31/5/2020 Realize Your Potential: paloaltonetworks

Test - Palo Alto Networks Accredited Systems Engineer (PSE): Cortex Associate Accreditation Exam

Test Questions

Question 1 of 25.

What are two sources of alert enrichment for Cortex XSOAR? (Choose two.)

AutoFocus
Cortex Data Lake
Cortex XSOAR dashboards
SIEMs

Mark for follow up

Question 2 of 25.

What is the ATT&CK framework?

A set of playbooks for orchestrated cyberattacks
A rubric for assessing TTP defense
A defense strategy for cyber, biological, or nuclear attack
A toolkit for hackers


Question 3 of 25.

What should a customer do that wants to keep a set of specific information for every event of a certain type?

use Remote Device Control to obtain the information
add custom fields to incidents representing events of that type
chat about it in the War Room
add that information in the Evidence Board when investigating the incident
https://paloaltonetworks.csod.com/Evaluations/EvalLaunch.aspx?loid=2d695ed1-6ed2-462c-a1b6-b2e4d7939749&evalLvl=5&redirect_url=%2fphnx%2fdriver.aspx%3froutename%3dSocial%2fUniversalProfile%2fTra… 1/8

Question 4 of 25.

What is an advantage of the multi-method detection approach used by Cortex XDR over traditional antivirus approaches?

It runs in the cloud.
It is updated frequently.
It is faster than hash comparison.
It prevents unknown threats.


Question 5 of 25.

Which statement describes the malware protection flow in Cortex XDR Prevent?

A trusted signed file is exempt from local static analysis.
A blacklist check is the final step of malware protection flow.
Local static analysis happens before a WildFire verdict check.
Hash comparisons come after local static analysis.


Question 6 of 25.

In which two ways does Cortex XDR Prevent complement Palo Alto Networks perimeter protection? (Choose two.)

Cortex XDR can prevent malevolent process execution spawned by traffic the NGFW allows through.
Information about threats is uploaded into Cortex XDR agents from perimeter NGFWs.
Cortex XDR agents send signatures about threats directly to Palo Alto Networks firewalls.
Endpoints sometimes are operated by their users outside the corporate network perimeter.


Question 7 of 25.

Which statement is true regarding Cortex XDR Prevent Execution Restrictions?


They are included in regular content updates.
They are used to specify which exploit prevention method will be applied to a given process.
They are used to blacklist or whitelist files for future processing.
They define where and how users can run executable files.


Question 8 of 25.

Which action saves time during attack investigation?

exploring multiple endpoints for compromise
enriching alert data from multiple sources
investigating multiple alerts as a single incident
investigating multiple incidents associated with a single alert


Question 9 of 25.

Which function enables a customer to consistently use multiple competing products with similar functions?

Cortex Data Lake
Cortex XSOAR automation
Cortex XDR analysis
Cortex XDR integration


Question 10 of 25.

Which function displays an entire picture of an attack including its root cause or delivery point?

Cortex SOC Orchestrator
Cortex Data Lake
Cortex XSOAR Work Plan
Cortex XDR incident analysis


Question 11 of 25.

What’s a subplaybook?

an app that underlies a playbook to ensure it flows from task to task
an obsolete playbook of inferior quality
a playbook used as a task in another playbook
an updated playbook that substitutes for an older playbook


Question 12 of 25.

When is an existing Cortex XDR customer a bad prospect for Cortex XSOAR?

When Cortex XDR is their “go to” XDR tool.
When they already have and use Cortex XSOAR.
When they use the ATT&CK rubric to guide their security efforts.
When they already have and use AutoFocus.


Question 13 of 25.

Which attack prevention technique does Cortex XDR use?

PowerShell Shortcut abuse protection
Executive power corruption protection
Memory corruption protection
Password oversimplicity protection


Question 14 of 25.

Which option best describes the functionality of Cortex XDR Prevent for endpoints?

Remediation
Detection and response
Prevention
Orchestration


Question 15 of 25.

What is orchestration in the context of SOAR?

The ability to control network and endpoint enforcement points
Formalization of organized workflows for people and machines
Automation of mundane cybersecurity tasks
The selection of the right SIEM for the right customer


Question 16 of 25.

Which two analysis methods does WildFire use to detect malware? (Choose two.)

executive restriction
static
program slicing
dynamic


Question 17 of 25.

Which sensor captures forensic information about a security event that occurs on an endpoint?

Zingbox dynamic inventory agent
AutoFocus connector
Cortex XDR agent
Cortex XSOAR indicator


Question 18 of 25.

Which action is required before a new integration can ingest a typed alert and automatically run a playbook for the resulting incident?

The playbook must be run manually with that type of alert.
The integration must be primed with a test alert of that type.
An instance of the integration must be created.
The alert source must be made aware through an API of the playbook to be run.


Question 19 of 25.

What is an advantage of Cortex XDR Pro analysis?

It puts attack steps in context for security analysts, even when each step in itself may look innocent.
It is completely automatic and does not require security analysts for operation.
It is quicker than that of any of its competitors.
It provides prevention as well as detection and response.


Question 20 of 25.

Which Cortex product provides intelligence to inform alert and incident analysis?

Cortex XSOAR
Cortex XDR
Zingbox
AutoFocus


Question 21 of 25.

How does Cortex XDR prevent unknown attacks against endpoints?

It keeps an updated version of WildFire hashes with malware verdicts.
It uses multiple prevention methods, each with multiple techniques.
It uses multiple signature versions to match attack mutations.
It runs heuristically determined playbooks against the attacks.


Question 22 of 25.

Which advantage is provided by unknown attack prevention?

Unknown attack prevention enables quarantine of compromised systems.
Unknown attack prevention approaches detect known attacks more quickly than do traditional known attack approaches.
Production environments can be protected even before OS patches are applied.
Unknown attack prevention facilitates incident root cause analysis.


Question 23 of 25.

How does Cortex XDR use machine learning?

It learns about normal user and process behavior in an infrastructure so it can recognize anomalous behavior.
It learns about the processes used by a SOC to automate those processes.
It learns about all the attacks throughout the world so that it can recognize which attacks are present in an environment.
It learns about the processes used in a SOC to provide customized alerts to the right people in the SOC.


Question 24 of 25.

Where can the entire history of group interactions involving an attack response be seen?

The Cortex XDR Incident page
WildFire
AutoFocus
The Cortex XSOAR War Room


Question 25 of 25.

Which two problems does a security operations team often encounter? (Choose two.)

too many alerts
too much alert context data
too many security products
too many security experts
