PSE-Cortex Questions and Answers

sudo repoquery -a --installed

sudo demistoserver-x.x-xxxx.sh -- -tools=load

sudo docker ps load

sudo docker load -i YOUR_DOCKER_FILE.tar

Create a task that sends the survey responses to the analyst via email. If the responses are incorrect, the analyst fills out the correct response in the survey.

Create a manual task to ask the analyst to validate the survey response in the platform.

Create a sub-playbook and import a list of manager emails into XSOAR. Use a conditional task comparison to check if the response matches an email on the list. If no matches are found, loop the sub-playbook and send the survey back to the user until a match is found.

Create a conditional task comparison to check if the response contains a valid email address.

playbook editor

XSOAR audit log

/var/log/messages

War Room of the incident

To generate additional training material for the POV’s production implementation

To certify that the POV was completed and meets all customer requirements

To allow implementation teams to bypass scooping exercises and shorten delivery time

To ensure the implementation teams understand the customer use cases and priorities

exploit

malware

phishing

ransomware

Cortex XDR Pro per TB

Cortex XDR Prevent

Cortex XDR Endpoint

Cortex XDR Pro Per Endpoint

To execute playbooks, scripts, commands, and integrations

To manage multiple Cortex XSOAR tenants

To provide a user interface for security analysts

To store and manage incident data, remediation plans, and documentation

Live sensors

Live terminal

Log forwarding

Log stitching

Threat feed integration

Automation daybooks

Parsing rules

Data models

Analyst, training costs, duplicated, false positives

People, staffing costs, duplicates, false positives

People, security controls, mean time to detect, false positives

Standard operating procedures, staffing costs, duplicates, mean time to respond

RPM

SH

DEB

ZIP

Local static analysis happens before a WildFire verdict check.

In the final step, the block list is verified.

A trusted signed file is exempt from local static analysis.

Hash comparisons come after local static analysis.

Regex

STIX

CSV

CIDR

Generic Polling Automation Playbook

Playbook Tasks

Sub-Play books

Playbook Functions

indicators of compromise (IOC) rules

query builder

live terminal

host insights module

endpoint manager

SOC manager

SOC analyst

desktop engineer

Gather information about the word processing applications and run them on a Windows XP SP3 VM Determine if any of the applications are vulnerable and run the exploit with an exploitation tool

Run word processing exploits in a latest version of Windows VM in a controlled and isolated environment. Document indicators of compromise and compare to Traps protection capabilities

Run a known 2015 flash exploit on a Windows XP SP3 VM. and run an exploitation tool that acts as a listener Use the results to demonstrate Traps capabilities

Prepare the latest version of Windows VM Gather information about the word processing applications, determine if some of them are vulnerable and prepare a working exploit for at least one of them Execute with an exploitation tool

adding new fields to an incident type

setting reminders for an incident service level agreement

defining whether a playbook runs automatically when an incident type is encountered

dropping new incidents of the same type that contain similar information

firewall alert

SIEM alert

full URL

registry set value

It provides advanced customization capabilities.

It provides real-time protection across hosts and containers.

It enables consolidation of multiple point products into a single integrated service.

It enables a comprehensive view of the customer environment with regard to digital employee productivity.

SIEM has access to raw logs from agents, where Cortex XDR traditionally only gets alerts.

Cortex XDR allows just logging into the console and out of the box the events were blocked as a proactive approach.

Cortex XDR requires a large and diverse team of analysts and up to several weeks for simple actions like creating an alert.

SIEM has been entirely designed and built as cloud-native, with the ability to stitch together cloud logs, on-premises logs, third-party logs, and endpoint logs.

Which cybersecurity framework to implement for Secure Operations Center (SOC) operations

Whether communication with internal or external applications is required

How to configure network firewalls for optimal performance

Which endpoint protection software to integrate with Cortex XSOAR

file explorer

Log stitching

live sensor

live terminal

ArcSight ESM integration

SplunkUpdate integration

Demisto App for Splunk integration

SplunkPY integration

uses the most severe score scores

the reputation as undefined

uses the average score

uses the least severe score

Alert range indicators

Al-generated correlation rules

Automatic incident scoring

Dynamic alarm fields

It provides a statistical model for combining scores from multiple vendors

It resolves conflicting scores from different vendors with the same indicator.

It allows for comparison between open-source intelligence and paid services.

It helps identify threat feed vendors with invalid content.

With the Malware Security profile, disable the "Prevent Malicious Child Process Execution" module

Within the Malware Security profile add the specific parent process, child process, and command line argument to the child process whitelist

In the Cortex XDR security event, review the specific parent process, child process, and command line arguments

Contact support and ask for a security exception.

All widgets are customizable.

Dashboards cannot be shared across an organization.

A widget can have its own time range that is different from the rest of the dashboard.

Some widgets cannot be changed

Sample analysis

Correlation rule

Causality View

Automation playbook

Secure Shell (SSH)

SAML

RADIUS

Customer Support Portal

XSOAR Threat Intelligence Platform (TIP)

XSOAR Automated Systems

XSOAR Ticketing Systems

XSOAR Marketplace

Response > Action Center

the local console

Telnet

Endpoint > Endpoint Management

SplunkPY integration

Demisto App for Splunk integration

XSOAR REST API integration

Splunk integration

Marketplace Integration

Playbook

Data Ingestion Dashboard

Asset Inventory

alert root cause

hostname

domain/workgroup membership

OS

presence of Flash executable

Mark as artifact

Mark as scheduled entry

Mark as note

Mark as evidence

Execution

Certification

Conclusion

Testing

create a “docker” group and add the "Cortex XSOAR" or "demisto" user to this group

create a "Cortex XSOAR' or "demisto" group and add the "docker" user to this group

disable the Cortex XSOAR service

enable the docker service

SIEMs supports only agentless scanning, not agent-based workload protection across VMs, containers/Kubernetes.

UEBA can add trusted signers of Windows or Mac processes to a whitelist in the Endpoint Security Manager (ESM) Console.

SIEMs have difficulty detecting unknown or advanced security threats that do not involve malware, such as credential theft.

UEBA establishes a secure connection in which endpoints can be routed, and it collects and forwards logs and files for analysis.

Live Sensors

File Explorer

Log Stitching

Live Terminal

It will prevent all threats in the environment.

It is used to enforce license compliance.

It runs automation daybooks on the endpoints.

It provides telemetry for stitching and analytics.

White lists the process from Wild Fire analysis

exempts the user from generating events for 24 hours

exempts administrators from generating alerts for 24 hours

disables the triggered EPM for the host and process involve

playbook features

sub-playbooks

conditional tasks

manual tasks