Palo Alto Networks PAN-CSP Online Practice Questions and Exam Preparation

Palo Alto Networks PAN-CSP Online Questions & Answers

• Question 151:

  Which IAM RQL query would correctly generate an output to view users who enabled console access with both access keys and passwords?

  A. config from network where api.name = `aws-iam-get-credential-report' AND json.rule = cert_1_active is true or cert_2_active is true and password_enabled equals "true"
  B. config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = access_key_1_active is true or access_key_2_active is true and password_enabled equals "true"
  C. config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = access_key_1_active is false or access_key_2_active is true and password_enabled equals "*"
  D. config where api.name = `aws-iam-get-credential-report' AND json.rule= access_key_1_active is true or access_key_2_active is true and password_enabled equals "true"
  B. config from cloud.resource where api.name = 'aws-iam-get-credential-report' AND json.rule = access_key_1_active is true or access_key_2_active is true and password_enabled equals "true"

  ---

  Explanation

  Only "B" is proper query on Prisma

• Question 152:

  Which scanning method should be used to check container images for vulnerabilities before deployment?

  A. CI/CD pipeline integration
  B. Manual scanning at runtime
  C. Cloud storage scanning
  D. AWS Lambda scanning
  A. CI/CD pipeline integration

  ---

  Explanation

  CI/CD integration allows Prisma Cloud to scan images before they are deployed.

• Question 153:

  Which set of steps is the correct process for obtaining Console images for Prisma Cloud Compute Edition?

  A. 1. Access registry.paloaltonetworks.com, and authenticate using 'docker login'.2. Retrieve the Prisma Cloud Console images using 'docker pull'.
  B. 1. Access registry.twistlock.com, and authenticate using 'docker login'.2. Retrieve the Prisma Cloud Console images using 'docker pull'.
  C. 1. Access registry-url-auth.twistlock.com, and authenticate using the user certificate.2. Retrieve the Prisma Cloud Console images using 'docker pull'.
  D. 1. Access registry-auth.twistlock.com, and authenticate using the user certificate.2. Retrieve the Prisma Cloud Console images using 'docker pull'.
  B. 1. Access registry.twistlock.com, and authenticate using 'docker login'.2. Retrieve the Prisma Cloud Console images using 'docker pull'.

  ---

  Explanation

  Prisma Cloud, part of Palo Alto Networks' cloud security suite, offers Console images that can be retrieved for deployment in various environments. The correct process for obtaining these images involves using basic authentication with Docker, a widely-used containerization platform. Users must first access the official Palo Alto Networks registry at registry.paloaltonetworks.com. Here, they are required to authenticate using the "docker login" command, which prompts for credentials. Upon successful authentication, users can then use the "docker pull" command to retrieve the Prisma Cloud Console images. This method ensures secure access to the latest Console images for deployment within an organization's infrastructure, aligning with best practices for container image management and deployment.

• Question 154:

  A customer has serverless functions that are deployed in multiple clouds.

  Which serverless cloud provider is covered be "overly permissive service access" compliance check?

  A. Alibaba
  B. GCP
  C. AWS
  D. Azure
  C. AWS

  ---

  Explanation

  References:

  https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/serverless.html

  The serverless cloud provider covered by the "overly permissive service access" compliance check is AWS (Amazon Web Services). AWS Lambda, which is the serverless computing platform provided by AWS, may have functions that are assigned more permissions than they require to perform their operations, leading to security risks. In the context of CSPM tools, such as Prisma Cloud, checks for overly permissive service access would typically include examining the policies attached to AWS Lambda functions to ensure that they adhere to the principle of least privilege. Such checks help identify and rectify overly broad permissions that could potentially be exploited by attackers. The reference for this can be found in AWS best practices for Lambda security, which emphasize the importance of granting minimal privileges necessary for the Lambda function to perform its tasks, thereby reducing the potential attack surface.

• Question 155:

  Which Prisma Cloud feature can be used to monitor unusual outbound network activity from containers?

  A. Anomaly policies
  B. Network policies
  C. Compliance policies
  D. IAM policies
  A. Anomaly policies

  ---

  Explanation

  Anomaly policies detect unusual network behavior, such as excessive outbound traffic from a container.

• Question 156:

  Which of the below actions would indicate - "The timestamp on the compliance dashboard"?

  A. indicates the most recent data
  B. indicates the most recent alert generated
  C. indicates when the data was ingested
  D. indicates when the data was aggregated for the results displayed
  D. indicates when the data was aggregated for the results displayed

  ---

  Explanation

  The timestamp on the compliance dashboard in a cloud security context typically reflects the point in time when data from various sources is collected, processed, and then consolidated to present the compliance status or results. This aggregation process involves compiling data from multiple scans, logs, and other compliance-related information to provide a comprehensive overview of the current compliance posture. Therefore, the timestamp usually indicates when this aggregation was completed, ensuring that users are viewing the most up-to-date and relevant compliance information based on the latest data compilation.

  https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-compliance/compliance-dashboard

• Question 157:

  Which of the following is a reason for alert dismissal?

  A. SNOOZED_AUTO_CLOSE
  B. ALERT_RULE_ADDED
  C. POLICY_UPDATED
  D. USER_DELETED
  C. POLICY_UPDATED

  ---

  Explanation

  https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/prisma-cloud-alert-resolution-reasons

• Question 158:

  An administrator has added a Cloud account on Prisma Cloud and then deleted it.

  What will happen if the deleted account is added back on Prisma Cloud within a 24-hour period?

  A. No alerts will be displayed.
  B. Existing alerts will be displayed again.
  C. New alerts will be generated.
  D. Existing alerts will be marked as resolved.
  B. Existing alerts will be displayed again.

  ---

  Explanation

  When an administrator adds a Cloud account to Prisma Cloud and then deletes it, if the deleted account is added back to Prisma Cloud within a 24-hour period, the existing alerts associated with that account will be displayed again. This behavior ensures continuity in monitoring and alerting, allowing security teams to retain visibility into potential security issues or compliance violations associated with the cloud account. Re-displaying existing alerts helps maintain a consistent security posture and ensures that no critical alerts are overlooked during the re-addition process

• Question 159:

  Which statement about build and run policies is true?

  A. Build policies enable you to check for security misconfigurations in the IaC templates.
  B. Every type of policy has auto-remediation enabled by default.
  C. The four main types of policies are: Audit Events, Build, Network, and Run.
  D. Run policies monitor network activities in the environment and check for potential issues during runtime.
  A. Build policies enable you to check for security misconfigurations in the IaC templates.

  ---

  Explanation

  A true statement about build and run policies is A. Build policies enable you to check for security misconfigurations in the IaC templates. This capability is crucial for identifying potential security issues early in the development process, allowing for proactive mitigation before deployment, thereby enhancing the overall security posture of the applications and infrastructure being developed.

• Question 160:

  A customer has Defenders connected to Prisma Cloud Enterprise. The Defenders are deployed as a DaemonSet in OpenShift.

  How should the administrator get a report of vulnerabilities on hosts?

  A. Navigate to Monitor > Vulnerabilities > CVE Viewer
  B. Navigate to Defend > Vulnerabilities > VM Images
  C. Navigate to Defend > Vulnerabilities > Hosts
  D. Navigate to Monitor > Vulnerabilities > Hosts
  D. Navigate to Monitor > Vulnerabilities > Hosts

  ---

  Explanation

  To view the vulnerabilities identified on a host, navigating to the "Monitor > Vulnerabilities > Hosts" section within the Prisma Cloud Console is the correct approach. This section is specifically designed to provide a comprehensive overview of all detected vulnerabilities within the host environment, offering detailed insights into each vulnerability's nature, severity, and potential impact. This pathway allows users to efficiently assess the security posture of their hosts, prioritize vulnerabilities based on their severity, and take appropriate remediation actions. The "Hosts" section under "Vulnerabilities" is tailored to display vulnerabilities related to host configurations, installed software, and other host-level security concerns, making it the ideal location within the Prisma Cloud Console for this purpose.