EMT Practice Test

1. Question Content...


Question List

Question1: An administrator needs to detect and alert on any activities performed by a root account.
Which policy type should be used?

Question2: A customer does not want alerts to be generated from network traffic that originates from trusted internal networks.
Which setting should you use to meet this customer's request?

Question3: Console is running in a Kubernetes cluster, and you need to deploy Defenders on nodes within this cluster.
Which option shows the steps to deploy the Defenders in Kubernetes using the default Console service name?

Question4: A customer has Prisma Cloud Enterprise and host Defenders deployed
What are two options that allow an administrator to upgrade Defenders'? (Choose two )

Question5: You are an existing customer of Prisma Cloud Enterprise. You want to onboard a public cloud account and immediately see all of the alerts associated with this account based off ALL of your tenant's existing enabled policies. There is no requirement to send alerts from this account to a downstream application at this time.
Which option shows the steps required during the alert rule creation process to achieve this objective?

Question6: Which two IDE plugins are supported by Prisma Cloud as part of its DevOps Security? (Choose two.)

Question7: Which three steps are involved in onboarding an account for Data Security? (Choose three.)

Question8: You are tasked with configuring a Prisma Cloud build policy for Terraform. What type of query is necessary to complete this policy?

Question9: One of the resources on the network has triggered an alert for a Default Config policy.
Given the following resource JSON snippet:

Which RQL detected the vulnerability?
A)

B)

C)

D)

Question10: You are an existing customer of Prisma Cloud Enterprise. You want to onboard a public cloud account and immediately see all of the alerts associated with this account based off ALL of your tenant's existing enabled policies. There is no requirement to send alerts from this account to a downstream application at this time.
Which options shows the steps required during the alert rule creation process to achieve this objective?

Question11: How are the following categorized?
Backdoor account access Hijacked processes Lateral movement
Port scanning

Question12: The security team wants to protect a web application container from an SQLi attack. Which type of policy should the administrator create to protect the container?

Question13: The security team wants to protect a web application container from an SQLi attack? Which type of policy should the administrator create to protect the container?

Question14: Which option identifies the Prisma Cloud Compute Edition?

Question15: Move the steps to the correct order to set up and execute a serverless scan using AWS DevOps.

Question16: Which three fields are mandatory when authenticating the Prisma Cloud plugin in the IntelliJ application?
(Choose three.)

Question17: Review this admission control policy:
match[{"msg": msg}] { input.request.operation == "CREATE" input.request.kind.kind == "Pod" input.request.resource.resource == "pods" input.request.object.spec.containers[_].securityContext.privileged msg := "Privileged"
}
Which response to this policy will be achieved when the effect is set to "block"?

Question18: The Unusual protocol activity (Internal) network anomaly is generating too many alerts. An administrator has been asked to tune it to the option that will generate the least number of events without disabling it entirely.
Which strategy should the administrator use to achieve this goal?

Question19: Which API calls can scan an image named myimage: latest with twistcli and then retrieve the results from Console?

Question20: A customer has a requirement to automatically protect all Lambda functions with runtime protection. What is the process to automatically protect all the Lambda functions?

Question21: Which step is included when configuring Kubernetes to use Prisma Cloud Compute as an admission controller?

Question22: During an initial deployment of Prisma Cloud Compute, the customer sees vulnerabilities in their environment.
Which statement correctly describes the default vulnerability policy?

Question23: Which port should a security team use to pull data from Console's API?

Question24: An administrator has been tasked with creating a custom service that will download any existing compliance report from a Prisma Cloud Enterprise.
tenant-In which order will the APIs be executed for this service? (Drag the steps into the correct order of occurrence from the first step to the last)

Question25: A customer is reviewing Container audits, and an audit has identified a cryptominer attack. Which three options could have generated this audit? (Choose three.)

Question26: A Prisma Cloud administrator is tasked with pulling a report via API. The Prisma Cloud tenant is located on app2.prismacloud.io.
What is the correct API endpoint?

Question27: A customer finds that an open alert from the previous day has been resolved. No auto-remediation was configured.
Which two reasons explain this change in alert status? (Choose two.)

Question28: What is the order of steps to create a custom network policy?
(Drag the steps into the correct order of occurrence, from the first step to the last.)

Question29: A customer wants to monitor the company's AWS accounts via Prisma Cloud, but only needs the resource configuration to be monitored for now.
Which two pieces of information do you need to onboard this account? (Choose two.)

Question30: The compliance team needs to associate Prisma Cloud policies with compliance frameworks. Which option should the team select to perform this task?

Question31: A customer does not want alerts to be generated from network traffic that originates from trusted internal networks.
Which setting should you use to meet this customer's request?

