オンライン問題で最適なPCCSE試験練習問題(最新の250問題)
練習問題PCCSE素晴らしい練習用のPrisma Certified Cloud Security Engineerテスト問題
質問 # 57
Given this information:
The Console is located at https://prisma-console.mydomain.local The username is: cluster The password is: password123 The image to scan is: myimage:latest Which twistcli command should be used to scan a Container for vulnerabilities and display the details about each vulnerability?
- A. twistcli images scan --console-address prisma-console.mydomain.local -u cluster -p password123 -- vulnerability-details myimage:latest
- B. twistcli images scan --console-address https://prisma-console.mydomain.local -u cluster -p password123 -- details myimage:latest
- C. twistcli images scan --address prisma-console.mydomain.local -u cluster -p password123 --vulnerability- details myimage:latest
- D. twistcli images scan --address https://prisma-console.mydomain.local -u cluster -p password123 --details myimage:latest
正解:D
解説:
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/tools/twistcli_scan_images
質問 # 58
Which two filters are available in the SecOps dashboard? (Choose two.)
- A. Cloud Region
- B. Service Name
- C. Time range
- D. Account Groups
正解:C、D
質問 # 59
Which option shows the steps to install the Console in a Kubernetes Cluster?
- A. Download and extract release tarball Download the YAML for Console Deploy Console YAML using kubectl
- B. Download the Console and Defender image Download YAML for Defender from the document site Deploy Defender YAML using kubectl
- C. Download and extract release tarball Generate YAML for Console
Deploy Console YAML using kubectl - D. Download the Console and Defender image Generate YAML for Defender
Deploy Defender YAML using kubectl
正解:C
質問 # 60
Which statement about build and run policies is true?
- A. Build policies enable you to check for security misconfigurations in the IaC templates.
- B. Run policies monitor network activities in the environment and check for potential issues during runtime.
- C. The four main types of policies are: Audit Events, Build, Network, and Run.
- D. Every type of policy has auto-remediation enabled by default.
正解:A
解説:
A true statement about build and run policies is A. Build policies enable you to check for security misconfigurations in the IaC templates. This capability is crucial for identifying potential security issues early in the development process, allowing for proactive mitigation before deployment, thereby enhancing the overall security posture of the applications and infrastructure being developed.
質問 # 61
An administrator has deployed Console into a Kubernetes cluster running in AWS. The administrator also has configured a load balancer in TCP passthrough mode to listen on the same ports as the default Prisma Compute Console configuration.
In the build pipeline, the administrator wants twistcli to talk to Console over HTTPS. Which port will twistcli need to use to access the Prisma Compute APIs?
- A. 0
- B. 1
- C. 2
- D. 3
正解:A
解説:
https://docs.prismacloudcompute.com/docs/compute_edition_21_04/tools/twistcli.html#connectivity-to-console
質問 # 62
A security team has been asked to create a custom policy.
Which two methods can the team use to accomplish this goal? (Choose two.)
- A. edit the query in the out-of-the-box policy
- B. disable an out-of-the-box policy
- C. clone an existing policy
- D. add a new policy
正解:C、D
解説:
To create a custom policy within a cloud security platform like Prisma Cloud, security teams have the flexibility to either add a new policy from scratch or clone an existing one to serve as a foundation for customization. Adding a new policy allows for the creation of a completely tailored rule set based on specific security requirements. Cloning an existing policy, on the other hand, provides a quick start by using the structure of an already established policy, which can then be modified to fit particular needs. This approach is beneficial for maintaining consistency with existing policies while addressing unique security scenarios. Disabling an out-of-the-box policy (option C) or editing the query in an out-of-the-box policy (option D) are actions that might be taken to customize policy enforcement but do not equate to the creation of a new custom policy.
質問 # 63
Based on the following information, which RQL query will satisfy the requirement to identify VM hosts deployed to organization public cloud environments exposed to network traffic from the internet and affected by Text4Shell RCE (CVE-2022-42889) vulnerability?
* Network flow logs from all virtual private cloud (VPC) subnets are ingested to the Prisma Cloud Enterprise Edition tenant.
* All virtual machines (VMs) have Prisma Cloud Defender deployed.
- A.

- B.

- C.

- D.

