10/197 questions
Q1

A SOC analyst at a financial services firm is investigating a high-severity incident originating from a database server. The causality chain indicates that a legitimate, signed administrative tool, `db_admin_util.exe`, was used to spawn a PowerShell process that connected to a known malicious IP address. The firm's policy prohibits isolating this critical server. Which response action in Cortex XDR would be most effective at containing the immediate threat while adhering to the policy?

Q2 (Multiple answers)

A security team is deploying Cortex XDR agents to a new fleet of developer workstations. To minimize false positives from custom-built applications and scripts, the team creates a specific Security Profile for this group. Which two settings within the Malware Protection profile are most appropriate for allowing legitimate, internally developed tools to run without triggering alerts, while still maintaining a strong security posture? (Select TWO)

Q3

An analyst needs to create a scheduled XQL query that runs daily to identify any process that creates a file with a '.ps1' extension in a user's 'Downloads' directory. Which XQL query correctly accomplishes this?
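The following XQL query is an added illustration of the pattern Q3 describes; it is not part of the original question set and is not presented as the answer key. It assumes the standard file-event fields of the xdr_data dataset (event_type, event_sub_type, action_file_extension, action_file_path, actor_process_image_name, actor_process_command_line, action_file_sha256, agent_hostname); the one-day window and the plain "Downloads" substring match are assumptions chosen for illustration.

```xql
// Added example: hunt for .ps1 files written into a user's Downloads folder.
// Assumes the standard xdr_data file-event field names; the 1d window and the
// substring match on "Downloads" are illustrative choices, not a fixed rule.
config timeframe = 1d
| dataset = xdr_data
| filter event_type = ENUM.FILE and event_sub_type = ENUM.FILE_CREATE
// normalise the extension so PS1 / Ps1 are not missed
| filter lowercase(action_file_extension) = "ps1"
// plain substring match on the path; tighten to a full path pattern if needed
| filter action_file_path contains "Downloads"
| fields _time, agent_hostname, actor_process_image_name, actor_process_command_line, action_file_path, action_file_sha256
| sort desc _time
```

The daily cadence in Q3 is not expressed in the query text itself; the query is saved and scheduled from the console, and `config timeframe = 1d` only bounds the data each run inspects. Pivoting on action_file_sha256 lets an analyst check whether the same script lands on several hosts, which is usually the more interesting question than any single creation event.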

Q4

During an incident investigation, an analyst observes that Cortex XDR has automatically stitched together alerts from an endpoint, a firewall, and an identity provider into a single incident. What is the primary mechanism that enables this cross-domain data stitching?

Q5

True or False: In Cortex XDR, using the 'Isolate Host' response action will immediately terminate all network connections, including the agent's connection back to the Cortex XDR console, preventing any further remote actions.

Q6

An analyst is reviewing the Host Insights data for a critical server and notices that the 'OS Version' field is listed as 'Unsupported'. What is the most significant security implication of this status?

Q7

A manufacturing company is concerned about intellectual property theft. A security analyst is tasked with creating a proactive threat hunting query to find evidence of large data exfiltration over DNS. Which XQL query would be most effective for this purpose?

Q8

An XDR analyst is troubleshooting why a new exploit protection module is not being applied to a specific group of servers. The servers have the correct agent version installed and are connected to the console. What is the most likely reason for this issue?

Q9

While investigating an incident, an analyst needs to retrieve a suspicious executable from a remote endpoint for sandboxing. The endpoint is currently isolated. Which is the correct sequence of steps to retrieve the file using Live Terminal?

Q10

What is the primary function of a lookup table in Cortex XDR data analysis?