View XDR-Engineer Exam Questions

Q: 1

[Cortex XDR Agent Configuration] Based on the Malware profile image below, what happens when a new custom-developed application attempts to execute on an endpoint?

Palo Alto Networks Certified XDR Engineer question

Options

Discussion

Parker C. Feb 2, 2026 1:49 pm

Option B. saw a similar question in recent exam reports and the profile blocks unknown apps.

Sofia Q. Jan 25, 2026 3:29 am

Option B since "block" for unknowns stops custom apps right away. D is tempting but only if there's delay policy.

Meera Jan 24, 2026 10:04 pm

So tired of these profile image questions where you have to squint. Option B

Morgan C. Jan 31, 2026 10:09 am

Guessing B, but if the profile had "alert" instead of block for unknowns then A would be right.

Meera Feb 2, 2026 7:07 pm

B , had something like this in a mock. Custom or unknown executables get blocked right away if the policy is set to 'block' for unknowns, so it won't execute at all. Not 100% sure if all versions behave exactly the same, but that's how Palo's usual malware profile works. Agree?

Neha Jan 27, 2026 3:12 am

Arjun F. Jan 29, 2026 10:34 pm

B, Block enforcement means new apps like that won't get through. Standard for XDR, pretty sure that's what the image shows.

SkepticalAuditor7766 Jan 30, 2026 9:42 am

I thought it'd be D, cause sometimes the agent might give a warning or block on the second attempt depending on custom app policies. Maybe I'm mixing it up with older profiles though. Anyone else remember it working this way?

Noah Feb 12, 2026 9:00 am

B , XDR usually blocks custom apps if block is enabled on the malware profile.

Robin A. Feb 5, 2026 10:03 am

C or D. I remember seeing similar practice questions in the official guide and some exam reports, both had delayed/execution-after features called out. Could be missing a detail in the profile image though.

Be respectful. No spam.

Q: 2

[Detection Engineering] An analyst considers an alert with the category of lateral movement to be allowed and not needing to be checked in the future. Based on the image below, which action can an engineer take to address the requirement?

Options

Discussion

Piya Jan 27, 2026 1:15 am

B . Alert exclusion rule by source and name stops future alerts of this category from popping up, which is what the question is asking for. The other options are more restrictive or target specific processes, but here they want to allow similar lateral movement events fully. Pretty sure Palo Alto wants B in this scenario, but open to corrections if anyone's done it another way.

Sofia C. Feb 4, 2026 10:54 pm

Pretty sure it's D. That rule would cover the parent process and exact command, so you wouldn't see this alert for that specific case again. I saw a similar question in old practice sets and D was close to what they wanted, but maybe I'm missing something about category-wide suppression? Disagree?

AmeliaZ Jan 29, 2026 12:21 pm

B makes sense here. The question wants to allow all similar lateral movement alerts in the future, not just for one process or command. Creating an alert exclusion rule by source and name covers that category across the board, which matches how XDR handles alert silencing at scale. I think that’s what Palo Alto expects but wouldn’t mind seeing confirmation from the official guide or lab materials if anyone has them.

Ethan S. Feb 9, 2026 2:49 pm

Needs to be B. That exclusion rule by source and name fits since they want to allow all future similar alerts.

MethodicalEngineer8138 Feb 5, 2026 12:07 pm

B, not D. Exclusion rule by alert source and name will stop these from triggering in the future, which matches the ask. Pretty sure that's what Palo Alto wants here, but correct me if I'm off.

Priya P. Jan 27, 2026 4:36 pm

B , since the requirement is to stop alerting for this category in the future, not just for a single process or command. An alert exclusion rule (B) covers all similar cases, which matches the scenario better than just making an exception for one process like D. Pretty sure that's what Palo Alto expects here, but I'm open if someone has seen it different in labs.

Kevin D. Jan 26, 2026 10:49 pm

Nah, D is better since it's more specific to that parent process and command than B would be.

Zoe T. Feb 4, 2026 2:42 pm

C or D? I was thinking maybe C since injection and prevention rules feel right when you want to allow a process, but honestly D is tempting too because it mentions the parent process and command, which lines up with how some labs show exceptions. If anyone's tried this in a real XDR console or used the official guide, let me know what matched better.

Robin T. Jan 29, 2026 6:19 am

I actually think D is closer, since it talks about making an exception for that parent process and the specific command. If you just want to never see this exact alert again, that's usually safer than excluding all similar alerts like B would. Trap here is going too broad with B and potentially missing legit detections later. Pretty sure but open to correction if I'm missing a XDR nuance.