Question32: Which intensity setting for anomaly alerts is used for the measurement of 100 events over 30 days?

Question33: The Unusual protocol activity (Internal) network anomaly is generating too many alerts An administrator has been asked to tune it to the option that will generate the least number of events without disabling it entirely.
Which strategy should the administrator use to achieve this goal?

Question34: What is the order of steps in a Jenkins pipeline scan?
(Drag the steps into the correct order of occurrence, from the first step to the last.)

Question35: The security auditors need to ensure that given compliance checks are being run on the host. Which option is a valid host compliance policy?

Question36: A customer is interested in PCI requirements and needs to ensure that no privilege containers can start in the environment.
Which action needs to be set for "do not use privileged containers"?

Question37: If you are required to run in an air-gapped environment, which product should you install?

Question38: Which container image scan is constructed correctly?

Question39: You have onboarded a public cloud account into Prisma Cloud Enterprise. Configuration Resource ingestion is visible in the Asset Inventory for the onboarded account, but no alerts are being generated for the configuration assets in the account.
Config policies are enabled in the Prisma Cloud Enterprise tenant, with those policies associated to existing alert rules. ROL statements on the investigate matching those policies return config resource results successfully.
Why are no alerts being generated?

Question40: Which authentication mechanism is supported by Prisma Cloud?

Question41: Which step is included when configuring Kubernetes to use Prisma Cloud Compute as an admission controller?

Question42: An administrator wants to install the Defenders to a Kubernetes cluster. This cluster is running the console on the default service endpoint and will be exporting to YAML.
Console Address: $CONSOLE_ADDRESS Websocket Address: $WEBSOCKET_ADDRESS User: $ADMIN_USER Which command generates the YAML file for Defender install?

Question43: Given the following RQL:

Which audit event snippet is identified by the RQL?
A)

B)

C)

D)

Question44: A customer has serverless functions that are deployed in multiple clouds.
Which serverless cloud provider is covered be "overly permissive service access" compliance check?

Question45: The security team wants to enable the "block" option under compliance checks on the host.
What effect will this option have if it violates the compliance check?

Question46: The development team wants to block Cross Site Scripting attacks from pods in its environment. How should the team construct the CNAF policy to protect against this attack?

Question47: A customer is deploying Defenders to a Fargate environment. It wants to understand the vulnerabilities in the image it is deploying.
How should the customer automate vulnerability scanning for images deployed to Fargate?

Question48: A security team is deploying Cloud Native Application Firewall (CNAF) on a containerized web application.
The application is running an NGINX container. The container is listening on port 8080 and is mapped to host port 80.
Which port should the team specify in the CNAF rule to protect the application?

Question49: A DevOps lead reviewed some system logs and notices some odd behavior that could be a data exfiltration attempt The DevOps lead only has access to vulnerability data in Prisma Cloud Compute, so the DevOps lead passes this information to SecOps Which pages in Prisma Cloud Compute can the SecOps lead use to investigate the runtime aspects of this attack?

Question50: Given this information:
The Console is located at https://prisma-console.mydomain.local The username is: cluster The password is: password123 The image to scan is: myimage:latest Which twistcli command should be used to scan a Container for vulnerabilities and display the details about each vulnerability?

Question51: Match the service on the right that evaluates each exposure type on the left.
(Select your answer from the pull-down list. Answers may be used more than once or not at all.)

Question52: Which statement is true regarding CloudFormation templates?

Question53: What is the maximum number of access keys a user can generate in Prisma Cloud with a System Admin role?

Question54: A customer finds that an open alert from the previous day has been resolved. No auto-remediation was configured.
Which two reasons explain this change in alert status? (Choose two.)

Question55: A customer does not want alerts to be generated from network traffic that originates from trusted internal networks. Which setting should you use to meet this customer's request?

Question56: An administrator has deployed Console into a Kubernetes cluster running in AWS. The administrator also has configured a load balancer in TCP passthrough mode to listen on the same ports as the default Prisma Compute Console configuration In the build pipeline, the administrator wants twistcli to talk to Console over HTTPS Which port will twistcli need to use to access the Prisma Compute APIs?

Question57: A S3 bucket within AWS has generated an alert by violating the Prisma Cloud Default policy "AWS S3 buckets are accessible to public" The policy definition follows:
config where cloud type = 'aws' AND api name='aws-s3api-get-bucket-acr AND json.rule="((((acl grants{?(@ grantee='AllUsers')] size > 0) or policyStatusisPubiic is true) and publicAccessBlockConfiguration does not exist) or ((ad.grantsp(@ grantee=='AII Users')] size > 0) and publicAccessBlockConfiguration ignorePubhcAds is false) or (policyStatus isPublic is true and publicAccessBlockConfiguration.restrictPublicBuckets is false)) and websiteConfiguration does not exist" Why did this alert get generated?

