Palo Alto Networks XDR-Engineer Actual Free Exam Questions & Community Discussion

Exam Code/Number: XDR-Engineer
Exam Name/Title: Palo Alto Networks XDR Engineer
Certification Provider: Palo Alto Networks
Corresponding Certification: Security Operations

Exam Questions: 52
Updated On: Jun 03, 2026

Question #25

An engineer wants to automate the handling of alerts in Cortex XDR and defines several automation rules with different actions to be triggered based on specific alert conditions. Some alerts do not trigger the automation rules as expected. Which statement explains why the automation rules might not apply to certain alerts?

A. They are executed in sequential order, so alerts may not trigger the correct actions if the rules are not configured properly

B. They can only be triggered by alerts with high severity; alerts with low or informational severity will not trigger the automation rules

C. They can be applied to any alert, but they only work if the alert is manually grouped into an incident by the analyst

D. They only apply to new alerts grouped into incidents by the system and only alerts that generateincidents trigger automation actions

Discussion 0

Correct Answer: A Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #26

After deploying Cortex XDR agents to a large group of endpoints, some of the endpoints have a partially protected status. In which two places can insights into what is contributing to this status be located? (Choose two.)

A. Asset Inventory

B. Management Audit Logs

C. XQL query of the endpoints dataset

D. All Endpoints page

Discussion 0

Correct Answer: C,D Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #27

Based on the Malware profile image below, what happens when a new custom-developed application attempts to execute on an endpoint?

A. It will execute after one hour

B. It will not execute

C. It will immediately execute

D. It will execute after the second attempt

Discussion 0

Correct Answer: B Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #28

An XDR engineer is configuring an automation playbook to respond to high-severity malware alerts by automatically isolating the affected endpoint and notifying the security team via email. The playbook should only trigger for alerts generated by the Cortex XDR analytics engine, not custom BIOCs. Which two conditions should the engineer include in the playbook trigger to meet these requirements? (Choose two.)

A. Alert severity is High

B. Alert status is New

C. Alert source is Cortex XDR Analytics

D. Alert category is Malware

Discussion 0

Correct Answer: A,D Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #29

Which XQL query can be saved as a behavioral indicator of compromise (BIOC) rule, then converted to a custom prevention rule?

A. dataset = xdr_data
| filter event_type = ENUM.DEVICE and action_process_image_name = "**"
and action_process_image_command_line = "-e cmd*"
and action_process_image_command_line != "*cmd.exe -a /c*"

B. dataset = xdr_data
| filter event_type = FILE and (event_sub_type = FILE_CREATE_NEW or event_sub_type = FILE_WRITE or event_sub_type = FILE_REMOVE or event_sub_type = FILE_RENAME) and agent_hostname = "hostname"
| filter lowercase(action_file_path) in ("/etc/*", "/usr/local/share/*", "/usr/share/*") and action_file_extension in ("conf", "txt")
| fields action_file_name, action_file_path, action_file_type, agent_ip_addresses, agent_hostname, action_file_path

C. dataset = xdr_data
| filter event_type = ENUM.PROCESS and action_process_image_name = "**" and action_process_image_command_line = "-e cmd*" and action_process_image_command_line != "*cmd.exe -a /c*"

D. dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_type = ENUM.DEVICE and
action_process_image_name = "**"
and action_process_image_command_line = "-e cmd*"
and action_process_image_command_line != "*cmd.exe -a /c*"

Discussion 0

Correct Answer: C Vote an answer

Explanation: Only visible for EduDump members. You can sign-up / login (it's free).

Question #30

Log events from a previously deployed Windows XDR Collector agent are no longer being observed in the console after an OS upgrade. Which aspect of the log events is the probable cause of this behavior?

A. They are in Winlogbeat format

B. They are in Filebeat format

C. They are less than 1MB

D. They are greater than 5MB

Discussion 0

Correct Answer: D Vote an answer

Download Free Palo Alto Networks XDR-Engineer Demo

Simply submit your e-mail address below to get started with our free demo of your Palo Alto Networks XDR-Engineer exam.