View XDR-Analyst Exam Questions

Q: 1

What is a primary use case of lookup tables in Cortex XDR?

Options

Discussion

Parker M. Mar 1, 2026 8:24 am

A. Lookup tables are for correlating outside info with internal XDR data, not for creating datasets or auto reports.

Nathan Mar 4, 2026 7:24 am

Option A Not B-lookup tables aren’t for auto-dataset creation, mostly used for enrichment.

Parker Mar 2, 2026 3:37 am

Zoe U. Mar 3, 2026 6:53 am

A tbh

Nathan V. Feb 18, 2026 4:57 am

A is what makes sense here. The main use of lookup tables in Cortex XDR is to bring in extra info from outside sources (like threat intel or asset lists) and match it up with your internal logs. Not really for running playbooks or making reports directly. Pretty sure that's correct, unless Palo's changed something lately.

Taylor O. Mar 2, 2026 6:52 am

A is the right pick here. Lookup tables let you correlate external data like threat intel or asset lists with internal logs, which is super useful during investigations. They're not really for running playbooks (C) or generating reports (D) on their own. Pretty sure that's what Palo Alto expects, but if anyone's seen a different use case in practice let me know.

NoahI Feb 28, 2026 1:45 am

C or D for me. Lookup tables could be used to trigger playbooks or help generate reports, right? Not 100 percent sure though, someone let me know if that's not possible.

Ava Q. Feb 21, 2026 12:15 pm

My pick: it's A, since lookup tables are mainly about adding external context like threat intel to what XDR already has. Saw a similar question in some exam reports. Someone correct me if I'm off.

Nina P. Feb 19, 2026 10:38 pm

Lookup tables are mainly for matching external data, like threat intel, with what XDR already has. That's A. Haven't seen any docs where they're used to generate reports directly, so pretty sure this is right but feel free to correct me.

Meera Z. Mar 6, 2026 12:17 am

Not D, that's a common trap since generating exclusion reports isn't the main thing lookup tables do. A is more accurate here.

Be respectful. No spam.

Q: 2

Which Cortex XDR feature allows hunting queries to be repeated automatically?

Options

Discussion

Ethan Feb 18, 2026 10:41 am

Its A based on what I remember from the docs and some official practice tests. Scheduled queries are the only ones that support auto-repeat for threat hunting, the others don’t schedule anything. Pretty sure but open to debate.

Aisha M. Feb 27, 2026 10:16 pm

Its A, but if the question meant only saving queries instead of running them automatically, would it be B?

QuickLearner7184 Feb 21, 2026 8:28 am

Its B here, since Query Library is where you manage and reuse hunting queries. I thought "automatically" might mean it's running by itself, but the library lets you repeat/launch saved queries whenever needed, so pretty sure that's what they mean. If they wanted automation specifically, they'd say schedule. Let me know if I'm missing something.

Liam Feb 18, 2026 9:00 pm

Anita D. Feb 22, 2026 11:39 am

A tbh, unless they mean "repeat" as in manual re-running not actual automation, then it'd flip.

Mason W. Feb 26, 2026 6:59 pm

A makes the most sense. Scheduled queries are what lets XDR run hunting logic on a recurring basis, not just a one-off. Other options like B (query library) just save the query, they don’t automate anything. Pretty sure but correct me if I’m missing something.

Maya E. Mar 3, 2026 4:54 am

A had something like this in a mock. The scheduled queries option matches the "repeated automatically" part.

Arjun E. Feb 22, 2026 7:11 pm

Probably A for this. Scheduled queries do the repeat automatically bit, not just saving or showing queries like B or C.

Sofia A. Feb 27, 2026 12:02 am

A , saw something similar in an official guide and practice test. That feature is all about automating the hunt process.

Layla C. Mar 3, 2026 8:16 pm

Be respectful. No spam.

Q: 3

Remediation suggestions in XDR often include:

Options

Discussion

Taylor C. Feb 27, 2026 9:37 pm

Option A

Morgan Feb 20, 2026 4:04 am

B tbh, Palo loves automation and false positive removal is always in their marketing.

