What will enable a custom prevention rule to block specific behavior?

A. A correlation rule added to an Agent Blocking profile
B. A custom behavioral indicator of compromise (BIOC) added to an Exploit profile
C. A custom behavioral indicator of compromise (BIOC) added to a Restriction profile
D. A correlation rule added to a Malware profile

Which step is required to configure a proxy for an XDR Collector?

A. Edit the YAML configuration file with the new proxy information
B. Restart the XDR Collector after configuring the proxy settings
C. Connect the XDR Collector to the Pathfinder
D. Configure the proxy settings on the Cortex XDR tenant

Which components may be included in a Cortex XDR content update?

A. Device control profiles, agent versions, and kernel support
B. Behavioral Threat Protection (BTP) rules and local analysis logic
C. Antivirus definitions and agent versions
D. Firewall rules and antivirus definitions

What is the earliest time frame an alert could be automatically generated once the conditions of a new correlation rule are met?

A. Between 30 and 45 minutes
B. Immediately
C. 5 minutes or less
D. Between 10 and 20 minutes

Which two steps should be considered when configuring the Cortex XDR agent for a sensitive and highly regulated environment? (Choose two.)

A. Enable critical environment versions
B. Create an agent settings profile where the agent upgrade scope is maintenance releases only
C. Create an agent settings profile, enable content auto-update, and include a delay of four days
D. Enable minor content version updates

How long is data kept in the temporary hot storage cache after being queried from cold storage?

A. 1 hour, re-queried to a maximum of 12 hours
B. 24 hours, re-queried to a maximum of 7 days
C. 24 hours, re-queried to a maximum of 14 days
D. 1 hour, re-queried to a maximum of 24 hours

A correlation rule is created to detect potential insider threats by correlating user login events from one dataset with file access events from another dataset. The rule must retain all user login events, even if there are no matching file access events, to ensure no login activity is missed.

dataset = x
| join (dataset = y)

Which type of join is required to maintain all records from dataset x, even if there are no matching events from dataset y?

A. Inner
B. Left
C. Right
D. Outer

What are two possible actions that can be triggered by a dashboard drilldown? (Choose two.)

A. Navigate to a different dashboard
B. Initiate automated response actions
C. Link to an XQL query
D. Send alerts to console users

An engineer wants to automate the handling of alerts in Cortex XDR and defines several automation rules with different actions to be triggered based on specific alert conditions. Some alerts do not trigger the automation rules as expected. Which statement explains why the automation rules might not apply to certain alerts?

A. They are executed in sequential order, so alerts may not trigger the correct actions if the rules are not configured properly
B. They only apply to new alerts grouped into incidents by the system, and only alerts that generate incidents trigger automation actions
C. They can only be triggered by alerts with high severity; alerts with low or informational severity will not trigger the automation rules
D. They can be applied to any alert, but they only work if the alert is manually grouped into an incident by the analyst

An engineer is building a dashboard to visualize the number of alerts from various sources. One of the widgets from the dashboard is shown in the image below:

The engineer wants to configure a drilldown on this widget to allow dashboard users to select any of the alert names and view those alerts with additional relevant details. The engineer has configured the following XQL query to meet the requirement:

dataset = alerts
| fields alert_name, description, alert_source, severity, original_tags, alert_id, incident_id
| filter alert_name =
| sort desc _time

How will the engineer complete the third line of the query (filter alert_name =) to allow dynamic filtering on a selected alert name?

A. $y_axis.value
B. $x_axis.value
C. $x_axis.name
D. $y_axis.name