PAM-DeF CyberArk Defender - PAM Exam Practice Questions

This document provides a set of practice questions for the PAM-DEF exam, designed to help candidates prepare by reflecting the exam's structure and topics. It includes topic-focused questions, accurate answer keys, and is intended for personal study only. The document also offers links to additional resources for further study and practice.

This PDF contains a set of carefully selected practice questions for the PAM-DEF exam. These
questions are designed to reflect the structure, difficulty, and topics covered in the actual exam,
helping you reinforce your understanding and identify areas for improvement.

What's Inside:

1. Topic-focused questions based on the latest exam objectives
2. Accurate answer keys to support self-review
3. Designed to simulate the real test environment
4. Ideal for final review or daily practice

Important Note:

This material is for personal study purposes only. Please do not redistribute or use for commercial
purposes without permission.

For full access to the complete question bank and topic-wise explanations, visit:
CertQuestionsBank.com

Our YouTube: https://www.youtube.com/@CertQuestionsBank

FB page: https://www.facebook.com/certquestionsbank
Share some PAM-DEF exam online questions below.
1.In a rule using “Privileged Session Analysis and Response” in PTA, which session options are
available to configure as responses to activities?
A. Suspend, Terminate, None
B. Suspend, Terminate, Lock Account
C. Pause, Terminate, None
D. Suspend, Terminate
Answer: A
Explanation:
https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PTA/Security-Configuration.htm?TocPath=End User%7CSecurity Events%7C_____3
These are the session response options that can be configured in a rule using Privileged Session
Analysis and Response in PTA. These options determine how PTA reacts to suspicious activities
detected in a privileged session. Suspend means that the session is paused and the user is notified.
Terminate means that the session is ended and the user is disconnected. None means that no action
is taken on the session, but the event is still recorded and reported. You can find more information
about these options and how to configure them in the reference below.
Reference: Configure security events

2.Which processes reduce the risk of credential theft? (Choose two.)
A. require dual control password access approval
B. require password change every X days
C. enforce check-in/check-out exclusive access
D. enforce one-time password access
Answer: B, D
Explanation:

3.The Active Directory User configured for Windows Discovery needs which permission(s) or
membership?
A. Member of Domain Admin Group
B. Member of LDAP Admin Group
C. Read and Write Permissions
D. Read Only Permissions
Answer: D
Explanation:
The Active Directory User configured for Windows Discovery requires Read Only Permissions. This
level of permission allows the user to query and discover objects within the Active Directory without
the ability to modify any objects or settings. Having read-only access is sufficient for discovery
purposes, as it enables the user to retrieve necessary information without posing a risk of
unintended changes to the directory1.
Reference: Microsoft Learn: Configure discovery methods1

4.What is the correct process to install a custom platform from the CyberArk Marketplace?
A. Locate the custom platform in the Marketplace and click Import.
B. Download the platform from the Marketplace and import it using the PVWA.
C. Contact CyberArk Support for guidance on how to import the platform.
D. Duplicate an existing platform and align the setting to match the platform from the Marketplace.
Answer: B
Explanation:
The correct process to install a custom platform from the CyberArk Marketplace involves downloading
the platform package from the Marketplace and then importing it using the Privileged Vault Web
Access (PVWA). This process allows you to add new platforms that are not included in the default
installation directly into the CyberArk Privileged Access Manager (PAM) - Self-Hosted1.
Reference: CyberArk Docs - Add New Platforms1
CyberArk Docs - Manage platforms2

5.In the Private Ark client, how do you add an LDAP group to a CyberArk group?
A. Select Update on the CyberArk group, and then click Add > LDAP Group
B. Select Update on the LDAP Group, and then click Add > LDAP Group
C. Select Member Of on the CyberArk group, and then click Add > LDAP Group
D. Select Member Of on the LDAP group, and then click Add > LDAP Group
Answer: C
Explanation:
To add an LDAP group to a CyberArk group, you need to use the Private Ark client and follow these
steps1:
In the Users and Groups tree, select the CyberArk group that you want to add the LDAP group to.
In the Properties pane, click Member Of.
Click Add > LDAP Group.
In the LDAP Group dialog box, enter the name of the LDAP group and click OK.
Reference: Add an LDAP group to a Vault group

