XDR-Engineer Palo Alto Networks XDR Engineer Questions and Answers

TheIdentity Threat Detection and Response (ITDR)add-on in Cortex XDR enhances identity-based threat detection by integrating with theCloud Identity Engine, which synchronizes user,group, and computer details from identity providers (e.g., Active Directory, Okta). For the Cloud Identity Engine to provide comprehensive identity data across regions, it must be properly configured and aligned with the Cortex XDR tenant’s region.

Correct Answer Analysis (A):The issue is likely thatthe XDR tenant is not in the same region as the Cloud Identity Engine. Cortex XDR tenants are region-specific (e.g., North America, Europe), and the Cloud Identity Engine must be configured to synchronize data with the tenant in the same region. If the North American tenant is used but the European offices’ identity data is managed by a Cloud Identity Engine in a different region (e.g., Europe), the tenant may not receive user, group, or computer details for European users, causing the observed issue.

Why not the other options?

B. The Cloud Identity Engine plug-in has not been installed and configured: The question states that the Cloud Identity Engine has been onboarded, implying it is installed and configured. The issue is specific to European office data, not a complete lack of integration.

C. The Cloud Identity Engine needs to be activated in all global regions: The Cloud Identity Engine does not need to be activated in all regions. It needs to be configured to synchronize with the tenant in the correct region, and regional misalignment is the more likely issue.

D. The ITDR add-on is not compatible with the Cloud Identity Engine: The ITDR add-on is designed to work with the Cloud Identity Engine, so compatibility is not the issue.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains Cloud Identity Engine integration: “The Cloud Identity Engine must be configured in the same region as the Cortex XDR tenant to ensure proper synchronization of user, group, and computer details” (paraphrased from the Cloud Identity Engine section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers ITDR and identity integration, stating that “regional alignment between the tenant and Cloud Identity Engine is critical for accurate identity data” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “data ingestion and integration” as a key exam topic, encompassing Cloud Identity Engine configuration.

Cortex XDR’shost-based firewallfeature allows administrators to define rules to control network traffic on endpoints, such as blocking outbound Remote Desktop Protocol (RDP) connections (typically on TCP port 3389). The firewall rules are organized intorule groups, which can be applied based on the endpoint’snetwork location(e.g., internal or external). Thenetwork location configurationin Agent Settings determines whether an endpoint is considered internal (e.g., on the company network at HQ) or external (e.g., remote workers on a public network). The audit confirms that a rule to block outbound RDP exists, the rule logic is correct, and it works at HQ but not for remote workers.

Correct Answer Analysis (D):The likely reason RDP connections are not being blocked for remote workers is thatthe pertinent host-based firewall rule group is only applied to internal rule groups. Since network location configuration is enabled, Cortex XDR distinguishes between internal (e.g., HQ) and external (e.g., remote workers) networks. If the firewall rule group containing the RDP block rule is applied only tointernal rule groups, it will only take effect for endpoints at HQ (internal network), as confirmed by the audit. Remote workers, on an external network, would not be subject to this rule group, allowing their outbound RDP connections to proceed.

Why not the other options?

A. The profile's default action for outbound traffic is set to Allow: While a default action of Allow could permit traffic not matched by a rule, the audit confirms the RDP block rule’s logic is adequate and works at HQ. This suggests the rule is being applied correctly for internal endpoints, but not for external ones, pointing to a rule group scoping issue rather than the default action.

B. The pertinent host-based firewall rule group is only applied to external rule groups: If the rule group were applied only to external rule groups, remote workers (on external networks) would have RDP blocked, but the audit shows the opposite—RDP is blocked at HQ (internal) but not for remote workers.

C. Report mode is set to Enabled in the report settings under the profile configuration: If report mode were enabled, the firewall rule would only log RDP traffic without blocking it, but this would affect all endpoints (both HQ and remote workers). The audit shows RDP is blocked at HQ, so report mode is not enabled.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains host-based firewall configuration: “Firewall rule groups can be applied to internal or external network locations, as determined by the network location configuration in Agent Settings. Rules applied to internal rule groups will not affect endpoints on external networks” (paraphrased from the Host-Based Firewall section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers firewall rules, stating that “network location settings determine whether a rule group applies to internal or external endpoints, impacting rule enforcement” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “Cortex XDR agent configuration” as a key exam topic, encompassing host-based firewall settings.

