An administrator needs to detect and alert on any activities performed by a root account.
Which policy type should be used?
The correct policy type to detect and alert on root account activities is 'audit event'. Audit event policies are designed to monitor audit events in your environment for potential security violations, including activities performed by a root account. Flagging sensitive events such as root activity is critical to maintaining the security of the cloud environment.
D https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/prisma-cloud-threat-detection
D - It should be with event type RQL, but I did it with config-run policy type as well; in AWS it can be done with that type of policy.
D --> Audit Event—A set of RQL based policies that monitors audit events in your environment for potential policy violations. You create audit policies to flag sensitive events such as root activities or configuration changes that may potentially put your cloud environment at risk. To view all of the audit event policies available, apply a filter for Policy Type and select Audit Event. Refer to Create a Network or Audit Event Policy to learn how to create custom audit event policies.
D. audit event