6.A new colleague created a directory mapping between the Active Directory groups and the Vault.
Where can the newly configured directory mapping be tested?
A. Connect to the Active Directory and ensure the organizational unit exists.
B. Connect to Sailpoint (or similar tool) to ensure the organizational unit is correctly named; log in to
the PVWA with "Administrator" and confirm authentication succeeds.
C. Search for members that exist only in the mapping group to grant them safe permissions through
the PVWA.
D. Connect to the PrivateArk Client with the Administrator Account to see if there is a user in the Vault
Admin Group.
Answer: C
Explanation:
The newly configured directory mapping can be tested by searching for members that exist only in the
mapping group to grant them safe permissions through the PVWA (Privileged Vault Web Access).
This process allows you to verify that the directory mapping is functioning correctly by ensuring that
only the intended users, who are part of the specific Active Directory group, are granted access to the
safes in the CyberArk Vault12.
Reference: CyberArk Docs - Create directory mapping1
CyberArk Docs - Edit directory mapping3
CyberArk Docs - LDAP Integration in PVWA

7.Which command configures email alerts within PTA if settings need to be changed post install?
A. /opt/tomcat/utility/emailConfiguration.sh
B. /opt/PTA/emailConfiguration.sh
C. /opt/PTA/utility/emailConfig.sh
D. /opt/tomcat/utility/emailSetup.sh
Answer: A
Explanation:
The command to configure email alerts within PTA (Privileged Threat Analytics) after the initial
installation is /opt/tomcat/utility/emailConfiguration.sh. This command is used to start the PTA
utility that allows you to set up email notifications for various alerts. During the configuration
process, you will be prompted to enter details such as the SMTP/S protocol, email server IP address,
SMTP port, sender’s email address, and recipient’s email address. If the mail server requires
authentication, you will also need to provide the username and password for the user that will send
email notifications1.
Reference: CyberArk’s official documentation provides a detailed procedure on how to configure PTA
to send alerts to emails, including the use of the /opt/tomcat/utility/emailConfiguration.sh command

8.The Password upload utility can be used to create safes.
A. TRUE
B. FALSE
Answer: A
Explanation:
The Password Upload utility can be used to create safes, as well as password objects, folders, and
platforms. The Password Upload utility works with the CyberArk Password Vault to create password
objects from a passwords list and store them in the Vault. This enables you to upload large numbers
of passwords automatically and makes the Vault implementation process quicker and more
automatic. The Password Upload utility initiates the Vault environment required to store passwords in
the safe and start working with them. This includes creating new safes, adding the CPM user as a
safe owner, and sharing the safe with the Password Vault Web Access1.
Reference: 1: Password Upload Utility

9.PTA can automatically suspend sessions if suspicious activities are detected in a privileged
session, but only if the session is made via the CyberArk PSM.
A. True
B. False, the PTA can suspend sessions whether the session is made via the PSM or not
Answer: B
Explanation:
The PTA can automatically suspend sessions if suspicious activities are detected in a privileged
session, regardless of the session method. The PTA can suspend sessions that are made via the
PSM, the PVWA, or directly to the target system. The PTA can also suspend sessions that are made
via SSH, RDP, or other protocols.
Reference: Defender PAM Sample Items Study Guide, page 24
PTA User Guide, page 17

10.By default, members of which built-in groups will be able to view and configure Automatic
Remediation and Session Analysis and Response in the PVWA?
A. Vault Admins
B. Security Admins
C. Security Operators
D. Auditors
Answer: B
Explanation:
Security Admins are the built-in group that can view and configure Automatic Remediation and
Session Analysis and Response in the PVWA. These features are part of the Privileged Threat
Analytics (PTA) module, which is designed to detect and respond to anomalous activities and risky
behaviors in the privileged environment. Security Admins have the permissions to access the PTA
settings and configure the policies and actions for Automatic Remediation and Session Analysis and
Response.
Reference: Defender PAM Sample Items Study Guide, page 18, question 49
Privileged Threat Analytics Implementation Guide, page 9, section “Security Admins”

