Which RQL query is used to detect certain high-risk activities executed by a root user in AWS?
To detect high-risk activities performed by a root user in AWS, the RQL query must constrain both the operations of interest and the identity that performed them. The query below does exactly that by searching the cloud audit logs (CloudTrail events ingested by Prisma Cloud) for a fixed list of high-risk operations and filtering on the root user:

event from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey', 'DeleteAlarms' ) AND user = 'root'

The operation list covers credential and session changes (ChangePassword, ConsoleLogin, DeleteAccessKey), weakening of MFA (DeactivateMFADevice) and removal of monitoring (DeleteAlarms); the user = 'root' condition restricts the results to actions taken with the account's root identity, which is the high-risk case the question asks about.
Reference: "Detect risky changes executed by a root user", Prisma Cloud RQL event query examples: https://docs.prismacloud.io/en/classic/rql-reference/rql-reference/event-query/event-query-examples#idda895fd2-4496-4b31-9766-7d50215dcc18