New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70percent

Paloalto Networks PCCSE Prisma Certified Cloud Security Engineer Exam Practice Test

Demo: 78 questions
Total 260 questions

Prisma Certified Cloud Security Engineer Questions and Answers

Question 1

What is the order of steps in a Jenkins pipeline scan?

(Drag the steps into the correct order of occurrence, from the first step to the last.)

Options:

Question 2

An administrator needs to write a script that automatically deactivates access keys that have not been used for 30 days.

In which order should the API calls be used to accomplish this task? (Drag the steps into the correct order from the first step to the last.) Select and Place:

Options:

Question 3

Based on the following information, which RQL query will satisfy the requirement to identify VM hosts deployed to organization public cloud environments exposed to network traffic from the internet and affected by Text4Shell RCE (CVE-2022-42889) vulnerability?

• Network flow logs from all virtual private cloud (VPC) subnets are ingested to the Prisma Cloud Enterprise Edition tenant.

• All virtual machines (VMs) have Prisma Cloud Defender deployed.

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 4

A Prisma Cloud Administrator onboarded an AWS cloud account with agentless scanning enabled successfully to Prisma Cloud. Which item requires deploying defenders to be able to inspect the risk on the onboarded AWS account?

Options:

A.

Host compliances risks

B.

Container runtime risks

C.

Container vulnerability risks

D.

Host vulnerability risks

Question 5

A Prisma Cloud Administrator needs to enable a Registry Scanning for a registry that stores Windows images. Which of the following statement is correct regarding this process?

Options:

A.

They can deploy any type of container defender to scan this registry.

B.

There are Windows host defenders deployed in your environment already.

C.

There are Windows host defenders deployed in your environment already. Therefore, they do not need to deploy any additional defenders.

D.

A defender is not required to configure this type of registry scan.

Question 6

Which two information types cannot be seen in the data security dashboard? (Choose two).

Options:

A.

Bucket owner

B.

Object Data Profile by Region

C.

Top Publicly Exposed Objects By Data Profile

D.

Object content

E.

Total objects

Question 7

Which Defender type performs registry scanning?

Options:

A.

Serverless

B.

Container

C.

Host

D.

RASP

Question 8

A customer has a requirement to scan serverless functions for vulnerabilities.

Which three settings are required to configure serverless scanning? (Choose three.)

Options:

A.

Defender Name

B.

Region

C.

Credential

D.

Console Address

E.

Provider

Question 9

Which two options may be used to upgrade the Defenders with a Console v20.04 and Kubernetes deployment? (Choose two.)

Options:

A.

Run the provided curl | bash script from Console to remove Defenders, and then use Cloud Discovery to automatically redeploy Defenders.

B.

Remove Defenders DaemonSet, and then use Cloud Discovery to automatically redeploy the Defenders.

C.

Remove Defenders, and then deploy the new DaemonSet so Defenders do not have to automatically update on each deployment.

D.

Let Defenders automatically upgrade.

Question 10

Which option identifies the Prisma Cloud Compute Edition?

Options:

A.

Package installed with APT

B.

Downloadable, self-hosted software

C.

Software-as-a-Service (SaaS)

D.

Plugin to Prisma Cloud

Question 11

Which categories does the Adoption Advisor use to measure adoption progress for Cloud Security Posture Management?

Options:

A.

Visibility, Compliance, Governance, and Threat Detection and Response

B.

Network, Anomaly, and Audit Event

C.

Visibility, Security, and Compliance

D.

Foundations, Advanced, and Optimize

Question 12

Where can Defender debug logs be viewed? (Choose two.)

Options:

A.

/var/lib/twistlock/defender.log

B.

From the Console, Manage > Defenders > Manage > Defenders. Select the Defender from the deployed Defenders list, then click Actions > Logs

C.

From the Console, Manage > Defenders > Deploy > Defenders. Select the Defender from the deployed Defenders list, then click Actions > Logs

D.

