Summer Special Flat 65% Limited Time Discount offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

CyberArk PAM-DEF CyberArk Defender - PAM Exam Practice Test

Page: 1 / 24
Total 239 questions

CyberArk Defender - PAM Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$42  $119.99

PDF Study Guide

  • Product Type: PDF Study Guide
$36.75  $104.99
Question 1

You want to create a new onboarding rule.

Where do you accomplish this?

Options:

A.

In PVWA, click Reports > Unmanaged Accounts > Rules

B.

In PVWA, click Options > Platform Management > Onboarding Rules

C.

In PrivateArk, click Tools > Onboarding Rules

D.

In PVWA, click Accounts > Onboarding Rules

Question 2

What does the minvalidity parameter on a platform policy determine?

Options:

A.

time between a password retrieval and the account becoming eligible for a password change

B.

timeout for users signed into the PVWA as configured in the global settings

C.

minimum amount of time that Just in Time access is valid

D.

time in minutes before an empty safe will be automatically deleted

Question 3

What are the mandatory fields when onboarding from Pending Accounts? (Choose two.)

Options:

A.

Address

B.

Safe

C.

Account Description

D.

Platform

E.

CPM

Question 4

You need to enable the PSM for all platforms.

Where do you perform this task?

Options:

A.

Platform Management > (Platform) > UI & Workflows

B.

Master Policy > Session Management

C.

Master Policy > Privileged Access Workflows

D.

Administration > Options > Connection Components

Question 5

Secure Connect provides the following. Choose all that apply.

Options:

A.

PSM connections to target devices that are not managed by CyberArk.

B.

Session Recording

C.

Real-time live session monitoring.

D.

PSM connections from a terminal without the need to login to the PVWA

Question 6

Which file must be edited on the Vault to configure it to send data to PTA?

Options:

A.

dbparm.ini

B.

PARAgent.ini

C.

my.ini

D.

padr.ini

Question 7

What is the purpose of the PrivateArk Server service?

Options:

A.

Executes password changes

B.

Maintains Vault metadata

C.

Makes Vault data accessible to components

D.

Sends email alerts from the Vault

Question 8

Where can reconcile and/or logon accounts be linked to an account? (Choose two.)

Options:

A.

account settings

B.

platform settings

C.

master policy

D.

safe settings

E.

service account settings

Question 9

Platform settings are applied to _________.

Options:

A.

The entire vault.

B.

Network Areas

C.

Safes

D.

Individual Accounts

Question 10

Which built-in report from the reports page in PVWA displays the number of days until a password is due to expire?

Options:

A.

Privileged Accounts Inventory

B.

Privileged Accounts Compliance Status

C.

Activity Log

D.

Privileged Accounts CPM Status

Question 11

A Logon Account can be specified in the Master Policy.

Options:

A.

TRUE

B.

FALSE

Question 12

If a user is a member of more than one group that has authorizations on a safe, by default that user is granted________.

Options:

A.

the vault will not allow this situation to occur.

B.

only those permissions that exist on the group added to the safe first.

C.

only those permissions that exist in all groups to which the user belongs.

D.

the cumulative permissions of all groups to which that user belongs.

Question 13

Where can you check that the LDAP binding is using TCP/636?

Options:

A.

in Active Directory under "Users OU" => "User Properties" => "External Bindings" => "Port"

B.

in PVWA, under "LDAP Integration" => "LDAP" => "Directories" => "" => "Hosts" => "Host"

C.

in PrivateArk Client, under "Tools" => "Administrative Tools" => "Directory Mapping" => ""

D.

From the PVWA, connect to the domain controller using Test-NetConnection on Port 636.

Question 14

What is the chief benefit of PSM?

Options:

A.

Privileged session isolation

B.

Automatic password management

C.

Privileged session recording

D.

‘Privileged session isolation’ and ‘Privileged session recording’

Question 15

A Simple Mail Transfer Protocol (SMTP) integration is critical for monitoring Vault activity and facilitating workflow processes, such as Dual Control.

Options:

A.

True

B.

False

Question 16

Which Master Policy Setting must be active in order to have an account checked-out by one user for a pre-determined amount of time?

Options:

A.

Require dual control password access Approval

B.

Enforce check-in/check-out exclusive access

C.

Enforce one-time password access

D.

Enforce check-in/check-out exclusive access & Enforce one-time password access

Question 17

You want to build a connector that connects to a website through the Web applications for PSM framework.

Which default connector do you duplicate and modify?

Options:

A.

PSM-ChromeSample

B.

PSM-WebForm

C.

PSM-WebApp

D.

PSM-WebAppSample

Question 18

To change the safe where recordings are kept for a specific platform, which setting must you update in the platform configuration?

