Paloalto Networks XDR-Engineer Palo Alto Networks XDR Engineer Exam Practice Test

In a sensitive and highly regulated environment (e.g., healthcare, finance), Cortex XDR agent configurations must balance security with stability and compliance. This often involves controlling agent upgrades and content updates to minimize disruptions while ensuring timely protection updates. The following steps are recommended to achieve this balance.

Correct Answer Analysis (B, C):

B. Create an agent settings profile where the agent upgrade scope is maintenance releases only: In regulated environments, frequent agent upgrades can introduce risks of instability or compatibility issues. Limiting upgrades tomaintenance releases only(e.g., bug fixes and minor updates, not major version changes) ensures stability while addressing critical issues. This is configured in the agent settings profile to control the upgrade scope.

C. Create an agent settings profile, enable content auto-update, and include a delay of four days: Content updates (e.g., Behavioral Threat Protection rules, localanalysis logic) are critical for maintaining protection but can be delayed in regulated environments to allow for testing. Enablingcontent auto-updatewith afour-day delayensures that updates are applied automatically but provides a window to validate changes, reducing the risk of unexpected behavior.

Why not the other options?

A. Enable critical environment versions: There is no specific “critical environment versions” setting in Cortex XDR. This option appears to be a misnomer and does not align with standard agent configuration practices for regulated environments.

D. Enable minor content version updates: While enabling minor content updates can be useful, it does not provide the control needed in a regulated environment (e.g., a delay for testing). Option C (auto-update with a delay) is a more comprehensive and appropriate step.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains agent configurations for regulated environments: “In sensitive environments, configure agent settings profiles to limit upgrades to maintenance releases and enable content auto-updates with a delay (e.g., four days) to ensure stability and compliance” (paraphrased from the Agent Settings section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers agent management, stating that “maintenance-only upgrades and delayed content updates are recommended for regulated environments to balance security and stability” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “Cortex XDR agent configuration” as a key exam topic, encompassing settings for regulated environments.

In Cortex XDR,custom prevention rulesare used to block specific behaviors or activities on endpoints by leveragingBehavioral Indicators of Compromise (BIOCs). BIOCs define patterns of behavior (e.g., specific process executions, file modifications, or network activities) that, when detected, can trigger preventive actions, such as blocking a process or isolating an endpoint. These BIOCs are typically associated with aRestriction profile, which enforces blocking actions for matched behaviors.

Correct Answer Analysis (C):Acustom behavioral indicator of compromise (BIOC)added to aRestriction profileenables a custom prevention rule to block specific behavior. The BIOC defines the behavior to detect (e.g., a process accessing a sensitive file), and the Restriction profile specifies the preventive action (e.g., block the process). This configuration ensures that the identified behavior is blocked on endpoints where the profile is applied.

Why not the other options?

A. A correlation rule added to an Agent Blocking profile: Correlation rules are used to generate alerts by correlating events across datasets, not to block behaviors directly. There is no “Agent Blocking profile” in Cortex XDR; this is a misnomer.

B. A custom behavioral indicator of compromise (BIOC) added to an Exploit profile: Exploit profiles are used to detect and prevent exploit-based attacks (e.g., memory corruption), not general behavioral patterns defined by BIOCs. BIOCs are associated with Restriction profiles for blocking behaviors.

D. A correlation rule added to a Malware profile: Correlation rules do not directly block behaviors; they generate alerts. Malware profiles focus on file-based threats (e.g., executables analyzed by WildFire), not behavioral blocking via BIOCs.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains BIOC and Restriction profiles: “Custom BIOCs can be added to Restriction profiles to block specific behaviors on endpoints, enabling tailored prevention rules” (paraphrased from the BIOC and Restriction Profile sections). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers prevention rules, stating that “BIOCs in Restriction profiles enable blocking of specific endpoint behaviors” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “detection engineering” as a key exam topic, encompassing BIOC and prevention rule configuration.

In Cortex XDR,dashboard drilldownsallow users to interact with widgets (e.g., charts or tables) by clicking on elements to access additional details or perform actions. Drilldowns enhance the investigative capabilities of dashboards by linking to related data or views.

