nerdexam
Palo_Alto_Networks

PCCSE · Question #90

A DevOps lead reviewed some system logs and notices some odd behavior that could be a data exfiltration attempt The DevOps lead only has access to vulnerability data in Prisma Cloud Compute, so the De

The correct answer is A. The SecOps lead should use the Incident Explorer page and Monitor > Events > Container Audits. To investigate the runtime aspects of a potential data exfiltration attack, SecOps should use two key pages: (1) Incident Explorer, which aggregates and correlates runtime incidents detected by Prisma Cloud Defend and provides an attack timeline, and (2) Monitor > Events > Contai

Security Operations and Incident Response

Question

A DevOps lead reviewed some system logs and notices some odd behavior that could be a data exfiltration attempt The DevOps lead only has access to vulnerability data in Prisma Cloud Compute, so the DevOps lead passes this information to SecOps Which pages in Prisma Cloud Compute can the SecOps lead use to investigate the runtime aspects of this attack?

Options

  • AThe SecOps lead should use the Incident Explorer page and Monitor > Events > Container Audits
  • BThe SecOps lead should review the vulnerability scans in the CI/CD process to determine blame
  • CThe SecOps lead should investigate the attack using Vulnerability Explorer and Runtime Radar
  • DThe SecOps lead should use Incident Explorer and Compliance Explorer.

How the community answered

(32 responses)
  • A
    75% (24)
  • B
    3% (1)
  • C
    16% (5)
  • D
    6% (2)

Explanation

To investigate the runtime aspects of a potential data exfiltration attack, SecOps should use two key pages: (1) Incident Explorer, which aggregates and correlates runtime incidents detected by Prisma Cloud Defend and provides an attack timeline, and (2) Monitor > Events > Container Audits, which shows granular audit events such as process execution, network connections, and file system activity that could indicate exfiltration. Vulnerability Explorer and Compliance Explorer (C, D) are for scan/compliance analysis, not runtime behavior investigation. Reviewing CI/CD vulnerability scans (B) is not relevant to a live runtime incident.

Topics

#Prisma Cloud Compute#Runtime Security#Incident Response#Container Audits

Community Discussion

No community discussion yet for this question.

Full PCCSE Practice