Free PCCSE Sample Questions — Prisma Certified Cloud Security Engineer

Free PCCSE sample questions for the Prisma Certified Cloud Security Engineer exam. No account required: study at your own pace.

Question 1

Which step is included when configuring Kubernetes to use Prisma Cloud Compute as an admission controller?

  • A. copy the Console address and set the config map for the default namespace
  • B. create a new namespace in Kubernetes called admission-controller
  • C. enable Kubernetes auditing from the Defend > Access > Kubernetes page in the Console
  • D. copy the admission controller configuration from the Console and apply it to Kubernetes

Correct Answer:
D. copy the admission controller configuration from the Console and apply it to Kubernetes

Question 2

Which `kind` of Kubernetes object is configured to ensure that Defender is acting as the admission controller?

  • A. MutatingWebhookConfiguration
  • B. DestinationRules
  • C. ValidatingWebhookConfiguration
  • D. PodSecurityPolicies

Correct Answer:
C. ValidatingWebhookConfiguration

Question 3

Where can a user submit an external new feature request?

  • A. Aha
  • B. Help Center
  • C. Support Portal
  • D. Feature Request

Correct Answer:
A. Aha

Question 4

When would a policy apply if the policy is set under Defend > Vulnerability > Images > Deployed?

  • A. when a serverless repository is scanned
  • B. when a Container is started from an Image
  • C. when the Image is built and when a Container is started from an Image
  • D. when the Image is built

Correct Answer:
B. when a Container is started from an Image

Question 5

Which type of compliance check is available for rules under Defend > Compliance > Containers and Images > CI?

  • A. Host
  • B. Container
  • C. Functions
  • D. Image

Correct Answer:
D. Image

Question 6

When an alert notification from the alarm center is deleted, how many hours will a similar alarm be suppressed by default?

  • A. 12
  • B. 8
  • C. 24
  • D. 4

Correct Answer:
C. 24

Question 7

Which IAM Azure RQL query would correctly generate an output to view users who have sufficient permissions to create security groups within Azure AD and create applications?

  • A. config where api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is true and defaultUserRolePermissions.allowedToCreateApps is true
  • B. config from cloud.resource where api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions exists
  • C. config from network where api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is false and defaultUserRolePermissions.allowedToCreateApps is true
  • D. config from cloud.resource where api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is true and defaultUserRolePermissions.allowedToCreateApps is true

Correct Answer:
D. config from cloud.resource where api.name = 'azure-active-directory-authorization-policy' AND json.rule = defaultUserRolePermissions.allowedToCreateSecurityGroups is true and defaultUserRolePermissions.allowedToCreateApps is true

Question 8

You have onboarded a public cloud account into Prisma Cloud Enterprise. Configuration resource ingestion is visible in the Asset Inventory for the onboarded account, but no alerts are being generated for the configuration assets in the account. Config policies are enabled in the Prisma Cloud Enterprise tenant, and those policies are associated with existing alert rules. RQL statements on the Investigate page matching those policies return config resource results successfully. Why are no alerts being generated?

  • A. The public cloud account is not associated with an alert notification
  • B. The public cloud account does not have audit trail ingestion enabled
  • C. The public cloud account does not have access to configuration resources
  • D. The public cloud account is not associated with an alert rule

Correct Answer:
D. The public cloud account is not associated with an alert rule

Question 9

An administrator has access to a Prisma Cloud Enterprise. What are the steps to deploy a single container Defender on an ec2 node?

  • A. Pull the Defender image to the ec2 node, copy and execute the curl | bash script, and start the Defender to ensure it is running
  • B. Execute the curl | bash script on the ec2 node
  • C. Configure the cloud credential in the console and allow cloud discovery to auto-protect the ec2 node
  • D. Generate DaemonSet file and apply DaemonSet to the twistlock namespace

Correct Answer:
B. Execute the curl | bash script on the ec2 node

Question 10

Which RQL query is used to detect certain high-risk activities executed by a root user in AWS?

  • A. event from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey' , 'DeleteAlarms' ) AND user = 'root'
  • B. event from cloud.security_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey' , 'DeleteAlarms' ) AND user = 'root'
  • C. config from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey', 'DeleteAlarms' ) AND user = 'root'
  • D. event from cloud.audit_logs where Risk.Level = 'high' AND user = 'root'

Correct Answer:
A. event from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey' , 'DeleteAlarms' ) AND user = 'root'

Question 11

Which three types of bucket exposure are available in the Data Security module? (Choose three.)

  • A. Public
  • B. Private
  • C. International
  • D. Differential
  • E. Conditional

Correct Answer:
  • A. Public
  • B. Private
  • E. Conditional

Question 12

What is the primary purpose of Prisma Cloud Code Security?

