Prisma Certified Cloud Security Engineer (PCCSE) — Question 218

Based on the following information, which RQL query will satisfy the requirement to identify VM hosts deployed to organization public cloud environments exposed to network traffic from the internet and affected by Text4Shell RCE (CVE-2022-42889) vulnerability?

• Network flow logs from all virtual private cloud (VPC) subnets are ingested to the Prisma Cloud Enterprise Edition tenant.
• All virtual machines (VMs) have Prisma Cloud Defender deployed.

Answer options

• A. network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')) AND source.publicnetwork IN ('Internet IPs', 'Suspicious IPs')
• B. config from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')) AND source.publicnetwork = ('Internet IPs' or 'Suspicious IPs')
• C. network from vpc.flow_record where bytes > 0 AND finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889') AND source.publicnetwork = 'Internet IPs'
• D. config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances' AND json.rule = publicIpAddress exists AND finding.type IN ('Host Vulnerability') AND finding.source IN ('Prisma Cloud') AND finding.name IN ('CVE-2022-42889')

Correct answer: A

Explanation

Option A is correct because it specifies the necessary conditions for network traffic and identifies the vulnerability in the VM hosts. Options B and C incorrectly use 'or' in a way that doesn't conform to RQL syntax and fail to capture all required public network conditions. Option D is focused on AWS resources but does not align with the VPC flow records, making it unsuitable for this query.