nerdexam
Palo_Alto_Networks

PCCSE · Question #114

Given the following RQL: Which audit event snippet is identified by the RQL? A. B. C. D.

The correct answer is B. "payload": { > "requestMetadata": { "callerSuppliedUserAgent": "terraform/0.14.0 (+https://www.terraform.io Terraform-Plugin-SDK/2.1.0 terraform-provider-google/3.50.0) gcloud/345.0.0 call "v1.compute.firewall-rules.delete" }, "request": { "type": "type.googleapis.com/compute.backendServices.delete". The correct answer is B, which shows a GCP (Google Cloud Platform) audit log snippet. It contains a 'requestMetadata' field with a 'callerSuppliedUserAgent' referencing Terraform and a GCP provider, and a 'request' type referencing 'compute.backendServices.delete'. RQL queries ta

Security Operations and Incident Response

Question

Given the following RQL:

Which audit event snippet is identified by the RQL? A. B. C. D.

Exhibits

PCCSE question #114 exhibit 1
PCCSE question #114 exhibit 2

Options

  • A"eventTime": "2021-05-19T14:34:05Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachRolePolicy", "awsRegion": "us-east-1"
  • B"payload": { > "requestMetadata": { "callerSuppliedUserAgent": "terraform/0.14.0 (+https://www.terraform.io Terraform-Plugin-SDK/2.1.0 terraform-provider-google/3.50.0) gcloud/345.0.0 call "v1.compute.firewall-rules.delete" }, "request": { "type": "type.googleapis.com/compute.backendServices.delete"
  • C"resource": "projects /buckets/gvtest110221", "permission": "storage.buckets.setIamPolicy", "resourceAttributes": {}, "granted": true
  • D"userIdentity": { "type": "Root", "principalId": "68499955112419", "arn": "arn:aws:iam::684999551124:root", "accountId": "68499955112419", "accessKeyId": "AKIAYGS61234567890"

How the community answered

(55 responses)
  • A
    16% (9)
  • B
    73% (40)
  • C
    7% (4)
  • D
    4% (2)

Explanation

The correct answer is B, which shows a GCP (Google Cloud Platform) audit log snippet. It contains a 'requestMetadata' field with a 'callerSuppliedUserAgent' referencing Terraform and a GCP provider, and a 'request' type referencing 'compute.backendServices.delete'. RQL queries targeting GCP audit events (using 'cloud.type = gcp' and 'operation' conditions) would match this structure. Options A and D are AWS CloudTrail events (identifiable by fields like 'eventSource', 'awsRegion', and 'arn'), and option C is an AWS S3/IAM permission event - none of which would match a GCP-targeted RQL query.

Topics

#RQL#Audit Events#Prisma Cloud#Security Operations

Community Discussion

No community discussion yet for this question.

Full PCCSE Practice