After scan, how does file quarantine function work on an endpoint?
Correct Answer: C
Explanation: Quarantine is a Cortex XDR feature that isolates a malicious file from its original location so that it can no longer be executed. The agent moves the file to a protected folder on the endpoint and changes its permissions and attributes. Quarantine can be applied to files detected by periodic scans or by Behavioral Threat Protection (BTP) rules. Quarantine is only supported for portable executable (PE) and dynamic link library (DLL) files. Quarantining a file does not affect the endpoint's network connectivity or its communication with Cortex XDR.
References:
* Quarantine Malicious Files
* Manage Quarantined Files
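The explanation above describes the mechanism in one sentence: move the file out of its original location into a protected folder, change its permissions, and keep enough of a record to restore it later. The following is an added, illustrative Python sketch of that flow; it is not Cortex XDR's code, and the vault layout, the `.quar`/`.json` naming, the sidecar record format and the two-byte MZ check used to stand in for "PE or DLL only" are all assumptions. A real agent does this with tamper-protected, privileged components rather than plain file moves, so treat it as a model of the bookkeeping, not of the enforcement.

```python
"""Added example: minimal file quarantine (isolate, strip permissions, record,
restore). Illustrative only; not Cortex XDR's implementation. Layout and
record format are assumptions."""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Optional

PE_MAGIC = b"MZ"  # DOS header signature shared by .exe and .dll images


def is_pe_file(path: Path) -> bool:
    """Assumed restriction: only PE/DLL images (MZ header) are quarantined."""
    with path.open("rb") as f:
        return f.read(2) == PE_MAGIC


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: Path, vault: Path, reason: str) -> Optional[dict]:
    """Move `path` into `vault` renamed to its hash (so it cannot be launched
    by its original name), remove all permissions, and write a sidecar record.
    Returns the record, or None if the file is not a PE image."""
    path = Path(path)
    if not is_pe_file(path):
        return None
    vault.mkdir(parents=True, exist_ok=True)
    os.chmod(vault, stat.S_IRWXU)  # owner-only: other users cannot browse it
    digest = sha256_of(path)
    dest = vault / f"{digest}.quar"
    record = {
        "original_path": str(path.resolve()),
        "sha256": digest,
        "reason": reason,
        "size": path.stat().st_size,
    }
    shutil.move(str(path), str(dest))
    os.chmod(dest, 0)  # no read/write/execute bits for anyone
    (vault / f"{digest}.json").write_text(json.dumps(record))
    return record


def restore(vault: Path, digest: str) -> Path:
    """Reverse a quarantine from the sidecar record (the analyst's restore action)."""
    record = json.loads((vault / f"{digest}.json").read_text())
    src = vault / f"{digest}.quar"
    dest = Path(record["original_path"])
    os.chmod(src, stat.S_IRUSR | stat.S_IWUSR)
    shutil.move(str(src), str(dest))
    (vault / f"{digest}.json").unlink()
    return dest


def demo() -> dict:
    """Constructed scenario: a fake PE (MZ header plus padding, not real
    malware) and a benign text file that must be left alone."""
    root = Path(tempfile.mkdtemp())
    vault = root / "quarantine"
    fake_pe = root / "dropper.exe"
    fake_pe.write_bytes(b"MZ" + b"\x90" * 62)
    note = root / "readme.txt"
    note.write_text("benign")
    rec = quarantine(fake_pe, vault, "BTP rule match (constructed)")
    skipped = quarantine(note, vault, "not a PE")
    isolated = (not fake_pe.exists()) and (vault / f"{rec['sha256']}.quar").exists()
    restored = restore(vault, rec["sha256"])
    return {
        "pe_quarantined": rec is not None,
        "txt_skipped": skipped is None and note.exists(),
        "isolated": isolated,
        "restored_ok": restored.exists() and restored.read_bytes()[:2] == b"MZ",
        "sha256": rec["sha256"],
    }


if __name__ == "__main__":
    print(demo())
```

Renaming the file to its hash inside the vault is what makes a later "release" or "restore" decision safe to key on: the hash is what the console shows, and the sidecar record is what maps it back to the original path.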
PCDRA Exam Question 42
When viewing the incident directly, what is the "assigned to" field value of a new Incident that was just reported to Cortex?
Correct Answer: C
Explanation: The "assigned to" field of a new incident that was just reported to Cortex is "Unassigned". This means the incident has not been assigned to any analyst or group yet and is waiting for someone to take ownership of it. "Assigned to" is one of the default fields displayed in the incident layout and can be used to filter and sort the incident list. It can be changed manually by an analyst, or automatically by a playbook or a rule.
The other options:
A: Pending. Not correct. Pending is not a valid value for the "assigned to" field; it is a status value, which describes the incident's lifecycle state rather than its owner.
B: It is blank. Not correct. The "assigned to" field is never blank. A new incident always defaults to "Unassigned" unless a playbook or a rule assigns it to a specific analyst or group.
D: New. Not correct. New is not a valid value for the "assigned to" field; it is the status of a freshly reported incident, not an assignee.
In conclusion, the "assigned to" field of a new incident that was just reported to Cortex is "Unassigned". The field tracks ownership and responsibility for the incident and can be changed manually or automatically.
References:
* Cortex XDR Pro Admin Guide: Manage Incidents
* Cortex XDR Pro Admin Guide: Assign Incidents
* Cortex XDR Pro Admin Guide: Update Incident Status
PCDRA Exam Question 43
Which statement is true for Application Exploits and Kernel Exploits?
Correct Answer: C
PCDRA Exam Question 44
Which license is required when deploying Cortex XDR agent on Kubernetes Clusters as a DaemonSet?
Correct Answer: A
PCDRA Exam Question 45
Where would you go to add an exception to exclude a specific file hash from examination by the Malware profile for a Windows endpoint?