March Sale Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Paloalto Networks PCCSE Prisma Certified Cloud Security Engineer Exam Practice Test

Page: 1 / 25
Total 250 questions

Prisma Certified Cloud Security Engineer Questions and Answers

Question 1

A customer has Prisma Cloud Enterprise and host Defenders deployed.

What are two options that allow an administrator to upgrade Defenders? (Choose two.)

Options:

A.

with auto-upgrade, the host Defender will auto-upgrade.

B.

auto deploy the Lambda Defender.

C.

click the update button in the web-interface.

D.

generate a new DaemonSet file.

Question 2

Taking which action will automatically enable all severity levels?

Options:

A.

Navigate to Settings > Enterprise Settings and enable all severity levels in the alarm center.

B.

Navigate to Policies > Settings and enable all severity levels in the alarm center.

C.

Navigate to Settings > Enterprise Settings and ensure all severity levels are checked under "auto-enable default policies.

D.

Navigate to Policies > Settings and ensure all severity levels are checked under "auto-enable default policies.

Question 3

What is the primary purpose of Prisma Cloud Code Security?

Options:

A.

To provide a platform for developers to create custom security policies for applications

B.

To triage alerts and incidents in realtime during deployment

C.

To address cloud infrastructure misconfigurations in code before they become alerts or incidents

D.

To offer instant feedback on application performance issues and bottlenecks

Question 4

An administrator wants to install the Defenders to a Kubernetes cluster. This cluster is running the console on the default service endpoint and will be exporting to YAML.

Console Address: $CONSOLE_ADDRESS Websocket Address: $WEBSOCKET_ADDRESS User: $ADMIN_USER

Which command generates the YAML file for Defender install?

Options:

A.

/twistcli defender \

--address $CONSOLE_ADDRESS \

--user $ADMIN_USER \

--cluster-address $CONSOLE_ADDRESS

B.

/twistcli defender export kubernetes \

--address $WEBSOCKET_ADDRESS \

--user $ADMIN_USER \

--cluster-address $CONSOLE_ADDRESS

C.

/twistcli defender YAML kubernetes \

--address $CONSOLE_ADDRESS \

--user $ADMIN_USER \

--cluster-address $WEBSOCKET_ADDRESS

D.

/twistcli defender export kubernetes \

--address $CONSOLE_ADDRESS \

--user $ADMIN_USER \

--cluster-address $WEBSOCKET_ADDRESS

Question 5

Which order of steps map a policy to a custom compliance standard?

(Drag the steps into the correct order of occurrence, from the first step to the last.)

Question # 5

Options:

Question 6

Which type of query is used for scanning Infrastructure as Code (laC) templates?

Options:

A.

API

B.

XML

C.

JSON

D.

RQL

Question 7

A customer wants to monitor the company’s AWS accounts via Prisma Cloud, but only needs the resource configuration to be monitored for now.

Which two pieces of information do you need to onboard this account? (Choose two.)

Options:

A.

Cloudtrail

B.

Subscription ID

C.

Active Directory ID

D.

External ID

E.

Role ARN

Question 8

How are the following categorized?

Backdoor account access Hijacked processes Lateral movement

Port scanning

Options:

A.

audits

B.

incidents

C.

admission controllers

D.

models

Question 9

You have onboarded a public cloud account into Prisma Cloud Enterprise. Configuration Resource ingestion is visible in the Asset Inventory for the onboarded account, but no alerts are being generated for the configuration assets in the account.

Config policies are enabled in the Prisma Cloud Enterprise tenant, with those policies associated to existing alert rules. ROL statements on the investigate matching those policies return config resource results successfully.

Why are no alerts being generated?

Options:

A.

The public cloud account is not associated with an alert notification.

B.

The public cloud account does not have audit trail ingestion enabled.

C.

The public cloud account does not access to configuration resources.

D.

The public cloud account is not associated with an alert rule.

Question 10

Which three actions are available for the container image scanning compliance rule? (Choose three.)

Options:

A.

Allow

B.

Snooze

C.

Block

D.

Ignore

E.

Alert

Question 11

Which RQL query type is invalid?