/var/lib/twistlock/log/defender.log

Question 13

Which two CI/CD plugins are supported by Prisma Cloud as part of its DevOps Security? (Choose two.).

Options:

A.

BitBucket

B.

Visual Studio Code

C.

CircleCI

D.

IntelliJ

Question 14

An administrator has been tasked with a requirement by your DevSecOps team to write a script to continuously query programmatically the existing users, and the user’s associated permission levels, in a Prisma Cloud Enterprise tenant.

Which public documentation location should be reviewed to help determine the required attributes to carry out this step?

Options:

A.

Prisma Cloud Administrator’s Guide (Compute)

B.

Prisma Cloud API Reference

C.

Prisma Cloud Compute API Reference

D.

Prisma Cloud Enterprise Administrator’s Guide

Question 15

An administrator wants to enforce a rate limit for users not being able to post five (5) .tar.gz files within five (5) seconds.

What does the administrator need to configure?

Options:

A.

A ban for DoS protection with an average rate of 5 and file extensions match on .tar.gz on WAAS

B.

A ban for DoS protection with a burst rate of 5 and file extensions match on .tar.gz on CNNF

C.

A ban for DoS protection with a burst rate of 5 and file extensions match on .tar gz on WAAS

D.

A ban for DoS protection with an average rate of 5 and file extensions match on .tar.gz on CNNF

Question 16

Which two integrations enable ingesting host findings to generate alerts? (Choose two.)

Options:

A.

Splunk

B.

Tenable

C.

JIRA

D.

Qualys

Question 17

Which two integrated development environment (IDE) plugins are supported by Prisma Cloud as part of its Code Security? (Choose two.)

Options:

A.

Visual Studio Code

B.

IntelliJ

C.

BitBucket

D.

CircleCI

Question 18

A Prisma Cloud administrator is tasked with pulling a report via API. The Prisma Cloud tenant is located on app2.prismacloud.io.

What is the correct API endpoint?

Options:

A.

https://api.prismacloud.io

B.

https://api2.eu.prismacloud.io

C.

httsp://api.prismacloud.cn

D.

https://api2.prismacloud.io

Question 19

A customer wants to be notified about port scanning network activities in their environment. Which policy type detects this behavior?

Options:

A.

Network

B.

Port Scan

C.

Anomaly

D.

Config

Question 20

Which of the following is displayed in the asset inventory?

Options:

A.

EC2 instances

B.

Asset tags

C.

SSO users

D.

Federated users

Question 21

What are two built-in RBAC permission groups for Prisma Cloud? (Choose two.)

Options:

A.

Group Membership Admin

B.

Group Admin

C.

Account Group Admin

D.

Account Group Read Only

Question 22

What factor is not used in calculating the net effective permissions for a resource in AWS?

Options:

A.

AWS 1AM policy

B.

Permission boundaries

C.

IPTables firewall rule

D.

AWS service control policies (SCPs)

Question 23

What happens when a role is deleted in Prisma Cloud?

Options:

A.

The access key associated with that role is automatically deleted.

B.

Any integrations that use the access key to make calls to Prisma Cloud will stop working.

C.

The users associated with that role will be deleted.

D.

Any user who uses that key will be deleted.

Question 24

A customer wants to scan a serverless function as part of a build process. Which twistcli command can be used to scan serverless functions?

Options:

A.

twistcli function scan

B.

twistcli scan serverless

C.

twistcli serverless AWS

D.

twiscli serverless scan

Question 25

Which three OWASP protections are part of Prisma Cloud Web-Application and API Security (WAAS) rule? (Choose three.)

Options:

A.

DoS Protection

B.

Local file inclusion

C.

SQL injection

D.

Suspicious binary

E.

Shellshock

Question 26

Which set of steps is the correct process for obtaining Console images for Prisma Cloud Compute Edition?

Options:

A.

To retrieve Prisma Cloud Console images using basic authentication:

1. Access registry.twistlock.com and authenticate using "docker login."

2. Retrieve the Prisma Cloud Console images using "docker pull."

B.