Nina Feb 28, 2026 8:30 pm

I see why B looks good if you're thinking automation, but XDR remediation suggestions are usually vendor-agnostic patching steps, so A fits. Haven't seen auto-delete get recommended like that. Anyone else getting a different vibe?

Kevin Feb 19, 2026 4:31 am

Option A, since B is tempting if you're thinking only automation, but remediation tips usually point to patching. Disagree?

Jack M. Mar 1, 2026 3:07 pm

Pretty sure it's A here, since XDR usually suggests generic patching steps for vulnerabilities. The other options don't really fit what you'd see as standard remediation advice in XDR. Correct me if I missed something.

PreciseLead4523 Mar 3, 2026 9:30 am

Pretty sure A. XDR usually gives vendor-agnostic patching advice as remediation, not auto-deleting alerts or archiving stuff. B is about automation but that's not what most suggestions cover, I think.

JasonD Mar 6, 2026 11:41 am

B. not A. Some reports show people pick A but XDR auto-remediation makes B look tempting here if you miss the wording.

Cameron Mar 5, 2026 1:45 am

A B is a common trap if you think it's only about automatic actions.

Logan P. Feb 26, 2026 7:05 pm

A , that's the typical recommendation XDR throws out for vulnerabilities.

Taylor Feb 19, 2026 11:16 pm

A imo, because XDR generally recommends vendor-neutral patching steps when dealing with vulnerabilities. The other options are too broad or risky for standard remediation advice. I’ve seen this style question on some practice sets, chime in if you disagree.

Be respectful. No spam.

Q: 4

What does “starring” an alert signify in the Cortex XDR console?

Options

Discussion

Sean K. Feb 19, 2026 7:29 pm

Option B was in my exam last year. Starring just flags it as important for the analyst, doesn't trigger any updates or actions on the alert itself. Let me know if someone got a different result.

Aaron T. Feb 25, 2026 12:55 pm

Option B Saw a similar question in some exam reports, starring just makes the alert stand out as important.

Ishaan B. Mar 1, 2026 4:44 am

B for sure. Starring is just a way to visually mark an alert as important so analysts remember to look at it later. It doesn't auto-resolve, recalc severity, or merge anything. Unless they've added some new automation, I'm pretty confident it's still just a flag for importance-correct me if I'm missing something.

Neha Feb 27, 2026 1:01 pm

What if the alert was starred by automation and not manually? Would that flip it from B?

Aisha Q. Mar 8, 2026 8:00 am

B no backend automation. Just marks it important for triage, pretty sure.

Ivy L. Mar 8, 2026 6:14 am

Guessing D for this one. I thought starring an alert could trigger a severity recalculation in some setups, not 100% sure here.

Nina A. Mar 5, 2026 1:03 am

Yeah, it's B. Starring just signals it's important, doesn't do anything else automatically.

SeasonedTester6007 Mar 4, 2026 6:36 pm

Kinda nitpicky but if you had a playbook that auto-stars certain alerts, doesn't it still just mean it's marked important for the analyst? So B is right as long as starring doesn't trigger other automations tied to the alert itself. Pretty sure that's the current behavior but open to correction.

Grace S. Feb 21, 2026 8:53 pm

Not C, that's a common mix-up. It's B, starring just marks the alert as important for follow-up, that's it.

Kevin X. Feb 17, 2026 9:56 pm

Yeah, starring is just a way for the analyst to highlight an alert as important, nothing else changes in the backend. So B makes sense here. No impact on severity or status, unless someone manually acts later. If I'm missing something about automation, let me know, but pretty sure it's B.

Be respectful. No spam.

Q: 5

Which of the following alert sources can provide identity-based alerts?

Options

Discussion

Jordan Feb 28, 2026 9:53 am

A. had something like this in a mock-directory services pulls in real user identities so fits identity-based alerts best.

Neha P. Feb 27, 2026 4:11 pm

MethodicalAnalyst7613 Feb 22, 2026 1:54 pm

Option A, Saw a similar question in some exam practice, directory services is the only thing here that gives real user identity info for alerts.