11.Which statement is true about setting the reconcile account at the platform level?
A. This is the only way to enable automatic reconciliation of account passwords.
B. CPM performance will be improved when the reconcile account is set at the platform level.
C. A rule can be used to specify the reconcile account dynamically or a specific reconcile account can
be selected.
D. This configuration prevents the association from becoming broken if the reconcile account is
moved to a different safe.
Answer: C
Explanation:
Setting the reconcile account at the platform level allows for flexibility in how the reconcile account
is specified. A rule can be used to dynamically determine the appropriate reconcile account, or a
specific reconcile account can be selected and configured directly in the platform settings. This
approach provides the ability to manage reconciliation accounts more efficiently and adapt to
different scenarios1.
Reference: CyberArk Community - Associate reconcile account with a specific platform

12.Due to corporate storage constraints, you have been asked to disable session monitoring and
recording for 500 testing accounts used for your lab environment.
How do you accomplish this?
A. Master Policy>select Session Management>add Exceptions to the platform(s)>disable Session
Monitoring and Recording policies
B. Administration>Platform Management>select the platform(s)>disable Session Monitoring and
Recording
C. Polices>Access Control (Safes)>select the safe(s)>disable Session Monitoring and Recording
policies
D. Administration>Configuration Options>Options>select Privilege Session Management>disable
Session Monitoring and Recording policies
Answer: D
Explanation:
To disable session monitoring and recording for a large number of accounts due to storage
constraints, you would navigate to the Administration section of the CyberArk Privileged Access
Security (PAS) solution, specifically to the Configuration Options. From there, you would select the
Privilege Session Management (PSM) options and disable the Session Monitoring and Recording
policies. This action would apply the changes to the specified accounts, thus disabling the session
monitoring and recording features for them1.
Reference: The answer is based on general knowledge of CyberArk PAS and best practices for
managing session policies within the system. For specific steps and detailed procedures, please refer
to the official CyberArk Defender PAM course materials and documentation

13.Which service should NOT be running on the DR Vault when the primary Production Vault is up?
A. PrivateArk Database
B. PrivateArk Server
C. CyberArk Vault Disaster Recovery (DR) service
D. CyberArk Logical Container
Answer: C
Explanation:
The user that is automatically added to all Safes and cannot be removed is the Master user. The
Master user is a predefined user that is created during the Vault installation and has full permissions
on all Safes and accounts. The Master user is the only user that can perform certain tasks, such as
creating other predefined users, managing the Vault configuration, and restoring the Vault from a
backup. The Master user cannot be deleted or modified by any other user, and is always a member of
every Safe12.
Reference: Predefined users and groups - CyberArk, section “Master”
Safes and Safe members - CyberArk, section “Safe members overview”

14.What is the maximum number of levels of authorization you can set up in Dual Control?
A. 1
B. 2
C. 3
D. 4
Answer: B
Explanation:
Dual Control is a feature that allows you to set up a workflow for approving access requests to
sensitive accounts. You can configure up to two levels of authorization for each account, meaning
that you need up to two different authorizers to approve the request before the user can access the
account. The authorizers can be either users or groups, and they can have different approval
methods, such as email, SMS, or CyberArk interface.
Reference: [Defender PAM] course, Module 5: Privileged Session Management, Lesson 5.2: Dual
Control [Defender PAM Sample Items Study Guide], Question 31 [CyberArk Documentation], Dual
Control

15.Which of the following files must be created or configured in order to run Password Upload Utility?
Select all that apply.
A. PACli.ini
B. Vault.ini
C. conf.ini
D. A comma delimited upload file
Answer: A, C, D
Explanation:
To run the Password Upload Utility, you need to create or configure the following files:
A comma delimited upload file: This is a text file that contains the passwords and their properties that
will be uploaded to the Vault. The file must have a .csv extension and follow a specific format. The
first line in the file defines the names of the password properties as specified in the Password Vault.
Every other line represents a single password object and its property values, according to the
properties specified in the first line1.
PACli.ini: This is a configuration file that stores the parameters for the PACli, which is a command-line
interface that enables communication between the Password Upload Utility and the Vault. The
PACli.ini file must be located in the same folder as the Password Upload Utility executable file. The
file must contain the following parameters: Vault, User, Password, and LogFile2.
conf.ini: This is a configuration file that stores the parameters for the Password Upload Utility. The
conf.ini file must be located in the same folder as the Password Upload Utility executable file. The file
must contain the following parameters: InputFile, LogFile, and ErrorFile3.
You do not need to create or configure the following file to run the Password Upload Utility: Vault.ini:
This is a configuration file that stores the parameters for the Vault server, such as the database
name, port, and password. This file is not used by the Password Upload Utility, and it is not located in
the same folder as the Password Upload Utility executable file. The Vault.ini file is located in the Vault
installation folder, and it is used by the Vault service and the PrivateArk Client4.
Reference: 1: Create the Password File
2: PACli.ini
3: Password Upload Utility Parameter File (conf.ini)
4: [CyberArk Privileged Access Security Implementation Guide], Chapter 2: Installing the Vault,
Section: Configuring the Vault, Subsection: Vault.ini

