View XDR-Engineer Exam Questions

Q: 1

[Cortex XDR Agent Configuration] Based on the Malware profile image below, what happens when a new custom-developed application attempts to execute on an endpoint?

Palo Alto Networks Certified XDR Engineer question

Options

Q: 2

[Detection Engineering] An analyst considers an alert with the category of lateral movement to be allowed and not needing to be checked in the future. Based on the image below, which action can an engineer take to address the requirement?

Options

Discussion

PracticalOps643 Mar 5, 2026 9:51 pm

Option B is best here since it excludes alerts by source and name, covering all similar future lateral movement alerts. D would only handle a specific parent process or command. Pretty sure B matches Palo Alto's expected workflow, but let me know if you see it differently.

Piya A. Feb 21, 2026 9:19 am

B . Blocking by alert source and name is what you need if you want to stop this category from alerting again. D's more for single process/command use, trap for broader cases.

Piya Feb 20, 2026 12:05 pm

B . Alert exclusion rule by source and name stops future alerts of this category from popping up, which is what the question is asking for. The other options are more restrictive or target specific processes, but here they want to allow similar lateral movement events fully. Pretty sure Palo Alto wants B in this scenario, but open to corrections if anyone's done it another way.

Nora Mar 6, 2026 3:28 pm

B , saw a similar question on a practice and alert exclusion by source and name is what Palo Alto expects if you want to skip all future alerts for a specific category. D's for more targeted scenarios. Seen this logic in exam dumps before. Agree?

Leo I. Mar 5, 2026 6:29 pm

D imo. I remember in a lab we handled similar alert suppression with an exception rule focused on the parent process and command, which matched what the analyst wanted. The admin guide talks about exclusions, but for one-off scenarios, D feels right to me. Might be missing a nuance though, official practice test could help confirm.

NehaR Feb 21, 2026 10:32 am

D , since that exception targets the parent process and command so should suppress alerts for that specific scenario. Right?

Sofia C. Mar 1, 2026 9:45 am

Pretty sure it's D. That rule would cover the parent process and exact command, so you wouldn't see this alert for that specific case again. I saw a similar question in old practice sets and D was close to what they wanted, but maybe I'm missing something about category-wide suppression? Disagree?

AmeliaZ Feb 22, 2026 11:11 pm

B makes sense here. The question wants to allow all similar lateral movement alerts in the future, not just for one process or command. Creating an alert exclusion rule by source and name covers that category across the board, which matches how XDR handles alert silencing at scale. I think that’s what Palo Alto expects but wouldn’t mind seeing confirmation from the official guide or lab materials if anyone has them.

Ethan S. Mar 6, 2026 1:40 am

Needs to be B. That exclusion rule by source and name fits since they want to allow all future similar alerts.

MethodicalEngineer8138 Mar 1, 2026 10:57 pm

B, not D. Exclusion rule by alert source and name will stop these from triggering in the future, which matches the ask. Pretty sure that's what Palo Alto wants here, but correct me if I'm off.

Be respectful. No spam.

Q: 3

[Data Ingestion and Integration] What will be the output of the function below? L_TRIM("a* aapple", "a")

Options

Discussion

Alex E. Feb 26, 2026 2:45 am

A . Had something like this in a mock, and L_TRIM only removes the 'a' characters from the left, not spaces or anything else. The first char is 'a', then '*' stays, so you're left with ' aapple' as output. Let me know if someone disagrees but this matches what I've seen in labs.

SeanN Feb 19, 2026 5:43 pm

D imo, but pretty sure that's a trap. If the trim set was different I'd say C, but not confident here.

LoganF Feb 18, 2026 12:26 pm

A. similar question was in the official guide and practice tests.

Avery S. Mar 2, 2026 11:59 pm

Nah, I think A here. L_TRIM just strips out the leading 'a' character, so the output is space + 'aapple'. B's trap is thinking quotes are part of the output, but they're not.

Reese Mar 7, 2026 11:31 pm

Probably A. The L_TRIM function here just removes the leading 'a', nothing else, so the output would still have the space and asterisk in front of aapple. Not 100% sure if there's some edge case but that's how I see it. Disagree?

