PCCSE · Question #161
Anomaly policy uses which two logs to identify unusual network and user activity? (Choose two.)
The correct answer is A. Network flow B. Audit. Prisma Cloud anomaly policies rely on two primary log sources to detect unusual behavior. Network flow logs (A) are used to baseline and identify abnormal network traffic patterns, such as port scans, unusual data volumes, or connections to suspicious IPs. Audit logs (B) capture
Question
Anomaly policy uses which two logs to identify unusual network and user activity? (Choose two.)
Options
- ANetwork flow
- BAudit
- CTraffic
- DUsers
How the community answered
(35 responses)- A89% (31)
- C9% (3)
- D3% (1)
Explanation
Prisma Cloud anomaly policies rely on two primary log sources to detect unusual behavior. Network flow logs (A) are used to baseline and identify abnormal network traffic patterns, such as port scans, unusual data volumes, or connections to suspicious IPs. Audit logs (B) capture API-level user activity and are used to detect unusual user behavior such as logins from atypical geolocations, credential abuse, or access pattern anomalies. Traffic (C) and Users (D) are not distinct log types used by anomaly policies in Prisma Cloud's terminology - the platform specifically references 'network flow' and 'audit' logs as the two sources for anomaly detection.
Topics
Community Discussion
No community discussion yet for this question.