Options:

A.

Event

B.

IAM

C.

Incident

D.

Config

Question 12

Web-Application and API Security (WAAS) provides protection for which two protocols? (Choose two.)

Options:

A.

HTTP

B.

SSH

C.

Tomcat Web Connector via AJP

D.

TLS

Question 13

In which Console menu would an administrator verify whether a custom compliance check is failing or passing?

Options:

A.

Monitor > Compliance

B.

Container Security > Compliance

C.

Defend > Compliance

D.

Custom > Compliance

Question 14

Which three steps are involved in onboarding an account for Data Security? (Choose three.)

Options:

A.

Create a read-only role with in-line policies

B.

Create a Cloudtrail with SNS Topic

C.

Enable Flow Logs

D.

Enter the RoleARN and SNSARN

E.

Create a S3 bucket

Question 15

Which statement applies to Adoption Advisor?

Options:

A.

It helps adopt security capabilities at a fixed pace regardless of the organization's needs.

B.

It only provides guidance during the deploy phase of the application lifecycle.

C.

It is only available for organizations that have completed the cloud adoption journey.

D.

It includes security capabilities from subscriptions for CSPM, CWP, CCS, OEM, and Data Security.

Question 16

Which three public cloud providers are supported for VM image scanning? (Choose three.)

Options:

A.

GCP

B.

Alibaba

C.

Oracle

D.

AWS

E.

Azure

Question 17

What is the behavior of Defenders when the Console is unreachable during upgrades?

Options:

A.

Defenders continue to alert, but not enforce, using the policies and settings most recently cached before upgrading the Console.

B.

Defenders will fail closed until the web-socket can be re-established.

C.

Defenders will fail open until the web-socket can be re-established.

D.

Defenders continue to alert and enforce using the policies and settings most recently cached before upgrading the Console.

Question 18

Which two actions are required in order to use the automated method within Amazon Web Services (AWS) Cloud to streamline the process of using remediation in the identity and access management (IAM) module? (Choose two.)

Options:

A.

Install boto3 & requests library.

B.

Configure IAM Azure remediation script.

C.

Integrate with Azure Service Bus.

D.

Configure IAM AWS remediation script.

Question 19

Which two processes ensure that builds can function after a Console upgrade? (Choose two.)

Options:

A.

allowing Jenkins to automatically update the plugin

B.

updating any build environments that have twistcli included to use the latest version

C.

configuring build pipelines to download twistcli at the start of each build

D.

creating a new policy that allows older versions of twistcli to connect the Console

Question 20

Which three AWS policy types and identities are used to calculate the net effective permissions? (Choose three).

Options:

A.

AWS service control policies (SCPs)

B.

AWS IAM group

C.

AWS IAM role

D.

AWS IAM User

E.

AWS IAM tag policy

Question 21

Which ban for DoS protection will enforce a rate limit for users who are unable to post five (5) “. tar.gz" files within five (5) seconds?

Options:

A.

One with an average rate of 5 and file extensions match on “. tar.gz" on Web Application and API Security (WAAS)

B.

One with an average rate of 5 and file extensions match on “. tar.gz" on Cloud Native Network Firewall (CNNF)

C.

One with a burst rate of 5 and file extensions match on “. tar.gz" on Web Application and API Security (WAAS) *

D.

One with a burst rate of 5 and file extensions match on “. tar.gz" on Cloud Native Network Firewall (CNNF)

Question 22

What must be created in order to receive notifications about alerts generated when the operator is away from the Prisma Cloud Console?

Options:

A.

Alarm rule

B.

Notification rule

C.

Alert rule

D.

Offline alert

Question 23

Which three actions are required in order to use the automated method within Azure Cloud to streamline the process of using remediation in the identity and access management (IAM) module? (Choose three.)

Options:

A.

Install boto3 & requests library.

B.

Configure IAM Azure remediation script.

C.

Integrate with Azure Service Bus.

D.

Configure IAM AWS remediation script.

E.

Install azure.servicebus & requests library.

Question 24

An administrator needs to write a script that automatically deactivates access keys that have not been used for 30 days.

