PSE-Cortex Palo Alto Networks System Engineer - Cortex Professional Questions and Answers

To ensure secure connectivity between the customer's network and the Cortex platform while adhering to compliance restrictions, the customer should use the Broker VM. The Broker VM acts as a secure intermediary between the local network and the Cortex platform, allowing for controlled and encrypted communication without directly exposing the network to the platform.

Adding processing resources for heavily used integrations, ensuring that the workload is distributed effectively across multiple engines via load-balancing groups.

Integrating with tools in network locations that the main Cortex XSOAR server cannot reach directly, ensuring proper communication and functionality between the server and isolated systems.

When preparing the golden image in a Cortex XDR Virtual Desktop Infrastructure (VDI) deployment, it is required to scan the image using the imageprep tool. This tool ensures that the image is properly configured for use in a VDI environment by preparing it for deployment with Cortex XDR.

During a Cortex Xpanse proof of value (POV), it's important to review the mapping in advance to identify a few interesting findings to share with the customer. This helps highlight the product's value and allows the customer to see actionable insights early in the evaluation process, making the POV more impactful.

If a prospective customer is unable to run a product evaluation, Tech Rehearsal can be used to showcase Cortex XDR. A Tech Rehearsal provides a guided demonstration of the product's capabilities and features, allowing the customer to gain a deeper understanding of how it works in their environment without a formal evaluation.

Confirm the integration credentials or API keys are valid, as incorrect or expired credentials are a common cause of connection issues.

Check the integration logs and enable a higher logging level if needed, to view more detailed error information. This can help identify the root cause of the failure and guide further troubleshooting.

Correct

Audit users in Cortex XSOAR have limited, read-only access to the system, which allows them to view information without making any changes. Full users, on the other hand, have read-write access, meaning they can both view and modify incidents, configurations, and other system components.

Cortex Xpanse provides visibility over remote workforce risks by identifying customer assets on residential networks. This allows organizations to monitor and secure assets that are outside of the traditional corporate network, which is particularly important as more employees work remotely and connect from various locations.

A clear understanding of a customer’s technical expertise helps post-sales teams customize their support and training efforts to match the customer's knowledge level. This ensures that the customer receives the appropriate guidance, training, and resources needed to effectively use the product or solution after the sale.

Cortex Data Lake (often referred to as Strata Logging Service in some contexts) is Palo Alto Networks’ cloud-based storage solution that centralizes security data for products like Cortex XDR, Prisma Access, and NGFWs. The question involves a customer who has activated a TMS (Tenant Management Service) tenant but has not purchased a Cortex Data Lake instance. TMS is part of the Palo Alto Networks ecosystem for managing tenants and services, typically associated with Cortex or Prisma deployments. Let’s break this down to determine the size of the free Cortex Data Lake instance provided in this scenario.

Understanding TMS and Cortex Data Lake:

TMS Tenant: The Tenant Management Service is a framework used to manage multiple tenants or instances within Palo Alto Networks’ cloud services (e.g., Cortex XDR, Prisma Access). Activating a TMS tenant implies the customer has initialized a management structure but hasn’t committed to a full Cortex Data Lake purchase.

Free Cortex Data Lake Instance: Palo Alto Networks provides a limited, free tier of Cortex Data Lake storage to customers who activate certain services or products, allowing them to evaluate functionality or store minimal data before committing to a paid license.

Free Storage Allocation:

When a customer activates a TMS tenant without purchasing a Cortex Data Lake instance, Palo Alto Networks allocates a default free storage capacity to enable basic functionality. According to official documentation and standard practices:

The free Cortex Data Lake instance provides 100 GB of storage.

This amount is intended for initial use cases, such as storing logs from a small number of endpoints (e.g., Cortex Xテゴ XDR Prevent agents), firewall logs, or trial data during evaluation periods.

Option Analysis:

A. 10 GB:

Analysis: 10 GB is too small to be a meaningful free tier for a product like Cortex Data Lake, which is designed to handle security telemetry from endpoints, networks, or cloud services. Even basic log storage for a few devices over a short period would exceed this quickly.

