Which policy type should be used?

An administrator needs to detect and alert on any activities performed by a root account.

Which policy type should be used?
A . config-run
B . config-build
C . network
D . audit event

View Answer

Answer: D

Explanation:

To detect and alert on activities performed by a root account, an audit event policy should be used. An audit event policy is a type of policy that can be used to detect suspicious activities or events that may be related to security threats. This type of policy will allow the administrator to monitor and alert on any activities performed by a root account.

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/prisma-cloud-threat-detection

The correct policy type to use in order to detect and alert on any activities performed by a root account is an "audit event" policy. An audit event policy is designed to monitor and record a series of chronological events in the order they occur, typically used to track user activities and changes within the system. When a root account performs any actions, an audit event policy will log these events, allowing the administrator to review and potentially set up alerts if suspicious or unauthorized activities are detected. This type of policy is crucial for security and compliance purposes as it helps ensure that all actions performed with root privileges are legitimate and authorized.

Reference to this can be found in most cloud security platforms that offer CSPM (Cloud Security Posture Management) solutions. For example, within Prisma Cloud by Palo Alto Networks, audit events are a part of the Activity Monitoring features, which track user activities and system changes to facilitate investigations into suspicious or unauthorized actions.