XDR Engineer Intermediate Practice Exam: Medium Difficulty 2025
Ready to level up? Our intermediate practice exam features medium-difficulty questions with scenario-based problems that test your ability to apply concepts in real-world situations. Perfect for bridging foundational knowledge to exam-ready proficiency.
What Makes Intermediate Questions Different?
Apply your knowledge in practical scenarios
Medium Difficulty
Questions that test application of concepts in real-world scenarios
Scenario-Based
Practical situations requiring multi-concept understanding
Exam-Similar
Question style mirrors what you'll encounter on the actual exam
Bridge to Advanced
Prepare yourself for the most challenging questions
Medium Difficulty Practice Questions
10 intermediate-level questions for XDR Engineer
A global company wants to deploy Cortex XDR agents to endpoints that frequently work off-network. Security requires that endpoints continue to send telemetry even when users are not connected to VPN, and that agent-to-cloud communications are encrypted. Which deployment approach best meets these requirements with the least operational overhead?
During a Cortex XDR rollout, the security team wants to prevent duplicate endpoint records and ensure consistent policy targeting across laptops that may be reimaged periodically. Which identifier strategy most effectively supports stable endpoint identity for management and reporting?
Your SOC wants Cortex XDR to correlate endpoint alerts with firewall traffic logs to speed investigations. The firewall logs currently go to a SIEM. What is the best approach to onboard these logs into Cortex XDR while preserving parsing and correlation value?
An organization onboards identity logs and endpoint telemetry into Cortex XDR. Analysts report that some incident timelines show user activity but not the expected endpoint process details. Which troubleshooting step is most appropriate first?
A customer onboards cloud audit logs and endpoint data into Cortex XDR. They want to reduce false positives by ensuring alerts only trigger when an endpoint event and a cloud event are related to the same user identity. What configuration approach best supports this goal?
Your organization wants to apply stricter exploit protection to servers than to user workstations while keeping malware prevention consistent across all endpoints. What is the most effective way to implement this in Cortex XDR?
An analyst needs to quickly contain a suspected compromised endpoint from an incident while still allowing it to communicate with Cortex XDR for investigation and remediation actions. Which response action best matches this requirement?
After enabling a new prevention policy, the SOC sees an increase in alerts that are determined to be legitimate administrative tools used by IT. They want to reduce noise while still detecting malicious use of similar tools on non-IT endpoints. What is the best practice approach?
You are building an automation to handle commodity malware alerts. The playbook should (1) verify the alert is high confidence, (2) isolate the endpoint, and (3) create a ticket with key details. What design choice best prevents unnecessary isolation when the alert lacks sufficient confidence?
A playbook enriches an incident with threat intelligence, then decides whether to block an indicator. The team wants an audit trail showing which indicators were blocked and why, and they want analysts to approve blocking for medium-severity incidents. Which playbook pattern best meets these requirements?
Mastered the intermediate level?
Challenge yourself with advanced questions when you score above 85%
XDR Engineer Intermediate Practice Exam FAQs
XDR Engineer is a professional certification from Palo Alto Networks that validates expertise in XDR engineering technologies and concepts. The official exam code is PALOALTO-13.
The XDR Engineer intermediate practice exam contains medium-difficulty questions that test your working knowledge of core concepts. These questions are similar to what you'll encounter on the actual exam.
Take the XDR Engineer intermediate practice exam after you've completed the beginner level and feel comfortable with basic concepts. This helps bridge the gap between foundational knowledge and exam-ready proficiency.
The XDR Engineer intermediate practice exam includes scenario-based questions and multi-concept problems similar to the PALOALTO-13 exam, helping you apply knowledge in practical situations.