PSE-Prisma Cloud Palo Alto Networks Practice Test Questions and Exam Dumps
Question 1
Which two cloud-native providers are supported by Prisma Cloud? (Choose two.)
A. DigitalOcean
B. Azure
C. IBM Cloud
D. Oracle Cloud
Answer: B, D
Explanation:
Prisma Cloud, developed by Palo Alto Networks, is a comprehensive Cloud Native Security Platform (CNSP) designed to provide security and compliance coverage across various cloud environments. Its multicloud support ensures that organizations can maintain a consistent security posture across different cloud service providers.
Supported Cloud Providers:
Azure: Prisma Cloud offers extensive integration with Microsoft Azure, enabling organizations to monitor and secure their Azure resources effectively. This includes visibility into Azure virtual machines, resource hierarchies, and compliance monitoring.
Oracle Cloud: Prisma Cloud provides comprehensive security and compliance support for Oracle Cloud Infrastructure (OCI). This integration allows for the protection of applications and data within OCI, ensuring that workloads are secure regardless of the underlying compute technology.
Unsupported Cloud Providers:
DigitalOcean: While DigitalOcean is a popular cloud service provider, there is no current indication that Prisma Cloud offers direct integration or support for DigitalOcean's infrastructure.
IBM Cloud: Similarly, IBM Cloud is not listed among the cloud service providers that Prisma Cloud supports.
Given the above information, the two cloud-native providers supported by Prisma Cloud are Azure and Oracle Cloud.
Question 2
An image containing medium vulnerabilities without available fixes is being deployed into the sock-shop namespace. Prisma Cloud is configured for vulnerability management within the organization's continuous integration (CI) tool and registry.
What will occur during the attempt to deploy this image from the CI tool into the sock-shop namespace?
A. The image will pass the CI policy but will be blocked by the deployed policy; therefore, it will not be deployed.
B. The CI policy will fail the build; therefore, the image will not be deployed.
C. The image will be deployed successfully, and all vulnerabilities will be reported.
D. The image will be deployed successfully, but no vulnerabilities will be reported.
Answer: C. The image will be deployed successfully, and all vulnerabilities will be reported.
Explanation:
In Prisma Cloud, vulnerability management policies can be configured to define how images with vulnerabilities are handled during the CI/CD pipeline and deployment phases. These policies can specify actions such as alerting or blocking based on the severity of detected vulnerabilities.
In the scenario described, the image contains medium-severity vulnerabilities without available fixes. Typically, organizations configure their CI policies to alert on medium-severity vulnerabilities rather than block the build, especially when no fixes are available. This approach allows development to continue while still informing teams of potential issues.
Additionally, the deployed policy (which governs the behavior of running containers) is often configured similarly, allowing deployment but monitoring for vulnerabilities.
Therefore, during the attempt to deploy this image:
The CI policy will not fail the build because medium vulnerabilities without fixes are typically set to alert, not block.
The image will be deployed successfully into the sock-shop namespace.
All detected vulnerabilities will be reported by Prisma Cloud, providing visibility to the security and development teams.
This aligns with best practices, where organizations aim to balance security with development velocity by allowing deployments while maintaining visibility into potential risks.
The image with medium vulnerabilities lacking available fixes will pass the CI policy, be deployed successfully, and all vulnerabilities will be reported by Prisma Cloud.
Question 3
Which statement applies to optimization of registry scans with version pattern matching?
A. It requires Linux images to rely on optimizing registry scans due to various Linux elements.
B. It is only necessary in registries with tens of thousands of repositories and millions of images.
C. It is best practice to always optimize registry scans for faster results.
D. It is rarely successful in the Windows Operating System (OS).
Correct Answer: C
Explanation:
Registry scanning is a key component of vulnerability management in cloud-native security platforms like Prisma Cloud. As container registries grow in scale—both in terms of repositories and the number of image versions—scan efficiency becomes critical. One technique Prisma Cloud supports to make scans more efficient is version pattern matching, which enables targeted scanning of image versions that match specific naming patterns or tags.
Version pattern matching is a method of filtering which images should be scanned, based on matching version strings or naming conventions (e.g., v1.*, release-*, *latest). This prevents the platform from scanning every version of every image, which is resource-intensive and often redundant if many versions are historical or unused.
This functionality can be used in conjunction with cron-based or event-driven scanning in integrated CI/CD pipelines or when monitoring large image registries (e.g., Docker Hub, ECR, GCR).
It is considered best practice to optimize registry scans using version pattern matching, regardless of the size of the registry, because:
It reduces unnecessary resource consumption by excluding unimportant or historical image versions.
It speeds up scan completion times, providing faster feedback on vulnerable images.
It supports targeted vulnerability detection in production-critical images (e.g., tagged "latest", "stable", or "prod").
Therefore, even in small or medium-scale environments, applying version pattern filters streamlines scanning efforts, making C the correct and universally recommended approach.
A. It requires Linux images to rely on optimizing registry scans due to various Linux elements:
While Linux images are commonly scanned, optimization is not exclusive to Linux. The concept of version pattern matching applies equally to all images regardless of OS. This statement incorrectly ties the optimization specifically to Linux elements.
B. It is only necessary in registries with tens of thousands of repositories and millions of images:
This is too narrow and conditional. While optimization becomes critical at massive scales, it is still beneficial in smaller environments. Hence, saying it’s “only necessary” at scale underplays its broader usefulness and makes it incorrect.
D. It is rarely successful in the Windows Operating System (OS):
There is no evidence or standard to support that version pattern matching is less effective on Windows-based images. Pattern matching is based on image tags, which are not OS-dependent. This statement is misleading.
Version pattern matching is a strategic optimization tool that allows organizations to selectively scan only the most relevant container image versions. It is not limited by operating system, nor should it be reserved only for massive environments. It is a recommended best practice for improving scan performance and precision in any deployment size.
Thus, the correct answer is C.
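The tag filtering described in this explanation, as an added example that is not from the original page or from Prisma Cloud. It applies the patterns quoted above (v1.*, release-*, *latest) to a constructed registry listing and also reports repositories where no tag matches, since those drop out of scanning entirely. Glob semantics via Python's fnmatch are an assumption; the product's own matcher may differ.

```python
from fnmatch import fnmatchcase

# Constructed sample: repository -> tags, as a registry listing might return them.
REGISTRY = {
    "shop/frontend": ["v1.0", "v1.1", "v1.2", "v0.9", "release-2024-01", "dev-a1b2", "latest"],
    "shop/cart": ["v2.0", "v1.9", "pr-118", "pr-119", "release-2023-12", "latest"],
    "tools/builder": ["nightly-0412", "nightly-0413", "scratch"],
}

# Patterns taken from the explanation above.
SCAN_PATTERNS = ["v1.*", "release-*", "*latest"]


def select_tags(tags, patterns):
    """Return the tags that match at least one pattern, in their original order."""
    return [t for t in tags if any(fnmatchcase(t, p) for p in patterns)]


def plan_scan(registry, patterns):
    """Return (plan, uncovered): tags to scan per repository, and the
    repositories where nothing matched and so nothing would be scanned."""
    plan, uncovered = {}, []
    for repo, tags in registry.items():
        chosen = select_tags(tags, patterns)
        if chosen:
            plan[repo] = chosen
        else:
            uncovered.append(repo)
    return plan, uncovered


def coverage(registry, plan):
    """Return (total image tags in the registry, tags selected for scanning)."""
    total = sum(len(tags) for tags in registry.values())
    selected = sum(len(tags) for tags in plan.values())
    return total, selected


if __name__ == "__main__":
    plan, uncovered = plan_scan(REGISTRY, SCAN_PATTERNS)
    total, selected = coverage(REGISTRY, plan)
    for repo, tags in plan.items():
        print(f"scan {repo}: {', '.join(tags)}")
    print(f"{selected} of {total} tags selected")
    # A repository with no matching tag is a coverage gap worth reviewing.
    for repo in uncovered:
        print(f"no tag matched in {repo}: repository would not be scanned")
```
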
Question 4
What is the Prisma Cloud Enterprise required configuration to identify Amazon Web Services (AWS) Elastic Cloud Compute (EC2) instances that have been tagged as "Private"?
A. Open the Asset Dashboard, filter on tags, and choose "Private."
B. Generate a CIS compliance report and review the "Asset Summary."
C. Create an RQL config query to identify resources with the tag "Private."
D. Create an RQL network query to identify traffic from resources tagged "Private."
Correct Answer: C
Explanation:
In Prisma Cloud Enterprise Edition, identifying resources based on custom tags, such as EC2 instances tagged as “Private,” is best accomplished using Resource Query Language (RQL). RQL is the foundation for querying the configuration state of cloud assets. Specifically, when you're trying to filter resources based on metadata such as tags, the appropriate type of query is a config query, not a network or anomaly query.
RQL (Resource Query Language) enables cloud security teams to write custom policies and searches that analyze the configuration metadata of cloud services. EC2 instance tags (such as “Environment:Private” or “Visibility:Private”) are metadata attributes. Prisma Cloud ingests these tags from AWS and allows you to construct queries to search or alert based on those values.
To detect EC2 instances with a "Private" tag, a typical config RQL query would look something like this:
config where cloud.type = 'AWS' AND api.name = 'aws-ec2-describe-instances' AND json.rule = tags[*].key equals "Visibility" and tags[*].value equals "Private"
This query checks:
That the cloud is AWS
That the resource is an EC2 instance
That it contains a tag with key and value identifying it as "Private"
Such a configuration allows ongoing monitoring, alerting, and compliance evaluation of tagged assets.
A. Open the Asset Dashboard, filter on tags, and choose "Private.":
While the Asset Dashboard can show tags and basic filtering, it does not allow granular querying or continuous policy enforcement. This method is also limited in automation and scalability. It’s useful for ad hoc inspection, not continuous monitoring or policy configuration.
B. Generate a CIS compliance report and review the "Asset Summary.":
The CIS compliance report is geared toward specific security benchmarks (e.g., AWS CIS Foundations), and does not provide tag-based filtering. It's not intended for identifying assets based on custom tags like "Private."
D. Create an RQL network query to identify traffic from resources tagged "Private.":
Network RQL queries are used to evaluate network activity, such as traffic flows or connections. While network policies may also reference tags in advanced use cases, tag detection alone—without analyzing traffic—belongs in the config query domain, not network.
To identify AWS EC2 instances tagged with a value like “Private,” Prisma Cloud Enterprise uses its config RQL engine, which examines cloud configuration data, including tags. This enables users to create flexible, automated policies that alert or enforce conditions based on metadata attributes like tags.
Therefore, the correct answer is C.
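A local cross-check of the tag condition in the query above, as an added example that is not from the original page or from Prisma Cloud. It contrasts testing key and value anywhere in the tag list with requiring both on the same tag, and shows what case drift in tags does to an exact match. The instance records are constructed, and treating the two tags[*] clauses as independent tests is an assumption about how the rule reads, not documented engine behaviour.

```python
# Constructed sample in the shape the query addresses (tags[*].key, tags[*].value).
INSTANCES = [
    {"id": "i-constructed-01", "tags": [{"key": "Visibility", "value": "Private"}]},
    {"id": "i-constructed-02", "tags": [{"key": "Visibility", "value": "Public"},
                                        {"key": "Owner", "value": "Private"}]},
    {"id": "i-constructed-03", "tags": [{"key": "visibility", "value": "private"}]},
    {"id": "i-constructed-04", "tags": []},
]


def independent_match(inst, key, value):
    """Some tag has the key AND some tag (possibly another one) has the value."""
    tags = inst.get("tags") or []
    return (any(t.get("key") == key for t in tags)
            and any(t.get("value") == value for t in tags))


def paired_match(inst, key, value):
    """One and the same tag carries both the key and the value."""
    return any(t.get("key") == key and t.get("value") == value
               for t in inst.get("tags") or [])


def paired_match_casefold(inst, key, value):
    """Paired match that ignores case, to surface inconsistently written tags."""
    k, v = key.casefold(), value.casefold()
    return any(str(t.get("key", "")).casefold() == k
               and str(t.get("value", "")).casefold() == v
               for t in inst.get("tags") or [])


def compare(instances, key="Visibility", value="Private"):
    """Return the instance ids each strategy selects, plus the differences."""
    loose = [i["id"] for i in instances if independent_match(i, key, value)]
    strict = [i["id"] for i in instances if paired_match(i, key, value)]
    folded = [i["id"] for i in instances if paired_match_casefold(i, key, value)]
    return {
        "independent": loose,
        "paired": strict,
        "paired_casefold": folded,
        # Selected only because key and value sit on different tags.
        "over_matched": sorted(set(loose) - set(strict)),
        # Tagged as intended but missed by an exact, case-sensitive comparison.
        "missed_by_case": sorted(set(folded) - set(strict)),
    }


if __name__ == "__main__":
    for name, ids in compare(INSTANCES).items():
        print(f"{name}: {ids}")
```
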
Question 5
Which two templates are supported by Cloud Code Security scan service? (Choose two.)
A. Azure Resource Manager (ARM)
B. Hyper Text Markup Language (HTML)
C. GitHub
D. Terraform
Correct Answers:
A. Azure Resource Manager (ARM)
D. Terraform
Explanation:
Prisma Cloud's Code Security module is designed to scan Infrastructure as Code (IaC) templates for misconfigurations, vulnerabilities, and compliance issues. It supports a variety of IaC frameworks, including:
Terraform: Widely used for defining and provisioning infrastructure across various cloud providers.
Azure Resource Manager (ARM) templates: Used to define infrastructure and configurations for Microsoft Azure deployments.
These templates are directly supported by Prisma Cloud's scanning capabilities.
Clarification on Other Options:
B. Hyper Text Markup Language (HTML): HTML is a markup language for creating web pages and is not used for defining infrastructure. Therefore, it is not within the scope of Prisma Cloud's IaC scanning capabilities.
C. GitHub: While Prisma Cloud integrates with GitHub to scan repositories containing IaC templates, GitHub itself is a platform, not a template format. Thus, it is not a template supported by the scan service.
Prisma Cloud's Code Security scan service supports scanning of Terraform and Azure Resource Manager (ARM) templates. These are the correct choices for templates supported by the service.
Question 6
Which type of Prisma Cloud Enterprise alert supports autoremediation?
A. network
B. audit
C. anomaly
D. config
Correct Answer: D
Explanation:
In Prisma Cloud Enterprise, config alerts are the only type of alerts that support auto-remediation. This is because config alerts are tied to Resource Query Language (RQL) policies that check the configuration state of cloud resources. When a noncompliant configuration is detected, Prisma Cloud can trigger automatic corrective actions based on defined remediation scripts.
Config alerts are typically generated by policies that evaluate infrastructure components across major cloud service providers such as AWS, Azure, and GCP. These policies look at things like whether S3 buckets are publicly accessible, whether logging is enabled, or whether encryption is applied. If these configurations deviate from security best practices or compliance requirements, Prisma Cloud not only generates an alert but can also apply auto-remediation through integration with cloud provider APIs, serverless functions (like AWS Lambda), or automation frameworks.
On the other hand, the other alert types—network, audit, and anomaly—are not designed for auto-remediation:
Network alerts focus on monitoring traffic flows and detecting risky or unauthorized communications, such as unexpected ingress from the internet. While they generate alerts, remediation actions like changing security group rules must be handled manually or through external playbooks.
Audit alerts are related to user or system activity and are generated by audit trails and logs. These are valuable for forensics and monitoring but are not connected to config change automation.
Anomaly alerts detect unusual patterns of behavior based on machine learning models. These require human review or further validation before any remediation can occur because automatically acting on anomalies could interrupt legitimate activity.
Because config alerts deal with static and declarative configuration states of resources, they are inherently the safest and most predictable to auto-remediate. For example, if a storage bucket is made public and this violates a policy, the platform can automatically update the resource to remove public access—this type of action is generally low-risk and reversible.
In conclusion, only config alerts in Prisma Cloud Enterprise support auto-remediation, making them a critical component of proactive cloud security posture management.
Question 7
What subcommand invokes the Prisma Cloud Compute (PCC) edition image scanner?
A. > twistcli images scan
B. > twistcli project scan
C. > twistcli scan projects
D. > twistcli scan images
Correct Answer: D
Explanation:
In Prisma Cloud Compute Edition (PCC), the command-line tool twistcli is used to perform various security-related tasks, including scanning container images for vulnerabilities. To invoke the image scanning functionality, the correct subcommand is:
twistcli scan images
This syntax properly instructs twistcli to perform a vulnerability scan on container images. The scan is the primary action verb, and images tells the tool what to scan—in this case, container images.
Let’s break down why the other options are incorrect:
A. twistcli images scan: This option reverses the correct order. The proper syntax in CLI tools like twistcli always places the action (in this case, scan) before the target (images). "images scan" is not a recognized command format.
B. twistcli project scan: This would be used in the context of scanning IaC (Infrastructure as Code) files or code projects—not container images. The term "project" refers to a folder or codebase, not a container artifact.
C. twistcli scan projects: Similar to option B, this syntax would apply if you were scanning code repositories or IaC templates using Prisma Cloud’s Code Security features, but not container images. Also, "projects" is not a valid noun for the scan subcommand in this context.
D. twistcli scan images: This is the correct format, as it follows the standard CLI syntax of specifying an action followed by the object. This subcommand initiates a vulnerability scan against the container image specified in the command arguments.
For example, to scan a Docker image named myapp:latest, you would use:
twistcli scan images myapp:latest
This command scans the specified image using the policies defined in Prisma Cloud Compute Edition, checking for Common Vulnerabilities and Exposures (CVEs), misconfigurations, and compliance violations.
In summary, twistcli is a powerful CLI utility provided by Prisma Cloud Compute Edition, and the correct subcommand to trigger an image scan is twistcli scan images, making D the only valid option.
Question 8
Where can rules be configured and viewed to configure trusted images?
A. Monitor > Compliance > Trusted Images
B. Monitor > Compliance > Images
C. Defend > Compliance > Trusted Images
D. Defend > Compliance > Images
Correct Answer: C
Explanation:
In Prisma Cloud Compute Edition, trusted image policies are crucial for enforcing container security. They allow you to define which images are authorized to run in your environment. This is vital for reducing the risk of deploying vulnerable, outdated, or unapproved images into production.
To configure and view rules for trusted images, you must navigate through the Defend section of the Prisma Cloud interface, not Monitor. The Defend module is where administrators define policies, enforcement rules, and controls that affect runtime behavior and scanning. Trusted image rules fall under this umbrella.
Therefore, the correct navigation path is:
Defend > Compliance > Trusted Images
Let’s analyze the options:
A. Monitor > Compliance > Trusted Images:
This is incorrect because the Monitor section is intended for viewing current and historical security posture—not for configuration. You can observe violations and system behavior here, but cannot define trusted image rules.
B. Monitor > Compliance > Images:
This is also incorrect for the same reason. While you may see compliance results and scan reports here, rule creation or policy enforcement is not handled in the Monitor section.
C. Defend > Compliance > Trusted Images:
This is the correct answer. In the Defend section, under Compliance, the Trusted Images page enables administrators to create allowlists of images that are considered safe. You can configure image patterns (e.g., by repo or tag), set trust rules, and ensure that only these images can be deployed in your environment.
D. Defend > Compliance > Images:
Although this may show general compliance policies and violations across images, it is not the specific location for configuring trusted image rules. The distinction is important—Trusted Images has its own sub-page under Compliance for this purpose.
By using Defend > Compliance > Trusted Images, security teams can enforce best practices, such as:
Allowing only images from verified registries or repositories.
Ensuring images are signed and scanned.
Preventing the use of untrusted or unknown container images at runtime.
This setup is particularly important for CI/CD pipelines and runtime enforcement, ensuring security posture is maintained across the software delivery lifecycle.
Thus, the correct and only valid answer is C.
Question 9
Which two elements does Prisma Cloud monitor when analyzing for unusual user activity? (Choose two.)
A. Operating System (OS)
B. browser
C. location
D. time
Correct Answer: C, D
Explanation:
Prisma Cloud includes a powerful anomaly detection engine that monitors and identifies unusual user activity by leveraging behavioral analytics. This functionality is part of its User Behavior Analytics (UBA), which helps detect potential insider threats or compromised accounts by comparing current user activity against historical patterns.
Two key elements that Prisma Cloud uses to detect anomalous behavior are:
Location: Prisma Cloud tracks the geographical location from which users access cloud resources. By building a baseline of typical access locations (e.g., users typically log in from the U.S.), the system can flag access from unexpected locations (e.g., login from Russia or a previously unseen country) as anomalous. This helps detect possible credential theft or unauthorized access.
Time: Prisma Cloud also monitors access times to determine whether a user’s activity deviates from their normal usage pattern. For example, if a user typically logs in during business hours (e.g., 9 AM to 5 PM) but suddenly logs in at 3 AM, the system may flag this as suspicious. Time-based detection is crucial for identifying potential misuse or unauthorized access during off-hours.
These two elements—location and time—are foundational in many modern cloud security tools for establishing behavioral baselines and identifying anomalies that could indicate security incidents.
A. Operating System (OS):
While Prisma Cloud may track what kind of endpoint or agent is used in some monitoring functions (e.g., host-level insights), the OS itself is not a primary dimension used in user behavior anomaly detection. Prisma Cloud focuses more on behavioral patterns rather than specific device internals for this purpose.
B. Browser:
Similarly, browser type or version is not a core component of anomaly detection in Prisma Cloud’s UBA. Although this data might be logged for auditing or correlation purposes, it’s not typically used as a key behavior signal.
In user behavior analytics, location and time are two of the most effective and frequently used indicators for identifying anomalous access patterns. Prisma Cloud uses these dimensions to generate alerts when activity deviates from the established norm for a given user or role, which is especially important for identifying compromised credentials or malicious insiders.
Thus, the correct answer is C and D.
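The location and time baselining described in this explanation, as an added example that is not from the original page and is not Prisma Cloud's detection logic. It builds a per-user baseline from constructed login events and flags later logins from an unseen country, at an unusual hour, or from a user with no history. The event format, the one-hour slack and the reason labels are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed login history: (user, timestamp, country). All timestamps are
# assumed to be recorded in one time zone.
HISTORY = [
    ("alice", "2024-05-01T09:12:00", "US"),
    ("alice", "2024-05-02T10:30:00", "US"),
    ("alice", "2024-05-03T13:05:00", "US"),
    ("alice", "2024-05-06T16:45:00", "US"),
]

# Constructed events to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "2024-05-07T14:00:00", "US"),
    ("alice", "2024-05-08T03:02:00", "US"),
    ("alice", "2024-05-08T10:15:00", "BR"),
    ("alice", "2024-05-09T02:40:00", "BR"),
    ("bob", "2024-05-08T11:00:00", "US"),
]


def build_baseline(events, hour_slack=1):
    """Record, per user, the countries seen and the login hours seen,
    widened by hour_slack hours on each side to avoid flagging near misses."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for user, ts, country in events:
        hour = datetime.fromisoformat(ts).hour
        baseline[user]["countries"].add(country)
        for delta in range(-hour_slack, hour_slack + 1):
            baseline[user]["hours"].add((hour + delta) % 24)
    return baseline


def reasons_for(event, baseline):
    """Return the reasons an event deviates from its user's baseline."""
    user, ts, country = event
    profile = baseline.get(user)  # .get() does not create a default entry
    if profile is None:
        # No history: nothing to compare against, so surface it separately.
        return ["no-baseline"]
    reasons = []
    if country not in profile["countries"]:
        reasons.append("new-location")
    if datetime.fromisoformat(ts).hour not in profile["hours"]:
        reasons.append("unusual-time")
    return reasons


def detect(events, baseline):
    """Return (user, timestamp, reasons) for every event with a deviation."""
    flagged = []
    for event in events:
        reasons = reasons_for(event, baseline)
        if reasons:
            flagged.append((event[0], event[1], reasons))
    return flagged


if __name__ == "__main__":
    for user, ts, reasons in detect(NEW_EVENTS, build_baseline(HISTORY)):
        print(f"{ts} {user}: {', '.join(reasons)}")
```
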
Question 10
How does Prisma Cloud Enterprise autoremediate unwanted violations to public cloud infrastructure?
A. It inspects the application program interface (API) call made to public cloud and blocks the change if a policy violation is found.
B. It makes changes after a policy violation has been identified in monitoring.
C. It locks all changes to public cloud infrastructure and stops any configuration changes without prior approval.
D. It uses machine learning (ML) to identify unusual changes to infrastructure.
Correct Answer: B
Explanation:
Prisma Cloud Enterprise enables auto-remediation of security and compliance violations in public cloud environments by leveraging its monitoring and policy enforcement capabilities. Auto-remediation is a powerful feature that enhances cloud security posture by automatically correcting or reversing configuration changes that violate predefined security policies.
Auto-remediation in Prisma Cloud occurs in response to a detected violation, meaning that Prisma Cloud does not block actions in real time, but rather monitors cloud activity, detects violations after they occur, and then executes predefined remediation actions to resolve or mitigate the violation. These remediations can include actions such as:
Removing public access to an S3 bucket
Revoking insecure IAM permissions
Terminating vulnerable or misconfigured resources
Disabling exposed services or ports
Thus, the correct behavior is accurately described by:
B. It makes changes after a policy violation has been identified in monitoring.
A. It inspects the application program interface (API) call made to public cloud and blocks the change if a policy violation is found:
This describes a proactive or inline enforcement mechanism, which Prisma Cloud does not typically perform at the API gateway level. Prisma Cloud monitors cloud APIs after the fact rather than intercepting and blocking API calls.
C. It locks all changes to public cloud infrastructure and stops any configuration changes without prior approval:
This is not accurate. Prisma Cloud does not operate by locking infrastructure or requiring approvals. It enforces policies through post-change detection and automated remediation—not by halting all activity preemptively.
D. It uses machine learning (ML) to identify unusual changes to infrastructure:
While Prisma Cloud does incorporate ML-based anomaly detection in some areas (e.g., user behavior analytics), auto-remediation of infrastructure misconfigurations is based on rules and policies, not ML.
Prisma Cloud's auto-remediation capabilities operate after a policy violation is detected by continuously monitoring the public cloud environment via APIs. Once an unwanted change is identified (such as a security group being made overly permissive), it applies a predefined response—such as reverting the change, notifying security teams, or executing a script.
Therefore, the correct answer is B.
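The detect-then-remediate model from this explanation and from Question 6, as an added example that is not from the original page and does not use Prisma Cloud's or any cloud provider's API. It replays a constructed change feed against periodic monitoring passes to show that a violating change is applied first and corrected at the next pass, and that a policy without a remediation only alerts. Policy names, the scan interval and the resource records are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Policy:
    name: str
    violates: Callable[[dict], bool]
    remediate: Optional[Callable[[dict], None]] = None  # None means alert only


def close_public_access(cfg):
    """Remediation action: remove public access from the resource."""
    cfg["public"] = False


# Hypothetical config policies: one with a remediation, one alert-only.
POLICIES = [
    Policy("storage-bucket-public", lambda c: c.get("public", False), close_public_access),
    Policy("storage-bucket-unencrypted", lambda c: not c.get("encrypted", True)),
]

# Constructed change feed: (minute, resource name, configuration after the change).
CHANGES = [
    (3, "bucket-logs", {"public": True, "encrypted": True}),
    (6, "bucket-data", {"public": False, "encrypted": False}),
]


def monitoring_pass(now, resources, policies):
    """Evaluate every policy against the current configuration state and
    apply the remediation, if one is defined, after the violation is found."""
    alerts = []
    for name, res in resources.items():
        for pol in policies:
            if not pol.violates(res["config"]):
                continue
            remediated = False
            if pol.remediate is not None:
                pol.remediate(res["config"])
                remediated = not pol.violates(res["config"])  # verify the fix
            alerts.append({
                "minute": now, "resource": name, "policy": pol.name,
                "exposed_minutes": now - res["changed_at"],
                "remediated": remediated,
            })
    return alerts


def simulate(changes, policies, scan_every=5, until=10):
    """Replay the change feed minute by minute with a pass every scan_every."""
    resources, alerts = {}, []
    for minute in range(until + 1):
        for when, name, cfg in changes:
            if when == minute:
                # The change takes effect; nothing inspects or blocks it inline.
                resources[name] = {"config": dict(cfg), "changed_at": when}
        if minute % scan_every == 0:
            alerts.extend(monitoring_pass(minute, resources, policies))
    return alerts, resources


if __name__ == "__main__":
    alerts, final_state = simulate(CHANGES, POLICIES)
    for a in alerts:
        print(a)
    print(final_state)
```
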