NEW QUESTION 1
How do sub-playbooks affect the Incident Context Data?

• A. When set to private, task outputs do not automatically get written to the root context
• B. When set to private, task outputs automatically get written to the root context
• C. When set to global, allows parallel task execution.
• D. When set to global, sub-playbook tasks do not have access to the root context

Answer: A

NEW QUESTION 2
An administrator has a critical group of systems running Windows XP SP3 that cannot be upgraded The administrator wants to evaluate the ability of Traps to protect these systems and the word processing applications running on them
How should an administrator perform this evaluation?

• A. Gather information about the word processing applications and run them on a Windows XP SP3 VM Determine if any of the applications are vulnerable and run the exploit with an exploitation tool
• B. Run word processing exploits in a latest version of Windows VM in a controlled and isolated environmen
• C. Document indicators of compromise and compare to Traps protection capabilities
• D. Run a known 2015 flash exploit on a Windows XP SP3 V
• E. and run an exploitation tool that acts as a listener Use the results to demonstrate Traps capabilities
• F. Prepare the latest version of Windows VM Gather information about the word processing applications, determine if some of them are vulnerable and prepare a working exploit for at least one of them Execute with an exploitation tool

Answer: C

NEW QUESTION 3
Which step is required to prepare the VDI Golden Image?

• A. Review any PE files that WildFire determined to be malicious
• B. Ensure the latest content updates are installed
• C. Run the VDI conversion tool
• D. Set the memory dumps to manual setting

Answer: A

NEW QUESTION 4
The images show two versions of the same automation script and the results they produce when executed in Demisto. What are two possible causes of the exception thrown in the second Image? (Choose two.)
SUCCESS

• A. The modified scnpt was run in the wrong Docker image
• B. The modified script required a different parameter to run successfully.
• C. The dictionary was defined incorrectly in the second script.
• D. The modified script attempted to access a dictionary key that did not exist in the dictionary named "data”

Answer: A

NEW QUESTION 5
In an Air-Gapped environment where the Docker package was manually installed after the Cortex XSOAR installation which action allows Cortex XSOAR to access Docker?

• A. create a “docker” group and add the "Cortex XSOAR" or "demisto" user to this group
• B. create a "Cortex XSOAR' or "demisto" group and add the "docker" user to this group
• C. disable the Cortex XSOAR service
• D. enable the docker service

Answer: A

NEW QUESTION 6
In Cortex XDR Prevent, which three matching criteria can be used to dynamically group endpoints? (Choose three )

• A. alert root cause
• B. hostname
• C. domain/workgroup membership
• D. OS
• E. presence of Flash executable

Answer: BCD

NEW QUESTION 7
Which two types of lOCs are available for creation in Cortex XDR? (Choose two.)

• A. IP
• B. endpoint hostname
• C. domain
• D. registry entry

Answer: AC

NEW QUESTION 8
What is the difference between an exception and an exclusion?

• A. An exception is based on rules and exclusions are on alerts
• B. An exclusion is based on rules and exceptions are based on alerts.
• C. An exception does not exist
• D. An exclusion does not exist

Answer: A

NEW QUESTION 9
Which two items are stitched to the Cortex XDR causality chain'' (Choose two)

• A. firewall alert
• B. SIEM alert
• C. full URL
• D. registry set value

Answer: AC

NEW QUESTION 10
Which CLI query would bring back Notable Events from Splunk?
A)

B)

C)

D)

• A. Option A
• B. Option B
• C. Option C
• D. Option D

Answer: D

NEW QUESTION 11
When a Demisto Engine is part of a Load-Balancing group it?

• A. Must be in a Load-Balancing group with at least another 3 members
• B. It must have port 443 open to allow the Demisto Server to establish a connection
• C. Can be used separately as an engine, only if connected to the Demisto Server directly
• D. Cannot be used separately and does not appear in the in the engines drop-down menu when configuring an integration instance

Answer: D

NEW QUESTION 12
The prospect is deciding whether to go with a phishing or a ServiceNow use case as part of their POC We have integrations for both but a playbook for phishing only Which use case should be used for the POC?

• A. phishing
• B. either
• C. ServiceNow
• D. neither

Answer: A

NEW QUESTION 13
How many use cases should a POC success criteria document include?

• A. only 1
• B. 3 or more
• C. no more than 5
• D. no more than 2

Answer: A

NEW QUESTION 14
Which two filter operators are available in Cortex XDR? (Choose two.)

• A. < >
• B. Contains
• C. =
• D. Is Contained By

Answer: BC

NEW QUESTION 15
Which Cortex XDR capability extends investigations to an endpoint?

• A. Log Stitching
• B. Causality Chain
• C. Sensors
• D. Live Terminal

Answer: A

Explanation:
https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/cortex-xdr-overview/cortex-xdr-conc

NEW QUESTION 16
How does an "inline" auto-extract task affect playbook execution?

• A. Doesn't wait until the indicators are enriched and continues executing the next step
• B. Doesn't wait until the indicators are enriched but populate context data before executing the next
• C. ste
• D. Wait until the indicators are enriched but doesn't populate context data before executing the next step.
• E. Wait until the indicators are enriched and populate context data before executing the next step.

Answer: D

NEW QUESTION 17
What are process exceptions used for?

• A. whitelist programs from WildFire analysis
• B. permit processes to load specific DLLs
• C. change the WildFire verdict for a given executable
• D. disable an EPM for a particular process

Answer: D

NEW QUESTION 18
......