16.You are logging into CyberArk as the Master user to recover an orphaned safe.
Which items are required to log in as Master?
A. Master CD, Master Password, console access to the Vault server, Private Ark Client
B. Operator CD, Master Password, console access to the PVWA server, PVWA access
C. Operator CD, Master Password, console access to the Vault server, Recover.exe
D. Master CD, Master Password, console access to the PVWA server, Recover.exe
Answer: A
Explanation:
The Master user is a predefined user that has complete control over the entire system and can
manage a full recovery when necessary. To log in as the Master user, you need the following items:
Master CD: This is a physical CD that contains the Private Recovery Key, which is a file named
RecPrv.key. This key is used to decrypt the Vault data and authenticate the Master user. The Master
CD must be inserted into the Vault server’s CD drive.
Master Password: This is a password that is set by the Master user during the initial installation of the
Vault. It is used to log in to the Vault with the Master user name. The Master password can be reset
by the Master user if needed.
Console access to the Vault server: This is a direct access to the Vault server machine, either
physically or remotely. The Master user can only log in from the Vault server machine, not from any
other client machine.
Private Ark Client: This is a graphical user interface that allows the Master user to connect to the
Vault and perform various tasks, such as recovering orphaned safes, activating predefined users, and
managing network areas. The Private Ark Client must be installed on the Vault server machine and
configured to use PrivateArk authentication method.
Reference: How to log in as the Master user, Predefined users and groups, Log in as Master from
CyberArk PrivateArk Client

17.You are configuring CyberArk to use HTML5 gateways exclusively for PSM connections.
In the PVWA, where do you set DefaultConnectionMethod to HTML5?
A. Options > Privileged Session Management UI
B. Options > Privileged Session Management
C. Options > Privileged Session Management Defaults
D. Options > Privileged Session Management Interface
Answer: A
Explanation:
To configure CyberArk to use HTML5 gateways exclusively for PSM connections, you need to set the
DefaultConnectionMethod to HTML5 in the PVWA. This is done by logging in to the PVWA with an
administrative user, navigating to Options > Privileged Session Management UI, and setting the
DefaultConnectionMethod to HTML51. This configuration ensures that HTML5 sessions are triggered
only for PSM machines associated with the HTML5 Gateway1.
Reference: CyberArk Docs - Secure Access with an HTML5 Gateway1

18.A newly created platform allows users to access a Linux endpoint. When users click to connect,
nothing happens.
Which piece of the platform is missing?
A. PSM-SSH Connection Component
B. UnixPrompts.ini
C. UnixProcess.ini
D. PSM-RDP Connection Component
Answer: A
Explanation:
A platform is a set of parameters that defines how CyberArk manages passwords and sessions for a
specific type of account or system. To allow users to access a Linux endpoint, the platform needs to
have a PSM-SSH connection component, which enables transparent connections to Linux machines
using the SSH protocol. The PSM-SSH connection component is configured in the Master Policy and
defines the settings for the PSM connection, such as the port, the authentication method, and the
terminal type. If the platform is missing the PSM-SSH connection component, the users will not be
able to click to connect to the Linux endpoint.
Reference: Connection Components, PSM-SSH Connection Component

