Which step should a SecOps engineer implement in order to create a network exposure policy that identifies instances accessible from any untrusted internet sources?
Answer : A
To create a network exposure policy that identifies instances accessible from any untrusted internet sources, a SecOps engineer would need to navigate to the Policy section within Prisma Cloud and add a new policy of the Config type. They would define the details of the policy such as the name and severity level and then configure the RQL query to specify conditions that match instances accessible from untrusted internet sources. The RQL query provided in the answer specifies that the source of the network traffic should be from an untrusted internet and that the destination resource should be an instance in the AWS cloud. After defining the compliance standards and providing recommendations for remediation, the policy can be saved to be enforced within the environment.
Question 2
Which statement is true about obtaining Console images for Prisma Cloud Compute Edition?
Answer : B
Retrieving Prisma Cloud Console images involves accessing a specific registry provided by Palo Alto Networks and authenticating using basic authentication with 'docker login'. Once authenticated, the user can pull the Prisma Cloud Console images using the 'docker pull' command. This process is part of the initial setup for deploying Prisma Cloud Console in an environment, allowing users to obtain the necessary images to run the Console, which serves as the central management interface for Prisma Cloud. The detailed steps, including the specific registry URL and authentication method, are typically provided in the Prisma Cloud documentation, ensuring that users have the information needed to successfully retrieve and deploy Console images.
Question 3
Which two IDE plugins are supported by Prisma Cloud as part of its DevOps Security? (Choose two.)
Answer : B, D
Prisma Cloud supports integration with various Integrated Development Environments (IDEs) as part of its DevOps Security offerings, including Visual Studio Code (Option B) and IntelliJ (Option D). These integrations allow developers to scan their Infrastructure as Code (IaC) templates and application code for vulnerabilities and compliance issues directly within their preferred development environments, promoting a 'shift left' security approach. BitBucket (Option A) and CircleCI (Option C) are more commonly associated with Continuous Integration/Continuous Deployment (CI/CD) pipelines rather than being IDEs.
Question 4
A customer has a requirement to automatically protect all Lambda functions with runtime protection. What is the process to automatically protect all the Lambda functions?
Answer : D
Automatically protecting all Lambda functions with runtime protection in Prisma Cloud can be achieved by configuring a serverless auto-protect rule. This feature allows for the automatic application of runtime protection policies to all Lambda functions without the need for manual intervention or embedding defenders in each function. The auto-protect rule ensures that as new Lambda functions are deployed, they are automatically protected based on the predefined security policies, maintaining a consistent security posture across all serverless functions.
This approach leverages the capabilities of Prisma Cloud to integrate seamlessly with serverless architectures, providing a layer of security that is both comprehensive and adaptive to the dynamic nature of serverless computing. By automating the protection process, organizations can ensure that their serverless functions are always covered by the latest security policies, reducing the risk of vulnerabilities and attacks.
Question 5
An administrator wants to install the Defenders to a Kubernetes cluster. This cluster is running the console on the default service endpoint and will be exporting to YAML.
Which command generates the YAML file for Defender install?
Answer : D
The correct command to generate the YAML file for Defender install in a Kubernetes cluster, considering the console and websocket addresses, as well as the admin user, would typically involve specifying the addresses and user details. The option D seems most aligned with standard practices for such commands, where you export the Defender configuration for Kubernetes, specifying the console and websocket addresses along with the user details.
Question 6
Web-Application and API Security (WAAS) provides protection for which two protocols? (Choose two.)
Answer : A, D
Web-Application and API Security (WAAS) is a feature within Prisma Cloud that focuses on protecting web applications and APIs from various threats and vulnerabilities. The primary protocols it provides protection for are HTTP (Hypertext Transfer Protocol) and TLS (Transport Layer Security). HTTP is the foundation of data communication for the World Wide Web, and TLS is a cryptographic protocol designed to provide communications security over a computer network. While SSH (Secure Shell) is a protocol for secure remote login and other secure network services, and Tomcat Web Connector via AJP (Apache JServ Protocol) is used for Tomcat server communication, they are not the primary focus of WAAS protection.
Question 7
Which action would be applicable after enabling anomalous compute provisioning?
Answer : D
Enabling anomalous compute provisioning in Prisma Cloud allows for the detection of unusual and potentially unauthorized activities related to the creation of compute instances. This feature is particularly useful for identifying scenarios where an unauthorized network of compute instances might be established, either accidentally due to misconfigurations or maliciously for purposes such as cryptojacking. Cryptojacking involves the unauthorized use of someone else's compute resources to mine cryptocurrency, and anomalous compute provisioning can help in identifying such activities by highlighting unusual patterns in the provisioning of compute resources.
All Official Question Types