Prisma Certified Cloud Security Engineer (PCCSE) Study Guide
October 2022

Table of Contents

How to Use This Study Guide 9
About the PCCSE Exam 9
Exam Format 9
How to Take This Exam 10
Disclaimer 10
Audience and Qualifications 10
Skills Required 10

Domain 1: Cloud Security Posture Management (CSPM) 11
1.1 Identify assets in a cloud account 11
1.1.1 Inventory of resources in a cloud account 11
1.1.2 Resource configuration history 12
1.1.3 Asset configuration changes 13
1.1.4 References 14
1.2 Configure policies 14
1.2.1 Custom policies 14
1.2.2 Policy types 14
1.2.3 Supported variables within configuration-run custom policies 15
1.2.4 References 15
1.3 Configure compliance standards 16
1.3.1 Standards 16
1.3.2 Reports 18
1.3.3 References 23
1.4 Configure alerting and notification 23
1.4.1 Alert states 23
1.4.2 Alert rules 24
1.4.3 Alert notifications and reports 29
1.4.4 Alert workflow 31
1.4.5 References 31
1.5 Use third-party integrations 32
1.5.1 Inbound and outbound notifications 32
1.5.2 References 34
1.6 Perform ad hoc investigations 35
1.6.1 Resource configuration with RQL 37
1.6.2 User activity using RQL 38
1.6.3 Network activity using RQL 38
1.6.4 Anomalous event(s) 39
1.6.5 Asset details using RQL 43
1.6.6 References 43
1.7 Remediate alerts 44
1.7.1 Autoremediation 44
1.7.2 Manual versus automation remediation 47
1.7.3 References 47
1.8 Use SecOps Dashboard 47
1.8.1 Internet-connected assets by source network traffic behavior 47
1.8.2 Components 49
1.8.3 References 50

Domain 2: Cloud Workload Protection (CWP) 51
2.1 Monitor and defend against image vulnerabilities 51
2.1.1 Options available in the Monitor section 51
2.1.2 Options available in the Policies section 57
2.1.3 References 58
2.2 Monitor and defend against host vulnerabilities 58
2.2.1 Options available in the Monitor section 59
2.2.2 Options available in the Policies section 60
2.2.3 Reference 60
2.3 Monitor and enforce image/container compliance 60
2.3.1 Options available in the Monitor section 60
2.3.2 Options available in the Policies section 61
2.3.3 References 63
2.4 Monitor and enforce host compliance 63
2.4.1 Options available in the Monitor section 64
2.4.2 Options available in the Policies section 64
2.4.3 References 65
2.5 Monitor and defend containers and hosts during runtime 65
2.5.1 Container models 66
2.5.2 Host observations 67
2.5.3 Runtime policies 67
2.5.4 Runtime audits 68
2.5.5 Incidents using Incident Explorer 68
2.5.6 References 70
2.6 Monitor and protect against serverless vulnerabilities 71
2.6.1 Monitor 71
2.6.2 Policy 72
2.6.3 Auto-protect 72
2.6.4 References 74
2.7 Configure WAAS 74
2.7.1 Application specifications 74
2.7.2 API methods 76
2.7.3 REST API endpoints 76
2.7.4 DoS protection 83
2.7.5 Access controls to limit inbound sources 85
2.7.6 Network lists 86
2.7.7 Access controls to enforce HTTP headers and file uploads 87
2.7.8 Bot protection 88
2.7.9 Rules 94
2.7.10 Audit logs 95
2.7.11 Reference 95
2.8 Monitor and protect registries 96
2.8.1 Scanning 96
2.8.2 CI 97
2.8.3 References 97

Domain 3: Install, Upgrade, and Backup 98
3.1 Deploy and manage console for the compute edition 98
3.1.1 Prisma Cloud release software 98
3.1.2 Console in Onebox configuration 99
3.1.3 Upgrade on Console 100
3.1.4 Business use case to determine the Prisma Cloud version to use 101
3.1.5 Tenant versus Scale projects 102
3.1.6 References 103
3.2 Deploy and manage Defenders 103
3.2.1 Types 103
3.2.2 Networking for Defender-to-Console connectivity 107
3.2.3 Upgrade and compatibility 107
3.2.4 Reference 111
3.3 Configure Agentless Security 112
3.3.1 Agent versus Agentless 112
3.3.2 Cloud discovery 113
3.3.3 Reference 116
3.4 Backup and Restore console 116
3.4.1 Backup management 116
3.4.2 Disaster recovery 117
3.4.3 Reference 118
3.5 Manage authentication 118
3.5.1 Certificates 118
3.5.2 Secrets and credentials store 120
3.5.3 References 131
3.6 Onboard accounts 131
3.6.1 Onboard cloud accounts 131
3.6.2 Account groups 132
3.6.3 References 133
3.7 Configure access control 133
3.7.1 Users, roles, and permission groups 133
3.7.2 Access control troubleshooting 138
3.7.3 Service accounts and access keys 139
3.7.4 Single Sign On 146
3.7.5 Role-based access control for Docker Engine (CWP) 147
3.7.6 Admission control with Open Policy Agent (CWP) 153
3.7.7 Resource lists and collections 157
3.7.8 Reference 157
3.8 Configure logging 158
3.8.1 Audit logging 158
3.8.2 Defender logging 159
3.8.3 References 159
3.9 Manage enterprise settings 160
3.9.1 Anomaly settings 160
3.9.2 Idle timeout 163
3.9.3 Auto-enable policies 164
3.9.4 Alert-dismissal reason 164
3.9.5 User attribution 165
3.9.6 Licensing 166
3.9.7 Access key maximum validity 167
3.9.8 References 168
3.10 Configure third-party integrations 168
3.10.1 Inbound and outbound notifications 168
3.10.2 Supported capabilities 169
3.10.3 Reference 170
3.11 Leverage Cloud and Compute APIs 170
3.11.1 Authenticate with APIs 170
3.11.2 API documentation 171
3.11.3 Policies and custom queries by API 172
3.11.4 Alerts and Reports using APIs 176
3.11.5 Vulnerability results via API 180
3.11.6 Access keys 181
3.11.7 Data security and IAM APIs 183
3.11.8 References 183
3.12 Leverage Adoption Advisor and Alarm Center 184
3.12.1 Notification rule 184
3.12.2 Adoption Advisor guidance 190
3.12.3 Reference 192
3.13 Access Knowledge Center and Help Center 192
3.13.1 Knowledge Center 192
3.13.2 Help Center 192
3.13.3 Feature requests 192
3.13.4 PCCSE 192
3.13.5 Live Community 193
3.13.6 Product status updates 193
3.13.7 Docs, Prisma Cloud Privacy and Support options 193
3.13.8 References 193

Domain 4: Cloud Network Security and Identity-based Microsegmentation Enterprise Edition 195
4.1 Configure Cloud network analyzer 195
4.1.1 Network exposure policy 195
4.1.2 RQL 197
4.1.3 References 197
4.2 Deploy and manage enforces 198
4.2.1 Processing units 198
4.2.2 Namespaces 198
4.2.3 Tags and identity 201
4.2.4 Network rulesets 203
4.2.5 Out-of-the box rules 209
4.2.6 Application profiling 211
4.2.7 References 212
4.3 Manage local changes in a remote repository (dev-prod) configuration 213
4.3.1 Types 213
4.3.2 Networking for Enforcers to Console connectivity 214
4.3.3 Reference 222
4.4 Use NetSecOps dashboard 223
4.4.1 flows 223
4.4.2 References 223

Domain 5: Prisma Cloud Code Security (PCCS) 225
5.1 Implement scanning for IAC templates 225
5.1.1 Terraform and Cloudformation scanning configurations 225
5.1.2 OOTB IAC scanning integrations 225
5.1.3 API scanning 226
5.1.4 IAC scanning integration 227
5.1.5 Supply-chain security 228
5.1.6 Handling scanned issues 231
5.1.7 Repository scanning 238
5.1.8 Reference 242
5.2 Configure policies in Console for IAC scanning 242
5.2.1 OOTB policies 242
5.2.2 Custom build policies 243
5.2.3 Types of config policies 249
5.2.4 Prisma configuration files 250
5.2.5 References 250
5.3 Configure CI policies for Computer scanning 250
5.3.1 Default CI policies 250
5.3.2 Custom CI policies 251
5.3.3 References 252
5.4 Manage configuration settings 252
5.4.1 Code reviews 252
5.4.2 Code repository settings 252
5.4.3 Notifications 255
5.4.4 Pull Request and Tagging bots 259
5.4.5 References 263

Domain 6: Identity and Access Management (IAM)/Prisma Cloud Data Security (PCDS) 265
6.1 Calculate net effective permissions 265
6.1.1 AWS calculation 265
6.1.2 Azure calculation 266
6.1.3 References 266
6.2 Investigate incidents and create IAM policies 266
6.2.1 RQL queries 266
6.2.2 IAM policies 266
6.2.3 References 267
6.3 Integrate IAM with IdP 268
6.3.1 Azure active directory 268
6.3.2 Okta 268
6.3.3 References 273
6.4 Remediate alerts 274
6.4.1 Manual versus automatic 274
6.4.2 AWS remediation 274
6.4.3 Azure remediation 281
6.4.4 References 286
6.5 Monitor Scan Results 286
6.5.1 Data dashboard 286
6.5.2 Data Inventory 290
6.5.3 Resource Explorer 294
6.5.4 Object Explorer 295
6.5.5 Exposure Evaluation 296
6.5.6 References 298
6.6 Assess Data Policies and Alerts 299
6.6.1 Data policy vs data pattern 299
6.6.2 Alerts 299
6.6.3 References 300
6.7 Define data security scan settings 301
6.7.1 Scan configuration 301
6.7.2 Data profile and pattern 303
6.7.3 File extensions 304
6.7.4 Snippet masking 308
6.7.5 References 309

Appendix A: Sample Questions with Answers 311
Appendix B: Answers to the Sample Test 319
Continuing Your Learning Journey with Palo Alto Networks 327

How to Use This Study Guide

Welcome to the Palo Alto Networks Prisma Certified Cloud Security Engineer (PCCSE) Study Guide. The purpose of this guide is to help you prepare for your PCCSE exam and achieve your PCCSE credential. You can read through this study guide from start to finish, or you may jump straight to topics you would like to study. Hyperlinked cross-references will help you locate important definitions and background information from earlier sections.
About the PCCSE Exam

The Prisma Certified Cloud Security Engineer certification validates the knowledge, skills, and abilities required to onboard, deploy, and administer all aspects of Prisma Cloud. PCCSE-certified individuals have demonstrated in-depth knowledge of Palo Alto Networks Prisma Cloud technology and resources.

More information is available from the Palo Alto Networks public page at: https://www.paloaltonetworks.com/services/education

Technical documentation is located at: https://beacon.paloaltonetworks.com/student/collection/710725-prisma-certified-cloud-security-engineer-pccse?sid=77de5d28-6423-4603-8d52-3487a52c45c3&sid_i=0

Exam Format

The test format is 75-85 items. Candidates will have five minutes to review the NDA, 70-80 minutes to complete the exam questions, and five minutes to complete a survey at the end of the exam. The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in the following table. This exam is based on Prisma Cloud version 22.9.2 (Compute 22.06).

Exam Domain                                                                         Weight (%)
Cloud Security Posture Management (CSPM)                                            21%
Cloud Workload Protection (CWP)                                                     21%
Install, Upgrade, and Backup / Prisma Cloud Administration                          19%
Cloud Network Security and Identity-Based Microsegmentation Enterprise Edition      11%
Prisma Cloud Code Security (PCCS)                                                   12%
Identity and Access Management (IAM) / Prisma Cloud Data Security (PCDS)            16%
TOTAL                                                                               100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform. To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks

Disclaimer

This study guide is intended to provide information about the objectives covered by this exam, related resources, and recommended courses. The material contained within this study guide is not intended to guarantee that a passing score will be achieved on the exam.
Palo Alto Networks recommends that candidates thoroughly understand the objectives indicated in this guide and use the resources and courses recommended in this guide where needed to gain that understanding.

Audience and Qualifications

The PCCSE Certification is designed for users interested in demonstrating knowledge, skills, and abilities with Prisma Cloud, including cloud security, customer success, and cybersecurity architects.

Skills Required
● You can design, develop, and maintain detection checks for cloud security policies and compliance standards.
● You can research cloud attack techniques, tactics, and detections based on events and network flow logs.
● You can participate in the public outreach forums and represent the recommendations adhering to Palo Alto Networks standards.
● You have 0-3 years of experience working on public cloud, experience in Python, and knowledge of containers, Kubernetes, Terraform, and cloud technologies.

Recommended Training: Palo Alto Networks strongly recommends that you attend the following instructor-led training courses or equivalent digital-learning courses:
● Prisma Cloud: Cloud Security Posture Management
● Prisma Cloud: Cloud Network Security
● Prisma Cloud: Cloud Workload Protection
● Prisma Cloud: Cloud Code Security

Domain 1: Cloud Security Posture Management (CSPM)

This domain describes Cloud Security Posture Management (CSPM). Prisma Cloud is a cloud native security platform that enables you to secure your cloud native infrastructure and cloud native applications using a single dashboard. It offers comprehensive visibility and threat detection across your organization’s hybrid, multicloud infrastructure.

1.1 Identify assets in a cloud account

To know the state of your cloud infrastructure, you need visibility into all the assets and infrastructure that make up your cloud environment and a pulse on your security posture.
Whether you want to detect a misconfiguration or you want to continually assess your security posture and adherence to specific compliance standards, Prisma Cloud provides out-of-the-box policies (auditable controls) for ongoing reporting and measurement.

1.1.1 Inventory of resources in a cloud account

The Asset Inventory dashboard (on the Inventory tab) provides a snapshot of the current state of all cloud resources or assets that you are monitoring and securing using Prisma Cloud. From the dashboard, you gain operational insight over all the Palo Alto Networks cloud infrastructure, including assets and services such as Compute Engine instances, virtual machines, Cloud Storage buckets, accounts, subnets, gateways, and load balancers.

Assets are displayed by default for all account groups that the service monitors, for the most recent time range (the last full hour). Resources that belong to cloud accounts that are disabled on Prisma Cloud are not included in the Asset Inventory. The interactive dashboard provides filters to change the scope of data displayed, so that you can analyze the information you want to view in greater detail.

1.1.2 Resource configuration history

● Resource Summary—Shows the count of the Total Unique Resources monitored by Prisma Cloud. Click the link to view all the assets on the Asset Explorer. For all these assets, you can toggle to view the following details as a numeric value or a percentage:
  ○ Pass—Displays the resources without any open alerts. Click the link for the passed resources and you will be redirected to the Asset Explorer, filtered to display all the resources that have Scan Status set to Pass.
  ○ Low/Medium/High—Displays the resources that have generated low-, medium-, or high-severity alerts.
    On the asset inventory, when a resource triggers multiple alerts, the asset severity assigned to it matches the highest risk to which it is exposed. When you click the link, you will be redirected to the Asset Explorer, filtered to display all the resources that match the corresponding Asset Severity level.
  ○ The View Alerts link enables you to view a list of all resources that have open alerts sorted by severity. Click each link to view the Alerts Overview sorted for low-, medium-, or high-severity alerts. You can review the policies that triggered the alerts along with a count of the total number of alerts for each policy.
  ○ Fail—Displays the total number of resources that have generated at least one open alert when the hourly snapshot was generated. Click the link and you will be redirected to the Asset Explorer, filtered to display all resources that have Scan Status set to Failed.

1.1.3 Asset configuration changes

At a glance, the Asset Inventory dashboard has four sections:
● Resource Summary—See the description in Section 1.1.2.
● Asset Trend—Trend line to help you monitor the overall health of your cloud resources, starting when you added the first cloud account to Prisma Cloud through the time when the hourly snapshot was generated. The green, blue, and red trend lines are overlaid to visually display the passed and failed resources against the total resource count. The trends depict the overall security posture of your resources and how they are performing over time, so you can identify sudden surges in failed policy checks or sustained improvements in passed policy checks.
● Asset Classification—Bar graph for each cloud type (default), region name, account name, or service name that depicts the ratio of passed to failed resources for policy checks.
● Tabular data—The table enables you to group the results by account name, cloud region, or service name (default) and then drill down to view granular information on the resource types within your cloud accounts. All global resources for each cloud are grouped under AWS Global, Alibaba Cloud Global, Azure Global, and GCP Global. Each row displays the service name with details on the cloud type (which you can filter on) and the percentage of resources that pass the policy checks to which you want to adhere. The links in each column help you explore and gain the additional context you may need to take action.

1.1.4 References
● Asset Inventory, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-dashboards/asset-inventory

1.2 Configure policies

1.2.1 Custom policies

Create a custom policy with remediation rules that are tailored to meet the requirements of your organization. When creating a new policy, you can either build the query using RQL or use a saved search to automatically populate the query you need to match on your cloud resources. For Cloud Code Security, you can also create configuration policies to scan your infrastructure-as-code (IaC) templates that are used to deploy cloud resources. The policies used for scanning IaC templates use a JSON query instead of RQL. If you want to enable autoremediation, Prisma Cloud requires write access to the cloud platform to successfully execute the remediation commands.

1.2.2 Policy types

You can create any of the following types of policies:
● Config—Configuration policies monitor your resource configurations for potential policy violations. Configuration policies on Prisma Cloud can be of two subtypes—Build or Run—to enable a layered approach. Build policies enable you to check for security misconfigurations in the IaC templates and ensure that these issues do not make their way into production.
  Run policies monitor resources and check for potential issues once these cloud resources are deployed. See Create a Configuration Policy.
● Data—Data policies protect against malware and enable data classification. To identify sensitive data in cloud storage buckets, they use machine learning and pattern matching. See Use Data Policies to Scan for Data Exposure or Malware.
● Network—Network policies monitor network activities in your environment. See Create a Network or Audit Event Policy.
● Audit Event—Event policies monitor audit events in your environment for potential policy violations. Create audit policies to flag sensitive events such as root activities or configuration changes that may potentially put your cloud environment at risk. See Create a Network or Audit Event Policy.
● IAM—IAM policies monitor the identities in your cloud environment for excess or unused permissions. See Create an IAM Policy.

1.2.3 Supported variables within configuration-run custom policies

CLI remediation is available for config-from queries only. You can add up to five CLI commands and use a semicolon to separate the commands in the sequence. The sequence is executed in the order defined in the policy; if a CLI command fails, the execution stops at that command. The parameters that you can use to create remediation commands are displayed on the interface as CLI variables. A syntax example is:

gcloud -q compute --project=${account} firewall-rules delete ${resourceName}; gsutil versioning set off gs://${resourceName};

The available CLI variables are:
● $account—Account is the Account ID of your account in Prisma Cloud.
● $azurescope—(Azure only) Allows you to specify the node in the Azure resource hierarchy where the resource is deployed.
● $gcpzoneid—(GCP only) Allows you to specify the zone in the GCP project, folder, or organization where the resource is deployed.
● $region—Region is the name of the cloud region to which the resource belongs.
● $resourcegroup—(Azure only) Allows you to specify the name of the Azure Resource Group that triggered the alert.
● $resourceid—Resource ID is the identification of the resource that triggered the alert.
● $resourcename—Resource name is the name of the resource that triggered the alert.

1.2.4 References
● Create a Custom Policy on Prisma Cloud, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/create-a-policy
● Policy types, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-policies/create-a-policy

1.3 Configure compliance standards

1.3.1 Standards

You can create your own custom compliance standards that are tailored to your own business needs, standards, and organizational policies. When defining a custom compliance standard, you can add requirements and sections. A custom compliance standard that has a minimum of one requirement and one section can be associated with policies that check for adherence to your standards. You can create an all-new standard or clone an existing compliance standard and edit it.

● Clone an existing compliance standard to customize.
  1. On Prisma Cloud, select Compliance Standards.
  2. Hover over the standard you want to clone, and click Clone. When you clone, Prisma Cloud creates a new standard with the same name prefixed with “Copy”. You can then edit the cloned compliance standard to include the requirements, sections, and policies you need.
● Create a compliance standard from scratch.
  3. On Prisma Cloud, select Compliance > Standards > + Add New.
  4. Enter a name and description for the new standard and click Save.
  5. Add requirements to your custom compliance standard.
    ○ Select the custom compliance standard you just added and click + Add New.
    ○ Enter a requirement, name, and a description and click Save.
  6. Add sections to your custom compliance standard after adding the requirement.
    ○ Select the requirement for which you are adding the section and click + Add New.
    ○ Enter a Name and a Description for the section and click Save.
  Although you have added the custom standard to Prisma Cloud, it is not listed on the Compliance Standards table on Compliance > Overview until you add at least one policy to it.
  7. Add policies to your custom compliance standard. You must associate Prisma Cloud Default policies or your custom policies with the compliance standard to monitor your cloud resources for adherence to the internal guidelines or benchmarks that matter to you. The RQL in the policy specifies the check for the resource configuration, anomaly, or event.
    ○ Select Policies.
    ○ Filter the policies you want to associate with the standard. You can filter by cloud type, policy type, and policy severity to find the rules you want to attach.
    ○ Select the policy rule to edit, and under Compliance Standards click + and associate the policy with the custom compliance standard.
    ○ Confirm your changes.

1.3.2 Reports

Creating compliance reports is the best way to monitor your cloud accounts across all cloud types—AWS, Azure, and GCP—and ensure that you are adhering to all compliance standards. You can create compliance reports based on a cloud compliance standard for immediate online viewing or download, or schedule recurring reports so you can monitor compliance with the standard over time. From a single report, you have a consolidated view of how well all of your cloud accounts are adhering to the selected standard. Each report details how many resources and accounts are being monitored against the standard, and how many of those resources passed or failed the compliance check.
In addition, the report provides detailed findings for each section of the standard, including a description of the requirements in each section, which resources failed the compliance check, and recommendations for fixing the issues, so that you can prioritize what you need to do to become compliant. From the Compliance Reports dashboard, you can also view or download historic reports so that you can see your compliance trend.

Step 1: Log in to Prisma Cloud.

Step 2: Create a new report.
  1. Select Compliance > Overview and select the standard for which you want to create a new compliance report.
  2. On the page for the compliance standard you selected, click Create Report.
  3. Enter the following information and Save the report.
    ● Enter a descriptive Name for the report.
    ● Enter the Email address to which the report is sent when it runs on a schedule.
    ● Select whether you want to run the report One Time or Recurring. If you select Recurring, you must also specify how often you want to run the report: the interval, day of the week, and the time when you want the recurring report to run.

Step 3: View your compliance reports.

After you create a compliance report, it will automatically run at the time you specified. You can then view and manage your reports as follows:
● To see the list of all compliance reports that have run, select Compliance > Reports. You can use the filters to narrow the list of compliance reports shown, or you can search for the report.
● To view a compliance report, click the report name. A graphical view of the report displays, showing the number of unique cloud resources, how many of them passed, the number and severity of those that failed (you can toggle this to show percentages instead), and a graphical representation of how well your cloud accounts are doing against all sections of the standard.
  If this report has run before, you can also see the compliance trend over time. Finally, the report summarizes compliance against each requirement of the standard. To drill down into details on a particular requirement of the standard, click the requirement name.
● If you want to refine the report so that it only shows the details you are interested in, clone it. You can then use the Compliance filters to customize the report to show only the information you are interested in: set the report timeframe and narrow the report to show compliance information only for specific cloud accounts, cloud regions, or cloud types. As you add or remove filters, the report updates so that you can see your changes reflected in the report. When the cloned report shows the information you want it to, click Create Report to save it as a new report instance.
● You can Download Report as a PDF. If the Download button is grayed out, the report has already been scheduled for download. You can also download the details about compliance with each requirement of the standard to a CSV file by clicking the download icon.
● You can also download the compliance reports from Compliance > Reports using the Download icon that corresponds to the specific report you want to download. Note that for recurring reports, this downloads the most recent report generated.
● For recurring reports, use the corresponding History icon to view the report history. You can then view individual instances of the compliance report, or download them.
● To edit the recurrence settings of a report you added, or to add or remove email addresses of report recipients, click the corresponding Edit icon.
● For recurring reports, you can toggle Enable Scheduling to indicate whether you want to automatically email a PDF of the report to the recipients you defined, or whether you want administrators to be able to download the report on demand rather than emailing it. With this setting enabled, the report will automatically be emailed according to the recurrence schedule you defined. With it disabled, the report will not be emailed but can be downloaded on demand.

1.3.3 References
● Create a Custom Compliance Standard, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-compliance/create-a-custom-compliance-standard
● Add a New Compliance Report, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-compliance/add-a-new-compliance-report

1.4 Configure alerting and notification

Prisma Cloud alerts can trigger a notification and a manual or automatic remediation.

1.4.1 Alert states

Prisma Cloud lets you surface critical policy breaches by sending alerts to any number of channels. Alerts ensure that significant events are put in front of the right audience at the right time. See the links for more details.
● Alert mechanism
● AWS Security Hub
● Cortex XDR alerts
● Cortex XSOAR alerts
● Email alerts
● Google Cloud Pub/Sub
● Google Cloud Security Command Center
● IBM Cloud Security Advisor
● JIRA Alerts
● PagerDuty alerts
● ServiceNow alerts
● Slack Alerts
● Splunk alerts
● Webhook alerts

1.4.2 Alert rules

After you have deployed your resources on the cloud platform of your choice, alert rules (for run-time checks) enable you to define the policy violations in a selected set of cloud accounts for which you want to trigger alerts.
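The following Python model is an added example and is not Prisma Cloud code or code from this guide. It puts together two behaviours the guide describes in prose: how an alert rule scopes alerts (account groups, excluded accounts and regions, resource tags combined with OR and applied only to Config and Network policies, and the selected policies, all from this section) and how a remediable Config policy's CLI template from section 1.2.3 is rendered and executed (up to five semicolon-separated commands, run in order, stopping at the first failure). The rule, alert, template variable values and the stand-in command runner are all constructed for illustration; the only real material is the guide's own syntax example. The check that rejects substituted values containing shell metacharacters is this example's own safeguard, since the rendered commands are shell command lines.

```python
"""Added example (not Prisma Cloud code): alert-rule scoping plus rendering and
sequential execution of a remediable Config policy's CLI template."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

MAX_CLI_COMMANDS = 5                       # limit stated in the guide (1.2.3)
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")   # ${account}, ${resourceName}, ...
# Values are spliced into a shell command line, so this example only accepts a
# conservative character set and rejects anything else (assumption, not product behaviour).
SAFE_VALUE = re.compile(r"^[A-Za-z0-9._/:@-]+$")


@dataclass
class AlertRule:
    account_groups: Set[str]
    policy_ids: Set[str]
    excluded_accounts: Set[str] = field(default_factory=set)
    excluded_regions: Set[str] = field(default_factory=set)
    resource_tags: Dict[str, str] = field(default_factory=dict)  # key -> value, OR-ed


@dataclass
class Alert:
    policy_id: str
    policy_type: str          # "config", "network", "audit_event", ...
    account_group: str
    account_id: str
    region: str
    tags: Dict[str, str]      # tags on the resource that raised the alert


def rule_matches(rule: AlertRule, alert: Alert) -> bool:
    """True if the alert falls inside the rule's targets and policy selection."""
    if alert.account_group not in rule.account_groups:
        return False
    if alert.account_id in rule.excluded_accounts:
        return False
    if alert.region in rule.excluded_regions:
        return False
    if alert.policy_id not in rule.policy_ids:
        return False
    # Resource tags narrow the rule only for Config and Network policies;
    # several tags are combined with OR, so one matching tag is enough.
    if rule.resource_tags and alert.policy_type in ("config", "network"):
        return any(alert.tags.get(k) == v for k, v in rule.resource_tags.items())
    return True


def render_remediation(template: str, variables: Dict[str, str]) -> List[str]:
    """Split the ';'-separated template into commands and fill in ${var} placeholders."""
    commands = [c.strip() for c in template.split(";") if c.strip()]
    if len(commands) > MAX_CLI_COMMANDS:
        raise ValueError(f"at most {MAX_CLI_COMMANDS} CLI commands are allowed")

    def substitute(match: re.Match) -> str:
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"unknown CLI variable ${{{name}}}")
        value = variables[name]
        if not SAFE_VALUE.match(value):
            raise ValueError(f"refusing to substitute unsafe value for {name}")
        return value

    return [PLACEHOLDER.sub(substitute, cmd) for cmd in commands]


def run_sequence(commands: List[str], runner: Callable[[str], int]) -> Tuple[List[str], bool]:
    """Run commands in order and stop at the first non-zero exit status."""
    executed: List[str] = []
    for cmd in commands:
        executed.append(cmd)
        if runner(cmd) != 0:
            return executed, False       # the remaining commands are not run
    return executed, True


# The syntax example from section 1.2.3 of the guide, used as the policy's template.
EXAMPLE_TEMPLATE = ("gcloud -q compute --project=${account} firewall-rules delete ${resourceName}; "
                    "gsutil versioning set off gs://${resourceName};")


def fake_runner(cmd: str) -> int:
    """Constructed stand-in for the cloud CLI: pretend the gsutil step fails."""
    return 1 if cmd.startswith("gsutil") else 0


if __name__ == "__main__":
    rule = AlertRule(account_groups={"prod"}, policy_ids={"gcp-open-firewall"},
                     excluded_regions={"us-west1"}, resource_tags={"env": "prod", "tier": "web"})
    alert = Alert("gcp-open-firewall", "config", "prod", "123456789012", "us-east1",
                  {"env": "dev", "tier": "web"})
    if rule_matches(rule, alert):
        cmds = render_remediation(EXAMPLE_TEMPLATE,
                                  {"account": alert.account_id, "resourceName": "allow-all-ssh"})
        done, ok = run_sequence(cmds, fake_runner)
        print(f"ran {len(done)} of {len(cmds)} commands, success={ok}")
```

Running the block matches the alert on the tier tag alone (the env tag differs, but tags are OR-ed), renders both commands, and reports that execution stopped after the second command failed. Swap `fake_runner` for a real `subprocess`-based runner only on a tenant whose cloud credentials carry the write access that section 1.2.1 says autoremediation requires.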
When you create an alert rule for run-time checks, you select the account groups to which the rule applies and the corresponding set of policies for which you want to trigger alerts. You can add more granularity to the rule by excluding some cloud accounts from the selected account groups, by specifying specific regions for which to send alerts, and even by narrowing down the rule to specific cloud resources identified by resource tags. This provides you with flexibility in how you manage alerts and ensures that you can adhere to the administrative boundaries you defined. You can create a single alert rule that alerts on all policy rules, or you can define granular alert rules that send very specific sets of alerts for specific cloud accounts, regions, and even resources to specific destinations.

When you create an alert rule, you can Configure Prisma Cloud to Automatically Remediate Alerts, which enables Prisma Cloud to automatically run the CLI command required to remediate the policy violation directly in your cloud environments. Automated remediation is only available for default policies (Config policies only) that are designated as Remediable on the Policies page.

In addition, if you Configure External Integrations on Prisma Cloud with third-party tools, defining granular alert rules enables you to send only the alerts you need to enhance your existing operational, ticketing, notification, and escalation workflows with the addition of Prisma Cloud alerts on policy violations in all your cloud environments. To see any existing integrations, go to Settings > Integrations.

Step 1: Select Alert > Alert Rules and Add Alert Rule.

Step 2: In Add Details, enter a Name for the alert rule and, optionally, a Description to communicate the purpose of the rule.
● You can enable the optional Auto-Actions, Alert Notifications, and Auto-Remediation settings up front.
If you enable any of these options, they are displayed as additional steps in the alert rule creation process. For example, if you enable Alert Notifications, the Configure Notifications step is displayed.
● Click Next.

Step 3: Assign Targets to add more granularity for which cloud resources trigger alerts for this alert rule, and then provide more criteria as needed:
● Select the Account Groups to which you want this alert rule to apply.
● Exclude Cloud Accounts and Regions from your selected account groups. If there are cloud accounts and regions in the selected account groups for which you do not want to trigger alerts, select them from the list.
● Select Include Tag Resource Lists to easily manage or identify the type of your resources. To trigger alerts only for specific resources in the selected cloud accounts, enter the Key and Value of the resource tag you created for the resource in your cloud environment. Tags apply only to Config and Network policies. When you add multiple resource tags, they are combined with a Boolean OR: a resource is in scope if any one of the tags matches.
● After defining the target cloud resources, click Next.

Step 4: Select the policies for which you want this alert rule to trigger alerts and, optionally, Configure Prisma Cloud to Automatically Remediate Alerts.
● Either Select All Policies or select the specific policies that match the filter criteria for which you want to trigger alerts on this alert rule. Selecting All Policies creates a large volume of alerts; a granular, filtered selection yields more relevant and high-fidelity alerts.
● To help you find the specific group of policies for which you want this rule to alert:
○ Filter Results: enter a Search term to filter the list of policies to those with specific keywords.
○ Column Picker: click Edit to modify which columns to display.
○ Sort: click the corresponding Sort icon to sort on a specific column.
● Click Next.

Step 5: You can automatically dismiss alerts that have specific tags as defined on the resource and added to the Resource Lists on Prisma Cloud. The reason for dismissal is included in the alert rule L2 view. If you enabled Limited GA Auto-Actions in the Add Details screen, when you update an alert rule, all existing alerts with matching tags are auto-dismissed. When an alert has been dismissed and you update the alert rule, the alert stays dismissed. Add a Reason, Requestor, and Approver for the automatic dismissal and click Next.

Step 6: (Optional) Send Prisma Cloud Alert Notifications to Third-Party Tools. By default, all alerts triggered by the alert rule are displayed on the Alerts page. If you Configure External Integrations on Prisma Cloud, you can also send alerts triggered by this alert rule to third-party tools. For example, you can Send Alert Notifications to Amazon SQS or Send Alert Notifications to Jira. For Prisma Cloud Data Security, see Generate Alerts for Data Policies. In addition, you can configure the alert rule to Send Alert Notifications Through Email. If you want to delay the notifications for Config alerts, you can configure Prisma Cloud to Trigger notification for config alert only after the alert is open for a specific number of minutes.

Step 7: (Optional) Configure Notifications to enable alert notifications for all states. If you want to receive external notifications when an existing alert's status changes, you can configure Prisma Cloud to send notifications when an existing alert is Dismissed, Snoozed, or Ignored. The options for configuring the notification settings are:
● Notify when alert is: select this option to configure the alert states; the Open state is enabled by default.
After selecting the alert states, select the integration services to which you want the notifications sent.
● Trigger notification for config alert only after the alert is open for: specify the length of time (in minutes) to wait after an alert is generated before sending notifications. This value does not apply to recurring (or scheduled) notifications.

Step 8: View the Summary of the alert rule. Edit any setting you want to change and Save the alert rule.

Step 9: To verify that the alert rule triggers the expected alerts, select Alerts > Overview and confirm that you see the alerts you expect. If you configured the rule to Send Prisma Cloud Alert Notifications to Third-Party Tools, make sure you also see the alert notifications in those tools.

1.4.3 Alert notifications and reports
Prisma Cloud continually monitors all of your cloud environments to detect misconfigurations (such as exposed cloud storage instances), advanced network threats (such as cryptojacking and data exfiltration), potentially compromised accounts (such as stolen access keys), and vulnerable hosts. Prisma Cloud then correlates configuration data with user behavior and network traffic to provide context around misconfigurations and threats in the form of actionable alerts.

Although Prisma Cloud begins monitoring and correlating data as soon as you onboard a cloud account, there are tasks you need to perform before you see alerts generated by policy violations in your cloud environments. The first task to Enable Prisma Cloud Alerts is to add the cloud account to an account group during onboarding. Next, create an alert rule that associates all of the cloud accounts in an account group with the set of policies for which you want Prisma Cloud to generate alerts. You can view the alerts for all of your cloud environments directly from Prisma Cloud and drill down into each to view specific policy violations.
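The scoping and notification settings from the alert rule steps above (account groups, excluded accounts and regions, resource tags combined with OR, the selected policy set, the "notify when alert is" states and the "open for N minutes" delay for Config alerts), modeled as an added Python example written for this guide. It is not Prisma Cloud code: the rule and alert dictionaries, their field names, the account IDs, policy names and timestamps are all assumptions chosen to mirror what the steps describe.

```python
"""Alert-rule scoping and notification gating, as described in Section 1.4.2.

Added illustration written for this study guide; it is not Prisma Cloud code.
The dict shapes for the rule and the alert are assumptions chosen to mirror the
fields the steps describe: account groups, excluded accounts and regions,
resource tags combined with OR (Config and Network policies only), the selected
policy set, the "notify when alert is" states, and the "open for N minutes"
delay that applies to Config alerts.
"""
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed value).
NOW = datetime(2022, 10, 1, 12, 45, tzinfo=timezone.utc)

# Constructed alert rule mirroring the choices made in Steps 3, 4 and 7.
RULE = {
    "account_groups": {"prod-aws"},
    "excluded_accounts": {"111111111111"},        # carved out of the selected group
    "excluded_regions": {"us-west-1"},
    "tags": [("env", "prod"), ("tier", "web")],   # multiple tags combine with OR
    "policies": {                                 # policy name -> policy type (assumed names)
        "S3 bucket publicly readable": "config",
        "Security group allows ingress from 0.0.0.0/0 to port 22": "config",
        "Root account activity": "audit_event",
    },
    "notify_on_states": {"open", "dismissed"},    # Open is enabled by default
    "config_alert_delay_min": 30,                 # delay applies to Config alerts only
}


def in_scope(alert, rule=RULE):
    """True when the rule's targets and policy selection apply to this alert."""
    if alert["account_group"] not in rule["account_groups"]:
        return False
    if alert["account"] in rule["excluded_accounts"]:
        return False
    if alert["region"] in rule["excluded_regions"]:
        return False
    policy_type = rule["policies"].get(alert["policy"])
    if policy_type is None:
        return False
    # Resource tags narrow Config and Network policies only; any one matching
    # tag (OR) keeps the alert in scope. Other policy types ignore the tag list.
    if rule["tags"] and policy_type in ("config", "network"):
        resource_tags = alert.get("resource_tags", {})
        if not any(resource_tags.get(k) == v for k, v in rule["tags"]):
            return False
    return True


def should_notify(alert, now=NOW, rule=RULE):
    """True when an external notification should go out for the alert's current state."""
    if not in_scope(alert, rule):
        return False
    if alert["state"] not in rule["notify_on_states"]:
        return False
    # "Trigger notification for config alert only after the alert is open for N
    # minutes": a Config misconfiguration fixed inside the window never pages
    # anyone. The delay applies neither to other policy types nor to other states.
    policy_type = rule["policies"][alert["policy"]]
    if alert["state"] == "open" and policy_type == "config":
        if now - alert["opened_at"] < timedelta(minutes=rule["config_alert_delay_min"]):
            return False
    return True


def make_alert(opened_minutes_ago=45, **overrides):
    """Constructed sample alert; override fields to exercise each branch."""
    alert = {
        "account_group": "prod-aws",
        "account": "222222222222",
        "region": "us-east-1",
        "policy": "S3 bucket publicly readable",
        "resource_tags": {"env": "prod"},
        "state": "open",
        "opened_at": NOW - timedelta(minutes=opened_minutes_ago),
    }
    alert.update(overrides)
    return alert


if __name__ == "__main__":
    print(in_scope(make_alert()))                                    # True
    print(in_scope(make_alert(account="111111111111")))               # False: excluded account
    print(in_scope(make_alert(resource_tags={"tier": "web"})))        # True: OR across tags
    print(in_scope(make_alert(resource_tags={"team": "payments"})))   # False: no tag matches
    print(in_scope(make_alert(policy="Root account activity", resource_tags={})))  # True: tags ignored
    print(should_notify(make_alert()))                                # True: open 45 min >= 30
    print(should_notify(make_alert(opened_minutes_ago=5)))            # False: inside the delay
    print(should_notify(make_alert(state="snoozed")))                 # False: state not selected
    print(should_notify(make_alert(state="dismissed")))               # True: dismissed is selected
```

The two functions separate the questions the wizard asks in different steps: whether an alert exists at all for this rule (targets and policies) and whether anyone outside Prisma Cloud hears about it (states and delay). Keeping the tag filter conditional on policy type matters in practice: a tag list that silently narrowed anomaly or audit-event policies would hide exactly the account-compromise alerts you most want to see.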
If you have internal networks that you do not want flagged in alerts, you can add Trusted IP Addresses on Prisma Cloud.

From the Alerts Overview page, you can see the alert coverage by percentage and by severity, and investigate more closely by policy. You can easily access the policy that triggered the alert and view the details of the resources and the policy recommendations in separate tabs.

In addition, Prisma Cloud provides the out-of-the-box ability to Configure External Integrations on Prisma Cloud with third-party technologies, such as SIEM platforms, ticketing systems, messaging systems, and automation frameworks, so that you can continue using your existing operational, escalation, and notification tools.

To monitor your cloud infrastructure more efficiently and provide visibility into actionable events across all your cloud workloads, you can also:
● Generate Reports on Prisma Cloud Alerts on demand, or schedule reports on open alerts and email them to your stakeholders
● Send the Alert Payload to a third-party tool

Generate Reports on Prisma Cloud Alerts
You can generate two reports on alerts: the Cloud Security Assessment report and the Business Unit report. These reports let you inform your stakeholders of the status of the cloud assets and how they are doing against Prisma Cloud security and compliance policy checks. Sharing the reports on a regular basis lets stakeholders monitor progress without requiring access to the Prisma Cloud administrator console.

The Cloud Security Assessment report is a PDF report that summarizes the risks from open alerts in the monitored cloud accounts for a specific cloud type.
The report includes an executive summary and a list of policy violations, with a page of details for each policy that includes the description, the compliance standards associated with it, and the number of resources that passed and failed the check within the specified time period.

The Business Unit report is a .csv file that includes the total number of resources that have open alerts against policies for any compliance standard. You can generate the report on demand or on a recurring schedule. You can create an overview report that shows how you are doing across all your business units, or get more granular about each of the cloud accounts you want to monitor. You can also generate the Business Unit report to review policy violations associated with specific compliance standards.

The overview report lists cloud resources by account group and aggregates the number of resources failing and the failure percentage against each policy. In contrast, the detailed Business Unit report lists cloud resources by account group, account name, and account ID, and includes the number of resources failing against each policy and the status of the cloud resources scanned against that policy. The status can be pass or fail; a status of "pass" means that the count of resources that failed the policy check is zero.

To create a new report:
Step 1: Select Alerts > Reports > +Add New.
Step 2: Enter a Name and select a Report Type.

1.4.4 Alert workflow
Prisma Cloud lets you surface critical policy breaches by sending alerts to any number of channels. Alerts ensure that significant events are put in front of the right audience at the right time. Alerts are built on the following constructs:
● Alert profile: specifies which events should be sent to which channel.
You can create any number of alert profiles, where each profile gives you granular control over which audience receives which notifications.
● Alert channel: the messaging medium over which alerts are sent. Prisma Cloud supports email, JIRA, Slack, PagerDuty, and others.
● Alert trigger: events that require further scrutiny. Alerts are raised when the rules that make up your policy are violated.

When something in your environment violates a rule, an audit is logged, and an alert is sent to any matching alert profile (channel, audience). You can configure Prisma Cloud to notify the appropriate party when an entire policy, or even a specific rule, is violated.

You can also set up alerts for Defender health events. These events tell you when a Defender unexpectedly disconnects from the Console. Alerts are sent when a Defender has been disconnected for more than six hours.

Not all triggers are available for all channels. For example, new JIRA issues can only be opened when vulnerability rules are triggered.
1.4.5 References
● Alerts, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alerts
● Create an Alert Rule for Run-Time Checks, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/create-an-alert-rule
● Prisma Cloud Alerts and Notifications, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/prisma-cloud-alert-notifications
● Generate Reports on Prisma Cloud Alerts, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/generate-reports-on-prisma-cloud-alerts
● Alert mechanism, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alerts/alert_mechanism

1.5 Use third-party integrations
Prisma Cloud provides multiple out-of-the-box integration options that you can use to integrate Prisma Cloud into your existing security workflows and with the technologies you already use. The Amazon GuardDuty, AWS Inspector, Qualys, and Tenable integrations are inbound (pull-based) integrations, where Prisma Cloud periodically polls the external system and retrieves its data; all other integrations are outbound (push-based) integrations, where Prisma Cloud sends data about an alert or error to the external system.

1.5.1 Inbound and outbound notifications
● Amazon GuardDuty: Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts and workloads. Prisma Cloud integrates with Amazon GuardDuty and ingests its findings to provide additional context on risks in the cloud.
● AWS Inspector: AWS Inspector assesses applications for exposure, vulnerabilities, and deviations from best practices, and produces a detailed list of security findings prioritized by severity.
Prisma Cloud integrates with AWS Inspector and ingests vulnerability data and security best-practice deviations to provide additional context about risks in the cloud.
● Amazon S3: Amazon Simple Storage Service (Amazon S3) is designed to make web-scale computing easier. You can use Amazon S3 to store and retrieve any amount of data using highly scalable, reliable, fast, and inexpensive data storage. Prisma Cloud can send alerts to an Amazon S3 bucket/folder.
● AWS Security Hub: AWS Security Hub is a central console where you can view and monitor the security posture of your cloud assets directly from the Amazon console. Because Prisma Cloud monitors your assets on AWS and sends alerts on resource misconfigurations, compliance violations, network security risks, and anomalous user activities, you get a comprehensive view of all your cloud assets across all your AWS accounts directly from the Security Hub console.
● Amazon SQS: Amazon Simple Queue Service (SQS) lets you send, receive, and store messages that pass between software components at any volume without losing messages and without requiring other services to be always available. Prisma Cloud can send alerts to Amazon SQS, and you can use AWS CloudFormation to set up custom workflows that consume them.
● Azure Sentinel: Azure Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution. You can configure Prisma Cloud to send alerts to Azure Sentinel by creating a Logic Apps workflow and a Webhook integration.
● Azure Service Bus queue: Azure Service Bus is a managed messaging infrastructure designed to transfer data between applications as messages. With the Prisma Cloud and Azure Service Bus queue integration, you can send alerts to the queue and set up custom workflows to process the alert payload.
● Cortex XSOAR: Cortex XSOAR (formerly Demisto) is a security orchestration, automation, and response (SOAR) platform that lets you streamline your incident management workflows. With the Prisma Cloud and Cortex XSOAR integration, you can automate the management of Prisma Cloud alerts and the incident lifecycle with playbook-driven response actions.
● Email: configure Prisma Cloud to send alerts as emails to your email account.
● Google Cloud SCC: Google Cloud Security Command Center (SCC) is the security and data risk database for Google Cloud Platform. Google Cloud SCC lets you understand your security and data attack surface by providing inventory, discovery, search, and management of your assets. Prisma Cloud integrates with Google Cloud SCC and sends alerts to the SCC console to provide centralized visibility into the security and compliance risks of your cloud assets.
● Jira: Jira is an issue-tracking, ticketing, and project-management tool. Prisma Cloud integrates with Jira and sends notifications of Prisma Cloud alerts to your Jira accounts.
● Microsoft Teams: Microsoft Teams is cloud-based team collaboration software that is part of the Office 365 suite and is used for workplace chat, video meetings, file storage, and application integration. The Prisma Cloud integration with Microsoft Teams lets you send alerts on resource misconfigurations, compliance violations, network security risks, and anomalous user activities, either as they happen or as consolidated summary cards.
● PagerDuty: PagerDuty provides alerting, on-call scheduling, escalation policies, and incident tracking to increase the uptime of your apps, servers, websites, and databases. The PagerDuty integration lets you send Prisma Cloud alert information to a PagerDuty service so that incident response teams can investigate and remediate the security incidents.
● Qualys: Qualys specializes in vulnerability-management software that scans hosts for potential vulnerabilities. Prisma Cloud integrates with the Qualys platform and ingests vulnerability data to provide additional context about risks in the cloud.
● ServiceNow: ServiceNow is an incident, asset, and ticket management tool. Prisma Cloud integrates with ServiceNow and sends notifications of Prisma Cloud alerts as ServiceNow tickets.
● Slack: Slack is an online instant messaging and collaboration system that lets you centralize all your notifications. You can configure Prisma Cloud to send notifications of Prisma Cloud alerts to your Slack channels.
● Splunk: Splunk is a software platform that searches, analyzes, and visualizes machine-generated data gathered from websites, applications, sensors, and devices. Prisma Cloud integrates with cloud-based Splunk deployments and lets you view Prisma Cloud alerts through the Splunk HTTP Event Collector. Prisma Cloud can integrate with on-premises Splunk instances through the Amazon SQS integration.
● Tenable: Tenable.io is a cloud-hosted vulnerability-management solution that provides visibility and insight into dynamic assets and vulnerabilities. Prisma Cloud integrates with Tenable and ingests vulnerability data to provide additional context about risks in the cloud.
● Webhooks: the webhooks integration lets you pass information in JSON format to any third-party tool that is not natively supported on Prisma Cloud. With a webhook integration, you configure Prisma Cloud to send alerts to the webhook URL as an HTTP POST request, so that any service or application listening at that URL receives alert notifications as soon as Prisma Cloud detects an issue.

For outbound integrations:
● You can check status updates on demand in Settings > Integrations by clicking the Get Status icon for the relevant integration.
The status check displays red if the integration fails validation checks for accessibility or credentials, and green when the integration is working and all templates are valid. To review the list of integrations that do not support status checks, see Prisma Cloud Integrations—Supported Capabilities. Status errors are displayed to help you find and fix potential issues.
● When you Send Prisma Cloud Alert Notifications to Third-Party Tools, the cloud service provider of the resource that generated the alert is given in the cloudType field in lowercase letters, for example "aws" or "alibaba_cloud". Consumers that route on this field should match against the lowercase values.

1.5.2 References
● Third-party integration, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrations-on-prisma-cloud/prisma-cloud-integrations
● Inbound and outbound notifications, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-external-integrations-on-prisma-cloud/prisma-cloud-integrations

1.6 Perform ad hoc investigations
Ad hoc investigations happen when an administrator sees a vulnerability or suspicious activity and decides to investigate further. Such an investigation has two purposes:
1. Identify whether the relevant entity (virtual machine instance, Docker container, etc.) really has been broken into. For example, a vulnerability could exist but never have been exploited.
2. If the entity has been broken into, identify the harm done and whether the entity itself was used as a conduit for attacking other entities.

An investigation typically starts with an RQL query that shows details about what is happening.
For example, the guide shows the result of a query asking which APIs were used and when (the screenshot is not reproduced here). Next, you can drill down for additional information about a specific data point, in this case the calls to cloudresourcemanager.googleapis.com in June 2020. This drill-down returns the list of items that were aggregated, here a list of events. You can then click the eye icon on any line in the list for its full details.

1.6.1 Resource configuration with RQL
Prisma Cloud Resource Query Language (RQL) is a powerful and flexible tool that helps you gain security and operational insights about your deployments in public cloud environments. You can use RQL to perform configuration checks on resources deployed on different cloud platforms and to gain visibility into user and network events. You can use these insights to create policy guardrails that secure your cloud environments.

RQL is a structured query language that resembles SQL. RQL supports the following types of queries:
● Config: use a Config query to search the configuration of cloud resources.
● Event: use an Event query to search and audit all console and API access events in your cloud environment.
● Network: use a Network query to search real-time network events in your environment.

Use RQL to find answers to fundamental questions that help you understand what is happening in your environment. For example:
● Do I have S3 buckets with encryption disabled?
● Do I have databases that are directly accessible from the internet?
● Who uses a root account to manage day-to-day administrative activities?
● Which cloud resources are missing critical patches, making them exploitable?
1.6.2 User activity using RQL
Event queries help you detect and investigate console and API access events, monitor privileged activities, detect account compromise, and detect unusual user behavior in your cloud environments. To investigate events, use "event from cloud.audit_logs where" queries in the search box on the Investigate tab of the Prisma Cloud administrative console. The query runs over the event data that Prisma Cloud ingested from your cloud audit logs to help you learn who did what, and when, on your cloud assets. See:
● Event Query Attributes
● Event Query Examples

1.6.3 Network activity using RQL
When you onboard your cloud accounts to Prisma Cloud, it monitors the network configuration and the traffic logs to and from your assets deployed in the cloud environment. You can then use this data to find previously unidentified network security risks:
● Flow Log-based Network Query: query for incidents and threats based on flow logs.
● Configuration-based Network Query: query for true exposures based on configuration.

Flow Log-based Network Query
Prisma Cloud provides the "network from vpc.flow_record" network query, which is based on networking logs such as virtual private cloud (VPC) flow logs. You can use this query to detect when services, applications, or databases are exposed to the internet and fix risky configuration issues, or to search for assets that are receiving traffic and connections from suspicious IP addresses, so that you can stop data exfiltration attempts before it is too late.

Configuration-based Network Query
Prisma Cloud also provides the "config from network where" network query, which is based on network configuration. You can use this query to identify overly exposed resources: it provides end-to-end network path visibility from any source, such as an AWS EC2 instance, DB instance, or Lambda function, to any destination, such as the internet, another VPC, or on-premises networks.
This visibility into the associations between security groups and compute instances helps you identify network security risks before they become incidents. Prisma Cloud does not send traffic or read network logs to perform network path analysis; the analysis is derived from configuration alone.

1.6.4 Anomalous event(s)
Review your options when using "event from cloud.audit_logs where" on the Investigate tab of the Prisma Cloud administrative console. Each attribute lets you narrow your search criteria. As you use these attributes, the autosuggestion feature shows the available expressions and the operators applicable to each attribute.

● alert.id
Use the alert.id attribute to view alert details on the Investigate tab. For example, you can visualize the alert details for a set of alerts such as P-8444, P-8421, and P-8420:
  event from cloud.audit_logs where alert.id IN ('P-8444', 'P-8421', 'P-8420')

● anomaly.type
Use the anomaly.type attribute to view details of specific anomaly policies. The autosuggestion displays the anomaly policies supported with this attribute:
  event from cloud.audit_logs where anomaly.type = 'Excessive Login Failures'

● cloud.account
Use the cloud.account attribute to narrow the audit search to one or more cloud accounts that you connected to Prisma Cloud. For example, you can list the entities or users who deleted security groups from a given cloud account:
  event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND operation IN ( 'DeleteSecurityGroup' )

● cloud.account.group
Use the cloud.account.group attribute to narrow your search to only the cloud accounts in a cloud account group.
For example, you can list the entities or users who deleted virtual private clouds in all your AWS accounts, or the autoscaling operations performed by a specific user across those accounts:
  event from cloud.audit_logs where operation = 'DeleteVpc' AND cloud.account.group = 'All my AWS accounts'
  event from cloud.audit_logs where cloud.account.group = 'All my AWS accounts' AND cloud.service = 'autoscaling.amazonaws.com' AND user = 'maxusertest__gahp1Tho'

● cloud.type
Use the cloud.type attribute to narrow your search to a specific cloud platform. Supported options are AWS, Azure, and GCP. For example, you can list all users who deleted S3 buckets:
  event from cloud.audit_logs where cloud.type = 'aws' AND cloud.service = 's3.amazonaws.com' AND operation = 'DeleteBucket'

● cloud.region
Use the cloud.region attribute to narrow the audit search to one or more cloud regions. For example, you can list the entities or users who deleted access keys in a given region of a given cloud account:
  event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND cloud.region = 'AWS Canada' AND operation IN ( 'DeleteAccessKey' )

● cloud.service
Use the cloud.service attribute to search by a specific service name in your cloud accounts. For example, you can review the users who performed operations such as deleting CloudTrail trails or disabling or stopping logging:
  event from cloud.audit_logs where cloud.service = 'cloudtrail.amazonaws.com' AND operation IN ( 'DeleteTrail' , 'DisableLogging' , 'StopLogging' )

● crud
Use the crud attribute to search for users or entities that performed create, read, update, or delete operations. For example, you can list all Azure resources that were deleted:
  event from cloud.audit_logs where cloud.account in ( 'Azure - Microsoft Azure Sponsorship' ) and crud = 'delete'

● has.anomaly
Use the has.anomaly attribute to search for events that include anomalies.
For example, you can list all events with identified anomalies for a cloud type:
  event from cloud.audit_logs where cloud.type = 'azure' AND has.anomaly

● operation
An operation is an action that users perform on resources in a cloud account. Start typing the name of the operation you are interested in, and Prisma Cloud autocompletes a list of operations that match. For example, you can list delete operations on VPCs, VPC endpoints, and VPC peering connections:
  event from cloud.audit_logs where operation in ( 'DeleteVpc' , 'DeleteVpcEndpoints' , 'DeleteVpcPeeringConnection' )

● subject
Use this attribute to search for actions that a specific user or instance performed in your cloud account. For example, you can list console login operations by Ben:
  event from cloud.audit_logs where operation = 'ConsoleLogin' AND subject = 'ben'

● role
Use this attribute to filter the search results by role. For example, you can look for events performed under the Okta role:
  event from cloud.audit_logs where role = 'OktaDevReadWriteRole'

● json.rule
Use this attribute to filter on specific elements of the JSON record (the resource configuration for Config queries, the audit event for Event queries). The json.rule attribute lets you parse JSON-encoded values, extract data from JSON, or search for a value within any configuration or event for the cloud accounts you are monitoring with Prisma Cloud. Use the autosuggest feature to see the available values for json.rule. For example, you can check for failed console logins:
  event from cloud.audit_logs where cloud.account = 'Sandbox' AND json.rule = $.responseElements.ConsoleLogin != 'Success'

1.6.5 Asset details using RQL
For details of the Asset Inventory dashboard, see Section 1.1.1.
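To make concrete what the event queries above match, here is an added Python example written for this guide; it is not RQL, not Prisma Cloud code, and runs offline. It expresses the CloudTrail-tampering, DeleteBucket, role and json.rule queries from 1.6.4 as filters over a handful of constructed CloudTrail-style records. The field names follow CloudTrail (eventSource, eventName, userIdentity, responseElements); the records, users and role name are invented; the crud classification is a heuristic, not the product's. It also shows why a json.rule predicate should be paired with an operation filter.

```python
"""The 1.6.4 event queries expressed as Python filters over constructed
CloudTrail-style records.

Added illustration written for this study guide; it is not RQL and not Prisma
Cloud code. The record shape uses the CloudTrail field names the page's
json.rule example refers to (eventSource, eventName, responseElements,
userIdentity); the events are constructed, not real log data.
"""

# Constructed sample audit events (CloudTrail-like).
EVENTS = [
    {"eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "userIdentity": {"type": "IAMUser", "userName": "ben"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "DeleteBucket",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/OktaDevReadWriteRole/alice"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "ben"},
     "responseElements": {"ConsoleLogin": "Failure"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "ben"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "carol"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DeleteVpc",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::222222222222:assumed-role/OktaDevReadWriteRole/alice"}},
]

LOGGING_TAMPER_OPS = {"DeleteTrail", "DisableLogging", "StopLogging"}


def json_path(record, path):
    """Minimal '$.a.b' lookup, enough for json.rule-style predicates. Missing keys give None."""
    node = record
    for key in path.lstrip("$").strip(".").split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def subject(event):
    """Who acted: the IAM user name, or the session name of an assumed role."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "IAMUser":
        return ident.get("userName")
    if ident.get("type") == "AssumedRole":
        return ident.get("arn", "").rsplit("/", 1)[-1]
    return None


def role(event):
    """Role name from an assumed-role ARN ('.../assumed-role/<Role>/<session>'), else None."""
    arn = event.get("userIdentity", {}).get("arn", "")
    if "assumed-role/" not in arn:
        return None
    return arn.split("assumed-role/", 1)[1].split("/", 1)[0]


def crud(event):
    """Heuristic CRUD class from the API name, in the spirit of the crud attribute."""
    name = event["eventName"]
    if name.startswith(("Describe", "Get", "List")):
        return "read"
    if name.startswith(("Create", "Put", "Run")):
        return "create"
    if name.startswith(("Delete", "Terminate", "Remove")):
        return "delete"
    return "update"


# cloud.service = 'cloudtrail.amazonaws.com' AND operation IN ( 'DeleteTrail', 'DisableLogging', 'StopLogging' )
def logging_tampering(events):
    return [e for e in events
            if e["eventSource"] == "cloudtrail.amazonaws.com" and e["eventName"] in LOGGING_TAMPER_OPS]


# cloud.service = 's3.amazonaws.com' AND operation = 'DeleteBucket'
def bucket_deletions(events):
    return [e for e in events
            if e["eventSource"] == "s3.amazonaws.com" and e["eventName"] == "DeleteBucket"]


# json.rule = $.responseElements.ConsoleLogin != 'Success', scoped to operation = 'ConsoleLogin'
def console_login_failures(events):
    return [e for e in events
            if e["eventName"] == "ConsoleLogin"
            and json_path(e, "$.responseElements.ConsoleLogin") != "Success"]


# The same json.rule without the operation filter: "!= 'Success'" is also true
# for every event that has no ConsoleLogin key at all, so it over-matches.
def login_rule_unscoped(events):
    return [e for e in events if json_path(e, "$.responseElements.ConsoleLogin") != "Success"]


# role = 'OktaDevReadWriteRole' AND crud = 'delete'
def deletes_by_role(events, role_name):
    return [e for e in events if role(e) == role_name and crud(e) == "delete"]


if __name__ == "__main__":
    print([subject(e) for e in logging_tampering(EVENTS)])             # ['ben']
    print([subject(e) for e in bucket_deletions(EVENTS)])              # ['alice']
    print(len(console_login_failures(EVENTS)), len(login_rule_unscoped(EVENTS)))  # 1 5
    print([e["eventName"] for e in deletes_by_role(EVENTS, "OktaDevReadWriteRole")])  # ['DeleteBucket', 'DeleteVpc']
```

The scoped versus unscoped login rule is the point to carry back to the console: a json.rule that tests for inequality matches every record where the path is absent, so anchor it with an operation or cloud.service clause before treating the count as a signal.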
1.6.6 References
● Prisma Cloud Resource Query Language, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/rql#idde117f54-0bc9-497a-a8d3-fe6cac849b65
● Event Query, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/event-query#id7f21ba55-c711-4996-be59-3e6ce80ea9e4
● Network Query, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/network-query
● Network Flow Log Query Attributes, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/network-query/network-flow-log-query-attributes#id96c19819-a48e-40a6-843c-2ad88d8a7fb3
● Network Flow Log Query Examples, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/network-query/network-flow-log-query-examples#id76bff997-dacb-4a4c-94f9-48507035b498
● Network Exposure Query Attributes, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/network-query/network-query-attributes#id192IH0E0GW5
● Network Exposure Query Examples, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/network-query/network-query-examples#id192IH0G0XVC
● Event Query Attributes, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-reference/event-query/event-query-attributes

1.7 Remediate alerts
1.7.1 Autoremediation
If you want Prisma Cloud to automatically resolve policy violations, such as misconfigured security groups, you can configure Prisma Cloud for automated remediation. To automatically resolve a policy violation, Prisma Cloud runs the CLI command associated with the policy in the cloud environments where it discovered the violation.
On Prisma Cloud, you can enable automated remediation for default policies (Config policies only) that are designated as remediable (indicated in the Remediable column) and for any cloned or custom policies that you add. To enable automated remediation, identify the set of policies that you want to remediate automatically and verify that Prisma Cloud has the required permissions in the associated cloud environments. Then Create an Alert Rule for Run-Time Checks that enables automated remediation for the set of policies you identified.

If you want to use automated remediation with serverless functions for your cloud resources on AWS, use the runbooks on GitHub. The Prisma Cloud platform sends alert messages to an AWS SQS queue, which in turn invokes a Lambda function, index_prisma.py. The function then calls the appropriate runbook script to remediate the alert(s). With AWS Lambda remediation you do not need to give Prisma Cloud read-write access to your AWS accounts; the changes are made by the Lambda function under its own execution role, which makes this an alternative way to try remediation of violating resources.

Step 1: Verify that Prisma Cloud has the required privileges to remediate the policies you plan to configure for automated remediation.
● To view remediable policies, select Policies and set the filter to Remediable > True.
● Select a policy for which you want to enable remediation.
● On the Alerts Overview page, click Alerts. You can edit the policy that triggered the alert and view the details of the resources and the policy recommendations in separate tabs. Select the Alert ID, and the slide-out panel gives a better view of the alert details.
● You will see the list of resources that triggered the alert under Violating Resources.
Review the required privileges in the CLI Command Description to identify which permissions Prisma Cloud requires in the associated cloud environments to be able to remediate violations of the policy.
● Click Edit Policy to access the policy directly from the alert.
● Click the Recommendation tab to view the policy that triggered the alert.

Step 2: Create an Alert Rule for Run-Time Checks or modify an existing alert rule.

Step 3: On the Select Policies page, enable Automated Remediation and then Continue to acknowledge the impact of automated remediation on your application. The list of available policies updates to show only those policies that are remediable (as indicated in the Remediable column).

Step 4: Finish configuring and Save the new alert rule or Confirm your changes to an existing alert rule. When you save the alert rule, Prisma Cloud automatically runs the remediation CLI to resolve policy violations for all open alerts, regardless of when they were generated, and updates the alert status to Resolved.

1.7.2 Manual versus automation remediation

The IAM Security module provides two options for remediating alerts so that you can enforce the principle of least privilege across your AWS and Azure environments. You can manually remediate the alerts by copying the AWS or Azure CLI commands and then running them in your cloud environment, or you can configure a custom Python script to automate the remediation steps.
● Manually Remediate IAM Security Alerts—Copy and paste the CLI commands for your AWS or Azure environments and then execute them to manually remove excess permissions.
● Custom Python scripts—Copy, paste, and configure the custom Python scripts so that you can automate the steps of executing the CLI commands to remediate excess permissions in your AWS or Azure environments.
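The SQS-to-Lambda-to-runbook flow from 1.7.1, as an added example that is not the GitHub runbooks or index_prisma.py themselves: a dispatcher in the shape of that Lambda handler that parses each queued alert, looks the policy up in an explicit allow list of runbooks, and refuses anything malformed or unlisted. The alert message fields, the policy name, the runbook function and the sample SQS event are constructed assumptions for this example; a real runbook would call boto3 where the stand-in returns a string.

```python
"""Added example: an SQS-triggered remediation dispatcher in the shape of the
index_prisma.py Lambda described in section 1.7.1. Message format, policy name
and runbook are assumptions constructed for this example, not the real runbooks."""
import json
from typing import Callable, Dict, List

# Constructed sample SQS event (assumed message shape, not real Prisma Cloud output).
SAMPLE_SQS_EVENT = {
    "Records": [
        {"body": json.dumps({
            "alertId": "P-EXAMPLE-0001",
            "policyName": "EXAMPLE: security group allows SSH from anywhere",
            "resourceId": "sg-0123456789abcdef0",
            "resourceRegion": "us-east-1",
            "accountId": "111122223333",
        })},
        {"body": json.dumps({
            "alertId": "P-EXAMPLE-0002",
            "policyName": "EXAMPLE: policy with no runbook",
            "resourceId": "i-0abcdef1234567890",
            "resourceRegion": "us-east-1",
            "accountId": "111122223333",
        })},
        {"body": "not json at all"},
    ]
}


def remediate_open_ssh_sg(alert: dict) -> str:
    """Stand-in runbook: a real one would revoke the ingress rule with boto3."""
    return f"revoked 0.0.0.0/0 tcp/22 ingress on {alert['resourceId']} in {alert['resourceRegion']}"


# Only policies listed here are ever acted on. An unknown policy name is skipped,
# so a malformed or unexpected message can never trigger a change in the account.
RUNBOOKS: Dict[str, Callable[[dict], str]] = {
    "EXAMPLE: security group allows SSH from anywhere": remediate_open_ssh_sg,
}

REQUIRED_FIELDS = ("alertId", "policyName", "resourceId", "resourceRegion", "accountId")


def parse_alert(body: str) -> dict:
    """Parse one SQS record body; raise ValueError on malformed input."""
    try:
        alert = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not JSON: {exc}") from exc
    if not isinstance(alert, dict):
        raise ValueError("body is not a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in alert]
    if missing:
        raise ValueError(f"alert missing fields: {missing}")
    return alert


def handler(event: dict, context=None) -> List[dict]:
    """Lambda entry point: one result per record; never raises, so the batch completes."""
    results = []
    for record in event.get("Records", []):
        try:
            alert = parse_alert(record["body"])
        except (KeyError, ValueError) as exc:
            results.append({"status": "rejected", "reason": str(exc)})
            continue
        runbook = RUNBOOKS.get(alert["policyName"])
        if runbook is None:
            results.append({"alertId": alert["alertId"], "status": "skipped",
                            "reason": "no runbook for policy"})
            continue
        results.append({"alertId": alert["alertId"], "status": "remediated",
                        "action": runbook(alert)})
    return results


if __name__ == "__main__":
    for result in handler(SAMPLE_SQS_EVENT):
        print(result)
```

Keeping the policy-to-runbook mapping explicit is the point: the Lambda's IAM role is what actually changes the account, so the code that decides which runbook runs should accept only alerts it can fully validate and only policies someone deliberately registered.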
1.7.3 References

● Configure Prisma Cloud to Automatically Remediate Alerts, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prisma-cloud-alerts/configure-prisma-cloud-to-automatically-remediate-alerts
● Remediate Alerts for IAM Security, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-iam-security/remediate-alerts-for-iam-security

1.8 Use SecOps Dashboard

1.8.1 Internet-connected assets by source network traffic behavior

Top Internet-Connected Resources
This graph displays the top internet-connected workloads by role, so you know which workloads are connecting to the internet most of the time and are prone to malicious attacks. For this report, ELB and NAT Gateway data are filtered out, but the graph includes data from other roles. The data in this chart is based on the account and time filters.

Connections from the Internet
On a world map, you can see the inbound and outbound connections to different workloads across the globe, so that you can visualize where the connections are originating from and see whether the traffic is regular internet traffic or suspicious traffic; you can also see all accepted traffic from suspicious IP addresses. By default, the map shows aggregated numbers by specific regions in the map, but you can zoom in on any of the regions in the map to get more granular detail on the specific location. You can use the multiselect filter option available on the map to only present information for the type of workload(s) you are interested in viewing traffic for. By default, the map filters out traffic to destination resources that are allowed to accept inbound connections, such as NAT gateways, ELB, web servers, and HTTP traffic. To see the network graph representing connections, click any of the connections from a specific region and you will be redirected to the Investigate page to see the network graph.
The network query will carry forward the IP address, destination resources, and time filters so you can pinpoint a specific incident.

1.8.2 Components

The Dashboard > SecOps page provides a graphical view of the performance of resources that are connected to the internet, the risk rating for all accounts that Prisma Cloud is monitoring, the policy violations over time, and a list of the policies that have generated the maximum number of alerts across your cloud resources. You can filter by time range, account groups, and cloud accounts to dig in and review a quick summary of your security challenges.

Monitored Accounts
This graph shows the number of accounts Prisma Cloud is monitoring.

Monitored Resources
Prisma Cloud considers any cloud entity that you work with to be a resource. Examples of resources include AWS Elastic Compute Cloud, relational databases, AWS Redshift, load balancers, security groups, and NAT gateways. The Resources graph shows the total number of resources that you currently manage. It gives you a view into the potential growth in the number of resources in your enterprise over a period of time. Hover over the graph to see data at different points in the timeline.

Open Alerts
Whenever a resource violates a policy, Prisma Cloud generates an alert to inform you of the policy violation. The Open Alerts graph displays the number of alerts that were opened within the selected time period and helps you visualize the trend across five equal time slices. The first point in the timeline represents all open alerts since the cloud account was onboarded or up to the preceding three years of the selected time range. In each slice, the count includes alerts that are opened or have remained open through the period, using the last updated status.
When you close or dismiss an alert, the last updated status is reset, and this change determines whether or not the alert is counted within a time slice.

Top Instances by Role
This graph summarizes the top open ports in your cloud environments and the percentage of the traffic directed at each type of port. The purpose of this graph is to show what types of applications (web server, database) the top workloads are running.

Alerts by Severity
Alerts are graphically displayed and classified based on their severity into High, Medium, and Low. By clicking the graph, you can directly reach the alerts section.

Policy Violations by Type over Time
This graph displays the type of policy violations—network, configuration, audit event—over a period of time. The counts shown after redirection to the Alerts page may not match this graph, because this chart shows only the newly created (open) alerts in a time period, whereas after redirection you may only see those alerts that have not changed status to resolved/dismissed and are still open.

Top Policy Violations
This graph displays the alerts generated by each type of policy over a period of time.

1.8.3 References

● SecOps Dashboard, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-clouddashboards/secops

Domain 2: Cloud Workload Protection (CWP)

In this domain, you can validate your knowledge of how to use Prisma Cloud to protect your workloads, whether they are running as virtual machines, Docker containers, or serverless functions. This protection involves three different areas:
1. Protecting against known vulnerabilities by scanning, updating, and removing libraries known to contain those vulnerabilities.
2. Monitoring for compliance with standards that improve security.
3. Reducing the attack surface by deploying the Cloud Native Application Firewall (CNAF).
2.1 Monitor and defend against image vulnerabilities

This task shows you how Prisma Cloud Compute can scan the Docker images you intend to use to identify any vulnerabilities, so you can take steps to remove those vulnerabilities before they can be abused and put the integrity of the container at risk.

2.1.1 Options available in the Monitor section

In this task, you learn to secure the hosts that run your application by removing vulnerable code. Even if you use Docker, a chain is only as strong as its weakest link, and a Docker container running inside an insecure host is vulnerable if that host is successfully attacked.

Vulnerability Explorer
Most scanners find and list vulnerabilities, but Vulnerability Explorer takes it a step further by analyzing the data within the context of your environment. Because Prisma Cloud can see how the containers run in your environment, it can identify the biggest risks and prioritize them for remediation. To view Vulnerability Explorer, open Console, then go to Monitor > Vulnerabilities > Vulnerability Explorer.

Roll-ups
The charts at the top of the Vulnerability Explorer help you answer two questions:

1. How many common vulnerabilities and exposures (CVEs) do you have?
For each object type (image, host, function), the chart reports a count of vulnerabilities in each object class in your environment as a function of time. Consider an environment that has just a single image, where that image has three vulnerabilities: one high, one medium, and one low. Then at time=today on the Images vulnerabilities chart, you could read the following values:
● Critical - 0
● High - 1
● Medium - 1
● Low - 1

2. How many images do you need to fix?
For each object type (image, host, function), the chart reports, for each object class in your environment, a count of objects grouped by their highest severity vulnerability, as a function of time.
Consider an environment that has just a single image, where that image has three vulnerabilities: one high, one medium, and one low. Then at time=today on the Impacted images chart, you could read the following values:
● Critical - 0
● High - 1
● Medium - 0
● Low - 0

Let’s look at it another way with a different set of data. Assume the reading at t=today reports the following values, where t is some point on the x-axis of the chart:
● Critical - 1
● High - 1
● Medium - 0
● Low - 2

If your policy calls for addressing all critical vulnerabilities, then the chart tells you that there is precisely one image in your environment that has at least one critical vulnerability. Therefore, your work for today is to fix one image. That image might also have two high vulnerabilities and 20 low vulnerabilities, which you will see when you open the image’s scan report, but this chart is not designed to give you the total number of vulnerabilities.

Search tool
The search tool at the top of the page lets you determine if any image or host in your environment is impacted by a specific vulnerability (whether it is in the top ten list or not).

Top ten lists
Vulnerability Explorer gives you a ranked list of the most critical vulnerabilities in your environment based on a scoring system. There are separate top ten lists for the container images, hosts, and functions in your environment.

The top ten table is driven by a risk score. The most important factor in the risk score is the vulnerability’s severity. But additional factors are taken into account, such as:
● Is a fix available from the vendor?
● Is the container exposed to the internet?
● Are ingress ports open?
● Is the container privileged?
● Is an exploit available?

The underlying goal of the risk score is to make it actionable so you know whether you should address the vulnerability, and with what urgency.
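The two Roll-ups charts above differ only in what gets counted: every finding (chart 1) versus every image, once, under its worst finding (chart 2). The following added example (not Prisma Cloud code) computes both roll-ups from constructed scan results, reproducing the guide's two readings, and adds a work-list function for the "fix one image today" reasoning. Image names and CVE ids are constructed sample data.

```python
"""Added example, not Prisma Cloud code: the two Vulnerability Explorer roll-ups
computed from constructed image scan results (image -> list of (cve, severity))."""
from collections import Counter
from typing import Dict, List, Tuple

SEVERITIES = ["critical", "high", "medium", "low"]
RANK = {s: i for i, s in enumerate(SEVERITIES)}   # lower index = more severe

# Constructed scan data matching the guide's first reading: one image, H/M/L.
SINGLE_IMAGE_SCAN: Dict[str, List[Tuple[str, str]]] = {
    "app:1.0": [("CVE-EXAMPLE-1", "high"), ("CVE-EXAMPLE-2", "medium"), ("CVE-EXAMPLE-3", "low")],
}

# Constructed scan data matching the guide's second reading on the impacted-images chart.
MULTI_IMAGE_SCAN: Dict[str, List[Tuple[str, str]]] = {
    "api:2.3":   [("CVE-EXAMPLE-4", "critical"), ("CVE-EXAMPLE-5", "high"), ("CVE-EXAMPLE-6", "low")],
    "web:1.1":   [("CVE-EXAMPLE-7", "high"), ("CVE-EXAMPLE-8", "low")],
    "cache:7":   [("CVE-EXAMPLE-9", "low")],
    "batch:0.4": [("CVE-EXAMPLE-10", "low"), ("CVE-EXAMPLE-11", "low")],
}


def vulnerability_counts(scan: Dict[str, List[Tuple[str, str]]]) -> Dict[str, int]:
    """Chart 1 ("how many CVEs do you have?"): every finding is counted once."""
    counts: Counter = Counter()
    for findings in scan.values():
        for _cve, severity in findings:
            counts[severity] += 1
    return {s: counts.get(s, 0) for s in SEVERITIES}


def impacted_objects(scan: Dict[str, List[Tuple[str, str]]]) -> Dict[str, int]:
    """Chart 2 ("how many images do you need to fix?"): each image is counted once,
    under the most severe vulnerability it carries."""
    counts: Counter = Counter()
    for findings in scan.values():
        if not findings:
            continue   # a clean image appears in neither chart
        worst = min((severity for _cve, severity in findings), key=RANK.get)
        counts[worst] += 1
    return {s: counts.get(s, 0) for s in SEVERITIES}


def work_list(scan: Dict[str, List[Tuple[str, str]]], threshold: str = "critical") -> List[str]:
    """Images with at least one finding at or above the threshold: the images to fix."""
    limit = RANK[threshold]
    return sorted(image for image, findings in scan.items()
                  if any(RANK[severity] <= limit for _cve, severity in findings))


if __name__ == "__main__":
    print("vulnerabilities:", vulnerability_counts(MULTI_IMAGE_SCAN))
    print("impacted images:", impacted_objects(MULTI_IMAGE_SCAN))
    print("fix today:", work_list(MULTI_IMAGE_SCAN))
```

With the second data set, the vulnerability chart would read 1/2/0/5 while the impacted-images chart reads 1/1/0/2, which is exactly why the second chart cannot be used to count vulnerabilities and the first cannot be used to count images.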
Factors that contribute to the risk score are shown in the Risk Factors column. Running containers can introduce additional environmental factors that increase the calculated score for a vulnerability. For example, when the container runs as root, it could exacerbate the problem. A list of container traits that heighten the risk is shown in the detailed information dialog when you click a row in the top ten table.

Risk factors
Risk factors are combined to determine a vulnerability’s risk score. Vulnerabilities with the highest risk scores appear in the top ten lists. Risk factors can also be used to prioritize individual vulnerabilities for mitigation. For example, if your cluster runs containers from disparate business groups, a major concern might be container breakouts. DoS vulnerabilities would likely be much less important than remote code execution vulnerabilities, particularly if exploit code were available, you were running as root, and you didn’t have AppArmor or SELinux applied.

To filter vulnerabilities based on risk factors: open the image, host, or function scan report; open the Vulnerabilities tab; and select one or more risk factors. Prisma Cloud supports the following risk factors:
● {Critical | High | Medium} severity—Vulnerability severity.
● Has fix—Fix is available from the distributor, vendor, or package maintainer.
● Remote execution—Vulnerability can be exploited to run arbitrary code.
● DoS—Component is vulnerable to denial-of-service attacks, such as buffer overflow attacks, ICMP floods, and so on.
● Recent vulnerability—Vulnerability was reported in the current or previous year.
● Exploit exists—Code and procedures to exploit the vulnerability are publicly available.
● Attack complexity: low—Vulnerability is easily exploited.
● Attack vector: network—Vulnerability is remotely exploitable.
The vulnerable component is bound to the network, and the attacker’s path is through the network.
● Reachable from the internet—Vulnerability exists in a container exposed to the internet. To detect this risk factor, CNNF must be enabled and network objects must be defined for external sources under Radar > Settings. Then, if a connection is established between the defined external source and the container, the container is identified as reachable from the internet.
● Listening ports—Vulnerability exists in a container that is listening on network ports.
● Container is running as root—Vulnerability exists in a container running with elevated privileges.
● No mandatory security profile applied—Vulnerability exists in a container running with no security profile.
● Running as privileged container—Vulnerability exists in a container running with the --privileged flag.
● Package in use—Vulnerability exists in a component that is actually running. For example, if Redis is running in a container or on a host as a service, then all the following (hypothetical) vulnerabilities could be surfaced by filtering on this risk factor:

  redis (main process) CVE-XXX, CVE-XXX
  |- libssl (dependent package) CVE-XXX, CVE-XXX
  |- libzip (dependent package) CVE-XXX, CVE-XXX

Risk trees
Risk trees list all the images, namespaces, containers, and hosts that are vulnerable to a specific CVE. Risk trees are useful because they show you how you are exposed to a given vulnerability. Because Prisma Cloud already knows which vulnerabilities impact which packages, which packages are in which images, which containers are derived from which images, which containers run in which namespaces, and which hosts run which containers, it can show you the full scope of your exposure to a vulnerability across all objects in your environment. For each top ten vulnerability, Prisma Cloud shows you a vulnerability risk tree.
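The risk-factor list and the risk tree both come from joining two things Prisma Cloud knows: what a vulnerability is (severity, fix, exploit, vector) and where it runs (root, privileged, ports, exposure, package in use). The added example below (not Prisma Cloud's implementation) derives the risk factors defined above from those two inputs, filters vulnerabilities the way the Vulnerabilities tab does when you select several factors, and builds a risk tree for one CVE along the package, image, container, namespace, host chain described under Risk trees. Image names, container names, hosts and CVE ids are constructed sample data; the year used for "Recent vulnerability" is the guide's own date.

```python
"""Added example (not Prisma Cloud code): risk factors derived per vulnerability and
per running container, multi-factor filtering, and a risk tree for one CVE."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CURRENT_YEAR = 2022   # the guide is dated October 2022


@dataclass
class Vuln:
    cve: str
    severity: str                     # "critical" | "high" | "medium" | "low"
    package: str
    has_fix: bool = False
    remote_execution: bool = False
    dos: bool = False
    exploit_exists: bool = False
    attack_vector_network: bool = False
    attack_complexity_low: bool = False
    year_reported: int = 2020


@dataclass
class Container:
    name: str
    image: str
    namespace: str
    host: str
    user: str = "app"                       # "", "0" or "root" means running as root
    privileged: bool = False
    security_profile: str = "apparmor"      # "" means no mandatory profile applied
    listening_ports: List[int] = field(default_factory=list)
    reachable_from_internet: bool = False   # set once CNNF saw an external source connect
    running_packages: Set[str] = field(default_factory=set)


def risk_factors(v: Vuln, c: Container) -> Set[str]:
    """Risk factors of one vulnerability as it exists in one running container."""
    f: Set[str] = set()
    if v.severity in ("critical", "high", "medium"):
        f.add(f"{v.severity.capitalize()} severity")
    if v.has_fix: f.add("Has fix")
    if v.remote_execution: f.add("Remote execution")
    if v.dos: f.add("DoS")
    if v.year_reported >= CURRENT_YEAR - 1: f.add("Recent vulnerability")
    if v.exploit_exists: f.add("Exploit exists")
    if v.attack_complexity_low: f.add("Attack complexity: low")
    if v.attack_vector_network: f.add("Attack vector: network")
    if c.reachable_from_internet: f.add("Reachable from the internet")
    if c.listening_ports: f.add("Listening ports")
    if c.user.split(":")[0] in ("", "0", "root"): f.add("Container is running as root")
    if not c.security_profile: f.add("No mandatory security profile applied")
    if c.privileged: f.add("Running as privileged container")
    if v.package in c.running_packages: f.add("Package in use")
    return f


def filter_by_risk_factors(image_vulns: Dict[str, List[Vuln]], containers: List[Container],
                           required: List[str]) -> List[Tuple[str, str]]:
    """(container, CVE) pairs that carry every one of the selected risk factors."""
    want = set(required)
    return sorted((c.name, v.cve) for c in containers
                  for v in image_vulns.get(c.image, []) if want <= risk_factors(v, c))


def risk_tree(cve: str, image_vulns: Dict[str, List[Vuln]], containers: List[Container]) -> Dict[str, List[str]]:
    """Full exposure to one CVE: packages -> images -> containers -> namespaces and hosts."""
    images = sorted(img for img, vs in image_vulns.items() if any(v.cve == cve for v in vs))
    packages = sorted({v.package for img in images for v in image_vulns[img] if v.cve == cve})
    hit = [c for c in containers if c.image in images]
    return {"cve": cve, "packages": packages, "images": images,
            "containers": sorted(c.name for c in hit),
            "namespaces": sorted({c.namespace for c in hit}),
            "hosts": sorted({c.host for c in hit})}


# Constructed sample data (not real images, hosts or CVEs).
IMAGE_VULNS: Dict[str, List[Vuln]] = {
    "redis:6-example": [
        Vuln("CVE-EXAMPLE-1001", "critical", "redis", has_fix=True, remote_execution=True,
             exploit_exists=True, attack_vector_network=True, attack_complexity_low=True, year_reported=2022),
        Vuln("CVE-EXAMPLE-1002", "medium", "libzip", dos=True, year_reported=2019),
    ],
    "web:1.4-example": [
        Vuln("CVE-EXAMPLE-1001", "critical", "redis-tools", has_fix=True, remote_execution=True,
             exploit_exists=True, attack_vector_network=True, year_reported=2022),
    ],
}
CONTAINERS: List[Container] = [
    Container("cache-0", "redis:6-example", "prod", "node-a", user="root", security_profile="",
              listening_ports=[6379], reachable_from_internet=True, running_packages={"redis", "libssl"}),
    Container("cache-1", "redis:6-example", "staging", "node-b", user="1000", listening_ports=[6379]),
    Container("web-0", "web:1.4-example", "prod", "node-c", running_packages={"nginx"}),
]
```

Selecting "Remote execution", "Exploit exists" and "Container is running as root" together narrows three exposures to the same CVE down to the one container where all three hold, which is the prioritisation the text describes for the container-breakout concern.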
To see the vulnerability tree for a given CVE, click the corresponding row in the top ten table to open a detailed CVE assessment dialog. You can also generate a risk tree for any arbitrary CVE in your environment by entering the CVE ID into the search bar at the top of the page, then clicking the result in the table to open a detailed CVE assessment dialog.

Recalculating statistics
Statistical data is calculated every 24 hours. You can force Console to recalculate the statistics for the current day with the current data by clicking the Refresh button in the top left of Vulnerability Explorer. The Refresh button has a red marker when new data is available to be crunched.

2.1.2 Options available in the Policies section

Vulnerability policies are composed of discrete rules. Rules declare the actions to take when vulnerabilities are found in the resources in your environment. They also control the data surfaced in Prisma Cloud Console, including scan reports and Radar visualizations. Rules let you target segments of your environment and specify actions to take when vulnerabilities of a given type are found. For example:

  Block images with critical severity vulnerabilities from being deployed to prod environment hosts

There are separate vulnerability policies for containers, hosts, and serverless functions. Host and serverless rules offer a subset of the capabilities of container rules, the big difference being that container rules support blocking.

Creating vulnerability rules
Prisma Cloud ships with simple default vulnerability policies for containers, hosts, and serverless functions. These policies have a rule named Default - alert all components, which sets the alert threshold to low. With this rule, all vulnerabilities in images, hosts, and functions are reported.
As you build out your policy, you will create rules that filter out insignificant information, such as low-severity vulnerabilities, and surface vital information, such as critical vulnerabilities. Rule order is important. Prisma Cloud evaluates the rule list from top to bottom until it finds a match based on the object filters.

By default, Prisma Cloud optimizes resource usage by only scanning images with running containers. Therefore, you might not see a scan report for an image when it is first pulled into your environment unless it has been run. To scan all images on the hosts in your environment, go to Manage > System > Scan, set Only scan images with running containers to Off, and click Save.

To create a vulnerability rule:
Step 1: Open Console.
Step 2: Go to Defend > Vulnerabilities > {Images | Hosts | Functions}.
Step 3: Click Add rule.
Step 4: Enter a rule name and configure the rule. Configuration options are discussed in the following sections.
Step 5: Click Save.
Step 6: View the impact of your rule. Go to Monitor > Vulnerabilities to view the scan reports.

2.1.3 References

● Vulnerability Explorer, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vulnerability_management/vuln_explorer
● Vulnerability management rules, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vulnerability_management/vuln_management_rules

2.2 Monitor and defend against host vulnerabilities

2.2.1 Options available in the Monitor section

Prisma Cloud scans all hosts where Defender is installed. Defender scans hosts for the following types of vulnerabilities:
● Host configuration: Vulnerabilities in the host setup.
● Docker daemon configuration: Vulnerabilities that stem from misconfiguring your Docker daemons. A Docker daemon derives its configuration from various files, including /etc/sysconfig/docker or /etc/default/docker.
Misconfigured daemons affect all container instances on a host.
● Docker daemon configuration files: Vulnerabilities that arise from improperly securing critical configuration files with the correct permissions.
● Docker security operations: Recommendations and reminders for extending your current security best practices to include containers.

Prisma Cloud implements the checks from:
● CIS Distribution Independent Linux v2.0.0
● CIS Amazon Linux 2 Benchmark v1.0.0 (for AL 2)
● CIS Amazon Linux Benchmark v2.1.0 (for AL 1)

Reviewing host scan reports
Prisma Cloud lets you filter the displayed hosts by searching for specific hosts or by collection. Collections support AWS tags. When creating new collections, specify the tags you want to use for filtering in the Labels field.
Step 1: Open Console, then go to Monitor > Compliance > Hosts > Running Hosts.
Step 2: Click a host in the list. A report for the compliance issues on the host is shown.

All vulnerabilities identified in the latest host scan can be exported to a CSV file by clicking the CSV button in the top right of the table.

2.2.2 Options available in the Policies section

For discussion of vulnerability policies, see Section 2.1.2.

2.2.3 Reference

● Host scanning, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/host_scanning

2.3 Monitor and enforce image/container compliance

2.3.1 Options available in the Monitor section

Compliance Explorer is a reporting tool for compliance rate. Metrics present the compliance rate for resources in your environment on a per-check, per-rule, and per-regulation basis. Report data can be exported to CSV files for further investigation. The key pivot for Compliance Explorer is failed compliance checks. Compliance Explorer tracks each failed check and the resources impacted by each failed check.
From there, you can further slice and dice the data by secondary categories, such as collection, benchmark, and issue severity. Compliance Explorer helps you answer these types of questions:
● What is the compliance rate for the entire estate?
● What is the compliance rate for some segment of the estate?
● What is the compliance rate relative to the checks that you consider important?
  ○ Segment by benchmark.
  ○ Segment by specific compliance policy rules. Prisma Cloud supports compliance policies for containers, images, hosts, and serverless functions.
● Which resources (containers, images, hosts, serverless functions) are failing the compliance checks you care about?

To view Compliance Explorer, go to Monitor > Compliance > Compliance Explorer.

2.3.2 Options available in the Policies section

The CIS Benchmarks provide consensus-oriented best practices for securely configuring systems. Prisma Cloud provides checks that validate the recommendations in the following CIS Benchmarks:
● Docker Benchmark
● Kubernetes Benchmark
● OpenShift Benchmark (note: part of the Kubernetes CIS benchmarks)
● Distribution Independent Linux
● Amazon Web Services Foundations

We have graded each check using a system of four possible scores: critical, high, medium, and low. This scoring system lets you create compliance rules that take action, depending on the severity of the violation. If you want to be reasonably certain that your environment is secure, address all critical and high checks. By default, all critical and high checks are set to alert, and all medium and low checks are set to ignore. We expect customers to review, but probably never fix, medium and low checks.

There are just a handful of checks that are graded as critical. “Critical” is reserved for situations where your container environment is exposed to the internet, where it is vulnerable to a direct attack by somebody on the outside.
They should be addressed immediately.

Prisma Cloud has not implemented CIS checks marked as Not Scored. These checks are hard to define in a strict way. Other checks might not be implemented because the logic is resource-heavy, results depend on user input, or files cannot be parsed reliably.

Additional details about Prisma Cloud’s implementation of the CIS benchmarks
The compliance-rule dialog provides some useful information. Compliance rules for containers can be created under Defend > Compliance > Containers and Images, while compliance rules for hosts can be created under Defend > Compliance > Hosts.
Benchmark versions—To see which version of the CIS benchmark is supported in the product, click the All types drop-down list.
Grades—To see Prisma Cloud’s grade for a check, see the corresponding Severity column.
Built-in policy library—To enable the checks for the PCI DSS, HIPAA, NIST SP 800-190, and GDPR standards, select the appropriate template.

Compliance checks
Prisma Cloud Labs compliance checks are designed by our research team. They fill gaps that are not offered by other benchmarks. Like all compliance checks, Prisma Cloud’s supplementary checks monitor and enforce a baseline configuration across your environment. Prisma Cloud Labs compliance checks can be enabled or disabled in custom rules. New rules can be created under Defend > Compliance > Policy.

Container checks
● 596—Potentially dangerous NET_RAW capability enabled – Checks if a running container has the NET_RAW capability enabled. This capability grants an application the ability to craft raw packets. In the hands of an attacker, NET_RAW can enable a wide variety of networking exploits, such as ARP-spoofing and hijacking a cluster’s DNS traffic.
● 597—Secrets in clear text environment variables (container and serverless function check) – Checks if a running container (instantiated from an image) or serverless function contains sensitive information in its environment variables. These environment variables can be easily exposed with docker inspect, and thus compromise privacy.
● 598—Container app is running with weak settings – Weak settings incidents indicate that a well-known service is running with a nonoptimal configuration. This check covers settings for common applications, specifically: Mongo, Postgres, WordPress, Redis, Kibana, Elasticsearch, RabbitMQ, Tomcat, HAProxy, KubeProxy, Httpd, Nginx, MySQL, and registries. These settings check for such things as the use of default passwords, requiring SSL, etc. The output for a failed compliance check will contain a Cause field that gives specifics on the exact settings detected that caused a failure.
● 599—Container is running as root (container check) – Checks if the user value in the container configuration is root. If the user value is 0, root, or “” (empty string), the container is running as a root user, and the policy’s configured effect (ignore, alert, or block) is actuated.

2.3.3 References

● Compliance Explorer, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/compliance_explorer
● CIS Benchmarks, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/cis_benchmarks
● Compliance checks, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/prisma_cloud_compliance_checks

2.4 Monitor and enforce host compliance

2.4.1 Options available in the Monitor section

Prisma Cloud helps enterprises monitor and enforce compliance for hosts, containers, and serverless environments. Use the compliance-management system to enforce standard configurations and security best practices.
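The Prisma Cloud Labs container checks 596, 597 and 599 described in 2.3.2 are all decided from the container's configuration, which is what `docker inspect` shows. The added example below (not Prisma Cloud's implementation) encodes the stated logic of those three checks over a constructed configuration in that shape and applies the rule's configured effect, returning a Cause string per failed check the way the guide describes for 598. The secret-name heuristic, the `_FILE` exception for mounted secrets, the rule effects, and both sample configurations are assumptions for this example; the one fact it relies on is that Docker's default capability set includes NET_RAW, so the capability is enabled unless the container drops it.

```python
"""Added example (not Prisma Cloud code): Prisma Cloud Labs container checks 596, 597
and 599 evaluated over a docker-inspect-shaped configuration, with the rule effect
(ignore / alert / block) applied to the outcome."""
import re
from typing import Dict, List

# Check 597 heuristic (assumption): environment variable names that look like secrets.
SECRET_KEY_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)


def _norm_cap(cap: str) -> str:
    """'cap_net_raw' / 'CAP_NET_RAW' / 'NET_RAW' all compare as 'NET_RAW'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def check_596_net_raw(cfg: Dict) -> str:
    """Cause text if NET_RAW is enabled, else ''. NET_RAW is in Docker's default
    capability set, so it is on unless dropped (or ALL dropped without re-adding it)."""
    hc = cfg.get("HostConfig") or {}
    added = {_norm_cap(c) for c in (hc.get("CapAdd") or [])}
    dropped = {_norm_cap(c) for c in (hc.get("CapDrop") or [])}
    if hc.get("Privileged"):
        return "container is privileged, so every capability including NET_RAW is enabled"
    if "NET_RAW" in added:
        return "NET_RAW explicitly added with --cap-add"
    if "NET_RAW" in dropped or "ALL" in dropped:
        return ""
    return "NET_RAW is in the default capability set and was not dropped"


def check_597_secrets_in_env(cfg: Dict) -> str:
    """Cause text listing secret-like variable names, else ''. Names ending in _FILE
    point at a mounted secret rather than holding one, so they are not flagged."""
    env = (cfg.get("Config") or {}).get("Env") or []
    hits: List[str] = []
    for kv in env:
        key = kv.split("=", 1)[0]
        if SECRET_KEY_RE.search(key) and not key.upper().endswith("_FILE"):
            hits.append(key)
    return f"secret-like environment variables: {', '.join(hits)}" if hits else ""


def check_599_running_as_root(cfg: Dict) -> str:
    """Cause text if the user value is 0, root or empty (the guide's three cases)."""
    user = ((cfg.get("Config") or {}).get("User") or "").split(":")[0]
    return f"user value {user!r} means the container runs as root" if user in ("", "0", "root") else ""


CHECKS = {596: check_596_net_raw, 597: check_597_secrets_in_env, 599: check_599_running_as_root}
EFFECT_RANK = {"ignore": 0, "alert": 1, "block": 2}


def evaluate(cfg: Dict, effects: Dict[int, str]) -> Dict:
    """Run every check; the decision is the strongest effect among the failed ones."""
    findings = []
    for check_id, check in CHECKS.items():
        cause = check(cfg)
        if cause:
            findings.append({"id": check_id, "effect": effects.get(check_id, "ignore"), "cause": cause})
    decision = max((f["effect"] for f in findings), key=EFFECT_RANK.get, default="allow")
    return {"decision": decision, "findings": findings}


# Assumed rule configuration and constructed sample configurations.
RULE_EFFECTS = {596: "alert", 597: "alert", 599: "block"}

WEAK_CONFIG = {   # runs as root, default capabilities, a database password in the environment
    "Config": {"User": "", "Env": ["PATH=/usr/bin", "DB_PASSWORD=example-not-a-real-secret"]},
    "HostConfig": {"CapAdd": None, "CapDrop": None, "Privileged": False},
}
HARDENED_CONFIG = {   # non-root uid, all capabilities dropped, secret delivered via a file
    "Config": {"User": "10001:10001", "Env": ["PATH=/usr/bin", "DB_PASSWORD_FILE=/run/secrets/db"]},
    "HostConfig": {"CapAdd": [], "CapDrop": ["ALL"], "Privileged": False},
}

if __name__ == "__main__":
    print(evaluate(WEAK_CONFIG, RULE_EFFECTS))
    print(evaluate(HARDENED_CONFIG, RULE_EFFECTS))
```

The effect ranking is what makes block rules work the way 2.4.2 describes later in this guide: one failed block-effect check is enough to refuse container creation, while alert-only failures are recorded and surfaced in Monitor > Compliance.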
● Compliance Explorer
● Enforce compliance checks
● CIS Benchmarks
● Prisma Cloud Labs compliance checks
● Serverless functions compliance checks
● Windows compliance checks
● DISA STIG compliance checks
● Custom compliance checks
● Trusted images
● Host scanning
● VM image scanning
● Fargate scanning
● Detect secrets
● Cloud discovery
● OSS license management

2.4.2 Options available in the Policies section

Prisma Cloud can monitor and enforce compliance settings across your environment. Out of the box, Prisma Cloud supports hundreds of discrete checks that cover images, containers, hosts, clusters, and clouds.

Applications are typically built with numerous components. Many components have established best practices for securing them against attack. Not everyone has the bandwidth to painstakingly work through the details of every best practice to determine which ones are the most important. Prisma Cloud lets your security team centrally review all best practices, enable the ones that align with your organization’s security mandate, and then evenly enforce them across your environment. Prisma Cloud’s predefined checks are based on industry standards, such as the CIS benchmarks, as well as research and recommendations from Prisma Cloud Labs. Additionally, you can implement your own compliance checks with scripts.

Enforcement
Compliance rules are defined and applied in the same way as vulnerability rules. Checks that can be performed on static images are performed as images are scanned (either in the registry or on local hosts). Results are then displayed in the compliance reports under Monitor > Compliance on the Console. When compliance rules are configured with block actions, they are enforced when a container is created. If the instantiated container violates your policy, Prisma Cloud prevents the container from being created. Note that compliance enforcement is only one part of a defense-in-depth approach.
Because compliance enforcement is applied at creation, it is possible that a user with appropriate access could later change the configuration of a container, making it noncompliant after deployment. In these cases, the runtime layers of the defense-in-depth model provide protection by detecting anomalous activity, such as unauthorized processes.

Assume that you want to block any container that runs as root. The flow for blocking such a container is:
1. Prisma Cloud admin creates a new compliance rule that blocks containers from running as root.
2. The admin optionally targets the rule to specific resources, such as a set of hosts, images, or containers.
3. Someone with rights to create containers attempts to deploy a container to the environment.
4. Prisma Cloud compares the image being deployed to the compliance state that it detected when it scanned the image. For deploy-time parameters, the specific Docker client commands that are sent are also analyzed.
5. One of the following happens:
   ● If the comparison determines that the image is compliant with the policy, the “docker run” command is allowed to proceed as normal, and the return message from Docker Engine is sent back to the user.
   ● If the comparison determines that the image is not compliant, the container_create command is blocked and Prisma Cloud returns an error message back to the user describing the violation.
All activities are centrally logged in Console and (optionally) syslog in both success and failure cases.

2.4.3 References

● Compliance, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance
● Manage compliance, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/manage_compliance

2.5 Monitor and defend containers and hosts during runtime

Runtime defense is the set of features that provide both predictive and threat-based active protection for running containers.
For example, predictive protection includes capabilities like determining when a container runs a process not included in the origin image or creates an unexpected network socket. Threat-based protection includes capabilities such as detecting when malware is added to a container or when a container connects to a botnet.

Prisma Cloud Compute has distinct sensors for file system, network, and process activity. Each sensor is implemented individually, with its own set of rules and alerts. The runtime defense architecture is unified to simplify the administrator experience and to show more detail about what Prisma Cloud automatically learns from each image. Runtime defense has two principal object types: models and rules.

2.5.1 Container models

Models are the results of the autonomous learning that Prisma Cloud performs every time it sees a new image in an environment. A model is the allow list for what a given container image should be doing, across all runtime sensors. Prisma Cloud automatically creates and maintains models. They provide an easy way for administrators to view and understand what Prisma Cloud has learned about their images. For example, a model for an Apache image would detail the specific processes that should run within containers derived from the image and which network sockets should be exposed.

Navigate to Monitor > Runtime > Container Models. Click the image to view the model.

There is a 1:1 relationship between models and images: every image has a model, and every model applies to a single unique image. For each image, a unique model is created and mapped to the image digest. So, even if there are multiple images with the same tags, Prisma Cloud creates unique models for each image.
Models are built from both static analysis (such as building a hashed process map based on parsing an init script in a Dockerfile ENTRYPOINT) and dynamic behavioral analysis (such as observing actual process activity during early runtime of the container). Models can be in one of three modes: Active, Archived, or Learning.

For containers in Kubernetes clusters, Prisma Cloud considers the image, namespace, cluster, and deployment (YAML) file when it creates models.

● When the same image runs in multiple different clusters, Prisma Cloud creates separate models for each image in each cluster.
● When the same image runs in multiple different namespaces, Prisma Cloud creates separate models for each image in each namespace.
● When there are multiple running instances of an image in the same namespace, Prisma Cloud creates a single model.
● When there are multiple running instances of an image in the same namespace, but started from different deployment (YAML) files, Prisma Cloud creates multiple container models, one for each deployment.

Prisma Cloud shows you how models map to specific images. Go to Monitor > Runtime > Container Models, click a model in the table, and click the General tab.

2.5.2 Host observations

● Track SSH events—As part of the host observation capability, Prisma Cloud also fully tracks all SSH activities; this is enabled by default in new rules. Tracking can be disabled via the toggle.

2.5.3 Runtime policies

Host runtime policy

By default, Prisma Cloud ships with an empty host runtime policy. An empty policy disables runtime defense entirely. Creating a new rule enables runtime defense. When Defender is installed, it automatically starts collecting data about the underlying host. To create a rule, open Console, go to Defend > Runtime > Host Policy, and click Add rule. Create new rules to enhance host protection.
● Rules are assigned names to provide an indication of the target of each rule.
● The scope of each rule is determined by the collection assigned to that rule.
● Prisma Cloud uses rule order and pattern matching to determine which rule to apply for each workload.

Anti-malware provides a set of capabilities that lets you alert on or prevent malware activity and exploit attempts.

2.5.4 Runtime audits

The runtime audits documentation summarizes all the runtime audits (detections) that are available in Prisma Cloud Compute. For each detection, you can learn what it actually detects, how to enable or disable it, how to avoid false positives, the relevant workloads (Containers, Hosts, Serverless, and App-embedded), and whether the audit also generates an incident.

2.5.5 Incidents using Incident Explorer

Incident Explorer elevates raw audit data to actionable security intelligence, which enables a more rapid and effective response to incidents. You do not have to manually sift through reams of audit data because Incident Explorer automatically correlates individual events that are generated by the firewall and runtime sensors to identify unfolding attacks.

Audit events that are generated as a byproduct of an attack rarely occur in isolation. Attackers might modify a configuration file to open a backdoor, establish a new listener to shovel data out of the environment, run a port scan to map the environment, or download a rootkit to hijack a node. Each of these attacks is made up of a sequence of process, file system, and network events. Prisma Cloud’s runtime sensors generate an audit each time an anomalous event outside the allow-list security model is detected. Incident Explorer sews these discrete events together to show the progression of a potential attack.
To learn more about the challenges of incident response in cloud native environments, and how Prisma Cloud can help, see this webinar recording.

Viewing incidents

To view incidents, go to Monitor > Runtime > Incident Explorer. Click an incident to examine the events in the kill chain. Clicking on individual events shows more information about what triggered the audit. After you have examined the incident, and have taken any necessary action, you can declutter your workspace by archiving the incident.

All the raw audit events that comprise the incident can be found in the Audit Data tab. To see the individual events and export the data to a CSV file, go to Monitor > Events > Container audits / Host audits / App-Embedded audits.

Incident Explorer is organized to let you quickly access the data you need to investigate an incident. The following diagram shows the contextual data presented with each incident:

● (1) Story—Sequence of audits that triggered the incident.
● (2) Image, container, and host reports—Scan reports for each resource type. Scan reports list vulnerabilities, compliance issues, and so on.
● (3) Connections—Incident-specific radar that shows all connections to and from the container involved in the incident. Its purpose is to help you assess risk by showing you a connection graph for the compromised asset.
● (4) Documentation—Detailed steps for investigating and mitigating every incident type.
● (5) Forensics—Supplemental data collected and stored by Defender to paint a better picture of the events that led to an incident.
2.5.6 References

● Runtime defense for containers, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runtime_defense/runtime_defense_containers
● Host Observations, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runtime_defense/runtime_defense_hosts
● Host runtime policy, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runtime_defense/runtime_defense_hosts
● Runtime audits, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runtime_defense/runtime_audits
● Incident Explorer, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runtime_defense/incident_explorer

2.6 Monitor and protect against serverless vulnerabilities

This task shows you how to identify and protect against vulnerabilities in serverless apps. The term “serverless” does not mean that there is no server. It means that for most purposes you can ignore the server because it is managed by the service provider. However, it is still implemented on a virtual machine, possibly in a Docker container, that runs an application runtime environment such as Node.js or Tomcat. This environment, and any libraries you import into your serverless app, can still contain vulnerabilities.

2.6.1 Monitor

Prisma Cloud can scan serverless functions for vulnerabilities. Prisma Cloud supports AWS Lambda, Google Cloud Functions, and Azure Functions.

Serverless computing is an execution model in which a cloud provider dynamically manages the allocation of machine resources and schedules the execution of functions that users provide. Serverless architectures delegate the operational responsibilities, along with many security concerns, to the cloud provider. Your app itself, however, is still prone to attack.
The vulnerabilities in your code and associated dependencies are the footholds attackers use to compromise an app. Prisma Cloud can show you a function’s dependencies, and surface the vulnerabilities in those dependent components.

Capabilities

For serverless, Prisma Cloud can scan Node.js, Python, Java, C#, Ruby, and Go packages. For a list of supported runtimes, see system requirements.

Prisma Cloud scans are triggered by the following events:

● When the settings change, including when new functions are added for scanning.
● When you explicitly click the Scan button in the Monitor > Vulnerabilities > Functions > Scanned Functions page.
● Periodically. By default, Prisma Cloud rescans serverless functions every 24 hours, but you can configure a custom interval in Manage > System > Scan.

Scan a serverless function

Configure Prisma Cloud to periodically scan your serverless functions. Unlike image scans, all function scans are handled by Console.

Step 1: Open Console.
Step 2: Go to Defend > Vulnerabilities > Functions > Functions.
Step 3: Click Add scope. In the dialog, enter these settings:
● (AWS only) Select Scan only latest versions to scan just the latest version of each function. Otherwise, the scan will cover all versions of each function up to the specified Limit value.
● (AWS only) Select Scan Lambda Layers to enable function layer scans as well.
● (AWS only) Specify which regions to scan in AWS Scanning scope. By default, the scope is applied to Regular regions. Other options include China regions or Government regions.
● Specify a Limit for the number of functions to scan.
● Select the accounts to scan by credential. If you wish to add an account, click Add credential.
● Click Add.
Step 5: Click the green Save button.
Step 6: View the scan report. Go to Monitor > Vulnerabilities > Functions > Scanned functions.
All vulnerabilities identified in the latest serverless scan report can be exported to a CSV file by clicking the CSV button in the top right of the table.

2.6.2 Policy

Prisma Cloud Labs has developed compliance checks for serverless functions. Currently, only AWS Lambda is supported.

In AWS Lambda, every function has an execution role. Execution roles are identities with permission policies that control what functions can and cannot do in AWS. When you create a function, you specify an execution role. When the function is invoked, it assumes this role. When Prisma Cloud scans the functions in your environment, it inspects the execution role for overly permissive access to AWS services and resources. Two fields are inspected: resource and action.

Resource

Specifies the objects to which the permission policy applies. Resources are specified with ARNs. ARNs let you unambiguously specify a resource across all of AWS. ARNs have the following format:

arn:partition:service:region:account-id:resource

Where:
● service—Identifies the AWS product, such as Amazon S3, IAM, or CloudWatch Logs.
● resource—Identifies the objects in the service. It often includes the resource type, followed by the resource name itself.

For example, the following ARN uniquely identifies the user Francis in the IAM service:

arn:aws:iam::586975633310:user/Francis

Action

Describes the tasks that can be performed on the service. For example, ec2:StartInstances, iam:ChangePassword, and s3:GetObject. Wildcards can be used to grant access to all the actions of a given AWS service. For example, s3:* applies to all S3 actions.

2.6.3 Auto-protect

Serverless auto-defend lets you automatically add the Serverless Defender to the AWS Lambda functions deployed in your account. Prisma Cloud uses the AWS API to deploy the Serverless Defender as a Lambda layer based on the auto-defend rules.
Auto-defend is an additional option for deploying the Serverless Defender, in addition to manually adding it as a dependency or adding it as a Lambda layer.

Serverless auto-defend supports the following runtimes:
● Node.js 12.x, 14.x
● Python 3.6, 3.7, 3.8
● Ruby 2.7

Limitations

Auto-protect is implemented with a layer. AWS Lambda has a limit of five layers per function. If your functions have multiple layers, and they might exceed the layer limit with auto-defend, consider protecting them with the embedded option.

Required permissions

Prisma Cloud needs the following permissions to automatically protect Lambda functions in your AWS account. Add the following policy to an IAM user or role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PrismaCloudComputeServerlessAutoProtect",
      "Effect": "Allow",
      "Action": [
        "lambda:PublishLayerVersion",
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetLayerVersion",
        "lambda:GetFunctionConfiguration",
        "iam:SimulatePrincipalPolicy",
        "lambda:GetFunction",
        "lambda:ListFunctions",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:ListRolePolicies",
        "iam:ListAttachedRolePolicies",
        "iam:GetRolePolicy",
        "iam:GetPolicy",
        "lambda:ListLayerVersions",
        "lambda:ListLayers",
        "lambda:DeleteLayerVersion",
        "kms:Decrypt",
        "kms:Encrypt",
        "kms:CreateGrant"
      ],
      "Resource": "*"
    }
  ]
}

Serverless auto-defend rules

To secure one or multiple AWS Lambda functions using serverless auto-defend:
1. Define a serverless protection runtime policy.
2. Define a serverless WAAS policy.
3. Add a serverless auto-defend rule.
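The execution-role inspection described under 2.6.2 Policy, as an added example that is not Prisma Cloud's scanner code: it parses ARNs into the components listed there and flags Allow statements whose Action or Resource is a wildcard. The sample policy, account id and function name are constructed for the demonstration.

```python
"""Flag overly permissive statements in a Lambda execution-role policy.

Added example for this study guide, not Prisma Cloud's scanner code. It
applies the two checks described under 2.6.2 Policy, a wildcard Action such
as "s3:*" and a wildcard Resource such as "*", to an IAM policy document,
and shows how an ARN is split into the components the section lists.
"""
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Arn:
    """Components of arn:partition:service:region:account-id:resource."""
    partition: str
    service: str
    region: str
    account_id: str
    resource: str


def parse_arn(arn: str) -> Arn:
    """Split an ARN into its fields.

    The resource segment may itself contain ':' (a CloudWatch log-group ARN,
    for example), so only the first five ':' separate fields.
    """
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return Arn(*parts[1:])


def _as_list(value):
    """IAM allows a single string or a list in Action and Resource."""
    return value if isinstance(value, list) else [value]


def find_overly_permissive(policy: dict) -> list:
    """Return (Sid, field, value) for every Allow statement whose Action or
    Resource uses a wildcard instead of naming a single permission or object."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            # "*" grants every action in AWS; "<service>:*" every action of
            # one service, as in the s3:* example in the section.
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "Action", action))
        for res in _as_list(stmt.get("Resource", [])):
            # "*" matches every resource; an ARN whose resource part is "*"
            # matches every object of that service in the account.
            if res == "*" or parse_arn(res).resource == "*":
                findings.append((sid, "Resource", res))
    return findings


# Constructed execution-role policy for demonstration. The account id and
# function name are placeholders, not values from the study guide.
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TightLogging",
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
      "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-fn:*"
    },
    {
      "Sid": "TooBroad",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    },
    {
      "Sid": "AllBuckets",
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::*"
    }
  ]
}
""")


if __name__ == "__main__":
    for sid, field, value in find_overly_permissive(SAMPLE_POLICY):
        print(f"{sid}: {field} {value!r} is overly permissive")
```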
2.6.4 References

● Serverless function scanning, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vulnerability_management/serverless_functions
● Serverless functions compliance checks, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/serverless
● Auto-defend serverless functions, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_defender/auto_defend_serverless

2.7 Configure WAAS

2.7.1 Application specifications

WAAS (Web-Application and API Security, formerly known as CNAF, Cloud Native Application Firewall) is a web application firewall (WAF) designed for HTTP-based web applications deployed directly on hosts, as containers, as app-embedded, or as serverless functions. WAFs secure web applications by inspecting and filtering Layer 7 traffic to and from the application.

WAAS enhances the traditional WAF protection model by deploying closer to the application, easily scaling up or down, and allowing for inspection of “internal” traffic (east-to-west) from other microservices, as well as inbound traffic (north-to-south).

For containerized web applications, WAAS binds to the application’s running containers, regardless of the cloud, orchestrator, node, or IP address where it runs, and without the need to configure any complicated routing. For noncontainerized web applications, WAAS simply binds to the host where the application runs.

Highlights of WAAS capabilities:

● OWASP Top-10 Coverage—Protection against the most critical security risks to web applications, including injection flaws, broken authentication, broken access control, security misconfigurations, etc.
● API Protection—WAAS is able to enforce API traffic security based on definitions and specs provided in the form of Swagger or OpenAPI files.
● Access Control—WAAS controls access to protected applications using Geo-based, IP-based, or HTTP Header-based user-defined restrictions.
● File Upload Control—WAAS secures application file uploads by enforcing file extension rules.
● Detection of Unprotected Web Applications—WAAS detects unprotected web applications and flags them in the radar view.
● Penalty Box for Attackers—WAAS supports a five-minute ban of IPs triggering one of its protections to slow down vulnerability scanners and other attackers probing the application.
● Bot Protection—WAAS detects known good bots as well as other bots, headless browsers, and automation frameworks. WAAS is also able to fend off cookie droppers and other primitive clients by mandating the use of cookies and JavaScript in order for the client to reach the protected origin.
● DoS Protection—WAAS is able to enforce rate limitation on IPs or Prisma Sessions to protect against high-rate and “low and slow” layer-7 DoS attacks.

Architecture

WAAS is deployed via Prisma Cloud Compute Defenders that operate as a transparent HTTP proxy, evaluating client requests against security policies before relaying the requests to your application. Defenders are deployed into the environment in which the web applications run. The WAAS management console is independent of the Defenders and can be self-hosted or provided as a service (SaaS).

When a firewall is deployed, Defender reroutes traffic bound for your web application to WAAS for inspection. If a connection is secured with TLS, Defender decrypts the traffic, examines the content, and then re-encrypts it. Legitimate requests are passed to the target container or host. Requests triggering one or more WAAS protections generate a WAAS “event audit” and an action is taken based on the preconfigured action (see “WAAS Actions” below).
WAAS event audits can be further explored in the Monitor section of Prisma Cloud Compute’s management console (Monitor > Events). In addition, event audits are registered in the Defender’s syslog, thus allowing for integration with third-party analytics engines or SIEM platforms of choice.

2.7.2 API methods

WAAS Actions

Requests that trigger a WAAS protection are subject to one of the following actions:
● Alert - The request is passed to the protected application and an audit is generated for visibility.
● Prevent - The request is denied from reaching the protected application, an audit is generated, and WAAS responds with an HTML page indicating the request was blocked.
● Ban - Can be applied on either IP or Prisma Session IDs. All requests originating from the same IP/Prisma Session to the protected application are denied for the configured time period (default is 5 minutes) following the last detected attack.

2.7.3 REST API endpoints

WAAS can enforce API security based on specifications provided in the form of Swagger or OpenAPI files. Alternatively, you can manually define your API (e.g., paths, allowed HTTP methods, parameter names, input types, value ranges, and so on). Once defined, you can configure the actions WAAS applies to requests that do not comply with the API’s expected behavior.

Import API definition from Swagger or OpenAPI files
1. Click the App definition tab.
2. Click Import.
3. Select a file to load.
4. Click the API protection tab.
5. Review path and parameter definitions listed under API Resources.
6. Click the Endpoint setup tab.
7. Review protected endpoints listed under Protected Endpoints and verify configured base paths all end with a trailing *.
8. Go back to the API protection tab.
9. Configure an API protection action for the resources defined under API resources, and an action for all other resources.

Define an API manually
1. Click the App definition tab.
2. Click the Endpoint setup tab.
3. Add protected endpoints under Protected endpoints and verify configured base paths all end with a trailing *.
4. Click the API protection tab.
5. Click Add path.
6. Enter the Resource path (e.g. /product; resource paths should not end with a trailing “/”). Paths entered in this section are additional subpaths to the base path defined in the previous endpoint section. For example, if in the endpoint definition the hostname was set to www.example.com and the base path was set to /api/v2/*, and in the API Protection tab the resource path was set to /product, the full protected resource would be www.example.com/api/v2/product.
7. Select allowed methods.
8. For each allowed HTTP method, define parameters by selecting the method from the Parameters for drop-down list:
   1. Select an HTTP method from the drop-down list.
   2. Click Add parameter.
   3. Enter the parameter definition.
9. Configure an API protection action for the resources defined under API resources, and an action for all other resources.
   ○ Parameter violation—Action to be taken when a request sent to one of the specified paths in the API resource list does not comply with the provided parameter definitions.
   ○ Unspecified path(s)/method(s)—Action to be taken in one of the following cases:
      ■ Request sent to a resource path that is not specified in the API resources list.
      ■ Request sent using an unsupported HTTP method for a resource path in the API list.

2.7.4 DoS protection

WAAS is able to enforce a rate limit on IPs or sessions to protect against high-rate and “low and slow” application-layer DoS attacks.
DoS protection overview

WAAS is able to limit the rate of requests to the protected endpoints within each app based on two configurable request rates:
● Burst Rate - Average rate of requests per second, calculated over a five-second period.
● Average Rate - Average rate of requests per second, calculated over a 120-second period.

Users are able to specify match conditions for qualifying requests to be included in the count. Match conditions are based on HTTP methods, file extensions, and HTTP response codes. Users are also able to specify Network lists to be excluded from the DoS protection rate accounting.

Enabling DoS protection

Step 1: Open the DoS Protection tab and set the DoS Protection toggle to On.
Step 2: Set the effect with the action to apply once a threshold is reached.
Step 3: Apply rate-limitation thresholds (requests per second) for Burst rate (calculated over five seconds) and for Average rate (calculated over 120 seconds).
Step 4: To apply the rate limitation on a subset of requests, click the On button. Conditions can be specified as a combination (AND) of the following:
● HTTP Methods
● File Extensions - multiple extensions are allowed (e.g. .jpg, .jpeg, .png).
● HTTP Response Codes - specify either a single response code, a range, or a combination of them (e.g. 302, 400-410, 500-599).
Step 5: Multiple match conditions are allowed (OR relation between them). In the example shown, the following requests would be counted against the rate limitation thresholds:
● HEAD HTTP requests
● POST HTTP requests with a file extension of .tar.gz
● GET or PUT HTTP requests with a file extension of .jpg, .jpeg, or .png to which the origin responded with an HTTP response code of 302, or in the range 400-410, or in the range 500-599
Step 6: Specify Network lists of IP addresses to be excluded from the rate accounting.
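The rate accounting described in this section, as an added example that is not Prisma Cloud's implementation: it encodes the three match conditions from the example above (AND inside a condition, OR between conditions), honours an excluded network list, and computes the Burst and Average rates per client IP over constructed traffic. The client addresses, paths and network list are constructed for the demonstration.

```python
"""Simulate WAAS-style DoS rate accounting over constructed traffic.

Added example for this study guide, not Prisma Cloud's implementation. It
models the match conditions described above (HTTP method AND file extension
AND response code inside a condition, OR between conditions), skips sources
in an excluded network list, and computes the Burst rate (requests/s over a
5-second window) and Average rate (over 120 seconds) for each client IP.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Request:
    ts: float       # seconds since the start of the constructed capture
    src_ip: str
    method: str
    path: str
    status: int     # response code returned by the origin


@dataclass
class MatchCondition:
    """An empty set/list means 'any' for that field (AND across the fields)."""
    methods: set = field(default_factory=set)
    extensions: set = field(default_factory=set)
    status_ranges: list = field(default_factory=list)


def parse_status_codes(spec: str) -> list:
    """'302, 400-410, 500-599' -> [(302, 302), (400, 410), (500, 599)]."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            lo, _, hi = item.partition("-")
            ranges.append((int(lo), int(hi or lo)))
    return ranges


def matches(cond: MatchCondition, req: Request) -> bool:
    if cond.methods and req.method not in cond.methods:
        return False
    if cond.extensions and not any(req.path.endswith(e) for e in cond.extensions):
        return False
    if cond.status_ranges and not any(lo <= req.status <= hi
                                      for lo, hi in cond.status_ranges):
        return False
    return True


def counted(conditions: list, req: Request) -> bool:
    """OR between conditions; with no conditions every request is counted."""
    return not conditions or any(matches(c, req) for c in conditions)


def excluded(networks: list, ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def rates(requests: list, conditions: list, excluded_nets: list, now: float) -> dict:
    """Return {src_ip: (burst_rps, average_rps)} as seen at time `now`."""
    counts = defaultdict(lambda: [0, 0])   # [burst-window hits, average-window hits]
    for r in requests:
        if excluded(excluded_nets, r.src_ip) or not counted(conditions, r):
            continue
        age = now - r.ts
        if 0 <= age < 120:
            counts[r.src_ip][1] += 1
        if 0 <= age < 5:
            counts[r.src_ip][0] += 1
    return {ip: (b / 5, a / 120) for ip, (b, a) in counts.items()}


def exceeded(rates_by_ip: dict, burst_limit: float, avg_limit: float) -> list:
    """IPs over either threshold; the configured DoS action applies to these."""
    return sorted(ip for ip, (b, a) in rates_by_ip.items()
                  if b > burst_limit or a > avg_limit)


# The three conditions from the section's example.
CONDITIONS = [
    MatchCondition(methods={"HEAD"}),
    MatchCondition(methods={"POST"}, extensions={".tar.gz"}),
    MatchCondition(methods={"GET", "PUT"}, extensions={".jpg", ".jpeg", ".png"},
                   status_ranges=parse_status_codes("302, 400-410, 500-599")),
]
EXCLUDED = [ipaddress.ip_network("10.0.0.0/8")]   # constructed "internal" network list

# Constructed traffic: one client hammering a missing image, one browsing
# normally, and one internal monitor that the network list excludes.
SAMPLE_TRAFFIC = (
    [Request(100.5 + i / 10, "203.0.113.7", "GET", "/img/a.jpg", 404) for i in range(40)]
    + [Request(101.0 + i, "198.51.100.9", "GET", "/img/b.png", 200) for i in range(4)]
    + [Request(100.0 + i / 10, "10.0.0.5", "HEAD", "/healthz", 200) for i in range(50)]
)


if __name__ == "__main__":
    seen = rates(SAMPLE_TRAFFIC, CONDITIONS, EXCLUDED, now=105.0)
    print(seen, exceeded(seen, burst_limit=5, avg_limit=2))
```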
DoS actions

Requests that exceed the rate limitation thresholds are subject to one of the following actions:
● Alert—The request is passed to the protected application and an audit is generated for visibility.
● Ban—Can be applied to either the IP or Prisma Session. All requests originating from the same IP/Prisma Session to the protected application are denied for the configured time period (default is five minutes) following the last detected attack.

2.7.5 Access controls to limit inbound sources

WAAS allows for control over how applications and end-users communicate with the protected web application.

Network Controls

IP-based access control

Network lists can be specified in:
● Denied inbound IP Sources - WAAS applies the selected action (Alert or Prevent) for IP addresses in network lists.
● IP Exception List - Traffic that originates from IP addresses listed in this category is not inspected by any of the protections defined in this policy.

Country-Based Access Control

Specify country codes, in ISO 3166-1 alpha-2 format, in one of the following categories (mutually exclusive):
● Denied Inbound Source Countries - WAAS applies the selected action (Alert or Prevent) for requests originating from the specified countries.
● Allowed Inbound Source Countries - Requests originating from the specified countries will be forwarded to the application (pending inspection). WAAS will apply an action of choice (Alert or Prevent) on all other requests that do not originate from the specified countries.

2.7.6 Network lists

Network Lists allow administrators to create and maintain named IP address lists—for example, “Office Branches,” “Tor and VPN Exit Nodes,” “Business Partners,” etc. List entries are composed of IPv4 addresses or IP CIDR blocks. To access Network Lists, open Console, go to Defend > WAAS and select the Network List tab.
You can update lists manually or via batch import of entries from a CSV file. Once defined, Network Lists can be referenced and used in IP-based access control, user-defined bots, and DoS protection. To export lists in CSV format, click export CSV.

2.7.7 Access controls to enforce HTTP headers and file uploads

HTTP Header Controls

WAAS lets you block or allow requests that contain specific strings in HTTP headers by specifying a header name and a value to match. The value can be a full or partial string match. Standard pattern matching is supported. If the Required toggle is set to On, WAAS applies the defined action on HTTP requests in which the specified HTTP header is missing. When the Required toggle is set to Off, no action will be applied for HTTP requests missing the specified HTTP header.

HTTP header fields consist of a name followed by a colon, and then the field value. When decoding field values, WAAS treats all commas as delimiters. For example, the Accept-Encoding request header advertises which compression algorithms the client supports:

Accept-Encoding: gzip, deflate, br

WAAS rules do not support exact matching when the value in a multivalue string contains a comma, because WAAS treats all commas as delimiters. To match this type of value, use wildcards. For example, consider the following header:

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36

To match it, specify the following wildcard expression in your WAAS rule:

Mozilla/5.0*

File Upload Controls

Attackers may try to upload malicious files, such as malware, to your systems. WAAS protects your applications against malware by restricting uploads to just the files that match any allowed content types. All other files will be blocked. Files are validated both by their extension and their magic numbers.
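The header matching and upload validation behaviour described in this section, as an added example that is not Prisma Cloud's code: it splits header values at every comma and matches tokens with wildcards (so the User-Agent above only matches via Mozilla/5.0*), applies the Required toggle, and checks an upload's extension against its magic number, including the documented exception for explicitly allowed extensions. The HeaderRule fields, the magic-number table and the sample requests are constructed for the demonstration.

```python
"""WAAS-style HTTP header rules and file-upload validation.

Added example for this study guide, not Prisma Cloud's code. The header
matcher reproduces the behaviour described above: header values are split at
every comma, each token is matched against the rule value (wildcards stand in
for partial matching), and the Required toggle decides what happens when the
header is absent. The upload check validates extension and magic number and
shows the documented exception for explicitly allowed extensions.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class HeaderRule:
    name: str             # header name, compared case-insensitively
    value: str            # value to match; '*' and '?' are wildcards
    action: str           # "alert" or "prevent", as in WAAS Actions
    required: bool = False


def evaluate_header_rule(rule: HeaderRule, headers: dict) -> Optional[str]:
    """Return the rule's action when the request triggers it, else None."""
    present = {k.lower(): v for k, v in headers.items()}
    raw = present.get(rule.name.lower())
    if raw is None:
        # Required=On makes a missing header a violation in itself.
        return rule.action if rule.required else None
    # Every comma is a delimiter, so the rule matches if any token matches.
    # A value that itself contains a comma can only be hit with a wildcard.
    tokens = [t.strip() for t in raw.split(",")]
    return rule.action if any(fnmatchcase(t, rule.value) for t in tokens) else None


# Magic numbers for a few of the built-in file types (constructed table).
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "jpeg": [b"\xff\xd8\xff"],
    "jpg": [b"\xff\xd8\xff"],
    "pdf": [b"%PDF-"],
    "zip": [b"PK\x03\x04"],
    "gz": [b"\x1f\x8b"],
}


def upload_allowed(filename: str, content: bytes,
                   extra_extensions: frozenset = frozenset()) -> bool:
    """Permit a file when its extension has a known signature that the
    content actually carries, or when the extension is on the explicitly
    allowed list, which (as documented) bypasses the magic-number check."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in extra_extensions:
        return True
    signatures = MAGIC.get(ext)
    if not signatures:
        return False
    return any(content.startswith(sig) for sig in signatures)


# Constructed request reusing the two headers quoted in the section.
BROWSER_HEADERS = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/74.0.3729.108 Safari/537.36",
    "Accept-Encoding": "gzip, deflate, br",
}
UA_WILDCARD = HeaderRule("User-Agent", "Mozilla/5.0*", "alert")
UA_EXACT = HeaderRule("User-Agent", BROWSER_HEADERS["User-Agent"], "alert")
API_KEY_REQUIRED = HeaderRule("X-Api-Key", "*", "prevent", required=True)


if __name__ == "__main__":
    print(evaluate_header_rule(UA_WILDCARD, BROWSER_HEADERS))       # alert
    print(evaluate_header_rule(UA_EXACT, BROWSER_HEADERS))          # None: split at comma
    print(evaluate_header_rule(API_KEY_REQUIRED, BROWSER_HEADERS))  # prevent
    print(upload_allowed("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8))
```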
Built-in support is provided for the following file types:
● Audio: aac, mp3, wav
● Compressed archives: 7zip, gzip, rar, zip
● Documents: odf, pdf, Microsoft Office (legacy, Ooxml)
● Images: bmp, gif, ico, jpeg, png
● Video: avi, mp4

WAAS rules let you explicitly allow additional file extensions. These lists provide a mechanism to extend support to file types with no built-in support, and as a fallback in case Prisma Cloud’s built-in inspectors fail to correctly identify a file of a given type. Any file with an allowed extension is automatically permitted through the firewall, regardless of its magic number.

2.7.8 Bot protection

Bot categories

WAAS detects known good bots as well as other bots, headless browsers, and automation frameworks. WAAS is also able to fend off cookie-dropping clients and other primitive clients by mandating the use of cookies and JavaScript in order for the client to reach the protected origin.

Bots are sorted into the following categories:
● Search Engine Crawlers - Bots that systematically crawl and index the worldwide web to index pages for online searches. These are also known as spider bots or web crawlers.
● Business Analytics Bots - Bots that crawl, extract, and index business-related information.
● Educational Bots - Bots that crawl, extract, and index information for educational purposes, such as academic search engines.
● News Bots - Bots that crawl, extract, and index the latest news articles, usually for news-aggregation services.
● Financial Bots - Bots that crawl, extract, and index financial data.
● Content Feed Clients - Automated tools, services, or end-user clients that fetch web contents for feed readers.
● Archiving Bots - Bots that crawl, extract, and archive website information.
● Career Search Bots - Automated tools or online services that extract and index job-related postings.
● Media Search Bots - Bots that crawl, extract, and index media contents for search engines.

A further category contains various bots and other automation frameworks that cannot be classified by their activity or origin:
● Generic Bots - Clients with attributes that indicate an automated bot.
● Web Automation Tools - Scriptable headless web browsers and similar web-automation tools.
● Web Scrapers - Automated tools or services that scrape website contents.
● API Libraries - Software code libraries for Web API communications.
● HTTP Libraries - Software code libraries for HTTP transactions.
● Request Anomalies - HTTP requests with anomalies that are not expected from common web browsers.
● Bot Impersonators - Bots and automation tools that impersonate known good bots to evade rate limitation and other restrictions.
● Browser Impersonators - Automated tools or services that impersonate common web browser software.

Users can create custom signatures based on HTTP headers and source IPs. User-defined signatures are useful for tracking customer-specific bots, self-developed automation clients, and traffic that appears suspicious.

Detection methods

WAAS uses static and active methods for detecting bots. Static detection examines each incoming HTTP request and analyzes it to determine whether it was sent by a bot. Active detections make use of JavaScript and Prisma Session Cookies to detect and classify bots.

Prisma Session Cookies set by WAAS are encrypted and signed to prevent cookie tampering. In addition, cookies include advanced protections against cookie-replay attacks, where cookies are harvested and re-used in other clients.

When enabled, JavaScript is injected periodically in server responses to collect browser attributes and flag anomalies typical of various bot frameworks. JavaScript fingerprint results are received and processed asynchronously and are used to classify sessions for future requests.
Detection workflow

Deploying Bot Protection
1. Click the Bot protection tab.
2. Click Known Bots.
3. Choose actions for each bot category.

Unknown bots
1. Click the Bot protection tab.
2. Click Unknown Bots.
3. Choose actions for each bot category.
● If Request anomalies are enabled, choose the sensitivity threshold:
   ● Strict enforcement—High sensitivity (a few anomalies suffice for classifying as bot)
   ● Moderate enforcement—Medium sensitivity
   ● Lax enforcement—Low sensitivity

User-defined bots
1. Click the Bot protection tab.
2. Click User-defined bots.
3. Click the Define new bot button.
4. Create a bot signature by using a combination of the following fields:
   ● HTTP Header name - Specify the HTTP header name to include in the signature.
   ● Header Values - Comma-separated list of values to be matched in the HTTP header (wildcard is allowed).
   ● Inbound IP sources - Specify the Network list of IP addresses from which the bot originates.
5. Choose an action to apply.

Enable active detections
1. Click the Bot protection tab.
2. Click Active bot detections.
3. Choose actions to apply.
   ● Session Validation - Action to apply when WAAS is unable to validate the session, either due to cookie tampering or cookie replay.
   ● JavaScript-based detection - Enable periodic injection of JavaScript to collect browser attributes and flag anomalies typical of various bot frameworks.
   ● JavaScript injection timeout - Once JavaScript is enabled, choose an action to apply when the browser does not send a response to the JavaScript injection in a timely manner.
   ● reCAPTCHA v2 integration - Enable Google’s reCAPTCHA v2 integration by specifying the site key, secret key, and challenge type.

2.7.9 Rules

WAAS custom rules offer an additional mechanism to protect your running web apps.
Custom rules are expressions that give you a precise way to describe and detect discrete conditions in requests and responses. WAAS intercepts Layer 7 traffic and passes it to Prisma Cloud for evaluation. Expressions let you inspect various facets of requests and responses in a programmatic way, then take action when they evaluate to true. Custom rules can be used in container, host, and app-embedded WAAS policies.

In addition to your own custom rules, Prisma Labs ships and maintains rules for newly discovered threats. These system rules are distributed via the Intelligence Stream. By default, they are shipped in a disabled state. You can review, and optionally activate, them at any time. System rules cannot be modified. However, you can clone and customize them to fit your own specific needs.

2.7.10 Audit logs
Audit logs are available through the Prisma SD-WAN web interface and provide records of administrators' configuration changes in a system. You can use these logs for compliance and troubleshooting purposes. They provide logs on the changes made, the owner of the change, the time of the change, and the scope of the change at a site, the system, or a subset of sites. You may filter the audit logs by time range (with the ability to go back in time by at least six months), by site, by device, and by type, such as security, network policy, system administration, and users.

The Audit logs provide details on the number of attempted logins to an enterprise portal by a specific user from a particular IP address, with information on all successful and failed attempts. Users will have a view of all system changes and access attempts.

Audit logs auto-expire after two years, although the last two actions carried out on any resource are kept forever. They are accessible to the ROOT, SUPER, and IAM ADMIN user roles. Custom roles with GET and POST permissions for the audit log resource may access these logs.
Audit logs support Regex queries and let you compare versions by rewinding or fast-forwarding to earlier or later versions while keeping one version static and changing the other. Access the audit logs from the System Administration tab on the Prisma SD-WAN web interface, as well as directly from resources such as sites, devices, SNMP traps, Syslog exports, NTP clients, server, BGP, static route, interface configuration, policy rule, policy set, stacked policy prefix, custom application, application override configuration, network contexts, circuit categories, IPSec profiles, Policies (Original), zones, and prefix filters. You can export audit logs as CSV files through the Audit log menu.

2.7.11 Reference
● Web-Application and API Security (WAAS), https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas-intro
● WAAS Actions, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas-intro
● API Protection, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas_api_protection
● DoS protection, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas_dos_protection
● Network lists, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas_access_control
● Access controls to enforce HTTP headers and file uploads, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas_access_control
● Bot protection, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas_bot_protection
● WAAP custom rules, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas_custom_rules
● Audit logs, https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sdwan-administrator-authorization-and-authentication/audit-log

2.8 Monitor and protect registries

2.8.1 Scanning
Prisma Cloud can scan container images in public and private repositories on both public and private registries. A registry is a system for storing and distributing container images. The most well-known public registry is Docker Hub, although there are also registries from Amazon, Google, and others. Organizations can also set up their own internal private registries. Prisma Cloud can scan container images on all of these types of registries.

After repository scanning is configured, Prisma Cloud automatically scans images for vulnerabilities. Periodic scans are run at an interval specified in Configure > System > Scan (by default, once every 24 hours).

Deployment patterns
Registry scanning is handled by Defenders. When you configure Prisma Cloud to scan a registry, you can select the scope of Defenders that will be used for performing the scan job. Any Container Defender running on a host with the Docker Engine container runtime or container runtime interface (CRI) can scan a registry, and any number of them can simultaneously operate as registry scanners. This gives you a lot of options when you are trying to determine how to cover disparate environments.

Select a collection of Defenders that are defined by hostnames or AWS tags, and the scan job will be distributed between them according to the "Number of scanners" setting. When selecting the "All" collection, you let Prisma Cloud automatically distribute the scan job across all available Defenders.

In general, you should configure Prisma Cloud with a large scope of Defenders, because it reduces operational complexity and improves resiliency. At scan time, Prisma Cloud enumerates the available Defenders according to your scope, manages the resource pool, and handles issues such as restarting partially completed jobs. If you explicitly select one or two Defenders to handle scanning, the hosts where these Defenders run are a single point of failure.
If the host fails, or gets destroyed, you have to reconfigure your scan settings with different Defenders.

Registry scanning is scoped by OS type. Windows Defenders can only scan Windows images, and Linux Defenders can only scan Linux images.

If you remove an image from the registry, or the registry becomes unavailable, Prisma Cloud retains the scan results according to your setup under Manage > System > Scan > Registry scan results. After the specified number of days, the scan results are purged.

2.8.2 CI
Continuous integration and continuous delivery (CI/CD) systems automatically identify when a module, such as a container or a serverless function, is ready to be pushed into the pipeline. After a module is pushed, it goes through multiple tests before it is actually deployed as part of an application. Prisma Cloud allows one of those tests to be a compliance test. If you are using Jenkins or CloudBees, you can use the plugin. For other systems, you will need to add a call to the executable, called twistcli.

2.8.3 References:
● Configure registry scans, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vulnerability_management/registry_scanning
● CI, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/continuous_integration
● Integration with the CI Pipeline, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architecture-compute/ci_pipeline
● Other CI Tools, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architecture-compute/ci_pipeline/other_ci_tools

Domain 3: Install, Upgrade, and Backup

3.1 Deploy and manage console for the compute edition
You can use a data-collection and user-interface platform hosted by Palo Alto Networks for Prisma Cloud Compute. Or, you can host your own console with software that is provided to you as a Docker image.
3.1.1 Prisma Cloud release software
Prisma Cloud images are built from the Red Hat Universal Base Image 8 Minimal (UBI8-minimal), which is designed for applications that contain their own dependencies. With an active subscription or a valid license key, you can retrieve the images from a cloud registry. This option simplifies a lot of workflows, especially the install flow. You can optionally manage Prisma Cloud images in your own registry: push the Prisma Cloud images to your own private registry, and manage them from there as you see fit. The Defender image can be downloaded from Console, under Manage > System > Utilities, or from the Prisma Cloud API.

There are two different methods for accessing images in the cloud registry:
● Basic authorization
● URL authorization

Retrieving Prisma Cloud images using basic authorization
Authenticate using docker login or podman login, then retrieve the Prisma Cloud images using docker pull or podman pull. For basic authorization, the registry is accessible at registry.twistlock.com.

Prerequisites:
● You have your Prisma Cloud access token.

Step 1: Authenticate with the registry.
$ docker (or podman) login registry.twistlock.com
Username:
Password:
Where Username can be any string, and Password must be your access token.

Step 2: Pull the Defender image from the Prisma Cloud registry.
$ docker (or podman) pull registry.twistlock.com/twistlock/defender:defender_<VERSION>

Retrieving Prisma Cloud images using URL auth
Retrieve Prisma Cloud images with a single command by embedding your access token into the registry URL. For URL authorization, the registry is accessible at registry-auth.twistlock.com.

By embedding your access token into the registry URL, you only need to run docker pull or podman pull. The docker login or podman login command isn't required.
The format for the registry URL is:
registry-auth.twistlock.com/tw_<ACCESS-TOKEN>/<IMAGE>:<TAG>

Prerequisites:
● You have a Prisma Cloud access token.
● The Docker or Podman client requires that repository names be lowercase. Therefore, all characters in your access token must be lowercase. To convert your access token to lowercase characters, use the following command:
$ echo <ACCESS-TOKEN> | tr '[:upper:]' '[:lower:]'

Step 1: Pull the Defender image from the Prisma Cloud registry.
$ docker (or podman) pull \
  registry-auth.twistlock.com/tw_<ACCESS-TOKEN>/twistlock/defender:defender_<VERSION>

3.1.2 Console in Onebox configuration
Onebox provides a quick, simple way to install both Console and Defender onto a single host. It provides a fully functional, self-contained environment that is suitable for evaluating Prisma Cloud.

Install Prisma Cloud
Install Onebox with the twistlock.sh install script.

Prerequisites:
● Your host meets the minimum system requirements.
● You have a license key.
● Port 8083 is open. Port 8083 (HTTPS) serves the Console UI. You can configure alternative ports in twistlock.cfg before installing.
● Port 8084 is open. Console and Defender communicate with each other on this port.

Step 1: Download the latest Prisma Cloud release to the host where you'll install Onebox.

Step 2: Extract the tarball. All files must be in the same directory when you run the install.
$ mkdir twistlock
$ tar -xzf prisma_cloud_compute_<VERSION>.tar.gz -C twistlock/

Step 3: Configure Prisma Cloud for your environment. Open twistlock.cfg and review the default settings. The default settings are acceptable for most environments.

Step 4: Install Prisma Cloud.
$ sudo ./twistlock.sh -s onebox
● -s – Agree to the EULA.
● -z – (Optional) Print additional debug messages. Useful for troubleshooting install issues.
● onebox – Install both Console and Defender on the same host, which is the recommended configuration.
Specify console to install just Console.

Step 5: Verify that Prisma Cloud is installed and running:
$ docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}"
CONTAINER ID   STATUS         NAMES
764ecb72207e   Up 5 minutes   twistlock_defender_<VERSION>
be5e385fea32   Up 5 minutes   twistlock_console

Configure Console
Create your first admin user and enter your license key.

Step 1: Open Prisma Cloud Console. In a browser window, navigate to https://<CONSOLE>:8083, where <CONSOLE> is the IP address or DNS name of the host where Console runs.

Step 2: Create your first admin user. Consider using admin as the username. It's a convenient choice because admin is the default user for many of Prisma Cloud's utilities, including twistcli.

Step 3: Enter your license key.

Uninstall
Use the twistlock.sh script to uninstall Prisma Cloud from your host. The script stops and removes all Prisma Cloud containers, removes all Prisma Cloud images, and deletes the /var/lib/twistlock directory, which contains your logs, certificates, and database.

Step 1: Uninstall Prisma Cloud.
$ sudo ./twistlock.sh -u

Step 2: Verify that all Prisma Cloud containers have been stopped and removed from your host.
$ docker ps -a

Step 3: Verify that all Prisma Cloud images have been removed from your host.
$ docker images

3.1.3 Upgrade on Console
Upgrade Prisma Cloud Onebox. First upgrade Console. Console will then automatically upgrade all deployed Defenders for you. If Console fails to upgrade one or more Defenders, manually upgrade your Defenders.

Step 1: Download the latest recommended release.

Step 2: Unpack the downloaded tarball. Optional: you may wish to unpack the tarball to a different folder than any previous tarballs.
$ mkdir twistlock_<VERSION>
$ tar -xzf prisma_cloud_compute_edition_<VERSION>.tar.gz -C twistlock_<VERSION>/
The setup package contains updated versions of twistlock.sh and twistlock.cfg.
Step 3: Check the version of Prisma Cloud that will be installed:
$ grep DOCKER_TWISTLOCK_TAG twistlock.cfg

Step 4: Upgrade Prisma Cloud while retaining your current data and configs by using the -j option. The -j option merges your current configuration with any new configuration settings in the new version of the software. You must use the same install target in your upgrade as in your original installation. There are two install targets: onebox and console, where onebox installs both Console and Defender onto a host and console installs just Console.

To upgrade your onebox install, run:
$ sudo ./twistlock.sh -syj onebox

To upgrade your console install, run:
$ sudo ./twistlock.sh -syj console

Step 5: Go to Manage > Defenders > Manage and validate that Console has upgraded your Defenders.

3.1.4 Business use case to determine the Prisma Cloud version to use
This article describes the key differences between Compute in Prisma Cloud Enterprise Edition and Prisma Cloud Compute Edition. Use this guide to determine which option is right for you.

3.1.5 Tenant versus Scale projects
Prisma Cloud supports two types of projects: Tenant projects and Scale projects. For more information, refer to the guide below or to the documentation on the feature listed in the references.

Multitenancy is a feature of on-premises Console deployment. If you are using a SaaS Console, you may have multiple tenants provisioned through your SaaS subscription.

Multitenancy - Tenant Projects
The Central Console has full visibility into the entire estate. You can then set up tenant projects that act as a self-contained Console and Defender setup. Users can only see and administer their subsection of the estate. Tenant projects are like silos. They each have their own rules and settings that are created and maintained separately from all other projects.
This is represented in the left-hand side of the above diagram.

Scale - Scale Projects
Each Console can support 5,000 Defenders. By utilizing Scale Projects, we can allocate Consoles to a Central Console. This enables an unlimited number of Defenders. Defenders communicate with the scale project Console (5,000 Defenders per scale project Console), and the scale project Console aggregates and sends information to a Central Console. Policies and rules are inherited by the scale project from the Central Console. Users and administrators operate the Central Console, which then pushes changes to the scale projects. These are shown in the right-hand side of the above diagram.

3.1.6 References
● Prisma Cloud container images, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/twistlock_container_images
● Onebox, https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-01/prisma-cloud-compute-edition-admin/install/install_onebox
● Upgrade Onebox, https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-01/prisma-cloud-compute-edition-admin/upgrade/upgrade_onebox
● Prisma Cloud Enterprise Edition vs Compute Edition, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/welcome/pcee_vs_pcce
● Tenant vs Scale projects, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architecture-compute/multitenancy_and_scale/projects

3.2 Deploy and manage Defenders

3.2.1 Types
Defenders enforce the policies you set in Console. They come in a number of different flavors. Each flavor is designed to protect specific types of cloud-native resources and for optimal deployment into the environment, with full support for automated workflows. Use the following flowchart to choose the best Defender for the job.

In general, deploy Container Defender whenever you can.
It offers the most features, it can simultaneously protect both containers and the host, and nothing needs to be embedded inside your containers for Defender to be able to protect them.

Container Defender (Linux and Windows)
Install Container Defender on any host that runs a container workload. Container Defender protects both your containers and the underlying host. Docker must be installed on the host because this Defender type runs as a container.

Container Defender offers the richest set of capabilities. The deployment is also the simplest. After deploying Container Defender to a host, it can immediately protect and monitor your containers and host. No additional steps are required to rebuild your containers with an agent inside. Container Defender should always be your first choice whenever possible.

There are some minimum requirements to run Container Defender. You should have full control over the host where Container Defender runs. It must be able to run alongside the other containers on the host with select kernel capabilities. And it must be able to run in the host's network and process namespace. Deploy one Container Defender per host.

Container Defender can be deployed in several ways:
● With cluster constructs - Container orchestrators often provide native capabilities for deploying agents, such as Defender, to every node in the cluster. Prisma Cloud leverages these capabilities to install Defender. Kubernetes and OpenShift, for example, offer DaemonSets. As such, Container Defender is deployed as a DaemonSet on Kubernetes.
● As a stand-alone entity - Stand-alone Container Defenders are installed on hosts that are not part of a cluster.

Host Defender (Linux and Windows)
● Host Defender utilizes Prisma Cloud's model-based approach for protecting hosts that do not run containers. This Defender type lets you extend Prisma Cloud to protect all the hosts in your environment, regardless of their purpose.
Defender runs as a systemd service on Linux and a Windows service on Windows. If Docker Engine is detected on the host, installation of this Defender type is blocked; install Container Defender instead.
● Deploy one Host Defender per host. Do not deploy Host Defender if you've already deployed Container Defender to a host. Container Defender offers the same host protection capabilities as Host Defender.

Serverless Defender
Serverless Defenders offer runtime protection for AWS Lambda functions. Serverless Defender must be embedded inside your functions. Deploy one Serverless Defender per function.

App-Embedded Defender
App-Embedded Defenders offer runtime protection for containers. Deploy App-Embedded Defender anywhere you can run a container but cannot run Container Defender.

Container-on-demand services are a typical use case for App-Embedded Defender. They remove the underlying cluster, host, operating system, and software modules (such as Docker Engine) and present them as a single black box. Hooks into the operating system that Container Defender needs to monitor and protect resources aren't available in these environments. Instead, embed App-Embedded Defender directly inside the container to establish a point of control. Prisma Cloud supports an automated workflow for embedding App-Embedded Defenders.

Deploy one App-Embedded Defender per container. For Fargate, deploy one Defender per task.

Fargate
If you have an AWS Fargate task, deploy App-Embedded Fargate Defender.

A key attribute of the App-Embedded Fargate Defender is that you don't need to change how the container images in the task are built. The process of embedding the App-Embedded Defender simply manipulates the task definition to inject a Prisma Cloud sidecar container, and starts the existing task containers with a new entry point, where the entry-point binary is hosted by the Prisma Cloud sidecar container.
The transformation of an unprotected task to a protected task takes place at the task-definition level only. The container images in the task don't need to be manually modified. This streamlined approach means that you don't need to maintain two versions of an image (protected and unprotected). You simply maintain the unprotected version, and when you protect a task, Prisma Cloud dynamically injects App-Embedded Defender into it.

The Prisma Cloud sidecar container has several jobs:
● It hosts the Defender binary that gets injected into containers in the task.
● It proxies all communication to Console. Even if you have multiple containers in a task, it appears as a single entity in Console's dashboard.
● It synchronizes policy with Console and sends alerts to Console.

Dockerfile
The Docker image format, separate from the runtime, is becoming a universal runnable artifact. If you are not using Fargate, but something else that runs a Docker image, such as Azure Container Instances, use the App-Embedded Defender with the Dockerfile method.

Provide a Dockerfile, and Prisma Cloud returns a new version of the Dockerfile in a bundle. Rebuild the new Dockerfile to embed Prisma Cloud into the container image. When the container starts, Prisma Cloud App-Embedded Defender starts as the parent process in the container, and it immediately invokes your program as its child.

There are two big differences between this approach and the Fargate approach:
● With the Fargate approach, you don't change the actual image. With the Dockerfile approach, you have the original image and a new protected image. You must modify the way your containers are built to embed App-Embedded Defender into them. You need to make sure you tag and deploy the right image.
● Each Defender binary makes its own connection to Console. In the Console dashboard, they are each counted as unique applications.

Nothing prevents you from protecting a Fargate task using the Dockerfile approach, but it's inefficient.
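The shape of the task-definition change described above, as an added illustration written for this guide; it is not Prisma Cloud's tooling and does not reproduce its output. A sidecar container is appended to the ECS task, and each existing container is started through a launcher binary hosted on the sidecar's filesystem, with the container's original entryPoint and command handed to the launcher as arguments so the application still runs as its child. The images are never touched, which is the point the section makes. The sidecar name, image, launcher path and the START dependency are assumptions; the task definition in the test is constructed. The containerDefinitions, entryPoint, command, volumesFrom and dependsOn keys are standard ECS task-definition fields.

```python
"""Added example (not Prisma Cloud's own tooling): protect an ECS task by
editing only the task definition, leaving container images unchanged."""
import copy

SIDECAR_NAME = "protection-sidecar"               # assumption
SIDECAR_IMAGE = "registry.example/sidecar:demo"    # assumption (constructed)
ENTRYPOINT_BIN = "/sidecar/bin/launcher"           # assumption: lives on the sidecar's volume


def protect_task_definition(task_def):
    """Return a protected copy of an ECS task definition; the input is untouched."""
    protected = copy.deepcopy(task_def)
    containers = protected["containerDefinitions"]
    if any(c["name"] == SIDECAR_NAME for c in containers):
        return protected  # already protected: running this twice must not double-wrap

    for c in containers:
        # ECS runs entryPoint + command; when only command is set this example
        # assumes the image has no ENTRYPOINT of its own.
        original = list(c.get("entryPoint") or []) + list(c.get("command") or [])
        if not original:
            # The launcher would have to discover the image's default CMD;
            # refuse rather than silently start a container with no command.
            raise ValueError(f"container {c['name']!r} has no explicit entryPoint/command")
        c["entryPoint"] = [ENTRYPOINT_BIN]
        c["command"] = original
        # share the sidecar's filesystem so the launcher binary is reachable
        c.setdefault("volumesFrom", []).append({"sourceContainer": SIDECAR_NAME, "readOnly": True})
        c.setdefault("dependsOn", []).append({"containerName": SIDECAR_NAME, "condition": "START"})

    containers.append({
        "name": SIDECAR_NAME,
        "image": SIDECAR_IMAGE,
        "essential": False,  # the app containers, not the sidecar, decide task health
    })
    return protected


def original_process(container):
    """Recover the app's original argv from a (possibly protected) container definition."""
    if container.get("entryPoint") == [ENTRYPOINT_BIN]:
        return list(container.get("command") or [])
    return list(container.get("entryPoint") or []) + list(container.get("command") or [])
```

The idempotency check and the refusal to wrap a container with no explicit command are the two places a naive transformation goes wrong in practice: re-running it would otherwise wrap the launcher in itself, and a container relying on its image's default CMD would start with nothing to run.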
Manual
Use the manual approach to protect almost any type of runtime. If you are not running a Docker image, but you still want Prisma Cloud to protect it, deploy App-Embedded Defender with the manual method. Download the App-Embedded Defender, set up the required environment variables, then start your program as an argument to the App-Embedded Defender.

If you choose the manual approach, you have to figure out how to deploy, maintain, and upgrade your app on your own. While the configuration is more complicated, it's also the most universal option because you can protect almost any executable.

Tanzu Application Service Defender
Tanzu Application Service (TAS) Defenders run on your TAS infrastructure. TAS Defenders provide nearly all the same capabilities as Container Defenders, as well as the ability to scan droplets in your blobstores for vulnerabilities. For specific differences between TAS Defenders and Container Defenders, see the TAS Defender install article. The TAS Defender is delivered as a tile that can be installed from your TAS Ops Manager Installation Dashboard.

3.2.2 Networking for Defender-to-Console connectivity
Connectivity
Defender must be able to communicate with Console over the network because it pulls policies down and sends data (alerts, events, etc.) back to Console. By default, Defender establishes a connection to Console on TCP port 8084, but you can customize the port to meet the needs of your environment. All traffic between Defender and Console is TLS encrypted.

3.2.3 Upgrade and compatibility
You can upgrade Prisma Cloud without losing any of your data or configurations. Upgrade Console first. After upgrading Console, upgrade your Defenders and other Prisma Cloud components. You can upgrade from the immediately preceding major version only. If your installation is more than one major release behind, you must upgrade in steps.
For example, you cannot directly upgrade from version 19.11 to 20.09. You must upgrade from version 19.11 to 20.04, and then from 20.04 to 20.09.

Console notifies you when new versions of Prisma Cloud are available. Notifications are displayed in the top-right corner of the dashboard.

When you upgrade Console, the old Console container is completely replaced with a new container. Because Prisma Cloud stores state information outside of the container, all your rules and settings are immediately available to the upgraded Prisma Cloud containers. Prisma Cloud state information is stored in a database in the location that is specified by DATA_FOLDER, which is defined in twistlock.cfg. By default, the database is located in /var/lib/twistlock.

Overview of the upgrade process
First upgrade Console. Next, upgrade your Defenders. Finally, upgrade all other Prisma Cloud components, such as the Jenkins plugin. The upgrade process is vastly simplified when automatic Defender upgrades are enabled (enabled by default).

The steps in the upgrade process are:
1. Upgrade Console.
2. Upgrade all deployed Defenders.
   ● If Defender auto-upgrade is enabled—Console will upgrade deployed Defenders for you. If Console fails to upgrade one or more Defenders, it displays a banner at the top of the UI. If you've created an alert for Defender health events, Console emits a message on the alert channel for any Defender it fails to upgrade. Manually upgrade any Defenders that Console could not auto-upgrade.
   ● If Defender auto-upgrade is disabled—Manually upgrade all deployed Defenders.
3. Validate that all deployed Defenders have been upgraded.
   ● Review deployed Defenders and DaemonSets under Manage > Defenders > Manage.
   ● Filter the Status column by Upgrade.
   ● If any Defenders have the Upgrade status, manually upgrade them.
4. Manually upgrade all other Prisma Cloud Compute components, such as the Jenkins plugin, so that their versions exactly match Console's version.

Version numbers of installed components
The currently installed version of Console is displayed in the bell menu. The versions of your deployed Defenders are listed under Manage > Defenders > Manage.

Prisma Cloud Compute components
The versions of all deployed components should match exactly. To support the multistep upgrade process, older versions of Prisma Cloud components can continue to interoperate with newer versions of Console in a limited way. Plan to upgrade all Prisma Cloud components as soon as possible.

After you upgrade Console, upgrade the following components:
● Defenders - Console can automatically upgrade most Defender types for you. App-Embedded Defenders and PCF Defenders (also known as Twistlock for Pivotal Platform) must be manually upgraded.
● Jenkins plugin
● twistcli
● If you are using projects, supervisor Consoles must match the Central Console version.

Version mismatches
Console interoperates with older components on a best-effort basis. When older components interact with Console, Console displays some indicators in the dashboard:
● In Monitor > Events, any audits generated by older Defenders are marked with an out-of-date indicator. Links to the rules that triggered the audit are disabled (explanation follows).
● In Monitor > Vulnerabilities and Monitor > Compliance, any scan reports that are generated by older components (Defender registry scanners, Jenkins plugins, twistcli) are marked with an out-of-date indicator.

Although older Defenders can interoperate with newer Consoles, their operation is restricted. Older Defenders fully protect your nodes using the policies and settings that were most recently cached before upgrading Console.
They can emit audits to Console and local logs, including syslog. However, they cannot access any API endpoint other than the upgrade endpoint, and they cannot share any new data with Console. No new policies or settings can be pushed from Console to older Defenders. When Defender is in this state, its status is shown as "Upgrade needed" in Manage > Defenders > Manage. To restore older Defenders to a fully operational state, upgrade them so that their versions match Console's version.

Upgrading Console when using projects
When you have one or more tenant or scale Projects, upgrade all Supervisors before upgrading the Central Console. During the upgrade process, there may be periods where the Supervisors appear disconnected. This is normal because the Supervisors are disconnected while the upgrade is occurring, and the Central Console will recheck connectivity every 10 minutes. Within 10 minutes of upgrading all Supervisors and the Central Console, all Supervisors should appear healthy.

Upgrade each Supervisor and then the Central Console using the appropriate procedure:
● Console - Onebox
● Console - Kubernetes
● Console - OpenShift
● Console - Helm
● Console - Docker Swarm
● Console - Amazon ECS

Defender auto-upgrade support
Most Defender types can be auto-upgraded. A handful must still be manually upgraded. The following table summarizes the Defender types, and which ones can be auto-upgraded.

Enabling Defender auto-upgrade
By default, Defender auto-upgrade is enabled. You can check and change the setting in Console.
Step 1: Open Prisma Cloud Compute Console.
Step 2: Go to Manage > Defenders > Manage.
Step 3: Click Advanced Settings.
Step 4: Set Automatically upgrade Defenders to On or Off.
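The two version rules of section 3.2.3, written out as checks you can run before an upgrade window. This is an added example for this guide, not Prisma Cloud's own code. The first rule is that Console moves one major release at a time, so an installation that is further behind must step through every intermediate release (the guide's 19.11 to 20.04 to 20.09 case); the second is that every other component must match Console's version exactly, otherwise it is out of date, which for Defenders shows as the "Upgrade needed" status. The release list and the component inventory in the test are constructed sample data; take real release numbers from the release notes.

```python
"""Added example (not Prisma Cloud's own code): upgrade-path planning and
component version-mismatch checks for a Console upgrade."""

# assumption: ordered major releases, oldest first, in the guide's YY.MM form
RELEASES = ["19.07", "19.11", "20.04", "20.09", "20.12"]


def parse_version(v):
    """'20.09' -> (20, 9), so releases sort chronologically."""
    year, month = v.split(".")
    return int(year), int(month)


def upgrade_path(current, target, releases=RELEASES):
    """Releases to install, in order, to get Console from current to target."""
    ordered = sorted(releases, key=parse_version)
    if current not in ordered or target not in ordered:
        raise ValueError(f"unknown release: {current} or {target}")
    i, j = ordered.index(current), ordered.index(target)
    if j < i:
        raise ValueError("downgrades are not supported")
    return ordered[i + 1:j + 1]


def can_upgrade_directly(current, target, releases=RELEASES):
    """True only when target is the immediately following major release."""
    return len(upgrade_path(current, target, releases)) == 1


def component_status(console_version, components):
    """Map each component name to 'ok' or 'Upgrade needed' (exact match required)."""
    return {name: "ok" if version == console_version else "Upgrade needed"
            for name, version in components.items()}


def upgrade_plan(console_version, target, components, releases=RELEASES):
    """Full plan: Console steps first, then every component left behind."""
    steps = [f"upgrade Console to {r}" for r in upgrade_path(console_version, target, releases)]
    stale = component_status(target, components)
    steps += [f"upgrade {name} to {target}" for name, s in stale.items() if s == "Upgrade needed"]
    return steps
```

Running the plan against the inventory from Manage > Defenders > Manage before touching Console tells you how many Console hops are needed and which Defenders, twistcli installs or plugins will sit in the restricted "Upgrade needed" state until they are brought up to the same version.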
3.2.4 Reference
● Defender types, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/defender_types
● Prisma™ Cloud, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architecture-compute/platform_components/defender
● Upgrade Prisma Cloud, https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-09/prisma-cloud-compute-edition-admin/upgrade/upgrade_process

3.3 Configure Agentless Security

3.3.1 Agent versus Agentless
In cybersecurity, agents are specialized software components that are installed on devices to perform security-related "actions." Those actions include, but are not necessarily limited to:
● Security scanning and reporting
● System restarting and rebooting
● Applying software patches
● Making changes to configurations
● General system monitoring

Due to their nature, it is crucial that agents perform well in diverse environments, and they must also be low impact and low maintenance. Agent-based systems are modeled on the pull communication style. In this case, the client is the central server that pulls the data from the agents on demand. Agents typically have to be installed on each machine following an automated process. Once the agents are configured, they can receive requests from the central server for the results of security-related actions and status updates.

Agentless security, on the other hand, performs many of the same actions, just without the agents. In practice, this means that we can inspect and review security scans and vulnerabilities on a remote machine without having to install an agent on that system. You may have to install software on a different layer of the system (like networking) to capture associated risk metrics, but you won't need to have direct access to the host to install any service. Agentless systems, therefore, are based on the push communication style.
In other words, the associated software pushes data to a remote system on a periodic basis. Because of the flexibility of this setup, agentless security solutions work well for baseline security monitoring. You can configure them to scan the whole infrastructure without having to install them on each subsystem. However, a central system still needs to be available to coordinate scanning and the deployment of patches.

On the other hand, you may need to install agent-based systems on certain hosts that require stricter controls. For example, if you have hosts that deal with financial data, you might want to maximize your use of available security technology by installing agents that can carefully monitor and protect those systems, as well as improve their overall security posture.

Is Agentless or Agent-Based Security Better?

Since both agentless and agent-based security are widely used today, you may be wondering which one you should choose. Actually, you should use both in order to achieve comprehensive security. It is still important to understand the pros and cons of each one so that you know when to use them effectively.

To summarize, agentless systems have a number of features that make them appealing, including:
● Quicker setup and deployment: You don’t need to have direct access to all hosts to perform security scans.
● Less maintenance and lower provisioning costs.
● Wider initial visibility and greater scalability.
● Ideal for networks with large amounts of bandwidth.
● Need for a central host available to perform actions.

On the other hand, agent-based systems have the following benefits over agentless systems:
● Enable in-depth scanning and monitoring of hosts. Agents can perform more specialized scanning of components and services.
● Can be used as a firewall because they can block network connections based on filtering rules.
● Offer runtime protection per host or per application.
● Provide security controls, such as the ability to block attacks and patch live systems.
● Are ideal for networks with limited bandwidth, locations within DMZ zones, or laptops that can be out of network reach. You can install the agent in systems without network connectivity.
● Do not need a central host because they can perform tasks independently. Once installed, the agent runs its set of actions on demand without needing to establish a connection to a server beforehand – even when it is disconnected from the enterprise network.

3.3.2 Cloud discovery

It’s difficult to ensure that all your apps running on all the different types of cloud services are being properly secured. If you are using multiple cloud platforms, you might have many separate accounts per platform. You could easily have hundreds of combinations of providers, accounts, and regions where cloud native services are being deployed.

Cloud Platforms discovery helps you find all cloud-native services being used in AWS, Azure, and Google Cloud, across all regions, and across all accounts. Cloud Provider discovery continuously monitors these accounts, detects when new services are added, and reports which services are unprotected. It helps mitigate your exposure to rogue deployments, abandoned environments, and sprawl.

Cloud Platforms discovery offers coverage for the following services.

Registries:
● AWS
● Azure

Serverless functions:
● AWS
● Azure
● Google Cloud

Managed platforms:
● AWS ECS
● AWS EKS
● Azure Kubernetes Service (AKS)
● Azure Container Instances (ACI)
● Google Kubernetes Engine (GKE)

Virtual machines:
● AWS EC2 instances
● Azure VMs
● Google Cloud Platform (GCP) Compute Engine VM instances

Auto-defend capabilities are available on these services. Auto-defend utilizes rule-based policies to automatically deploy Prisma Cloud Defenders via Console to protect resources in your environment.
Prisma Cloud ingestion only provides information on the LATEST version of AWS serverless functions and not other versions.

Ingestion Based Discovery

After onboarding a cloud account into the platform, you can reuse the same onboarded account in Compute for Cloud Discovery without the need for additional permissions on cloud accounts. Cloud Discovery uses this ingested data to discover unprotected workloads across your monitored environment. By using the same ingested metadata from cloud providers for both CSPM and CWP, the time to scan for unprotected resources is reduced substantially, providing instant visibility into undefended workloads in your organization. Prisma Cloud needs an additional set of permissions to enable protection for these workloads, for example, to deploy Defenders automatically on undefended VMs. The full feature-wise permissions listing is available along with protection mode for the onboarding template.

Configuring cloud platforms discovery

Set up Prisma Cloud to scan your cloud platform accounts for cloud-native resources and services. Then configure Prisma Cloud to protect them with a single click.

Prerequisites: You onboarded cloud accounts in Prisma Cloud as described here.

Step 1: Log in to Prisma Cloud.
Step 2: Select Compute > Manage > Cloud Accounts.
Step 3: Select the accounts to scan. If there are no accounts in the table, you can import Prisma Cloud onboarded accounts, using the “Add account” workflow and selecting “Prisma Cloud” as the provider.
Step 4: Select Bulk actions > Discovery configuration.
Step 5: Enable Cloud discovery.
Step 6: Save your changes.
Step 7: Review the scan results.
1. Select Compute > Manage > Cloud Accounts to view the scan report in tabular format.
   ● Select the Show account details icon to see the discovery scan results for resources within the cloud account.
2. Select Radar > Cloud to view the scan report in a visual format.
In the Radar you can see the details for the resources that are protected using Defenders and agentless scanning across the services in each region.
3. Select Defend for the entities you want Prisma Cloud to scan for vulnerabilities. A new auto-defend rule is proposed. Select the appropriate credential, tweak the scan rule as desired, then click Add.
4. See the scan results on Compute > Monitor > Vulnerabilities > {Images > Registry|Functions}.

3.3.3 Reference
● Agent-Based and Agentless Security, https://www.paloaltonetworks.com/cyberpedia/what-is-the-difference-between-agent-based-and-agentless-security
● Cloud discovery, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/compliance/cloud_discovery_saas

3.4 Backup and Restore console

3.4.1 Backup management

Prisma Cloud automatically backs up all data and configuration files periodically. You can view all backups, make new backups, and restore specific backups from the Console UI. You can also restore specific backups using the twistcli command line utility.

Prisma Cloud is implemented with containers that cleanly separate the application from its state and configuration data. To back up a Prisma Cloud installation, only the files in the data directory need to be archived. Because Prisma Cloud containers read their state from the files in the data directory, Prisma Cloud containers do not need to be backed up, and they can be installed and restarted from scratch.

When data recovery is enabled (default), Prisma Cloud archives its data files periodically and copies the backup file to a location you specify. The default path to the data directory is /var/lib/twistlock. You can specify a different path to the data directory in twistlock.cfg when you install Console.
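The following shell script is an added example, not part of the study guide and not Prisma Cloud's own backup tooling. It illustrates the model described above (only the data directory needs archiving, and a restore is followed by restarting Console, as in 3.4.2 below) with plain tar. The config key DATA_FOLDER is an assumption about how twistlock.cfg names the data directory; the default path /var/lib/twistlock comes from the guide, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the PCCSE guide, not Prisma Cloud tooling): back up and
# restore a Console data directory with tar, following the guide's rule that only
# the data directory needs archiving. DATA_FOLDER is an assumed twistlock.cfg key.

# Resolve the data directory: DATA_FOLDER from a twistlock.cfg-style file if present,
# otherwise the documented default /var/lib/twistlock.
pc_data_dir() {
  cfg="${1:-twistlock.cfg}"
  dir=""
  if [ -r "$cfg" ]; then
    dir=$(sed -n 's/^[[:space:]]*DATA_FOLDER=//p' "$cfg" | tail -n 1 | tr -d '"')
  fi
  printf '%s\n' "${dir:-/var/lib/twistlock}"
}

# Archive the data directory into the backup folder and prove the archive is readable
# before reporting success. Prints the archive path on stdout.
pc_backup_data() {
  data_dir="$1"; backup_dir="$2"
  [ -d "$data_dir" ] || { echo "data directory not found: $data_dir" >&2; return 1; }
  mkdir -p "$backup_dir"
  stamp=$(date -u +%Y%m%d-%H%M%S)
  out="$backup_dir/manual-$stamp.tar.gz"
  tar -czf "$out" -C "$data_dir" . || return 1
  # A backup nobody has read back is not a restore point: list it to verify integrity.
  tar -tzf "$out" >/dev/null 2>&1 || { echo "archive unreadable: $out" >&2; return 1; }
  printf '%s\n' "$out"
}

# List archives in the backup folder, newest first, numbered like an interactive chooser.
pc_list_backups() {
  backup_dir="$1"
  ls -1t "$backup_dir" 2>/dev/null | grep '\.tar\.gz$' | {
    i=0
    while read -r f; do
      printf '%d: %s\n' "$i" "$f"
      i=$((i + 1))
    done
  }
}

# Restore an archive into the data directory. Refuses a non-empty target so a running
# Console's state is never silently overwritten: stop Console and move the old data
# aside first, then restart Console afterwards as the guide's flow does.
pc_restore_data() {
  archive="$1"; data_dir="$2"
  [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }
  mkdir -p "$data_dir"
  if [ -n "$(ls -A "$data_dir")" ]; then
    echo "refusing to restore into non-empty $data_dir" >&2
    return 1
  fi
  tar -xzf "$archive" -C "$data_dir"
}
```

Typical use is `pc_backup_data "$(pc_data_dir /path/to/twistlock.cfg)" /var/lib/twistlock-backup` from a maintenance job; the read-back check after archiving and the refusal to overwrite a populated data directory are the two guards that matter in a disaster-recovery drill.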
3.4.2 Disaster recovery

Restoring backups from the Console UI

You can restore Console from a backup file directly from within the Console UI. The Console UI lists all available backups.
Step 1: Open Console.
Step 2: Go to Manage > System > Backup & Restore.
Step 3: Click Restore on one of the system or manual backups.
Step 4: After the database is reloaded from the backup file, restart Console.

For a onebox installation, ssh to the host where Console runs, then run the following command:

$ docker restart twistlock_console

For a Kubernetes installation, delete the Console pod, and the replication controller will automatically restart it:

# Get the name of the Prisma Cloud Console pod:
$ kubectl get po -n twistlock | grep console
# Delete the Prisma Cloud Console pod:
$ kubectl delete po <TWISTLOCK_CONSOLE> -n twistlock

Restoring backups from twistcli

You can restore Console from a backup using twistcli. Use this restore flow when Console is unresponsive and you cannot access the UI to force a restore to a known good state.

Prerequisites:
● Your host can access the volume where the Prisma Cloud backups are stored. By default, backups are stored in /var/lib/twistlock-backup, although this path might have been customized at install time.
● Your host can access the Prisma Cloud data volume. By default, the data volume is located in /var/lib/twistlock, although this path might have been customized at install time.
● Your version of twistcli matches the version of the backup you want to restore.

Step 1: Go to the directory where you unpacked the Prisma Cloud release.
Step 2: Run the twistcli restore command. Run twistcli restore --help to see all arguments.
● List all available backups.
To list all files in the default backup folder (/var/lib/twistlock-backup), run twistcli restore without any arguments:

$ ./twistcli restore

To list all backup files in a specific location, run:

$ ./twistcli restore <PATH/TO/FOLDER>

● Choose a file to restore by entering the number that corresponds with the backup file. For example:

aqsa@aqsa-faith: ./twistcli restore --data-recovery-folder /var/lib/twistlock-backup/
Please select from the following:
0: backup1 2.5.91 2018-08-07 15:10:10 +0000 UTC
1: daily 2.5.91 2018-08-06 16:10:48 +0000 UTC
2: monthly 2.5.91 2018-08-06 16:10:48 +0000 UTC
3: weekly 2.5.91 2018-08-06 16:10:48 +0000 UTC
Please enter your selection: 0

Step 3: After the database is reloaded from the backup file, re-install/restart Console.

For a onebox installation, ssh to the host where Console runs, then rerun the installer:

$ sudo ./twistlock.sh -ys onebox

For a Kubernetes installation, delete the Console pod, and the replication controller will automatically restart it:

# Get the name of the Prisma Cloud Console pod:
$ kubectl get po -n twistlock | grep console
# Delete the Prisma Cloud Console pod:
$ kubectl delete po <TWISTLOCK_CONSOLE> -n twistlock

Downloading backup files

Prisma Cloud Compute lets you download backup files so that they can be copied to another location. Backup files can be downloaded from the Console. Go to Manage > System > Backup & Restore, and click Actions > Export to download a backup.

3.4.3 Reference
● Backup and restore, https://docs.paloaltonetworks.com/prisma/prisma-cloud/21-08/prisma-cloud-compute-edition-admin/configure/disaster_recovery
● Disaster Recovery, https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/configure/disaster_recovery

3.5 Manage authentication

3.5.1 Certificates

To ensure trust between parties in a secure communication session, Prisma Access uses digital certificates.
Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies the issuer did not revoke the certificate. Prisma Access uses certificates to secure features like decryption and authentication, and to secure communication between all the clients, servers, users, and devices connecting to your network. Here are some of the keys and certificates that Prisma Access uses.
● Authentication—You can use certificate-based authentication for mobile users connecting to Prisma Access. Additionally, in deployments where Authentication policy identifies users who access HTTPS resources, designate a server certificate for the authentication portal. If you configure the authentication portal to use certificates for identifying users (instead of, or in addition to, interactive authentication), deploy client certificates also.
● Decrypting Trusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward proxy trusts the CA that signed the certificate of the destination server, the firewall uses the forward trust CA certificate to generate a copy of the destination server certificate to present to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy Server Certificates. For added security, store the key on a hardware-security module (for details, see Secure Keys with a Hardware Security Module).
● Decrypting Untrusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward proxy does not trust the CA that signed the certificate of the destination server, the firewall uses the forward untrust CA certificate to generate a copy of the destination server certificate to present to the client.