19.A Logon Account can be specified in the Master Policy.
A. TRUE
B. FALSE
Answer: B
Explanation:
A Logon Account cannot be specified in the Master Policy. The Master Policy is a set of rules that
define the security and compliance policy of privileged accounts in the organization, such as access
workflows, password management, session monitoring, and auditing1. The Master Policy does not
include any technical settings that determine how the system manages accounts on various
platforms1. A Logon Account is a technical setting that defines the account that the CPM uses to log
on to a target system and perform password management tasks, such as changing, verifying, or
reconciling passwords2. A Logon Account can be specified in the Platform Management settings,
which are configured by the IT administrator for each platform2. The Platform Management settings
are independent of the Master Policy and can be customized according to the organization’s
environment and security policies1.
Reference: The Master Policy
[Platform Management]

20.What is the purpose of the CyberArk Event Notification Engine service?
A. It sends email messages from the Central Policy Manager (CPM)
B. It sends email messages from the Vault
C. It processes audit report messages
D. It makes Vault data available to components
Answer: B
Explanation:
The purpose of the CyberArk Event Notification Engine service is to send email notifications about
Privileged Access Security solution activities automatically to predefined users. It is installed
automatically as part of the Vault server installation as a service. The Event Notification Engine (ENE)
can be configured to send email notifications for various events, such as password changes,
password verifications, account onboarding, account deletion, audit reports, alerts, and more. The
ENE can also support encrypted and authenticated email notifications, as well as high availability
implementations1.
Reference: Event Notification Engine - CyberArk, section “Event Notification Engine”

21.You are concerned about the Windows Domain password changes occurring during business
hours.
Which settings must be updated to ensure passwords are only rotated outside of business hours?
A. In the platform policy - Automatic Password Management > Password Change > ToHour & FromHour
B. In the Master Policy - Account Change Window > ToHour & FromHour
C. Administration Settings - CPM Settings > ToHour & FromHour
D. On each individual account - Edit > Advanced > ToHour & FromHour
Answer: B
Explanation:
To ensure that Windows Domain password changes occur outside of business hours, the settings
that must be updated are found in the Master Policy under the Account Change Window section.
Here, you can specify the ToHour and FromHour to define the time frame outside of which the
passwords should be rotated. This setting allows you to control when password changes can occur,
ensuring that they do not interfere with business operations by taking place during non-business
hours1.
Reference: CyberArk Docs - Set password policies

22.You notice an authentication failure entry for the DR user in the ITALog.
What is the correct process to fix this error? (Choose two.)
A. PrivateArk Client > Tools > Administrative Tools > Users and Groups > DR User > Update >
Authentication > Update Password.
B. Create a new credential file, on the DR Vault, using the CreateCredFile utility and the newly set
password.
C. Create a new credential file, on the Primary Vault, using the CreateCredFile utility and the newly
set password.
D. PVWA > User Provisioning > Users and Groups > DR User > Update Password.
E. PrivateArk Client > Tools > Administrative Tools > Users and Groups > PAReplicate User > Update >
Authentication > Update Password.
Answer: A, B
Explanation:
When an authentication failure for the DR user is noticed in the ITALog, the correct process to fix this
error involves two steps. First, you need to update the password for the DR user. This is done through
the PrivateArk Client by navigating to Tools > Administrative Tools > Users and Groups > DR User >
Update > Authentication > Update Password. After updating the password, the next step is to create
a new credential file on the DR Vault using the CreateCredFile utility with the newly set
password. This ensures that the DR Vault has the updated credentials necessary for the DR user to
authenticate successfully12.
Reference: CyberArk’s official documentation on troubleshooting authentication issues, which
includes steps on updating user passwords and creating new credential files1.
Community discussions and support articles on resolving DR user authentication failures, which
provide practical insights and recommended actions2

23.The Vault administrator can change the Vault license by uploading the new license to the system
Safe.
A. True
B. False
Answer: A
Explanation:
According to the web search results, the Vault administrator can change the Vault license by
uploading the new license to the system Safe123. This can be done either from the Vault machine or
from a remote machine using the PrivateArk client. The new license file should be named license.xml
and replace the current one in the system Safe. This can be done without having to reinstall the Vault
or restart the service.

