PCCSE: Prisma Certified Cloud
Security Engineer
The Prisma Certified Cloud Security Engineer (PCCSE) certification validates the knowledge, skills and abilities required to onboard, deploy and administer all aspects of Prisma Cloud. Individuals with the PCCSE certification will have demonstrated in-depth knowledge of Palo Alto Networks Prisma Cloud technology and resources .
Certification Objectives
The cloud has changed all aspects of application development lifecycles. The Prisma Cloud platform offers the industry’s broadest security and compliance coverage—for applications, data, and the entire cloud native technology stack—throughout the development lifecycle and across multi- and hybrid cloud environments. The certification objectives cover Prisma Cloud, Prisma Cloud Enterprise, and Prisma Cloud Compute.
Palo Alto Networks Certifications not only benefits organizations, but also benefits the individuals by showcasing their knowledge of the Palo Alto Networks product portfolio. It provides an immediate improvement of their professional profile and aligns them with the fastest-growing security company for those with their sights on the future.
Target Audience
Anyone interested in demonstrating knowledge, skill and abilities with Prisma Cloud including cloud security, customer success, DevOps, cloud support, professional services and Appsec engineers, cybersecurity architects, and team leads.
Enablement Path
This certification has no prerequisites. Recommended training include s the Prisma Cloud Monitoring and Securing (EDU-150) course, the Prisma Cloud: Onboarding and Operationalizing (EDU-152) course, PCC training, and experience with containers, cloud architecture and computing.
Palo Alto Networks Education
The technical curriculum developed and authorized by Palo Alto Networks and delivered by Palo Alto Networks Authorized Training Partners helps provide the knowledge and expertise that prepare you to protect our digital way of life. Our trusted certifications validate your knowledge of the Palo Alto Networks product portfolio and your ability to help prevent successful cyberattacks and safely enable applications.
Domain Weight (%)