Olivia P. Jan 24, 2026 12:48 pm

B fits for skipping future alerts on this. Recommend double-checking with the official admin guide or lab it if possible, in case the UI has changed.

Be respectful. No spam.

Q: 3

[Data Ingestion and Integration] What will be the output of the function below? L_TRIM("a* aapple", "a")

Options

Discussion

LoganF Jan 25, 2026 1:36 am

A. similar question was in the official guide and practice tests.

Anita W. Feb 9, 2026 5:17 pm

Drew Q. Feb 12, 2026 9:07 pm

A imo. The trap is B but the space doesn't get trimmed since only 'a' is in the trim set. L_TRIM just strips 'a' from the left, leaves the space. Anyone see it different?

QuickMentor607 Jan 25, 2026 6:43 am

Chris Y. Feb 11, 2026 8:40 pm

C tbh. I think L_TRIM strips all specified 'a' chars from the left, so after removing the initial 'a', it keeps going and chops any more leading 'a's, so you'd get "pple" left. But I'm not 100% if it stops at non-'a' chars (like space). Someone might clarify this edge case.

Ben G. Feb 10, 2026 7:17 pm

Probably C. I thought L_TRIM with 'a' removes all leading 'a' characters, so should leave 'pple'. Not sure if I'm missing something with the space though.

Neha Q. Feb 8, 2026 3:03 am

B tbh, some exam reports mix up trim outputs so double check with the official doc or lab if unsure.

Anita Feb 7, 2026 4:06 pm

Its A here, only the 'a' chars on the left get trimmed so the space remains. Pretty sure about this, unless there's something weird with encoding but looks straightforward.

Avery G. Jan 30, 2026 3:58 pm

Its A, since L_TRIM only removes 'a' from the left. Space stays because it's not part of the trim set. Agree?

CuriousLearner2782 Feb 12, 2026 4:40 am

Option B this L_TRIM can trip you up on formatting and spaces in the actual exam.

Be respectful. No spam.

Q: 4

[Maintenance and Troubleshooting] An insider compromise investigation has been requested to provide evidence of an unauthorized removable drive being mounted on a company laptop. Cortex XDR agent is installed with default prevention agent settings profile and default extension "Device Configuration" profile. Where can an engineer find the evidence?

Options

Discussion

Anita A. Feb 6, 2026 7:23 am

My pick: A, since default device profiles log mounts in Host Inventory. C is tricky but only if custom or restricted configs are in play, which isn't the case here. Pretty sure about this based on similar exam reports. Disagree?

DirectLead5745 Feb 8, 2026 7:17 am

A. saw a similar question in recent exam reports and Host Inventory > Mounts is what gets checked with defaults.

QuietOps7913 Feb 11, 2026 7:02 am

Liam U. Feb 7, 2026 1:15 pm

If device logging on the "default" profile was actually disabled, then yeah maybe C would apply. From what I know though, default Device Configuration profile usually logs mounts so A is still more likely.

Ivy L. Feb 9, 2026 3:24 am

A tbh, as long as the question says "default" for the agent and device config, Host Inventory > Mounts will log what you need. If the profile wasn’t default, then maybe C would make sense, but here it’s definitely A.

Layla Q. Feb 8, 2026 5:56 am

Always Palo Alto and their default config gotchas! It's A here, Host Inventory > Mounts shows removable drive mounts as long as you haven't messed with the defaults. Seen this asked in similar practice sets. Let me know if I missed some recent change in Cortex XDR though.

Taylor Feb 8, 2026 9:12 am

Nah, C is a trap here since default config does log mounts. It's A for Host Inventory -> Mounts.

Chloe K. Feb 1, 2026 6:59 am

Host Inventory > Mounts is the place for mount evidence when using default profiles. The agent tracks removable device mounts there by default. I think A fits unless extra monitoring was needed (which would be C).

MiaR Feb 11, 2026 3:27 pm

A is the pick here, just like what most official guides and some practice tests point to for default Cortex XDR configs. I think Host Inventory -> Mounts shows the mount evidence unless custom settings are in play. Anyone use other resources showing differently?

Nathan F. Feb 3, 2026 3:37 am

A makes sense since with default settings, Host Inventory > Mounts should log the device activity you need for this investigation. The Device Configuration profile covers mounts by default. Pretty sure it's A, unless I'm missing something about agent versions.

