- Palo Alto Networks XDR Engineer Questions and Answers
What should be configured in Cortex XDR to integrate asset data from Microsoft Azure for better visibility and incident investigation?
Options:
A. Azure Network Watcher
B. Cloud Identity Engine
C. Cloud Inventory
D. Microsoft 365
Answer: C
Explanation:
Cortex XDR supports integration with cloud platforms like Microsoft Azure to ingest asset data, improving visibility into cloud-based assets and enhancing incident investigation by correlating cloud events with endpoint and network data. The Cloud Inventory feature in Cortex XDR is designed to collect and manage asset data from cloud providers, including Azure, providing details such as virtual machines, storage accounts, and network configurations.
Correct Answer Analysis (C): Cloud Inventory should be configured to integrate asset data from Microsoft Azure. This feature allows Cortex XDR to pull in metadata about Azure assets, such as compute instances, networking resources, and configurations, enabling better visibility and correlation during incident investigations. Administrators configure Cloud Inventory by connecting to Azure via API credentials (e.g., using an Azure service principal) to sync asset data into Cortex XDR.
Why not the other options?
A. Azure Network Watcher: Azure Network Watcher is a Microsoft Azure service for monitoring and diagnosing network issues, but it is not directly integrated with Cortex XDR for asset data ingestion.
B. Cloud Identity Engine: The Cloud Identity Engine integrates with identity providers (e.g., Azure AD) to sync user and group data for identity-based threat detection, not for general asset data like VMs or storage.
D. Microsoft 365: Microsoft 365 integration in Cortex XDR is for ingesting email and productivity suite data (e.g., from Exchange or Teams), not for Azure asset data.
Exact Extract or Reference:
The Cortex XDR Documentation Portal explains cloud integrations: “Cloud Inventory integrates with Microsoft Azure to collect asset data, enhancing visibility and incident investigation by providing details on cloud resources” (paraphrased from the Cloud Inventory section). The EDU-260: Cortex XDR Prevention and Deployment course covers cloud data integration, stating that “Cloud Inventory connects to Azure to ingest asset metadata for improved visibility” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “data ingestion and integration” as a key exam topic, encompassing Cloud Inventory setup.
Which method will drop undesired logs and reduce the amount of data being ingested?
Options:
A. [COLLECT:vendor="vendor", product="product", target_brokers="", no_hit=drop] * drop _raw_log contains "undesired logs";
B. [INGEST:vendor="vendor", product="product", target_dataset="vendor_product_raw", no_hit=drop] * filter _raw_log not contains "undesired logs";
C. [COLLECT:vendor="vendor", product="product", target_dataset="", no_hit=drop] * drop _raw_log contains "undesired logs";
D. [INGEST:vendor="vendor", product="product", target_brokers="vendor_product_raw", no_hit=keep] * filter _raw_log not contains "undesired logs";
Answer: C
Explanation:
In Cortex XDR, managing data ingestion involves defining rules to collect, filter, or drop logs to optimize storage and processing. The goal is to drop undesired logs to reduce the amount of data ingested. The syntax used in the options appears to be a combination of ingestion rule metadata (e.g., [COLLECT] or [INGEST]) and filtering logic, likely written in a simplified query language for log processing. The drop action explicitly discards logs matching a condition, while filter with not contains can achieve similar results by keeping only logs that do not match the condition.
Correct Answer Analysis (C): The method in option C ([COLLECT:vendor="vendor", product="product", target_dataset="", no_hit=drop] * drop _raw_log contains "undesired logs";) explicitly drops logs where the raw log content contains "undesired logs". The [COLLECT] directive defines the log collection scope (vendor, product, and dataset), and the no_hit=drop parameter indicates that unmatched logs are dropped. The drop _raw_log contains "undesired logs" statement ensures that logs matching the "undesired logs" pattern are discarded, effectively reducing the amount of data ingested.
Why not the other options?
A. Option A ([COLLECT:vendor="vendor", product="product", target_brokers="", no_hit=drop] * drop _raw_log contains "undesired logs";): This is similar to option C but uses target_brokers="", which is typically used for Broker VM configurations rather than direct dataset ingestion. While it could work, option C is more straightforward with target_dataset="".
B. Option B ([INGEST:vendor="vendor", product="product", target_dataset="vendor_product_raw", no_hit=drop] * filter _raw_log not contains "undesired logs";): This method uses filter _raw_log not contains "undesired logs" to keep logs that do not match the condition, which indirectly drops undesired logs. However, the drop action in option C is more explicit and efficient for reducing ingestion.
D. Option D ([INGEST:vendor="vendor", product="product", target_brokers="vendor_product_raw", no_hit=keep] * filter _raw_log not contains "undesired logs";): The no_hit=keep parameter means unmatched logs are kept, which does not align with the goal of reducing data. The filter statement reduces data, but no_hit=keep may counteract this by retaining unmatched logs, making this less effective than option C.
Exact Extract or Reference:
The Cortex XDR Documentation Portal explains log ingestion rules: “To reduce data ingestion, use the drop action to discard logs matching specific patterns, such as _raw_log contains 'pattern'” (paraphrased from the Data Ingestion section). The EDU-260: Cortex XDR Prevention and Deployment course covers data ingestion optimization, stating that “dropping logs with specific content using drop _raw_log contains is an effective way to reduce ingested data volume” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “data ingestion and integration” as a key exam topic, encompassing log filtering and dropping.
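To make the effect of the four variants concrete, the following is an added Python simulation (not Cortex XDR code, and not the product's parsing engine): it models the semantics the explanation above attributes to no_hit, drop and filter as an assumption, applies each option to a constructed set of raw log records, and counts what would be ingested. The target_dataset/target_brokers setting does not change which records are retained, so it is left out.

```python
"""Simulate the data-reduction effect of the four ingestion-rule variants.

Added illustration; the rule semantics below are an assumption modelled on
the explanation above, not Cortex XDR's real parser:
  * a rule's scope is its vendor/product pair;
  * records outside the scope are handled by no_hit ("drop" or "keep");
  * records inside the scope pass through the rule's statement, where
    `drop <cond>` discards matching records and `filter <cond>` keeps
    only matching records.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class LogRecord:
    vendor: str
    product: str
    raw_log: str  # stands in for _raw_log


@dataclass
class IngestionRule:
    name: str
    vendor: str
    product: str
    no_hit: str                       # "drop" or "keep"
    action: str                       # "drop" or "filter"
    condition: Callable[[str], bool]  # evaluated against _raw_log

    def in_scope(self, rec: LogRecord) -> bool:
        return rec.vendor == self.vendor and rec.product == self.product

    def retain(self, rec: LogRecord) -> bool:
        if not self.in_scope(rec):
            # no_hit decides the fate of records the rule does not match
            return self.no_hit == "keep"
        hit = self.condition(rec.raw_log)
        # drop: discard records that match; filter: keep records that match
        return (not hit) if self.action == "drop" else hit


def apply_rule(rule: IngestionRule, records: List[LogRecord]) -> List[LogRecord]:
    return [r for r in records if rule.retain(r)]


def contains(needle: str) -> Callable[[str], bool]:
    return lambda raw: needle in raw


def not_contains(needle: str) -> Callable[[str], bool]:
    return lambda raw: needle not in raw


# Constructed sample data: four in-scope records (two of them noise that
# contains the phrase "undesired logs") plus one record from another source.
SAMPLE_LOGS = [
    LogRecord("vendor", "product", "2024-05-01T10:00:00Z user=alice action=login result=success"),
    LogRecord("vendor", "product", "2024-05-01T10:00:05Z heartbeat undesired logs keepalive"),
    LogRecord("vendor", "product", "2024-05-01T10:00:09Z user=bob action=login result=failure"),
    LogRecord("vendor", "product", "2024-05-01T10:00:12Z debug undesired logs trace id=42"),
    LogRecord("other", "appliance", "2024-05-01T10:00:15Z unrelated source event"),
]

# The four answer options, reduced to the parts that affect retention.
OPTIONS: Dict[str, IngestionRule] = {
    "A": IngestionRule("A", "vendor", "product", "drop", "drop", contains("undesired logs")),
    "B": IngestionRule("B", "vendor", "product", "drop", "filter", not_contains("undesired logs")),
    "C": IngestionRule("C", "vendor", "product", "drop", "drop", contains("undesired logs")),
    "D": IngestionRule("D", "vendor", "product", "keep", "filter", not_contains("undesired logs")),
}


def ingested_counts(records: List[LogRecord] = SAMPLE_LOGS) -> Dict[str, int]:
    """Number of records each option would let through to ingestion."""
    return {name: len(apply_rule(rule, records)) for name, rule in OPTIONS.items()}


def noise_leaked(records: List[LogRecord] = SAMPLE_LOGS) -> Dict[str, int]:
    """Number of 'undesired logs' records that survive each option (should be 0)."""
    return {
        name: sum("undesired logs" in r.raw_log for r in apply_rule(rule, records))
        for name, rule in OPTIONS.items()
    }


if __name__ == "__main__":
    for name, count in ingested_counts().items():
        print(f"option {name}: {count} of {len(SAMPLE_LOGS)} records ingested")
```

Under these semantics options A, B and C retain the same two records, while option D additionally keeps the out-of-scope record because of no_hit=keep.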
Which configuration profile option with an available built-in template can be applied to both Windows and Linux systems by using XDR Collector?
Options:
A. Filebeat
B. HTTP Collector template
C. XDR Collector settings
D. Winlogbeat
Answer: A
Explanation:
The XDR Collector in Cortex XDR is a lightweight tool for collecting logs and events from servers and endpoints, including Windows and Linux systems, and forwarding them to the Cortex XDR cloud for analysis. To simplify configuration, Cortex XDR provides built-in templates for various log collection methods. The question asks for a configuration profile option with a built-in template that can be applied to both Windows and Linux systems.
Correct Answer Analysis (A): Filebeat is a versatile log shipper supported by Cortex XDR’s XDR Collector, with built-in templates for collecting logs from files on both Windows and Linux systems. Filebeat can be configured to collect logs from various sources (e.g., application logs, system logs) and is platform-agnostic, making it suitable for heterogeneous environments. Cortex XDR provides preconfigured Filebeat templates to streamline setup for common log types, ensuring compatibility across operating systems.
Why not the other options?
B. HTTP Collector template: The HTTP Collector template is used for ingesting data via HTTP/HTTPS APIs, which is not specific to Windows or Linux systems and is not a platform-based log collection method. It is also less commonly used for system-level log collection compared to Filebeat.
C. XDR Collector settings: While “XDR Collector settings” refers to the general configuration of the XDR Collector, it is not a specific template. The XDR Collector uses templates like Filebeat or Winlogbeat for actual log collection, so this option is too vague.
D. Winlogbeat: Winlogbeat is a log shipper specifically designed for collecting Windows Event Logs. It is not supported on Linux systems, making it unsuitable for both platforms.
Exact Extract or Reference:
The Cortex XDR Documentation Portal describes XDR Collector templates: “Filebeat templates are provided for collecting logs from files on both Windows and Linux systems, enabling flexible log ingestion across platforms” (paraphrased from the Data Ingestion section). The EDU-260: Cortex XDR Prevention and Deployment course covers XDR Collector configuration, stating that “Filebeat is a cross-platform solution for log collection, supported by built-in templates for Windows and Linux” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “data ingestion and integration” as a key exam topic, encompassing XDR Collector templates.
When onboarding a Palo Alto Networks NGFW to Cortex XDR, what must be done to confirm that logs are being ingested successfully after a device is selected and verified?
Options:
A. Conduct an XQL query for NGFW log data
B. Wait for an incident that involves the NGFW to populate
C. Confirm that the selected device has a valid certificate
D. Retrieve device certificate from NGFW dashboard
Answer: A
Explanation:
When onboarding a Palo Alto Networks Next-Generation Firewall (NGFW) to Cortex XDR, the process involves selecting and verifying the device to ensure it can send logs to Cortex XDR. After this step, confirming successful log ingestion is critical to validate the integration. The most direct and reliable method to confirm ingestion is to query the ingested logs using XQL (XDR Query Language), which allows the engineer to search for NGFW log data in Cortex XDR.
Correct Answer Analysis (A): Conduct an XQL query for NGFW log data is the correct action. After onboarding, the engineer can run an XQL query such as dataset = panw_ngfw_logs | limit 10 to check if NGFW logs are present in Cortex XDR. This confirms that logs are being successfully ingested and stored in the appropriate dataset, ensuring the integration is working as expected.
Why not the other options?
B. Wait for an incident that involves the NGFW to populate: Waiting for an incident is not a reliable or proactive method to confirm log ingestion. Incidents depend on detection rules and may not occur immediately, even if logs are being ingested.
C. Confirm that the selected device has a valid certificate: While a valid certificate is necessary during the onboarding process (e.g., for secure communication), this step is part of the verification process, not a method to confirm log ingestion after verification.
D. Retrieve device certificate from NGFW dashboard: Retrieving the device certificate from the NGFW dashboard is unrelated to confirming log ingestion in Cortex XDR. Certificates are managed during setup, not for post-onboarding validation.
Exact Extract or Reference:
The Cortex XDR Documentation Portal explains NGFW log ingestion validation: “To confirm successful ingestion of Palo Alto Networks NGFW logs, run an XQL query (e.g., dataset = panw_ngfw_logs) to verify that log data is present in Cortex XDR” (paraphrased from the Data Ingestion section). The EDU-260: Cortex XDR Prevention and Deployment course covers NGFW integration, stating that “XQL queries are used to validate that NGFW logs are being ingested after onboarding” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “data ingestion and integration” as a key exam topic, encompassing log ingestion validation.
Log events from a previously deployed Windows XDR Collector agent are no longer being observed in the console after an OS upgrade. Which aspect of the log events is the probable cause of this behavior?
Options:
A. They are greater than 5MB
B. They are in Winlogbeat format
C. They are in Filebeat format
D. They are less than 1MB
Answer: A
Explanation:
The XDR Collector on a Windows endpoint collects logs (e.g., Windows Event Logs) and forwards them to the Cortex XDR console for analysis. An OS upgrade can impact the collector’s functionality, particularly if it affects log formats, sizes, or compatibility. If log events are no longer observed after the upgrade, the issue likely relates to a change in how logs are processed or transmitted. Cortex XDR imposes limits on log event sizes to ensure efficient ingestion and processing.
Correct Answer Analysis (A): The probable cause is that the log events are greater than 5MB. Cortex XDR has a size limit for individual log events, typically around 5MB, to prevent performance issues during ingestion. An OS upgrade may change the way logs are generated (e.g., increasing verbosity or adding metadata), causing events to exceed this limit. If log events are larger than 5MB, the XDR Collector will drop them, resulting in no logs being observed in the console.
Why not the other options?
B. They are in Winlogbeat format: Winlogbeat is a supported log shipper for collecting Windows Event Logs, and the XDR Collector is compatible with this format. The format itself is not the issue unless misconfigured, which is not indicated.
C. They are in Filebeat format: Filebeat is also supported by the XDR Collector for file-based logs. The format is not the likely cause unless the OS upgrade changed the log source, which is not specified.
D. They are less than 1MB: There is no minimum size limit for log events in Cortex XDR, so being less than 1MB would not cause logs to stop appearing.
Exact Extract or Reference:
The Cortex XDR Documentation Portal explains log ingestion limits: “Individual log events larger than 5MB are dropped by the XDR Collector to prevent ingestion issues, which may occur after changes like an OS upgrade” (paraphrased from the XDR Collector Troubleshooting section). The EDU-260: Cortex XDR Prevention and Deployment course covers log collection issues, stating that “log events exceeding 5MB are not ingested, a common issue after OS upgrades that increase log size” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “maintenance and troubleshooting” as a key exam topic, encompassing log ingestion issues.
An administrator wants to employ reusable rules within custom parsing rules to apply consistent log field extraction across multiple data sources. Which section of the parsing rule should the administrator use to define those reusable rules in Cortex XDR?
Options:
A. RULE
B. INGEST
C. FILTER
D. CONST
Answer: D
Explanation:
In Cortex XDR, parsing rules are used to extract and normalize fields from log data ingested from various sources to ensure consistent analysis and correlation. To create reusable rules for consistent log field extraction across multiple data sources, administrators use the CONST section within the parsing rule configuration. The CONST section allows the definition of reusable constants or rules that can be applied across different parsing rules, ensuring uniformity in how fields are extracted and processed.
The CONST section is specifically designed to hold constant values or reusable expressions that can be referenced in other parts of the parsing rule, such as the RULE or INGEST sections. This is particularly useful when multiple data sources require similar field extraction logic, as it reduces redundancy and ensures consistency. For example, a constant regex pattern for extracting IP addresses can be defined in the CONST section and reused across multiple parsing rules.
Why not the other options?
A. RULE: The RULE section defines the specific logic for parsing and extracting fields from a log entry but is not inherently reusable across multiple rules unless referenced via constants defined in CONST.
B. INGEST: The INGEST section specifies how raw log data is ingested and preprocessed, not where reusable rules are defined.
C. FILTER: The FILTER section is used to include or exclude log entries based on conditions, not for defining reusable extraction rules.
Exact Extract or Reference:
While the exact wording of the CONST section’s purpose is not directly quoted in public-facing documentation (as some details are in proprietary training materials like EDU-260 or the Cortex XDR Admin Guide), the Cortex XDR Documentation Portal (docs-cortex.paloaltonetworks.com) describes data ingestion and parsing workflows, emphasizing the use of constants for reusable configurations. The EDU-260: Cortex XDR Prevention and Deployment course covers data onboarding and parsing, noting that “constants defined in the CONST section allow reusable parsing logic for consistent field extraction across sources” (paraphrased from course objectives). Additionally, the Palo Alto Networks Certified XDR Engineer datasheet lists “data source onboarding and integration configuration” as a key skill, which includes mastering parsing rules and their components like CONST.
A multinational company with over 300,000 employees has recently deployed Cortex XDR in North America. The solution includes the Identity Threat Detection and Response (ITDR) add-on, and the Cortex team has onboarded the Cloud Identity Engine to the North American tenant. After waiting the required soak period and deploying enough agents to receive Identity and threat analytics detections, the team does not see user, group, or computer details for individuals from the European offices. What may be the reason for the issue?
Options:
A. The XDR tenant is not in the same region as the Cloud Identity Engine
B. The Cloud Identity Engine plug-in has not been installed and configured
C. The Cloud Identity Engine needs to be activated in all global regions
D. The ITDR add-on is not compatible with the Cloud Identity Engine
Answer: A
Explanation:
The Identity Threat Detection and Response (ITDR) add-on in Cortex XDR enhances identity-based threat detection by integrating with the Cloud Identity Engine, which synchronizes user, group, and computer details from identity providers (e.g., Active Directory, Okta). For the Cloud Identity Engine to provide comprehensive identity data across regions, it must be properly configured and aligned with the Cortex XDR tenant’s region.
Correct Answer Analysis (A): The issue is likely that the XDR tenant is not in the same region as the Cloud Identity Engine. Cortex XDR tenants are region-specific (e.g., North America, Europe), and the Cloud Identity Engine must be configured to synchronize data with the tenant in the same region. If the North American tenant is used but the European offices’ identity data is managed by a Cloud Identity Engine in a different region (e.g., Europe), the tenant may not receive user, group, or computer details for European users, causing the observed issue.
Why not the other options?
B. The Cloud Identity Engine plug-in has not been installed and configured: The question states that the Cloud Identity Engine has been onboarded, implying it is installed and configured. The issue is specific to European office data, not a complete lack of integration.
C. The Cloud Identity Engine needs to be activated in all global regions: The Cloud Identity Engine does not need to be activated in all regions. It needs to be configured to synchronize with the tenant in the correct region, and regional misalignment is the more likely issue.
D. The ITDR add-on is not compatible with the Cloud Identity Engine: The ITDR add-on is designed to work with the Cloud Identity Engine, so compatibility is not the issue.
Exact Extract or Reference:
The Cortex XDR Documentation Portal explains Cloud Identity Engine integration: “The Cloud Identity Engine must be configured in the same region as the Cortex XDR tenant to ensure proper synchronization of user, group, and computer details” (paraphrased from the Cloud Identity Engine section). The EDU-260: Cortex XDR Prevention and Deployment course covers ITDR and identity integration, stating that “regional alignment between the tenant and Cloud Identity Engine is critical for accurate identity data” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “data ingestion and integration” as a key exam topic, encompassing Cloud Identity Engine configuration.
Based on the image of a validated false positive alert below, which action is recommended for resolution?

Options:
A. Create an alert exclusion for OUTLOOK.EXE
B. Disable an action to the CGO Process DWWIN.EXE
C. Create an exception for the CGO DWWIN.EXE for ROP Mitigation Module
D. Create an exception for OUTLOOK.EXE for ROP Mitigation Module
Answer: D
Explanation:
In Cortex XDR, a false positive alert involving OUTLOOK.EXE triggering a CGO (Codegen Operation) alert related to DWWIN.EXE suggests that the ROP (Return-Oriented Programming) Mitigation Module (part of Cortex XDR’s exploit prevention) has flagged legitimate behavior as suspicious. ROP mitigation detects attempts to manipulate program control flow, often used in exploits, but can generate false positives for trusted applications like OUTLOOK.EXE. To resolve this, the recommended action is to create an exception for the specific process and module causing the false positive, allowing the legitimate behavior to proceed without triggering alerts.
Correct Answer Analysis (D): Create an exception for OUTLOOK.EXE for ROP Mitigation Module is the recommended action. Since OUTLOOK.EXE is the process triggering the alert, creating an exception for OUTLOOK.EXE in the ROP Mitigation Module allows this legitimate behavior to occur without being flagged. This is done by adding OUTLOOK.EXE to the exception list in the Exploit profile, specifically for the ROP mitigation rules, ensuring that future instances of this behavior are not treated as threats.
Why not the other options?
A. Create an alert exclusion for OUTLOOK.EXE: While an alert exclusion can suppress alerts for OUTLOOK.EXE, it is a broader action that applies to all alert types, not just those from the ROP Mitigation Module. This could suppress other legitimate alerts for OUTLOOK.EXE, reducing visibility into potential threats. An exception in the ROP Mitigation Module is more targeted.
B. Disable an action to the CGO Process DWWIN.EXE: Disabling actions for DWWIN.EXE in the context of CGO is not a valid or recommended approach in Cortex XDR. DWWIN.EXE (Dr. Watson, a Windows error reporting tool) may be involved, but the primary process triggering the alert is OUTLOOK.EXE, and there is no “disable action” specifically for CGO processes in this context.
C. Create an exception for the CGO DWWIN.EXE for ROP Mitigation Module: While DWWIN.EXE is mentioned in the alert, the primary process causing the false positive is OUTLOOK.EXE, as it’s the application initiating the behavior. Creating an exception for DWWIN.EXE would not address the root cause, as OUTLOOK.EXE needs the exception to prevent the ROP Mitigation Module from flagging its legitimate operations.
Exact Extract or Reference:
The Cortex XDR Documentation Portal explains false positive resolution: “To resolve false positives in the ROP Mitigation Module, create an exception for the specific process (e.g., OUTLOOK.EXE) in the Exploit profile to allow legitimate behavior without triggering alerts” (paraphrased from the Exploit Protection section). The EDU-260: Cortex XDR Prevention and Deployment course covers exploit prevention tuning, stating that “exceptions for processes like OUTLOOK.EXE in the ROP Mitigation Module prevent false positives while maintaining protection” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “detection engineering” as a key exam topic, encompassing false positive resolution.
An insider compromise investigation has been requested to provide evidence of an unauthorized removable drive being mounted on a company laptop. Cortex XDR agent is installed with default prevention agent settings profile and default extension "Device Configuration" profile. Where can an engineer find the evidence?
Options:
A. Check Host Inventory -> Mounts
B. dataset = xdr_data | filter event_type = ENUM.MOUNT and event_sub_type = ENUM.MOUNT_DRIVE_MOUNT
C. The requested data requires additional configuration to be captured
D. preset = device_control
Answer: A
Explanation:
In Cortex XDR, the Device Configuration profile (an extension of the agent settings profile) controls how the Cortex XDR agent monitors and manages device-related activities, such as the mounting of removable drives. By default, the Device Configuration profile includes monitoring for device mount events, such as when a USB drive or other removable media is connected to an endpoint. These events are logged and can be accessed for investigations, such as detecting unauthorized drive usage in an insider compromise scenario.
Correct Answer Analysis (A): The Host Inventory -> Mounts section in the Cortex XDR console provides a detailed view of mount events for each endpoint, including information about removable drives mounted on the system. This is the most straightforward place to find evidence of an unauthorized removable drive being mounted on the company laptop, as it aggregates device mount events captured by the default Device Configuration profile.
Why not the other options?
B. dataset = xdr_data | filter event_type = ENUM.MOUNT and event_sub_type = ENUM.MOUNT_DRIVE_MOUNT: This XQL query is technically correct for retrieving mount events from the xdr_data dataset, but it requires manual query execution and knowledge of specific event types. The Host Inventory -> Mounts section is a more user-friendly and direct method for accessing this data, making it the preferred choice for an engineer investigating this issue.
C. The requested data requires additional configuration to be captured: This is incorrect because the default Device Configuration profile already captures mount events for removable drives, so no additional configuration is needed.
D. preset = device_control: The device_control preset in XQL retrieves device control-related events (e.g., USB block or allow actions), but it may not specifically include mount events unless explicitly configured. The Host Inventory -> Mounts section is more targeted for this investigation.
Exact Extract or Reference:
The Cortex XDR Documentation Portal describes device monitoring: “The default Device Configuration profile logs mount events for removable drives, which can be viewed in the Host Inventory -> Mounts section of the console” (paraphrased from the Device Configuration section). The EDU-262: Cortex XDR Investigation and Response course covers investigation techniques, stating that “mount events for removable drives are accessible in the Host Inventory for endpoints with default device monitoring” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “maintenance and troubleshooting” as a key exam topic, encompassing investigation of endpoint events.
How can a customer ingest additional events from a Windows DHCP server into Cortex XDR with minimal configuration?
Options:
A. Activate Windows Event Collector (WEC)
B. Install the XDR Collector
C. Enable HTTP collector integration
D. Install the Cortex XDR agent
Answer: B
Explanation:
To ingest additional events from a Windows DHCP server into Cortex XDR with minimal configuration, the recommended approach is to use the Cortex XDR Collector. The XDR Collector is a lightweight component designed to collect and forward logs and events from various sources, including Windows servers, to Cortex XDR for analysis and correlation. It is specifically optimized for scenarios where full Cortex XDR agent deployment is not required, and it minimizes configuration overhead by automating much of the data collection process.
For a Windows DHCP server, the XDR Collector can be installed on the server to collect DHCP logs (e.g., lease assignments, renewals, or errors) from the Windows Event Log or other relevant sources. Once installed, the collector forwards these events to the Cortex XDR tenant with minimal setup, requiring only basic configuration such as specifying the target data types and ensuring network connectivity to the Cortex XDR cloud. This approach is more straightforward than alternatives like setting up a full agent or configuring external integrations like Windows Event Collector (WEC) or HTTP collectors, which require additional infrastructure or manual configuration.
Why not the other options?
A. Activate Windows Event Collector (WEC): While WEC can collect events from Windows servers, it requires significant configuration, including setting up a WEC server, configuring subscriptions, and integrating with Cortex XDR via a separate ingestion mechanism. This is not minimal configuration.
C. Enable HTTP collector integration: HTTP collector integration is used for ingesting data via HTTP/HTTPS APIs, which is not applicable for Windows DHCP server events, as DHCP logs are typically stored in the Windows Event Log, not exposed via HTTP.
D. Install the Cortex XDR agent: The Cortex XDR agent is a full-featured endpoint protection and detection solution that includes prevention, detection, and response capabilities. While it can collect some event data, it is overkill for the specific task of ingesting DHCP server events and requires more configuration than the XDR Collector.
Exact Extract or Reference:
The Cortex XDR Documentation Portal describes the XDR Collector as a tool for “collecting logs and events from servers and endpoints with minimal setup” (paraphrased from the Data Ingestion section). The EDU-260: Cortex XDR Prevention and Deployment course emphasizes that “XDR Collectors are ideal for ingesting server logs, such as those from Windows DHCP servers, with streamlined configuration” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet lists “data source onboarding and integration configuration” as a key skill, which includes configuring XDR Collectors for log ingestion.
Using the Cortex XDR console, how can additional network access be allowed from a set of IP addresses to an isolated endpoint?
Options:
A. Add entries in Configuration section of Security Settings
B. Add entries in the Allowed Domains section of Security Settings for the tenant
C. Add entries in Exceptions Configuration section of Isolation Exceptions
D. Add entries in Response Actions section of Agent Settings profile
Answer: C
Explanation:
In Cortex XDR, endpoint isolation is a response action that restricts network communication to and from an endpoint, allowing only communication with the Cortex XDR management server to maintain agent functionality. To allow additional network access (e.g., from a set of IP addresses) to an isolated endpoint, administrators can configure isolation exceptions to permit specific traffic while the endpoint remains isolated.
Correct Answer Analysis (C): The Exceptions Configuration section of Isolation Exceptions in the Cortex XDR console allows administrators to define exceptions for isolated endpoints, such as permitting network access from specific IP addresses. This ensures that the isolated endpoint can communicate with designated IPs (e.g., for IT support or backup servers) while maintaining isolation from other network traffic.
Why not the other options?
A. Add entries in Configuration section of Security Settings: The Security Settings section in the Cortex XDR console is used for general tenant-wide configurations (e.g., password policies), not for managing isolation exceptions.
B. Add entries in the Allowed Domains section of Security Settings for the tenant: The Allowed Domains section is used to whitelist domains for specific purposes (e.g., agent communication), not for defining IP-based exceptions for isolated endpoints.
D. Add entries in Response Actions section of Agent Settings profile: The Response Actions section in Agent Settings defines automated response actions (e.g., isolate on specific conditions), but it does not configure exceptions for already isolated endpoints.
Exact Extract or Reference:
The Cortex XDR Documentation Portal explains isolation exceptions: “To allow specific network access to an isolated endpoint, add IP addresses or domains in the Exceptions Configuration section of Isolation Exceptions in the Cortex XDR console” (paraphrased from the Endpoint Isolation section). The EDU-262: Cortex XDR Investigation and Response course covers isolation management, stating that “Isolation Exceptions allow administrators to permit network access from specific IPs to isolated endpoints” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “post-deployment management and configuration” as a key exam topic, encompassing isolation exception configuration.
What will enable a custom prevention rule to block specific behavior?
Options:
A. A correlation rule added to an Agent Blocking profile
B. A custom behavioral indicator of compromise (BIOC) added to an Exploit profile
C. A custom behavioral indicator of compromise (BIOC) added to a Restriction profile
D. A correlation rule added to a Malware profile
Answer: C
Explanation:
In Cortex XDR, custom prevention rules are used to block specific behaviors or activities on endpoints by leveraging Behavioral Indicators of Compromise (BIOCs). BIOCs define patterns of behavior (e.g., specific process executions, file modifications, or network activities) that, when detected, can trigger preventive actions, such as blocking a process or isolating an endpoint. These BIOCs are typically associated with a Restriction profile, which enforces blocking actions for matched behaviors.
Correct Answer Analysis (C): A custom behavioral indicator of compromise (BIOC) added to a Restriction profile enables a custom prevention rule to block specific behavior. The BIOC defines the behavior to detect (e.g., a process accessing a sensitive file), and the Restriction profile specifies the preventive action (e.g., block the process). This configuration ensures that the identified behavior is blocked on endpoints where the profile is applied.
Why not the other options?
A. A correlation rule added to an Agent Blocking profile: Correlation rules are used to generate alerts by correlating events across datasets, not to block behaviors directly. There is no “Agent Blocking profile” in Cortex XDR; this is a misnomer.
B. A custom behavioral indicator of compromise (BIOC) added to an Exploit profile: Exploit profiles are used to detect and prevent exploit-based attacks (e.g., memory corruption), not general behavioral patterns defined by BIOCs. BIOCs are associated with Restriction profiles for blocking behaviors.
D. A correlation rule added to a Malware profile: Correlation rules do not directly block behaviors; they generate alerts. Malware profiles focus on file-based threats (e.g., executables analyzed by WildFire), not behavioral blocking via BIOCs.
Exact Extract or Reference:
The Cortex XDR Documentation Portal explains BIOC and Restriction profiles: “Custom BIOCs can be added to Restriction profiles to block specific behaviors on endpoints, enabling tailored prevention rules” (paraphrased from the BIOC and Restriction Profile sections). The EDU-260: Cortex XDR Prevention and Deployment course covers prevention rules, stating that “BIOCs in Restriction profiles enable blocking of specific endpoint behaviors” (paraphrased from course materials). The Palo Alto Networks Certified XDR Engineer datasheet includes “detection engineering” as a key exam topic, encompassing BIOC and prevention rule configuration.