  • A. To address cloud infrastructure misconfigurations in code before they become alerts or incidents
  • B. To provide a platform for developers to create custom security policies for applications
  • C. To offer instant feedback on application performance issues and bottlenecks
  • D. To triage alerts and incidents in real time during deployment

Correct Answer:
A. To address cloud infrastructure misconfigurations in code before they become alerts or incidents

Question 13

Which two options may be used to upgrade the Defenders with a Console v20.04 and Kubernetes deployment? (Choose two.)

  • A. Run the provided curl | bash script from Console to remove Defenders, and then use Cloud Discovery to automatically redeploy Defenders
  • B. Remove Defenders DaemonSet, and then use Cloud Discovery to automatically redeploy the Defenders
  • C. Remove Defenders, and then deploy the new DaemonSet so Defenders do not have to automatically update on each deployment
  • D. Let Defenders automatically upgrade

Correct Answer:
  • C. Remove Defenders, and then deploy the new DaemonSet so Defenders do not have to automatically update on each deployment
  • D. Let Defenders automatically upgrade

Question 14

Based on the following information, which RQL query will satisfy the requirement to identify VM hosts deployed to the organization's public cloud environments that are exposed to network traffic from the internet and affected by the Text4Shell RCE (CVE-2022-42889) vulnerability?

  • Network flow logs from all virtual private cloud (VPC) subnets are ingested to the Prisma Cloud Enterprise Edition tenant.
  • All virtual machines (VMs) have Prisma Cloud Defender deployed.

  • A. network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
  • B. config from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')) AND source.publicnetwork = ('Internet IPs' or 'Suspicious IPs')
  • C. network from vpc.flow_record where bytes > 0 AND finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889') AND source.publicnetwork = 'Internet IPs'
  • D. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances' AND json.rule = publicIpAddress exists AND finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')

Correct Answer:
A. network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')

Question 15

Which three types of classifications are available in the Data Security module? (Choose three.)

  • A. Personally identifiable information
  • B. Malicious IP
  • C. Compliance standard
  • D. Financial information
  • E. Malware

Correct Answer:
  • A. Personally identifiable information
  • D. Financial information
  • E. Malware

Question 16

An organization wants to be notified immediately of any `High Severity` alerts for the account group `Clinical Trials` via Slack. Which option shows the steps the organization can use to achieve this goal?

  • A. 1. Configure Slack Integration 2. Create an alert rule and select "Clinical Trials" as the account group 3. Under the "Select Policies" tab, filter on severity and select "High" 4. Under the Set Alert Notification tab, choose Slack and populate the channel 5. Set Frequency to "As it Happens"
  • B. 1. Create an alert rule and select "Clinical Trials" as the account group 2. Under the "Select Policies" tab, filter on severity and select "High" 3. Under the Set Alert Notification tab, choose Slack and populate the channel 4. Set Frequency to "As it Happens" 5. Set up the Slack Integration to complete the configuration
  • C. 1. Configure Slack Integration 2. Create an alert rule 3. Under the "Select Policies" tab, filter on severity and select "High" 4. Under the Set Alert Notification tab, choose Slack and populate the channel 5. Set Frequency to "As it Happens"
  • D. 1. Under the "Select Policies" tab, filter on severity and select "High" 2. Under the Set Alert Notification tab, choose Slack and populate the channel 3. Set Frequency to "As it Happens" 4. Configure Slack Integration 5. Create an Alert rule

Correct Answer:
A. 1. Configure Slack Integration 2. Create an alert rule and select "Clinical Trials" as the account group 3. Under the "Select Policies" tab, filter on severity and select "High" 4. Under the Set Alert Notification tab, choose Slack and populate the channel 5. Set Frequency to "As it Happens"

Question 17

Which two CI/CD plugins are supported by Prisma Cloud as part of its Code Security? (Choose two.)

  • A. Checkov
  • B. Visual Studio Code
  • C. CircleCI
  • D. IntelliJ

Correct Answer:
  • A. Checkov
  • C. CircleCI

Question 18

A customer wants to monitor its Amazon Web Services (AWS) accounts via Prisma Cloud, but only needs the resource configuration to be monitored at present. Which two pieces of information are needed to onboard this account? (Choose two.)

  • A. CloudTrail
  • B. Role ARN
  • C. Active Directory ID
  • D. External ID

Correct Answer:
  • B. Role ARN
  • D. External ID

Question 19

A security team is deploying Cloud Native Application Firewall (CNAF) on a containerized web application. The application is running an NGINX container. The container is listening on port 8080 and is mapped to host port 80. Which port should the team specify in the CNAF rule to protect the application?

  • A. 443
  • B. 80
  • C. 8080
  • D. 8888

Correct Answer:
C. 8080

Question 20

A customer has a requirement to scan serverless functions for vulnerabilities. What is the correct option to configure scanning?

  • A. Configure serverless radar from the Defend > Compliance > Cloud Platforms page
  • B. Embed serverless Defender into the function
  • C. Configure a function scan policy from the Defend > Vulnerabilities > Functions page
  • D. Use Lambda layers to deploy a Defender into the function

Correct Answer:
C. Configure a function scan policy from the Defend > Vulnerabilities > Functions page