24.What is the configuration file used by the CPM scanner when scanning UNIX/Linux devices?
A. UnixPrompts.ini
B. plink.exe
C. dbparm.ini
D. PVConfig.xml
Answer: A
Explanation:
The configuration file used by the CPM scanner when scanning UNIX/Linux devices is
UnixPrompts.ini. This file is located in the CPM scanner installation folder and can be customized
according to the UNIX/Linux machine’s specific configuration. The file contains parameters that
define the prompts and paths for various commands and files used by the CPM scanner, such as
login password, sudo password, sudo error, passwd file, group file, shadow file, and sudoers
file.
Reference: Configure the CPM Scanner, CPM Scanner parameters file (CACPMScanner.exe.config)

25.Assuming a safe has been configured to be accessible during certain hours of the day, a Vault
Admin may still access that safe outside of those hours.
A. TRUE
B. FALSE
Answer: A
Explanation:
A Vault Admin may still access a safe outside of the hours that it has been configured to be
accessible, as long as he has the Bypass Safe Time Restrictions authorization on the Vault. The
Bypass Safe Time Restrictions authorization enables a user to access any safe in the Vault,
regardless of the time restrictions that are defined for that safe. This authorization is useful for
emergency situations or maintenance tasks that require access to safes outside of the normal
working hours. By default, the Vault Admins group has this authorization, as well as other
administrative authorizations on the Vault1.
Reference: 1: Vault Member Authorizations

26.When running a “Privileged Accounts Inventory” Report through the Reports page in PVWA on a
specific safe, which permission/s are required on that safe to show complete account inventory
information?
A. List Accounts, View Safe Members
B. Manage Safe Owners
C. List Accounts, Access Safe without confirmation
D. Manage Safe, View Audit
Answer: A
Explanation:
The Privileged Accounts Inventory Report provides information about all the privileged accounts in the
system, based on different filters, such as safe, platform, policy, and owner. To run this report through
the Reports page in PVWA on a specific safe, the user needs to have the following permissions on
that safe:
List Accounts: This permission allows the user to view the accounts in the safe and their properties,
such as name, address, platform, and policy.
View Safe Members: This permission allows the user to view the members of the safe and their
authorizations, such as owners, users, and groups.
These permissions are required to show complete account inventory information for the specific safe.
Other permissions, such as Manage Safe Owners, Access Safe without confirmation, Manage Safe,
and View Audit, are not relevant for this report.
Reference: Reports and Audits - CyberArk, Safe Member Authorizations

27.Via Password Vault Web Access (PVWA), a user initiates a PSM connection to the target Linux
machine using RemoteApp. When the client’s machine makes an RDP connection to the PSM
server, which user will be utilized?
A. Credentials stored in the Vault for the target machine
B. Shadowuser
C. PSMConnect
D. PSMAdminConnect
Answer: C
Explanation:
According to the CyberArk Defender PAM documentation1, when a user initiates a PSM connection
to the target Linux machine using RemoteApp via PVWA, the client’s machine makes an RDP
connection to the PSM server using the PSMConnect user. The PSMConnect user is a local or
domain user that starts PSM sessions on the PSM machine. The PSMConnect user has limited
permissions and access rights on the PSM server, and its credentials are managed by the CPM. The
PSMConnect user retrieves the credentials of the target account from the vault and uses them to
establish a secure connection to the target machine. The user can then interact with the target
machine through the PSM session, while the PSM server records and audits the session activity.

28.Which methods can you use to add a user directly to the Vault Admin Group? (Choose three.)
A. REST API
B. PrivateArk Client
C. PACLI
D. PVWA
E. Active Directory
F. Sailpoint
Answer: A, B, C
Explanation:
To add a user directly to the Vault Admin Group in CyberArk, you can use the following methods:
REST API: The REST API allows for programmatic management of users and groups within the
Vault, including adding users to the Vault Admin Group1.
PrivateArk Client: The PrivateArk Client provides a graphical interface for managing users and
groups, and it can be used to add users directly to the Vault Admin Group2.
PACLI: The PACLI (Privileged Access Command Line Interface) is a command-line tool that enables
administrators to manage the Vault, including adding users to groups2.
These methods provide different ways to manage users and their group memberships within the
CyberArk Vault, offering flexibility for administrators to choose the most suitable approach for their
needs.
Reference: CyberArk’s official documentation on using the REST API to manage users and groups1.
Information on managing users and groups through the PrivateArk Client and PACLI2.

