PCCSE · Question #246
Based on the following information, which RQL query will satisfy the requirement to identify VM hosts deployed to organization public cloud environments exposed to network traffic from the internet an
The correct answer is A. network from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type. To find internet-exposed VM hosts affected by a specific CVE using network flow data, the correct RQL uses 'network from vpc.flow_record' with a vulnerability finding filter.
Question
Based on the following information, which RQL query will satisfy the requirement to identify VM hosts deployed to organization public cloud environments exposed to network traffic from the internet and affected by Text4Shell RCE (CVE-2022-42889) vulnerability?
- Network flow logs from all virtual private cloud (VPC) subnets are
ingested to the Prisma Cloud Enterprise Edition tenant.
- All virtual machines (VMs) have Prisma Cloud Defender deployed.
Options
- Anetwork from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type
- Bconfig from vpc.flow_record where bytes > 0 AND dest.resource IN (resource where finding.type
- Cnetwork from vpc.flow_record where bytes > 0 AND finding.type IN ('Host Vulnerability') AND
- Dconfig from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-ec2-describe-instances'
How the community answered
(29 responses)- A83% (24)
- B3% (1)
- C10% (3)
- D3% (1)
Why each option
To find internet-exposed VM hosts affected by a specific CVE using network flow data, the correct RQL uses 'network from vpc.flow_record' with a vulnerability finding filter.
The 'network from vpc.flow_record' data source is correct because the requirement explicitly states that VPC flow logs are ingested and that network exposure from the internet must be validated. The 'dest.resource IN (resource where finding.type ...' construct correctly cross-references network flow targets against resources flagged with a specific vulnerability finding type, enabling correlation of network reachability with CVE presence on defender-protected hosts. This is the standard RQL pattern for combining network exposure with workload vulnerability data.
'config from vpc.flow_record' is not valid RQL syntax - the 'config from' source is used for cloud resource configuration queries, not for network flow log analysis.
This option places 'finding.type' directly in the flow record filter rather than in a nested resource subquery, which is syntactically incorrect for correlating flow data with vulnerability findings on destination resources.
'config from cloud.resource' queries EC2 instance configuration metadata but cannot correlate network flow exposure with vulnerability findings in a single query, and does not use the ingested VPC flow log data.
Concept tested: Prisma Cloud RQL network flow and vulnerability correlation query
Source: https://docs.prismacloud.io/en/enterprise-edition/content-collections/search-and-investigate/network-queries/network-query-attributes
Topics
Community Discussion
No community discussion yet for this question.