In which order should the API calls be used to accomplish this task? (Drag the steps into the correct order from the first step to the last.) Select and Place:

Question # 24

Options:

Question 25

An administrator has been tasked with a requirement by your DevSecOps team to write a script to continuously query programmatically the existing users, and the user’s associated permission levels, in a Prisma Cloud Enterprise tenant.

Which public documentation location should be reviewed to help determine the required attributes to carry out this step?

Options:

A.

Prisma Cloud Administrator’s Guide (Compute)

B.

Prisma Cloud API Reference

C.

Prisma Cloud Compute API Reference

D.

Prisma Cloud Enterprise Administrator’s Guide

Question 26

An organization wants to be notified immediately to any “High Severity” alerts for the account group “Clinical Trials” via Slack.

Which option shows the steps the organization can use to achieve this goal?

Options:

A.

1. Configure Slack Integration

2.Create an alert rule and select “Clinical Trials” as the account group

3.Under the “Select Policies” tab, filter on severity and select “High”

4.Under the Set Alert Notification tab, choose Slack and populate the channel

5.Set Frequency to “As it Happens”

B.

1. Create an alert rule and select “Clinical Trials” as the account group

2.Under the “Select Policies” tab, filter on severity and select “High”

3.Under the Set Alert Notification tab, choose Slack and populate the channel

4.Set Frequency to “As it Happens”

5.Set up the Slack Integration to complete the configuration

C.

1. Configure Slack Integration

2.Create an alert rule

3.Under the “Select Policies” tab, filter on severity and select “High”

4.Under the Set Alert Notification tab, choose Slack and populate the channel

5.Set Frequency to “As it Happens”

D.

1. Under the “Select Policies” tab, filter on severity and select “High”

2.Under the Set Alert Notification tab, choose Slack and populate the channel

3.Set Frequency to “As it Happens”

4.Configure Slack Integration

5.Create an Alert rule

Question 27

A customer wants to monitor its Amazon Web Services (AWS) accounts via Prisma Cloud, but only needs the resource configuration to be monitored at present.

Which two pieces of information are needed to onboard this account? (Choose two.)

Options:

A.

External ID

B.

CloudTrail

C.

Active Directory ID

D.

RoleARN

Question 28

An administrator wants to enforce a rate limit for users not being able to post five (5) .tar.gz files within five (5) seconds.

What does the administrator need to configure?

Options:

A.

A ban for DoS protection with an average rate of 5 and file extensions match on .tar.gz on WAAS

B.

A ban for DoS protection with a burst rate of 5 and file extensions match on .tar.gz on CNNF

C.

A ban for DoS protection with a burst rate of 5 and file extensions match on .tar gz on WAAS

D.

A ban for DoS protection with an average rate of 5 and file extensions match on .tar.gz on CNNF

Question 29

Which two integrated development environment (IDE) plugins are supported by Prisma Cloud as part of its Code Security? (Choose two.)

Options:

A.

Visual Studio Code

B.

IntelliJ

C.

BitBucket

D.

CircleCI

Question 30

A DevOps lead reviewed some system logs and notices some odd behavior that could be a data exfiltration attempt. The DevOps lead only has access to vulnerability data in Prisma Cloud Compute, so the DevOps lead passes this information to SecOps.

Which pages in Prisma Cloud Compute can the SecOps lead use to investigate the runtime aspects of this attack?

Options:

A.

The SecOps lead should investigate the attack using Vulnerability Explorer and Runtime Radar.

B.

The SecOps lead should use Incident Explorer and Compliance Explorer.

C.

The SecOps lead should use the Incident Explorer page and Monitor > Events > Container Audits.

D.

The SecOps lead should review the vulnerability scans in the CI/CD process to determine blame.

Question 31

Which Defender type performs registry scanning?

Options:

A.

Serverless

B.

Container

C.

Host

D.

RASP

Question 32

Which Prisma Cloud policy type can protect against malware?

Options:

A.

Event

B.

Network

C.

Config

D.

Data

Question 33

Prisma Cloud supports which three external systems that allow the import of vulnerabilities and provide additional context on risks in the cloud? (Choose three.)