正解:B
解説:
The RQL query in Option A is designed to identify VM hosts that are exposed to internet traffic and are affected by the Text4Shell RCE vulnerability (CVE-2022-42889). This query looks for network flow records with byte transfers indicating activity and filters for resources with host vulnerability findings sourced from 'Prisma Cloud'. It also checks for exposure to suspicious or internet IPs, satisfying the criteria for the given scenario.
質問 # 64
A manager informs the SOC that one or more RDS instances have been compromised and the SOC needs to make sure production RDS instances are NOT publicly accessible.
Which action should the SOC take to follow security best practices?
- A. Enable "AWS S3 bucket is publicly accessible" policy and add policy to an auto-remediation alert rule.
- B. Enable "AWS RDS database instance is publicly accessible" policy and add policy to an auto-remediation alert rule.
- C. Enable "AWS RDS database instance is publicly accessible" policy and for each alert, check that it is a production instance, and then manually remediate.
- D. Enable "AWS S3 bucket is publicly accessible" policy and manually remediate each alert.
正解:C
解説:
Following best practices, the Security Operations Center (SOC) should enable a policy that checks for publicly accessible AWS RDS database instances and then manually remediate each instance confirmed to be part of the production environment. This approach ensures that only those resources that should not be publicly accessible are modified, avoiding unintended access restrictions on non-production instances.
質問 # 65
Which statement accurately characterizes SSO Integration on Prisma Cloud?
- A. An administrator can configure different Identity Providers (IdP) for all the cloud accounts that Prisma Cloud monitors.
- B. Prisma Cloud supports IdP initiated SSO, and its SAML endpoint supports the POST and GET methods.
- C. An administrator who needs to access the Prisma Cloud API can use SSO after configuration.
- D. Okta, Azure Active Directory, PingID, and others are supported via SAML.
正解:B
質問 # 66
An administrator wants to retrieve the compliance policies for images scanned in a continuous integration (CI) pipeline.
Which endpoint will successfully execute to enable access to the images via API?
- A. GET /api/v22.01/policies/compliance
- B. GET /api/v22.01/policies/compliance/ci/serverless
- C. GET /api/v22.01/policies/compliance/ci
- D. GET /api/v22.01/policies/compliance/ci/images
正解:A
解説:
To retrieve compliance policies for images scanned in a continuous integration (CI) pipeline via Prisma Cloud's API, the correct endpoint to use is GET /api/v22.01/policies/compliance (A). This endpoint provides access to the comprehensive list of compliance policies defined within Prisma Cloud, including those applicable to images in the CI pipeline. It allows administrators to programmatically retrieve and review the policies to ensure that images meet the organization's compliance standards before they are deployed. The other options (B, C, D) specify endpoints that do not match the standard API endpoint format used by Prisma Cloud for accessing compliance policies, making them incorrect.
質問 # 67
What are two built-in RBAC permission groups for Prisma Cloud? (Choose two.)
- A. Account Group Admin
- B. Group Membership Admin
- C. Group Admin
- D. Account Group Read Only
正解:B、C
質問 # 68
You wish to create a custom policy with build and run subtypes. Match the query types for each example.
(Select your answer from the pull-down list. Answers may be used more than once or not at all.)
正解:
解説:

