01. What does a "Red" incident score (e.g., 95) signify in the console?
a) The incident is currently being handled.
b) The incident is high-risk and high-priority.
c) The incident is a confirmed false positive.
d) The incident is older than 30 days.
02. Which of the following are valid data sources that can be queried using XQL in Cortex XDR?
(Select TWO).
a) pan_palo_alto_networks_firewall_raw
b) traps_management_service_logs
c) endpoint_event_log
d) xdr_data
03. When an automated response (Playbook) is triggered in Cortex XDR, where can an analyst see the results of those actions?
a) In the "Endpoint Administration" tab.
b) Only by logging into the remote host.
c) In the "Timeline" view of the incident.
d) In a physical letter sent to the office.
04. Which of the following are valid resolution statuses when resolving an incident?
(Select TWO).
a) Not Applicable
b) True Positive
c) Deleted by User
d) False Positive
05. During an investigation, you discover a malicious file. You want to see every other endpoint that has this same file. Which XQL command should you start with?
a) dataset = xdr_data | filter file_sha256 = "..."
b) show all files where hash is "..."
c) find file "..."
d) dataset = incidents | list all
06. You run the following query:
dataset = xdr_data | filter action_external_hostname != null | comp count(action_external_hostname) as visit_count by agent_hostname | sort desc visit_count | limit 5
What will be the output of this query?
a) A list of the 5 most frequently visited external websites across the entire company.
b) The names of 5 users who were blocked by the firewall.
c) The top 5 hosts that have made the most external network connections.
d) A list of 5 hosts that have no external network traffic.
07. During an investigation, you use the "Timeline" view. You see a sequence of events: 1. User opens Word -> 2. Word launches PowerShell -> 3. PowerShell connects to an external IP. Which feature allows you to see the parent-child relationship of these processes visually?
a) Timeline
b) Log View
c) Asset Management
d) Causality View
08. Which of the following are valid "Alert Sources" that Cortex XDR can ingest and analyze?
(Select THREE).
a) Cortex XDR Agents
b) Palo Alto Networks Next-Generation Firewalls
c) Third-party SIEM alerts via API
d) Legacy antivirus logs from local disk via FTP
e) Windows Event Logs (via Broker VM or Agent)
09. A security administrator needs to prevent a specific high-volume, low-risk administrative tool from triggering "Malicious Executable" alerts. Which action should be taken to stop these alerts from appearing in the future while maintaining the ability to see them in logs?
a) Create an Alert Exclusion
b) Create a Support Exception
c) Disable the Malware Profile
d) Quarantine the executable
10. You are configuring a custom prioritization rule to increase the incident score for alerts involving the "Domain Admin" user group. Which Cortex XDR feature allows you to adjust severity based on this user attribute?
a) Incident Scoring Configuration
b) Alert Starring Rules
c) Custom Prioritization Rules
d) Featured Fields Configuration