Options:

A.

SessionRecorderSafe Most Voted

B.

SessionSafe

C.

RecordingsPath

D.

RecordingLocation

Question 19

When running a “Privileged Accounts Inventory” Report through the Reports page in PVWA on a specific safe, which permission/s are required on that safe to show complete account inventory information?

Options:

A.

List Accounts, View Safe Members

B.

Manage Safe Owners

C.

List Accounts, Access Safe without confirmation

D.

Manage Safe, View Audit

Question 20

Match the connection component to the corresponding OS/Function.

Options:

Question 21

Which report provides a list of account stored in the vault.

Options:

A.

Privileged Accounts Inventory

B.

Privileged Accounts Compliance Status

C.

Entitlement Report

D.

Active Log

Question 22

How much disk space do you need on the server for a PAReplicate?

Options:

A.

500 GB

B.

1 TB

C.

same as disk size on Satellite Vault

D.

same as disk size on Primary Vault

Question 23

If PTA is integrated with a supported SIEM solution, which detection becomes available?

Options:

A.

unmanaged privileged account

B.

privileged access to the Vault during irregular days

C.

riskySPN

D.

exposed credentials

Question 24

What is the maximum number of levels of authorization you can set up in Dual Control?

Options:

A.

1

B.

2

C.

3

D.

4

Question 25

Which report shows the accounts that are accessible to each user?

Options:

A.

Activity report

B.

Entitlement report

C.

Privileged Accounts Compliance Status report

D.

Applications Inventory report

Question 26

Which user(s) can access all passwords in the Vault?

Options:

A.

Administrator

B.

Any member of Vault administrators

C.

Any member of auditors

D.

Master

Question 27

When a group is granted the 'Authorize Account Requests' permission on a safe Dual Control requests must be approved by

Options:

A.

Any one person from that group

B.

Every person from that group

C.

The number of persons specified by the Master Policy

D.

That access cannot be granted to groups

Question 28

What can you do to ensure each component server is operational?

Options:

A.

Logon to PVWA with v10 UI, navigate to Healthcheck, and validate each component server is connected to the Vault.

B.

Ping each component server to ensure connectivity.

C.

Use the PrivateArk client to connect to the Vault server and validate all the services are running.

D.

Install the Vault Server interface on a remote machine to avoid interactive logon to the Vault OS and review the ITALog.log through the Vault Server interface.

Question 29

Users are unable to launch Web Type Connection components from the PSM server. Your manager asked you to open the case with CyberArk Support.

Which logs will help the CyberArk Support Team debug the issue? (Choose three.)

Options:

A.

PSMConsole.log

B.

PSMDebug.log

C.

PSMTrace.log

D.

.Component.log

E.

PMconsole.log

F.

ITAlog.log

Question 30

The Privileged Access Management solution provides an out-of-the-box target platform to manage SSH keys, called UNIX Via SSH Keys.

How are these keys managed?

Options:

A.

CyberArk stores Private keys in the Vault and updates Public keys on target systems.

B.

CyberArk stores Public keys in the Vault and updates Private keys on target systems.

C.

CyberArk does not store Public or Private keys and instead uses a reconcile account to create keys on demand.

D.

CyberArk stores both Private and Public keys and can update target systems with either key.

Question 31

During a High Availability node switch you notice an error and the Cluster Vault Manager Utility fails back to the original node.

Which log files should you check to investigate the cause of the issue? (Choose three.)

Options:

A.

CyberArk Webconsole.log

B.

VaultDB.log

C.

PM_Error.log

D.

ITALog.log

E.

ClusterVault.console.log

F.

logiccontainer.log

Question 32

Which of the following logs contains information about errors related to PTA?

Options:

A.

ITAlog.log

B.

diamond.log

C.

pm_error.log

D.

WebApplication.log

Question 33

Before failing back to the production infrastructure after a DR exercise, what must you do to maintain audit history during the DR event?

Options:

A.

Ensure that the Production Instance replicates changes that occurred from the Disaster Recovery Instance.

B.

Briefly stop and start the Disaster Recovery Instance before attempting to fail components back to the Production Instance.

C.

Stop the CPM services before starting the production server.

D.

Perform an IIS Reset on all PVWA servers.

Question 34

Which of the following files must be created or configured m order to run Password Upload Utility? Select all that apply.

Options:

A.

PACli.ini

B.

Vault.ini

C.

conf.ini

D.

A comma delimited upload file

Question 35

How much disk space do you need on a server to run a full replication with PAReplicate?

Options:

A.

500 GB

B.

1 TB

C.

same as disk size on Satellite Vault

D.

at least the same disk size as the Primary Vault

Question 36

The password upload utility must run from the CPM server

Options:

A.