Correct Answer Analysis (A, C):

A. Navigate to a different dashboard: A drilldown can be configured to navigate to another dashboard, providing a more detailed view or related metrics. For example, clicking on an alert count in a widget might open a dashboard focused on alert details.

C. Link to an XQL query: Drilldowns often link to anXQL querythat filters data based on the clicked element (e.g., an alert name or source). This allows users to view raw events or detailed records in the Query Builder or Investigation view.

Why not the other options?

B. Initiate automated response actions: Drilldowns are primarily for navigation and data exploration, not for triggering automated response actions. Response actions (e.g., isolating an endpoint) are typically initiated from the Incident or Alert views, not dashboards.

D. Send alerts to console users: Drilldowns do not send alerts to users. Alerts are generated by correlation rules or BIOCs, and dashboards are used for visualization, not alert distribution.

Exact Extract or Reference:

TheCortex XDR Documentation Portaldescribes drilldown functionality: “Dashboard drilldowns can navigate to another dashboard or link to an XQL query to display detailed data based on the selected widget element” (paraphrased from the Dashboards and Widgets section). TheEDU-262: Cortex XDR Investigation and Responsecourse covers dashboards, stating that “drilldowns enable navigation to other dashboards or XQL queries for deeper analysis” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “dashboards and reporting” as a key exam topic, encompassing drilldown configuration.

TheXDR Collectoron a Windows endpoint collects logs (e.g., Windows Event Logs) and forwards them to the Cortex XDR console for analysis. An OS upgrade can impact the collector’s functionality, particularly if it affects log formats, sizes, or compatibility. If log events are no longer observed after the upgrade, the issue likely relates to a change in how logs are processed or transmitted. Cortex XDR imposes limits on log event sizes to ensure efficient ingestion and processing.

Correct Answer Analysis (A):The probable cause is thatthe log events are greater than 5MB. Cortex XDR has a size limit for individual log events, typically around 5MB, to prevent performance issues during ingestion. An OS upgrade may change the way logs are generated (e.g., increasing verbosity or adding metadata), causing events to exceed this limit. If log events are larger than 5MB, the XDR Collector will drop them, resulting in no logs being observed in the console.

Why not the other options?

B. They are in Winlogbeat format: Winlogbeat is a supported log shipper for collecting Windows Event Logs, and the XDR Collector is compatible with this format. The format itself is not the issue unless misconfigured, which is not indicated.

C. They are in Filebeat format: Filebeat is also supported by the XDR Collector for file-based logs. The format is not the likely cause unless the OS upgrade changed the log source, which is not specified.

D. They are less than 1MB: There is no minimum size limit for log events in Cortex XDR, so being less than 1MB would not cause logs to stop appearing.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains log ingestion limits: “Individual log events larger than 5MB are dropped by the XDR Collector to prevent ingestion issues, which may occur after changes like an OS upgrade” (paraphrased from the XDR Collector Troubleshooting section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers log collection issues, stating that “log events exceeding 5MB are not ingested, a common issue after OS upgrades thatincrease log size” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “maintenance and troubleshooting” as a key exam topic, encompassing log ingestion issues.

In Cortex XDR, managing data ingestion involves defining rules to collect, filter, or drop logs to optimize storage and processing. The goal is todrop undesired logsto reduce the amount of data ingested. The syntax used in the options appears to be a combination of ingestion rule metadata (e.g., [COLLECT] or [INGEST]) and filtering logic, likely written in a simplified query language for log processing. Thedropaction explicitly discards logs matching a condition, whilefilterwithnot containscan achieve similar results by keeping only logs that do not match the condition.

Correct Answer Analysis (C):The method in option C,[COLLECT:vendor="vendor", product="product", target_dataset="", no_hit=drop] * drop _raw_log contains "undesired logs";, explicitlydropslogs where the raw log content contains "undesired logs". The [COLLECT] directive defines the log collection scope (vendor, product, and dataset), and the no_hit=drop parameter indicates that unmatched logs are dropped. The drop _raw_log contains "undesired logs" statement ensures that logs matching the "undesired logs" pattern are discarded, effectively reducing the amount of data ingested.

Why not the other options?

A. [COLLECT:vendor="vendor", product="product", target_brokers="", no_hit=drop] * drop _raw_log contains "undesired logs";: This is similar to option C but uses target_brokers="", which is typically used for Broker VM configurations rather than direct dataset ingestion. While it could work, option C is more straightforward with target_dataset="".

