XDR Engineer Practice Exam: Test Your Knowledge 2025
Prepare for the PALOALTO-13 exam with our comprehensive practice test. Our exam simulator mirrors the actual test format to help you pass on your first attempt.
Exam Simulator
- Matches official exam format
- Updated for 2025 exam version
- Detailed answer explanations
- Performance analytics dashboard
- Unlimited practice attempts
Why Our Practice Exam Works
Proven methods to help you succeed on exam day
Realistic Questions
60 questions matching the actual exam format
Timed Exam Mode
90-minute timer to simulate real exam conditions
Detailed Analytics
Track your progress and identify weak areas
Unlimited Retakes
Practice as many times as you need to pass
Answer Explanations
Comprehensive explanations for every question
Instant Results
Get your score immediately after completion
Practice Options
Choose the practice mode that suits your needs
Full Practice Exam
Complete 60 question exam simulation
Quick Quiz (25 Questions)
Fast assessment of your knowledge
Domain-Specific Practice
Focus on specific exam topics
Free Practice Questions
Try these XDR Engineer sample questions for free - no signup required
An organization is deploying Cortex XDR agents across their enterprise. Which component is responsible for collecting and forwarding endpoint data to the Cortex Data Lake?
A security team needs to ingest third-party firewall logs into Cortex XDR that are not from Palo Alto Networks devices. Which component should they deploy?
An administrator wants to create a custom alert that triggers when more than 10 failed login attempts occur within 5 minutes from the same source IP. Which Cortex XDR feature should they use?
Which XDR response action can be executed directly from a playbook to isolate a compromised endpoint from the network while maintaining connectivity to the Cortex XDR management server?
A company has deployed Cortex XDR agents using the default prevention profile. What is the primary protection mechanism that the agent uses to prevent malware execution?
An organization is configuring log forwarding from their Palo Alto Networks firewall to Cortex Data Lake. Which method provides the most efficient and recommended approach?
During an investigation, a security analyst needs to understand the complete attack chain from initial compromise to lateral movement. Which Cortex XDR feature provides this visualization?
A security team wants to automate the enrichment of suspicious file hashes against external threat intelligence feeds within their incident response playbook. Which playbook task type should they configure?
An enterprise has multiple Cortex XDR tenants for different business units. They want to investigate threats across all tenants from a single interface. Which feature enables this capability?
When configuring agent settings profiles, an administrator needs to apply different malware protection settings to servers versus workstations. What is the recommended approach?
A company needs to integrate their existing SIEM solution with Cortex XDR to forward XDR alerts. Which integration method should they use?
During a ransomware incident, a playbook needs to check if a file has been encrypted before taking remediation actions. Which playbook component allows this conditional logic?
An organization has deployed Cortex XDR agents but notices that some endpoints are showing as disconnected despite having network connectivity. What is the most likely cause?
A security analyst needs to hunt for indicators of persistence mechanisms across all endpoints. Which XDR capability provides the most efficient method for this investigation?
When integrating Active Directory with Cortex XDR for user attribution, which component retrieves user-to-IP mappings?
A security team wants to automatically isolate any endpoint that generates a critical severity incident involving ransomware indicators. However, they want to require manual approval for isolating servers. How should they configure the playbook?
An administrator needs to ensure that Cortex XDR agents can perform WildFire analysis on unknown files. Which setting must be enabled in the agent profile?
A company uses both Palo Alto Networks firewalls and third-party endpoint security solutions. They want to correlate network and endpoint data in Cortex XDR. What is the minimum required integration?
During a security incident investigation, an analyst notices that the Causality View shows a process chain but some intermediate processes are missing. What is the most likely explanation?
A security operations team wants to automatically create ServiceNow tickets for all high-severity incidents detected by Cortex XDR. Which integration approach provides the most seamless automation?
Want more practice questions?
Full practice exam coming soon!
Topics Covered
Our practice exam covers all official XDR Engineer exam domains
XDR Engineer Practice Exam Guide
Our XDR Engineer practice exam is designed to help you prepare for the PALOALTO-13 exam with confidence. With 60 realistic practice questions that mirror the actual exam format, you will be ready to pass on your first attempt.
What to Expect on the PALOALTO-13 Exam
How to Use This Practice Exam
1. Start with the free sample questions above to assess your current knowledge level
2. Review the study guide to fill knowledge gaps
3. Practice with the sample questions while we prepare the full exam
4. Review incorrect answers and study the explanations
5. Repeat until you consistently score above the passing threshold