Palo Alto Exams: PAN-XDRE | XDR Engineer | Palo Alto Certification

Exam: Palo Alto Networks: XDR Engineer (PAN-XDRE)

  • Price: eur215.00
  • Code: PAN-XDRE

eur215.00 excl. VAT

Description

The Palo Alto Networks Certified XDR Engineer validates the knowledge and skills of experienced engineers in installation, deployment configuration, post-deployment management and configuration, data source onboarding, integration configuration, and detection engineering using Cortex XDR. The certification also validates the application of Cortex XDR architecture.

Further Information

Palo Alto Networks certification exam items are developed and approved by exam development experts in conjunction with subject matter experts (SMEs) who represent a broad spectrum of roles relevant to each certification. Each item is referenced to a publicly available technical or scholarly source.

Objectives

Candidates should be able to demonstrate:

  • Working knowledge of security operations
  • Understanding of network security, infrastructure, protocols, and topology
  • Working knowledge of endpoint OS fundamentals and security hardening methods
  • Working knowledge of security operations technology
  • Knowledge of current and emergent trends in information security
  • Ability to use security models / architectures (e.g., defense-in-depth, Zero Trust)
  • Working knowledge of programming and scripting languages (i.e., Python, PowerShell, SQL, RegEx, XQL)
  • Ability to implement automation for efficient incident handling
  • Working knowledge of log source onboarding, log normalization, and parsing
  • Ability to integrate products and tools, including third-party products and tools
  • Ability to configure agents, including policies and profiles
  • Ability to ensure the availability, integrity, and security of data through monitoring
  • Working knowledge of security frameworks (e.g., MITRE ATT&CK)
  • Understanding of vulnerability management
  • Familiarity with common data formats and data transformation (e.g., JSON, XML, CEF)
  • Understanding of SaaS architectures

Content

Planning and Installation 14%

  • 1.1 Explain the deployment process, objectives, and resources (e.g., hardware, software, data sources, integrations)
  • 1.2 Explain the deployment and functionality of Cortex XDR components
    • 1.2.1 XDR agent
    • 1.2.2 Broker VM
    • 1.2.3 XDR Collector
    • 1.2.4 Cloud Identity Engine
  • 1.3 Configure user roles, permissions, and access controls
  • 1.4 Demonstrate understanding of data retention and compute units

Cortex XDR Agent Configuration 22%

  • 2.1 Configure endpoint prevention profiles and policies
  • 2.2 Configure endpoint extension profiles and policies
  • 2.3 Configure endpoint groups

Ingestion and Automation 22%

  • 3.1 Onboard data sources (e.g., NGFW, network, cloud, identity)
  • 3.2 Manage simple automation rules
  • 3.3 Configure Broker VM applets and clusters
  • 3.4 Configure XDR Collectors
  • 3.5 Configure parsing rules

Detection and Reporting 22%

  • 4.1 Create detection rules to align with requirements
    • 4.1.1 Correlation
    • 4.1.2 Custom prevention rules
    • 4.1.3 Behavioral indicators of compromise (BIOCs) and indicators of compromise (IOCs)
  • 4.2 Configure exceptions and exclusions
  • 4.3 Create custom dashboards and reporting templates

Maintenance and Troubleshooting 20%

  • 5.1 Manage Cortex XDR software component updates (e.g., content, agents, Collectors, Broker VM)
  • 5.2 Troubleshoot data management issues (e.g., data ingestion, parsing)
  • 5.3 Troubleshoot Cortex XDR components (e.g., agents, Collectors, Broker VM)

Pre-requisites

It is recommended that you have previously attended:

  • Cortex XDR: Security Operations and Integration