XDR-Engineer Palo Alto Networks XDR Engineer Question and Answers

In Cortex XDR,endpoint isolationis a response action that restricts network communication to and from an endpoint, allowing only communication with the Cortex XDR management server to maintain agent functionality. To allow additional network access (e.g., from a set of IP addresses) to an isolated endpoint, administrators can configureisolation exceptionsto permit specific traffic while the endpoint remains isolated.

Correct Answer Analysis (C):TheExceptions Configuration section of Isolation Exceptionsin the Cortex XDR console allows administrators to define exceptions for isolated endpoints, such as permitting network access from specific IP addresses. This ensures that the isolated endpoint can communicate with designated IPs (e.g., for IT support or backup servers) while maintaining isolation from other network traffic.

Why not the other options?

A. Add entries in Configuration section of Security Settings: The Security Settings section in the Cortex XDR console is used for general tenant-wide configurations (e.g., password policies), not for managing isolation exceptions.

B. Add entries in the Allowed Domains section of Security Settings for the tenant: The Allowed Domains section is used to whitelist domains for specific purposes (e.g., agent communication), not for defining IP-based exceptions for isolated endpoints.

D. Add entries in Response Actions section of Agent Settings profile: The Response Actions section in Agent Settings defines automated response actions (e.g., isolate on specific conditions), but it does not configure exceptions for already isolated endpoints.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains isolation exceptions: “To allow specific network access to an isolated endpoint, add IP addresses or domains in the Exceptions Configuration section of Isolation Exceptions in the Cortex XDR console” (paraphrased from the Endpoint Isolation section). TheEDU-262: Cortex XDR Investigation and Responsecourse covers isolation management, stating that “Isolation Exceptions allow administrators to permit network access from specific IPs to isolated endpoints” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “post-deployment management and configuration” as a key exam topic, encompassing isolation exception configuration.

Cortex XDR agents on Windows include multiple components (e.g., for exploit protection, malware scanning, or behavioral analysis) that can be individually enabled or disabled for troubleshooting purposes, such as isolating compatibility issues. Thecytool.exeutility, located in the Cortex XDR installation directory (typically C:\Program Files\Palo Alto Networks\Traps\), is used to manage agent components and settings. The runtime stop command specifically disables a component without uninstalling the agent.

Correct Answer Analysis (B):The command"C:\Program Files\Palo Alto Networks\Traps\cytool.exe" runtime stopis used to turn off a specific Cortex XDR agent component on a Windows machine. For example, cytool.exe runtime stop protection would disable the protection component, allowing troubleshooting for compatibility issues while keeping other components active.

Why not the other options?

A. "C:\Program Files\Palo Alto Networks\Traps\xdr.exe" stop: The xdr.exe binary is not used for managing components; it is part of the agent’s corefunctionality. The correct utility is cytool.exe.

C. "C:\Program Files\Palo Alto Networks\Traps\xdr.exe" -s stop: Similarly, xdr.exe is not the correct tool, and -s stop is not a valid command syntax for component management.

D. "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" occp: The occp command is not a valid cytool.exe option. The correct command for stopping a component is runtime stop.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains component management: “To disable a Cortex XDR agent component on Windows, use the command cytool.exe runtime stop from the installation directory” (paraphrased from the Troubleshooting section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers agent troubleshooting, stating that “cytool.exe runtime stop is used to turn off specific components for compatibility testing” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “maintenance and troubleshooting” as a key exam topic, encompassing agent component management.

TheXDR Collectoris a lightweight agent in Cortex XDR used to collect logs and events from endpoints or servers. When uninstalled via the Cortex XDR console, the uninstallation process is initiated remotely, but the actual removal occurs during the endpoint’s next communication with the Cortex XDR tenant, known as theheartbeat. The heartbeat interval is typically every few minutes, ensuring timely uninstallation. After uninstallation, the machine’s status in the console updates, and associated configuration data is retained for a specific period to support potential reinstallation or auditing.

