
Exam PCDRA topic 1 question 17 discussion

Actual exam question from Palo Alto Networks's PCDRA
Question #: 17
Topic #: 1

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to download Cobalt Strike on one of your servers. Days later, you learn about a massive ongoing supply chain attack. Using Cortex XDR you recognize that your server was compromised by the attack and that Cortex XDR prevented it. What steps can you take to ensure that the same protection is extended to all your servers?

  • A. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
  • B. Enable DLL Protection on all servers but there might be some false positives.
  • C. Create IOCs of the malicious files you have found to prevent their execution.
  • D. Enable Behavioral Threat Protection (BTP) with cytool to prevent the attack from spreading.
Suggested Answer: A

Comments

Chiquitabandita
3 months, 3 weeks ago
Selected Answer: A
To configure the Global Behavioral Threat Protection Rules: Define the Action mode to take when the Cortex XDR agent detects malicious causality chains: Block (default)—Block all processes and threads in the event chain up to the CGO. Report—Allow the activity but report it to Cortex XDR. Disabled—Disable the module and do not analyze or report the activity.
upvoted 1 times
Chiquitabandita
3 months, 4 weeks ago
I had seen about 4 questions from this site, that are very similar and can't really confirm which is the best answer. I keep coming up with a similar solution would be to create a BIOC rule for this situation but that is not one of the choices, it is different from a BTP rule, which to my research does not allow creation of rules to the general public. I had wondered if they possibly got the question mistranscribed from the source. Anyone have any other sources? C looks like it could be a good choice except as, 9smiles has suggested it is detection, not prevention, and the question asks for prevention.
upvoted 1 times
9smiles
10 months, 3 weeks ago
Please provide a reference for your claim, im2ca. I have not been able to find any supporting documentation for this. Probably you are talking about custom prevention rules, which are basically BIOC rules that you add to restriction profiles (see [1]), but BTP rules are something else and their database is not available to the public [2]. [1]: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule [2]: https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/about-behavioral-threat-protection-btp-rules/td-p/395977
upvoted 2 times
im2ca
12 months ago
Correct is A: You can create BTP rules in Cortex XDR.
upvoted 2 times
9smiles
1 year, 1 month ago
About BTP rules: "Prevents sophisticated attacks that leverage built-in OS executables and common administration utilities by continuously monitoring endpoint activity for malicious causality chains." You are not able to create these; you can only create exceptions and turn them off, so A cannot be correct. C can also not be correct, since IOCs lead to detections and do not prevent the file from running. My guess would be B.
upvoted 2 times
Community vote distribution: A (35%), C (25%), B (20%)