Palo Alto Networks XDR-Analyst Exam - Topic 1 Question 2 Discussion

Actual exam question for Palo Alto Networks's XDR-Analyst exam

Question #: 2
Topic #: 1

As a Malware Analyst working with Cortex XDR you notice an alert suggesting that there was a prevented attempt to open a malicious Word document. You learn from the WildFire report and AutoFocus that this document is known to have been used in Phishing campaigns since 2018. What steps can you take to ensure that the same document is not opened by other users in your organization protected by the Cortex XDR agent?

AEnable DLL Protection on all endpoints but there might be some false positives.

BCreate Behavioral Threat Protection (BTP) rules to recognize and prevent the activity.

CNo step is required because Cortex shares IOCs with our fellow Cyber Threat Alliance members.

DNo step is required because the malicious document is already stopped.

Show Suggested Answer

Suggested Answer: B

The correct answer is B, create Behavioral Threat Protection (BTP) rules to recognize and prevent the activity. BTP rules are a powerful feature of Cortex XDR that allow you to define custom rules to detect and block malicious behaviors on endpoints. You can use BTP rules to create indicators of compromise (IOCs) based on file attributes, registry keys, processes, network connections, and other criteria. By creating BTP rules, you can prevent the same malicious Word document from being opened by other users in your organization, even if the document has a different name or hash value. BTP rules are updated through content updates and can be managed from the Cortex XDR console.

The other options are incorrect for the following reasons:

A is incorrect because enabling DLL Protection on all endpoints is not a specific or effective way to prevent the malicious Word document. DLL Protection is a feature of Cortex XDR that prevents the loading of unsigned or untrusted DLLs by protected processes. However, this feature does not apply to Word documents or macros, and may cause false positives or compatibility issues with legitimate applications.

C is incorrect because relying on Cortex to share IOCs with the Cyber Threat Alliance members is not a proactive or sufficient way to prevent the malicious Word document. The Cyber Threat Alliance is a group of cybersecurity vendors that share threat intelligence and best practices to improve their products and services. However, not all vendors are members of the alliance, and not all IOCs are shared or updated in a timely manner. Therefore, you cannot assume that other users in your organization are protected by the same IOCs as Cortex XDR.

D is incorrect because doing nothing is not a responsible or secure way to prevent the malicious Word document. Even though Cortex XDR agent prevented the attempt to open the document on one endpoint, it does not mean that the document is no longer a threat. The document may still be circulating in your network or email system, and may be opened by other users who have different agent profiles or policies. Therefore, you should take steps to identify and block the document across your organization.

Cortex XDR Agent Administrator Guide: Behavioral Threat Protection

Cortex XDR Agent Administrator Guide: DLL Protection

Palo Alto Networks: Cyber Threat Alliance

by Wei at Dec 18, 2025, 12:41 PM

Limited Time Offer

25%

2 months ago

I think I'd go with option B. Creating BTP rules to recognize and prevent the activity seems like the best way to proactively protect against this known threat.

upvoted 0 times

...