Ajay Mar 1, 2026 6:04 pm

Just to clarify, are people maybe confusing the trim set here? If you specify only "a" as the trim char in L_TRIM, it won’t remove the space or special chars, just any leading 'a's. So the result wouldn’t be B or C, unless they change the trim set to include more chars.

Ajay H. Feb 28, 2026 7:18 am

Option B

Anita W. Mar 6, 2026 4:07 am

Drew Q. Mar 8, 2026 2:41 am

A imo. The trap is B but the space doesn't get trimmed since only 'a' is in the trim set. L_TRIM just strips 'a' from the left, leaves the space. Anyone see it different?

QuickMentor607 Feb 18, 2026 5:33 pm

Be respectful. No spam.

Q: 4

[Maintenance and Troubleshooting] An insider compromise investigation has been requested to provide evidence of an unauthorized removable drive being mounted on a company laptop. Cortex XDR agent is installed with default prevention agent settings profile and default extension "Device Configuration" profile. Where can an engineer find the evidence?

Options

Discussion

Anita A. Mar 2, 2026 6:13 pm

My pick: A, since default device profiles log mounts in Host Inventory. C is tricky but only if custom or restricted configs are in play, which isn't the case here. Pretty sure about this based on similar exam reports. Disagree?

DirectLead5745 Mar 4, 2026 6:08 pm

A. saw a similar question in recent exam reports and Host Inventory > Mounts is what gets checked with defaults.

Robin U. Feb 25, 2026 3:16 am

Option A Official admin guide and lab drills help with these Cortex XDR default profile scenarios.

QuietOps7913 Mar 7, 2026 5:52 pm

CarefulLearner1287 Mar 8, 2026 7:56 am

A, not D. The trap here is thinking device_control preset logs mounts by default but only Host Inventory -> Mounts shows mount evidence with default configs.

Ava K. Mar 7, 2026 10:29 pm

Its A, some think D because of the device control preset but Host Inventory Mounts gives the evidence right away with defaults.

JasonF Feb 25, 2026 1:58 pm

D, Device control preset should log these actions by default, so I'd check there first.

Neha R. Feb 19, 2026 8:31 pm

I don't think it's C. A is the best pick here since with default profiles, Host Inventory -> Mounts will show removable device mount events. C is a trap because extra config isn't needed for this data (unless defaults were changed). Disagree?

Sam L. Mar 4, 2026 9:48 am

C not A

Liam U. Mar 4, 2026 12:06 am

If device logging on the "default" profile was actually disabled, then yeah maybe C would apply. From what I know though, default Device Configuration profile usually logs mounts so A is still more likely.

Be respectful. No spam.

Q: 5

[Cortex XDR Agent Configuration] How are dynamic endpoint groups created and managed in Cortex XDR?

Options

Discussion

Kevin X. Mar 4, 2026 5:05 am

Option D

Skyler J. Mar 6, 2026 9:04 pm

C/D? Leaning D since dynamic endpoint groups use OS type and other criteria.

Ishaan Mar 5, 2026 7:38 pm

D . Dynamic endpoint groups in Cortex XDR are based on stuff like OS type and network segment, so they update automatically without manual intervention. B talks about multiple group membership but that’s not the dynamic part here. Pretty sure D fits what the question’s asking.

Alex Feb 21, 2026 3:29 am

Option D since dynamic groups in Cortex XDR are built using attributes like OS type or network segment. Static groups would need manual intervention, but D matches the automation piece. Unless Palo changed this recently, that's what I've seen in practice.

Taylor T. Feb 20, 2026 7:53 pm

Yeah, D. Dynamic groups auto-populate based on attributes like OS type or version.

Alex D. Mar 1, 2026 9:06 am

Option D makes sense for dynamic endpoint groups in Cortex XDR since they're defined by fields like OS or segment, auto-populating as endpoints match those criteria. B would apply if the question was about static groups, but "dynamic" is the key here. I think some folks mix this up since other EDRs blur the lines. Agree?

Piya Feb 22, 2026 7:33 pm

D imo, since dynamic endpoint groups rely on matching criteria like OS type and network segment to auto-populate membership. B is tempting, but that's not the main mechanism for group creation here. If I'm off let me know.

