Palo Alto Networks PCCSE Practice Test - Questions Answers, Page 10
Question 91

A customer has a requirement to restrict any container from resolving the name www.evil-url.com.
How should the administrator configure Prisma Cloud Compute to satisfy this requirement?
Explanation:
To restrict any container from resolving the name www.evil-url.com, the administrator should set www.evil-url.com as a blocklisted DNS name in the default Container policy and set the effect to prevent. This configuration in Prisma Cloud, or similar CSPM tools, ensures that any attempt to resolve the specified blocklisted DNS name within any container will be prevented, thus enhancing security by proactively blocking potential communication with known malicious domains.
Reference to this feature can be found in the documentation of CSPM tools that offer runtime protection for containers. These tools allow administrators to define security policies that include DNS-based controls to prevent containers from accessing known malicious or undesirable domains, thereby preventing potential data exfiltration, malware communication, or other security threats.
Question 92

Which API calls can scan an image named myimage:latest with twistcli and then retrieve the results from Console?
Explanation:
You can have twistcli generate a detailed report for each scan. The following procedure shows you how to scan an image with twistcli, and then retrieve the results from Console.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/tools/twistcli_scan_images
Question 93

Given the following RQL:
event from cloud.audit_logs where operation IN ('CreateCryptoKey', 'DestroyCryptoKeyVersion', 'v1.compute.disks.createSnapshot')
Which audit event snippet is identified?
A)
B)
C)
D)
Explanation:
The given RQL (Resource Query Language) query is looking for specific audit events related to cryptographic key actions and snapshot creation. The snippet that matches this query is Option C, which contains the statement indicating permissions that allow any action ('Action': '*') and the reference to the version date '2012-10-17' that corresponds to the policy within the audit log.
This can be cross-referenced with cloud provider documentation, such as AWS CloudTrail or Google Cloud Audit Logs, which record user activities and API usage. The RQL provided would be used in a CSPM tool to query these audit logs for the specified events.
Question 94

Which two of the following are required to be entered on the IdP side when setting up SSO in Prisma Cloud? (Choose two.)
Explanation:
When setting up Single Sign-On (SSO) in Prisma Cloud on the Identity Provider (IdP) side, it is essential to configure the Assertion Consumer Service (ACS) URL and the Service Provider (SP) Entity ID. The ACS URL is the endpoint to which the IdP will send the SAML assertion, and the SP Entity ID is a unique identifier for the service provider that often resembles a URL but does not necessarily point to a location. These elements are crucial for establishing the trust relationship between the IdP and the service provider, enabling secure user authentication and authorization.
Question 95

An administrator sees that a runtime audit has been generated for a container.
The audit message is:
"/bin/ls launched and is explicitly blocked in the runtime rule. Full command: ls -latr"
Which protection in the runtime rule would cause this audit?
Explanation:
The protection in the runtime rule that would cause the audit message "/bin/ls launched and is explicitly blocked in the runtime rule" is 'Processes'. In container security, a runtime rule set to monitor and restrict processes can block specific executables or commands from running within a container. When the rule is triggered, it indicates that a process explicitly denied by the policy attempted to execute, which in this case is the 'ls' command.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-12/prisma-cloud-compute-edition-admin/runtime_defense/runtime_audits
Question 96

Which data security default policy is able to scan for vulnerabilities?
Explanation:
The data security default policy capable of scanning for vulnerabilities is 'Objects containing Malware'. In cloud security, malware scanning is an essential feature of CSPM tools that allows for the identification of malicious software within objects stored in the cloud. A policy that scans for objects containing malware ensures that any files or code bases in the cloud environment are examined for potential threats, protecting the cloud resources from being compromised.
Question 97

Which three fields are mandatory when authenticating the Prisma Cloud plugin in the IntelliJ application? (Choose three.)
Explanation:
When authenticating the Prisma Cloud plugin in the IntelliJ application, the mandatory fields are the Secret Key, Prisma Cloud API URL, and Access Key. These credentials are required to securely authenticate and enable the plugin to communicate with the Prisma Cloud API, ensuring that the plugin can perform its intended functions within the development environment.
Question 98

Which of the following are correct statements regarding the use of access keys? (Choose two.)
Explanation:
Regarding the use of access keys, it is correct that up to two access keys can be active at any time for a single IAM user in AWS, and access keys are used for programmatic API calls to AWS services. This allows for rotation of keys without immediate invalidation of the old key and ensures secure access to AWS services via APIs.
Question 99

The development team is building pods to host a web front end, and they want to protect these pods with an application firewall.
Which type of policy should be created to protect this pod from Layer 7 attacks?
Explanation:
To protect the pods hosting a web front end from Layer 7 attacks, the development team should create a Web Application and API Security (WAAS) rule targeted at the image name of the pods. This approach allows the policy to specifically protect the applications running within the pods against sophisticated attacks that target the application layer.
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/deploy_waas
Question 100

A manager informs the SOC that one or more RDS instances have been compromised and the SOC needs to make sure production RDS instances are NOT publicly accessible.
Which action should the SOC take to follow security best practices?
Explanation:
Following best practices, the Security Operations Center (SOC) should enable a policy that checks for publicly accessible AWS RDS database instances and then manually remediate each instance confirmed to be part of the production environment. This approach ensures that only those resources that should not be publicly accessible are modified, avoiding unintended access restrictions on non-production instances.