What is the order of steps to create a custom network policy?
(Drag the steps into the correct order of occurrence, from the first step to the last.)
Select and Place:
Question 2:
The development team wants to fail CI jobs where a specific CVE is contained within the image.
How should the development team Configure the pipeline or policy to produce this outcome?
A. Set the specific CVE exception as an option in Jenkins or twistcli. B. Set the specific CVE exception as an option in Defender running the scan. C. Set the specific CVE exception as an option using the magic string in the Console. D. Set the specific CVE exception in Console's CI policy.
D. Set the specific CVE exception in Console's CI policy.
Vulnerability rules that target the build tool can allow specific vulnerabilities by creating an exception and setting the effect to 'ignore'. Block them by creating an exception and setting hte effect to 'fail'. For example, you could create a vulnerability rule that explicitly allows CVE-2018-1234 to suppress warnings in the scan results. To fail CI jobs based on a specific CVE contained within an image, the development team should configure the policy within Prisma Cloud's Console, specifically within the Continuous Integration (CI) policy settings. By setting a specific CVE exception in the CI policy, the team can define criteria that will cause the CI process to fail if the specified CVE is detected in the scanned image. This approach allows for granular control over the build process, ensuring that images with known vulnerabilities are not promoted through the CI/CD pipeline, thereby maintaining the security posture of the deployed applications. This method is in line with best practices for integrating security into the CI/CD process, allowing for automated enforcement of security standards directly within the development pipeline.
Question 3:
Which role must be assigned to DevOps users who need access to deploy Container and Host Defenders in Compute?
A. Cloud Provisioning Admin B. Build and Deploy Security C. System Admin D. Developer
A customer has a large environment that needs to upgrade Console without upgrading all Defenders at one time.
What are two prerequisites prior to performing a rolling upgrade of Defenders? (Choose two.)
A. manual installation of the latest twistcli tool prior to the rolling upgrade B. all Defenders set in read-only mode before execution of the rolling upgrade C. a second location where you can install the Console D. additional workload licenses are required to perform the rolling upgrade E. an existing Console at version n-1
A. manual installation of the latest twistcli tool prior to the rolling upgrade E. an existing Console at version n-1
One of the resources on the network has triggered an alert for a Default config policy. Given the following resource JSON snippet:
Which RQL detected the vulnerability?
A. config from cloud.resource where api.name = 'aws-ecs-service' AND json.rule = launchType equals EC2 as X; config from cloud.resource where api.name = 'aws-ecs-cluster' AND json.rule = status equals ACTIVE and registeredContainerInstancesCount equals 0 as Y; filter '$.X.clusterArn equals $.Y.clusterArn'; show Y; B. config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1 active is true and access_key_1 last_rotated != N/A and _DateTime.ageInDays(access_key_1 last_rotated) > 90) or (access_key_2 active is true and access_key_2 last_rotated != N/A and DateTime.ageInDays(access_key_2 last_rotated) > 90)' C. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-images' AND json.rule = image.platform contains windows and image.imageId contains ami-1e542176 D. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-security-groups' AND json.rule = isShared is false and (ipPermissions[*].ipProtocol equals tcp or ipProtocol equals icmp or ipProtocol equals icmpv6 or ipProtocol equals udp) and (ipRanges[*] contains 0.0.0.0/0 or ipv6Ranges[*].cidrIpv6 contains ::/0)) exists
B. config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get-credential-report' AND json.rule = '(access_key_1 active is true and access_key_1 last_rotated != N/A and _DateTime.ageInDays(access_key_1 last_rotated) > 90) or (access_key_2 active is true and access_key_2 last_rotated != N/A and DateTime.ageInDays(access_key_2 last_rotated) > 90)'
Explanation
The correct RQL (Resource Query Language) that detected the vulnerability is: config from cloud.resource where cloud.type = 'aws' and api.name = 'aws-iam-get- credential-report' AND json.rule = '(access_key_1_active is true and access_key_1_last_rotated != N/A and DateTime. ageInDays (access_key_1_last_rotated) > 90) or (access_key_2_active is true and access_key_2_last_rotated != N/A and _DateTime. ageInDays (access_key_2_last_rotated) > 90)' This RQL is designed to check the age of the AWS IAM user's access keys to ensure that they are rotated within a recommended period, typically 90 days. If the access keys have not been rotated within this timeframe, it would be considered a security risk or vulnerability, as old keys may potentially be compromised. By enforcing access key rotation, it minimizes the risk of unauthorized access. The reference for this type of policy check can be seen in cloud security best practices that advocate for regular rotation of access keys to minimize the potential impact of key compromise. CSPM tools like Prisma Cloud include such checks to automate compliance with these best practices.
Question 7:
Which option identifies the Prisma Cloud Compute Edition?
A. Package installed with APT B. Downloadable, self-hosted software C. Software-as-a-Service (SaaS) D. Plugin to Prisma Cloud
B. Downloadable, self-hosted software
Explanation
The Prisma Cloud Compute Edition is identified as
B. Downloadable, self-hosted software. This option indicates that Prisma Cloud Compute Edition is a solution that organizations can deploy within their own infrastructure, providing them with control over the installation, configuration, and management of the security platform.
Which policy type should be used to detect and alert on cryptominer network activity?
A. Anomaly B. Config-run C. Config-build D. Audit event
A. Anomaly
Explanation
Suspicious network actors-Exposes suspicious connections by inspecting the network traffic to and from your cloud environment and correlating it with AutoFocus, Palo Alto Networks threat intelligence feed. AutoFocus identifies IP addresses involved in suspicious or malicious activity and classifies them into one of eighteen categories. Some examples of the categories are Backdoor, Botnet, Cryptominer, DDoS, Ransomware, Rootkit, and Worm. There are thirty-six policies, two for each of the eighteen categories-internal and external.
An administrator wants to enforce a rate limit for users not being able to post five (5) .tar.gz files within five (5) seconds.
What does the administrator need to Configure?
A. A ban for DoS protection with an average rate of 5 and file extensions match on .tar.gz on WAAS B. A ban for DoS protection with a burst rate of 5 and file extensions match on .tar.gz on CNNF C. A ban for DoS protection with a burst rate of 5 and file extensions match on .tar gz on WAAS D. A ban for DoS protection with an average rate of 5 and file extensions match on .tar.gz on CNNF
C. A ban for DoS protection with a burst rate of 5 and file extensions match on .tar gz on WAAS
Explanation
Question 10:
How can an administrator investigate runtime security incidents in Prisma Cloud Compute?
A. Monitor > Events > Runtime Audits B. Manage > Alerts > Audit Logs C. Defend > Compliance > Investigate D. Policies > Enforcement Actions
A. Monitor > Events > Runtime Audits
Explanation
The Runtime Audits section under Monitor > Events provides insights into runtime security incidents.
Nowadays, the certification exams become more and more important and required by more and more
enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare
for the exam in a short time with less efforts? How to get a ideal result and how to find the
most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provide not only Palo Alto Networks exam questions,
answers and explanations but also complete assistance on your exam preparation and certification
application. If you are confused on your PCCSE exam preparations
and Palo Alto Networks certification application, do not hesitate to visit our
Vcedump.com to find your solutions here.