Table of Contents
Question
What are two purposes of “Respond to Malicious Causality Chains” in a Cortex XDR Windows Malware profile? (Choose two.)
A. Automatically close the connections involved in malicious traffic.
B. Automatically kill the processes involved in malicious activity.
C. Automatically terminate the threads involved in malicious activity.
D. Automatically block the IP addresses involved in malicious traffic.
Answer
A. Automatically close the connections involved in malicious traffic.
D. Automatically block the IP addresses involved in malicious traffic.
Explanation
Answer: A and D.
Explanation: The “Respond to Malicious Causality Chains” feature in a Cortex XDR Windows Malware profile allows the agent to take automatic actions against network connections and processes that are involved in malicious activity on the endpoint. The feature has two modes: Block IP Address and Kill Process.
The Block IP Address mode automatically closes the connections involved in malicious traffic and blocks the IP addresses involved in malicious traffic from communicating with the endpoint. This mode is useful for preventing remote network attacks that attempt to perform malicious activity on the endpoint, such as encrypting files or stealing data. The agent maintains a list of blocked IP addresses per endpoint, which can be viewed and managed from the Cortex XDR Action Center. The agent also supports an IP addresses allow list, which can be configured in the Malware Security profile to exclude specific and known safe IP addresses or IP address ranges from being blocked. This mode is supported for IPv4 connections only.
The Kill Process mode automatically kills the processes involved in malicious activity on the endpoint. This mode is useful for stopping local malware infections that attempt to perform malicious activity on the endpoint, such as creating persistence mechanisms or modifying system settings. The agent also supports a process allow list, which can be configured in the Malware Security profile to exclude specific and known safe processes from being killed.
The “Respond to Malicious Causality Chains” feature does not automatically terminate the threads involved in malicious activity (option C), as this would not stop the entire process from running. Therefore, option C is incorrect.
Reference
- Solved: LIVEcommunity – Behavioral Alert from Vulnerability Scanner – How to Allow Scans WITHOUT alerts from IP address? – LIVEcommunity – 456271 (paloaltonetworks.com)
- LIVEcommunity – Automatic deletion of files suspected/confirmed as malware – LIVEcommunity – 448949 (paloaltonetworks.com)
- Remediate Changes from Malicious Activity • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal
- Cortex XDR Agent 7.3 New Features | Palo Alto Networks
- Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA) – Palo Alto Networks
- LIVEcommunity – Registration LIVE for our NEW Certification, PCDRA! – LIVEcommunity – 447726 (paloaltonetworks.com)
- LIVEcommunity – NEW: PCDRA Certification Preparation Workshop – LIVEcommunity – 448022 (paloaltonetworks.com)
- Add a New Malware Security Profile • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal
Palo Alto Networks Certified Detection and Remediation Analyst PCDRA certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the Palo Alto Networks Certified Detection and Remediation Analyst PCDRA exam and earn Palo Alto Networks Certified Detection and Remediation Analyst PCDRA certification.