PCCSE · Question #23
An administrator sees that a runtime audit has been generated for a Container The audit message is DNS resolution of suspicious name wikipedia.com. type A". Why would this message appear as an audit?
The correct answer is D. The DNS was not learned as part of the Container model or added to the DNS allow list. The DNS audit for wikipedia.com appears because the domain was not part of the container's learned runtime model and was not added to the DNS allow list, causing Prisma Cloud to flag it as anomalous.
Question
An administrator sees that a runtime audit has been generated for a Container The audit message is DNS resolution of suspicious name wikipedia.com. type A". Why would this message appear as an audit?
Options
- AThe Layer7 firewall detected this as anomalous behavior
- BThis is a DNS known to be a source of malware
- CThe process calling out to this domain was not part of the Container model.
- DThe DNS was not learned as part of the Container model or added to the DNS allow list
How the community answered
(19 responses)- A5% (1)
- B16% (3)
- C5% (1)
- D74% (14)
Why each option
The DNS audit for wikipedia.com appears because the domain was not part of the container's learned runtime model and was not added to the DNS allow list, causing Prisma Cloud to flag it as anomalous.
The Layer 7 firewall in Prisma Cloud operates on HTTP/HTTPS application traffic, not DNS resolution anomaly detection, so it would not generate this specific type of DNS audit.
Wikipedia.com is a legitimate and widely known website, not a domain associated with malware or threat intelligence feeds, so its presence on a threat list is not the reason for the audit.
The audit is triggered by the unrecognized DNS name itself, not by an unknown process making the call - the process context is separate from the DNS model violation.
Prisma Cloud runtime defense builds a behavioral model for each container during a learning period, including the DNS names the container is expected to resolve. If wikipedia.com was not observed during learning and has not been manually added to the DNS allow list, any resolution attempt for that domain is flagged as a runtime anomaly and generates an audit regardless of whether the domain is itself malicious.
Concept tested: Prisma Cloud container runtime DNS model and audit generation
Source: https://docs.prismacloud.io/en/enterprise-edition/content-collections/runtime-security/runtime-defense/runtime-audits
Topics
Community Discussion
No community discussion yet for this question.