XDR-Analyst Online Practice Questions


Latest XDR-Analyst Exam Practice Questions

The practice questions for the XDR-Analyst exam were last updated on 2025-12-17.


Question#1

Live Terminal uses which type of protocol to communicate with the agent on the endpoint?

A. NetBIOS over TCP
B. WebSocket
C. UDP and a random port
D. TCP, over port 80

Explanation:
Live Terminal uses the WebSocket protocol to communicate with the agent on the endpoint.
WebSocket is a full-duplex communication protocol that enables bidirectional data exchange between a client and a server over a single TCP connection. WebSocket is designed to be implemented in web browsers and web servers, but it can be used by any client or server application. WebSocket provides a persistent connection between the Cortex XDR console and the endpoint, allowing you to execute commands and receive responses in real time. Live Terminal uses port 443 for WebSocket communication, which is the same port used for HTTPS traffic.
Reference: Initiate a Live Terminal Session
WebSocket

Question#2

What is by far the most common tactic used by ransomware to shut down a victim’s operation?

A. preventing the victim from being able to access APIs to cripple infrastructure
B. denying traffic out of the victim's network until payment is received
C. restricting access to administrative accounts to the victim
D. encrypting certain files to prevent access by the victim

Explanation:
Ransomware is a type of malicious software, or malware, that encrypts certain files or data on the victim’s system or network and prevents them from accessing their data until they pay a ransom. This is by far the most common tactic used by ransomware to shut down a victim’s operation, as it can cause costly disruptions, data loss, and reputational damage. Ransomware can affect individual users, businesses, and organizations of all kinds. Ransomware can spread through various methods, such as phishing emails, malicious attachments, compromised websites, or network vulnerabilities. Some ransomware variants can also self-propagate and infect other devices or networks.
Ransomware authors typically demand payment in cryptocurrency or other untraceable methods, and may threaten to delete or expose the encrypted data if the ransom is not paid within a certain time frame. However, paying the ransom does not guarantee that the files will be decrypted or that the attackers will not target the victim again. Therefore, the best way to protect against ransomware is to prevent infection in the first place, and to have a backup of the data in case of an attack.
Reference: What is Ransomware? | How to Protect Against Ransomware in 2023
Ransomware - Wikipedia
What is ransomware? | Ransomware meaning | Cloudflare
What Is Ransomware? | Ransomware.org
Ransomware - FBI

Question#3

Which minimum Cortex XDR agent version is required for Kubernetes Cluster?

A. Cortex XDR 6.1
B. Cortex XDR 7.4
C. Cortex XDR 7.5
D. Cortex XDR 5.0

Explanation:
The minimum Cortex XDR agent version required for Kubernetes Cluster is Cortex XDR 7.5. This version introduces the Cortex XDR agent for Kubernetes hosts, which provides protection and visibility for Linux hosts that run on Kubernetes clusters. The Cortex XDR agent for Kubernetes hosts supports the following features:
Anti-malware protection
Behavioral threat protection
Exploit protection
File integrity monitoring
Network security
Audit and remediation
Live terminal
To install the Cortex XDR agent for Kubernetes hosts, you need to deploy the Cortex XDR agent as a DaemonSet on your Kubernetes cluster. You also need to configure the agent settings profile and the agent installer in the Cortex XDR management console.
Reference: Cortex XDR Agent Release Notes: This document provides the release notes for Cortex XDR agent versions, including the new features, enhancements, and resolved issues.
Install the Cortex XDR Agent for Kubernetes Hosts: This document explains how to install and configure the Cortex XDR agent for Kubernetes hosts using the Cortex XDR management console and the Kubernetes command-line tool.

Question#4

What motivation do ransomware attackers have for returning access to systems once their victims have paid?

A. There is organized crime governance among attackers that requires the return of access to remain in good standing.
B. Nation-states enforce the return of system access through the use of laws and regulation.
C. Failure to restore access to systems undermines the scheme because others will not believe their valuables would be returned.
D. The ransomware attackers hope to trace the financial trail back and steal more from traditional banking institutions.

Explanation:
Ransomware attackers have a motivation to return access to systems once their victims have paid because they want to maintain their reputation and credibility. If they fail to restore access to systems, they risk losing the trust of future victims who may not believe that paying the ransom will result in getting their data back. This would reduce the effectiveness and profitability of their scheme. Therefore, ransomware attackers have an incentive to honor their promises and decrypt the data after receiving the ransom.
Reference: What is the motivation behind ransomware? | Foresite
As Ransomware Attackers’ Motives Change, So Should Your Defense - Forbes

Question#5

What should you do to automatically convert leads into alerts after investigating a lead?

A. Lead threats can't be prevented in the future because they already exist in the environment.
B. Create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
C. Create BIOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting.
D. Build a search query using Query Builder or XQL using a list of IOCs.

Explanation:
To automatically convert leads into alerts after investigating a lead, you should create IOC rules based on the set of the collected attribute-value pairs over the affected entities concluded during the lead hunting. IOC rules are used to detect known threats based on indicators of compromise (IOCs) such as file hashes, IP addresses, domain names, etc. By creating IOC rules from the leads, you can prevent future occurrences of the same threats and generate alerts for them.
Reference: PCDRA Study Guide, page 25
Cortex XDR 3: Handling Cortex XDR Alerts, section 3.2
Cortex XDR Documentation, section “Create IOC Rules”

Exam Code: XDR-Analyst | Q&A: 91 Q&As | Updated: 2025-12-17
