10/200 questions
Q1

A global financial institution is deploying Cortex XDR across a hybrid environment with 50,000 endpoints. The primary objective is to centralize log collection from legacy syslog devices, cloud flow logs, and Palo Alto Networks NGFWs, while minimizing latency for real-time threat hunting. The security architect must decide on the optimal Broker VM architecture. Given the requirements for high availability, geographic distribution, and performance, which Broker VM deployment strategy should the architect recommend?

Q2 (Multiple answers)

A security engineer is creating a new endpoint security profile for a group of developers who frequently work with unsigned binaries and custom scripts for testing purposes. The goal is to provide strong protection without impeding their development workflow. Which TWO settings within the Malware Protection profile should be configured to achieve this balance? (Select TWO)

Q3

True or False: The Cortex XDR Broker VM can be configured with a Syslog Collector applet to receive, parse, and forward logs from third-party devices to the Cortex Data Lake.

Q4

A healthcare organization has recently deployed Cortex XDR and is concerned about sophisticated lateral movement techniques. Their environment consists of Windows servers hosting electronic health record (EHR) systems and workstations used by clinical staff. The threat intelligence team has warned about adversaries using legitimate administrative tools like PsExec for lateral movement after gaining an initial foothold. The SOC manager wants to create a high-fidelity detection rule that specifically identifies anomalous PsExec usage targeting critical EHR servers. The EHR servers are all part of an Active Directory group named "EHR-Servers". Normal administrative activity originates from a dedicated set of bastion hosts within the `10.100.50.0/24` subnet. The SOC team has observed that attackers often launch PsExec from compromised user workstations, which are in different subnets. The goal is to generate an alert only when PsExec is used to connect to an EHR server from a source that is NOT one of the authorized bastion hosts. Which XQL query would be most effective for creating a Correlation Rule to detect this specific suspicious activity?

Q5

During a routine health check, a Cortex XDR administrator notices that several endpoints in a remote branch office have not checked in for over 24 hours. The administrator has confirmed network connectivity between the branch office and the corporate data center. The `cytool` command-line utility is available on one of the affected endpoints. Which `cytool` command should the administrator run first to diagnose the agent's communication status with the Cortex XDR console?

Q6

A security engineer is designing a data ingestion pipeline using a Broker VM to collect logs from multiple on-premises sources. The sources include a custom application generating logs in a unique key-value format, a Cisco ASA firewall sending standard syslog, and a database server sending audit logs over TCP. The goal is to normalize all these logs into the Cortex XDR format before forwarding them to the Cortex Data Lake. Which sequence of components and actions within the Broker VM correctly represents the processing flow for the custom application logs?

```mermaid
flowchart LR
  subgraph Broker_VM
    A[Collector Applet] --> B{Parsing Rule};
    B --> C[Normalization];
    C --> D[Forwarder];
  end
  subgraph Custom_App
    E[Log Source]
  end
  subgraph CDL
    F[Cortex Data Lake]
  end
  E --> A;
  D --> F;
```

Q7

A Cortex XDR administrator is configuring user roles for a multi-tiered SOC. The requirements are to create a 'Tier 1 Analyst' role with view-only access to incidents and endpoint data, but no ability to perform response actions like isolating an endpoint. Which specific permission should be explicitly denied or not granted when creating this custom role?

Q8

An organization is using the Host Firewall module on Cortex XDR to enforce network policies on its endpoints. The security team needs to create a rule that blocks all inbound traffic to developer workstations from the corporate guest Wi-Fi network (`172.16.32.0/20`), but allows all other traffic. How should this rule be configured in the Host Firewall profile?

Q9

A SOC analyst is investigating an alert and needs to find all DNS queries made by a specific host (`workstation-123.acme.corp`) in the last 7 days that were not to the internal corporate DNS servers (`10.1.1.10`, `10.2.1.10`). Which XQL query will retrieve this information most efficiently?

Q10

An XDR engineer is troubleshooting a data ingestion issue where logs from a custom application are being received by the Broker VM but are not appearing in the XDR console. The engineer suspects a problem with the custom parsing rule. Which component or log file should be checked first to validate if the parsing rule is correctly extracting fields from the raw logs?