Cameron R. Feb 22, 2026 10:18 am

It’s A. I don’t think DNS sinkhole or AV can really tie alerts to specific identities, since they focus on host or traffic data. Directory services integration actually imports user/group info, so that’s how XDR does true identity-based alerting. D is tempting but those logs aren’t consistent for identity. Pretty sure A is right, but open to pushback.

Piya Feb 19, 2026 12:15 am

Don’t think it’s C, A is more about real identity context with directory integration. Endpoint AV engines just report threats detected, usually not actual user identities tied to alerts. I think A fits better but not 100% sure, anyone disagree?

Cameron R. Mar 6, 2026 12:58 pm

A tbh

Morgan C. Feb 26, 2026 10:52 pm

A for sure

Ben E. Mar 8, 2026 5:48 am

Its A here. Directory services integration is what lets Cortex XDR actually map and alert on identities, not just devices or IPs. The others don’t really give real user account context. Pretty sure that’s what the question is after but happy to hear if anyone disagrees.

Liam W. Feb 23, 2026 6:45 pm

A, not D. Directory services integration is key for true identity-based alerts, broker logs can miss user mapping.

Sara M. Feb 23, 2026 2:52 am

A saw something super close on a recent exam and directory services is what XDR uses for true identity-based alerts.

Be respectful. No spam.

Q: 6

What is the primary purpose of the Cortex XDR “Featured fields”?

Options

Discussion

Ivy W. Feb 22, 2026 4:37 pm

B. not A. Featured fields are there to help triage by showing the most important attributes right away.

Aaron Mar 7, 2026 1:47 pm

B featured fields just make triage way faster by surfacing the right stuff up top.

Riley E. Feb 28, 2026 12:19 am

B , it's all about quick triage. Featured fields show the most important details right up front so analysts don't waste time digging for key info. Not really about SOAR or automation, I think. Agree?

Zoe J. Feb 19, 2026 12:03 am

My pick: B. The phrase "primary purpose" makes me think it's about highlighting info for triage, not automating anything. But if there's a policy change making SOAR triggers more common, could see D in weird edge cases.

SteadyAuditor2238 Feb 25, 2026 4:32 pm

Hard to say, D, since SOAR gets involved in escalations sometimes. Could be a trap between B and D.

Karan H. Mar 5, 2026 1:18 am

B imo, featured fields just bubble up the most critical details for an alert or incident so analysts can spot what's important fast. Not about automating or escalating, just making triage easier. Pretty sure that's right but open to other takes if I missed something.

Cameron D. Mar 9, 2026 4:36 pm

B tbh, had something like this in a mock. Featured fields in Cortex XDR are for fast triage highlights.

Ajay Feb 20, 2026 11:32 pm

I’d say B-featured fields are mostly for highlighting the key stuff so analysts can triage faster. That's what I've seen in similar exam reports, but not totally sure if there's a newer feature that changes that.

Liam V. Mar 10, 2026 7:29 am

Honestly, B fits unless the question is referencing some new automation tie-in that's not standard. Featured fields are mainly to highlight key info for triage, not automate escalation. But if a workflow links them to SOAR actions, I could see confusion. Anyone think D has a special use case?

Parker U. Feb 22, 2026 11:55 am

B featured fields help with fast triage by surfacing key info up front.

Be respectful. No spam.

Q: 7

When reviewing alert evidence, which of the following provides the clearest insight into the root cause of an attack?

Options

Discussion

FriendlyReviewer5714 Mar 8, 2026 6:30 pm

Option B. Official guide and lab walkthroughs usually say forensic host data is best for root cause in XDR scenarios.

Aisha Feb 18, 2026 2:01 am

B. ITDR logs are tempting but forensic data gives more direct evidence for root cause imo. If the question focused on credential abuse, maybe A, but here B fits better. Disagree?

