PCCSE: Prisma Certified Cloud Security Engineer

For a runtime audit generated for a host with a message indicating a service attempting to obtain capability by executing a script, the root cause for this runtime audit is most likely related to D. Default rule that alerts on suspicious runtime behavior. This default rule is designed to flag unusual or potentially harmful activities that could indicate a security risk, prompting further investigation.

To detect and alert on activities performed by a root account, an audit event policy should be used. An audit event policy is a type of policy that can be used to detect suspicious activities or events that may be related to security threats. This type of policy will allow the administrator to monitor and alert on any activities performed by a root account.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/prisma-cloud-threat-detection

The correct policy type to use in order to detect and alert on any activities performed by a root account is an 'audit event' policy. An audit event policy is designed to monitor and record a series of chronological events in the order they occur, typically used to track user activities and changes within the system. When a root account performs any actions, an audit event policy will log these events, allowing the administrator to review and potentially set up alerts if suspicious or unauthorized activities are detected. This type of policy is crucial for security and compliance purposes as it helps ensure that all actions performed with root privileges are legitimate and authorized.

Reference to this can be found in most cloud security platforms that offer CSPM (Cloud Security Posture Management) solutions. For example, within Prisma Cloud by Palo Alto Networks, audit events are a part of the Activity Monitoring features, which track user activities and system changes to facilitate investigations into suspicious or unauthorized actions.

To immediately see all alerts associated with a newly onboarded public cloud account based on existing enabled policies, it is essential to assign the account to an account group and then create an alert rule that applies to this account group. By selecting 'select all policies,' the alert rule will trigger alerts for all existing enabled policies without the need to specify individual policies or add alert notifications for downstream applications.

The given admission control policy is designed to evaluate pod creation requests in a Kubernetes environment, specifically targeting the creation of privileged pods, which can pose significant security risks.

Option D: The policy will block the creation of a privileged pod is the correct answer when the effect of the policy is set to ''block''. In this context, the policy's logic checks if a pod being created is set to run in privileged mode (a high-risk configuration that grants the pod extended system privileges). If such a configuration is detected, the policy triggers an action to block the pod's creation, thereby preventing the deployment of privileged pods that could undermine the security posture of the Kubernetes environment.

Kubernetes Admission Controllers Documentation: Provides a comprehensive overview of admission controllers in Kubernetes, including how they can be used to enforce policy decisions, such as preventing the creation of privileged pods.

Best Practices for Kubernetes Security: Discusses the importance of admission control policies in maintaining the security and integrity of Kubernetes environments, with specific emphasis on the risks associated with privileged pods.

The activities listed (Backdoor account access, Hijacked processes, Lateral movement, Port scanning) are categorized as incidents (option B). Incidents represent security events or patterns of activity that indicate potential security breaches or malicious behavior within the environment. Prisma Cloud identifies and classifies such activities as incidents to highlight significant security concerns that require investigation and potential remediation. This categorization helps security teams prioritize their response efforts, focusing on activities that pose a real threat to the integrity and security of the cloud environment. By distinguishing incidents from other types of security findings, Prisma Cloud enables more effective incident response and threat management processes.

To enable a user to interact programmatically with Prisma Cloud APIs and for a nonhuman entity to access keys, the correct action is to create a role and assign it to the Service Account (D). Service accounts in Prisma Cloud are designed for programmatic access by applications or automated tools, allowing these entities to interact with Prisma Cloud APIs securely. By creating a specific role with the necessary permissions and assigning it to a service account, administrators can ensure that the entity has the appropriate level of access required for its operations, aligning with the principle of least privilege and enhancing the security posture of API interactions.