Pam Def

The document provides an overview of PAM-DEF CyberArk Defender exam dumps, highlighting their features such as instant download, free updates, and customer support. It includes sample exam questions and answers related to CyberArk functionalities, permissions, and configurations necessary for effective use of the CyberArk system. The content is aimed at helping candidates prepare for the PAM-DEF exam by testing their knowledge on various CyberArk topics.

Uploaded by

Zabrocki Archie

PAM-DEF CyberArk Defender – PAM exam dumps questions are the best
material for you to test all the related CyberArk exam topics. By using the
PAM-DEF exam dumps questions and practicing your skills, you can increase your
confidence and chances of passing the PAM-DEF exam.

Features of Dumpsinfo’s products

Instant Download
Free Update in 3 Months
Money back guarantee
PDF and Software
24/7 Customer Support

Besides, Dumpsinfo also provides unlimited access. You can get all
Dumpsinfo files at lowest price.

CyberArk Defender – PAM PAM-DEF exam free dumps questions are
available below for you to study.

Full version: PAM-DEF Exam Dumps Questions

1.You are creating a Dual Control workflow for a team’s safe.
Which safe permissions must you grant to the Approvers group?
A. List accounts, Authorize account request
B. Retrieve accounts, Access Safe without confirmation
C. Retrieve accounts, Authorize account request
D. List accounts, Unlock accounts
Answer: C
Explanation:
When setting up a Dual Control workflow for a team’s safe in CyberArk’s Privileged Access
Management (PAM), the Approvers group must be granted specific permissions to function effectively
within the workflow. The permissions required for the Approvers group are to ‘Retrieve accounts’
and ‘Authorize account request’. This allows the Approvers to retrieve the necessary account details
and also to authorize requests for access as part of the dual control mechanism. These permissions
ensure that the workflow operates smoothly and securely, with the Approvers having the ability to
review and approve access requests as needed.
Reference: The answer is derived from the best practices and guidelines provided in the CyberArk
Defender PAM course and learning resources, which include the official CyberArk documentation and
study guides. Specifically, the CyberArk documentation outlines the importance of the ‘Retrieve
accounts’ and ‘Authorize account request’ permissions for Approvers in a Dual Control workflow.

2.In the screenshot displayed, you just configured the usage in CyberArk and want to update its
password.
What is the least intrusive way to accomplish this?

A. Use the “change” button on the usage’s details page.
B. Use the “change” button on the parent account’s details page.
C. Use the “sync” button on the usage’s details page.
D. Use the “reconcile” button on the parent account’s details page.
Answer: C
Explanation:
A usage is a configuration that allows CyberArk to manage passwords for files, such as XML or INI
files, that are stored on remote machines. A usage is associated with a parent account, which is the
account that has access to the file. To update the password of a usage, the least intrusive way is to
use the “sync” button on the usage’s details page. This will synchronize the password value
between the Vault and the file, without changing the actual password. The “change” button will
initiate a password change process by the CPM, which will generate a new random password for the
usage and the file. The “reconcile” button will initiate a password reconcile process by the CPM,
which will use a reconcile account to reset the password of the usage and the file to the value stored
in the Vault.
Reference: Usages, Manage passwords for usages

3.Which report shows the accounts that are accessible to each user?
A. Activity report
B. Entitlement report
C. Privileged Accounts Compliance Status report
D. Applications Inventory report
Answer: B
Explanation:
The report that shows the accounts that are accessible to each user is the Entitlement report.
The Entitlement report provides information about
users’ entitlement rights in PAM - Self-Hosted regarding user, Safe, active platform, target machine,
target account, etc. This report includes each user’s effective access control and authorization level
on each account that the user has access to in PAM - Self-Hosted. The Entitlement report can be
generated in PVWA or PrivateArk.

4.You want to give a newly-created group rights to review security events under the Security pane.
You also want to be able to update the status of these events. Where must you update the group to
allow this?
A. in the PTAAuthorizationGroups parameter, found in Administration > Options > PTA
B. in the PTAAuthorizationGroups parameter, found in Administration > Options > General
C. in the SecurityEventsAuthorizationGroups parameter, found in Administration > Security > Options
D. in the SecurityEventsFeedAuthorizationGroups parameter, found in Administration > Options >
General
Answer: D
Explanation:
https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PTA/Security-Events.htm?TocPath=End User%7CSecurity Events%7C_____2#Permissions

5.You received a notification from one of your CyberArk auditors that they are missing Vault level
audit permissions. You confirmed that all auditors are missing the Audit Users Vault permission.
Where do you update this permission for all auditors?
A. Private Ark Client > Tools > Administrative Tools > Directory Mapping > Vault Authorizations
B. Private Ark Client > Tools > Administrative Tools > Users and Groups > Auditors > Authorizations
tab
C. PVWA User Provisioning > LDAP integration > Vault Auditors Mapping > Vault Authorizations
D. PVWA > Administration > Configuration Options > LDAP integration > Vault Auditors Mapping >
Vault Authorizations
Answer: B
Explanation:
To update the Vault level audit permissions for all auditors, you would use the Private Ark Client.
Specifically, you would navigate to the Tools menu, select Administrative Tools, then Users and
Groups. Within the Users and Groups section, you would select the Auditors group and go to the
Authorizations tab. Here, you can manage and update the permissions for the Auditor group,
including the Audit Users Vault permission. This ensures that all members of the Auditors group have
the necessary permissions to perform their audit functions within the Vault [1].
Reference: 1: CyberArk’s official documentation on predefined users and groups, which includes
information on the Auditor user and the permissions associated with this role.
2: Information on the administrative tools available in the Private Ark Client, which are used for
managing users and groups, including auditors.

6.Which change could CyberArk make to the REST API that could cause existing scripts to fail?
A. adding optional parameters in the request
B. adding additional REST methods
C. removing parameters
D. returning additional values in the response
Answer: C
Explanation:
Changes to the REST API that could cause existing scripts to fail include removing parameters. When
parameters are removed from an API, scripts that rely on those parameters being present may no
longer function correctly because they expect certain data to be available. This can lead to errors or
unexpected behavior in the scripts that use the API [1].
Reference: 1: CyberArk Docs: REST APIs

7.You have been asked to secure a set of shared accounts in CyberArk whose passwords will need
to be used by end users. The account owner wants to be able to track who was using an account at
any given moment.
Which security configuration should you recommend?
A. Configure one-time passwords for the appropriate platform in Master Policy.
B. Configure shared account mode on the appropriate safe.
C. Configure both one-time passwords and exclusive access for the appropriate platform in Master
Policy.
D. Configure object level access control on the appropriate safe.
Answer: C
Explanation:
One-time passwords and exclusive access are security features that can be configured for a platform
in the Master Policy. These features enhance the security and accountability of shared accounts by
ensuring that each password is used only once and by only one user at a time. One-time passwords
generate a new password for each check-out and check-in of an account, preventing password reuse
and exposure. Exclusive access prevents multiple users from accessing the same account
simultaneously, avoiding conflicts and confusion. By configuring both one-time passwords and
exclusive access for the appropriate platform, the account owner can track who was using an account
at any given moment and ensure that the passwords are always secure and unique.
Reference: One-Time Passwords, Exclusive Access, Master Policy

8.In the Private Ark client under the Tools menu > Administrative Tools > Users and Groups, which
option do you use to update users’ Vault group memberships?
A. Update > General tab
B. Update > Authorizations tab
C. Update > Member Of tab
D. Update > Group tab
Answer: C
Explanation:
In the PrivateArk client, to update users’ Vault group memberships, you use the Member Of tab. After
logging in as an administrative user and navigating to the Users and Groups window, you select a
user and click Update. In the Member Of tab, you can manage the user’s group memberships by
adding or removing them from groups within the Vault [1].
Reference: 1: CyberArk Docs - Manage users in PrivateArk client

9.When running a “Privileged Accounts Inventory” Report through the Reports page in PVWA on a
specific safe, which permission/s are required on that safe to show complete account inventory
information?
A. List Accounts, View Safe Members
B. Manage Safe Owners
C. List Accounts, Access Safe without confirmation
D. Manage Safe, View Audit
Answer: A
Explanation:
The Privileged Accounts Inventory Report provides information about all the privileged accounts in the
system, based on different filters, such as safe, platform, policy, and owner. To run this report through
the Reports page in PVWA on a specific safe, the user needs to have the following permissions on
that safe:
List Accounts: This permission allows the user to view the accounts in the safe and their properties,
such as name, address, platform, and policy.
View Safe Members: This permission allows the user to view the members of the safe and their
authorizations, such as owners, users, and groups.
These permissions are required to show complete account inventory information for the specific safe.
Other permissions, such as Manage Safe Owners, Access Safe without confirmation, Manage Safe,
and View Audit, are not relevant for this report.
Reference: Reports and Audits - CyberArk, Safe Member Authorizations

10.A Vault Administrator team member can log in to CyberArk, but for some reason, is not given Vault
Admin rights.
Where can you check to verify that the Vault Admins directory mapping points to the correct AD
group?
A. PVWA > User Provisioning > LDAP Integration > Mapping Criteria
B. PVWA > User Provisioning > LDAP Integration > Map Name
C. PVWA > Administration > LDAP Integration > Mappings
D. PVWA > Administration > LDAP Integration > AD Groups
Answer: C
Explanation:
The directory mappings are the rules that define how users and groups from an external directory,
such as Active Directory (AD), are mapped to roles and authorizations in CyberArk. To verify that the
Vault Admins directory mapping points to the correct AD group, you need to check the Mappings
page in the PVWA. This page displays the list of existing directory mappings in the Vault and their
properties, such as mapping name, LDAP branch, domain groups, and mapping authorizations. You
can edit or delete a directory mapping from this page, or create a new one using the Create Directory
Mapping button.
Reference: Directory Maps, Create directory mapping, Get directory mapping list

11.DRAG DROP
Match the log file name with the CyberArk Component that generates the log.
Answer:

Explanation:
Reference: Log Files
[Defender PAM Sample Items Study Guide], Question 46, page 16

12.What is the primary purpose of One Time Passwords?
A. Reduced risk of credential theft
B. More frequent password changes
C. Non-repudiation (individual accountability)
D. To force a 'collusion to commit' fraud ensuring no single actor may use a password without
authorization.
Answer: A
Explanation:
One Time Passwords (OTPs) are passwords that are valid for only one use or a limited time period.
The primary purpose of OTPs is to reduce the risk of credential theft, which is a common attack
vector for hackers and malicious insiders. By using OTPs, the exposure of the credentials is
minimized, and the attacker cannot reuse the stolen password to access the target system. OTPs
also enhance the security of the authentication process, as they add an extra layer of verification to
the user’s identity. OTPs can be generated by various methods, such as SMS, email, hardware
tokens, software tokens, etc. [1]
The other options are not the primary purpose of OTPs, because:
B. More frequent password changes. This is not the primary purpose of OTPs, but a consequence of
using them. OTPs require more frequent password changes, as they expire after one use or a limited
time period. However, this is not the main goal of using OTPs, but rather a means to achieve the goal
of reducing the risk of credential theft.
C. Non-repudiation (individual accountability). This is not the primary purpose of OTPs, but a benefit
of using them. Non-repudiation means that the user cannot deny performing an action or accessing a
resource, as there is sufficient evidence to prove their identity and activity. OTPs can help achieve
non-repudiation, as they are unique and personal to each user, and can be traced back to the user’s
device or account. However, this is not the main goal of using OTPs, but rather an advantage of using
them.
D. To force a ‘collusion to commit’ fraud ensuring no single actor may use a password without
authorization. This is not the primary purpose of OTPs, but a feature of using them. OTPs can help
prevent unauthorized access to privileged accounts, as they require the user to have both the OTP
and the regular password to access the target system. This means that no single actor can use the
password without authorization, as they would need the cooperation of another actor who has the
OTP. However, this is not the main goal of using OTPs, but rather a capability of using them.
Reference: 1: One-time password

13.As long as you are a member of the Vault Admins group, you can grant any permission on any
safe that you have access to.
A. TRUE
B. FALSE
Answer: B
Explanation:
Being a member of the Vault Admins group does not automatically grant you any permission on any
safe that you have access to. The Vault Admins group is a predefined group that is created during the
installation or upgrade of the vault. This group has the Vault Admin authorization, which allows its
members to perform administrative tasks on the vault, such as managing users, groups, platforms,
policies, and safes [1]. However, this authorization does not include any safe member authorizations,
such as View, Retrieve, Use, or Manage Safe [2]. Therefore, to grant any permission on a safe, you
need to be added as a safe member with the appropriate authorizations, either directly or through
another group. The Vault Admins group can be added to safes with all safe member authorizations,
but this is not done automatically for all safes. By default, this group is only added to a number of
system safes, such as the Password Manager Safe, the PVWAConfig Safe, and the Notification
Methods Safe [3]. For other safes, the Vault Admins group can be added manually by the safe owner or
another user with the Manage Safe authorization [4].
Reference: 1: Predefined users and groups, Predefined groups subsection
2: [CyberArk Privileged Access Security Implementation Guide], Chapter 3: Managing Safes, Section:
Safe Authorizations, Table 2-1: Safe Authorizations
3: What default groups can be automatically added to Safes when they are created?
4: [CyberArk Privileged Access Security Administration Guide], Chapter 3: Managing Safes, Section:
Adding Safe Members

14.What is the purpose of the Immediate Interval setting in a CPM policy?
A. To control how often the CPM looks for System Initiated CPM work.
B. To control how often the CPM looks for User Initiated CPM work.
C. To control how often the CPM rests between password changes.
D. To control the maximum amount of time the CPM will wait for a password change to complete.
Answer: B
Explanation:
The Immediate Interval setting in a CPM policy is used to control how often the CPM looks for User
Initiated CPM work, such as manual password changes, retrievals, or requests. The Immediate
Interval setting defines the frequency, in minutes, that the CPM will check the accounts that are
associated with the policy and perform the actions that were initiated by the users. For example, if the
Immediate Interval is set to 2, the CPM will check the accounts every 2 minutes and change, retrieve,
or authorize the passwords according to the user requests. The Immediate Interval setting does not
affect System Initiated CPM work, such as password changes, verifications, or reconciliations that are
triggered by the policy settings, such as Expiration Period or One Time Password. These actions are
controlled by the Interval setting in the CPM policy. The Immediate Interval setting also does not
control how often the CPM rests between password changes or the maximum amount of time the
CPM will wait for a password change to complete. These parameters are configured in the CPM.ini
file, which is stored in the root folder of the <CPM username> Safe.
Reference: [Defender PAM eLearning Course], Module 5: Password Management, Lesson 5.1: CPM
Policies, Slide 9: CPM Policy Settings
[Defender PAM Sample Items Study Guide], Question 6: CPM Policy Settings
[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide,
Chapter 5: Managing Passwords, Section: CPM Policy Settings, Subsection: Immediate Interval

15.What must you specify when configuring a discovery scan for UNIX? (Choose two.)
A. Vault Administrator
B. CPM Scanner
C. root password for each machine
D. list of machines to scan
E. safe for discovered accounts
Answer: B, D
Explanation:
When configuring a discovery scan for UNIX, you must specify the CPM Scanner and the list of
machines to scan. The CPM Scanner is the component responsible for executing the discovery
process, and it requires a list of target machines to scan for new and modified accounts and their
dependencies. This list can be provided in the form of a CSV file for UNIX machines [1]. The discovery
process will then scan the predefined machines to identify privileged accounts that should be
onboarded into the Vault for secure and automated management according to enterprise
compliance policies [2].
Reference: 1: CyberArk Docs - Manage discovery processes
2: CyberArk Docs - Scan for accounts using Account Discovery

16.To ensure all sessions are being recorded, a CyberArk administrator goes to the master policy and
makes configuration changes.
Which configuration is correct?
A. Require privileged session monitoring and isolation = inactive; Record and save session activity =
active.
B. Require privileged session monitoring and isolation = inactive; Record and save session activity =
inactive.
C. Require privileged session monitoring and isolation = active; Record and save session activity =
active.
D. Require privileged session monitoring and isolation = active; Record and save session activity =
inactive.
Answer: C
Explanation:
This configuration ensures that privileged sessions are monitored and isolated, and all session
activities are recorded and saved for future reference.

17.Which service should NOT be running on the DR Vault when the primary Production Vault is up?
A. PrivateArk Database
B. PrivateArk Server
C. CyberArk Vault Disaster Recovery (DR) service
D. CyberArk Logical Container
Answer: C
Explanation:
The user that is automatically added to all Safes and cannot be removed is the Master user. The
Master user is a predefined user that is created during the Vault installation and has full permissions
on all Safes and accounts. The Master user is the only user that can perform certain tasks, such as
creating other predefined users, managing the Vault configuration, and restoring the Vault from a
backup. The Master user cannot be deleted or modified by any other user, and is always a member of
every Safe [1][2].
Reference: 1: Predefined users and groups - CyberArk, section “Master”
2: Safes and Safe members - CyberArk, section “Safe members overview”

18.Which of the following logs contains information about errors related to PTA?
A. ITAlog.log
B. diamond.log
C. pm_error.log
D. WebApplication.log
Answer: B
Explanation:
The diamond.log is the main log file that records the PTA system
activities, such as receiving and processing events, generating alerts, and sending notifications. The
diamond.log also contains information about errors related to PTA, such as connection failures,
configuration issues, parsing problems, or internal exceptions. The diamond.log can be found in the
/opt/tomcat/logs directory on the PTA machine. The debug level of the diamond.log can be changed
using the changeLogLevel.sh utility or manually editing the log4j.properties file. The diamond.log can
be used for troubleshooting PTA issues and viewing statistics.

19.What is the chief benefit of PSM?
A. Privileged session isolation
B. Automatic password management
C. Privileged session recording
D. ‘Privileged session isolation’ and ‘Privileged session recording’
Answer: D
Explanation:
The chief benefit of PSM is to provide both privileged session
isolation and privileged session recording. Privileged session isolation means that the PSM server
acts as a proxy between the user and the target machine, preventing the user from directly accessing
the target machine or exposing the privileged account credentials. Privileged session recording
means that the PSM server captures and stores a video and a transcript of the user’s activity on the
target machine, enabling auditing and monitoring of the privileged session. These benefits help to
enhance the security and compliance of the privileged access management solution, as they prevent
credential exposure, restrict unauthorized access, detect malicious activity, and provide evidence for
forensic analysis.

20.A Simple Mail Transfer Protocol (SMTP) integration is critical for monitoring Vault activity and
facilitating workflow processes, such as Dual Control.
A. True
B. False
Answer: A
Explanation:
A Simple Mail Transfer Protocol (SMTP) integration is critical for
monitoring Vault activity and facilitating workflow processes, such as Dual Control. SMTP is a
protocol that enables the sending and receiving of email messages. By integrating SMTP with
CyberArk Defender PAM, the Event Notification Engine (ENE) can automatically send email
notifications about PAM activities to predefined users [1]. For example, the ENE can notify users about
password requests, password confirmations, password changes, password verifications, password
reconciliations, password access, password usage, password expiration, and password
violations [1]. The ENE can also notify users about system events, such as Vault backup, Vault restore,
Vault shutdown, Vault startup, and Vault license expiration [1]. These notifications help to monitor the
Vault activity and ensure compliance with the security policies.
SMTP integration is also essential for facilitating workflow processes, such as Dual Control. Dual
Control is a feature that enables authorized Safe owners to either grant or deny requests to access
accounts. This feature adds an additional measure of protection, in that it enables you to see who
wants to access the information in the Safe, when, and for what purpose. The Master Policy enables
organizations to ensure that passwords can only be retrieved after permission or ‘confirmation’ has
been granted from an authorized Safe Owner(s). This is known as Dual Control [2]. SMTP integration
enables the ENE to send email notifications to the requesters and the confirmers about the status of
the password requests. The ENE can also send reminders to the confirmers if they have not
responded to the requests within a specified time period [2]. These notifications help to streamline the
workflow process and ensure timely and secure access to the accounts.
Reference: 1: Email notifications - CyberArk
2: Dual Control - CyberArk

21.In addition to add accounts and update account contents, which additional permission on the safe
is required to add a single account?
A. Upload Accounts Properties
B. Rename Accounts
C. Update Account Properties
D. Manage Safe
Answer: C
Explanation:
In addition to the permissions to add accounts and update account contents, the permission to
Update Account Properties is required to add a single account to a safe in CyberArk. This permission
allows the user to modify the properties of an account, which is a necessary step when adding a new
account to ensure that all relevant details and configurations are correctly set.
Reference: The information provided is based on general knowledge of CyberArk PAM best practices
and the permissions required for account management as outlined in CyberArk’s official
documentation.

22.Which statement about the Master Policy best describes the differences between one-time
password and exclusive access functionality?
A. Exclusive access means that only a specific group of users may use the account. After an account
on a one-time password platform is used, the account is deleted from the safe automatically.
B. Exclusive access locks the account indefinitely. One-time password can be used to replace invalid
account passwords.
C. Exclusive access is enabled by default in the Master Policy. One-time password should only be
enabled for emergencies.
D. Exclusive access allows only one person to check-out an account at a time. One-time password
schedules an account for a password change after the MinValidityPeriod period expires.
Answer: D
Explanation:
The Master Policy in CyberArk defines the behavior of one-time passwords and exclusive
access. Exclusive access ensures that only one user can check out an account at any given time,
effectively locking the account during its use to prevent simultaneous access [1]. On the other
hand, one-time password functionality is designed to change the account’s password after it is used,
based on a timer set by the MinValidityPeriod parameter in the policy file. This means that once the
password is checked out and the timer expires, the Central Policy Manager (CPM) will change the
password [2]. These settings are often used together to maintain accountability and security for the
usage of shared privileged accounts.
Reference: 1: CyberArk Docs: One-time passwords and exclusive accounts
2: CyberArk Knowledge Article: CPM: What is the difference between “One Time” and “Exclusive”
passwords?

23.Which user is automatically added to all Safes and cannot be removed?
A. Auditor
B. Administrator
C. Master
D. Operator
Answer: C
Explanation:
The user that is automatically added to all Safes and cannot be removed is the Master user. The
Master user is a predefined user that is created during the Vault installation and has full permissions
on all Safes and accounts. The Master user is the only user that can perform certain tasks, such as
creating other predefined users, managing the Vault configuration, and restoring the Vault from a
backup. The Master user cannot be deleted or modified by any other user, and is always a member of
every Safe [1][2].
Reference: 1: Predefined users and groups - CyberArk, section “Master”
2: Safes and Safe members - CyberArk, section “Safe members overview”

24.It is possible to restrict the time of day, or day of week that a reconcile process can occur.
A. TRUE
B. FALSE
Answer: A
Explanation:
It is possible to restrict the time of day, or day of week that a reconcile process can occur by using the
Reconcile Safe option in the Platform Management section of the PrivateArk Client. This option allows
the administrator to define the reconcile schedule for each platform, which specifies when the
reconcile process can run and how often it should be performed. The reconcile schedule can be set to
run daily, weekly, monthly, or on specific days and times. By restricting the reconcile process, the
administrator can reduce the risk of unauthorized access to the accounts and improve the
performance of the system.
Reference: [Defender PAM Course], Module 5: Reconcile and Rotate, Lesson 1: Reconcile and
Rotate Overview, Slide 9: Reconcile Safe
[Defender PAM Study Guide], Section 5.1: Reconcile and Rotate Overview, Page 24: Reconcile Safe
[CyberArk Documentation], Privileged Access Security Implementation Guide, Chapter 5: Configure
the Vault, Section 5.4: Configure Platforms, Subsection 5.4.2: Reconcile Safe

25.It is possible to leverage DNA to provide discovery functions that are not available with
auto-detection.
A. TRUE
B. FALSE
Answer: A
Explanation:
It is possible to leverage DNA to provide discovery functions that are not available with
auto-detection. Auto-detection is a feature that enables the CPM to automatically discover and onboard
accounts on target systems that are associated with a specific platform. Auto-detection can be
configured in the Platform Management settings for each platform that supports this functionality.
However, auto-detection has some limitations, such as requiring the CPM to have access to the
target system, not supporting all platforms, and not providing comprehensive information about the
accounts and their security risks [1]. DNA, on the other hand, is a standalone scanning tool that can
discover and audit privileged accounts across the network, regardless of the platform or the CPM
access. DNA can provide additional discovery functions, such as identifying machines vulnerable to
Pass-the-Hash attacks, collecting reliable and comprehensive audit information, and generating
reports and visual maps that evaluate the privileged account security status in the organization [2]. DNA
can also be used before or independently of the CyberArk PAM solution, as it does not require agents
to be installed on target systems [2].
Reference: 1: Auto-detection
2: CyberArk DNA Overview

26.If a password is changed manually on a server, bypassing the CPM, how would you configure the
account so that the CPM could resume management automatically?
A. Configure the Provider to change the password to match the Vault’s Password
B. Associate a reconcile account and configure the platform to reconcile automatically
C. Associate a logon account and configure the platform to reconcile automatically
D. Run the correct auto detection process to rediscover the password
Answer: B
Explanation:
A reconcile account is a privileged account that has the permission to reset the password of another
account on the target system. By associating a reconcile account with the account that has been
changed manually, the CPM can use the reconcile account to restore the password of the account to
the value that is stored in the Vault, in case it is changed or out of sync. This process is called
password reconciliation and it ensures that the passwords are synchronized and available for use. To
configure the account so that the CPM can resume management automatically, the platform that the
account belongs to must have the following parameters set [1]:
RCAutomaticReconcileWhenUnsynched: This parameter determines whether passwords will be
reconciled automatically after the CPM detects a password on a remote machine that is not
synchronized with its corresponding password in the Vault. The acceptable values are Yes or No.
RCReconcileReasons: This parameter determines the codes that represent the CPM plugin errors
that will launch a reconciliation process. The acceptable values are plug-in return codes separated by
a comma.
RCFromHour, RCToHour: These parameters determine the time frame in hours during which the
CPM can reconcile passwords, either manually or automatically. The acceptable values are 0-23 or -1
for none.
RCExecutionDays: This parameter determines the days of the week when the CPM will reconcile
passwords. The acceptable values are days of the week, separated by commas.
Reference: [1] Password Reconciliation

27. Users who have the 'Access Safe without confirmation' safe permission on a safe where accounts
are configured for Dual control, still need to request approval to use the account.
A. TRUE
B. FALSE
Answer: B
Explanation:
Users who have the ‘Access Safe without confirmation’ safe permission on a safe where accounts
are configured for Dual control, do not need to request approval to use the account. The ‘Access
Safe without confirmation’ safe permission is a special permission that allows a user to bypass the
Dual control mechanism and access the accounts in the safe without requiring confirmation from
other authorized users. This permission can be useful for emergency situations or trusted users who
need immediate access to the accounts. However, this permission also increases the risk of
unauthorized or malicious access, so it should be granted with caution and monitored closely [1].
Reference: [1] Access without confirmation

28. Which built-in report from the reports page in PVWA displays the number of days until a password
is due to expire?
A. Privileged Accounts Inventory
B. Privileged Accounts Compliance Status
C. Activity Log
D. Privileged Accounts CPM Status
Answer: A
Explanation:
The Privileged Accounts Inventory report in PVWA includes a column that displays the Age of the
password, which indicates the number of days since the password was created [1]. This information
can be used to determine how many days are left until a password is due to expire, based on the
password policy’s expiration settings.
Reference: CyberArk’s official documentation on PVWA reports provides a list of available reports
and their descriptions, including the Privileged Accounts Inventory report which contains details about
password age and other relevant information [1].

29. Where can you check that the LDAP binding is using TCP/636?
A. in Active Directory under "Users OU" => "User Properties" => "External Bindings" => "Port"
B. in PVWA, under "LDAP Integration" => "LDAP" => "Directories" => "" => "Hosts" => "Host"
C. in PrivateArk Client, under "Tools" => "Administrative Tools" => "Directory Mapping" => ""
D. From the PVWA, connect to the domain controller using Test-NetConnection on Port 636.
Answer: D
Explanation:
To check that the LDAP binding is using TCP/636, you can use the Test-NetConnection cmdlet from
the PVWA to connect to the domain controller on Port 636. This method allows you to verify that the
LDAP service is listening on the secure port and that the connection can be established using
SSL/TLS, which is typically associated with port 636 [1].
Reference: CyberArk Docs - LDAP Integration [2]
CyberArk Knowledge Article - How to test outgoing LDAP external directory connectivity to the vault
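
The check described in question 29, as an added example that is not part of the original document or of CyberArk's own tooling: Test-NetConnection reports whether the TCP connection to port 636 succeeded, and this function additionally completes a TLS handshake and reports the certificate the domain controller presents. The function name Test-LdapsEndpoint and the host name dc01.example.test are assumptions; run it from the PVWA server against your own domain controller.

```powershell
# Added example. 'dc01.example.test' is a placeholder; use your domain controller's FQDN.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $report = [ordered]@{
        ComputerName = $ComputerName; Port = $Port
        TcpReachable = $false; TlsHandshake = $false
        Protocol = $null; CertSubject = $null; CertNotAfter = $null; Error = $null
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    $ssl = $null
    try {
        # Step 1: plain TCP reachability, the same thing Test-NetConnection -Port reports.
        if (-not $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)) {
            throw "TCP connect to ${ComputerName}:$Port timed out"
        }
        $report.TcpReachable = $true
        $client.ReceiveTimeout = $client.SendTimeout = $TimeoutMs

        # Step 2: TLS handshake with default certificate validation, so an
        # untrusted, expired or name-mismatched certificate fails here.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ComputerName)
        $report.TlsHandshake = $true
        $report.Protocol = $ssl.SslProtocol

        # Step 3: record which certificate was presented and when it expires.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $report.CertSubject = $cert.Subject
        $report.CertNotAfter = $cert.NotAfter
    }
    catch {
        # Keep the innermost message (refused, timed out, certificate rejected).
        $report.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
    [pscustomobject]$report
}

Test-LdapsEndpoint -ComputerName 'dc01.example.test'
```

TcpReachable true with TlsHandshake false means the port is open but the certificate or TLS configuration is rejected by the calling host, which is the case a plain port test cannot distinguish.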

30. In the PrivateArk Client, how do you add an LDAP group to a CyberArk group?
A. Select Update on the CyberArk group, and then click Add > LDAP Group
B. Select Update on the LDAP Group, and then click Add > LDAP Group
C. Select Member Of on the CyberArk group, and then click Add > LDAP Group
D. Select Member Of on the LDAP group, and then click Add > LDAP Group
Answer: C
Explanation:
To add an LDAP group to a CyberArk group, you need to use the PrivateArk Client and follow these
steps [1]:
In the Users and Groups tree, select the CyberArk group that you want to add the LDAP group to.
In the Properties pane, click Member Of.
Click Add > LDAP Group.
In the LDAP Group dialog box, enter the name of the LDAP group and click OK.
Reference: Add an LDAP group to a Vault group

31. It is possible to restrict the time of day, or day of week, that a verify process can occur.
A. TRUE
B. FALSE
Answer: A
Explanation:
It is possible to restrict the time of day, or day of week that a verify process can occur by using the
Verify Time Window parameter in the Platform Management page. This parameter allows the
administrator to define a time window for each platform, during which the verify process can be
performed. The verify process will not run outside of this time window, unless it is manually initiated
by the administrator. This feature can help reduce the load on the target systems and the network
during peak hours.
Reference: [Defender PAM Course], Module 4: Managing Accounts, Lesson 2: Account Verification,
Slide 8: Verify Time Window
[Defender PAM Documentation], Version 12.3, Administration Guide, Chapter 4: Managing
Platforms, Section: Verify Time Window

32. What is the purpose of the Interval setting in a CPM policy?
A. To control how often the CPM looks for System Initiated CPM work.
B. To control how often the CPM looks for User Initiated CPM work.
C. To control how long the CPM rests between password changes.
D. To control the maximum amount of time the CPM will wait for a password change to complete.
Answer: A
Explanation:
The Interval setting in a CPM policy is used to control how often the CPM looks for System Initiated
CPM work, such as password changes, verifications, and reconciliations. The Interval setting defines
the frequency, in minutes, that the CPM will check the accounts that are associated with the policy
and perform the required actions. For example, if the Interval is set to 60, the CPM will check the
accounts every hour and change, verify, or reconcile the passwords according to the policy settings.
The Interval setting does not affect User Initiated CPM work, such as manual password changes or
retrievals, which are performed immediately upon request. The Interval setting also does not control
how long the CPM rests between password changes or the maximum amount of time the CPM will
wait for a password change to complete. These parameters are configured in the CPM.ini file, which
is stored in the root folder of the <CPM username> Safe.
Reference: [Defender PAM eLearning Course], Module 5: Password Management, Lesson 5.1: CPM
Policies, Slide 9: CPM Policy Settings
[Defender PAM Sample Items Study Guide], Question 4: CPM Policy Settings
[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide,
Chapter 5: Managing Passwords, Section: CPM Policy Settings, Subsection: Interval

33. When a group is granted the 'Authorize Account Requests' permission on a safe, Dual Control
requests must be approved by
A. Any one person from that group
B. Every person from that group
C. The number of persons specified by the Master Policy
D. That access cannot be granted to groups
Answer: C
Explanation:
When a group is granted the ‘Authorize Account Requests’ permission on a safe, dual control
requests must be approved by the number of persons specified by the Master Policy. This means that
the request will be sent to all the members of the group, but only a certain number of them need to
confirm it for the request to be authorized. The Master Policy defines the number of required
approvers for each level of confirmation, as well as the number of levels. For example, if the Master
Policy requires two approvers at the first level and one approver at the second level, then the request
will be sent to the group and two members of the group must confirm it before it is sent to the second
level of confirmation, where one more approver is needed.
Reference: Request access
Safe Members
CyberArk Defender - PAM Exam Practice Test

34. What is the purpose of the CyberArk Event Notification Engine service?
A. It sends email messages from the Central Policy Manager (CPM)
B. It sends email messages from the Vault
C. It processes audit report messages
D. It makes Vault data available to components
Answer: B
Explanation:
The purpose of the CyberArk Event Notification Engine service is to send email notifications about
Privileged Access Security solution activities automatically to predefined users. It is installed
automatically as part of the Vault server installation as a service. The Event Notification Engine (ENE)
can be configured to send email notifications for various events, such as password changes,
password verifications, account onboarding, account deletion, audit reports, alerts, and more. The
ENE can also support encrypted and authenticated email notifications, as well as high availability
implementations [1].
Reference: Event Notification Engine - CyberArk, section “Event Notification Engine”

35. Where can you assign a Reconcile account? (Choose two.)
A. in PVWA at the account level
B. in PVWA in the platform configuration
C. in the Master policy of the PVWA
D. at the Safe level
E. in the CPM settings
Answer: A, B
Explanation:
A Reconcile account can be assigned in the Privileged Vault Web Access (PVWA) at both the
account level and within the platform configuration. At the account level, a Reconcile account
password can be defined which will override the account specified in the platform [1]. In the platform
configuration, you can navigate to Platform Management, select the platform, edit it, and then expand
Automatic Password Management to enter the values in the ‘ReconcileAccountSafe’ and
‘ReconcileAccountName’ fields, which will apply to all accounts attached to that specific platform [2].
Reference: CyberArk Docs - Reconcile Password [1]
CyberArk Community - Associate reconcile account with a specific platform

36. Users can be restricted to using certain CyberArk interfaces (e.g. PVWA or PACLI).
A. TRUE
B. FALSE
Answer: A
Explanation:
Users can be restricted to using certain CyberArk interfaces (e.g. PVWA or PACLI) by using the User
Type property. The User Type property is a parameter that can be configured in the User
Management settings for each user. The User Type property defines which interfaces the user can
access the Vault through, such as PVWA, PrivateArk Client, PACLI, PSM, etc. The User Type
property is determined by the CyberArk license and can be assigned to users when they are added to
the Vault or when their properties are updated. For example, if a user is assigned the User Type of
EPVUser, they can access the Vault through PVWA, PrivateArk Client, PrivateArk Webclient, PACLI,
and PIMSU. However, if a user is assigned the User Type of BizUser, they can only access the Vault
through PVWA [1]. Therefore, by using the User Type property, administrators can control and restrict
which CyberArk interfaces the users can use.
Reference: [1] Manage users, Types of users subsection
