Palo Alto Networks PSE-Cortex Exam Dumps & Practice Test Questions
Question 1:
What metric does the Cortex XSOAR "Saved by Dbot" widget primarily measure?
A. The total dollar amount saved from actions taken by all Cortex XSOAR users across incidents
B. The monetary savings gained by using Cortex XSOAR instead of alternative security tools
C. The total time saved for each playbook task executed within incidents
D. The time saved through Dbot’s machine learning functionalities
Correct Answer: C
Explanation:
The “Saved by Dbot” widget in Cortex XSOAR is designed to track and quantify time savings achieved by automating security operations, specifically within the context of incident response. This widget does not calculate financial savings or compare Cortex XSOAR to other platforms; rather, it focuses on the amount of time saved by automating tasks that would otherwise be performed manually by security analysts.
When a playbook task runs automatically, Cortex XSOAR estimates how long it would have taken a human to complete the same task manually. These time estimates can be based on default values or customized benchmarks reflecting organizational standards. For example, if a playbook automates an IP enrichment process, the widget might calculate that 3 to 5 minutes were saved per incident, since an analyst no longer has to execute those steps manually.
As these automated tasks accumulate across multiple incidents, the widget aggregates the total time saved, providing security operations teams with a clear measurement of the efficiency and productivity gains achieved through automation. This helps teams demonstrate operational improvements and justify investments in automation technology.
Why the other options are incorrect:
A: This option suggests the widget calculates monetary savings based on all user actions, but the widget exclusively tracks time saved, not dollar amounts.
B: This choice implies a cost comparison between Cortex XSOAR and other products, which the widget does not provide; it is focused on internal automation impact only.
D: While Dbot may leverage machine learning (ML) capabilities in certain features, the widget’s purpose is not to quantify time saved by ML specifically. It measures time saved through all automated playbook tasks, regardless of underlying technology.
In summary, the “Saved by Dbot” widget acts as a time-savings indicator, showing how automation reduces manual effort in incident handling. It helps security teams track labor hours saved, improved response times, and enhanced workflow efficiency — critical factors in demonstrating return on investment in automation.
Question 2:
Which feature of the Cortex XDR agent is responsible for blocking malicious files from being introduced through USB-connected removable devices?
A. Agent management
B. Device control
C. Agent configuration
D. Device customization
Correct Answer: B
Explanation:
The Cortex XDR feature that prevents malicious files from USB-connected removable devices is known as device control. This is a key endpoint security capability that allows organizations to enforce policies restricting the use of peripheral devices, such as USB drives, which are often exploited to introduce malware or exfiltrate sensitive data.
With device control enabled, administrators can create granular rules defining which types of USB devices are allowed or blocked on managed endpoints. For example, they can block all mass storage devices by default or allow only devices that appear on an approved allow list based on attributes such as vendor ID or serial number. This prevents unauthorized or potentially harmful USB devices from being used.
This functionality is essential in protecting endpoints from attacks that rely on physical media. Malware hidden in USB drives can automatically execute when plugged into a machine, especially if autorun features are exploited. By controlling access to USB storage, Cortex XDR reduces the risk of malware spreading and strengthens endpoint defenses.
The other options are incorrect for these reasons:
A. Agent management involves the deployment, updating, and monitoring of Cortex XDR agents but does not directly control device access.
C. Agent configuration relates to setting policies for threat detection and resource use, but the actual enforcement of USB blocking happens under device control.
D. Device customization is not a recognized feature in Cortex XDR and does not pertain to USB device management.
Device control settings are applied through Cortex XDR’s policy management interface, where administrators specify the actions to take when removable devices are connected — such as block, allow, or alert. These rules are then enforced by the agent on the endpoint, with detailed logging to monitor USB activity.
In conclusion, device control is the precise feature that enforces security policies preventing malicious file loading from USB-connected devices, thereby enhancing endpoint security and reducing attack vectors related to removable media.
Question 3:
Which log type does Cortex XDR Pro natively ingest on a per-terabyte basis?
A. Google Kubernetes Engine
B. Demisto
C. Docker
D. Microsoft Office 365
Answer: D
Explanation:
Cortex XDR Pro’s per-terabyte (TB) native log ingestion refers to its built-in capability to intake, process, and analyze specific log sources directly, without requiring additional third-party integrations or complex preprocessing. Among the options given, Microsoft Office 365 is the log type Cortex XDR Pro is designed to natively ingest on a per-TB licensing basis.
Microsoft Office 365 generates comprehensive telemetry logs covering services such as Exchange Online, SharePoint Online, and Microsoft Teams. These logs provide critical security insights into user activities like sign-ins, email exchanges, file access, and sharing. Since these logs contain valuable information about authentication events, suspicious behaviors, and potential insider threats, they are highly relevant for security analytics platforms like Cortex XDR.
Cortex XDR Pro supports native ingestion of Office 365 logs by leveraging direct APIs, allowing seamless import of audit data with minimal manual effort. This facilitates extensive detection, correlation, and investigation of suspicious activities within an organization’s cloud environment. The licensing model based on volume ingested per TB suits Office 365’s high-volume log output, ensuring that enterprises can monitor these critical logs efficiently.
The other options do not fit this native per-TB ingestion model:
Google Kubernetes Engine (GKE): While Kubernetes logs are essential for container security, Cortex XDR does not provide direct, native ingestion of GKE logs per TB out of the box. Collecting Kubernetes logs usually requires additional tools like Fluentd or third-party log forwarders.
Demisto: Now known as Cortex XSOAR, Demisto is a SOAR platform rather than a log source. It orchestrates automated security responses but does not itself generate native logs ingested on a per-TB basis.
Docker: Docker generates container runtime logs, but similar to Kubernetes, ingesting these logs in Cortex XDR often needs intermediary log shippers or connectors. There is no direct native per-TB ingestion for Docker logs in Cortex XDR.
In summary, Microsoft Office 365 stands out as the native log source for Cortex XDR Pro’s per-TB ingestion licensing, enabling security teams to analyze large-scale audit logs directly, with no complex integration needed.
Question 4:
If an attacker tries to communicate with malware inside a network to control it or steal data, which Cortex XDR Analytics alert is most likely to be triggered?
A. Uncommon local scheduled task creation
B. Malware
C. New administrative behavior
D. DNS Tunneling
Answer: D
Explanation:
The scenario describes an adversary attempting covert communication with malware within a compromised network to control it or extract sensitive data. This kind of activity is a hallmark of command-and-control (C2) operations or data exfiltration performed by malware.
The most probable Cortex XDR Analytics alert triggered in this situation is DNS Tunneling. DNS tunneling is a stealthy technique attackers use to send data or commands by encoding them within DNS query and response traffic. Because DNS traffic is typically allowed through firewalls without deep inspection, it serves as an effective channel for malware to communicate with external command servers or exfiltrate stolen information without raising suspicion.
Cortex XDR uses advanced machine learning and behavior analysis to detect anomalies in DNS traffic patterns, such as unusually frequent DNS queries, requests to suspicious or uncommon domain names, or queries that carry encoded data. When such patterns are identified, Cortex XDR generates a DNS Tunneling alert, signaling potential hidden communication between internal hosts and external malicious actors.
Examining the other options:
Uncommon local scheduled task creation relates to suspicious persistence mechanisms on endpoints, indicating a newly created scheduled task that deviates from normal behavior. It does not directly relate to network-based malware communication or data exfiltration.
Malware alerts typically flag known malicious software based on signatures or suspicious endpoint behavior but do not specifically indicate network communication methods like DNS tunneling.
New administrative behavior alerts concern unusual administrative actions by users, which might indicate insider threats or credential compromise but do not cover external malware communication channels.
Therefore, DNS Tunneling is the most precise and relevant alert type in this case. Cortex XDR’s behavioral analytics are well-equipped to detect this sophisticated technique, providing security teams with early warnings of covert malware control or data leakage attempts.
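A defender-side heuristic for the pattern the explanation describes (many queries from one host to one base domain, each carrying a long, high-entropy subdomain label) is shown below as an added example in Python. It is not Cortex XDR's detection logic; the log format, the sample lines and the thresholds are assumptions constructed for this illustration.

```python
import math
from collections import defaultdict

# Constructed sample log (not real traffic). Format: "<epoch> <src_host> <qtype> <qname>"
# ws-101 shows ordinary lookups; ws-102 sends long hex-encoded labels to one base
# domain, the kind of pattern a DNS Tunneling alert is meant to surface.
SAMPLE_DNS_LOG = """\
1700000000 ws-101 A www.example.com
1700000001 ws-101 A mail.example.com
1700000003 ws-101 AAAA cdn.example.net
1700000005 ws-101 A www.example.com
1700000002 ws-102 TXT 3f9a1c7e4b2d8e6a5c0f7b3d9e1a4c6f8b2d0e7a.c2-updates.test
1700000003 ws-102 TXT a84e2c6f1b9d3e7a0c5f8b2d4e6a9c1f7b3d5e0a.c2-updates.test
1700000004 ws-102 TXT 7c1e9b4a2f6d8c0e3a5b7d9f1c4e6a8b0d2f5e7a.c2-updates.test
1700000005 ws-102 TXT d5b2f8e1a7c3d9e0b4f6a2c8e5d1b7f3a9c0e6d2.c2-updates.test
1700000006 ws-102 TXT 2e6a9c3f7b1d5e8a0c4f6b2d8e1a7c5f9b3d0e4a.c2-updates.test
1700000007 ws-102 A www.example.com
"""

# Thresholds are assumptions for the demo, not product defaults.
MIN_QUERIES = 5        # queries to one base domain before the pair is judged
MAX_LABEL_LEN = 32     # ordinary hostnames are far shorter than this
MIN_ENTROPY = 3.0      # bits/char; hex or base32 encoded data sits near or above this


def shannon_entropy(s: str) -> float:
    """Bits per character: ~0 for repetitive text, up to log2(alphabet size)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def base_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Yield (host, qtype, qname) from the space-separated format above."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _, host, qtype, qname = parts
        yield host, qtype, qname


def find_dns_tunneling(text):
    """Return {(host, base_domain): stats} for pairs whose queries look like tunneling."""
    groups = defaultdict(list)
    for host, qtype, qname in parse_log(text):
        bd = base_domain(qname)
        leading = qname[: -len(bd)].rstrip(".")  # labels that would carry encoded data
        longest = max((len(lab) for lab in leading.split(".")), default=0)
        groups[(host, bd)].append((longest, shannon_entropy(leading), qtype))
    flagged = {}
    for key, obs in groups.items():
        if len(obs) < MIN_QUERIES:
            continue
        avg_len = sum(o[0] for o in obs) / len(obs)
        avg_ent = sum(o[1] for o in obs) / len(obs)
        txt_share = sum(1 for o in obs if o[2] == "TXT") / len(obs)
        if avg_len >= MAX_LABEL_LEN and avg_ent >= MIN_ENTROPY:
            flagged[key] = {"queries": len(obs), "avg_label_len": round(avg_len, 1),
                            "avg_entropy": round(avg_ent, 2), "txt_share": round(txt_share, 2)}
    return flagged


if __name__ == "__main__":
    for (host, bd), stats in find_dns_tunneling(SAMPLE_DNS_LOG).items():
        print(f"possible DNS tunneling: {host} -> {bd} {stats}")
```

Only the ws-102 to c2-updates.test pair is flagged; ws-101's short, low-entropy lookups never reach the query or label-length thresholds.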
Question 5:
How do sub-playbooks influence the handling of Incident Context Data in Cortex XSOAR?
A. When configured as private, task outputs do not automatically update the root context.
B. When configured as global, sub-playbook tasks cannot access the root context.
C. When configured as global, parallel execution of tasks is enabled.
D. When configured as private, task outputs are automatically written to the root context.
Answer: A
Explanation:
In Cortex XSOAR, playbooks orchestrate automated security workflows by defining sequences of actions for incident response. Sub-playbooks are modular playbooks called within a parent playbook to promote reusability and simplify complex automations. A key consideration when working with sub-playbooks is how they interact with the incident context data—the shared data store that holds variables, outputs, artifacts, and other incident-related information accessible throughout playbook execution.
Sub-playbooks can be configured to operate in either global or private context modes, which determines how they read from and write to the root incident context.
Global context mode: Here, the sub-playbook shares the same incident context as the parent. All outputs, variables, and artifacts generated within the sub-playbook automatically update the root context. This means other parts of the parent playbook, or even other sub-playbooks, can access and modify these outputs seamlessly. This mode facilitates data sharing but risks clutter or unintended overwrites in complex playbooks.
Private context mode: When set to private, the sub-playbook operates in an isolated environment. Its outputs and variables do not automatically propagate to the root context unless explicitly designed to do so via return values or mappings. This isolation acts like a sandbox, preventing the sub-playbook’s internal data from polluting or accidentally modifying the parent’s shared context. It encourages modular design and cleaner data management.
Given these modes, option A is correct because when a sub-playbook is configured as private, task outputs do not get automatically written back to the root context. This is the expected behavior to protect the integrity of the global context.
Why the other options are incorrect:
B is false because global mode explicitly grants sub-playbooks access to the root context, not restricts it.
C is misleading since parallel task execution depends on task arrangement and playbook design, not the context mode (global vs. private).
D is incorrect since private mode prevents automatic output writing to the root context, the opposite of what this option claims.
In summary, understanding the distinction between private and global contexts is essential for effective sub-playbook design in Cortex XSOAR. Private mode offers encapsulation and avoids accidental data overwrites by isolating task outputs, while global mode promotes data sharing but can increase complexity. Hence, A accurately captures the impact of private sub-playbooks on incident context data.
Question 6:
Which two features in Cortex XSOAR enable repetitive execution (looping) through a group of tasks during a playbook run? (Select two.)
A. playbook functions
B. sub-playbooks
C. GenericPolling playbooks
D. playbook tasks
Answer: B and C
Explanation:
Looping through tasks is a powerful capability in Cortex XSOAR that enables workflows to repeatedly execute certain actions, either based on lists of data or timed conditions. This is especially important for automating repetitive steps such as enrichment of multiple entities or waiting for external processes to complete. Two distinct playbook functionalities support this kind of looping: sub-playbooks and GenericPolling playbooks.
Sub-playbooks act as reusable building blocks within a larger playbook. When configured to accept a list as input, sub-playbooks automatically execute once for each item in that list. For example, if you have a list of IP addresses extracted from an incident, a sub-playbook can loop through this list to perform enrichment or investigation tasks on each IP individually. This design enables modular, scalable workflows where repeated logic is neatly encapsulated and results can be gathered systematically.
GenericPolling playbooks provide a different type of looping based on time and condition checking. They are designed to execute a group of tasks repeatedly at defined intervals until a specified exit condition is met. This pattern is useful when waiting for asynchronous processes — such as an antivirus scan or an external threat intel query — to complete. The playbook loops, re-checking the status regularly, and exits only once the process finishes successfully or a timeout occurs. GenericPolling adds control through retries, delays, and exit conditions, ensuring efficient waiting without manual intervention.
Why the other options are not correct:
Playbook functions (A) is a vague term and does not represent a dedicated looping mechanism in Cortex XSOAR. While playbooks can include conditional logic and data processing functions, there is no inherent looping function labeled this way.
Playbook tasks (D) on their own cannot loop through multiple items or task groups effectively. While individual tasks can sometimes be repeated under specific conditions, looping a group of tasks requires using sub-playbooks or polling mechanisms.
In conclusion, sub-playbooks provide a natural way to loop over collections of data items, running complex task sets per item, while GenericPolling playbooks handle timed repetition until a condition is met. Both mechanisms complement each other to cover a broad range of looping use cases in Cortex XSOAR automation.
Thus, the correct answers are B and C.
Question 7:
Cortex XSOAR detects a malicious IP involved in command-and-control traffic. What is the most efficient way to block this IP from reaching endpoints without requiring any direct changes to firewall configurations?
A. Automatically add the IP to a threat intelligence list to improve prioritization of future alerts
B. Automatically insert the IP into a firewall deny rule
C. Automatically add the IP to an External Dynamic List (EDL) consumed by the firewall
D. Automatically open a NetOps request ticket to apply a firewall configuration change
Correct Answer: C
Explanation:
In situations where Cortex XSOAR identifies a suspicious IP address — such as one associated with command-and-control (C2) activity — security teams must act quickly to block communication from that IP to prevent further compromise. However, the constraint in this scenario is to avoid making direct configuration changes to the firewall. The best solution in this case is to utilize External Dynamic Lists (EDLs).
An External Dynamic List (EDL) is a dynamic resource that firewalls — particularly Palo Alto Networks firewalls — can reference in their security policies. These lists are typically hosted externally and contain IPs, domains, or URLs. Firewalls fetch these lists at regular intervals and automatically enforce policies based on their contents. EDLs are highly valuable in automation workflows because they support real-time updates without requiring policy redeployments.
By integrating Cortex XSOAR with a preconfigured EDL, XSOAR can programmatically add the malicious IP to the list. Since the firewall already has a rule that blocks all traffic associated with the EDL, the IP is immediately blocked without any human intervention or reconfiguration of firewall settings.
Now let’s evaluate the other options:
Option A refers to adding the IP to a threat intelligence list, which is useful for alert enrichment or detection in future incidents. However, it does not actively block the IP, making it ineffective in the short term.
Option B involves modifying the firewall deny rules. This would require a policy change and likely a configuration push, which violates the requirement of not making any firewall changes.
Option D proposes opening a ticket for a NetOps team to apply a firewall rule. This is a manual, slower process, and again, contradicts the objective of blocking the IP without changing the firewall directly.
In summary, EDLs provide a scalable, real-time, automated solution that aligns perfectly with the stated requirement. Once the firewall is configured to use the EDL, Cortex XSOAR can dynamically add new malicious IPs, ensuring continuous protection without operational delays.
Therefore, the best solution is C.
Question 8:
Which integration should be used in Cortex XSOAR to perform Splunk queries and view results directly within the platform?
A. SplunkPY integration
B. Demisto App for Splunk integration
C. XSOAR REST API integration
D. Splunk integration
Correct Answer: D
Explanation:
To search and display Splunk logs within Cortex XSOAR, the most suitable integration is the Splunk integration. This is the official and natively supported connector designed specifically for enabling Cortex XSOAR to interact directly with Splunk’s powerful logging and search capabilities.
The Splunk integration allows incident responders and automation playbooks in XSOAR to submit SPL (Search Processing Language) queries, retrieve search results, and use this data in decision-making workflows, such as correlating logs with threat intelligence, enriching incident context, or triggering further actions. This integration also enables actions like running saved searches, monitoring log patterns, and fetching specific events, making it highly valuable in automated investigations.
This integration is bi-directional and secure, using API tokens or credentials to authenticate with Splunk. Its native support ensures reliability, full feature access, and maintained compatibility, which are crucial in production environments.
Let’s consider why the other options are less appropriate:
Option A (SplunkPY integration) is typically a custom Python-based integration. While it may work for simple or non-standard tasks, it lacks the robust features, security, and support that come with the official integration. It's more prone to errors and harder to maintain in enterprise environments.
Option B (Demisto App for Splunk) works in the opposite direction — it allows Splunk to forward alerts or events into Cortex XSOAR. This is useful for initiating incidents, but it does not allow you to search or retrieve data from Splunk within XSOAR, which is the core requirement here.
Option C (XSOAR REST API integration) is a tool for external systems to interface with Cortex XSOAR, not for Cortex XSOAR to interact with other platforms. It has nothing to do with querying Splunk and is irrelevant for this use case.
In summary, if the requirement is to query Splunk from within Cortex XSOAR and display those results in dashboards or playbooks, the Splunk integration is the only correct and effective choice. It supports full interactivity, automation, and data flow between the two platforms, making it essential for any security operations center (SOC) using both tools.
Thus, the correct answer is D.
Question 9:
Which two types of Indicators of Compromise (IOCs) can be actively created and managed in Cortex XDR? (Choose two.)
A. Registry
B. File path
C. Hash
D. Hostname
Correct Answers: C and D
Explanation:
Cortex XDR supports several types of Indicators of Compromise (IOCs) that allow security analysts to proactively detect, monitor, and block malicious activities based on known threat attributes. Among the supported IOC types, hashes and hostnames stand out as key actionable elements within the Cortex XDR platform.
Hash IOCs refer to unique cryptographic representations of files—commonly in formats like MD5, SHA-1, or SHA-256. These hashes serve as fingerprints that unequivocally identify a file’s content. Cortex XDR enables the manual or automated creation of hash IOCs, allowing defenders to flag or block files associated with known malware or suspicious activity. Once a file’s hash is identified as malicious, Cortex XDR can alert on or prevent its execution, greatly enhancing the security posture. Hash IOCs are particularly valuable for identifying previously analyzed threats or well-known malware signatures.
Hostname IOCs consist of domain names or subdomains linked to malicious infrastructure—such as phishing sites, command-and-control (C2) servers, or malware distribution platforms. In Cortex XDR, these hostnames can be defined and monitored, with the system configured to alert or block traffic involving such addresses. This helps defenders respond to threats that use dynamic or changing IPs but remain tied to a consistent hostname.
On the other hand, registry keys (A) and file paths (B), while relevant in endpoint detection and behavioral analytics, are not supported IOC types for direct creation in Cortex XDR. Registry changes or suspicious file paths may be recorded and analyzed as part of behavioral analytics or endpoint monitoring but are not considered standalone IOCs in Cortex XDR’s IOC management feature.
To summarize:
C (Hash) IOCs provide a precise method for identifying and blocking known malicious files.
D (Hostname) IOCs allow for the detection of communication with known bad domains or C2 infrastructure.
Both are officially supported IOC types within Cortex XDR and can be leveraged in threat detection and prevention workflows.
Question 10:
After blocking a malicious URL discovered in a user-reported phishing email via a Cortex XSOAR playbook, what should be the next action in the automated response workflow?
A. Notify the CISO about the phishing discovery
B. Disable the reporting user’s email account
C. Send a confirmation email to the user that the threat was verified
D. Force a password reset for the user
Correct Answer: C
Explanation:
In a Cortex XSOAR environment, playbooks are automation workflows designed to handle security incidents such as phishing. Once a playbook has successfully identified and blocked a malicious URL embedded within a reported email, the next step should focus on finalizing the incident handling process with proper communication—specifically, acknowledging the reporter’s effort and closing the loop.
Option C, which involves sending a confirmation message to the reporting user, is the most suitable and user-centric action. Notifying the user that their reported email was verified as phishing:
Reinforces security awareness.
Encourages continued vigilance and participation.
Builds trust in the automated threat response process.
It also contributes to a positive feedback culture where employees feel their input matters in the broader cybersecurity effort.
Let’s review why the other options are less appropriate:
A (Notify the CISO): While escalating to executives like the CISO might be warranted in the event of a large-scale breach or targeted attack, doing so for routine phishing incidents is unnecessary. It could lead to alert fatigue and distract leadership from more critical issues.
B (Disable the email account): Disabling a user account is a drastic response that is generally reserved for confirmed account compromises or insider threat activity. In this case, the user was simply the reporter, not the victim of compromise.
D (Force a password reset): Similar to option B, this action is only warranted if there’s evidence suggesting the user account has been compromised (e.g., suspicious login behavior, unauthorized email activity). In the absence of such signs, forcing a password change is overly intrusive and could impact productivity without a security justification.
Cortex XSOAR playbooks often include communication steps as part of their design. Informing users when their reports are validated helps keep employees engaged and improves the efficiency and effectiveness of the organization’s threat detection process.
In conclusion, once a phishing URL has been blocked, the next logical and beneficial step is to confirm with the user that the email they reported was indeed malicious—making C the correct answer.