PSE-Cortex Palo Alto Networks System Engineer - Cortex Professional Questions and Answers

Cortex Data Lake (often referred to as Strata Logging Service in some contexts) is Palo Alto Networks’ cloud-based storage solution that centralizes security data for products like Cortex XDR, Prisma Access, and NGFWs. The question involves a customer who has activated a TMS (Tenant Management Service) tenant but has not purchased a Cortex Data Lake instance. TMS is part of the Palo Alto Networks ecosystem for managing tenants and services, typically associated with Cortex or Prisma deployments. Let’s break this down to determine the size of the free Cortex Data Lake instance provided in this scenario.

Understanding TMS and Cortex Data Lake:

TMS Tenant: The Tenant Management Service is a framework used to manage multiple tenants or instances within Palo Alto Networks’ cloud services (e.g., Cortex XDR, Prisma Access). Activating a TMS tenant implies the customer has initialized a management structure but hasn’t committed to a full Cortex Data Lake purchase.

Free Cortex Data Lake Instance: Palo Alto Networks provides a limited, free tier of Cortex Data Lake storage to customers who activate certain services or products, allowing them to evaluate functionality or store minimal data before committing to a paid license.

Free Storage Allocation:

When a customer activates a TMS tenant without purchasing a Cortex Data Lake instance, Palo Alto Networks allocates a default free storage capacity to enable basic functionality. According to official documentation and standard practices:

The free Cortex Data Lake instance provides 100 GB of storage.

This amount is intended for initial use cases, such as storing logs from a small number of endpoints (e.g., Cortex Xテゴ XDR Prevent agents), firewall logs, or trial data during evaluation periods.

Option Analysis:

A. 10 GB:

Analysis: 10 GB is too small to be a meaningful free tier for a product like Cortex Data Lake, which is designed to handle security telemetry from endpoints, networks, or cloud services. Even basic log storage for a few devices over a short period would exceed this quickly.

Conclusion: Incorrect.

B. 1 TB:

Analysis: 1 TB (1,000 GB) is a substantial amount of storage, typically associated with paid Cortex Data Lake subscriptions rather than a free tier. Offering this much for free would undermine the paid licensing model.

Conclusion: Incorrect.

C. 10 TB:

Analysis: 10 TB is even larger and aligns with enterprise-scale paid deployments, not a free instance. This size is far beyond what’s provided without a purchase.

Conclusion: Incorrect.

D. 100 GB:

Analysis: 100 GB is the documented size of the free Cortex Data Lake instance provided to customers who activate a tenant (e.g., via TMS) without purchasing additional storage. It’s sufficient for small-scale testing, such as storing logs from a handful of Cortex XDR agents or firewall data for a limited retention period (e.g., 30 days).

Conclusion: Correct.

Supporting Context:

Cortex XDR Example: For Cortex XDR Prevent customers, activating a tenant includes 100 GB of free Cortex Data Lake storage for 30 days of alert data (not full telemetry, which requires XDR Pro). This aligns with the TMS scenario, where basic tenant activation triggers the same free tier.

Prisma Access: Similarly, Prisma Access customers activating a tenant without a purchased Data Lake instance receive 100 GB for initial log storage.

Documentation: While exact wording may vary, Palo Alto Networks consistently references 100 GB as the free tier across product activation guides.

The best option for providing 24/7 monitoring of Cortex XDR, given that the customer only has staff available during business hours, would be Managed Detection and Response (MDR). MDR services provide continuous monitoring, detection, and response to security incidents, even outside of business hours, by leveraging expert security teams to manage and respond to threats when the customer’s internal staff is unavailable.

Cortex Xpanse provides visibility over remote workforce risks by identifying customer assets on residential networks. This allows organizations to monitor and secure assets that are outside of the traditional corporate network, which is particularly important as more employees work remotely and connect from various locations.

A clear understanding of a customer’s technical expertise helps post-sales teams customize their support and training efforts to match the customer's knowledge level. This ensures that the customer receives the appropriate guidance, training, and resources needed to effectively use the product or solution after the sale.

Audit users in Cortex XSOAR have limited, read-only access to the system, which allows them to view information without making any changes. Full users, on the other hand, have read-write access, meaning they can both view and modify incidents, configurations, and other system components.

The primary purpose of Cortex XSIAM's machine learning-led design is to automate the handling of the bulk of incidents. By leveraging machine learning, it can automatically classify, group, and respond to incidents, reducing the need for manual intervention and increasing efficiency in incident management.

To enable endpoint and network analytics in Cortex XDR, the requirement is to have logs from at least 30 endpoints over a minimum of two weeks. This provides sufficient data for Cortex XDR to perform effective analytics and detection, helping identify trends and potential threats.

The Restrictions profile in Cortex XDR is used to prevent running malicious files from USB-connected removable equipment. This capability helps enhance endpoint security by blocking the execution of unauthorized or malicious files from external devices such as USB drives, reducing the risk of malware spreading through these vectors.

In the malware protection flow of the endpoint agent in Cortex XSIAM, hash comparisons are performed after local static analysis. This ensures that files are first analyzed locally to determine whether they are suspicious or potentially harmful, and then their hash is compared against known threat intelligence to check for any known malicious files.

Managed Threat Hunting combines world-class threat intelligence with Cortex XSIAM (Extended Security Intelligence and Automation Management) technology to help identify attackers. This service provides proactive threat hunting capabilities, allowing security teams to detect advanced threats and respond to potential attacks with the help of expert analysts and automated tools.

When evaluating the effectiveness and ROI on cybersecurity planning and technology, it's important to consider people, security controls, mean time to detect (MTTD), and false positives. These factors help ensure that the security infrastructure is both efficient and effective in preventing, detecting, and responding to threats, while optimizing the overall cost and resource allocation.

If a prospective customer is unable to run a product evaluation, Tech Rehearsal can be used to showcase Cortex XDR. A Tech Rehearsal provides a guided demonstration of the product's capabilities and features, allowing the customer to gain a deeper understanding of how it works in their environment without a formal evaluation.

The QuickStart service offering is designed for customers who need to rapidly deploy a solution like Cortex XSOAR. It provides a streamlined process for setting up the product, which is ideal for customers who have limited availability of internal resources due to other projects. QuickStart allows for a faster and more efficient implementation.

The best place to find official resource material for a product or solution is typically the Administrator’s guide. It contains authoritative, comprehensive, and up-to-date information on setup, configuration, troubleshooting, and best practices directly from the product's vendor.

When preparing the golden image in a Cortex XDR Virtual Desktop Infrastructure (VDI) deployment, it is required to scan the image using the imageprep tool. This tool ensures that the image is properly configured for use in a VDI environment by preparing it for deployment with Cortex XDR.

Data models in Cortex XSIAM extend analytics detections to all mapped network and authentication data. These models help structure and normalize data, enabling more effective and comprehensive analysis across various data sources, improving the detection and response capabilities within the platform.

Premium Success is the offering from Palo Alto Networks that provides phone support for customers who have purchased Cortex XDR. This service includes access to technical support for critical issues and offers enhanced services to ensure smooth product usage and problem resolution.

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-0/cortex-xsoar-admin/engines/install-deploy-and-configure-demisto-engines/create-a-new-engine.html