Correct Answer Analysis (C):When the XDR Collector is uninstalled using the Cortex XDR console,it is uninstalled during the next heartbeat communication, themachine status changes to Uninstalled, and theconfiguration data is retained for 90 days. This retention period allows administrators to review historical data or reinstall the collector if needed, after which the data is permanently deleted.

Why not the other options?

A. The files are removed immediately, and the machine is deleted from the system without any retention period: Uninstallation is not immediate; it occurs at the next heartbeat. Additionally, Cortex XDR retains configuration data for a period, not deleting it immediately.

B. The machine status remains active until manually removed, and the configuration data is retained for up to seven days: The machine status updates to Uninstalled automatically, not requiring manual removal, and the retention period is 90 days, not seven days.

D. The associated configuration data is removed from the Action Center immediately after uninstallation: Configuration data is retained for 90 days, not removed immediately, and the Action Center is not the primary location for this data.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains XDR Collector uninstallation: “Whenuninstalled via the console, the XDR Collector is removed at the next heartbeat, the machine status changes to Uninstalled, and configuration data is retained for 90 days” (paraphrased from the XDR Collector Management section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers collector management, stating that “uninstallation occurs at the next heartbeat, with a 90-day retention period for configuration data” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “post-deployment management and configuration” as a key exam topic, encompassing XDR Collector uninstallation.

In Cortex XDR, a false positive alert involvingOUTLOOK.EXEtriggering aCGO (Codegen Operation)alert related toDWWIN.EXEsuggests that theROP (Return-Oriented Programming) Mitigation Module(part of Cortex XDR’s exploit prevention) has flagged legitimate behavior as suspicious. ROP mitigation detects attempts to manipulate program control flow, often used in exploits, but can generate false positives for trusted applications like OUTLOOK.EXE. To resolve this, the recommended action is to create an exception for the specific process and module causing the false positive, allowing the legitimate behavior to proceed without triggering alerts.

Correct Answer Analysis (D):Create an exception for OUTLOOK.EXE for ROP Mitigation Moduleis the recommended action. Since OUTLOOK.EXE is the process triggering the alert, creating an exception for OUTLOOK.EXE in the ROP Mitigation Module allows this legitimate behavior to occur without being flagged. This is done by adding OUTLOOK.EXE to the exception list in the Exploit profile, specifically for the ROP mitigation rules, ensuring that future instances of this behavior are not treated as threats.

Why not the other options?

A. Create an alert exclusion for OUTLOOK.EXE: While an alert exclusion can suppress alerts for OUTLOOK.EXE, it is a broader action that applies to all alert types, not just those from the ROP Mitigation Module. This could suppress other legitimate alerts for OUTLOOK.EXE, reducing visibility into potential threats. An exception in the ROP Mitigation Module is more targeted.

B. Disable an action to the CGO Process DWWIN.EXE: Disabling actions for DWWIN.EXE in the context of CGO is not a valid or recommended approach in Cortex XDR. DWWIN.EXE (Dr. Watson, a Windows error reporting tool) may be involved, but the primary process triggering the alert is OUTLOOK.EXE, and there is no “disable action” specifically for CGO processes in this context.

C. Create an exception for the CGO DWWIN.EXE for ROP Mitigation Module: While DWWIN.EXE is mentioned in the alert, the primary process causing the false positive is OUTLOOK.EXE, as it’s the application initiating the behavior. Creating an exception for DWWIN.EXE would not address the root cause, as OUTLOOK.EXE needs the exception to prevent the ROP Mitigation Module from flagging its legitimate operations.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains false positive resolution: “To resolve false positives in the ROP Mitigation Module, create an exception for the specific process (e.g., OUTLOOK.EXE) in the Exploit profile to allow legitimate behavior without triggering alerts” (paraphrased from the Exploit Protection section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers exploit prevention tuning, stating that “exceptions for processes like OUTLOOK.EXE in the ROP Mitigation Module prevent false positives while maintaining protection” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “detection engineering” as a key exam topic, encompassing false positive resolution.

