Palo Alto Networks Security Operations Professional — Question 15
Which task should a threat hunter include in the investigation when a Cortex XDR incident contains alerts about a malicious process?
Answer options
- A. Immediately isolate the endpoint and delete the identified file.
- B. Search for the SHA256 file hash on other endpoints in the environment.
- C. Add the SHA256 file hash to the Cortex XDR global block list.
- D. Disable the account of the user responsible for initiating the process.
Correct answer: B
Explanation
The correct answer is B because searching for the SHA256 file hash on other endpoints helps determine whether the malicious process has spread to or affected other systems. Option A is premature because it does not assess the broader impact, C is reactive and not part of the initial investigation, and D may not be necessary until the extent of the incident has been confirmed.