TRUE

B.

FALSE

Question 37

tsparm.ini is the main configuration file for the Vault.

Options:

A.

True

B.

False

Question 38

When a DR Vault Server becomes an active vault, it will automatically revert back to DR mode once the Primary Vault comes back online.

Options:

A.

True; this is the default behavior

B.

False, the Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the padr.ini file

C.

True, if the AllowFailback setting is set to “yes” in the padr.ini file

D.

False, the Vault administrator must manually set the DR Vault to DR mode by setting “FailoverMode=no” in the dbparm.ini file

Question 39

Which command generates a full backup of the Vault?

Options:

A.

PAReplicate.exe Vault.ini /LogonFromFile user.ini /FullBackup

B.

PAPreBackup.exe C:\PrivateArk\Server\Conf\Vault.ini Backup/Asdf1234 /full

C.

PARestore.exe PADR ini /LogonFromFile vault.ini /FullBackup

D.

CAVaultManager.exe RecoverBackupFiles /BackupPoolName BkpSvr1

Question 40

Which keys are required to be present in order to start the PrivateArk Server service?

Options:

A.

Recovery public key

B.

Recovery private key

C.

Server key

D.

Safe key

Question 41

Which usage can be added as a service account platform?

Options:

A.

Kerberos Tokens

B.

IIS Application Pools

C.

PowerShell Libraries

D.

Loosely Connected Devices

Question 42

You have associated a logon account to one your UNIX cool accounts in the vault. When attempting to [b]change [/b] the root account’s password the CPM will…..

Options:

A.

Log in to the system as root, then change root's password

B.

Log in to the system as the logon account, then change roofs password

C.

Log in to the system as the logon account, run the su command to log in as root, and then change root’s password.

D.

None of these

Question 43

Users can be resulted to using certain CyberArk interfaces (e.g.PVWA or PACLI).

Options:

A.

TRUE

B.

FALS

Question 44

The Vault administrator can change the Vault license by uploading the new license to the system Safe.

Options:

A.

True

B.

False

Question 45

VAULT authorizations may be granted to_____.

Options:

A.

Vault Users

B.

Vault Groups

C.

LDAP Users

D.

LDAP Groups

Question 46

Which change could CyberArk make to the REST API that could cause existing scripts to fail?

Options:

A.

adding optional parameters in the request

B.

adding additional REST methods

C.

removing parameters

D.

returning additional values in the response

Question 47

Which dependent accounts does the CPM support out-of-the-box? (Choose three.)

Options:

A.

Solaris Configuration file

B.

Windows Services

C.

Windows Scheduled

D.

Windows DCOM Applications

E.

Windows Registry

F.

Key Tab file

Question 48

You are configuring a Vault HA cluster.

Which file should you check to confirm the correct drives have been assigned for the location of the Quorum and Safes data disks?

Options:

A.

ClusterVault.ini

B.

my.ini

C.

vault.ini

D.

DBParm.ini

Question 49

Arrange the steps to restore a Vault using PARestore for a Backup in the correct sequence.

Options:

Question 50

You are configuring CyberArk to use HTML5 gateways exclusively for PSM connections.

In the PVWA, where do you set DefaultConnectionMethod to HTML5?

Options:

A.

Options > Privileged Session Management UI

B.

Options > Privileged Session Management

C.

Options > Privileged Session Management Defaults

D.

Options > Privileged Session Management Interface

Question 51

Which one the following reports is NOT generated by using the PVWA?

Options:

A.

Accounts Inventory

B.

Application Inventory

C.

Sales List

D.

Convince Status

Question 52

In a default CyberArk installation, which group must a user be a member of to view the “reports” page in PVWA?

Options:

A.

PVWAMonitor

B.

ReportUsers

C.

PVWAReports

D.

Operators

Question 53

Which Cyber Are components or products can be used to discover Windows Services or Scheduled Tasks that use privileged accounts? Select all that apply.

Options:

A.

Discovery and Audit (DMA)

B.

Auto Detection (AD)

C.

Export Vault Data (EVD)

D.

On Demand Privileges Manager (OPM)

E.

Accounts Discovery

Question 54

By default, members of which built-in groups will be able to view and configure Automatic Remediation and Session Analysis and Response in the PVWA?

Options:

A.

Vault Admins

B.

Security Admins

C.

Security Operators

D.

Auditors

Question 55

In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the vault?

Options:

A.

True.

B.

False. Because the user can also enter credentials manually using Secure Connect.

C.

False. Because if credentials are not stored in the vault, the PSM will log into the target device as PSM Connect.

D.