Maya Q. Mar 6, 2026 11:24 am

C/D? Alert starring (C) lets you quickly focus and prioritize investigation in some platforms, so in edge cases where you need to triage tons of alerts and spot patterns, it could bring clarity fast. Not sure if that's "root cause" in the forensic sense, but it can highlight what needs deeper digging. Maybe still useful depending on workflow.

ArjunG Feb 19, 2026 2:48 pm

I think B, since forensic data usually gives more detail than ITDR logs when tracing root cause. Not totally sure though if it's a hybrid attack.

Logan D. Feb 18, 2026 6:17 pm

A. ITDR logs could point right to identity attacks, so I might go with A for complex breaches.

Karan Mar 1, 2026 10:45 am

A tbh. ITDR logs seem like they'd give the best clue when the attack was tied to stolen credentials or lateral movement. I know B is strong for endpoint stuff, but identity data can be the root in complex attacks. Maybe I'm missing something?

CameronO Feb 23, 2026 3:56 am

B Official guide and most exam practice sets say forensic data from affected hosts is what the exam looks for in root cause questions like this. Would use lab environments to get more hands-on with this if unsure.

QuinnB Mar 1, 2026 2:14 am

Looks like B. A is a common trap here since ITDR logs are great for identity stuff but forensic data really nails the root cause.

Ravi G. Feb 17, 2026 8:31 pm

A , because ITDR logs can actually expose credential misuse or identity pivoting, which sometimes is the real root of an attack. Not 100% sure since forensic data is strong too.

Kevin V. Mar 8, 2026 11:00 pm

A tbh, since ITDR logs can sometimes reveal identity-based attack paths or compromised credentials, which could expose the initial vector. I know forensic host data (B) is solid for direct evidence, but if user creds are abused via SSO or federation, logs might be clearer on root cause in those edge cases. Disagree?

Be respectful. No spam.

Q: 8

Which two activities fall under forensic investigation in Cortex XDR? (Choose two)

Options

Discussion

Priya X. Mar 5, 2026 4:43 pm

A/B, seen exactly similar question in my exam and those two match the typical forensic investigation tasks every time.

Avery Feb 25, 2026 3:07 pm

C/D? I'm leaning toward D and C, but maybe I'm overthinking it. Configuring new firewall rules (C) feels like you'd do it as part of a containment step after you find something suspicious, so I could see someone picking it for investigation indirectly. Adjusting incident scores (D) also seems like you'd do while analyzing an event's details, even though it's not classic forensic work. I don't think it's A or B since those seem too technical for this context, but not sure. Anyone else read it this way?

Robin C. Feb 18, 2026 5:19 am

I don’t think it’s A. C and D fit better for this one.

Skyler H. Feb 18, 2026 7:26 pm

Its C/D

Zoe X. Mar 7, 2026 6:45 am

I’m wondering, if the question used the term “remediation” instead of “forensic investigation”, would C or D make sense? Feels like changing firewall rules or incident scores is more remediation than forensics. What do others think?

Logan U. Mar 3, 2026 3:52 am

Probably A and B, C is more about response/config not forensics. Seen this style on past practice sets.

FriendlyCandidate1115 Mar 3, 2026 5:59 am

I don’t think it’s C, A and B fit better. Forensics means actually inspecting artifacts like memory dumps or registry changes for traces of attacks, not just changing configs. I’m pretty sure XDR’s investigation tools focus on those areas.

CarefulLearner145 Feb 26, 2026 12:09 am

A and B make sense here. Forensics is about digging into artifacts like memory dumps or registry changes to spot malicious activity, not tweaking firewall rules or incident scores. Pretty sure that's the focus in Cortex XDR but open if I missed something.

Ivy Feb 26, 2026 6:14 pm

Tricky wording! Forensic investigation usually means evidence analysis, so A and B make sense. If the question asked about containment or response, then maybe C or D could be considered, but that's not the case here. Pretty sure it's A/B unless Palo Alto changes their definition of forensic in documentation. Disagree?

Mia K. Mar 3, 2026 1:47 am

C or D? But actually, forensics is about digging into the technical evidence, not changing protections or scores. A and B better fit classic analysis steps like looking at memory dumps and registry tweaks that malware might pull. Pretty sure that's what Cortex XDR lets you do in investigations. Agree?