Conclusion: Incorrect.

B. 1 TB:

Analysis: 1 TB (1,000 GB) is a substantial amount of storage, typically associated with paid Cortex Data Lake subscriptions rather than a free tier. Offering this much for free would undermine the paid licensing model.

Conclusion: Incorrect.

C. 10 TB:

Analysis: 10 TB is even larger and aligns with enterprise-scale paid deployments, not a free instance. This size is far beyond what’s provided without a purchase.

Conclusion: Incorrect.

D. 100 GB:

Analysis: 100 GB is the documented size of the free Cortex Data Lake instance provided to customers who activate a tenant (e.g., via TMS) without purchasing additional storage. It’s sufficient for small-scale testing, such as storing logs from a handful of Cortex XDR agents or firewall data for a limited retention period (e.g., 30 days).

Conclusion: Correct.

Supporting Context:

Cortex XDR Example: For Cortex XDR Prevent customers, activating a tenant includes 100 GB of free Cortex Data Lake storage for 30 days of alert data (not full telemetry, which requires XDR Pro). This aligns with the TMS scenario, where basic tenant activation triggers the same free tier.

Prisma Access: Similarly, Prisma Access customers activating a tenant without a purchased Data Lake instance receive 100 GB for initial log storage.

Documentation: While exact wording may vary, Palo Alto Networks consistently references 100 GB as the free tier across product activation guides.

Cortex Xpanse ingests public IP addresses from XDR endpoints. This allows the platform to monitor and track internet-facing assets, providing visibility into exposed assets and potential attack surfaces across the network.

25 web pages

As a Palo Alto Cortex Professional, I’ll provide a detailed explanation for Question 165: Which Cortex XSIAM license is required if an organization needs to protect a cloud Kubernetes host? based on Palo Alto Networks’ documentation and licensing structure for Cortex XSIAM.

Correct Answer: D. Cortex XSIAM Enterprise Plus

Cortex XSIAM (Extended Security Intelligence and Automation Management) is an AI-driven security operations platform that unifies endpoint, network, cloud, and identity protection into a single solution. Protecting a cloud Kubernetes host involves securing containerized workloads in a Kubernetes environment, which requires specific capabilities such as agent-based or agentless detection, runtime protection, and integration with cloud-specific telemetry. Let’s evaluate the licensing options provided—A. Attack Surface Management, B. Cortex XSIAM Enterprise, C. Identity Threat Detection and Response, and D. Cortex XSIAM Enterprise Plus—to determine which one meets this requirement.

Cortex XSIAM Licensing Overview:

Cortex XSIAM offers tiered licensing plans, each providing different levels of functionality:

Attack Surface Management (ASM): Focuses on discovering and managing external attack surfaces (e.g., internet-facing assets). It does not include endpoint or cloud host protection capabilities like those needed for Kubernetes.

Cortex XSIAM Enterprise: The base tier that includes core SOC capabilities such as SIEM, XDR (endpoint detection and response), SOAR (security orchestration, automation, and response), and basic endpoint protection. It supports standard endpoint protection but lacks advanced cloud workload protection for Kubernetes.

Identity Threat Detection and Response (ITDR): An add-on or standalone module focused on detecting and responding to identity-based threats (e.g., credential misuse). It does not provide host-level protection for cloud environments like Kubernetes.

Cortex XSIAM Enterprise Plus: The highest tier, which extends the Enterprise license with advanced capabilities, including enhanced cloud workload protection for environments like Kubernetes, additional analytics packs, and broader data ingestion.

Kubernetes Protection Requirements:

Protecting a cloud Kubernetes host with Cortex XSIAM involves:

Agent-Based Protection: Deploying the Cortex XDR agent as a DaemonSet on Kubernetes nodes to monitor processes, network activity, and file events at the host and container levels.

Agentless Protection: Leveraging cloud telemetry and analytics for unmanaged Kubernetes clusters.

Cloud Workload Security: Detecting and responding to threats in containerized environments, which requires integration with Kubernetes-specific data (e.g., pod metadata, container runtime details).