False. Because if credentials are not stored in the vault, the PSM will prompt for credentials.

Question 56

The Accounts Feed contains:

Options:

A.

Accounts that were discovered by CyberArk in the last 30 days

B.

Accounts that were discovered by CyberArk that have not yet been onboarded

C.

All accounts added to the vault in the last 30 days

D.

All users added to CyberArk in the last 30 days

Question 57

Vault admins must manually add the auditors group to newly created safes so auditors will have sufficient access to run reports.

Options:

A.

TRUE

B.

FALSE

Question 58

When are external vault users and groups synchronized by default?

Options:

A.

They are synchronized once every 24 hours between 1 AM and 5 AM. Most Voted

B.

They are synchronized once every 24 hours between 7 PM and 12 AM.

C.

They are synchronized every 2 hours.

D.

They are not synchronized according to a specific schedule.

Question 59

Which processes reduce the risk of credential theft? (Choose two.)

Options:

A.

require dual control password access approval

B.

require password change every X days

C.

enforce check-in/check-out exclusive access

D.

enforce one-time password access

Question 60

Which statement is correct concerning accounts that are discovered, but cannot be added to the Vault by an automated onboarding rule?

Options:

A.

They are added to the Pending Accounts list and can be reviewed and manually uploaded.

B.

They cannot be onboarded to the Password Vault.

C.

They must be uploaded using third party tools.

D.

They are not part of the Discovery Process.

Question 61

A user with administrative privileges to the vault can only grant other users privileges that he himself has.

Options:

A.

TRUE

B.

FALSE

Question 62

CyberArk recommends implementing object level access control on all Safes.

Options:

A.

True

B.

False

Question 63

Which of these accounts onboarding methods is considered proactive?

Options:

A.

Accounts Discovery

B.

Detecting accounts with PTA

C.

A Rest API integration with account provisioning software

D.

A DNA scan

Question 64

Which Vault authorization does a user need to have assigned to able to generate the "Entitlement Report" from the reports page in PVWA? (Choose two.)

Options:

A.

Manage Users

B.

Audit Users

C.

Read Activity

D.

View Entitlements

E.

List Accounts

Question 65

What is the configuration file used by the CPM scanner when scanning UNIX/Linux devices?

Options:

A.

UnixPrompts.ini

B.

plink.exe

C.

dbparm.ini

D.

PVConfig.xml

Question 66

In the Private Ark client, how do you add an LDAP group to a CyberArk group?

Options:

A.

Select Update on the CyberArk group, and then click Add > LDAP Group

B.

Select Update on the LDAP Group, and then click Add > LDAP Group

C.

Select Member Of on the CyberArk group, and then click Add > LDAP Group

D.

Select Member Of on the LDAP group, and then click Add > LDAP Group

Question 67

When managing SSH keys, the CPM stores the Public Key

Options:

A.

In the Vault

B.

On the target server

C.

A & B

D.

Nowhere because the public key can always be generated from the private key.

Question 68

Ad-Hoc Access (formerly Secure Connect) provides the following features. Choose all that apply.

Options:

A.

PSM connections to target devices that are not managed by CyberArk.

B.

Session Recording.

C.

Real-time live session monitoring.

D.

PSM connections from a terminal without the need to login to the PVWA.

Question 69

In addition to add accounts and update account contents, which additional permission on the safe is required to add a single account?

Options:

A.

Upload Accounts Properties

B.

Rename Accounts

C.

Update Account Properties

D.

Manage Safe

Question 70

What is the purpose of the HeadStartlnterval setting m a platform?

Options:

A.

It determines how far in advance audit data is collected tor reports

B.

It instructs the CPM to initiate the password change process X number of days before expiration.

C.

It instructs the AIM Provider to ‘skip the cache' during the defined time period

D.

It alerts users of upcoming password changes x number of days before expiration.

Question 71

You are creating a Dual Control workflow for a team’s safe.

Which safe permissions must you grant to the Approvers group?

Options:

A.

List accounts, Authorize account request

B.

Retrieve accounts, Access Safe without confirmation

C.

Retrieve accounts, Authorize account request

D.

List accounts, Unlock accounts

Question 72

A new HTML5 Gateway has been deployed in your organization.

Where do you configure the PSM to use the HTML5 Gateway?

Options:

A.

Administration > Options > Privileged Session Management > Configured PSM Servers > Connection Details > Add PSM Gateway

B.

Administration > Options > Privileged Session Management > Add Configured PSM Gateway Servers

C.

Administration > Options > Privileged Session Management > Configured PSM Servers > Add PSM Gateway

D.

Administration > Options > Privileged Session Management > Configured PSM Servers > Connection Details

Page: 1 / 24
Total 239 questions