29.You want to create a new onboarding rule.
Where do you accomplish this?
A. In PVWA, click Reports > Unmanaged Accounts > Rules
B. In PVWA, click Options > Platform Management > Onboarding Rules
C. In PrivateArk, click Tools > Onboarding Rules
D. In PVWA, click Accounts > Onboarding Rules
Answer: D
Explanation:
To create a new onboarding rule, you accomplish this in the Privileged Vault Web Access (PVWA) by
navigating to Accounts > Onboarding Rules. Once there, you can click on Create rule to start the New
onboarding rule wizard and proceed with the configuration of the rule. This process allows you to set
up rules that automatically onboard newly discovered accounts, minimizing manual effort and
reducing the chance of human error1.
Reference: CyberArk Docs - Onboarding rules

30.DRAG DROP
Match each PTA alert category with the PTA sensors that collect the data for it.

Answer:
Explanation:
The Privileged Threat Analytics (PTA) sensors are designed to collect specific types of data to detect potential security threats. For the alert category of Unmanaged privileged account, the Network Sensor and PTA Windows Agent are responsible for collecting the relevant data. Similarly, for the alert category of Anomalous access to multiple machines, data is collected from Logs, the Vault, and optionally from AWS and Azure. The Suspicious activities detected in a privileged session category relies on data from Logs, the Vault, and optionally from AD, AWS, and Azure. Lastly, the Suspected credentials theft category also utilizes the Network Sensor and PTA Windows Agent for data collection.
Reference: CyberArk’s official training materials and documentation provide detailed information on
PTA sensors and the types of data they collect for different alert categories.

31.If a user is a member of more than one group that has authorizations on a safe, by default that user is granted ________.
A. the vault will not allow this situation to occur.
B. only those permissions that exist on the group added to the safe first.
C. only those permissions that exist in all groups to which the user belongs.
D. the cumulative permissions of all groups to which that user belongs.
Answer: D
Explanation:
When a user is a member of more than one group that has authorizations on a safe, by default that
user is granted the cumulative permissions of all groups to which that user belongs. This means that
the user will have the highest level of access that any of the groups have on the safe. For example, if
one group has View and Retrieve permissions, and another group has Add and Delete permissions,
the user will have View, Retrieve, Add, and Delete permissions on the safe. This is the default
behavior of the vault, unless the Exclusive option is enabled on the safe. The Exclusive option
restricts the user’s permissions to only those of the group added to the safe first.
Reference: [Defender PAM eLearning Course], Module 3: Safes and Permissions, Lesson 3.2: Safe
Permissions, Slide 8: Cumulative Permissions
[Defender PAM Sample Items Study Guide], Question 1: Safe Permissions
[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide,
Chapter 3: Managing Safes, Section: Safe Properties, Subsection: Exclusive

32.What is the purpose of the Immediate Interval setting in a CPM policy?
A. To control how often the CPM looks for System Initiated CPM work.
B. To control how often the CPM looks for User Initiated CPM work.
C. To control how often the CPM rests between password changes.
D. To Control the maximum amount of time the CPM will wait for a password change to complete.
Answer: B
Explanation:
The Immediate Interval setting in a CPM policy is used to control how often the CPM looks for User
Initiated CPM work, such as manual password changes, retrievals, or requests. The Immediate
Interval setting defines the frequency, in minutes, that the CPM will check the accounts that are
associated with the policy and perform the actions that were initiated by the users. For example, if the
Immediate Interval is set to 2, the CPM will check the accounts every 2 minutes and change, retrieve,
or authorize the passwords according to the user requests. The Immediate Interval setting does not
affect System Initiated CPM work, such as password changes, verifications, or reconciliations that are
triggered by the policy settings, such as Expiration Period or One Time Password. These actions are
controlled by the Interval setting in the CPM policy. The Immediate Interval setting also does not
control how often the CPM rests between password changes or the maximum amount of time the
CPM will wait for a password change to complete. These parameters are configured in the CPM.ini
file, which is stored in the root folder of the <CPM username> Safe.
Reference: [Defender PAM eLearning Course], Module 5: Password Management, Lesson 5.1: CPM Policies, Slide 9: CPM Policy Settings
[Defender PAM Sample Items Study Guide], Question 6: CPM Policy Settings
[CyberArk Documentation Portal], CyberArk Privileged Access Security Implementation Guide,
Chapter 5: Managing Passwords, Section: CPM Policy Settings, Subsection: Immediate Interval