Be respectful. No spam.

Q: 5

[Cortex XDR Agent Configuration] How are dynamic endpoint groups created and managed in Cortex XDR?

Options

Discussion

Kevin X. Feb 7, 2026 6:15 pm

Option D

Taylor T. Jan 27, 2026 9:03 am

Yeah, D. Dynamic groups auto-populate based on attributes like OS type or version.

Alex D. Feb 4, 2026 10:15 pm

Option D makes sense for dynamic endpoint groups in Cortex XDR since they're defined by fields like OS or segment, auto-populating as endpoints match those criteria. B would apply if the question was about static groups, but "dynamic" is the key here. I think some folks mix this up since other EDRs blur the lines. Agree?

Arjun Jan 31, 2026 7:48 am

Ajay W. Feb 4, 2026 9:41 am

Is anyone else thinking B could sorta make sense if the question focused more on group membership flexibility? The "dynamic" part pushes me toward D though, since those use things like OS and network segment to assign endpoints automatically. Am I missing something?

Jordan S. Feb 5, 2026 7:49 am

B tbh, since you can have an endpoint in several groups for different policy scopes. I think that's how flexible grouping works, unless I'm mixing this up with static assignments. Kinda tricky question.

LaylaE Feb 5, 2026 6:05 pm

D imo

Sara Jan 27, 2026 8:01 am

B or D, but I picked B. Saw a similar question in a practice set and it said endpoints could belong to multiple groups for flexible policy use, which sounded right to me.

Nora Feb 9, 2026 10:17 pm

I see why someone would pick B, since in some EDRs you can add a device to multiple groups for flexible policy management. But from what I've seen, dynamic endpoint groups in Cortex XDR are more about auto-populating based on attributes, not stacking policies by group overlap. Went with B here since the question doesn't rule that out, but not 100% sure. Agree or did I miss something?

PreciseLead9646 Feb 7, 2026 8:35 am

Its D. Dynamic endpoint groups in XDR are built on criteria like OS type or network segment so they update automatically.

Be respectful. No spam.

Q: 6

[Dashboards and Reporting] Which action is being taken with the query below? dataset = xdr_data | fields agent_hostname, _time, _product | comp latest as latest_time by agent_hostname, _product | join type=inner (dataset = endpoints | fields endpoint_name, endpoint_status, endpoint_type) as lookup lookup.endpoint_name = agent_hostname | filter endpoint_status = ENUM.CONNECTED | fields agent_hostname, endpoint_status, latest_time, _product

Options

Discussion

MethodicalMentor8575 Feb 2, 2026 6:26 am

Option A had a similar question in exam reports and it matches the query logic.

Parker D. Feb 2, 2026 5:47 pm

A , C looks tempting but without filtering on endpoint_type it's really all connected endpoints. Seen similar traps in practice exams.

Vikram B. Feb 2, 2026 10:59 am

Sanjay O. Feb 10, 2026 6:02 am

Yeah, A fits since there isn’t any filter on endpoint_type so it’s pulling latest activity for all connected endpoints, not just firewalls. Would have to see endpoint_type=firewall for C to make sense. Pretty sure on this, but open if I missed something.

Reese I. Feb 5, 2026 11:56 am

A , C is tempting but the trap is no firewall filter so it's just all endpoints that are connected.

Sanjay W. Feb 6, 2026 4:49 am

These questions make Palo Alto reporting sound trickier than it is. A

Leo A. Feb 9, 2026 5:47 am

Option A but I get why some go for C. The trap is that there’s no endpoint_type filter, so it’s all connected endpoints, not just firewalls. Pretty sure about this, unless I missed something in the join step. Anyone see it differently?

Taylor Jan 30, 2026 2:37 am

Why not C if they filtered by endpoint_type? Without that, looks like it covers everything connected.

Skyler B. Jan 26, 2026 7:47 pm

A , C is tricky but there's no endpoint_type filter, so not just firewalls.

Quinn S. Jan 25, 2026 7:08 am

Be respectful. No spam.

Q: 7

[Post-Deployment Management and Configuration] What happens when the XDR Collector is uninstalled from an endpoint by using the Cortex XDR console?

Options

Discussion

Morgan G. Jan 28, 2026 7:05 pm

In official docs and most practice tests for XDR, configuration retention is usually set to the default (90 days), but I've seen some guides reference 7 days too. Anyone confirm from the latest admin guide?

