Palo Alto Networks System Engineer – Prisma Cloud — Question 34

Which Resource Query Language (RQL) query monitors all "delete" activities for the user "user1"?

Answer options

• A. event where crud = 'delete' AND subject = 'user1'
• B. event where crud = 'delete'
• C. event where crud = 'delete' AND subject = 'user1' AND cloud.type = 'aws'
• D. event where subject = 'user1'

Correct answer: A

Explanation

Option A is correct because it specifically checks for both the 'delete' action and the user 'user1'. Option B only tracks 'delete' actions without specifying the user, making it incomplete. Option C includes an additional filter for 'cloud.type' which is unnecessary for tracking just user1's delete actions. Option D only filters by the subject without focusing on the 'delete' action.