33.In accordance with best practice, SSH access is denied for root accounts on UNIX/Linux systems.
What is the BEST way to allow the CPM to manage root accounts?
A. Create a privileged account on the target server. Allow this account the ability to SSH directly from
the CPM machine. Configure this account as the Reconcile account of the target server’s root
account.
B. Create a non-privileged account on the target server. Allow this account the ability to SSH directly
from the CPM machine. Configure this account as the Logon account of the target server’s root
account.
C. Configure the Unix system to allow SSH logins.
D. Configure the CPM to allow SSH logins.
Answer: B
Explanation:
https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/Using-Logon-Accounts-for-SSH-and-Telnet-Connections.htm?Highlight=logon%20account

34.What does the minvalidity parameter on a platform policy determine?
A. time between a password retrieval and the account becoming eligible for a password change
B. timeout for users signed into the PVWA as configured in the global settings
C. minimum amount of time that Just in Time access is valid
D. time in minutes before an empty safe will be automatically deleted
Answer: A
Explanation:
The minvalidity parameter on a platform policy in CyberArk determines the minimum amount of time
that must pass between the retrieval of a password and when the account becomes eligible for a
password change. This parameter ensures that a user has a guaranteed period to use the password
before it is changed again, providing stability and predictability in password management [1].
Reference: [1] The information provided is based on general knowledge of CyberArk PAM best practices and the functionality of the minvalidity parameter as outlined in CyberArk’s official documentation.

35.Which CyberArk group does a user need to be part of to view recordings or live monitor sessions?
A. Auditors
B. Vault Admin
C. DR Users
D. Operators
Answer: A
Explanation:
To view recordings or live monitor sessions, users must be part of the Auditors group or have the appropriate permissions in the relevant Account Safes and Recording Safes [1][2]. The other groups do not have the necessary permissions to access the recordings or monitor the sessions by default.
Reference: [1] Monitor Active Sessions; [2] Active Session Monitoring

36.Which of the following are secure options for storing the contents of the Operator CD, while still
allowing the contents to be accessible upon a planned Vault restart? (Choose three.)
A. Store the CD in a physical safe and mount the CD every time Vault maintenance is performed
B. Copy the entire contents of the CD to the system Safe on the Vault
C. Copy the entire contents of the CD to a folder on the Vault Server and secure it with NTFS
permissions
D. Store the server key in a Hardware Security Module (HSM) and copy the rest of the keys from the CD to a folder on the Vault Server and secure it with NTFS permissions
Answer: A, B, D
Explanation:
A. Store the CD in a physical safe and mount the CD every time Vault maintenance is performed. This option ensures that the CD is kept in a secure location when not in use, and that the keys are available when needed. This is the default option suggested by CyberArk [1].
B. Copy the entire contents of the CD to the system Safe on the Vault. This option allows the Vault to access the keys from the system Safe, which is a special Safe that stores the Vault configuration files and keys. The system Safe is encrypted and protected by the Vault, and can only be accessed by authorized users [2].
D. Store the server key in a Hardware Security Module (HSM) and copy the rest of the keys from the CD to a folder on the Vault Server and secure it with NTFS permissions. This option provides an additional layer of security for the server key, which is the most critical key for the Vault. An HSM is a physical device that stores and manages cryptographic keys in a tamper-resistant and isolated environment. The Vault can integrate with an HSM to store and retrieve the server key [3]. The rest of the keys can be stored in a folder on the Vault Server and secured with NTFS permissions, which restrict access to authorized users and groups.
The following option is not secure and should be avoided:
C. Copy the entire contents of the CD to a folder on the Vault Server and secure it with NTFS permissions. This option exposes the keys to potential risks, such as unauthorized access, data corruption, or deletion. NTFS permissions are not sufficient to protect the keys from malicious or accidental actions. Moreover, this option does not comply with the CyberArk best practices, which recommend storing the keys on removable media or in an HSM.