B. [INGEST:vendor="vendor", product="product", target_dataset="vendor_product_raw", no_hit=drop] * filter _raw_log not contains "undesired logs";: This method uses filter _raw_log not contains "undesired logs" to keep logs that do not match the condition, which indirectly drops undesired logs. However, the drop action in option C is more explicit and efficient for reducing ingestion.

D. [INGEST:vendor="vendor", product="product", target_brokers="vendor_product_raw", no_hit=keep] * filter _raw_log not contains "undesired logs";: The no_hit=keep parameter means unmatched logs are kept, which does not align with the goal of reducing data. The filter statement reduces data, but no_hit=keep may counteract this by retaining unmatched logs, making this less effective than option C.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains log ingestion rules: “To reduce data ingestion, use the drop action to discard logs matching specific patterns, such as _raw_log contains 'pattern'” (paraphrased from the Data Ingestion section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers data ingestion optimization, stating that “dropping logs with specific content using drop _raw_log contains is an effective way to reduce ingested data volume” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “data ingestion and integration” as a key exam topic, encompassing log filtering and dropping.

When installing Cortex XDR agents on Linux systems, ensuring compatibility with the operating system (OS) type and version is critical, especially for the most recent agent versions. Linux systems require specific kernel module support because the Cortex XDR agent relies on kernel modules for core functionality, such as process monitoring, file system protection, and network filtering. TheKernel Module Version Supportdocumentation provides detailed information on which Linux distributions (e.g., Ubuntu, CentOS, RHEL) and kernel versions are supported by the Cortex XDR agent, ensuring the agent can operate effectively on the target systems.

Correct Answer Analysis (B):TheKernel Module Version Supportshould be cross-referenced for Linux systems to verify that the OS types (e.g., Ubuntu, CentOS) and specific kernel versions listed are supported by the Cortex XDR agent. This ensures that the agent’s kernel modules, which are essential for protection features, are compatible with the Linux endpoints at the newly acquired company.

Why not the other options?

A. Content Compatibility Matrix: A Content Compatibility Matrix typically details compatibility between content updates (e.g., Behavioral Threat Protection rules) and agent versions, not OS or kernel compatibility for Linux systems.

C. End-of-Life Summary: The End-of-Life Summary provides information on agent versions or OS versions that are no longer supported by Palo Alto Networks, but it is not the primary resource for checking current OS and kernel compatibility.

D. Agent Installer Certificate: The Agent Installer Certificate relates to the cryptographic verification of the agent installer package, not to OS or kernel compatibility.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains Linux agent requirements: “For Linux systems, cross-reference the Kernel Module Version Support to ensure compatibility with supported OS types and kernel versions” (paraphrased from the Linux Agent Deployment section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers Linux agent installation, stating that “Kernel Module Version Support lists compatible Linux distributions and kernel versions for Cortex XDR agents” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “planning and installation” as a key exam topic, encompassing Linux agent compatibility checks.

In Cortex XDR, printing issues can be influenced by agent configurations, particularly those related to network access or device control. The scenario describes two groups of employees: one group can print when working from home but not on network-attached printers, and another can only print to file (e.g., PDF or XPS). This suggests a restriction on network printing, likely due to a security policy enforced by the Cortex XDR agent.

Correct Answer Analysis (B):They may have a host firewall profile set to block activity to all network-attached printersis the most likely inference. Cortex XDR’shost firewallfeature allows administrators to define rules that control network traffic, including blocking outbound connections to network-attached printers (e.g., by blocking protocols like IPP or LPD on specific ports). Employees working from home (on external networks) may be subject to a firewall profile that blocks network printing to prevent data leakage, while local printing (e.g., to USB printers) or printing to file is allowed. The group that can only print to file likely has stricter rules that block all physical printing, allowing only virtual print-to-file operations.

Why not the other options?

A. They may be attached to the default extensions policy and profile: The default extensions policy typically does not include specific restrictions on printing, focusing instead on general agent behavior (e.g., device control or exploit protection). Printing issues are more likely tied to firewall or device control profiles.