Cortex XDR agents communicate with the cloud for tasks like receiving content updates, agent upgrades, and sending telemetry data, which can consume significant network bandwidth. To optimize bandwidth usage without compromising agent functionality, the engineer should implement techniques that reduce network traffic while maintaining full detection, prevention, and response capabilities.

Correct Answer Analysis (A, C):

A. Configure P2P download sources for agent upgrades and content updates: Peer-to-Peer (P2P) download sources allow Cortex XDR agents to share content updates and agent upgrades with other agents on the same network, reducing the need for each agent to download data directly from the cloud. This significantly lowers bandwidth usage, especially in environments with many endpoints.

C. Enable agent content management bandwidth control: Cortex XDR provides bandwidth control settings in theContent Managementconfiguration, allowing administrators to limit the bandwidth used for content updates and agent communications. This feature throttles data transfers to minimize network impact while ensuring updates are still delivered.

Why not the other options?

B. Enable minor content version updates: Enabling minor content version updates ensures agents receive incremental updates, but this alone does not significantly optimize bandwidth, as it does not address the volume or frequency of data transfers. It is a standard practice but not a primary bandwidth optimization technique.

D. Deploy a Broker VM and activate the local agent settings applet: A Broker VM can act as a local proxy for agent communications, potentially reducing cloud traffic, but thelocal agent settings appletis used for configuring agent settings locally, not for bandwidth optimization. Additionally, deploying a Broker VM requires significant setup and may not directly address bandwidth for content updates or upgrades compared to P2P or bandwidth control.

Exact Extract or Reference:

TheCortex XDR Documentation Portaldescribes bandwidth optimization: “P2P download sources enable agents to share content updates and upgrades locally, reducing cloud bandwidth usage” and “Content Management bandwidth control allows administrators to limit the network impact of agent updates” (paraphrased from the Agent Management and Content Updates sections). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers post-deployment optimization, stating that “P2P downloads and bandwidth control settings are key techniques for minimizing network usage” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “post-deployment management and configuration” as a key exam topic, encompassing bandwidth optimization.

The providedXQL (XDR Query Language)query in Cortex XDR retrieves and processes data to provide insights into endpoint activity. Let’s break down the query to understand its purpose:

dataset = xdr_data | fields agent_hostname, _time, _product: Selects thexdr_datadataset (general event data) and retrieves fields for the agent hostname, timestamp, and product (e.g., agent type or component).

comp latest as latest_time by agent_hostname, _product: Computes the latest timestamp (_time) for each combination of agent_hostname and _product, naming the result latest_time. This identifies the most recent activity for each endpoint and product.

join type=inner (dataset = endpoints | fields endpoint_name, endpoint_status, endpoint_type) as lookup lookup.endpoint_name = agent_hostname: Performs an inner join with theendpointsdataset, matching endpoint_name (from the endpoints dataset) with agent_hostname (from xdr_data), and retrieves fields like endpoint_status and endpoint_type.

filter endpoint_status = ENUM.CONNECTED: Filters the results to include only endpoints with a status ofCONNECTED.

fields agent_hostname, endpoint_status, latest_time, _product: Outputs the final fields: hostname, status, latest activity time, and product.

Correct Answer Analysis (A):The query ismonitoring the latest activity of endpoints. It calculates the most recent activity (latest_time) for each connected endpoint (agent_hostname) by joining event data (xdr_data) with endpoint metadata (endpoints) and filtering for connected endpoints. This provides a view of the latest activity for active endpoints, useful for monitoring their status and recent events.

Why not the other options?

B. Identifying endpoints that have disconnected from the network: The queryfilters for endpoint_status = ENUM.CONNECTED, so it only includes connected endpoints, not disconnected ones.

C. Monitoring the latest activity of connected firewall endpoints: The query does not filter for firewall endpoints (e.g., using endpoint_type or _product to specify firewalls). It applies to all connected endpoints, not just firewalls.

