New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

PAM-DEF CyberArk Defender - PAM Questions and Answers

Questions 4

Arrange the steps to restore a Vault using PARestore for a Backup in the correct sequence.

Options:

Buy Now
Questions 5

In a default CyberArk installation, which group must a user be a member of to view the “reports” page in PVWA?

Options:

A.

PVWAMonitor

B.

ReportUsers

C.

PVWAReports

D.

Operators

Buy Now
Questions 6

Which option in the Private Ark client is used to update users’ Vault group memberships?

Options:

A.

Update > General tab

B.

Update > Authorizations tab

C.

Update > Member Of tab

D.

Update > Group tab

Buy Now
Questions 7

The Active Directory User configured for Windows Discovery needs which permission(s) or membership?

Options:

A.

Member of Domain Admin Group

B.

Member of LDAP Admin Group

C.

Read and Write Permissions

D.

Read Only Permissions

Buy Now
Questions 8

You are configuring CyberArk to use HTML5 gateways exclusively for PSM connections.

In the PVWA, where do you set DefaultConnectionMethod to HTML5?

Options:

A.

Options > Privileged Session Management UI

B.

Options > Privileged Session Management

C.

Options > Privileged Session Management Defaults

D.

Options > Privileged Session Management Interface

Buy Now
Questions 9

Which of the following are secure options for storing the contents of the Operator CD, while still allowing the contents to be accessible upon a planned Vault restart? (Choose three.)

Options:

A.

Store the CD in a physical safe and mount the CD every time Vault maintenance is performed

B.

Copy the entire contents of the CD to the system Safe on the Vault

C.

Copy the entire contents of the CD to a folder on the Vault Server and secure it with NTFS permissions

D.

Store the server key in a Hardware Security Module (HSM) and copy the rest the keys from the CD to a folder on the Vault Server and secure it with NTFS permissions

Buy Now
Questions 10

Time of day or day of week restrictions on when password verifications can occur configured in ____________________.

Options:

A.

The Master Policy

B.

The Platform settings

C.

The Safe settings

D.

The Account Details

Buy Now
Questions 11

Match each key to its recommended storage location.

Options:

Buy Now
Questions 12

During a High Availability node switch you notice an error and the Cluster Vault Manager Utility fails back to the original node.

Which log files should you check to investigate the cause of the issue? (Choose three.)

Options:

A.

CyberArk Webconsole.log

B.

VaultDB.log

C.

PM_Error.log

D.

ITALog.log

E.

ClusterVault.console.log

F.

logiccontainer.log

Buy Now
Questions 13

For each listed prerequisite, identify if it is mandatory or not mandatory to run the PSM Health Check.

Options:

Buy Now
Questions 14

What is required to enable access over SSH to a Unix account through both PSM and PSMP?

Options:

A.

The platform must contain connection components for PSM-SSH and PSMP-SSH.

B.

PSM and PSMP must already have stored the SSH Fingerprint for the Unix host.

C.

The 'Enable PSMP' setting in the Unix platform must be set to Yes.

D.

A duplicate platform (Called) with the PSMP settings must be created.

Buy Now
Questions 15

In order to connect to a target device through PSM, the account credentials used for the connection must be stored in the vault?

Options:

A.

True.

B.

False. Because the user can also enter credentials manually using Secure Connect.

C.

False. Because if credentials are not stored in the vault, the PSM will log into the target device as PSM Connect.

D.

False. Because if credentials are not stored in the vault, the PSM will prompt for credentials.

Buy Now
Questions 16

When creating an onboarding rule, it will be executed upon .

Options:

A.

All accounts in the pending accounts list

B.

Any future accounts discovered by a discovery process

C.

Both “All accounts in the pending accounts list” and “Any future accounts discovered by a discovery process”

Buy Now
Questions 17

If the AccountUploader Utility is used to create accounts with SSH keys, which parameter do you use to set the full or relative path of the SSH private key file that will be attached to the account?

Options:

A.

KeyPath

B.

KeyFile

C.

