Palo Alto Networks System Engineer – Cortex — Question 50
A Cortex XDR Pro administrator is alerted to a suspicious process creation security event from multiple users who believe these events are false positives.
Which two steps should be taken to confirm the false positives and create an exception? (Choose two.)
Answer options
- A. Within the Malware Security profile, disable the Prevent Malicious Child Process Execution module.
- B. Contact support and ask for a security exception.
- C. Within the Malware Security profile, add the specific parent process, child process, and command line argument to the child process whitelist.
- D. In the Cortex XDR security event, review the specific parent process, child process, and command line arguments.
Correct answer: C, D
Explanation
Start with option D: open the security event in Cortex XDR and review the parent process, the child process it spawned, and the command-line arguments. This is what confirms whether the activity is an expected part of the users' workflow or a genuine attack pattern that only resembles one. If it is benign, option C creates the exception: in the Malware Security profile, add that exact parent process, child process and command line to the child process whitelist, so only the verified combination is excluded from future alerts while other suspicious child processes are still blocked. Option A disables the Prevent Malicious Child Process Execution module outright, removing the protection for every process instead of handling the one false positive. Option B is unnecessary because exceptions are configured by the administrator in the profile, not requested from support.
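As an added illustration (not Cortex XDR code, and not its real exception syntax; the event records, the whitelist entry and the glob matching on the command line are constructed assumptions), the following models why the exception in option C should pin all three attributes. A narrow entry suppresses only the reviewed benign combination, a wildcard command line also hides a malicious child process launched by the same parent, and disabling the module (option A) hides everything.

```python
"""Model of a child-process exception, added for this question.

Not Cortex XDR code: ProcessEvent, ChildProcessException and triage() are
assumptions used to show the effect of a narrow versus a broad exception.
"""
from dataclasses import dataclass
import fnmatch


@dataclass(frozen=True)
class ProcessEvent:
    """One constructed process-creation event (parent, child, command line)."""
    parent: str
    child: str
    cmdline: str


@dataclass(frozen=True)
class ChildProcessException:
    """A whitelist entry keyed on parent, child and a command-line glob.

    The glob syntax is an assumption for this example, not the product's.
    """
    parent: str
    child: str
    cmdline_pattern: str

    def matches(self, ev: ProcessEvent) -> bool:
        return (ev.parent.lower() == self.parent.lower()
                and ev.child.lower() == self.child.lower()
                and fnmatch.fnmatchcase(ev.cmdline, self.cmdline_pattern))


def triage(events, exceptions, module_enabled=True):
    """Split events into (alerted, suppressed).

    module_enabled=False models option A: the module is off, so every
    event is suppressed regardless of the whitelist.
    """
    alerted, suppressed = [], []
    for ev in events:
        if not module_enabled or any(x.matches(ev) for x in exceptions):
            suppressed.append(ev)
        else:
            alerted.append(ev)
    return alerted, suppressed


# Constructed sample events: the reviewed benign workflow, a malicious
# variant from the same parent/child pair, and an unrelated event.
BENIGN = ProcessEvent("winword.exe", "powershell.exe",
                      "powershell.exe -File C:\\Tools\\export.ps1")
SUSPICIOUS = ProcessEvent("winword.exe", "powershell.exe",
                          "powershell.exe -nop -w hidden -enc SQBFAFgA")
OTHER = ProcessEvent("excel.exe", "cmd.exe", "cmd.exe /c whoami")
EVENTS = [BENIGN, SUSPICIOUS, OTHER]

# Option C done properly: parent, child and full command line are pinned.
NARROW = ChildProcessException("winword.exe", "powershell.exe",
                               "powershell.exe -File C:\\Tools\\export.ps1")
# An over-broad entry that omits the command line.
BROAD = ChildProcessException("winword.exe", "powershell.exe", "*")


def narrow_result():
    return triage(EVENTS, [NARROW])


def broad_result():
    return triage(EVENTS, [BROAD])


def module_disabled_result():
    return triage(EVENTS, [], module_enabled=False)


if __name__ == "__main__":
    for name, fn in (("narrow", narrow_result), ("broad", broad_result),
                     ("module off", module_disabled_result)):
        alerted, suppressed = fn()
        print(f"{name}: alerted={len(alerted)} suppressed={len(suppressed)}")
```

Run it and compare the three cases: the narrow entry suppresses one event and still alerts on the encoded PowerShell launch, the wildcard entry silences that launch too, and the disabled module alerts on nothing.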