Install and Upgrade 18%
Visibility, Security and Compliance 20%
Cloud Workload Protection Platform 22%
Data Loss Prevention 9%
Web Application and API Security 5%
Dev SecOps Security (Shift-Left) 11%
Prisma Cloud Administration (inc. Compute) 15%
Domain 1 Install and upgrade 18%
Task 1.1 Deploy and manage Console for the Compute Edition
1.1.1 Locate and download Prisma Cloud release software.
1.1.2 Install Console in onebox configuration.
1.1.3 Install Console in Kubernetes.
1.1.4 Perform upgrade on Console.
Task 1.2 Deploy and manage Defenders
1.2.1 Deploy Container Defenders.
1.2.2 Deploy Host Defenders.
1.2.3 Deploy Serverless Defenders.
1.2.4 Deploy App-embedded Defenders.
1.2.5 Configure networking for Defender to Console connectivity.
1.2.6 Perform upgrade on Defenders.
Domain 2 Visibility, Security and Compliance 20%
Task 2.1 Configure policies
2.1.1 Understand policies related to compliance standards.
2.1.2 Build custom policies.
2.1.3 Identify policy types.
Task 2.2 Configure alerting and notifications
2.2.1 Understand alert states.
2.2.2 Build alert rules.
2.2.3 Create alert notifications.
2.2.4 Investigate alerts.
Task 2.3 Understand third-party integrations
2.3.1 Understand inbound and outbound notifications.
Task 2.4 Perform ad hoc investigations
2.4.1 Investigate resource configuration with RQL.
2.4.2 Investigate user activity using RQL.
2.4.3 Investigate network activity using RQL.
2.4.4 Investigate anomalous user event(s)..
Task 2.5 Identify assets in a Cloud account
2.5.1 Identify inventory of resources in a cloud account.
2.5.2 Identify how to check resource configuration history.
Task 2.6 Use Prisma Cloud APIs
2.6.1 Use APIs for automation of tasks.
2.6.2 Use APIs for custom queries.
Domain 3 Cloud Workload Protection Platform 22%
Task 3.1 Monitor and Protect Against Image Vulnerabilities
3.1.1 Understand how to Investigate Image Vulnerabilities.
3.1.2 Configure Image Vulnerability Policy.
Task 3.2 Monitor and Protect Host Vulnerabilities
3.2.1 Understand how to Investigate Host Vulnerabilities.
3.2.2 Configure Host Vulnerability Policy.
Task 3.3 Monitor and Enforce Image/Container Compliance
3.3.1 Understand how to Investigate Image and Container Compliance.
3.3.2 Configure Image and Container Compliance Policy.
Task 3.4 Monitor and Enforce Host Compliance
3.4.1 Understand how to Investigate Host Compliance.
3.4.2 Configure Host Compliance Policy.
Task 3.5 Monitor and Enforce Container Runtime
3.5.1 Understand container models.
3.5.2 Configure container runtime policies.
3.5.3 Understand container runtime audits.
3.5.4 Investigate incidents using Incident Explorer.
Task 3.6 Configure cloud native application firewalls
3.6.1 Configure cloud native application firewall policies.
Task 3.7 Monitor and Protect Against Serverless Vulnerabilities
3.7.1 Understand how to Investigate Serverless Vulnerabilities.
3.7.2 Configure Serverless Vulnerability Policy.
3.7.3 Configure Serverless Auto-Protect functionality.
Domain 4 Data Loss Prevention 9%
Task 4.1 Onboarding
4.1.1 Configure CloudTrail and SNS.
4.1.2 Configure Scan options.
Task 4.2 Use Data Dashboard features
4.2.1 Classify objects.
4.2.2 List object permissions for visibility.
4.2.3 Viewing Data inventory.
4.2.4 Viewing Resource Explorer.
4.2.5 List Object Identifiers.
4.2.6 Knowing Object exposure states.
Task 4.3 Assess Data Policies and Alerts
4.3.1 Differentiate differences between malware and regular policies.
4.3.2 Understand the scope of alert notifications.
Domain 5 Web Application and API Security 5%
Task 5.1 Configure CNAF policies
Domain 6 Dev SecOps Security (Shift-Left) 11%
Task 6.1 Implement scanning for IAC templates
6.1.1 Differentiate between Terraform and Cloudformation scanning configurations.
6.1.2 List OOTB IAC scanning integrations.
6.1.3 Configure API scanning for IAC templates.
Task 6.2 Configure policies in Console for IAC scanning
6.2.1 Review OOTB policies for IAC scanning.
6.2.2 Configure custom build policies for IAC scanning.
Task 6.3 Integrate Compute scans into CI/CD pipeline
6.3.1 Integrate container scans into CI/CD pipeline.
6.3.2 Integrate serverless scans into CI/CD pipeline.
6.3.3 Identify different options for scanning: Twistclip and plugins.
Task 6.4 Configure CI policies for Compute scanning
6.4.1 Review default CI policies for Compute scanning.
6.4.2 Configure custom CI policies for Compute scanning.
Domain 7 Prisma Cloud Administration -include Compute 15%
Task 7.1 Onboard accounts
7.1.1 Onboarding cloud accounts.
7.1.2 Configure account groups.
Task 7.2 Configure RBAC
7.2.1 Differentiate between Prisma Cloud and Compute roles.
7.2.2 Configure Prisma Cloud and Compute roles.
Task 7.3 Configure admission controller
7.3.1 Configure defender as an admission controller.
7.3.2 Create OPA policies.
Task 7.4 Configure logging
7.4.1 Familiarize with audit logging.
7.4.2 Enable defender logging.
Task 7.5 Manage enterprise settings
7.5.1 Differentiate UEBA settings.
7.5.2 Configure idle timeout.
7.5.3 Set autoenable policies.
7.5.4 Set mandatory dismissal reason(s).
7.5.5 Enable user attribution.
Task 7.6 Understand third-party integrations
7.6.1 Understand inbound and outbound notifications.
7.6.2 Configure third-party integration for alerts.
Task 7.7 Leverage Compute APIs
7.7.1 Authenticate with APIs.
7.7.2 Locate API documentation.
7.7.3 List policies by API.
7.7.4 Manage alerts using APIs.
7.7.5 Create reports using APIs.
7.7.6 Download vulnerability results via API.
QUESTION 1
Given a default deployment of Console, a customer needs to identify the alerted compliance checks that are set by default.
Where should the customer navigate in Console?
A. Monitor > Compliance
B. Defend > Compliance
C. Manage > Compliance
D. Custom > Compliance
Correct Answer: B
Explanation/Reference:
Reference: https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/
manage_compliance.html
QUESTION 2
Which container scan is constructed correctly?
A. twistcli images scan -u api -p api –address https://us-west1.cloud.twistlock.com/us-3-123456789 — container myimage/latest
B. twistcli images scan –docker-address https://us-west1.cloud.twistlock.com/us-3-123456789 myimage/ latest
C. twistcli images scan -u api -p api –address https://us-west1.cloud.twistlock.com/us-3-123456789 –details myimage/latest
D. twistcli images scan -u api -p api –docker-address https://us-west1.cloud.twistlock.com/us-3-123456789 myimage/latest
Correct Answer: B
QUESTION 3
The development team wants to fail CI jobs where a specific CVE is contained within the image.
How should the development team configure the pipeline or policy to produce this outcome?
A. Set the specific CVE exception as an option in Jenkins or twistcli.
B. Set the specific CVE exception as an option in Defender running the scan.
C. Set the specific CVE exception as an option using the magic string in the Console.
D. Set the specific CVE exception in Console’s CI policy.
Correct Answer: C
QUESTION 4
Which three types of classifications are available in the Data Security module? (Choose three.)
A. Personally identifiable information
B. Malicious IP
C. Compliance standard
D. Financial information
E. Malware
Correct Answer: CDE
Actualkey Paloalto Networks PCCSE Exam pdf, CertkingdomPaloalto Networks PCCSE PDF
Best Paloalto Networks PCCSE Certification, Paloalto Networks PCCSE Training at certkingdom.com
