Palo Alto Networks Certified Detection and Remediation Analyst (PCDRA) — Question 81

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in Phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?

Answer options

• A. Enable DLL Protection on all endpoints but there might be some false positives.
• B. Create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.
• C. No step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.
• D. No step is required because the malicious document is already stopped.

Correct answer: B

Explanation

The correct answer is B, as creating Behavioral Threat Protection (BTP) rules allows for proactive recognition and prevention of similar malicious activities in the future. Option A may help but could generate false positives, while C and D incorrectly assume no further action is needed despite the ongoing threat of similar phishing attempts.