Palo Alto Networks introduced Kubernetes-specific security features in Cortex XDR and XSIAM, including a specialized Linux agent and analytics packs for managed and unmanaged clusters. These capabilities are tied to advanced licensing tiers beyond the base Enterprise offering.

Option Analysis:

A. Attack Surface Management:

Purpose: Identifies exposed assets and vulnerabilities across the attack surface.

Relevance: While useful for visibility into external risks, ASM does not provide runtime protection or agent deployment for Kubernetes hosts.

Conclusion: Incorrect. It lacks the necessary endpoint and cloud protection features.

B. Cortex XSIAM Enterprise:

Purpose: Provides core XDR, SIEM, and SOAR functionality with endpoint protection for standard hosts (e.g., Windows, Linux).

Relevance: Includes the Cortex XDR agent for basic endpoint protection but does not explicitly cover advanced cloud workload protection for Kubernetes. The Enterprise tier is designed for general SOC operations and lacks the specialized Kubernetes analytics and licensing required for cloud hosts.

Conclusion: Incorrect. It’s insufficient for Kubernetes-specific protection.

C. Identity Threat Detection and Response:

Purpose: Focuses on identity-based threat detection (e.g., monitoring user behavior, credential attacks).

Relevance: ITDR is unrelated to host-level protection for Kubernetes. It addresses a different threat vector (identity) rather than cloud workload security.

Conclusion: Incorrect. It does not meet the requirement.

D. Cortex XSIAM Enterprise Plus:

Purpose: Extends the Enterprise tier with advanced features, including enhanced cloud detection and response (CDR), support for cloud workloads (e.g., Kubernetes, VMs), and additional analytics packs.

Relevance: The Enterprise Plus license includes the necessary capabilities for protecting cloud Kubernetes hosts. It supports the Cortex XDR agent for Kubernetes (deployed as a DaemonSet) and integrates agentless detection for cloud environments. Documentation highlights that advanced cloud protection, such as for Kubernetes, requires this higher tier, often tied to the “Cloud per Host” licensing model within XSIAM.

Conclusion: Correct. This license provides the required functionality.

Licensing Nuance:

For Cortex XDR (a component of XSIAM), protecting a Kubernetes host requires a Cortex Cloud per Host license, which is distinct from the standard Pro per Endpoint license. Within the XSIAM framework, this cloud-specific protection is bundled into the Enterprise Plus tier, which encompasses advanced cloud security features beyond what’s available in the base Enterprise license. The Enterprise Plus tier ensures compatibility with Kubernetes environments through both agent-based and agentless approaches, as outlined in Palo Alto Networks’ Kubernetes security enhancements.

Documenting notes from the Proof of Value (POV) is crucial for the post-sales handoff because it helps ensure that implementation teams understand the customer use cases and priorities. This documentation provides context for the customer's specific needs, enabling a smoother and more tailored implementation process.

The Live terminal capability in Cortex XDR allows the immediate termination of an anomalous process or the entire process tree during the investigation of a security event. This feature helps analysts take swift action to stop potentially malicious activity on the endpoint in real-time.

Before requesting a Cortex XSOAR proof of value (POV) evaluation, it's important to gather a list of the different integrations that will need to be configured. This ensures that the POV can be tailored to the customer's environment and use cases, and allows the evaluation to be based on real-world data and workflows.

Cortex Data Lake (now known as Strata Logging Service in some contexts, but still referred to as Cortex Data Lake for XDR purposes) is the cloud-based storage solution that supports Cortex XDR by storing endpoint telemetry, logs, and analytics data. The customer’s storage needs depend on the number of Cortex XDR clients, the subset forwarding data, the retention period, and the type of data stored (e.g., higher fidelity logs for advanced analytics). Let’s break down the problem step-by-step to determine the new storage requirement.

Initial Configuration:

Total Cortex XDR Clients: 300

Clients Forwarding Cortex XDR Data: 300 (all clients are forwarding data)

Retention Period: 30 days

Additional Requirement: Storage for higher fidelity logs to support Cortex XDR advanced analytics

Initial Storage Ordered: 2 TB

This configuration implies that 2 TB was sufficient to support 300 clients, all forwarding data, with a 30-day retention period, including the additional storage needed for advanced analytics logs.

