Palo Alto Networks PCCSE Exam Practice Test Instant Access

Question 1

An S3 bucket within AWS has generated an alert by violating the Prisma Cloud Default policy ''AWS S3 buckets are accessible to public''. The policy definition follows:

config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule="((((acl.grants[? (@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and publicAccessBlockConfiguration.ignorePublicAcis is false) or (policyStatus.isPublic is true and publicAccessBlockConfiguration.restrictPublicBuckets is false)) and websiteConfiguration does not exist"

Why did this alert get generated?

Aan event within the cloud account

Bnetwork traffic to the S3 bucket

Cconfiguration of the S3 bucket

Danomalous behaviors

Answer : C

The alert 'AWS S3 buckets are accessible to public' is generated due to the configuration of the S3 bucket, which has been set in a way that allows public access. The policy definition provided checks for various conditions that would make an S3 bucket publicly accessible, such as grants to 'AllUsers', the absence of a 'publicAccessBlockConfiguration', or specific configurations that do not restrict public access. Therefore, the alert is triggered by the configuration settings of the S3 bucket that violate the policy's criteria for public accessibility.

Question 2

An administrator sees that a runtime audit has been generated for a Container. The audit message is ''DNS resolution of suspicious name wikipedia.com. type A''.

Why would this message appear as an audit?

AThe DNS was not learned as part of the Container model or added to the DNS allow list.

BThis is a DNS known to be a source of malware.

CThe process calling out to this domain was not part of the Container model.

DThe Layer7 firewall detected this as anomalous behavior.

Answer : A

The runtime audit message indicating 'DNS resolution of suspicious name wikipedia.com. type A' would appear as an audit because the DNS was not learned as part of the Container model or added to the DNS allow list (option A). In cloud security platforms like Prisma Cloud, runtime protection policies monitor the behavior of running containers and compare it against a learned model of expected behavior. If a container attempts to resolve a DNS name that was not observed during the learning phase or specifically allowed, it triggers an audit event to alert security teams of potentially malicious activity.

Question 3

A customer wants to harden its environment from misconfiguration.

Prisma Cloud Compute Compliance enforcement for hosts covers which three options? (Choose three.)

ADocker daemon configuration files

BDocker daemon configuration

CHost cloud provider tags

DHost configuration

EHosts without Defender agents

Answer : A, B, D

Prisma Cloud Compute Compliance enforcement for hosts covers several aspects to ensure a secure and compliant host environment, particularly within containerized environments. These include:

Docker daemon configuration files: Ensuring that Docker daemon configuration files are set up according to best security practices is crucial. These files contain various settings that control the behavior of the Docker daemon, and misconfigurations can lead to security vulnerabilities.

Docker daemon configuration: Beyond just the configuration files, the overall configuration of the Docker daemon itself is critical. This encompasses runtime settings and command-line options that determine how Docker containers are executed and managed on the host.

Host configuration: The security of the underlying host on which Docker and other container runtimes are installed is paramount. This includes the configuration of the host's operating system, network settings, file permissions, and other system-level settings that can impact the security of the containerized applications running on top.

By focusing on these areas, Prisma Cloud ensures that not just the containers but also the environment they run in is secure, adhering to compliance standards and best practices to mitigate risks associated with containerized deployments.

Question 4

A security team notices a number of anomalies under Monitor > Events. The incident response team works with the developers to determine that these anomalies are false positives.

What will be the effect if the security team chooses to Relearn on this image?

AThe model is deleted, and Defender will relearn for 24 hours.

BThe anomalies detected will automatically be added to the model.

CThe model is deleted and returns to the initial learning state.

DThe model is retained, and any new behavior observed during the new learning period will be added to the existing model.

Answer : D

In Prisma Cloud, when anomalies are detected and the security team chooses to Relearn on a specific image, the existing behavioral model for that image is not deleted. Instead, the system retains the model and enters a new learning period, during which it observes the behavior of the container based on the image. If new behaviors are observed during this period, they are added to the existing model, thereby refining and updating the model to reflect the current operational profile of the container. This approach allows for dynamic adaptation to changes in container behavior while preserving the valuable insights and patterns already established in the model. The Relearn function is part of Prisma Cloud's adaptive capabilities, enabling it to maintain accurate and up-to-date behavioral models that reflect the evolving nature of containerized applications.

Question 5

In Prisma Cloud for Azure Net Effective Permissions Calculation, the following Azure permission levels are supported by which three permissions? (Choose three).

AResources

BTenant

CSubscription

DResource groups

EManagement Group

Answer : A, C, E

https://docs.prismacloud.io/en/classic/cspm-admin-guide/prisma-cloud-iam-security/context-used-to-calculate-effective-permissions

Question 6

What are two key requirements for integrating Okta with Prisma Cloud when multiple Amazon Web Services (AWS) cloud accounts are being used? (Choose two.)

ASuper Administrator permissions

BA valid subscription for the IAM security module

CAn Okta API token for the primary AWS account

DMultiple instances of the Okta app

Answer : B, D

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-iam-security/integrate-prisma-cloud-with-okta

Question 7

An administrator has a requirement to ingest all Console and Defender logs to Splunk.

Which option will satisfy this requirement in Prisma Cloud Compute?

AEnable the API settings for logging.

BEnable the CSV export in the Console.

CEnable the syslog option in the Console

DEnable the Splunk option in the Console.

Answer : C

Log into Console. / Go to Manage > Alerts > Logging. / Configure Prisma Cloud to send audit event records to syslog, stdout and Prometheus.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/audit/logging

To ingest all Console and Defender logs into Splunk within Prisma Cloud Compute, the most effective method is to enable the syslog option in the Console. This configuration allows the direct export of logs in a format compatible with Splunk, facilitating real-time log analysis and monitoring. This setup supports continuous security monitoring and advanced threat detection capabilities by utilizing Splunk's extensive data processing and visualization tools.

Palo Alto Networks PCCSE Prisma Certified Cloud Security Engineer Exam Practice Test