To retrieve Prisma Cloud Console images using URL authentication:

1. Access registry-url-auth.twistlock.com and authenticate using the user certificate.

2. Retrieve the Prisma Cloud Console images using "docker pull."

C.

To retrieve Prisma Cloud Console images using URL authentication:

1. Access registry-auth.twistlock.com and authenticate using the user certificate.

2. Retrieve the Prisma Cloud Console images using "docker pull."

D.

To retrieve Prisma Cloud Console images using basic authentication:

1. Access registry.paloaltonetworks.com and authenticate using "docker login."

2. Retrieve the Prisma Cloud Console images using "docker pull."

Question 27

Which report includes an executive summary and a list of policy violations, including a page with details for each policy?

Options:

A.

Compliance Standard

B.

Business Unit

C.

Cloud Security Assessment

D.

Detailed

Question 28

Which step is included when configuring Kubernetes to use Prisma Cloud Compute as an admission controller?

Options:

A.

copy the Console address and set the config map for the default namespace.

B.

create a new namespace in Kubernetes called admission-controller.

C.

enable Kubernetes auditing from the Defend > Access > Kubernetes page in the Console.

D.

copy the admission controller configuration from the Console and apply it to Kubernetes.

Question 29

Which order of steps map a policy to a custom compliance standard?

(Drag the steps into the correct order of occurrence, from the first step to the last.)

Options:

Question 30

On which cloud service providers can new API release information for Prisma Cloud be received?

Options:

A.

AWS. Azure. GCP. Oracle, IBM

B.

AWS. Azure. GCP, IBM, Alibaba

C.

AWS. Azure. GCP. Oracle, Alibaba

D.

AWS. Azure. GCP, IBM

Question 31

A customer has a development environment with 50 connected Defenders. A maintenance window is set for Monday to upgrade 30 stand-alone Defenders in the development environment, but there is no maintenance window available until Sunday to upgrade the remaining 20 stand-alone Defenders.

Which recommended action manages this situation?

Options:

A.

Go to Manage > Defender > Manage, then click Defenders, and use the Scheduler to choose which Defenders will be automatically upgraded during the maintenance window.

B.

Find a maintenance window that is suitable to upgrade all stand-alone Defenders in the development environment.

C.

Upgrade a subset of the Defenders by clicking the individual Actions > Upgrade button in the row that corresponds to the Defender that should be upgraded during the maintenance window.

D.

Open a support case with Palo Alto Networks to arrange an automatic upgrade.

Question 32

Which role does Prisma Cloud play when configuring SSO?

Options:

A.

JIT

B.

Service provider

C.

SAML

D.

Identity provider issuer

Question 33

Which statement applies to Adoption Advisor?

Options:

A.

It helps adopt security capabilities at a fixed pace regardless of the organization's needs.

B.

It only provides guidance during the deploy phase of the application lifecycle.

C.

It is only available for organizations that have completed the cloud adoption journey.

D.

It includes security capabilities from subscriptions for CSPM, CWP, CCS, OEM, and Data Security.

Question 34

Under which tactic is “Exploit Public-Facing Application” categorized in the ATT&CK framework?

Options:

A.

Defense Evasion

B.

Initial Access

C.

Execution

D.

Privilege Escalation

Question 35

An administrator needs to detect and alert on any activities performed by a root account.

Which policy type should be used?

Options:

A.

config-run

B.

config-build

C.

network

D.

audit event

Question 36

An administrator has a requirement to ingest all Console and Defender logs to Splunk.

Which option will satisfy this requirement in Prisma Cloud Compute?

Options:

A.

Enable the API settings for logging.

B.

Enable the CSV export in the Console.

C.

Enable the syslog option in the Console

D.

Enable the Splunk option in the Console.

Question 37

The security auditors need to ensure that given compliance checks are being run on the host. Which option is a valid host compliance policy?

Options:

A.

Ensure functions are not overly permissive.

B.

Ensure host devices are not directly exposed to containers.

C.

Ensure images are created with a non-root user.

D.

Ensure compliant Docker daemon configuration.

Question 38

Which statement accurately characterizes SSO Integration on Prisma Cloud?

Options:

A.

Prisma Cloud supports IdP initiated SSO, and its SAML endpoint supports the POST and GET methods.

B.

Okta, Azure Active Directory, PingID, and others are supported via SAML.

C.

An administrator can configure different Identity Providers (IdP) for all the cloud accounts that Prisma Cloud monitors.

D.

An administrator who needs to access the Prisma Cloud API can use SSO after configuration.

Question 39

Which component(s), if any, will Palo Alto Networks host and run when a customer purchases Prisma Cloud Enterprise Edition?

Options:

A.

Defenders

B.

Console

C.

Jenkins

D.

twistcli

Question 40

Which field is required during the creation of a custom config query?

Options:

A.

resource status

B.

api.name

C.

finding.type

D.

cloud.type

Question 41

Which three incident types will be reflected in the Incident Explorer section of Runtime Defense? (Choose three.)

Options:

A.

Crypto miners

B.

Brute Force

C.

Cross-Site Scripting

D.

Port Scanning

E.

SQL Injection

Question 42

Which options show the steps required to upgrade Console when using projects?

Options:

A.

Upgrade all Supervisor Consoles Upgrade Central Console

B.

Upgrade Central Console

Upgrade Central Console Defenders

C.

Upgrade Defender Upgrade Central Console

Upgrade Supervisor Consoles

D.

Upgrade Central Console Upgrade all Supervisor Consoles

Question 43

A customer wants to harden its environment from misconfiguration.

Prisma Cloud Compute Compliance enforcement for hosts covers which three options? (Choose three.)

Options:

A.

Docker daemon configuration files

B.

Docker daemon configuration

C.

Host cloud provider tags

D.

Host configuration

E.

Hosts without Defender agents

Question 44

On which cloud service providers can you receive new API release information for Prisma Cloud?

Options:

A.

AWS, Azure, GCP, Oracle, IBM

B.

AWS, Azure, GCP, Oracle, Alibaba

C.

AWS, Azure, GCP, IBM

D.

AWS, Azure, GCP, IBM, Alibaba

Question 45

Which policy type in Prisma Cloud can protect against malware?

Options:

A.

Data

B.

Config

C.

Network

D.

Event

Question 46

Which options show the steps required after upgrade of Console?

Options:

A.

Uninstall Defenders Upgrade Jenkins Plugin

Upgrade twistcli where applicable

Allow the Console to redeploy the Defender

B.

Update the Console image in the Twistlock hosted registry Update the Defender image in the Twistlock hosted registry Uninstall Defenders

C.

Upgrade Defenders Upgrade Jenkins Plugin Upgrade twistcli where applicable

D.

Update the Console image in the Twistlock hosted registry Update the Defender image in the Twistlock hosted registry Redeploy Console

Question 47

What are the subtypes of configuration policies in Prisma Cloud?

Options:

A.

Build and Deploy

B.

Monitor and Analyze

C.

Security and Compliance

D.

Build and Run

Question 48

What is the function of the external ID when onboarding a new Amazon Web Services (AWS) account in Prisma Cloud?

Options:

A.

It is a unique identifier needed only when Monitor & Protect mode is selected.

B.

It is the resource name for the Prisma Cloud Role.

C.

It is a UUID that establishes a trust relationship between the Prisma Cloud account and the AWS account in order to extract data.

D.

It is the default name of the PrismaCloudApp stack.

Question 49

Which two frequency options are available to create a compliance report within the console? (Choose two.)

Options:

A.

One-time

B.

Monthly

C.

Recurring

D.

Weekly

Question 50

When configuring SSO how many IdP providers can be enabled for all the cloud accounts monitored by Prisma Cloud?

Options:

A.

2

B.

4

C.

1

D.

3

Question 51

Console is running in a Kubernetes cluster, and Defenders need to be deployed on nodes within this cluster.

How should the Defenders in Kubernetes be deployed using the default Console service name?

Options:

A.

From the deployment page in Console, choose "twistlock-console" for Console identifier, generate DaemonSet file, and apply DaemonSet to the twistlock namespace.

B.

From the deployment page, configure the cloud credential in Console and allow cloud discovery to auto-protect the Kubernetes nodes.

C.

From the deployment page in Console, choose "twistlock-console" for Console identifier and run the "curl | bash" script on the master Kubernetes node.

D.

From the deployment page in Console, choose "pod name" for Console identifier, generate DaemonSet file, and apply the DaemonSet to twistlock namespace.

Question 52

An administrator has access to a Prisma Cloud Enterprise.

What are the steps to deploy a single container Defender on an ec2 node?

Options:

A.

Pull the Defender image to the ec2 node, copy and execute the curl | bash script, and start the Defender to ensure it is running.

B.

Execute the curl | bash script on the ec2 node.

C.

Configure the cloud credential in the console and allow cloud discovery to auto-protect the ec2 node.

D.

Generate DaemonSet file and apply DaemonSet to the twistlock namespace.

Question 53

What is an automatically correlated set of individual events generated by the firewall and runtime sensors to identify unfolding attacks?

Options:

A.

policy

B.

incident

C.

audit

D.

anomaly

Question 54

Prisma Cloud supports sending audit event records to which three targets? (Choose three.)

Options:

A.

SNMP Traps

B.

Syslog

C.

Stdout

D.

Prometheus

E.

Netflow

Question 55

The security team wants to enable the “block” option under compliance checks on the host.

What effect will this option have if it violates the compliance check?

Options:

A.

The host will be taken offline.

B.

Additional hosts will be prevented form starting.

C.

Containers on a host will be stopped.

D.

No containers will be allowed to start on that host.

Question 56

An administrator sees that a runtime audit has been generated for a container.

The audit message is:

“/bin/ls launched and is explicitly blocked in the runtime rule. Full command: ls -latr”

Which protection in the runtime rule would cause this audit?

Options:

A.

Networking

B.

File systems

C.

Processes

D.

Container

Question 57

The compliance team needs to associate Prisma Cloud policies with compliance frameworks. Which option should the team select to perform this task?

Options:

A.

Custom Compliance

B.

Policies

C.

Compliance

D.

Alert Rules

Question 58

Which option shows the steps to install the Console in a Kubernetes Cluster?

Options:

A.

Download the Console and Defender image Generate YAML for Defender

Deploy Defender YAML using kubectl

B.

Download and extract release tarball Generate YAML for Console

Deploy Console YAML using kubectl

C.

Download the Console and Defender image Download YAML for Defender from the document site Deploy Defender YAML using kubectl

D.

Download and extract release tarball Download the YAML for Console Deploy Console YAML using kubectl

Question 59

Console is running in a Kubernetes cluster, and you need to deploy Defenders on nodes within this cluster.

Which option shows the steps to deploy the Defenders in Kubernetes using the default Console service name?

Options:

A.

From the deployment page in Console, choose pod name for Console identifier, generate DaemonSet file, and apply the DaemonSet to twistlock namespace.

B.

From the deployment page configure the cloud credential in Console and allow cloud discovery to auto-protect the Kubernetes nodes.

C.

From the deployment page in Console, choose twistlock-console for Console identifier, generate DaemonSet file, and apply DaemonSet to the twistlock namespace.

D.

From the deployment page in Console, choose twistlock-console for Console identifier, and run the curl | bash script on the master Kubernetes node.

Question 60

Which two fields are required to configure SSO in Prisma Cloud? (Choose two.)

Options:

A.

Prisma Cloud Access SAML URL

B.

Identity Provider Issuer

C.

Certificate

D.

Identity Provider Logout URL

Question 61

What is a benefit of the Cloud Discovery feature?

Options:

A.

It does not require any specific permissions to be granted before use.

B.

It helps engineers find all cloud-native services being used only on AWS.

C.

It offers coverage for serverless functions on AWS only.

D.

It enables engineers to continuously monitor all accounts and report on the services that are unprotected.

Question 62

Which alerts are fixed by enablement of automated remediation?

Options:

A.

All applicable open alerts regardless of when they were generated, with alert status updated to "resolved"

B.

Only the open alerts that were generated before the enablement of remediation, with alert status updated to "resolved"

C.

All applicable open alerts regardless of when they were generated, with alert status updated to "dismissed"

D.

Only the open alerts that were generated after the enablement of remediation, with alert status updated to "resolved"

Question 63

Which three actions are available for the container image scanning compliance rule? (Choose three.)

Options:

A.

Allow

B.

Snooze

C.

Block

D.

Ignore

E.

Alert

Question 64

What are the three states of the Container Runtime Model? (Choose three.)

Options:

A.

Initiating

B.

Learning

C.

Active

D.

Running

E.

Archived

Question 65

In Azure, what permissions need to be added to Management Groups to allow Prisma Cloud to calculate net effective permissions?

Options:

A.

Microsoft.Management/managementGroups/descendants/read

B.

Microsoft.Management/managementGroups/descendants/calculate

C.

PaloAltoNetworks.PrismaCloud/managementGroups/descendants/read

D.

PaloAltoNetworks.PrismaCloud/managementGroups/

Question 66

You are an existing customer of Prisma Cloud Enterprise. You want to onboard a public cloud account and immediately see all of the alerts associated with this account based off ALL of your tenant’s existing enabled policies. There is no requirement to send alerts from this account to a downstream application at this time.

Which option shows the steps required during the alert rule creation process to achieve this objective?

Options:

A.

Ensure the public cloud account is assigned to an account group Assign the confirmed account group to alert rule

Select “select all policies” checkbox as part of the alert rule Confirm the alert rule

B.

Ensure the public cloud account is assigned to an account group Assign the confirmed account group to alert rule

Select one or more policies checkbox as part of the alert rule Confirm the alert rule

C.

Ensure the public cloud account is assigned to an account group Assign the confirmed account group to alert rule

Select one or more policies as part of the alert rule Add alert notifications

Confirm the alert rule

D.

Ensure the public cloud account is assigned to an account group Assign the confirmed account group to alert rule

Select “select all policies” checkbox as part of the alert rule Add alert notifications

Confirm the alert rule

Question 67

Which ban for DoS protection will enforce a rate limit for users who are unable to post five (5) “. tar.gz" files within five (5) seconds?

Options:

A.

One with an average rate of 5 and file extensions match on “. tar.gz" on Web Application and API Security (WAAS)

B.

One with an average rate of 5 and file extensions match on “. tar.gz" on Cloud Native Network Firewall (CNNF)

C.

One with a burst rate of 5 and file extensions match on “. tar.gz" on Web Application and API Security (WAAS) *

D.

One with a burst rate of 5 and file extensions match on “. tar.gz" on Cloud Native Network Firewall (CNNF)

Question 68

A customer is deploying Defenders to a Fargate environment. It wants to understand the vulnerabilities in the image it is deploying.

How should the customer automate vulnerability scanning for images deployed to Fargate?

Options:

A.

Set up a vulnerability scanner on the registry

B.

Embed a Fargate Defender to automatically scan for vulnerabilities

C.

Designate a Fargate Defender to serve a dedicated image scanner

D.

Use Cloud Compliance to identify misconfigured AWS accounts

Question 69

Which statement is true regarding CloudFormation templates?

Options:

A.

Scan support does not currently exist for nested references, macros, or intrinsic functions.

B.

A single template or a zip archive of template files cannot be scanned with a single API request.

C.

Request-Header-Field ‘cloudformation-version’ is required to request a scan.

D.

Scan support is provided for JSON, HTML and YAML formats.

Question 70

Which two of the following are required to be entered on the IdP side when setting up SSO in Prisma Cloud? (Choose two.)

Options:

A.

Username

B.

SSO Certificate

C.

Assertion Consumer Service (ACS) URL

D.

SP (Service Provider) Entity ID

Question 71

Given an existing ECS Cluster, which option shows the steps required to install the Console in Amazon ECS?

Options:

A.

The console cannot natively run in an ECS cluster. A onebox deployment should be used.

B.

Download and extract the release tarball

Ensure that each node has its own storage for Console data Create the Console task definition

Deploy the task definition

C.

Download and extract release tarball Download task from AWS

Create the Console task definition Deploy the task definition

D.

Download and extract the release tarball Create an EFS file system and mount to each node in the cluster Create the Console task definition Deploy the task definition

Question 72

Which of the following is a reason for alert dismissal?

Options:

A.

SNOOZED_AUTO_CLOSE

B.

ALERT_RULE_ADDED

C.

POLICY_UPDATED

D.

USER_DELETED

Question 73

A customer's Security Operations Center (SOC) team wants to receive alerts from Prisma Cloud via email once a day about all policies that have a violation, rather than receiving an alert every time a new violation occurs.

Which alert rule configuration meets this requirement?

Options:

A.

Configure an alert rule with all the defaults except selecting email within the "Alert Notifications" tab and specifying recipient.

B.

Configure an alert rule. Under the "Policies" tab, select "High Risk Severity Policies." In the "Set Alert Notifications" tab, select "Email > Recurring," set to repeat every 1 day, and enable "Email."

C.

Set up email integrations under the "Integrations" tab in "Settings" and create a notification template.

D.

Configure an alert rule. Under the "Policies" tab, select "All Policies." In the "Set Alert Notifications" tab, select "Email > Recurring," set to repeat every 1 day, and then enable "Email."

Question 74

Which port should a security team use to pull data from Console’s API?

Options:

A.

53

B.

25

C.

8084

D.

8083

Question 75

The development team wants to fail CI jobs where a specific CVE is contained within the image. How should the development team configure the pipeline or policy to produce this outcome?

Options:

A.

Set the specific CVE exception as an option in Jenkins or twistcli.

B.

Set the specific CVE exception as an option in Defender running the scan.

C.

Set the specific CVE exception as an option using the magic string in the Console.

D.

Set the specific CVE exception in Console’s CI policy.

Question 76

The development team is building pods to host a web front end, and they want to protect these pods with an application firewall.

Which type of policy should be created to protect this pod from Layer7 attacks?

Options:

A.

The development team should create a WAAS rule for the host where these pods will be running.

B.

The development team should create a WAAS rule targeted at all resources on the host.

C.

The development team should create a runtime policy with networking protections.

D.

The development team should create a WAAS rule targeted at the image name of the pods.

Question 77

Which IAM Azure RQL query would correctly generate an output to view users who have sufficient permissions to create security groups within Azure AD and create applications?

Options:

A.

config where api.name = ‘azure-active-directory-authorization-policy’ AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is true and defaultUserRolePermissions.allowedToCreateApps is true

B.

config from cloud.resource where api.name = ‘azure-active-directory-authorization-policy’ AND json.rule = defaultUserRolePermissions exists

C.

config from network where api.name = ‘azure-active-directory-authorization-policy’ AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is false and defaultUserRolePermissions.allowedToCreateApps is true

D.

config from cloud.resource where api.name = ‘azure-active-directory-authorization-policy’ AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is true and defaultUserRolePermissions.allowedToCreateApps is true

Question 78

Which two statements explain differences between build and run config policies? (Choose two.)

Options:

A.

Run and Network policies belong to the configuration policy set.

B.

Build policies allow checking for security misconfigurations in the IaC templates and ensure these issues do not get into production.

C.

Run policies monitor network activities in the environment and check for potential issues during runtime.

D.

Run policies monitor resources and check for potential issues after these cloud resources are deployed.

Demo: 78 questions
Total 260 questions