollout. What is the recommended approach to reduce operational risk while validating detection and prevention behavior?
A Cortex XDR playbook must gather additional data and then stop if a required field is missing to avoid taking disruptive actions. Which playbook capability best supports this requirement?
After onboarding firewall logs, Cortex XDR shows significantly fewer network events than expected. The firewall is sending logs to a syslog receiver, and the receiver forwards to Cortex XDR. What is the MOST likely cause?
Your organization wants different endpoint prevention policies for developers (more permissive) and for kiosk systems (more restrictive). What is the best way to implement this in Cortex XDR?
A company deploys a Broker VM for Cortex XDR data collection from internal sources. Which design consideration is MOST important to ensure reliable data ingestion?
A playbook is configured to isolate an endpoint automatically. The security team wants a human approval step only when the target endpoint is a server. How should this be implemented?
A SOC wants to reduce false positives from a behavioral alert that triggers when a legitimate IT tool is used by administrators on a specific set of endpoints. What is the best practice to reduce noise while maintaining detection elsewhere?
An incident response playbook pulls indicators from an external threat intelligence feed and then searches for matches in Cortex XDR. The playbook intermittently fails at the search step with no matches, even when matches exist. Which troubleshooting step is MOST appropriate first?
A security engineer wants to allow analysts to pivot from a Cortex XDR incident to the underlying raw log events and run ad-hoc searches to validate the scope. Which Cortex XDR component enables this capability?
Your organization wants to onboard network security logs into Cortex XDR from multiple Palo Alto Networks firewalls to improve incident context. Which approach is the recommended best practice?
An analyst wants to ensure any response actions taken from Cortex XDR (for example, isolating an endpoint) are tracked for audit purposes. Where should they look to review these actions?
A company has two business units. They want separate RBAC, separate incident queues, and no visibility across units, but they want to keep a single Cortex XDR tenant to reduce overhead. What is the best design approach?
After onboarding Windows endpoints, you see device inventory entries but no process causality (no process tree) for those hosts. Which is the most likely cause?
A SOC wants to reduce alert noise by automatically closing low-risk alerts when the same benign tool triggers repeatedly on approved servers, but they still want visibility for auditing. What is the best approach in Cortex XDR?
You need to allow Tier 1 analysts to run response actions like "Isolate Endpoint" but prevent them from changing policy configurations or agent settings. What is the best RBAC strategy?
A playbook is designed to enrich incidents by querying an external threat intel API. The API intermittently times out, causing the playbook to fail and stop before adding any enrichment. What is the best improvement?
A multinational company must ensure endpoint event data from EU users is not stored or processed outside the EU for regulatory reasons. What design choice best addresses this requirement when deploying Cortex XDR?
A playbook automatically isolates endpoints when a "high severity" incident is created. During testing, endpoints are being isolated for incidents that were initially medium but later escalated to high by correlation. You only want isolation when the incident is created as high severity (not escalated later). What is the best solution?
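Several of the data-onboarding questions above (field names that differ across syslog vendors, Okta usernames arriving as both jsmith and jsmith@company.com, and duplicate authentication events after onboarding cloud logs) come down to one normalization step that runs before any correlation. The Python below is an added example, not code from the original page or from Palo Alto Networks: it maps vendor fields onto a common schema, collapses username variants to a single key, and drops exact duplicates. The vendor names, field mappings and sample events are constructed for the example and are not Cortex XDR's data model or any vendor's real schema.

```python
"""Added example: normalize vendor-specific auth/network events into a common
schema, collapse username variants, and drop exact duplicate events.
Vendor names, field mappings and sample events are constructed for this
example; they are not Cortex XDR's data model or any vendor's schema."""
import hashlib
from typing import Any, Dict, List, Optional, Set, Tuple

# Vendor field -> common field. Dotted keys walk nested JSON (constructed mapping).
FIELD_MAP: Dict[str, Dict[str, str]] = {
    "firewall": {"src": "src_ip", "srcuser": "user",
                 "receive_time": "ts", "action": "action"},
    "idp": {"client.ipAddress": "src_ip", "actor.alternateId": "user",
            "published": "ts", "outcome.result": "action"},
    "vpn": {"source_ip": "src_ip", "username": "user",
            "timestamp": "ts", "result": "action"},
}


def get_path(event: Dict[str, Any], dotted: str) -> Optional[Any]:
    """Return event['a']['b'] for dotted key 'a.b', or None if any segment is missing."""
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def normalize_user(raw: Optional[str]) -> Optional[str]:
    """Collapse 'jsmith', 'JSmith@company.com' and 'COMPANY\\jsmith' to 'jsmith'.
    Only safe when a single directory owns the namespace; with several realms,
    keep the domain part instead of stripping it."""
    if not raw:
        return None
    user = raw.strip().lower()
    if "\\" in user:                 # DOMAIN\user
        user = user.split("\\", 1)[1]
    if "@" in user:                  # user@realm (UPN or e-mail address)
        user = user.split("@", 1)[0]
    return user or None


def normalize_event(vendor: str, event: Dict[str, Any]) -> Dict[str, Any]:
    """Project one raw vendor event onto the common schema."""
    out: Dict[str, Any] = {"vendor": vendor}
    for src_field, common in FIELD_MAP[vendor].items():
        out[common] = get_path(event, src_field)
    out["user"] = normalize_user(out.get("user"))
    if out.get("action") is not None:
        out["action"] = str(out["action"]).lower()
    return out


def dedup_key(n: Dict[str, Any]) -> str:
    """Identity of one action: source, address, user, action, timestamp.
    The vendor is part of the key: an IdP login and a firewall allow are
    different events even when they involve the same user in the same second."""
    parts = [n["vendor"], n.get("src_ip"), n.get("user"), n.get("action"), n.get("ts")]
    return hashlib.sha256("|".join(str(p) for p in parts).encode("utf-8")).hexdigest()


def normalize_and_dedup(raw_events: List[Tuple[str, Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """Normalize every event and keep only the first copy of each identity."""
    seen: Set[str] = set()
    result: List[Dict[str, Any]] = []
    for vendor, ev in raw_events:
        n = normalize_event(vendor, ev)
        key = dedup_key(n)
        if key in seen:              # same event delivered twice (e.g. forwarded by two collectors)
            continue
        seen.add(key)
        result.append(n)
    return result


def distinct_users(normalized: List[Dict[str, Any]]) -> Set[str]:
    return {n["user"] for n in normalized if n["user"]}


# Constructed sample: one user seen by three sources, with the IdP event delivered twice.
IDP_EVENT = {"client": {"ipAddress": "10.1.2.3"}, "actor": {"alternateId": "JSmith@company.com"},
             "published": "2025-01-10T08:00:05Z", "outcome": {"result": "SUCCESS"}}
SAMPLE_EVENTS: List[Tuple[str, Dict[str, Any]]] = [
    ("firewall", {"src": "10.1.2.3", "srcuser": "COMPANY\\jsmith",
                  "receive_time": "2025-01-10T08:00:01Z", "action": "allow"}),
    ("idp", dict(IDP_EVENT)),
    ("idp", dict(IDP_EVENT)),        # duplicate delivery of the same login
    ("vpn", {"source_ip": "10.1.2.3", "username": "jsmith",
             "timestamp": "2025-01-10T07:59:58Z", "result": "ACCEPTED"}),
]

if __name__ == "__main__":
    for row in normalize_and_dedup(SAMPLE_EVENTS):
        print(row)
```

The dedup key deliberately includes the vendor and the timestamp: it removes the same record ingested twice, which is the noise the question describes, without merging genuinely separate events from different sources. If two collectors forward the same source, fixing the double onboarding upstream is still the real fix; this step only keeps the investigation readable meanwhile.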
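The containment-playbook questions above (isolate only when the alert is high severity AND the host is not in an 'Exempt-Servers' group, require human approval only for servers, act on the severity an incident was created with rather than a later escalation, and keep running when an enrichment API times out) share one gating decision. The Python below is an added example, not code from the original page, from Palo Alto Networks or from any Cortex XDR/XSOAR API: the incident shape, group names and the flaky enrichment stub are constructed for the example.

```python
"""Added example: the gating logic a containment playbook applies before it
isolates an endpoint. It uses the severity the incident was created with (not
a later escalation), skips hosts in an exempt group, routes servers to a human
approval step, and tolerates a flaky enrichment API without aborting the run.
Incident shape, group names and the enrichment stub are constructed for this
example; nothing here is a Cortex XDR or XSOAR API."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


class Decision(Enum):
    ISOLATE = "isolate"
    REQUIRE_APPROVAL = "require_approval"
    SKIP = "skip"


SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Incident:
    incident_id: str
    initial_severity: str           # severity at creation time
    current_severity: str           # may have been raised by later correlation
    hostname: str
    endpoint_groups: FrozenSet[str]
    is_server: bool


def decide_containment(inc: Incident, exempt_group: str = "Exempt-Servers",
                       use_initial_severity: bool = True) -> Tuple[Decision, str]:
    """Cheapest and most restrictive checks first, so a low-severity or exempt
    host never reaches the approval queue."""
    sev = inc.initial_severity if use_initial_severity else inc.current_severity
    if SEVERITY_RANK.get(sev.lower(), 0) < SEVERITY_RANK["high"]:
        return Decision.SKIP, f"severity '{sev}' is below high"
    if exempt_group in inc.endpoint_groups:
        return Decision.SKIP, f"{inc.hostname} is in {exempt_group}"
    if inc.is_server:
        return Decision.REQUIRE_APPROVAL, f"{inc.hostname} is a server; an analyst must approve"
    return Decision.ISOLATE, f"{inc.hostname}: high severity, workstation, not exempt"


class EnrichmentTimeout(Exception):
    """Raised by the constructed enrichment stub to imitate an API timeout."""


def enrich_with_retry(fetch: Callable[[], Dict[str, str]], attempts: int = 3) -> Dict[str, str]:
    """Retry a flaky lookup; when attempts are exhausted, return an empty
    enrichment tagged with the failure instead of raising, so the playbook
    still reaches its containment decision."""
    last: Optional[Exception] = None
    for _ in range(attempts):
        try:
            return fetch()
        except EnrichmentTimeout as exc:
            last = exc
    return {"enrichment_error": f"{type(last).__name__} after {attempts} attempts"}


def run_playbook(inc: Incident, fetch: Callable[[], Dict[str, str]]) -> Dict[str, object]:
    """Enrich (best effort), then decide. Enrichment failure never blocks the decision."""
    enrichment = enrich_with_retry(fetch)
    decision, reason = decide_containment(inc)
    return {"incident_id": inc.incident_id, "decision": decision,
            "reason": reason, "enrichment": enrichment}


def flaky_fetch(fail_first: int) -> Callable[[], Dict[str, str]]:
    """Constructed stand-in for a threat-intel API that times out on the first N calls."""
    calls = {"n": 0}

    def fetch() -> Dict[str, str]:
        calls["n"] += 1
        if calls["n"] <= fail_first:
            raise EnrichmentTimeout("timeout")
        return {"verdict": "malicious"}
    return fetch


# Constructed incidents covering each branch of the decision.
SAMPLE_INCIDENTS: List[Incident] = [
    Incident("INC-1", "high", "high", "ws-042", frozenset({"Workstations"}), False),
    Incident("INC-2", "medium", "high", "ws-077", frozenset({"Workstations"}), False),  # escalated later
    Incident("INC-3", "high", "high", "db-01", frozenset({"Exempt-Servers"}), True),
    Incident("INC-4", "high", "high", "app-09", frozenset({"Servers"}), True),
]

if __name__ == "__main__":
    for incident in SAMPLE_INCIDENTS:
        print(run_playbook(incident, flaky_fetch(fail_first=1)))
```

Two design points carry over to a real playbook: the trigger condition reads the severity captured at creation, so a correlation rule raising an incident to high later does not retroactively fire the isolation; and the enrichment step returns a tagged empty result rather than raising, because an intermittent threat-intel timeout must not prevent containment of a confirmed high-severity host.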
XDR Engineer 50 Practice Questions FAQs
XDR Engineer is a professional certification from Palo Alto Networks that validates expertise in XDR Engineer technologies and concepts. The official exam code is PALOALTO-13.
Our 50 XDR Engineer practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for XDR Engineer preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 XDR Engineer questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.