Palo Alto Networks PCCSE Prisma Certified Cloud Security Engineer Online Training - Page 2 of 13

Question #1

Given a default deployment of Console, a customer needs to identify the alerted compliance checks that are set by default.

Where should the customer navigate in Console?

A . Monitor > Compliance
B . Defend > Compliance
C . Manage > Compliance
D . Custom > Compliance

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

Reference: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/manage_compliance.html

In the context of Prisma Cloud by Palo Alto Networks, the correct navigation to identify alerted compliance checks set by default is under the "Defend" section, specifically at "Defend > Compliance." This section is designed to allow users to configure and manage compliance policies and rules, monitor compliance statuses, and review alerts related to compliance violations. The "Defend" section is tailored for setting up defenses, including compliance standards, against potential security risks within the cloud environment, making it the logical location for managing and reviewing compliance-related alerts and settings.

Question #2

Which container scan is constructed correctly?

A . twistcli images scan -u api -p api –address https://us-west1.cloud.twistlock.com/us-3-123456789 – – container myimage/latest
B . twistcli images scan –docker-address https://us-west1.cloud.twistlock.com/us-3-123456789 myimage/latest
C . twistcli images scan -u api -p api –address https://us-west1.cloud.twistlock.com/us-3-123456789 – -details myimage/latest
D . twistcli images scan -u api -p api –docker-address https://us-west1.cloud.twistlock.com/us-3-
123456789 myimage/latest

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The correct construction for a container scan using the TwistCLI tool provided by Prisma Cloud (formerly Twistlock) is shown in option

C. This command uses the TwistCLI tool to scan a container image, specifying the necessary authentication credentials (username and password with ‘-u’ and ‘-p’ flags), the address of the Prisma Cloud instance (with the ‘–address’ flag), and the image to be scanned (in this case, ‘myimage/latest’). The inclusion of the ‘–details’ flag is a common practice to obtain detailed scan results, which is crucial for in-depth analysis and remediation efforts. This command structure aligns with the standard usage of TwistCLI for image scanning purposes, as documented in Prisma Cloud’s official resources and guides.

Question #3

The development team wants to fail CI jobs where a specific CVE is contained within the image.

How should the development team configure the pipeline or policy to produce this outcome?

A . Set the specific CVE exception as an option in Jenkins or twistcli.
B . Set the specific CVE exception as an option in Defender running the scan.
C . Set the specific CVE exception as an option using the magic string in the Console.
D . Set the specific CVE exception in Console’s CI policy.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Reference tech docs: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/continuous_integration/set_policy_ci_plugins.html

Vulnerability rules that target the build tool can allow specific vulnerabilities by creating an exception and setting the effect to ‘ignore’. Block them by creating an exception and setting hte effect to ‘fail’. For example, you could create a vulnerability rule that explicitly allows CVE-2018-1234 to suppress warnings in the scan results.

To fail CI jobs based on a specific CVE contained within an image, the development team should configure the policy within Prisma Cloud’s Console, specifically within the Continuous Integration (CI) policy settings. By setting a specific CVE exception in the CI policy, the team can define criteria that will cause the CI process to fail if the specified CVE is detected in the scanned image. This approach allows for granular control over the build process, ensuring that images with known vulnerabilities are not promoted through the CI/CD pipeline, thereby maintaining the security posture of the deployed applications. This method is in line with best practices for integrating security into the CI/CD process, allowing for automated enforcement of security standards directly within the development pipeline.

Question #4

Which three types of classifications are available in the Data Security module? (Choose three.)

A . Personally identifiable information
B . Malicious IP
C . Compliance standard
D . Financial information
E . Malware

Reveal Solution Hide Solution

Correct Answer: ACD
ACD

Explanation:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-data-security.html

In the Data Security module of Prisma Cloud, the classifications available focus on the types of sensitive data that need protection. These classifications include Personally Identifiable Information (PII), which involves data that can be used on its own or with other information to identify, contact, or locate a single person. Compliance standards pertain to data that must be protected to meet specific regulatory requirements, such as GDPR, HIPAA, or PCI-DSS. Financial information classification is concerned with data related to financial transactions, accounts, and credit card numbers, which are critical to secure due to their sensitive nature. These classifications are integral to data security strategies, ensuring that sensitive information is adequately protected according to its nature and the regulatory requirements governing it.

Question #5

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A . set the Container model to manual relearn and set the default runtime rule to block for process protection.
B . set the Container model to relearn and set the default runtime rule to prevent for process protection.
C . add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to “prevent”.
D . choose “copy into rule” for the Container, add a ransomWare process into the denied process list, and set the action to “block”.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively

monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

Question #5

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A . set the Container model to manual relearn and set the default runtime rule to block for process protection.
B . set the Container model to relearn and set the default runtime rule to prevent for process protection.
C . add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to “prevent”.
D . choose “copy into rule” for the Container, add a ransomWare process into the denied process list, and set the action to “block”.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively

monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

Question #5

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A . set the Container model to manual relearn and set the default runtime rule to block for process protection.
B . set the Container model to relearn and set the default runtime rule to prevent for process protection.
C . add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to “prevent”.
D . choose “copy into rule” for the Container, add a ransomWare process into the denied process list, and set the action to “block”.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively

monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

Question #5

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A . set the Container model to manual relearn and set the default runtime rule to block for process protection.
B . set the Container model to relearn and set the default runtime rule to prevent for process protection.
C . add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to “prevent”.
D . choose “copy into rule” for the Container, add a ransomWare process into the denied process list, and set the action to “block”.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively

monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

Question #5

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A . set the Container model to manual relearn and set the default runtime rule to block for process protection.
B . set the Container model to relearn and set the default runtime rule to prevent for process protection.
C . add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to “prevent”.
D . choose “copy into rule” for the Container, add a ransomWare process into the denied process list, and set the action to “block”.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively

monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

Question #5

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A . set the Container model to manual relearn and set the default runtime rule to block for process protection.
B . set the Container model to relearn and set the default runtime rule to prevent for process protection.
C . add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to “prevent”.
D . choose “copy into rule” for the Container, add a ransomWare process into the denied process list, and set the action to “block”.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively

monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

Question #5

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A . set the Container model to manual relearn and set the default runtime rule to block for process protection.
B . set the Container model to relearn and set the default runtime rule to prevent for process protection.
C . add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to “prevent”.
D . choose “copy into rule” for the Container, add a ransomWare process into the denied process list, and set the action to “block”.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively

monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

Question #5

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A . set the Container model to manual relearn and set the default runtime rule to block for process protection.
B . set the Container model to relearn and set the default runtime rule to prevent for process protection.
C . add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to “prevent”.
D . choose “copy into rule” for the Container, add a ransomWare process into the denied process list, and set the action to “block”.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively

monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

Question #5

A customer has a requirement to terminate any Container from image topSecret:latest when a process named ransomWare is executed.

How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

A . set the Container model to manual relearn and set the default runtime rule to block for process protection.
B . set the Container model to relearn and set the default runtime rule to prevent for process protection.
C . add a new runtime policy targeted at a specific Container name, add ransomWare process into the denied process list, and set the action to “prevent”.
D . choose “copy into rule” for the Container, add a ransomWare process into the denied process list, and set the action to “block”.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To terminate any Container from the image "topSecret:latest" when a process named "ransomWare" is executed, the administrator should create a new runtime policy in Prisma Cloud Compute specifically targeting the container in question. By adding the "ransomWare" process to the denied process list within this policy and setting the action to "prevent," Prisma Cloud Compute will actively

monitor for the execution of the specified process within the targeted container and take preventive action to terminate the container if the process is detected. This approach allows for precise, targeted security measures that address specific threats identified by the organization, thereby enhancing the overall security posture and protecting sensitive workloads from potential compromise.

Question #14

Retrieve the Prisma Cloud Console images using ‘docker pull’.

Reveal Solution Hide Solution

Correct Answer: A

Explanation:

Retrieving Prisma Cloud Console images involves accessing a specific registry provided by Palo Alto Networks and authenticating using basic authentication with ‘docker login’. Once authenticated, the user can pull the Prisma Cloud Console images using the ‘docker pull’ command. This process is part of the initial setup for deploying Prisma Cloud Console in an environment, allowing users to obtain the necessary images to run the Console, which serves as the central management interface for Prisma Cloud. The detailed steps, including the specific registry URL and authentication method, are typically provided in the Prisma Cloud documentation, ensuring that users have the information needed to successfully retrieve and deploy Console images.

Question #15

Which two statements are true about the differences between build and run config policies? (Choose two.)

A . Run and Network policies belong to the configuration policy set.
B . Build and Audit Events policies belong to the configuration policy set.
C . Run policies monitor resources, and check for potential issues after these cloud resources are deployed.
D . Build policies enable you to check for security misconfigurations in the IaC templates and ensure that these issues do not get into production.
E . Run policies monitor network activities in your environment, and check for potential issues during
runtime.

Reveal Solution Hide Solution

Correct Answer: CD
CD

Explanation:

In the context of Prisma Cloud, Build and Run policies serve distinct purposes in securing cloud environments. Build policies are designed to evaluate Infrastructure as Code (IaC) templates before deployment. These policies help identify and remediate security misconfigurations in the development phase, ensuring that vulnerabilities are addressed before the infrastructure is provisioned. This proactive approach enhances security by preventing misconfigurations from reaching production environments.

On the other hand, Run policies are applied to resources that are already deployed in the cloud. These policies continuously monitor the cloud environment, detecting and alerting on potential security issues that arise in the runtime. Run policies help maintain the security posture of cloud resources by identifying deviations from established security baselines and enabling quick remediation of identified issues.

Both Build and Run policies are integral to a comprehensive cloud security strategy, addressing security concerns at different stages of the cloud resource lifecycle―from development and deployment to ongoing operation.

Question #16

A security team notices a number of anomalies under Monitor > Events. The incident response team works with the developers to determine that these anomalies are false positives.

What will be the effect if the security team chooses to Relearn on this image?

A . The model is deleted, and Defender will relearn for 24 hours.
B . The anomalies detected will automatically be added to the model.
C . The model is deleted and returns to the initial learning state.
D . The model is retained, and any new behavior observed during the new learning period will be added to the existing model.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

In Prisma Cloud, when anomalies are detected and the security team chooses to Relearn on a specific image, the existing behavioral model for that image is not deleted. Instead, the system retains the model and enters a new learning period, during which it observes the behavior of the container based on the image. If new behaviors are observed during this period, they are added to the existing model, thereby refining and updating the model to reflect the current operational profile of the container. This approach allows for dynamic adaptation to changes in container behavior while preserving the valuable insights and patterns already established in the model. The Relearn function is part of Prisma Cloud’s adaptive capabilities, enabling it to maintain accurate and up-to-date behavioral models that reflect the evolving nature of containerized applications.

Question #17

A customer does not want alerts to be generated from network traffic that originates from trusted internal networks.

Which setting should you use to meet this customer’s request?

A . Trusted Login IP Addresses
B . Anomaly Trusted List
C . Trusted Alert IP Addresses
D . Enterprise Alert Disposition

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

B –> Anomaly Trusted List―Exclude trusted IP addresses when conducting tests for PCI compliance or penetration testing on your network. Any addresses included in this list do not generate alerts against the Prisma Cloud Anomaly Policies that detect unusual network activity such as the policies that detect internal port scan and port sweep activity, which are enabled by default.

C –> Trusted Alert IP Addresses―If you have internal networks that connect to your public cloud infrastructure, you can add these IP address ranges (or CIDR blocks) as trusted … Prisma Cloud default network policies that look for internet exposed instances also do not generate alerts when the source IP address is included in the trusted IP address list and the account hijacking anomaly policy filters out activities from known IP addresses. Also, when you use RQL to query network traffic, you can filter out traffic from known networks that are included in the trusted IP address list.

For a customer who does not want alerts to be generated from network traffic originating from trusted internal networks, the appropriate setting is C. Trusted Alert IP Addresses. This setting allows for specifying certain IP addresses as trusted, meaning alerts will not be triggered by activities from these IPs, ensuring that internal network traffic is not flagged as potentially malicious.

Question #18

A DevOps lead reviewed some system logs and notices some odd behavior that could be a data exfiltration attempt. The DevOps lead only has access to vulnerability data in Prisma Cloud Compute, so the DevOps lead passes this information to SecOps.

Which pages in Prisma Cloud Compute can the SecOps lead use to investigate the runtime aspects of this attack?

A . The SecOps lead should investigate the attack using Vulnerability Explorer and Runtime Radar.
B . The SecOps lead should use Incident Explorer and Compliance Explorer.
C . The SecOps lead should use the Incident Explorer page and Monitor > Events > Container Audits.
D . The SecOps lead should review the vulnerability scans in the CI/CD process to determine blame.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To investigate the runtime aspects of a potential data exfiltration attempt, the SecOps lead in Prisma Cloud Compute should focus on areas that provide insights into runtime activity and potential threats.

C. The SecOps lead should use the Incident Explorer page and Monitor > Events > Container Audits. These sections provide detailed information on security incidents and container-level activities, enabling a thorough investigation into the runtime behavior that might indicate a security issue.

Question #19

A customer finds that an open alert from the previous day has been resolved. No auto-remediation was configured.

Which two reasons explain this change in alert status? (Choose two.)

A . user manually changed the alert status.
B . policy was changed.
C . resource was deleted.
D . alert was sent to an external integration.

Reveal Solution Hide Solution

Correct Answer: AC
AC

Explanation:

When an open alert from the previous day has been resolved without any configured auto-remediation, the change in alert status could be due to A. a user manually changing the alert status, indicating a manual intervention where someone reviewed and updated the alert status, and C. resource was deleted, implying that the resolution of the alert could be due to the removal of the resource associated with the alert, hence nullifying the alert condition.

Reference: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/prisma-cloud-alert-resolution-reasons.html

Question #20

Which three steps are involved in onboarding an account for Data Security? (Choose three.)

A . Create a read-only role with in-line policies
B . Create a Cloudtrail with SNS Topic
C . Enable Flow Logs
D . Enter the RoleARN and SNSARN
E . Create a S3 bucket

Reveal Solution Hide Solution

Correct Answer: BDE
BDE

Explanation:

Onboarding an account for Data Security involves several critical steps to ensure comprehensive coverage and effective monitoring.

The steps involved include B. Create a Cloudtrail with SNS Topic to track and manage API calls and relevant notifications, D. Enter the RoleARN and SNSARN to provide necessary access and integration points for data security functions, and E. Create a S3 bucket

which serves as a storage solution for logging and data capture essential for security analysis.

Question #21

An administrator has deployed Console into a Kubernetes cluster running in AWS. The administrator also has configured a load balancer in TCP passthrough mode to listen on the same ports as the default Prisma Compute Console configuration.

In the build pipeline, the administrator wants twistcli to talk to Console over HTTPS.

Which port will twistcli need to use to access the Prisma Compute APIs?

A . 8084
B . 443
C . 8083
D . 8081

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

When the administrator wants twistcli to communicate with the Console over HTTPS in a Kubernetes cluster, and considering the load balancer is configured in TCP passthrough mode, A. 8084 is typically the port used for secure HTTPS communication with the Prisma Compute Console. This port will allow twistcli to access the Prisma Compute APIs securely.

https://docs.prismacloudcompute.com/docs/compute_edition_21_04/tools/twistcli.html#connectivity-to-console

Question #22

A customer is reviewing Container audits, and an audit has identified a cryptominer attack.

Which three options could have generated this audit? (Choose three.)

A . The value of the mined currency exceeds $100.
B . High CPU usage over time for the container is detected.
C . Common cryptominer process name was found.
D . The mined currency is associated with a user token.
E . Common cryptominer port usage was found.

Reveal Solution Hide Solution

Correct Answer: BCE
BCE

Explanation:

In the case of identifying a cryptominer attack through container audits, the options that could have generated this audit include B. High CPU usage over time for the container is detected, which is a common indicator of cryptomining activity as it consumes significant computational resources, C. Common cryptominer process name was found, which directly indicates the presence of cryptomining based on known malicious processes, and E. Common cryptominer port usage was found, suggesting cryptomining activity based on network behavior typical of such attacks.

Question #23

Which step is included when configuring Kubernetes to use Prisma Cloud Compute as an admission controller?

A . copy the Console address and set the config map for the default namespace.
B . create a new namespace in Kubernetes called admission-controller.
C . enable Kubernetes auditing from the Defend > Access > Kubernetes page in the Console.
D . copy the admission controller configuration from the Console and apply it to Kubernetes.

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

When configuring Kubernetes to use Prisma Cloud Compute as an admission controller, a crucial step Involves D. copy the admission controller configuration from the Console and apply it to Kubernetes.

This step is essential for integrating Prisma Cloud Compute’s security controls directly into the Kubernetes admission process, enabling real-time security assessments and policy enforcement for new or modified resources within the cluster.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-04/prisma-cloud-compute-edition- admin/access_control/open_policy_agent.html step 2

Question #24

A Prisma Cloud administrator is onboarding a single GCP project to Prisma Cloud.

Which two steps can be performed by the Terraform script? (Choose two.)

A . enable flow logs for Prisma Cloud.
B . create the Prisma Cloud role.
C . enable the required APIs for Prisma Cloud.
D . publish the flow log to a storage bucket.

Reveal Solution Hide Solution

Correct Answer: BC
BC

Explanation:

When a Prisma Cloud administrator is onboarding a single GCP project to Prisma Cloud, the Terraform script can perform several steps to facilitate this integration. The steps include B. create the Prisma Cloud role, which is essential for defining the permissions and capabilities that Prisma Cloud will have within the GCP environment, and C. enable the required APIs for Prisma Cloud, ensuring that Prisma Cloud can access the necessary GCP services and features for comprehensive cloud security management.

Question #25

Which statement about build and run policies is true?

A . Build policies enable you to check for security misconfigurations in the IaC templates.
B . Every type of policy has auto-remediation enabled by default.
C . The four main types of policies are: Audit Events, Build, Network, and Run.
D . Run policies monitor network activities in the environment and check for potential issues during runtime.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

A true statement about build and run policies is

Question #26

An administrator sees that a runtime audit has been generated for a host. The audit message is: “Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix- script.stop. Low severity audit, event is automatically added to the runtime model”

Which runtime host policy rule is the root cause for this runtime audit?

A . Custom rule with specific configuration for file integrity
B . Custom rule with specific configuration for networking
C . Default rule that alerts on capabilities
D . Default rule that alerts on suspicious runtime behavior

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

For a runtime audit generated for a host with a message indicating a service attempting to obtain capability by executing a script, the root cause for this runtime audit is most likely related to D. Default rule that alerts on suspicious runtime behavior. This default rule is designed to flag unusual or potentially harmful activities that could indicate a security risk, prompting further investigation.

Question #27

Which option identifies the Prisma Cloud Compute Edition?

A . Package installed with APT
B . Downloadable, self-hosted software
C . Software-as-a-Service (SaaS)
D . Plugin to Prisma Cloud

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

The Prisma Cloud Compute Edition is identified as B. Downloadable, self-hosted software. This option indicates that Prisma Cloud Compute Edition is a solution that organizations can deploy within their own infrastructure, providing them with control over the installation, configuration, and management of the security platform.

Reference: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/welcome/pcee_vs_pcce.html

Question #28

Which type of compliance check is available for rules under Defend > Compliance > Containers and Images > CI?

A . Host
B . Container
C . Functions
D . Image

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

In the context of Defend > Compliance > Containers and Images > CI within Prisma Cloud by Palo Alto Networks, the compliance checks are focused on the security posture and compliance of container images. Therefore, the type of compliance check available under this section would be related to Images, ensuring they adhere to security best practices and compliance standards before being deployed.

Question #29

The security team wants to protect a web application container from an SQLi attack.

Which type of policy should the administrator create to protect the container?

A . CNAF
B . Runtime
C . Compliance
D . CNNF

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

To protect a web application container from an SQL Injection (SQLi) attack, the administrator should create a Cloud Native Application Firewall (CNAF) policy. CNAF policies are designed to protect applications running in containers from various types of attacks, including SQLi, by inspecting the traffic going to and from the containerized applications and blocking malicious requests.

Reference: https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-09/prisma-cloud-compute-edition- admin/firewalls/waas

Question #30

An S3 bucket within AWS has generated an alert by violating the Prisma Cloud Default policy “AWS

S3 buckets are accessible to public”.

The policy definition follows:

config where cloud.type = ‘aws’ AND api.name=’aws-s3api-get-bucket-acl’ AND json.rule="((((acl.grants[? (@.grantee==’AllUsers’)] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee==’AllUsers’)] size > 0) and publicAccessBlockConfiguration.ignorePublicAcis is false) or (policyStatus.isPublic is true and publicAccessBlockConfiguration.restrictPublicBuckets is false)) and websiteConfiguration does not exist"

Why did this alert get generated?

A . an event within the cloud account
B . network traffic to the S3 bucket
C . configuration of the S3 bucket
D . anomalous behaviors

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The alert "AWS S3 buckets are accessible to public" is generated due to the configuration of the S3 bucket, which has been set in a way that allows public access. The policy definition provided checks for various conditions that would make an S3 bucket publicly accessible, such as grants to ‘AllUsers’, the absence of a ‘publicAccessBlockConfiguration’, or specific configurations that do not restrict public access. Therefore, the alert is triggered by the configuration settings of the S3 bucket that violate the policy’s criteria for public accessibility.

Question #31

DRAG DROP

Which order of steps map a policy to a custom compliance standard? (Drag the steps into the correct order of occurrence, from the first step to the last.)

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Question #31

DRAG DROP

Which order of steps map a policy to a custom compliance standard? (Drag the steps into the correct order of occurrence, from the first step to the last.)

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Question #31

DRAG DROP

Which order of steps map a policy to a custom compliance standard? (Drag the steps into the correct order of occurrence, from the first step to the last.)

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Question #31

DRAG DROP

Which order of steps map a policy to a custom compliance standard? (Drag the steps into the correct order of occurrence, from the first step to the last.)

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Question #31

DRAG DROP

Which order of steps map a policy to a custom compliance standard? (Drag the steps into the correct order of occurrence, from the first step to the last.)

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Question #36

A customer is interested in PCI requirements and needs to ensure that no privilege containers can start in the environment.

Which action needs to be set for “do not use privileged containers”?

A . Prevent
B . Alert
C . Block
D . Fail

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Block ― Defender stops the entire container if a process that violates your policy attempts to run.

https://docs.prismacloudcompute.com/docs/enterprise_edition/runtime_defense/runtime_defense_containers.html#_effect

Question #37

Given an existing ECS Cluster, which option shows the steps required to install the Console in Amazon ECS?

A . The console cannot natively run in an ECS cluster. A onebox deployment should be used.
B . Download and extract the release tarball
Ensure that each node has its own storage for Console data Create the Console task definition Deploy the task definition
C . Download and extract release tarball Download task from AWS Create the Console task definition Deploy the task definition
D . Download and extract the release tarball Create an EFS file system and mount to each node in the cluster Create the Console task definition Deploy the task definition

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

Reference: https://docs.paloaltonetworks.com/prisma/prisma-cloud/19-11/prisma-cloud-compute-edition- admin/install/install_amazon_ecs.html

To install the Console in an Amazon ECS Cluster, the steps involve downloading and extracting the release tarball, which contains the necessary files for the Console. Then, an Amazon Elastic File System (EFS) should be created and mounted to each node in the ECS cluster to provide shared storage for Console data. Following this, a Console task definition needs to be created in ECS, which defines how the Console container should run. Finally, this task definition is deployed to the ECS cluster to start the Console.

Question #38

Which options show the steps required to upgrade Console when using projects?

A . Upgrade all Supervisor Consoles Upgrade Central Console
B . Upgrade Central Console
Upgrade Central Console Defenders
C . Upgrade Defender Upgrade Central Console
Upgrade Supervisor Consoles
D . Upgrade Central Console Upgrade all Supervisor Consoles

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

When you have one or more tenant or scale Projects, upgrade all Supervisors before upgrading the Central Console. https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-09/prisma-cloud-compute-edition-admin/upgrade/upgrade_process

Question #39

A customer has Prisma Cloud Enterprise and host Defenders deployed.

What are two options that allow an administrator to upgrade Defenders? (Choose two.)

A . with auto-upgrade, the host Defender will auto-upgrade.
B . auto deploy the Lambda Defender.
C . click the update button in the web-interface.
D . generate a new DaemonSet file.

Reveal Solution Hide Solution

Correct Answer: AD
AD

Explanation:

In Prisma Cloud, Defenders can be set to auto-upgrade, which is a feature that allows the host Defender to automatically upgrade to the latest version without manual intervention. This ensures that the Defenders are always up-to-date with the latest security features and fixes, enhancing the security posture of the environment they protect.

Question #40

Which intensity setting for anomaly alerts is used for the measurement of 100 events over 30 days?

A . High
B . Medium
C . Low
D . Very High

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

In the context of setting anomaly alert intensities in Prisma Cloud, an intensity setting of "Medium" could be used for the measurement of 100 events over 30 days. This setting indicates a moderate level of anomaly detection sensitivity, which is suitable for environments where there is a need to balance between detecting potential security issues and minimizing false positives.

Reference: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-administrators/define-prisma-cloud-enterprise-settings.html

Question #41

Given this information:

The Console is located at https://prisma-console.mydomain.local The username is: cluster

The password is: password123

The image to scan is: myimage:latest

Which twistcli command should be used to scan a Container for vulnerabilities and display the details about each vulnerability?

A . twistcli images scan –console-address https://prisma-console.mydomain.local -u cluster -p password123 — details myimage:latest
B . twistcli images scan –console-address prisma-console.mydomain.local -u cluster -p password123 – – vulnerability-details myimage:latest
C . twistcli images scan –address prisma-console.mydomain.local -u cluster -p password123 — vulnerability- details myimage:latest
D . twistcli images scan –address https://prisma-console.mydomain.local -u cluster -p password123 — details myimage:latest

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/tools/twistcli_scan_images

Question #42

The development team wants to block Cross Site Scripting attacks from pods in its environment.

How should the team construct the CNAF policy to protect against this attack?

A . create a Host CNAF policy, targeted at a specific resource, check the box for XSS attack protection, and set the action to “prevent”.
B . create a Container CNAF policy, targeted at a specific resource, check the box for XSS attack protection, and set the action to alert.
C . create a Container CNAF policy, targeted at a specific resource, check the box for XSS protection, and set the action to prevent.
D . create a Container CNAF policy, targeted at a specific resource, and they should set “Explicitly allowed inbound IP sources” to the IP address of the pod.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

To protect pods in an environment from Cross-Site Scripting (XSS) attacks, the development team should create a Container Cloud Native Application Firewall (CNAF) policy. This policy should be targeted at the specific resource (e.g., a particular pod or set of pods), with the option for XSS protection checked, and the action set to "prevent." This configuration ensures that any XSS attacks directed at the targeted containers are effectively blocked.

Question #43

The Prisma Cloud administrator has configured a new policy.

Which steps should be used to assign this policy to a compliance standard?

A . Edit the policy, go to step 3 (Compliance Standards), click + at the bottom, select the compliance standard, fill in the other boxes, and then click Confirm.
B . Create the Compliance Standard from Compliance tab, and then select Add to Policy.
C . Open the Compliance Standards section of the policy, and then save.
D . Custom policies cannot be added to existing standards.

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

To assign a new policy to a compliance standard in Prisma Cloud, the administrator needs to edit the policy and navigate to the step where compliance standards are managed. By clicking the ‘+’ button, the administrator can add the policy to a specific compliance standard, provide necessary details, and confirm the assignment. This integrates the custom policy into the chosen compliance standard, ensuring that compliance checks include the newly defined policy criteria.

Question #44

An administrator wants to install the Defenders to a Kubernetes cluster. This cluster is running the console on the default service endpoint and will be exporting to YAML.

Console Address: $CONSOLE_ADDRESS Websocket Address: $WEBSOCKET_ADDRESS User:

$ADMIN_USER

Which command generates the YAML file for Defender install?

A . <PLATFORM>/twistcli defender
–address $CONSOLE_ADDRESS
–user $ADMIN_USER
–cluster-address $CONSOLE_ADDRESS
B . <PLATFORM>/twistcli defender export kubernetes
–address $WEBSOCKET_ADDRESS
–user $ADMIN_USER
–cluster-address $CONSOLE_ADDRESS
C . <PLATFORM>/twistcli defender YAML kubernetes
–address $CONSOLE_ADDRESS
–user $ADMIN_USER
–cluster-address $WEBSOCKET_ADDRESS
D . <PLATFORM>/twistcli defender export kubernetes
–address $CONSOLE_ADDRESS
–user $ADMIN_USER
–cluster-address $WEBSOCKET_ADDRESS

Reveal Solution Hide Solution

Correct Answer: D
D

Explanation:

The correct command to generate the YAML file for Defender install in a Kubernetes cluster, considering the console and websocket addresses, as well as the admin user, would typically involve specifying the addresses and user details. The option D seems most aligned with standard practices for such commands, where you export the Defender configuration for Kubernetes, specifying the console and websocket addresses along with the user details.

Reference: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_kubernetes.html

Question #45