ObjectName

D.

Address

Buy Now
Questions 18

Which item is an option for PSM recording customization?

Options:

A.

Windows events text recorder with automatic play-back

B.

Windows events text recorder and universal keystrokes recording simultaneously

C.

Universal keystrokes text recorder with windows events text recorder disabled

D.

Custom audio recording for windows events

Buy Now
Questions 19

Which is the primary purpose of exclusive accounts?

Options:

A.

Reduced risk of credential theft

B.

More frequent password changes

C.

Non-repudiation (individual accountability)

D.

To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without authorization

Buy Now
Questions 20

When an account is unable to change its own password, how can you ensure that password reset with the reconcile account is performed each time instead of a change?

Options:

A.

Set the parameter RCAllowManualReconciliation to Yes.

B.

Set the parameter ChangePasswordinResetMade to Yes.

C.

Set the parameter IgnoreReconcileOnMissingAccount to No.

D.

Set the UnlockUserOnReconcile to Yes.

Buy Now
Questions 21

Which Cyber Are components or products can be used to discover Windows Services or Scheduled Tasks that use privileged accounts? Select all that apply.

Options:

A.

Discovery and Audit (DMA)

B.

Auto Detection (AD)

C.

Export Vault Data (EVD)

D.

On Demand Privileges Manager (OPM)

E.

Accounts Discovery

Buy Now
Questions 22

An auditor initiates a live monitoring session to PSM server to view an ongoing live session. When the auditor’s machine makes an RDP connection the PSM server, which user will be used?

Options:

A.

PSMAdminConnect

B.

Shadowuser

C.

PSMConnect

D.

Credentials stored in the Vault for the target machine

Buy Now
Questions 23

When a DR Vault Server becomes an active vault, it will automatically fail back to the original state once the Primary Vault comes back online.

Options:

A.

True; this is the default behavior

B.

False; this is not possible

C.

True, if the AllowFailback setting is set to “yes” in the padr.ini file

D.

True, if the AllowFailback setting is set to “yes” in the dbparm.ini file

Buy Now
Questions 24

One can create exceptions to the Master Policy based on ____________________.

Options:

A.

Safes

B.

Platforms

C.

Policies

D.

Accounts

Buy Now
Questions 25

What is the primary purpose of Dual Control?

Options:

A.

Reduced risk of credential theft

B.

More frequent password changes

C.

Non-repudiation (individual accountability)

D.

To force a 'collusion to commit' fraud ensuring no single actor may use a password without authorization.

Buy Now
Questions 26

You have been asked to delegate the rights to unlock users to Tier 1 support. The Tier 1 support team already has an LDAP group for its members.

Arrange the steps to do this in the correct sequence.

Options:

Buy Now
Questions 27

When the CPM connects to a database, which interface is most commonly used?

Options:

A.

Kerberos

B.

ODBC

C.

VBScript

D.

Sybase

Buy Now
Questions 28

Which authorizations are required in a recording safe to allow a group to view recordings?

Options:

Buy Now
Questions 29

Target account platforms can be restricted to accounts that are stored m specific Safes using the Allowed Safes property.

Options:

A.

TRUE

B.

FALSE

Buy Now
Questions 30

You have been asked to identify the up or down status of Vault services.

Which CyberArk utility can you use to accomplish this task?

Options:

A.

Vault Replicator

B.

PAS Reporter

C.

Remote Control Agent

D.

Syslog

Buy Now
Questions 31

It is possible to leverage DNA to provide discovery functions that are not available with auto-detection.

Options:

A.

TRUE

B.

FALS

Buy Now
Questions 32

How does the Vault administrator apply a new license file?

Options:

A.

Upload the license.xml file to the system Safe and restart the PrivateArk Server service

B.

Upload the license.xml file to the system Safe

C.

Upload the license.xml file to the Vault Internal Safe and restart the PrivateArk Server service

D.

Upload the license.xml file to the Vault Internal Safe

Buy Now
Questions 33

Which master policy settings ensure non-repudiation?