Question58: An administrator has been tasked with a requirement by your DevSecOps team to write a script to continuously query programmatically the existing users, and the user's associated permission levels, in a Prisma Cloud Enterprise tenant.
Which public documentation location should be reviewed to help determine the required attributes to carry out this step?

Question59: An administrator sees that a runtime audit has been generated for a host. The audit message is:
"Service postfix attempted to obtain capability SHELL by executing /bin/sh /usr/libexec/postfix/postfix- script.stop. Low severity audit, event is automatically added to the runtime model" Which runtime host policy rule is the root cause for this runtime audit?

Question60: Which order of steps map a policy to a custom compliance standard?
(Drag the steps into the correct order of occurrence, from the first step to the last.)

Question61: An administrator wants to install the Defenders to a Kubernetes cluster. This cluster is running the console on the default service endpoint and will be exporting to YAML Console Address SCONSOLE_ADDRESS Websocket Address SWEBSOCKHT_ADDRESS User: SADMIN USER Which command generates the YAML file for Defender install?
A)

B)

C)

D)

Question62: Which two CI/CD plugins are supported by Prisma Cloud as part of its DevOps Security? (Choose two.).

Question63: Which option shows the steps to install the Console in a Kubernetes Cluster?

Question64: A manager informs the SOC that one or more RDS instances have been compromised and the SOC needs to make sure production RDS instances are NOT publicly accessible.
Which action should the SOC take to follow security best practices?

Question65: A customer has a development environment with 50 connected Defenders. A maintenance window is set for Monday to upgrade 30 stand-alone Defenders in the development environment, but there is no maintenance window available until Sunday to upgrade the remaining 20 stand-alone Defenders.
Which recommended action manages this situation?

Question66: An administrator needs to write a script that automatically deactivates access keys that have not been used for
30 days In which order should the API calls be used to accomplish this task? (Drag the steps into the correct order from the first step to the last.)

Question67: Which two of the following are required to be entered on the IdP side when setting up SSO in Prisma Cloud?
(Choose two.)

Question68: Given the following JSON query:
$.resource[*].aws_s3_bucket exists
Which tab is the correct place to add the JSON query when creating a Config policy?

Question69: Review this admission control policy:

Which response to this policy will be achieved when the effect is set to "block"?

Question70: An S3 bucket within AWS has generated an alert by violating the Prisma Cloud Default policy "AWS S3 buckets are accessible to public". The policy definition follows:
config where cloud.type = 'aws' AND api.name='aws-s3api-get-bucket-acl' AND json.rule="((((acl.grants[? (@.grantee=='AllUsers')] size > 0) or policyStatus.isPublic is true) and publicAccessBlockConfiguration does not exist) or ((acl.grants[?(@.grantee=='AllUsers')] size > 0) and publicAccessBlockConfiguration.ignorePublicAcis is false) or (policyStatus.isPublic is true and publicAccessBlockConfiguration.restrictPublicBuckets is false)) and websiteConfiguration does not exist" Why did this alert get generated?

Question71: An administrator has deployed Console into a Kubernetes cluster running in AWS. The administrator also has configured a load balancer in TCP passthrough mode to listen on the same ports as the default Prisma Compute Console configuration.
In the build pipeline, the administrator wants twistcli to talk to Console over HTTPS. Which port will twistcli need to use to access the Prisma Compute APIs?

Question72: Match the correct scanning mode for each given operation.
(Select your answer from the pull-down list. Answers may be used more than once or not at all.)

Question73: Which policy type in Prisma Cloud can protect against malware?

Question74: A customer is reviewing Container audits, and an audit has identified a cryptominer attack. Which three options could have generated this audit? (Choose three.)

Question75: A customer has a requirement to restrict any container from resolving the name www.evil-url.com.
How should the administrator configure Prisma Cloud Compute to satisfy this requirement?

Question76: Which type of compliance check is available for rules under Defend > Compliance > Containers and Images
> CI?

Question77: An organization wants to be notified immediately to any "High Severity" alerts for the account group "Clinical Trials" via Slack.
Which option shows the steps the organization can use to achieve this goal?

Question78: Given this information:
* The Console is located at https//prisma-console mydomain local
* The username is ciuser
* The password is password123
* The Image to scan is myimage latest
Which twistcli command should be used to scan a Container for vulnerabilities and display the details about each vulnerability?