New Configuration:

Total Cortex XDR Clients: 1,000

Clients Forwarding Cortex XDR Data: 300 (unchanged from the initial setup)

Retention Period: 30 days (unchanged)

Additional Requirement: Storage for higher fidelity logs to support Cortex XDR advanced analytics (unchanged)

The key change is the increase in total Cortex XDR clients from 300 to 1,000, but the number of clients forwarding data remains 300, and the retention period and analytics requirements are unchanged. We need to determine how this affects the storage requirement.

Cortex Data Lake Storage Sizing for Cortex XDR:

Palo Alto Networks provides sizing guidelines for Cortex Data Lake based on the number of endpoints forwarding data, the retention period, and the type of data stored. The storage requirement is primarily driven by:

Clients Forwarding Data: Only the endpoints actively sending telemetry to Cortex Data Lake (e.g., Cortex XDR Pro endpoints with enhanced data collection) contribute significantly to storage needs.

Retention Period: The number of days data is retained directly scales the storage requirement.

Data Type: Higher fidelity logs for advanced analytics (e.g., XDR Pro features like behavioral analytics) increase storage per endpoint compared to basic logs.

Cortex XDR Prevent: Provides basic endpoint protection with minimal data forwarding (e.g., alerts only), typically included in a 30-day retention baseline with minimal storage impact.

Cortex XDR Pro: Includes enhanced endpoint data collection (e.g., process execution, network activity) for advanced analytics, significantly increasing storage needs when enabled.

The problem states that all 300 initial clients were forwarding data, and the same 300 continue to do so in the new setup, with support for advanced analytics. This suggests these are likely Cortex XDR Pro clients, as Pro is required for full telemetry and analytics capabilities.

Storage Calculation:

Palo Alto Networks doesn’t publish exact per-endpoint storage figures publicly, but we can infer the requirement from the initial configuration and industry benchmarks:

Initial Setup (300 Clients, 30 Days, 2 TB):

2 TB supports 300 clients forwarding data for 30 days with advanced analytics.

Per client, this approximates to:2 TB÷300 clients=0.00667 TB/client2 \, \text{TB} \div 300 \, \text{clients} = 0.00667 \, \text{TB/client} 2TB÷300clients=0.00667TB/client or 6.67 GB per client for 30 days with higher fidelity logs.

This aligns with typical XDR Pro storage estimates, where enhanced data collection (e.g., 5-10 GB per endpoint per 30 days) is common depending on activity levels and analytics features.

New Setup (1,000 Total Clients, 300 Forwarding, 30 Days):

Clients Forwarding Data: Still 300, unchanged.

Retention: Still 30 days, unchanged.

Analytics Logs: Still required, unchanged.

Storage is driven by the 300 clients forwarding data, not the total number of clients. The additional 700 clients (1,000 - 300 = 700) are not forwarding data, suggesting they might be on Cortex XDR Prevent licenses or not fully activated for data collection, contributing negligible storage (e.g., only alerts, which are minimal).

Thus, the storage requirement remains:

300clients×6.67GB/client=2,001GB≈2TB

To determine the required log ingestion license when sizing a Cortex XSIAM deployment, it's most effective to ask the customer for average log ingestion estimates from their existing SIEM. This provides a clear understanding of the data volume to be ingested, helping to accurately determine the necessary licensing.

The QuickStart service offering is designed for customers who need to rapidly deploy a solution like Cortex XSOAR. It provides a streamlined process for setting up the product, which is ideal for customers who have limited availability of internal resources due to other projects. QuickStart allows for a faster and more efficient implementation.

Premium Success is the offering from Palo Alto Networks that provides phone support for customers who have purchased Cortex XDR. This service includes access to technical support for critical issues and offers enhanced services to ensure smooth product usage and problem resolution.

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/cortex-xdr-indicators/working-with-biocs/create-a-bioc-rule.html