Options:

A.

Require password verification every X days and enforce one-time password access.

B.

Enforce check-in/check-out exclusive access and enforce one-time password access.

C.

Allow EPV transparent connections ('Click to connect') and enforce check-in/check-out exclusive access.

D.

Allow EPV transparent connections ('Click to connect') and enforce one-time password access.

Buy Now
Questions 34

To manage automated onboarding rules, a CyberArk user must be a member of which group?

Options:

A.

Vault Admins

B.

CPM User

C.

Auditors

D.

Administrators

Buy Now
Questions 35

Which CyberArk utility allows you to create lists of Master Policy Settings, owners and safes for output to text files or MSSQL databases?

Options:

A.

Export Vault Data

B.

Export Vault Information

C.

PrivateArk Client

D.

Privileged Threat Analytics

Buy Now
Questions 36

What are the mandatory fields when onboarding from Pending Accounts? (Choose two.)

Options:

A.

Address

B.

Safe

C.

Account Description

D.

Platform

E.

CPM

Buy Now
Questions 37

When a group is granted the 'Authorize Account Requests' permission on a safe Dual Control requests must be approved by

Options:

A.

Any one person from that group

B.

Every person from that group

C.

The number of persons specified by the Master Policy

D.

That access cannot be granted to groups

Buy Now
Questions 38

CyberArk recommends implementing object level access control on all Safes.

Options:

A.

True

B.

False

Buy Now
Questions 39

In your organization the “click to connect” button is not active by default.

How can this feature be activated?

Options:

A.

Policies > Master Policy > Allow EPV transparent connections > Inactive

B.

Policies > Master Policy > Session Management > Require privileged session monitoring and isolation > Add Exception

C.

Policies > Master Policy > Allow EPV transparent connections > Active

D.

Policies > Master Policy > Password Management

Buy Now
Questions 40

Match each PTA alert category with the PTA sensors that collect the data for it.

Options:

Buy Now
Questions 41

You created a new safe and need to ensure the user group cannot see the password, but can connect through the PSM.

Which safe permissions must you grant to the group? (Choose two.)

Options:

A.

List Accounts Most Voted

B.

Use Accounts Most Voted

C.

Access Safe without Confirmation

D.

Retrieve Files

E.

Confirm Request

Buy Now
Questions 42

When managing SSH keys, the CPM stores the Public Key

Options:

A.

In the Vault

B.

On the target server

C.

A & B

D.

Nowhere because the public key can always be generated from the private key.

Buy Now
Questions 43

Which methods can you use to add a user directly to the Vault Admin Group? (Choose three.)

Options:

A.

REST API

B.

PrivateArk Client

C.

PACLI

D.

PVWA

E.

Active Directory

F.

Sailpoint

Buy Now
Questions 44

You want to create a new onboarding rule.

Where do you accomplish this?

Options:

A.

In PVWA, click Reports > Unmanaged Accounts > Rules

B.

In PVWA, click Options > Platform Management > Onboarding Rules

C.

In PrivateArk, click Tools > Onboarding Rules

D.

In PVWA, click Accounts > Onboarding Rules

Buy Now
Questions 45

tsparm.ini is the main configuration file for the Vault.

Options:

A.

True

B.

False

Buy Now
Questions 46

You have been asked to create an account group and assign three accounts which belong to a cluster. When you try to create a new group, you receive an unauthorized error; however, you are able to edit other aspects of the account properties.

Which safe permission do you need to manage account groups?

Options:

A.

create folders Most Voted

B.

specify next account content

C.

rename accounts

D.

manage safe

Buy Now
Questions 47

What is the purpose of the PrivateArk Database service?

Options:

A.

Communicates with components

B.

Sends email alerts from the Vault

C.

Executes password changes

D.

Maintains Vault metadata

Buy Now
Questions 48

Accounts Discovery allows secure connections to domain controllers.

Options:

A.

TRUE

B.

FALSE

Buy Now
Questions 49

You receive this error:

“Error in changepass to user domain\user on domain server(\domain.(winRc=5) Access is denied.”