質問 # 69
Review this admission control policy:
Which response to this policy will be achieved when the effect is set to "block"?
- A. The policy will block the creation of a privileged pod
- B. The policy will replace Defender with a privileged Defender
- C. The policy will block all pods on a Privileged host
- D. The policy will alert only the administrator when a privileged pod is created
正解:B
質問 # 70
An administrator has deployed Console into a Kubernetes cluster running in AWS. The administrator also has configured a load balancer in TCP passthrough mode to listen on the same ports as the default Prisma Compute Console configuration.
In the build pipeline, the administrator wants twistcli to talk to Console over HTTPS. Which port will twistcli need to use to access the Prisma Compute APIs?
- A. 0
- B. 1
- C. 2
- D. 3
正解:A
解説:
Explanation
https://docs.prismacloudcompute.com/docs/compute_edition_21_04/tools/twistcli.html#connectivity-to-console
質問 # 71
What is the default namespace created by Defender DaemonSet during deployment?
- A. Default
- B. Redlock
- C. Twistlock
- D. Defender
正解:D
質問 # 72
During the Learning phase of the Container Runtime Model, Prisma Cloud enters a "dry run" period for how many hours?
- A. 0
- B. 1
- C. 2
- D. 3
正解:D
質問 # 73
An administrator wants to retrieve the compliance policies for images scanned in a continuous integration (CI) pipeline.
Which endpoint will successfully execute to enable access to the images via API?
- A. GET /api/v22.01/policies/compliance/ci/images
- B. GET /api/v22.01/policies/compliance/ci/serverless
- C. GET /api/v22.01/policies/compliance/ci
- D. GET /api/v22.01/policies/compliance
正解:A
質問 # 74
Match the correct scanning mode for each given operation.
(Select your answer from the pull-down list. Answers may be used more than once or not at all.)
正解:
解説:
質問 # 75
The development team wants to fail CI jobs where a specific CVE is contained within the image. How should the development team configure the pipeline or policy to produce this outcome?
- A. Set the specific CVE exception as an option using the magic string in the Console.
- B. Set the specific CVE exception in Console's CI policy.
- C. Set the specific CVE exception as an option in Jenkins or twistcli.
- D. Set the specific CVE exception as an option in Defender running the scan.
正解:B
解説:
Reference tech docs: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/continuous_integration/set_policy_ci_plugins.html Vulnerability rules that target the build tool can allow specific vulnerabilities by creating an exception and setting the effect to 'ignore'. Block them by creating an exception and setting hte effect to 'fail'. For example, you could create a vulnerability rule that explicitly allows CVE-2018-1234 to suppress warnings in the scan results.
質問 # 76
A customer has a requirement to scan serverless functions for vulnerabilities. Which three settings are required to configure serverless scanning? (Choose three )
- A. Credential
- B. Region
- C. Provider
- D. Console Address
- E. Defender Name
正解:C、D、E
質問 # 77
Given this information:
The Console is located at https://prisma-console.mydomain.local The username is: cluster The password is: password123 The image to scan is: myimage:latest Which twistcli command should be used to scan a Container for vulnerabilities and display the details about each vulnerability?
- A. twistcli images scan --console-address prisma-console.mydomain.local -u cluster -p password123 -- vulnerability-details myimage:latest
- B. twistcli images scan --console-address https://prisma-console.mydomain.local -u cluster -p password123 -- details myimage:latest
- C. twistcli images scan --address prisma-console.mydomain.local -u cluster -p password123 --vulnerability- details myimage:latest
- D. twistcli images scan --address https://prisma-console.mydomain.local -u cluster -p password123 --details myimage:latest
正解:C
質問 # 78
Which container scan is constructed correctly?
- A. twistcli images scan -u api -p api --address https://us-west1.cloud.twistlock.com/us-3-123456789 -- container myimage/latest
- B. twistcli images scan -u api -p api --address https://us-west1.cloud.twistlock.com/us-3-123456789 --details myimage/latest
- C. twistcli images scan -u api -p api --docker-address https://us-west1.cloud.twistlock.com/us-3-123456789 myimage/latest
- D. twistcli images scan --docker-address https://us-west1.cloud.twistlock.com/us-3-123456789 myimage/ latest
正解:B
解説:
The correct construction for a container scan using the TwistCLI tool provided by Prisma Cloud (formerly Twistlock) is shown in option C. This command uses the TwistCLI tool to scan a container image, specifying the necessary authentication credentials (username and password with '-u' and '-p' flags), the address of the Prisma Cloud instance (with the '--address' flag), and the image to be scanned (in this case, 'myimage/latest'). The inclusion of the '--details' flag is a common practice to obtain detailed scan results, which is crucial for in-depth analysis and remediation efforts. This command structure aligns with the standard usage of TwistCLI for image scanning purposes, as documented in Prisma Cloud's official resources and guides.
質問 # 79
A DevOps lead reviewed some system logs and notices some odd behavior that could be a data exfiltration attempt The DevOps lead only has access to vulnerability data in Prisma Cloud Compute, so the DevOps lead passes this information to SecOps Which pages in Prisma Cloud Compute can the SecOps lead use to investigate the runtime aspects of this attack?
- A. The SecOps lead should use the Incident Explorer page and Monitor > Events > Container Audits
- B. The SecOps lead should investigate the attack using Vulnerability Explorer and Runtime Radar
- C. The SecOps lead should review the vulnerability scans in the CI/CD process to determine blame
- D. The SecOps lead should use Incident Explorer and Compliance Explorer.
正解:D
質問 # 80
Which type of query is used for scanning Infrastructure as Code (laC) templates?
- A. XML
- B. RQL
- C. API
- D. JSON
正解:D
質問 # 81
......
リアルなPCCSE試験別格な練習試験問題:https://jp.fast2test.com/PCCSE-premium-file.html
100%合格率でリアルなPCCSE試験成功ゲット:https://drive.google.com/open?id=1JPPHy5e7qcMlK1BNihCiyygd728JvTiF