C. They may have different disk encryption profiles that are not allowing print jobs on encrypted files: Cortex XDR does not manage disk encryption profiles, and disk encryption (e.g., BitLocker) does not typically block printing based on file encryption status. This is not a relevant cause.

D. They may be on different device extensions profiles set to block different print jobs: While device control profiles can block USB printers, they do not typically control network printing or distinguish between print-to-file and physical printing. Network printing restrictions are more likely enforced by host firewall rules.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains host firewall capabilities: “Host firewall profiles can block outbound traffic to network-attached printers, restricting printing for remote employees to prevent unauthorized data transfers” (paraphrased from the Host-Based Firewall section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers firewall configurations, stating that “firewall rules can block network printing while allowing local or virtual printing, often causing printing issues for remote users” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “Cortex XDR agent configuration” as a key exam topic, encompassing host firewall settings.

To ingest additional events from a Windows DHCP server into Cortex XDR with minimal configuration, the recommended approach is to use theCortex XDR Collector. TheXDR Collectoris a lightweight component designed to collect and forward logs and events from various sources, including Windows servers, to Cortex XDR for analysis and correlation. It is specifically optimized for scenarios where full Cortex XDR agent deployment is not required, and it minimizes configuration overhead by automating much of the data collection process.

For a Windows DHCP server, the XDR Collector can be installed on the server to collect DHCP logs (e.g., lease assignments, renewals, or errors) from the Windows Event Log or other relevant sources. Once installed, the collector forwards these events to the Cortex XDR tenant with minimal setup, requiring only basic configuration such as specifying the target data types and ensuring network connectivity to the Cortex XDR cloud. This approach is more straightforward than alternatives like setting up a full agent or configuring external integrations like Windows Event Collector (WEC) or HTTP collectors, which require additional infrastructure or manual configuration.

Why not the other options?

A. Activate Windows Event Collector (WEC): While WEC can collect events from Windows servers, it requires significant configuration, including setting up a WEC server, configuring subscriptions, and integrating with Cortex XDR via a separate ingestion mechanism. This is not minimal configuration.

C. Enable HTTP collector integration: HTTP collector integration is used for ingesting data via HTTP/HTTPS APIs, which is not applicable for Windows DHCP server events, as DHCP logs are typically stored in the Windows Event Log, not exposed via HTTP.

D. Install the Cortex XDR agent: The Cortex XDR agent is a full-featured endpoint protection and detection solution that includes prevention, detection, and responsecapabilities. While it can collect some event data, it is overkill for the specific task of ingesting DHCP server events and requires more configuration than the XDR Collector.

Exact Extract or Reference:

TheCortex XDR Documentation Portaldescribes theXDR Collectoras a tool for “collecting logs and events from servers and endpoints with minimal setup” (paraphrased from the Data Ingestion section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse emphasizes that “XDR Collectors are ideal for ingesting server logs, such as those from Windows DHCP servers, with streamlined configuration” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetlists “data source onboarding and integration configuration” as a key skill, which includes configuring XDR Collectors for log ingestion.

Cortex XDR content updatesdeliver enhancements to the platform’s detection and prevention capabilities, including updates to rules, logic, and other components that improve threat detection without requiring a full agent upgrade. These updates are distinct from agent software updates (which change the agent version) or firewall configurations.

Correct Answer Analysis (B):Cortex XDR content updates typically includeBehavioral Threat Protection (BTP) rulesandlocal analysis logic. BTP rules define patterns for detecting advanced threats based on endpoint behavior, while local analysis logic enhances the agent’s ability to analyze files and activities locally, improving detection accuracy and performance.

Why not the other options?

A. Device control profiles, agent versions, and kernel support: Device control profiles are part of policy configurations, not content updates. Agent versions are updated via software upgrades, not content updates. Kernel support may be included in agent upgrades, not content updates.

C. Antivirus definitions and agent versions: Antivirus definitions are associated with traditional AV solutions, not Cortex XDR’s behavior-based approach. Agent versions are updated separately, not as part of content updates.

D. Firewall rules and antivirus definitions: Firewall rules are managed by Palo Alto Networks firewalls, not Cortex XDR content updates. Antivirus definitions are not relevant to Cortex XDR’s detection mechanisms.

Exact Extract or Reference:

TheCortex XDR Documentation Portaldescribes content updates: “Content updates include Behavioral Threat Protection (BTP) rules and local analysis logic to enhance detection capabilities” (paraphrased from the Content Updates section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers content management, stating that “content updates deliver BTP rules and local analysis enhancements to improve threat detection” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “post-deployment management and configuration” as a key exam topic, encompassing content updates.

TheXDR Collectorin Cortex XDR is a lightweight tool for collecting logs and events from servers and endpoints. When a proxy is required for the XDR Collector to communicate with the Cortex XDR cloud, the proxy settings must be configured in the collector’s configuration file. Specifically, theYAML configuration file(e.g., config.yaml) must be edited to include the proxy details, such as the proxy server’s address, port, and authentication credentials (if required).

Correct Answer Analysis (A):To configure a proxy for the XDR Collector, the engineer mustedit the YAML configuration filewith the new proxy information. This involves adding or updating the proxy settings in the file, which the collector uses to route its traffic through the specified proxy server.

Why not the other options?

B. Restart the XDR Collector after configuring the proxy settings: While restarting the collector may be necessary to apply changes, it is not the primary step required to configure the proxy. The YAML file must be edited first.

C. Connect the XDR Collector to the Pathfinder: The Pathfinder is a Cortex XDR feature for discovering endpoints, not for configuring proxy settings for the XDR Collector.

D. Configure the proxy settings on the Cortex XDR tenant: Proxy settings for the XDR Collector are configured locally on the collector, not in the Cortex XDR tenant’s web interface.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains XDR Collector configuration: “To configure a proxy for the XDR Collector, edit the YAML configuration file to include the proxy server details, such as address and port” (paraphrased from the XDR Collector Configuration section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers XDR Collector setup, stating that“proxy settings are configured by editing the collector’s YAML file” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “data ingestion and integration” as a key exam topic, encompassing XDR Collector configuration.

In Cortex XDR,Scope-Based Access Control (SBAC)restricts user access to data based on predefined scopes, which can be assigned to endpoints, users, or other resources. Inpermissive mode, SBAC allows users to access data within their assigned scopes but may restrict access to data outside those scopes. The question assumes an SBAC scenario with four endpoints (E1, E2, E3, E4), where the user likely has access to a specific scope (e.g., Scope A) that includes E1, E2, and E3, while E4 is in a different scope (e.g., Scope B).

Correct Answer Analysis (C):When the tenant is switched to permissive mode, the user will have access toE1, E2, and E3because these endpoints are within the user’s assigned scope (e.g., Scope A). E4, being in a different scope (e.g., Scope B), will not be accessible unless the user has explicit accessto that scope. Permissive mode enforces scope restrictions, ensuring that only data within the user’s scope is visible.

Why not the other options?

A. E1 only: This is too restrictive; the user’s scope includes E1, E2, and E3, not just E1.

B. E2 only: Similarly, this is too restrictive; the user’s scope includes E1, E2, and E3, not just E2.

D. E1, E2, E3, and E4: This would only be correct if the user had access to both Scope A and Scope B or if permissive mode ignored scope restrictions entirely, which it does not. Permissive mode still enforces SBAC rules, limiting access to the user’s assigned scopes.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains SBAC: “In permissive mode, Scope-Based Access Control restricts user access to endpoints within their assigned scopes, ensuring data visibility aligns with scope permissions” (paraphrased from the Scope-Based Access Control section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers SBAC configuration, stating that “permissive mode allows access to endpoints within a user’s scope, such as E1, E2, and E3, while restricting access to endpoints in other scopes” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “post-deployment management and configuration” as a key exam topic, encompassing SBAC settings.

In Cortex XDR, data is stored in different tiers:hot storage(for recent, frequently accessed data),cold storage(for older, less frequently accessed data), and atemporary hot storage cachefor data retrieved from cold storage during queries. When data is queried from cold storage, it is moved to the temporary hot storage cache to enable faster access for subsequent queries. The question asks how long this data remains in the cache and the maximum duration for re-queries.

Correct Answer Analysis (B):Data retrieved from cold storage is kept in the temporary hot storage cache for24 hours. If the data is re-queried within this period, it remains accessible in the cache. The maximum duration for re-queries is7 days, after which the data may need to be retrieved from cold storage again, incurring additional processing time.