Which root cause should you investigate?

Options:

A.

The account does not have sufficient permissions to change its own password.

B.

The domain controller is unreachable.

C.

The password has been changed recently and minimum password age is preventing the change.

D.

The CPM service is disabled and will need to be restarted.

Buy Now
Questions 50

What can you do to ensure each component server is operational?

Options:

A.

Logon to PVWA with v10 UI, navigate to Healthcheck, and validate each component server is connected to the Vault.

B.

Ping each component server to ensure connectivity.

C.

Use the PrivateArk client to connect to the Vault server and validate all the services are running.

D.

Install the Vault Server interface on a remote machine to avoid interactive logon to the Vault OS and review the ITALog.log through the Vault Server interface.

Buy Now
Questions 51

For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would you configure a group of users to access a password without approval.

Options:

A.

Create an exception to the Master Policy to exclude the group from the workflow process.

B.

Edith the master policy rule and modify the advanced’ Access safe without approval’ rule to include the group.

C.

On the safe in which the account is stored grant the group the’ Access safe without audit’ authorization.

D.

On the safe in which the account is stored grant the group the’ Access safe without confirmation’ authorization.

Buy Now
Questions 52

Match each permission to where it can be found.

Options:

Buy Now
Questions 53

What is the purpose of the HeadStartlnterval setting m a platform?

Options:

A.

It determines how far in advance audit data is collected tor reports

B.

It instructs the CPM to initiate the password change process X number of days before expiration.

C.

It instructs the AIM Provider to ‘skip the cache' during the defined time period

D.

It alerts users of upcoming password changes x number of days before expiration.

Buy Now
Questions 54

If a password is changed manually on a server, bypassing the CPM, how would you configure the account so that the CPM could resume management automatically?

Options:

A.

Configure the Provider to change the password to match the Vault’s Password

B.

Associate a reconcile account and configure the platform to reconcile automatically

C.

Associate a logon account and configure the platform to reconcile automatically

D.

Run the correct auto detection process to rediscover the password

Buy Now
Questions 55

Which parameters can be used to harden the Credential Files (CredFiles) while using CreateCredFile Utility? (Choose three.)

Options:

A.

Operating System Username

B.

Host IP Address

C.

Client Hostname

D.

Operating System Type (Linux/Windows/HP-UX)

E.

Vault IP Address

F.

Time Frame

Buy Now
Questions 56

As long as you are a member of the Vault Admins group, you can grant any permission on any safe that you have access to.

Options:

A.

TRUE

B.

FALSE

Buy Now
Questions 57

Where can PTA be configured to send alerts? (Choose two.)

Options:

A.

SIEM

B.

Email

C.

Google Analytics

D.

EVD

E.

PAReplicate

Buy Now
Questions 58

Which certificate type do you need to configure the vault for LDAP over SSL?

Options:

A.

the CA Certificate that signed the certificate used by the External Directory

B.

a CA signed Certificate for the Vault server

C.

a CA signed Certificate for the PVWA server

D.

a self-signed Certificate for the Vault

Buy Now
Questions 59

What is the chief benefit of PSM?

Options:

A.

Privileged session isolation

B.

Automatic password management

C.

Privileged session recording

D.

‘Privileged session isolation’ and ‘Privileged session recording’

Buy Now
Questions 60

Which command generates a full backup of the Vault?

Options:

A.

PAReplicate.exe Vault.ini /LogonFromFile user.ini /FullBackup

B.

PAPreBackup.exe C:\PrivateArk\Server\Conf\Vault.ini Backup/Asdf1234 /full

C.

PARestore.exe PADR ini /LogonFromFile vault.ini /FullBackup

D.

CAVaultManager.exe RecoverBackupFiles /BackupPoolName BkpSvr1

Buy Now
Questions 61

VAULT authorizations may be granted to_____.

Options:

A.

Vault Users

B.

Vault Groups

C.

LDAP Users

D.

