An existing Palo Alto Networks SASE customer expresses that their security operations practice is having difficulty using the SASE data to help detect threats in their environment. They understand that parts of the Cortex portfolio could potentially help them and have reached out for guidance on moving forward. Which two Cortex products are good recommendation for this customer? (Choose two.)
Correct Answer: A,B
Cortex XSOAR provides automation and orchestration capabilities to help streamline security operations and enhance threat detection by integrating with existing security tools and automating responses. Cortex XDR offers advanced detection and response across endpoints, networks, and cloud, helping to correlate security data, detect threats, and respond effectively, especially when dealing with diverse security data sources.
Question 7
A customer has purchased Cortex Data Lake storage with the following configuration, which requires 2 TB of Cortex Data Lake to order: support for 300 total Cortex XDR clients all forwarding Cortex XDR data with 30-day retention storage for higher fidelity logs to support Cortex XDR advanced analytics The customer now needs 1000 total Cortex XDR clients, but continues with 300 clients forwarding Cortex XDR data with 30-day retention. What is the new total storage requirement for Cortex Data Lake storage to order?
Correct Answer: D
Cortex Data Lake (now known as Strata Logging Service in some contexts, but still referred to as Cortex Data Lake for XDR purposes) is the cloud-based storage solution that supports Cortex XDR by storing endpoint telemetry, logs, and analytics data. The customer's storage needs depend on the number of Cortex XDR clients, the subset forwarding data, the retention period, and the type of data stored (e.g., higher fidelity logs for advanced analytics). Let's break down the problem step-by-step to determine the new storage requirement. Initial Configuration: * Total Cortex XDR Clients: 300 * Clients Forwarding Cortex XDR Data: 300 (all clients are forwarding data) * Retention Period: 30 days * Additional Requirement: Storage for higher fidelity logs to support Cortex XDR advanced analytics * Initial Storage Ordered: 2 TB This configuration implies that 2 TB was sufficient to support 300 clients, all forwarding data, with a 30-day retention period, including the additional storage needed for advanced analytics logs. New Configuration: * Total Cortex XDR Clients: 1,000 * Clients Forwarding Cortex XDR Data: 300 (unchanged from the initial setup) * Retention Period: 30 days (unchanged) * Additional Requirement: Storage for higher fidelity logs to support Cortex XDR advanced analytics (unchanged) The key change is the increase in total Cortex XDR clients from 300 to 1,000, but the number of clients forwarding data remains 300, and the retention period and analytics requirements are unchanged. We need to determine how this affects the storage requirement. Cortex Data Lake Storage Sizing for Cortex XDR: Palo Alto Networks provides sizing guidelines for Cortex Data Lake based on the number of endpoints forwarding data, the retention period, and the type of data stored. The storage requirement is primarily driven by: * Clients Forwarding Data: Only the endpoints actively sending telemetry to Cortex Data Lake (e.g., Cortex XDR Pro endpoints with enhanced data collection) contribute significantly to storage needs. * Retention Period: The number of days data is retained directly scales the storage requirement. * Data Type: Higher fidelity logs for advanced analytics (e.g., XDR Pro features like behavioral analytics) increase storage per endpoint compared to basic logs. * Cortex XDR Prevent: Provides basic endpoint protection with minimal data forwarding (e.g., alerts only), typically included in a 30-day retention baseline with minimal storage impact. * Cortex XDR Pro: Includes enhanced endpoint data collection (e.g., process execution, network activity) for advanced analytics, significantly increasing storage needs when enabled. The problem states that all 300 initial clients were forwarding data, and the same 300 continue to do so in the new setup, with support for advanced analytics. This suggests these are likely Cortex XDR Pro clients, as Pro is required for full telemetry and analytics capabilities. Storage Calculation: Palo Alto Networks doesn't publish exact per-endpoint storage figures publicly, but we can infer the requirement from the initial configuration and industry benchmarks: * Initial Setup (300 Clients, 30 Days, 2 TB): * 2 TB supports 300 clients forwarding data for 30 days with advanced analytics. * Per client, this approximates to:2 TB÷300 clients=0.00667 TB/client2 \, \text{TB} \div 300 \, \text {clients} = 0.00667 \, \text{TB/client} 2TB÷300clients=0.00667TB/client or 6.67 GB per client for 30 days with higher fidelity logs. * This aligns with typical XDR Pro storage estimates, where enhanced data collection (e.g., 5-10 GB per endpoint per 30 days) is common depending on activity levels and analytics features. * New Setup (1,000 Total Clients, 300 Forwarding, 30 Days): * Clients Forwarding Data: Still 300, unchanged. * Retention: Still 30 days, unchanged. * Analytics Logs: Still required, unchanged. * Storage is driven by the 300 clients forwarding data, not the total number of clients. The additional 700 clients (1,000 - 300 = 700) are not forwarding data, suggesting they might be on Cortex XDR Prevent licenses or not fully activated for data collection, contributing negligible storage (e.g., only alerts, which are minimal). Thus, the storage requirement remains: 300clients×6.67GB/client=2,001GB#2TB References: Cortex XDR Documentation: Indicates that storage is calculated based on endpoints with data collection enabled, not total agents (e.g., docs-cortex.paloaltonetworks.com). Cortex Data Lake Sizing: Palo Alto's sizing tools (e.g., Strata Logging Service Estimator) emphasize active data sources and retention, not total licenses. Industry Norms: XDR solutions typically require 5-15 GB per endpoint per 30 days for advanced analytics, consistent with the 2 TB for 300 clients.
Question 8
A customer is hesitant to directly connect their network to the Cortex platform due to compliance restrictions. Which deployment method should the customer use to ensure secure connectivity between their network and the Cortex platform?
Correct Answer: D
To ensure secure connectivity between the customer's network and the Cortex platform while adhering to compliance restrictions, the customer should use the Broker VM. The Broker VM acts as a secure intermediary between the local network and the Cortex platform, allowing for controlled and encrypted communication without directly exposing the network to the platform.
Question 9
Where is the best place to find official resource material?
Correct Answer: B
Question 10
What is the primary function of an engine in Cortex XSOAR?
Correct Answer: A
The primary function of an engine in Cortex XSOAR is to execute playbooks, scripts, commands, and integrations. This allows the platform to automate and orchestrate security operations tasks, helping security teams respond to incidents more efficiently.
