Palo Alto Networks PCCSE Exam Practice Test Instant Access

Question 1

Which two CI/CD plugins are supported by Prisma Cloud as part of its Code Security? (Choose two.)

ACheckov

BVisual Studio Code

CCircleCI

DIntelliJ

Answer : A, C

https://live.paloaltonetworks.com/t5/blogs/what-is-changing-for-ci-cd-plugins/ba-p/461676

Prisma Cloud has announced changes to its CI/CD plugins due to the acquisition of Bridgecrew1.The existing IaC functionality in Prisma Cloud will be replaced by a Prisma ''cloud code security'' (CCS) module that delivers Bridgecrew integration in Prisma Cloud1.As part of this change, several CI/CD plugins that Prisma Cloud currently uses will either be replaced or modified1.

According to the information from the link, bothCheckovandCircleCIare listed as integrations that will switch to the Prisma ''cloud code security'' (CCS) module1.Checkov is an open-source command-line interface (CLI) utility that includes more than 750 predefined policies and supports custom policies1.CircleCI is a continuous integration and continuous delivery platform1.

Question 2

Console is running in a Kubernetes cluster, and Defenders need to be deployed on nodes within this cluster.

How should the Defenders in Kubernetes be deployed using the default Console service name?

AFrom the deployment page in Console, choose 'twistlock-console' for Console identifier, generate DaemonSet file, and apply DaemonSet to the twistlock namespace.

BFrom the deployment page, configure the cloud credential in Console and allow cloud discovery to auto-protect the Kubernetes nodes.

CFrom the deployment page in Console, choose 'twistlock-console' for Console identifier and run the 'curl | bash' script on the master Kubernetes node.

DFrom the deployment page in Console, choose 'pod name' for Console identifier, generate DaemonSet file, and apply the DaemonSet to twistlock namespace.

Answer : A

In Kubernetes environments, deploying Defenders to protect nodes involves leveraging DaemonSets, which ensure that every node in the cluster runs a copy of a specific pod. When the Console is running within a Kubernetes cluster, it's essential to correctly reference the Console service to ensure seamless communication between Defenders and the Console. Option A is the most straightforward and Kubernetes-native method for deploying Defenders. By choosing 'twistlock-console' as the Console identifier on the deployment page within the Console, users can generate a DaemonSet configuration file tailored for the Twistlock namespace. This approach ensures that the Defenders are correctly configured to communicate with the Console, providing comprehensive security coverage across the Kubernetes nodes. This method aligns with best practices for deploying security agents in Kubernetes and is supported by Prisma Cloud (formerly Twistlock) documentation, which provides step-by-step instructions for deploying Defenders using DaemonSets.

Question 3

Which step should a SecOps engineer implement in order to create a network exposure policy that identifies instances accessible from any untrusted internet sources?

AIn Policy Section-> Add Policy-> Config type -> Define Policy details Like Name,Severity-> Configure RQL query 'config from network where source.network = UNTRUSTJNTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS*' -> define compliance standard -> Define recommendation for remediation & save.

BIn Policy Section-> Add Policy-> Network type -> Define Policy details Like Name.Severity-> Configure RQL query 'network from vpc.flow_record where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest.resource IN (resource where role IN ('Instance ))' -> define compliance standard -> Define recommendation for remediation & save.

CIn Policy Section-> Add Policy-> Network type -> Define Policy details Like Name.Severity-> Configure RQL query 'network from vpc.flow_record where source.publicnetwork IN ('Suspicious IPs', 'Internet IPs') and dest.resource IN (resource where role IN ( Instance ))' -> define compliance standard -> Define recommendation for remediation & save.

DIn Policy Section-> Add Policy-> Network type -> Define Policy details Like Name.Severity-> Configure RQL query 'config from network where source.network = UNTRUSTJNTERNET and dest.resource.type = 'Instance' and dest.cloud.type = 'AWS'' -> Define recommendation for remediation & save.

Answer : A

To create a network exposure policy that identifies instances accessible from any untrusted internet sources, a SecOps engineer would need to navigate to the Policy section within Prisma Cloud and add a new policy of the Config type. They would define the details of the policy such as the name and severity level and then configure the RQL query to specify conditions that match instances accessible from untrusted internet sources. The RQL query provided in the answer specifies that the source of the network traffic should be from an untrusted internet and that the destination resource should be an instance in the AWS cloud. After defining the compliance standards and providing recommendations for remediation, the policy can be saved to be enforced within the environment.

Question 4

Which two elements are included in the audit trail section of the asset detail view? (Choose two).

AConfiguration changes

BFindings

COverview

DAlert and vulnerability events

Answer : A, D

The audit trail section of an asset's detail view in Prisma Cloud typically includes a log of configuration changes and alert and vulnerability events associated with the asset. These elements are crucial for tracking the history of modifications to an asset's configuration and the security incidents that have affected it. This information is instrumental in understanding the security posture of the asset over time and in conducting thorough investigations after a security event has been detected.

Question 5

Taking which action will automatically enable all severity levels?

ANavigate to Settings > Enterprise Settings and enable all severity levels in the alarm center.

BNavigate to Policies > Settings and enable all severity levels in the alarm center.

CNavigate to Settings > Enterprise Settings and ensure all severity levels are checked under 'auto-enable default policies.

DNavigate to Policies > Settings and ensure all severity levels are checked under 'auto-enable default policies.

Answer : D

In Prisma Cloud, to automatically enable all severity levels for alerts, a user would need to navigate to the Policies section, then to Settings. Within this area, there is an option for 'auto-enable default policies,' which, when checked for all severity levels, ensures that any default policies related to those severities are automatically activated. This is a configuration setting that streamlines the alerting process by ensuring that all relevant severity levels are covered by the default policies without the need for manual intervention.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/manage-prisma-cloud-policies

Step 1- To enable global settings for Prisma Cloud default policies click 'Settings' and select 'Enterprise Settings' Step 2- To enable policies based on severity, select Auto enable new default policies of the type---Critical, High, Medium, Low or Informational.

Question 6

Which policy type should be used to detect and alert on cryptominer network activity?

AAudit event

BAnomaly

CConfig-build

DConfig-run

Answer : B

To detect and alert on cryptominer network activity, the policy type that should be used is an Anomaly policy. Anomaly policies in Prisma Cloud are designed to identify unusual and potentially malicious activities, including the network patterns typical of cryptomining operations. These policies leverage behavioral analytics to spot deviations from normal operations, making Option B the correct answer.

Suspicious network actors---Exposes suspicious connections by inspecting the network traffic to and from your cloud environment and correlating it with AutoFocus, Palo Alto Networks threat intelligence feed. AutoFocus identifies IP addresses involved in suspicious or malicious activity and classifies them into one of eighteen categories. Some examples of the categories are Backdoor, Botnet, Cryptominer, DDoS, Ransomware, Rootkit, and Worm. There are thirty-six policies, two for each of the eighteen categories---internal and external. https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/anomaly-policies

Question 7

Prisma Cloud supports which three external systems that allow the import of vulnerabilities and provide additional context on risks in the cloud? (Choose three.)

ASplunk

BQualys

CAmazon Inspector

DAmazon GuardDuty

EServiceNow

Answer : B, C, D

Palo Alto Networks PCCSE Prisma Certified Cloud Security Engineer Exam Practice Test