01. Who typically defines the rule-scoring thresholds in Cortex XDR correlation logic?
a) SOC Tier-1 Analysts
b) Machine Learning Algorithm
c) Platform Administrator
d) External Threat Feed Provider
02. An administrator wants to employ reusable rules within custom parsing rules to apply consistent log field extraction across multiple data sources. Which section of the parsing rule should the administrator use to define those reusable rules in Cortex XDR?
a) CONST
b) INGEST
c) FILTER
d) RULE
03. Which condition is required if an automation rule should apply only to alerts generated by the Cortex XDR Analytics engine?
a) Alert table is exported
b) Alert status is Resolved
c) Dashboard filter is set
d) Alert source is Cortex XDR Analytics
04. What is the earliest time frame an alert could be automatically generated once the conditions of a new correlation rule are met?
a) Between 30 and 45 minutes
b) Between 10 and 20 minutes
c) 5 minutes or less
d) Immediately
05. Which TWO factors help ensure accurate alert generation?
(Choose 2)
a) Proper detection rule configuration and tuning
b) Increased number of dashboards available
c) Accurate normalization and consistent data mapping
d) Modified endpoint prevention profiles
06. What would be the best way to apply different security policies to Linux and Windows endpoints using Cortex XDR?
a) Create separate user roles
b) Use external scripts to apply policies
c) Manually assign each policy to every agent
d) Use OS filters in endpoint groups
07. During the deployment of a Broker VM in a high availability (HA) environment, after configuring the Broker VM FQDN, an XDR engineer must ensure agent installer availability and efficient content caching to maintain performance consistency across failovers.
Which additional configuration steps should the engineer take?
a) Use shared SSL certificates and keys for all Broker VMs and configure a single IP address for failover
b) Upload the signed SSL server certificate and key and deploy a load balancer
c) Deploy a load balancer and configure SSL termination at the load balancer
d) Enable synchronized session persistence across Broker VMs and use a self-signed certificate and key
08. Which Cortex XDR component is explicitly listed in the official XDR Engineer blueprint under Planning and Installation?
a) Incident classifier
b) Dashboard drilldown engine
c) Cloud Identity Engine
d) Threat intel campaign mapper
09. Why might an endpoint show as “Disconnected” in Cortex XDR even if the operating system is functioning normally?
a) The agent service is not running or is blocked by local firewall
b) The agent is using an outdated policy
c) The host is not part of the trusted domain
d) The endpoint has been offboarded
10. What is the primary purpose of enabling exploit protection within a Cortex XDR prevention policy?
a) To block network-based threats like port scanning
b) To prevent user account takeovers through password policies
c) To isolate the host from all incoming traffic
d) To protect applications against memory corruption techniques