Sean N. Mar 6, 2026 3:17 am

C or D? D talks about using fields like OS type for automatic group creation, which matches the 'dynamic' part of the question. C feels like a trap though, since you can change policies without deleting groups. Think D is right but open to pushback.

Ravi Feb 28, 2026 6:57 pm

Probably B, since endpoints can be in multiple groups, might be a trick here.

Drew T. Mar 1, 2026 3:05 am

Nah, I don’t think B fits here. The dynamic part means groups get filled automatically based on stuff like OS type or version, which is what D describes. B is a common trap in XDR questions since multiple group membership doesn’t always mean it’s dynamic. Seen similar wording on practice sets.

Be respectful. No spam.

Q: 6

[Dashboards and Reporting] Which action is being taken with the query below? dataset = xdr_data | fields agent_hostname, _time, _product | comp latest as latest_time by agent_hostname, _product | join type=inner (dataset = endpoints | fields endpoint_name, endpoint_status, endpoint_type) as lookup lookup.endpoint_name = agent_hostname | filter endpoint_status = ENUM.CONNECTED | fields agent_hostname, endpoint_status, latest_time, _product

Options

Discussion

MethodicalMentor8575 Feb 26, 2026 5:16 pm

Option A had a similar question in exam reports and it matches the query logic.

Olivia C. Mar 6, 2026 7:21 pm

Seen something like this in official study material, it's tracking latest activity for any endpoint. A

HannahY Feb 22, 2026 5:59 am

This looks just like a question I saw on a recent exam report, and A was the pick there too.

Meera T. Feb 22, 2026 8:35 pm

A is right. C feels like a trick since there's no filter for firewall endpoint_type in the query, so it's just grabbing latest activity for any connected endpoint. Seen similar wording on practice, but open to other thoughts if I'm missing something here.

Parker D. Feb 27, 2026 4:37 am

A , C looks tempting but without filtering on endpoint_type it's really all connected endpoints. Seen similar traps in practice exams.

Vikram B. Feb 26, 2026 9:49 pm

Ethan Feb 23, 2026 1:43 am

C or D. The query grabs endpoint_type and only keeps connected endpoints, so I'd expect "connected firewall endpoints" (C) to be right if we see firewall types there. Official practice sets cover similar joins, suggest brushing up there. Not 100 percent sure though.

Sanjay D. Feb 27, 2026 1:07 pm

Pretty sure it's A. The query is filtering for connected endpoints, grabbing their latest activity but doesn't limit by endpoint_type so it's not just firewalls. Saw something very similar in an exam report too, so A makes sense to me.

Sara T. Feb 24, 2026 4:01 pm

Its A here, I think. The query joins to get endpoint status and filters for CONNECTED only, but there’s no filter on endpoint_type so it’s not just firewalls (which would make it C). So we’re just tracking latest activity of all connected endpoints. Pretty sure but if anyone spots something I missed, let me know.

Piya I. Feb 23, 2026 4:16 pm

Looks like it's pulling the latest activity for connected endpoints in general, not just firewalls since there's no endpoint_type filter. A is correct from what I've seen in official guides and practice sets. If anyone's found a resource pointing to C though, let me know.

Be respectful. No spam.

Q: 7

[Post-Deployment Management and Configuration] What happens when the XDR Collector is uninstalled from an endpoint by using the Cortex XDR console?

Options

Discussion

Mia D. Feb 18, 2026 10:50 am

Option C that's the retention you see in official guides and practice tests. If you want to double check, go through the latest admin guide or sample exam.

Morgan G. Feb 22, 2026 5:55 am

In official docs and most practice tests for XDR, configuration retention is usually set to the default (90 days), but I've seen some guides reference 7 days too. Anyone confirm from the latest admin guide?

MethodicalOps4661 Feb 23, 2026 10:28 am

C tbh, that's what the docs say for default retention. The collector waits for the next heartbeat before the uninstall completes and keeps config data for 90 days unless you change that policy. D trips people up because it sounds immediate but that's only if the org has set a custom period. Correct me if I'm wrong, but C matches normal deployments.