Be respectful. No spam.

Q: 9

Which two benefits come from using the Query Library in Cortex XDR? (Choose two)

Options

Discussion

CalmReviewer6285 Mar 1, 2026 8:22 pm

Actually, I'd say C. The Query Library should help with scheduling reports, right? I remember reading something about automating that process in practice questions. Not totally certain but C feels like a decent pick here.

Ishaan J. Feb 25, 2026 3:42 pm

Option C

Robin W. Mar 4, 2026 8:53 am

Saving and sharing queries is what the Query Library actually does so A, B.

Hannah I. Mar 4, 2026 7:10 pm

A and B. Query Library's main perks are saving and sharing queries, not automating reports or making incidents. C is tempting but that's handled elsewhere in XDR, not the Library itself. If anyone's seen scheduling as a direct library feature let me know, but pretty sure that's a common trap here.

Amelia M. Feb 23, 2026 9:36 am

A and B tbh, official guide and exam practice both call those out for Query Library.

Avery T. Feb 27, 2026 5:45 pm

If the question isn't talking about automating or scheduling, I think it's A and B. Query Library is mainly for saving and sharing queries, not for report scheduling. Maybe in some specific configs C could apply? Not totally sure.

Hannah V. Mar 4, 2026 12:38 am

The Query Library in Cortex XDR is really for saving and sharing custom queries (A and B), not for automating reports or converting to incidents. Pretty sure those extra features are handled elsewhere, not in the library itself. Anyone see it work differently in real setups?

QuickArchitect8297 Feb 26, 2026 12:37 pm

C , exam practice questions mention scheduling so that's what I picked. Official guide might help check.

Adam I. Feb 24, 2026 5:10 am

A and B

Avery A. Mar 6, 2026 7:38 am

Option A and B. Those are the actual Query Library benefits, not C or D.

Be respectful. No spam.

Q: 10

Why is integrating dashboards, reports, and Host Insights valuable for SOCs?

Options

Discussion

Robin Mar 2, 2026 12:00 am

Option A matches what I've seen in similar questions. Really clear distinction in the options here.

Ajay Y. Feb 21, 2026 12:07 pm

Makes sense to go with A here.

Layla Q. Feb 22, 2026 3:56 am

A. That's the only one that makes sense for what SOCs need from these integrations.

CuriousAnalyst1002 Feb 23, 2026 7:00 pm

A is what I'd pick. Integrating dashboards, reports, and Host Insights gives SOCs a full picture of what's happening across detections, assets, and vulnerabilities. Pretty sure that's the value here, but let me know if you see it different.

Sam O. Feb 28, 2026 4:00 am

C tbh, because dashboards and Host Insights reduce manual XQL work, but A looks tempting as a trap.

Ava J. Mar 8, 2026 11:38 pm

A imo, that's what the official guide and exam practice both outline for SOC visibility.

Meera Mar 4, 2026 10:10 pm

A is right since dashboards, reports, and Host Insights together actually give a big picture view for detection and asset risk. C sounds tempting but you still need manual XQL sometimes so it's not a full replacement. Anyone see an edge case where A wouldn't fit?

ZoeI Feb 20, 2026 8:44 am

C , feels like integrating dashboards and Host Insights would get rid of most manual XQL work. Trap might be A.

SteadyEngineer7996 Feb 22, 2026 12:04 am

Probably A. Integrating dashboards, reports, and Host Insights gives SOC teams full visibility of current detections, asset status, and vulnerabilities all in one place. This helps analysts correlate data faster and prioritize issues based on real risk. I’m pretty sure that’s what most official material and lab walk-throughs emphasize for Cortex XDR, but if anyone has seen something different on official practice tests or guides, let me know.

Sara J. Mar 4, 2026 7:33 pm

C/D? I don't think C makes sense since XQL is still needed for custom stuff, but D feels like a distractor. A is the only one that really fits for holistic SOC visibility.

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE