Palo Alto Networks PAN-CSP Online Practice Questions and Exam Preparation

Palo Alto Networks PAN-CSP Online Questions & Answers

• Question 161:

  Which `kind` of Kubernetes object is Configured to ensure that Defender is acting as the admission controller?

  A. MutatingWebhookconfiguration
  B. DestinationRules
  C. ValidatingWebhookconfiguration
  D. PodSecurityPolicies
  C. ValidatingWebhookconfiguration

  ---

  Explanation

  In the context of Kubernetes, an admission controller is a piece of code that intercepts requests to the Kubernetes API server before the persistence of the object, but after the request is authenticated and authorized. The admission controller lets you apply complex validation and policy controls to objects before they are created or updated. The ValidatingWebhookConfiguration is a Kubernetes object that tells the API server to send an admission validation request to a service (the admission webhook) when a request to create, update, or delete a Kubernetes object matches the rules defined in the configuration. The webhook can then approve or deny the request based on custom logic. The MutatingWebhookConfiguration is similar but is used to modify objects before they are created or updated, which is not the primary function of an admission controller acting in a protective or validating capacity.

  DestinationRules are related to Istio service mesh and are not relevant to Kubernetes admission control.

  PodSecurityPolicies (PSPs) are a type of admission controller in Kubernetes but they are predefined by Kubernetes and do not require a specific configuration object like ValidatingWebhookConfiguration. PSPs are also deprecated in recent versions of Kubernetes.

  Therefore, the correct answer is C. ValidatingWebhookConfiguration, as it is the Kubernetes object used to configure admission webhooks for validating requests, which aligns with the role of Defender acting as an admission controller in Prisma Cloud.

  References from the provided documents: The documents uploaded do not contain specific details about Kubernetes objects or Prisma Cloud's integration with Kubernetes. However, this explanation aligns with general Kubernetes practices and Prisma Cloud's capabilities in securing Kubernetes environments.

  References:

  https://docs.paloaltonetworks.com/prisma/prisma-cloud/21-04/prisma-cloud-compute-edition-admin/access_control/open_policy_agent.html

• Question 162:

  Which RQL query type is invalid?

  A. Event
  B. IAM
  C. Incident
  D. config
  C. Incident

  ---

  Explanation

  Within Prisma Cloud's Resource Query Language (RQL), the "Incident" query type is invalid because RQL is designed to query configuration and posture information of cloud resources, not incident data. The valid RQL query types include "Config" for querying resource configurations, "Network" for querying network-related information, "IAM" for querying identity and access management configurations, and "Event" for querying audit events. The focus on resource configurations and audit events aligns with Prisma Cloud's capabilities in cloud security posture management (CSPM) and cloud workload protection platform (CWPP), providing insights into resource configurations, compliance, and network traffic.

  https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/rql

• Question 163:

  Which two services require external Notifications to be enabled for policy violations in the Prisma Cloud environment? (Choose two.)

  A. Splunk
  B. QROC
  C. SQS
  D. Email
  A. Splunk
  C. SQS

  ---

  Explanation

  B - not couse there is no such integration like QROC

  D - not couse: "For all channels except email, to enable notification of policy violations in your cloud environments in your existing operational workflows, you must Configure External Integrations on Prisma Cloud."

• Question 164:

  Which two statements are true about the differences between build and run config policies? (Choose two.)

  A. Run and Network policies belong to the configuration policy set.
  B. Build and Audit Events policies belong to the configuration policy set.
  C. Run policies monitor resources, and check for potential issues after these cloud resources are deployed.
  D. Build policies enable you to check for security misconfigurations in the IaC templates and ensure that these issues do not get into production.
  E. Run policies monitor network activities in your environment, and check for potential issues during runtime.
  C. Run policies monitor resources, and check for potential issues after these cloud resources are deployed.
  D. Build policies enable you to check for security misconfigurations in the IaC templates and ensure that these issues do not get into production.

  ---

  Explanation

  In the context of Prisma Cloud, Build and Run policies serve distinct purposes in securing cloud environments. Build policies are designed to evaluate Infrastructure as Code (IaC) templates before deployment. These policies help identify and remediate security misconfigurations in the development phase, ensuring that vulnerabilities are addressed before the infrastructure is provisioned. This proactive approach enhances security by preventing misconfigurations from reaching production environments.

  On the other hand, Run policies are applied to resources that are already deployed in the cloud. These policies continuously monitor the cloud environment, detecting and alerting on potential security issues that arise in the runtime. Run policies help maintain the security posture of cloud resources by identifying deviations from established security baselines and enabling quick remediation of identified issues. Both Build and Run policies are integral to a comprehensive cloud security strategy, addressing security concerns at different stages of the cloud resource lifecycle--from development and deployment to ongoing operation.

• Question 165:

  A customer wants to turn on Auto Remediation.

  Which policy type has the built-in CLI command for remediation?

  A. Anomaly
  B. Audit Event
  C. Network
  D. config
  D. config

  ---

  Explanation

  References:

  https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/create-a-policy.htmlInPrismaCloud,Configpolicieshavebuilt-inCLIcommandsforauto-remediation.Thesepolicieshelpinidentifyingmisconfigurationswithincloudenvironmentsandcanautomaticallyexecuteremediationcommandstocorrecttheconfigurationswithoutmanualintervention.ThisfeatureispartofPrismaCloud'scomprehensiveapproachtomaintainingcloudsecurityposturebyensuringthatcloudresourcesareconfiguredinaccordancewithbestpracticesandcompliancestandards.

• Question 166:

  The security team wants to target a CNAF policy for specific running Containers.

  How should the administrator scope the policy to target the Containers?

  A. scope the policy to Image names.
  B. scope the policy to namespaces.
  C. scope the policy to Defender names.
  D. scope the policy to Host names.
  B. scope the policy to namespaces.

• Question 167:

  One of the resources on the network has triggered an alert for a Default config policy.

  Given the following resource JSON snippet:

  

  Which RQL detected the vulnerability?

  

  A. config from cloud.resource where api.name = 'aws-ecs-service' AND json.rule = launchType equals EC2 as X; config from cloud.resource where api.name = 'aws-ecs-cluster' AND json.rule = status equals ACTIVE and registeredContainerInstancesCount equals 0 as Y; filter '$.X.clusterArn equals $.Y.clusterArn'; show Y;
  B. config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1 active is true and access_key_1 last_rotated != N/A and_DateTime.ageInDays(access_key_1 last_rotated) > 90) or (access_key_2 active is true and access_key_2 last_rotated != N/A and DateTime.ageInDays(access_key_2 last_rotated) > 90)'
  C. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-images' AND json.rule = image.platform contains windows and image.imageId contains ami-1e542176
  D. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[*].ipProtocol equals tcp or ipProtocol equals icmp or ipProtocol equals icmpv6 or ipProtocol equals udp) and (ipRanges[*] contains 0.0.0.0/0 or ipv6Ranges[*].cidrIpv6 contains ::/0)) exists
  B. config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1 active is true and access_key_1 last_rotated != N/A and_DateTime.ageInDays(access_key_1 last_rotated) > 90) or (access_key_2 active is true and access_key_2 last_rotated != N/A and DateTime.ageInDays(access_key_2 last_rotated) > 90)'

  ---

  Explanation

  The correct RQL (Resource Query Language) that detected the vulnerability is:

  config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get- credential-report' AND json.rule = '(access_key_1_active is true and access_key_1_last_rotated != N/A and DateTime. ageInDays (access_key_1_last_rotated) > 90) or (access_key_2_active is true and access_key_2_last_rotated != N/A and _DateTime. ageInDays (access_key_2_last_rotated) > 90)' This RQL is designed to check the age of the AWS IAM user's access keys to ensure that they are rotated within a recommended period, typically 90 days. If the access keys have not been rotated within this timeframe, it would be considered a security risk or vulnerability, as old keys may potentially be compromised. By enforcing access key rotation, it minimizes the risk of unauthorized access. The reference for this type of policy check can be seen in cloud security best practices that advocate for regular rotation of access keys to minimize the potential impact of key compromise. CSPM tools like Prisma Cloud include such checks to automate compliance with these best practices.

• Question 168:

  A customer wants to monitor its Amazon Web Services (AWS) accounts via Prisma Cloud, but only needs the resource configuration to be monitored at present.

  Which two pieces of information are needed to onboard this account? (Choose two.)

  A. CloudTrail
  B. Role ARN
  C. Active Directory ID
  D. External ID
  B. Role ARN
  D. External ID

  ---

  Explanation

  https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OD3CAM&lang=en_US%E2%80%A9

• Question 169:

  Which type of RQL query should be run to determine if AWS Elastic Compute Cloud (EC2) instances without encryption was enabled?

  A. NETWORK
  B. CONFIG
  C. EVENT
  D. SECURITY
  B. CONFIG

  ---

  Explanation

  To determine if AWS EC2 instances are running without encryption enabled, the appropriate RQL (Resource Query Language) type to use is CONFIG. CONFIG queries in Prisma Cloud are designed to inspect the configuration states of cloud resources and identify compliance with best practices or specific security requirements. By running a CONFIG query, administrators can assess the configuration settings of EC2 instances, including whether encryption features are enabled or not. This type of query allows for deep inspection of resource configurations within cloud environments, making it the ideal choice for identifying unencrypted EC2 instances and thereby helping to ensure data protection and compliance with security policies.

• Question 170:

  DRAG DROP

  You wish to create a custom policy with build and run subtypes.

  Match the query types for each example.

  (Select your answer from the pull-down list. Answers may be used more than once or not at all.)

  Select and Place:

  

  

  ---

  References:

  https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/create-a-policy.html