Prisma Certified Cloud Security Engineer (PCCSE) — Question 206
Which RQL query is used to detect certain high-risk activities executed by a root user in AWS?
Answer options
- A. event from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey' , 'DeleteAlarms' ) AND user = 'root'
- B. event from cloud.security_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey' , 'DeleteAlarms' ) AND user = 'root'
- C. config from cloud.audit_logs where operation IN ( 'ChangePassword', 'ConsoleLogin', 'DeactivateMFADevice', 'DeleteAccessKey', 'DeleteAlarms' ) AND user = 'root'
- D. event from cloud.audit_logs where Risk.Level = 'high' AND user = 'root'
Correct answer: A
Explanation
Answer A is correct: an `event from cloud.audit_logs` query runs against the cloud provider's audit trail (CloudTrail for AWS), the `operation IN (...)` clause restricts the results to the five high-risk operations, and `user = 'root'` restricts them to actions taken by the root account. Option B names `cloud.security_logs`, which is not an RQL data source. Option C uses the `config` query type, which is for resource configuration and cannot be combined with `cloud.audit_logs`. Option D filters on a generic risk-level attribute instead of naming the specific operations the question asks about, so it does not express the required detection.
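As an added example, not part of the original question and not Prisma Cloud's own code, the Python below applies the same detection logic as answer A directly to CloudTrail records: the RQL `user = 'root'` condition corresponds to a CloudTrail `userIdentity` of type `Root` (ARN ending in `:root`), and `operation` corresponds to the CloudTrail `eventName`. The sample records, account ID and IP addresses are constructed for illustration, and the function names are assumptions.

```python
import json
from typing import Any

# The five operations answer A's RQL query treats as high-risk for root.
HIGH_RISK_OPERATIONS = frozenset({
    "ChangePassword",
    "ConsoleLogin",
    "DeactivateMFADevice",
    "DeleteAccessKey",
    "DeleteAlarms",
})


def is_root_identity(user_identity: dict[str, Any]) -> bool:
    """CloudTrail records root either as type 'Root' or via an ARN ending in ':root'."""
    if user_identity.get("type") == "Root":
        return True
    return str(user_identity.get("arn", "")).endswith(":root")


def find_high_risk_root_events(records: list[dict[str, Any]]) -> list[dict[str, str]]:
    """Equivalent of: event from cloud.audit_logs where operation IN (...) AND user = 'root'."""
    findings = []
    for rec in records:
        # First filter: the actor must be the root account.
        if not is_root_identity(rec.get("userIdentity", {})):
            continue
        # Second filter: the API call must be one of the high-risk operations.
        op = rec.get("eventName", "")
        if op not in HIGH_RISK_OPERATIONS:
            continue
        findings.append({
            "time": rec.get("eventTime", ""),
            "operation": op,
            "account": rec.get("recipientAccountId", ""),
            "source_ip": rec.get("sourceIPAddress", ""),
        })
    return findings


# Constructed sample CloudTrail records (not real log data). Account ID and IPs
# are documentation placeholders.
ROOT = {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"}
IAM_USER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice", "userName": "alice"}
ROLE = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ops/session"}

SAMPLE_CLOUDTRAIL_JSON = json.dumps({"Records": [
    # Root signing in to the console: high-risk, expect a finding.
    {"eventTime": "2024-05-01T08:00:00Z", "eventName": "ConsoleLogin", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "123456789012"},
    # An IAM user deleting an access key: same operation, but not root.
    {"eventTime": "2024-05-01T08:05:00Z", "eventName": "DeleteAccessKey", "userIdentity": IAM_USER,
     "sourceIPAddress": "203.0.113.11", "recipientAccountId": "123456789012"},
    # Root making a read-only call: root, but not a high-risk operation.
    {"eventTime": "2024-05-01T08:10:00Z", "eventName": "DescribeInstances", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "123456789012"},
    # Root turning off MFA: high-risk, expect a finding.
    {"eventTime": "2024-05-01T08:15:00Z", "eventName": "DeactivateMFADevice", "userIdentity": ROOT,
     "sourceIPAddress": "203.0.113.10", "recipientAccountId": "123456789012"},
    # A role deleting CloudWatch alarms: high-risk operation, but not root.
    {"eventTime": "2024-05-01T08:20:00Z", "eventName": "DeleteAlarms", "userIdentity": ROLE,
     "sourceIPAddress": "203.0.113.12", "recipientAccountId": "123456789012"},
    # Root deleting alarms (a common step in defence evasion): expect a finding.
    {"eventTime": "2024-05-01T08:25:00Z", "eventName": "DeleteAlarms", "userIdentity": ROOT,
     "sourceIPAddress": "198.51.100.7", "recipientAccountId": "123456789012"},
]})


def run_sample() -> list[dict[str, str]]:
    """Run the detection over the constructed records and return the findings."""
    return find_high_risk_root_events(json.loads(SAMPLE_CLOUDTRAIL_JSON)["Records"])


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['time']} root performed {finding['operation']} "
              f"in {finding['account']} from {finding['source_ip']}")
```

Of the six constructed records, only the three where root performs a listed operation are reported; the IAM-user and assumed-role records are dropped by the identity filter even though their operations match, which is the same behaviour the `AND user = 'root'` clause gives the RQL query.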