In Cortex XDR,static endpoint groupsare manually defined groups of endpoints, often created by uploading a file containing endpoint identifiers (e.g., IP addresses, hostnames, or aliases) using theUpload From Filefeature. If fewer endpoints are added to the group than expected (e.g., 244 instead of 321), there are several possible reasons related to endpoint status or registration.

Correct Answer Analysis (C, D):

**C. Endpoints added to the group were in Disconnected or Connection Lost status when groupstatus when group membership was added: If endpoints are in aDisconnectedorConnection Loststatus (i.e., not actively communicating with the Cortex XDR tenant), they may not be successfully added to the group, as Cortex XDR requires active registration to validate and process group membership.

D. The IP address, hostname, or alias of the endpoints must match an existing agent that has registered with the tenant: For endpoints to be added to a static group, their identifiers (IP address, hostname, or alias) in the uploaded file must correspond to agents that are registered with the Cortex XDR tenant. If the identifiers do not match registered agents, those endpoints will not be added to the group.

Why not the other options?

A. Static groups have a limit of 250 endpoints when adding by file: There is no documented limit of 250 endpoints for static groups in Cortex XDR when using the Upload From File feature. The platform supports large numbers of endpoints in groups, and this is not a valid reason.

B. Endpoints added to the new group were previously added to an existing group: In Cortex XDR, endpoints are assigned to a single group for policy application to avoid conflicts, but this does not prevent endpoints from being added to a new static group during creation. The issue lies in registration or connectivity, not prior group membership.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains endpoint group management: “Endpoints must be registered and actively connected to the tenant to be added to static groups. Unregistered or disconnected endpoints may not be included in the group” (paraphrased from the Endpoint Management section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers group creation, stating that “static groups require valid, registered endpoint identifiers, and disconnected endpoints may not be added” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “Cortex XDR agent configuration” as a key exam topic, encompassing endpoint group management.

In Cortex XDR,parsing rulesare used to extract and normalize fields from raw log data during ingestion, ensuring that the data is structured for analysis and correlation. The parsing process includes stages such as filtering, parsing, and mapping. If logs for which field data is to be parsed out are missing, while other logs from the same data source are ingested as expected, the issue likely lies within the parsing rule itself, specifically in the filtering stage that determines which logs are processed.

Correct Answer Analysis (C):The filter stage is dropping the logsis the most likely cause. Parsing rules often include afilter stagethat determines which logs are processed based on specific conditions (e.g., log content, source, or type). If the filter stage of the new parsing rule is misconfigured (e.g., using an incorrect condition like log_type != expected_type or a regex that doesn’t match the logs), it may drop the logs intended for parsing, causing them to be excluded from the ingestion pipeline. Since other logs from the same data source are ingested correctly, the issue is specific to the parsing rule’s filter, not a broader ingestion problem.

Why not the other options?

A. The Broker VM is offline: If the Broker VM were offline, it would affect all log ingestion from the data source, not just the specific logs targeted by the parsing rule. The question states that other logs from the same data source are ingested as expected, so the Broker VM is likely operational.

B. The parsing rule corrupted the database: Parsing rules operate on incoming logs during ingestion and do not directly interact with or corrupt the Cortex XDR database. This is an unlikely cause, and database corruption would likely cause broader issues, not just missing specific logs.

D. The XDR Collector is dropping the logs: The XDR Collector forwards logs to Cortex XDR, and if it were dropping logs, it would likely affect all logs from the data source, not just those targeted by the parsing rule. Since other logs are ingested correctly, the issue is downstream in the parsing rule, not at the collector level.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains parsing rule behavior: “The filter stage in a parsing rule determines which logs are processed; misconfigured filters can drop logs, causing them to be excluded from ingestion” (paraphrased from the Data Ingestion section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers parsing rule troubleshooting, stating that “if specific logs are missing during parsing, check the filter stage for conditions that may be dropping the logs” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “data ingestion and integration” as a key exam topic, encompassing parsing rule configuration and troubleshooting.

