PSE-Cortex Palo Alto Networks System Engineer - Cortex Professional Questions and Answers

/invite User1

#User1

@User1

!invite User1

Threat, Config, System, Data

Threat, Config, System, Analytic

Threat, Monitor. System, Analytic

Threat, Config, Authentication, Analytic

Secure Shell (SSH)

SAML

RADIUS

Customer Support Portal

Generic Polling Automation Playbook

Playbook Tasks

Sub-Play books

Playbook Functions

ArcSight ESM integration

SplunkUpdate integration

Demisto App for Splunk integration

SplunkPY integration

Create a NetOps ticket requesting a configuration change to the firewall to block the IP.

Add the IP address to an external dynamic list used by the firewall.

Add the IP address to a threat intelligence management malicious IP list to elevate priority of future alerts.

Block the IP address by creating a deny rule in the firewall.

playbook editor

XSOAR audit log

/var/log/messages

War Room of the incident

endpoint manager

SOC manager

SOC analyst

desktop engineer

Cortex XSOAR Started Edition has unlimited access to the Threat Intel Library.

In Cortex XSOAR (SOAR + TIM), Unit 42 Intelligence is not included.

In Cortex XSOAR (SOAR + TIM), intelligence detail view and relationships data are not included.

Cortex XSOAR Starter Edition includes up to 5 active feeds and 100 indicators/fetch.

create a “docker” group and add the "Cortex XSOAR" or "demisto" user to this group

create a "Cortex XSOAR' or "demisto" group and add the "docker" user to this group

disable the Cortex XSOAR service

enable the docker service

parallel tasks

automation tasks

manual tasks

conditional tasks

phishing

either

ServiceNow

neither

process

data

event alert

network

Linked Incidents column in Indicator Screen

Linked Indicators column in Incident Screen

Related Indicators column in Incident Screen

Related Incidents column in Indicator Screen

The modified scnpt was run in the wrong Docker image

The modified script required a different parameter to run successfully.

The dictionary was defined incorrectly in the second script.

The modified script attempted to access a dictionary key that did not exist in the dictionary named "data”

files from War Room CLI WW

incident files section in layout builder

files and attachments filters

/files from War Room CLI

Marketplace Integration

Playbook

Data Ingestion Dashboard

Asset Inventory

Deployment

Onboardinq

Fast-Track

QuickStart

Device customization

Agent configuration

Agent management

Restrictions profile

playbook features

sub-playbooks

conditional tasks

manual tasks

Grant the customer access to the management console immediately following activation.

Provide the customer with an export of all findings at the conclusion of the POV.

Enable all of the attach surface rules to show the highest number of alerts.

Review the mapping in advance to identity a few interesting findings to share with the customer.

With the Malware Security profile, disable the "Prevent Malicious Child Process Execution" module

Within the Malware Security profile add the specific parent process, child process, and command line argument to the child process whitelist

In the Cortex XDR security event, review the specific parent process, child process, and command line arguments

Contact support and ask for a security exception.

Doesn't wait until the indicators are enriched and continues executing the next step

Doesn't wait until the indicators are enriched but populate context data before executing the next

step. Wait until the indicators are enriched but doesn't populate context data before executing the next step.

Wait until the indicators are enriched and populate context data before executing the next step.

Define whether a playbook runs automatically when an incident type is encountered

Set reminders for an incident SLA

Add new fields to an incident type

Define the way that incidents of a specific type are displayed in the system

Drop new incidents of the same type that contain similar information

Active scanning with network-installed agents

Dark web monitoring

Customer-provided asset inventory lists

Scanning from public internet data sources

All widgets are customizable.

Dashboards cannot be shared across an organization.

A widget can have its own time range that is different from the rest of the dashboard.

Some widgets cannot be changed

Cloud Identity Engine configured and enabled

Network Mapper applet on the Broker VM configured and enabled

Logs from at least 30 endpoints over a minimum of two weeks

Windows DHCP logs ingested via a Cortex XDR collector

< >

Contains

=

Is Contained By

Create a task that sends the survey responses to the analyst via email. If the responses are incorrect, the analyst fills out the correct response in the survey.

Create a manual task to ask the analyst to validate the survey response in the platform.

Create a sub-playbook and import a list of manager emails into XSOAR. Use a conditional task comparison to check if the response matches an email on the list. If no matches are found, loop the sub-playbook and send the survey back to the user until a match is found.

Create a conditional task comparison to check if the response contains a valid email address.

It allows for easy comparison between open-source intelligence and paid services.

It deconflicts prioritization when two vendors give different scores for the same indicator.

It provides a mathematical model for combining scores from multiple vendors.

It helps identify threat intelligence vendors with substandard content.

Threat feed integration

Automation daybooks

Parsing rules

Data models

extend context

stop on errors

task output

lags

IP

endpoint hostname

domain

registry entry

Conditional

Automation

Manual

Parallel

It can automatically email staff to warn them about the phishing attack and show them a copy of the email.

It can automatically respond to the phishing email to unsubscribe from future emails.

It can automatically purge the email from user mailboxes in which it has not yet opened.

It can automatically identify every mailbox that received the phish and create corresponding cases for them.

firewall alert

SIEM alert

full URL

registry set value

The ability to identify customer assets on residential networks

The use of a VPN connection to scan remote devices

The deployment of a Cortex Xpanse aqent on the remote endpoint

The presence of a portal for remote workers to use for posture checking

Cortex XDR Pro per TB

Cortex XDR Prevent

Cortex XDR Endpoint

Cortex XDR Pro Per Endpoint

Regex

STIX

CSV

CIDR

It is solely focused on reactive security measures, neglecting proactive approaches.

It offers an end-to-end security solution, covering every step of security processes.

It primarily focuses on endpoint prevention without addressing other security aspects

It provides a partial security solution, leaving some steps of the security process uncovered.

The Data Ingestion Health page identifies deviations from normal patterns of log collection

The Cortex XSIAM Command Center dashboard will display a red icon if a data source is having issues.

The tenant’s compute units consumption will change dramatically, indicating a collection issue.

It automatically runs a copilot playbook to troubleshoot and resolve ingestion issues.

It provides advanced customization capabilities.

It provides real-time protection across hosts and containers.

It enables consolidation of multiple point products into a single integrated service.

It enables a comprehensive view of the customer environment with regard to digital employee productivity.

Click "New Whitelisted Indicator" in the Whitelist page.

Upload an external file named "whitelist" to the Whitelist page.

Upload an external file named "whitelist" to the Indicators page.

Select the indicators and click "Delete and Whitelist" in the Indicators page.

SplunkPY integration

Demisto App for Splunk integration

XSOAR REST API integration

Splunk integration

sudo repoquery -a --installed

sudo demistoserver-x.x-xxxx.sh -- -tools=load

sudo docker ps load

sudo docker load -i YOUR_DOCKER_FILE.tar

Response > Action Center

the local console

Telnet

Endpoint > Endpoint Management

file explorer

Log stitching

live sensor

live terminal