D. Checking for endpoints with outdated agent versions: The query does not retrieve or compare agent version information (e.g., agent_version field); it focuses on the latest activity time.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains XQL queries: “Queries using comp latest and joins with the endpoints dataset can monitor the latest activity of connected endpoints by calculating the most recent event timestamps” (paraphrased from the XQL Reference Guide). TheEDU-262: Cortex XDR Investigation and Responsecourse covers XQL for monitoring, stating that “combining xdr_data and endpoints datasets with a latest computation monitors recent endpoint activity” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “dashboards and reporting” as a key exam topic, encompassing XQL queries for monitoring.

In Cortex XDR,Malware profilesdefine how the agent handles files for analysis, including whether they are uploaded to the cloud forWildFireanalysis or other cloud-based inspections. To prevent a specific executable from being uploaded to the cloud, the administrator can configure anexclusion rulein the Malware profile. Exclusion rules allow specific files, directories, or patterns to be excluded from cloud analysis, ensuring they are not sent to the cloud while still allowing local analysis or other policy enforcement.

Correct Answer Analysis (D):Creating anexclusion rulefor the executable in the Malware profile ensures that the specified file is not uploaded to the cloud for analysis. This can be done by specifying the file’s name, hash, or path in the exclusion settings, preventing unnecessary cloud uploads while maintaining agent functionality for other files.

Why not the other options?

A. Disable on-demand file examination for the executable: Disabling on-demand file examination prevents the agent from analyzing the file at all, which could compromise security by bypassing local and cloud analysis entirely. This is not the intended solution.

B. Set PE and DLL examination for the executable to report action mode: Setting examination to “report action mode” configures the agent to log actions without blocking or uploading, but it does not specifically prevent cloud uploads. This option is unrelated to controlling cloud analysis.

C. Add the executable to the allow list for executions: Adding an executable to the allow list permits it to run without triggering prevention actions, but it does not prevent the file from being uploaded to the cloud for analysis.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains Malware profile configuration: “Exclusion rules in Malware profiles allow administrators to specify files or directories that are excluded from cloud analysis, preventing uploads to WildFire or other cloud services” (paraphrased from the Malware Profile Configuration section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers agent configuration, stating that “exclusion rules can be used to prevent specific files from being sent to the cloud for analysis” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “Cortex XDR agent configuration” as a key exam topic, encompassing Malware profile settings.

In Cortex XDR,fixed filtersanddashboard drilldownsare key features that enhance the interactivity and usability of dashboards. Fixed filters allow users to refine the data displayed in dashboard widgets by selecting predefined or dynamic values (e.g., time ranges, severities, or alertsources), adjusting the scope of the data presented. Dashboard drilldowns, on the other hand, enable users to interact with widget elements (e.g., clicking on a chart bar) to gain deeper insights, such as navigating to detailed views, other dashboards, or executingXQL (XDR Query Language)searches for granular data analysis.

Correct Answer Analysis (C):The statement in option C accurately describes the functionality:Fixed filters let users select predefined or dynamic values to adjust the scope, ensuring users can focus on specific subsets of data (e.g., alerts from a particular source).Dashboard drilldowns provide interactive insights or trigger contextual changes, like linking to XQL searches, allowing users to explore related data or perform detailed investigations directly from the dashboard.

Why not the other options?

A. Fixed filters allow users to select predefined data values, while dashboard drilldowns enable users to alter the scope of the data displayed by selecting filter values from the dashboard header: This is incorrect because drilldowns do not alter the scope via dashboard header filters; they provide navigational or query-based insights (e.g., linking to XQL searches). Additionally, fixed filters support both predefined and dynamic values, not just predefined ones.

B. Fixed filters limit the data visible in widgets, while dashboard drilldowns allow users to download data from the dashboard in various formats: While fixed filters limit data in widgets, drilldowns do not primarily facilitate data downloads. Downloads are handled via export functions, not drilldowns.

D. Fixed filters allow users to adjust the layout, while dashboard drilldowns provide links to external reports and/or dashboards: Fixed filters do not adjust the dashboard layout; they filter data. Drilldowns can link to other dashboards but not typically to external reports, and their primary role is interactive data exploration, not just linking.

Exact Extract or Reference:

TheCortex XDR Documentation Portaldescribes dashboard features: “Fixed filters allow users to select predefined or dynamic values to adjust the scope of data in widgets. Drilldowns enable interactive exploration by linking to XQL searches or other dashboards for contextual insights” (paraphrased from the Dashboards and Widgets section). TheEDU-262: Cortex XDR Investigation and Responsecourse covers dashboard configuration, stating that “fixed filters refine data scope, and drilldowns provide interactive links to XQL queries or related dashboards” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “dashboards and reporting” as a key exam topic, encompassing fixed filters and drilldowns.

In a sensitive and highly regulated environment (e.g., healthcare, finance), Cortex XDR agent configurations must balance security with stability and compliance. This often involves controlling agent upgrades and content updates to minimize disruptions while ensuring timely protection updates. The following steps are recommended to achieve this balance.

Correct Answer Analysis (B, C):

B. Create an agent settings profile where the agent upgrade scope is maintenance releases only: In regulated environments, frequent agent upgrades can introduce risks of instability or compatibility issues. Limiting upgrades tomaintenance releases only(e.g., bug fixes and minor updates, not major version changes) ensures stability while addressing critical issues. This is configured in the agent settings profile to control the upgrade scope.

C. Create an agent settings profile, enable content auto-update, and include a delay of four days: Content updates (e.g., Behavioral Threat Protection rules, localanalysis logic) are critical for maintaining protection but can be delayed in regulated environments to allow for testing. Enablingcontent auto-updatewith afour-day delayensures that updates are applied automatically but provides a window to validate changes, reducing the risk of unexpected behavior.

Why not the other options?

A. Enable critical environment versions: There is no specific “critical environment versions” setting in Cortex XDR. This option appears to be a misnomer and does not align with standard agent configuration practices for regulated environments.

D. Enable minor content version updates: While enabling minor content updates can be useful, it does not provide the control needed in a regulated environment (e.g., a delay for testing). Option C (auto-update with a delay) is a more comprehensive and appropriate step.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains agent configurations for regulated environments: “In sensitive environments, configure agent settings profiles to limit upgrades to maintenance releases and enable content auto-updates with a delay (e.g., four days) to ensure stability and compliance” (paraphrased from the Agent Settings section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers agent management, stating that “maintenance-only upgrades and delayed content updates are recommended for regulated environments to balance security and stability” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “Cortex XDR agent configuration” as a key exam topic, encompassing settings for regulated environments.

In Cortex XDR, parsing rules are used to extract and normalize fields from log data ingested from various sources to ensure consistent analysis and correlation. To create reusable rules for consistent log field extraction across multiple data sources, administrators use theCONSTsection within the parsing rule configuration. TheCONSTsection allows the definition of reusable constants or rules that can be applied across different parsing rules, ensuring uniformity in how fields are extracted and processed.

TheCONSTsection is specifically designed to hold constant values or reusable expressions that can be referenced in other parts of the parsing rule, such as theRULEorINGESTsections. This is particularly useful when multiple data sources require similar field extraction logic, as it reduces redundancy and ensures consistency. For example, a constant regex pattern for extracting IP addresses can be defined in theCONSTsection and reused across multiple parsing rules.

Why not the other options?

RULE: TheRULEsection defines the specific logic for parsing and extracting fields from a log entry but is not inherently reusable across multiple rules unless referenced via constants defined inCONST.

INGEST: TheINGESTsection specifies how raw log data is ingested and preprocessed, not where reusable rules are defined.

FILTER: TheFILTERsection is used to include or exclude log entries based on conditions, not for defining reusable extraction rules.

Exact Extract or Reference:

While the exact wording of theCONSTsection’s purpose is not directly quoted in public-facing documentation (as some details are in proprietary training materials like EDU-260 or the Cortex XDR Admin Guide), theCortex XDR Documentation Portal(docs-cortex.paloaltonetworks.com) describes data ingestion and parsing workflows, emphasizing the use of constants for reusable configurations. TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers data onboarding and parsing, noting that “constants defined in the CONST section allow reusable parsing logic for consistent field extraction across sources” (paraphrased from course objectives). Additionally, thePalo Alto Networks Certified XDR Engineer datasheetlists “data source onboarding and integration configuration” as a key skill, which includes mastering parsing rules and their components likeCONST.