Reese Z. Mar 4, 2026 4:47 am

C or D? For default config retention I'm pretty sure it's C, config sticks 90 days after uninstall.

CameronH Feb 25, 2026 4:30 pm

B tbh, since config data could be kept only 7 days if org has set a custom retention. The question doesn't mention default policy, and I've seen places limit it for compliance reasons. If it's really always 90 by default then maybe C fits better. Anyone else run into this on a real tenant?

Robin Z. Feb 24, 2026 10:57 am

Nah, it's C. The uninstall kicks in at the next heartbeat and config data sticks around for 90 days unless you've set it differently. Pretty sure docs back that up, but open to being corrected if I'm missing a twist.

SkepticalNeteng3312 Mar 5, 2026 8:35 pm

B tbh, since some docs mention config data sticks around for just 7 days, not 90. C seems like a trap here.

Ben L. Mar 8, 2026 8:48 am

B is wrong, C. Encountered exactly similar question in my exam and config data sat for 90 days post-uninstall, not deleted instantly.

Jason P. Feb 25, 2026 3:17 pm

Its C

Leo G. Feb 20, 2026 7:40 pm

I don't think D is right here since config data isn't wiped instantly. C makes sense because the uninstallation waits for the next heartbeat and keeps config for 90 days, that's in line with what I’ve seen in exam reports.

Be respectful. No spam.

Q: 8

[Post-Deployment Management and Configuration] A cloud administrator reports high network bandwidth costs attributed to Cortex XDR operations and asks for bandwidth usage to be optimized without compromising agent functionality. Which two techniques should the engineer implement? (Choose two.)

Options

Discussion

Layla G. Mar 6, 2026 1:24 pm

I think B and D. Had something like this in a mock, and those two seemed like they reduced bandwidth just by limiting what gets downloaded and using local settings. Could be missing something, but not ruling these out yet.

Nathan Feb 18, 2026 4:31 am

Don’t think D is the right fit unless you’re dealing with segmentation or brokers specifically. A and C actually target bandwidth reduction: P2P reduces cloud pulls, and bandwidth control limits usage. Pretty sure that's what the question wants, but open to other views.

Drew E. Feb 18, 2026 7:39 am

B . Enabling minor content version updates should also help with bandwidth, since it only pulls smaller/delta updates. Not sure if that's actually as effective as the other options, but feels like B plus C would reduce costs. Thoughts?

Quinn A. Feb 22, 2026 8:44 am

My vote is it’s A and C. Setting up P2P downloads (A) means agents can pull updates from each other instead of all hitting the cloud, which really cuts bandwidth. C lets you actually limit how much bandwidth gets used for content updates. Unless your network is really segmented, D isn’t as useful here. If anyone’s implemented D in a straightforward setup and saw benefit, let me know!

Sara Feb 21, 2026 8:31 pm

Looks like A and C. P2P updates (A) let agents grab files from each other, cutting download traffic, and C gives you more direct bandwidth control. Not fully certain, but these two seem the most efficient for this scenario.

Rowan X. Mar 5, 2026 6:05 am

Don’t think D is right here. A looks like a trap unless you want new infra, pretty sure it’s A and C.

DirectCandidate7663 Mar 3, 2026 12:56 pm

A C tbh. P2P agent updates (A) keep most traffic local, and bandwidth management (C) lets you set limits directly. D is mostly for segmented setups, so not as helpful here unless the infra is split up. Not 100% but seems right according to what I've seen in practice.

PracticalMentor937 Feb 25, 2026 8:02 am

I think A, C. Both directly target bandwidth optimization without extra infra. Not seeing how D fits unless you're segmenting the network more heavily. Open to other ideas if I'm missing a use case.

Aaron B. Feb 20, 2026 11:29 am

I was thinking C and D since Broker VM (D) acts as local relay, so less cloud traffic. C is obvious for direct bandwidth management. Not totally sure though, maybe A helps more internally? Open to better logic here.

Grace Mar 5, 2026 12:30 pm

A and C tbh. P2P update sharing (A) keeps traffic local, and bandwidth management (C) lets you throttle usage, so both help cut cloud network costs. D feels more about segmentation than basic bandwidth savings.