Options:

A.

Splunk

B.

Amazon GuardDuty

C.

Qualys

D.

Amazon Inspector

E.

ServiceNow

Question 34

Which two services require external notifications to be enabled for policy violations in the Prisma Cloud environment? (Choose two.)

Options:

A.

Splunk

B.

QROC

C.

SQS

D.

Email

Question 35

An administrator sees that a runtime audit has been generated for a host. The audit message is:

“Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix- script.stop. Low severity audit, event is automatically added to the runtime model”

Which runtime host policy rule is the root cause for this runtime audit?

Options:

A.

Custom rule with specific configuration for file integrity

B.

Custom rule with specific configuration for networking

C.

Default rule that alerts on capabilities

D.

Default rule that alerts on suspicious runtime behavior

Question 36

An S3 bucket within AWS has generated an alert by violating the Prisma Cloud Default policy “AWS S3 buckets are accessible to public”. The policy definition follows:

config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule="((((acl.grants[? (@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and publicAccessBlockConfiguration.ignorePublicAcis is false) or (policyStatus.isPublic is true and publicAccessBlockConfiguration.restrictPublicBuckets is false)) and websiteConfiguration does not exist"

Why did this alert get generated?

Options:

A.

an event within the cloud account

B.

network traffic to the S3 bucket

C.

configuration of the S3 bucket

D.

anomalous behaviors

Question 37

Which two variables must be modified to achieve automatic remediation for identity and access management (IAM) alerts in Azure cloud? (Choose two.)

Options:

A.

API_ENDPOINT

B.

SQS_QUEUE_NAME

C.

SB_QUEUE_KEY

D.

YOUR_ACCOUNT_NUMBER

Question 38

During the Learning phase of the Container Runtime Model, Prisma Cloud enters a “dry run” period for how many hours?

Options:

A.

4

B.

48

C.

1

D.

24

Question 39

Which categories does the Adoption Advisor use to measure adoption progress for Cloud Security Posture Management?

Options:

A.

Visibility, Compliance, Governance, and Threat Detection and Response

B.

Network, Anomaly, and Audit Event

C.

Visibility, Security, and Compliance

D.

Foundations, Advanced, and Optimize

Question 40

Which alert deposition severity must be chosen to generate low and high severity alerts in the Anomaly settings when user wants to report on an unknown browser and OS, impossible time travel, or both due to account hijacking attempts?

Options:

A.

High

B.

Aggressive

C.

Moderate

D.

Conservative

Question 41

A customer has a large environment that needs to upgrade Console without upgrading all Defenders at one time.

What are two prerequisites prior to performing a rolling upgrade of Defenders? (Choose two.)

Options:

A.

manual installation of the latest twistcli tool prior to the rolling upgrade

B.

all Defenders set in read-only mode before execution of the rolling upgrade

C.

a second location where you can install the Console

D.

additional workload licenses are required to perform the rolling upgrade

E.

an existing Console at version n-1

Question 42

What are the three states of the Container Runtime Model? (Choose three.)

Options:

A.

Initiating

B.

Learning

C.

Active

D.

Running

E.

Archived

Question 43

Which statement is true regarding CloudFormation templates?

Options:

A.

Scan support does not currently exist for nested references, macros, or intrinsic functions.

B.

A single template or a zip archive of template files cannot be scanned with a single API request.

C.

Request-Header-Field ‘cloudformation-version’ is required to request a scan.

D.

Scan support is provided for JSON, HTML and YAML formats.

Question 44

Match the correct scanning mode for each given operation.

(Select your answer from the pull-down list. Answers may be used more than once or not at all.)

Question # 44

Options:

Question 45

Which two roles have access to view the Prisma Cloud policies? (Choose two.)

Options:

A.

Build AND Deploy Security

B.

Auditor

C.

Dev SecOps

D.

Defender Manager

Question 46

Which policy type in Prisma Cloud can protect against malware?

Options:

A.

Data

B.

Config

C.

Network

D.

Event

Question 47

The development team is building pods to host a web front end, and they want to protect these pods with an application firewall.

Which type of policy should be created to protect this pod from Layer7 attacks?

Options:

A.

The development team should create a WAAS rule for the host where these pods will be running.

B.

The development team should create a WAAS rule targeted at all resources on the host.

C.

The development team should create a runtime policy with networking protections.

D.

The development team should create a WAAS rule targeted at the image name of the pods.

Question 48

Which role does Prisma Cloud play when configuring SSO?

Options:

A.

JIT

B.

Service provider

C.

SAML

D.

Identity provider issuer

Question 49

A Prisma Cloud administrator is onboarding a single GCP project to Prisma Cloud. Which two steps can be performed by the Terraform script? (Choose two.)

Options:

A.

enable flow logs for Prisma Cloud.

B.

create the Prisma Cloud role.

C.

enable the required APIs for Prisma Cloud.

D.

publish the flow log to a storage bucket.

Question 50

What is the correct method for ensuring key-sensitive data related to SSNs and credit card numbers cannot be viewed in Dashboard > Data view during investigations?

Options:

A.

Go to Settings > Data > Snippet Masking and select Full Mask.

B.

Go to Settings > Data > Data Patterns, search for SSN Pattern, edit it, and modify the proximity keywords.

C.

Go to Settings > Cloud Accounts > Edit Cloud Account > Assign Account Group and select a group with limited permissions.

D.

Go to Policies > Data > Clone > Modify Objects containing Financial Information publicly exposed and change the file exposure to Private.

Question 51

Which serverless cloud provider is covered by the "overly permissive service access" compliance check?

Options:

A.

Alibaba

B.

Azure

C.

Amazon Web Services (AWS)

D.

Google Cloud Platform (GCP)

Question 52

Which statement accurately characterizes SSO Integration on Prisma Cloud?

Options:

A.

Prisma Cloud supports IdP initiated SSO, and its SAML endpoint supports the POST and GET methods.

B.

Okta, Azure Active Directory, PingID, and others are supported via SAML.

C.

An administrator can configure different Identity Providers (IdP) for all the cloud accounts that Prisma Cloud monitors.

D.

An administrator who needs to access the Prisma Cloud API can use SSO after configuration.

Question 53

Which three types of buckets exposure are available in the Data Security module? (Choose three.)

Options:

A.

Public

B.

Private

C.

International

D.

Differential

E.

Conditional

Question 54

Which two proper agentless scanning modes are supported with Prisma Cloud? (Choose two).

Options:

A.

Spoke Account Mode

B.

Hub Account Mode

C.

Same Account Mode

D.

Main Account Mode

Question 55

Which action must be taken to enable a user to interact programmatically with the Prisma Cloud APIs and for a nonhuman entity to be enabled for the access keys?

Options:

A.

Create a role with System Admin and generate access keys.

B.

Create a user with a role that has minimal access.

C.

Create a role with Account Group Read Only and assign it to the user.

D.

Create a role and assign it to the Service Account.

Question 56

What are the two ways to scope a CI policy for image scanning? (Choose two.)

Options:

A.

container name

B.

image name

C.

hostname

D.

image labels

Question 57

Which three incident types will be reflected in the Incident Explorer section of Runtime Defense? (Choose three.)

Options:

A.

Crypto miners

B.

Brute Force

C.

Cross-Site Scripting

D.

Port Scanning

E.

SQL Injection

Question 58

Which two integrations enable ingesting host findings to generate alerts? (Choose two.)

Options:

A.

Splunk

B.

Tenable

C.

JIRA

D.

Qualys

Question 59

Which command should be used in the Prisma Cloud twistcli tool to scan the nginx:latest image for vulnerabilities and compliance issues?

A)

Question # 59

B)

Question # 59

C)

Question # 59

D)

Question # 59

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 60

A customer wants to turn on Auto Remediation.

Which policy type has the built-in CLI command for remediation?

Options:

A.

Anomaly

B.

Audit Event

C.

Network

D.

Config

Question 61

Who can access saved searches in a cloud account?

Options:

A.

Administrators

B.

Users who can access the tenant

C.

Creators

D.

All users with whom the saved search has been shared

Question 62

What is an automatically correlated set of individual events generated by the firewall and runtime sensors to identify unfolding attacks?

Options:

A.

policy

B.

incident

C.

audit

D.

anomaly

Question 63

When configuring SSO how many IdP providers can be enabled for all the cloud accounts monitored by Prisma Cloud?

Options:

A.

2

B.

4

C.

1

D.

3

Question 64

Which two information types cannot be seen in the data security dashboard? (Choose two).

Options:

A.

Bucket owner

B.

Object Data Profile by Region

C.

Top Publicly Exposed Objects By Data Profile

D.

Object content

E.

Total objects

Question 65

What is the order of steps to create a custom network policy?

(Drag the steps into the correct order of occurrence, from the first step to the last.)

Question # 65

Options:

Question 66

Where can Defender debug logs be viewed? (Choose two.)

Options:

A.

/var/lib/twistlock/defender.log

B.

From the Console, Manage > Defenders > Manage > Defenders. Select the Defender from the deployed Defenders list, then click Actions > Logs

C.

From the Console, Manage > Defenders > Deploy > Defenders. Select the Defender from the deployed Defenders list, then click Actions > Logs

D.

/var/lib/twistlock/log/defender.log

Question 67

Move the steps to the correct order to set up and execute a serverless scan using AWS DevOps.

Question # 67

Options:

Question 68

An administrator of Prisma Cloud wants to enable role-based access control for Docker engine.

Which configuration step is needed first to accomplish this task?

Options:

A.

Configure Docker’s authentication sequence to first use an identity provider and then Console.

B.

Set Defender’s listener type to TCP.

C.

Set Docker’s listener type to TCP.

D.

Configure Defender’s authentication sequence to first use an identity provider and then Console.

Question 69

Given the following RQL:

event from cloud.audit_logs where operation IN (‘CreateCryptoKey’, ‘DestroyCryptoKeyVersion’, ‘v1.compute.disks.createSnapshot’)

Which audit event snippet is identified?

A)

Question # 69

B)

Question # 69

C)

Question # 69

D)

Question # 69

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 70

During an initial deployment of Prisma Cloud Compute, the customer sees vulnerabilities in their environment.

Which statement correctly describes the default vulnerability policy?

Options:

A.

It blocks all containers that contain a vulnerability.

B.

It alerts on any container with more than three critical vulnerabilities.

C.

It blocks containers after 30 days if they contain a critical vulnerability.

D.

It alerts on all vulnerabilities, regardless of severity.

Question 71

Which two statements are true about the differences between build and run config policies? (Choose two.)

Options:

A.

Run and Network policies belong to the configuration policy set.

B.

Build and Audit Events policies belong to the configuration policy set.

C.

Run policies monitor resources, and check for potential issues after these cloud resources are deployed.

D.

Build policies enable you to check for security misconfigurations in the IaC templates and ensure that these issues do not get into production.

E.

Run policies monitor network activities in your environment, and check for potential issues during runtime.

Question 72

Given the following RQL:

Question # 72

Which audit event snippet is identified by the RQL?

A)

Question # 72

B)

Question # 72

C)

Question # 72

D)

Question # 72

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 73

Which data security default policy is able to scan for vulnerabilities?

Options:

A.

Objects containing Vulnerabilities

B.

Objects containing Threats

C.

Objects containing Malware

D.

Objects containing Exploits

Question 74

A customer wants to scan a serverless function as part of a build process. Which twistcli command can be used to scan serverless functions?

Options:

A.

twistcli function scan

B.

twistcli scan serverless

C.

twistcli serverless AWS

D.

twiscli serverless scan

Question 75

A customer is reviewing Container audits, and an audit has identified a cryptominer attack. Which three options could have generated this audit? (Choose three.)

Options:

A.

The value of the mined currency exceeds $100.

B.

High CPU usage over time for the container is detected.

C.

Common cryptominer process name was found.

D.

The mined currency is associated with a user token.

E.

Common cryptominer port usage was found.

Page: 1 / 25
Total 250 questions