LDAP Groups

Buy Now
Questions 62

Which parameter controls how often the CPM looks for Soon-to-be-expired Passwords that need to be changed.

Options:

A.

HeadStartInterval

B.

Interval

C.

ImmediateInterval

D.

The CPM does not change the password under this circumstance

Buy Now
Questions 63

Customers who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts are configured for Dual control, still need to request approval to use the account.

Options:

A.

TRUE

B.

FALSE

Buy Now
Questions 64

Secure Connect provides the following. Choose all that apply.

Options:

A.

PSM connections to target devices that are not managed by CyberArk.

B.

Session Recording

C.

Real-time live session monitoring.

D.

PSM connections from a terminal without the need to login to the PVWA

Buy Now
Questions 65

You want to give a newly-created group rights to review security events under the Security pane. You also want to be able to update the status of these events.

Where must you update the group to allow this?

Options:

A.

in the PTAAuthorizationGroups parameter, found in Administration > Options > PTA

B.

in the PTAAuthorizationGroups parameter, found in Administration > Options > General

C.

in the SecurityEventsAuthorizationGroups parameter, found in Administration > Security > Options

D.

in the SecurityEventsFeedAuthorizationGroups parameter, found in Administration > Options > General

Buy Now
Questions 66

The Vault administrator can change the Vault license by uploading the new license to the system Safe.

Options:

A.

True

B.

False

Buy Now
Questions 67

What is the primary purpose of One Time Passwords?

Options:

A.

Reduced risk of credential theft

B.

More frequent password changes

C.

Non-repudiation (individual accountability)

D.

To force a 'collusion to commit' fraud ensuring no single actor may use a password without authorization.

Buy Now
Questions 68

A new domain controller has been added to your domain. You need to ensure the CyberArk infrastructure can use the new domain controller for authentication.

Which locations must you update?

Options:

A.

on the Vault server in Windows\System32\Etc\Hosts and in the PVWA Application under Administration > LDAP Integration > Directories > Hosts

B.

on the Vault server in Windows\System32\Etc\Hosts and on the PVWA server in Windows\System32\Etc\Hosts

C.

in the Private Ark client under Tools > Administrative Tools > Directory Mapping

D.

on the Vault server in the certificate store and on the PVWA server in the certificate store

Buy Now
Questions 69

You are concerned about the Windows Domain password changes occurring during business hours.

Which settings must be updated to ensure passwords are only rotated outside of business hours?

Options:

A.

In the platform policy -

Automatic Password Management > Password Change > ToHour & FromHour

B.

in the Master Policy

Account Change Window > ToHour & From Hour

C.

Administration Settings -

CPM Settings > ToHour & FromHour

D.

On each individual account -

Edit > Advanced > ToHour & FromHour

Buy Now
Questions 70

Which report shows the accounts that are accessible to each user?

Options:

A.

Activity report

B.

Entitlement report

C.

Privileged Accounts Compliance Status report

D.

Applications Inventory report

Buy Now
Questions 71

Where can a user with the appropriate permissions generate a report? (Choose two.)

Options:

A.

PVWA > Reports

B.

PrivateArk Client

C.

Cluster Vault Manager

D.

PrivateArk Server Monitor

E.

PARClient

Buy Now
Questions 72

A Vault administrator have associated a logon account to one of their Unix root accounts in the vault. When attempting to verify the root account’s password the Central Policy Manager (CPM) will:

Options:

A.

ignore the logon account and attempt to log in as root

B.

prompt the end user with a dialog box asking for the login account to use

C.

log in first with the logon account, then run the SU command to log in as root using the password in the Vault

D.

none of these

Buy Now
Exam Code: PAM-DEF
Exam Name: CyberArk Defender - PAM
Last Update: Dec 26, 2024
Questions: 239
PAM-DEF pdf

PAM-DEF PDF

$25.5  $84.99
PAM-DEF Engine

PAM-DEF Testing Engine

$30  $99.99
PAM-DEF PDF + Engine

PAM-DEF PDF + Testing Engine

$40.5  $134.99