In Cortex XDR,custom prevention rulesare used to block specific behaviors or activities on endpoints by leveragingBehavioral Indicators of Compromise (BIOCs). BIOCs define patterns of behavior (e.g., specific process executions, file modifications, or network activities) that, when detected, can trigger preventive actions, such as blocking a process or isolating an endpoint. These BIOCs are typically associated with aRestriction profile, which enforces blocking actions for matched behaviors.

Correct Answer Analysis (C):Acustom behavioral indicator of compromise (BIOC)added to aRestriction profileenables a custom prevention rule to block specific behavior. The BIOC defines the behavior to detect (e.g., a process accessing a sensitive file), and the Restriction profile specifies the preventive action (e.g., block the process). This configuration ensures that the identified behavior is blocked on endpoints where the profile is applied.

Why not the other options?

A. A correlation rule added to an Agent Blocking profile: Correlation rules are used to generate alerts by correlating events across datasets, not to block behaviors directly. There is no “Agent Blocking profile” in Cortex XDR; this is a misnomer.

B. A custom behavioral indicator of compromise (BIOC) added to an Exploit profile: Exploit profiles are used to detect and prevent exploit-based attacks (e.g., memory corruption), not general behavioral patterns defined by BIOCs. BIOCs are associated with Restriction profiles for blocking behaviors.

D. A correlation rule added to a Malware profile: Correlation rules do not directly block behaviors; they generate alerts. Malware profiles focus on file-based threats (e.g., executables analyzed by WildFire), not behavioral blocking via BIOCs.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains BIOC and Restriction profiles: “Custom BIOCs can be added to Restriction profiles to block specific behaviors on endpoints, enabling tailored prevention rules” (paraphrased from the BIOC and Restriction Profile sections). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers prevention rules, stating that “BIOCs in Restriction profiles enable blocking of specific endpoint behaviors” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “detection engineering” as a key exam topic, encompassing BIOC and prevention rule configuration.

In Cortex XDR,Scope-Based Access Control (SBAC)restricts user access to data based on predefined scopes, which can be assigned to endpoints, users, or other resources. Inpermissive mode, SBAC allows users to access data within their assigned scopes but may restrict access to data outside those scopes. The question assumes an SBAC scenario with four endpoints (E1, E2, E3, E4), where the user likely has access to a specific scope (e.g., Scope A) that includes E1, E2, and E3, while E4 is in a different scope (e.g., Scope B).

Correct Answer Analysis (C):When the tenant is switched to permissive mode, the user will have access toE1, E2, and E3because these endpoints are within the user’s assigned scope (e.g., Scope A). E4, being in a different scope (e.g., Scope B), will not be accessible unless the user has explicit accessto that scope. Permissive mode enforces scope restrictions, ensuring that only data within the user’s scope is visible.

Why not the other options?

A. E1 only: This is too restrictive; the user’s scope includes E1, E2, and E3, not just E1.

B. E2 only: Similarly, this is too restrictive; the user’s scope includes E1, E2, and E3, not just E2.

D. E1, E2, E3, and E4: This would only be correct if the user had access to both Scope A and Scope B or if permissive mode ignored scope restrictions entirely, which it does not. Permissive mode still enforces SBAC rules, limiting access to the user’s assigned scopes.

Exact Extract or Reference:

TheCortex XDR Documentation Portalexplains SBAC: “In permissive mode, Scope-Based Access Control restricts user access to endpoints within their assigned scopes, ensuring data visibility aligns with scope permissions” (paraphrased from the Scope-Based Access Control section). TheEDU-260: Cortex XDR Prevention and Deploymentcourse covers SBAC configuration, stating that “permissive mode allows access to endpoints within a user’s scope, such as E1, E2, and E3, while restricting access to endpoints in other scopes” (paraphrased from course materials). ThePalo Alto Networks Certified XDR Engineer datasheetincludes “post-deployment management and configuration” as a key exam topic, encompassing SBAC settings.