Robin Z. Jan 31, 2026 12:07 am

Nah, it's C. The uninstall kicks in at the next heartbeat and config data sticks around for 90 days unless you've set it differently. Pretty sure docs back that up, but open to being corrected if I'm missing a twist.

SkepticalNeteng3312 Feb 9, 2026 9:44 am

B tbh, since some docs mention config data sticks around for just 7 days, not 90. C seems like a trap here.

Ben L. Feb 11, 2026 9:58 pm

B is wrong, C. Encountered exactly similar question in my exam and config data sat for 90 days post-uninstall, not deleted instantly.

Jason P. Feb 1, 2026 4:26 am

Its C

Leo G. Jan 27, 2026 8:50 am

I don't think D is right here since config data isn't wiped instantly. C makes sense because the uninstallation waits for the next heartbeat and keeps config for 90 days, that's in line with what I’ve seen in exam reports.

Neha Feb 5, 2026 6:35 am

B vs C for me. Pretty sure config data sticks around, but I thought retention was 7 days not 90. Maybe I'm mixing it up with a different product though, so let me know if I missed something.

Taylor D. Feb 13, 2026 4:23 pm

C imo

Kevin I. Feb 2, 2026 1:12 am

Probably C. Standard retention is 90 days unless a custom policy says otherwise.

Ravi C. Feb 10, 2026 2:55 am

C or D? I know config data usually sticks around for 90 days (which matches C), but I get why some say D cause it mentions "immediately." Pretty sure C is the standard, but wouldn't be shocked if D slipped through. Agree?

Be respectful. No spam.

Q: 8

[Post-Deployment Management and Configuration] A cloud administrator reports high network bandwidth costs attributed to Cortex XDR operations and asks for bandwidth usage to be optimized without compromising agent functionality. Which two techniques should the engineer implement? (Choose two.)

Options

Discussion

Nathan Jan 24, 2026 5:41 pm

Don’t think D is the right fit unless you’re dealing with segmentation or brokers specifically. A and C actually target bandwidth reduction: P2P reduces cloud pulls, and bandwidth control limits usage. Pretty sure that's what the question wants, but open to other views.

Aaron B. Jan 27, 2026 12:38 am

I was thinking C and D since Broker VM (D) acts as local relay, so less cloud traffic. C is obvious for direct bandwidth management. Not totally sure though, maybe A helps more internally? Open to better logic here.

Grace Feb 9, 2026 1:40 am

A and C tbh. P2P update sharing (A) keeps traffic local, and bandwidth management (C) lets you throttle usage, so both help cut cloud network costs. D feels more about segmentation than basic bandwidth savings.

Quinn E. Feb 1, 2026 6:58 am

A,C imo. P2P download sources (A) let agents grab updates from local peers, which drops cloud bandwidth use a lot. Bandwidth control (C) directly sets a cap. D is more for network segmentation cases, not general cost savings. Happy to be corrected if I missed something.

SharpAnalyst326 Jan 24, 2026 7:52 pm

A and C. Using P2P agent upgrades plus bandwidth control should keep network overhead down. I think that's the right mix here.

Karan C. Jan 29, 2026 4:22 am

C vs D. If the admin wants to control bandwidth, C (bandwidth control) feels right, but D (Broker VM) is tempting because it also helps optimize traffic by handling updates locally. I might pick C and D, though A does help with internal P2P sharing. Not totally sure here, could be wrong on this combo.

Amelia J. Jan 29, 2026 10:13 pm

Maybe A and C. P2P download sources (A) lower the external bandwidth hits by sharing updates internally, and bandwidth control (C) lets you cap usage. D seems more for segmented networks so not certain, but I'd pick A/C unless I'm missing something.

Kevin Z. Feb 1, 2026 12:21 am

Pretty sure it's A and C, saw a similar scenario on a mock. Both help cut bandwidth.

MasonL Jan 26, 2026 5:48 pm

A and C make sense since P2P sources and bandwidth control directly cut WAN usage. D is tempting but actually more about segmentation, not general bandwidth. Unless they mention isolated networks, I'd stick with A/C here. Disagree?

SharpOps6976 Feb 11, 2026 2:15 am

I’d say D

Be respectful. No spam.

Q: 9

[Data Ingestion and Integration] In addition to using valid authentication credentials, what is required to enable the setup of the Database Collector applet on the Broker VM to ingest database activity?

