nerdexam
Palo_Alto_Networks

PCCSE · Question #246

Based on the following information, which RQL query will satisfy the requirement to identify VM hosts deployed to organization public cloud environments exposed to network traffic from the internet an

The correct answer is A. network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type. To find internet-exposed VM hosts affected by a specific CVE using network flow data, the correct RQL uses 'network from vpc.flow_record' with a vulnerability finding filter.

Cloud Network Security

Question

Based on the following information, which RQL query will satisfy the requirement to identify VM hosts deployed to organization public cloud environments exposed to network traffic from the internet and affected by Text4Shell RCE (CVE-2022-42889) vulnerability?

  • Network flow logs from all virtual private cloud (VPC) subnets are

ingested to the Prisma Cloud Enterprise Edition tenant.

  • All virtual machines (VMs) have Prisma Cloud Defender deployed.

Options

  • Anetwork from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type
  • Bconfig from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type
  • Cnetwork from vpc.flow_record where bytes > 0 AND finding.type IN ('Host Vulnerability') AND
  • Dconfig from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances'

How the community answered

(29 responses)
  • A
    83% (24)
  • B
    3% (1)
  • C
    10% (3)
  • D
    3% (1)

Why each option

To find internet-exposed VM hosts affected by a specific CVE using network flow data, the correct RQL uses 'network from vpc.flow_record' with a vulnerability finding filter.

Anetwork from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.typeCorrect

The 'network from vpc.flow_record' data source is correct because the requirement explicitly states that VPC flow logs are ingested and that network exposure from the internet must be validated. The 'dest.resource IN (resource where finding.type ...' construct correctly cross-references network flow targets against resources flagged with a specific vulnerability finding type, enabling correlation of network reachability with CVE presence on defender-protected hosts. This is the standard RQL pattern for combining network exposure with workload vulnerability data.

Bconfig from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type

'config from vpc.flow_record' is not valid RQL syntax - the 'config from' source is used for cloud resource configuration queries, not for network flow log analysis.

Cnetwork from vpc.flow_record where bytes > 0 AND finding.type IN ('Host Vulnerability') AND

This option places 'finding.type' directly in the flow record filter rather than in a nested resource subquery, which is syntactically incorrect for correlating flow data with vulnerability findings on destination resources.

Dconfig from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances'

'config from cloud.resource' queries EC2 instance configuration metadata but cannot correlate network flow exposure with vulnerability findings in a single query, and does not use the ingested VPC flow log data.

Concept tested: Prisma Cloud RQL network flow and vulnerability correlation query

Source: https://docs.prismacloud.io/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-query-attributes

Topics

#RQL#Network Flow Logs#Host Vulnerability Management#Internet Exposure

Community Discussion

No community discussion yet for this question.

Full PCCSE Practice