Cyber Monday 2024! Hurry Up, Grab the Special Discount - Save 25% - Ends In 00:00:00 Coupon code: SAVE25

- Free Preparation Discussions

Palo Alto Networks Exam PCCSE Topic 5 Question 84 Discussion

Actual exam question for Palo Alto Networks's PCCSE exam

Question #: 84
Topic #: 5

[All PCCSE Questions]

Which ROL query is used to detect certain high-risk activities executed by a root user in AWS?

Aevent from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey' , 'DeleteAlarms' ) AND user = 'root'

Bevent from cloud.security_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey' , 'DeleteAlarms' ) AND user = 'root'

Cconfig from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey', 'DeleteAlarms' ) AND user = 'root'

Devent from cloud.audit_logs where Risk.Level = 'high' AND user = 'root'

Show Suggested Answer

Suggested Answer: A

https://docs.prismacloud.io/en/classic/rql-reference/rql-reference/event-query/event-query-examples https://docs.prismacloud.io/en/classic/rql-reference/rql-reference/event-query/event-query-examples#idda895fd2-4496-4b31-9766-7d50215dcc18

by Maia at Aug 24, 2024, 05:21 PM

Limited Time Offer

25%

Off

Get Premium PCCSE Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Vanna

3 months ago

Haha, good one Detra. But seriously, A is the answer. Gotta love those audit logs, am I right?

upvoted 0 times

...

Reyes

3 months ago

I agree with Sheridan, A) seems to be the most relevant option for detecting high-risk activities by a root user

upvoted 0 times

...

Detra

3 months ago

Yeah, option A is the way to go. Gotta keep an eye on that root user, am I right? *wink wink*

upvoted 0 times

Isreal

2 months ago

Definitely, gotta keep an eye on that root user.

upvoted 0 times

...

Lindsey

3 months ago

Yeah, option A is the way to go.

upvoted 0 times

...

...

Sheridan

3 months ago

But A) specifically mentions high-risk activities, so I think it's more accurate

upvoted 0 times

...

Samira

3 months ago

I disagree, I believe the correct answer is D)

upvoted 0 times

...

Stephania

3 months ago

I agree with Quentin. The wording of option A matches the question perfectly.

upvoted 0 times

...

Quentin

3 months ago

Option A looks like the correct answer to me. It's specifically querying the audit logs for high-risk activities executed by the root user.

upvoted 0 times

Judy

2 months ago

Yes, option A seems to be the most relevant choice for detecting high-risk activities by the root user.

upvoted 0 times

...

Omega

2 months ago

I agree, option A is specifically querying the audit logs for high-risk activities by the root user.

upvoted 0 times

...

Talia

3 months ago

I think option A is the correct answer.

upvoted 0 times

...

...

Sheridan

4 months ago

I think the answer is A)

upvoted 0 times

...

az-700 pass4success az-104 200-301 200-201 cissp 350-401 350-201 350-501 350-601 350-801 350-901 az-720 az-305 pl-300

Warning: Cannot modify header information - headers already sent by (output started at /pass.php:70) in /pass.php on line 77