In Cortex XDR, aCustom Prevention ruleoften leveragesBehavioral Indicators of Compromise (BIOCs)to detect specific patterns or behaviors on endpoints. When a rule generates a false positive alert for authorized and expected behavior, tuning is required to prevent future false alerts. The question assumes the alert is related to a BIOC triggered by the Custom Prevention rule, and the goal is to suppress or refine the alert without disrupting security.

Correct Answer Analysis (A, B):

A. Apply an alert exception: Analert exceptioncan be created in Cortex XDR to suppress alerts for specific conditions, such as a particular endpoint, user, or behavior. This is a quick way to prevent false positive alerts for authorized behavior without modifying the underlying rule, ensuring the behavior is ignored in future detections.

B. Apply an alert exclusion to the XDR behavioral indicator of compromise (BIOC) alert: Analert exclusionspecifically targets BIOC alerts, allowing administrators to exclude certain BIOCs from triggering alerts on specific endpoints or under specific conditions. This is an effective way to tune the Custom Prevention rule by suppressing the BIOC alert for the authorized behavior.

Why not the other options?

C. Apply an alert exclusion to the XDR agent alert: This option is incorrect because alert exclusions are applied to BIOCs or specific alert types, not to generic“XDR agent alerts.” The term “XDR agent alert” is not a standard concept in Cortex XDR for exclusions, making this option invalid.

D. Modify the behavioral indicator of compromise (BIOC) logic: While modifying the BIOC logic could prevent false positives, it risks altering the rule’s effectiveness for other endpoints or scenarios. Since the behavior is authorized only on the affected endpoint, modifying the BIOC logic is less targeted than applying an exception or exclusion and is not one of the best steps in this context.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains alert tuning: “Alert exceptions suppress alerts for specific conditions, such as authorized behaviors, without modifying rules. Alert exclusions can be applied to BIOC alerts to prevent false positives on specific endpoints” (paraphrased from the Alert Management section). TheEDU-262: Cortex XDR Investigation and Responsecourse covers alert tuning, stating that “exceptions and BIOC exclusions are used to handle false positives for authorized behaviors” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “detection engineering” as a key exam topic, encompassing alert tuning and BIOC management.

IntegratingPalo Alto Networks Next-Generation Firewalls (NGFWs)with Cortex XDR by ingesting and forwarding NGFW logs allows for enhanced visibility and correlation across network and endpoint data. NGFW logs contain detailed information about network traffic, applications, and threats, which Cortex XDR can use to improve its detection and analysis capabilities.

Correct Answer Analysis (C):Enabling additional analysis through enhanced application loggingis a key benefit. NGFW logs include application-layer data (e.g., App-ID, user activity, URL filtering), which Cortex XDR can ingest to perform deeper analysis, such as correlating network events with endpoint activities. This enhanced logging enables better incident investigation, threat detection, and behavioral analytics by providing a more comprehensive view of the environment.

Why not the other options?

A. Sending endpoint logs to the NGFW for analysis: The integration is about forwarding NGFW logs to Cortex XDR, not the other way around. Endpoint logs are not sent to the NGFW for analysis in this context.

B. Blocking network traffic based on Cortex XDR detections: While Cortex XDR can share threat intelligence with NGFWs to block traffic (via mechanisms like External Dynamic Lists), this is not the primary benefit of ingesting NGFW logs into Cortex XDR. The focus here is on analysis, not blocking.

D. Automated downloading of malware signatures from the NGFW: NGFWs do not provide malware signatures to Cortex XDR. Malware signatures are typically sourced from WildFire (Palo Alto Networks’ cloud-based threat analysis service), not directly from NGFW logs.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains NGFW integration: “Ingesting Palo Alto Networks NGFW logs into Cortex XDR enables additional analysis through enhanced application logging, improving visibility and correlation across network and endpoint data” (paraphrased from the Data Ingestion section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers NGFW log integration, stating that “forwarding NGFW logs to Cortex XDR enhancesapplication-layer analysis for better threat detection” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “data ingestion and integration” as a key exam topic, encompassing NGFW log integration.

The scenario involves macOS users with Cortex XDR agents (version 8.7.0) who can no longer run in-house applications that were previously allowed via disable prevention rules in the"Engineer-Mac" Exceptions Profile. This profile is applied to an endpoint group (e.g., "Mac-Engineers"). Theissue likely stems from a change in the endpoint group’s configuration or the endpoints’ attributes, affecting policy application.

Correct Answer Analysis (A):The reason for the behavior is that theendpoint IP address changed from 192.168.0.0 range to 192.168.100.0 range. In Cortex XDR, endpoint groups can be defined using dynamic criteria, such as IP address ranges, to apply specific policies like the "Engineer-Mac" Exceptions Profile. If the group "Mac-Engineers" was defined to include endpoints in the 192.168.0.0 range, and the remote desktop users’ IP addresses changed to the 192.168.100.0 range (e.g., due to a network change or VPN reconfiguration), these endpoints would no longer belong to the "Mac-Engineers" group. As a result, the "Engineer-Mac" Exceptions Profile, which allowed the in-house applications, would no longer apply, causing the applications to be blocked by default prevention rules.

Why not the other options?

B. The Cloud Identity Engine is disconnected or removed: The Cloud Identity Engine provides user and group data for identity-based policies, but it is not directly related to Exceptions Profiles or application execution rules. Its disconnection would not affect the application of the "Engineer-Mac" profile.

C. XDR agent version was downgraded from 8.7.0 to 8.4.0: The question states the users are using version 8.7.0, and there’s no indication of a downgrade. Even if a downgrade occurred, it’s unlikely to affect the application of an Exceptions Profile unless specific features were removed, which is not indicated.

D. Installation type changed from VDI to Kubernetes: The installation type (e.g., VDI for virtual desktops or Kubernetes for containerized environments) is unrelated to macOS endpoints running remote desktop sessions. This change would not impact the application of the Exceptions Profile.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains endpoint group policies: “Dynamic endpoint groups based on IP address ranges apply policies like Exceptions Profiles; if an endpoint’s IP changes to a different range, it may no longer belong to the group, affecting policy enforcement” (paraphrased from the Endpoint Management section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers policy application, stating that “changes in IP address ranges can cause endpoints to fall out of a group, leading to unexpected policy behavior like blocking previously allowed applications” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “Cortex XDR agent configuration” as a key exam topic, encompassing endpoint group and policy management.

In Cortex XDR,fixed filtersanddashboard drilldownsare key features that enhance the interactivity and usability of dashboards. Fixed filters allow users to refine the data displayed in dashboard widgets by selecting predefined or dynamic values (e.g., time ranges, severities, or alertsources), adjusting the scope of the data presented. Dashboard drilldowns, on the other hand, enable users to interact with widget elements (e.g., clicking on a chart bar) to gain deeper insights, such as navigating to detailed views, other dashboards, or executingXQL (XDR Query Language)searches for granular data analysis.

Correct Answer Analysis (C):The statement in option C accurately describes the functionality:Fixed filters let users select predefined or dynamic values to adjust the scope, ensuring users can focus on specific subsets of data (e.g., alerts from a particular source).Dashboard drilldowns provide interactive insights or trigger contextual changes, like linking to XQL searches, allowing users to explore related data or perform detailed investigations directly from the dashboard.

Why not the other options?

A. Fixed filters allow users to select predefined data values, while dashboard drilldowns enable users to alter the scope of the data displayed by selecting filter values from the dashboard header: This is incorrect because drilldowns do not alter the scope via dashboard header filters; they provide navigational or query-based insights (e.g., linking to XQL searches). Additionally, fixed filters support both predefined and dynamic values, not just predefined ones.

B. Fixed filters limit the data visible in widgets, while dashboard drilldowns allow users to download data from the dashboard in various formats: While fixed filters limit data in widgets, drilldowns do not primarily facilitate data downloads. Downloads are handled via export functions, not drilldowns.

D. Fixed filters allow users to adjust the layout, while dashboard drilldowns provide links to external reports and/or dashboards: Fixed filters do not adjust the dashboard layout; they filter data. Drilldowns can link to other dashboards but not typically to external reports, and their primary role is interactive data exploration, not just linking.

Exact Extract or Reference:

TheCortex XDR Documentation Portaldescribes dashboard features: “Fixed filters allow users to select predefined or dynamic values to adjust the scope of data in widgets. Drilldowns enable interactive exploration by linking to XQL searches or other dashboards for contextual insights” (paraphrased from the Dashboards and Widgets section). TheEDU-262: Cortex XDR Investigation and Responsecourse covers dashboard configuration, stating that “fixed filters refine data scope, and drilldowns provide interactive links to XQL queries or related dashboards” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “dashboards and reporting” as a key exam topic, encompassing fixed filters and drilldowns.

TheXDR Collectoron a Windows endpoint collects logs (e.g., Windows Event Logs) and forwards them to the Cortex XDR console for analysis. An OS upgrade can impact the collector’s functionality, particularly if it affects log formats, sizes, or compatibility. If log events are no longer observed after the upgrade, the issue likely relates to a change in how logs are processed or transmitted. Cortex XDR imposes limits on log event sizes to ensure efficient ingestion and processing.

Correct Answer Analysis (A):The probable cause is thatthe log events are greater than 5MB. Cortex XDR has a size limit for individual log events, typically around 5MB, to prevent performance issues during ingestion. An OS upgrade may change the way logs are generated (e.g., increasing verbosity or adding metadata), causing events to exceed this limit. If log events are larger than 5MB, the XDR Collector will drop them, resulting in no logs being observed in the console.

Why not the other options?

B. They are in Winlogbeat format: Winlogbeat is a supported log shipper for collecting Windows Event Logs, and the XDR Collector is compatible with this format. The format itself is not the issue unless misconfigured, which is not indicated.

C. They are in Filebeat format: Filebeat is also supported by the XDR Collector for file-based logs. The format is not the likely cause unless the OS upgrade changed the log source, which is not specified.

D. They are less than 1MB: There is no minimum size limit for log events in Cortex XDR, so being less than 1MB would not cause logs to stop appearing.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains log ingestion limits: “Individual log events larger than 5MB are dropped by the XDR Collector to prevent ingestion issues, which may occur after changes like an OS upgrade” (paraphrased from the XDR Collector Troubleshooting section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers log collection issues, stating that “log events exceeding 5MB are not ingested, a common issue after OS upgrades thatincrease log size” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “maintenance and troubleshooting” as a key exam topic, encompassing log ingestion issues.

TheDatabase Collector appleton the Broker VM in Cortex XDR is used to ingest database activity logs by querying the database directly. To set up the applet, valid authentication credentials (e.g., username and password) are required to connect to the database. Additionally, avalid SQL querymust be provided to specify the data to be collected, such as specific tables, columns, or events (e.g., login activity or data modifications).

Correct Answer Analysis (A):Avalid SQL query targeting the desired datais required to configure the Database Collector applet. The query defines which database records or events are retrieved and sent to Cortex XDR for analysis. This ensures the applet collects only the relevant data, optimizing ingestion and analysis.

Why not the other options?

B. Access to the database audit log: While audit logs may contain relevant activity, the Database Collector applet queries the database directly using SQL, not by accessing audit logs. Audit logs are typically ingested via other methods, such as Filebeat or syslog.

C. Database schema exported in the correct format: The Database Collector does not require an exported schema. The SQL query defines the data structure implicitly, and Cortex XDR maps the queried data to its schema during ingestion.

D. Access to the database transaction log: Transaction logs are used for database recovery or replication, not for direct data collection by the Database Collector applet, which relies on SQL queries.

Exact Extract or Reference:

TheCortex XDR Documentation Portaldescribes the Database Collector applet: “To configure the Database Collector, provide valid authentication credentials and a valid SQL query to retrieve the desired database activity” (paraphrased from the Broker VM Applets section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers data ingestion, stating that “the Database Collector applet requires a SQL query to specify the data to ingest from the database” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “data ingestion and integration” as a key exam topic, encompassing Database Collector configuration.

In Cortex XDR,dynamic endpoint groupsare used to organize endpoints for applying security policies, managing configurations, and streamlining operations. These groups are defined based on dynamic criteria, such asOS type,OS version,network segment,hostname, or other endpoint attributes. When a new endpoint is added to the network, it is automatically assigned to the appropriate group(s) based on these criteria, without manual intervention. This dynamic assignment ensures that security policies are consistently applied to endpoints matching the group’s conditions.

Correct Answer Analysis (D):The optionDaccurately describes how dynamic endpoint groups are created and managed. Administrators define groups using filters based on endpoint attributes like operating system (e.g., Windows, macOS, Linux), OS version (e.g., Windows 10 21H2), or network segment (e.g., subnet or domain). These filters are evaluated dynamically, so endpoints are automatically added or removed from groups as their attributes change or new devices are onboarded.

Why not the other options?

A. Endpoint groups require intervention to update the group with new endpoints when a new device is added to the network: This is incorrect because dynamic endpoint groups are designed to automatically include new endpoints that match the group’s criteria, without manual intervention.

B. Each endpoint can belong to multiple groups simultaneously, allowing different security policies to be applied to the same device at the same time: This is incorrect because, in Cortex XDR, an endpoint is assigned to a single endpoint group for policy application to avoid conflicts. While endpoints can match multiple group criteria, the system uses a priority or hierarchy to assign the endpoint to onegroup for policy enforcement.

C. After an endpoint group is created, its assigned security policy cannot be changed without deleting and recreating the group: This is incorrect because Cortex XDR allows administrators to modify the security policy assigned to an endpoint group without deleting and recreating the group.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains endpoint group management: “Dynamic endpoint groups are created by defining filters based on endpoint attributes such as OS type, version, or network segment. Endpoints are automatically assigned to groups based on these criteria” (paraphrased from the Endpoint Management section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers endpoint group configuration, stating that “groups are dynamically updated as endpoints join or leave the network based on defined attributes” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “endpoint management and policy configuration” as a key exam topic, which encompasses dynamic endpoint groups.

In Cortex XDR, theDevice Configuration profile(an extension of the agent settings profile) controls how the Cortex XDR agent monitors and manages device-related activities, such as the mounting of removable drives. By default, the Device Configuration profile includes monitoring for device mount events, such as when a USB drive or other removable media is connected to an endpoint. These events are logged and can be accessed for investigations, such as detecting unauthorized drive usage in an insider compromise scenario.

Correct Answer Analysis (A):TheHost Inventory -> Mountssection in the Cortex XDR console provides a detailed view of mount events for each endpoint, including information about removable drives mounted on the system. This is the most straightforward place to find evidence of an unauthorized removable drive being mounted on the company laptop, as it aggregates device mount events captured by the default Device Configuration profile.

Why not the other options?

B. dataset = xdr_data | filter event_type = ENUM.MOUNT and event_sub_type = ENUM.MOUNT_DRIVE_MOUNT: This XQL query is technically correct for retrieving mount events from thexdr_datadataset, but it requires manual query execution and knowledge of specific event types. The Host Inventory -> Mounts section is a more user-friendly and direct method for accessing this data, making it the preferred choice for an engineer investigating this issue.

C. The requested data requires additional configuration to be captured: This is incorrect because the default Device Configuration profile already captures mount events for removable drives, so no additional configuration is needed.

D. preset = device_control: Thedevice_controlpreset in XQL retrieves device control-related events (e.g., USB block or allow actions), but it may not specifically include mount events unless explicitly configured. The Host Inventory -> Mounts section is more targeted for this investigation.

Exact Extract or Reference:

TheCortex XDR Documentation Portaldescribes device monitoring: “The default Device Configuration profile logs mount events for removable drives, which can be viewed in the Host Inventory -> Mounts section of the console” (paraphrased from the Device Configuration section). TheEDU-262: Cortex XDR Investigation and Responsecourse covers investigation techniques, stating that “mount events for removable drives are accessible in the Host Inventory for endpoints with default device monitoring” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “maintenance and troubleshooting” as a key exam topic, encompassing investigation of endpoint events.