Options

Discussion

Anita L. Jan 29, 2026 1:40 pm

I don't think it's B or D here. The collector applet setup just asks for a valid SQL query that pulls the activity you want, not access to logs. Option A matches what I've seen in similar practice material. Happy if someone sees it differently but pretty sure A's correct since the others are more for audit/forensic cases.

Mia Jan 27, 2026 2:33 pm

A . Seen this in a lab before, just need a valid SQL query for the applet to ingest data.

Luke Jan 24, 2026 12:55 pm

C/D? The key here is the collector applet expects a valid SQL query for ingestion but if the database isn't configured to expose those tables, then B or D could matter. Pretty sure it's A unless the environment locks down custom queries. Anyone disagree?

Piya M. Jan 26, 2026 5:56 pm

Yeah, it's A. You need a valid SQL query as part of the collector setup process.

Quinn O. Feb 3, 2026 5:28 am

A imo. The setup process really focuses on needing a valid SQL query to pull the right activity, not just log access or schema. Not 100% on this but that's how I've seen it in practice.

Nathan O. Feb 9, 2026 3:46 pm

B is tempting since audit logs are often used for monitoring, but for the Database Collector applet you actually need to provide a valid SQL query (A) during setup. That's how you specify which events or activity should be ingested. Palo Alto's docs highlight the SQL query piece, so I'd go A here. If anyone can point to a use case where B is required instead, I'm interested.

Adam Jan 28, 2026 5:29 pm

I was actually thinking B, since access to the audit log is usually important for tracking database activity. Not 100% sure though.

Adam Jan 27, 2026 12:26 pm

A is my pick, is correct here. Had something like this in a mock and it wanted a valid SQL query as part of the config process for the Database Collector applet, not just audit log or schema access. Pretty sure about this but open to pushback if I missed something subtle.

Reese Jan 26, 2026 7:19 am

Probably A since the Database Collector needs an actual SQL query to pull the relevant activity. Just having access to logs or schema isn’t enough for this setup, as far as I know. Let me know if anyone's seen different in practice.

Morgan G. Feb 3, 2026 9:39 pm

A tbh. From what I've seen in the official guide and practice labs, the setup really just checks for a valid SQL query to start ingesting data. Other options relate more to auditing or deep forensics. If anyone saw something different in labs, open to it!

Be respectful. No spam.

Q: 10

[Maintenance and Troubleshooting] A query is created that will run weekly via API. After it is tested and ready, it is reviewed in the Query Center. Which available column should be checked to determine how many compute units will be used when the query is run?

Options

Discussion

Ivy Feb 7, 2026 1:33 pm

Option B here. Compute Unit Usage shows what's actually used when the query runs on schedule, not just a simulated estimate. I think that's what they're looking for but if anyone saw something different in the UI, let me know.

Kevin N. Feb 5, 2026 12:15 am

Option B popped up in a practice set I did, pretty sure it's right. "Compute Unit Usage" reflects what actually gets consumed when the query runs live, not just in test mode.

Leo D. Jan 29, 2026 3:12 am

Had something like this in a mock, B.

Riley J. Jan 25, 2026 7:16 am

Is "Simulated Compute Units" (C) ever shown in the official practice test for post-deployment queries? I remember seeing it there.

Amelia L. Feb 3, 2026 5:18 am

C or B, but honestly feel like C fits too if we're talking about tested queries before scheduling.

NathanI Jan 27, 2026 10:39 pm

Nathan Q. Feb 10, 2026 10:53 pm

Noah S. Feb 9, 2026 4:41 pm

C or B. If the review's happening before it's actually live, C could be valid here depending on Query Center view.

SharpAnalyst9452 Jan 29, 2026 9:59 am

C or B? If they're asking for what's actually consumed after the query goes live via API, it's gotta be B (Compute Unit Usage). But if the question wanted a pre-run estimate, then C (Simulated Compute Units) would make sense. Based on the wording though, pretty sure it's B here. Let me know if you interpret it different.

Karan Feb 13, 2026 1:24 am

I've seen similar questions in official guides, and B is the way to go for live API usage. "Compute Unit Usage" directly shows the actual compute resources your scheduled query will consume, not just estimates or quotas. If anyone's used official practice tests, should match up there too. Pretty sure about this but open to other views.

Be respectful. No spam.

Question 1 of 20 · Page 1 / 2

Premium Access Includes

✓ Quiz Simulator
✓ Exam Mode
✓ Progress Tracking
✓ Question Saving
✓ Flash Cards
✓ Drag & Drops
✓ 3 Months Access
✓ PDF Downloads

Get Premium Access

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE