PSE-Cortex Palo Alto Networks Practice Test Questions and Exam Dumps
Question 1:
What does the Cortex XSOAR "Saved by Dbot" widget calculate?
A. amount saved in Dollars according to actions carried out by all users in Cortex XSOAR across all incidents
B. amount saved in Dollars by using Cortex XSOAR instead of other products
C. amount of time saved by each playbook task within an incident
D. amount of time saved by Dbot's machine learning (ML) capabilities
Answer: C
Explanation:
The “Saved by Dbot” widget in Cortex XSOAR is designed to quantify the amount of time saved through automated operations performed within incidents. Rather than calculating monetary value or comparing against third-party solutions, the widget specifically highlights how much time has been saved across incidents by leveraging automation, particularly at the playbook task level.
Each time a playbook task is executed automatically — without human intervention — Cortex XSOAR can estimate how long that task would have taken if completed manually. These time estimates are usually predefined within the system or customized based on organizational standards. For instance, if a playbook automates an IP enrichment task, Cortex XSOAR might calculate that the automation saved 3 to 5 minutes per incident by not requiring a human analyst to carry out the same steps manually.
Over time, these time savings accumulate, and the "Saved by Dbot" widget aggregates them to provide a clear representation of operational efficiency. The metric focuses entirely on time saved, not on dollars, and it does not involve any monetary estimates or direct cost comparisons. This allows SOC teams and incident responders to measure the practical impact of their automations on their daily workflows.
Let’s break down the incorrect options:
A refers to the amount saved in dollars across all user actions. This is misleading because the widget does not calculate financial savings; it strictly measures time.
B suggests a comparison of cost-effectiveness between Cortex XSOAR and other products. However, the widget has no benchmarking function against other platforms or tools. It focuses only on internal automation results within XSOAR.
D attributes the savings to Dbot's machine learning (ML) capabilities. While ML may be a part of XSOAR’s advanced features, the "Saved by Dbot" widget is not specifically about ML. It’s about automation in general — mostly through playbooks — and the time efficiency it brings.
In summary, the widget serves as a productivity indicator, showing how much manual analyst time is saved due to the deployment of automated workflows in Cortex XSOAR. This helps demonstrate ROI in terms of labor hours saved, improved response times, and operational efficiency within the security operations center. The term "Dbot" is used symbolically here to represent the automated engine of XSOAR rather than a specific feature like machine learning.
Thus, the correct answer is C.
Question 2:
Which Cortex XDR agent capability prevents loading malicious files from USB-connected removable equipment?
A. agent management
B. device control
C. agent configuration
D. device customization
Answer: B
Explanation:
The correct capability in Cortex XDR that prevents loading malicious files from USB-connected removable media is device control. This feature is a core part of Cortex XDR’s endpoint protection functionality and plays a critical role in enforcing security policies on endpoints, particularly those related to peripheral devices.
Device control allows administrators to set strict rules about what types of USB devices can or cannot be accessed on managed endpoints. For instance, administrators can block all USB mass storage devices by default or create allowlists of approved devices based on parameters like vendor ID, product ID, or serial number. These rules prevent unauthorized or potentially dangerous USB drives from being used, which is a common vector for malware infection or data exfiltration.
This capability is essential in modern enterprise environments where USB devices can be a significant risk. Malware can be hidden within files stored on USB drives and automatically execute when plugged into a computer, especially if autorun features are exploited or if the files exploit known vulnerabilities. By preventing or restricting access to USB storage, Cortex XDR significantly reduces the attack surface.
Here’s why the other options are incorrect:
A (agent management): This refers broadly to the ability to deploy, update, monitor, and manage Cortex XDR agents across endpoints. While essential for overall endpoint protection, it does not directly control or restrict USB access.
C (agent configuration): This involves settings applied to the XDR agent, such as policies related to threat prevention, behavioral analytics, or resource usage. Although USB blocking rules might be configured through policy, the actual enforcement mechanism falls under the device control capability.
D (device customization): This is not a defined feature or recognized term in Cortex XDR. While it may sound similar to configuring device settings, it is not an actual capability within the platform and does not apply to USB or peripheral security enforcement.
In practice, device control can be configured through Cortex XDR's policy management interface. Administrators create rules under the “Device Control” tab, choosing actions such as block, allow, or alert based on the type of USB device. These rules are then pushed to agents on the relevant endpoints. Additionally, logs generated from device access attempts help security teams monitor and audit USB activity.
In conclusion, device control is the precise feature that fulfills the task described in the question — preventing malicious files from being introduced via USB-connected removable equipment. It enhances endpoint security by enforcing strict controls on external device interactions, which is vital in maintaining a secure computing environment and preventing malware infiltration via physical media.
Therefore, the correct answer is B.
Question 3:
Which type of log is ingested natively in Cortex XDR Pro per TB?
A. Google Kubernetes Engine
B. Demisto
C. Docker
D. Microsoft Office 365
Answer: D
Explanation:
In Cortex XDR Pro, native ingestion per terabyte (TB) refers to the platform's ability to directly ingest, process, and analyze log types without requiring third-party integrations or additional parsing layers. Among the options provided, Microsoft Office 365 logs are the correct example of a log type that Cortex XDR Pro can ingest natively per TB.
Microsoft Office 365 is widely used in enterprise environments and includes services like Exchange Online, SharePoint Online, and Teams. As such, it produces rich telemetry and activity logs related to user authentication, email access, file sharing, login attempts, and more. These logs are highly relevant to security operations, as they can provide visibility into account compromises, insider threats, data exfiltration, and other security incidents. Cortex XDR supports native ingestion of these logs under its per-TB data licensing model, making it possible for organizations to bring in large volumes of Office 365 data for advanced analytics, correlation, and alerting.
Let’s examine why the other choices are not correct:
A (Google Kubernetes Engine): While Kubernetes environments are increasingly critical for application deployment and security, Cortex XDR does not natively ingest logs from Google Kubernetes Engine per TB in the same out-of-the-box manner as it does with Office 365. Kubernetes logs typically require additional configuration, connectors, or third-party log forwarders to be properly collected and parsed in XDR.
B (Demisto): Demisto is the former name for Cortex XSOAR, Palo Alto Networks’ Security Orchestration, Automation, and Response (SOAR) platform. It is not a source of raw logs like Office 365. Rather, it’s a system for executing automated playbooks and integrating tools across the security stack. Although logs or actions from XSOAR can be monitored, it is not considered a native per-TB log ingestion source for Cortex XDR.
C (Docker): Like Kubernetes, Docker is used for containerized application environments. Docker logs typically relate to container activity, health, and system operations. While valuable for security and performance monitoring, Docker log ingestion in Cortex XDR would require intermediate steps (e.g., forwarding logs to a syslog server or using an integration app). These logs are not natively ingested per TB in the same way Office 365 logs are.
Cortex XDR Pro per TB licensing is built to accommodate high-volume data sources that generate structured logs critical for detection and investigation. Microsoft Office 365 fits this use case perfectly due to its ubiquitous use in enterprises and its extensive audit logging capabilities. Native ingestion means organizations can route Office 365 audit logs directly into Cortex XDR using available APIs, without transforming or preprocessing the data elsewhere.
In summary, Microsoft Office 365 is the correct answer because it represents a log source that Cortex XDR Pro is designed to ingest natively under its per-TB licensing model, enabling deep inspection and alerting with minimal integration effort.
Therefore, the correct answer is D.
Question 4:
An adversary attempts to communicate with malware running on a network in order to control malware activities or to exfiltrate data from the network.
Which Cortex XDR Analytics alert will this activity most likely trigger?
A. uncommon local scheduled task creation
B. malware
C. new administrative behavior
D. DNS Tunneling
Answer: D
Explanation:
The scenario described involves an adversary attempting to communicate covertly with malware that is already present within a network. This type of communication is often used to issue commands to the malware (command-and-control or C2) or to exfiltrate data back to an external server. To avoid detection by traditional security tools, adversaries frequently use techniques that exploit standard network protocols—particularly DNS.
In this context, DNS Tunneling is the most likely technique and the corresponding Cortex XDR Analytics alert that would be triggered.
DNS Tunneling is a method that encodes data within DNS queries and responses. Since DNS traffic is typically allowed to pass freely through firewalls and is rarely inspected in detail, it becomes a convenient channel for attackers to hide their communication. Malware can use this technique to send data or receive commands by disguising the traffic as legitimate DNS lookups.
Cortex XDR Analytics includes machine learning models and behavior-based detection mechanisms specifically designed to identify anomalies in DNS traffic. When it detects behavior such as:
High-frequency DNS queries to suspicious or unknown domains
Long or suspiciously structured domain names (used to encode data)
DNS requests that do not match usual patterns for legitimate activity
It may generate a DNS Tunneling alert. This alert indicates that a host may be using DNS queries in a non-standard way, possibly to communicate with an external adversary or to leak sensitive information.
Let’s examine why the other options are incorrect:
A (uncommon local scheduled task creation): This alert pertains to persistence mechanisms. It indicates that a scheduled task was created locally on a machine in a way that deviates from the host’s normal behavior. It does not reflect remote communication or data exfiltration.
B (malware): While this is a general term, Cortex XDR’s "malware" alerts are typically tied to known signature-based detections or suspicious behavior indicative of a malicious executable. However, the specific tactic of exfiltration via DNS would not fall solely under this category, and a more precise behavioral analytics alert like "DNS Tunneling" would be triggered.
C (new administrative behavior): This alert is associated with deviations in administrative activity, such as a user suddenly performing administrative actions they don’t normally execute. While that could signal insider threats or compromised credentials, it is unrelated to the specific scenario of network-based malware communication.
In conclusion, when malware communicates externally via DNS for command-and-control or data exfiltration, DNS Tunneling is a classic technique used by attackers. Cortex XDR’s analytics engine is equipped to identify this behavior using a combination of DNS traffic profiling, statistical modeling, and behavioral baselines. As such, the activity described in the question would most likely trigger a DNS Tunneling alert.
Therefore, the correct answer is D.
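The three DNS signals listed above, worked into a small detector as an added example (this is not Cortex XDR's analytics engine, whose models and thresholds are not described on this page). It scores each source host and base domain pair over a constructed query log; the thresholds, the log line format and the "last two labels" base-domain rule are assumptions of the example.

```python
import math
import random
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Thresholds are assumed values for this example, not Cortex XDR's.
MIN_QUERIES = 20      # minimum queries per (source host, base domain) pair
LONG_PREFIX = 30      # mean characters to the left of the base domain
HIGH_ENTROPY = 3.5    # mean bits per character of that prefix
UNIQUE_RATIO = 0.9    # distinct prefixes / queries


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname: str):
    """Return (prefix, base_domain), taking the base domain as the last two
    labels. Simplification: a real detector uses the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


@dataclass
class Alert:
    src: str
    base_domain: str
    queries: int
    mean_prefix_len: float
    mean_entropy: float
    unique_ratio: float
    reasons: list = field(default_factory=list)


def detect_dns_tunneling(log_lines):
    """Group queries by (source, base domain); alert when the volume threshold
    is met together with at least two of the three shape signals.
    Expects lines of the form "<epoch> <src_ip> <qname>" (assumed format)."""
    groups = defaultdict(list)
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _ts, src, qname = line.split()
        prefix, base = split_name(qname)
        groups[(src, base)].append(prefix)

    alerts = []
    for (src, base), prefixes in groups.items():
        n = len(prefixes)
        if n < MIN_QUERIES:          # low volume: not worth scoring
            continue
        mean_len = sum(len(p) for p in prefixes) / n
        mean_ent = sum(shannon_entropy(p) for p in prefixes) / n
        uniq = len(set(prefixes)) / n
        reasons = []
        if mean_len >= LONG_PREFIX:
            reasons.append("long subdomain labels")
        if mean_ent >= HIGH_ENTROPY:
            reasons.append("high-entropy labels (encoded data)")
        if uniq >= UNIQUE_RATIO:
            reasons.append("almost every query uses a new subdomain")
        if len(reasons) >= 2:
            alerts.append(Alert(src, base, n, round(mean_len, 1),
                                round(mean_ent, 2), round(uniq, 2), reasons))
    return alerts


def build_sample_log(seed: int = 7):
    """Constructed sample data, not real traffic: one host doing a few normal
    lookups, one repeating the same CDN name (high volume but benign), and
    one moving data out through unique encoded subdomains."""
    rng = random.Random(seed)
    alphabet = "abcdefghijklmnopqrstuvwxyz234567"   # base32-style symbols
    lines = ["1700000000 10.0.0.5 www.example.com",
             "1700000001 10.0.0.5 mail.example.com",
             "1700000002 10.0.0.5 cdn.example.net"]
    lines += [f"17000001{i:02d} 10.0.0.7 www.example.com" for i in range(30)]
    for i in range(50):
        chunk = "".join(rng.choice(alphabet) for _ in range(48))
        lines.append(f"17000002{i:02d} 10.0.0.9 {chunk}.s{i}.badcorp.example")
    return lines


if __name__ == "__main__":
    for a in detect_dns_tunneling(build_sample_log()):
        print(f"DNS tunneling suspected: {a.src} -> {a.base_domain} "
              f"({a.queries} queries, mean prefix {a.mean_prefix_len} chars, "
              f"entropy {a.mean_entropy} bits/char): {', '.join(a.reasons)}")
```

The benign high-volume host shows why volume alone is not a signal: it passes the query threshold but has short, repeated, low-entropy names and so produces no alert.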
Question 5:
How do sub-playbooks affect the Incident Context Data?
A. When set to private, task outputs do not automatically get written to the root context.
B. When set to global, sub-playbook tasks do not have access to the root context.
C. When set to global, parallel task execution is allowed.
D. When set to private, task outputs are automatically written to the root context.
Answer: A
Explanation:
In Cortex XSOAR, playbooks are a fundamental component of the automation and orchestration framework. They define the sequence of actions that should be performed in response to an incident. Sub-playbooks are nested playbooks called within a parent playbook and are useful for modularizing logic, promoting reusability, and maintaining clarity in complex workflows.
One of the critical design considerations when using sub-playbooks is how they interact with the incident context data, which is essentially the shared working memory for the playbook. This context holds key variables, artifacts, task outputs, and results from integrations or user inputs that occur during playbook execution.
When configuring a sub-playbook, users must choose whether the sub-playbook should operate in global or private context mode:
Global context means the sub-playbook has access to and can modify the parent incident’s context data. Any task outputs, variables, or values generated within the sub-playbook are written directly to the root context, which makes them accessible to other parts of the parent playbook or other sub-playbooks. This approach ensures transparency and shared access to information but may lead to clutter or unintended overwrites in the context data.
Private context mode, on the other hand, isolates the sub-playbook’s context. This means that task outputs are not automatically written to the root context unless explicitly passed or configured to do so. This is beneficial for encapsulating logic or avoiding unintentional side effects in the global context. It promotes better data hygiene and modular design since the sub-playbook essentially works in a sandbox.
With that in mind, let’s evaluate the answer choices:
A is correct. It accurately states that when a sub-playbook is set to private, the task outputs are not written to the root context by default. This isolation protects the root context from being unintentionally modified and is the expected behavior of a private sub-playbook.
B is incorrect. In global mode, sub-playbook tasks do have access to the root context. In fact, global mode is used when you want shared access to the context between the parent and sub-playbooks.
C is misleading. Parallel task execution is a feature of how tasks are structured within a playbook, not a function of whether the context is global or private. Context mode has no bearing on parallelism.
D is incorrect. It reverses the actual behavior. In private mode, task outputs are not written to the root context unless explicitly configured.
In summary, private context for sub-playbooks in Cortex XSOAR ensures that the data generated remains local to the sub-playbook and does not clutter or overwrite the shared incident data in the root context. This design is critical for modularity and maintaining clean context handling in complex automation scenarios.
Therefore, the correct answer is A.
Question 6:
Which two playbook functionalities allow looping through a group of tasks during playbook execution? (Choose two.)
A. playbook functions
B. sub-playbooks
C. GenericPolling playbooks
D. playbook tasks
Answer: B and C
Explanation:
Looping through tasks in a playbook is a powerful feature in Cortex XSOAR that enables automation workflows to repeat specific steps based on conditions, time intervals, or lists of items. Two functionalities that directly support looping through groups of tasks are sub-playbooks and GenericPolling playbooks.
Let’s break each one down:
Sub-playbooks are reusable sets of tasks that can be embedded into a larger (parent) playbook. Cortex XSOAR allows sub-playbooks to be looped when given a list of items to process. This is particularly useful when a task needs to be repeated for each element in a collection, such as running enrichment for each IP address, file hash, or email address identified in an incident.
To enable looping in a sub-playbook:
You define the input as a list.
The sub-playbook will execute once per item in the list.
Each loop iteration is isolated, and results can be collected in a structured way.
This is an efficient way to modularize repeatable logic and scale playbook actions across multiple similar entities.
GenericPolling is a built-in Cortex XSOAR mechanism designed to loop tasks at timed intervals until a specific condition is met. This is most often used when waiting for the result of an asynchronous action — for example, when a security product starts scanning a file and returns a status like “In Progress,” a GenericPolling playbook will:
Check the status at defined intervals (e.g., every minute).
Loop through a defined group of tasks (such as rechecking status).
Exit once a success condition is met (e.g., status = "Done").
GenericPolling supports a controlled loop structure with retries, timeouts, and exit conditions, making it a standard way to wait for external systems to complete their processing before continuing the rest of the playbook.
A (playbook functions): This term is vague and does not refer to a specific looping mechanism in Cortex XSOAR. There are no built-in components labeled “playbook functions” that handle loops directly. While playbooks can perform functions like conditions and data parsing, this is not a native looping feature.
D (playbook tasks): Individual playbook tasks can be looped in limited ways — for example, if configured with a loop condition on a single task — but a group of tasks cannot be looped using just regular playbook tasks. Looping a group of tasks requires the use of sub-playbooks or polling mechanisms that handle structured repetition.
Looping through a set of tasks is a critical automation feature in Cortex XSOAR, particularly when dealing with asynchronous responses or collections of entities. Sub-playbooks allow for structured loops across list inputs, making them ideal for repetitive enrichment or data processing. GenericPolling playbooks enable periodic checks and conditional exits, which are perfect for external systems that require time to respond.
Therefore, the correct answers are B and C.
Question 7:
Cortex XSOAR has extracted a malicious Internet Protocol (IP) address involved in command-and-control (C2) traffic.
What is the best method to block this IP from communicating with endpoints without requiring a configuration change on the firewall?
A. Have XSOAR automatically add the IP address to a threat intelligence management (TIM) malicious IP list to elevate priority of future alerts.
B. Have XSOAR automatically add the IP address to a deny rule in the firewall.
C. Have XSOAR automatically add the IP address to an external dynamic list (EDL) used by the firewall.
D. Have XSOAR automatically create a NetOps ticket requesting a configuration change to the firewall to block the IP.
Answer: C
Explanation:
In the scenario described, a malicious IP address associated with command-and-control (C2) activity has been identified through Cortex XSOAR’s automation and threat intelligence capabilities. The goal is to block this IP from communicating with endpoints — quickly and efficiently — without making manual configuration changes to the firewall.
The most effective and scalable solution for this purpose is to use an External Dynamic List (EDL).
An EDL is a Palo Alto Networks feature that allows the firewall to pull in a list of IP addresses, domains, or URLs from an external source, such as a web server or threat feed. Once configured, the firewall can automatically reference the EDL in a policy rule, such as a deny rule, to block traffic to or from the entities listed in the EDL. Because the list is dynamic, it can be updated automatically by tools like XSOAR — without needing to reconfigure or redeploy the firewall policy.
This approach offers several advantages:
No manual intervention required: Once the EDL and policy rule are set up, future updates to the EDL do not require firewall policy changes.
Real-time updates: Cortex XSOAR can programmatically add malicious IPs to the EDL as they are discovered, ensuring near-instant protection.
Scalability and automation: This method supports integration with threat intel and incident response playbooks, enabling fully automated protection workflows.
A (Threat Intelligence Management list): While adding the IP to a threat intel list may help with alert enrichment or prioritization in the future, it does not actively block the IP. This action is informative but not preventative in the short term.
B (Add to a deny rule in the firewall): Modifying firewall deny rules typically requires a policy change, which might involve change control procedures, manual approvals, and configuration commits — all of which violate the requirement to avoid manual firewall changes.
D (Create a NetOps ticket for firewall configuration): This is a manual, time-consuming process. While valid in some workflows, it clearly contradicts the requirement to block the IP without requiring a configuration change on the firewall.
To fulfill the goal of blocking a malicious IP address without making changes to the firewall configuration, the best method is to use EDLs. Once an EDL-based rule is established on the firewall, Cortex XSOAR can dynamically update it by adding malicious IPs directly through automation. This ensures immediate enforcement while maintaining operational efficiency.
Therefore, the correct answer is C.
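As an added example (not Cortex XSOAR's or PAN-OS's own code), here is the validation an automation should run before it rewrites the list file the firewall pulls as an EDL. It assumes the list is served as plain text with one IP address or CIDR per line; the protected-range list and the minimum prefix length are an assumed policy, there to stop a mis-extracted internal or loopback address from being pushed into a block rule.

```python
import ipaddress
from pathlib import Path

# Ranges automation must never push into a block list (assumed policy for this
# example). The RFC 5737 / RFC 3849 documentation ranges are deliberately left
# out so the constructed sample data below can use them as "malicious" IPs.
PROTECTED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "240.0.0.0/4", "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]
MIN_PREFIX = {4: 24, 6: 64}   # anything broader is rejected (assumed policy)


def normalize_entry(raw):
    """Return (ip_network, "") for an acceptable entry, else (None, reason)."""
    try:
        net = ipaddress.ip_network(raw.strip(), strict=False)
    except ValueError:
        return None, "not an IP address or CIDR"
    if net.prefixlen < MIN_PREFIX[net.version]:
        return None, f"broader than /{MIN_PREFIX[net.version]}"
    for p in PROTECTED:
        if p.version == net.version and p.overlaps(net):
            return None, f"overlaps protected range {p}"
    return net, ""


def render(net):
    """EDL line: bare address for a single host, CIDR for a range."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def merge_entries(existing_lines, new_entries):
    """Merge new indicators into the current list content.
    Returns (lines, accepted, rejected): the full list to publish, the new
    entries that were actually added, and {raw_entry: reason} for the rest."""
    nets = set()
    for line in existing_lines:
        net, _ = normalize_entry(line)
        if net is not None:
            nets.add(net)
    accepted, rejected = [], {}
    for raw in new_entries:
        net, reason = normalize_entry(raw)
        if net is None:
            rejected[raw] = reason
        elif any(n.version == net.version and net.subnet_of(n) for n in nets):
            continue          # already covered by an existing entry
        else:
            nets.add(net)
            accepted.append(render(net))
    lines = []
    for version in (4, 6):   # collapse adjacent/overlapping ranges per family
        same = [n for n in nets if n.version == version]
        lines += [render(n) for n in ipaddress.collapse_addresses(same)]
    return lines, accepted, rejected


def update_edl_file(path, new_entries):
    """Rewrite the served EDL file in place; returns (accepted, rejected)."""
    path = Path(path)
    existing = path.read_text().splitlines() if path.exists() else []
    lines, accepted, rejected = merge_entries(existing, new_entries)
    path.write_text("\n".join(lines) + ("\n" if lines else ""))
    return accepted, rejected


# Constructed sample input (documentation-range addresses, not real IoCs).
SAMPLE_EXISTING = ["203.0.113.45", ""]
SAMPLE_NEW = ["203.0.113.45", "198.51.100.0/24", "198.51.100.77", "10.0.0.5",
              "not-an-ip", "2001:db8::1", "127.0.0.1", "192.0.2.0/22"]

if __name__ == "__main__":
    lines, accepted, rejected = merge_entries(SAMPLE_EXISTING, SAMPLE_NEW)
    print("EDL content:\n" + "\n".join(lines))
    print("added:", accepted)
    for raw, why in rejected.items():
        print(f"rejected {raw!r}: {why}")
```

The firewall keeps enforcing whatever it last fetched, so the rejected entries and reasons belong in the incident's war room rather than being silently dropped.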
Question 8:
Which integration allows searching and displaying Splunk results within Cortex XSOAR?
A. SplunkPY integration
B. Demisto App for Splunk integration
C. XSOAR REST API integration
D. Splunk integration
Answer: D
Explanation:
To effectively retrieve and display log or event data from Splunk within Cortex XSOAR, the most appropriate and officially supported method is through the Splunk integration. This integration is specifically built for bi-directional communication with Splunk, allowing security teams to run queries, collect results, and use the data within playbooks and investigations.
The Splunk integration in Cortex XSOAR enables users to:
Execute search queries against Splunk's indexed data using SPL (Search Processing Language).
Fetch the results and display them within Cortex XSOAR's incident war room or context.
Trigger actions in Splunk based on alerts from XSOAR (e.g., running saved searches or checking status).
Use search results as part of automated workflows, such as correlation with threat indicators or forensic analysis.
The key benefit of this integration is its native design and support, ensuring compatibility and reliable communication between the two platforms. The integration is API-based, using secure authentication and query submission, making it suitable for enterprise-scale deployments.
A (SplunkPY integration): This is a Python-based integration approach, often used for custom scripts, but it is not an officially supported or native integration in XSOAR for Splunk. It lacks the robustness and reliability of the official Splunk integration.
B (Demisto App for Splunk integration): This integration works in the opposite direction — from Splunk to Cortex XSOAR. It allows Splunk to send notable events or alerts to XSOAR. While valuable for incident ingestion, it does not allow searching or displaying Splunk data from within XSOAR, which is the specific requirement in this question.
C (XSOAR REST API integration): This is for accessing XSOAR itself programmatically — it allows other systems to interact with XSOAR but does not connect XSOAR to Splunk. It is unrelated to querying Splunk data.
If the goal is to search and display Splunk results from within Cortex XSOAR, the correct method is to use the official Splunk integration. It supports real-time querying, retrieval, and display of data directly within playbooks, enabling effective incident response and forensic analysis based on Splunk logs.
Therefore, the correct answer is D.
Question 9:
Which two types of indicators of compromise (IOCs) are available for creation in Cortex XDR? (Choose two.)
A. registry
B. file path
C. hash
D. hostname
Answer: C and D
Explanation:
In Cortex XDR, Indicators of Compromise (IOCs) are used to detect and potentially block malicious activities or artifacts associated with known threats. These IOCs help analysts and automated systems correlate events, raise alerts, and take preventative actions against threats that match known malicious signatures or patterns.
Among the various types of IOCs that can be created and used in Cortex XDR, hashes and hostnames are two officially supported IOC types for creation and detection.
Hashes (typically in the form of MD5, SHA-1, or SHA-256) are one of the most common and reliable forms of IOCs. They uniquely identify a file based on its contents. Cortex XDR allows users to:
Create hash IOCs manually or automatically via integrated threat intelligence feeds.
Detect files matching these hashes during scans or when the file is executed.
Apply policy actions such as alerting or blocking when a file with a matching hash is seen.
Using hash-based IOCs is particularly effective for detecting known malware, rogue binaries, or previously analyzed malicious executables.
Hostnames (e.g., malicious.example.com) are also widely used as IOCs. These IOCs typically represent domains or subdomains used for:
Command-and-control (C2) communication.
Malware distribution.
Phishing or drive-by download campaigns.
In Cortex XDR, hostnames can be imported or defined as IOCs to flag any network traffic attempting to resolve or communicate with them. This is especially useful for blocking or alerting on connections to known malicious domains, even if the associated IP address changes frequently.
A (Registry): While registry activity can be monitored and flagged as anomalous behavior (e.g., unusual registry modifications), registry keys or paths are not supported as IOCs in Cortex XDR for creation or direct matching.
B (File Path): Similarly, file paths can be logged and analyzed in behavioral analytics, but file path-based IOCs are not a supported IOC type in Cortex XDR. File path information may be included in EDR telemetry or behavioral rules, but not as standalone IOCs.
Cortex XDR supports several types of IOCs that are actionable, meaning they can be detected, alerted on, or blocked. Among the valid types are hashes and hostnames, which are both supported for IOC creation and correlation. These help security teams track and respond to known threats based on file identities and malicious network destinations.
Therefore, the correct answers are C and D.
Question 10:
A Cortex XSOAR customer has a phishing use case in which a playbook has been implemented with one of the steps blocking a malicious URL found in an email reported by one of the users.
What would be the appropriate next step in the playbook?
A. Email the CISO to advise that malicious email was found.
B. Disable the user's email account.
C. Email the user to confirm the reported email was phishing.
D. Change the user's password.
Answer: C
Explanation:
In a Cortex XSOAR phishing use case, automation workflows (playbooks) are designed to process reported emails, analyze content and indicators (like URLs or attachments), and take appropriate response actions. Once the malicious content—such as a malicious URL—has been successfully blocked, the next logical step in the incident response process is closing the communication loop with the reporting user.
This brings us to option C: Email the user to confirm the reported email was phishing.
Once a phishing email has been analyzed and identified as malicious:
The playbook should communicate the outcome to the user who initially reported it.
This builds trust in the incident response process and reinforces the importance of user vigilance.
Confirming the email was indeed phishing serves an educational purpose, encouraging the user to continue reporting suspicious emails.
This response does not require elevated intervention or security action beyond acknowledgment and user feedback.
Cortex XSOAR playbooks are often configured to automatically notify users about the resolution of their reported incidents, especially in phishing scenarios. This notification step is a low-risk, high-value action that completes the incident handling lifecycle.
A (Email the CISO): While keeping executives informed is important, routine phishing alerts typically do not require CISO-level escalation, especially when they are already contained and mitigated. Escalating every confirmed phishing email would create noise and inefficiency.
B (Disable the user's email account): There is no evidence in this scenario that the user’s account was compromised. Disabling accounts is a severe and disruptive action and should only be taken if there are clear signs of compromise (e.g., unusual logins, forwarding rules, or sending malicious messages).
D (Change the user's password): Again, unless there are indications of account compromise, changing a user's password is unnecessary and intrusive. It may frustrate users and slow productivity without adding real security benefit in this context.
After identifying and blocking a malicious URL in a phishing email, the most appropriate next step is to close the feedback loop with the user who reported the email. This not only provides transparency but also reinforces good security practices and ensures user engagement in threat reporting. More aggressive actions like disabling the account or changing the password would only be appropriate if there were signs of actual compromise, which are not present in this case.
Therefore, the correct answer is C.