Test - Palo Alto Networks Accredited Systems Engineer (PSE) : Cortex Associate Accreditation Exam

The document contains a 25 question multiple choice test about Palo Alto Networks' Cortex products including Cortex XDR, Cortex XSOAR, and WildFire. The questions cover topics such as the different functions of the products, how they work together, and common customer use cases. Examples of questions include how Cortex XDR uses machine learning, what SOAR orchestration is, and what the ATT&CK framework is.

Uploaded by andresp_telecom

31/5/2020 Realize Your Potential: paloaltonetworks

Test Questions

Question 1 of 25.

Which function displays an entire picture of an attack including its root cause or delivery point?

Cortex XDR incident analysis
Cortex SOC Orchestrator
Cortex Data Lake
Cortex XSOAR Work Plan


Question 2 of 25.

What is an advantage of the multi-method detection approach used by Cortex XDR over traditional antivirus approaches?

It runs in the cloud.
It is faster than hash comparison.
It is updated frequently.
It prevents unknown threats.


Question 3 of 25.

What is orchestration in the context of SOAR?

The selection of the right SIEM for the right customer
The ability to control network and endpoint enforcement points
Formalization of organized workflows for people and machines
Automation of mundane cybersecurity tasks

Question 4 of 25.

How does Cortex XDR use machine learning?

It learns about the processes used by a SOC to automate those processes.
It learns about all the attacks throughout the world so that it can recognize which attacks are present in an environment.
It learns about normal user and process behavior in an infrastructure so it can recognize anomalous behavior.
It learns about the processes used in a SOC to provide customized alerts to the right people in the SOC.


Question 5 of 25.

Which attack prevention technique does Cortex XDR use?

Password oversimplicity protection
PowerShell Shortcut abuse protection
Executive power corruption protection
Memory corruption protection


Question 6 of 25.

Which are two ways that WildFire works with Cortex XDR Prevent? (Choose two.)

WildFire analyzes the root cause of attacks so that Cortex XDR can stop the attack before malware takes hold.
WildFire converts unknown attacks to known attacks so Cortex XDR can block the attacks in the future.
WildFire blocks known attacks before they reach endpoints.
WildFire provides known threat information to Cortex XDR agents.


Question 7 of 25.
Which statement is true regarding Cortex XDR Prevent Execution Restrictions?

They are included in regular content updates.
They are used to blacklist or whitelist files for future processing.
They are used to specify which exploit prevention method will be applied to a given process.
They define where and how users can run executable files.


Question 8 of 25.
Which statement describes the malware protection flow in Cortex XDR Prevent?

A trusted signed file is exempt from local static analysis.
Local static analysis happens before a WildFire verdict check.
A blacklist check is the final step of malware protection flow.
Hash comparisons come after local static analysis.


Question 9 of 25.

Where can the entire history of group interactions involving an attack response be seen?

WildFire
AutoFocus
The Cortex XDR Incident page
The Cortex XSOAR War Room


Question 10 of 25.

When is an existing Cortex XDR customer a bad prospect for Cortex XSOAR?

When they already have and use AutoFocus.
When Cortex XDR is their "go to" XDR tool.
When they already have and use Cortex XSOAR.
When they use the ATT&CK rubric to guide their security efforts.


Question 11 of 25.

Which option best describes the functionality of Cortex XDR Prevent for endpoints?

Orchestration
Remediation
Detection and response
Prevention


Question 12 of 25.

What is the ATT&CK framework?

A set of playbooks for orchestrated cyberattacks
A defense strategy for cyber, biological, or nuclear attack
A rubric for assessing TTP defense
A toolkit for hackers


Question 13 of 25.

Which sensor captures forensic information about a security event that occurs on an endpoint?

Zingbox dynamic inventory agent
AutoFocus connector
Cortex XSOAR indicator
Cortex XDR agent


Question 14 of 25.

What are two sources of alert enrichment for Cortex XSOAR? (Choose two.)

Cortex XSOAR dashboards
Cortex Data Lake
AutoFocus
SIEMs


Question 15 of 25.

What is a subplaybook?

an app that underlies a playbook to ensure it flows from task to task
an obsolete playbook of inferior quality
an updated playbook that substitutes for an older playbook
a playbook used as a task in another playbook


Question 16 of 25.

Which Cortex XSOAR functionality is always part of accessing external sources for alert enrichment?

War Room
Playbooks
Integrations
Incidents


Question 17 of 25.

What is an advantage of Cortex XDR Pro analysis?

It puts attack steps in context for security analysts, even when each step in itself may look innocent.
It is completely automatic and does not require security analysts for operation.
It provides prevention as well as detection and response.
It is quicker than that of any of its competitors.


Question 18 of 25.
Which two problems does a security operations team often encounter? (Choose two.)

too many security products
too many alerts
too much alert context data
too many security experts


Question 19 of 25.

Which statement is true about advanced cyberthreats?

Protection against zero-day attacks is impractical.
Zero-day attacks are unstoppable.
Sufficiently frequent signature updates prevent zero-day attacks.
A zero-day vulnerability is a product security flaw of which the product's vendor has no prior awareness.


Question 20 of 25.

What should a customer do who wants to keep a set of specific information for every event of a certain type?

chat about it in the War Room
add custom fields to incidents representing events of that type
use Remote Device Control to obtain the information
add that information in the Evidence Board when investigating the incident


Question 21 of 25.

Which two analysis methods does WildFire use to detect malware? (Choose two.)

executive restriction
static
dynamic
program slicing


Question 22 of 25.

Which action is required before a new integration can ingest a typed alert and automatically run a playbook for the resulting incident?

The playbook must be run manually with that type of alert.
The integration must be primed with a test alert of that type.
The alert source must be made aware through an API of the playbook to be run.
An instance of the integration must be created.


Question 23 of 25.

What are two sources of log data for Cortex XDR? (Choose two.)

Mobile devices
Agents on endpoints
AutoFocus
Next-generation firewalls


Question 24 of 25.

What should a customer do to obtain a Cortex XSOAR dashboard that caters to their needs and processes?

quickly design and build the dashboard they need within minutes
hire consultants who can build in 30 to 60 days the dashboard they need
change their processes to conform with the well-tested standard dashboard
choose among millions of dashboards provided OOTB


Question 25 of 25.

Which advantage is provided by unknown attack prevention?

Unknown attack prevention enables quarantine of compromised systems.
Unknown attack prevention approaches detect known attacks more quickly than do traditional known attack approaches.
Unknown attack prevention facilitates incident root cause analysis.
Production environments can be protected even before OS patches are applied.
