Free PAM-DEF Sample Questions — CyberArk Defender – PAM

In the Private Ark client, how do you add an LDAP group to a CyberArk group?

• A. Select Update on the CyberArk group, and then click Add > LDAP Group
• B. Select Update on the LDAP Group, and then click Add > LDAP Group. С. Select Member Of on the CyberArk group, and then click Add > LDAP Group
• C. Select Member Of on the LDAP group, and then click Add > LDAP Group

Your organization has a requirement to allow only one user to "check out passwords" and connect through the PSM securely. What needs to be configured in the Master policy to ensure this will happen?

• A. Enforce check-in/check-out exclusive access = active; Require privileged session monitoring and isolation = active
• B. Enforce check-in/check-out exclusive access = inactive; Require privileged session monitoring and isolation = inactive
• C. Enforce check-in/check-out exclusive access = inactive; Record and save session activity = active
• D. Enforce check-in/check-out exclusive access = active; Record and save session activity = inactive

Where can you assign a Reconcile account? (Choose two.)

• A. in PVWA at the account level
• B. in PVWA in the platform configuration
• C. in the Master policy of the PVWA
• D. at the Safe level
• E. in the CPM settings

Users are unable to launch Web Type Connection components from the PSM server. Your manager asked you to open the case with CyberArk Support. Which logs will be most useful for the CyberArk Support Team to debug the issue? (Choose three.)

• A. PSMConsole.log
• B. PSMDebug.log
• C. PSMTrace.log
• D. <Session_ID>.Component.log
• E. PMconsole.log
• F. ITALog.log

How do you create a cold storage backup?

• A. On the DR Vault, install PAReplicate according to the Installation guide, configure the logon ini file, and define the Schedule tasks for full and incremental backups
• B. Install the Vault Backup utility on a different machine from the Enterprise Password Vault server and trigger the full backup
• C. Configure the backup options in the PVWA
• D. On the DR Vault, configure the cold storage backup path in TSParm.ini file

Which statement is true about setting the reconcile account at the platform level?

• A. This is the only way to enable automatic reconciliation of account passwords
• B. CPM performance will be improved when the reconcile account is set at the platform level
• C. rule can be used to specify the reconcile account dynamically or a specific reconcile account can be selected
• D. This configuration prevents the association from becoming broken if the reconcile account is moved to a different safe

In a default CyberArk installation, which group must a user be a member of to view the "reports" page in PVWA?

• A. PVWAMonitor
• B. ReportUsers
• C. PVWAReports
• D. Operators

Which statement is correct concerning accounts that are discovered, but cannot be added to the Vault by an automated onboarding rule?

• A. They are added to the Pending Accounts list
• B. They cannot be onboarded to the Password Vault
• C. They must be uploaded using third party tools
• D. They are not part of the Discovery Process

What are common ways that organizations leverage the CyberArk Blueprint for Identity Security Success? (Choose three.)

• A. to understand the identity attack chain
• B. to discover all digital identities
• C. to describe the explicit order of operations for Identity Security
• D. to assess an organization’s security posture
• E. to build an Identity Security roadmap
• F. to secure their human identities

What can you do to ensure each component server is operational?

• A. Logon to PVWA with v10 UI, navigate to Healthcheck, and validate each component server is connected to the Vault
• B. Ping each component server to ensure connectivity
• C. Use the PrivateArk client to connect to the Vault server and validate all the services are running
• D. Install the Vault Server interface on a remote machine to avoid interactive logon to the Vault OS and review the ITALog.log through the Vault Server interface

You are configuring a Vault HA cluster. Which file should you check to confirm the correct drives have been assigned for the location of the Quorum and Safes data disks?

• A. ClusterVault.ini
• B. my.ini
• C. vault.ini
• D. DBParm.ini

Which tools can you use to identify the machines and accounts that create the highest risk and are exposed to lateral movement? (Choose two.)

• A. Accounts Discovery Feed
• B. CyberArk DNA Report
• C. REST API Scripts
• D. CyberArk DNA Map
• E. Get-LocalUser Powershell cmdlet

Which CyberArk utility allows you to create lists of Master Policy Settings, owners and safes for output to text files or MSSQL databases?

• A. Export Vault Data
• B. Export Vault Information
• C. PrivateArk Client
• D. Privileged Threat Analytics

Which processes reduce the risk of credential theft? (Choose two.)

• A. require dual control password access approval
• B. require password change every X days
• C. enforce check-in/check-out exclusive access
• D. enforce one-time password access

A recently-hired colleague onboarded five new Local Accounts that are used for five standalone Windows Servers. After attempting to connect to the servers from PVWA, the colleague noticed that the "Connect" button was greyed out for all five new accounts. What can you do to help your colleague resolve this issue? (Choose two.)

• A. Verify that the address field is populated with an IP or FQDN of each server
• B. Verify that the correct PSM connection component appears within account platform settings
• C. Verify that the address field is blank and that the correct PSM connection component appears within account platform settings
• D. Notify the Windows Team that created the new accounts that the CyberArk PAM solution is not designed to manage local accounts on Windows Servers
• E. Verify that the "Disable automatic management for this account" setting for each account is not enabled

Which parameters can be used to harden the Credential Files (CredFiles) while using CreateCredFile Utility? (Choose three.)

• A. OS Username
• B. Current machine IP
• C. Current machine hostname
• D. Operating System Type (Linux/Windows/HP-UX)
• E. Vault IP Address
• F. Time Frame

Which usage can be added as a service account platform?

• A. Kerberos Tokens
• B. IIS Application Pools
• C. PowerShell Libraries
• D. Loosely Connected Devices

You have been asked to turn off the time access restrictions for a safe. Where is this setting found?

• A. PrivateArk Client
• B. RestAPI
• C. PVWA
• D. Vault

When should vault keys be rotated?

• A. when it is copied to file systems outside the vault
• B. annually
• C. whenever a CyberArk user leaves the organization
• D. when migrating to a new data center

You have been given the requirement that certain accounts cannot have their passwords updated during business hours. How can you set up a configuration to meet this requirement?

• A. Change settings on the CPM configuration safe so that access is permitted after business hours only
• B. Update the password change parameters of the platform to match the permitted time frame
• C. Disable automatic CPM management for all accounts that are assigned to this platform
• D. Add an exception to the Master Policy to allow the action for this platform during the permitted time