Why not the other options?

A. 1 hour, re-queried to a maximum of 12 hours: These durations are too short and do not align with Cortex XDR’s data retention policies for the hot storage cache.

C. 24 hours, re-queried to a maximum of 14 days: While the initial 24-hour cache duration is correct, the 14-day maximum for re-queries is too long and not supported by Cortex XDR’s documentation.

D. 1 hour, re-queried to a maximum of 24 hours: The 1-hour initial cache duration is incorrect, as Cortex XDR retains queried data for 24 hours.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains data storage: “Data queried from cold storage is cached in hot storage for 24 hours, with a maximum re-query period of 7 days” (paraphrased from the Data Management section). TheEDU-262: Cortex XDR Investigation and Responsecourse covers data retention, stating that “queried cold storage data remains in the hot cache for 24 hours, accessible for up to 7 days with re-queries” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “maintenance and troubleshooting” as a key exam topic, encompassing data storage management.

Since no image was provided, I assume the Malware profile is configured with default Cortex XDR settings, which typically enforce strict malware prevention for unknown or untrusted executables. In Cortex XDR, theMalware profilewithin the security policy determines how executables are handled on endpoints. For anew custom-developed application(an unknown executable not previously analyzed or allow-listed), the default behavior is toblock executionuntil the file is analyzed byWildFire(Palo Alto Networks’ cloud-based threat analysis service) or explicitly allowed via policy.

Correct Answer Analysis (B):By default, Cortex XDR’s Malware profile is configured toblockunknown executables, including new custom-developed applications, to prevent potential threats. When the application attempts ilustrator execute, the Cortex XDR agent intercepts it, sends it to WildFire for analysis (if not excluded), and blocks execution until a verdict is received. If the application is not on an allow list or excluded, itwill not executeimmediately, aligning with option B.

Why not the other options?

A. It will immediately execute: This would only occur if the application is on an allow list or if the Malware profile is configured to allow unknown executables, which is not typical for default settings.

C. It will execute after one hour: There is no default setting in Cortex XDR that delays execution for one hour. Execution depends on the WildFire verdict or policy configuration, not a fixed time delay.

D. It will execute after the second attempt: Cortex XDR does not have a mechanism that allows execution after a second attempt. Execution is either blocked or allowed based on policy and analysis results.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains Malware profile behavior: “By default, unknown executables are blocked until a WildFire verdict is received, ensuring protection against new or custom-developed applications” (paraphrased from the Malware Profile Configuration section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers Malware profiles, stating that “default settings block unknown executables to prevent potential threats until analyzed” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “Cortex XDR agent configuration” as a key exam topic, encompassing Malware profile settings.

In Cortex XDR, theQuery Centerallows administrators to manage and reviewXQL (XDR Query Language)queries, including those scheduled to run via API. Each query consumescompute units, a measure of the computational resources required to execute the query. To determine how many compute units a query will use, theCompute Unit Usagecolumn in the Query Center provides the actual or estimated resource consumption based on the query’s execution history or configuration.

Correct Answer Analysis (B):TheCompute Unit Usagecolumn in the Query Center displays the number of compute units consumed by a query when it runs. For a tested and ready query, this column provides the most accurate information on resource usage, helping administrators plan for API-based executions.

Why not the other options?

A. Query Status: The Query Status column indicates whether the query ran successfully, failed, or is pending, but it does not provide information on compute unit consumption.

C. Simulated Compute Units: While some systems may offer simulated estimates, Cortex XDR’s Query Center does not have a “Simulated Compute Units” column. The actual usage is tracked in Compute Unit Usage.

D. Compute Unit Quota: The Compute Unit Quota refers to the total available compute units for the tenant, not the specific usage of an individual query.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains Query Center functionality: “The Compute Unit Usage column in the Query Center shows the compute units consumed by a query, enabling administrators to assess resource usage for scheduled or API-based queries” (paraphrased from the Query Center section). TheEDU-262: Cortex XDR Investigation and Responsecourse covers query management, stating that “Compute Unit Usage provides details on the resources used by each query in the Query Center” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “maintenance and troubleshooting” as a key exam topic, encompassing query resource management.