Which RQL will trigger the following audit event activity?
Which RQL will trigger the following audit event activity?
The correct answer is the query 'event from cloud.audit_logs where operation = ConsoleLogin AND user = ‘root’'. This RQL query accurately identifies an audit event where a user with root privileges logs into the AWS console, as indicated by the 'eventName' being 'ConsoleLogin' and the 'userIdentity.type' being 'Root' in the provided event data.
A seems to be the best response.
A Event Query- Used to detect and investigate console and API access events, monitor privileged activities, detect account compromise, and detect unusual user behavior in your cloud environments. See Event Query Attributes & Examples (https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/event-query#id7f21ba55-c711-4996-be59-3e6ce80ea9e4) The RQL "event from cloud.audit_logs where operation = ConsoleLogin AND user = ‘root’’ searches for console login operations performed by a root user.
A this is event login.