Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
MuleSoft
Okta
Palo Alto Networks
Salesforce
SAP
All Vendors
  1. Home
  2. Palo Alto Networks
  3. PCCSE

Palo Alto Networks PCCSE Exam (page: 2)
Palo Alto Networks Prisma Certified Cloud Security Engineer
Updated on: 28-Jul-2025

Viewing Page 2 of 51
PCCSE PDF 260 Questions

Which statement is true about obtaining Console images for Prisma Cloud Compute Edition?

  1. To retrieve Prisma Cloud Console images using basic auth:
    1. Access registry.paloaltonetworks.com, and authenticate using `docker login'.
    2. Retrieve the Prisma Cloud Console images using `docker pull'.
  2. To retrieve Prisma Cloud Console images using basic auth:
    1. Access registry.twistlock.com, and authenticate using `docker login'.
    2. Retrieve the Prisma Cloud Console images using `docker pull'.
  3. To retrieve Prisma Cloud Console images using URL auth:
    1. Access registry-url-auth.twistlock.com, and authenticate using the user certificate.
    2. Retrieve the Prisma Cloud Console images using `docker pull'.
  4. To retrieve Prisma Cloud Console images using URL auth:
    1. Access registry-auth.twistlock.com, and authenticate using the user certificate.
    2. Retrieve the Prisma Cloud Console images using `docker pull'.

Answer(s): A

Explanation:

Retrieving Prisma Cloud Console images involves accessing a specific registry provided by Palo Alto Networks and authenticating using basic authentication with 'docker login'. Once authenticated, the user can pull the Prisma Cloud Console images using the 'docker pull' command. This process is part of the initial setup for deploying Prisma Cloud Console in an environment, allowing users to obtain the necessary images to run the Console, which serves as the central management interface for Prisma Cloud. The detailed steps, including the specific registry URL and authentication method, are typically provided in the Prisma Cloud documentation, ensuring that users have the information needed to successfully retrieve and deploy Console images.



Which two statements are true about the differences between build and run config policies? (Choose two.)

  1. Run and Network policies belong to the configuration policy set.
  2. Build and Audit Events policies belong to the configuration policy set.
  3. Run policies monitor resources, and check for potential issues after these cloud resources are deployed.
  4. Build policies enable you to check for security misconfigurations in the IaC templates and ensure that these issues do not get into production.
  5. Run policies monitor network activities in your environment, and check for potential issues during runtime.

Answer(s): C,D

Explanation:

In the context of Prisma Cloud, Build and Run policies serve distinct purposes in securing cloud environments. Build policies are designed to evaluate Infrastructure as Code (IaC) templates before deployment. These policies help identify and remediate security misconfigurations in the development phase, ensuring that vulnerabilities are addressed before the infrastructure is provisioned. This proactive approach enhances security by preventing misconfigurations from reaching production environments.
On the other hand, Run policies are applied to resources that are already deployed in the cloud. These policies continuously monitor the cloud environment, detecting and alerting on potential security issues that arise in the runtime. Run policies help maintain the security posture of cloud resources by identifying deviations from established security baselines and enabling quick remediation of identified issues.
Both Build and Run policies are integral to a comprehensive cloud security strategy, addressing security concerns at different stages of the cloud resource lifecycle--from development and deployment to ongoing operation.



A security team notices a number of anomalies under Monitor > Events. The incident response team works with the developers to determine that these anomalies are false positives.

What will be the effect if the security team chooses to Relearn on this image?

  1. The model is deleted, and Defender will relearn for 24 hours.
  2. The anomalies detected will automatically be added to the model.
  3. The model is deleted and returns to the initial learning state.
  4. The model is retained, and any new behavior observed during the new learning period will be added to the existing model.

Answer(s): D

Explanation:

In Prisma Cloud, when anomalies are detected and the security team chooses to Relearn on a specific image, the existing behavioral model for that image is not deleted. Instead, the system retains the model and enters a new learning period, during which it observes the behavior of the container based on the image. If new behaviors are observed during this period, they are added to the existing model, thereby refining and updating the model to reflect the current operational profile of the container. This approach allows for dynamic adaptation to changes in container behavior while preserving the valuable insights and patterns already established in the model. The Relearn function is part of Prisma Cloud's adaptive capabilities, enabling it to maintain accurate and up-to-date behavioral models that reflect the evolving nature of containerized applications.



A customer does not want alerts to be generated from network traffic that originates from trusted internal networks.

Which setting should you use to meet this customer's request?

  1. Trusted Login IP Addresses
  2. Anomaly Trusted List
  3. Trusted Alert IP Addresses
  4. Enterprise Alert Disposition

Answer(s): C

Explanation:

B --> Anomaly Trusted List--Exclude trusted IP addresses when conducting tests for PCI compliance or penetration testing on your network. Any addresses included in this list do not generate alerts against the Prisma Cloud Anomaly Policies that detect unusual network activity such as the policies that detect internal port scan and port sweep activity, which are enabled by default. C --> Trusted Alert IP Addresses--If you have internal networks that connect to your public cloud infrastructure, you can add these IP address ranges (or CIDR blocks) as trusted ... Prisma Cloud default network policies that look for internet exposed instances also do not generate alerts when the source IP address is included in the trusted IP address list and the account hijacking anomaly policy filters out activities from known IP addresses. Also, when you use RQL to query network traffic, you can filter out traffic from known networks that are included in the trusted IP address list. For a customer who does not want alerts to be generated from network traffic originating from trusted internal networks, the appropriate setting is C. Trusted Alert IP Addresses. This setting allows for specifying certain IP addresses as trusted, meaning alerts will not be triggered by activities from these IPs, ensuring that internal network traffic is not flagged as potentially malicious.



A DevOps lead reviewed some system logs and notices some odd behavior that could be a data exfiltration attempt. The DevOps lead only has access to vulnerability data in Prisma Cloud Compute, so the DevOps lead passes this information to SecOps.

Which pages in Prisma Cloud Compute can the SecOps lead use to investigate the runtime aspects of this attack?

  1. The SecOps lead should investigate the attack using Vulnerability Explorer and Runtime Radar.
  2. The SecOps lead should use Incident Explorer and Compliance Explorer.
  3. The SecOps lead should use the Incident Explorer page and Monitor > Events > Container Audits.
  4. The SecOps lead should review the vulnerability scans in the CI/CD process to determine blame.

Answer(s): C

Explanation:

To investigate the runtime aspects of a potential data exfiltration attempt, the SecOps lead in Prisma

Cloud Compute should focus on areas that provide insights into runtime activity and potential threats. C. The SecOps lead should use the Incident Explorer page and Monitor > Events > Container Audits. These sections provide detailed information on security incidents and container-level activities, enabling a thorough investigation into the runtime behavior that might indicate a security issue.



Viewing Page 2 of 51



Share your comments for Palo Alto Networks PCCSE exam with other users:

VoiceofMidnight 12/17/2023 4:07:00 PM

Delayed the exam until December 29th.
UNITED STATES


Umar Ali 8/29/2023 2:59:00 PM

A and D are True
Anonymous


vel 8/28/2023 9:17:09 AM

good one with explanation
Anonymous


Gurdeep 1/18/2024 4:00:15 PM

This is one of the most useful study guides I have ever used.
CANADA