Be respectful. No spam.

Q: 9

[Data Ingestion and Integration] In addition to using valid authentication credentials, what is required to enable the setup of the Database Collector applet on the Broker VM to ingest database activity?

Options

Discussion

Anita L. Feb 23, 2026 12:31 am

I don't think it's B or D here. The collector applet setup just asks for a valid SQL query that pulls the activity you want, not access to logs. Option A matches what I've seen in similar practice material. Happy if someone sees it differently but pretty sure A's correct since the others are more for audit/forensic cases.

Mia Feb 21, 2026 1:23 am

A . Seen this in a lab before, just need a valid SQL query for the applet to ingest data.

Nathan X. Feb 23, 2026 11:09 pm

Setup needs a valid SQL query so the Database Collector knows what data to ingest, so A fits best. Accessing logs (B or D) is more for continuous monitoring, but for initial setup the query is critical. Seen similar in exam prep materials too. I think A is right but always possible there’s some corner case I missed-anyone seen otherwise?

Nathan Feb 27, 2026 12:11 am

Not D, it's A here since you need a valid SQL query for setup not just log access.

Luke Feb 17, 2026 11:46 pm

C/D? The key here is the collector applet expects a valid SQL query for ingestion but if the database isn't configured to expose those tables, then B or D could matter. Pretty sure it's A unless the environment locks down custom queries. Anyone disagree?

Piya M. Feb 20, 2026 4:46 am

Yeah, it's A. You need a valid SQL query as part of the collector setup process.

Quinn O. Feb 27, 2026 4:18 pm

A imo. The setup process really focuses on needing a valid SQL query to pull the right activity, not just log access or schema. Not 100% on this but that's how I've seen it in practice.

Nathan O. Mar 6, 2026 2:36 am

B is tempting since audit logs are often used for monitoring, but for the Database Collector applet you actually need to provide a valid SQL query (A) during setup. That's how you specify which events or activity should be ingested. Palo Alto's docs highlight the SQL query piece, so I'd go A here. If anyone can point to a use case where B is required instead, I'm interested.

Adam Feb 22, 2026 4:20 am

I was actually thinking B, since access to the audit log is usually important for tracking database activity. Not 100% sure though.

Adam Feb 20, 2026 11:17 pm

A is my pick, is correct here. Had something like this in a mock and it wanted a valid SQL query as part of the config process for the Database Collector applet, not just audit log or schema access. Pretty sure about this but open to pushback if I missed something subtle.

Be respectful. No spam.

Q: 10

[Maintenance and Troubleshooting] A query is created that will run weekly via API. After it is tested and ready, it is reviewed in the Query Center. Which available column should be checked to determine how many compute units will be used when the query is run?

Options

Discussion

Ivy Mar 4, 2026 12:23 am

Option B here. Compute Unit Usage shows what's actually used when the query runs on schedule, not just a simulated estimate. I think that's what they're looking for but if anyone saw something different in the UI, let me know.

Kevin N. Mar 1, 2026 11:05 am

Option B popped up in a practice set I did, pretty sure it's right. "Compute Unit Usage" reflects what actually gets consumed when the query runs live, not just in test mode.

Jack J. Mar 6, 2026 9:24 am

Adam Feb 21, 2026 2:50 pm

That would be B. That's the column in Query Center for actual usage after go-live, I think.

Zoe S. Mar 1, 2026 10:30 am

Not seeing how C fits, since that'd show the simulation. B lines up better given it's about actual units used when live. Open to other opinions if I've missed something, but B looks right from what I recall.

Leo D. Feb 22, 2026 2:02 pm

Had something like this in a mock, B.

Riley J. Feb 18, 2026 6:06 pm

Is "Simulated Compute Units" (C) ever shown in the official practice test for post-deployment queries? I remember seeing it there.

Amelia L. Feb 27, 2026 4:08 pm

C or B, but honestly feel like C fits too if we're talking about tested queries before scheduling.

NathanI Feb 21, 2026 9:29 am

Aaron W. Feb 25, 2026 9:21 am

B , similar question popped up in official practice and the admin guide. Always check those docs for these details.

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE