AAtsushi's Blog
Security

[In Progress] PCCSE Course

→ 日本語版を読む
  • Overview
    • Prisma Cloud Visibility, Compliance, and Governance: Onboarding and Setup
      • Prisma Cloud Compute
        • Detailed Protection
      • Onboarding Public Cloud Accounts
      • User Management
        • Resources in User Management
        • Roles
          • Creating Roles
          • Creating Users
          • SSO Configuration
      • General Settings
      • Access Keys
        • Trusted IP Addresses
      • Licensing
      • Anomaly Settings
      • Comprehension Check
    • Prisma Cloud Visibility, Compliance, and Governance: Monitoring Public Clouds
      • Core Concepts
        • Prisma Cloud Dashboard
          • Command Center
          • SecOps
          • NetSecOps
          • Data
          • Recommended Namespace Scheme
      • Policies
      • Alerts
        • Alert Status
      • Compliance Dashboard
      • Microsegmentation Namespaces
        • Namespace Levels
      • Comprehension Check
    • Prisma Cloud Visibility, Compliance, and Governance: Integrating with Third-Party Security Applications
      • Integrations Core Concepts
      • APIs Provided by Prisma Cloud
      • Knowledge Check
    • Prisma Cloud Visibility, Compliance, and Governance: Generating Reports
      • Generating and Downloading Compliance Reports
      • Compliance Standard Reports
      • Alert Reports
      • Comprehension Check
    • Prisma Cloud Visibility, Compliance, and Governance: Troubleshooting and Support
      • Overview of Troubleshooting and Support
      • Troubleshooting Common Issues
      • Getting Help in Prisma Cloud
      • Comprehension Check

Overview

I am working through the PCCSE course on Beacon, the official Prisma Cloud learning site.

This course consists of three enable paths.

I will start with the first enable path, but even the first enable path alone contains the following volume of content, so in this post I will take notes on the section in bold: Visibility, Compliance, and Governance.

  • Visibility, Compliance, and Governance
    • Prisma Cloud Onboarding and Initial Setup
    • Prisma Cloud Monitoring Public Clouds
    • Prisma Cloud Integrating with Third-Party Applications
    • Prisma Cloud Generating Reports
    • Prisma Cloud Troubleshooting and Support
  • Onboarding and Managing Prisma Cloud
    • Remediation: Investigating Security Issues with RQL
    • Remediation: Remediating Security Issues
    • Prisma Cloud Onboarding: Setup
    • Prisma Cloud Onboarding: Configuration
    • Prisma Cloud Onboarding: Troubleshooting
    • Prisma Cloud Integrations: Overview
    • Prisma Cloud Integration: Inbound Integrations
    • Prisma Cloud Integration: Outbound Integrations
    • Prisma Cloud Integration: Troubleshooting Integrations
    • Prisma Cloud Optimizations: Overview
    • Prisma Cloud Optimizations: Implementing Optimization
    • Prisma Cloud Optimizations: Optimization Troubleshooting
    • Prisma Cloud Developer Tools: Overview
    • Prisma Cloud Developer Tools: APIs
    • Prisma Cloud Developer Tools: GitHub
    • Prisma Cloud RQL
    • Prisma Cloud Alarm Center
    • Prisma Cloud Anomaly Detection
  • Prisma Cloud Data Security
    • Prisma Cloud Data Security: Overview
    • Prisma Cloud Data Security: Enabling Data Security on AWS Accounts
    • Prisma Cloud Data Security: Components
    • Prisma Cloud Data Security: Operations
    • Prisma Cloud Data Security for AWS Organizations
  • Prisma Cloud Network Analyzer
    • Prisma Cloud Network Analyzer

Prisma Cloud Visibility, Compliance, and Governance: Onboarding and Setup

Onboarding public cloud accounts into the Prisma Cloud environment, and initial setup and management of Prisma Cloud.

Objectives

Prisma Cloud Compute

Agentless and agent-based approaches to protect host, container, and serverless computing environments from vulnerabilities, malware, and compliance violations.

Two editions exist.

  • Prisma Cloud Enterprise Edition
  • Prisma Cloud Compute Edition

For the differences between each edition, refer to here.

This is a bit confusing, but there is a case where the word "Compute" is used in a different sense from the Compute in Prisma Cloud Compute Edition above. That is Palo Alto Networks Prisma Cloud Compute, which provides workload protection capabilities. It was previously a service from Twistlock, a company providing container security.

When Compute appears on its own, it often refers to Palo Alto Networks Prisma Cloud Compute.

Detailed Protection

  • Radar: An overview view for monitoring and understanding your computing environment
  • Defend: Create rules for policies and compliance requirements of computing resources
  • Monitoring: Monitor events
  • Manage: View logs for Defenders and related computing collections

Onboarding Public Cloud Accounts

  • Configuration is required on both the cloud side and the Prisma Cloud side
  • Cloud-side configuration differs by public cloud
    • For AWS, an IAM account (read-only or read/write permissions) and VPC flow log configuration are required
  • Prisma Cloud-side configuration
    • Settings -> Cloud Account -> Add Cloud Account -> Select the public cloud
    • Select Monitor or Monitor and Protect. For Monitor and Protect, Write permissions are required in addition to Read permissions to perform Remediation on resources
    • Enter the resource ID of the public cloud account
    • Select the account group on the Prisma Cloud side

User Management

  • Manage individuals who can access the instance by defining them as users in the system.
  • Create account groups and assign users to them.
  • Use roles to specify what various users and account groups can view and perform.

Resources in User Management

  • User / Account Group
  • Permission Group
  • Role

Roles

Prisma Cloud and Compute have the following roles. Note that role names differ between Prisma Cloud and Compute.

Prisma Cloud / Compute

  • System Admin / Sys Admin
    • Full control and access to all Prisma Cloud settings
  • Account Group Admin / Auditor
    • Read/write permissions for cloud accounts and account groups
  • Account Group Read-Only / DevSecOps
    • Read-only access to specified sections of Prisma Cloud
  • Cloud Provisioning Admin / Defender Manager
    • Read/write permissions for cloud accounts and account groups
  • Account and Cloud Provisioning Admin / Auditor
    • A combination of Account Group Admin and cloud Provisioning Admin permissions
  • Build and Deploy Security / DevOps/CI
    • Restricts permissions for DevOps users who need access to a subset of Compute features and API access to run IDE, SCM, and CI/CD plugins for IaC (Infrastructure as Code) and image vulnerability scanning
  • Developer / DevOps
    • Restricts permissions for developers or DevOps users who need access to a subset of Code Security features
    • Enables read-only permissions to view/update repository settings and view code security configuration for accessible repositories, except for generating access keys and viewing and fixing issues from IaC scan results in Code Security

Creating Roles

Video

  • Settings > Access Control > Add > Role
  • Give the role a name and link it to a Permission Group and Account Group
  • A set of permissions is granted to the Permission Group, and by linking the Permission Group to the role, the scope of permissions handled by that role is defined (as I understand it).

Creating Users

Video

  • Setting > Access Control > User
  • Enter a username and email address, and assign a role
  • Multiple roles can be assigned. In that case, a default role must be specified. When multiple roles exist, you switch between them to use them. To switch, click the person icon at the bottom of the left menu and change the Active Role.

SSO Configuration

External SSO providers such as Okta can be used.

  • Setting > Access Control > SSO

General Settings

Access Keys

Video

Used when accessing the Prisma Cloud API from computer programs.

  • Setting > Access Control > Add > Access Key
  • Access keys are displayed under Setting > Access Control > Access Keys
  • When an access key is created, it is automatically associated with the role used at login. The role assigned to an access key cannot be changed.
  • Deleting a role automatically deletes the access keys associated with that role.

Trusted IP Addresses

Video

Doc

  • Setting > Trusted IP Addresses > Trusted Alert IP Addresses > Add Trusted Alert IP Addresses
  • Give it a name and enter the public IP address range
  • When connecting to a public cloud from an external network, add the network range (public IP) to Trusted Alert IP Addresses. When a public cloud is accessed from a network address not in the Trusted Alert IP Addresses list, a label can be applied to it, and alerts can be analyzed based on that label.

Licensing

  • Setting > Licensing
  • License information (license type, plan, start date, expiry date, billing method, serial number, etc.) and license usage can be checked
  • Usage per cloud account can be checked

Doc

Apparently 1 license equals 100 credits. The number of credits consumed differs per resource. For details, the Macnica site is easy to understand.

Anomaly Settings

  • Not only monitors assets and resources of cloud service providers, but also monitors users and roles to detect and alert on anomalous activity
  • Detecting anomalous activity helps prevent misuse and potential account compromise

Video

  • There are two types of settings under Settings > Anomaly: Alerts and Thresholds, and Anomaly Trusted List.
  • In Alerts and Thresholds, you can configure how aggressively the anomaly detection model is trained for anomaly detection items pre-defined by Prisma Cloud, such as port scan activity.
  • On the other hand, in the Anomaly Trusted List, you can link resources such as IP addresses with anomaly detection items (such as port scanning). This allows specific IPs to be excluded from anomaly detection. The target resources are not limited to IP addresses; they also include machine images, ports, cloud services, and more.

Comprehension Check

  • What are the two configuration requirements when onboarding an AWS public cloud?
  • What are the two types of data that Prisma Cloud provides visibility into from public cloud accounts?
  • What are the two permission groups supported by Prisma Cloud?
  • Which public cloud providers does Prisma Cloud support?
  • True or false? Roles cannot be used to define the permission scope of an account group.
  • What is used to provide a secure method of accessing the Prisma Cloud API?
  • True or False? Trusted IP addresses use allow lists so that specific IP addresses do not trigger alerts.
  • Which Prisma Cloud features use behavioral analytics to prevent attacks and insider threats by monitoring and identifying specific types of activity?

Prisma Cloud Visibility, Compliance, and Governance: Monitoring Public Clouds

Key concepts, policies, alerts, and compliance standards in Prisma Cloud.

Objectives

  • Use the Prisma Cloud dashboard to check the status of public cloud accounts
  • Describe Prisma Cloud policies
  • Explain the relationship between policies and alerts
  • Configure alert rules and alert notifications
  • Access the compliance dashboard

Core Concepts

  • Resource
    • An entity in a public cloud environment
    • When you onboard a public cloud account, Prisma Cloud retrieves the cloud resources
  • Policy
    • A statement of acceptable state or behavior
    • Policies have a type that indicates the basic mechanism used to enforce the policy
    • There are 4 types of policies: Config, Audit Event, Network, and Anomaly
  • Alert Rule
    • A collection of account groups and policies
    • Configures which policies to apply to which account groups
  • Alert
    • An alert is triggered when a policy defined in an alert rule is violated
    • Alert states are four: Open, Resolved, Snoozed, and Dismissed

Prisma Cloud Dashboard

  • Command Center
  • SecOps
  • NetSecOps
  • Data

Command Center

doc

The Command Center dashboard lets you check alert counts.

  • Security incidents (incidents such as unauthorized external access, computer virus infections, internal data leaks, etc.)
  • Misconfiguration
  • Security weaknesses and vulnerabilities (Exposure)
  • Identity Risks (risks in ID access management)
  • Data Risks (Data exposure, etc.)

SecOps

doc

The SecOps dashboard lets you check the following.

  • Asset types and counts
  • Alert counts over time
  • Number of internet-facing assets and their locations on a map
  • Asset counts per protocol connecting to the internet
  • Number of monitored accounts

NetSecOps

  • A dashboard for checking microsegmentation network flows
  • Network flows for the current namespace and child namespaces can be checked
  • You can navigate to another namespace from the top left

Data

  • Check the number of private and public buckets
  • Categories of publicly exposed data profiles and the count per category
  • Number of data policy violations

Policies

  • A set of one or more constraints or conditions that must be adhered to
  • Policies include Predefined Policies and Custom Policies
  • Predefined Policies: Conform to established security best practices such as PCI, GDPR, HIPAA, and NIST. Cannot be modified.

Alerts

  • There are two types of alerts: Alerts and Anomaly Alerts.
  • Alerts are associated with one or more policies. Alerts are triggered based on inspection by Resource Query Language (RQL).
  • Anomaly Alerts, on the other hand, trigger alerts based on machine learning-based inspection.

Linking to the Default Alert Rule

  • Alerts > Alert Rules
  • Enable the status of Default Alert Rule
  • Select Default Alert Rule
  • Under Assign Targets, add the account groups you want to link to the default alert rule
  • Under Assign Policies, Select all policies is enabled by default, which tends to generate a large number of alerts

Alert Status

doc

  • Open: The policy violation that triggered the alert has been identified, but the violation has not yet been resolved
  • Resolved: When the issue causing the policy violation is resolved, the alert automatically transitions to the Resolved state
  • Snoozed: Temporarily dismisses an alert for a specified period. When the timer expires, the alert automatically changes to Open or Resolved depending on whether the issue was fixed
  • Dismissed: The alert was manually dismissed despite the underlying issue not being resolved. Closed alerts can be manually reopened if needed

Compliance Dashboard

  • Displays monitored resources that match or violate compliance standard policies
  • Compliance > Overview

Microsegmentation Namespaces

doc

  • Microsegmentation namespaces define logical groups of resources
  • They have a hierarchical relationship, like folders in a file system
  • Objects can be propagated from parent to child, but not from child to child or child to parent

Why configure microsegmentation namespaces?

  • Because rulesets are propagated and applied to resources in lower-level namespaces, resources in lower namespaces can be kept compliant with security requirements
  • Grouping resources by exposure level to users outside the organization makes it easier to control access using network rulesets
  • Only related resources can be viewed. Unauthorized changes are prevented and the principle of least privilege can be followed

Namespace Levels

Comprehension Check

  • Which two actions must have been taken before Prisma Cloud can generate an alert? (Choose two.)
  • Which two options should you check to determine whether Prisma Cloud is ingesting public cloud data?
  • Which of the following two are alert states?
  • True or false? Prisma Cloud Enterprise Edition resides in the public cloud.
  • Which Prisma Cloud feature is used to establish security constraints or conditions that must be adhered to?
  • Which of the following is triggered when a resource violates one or more policies?
  • A key difference between the Compliance Dashboard and the Asset Inventory Dashboard is that the Compliance Dashboard:
  • Which three of the following are alert states?

Prisma Cloud Visibility, Compliance, and Governance: Integrating with Third-Party Security Applications

Integration with third-party security applications.

Objectives

  • Describe Prisma Cloud's support for third-party integrations
  • List the steps to configure third-party integrations in Prisma Cloud
  • Identify platforms supported for inbound integration
  • Identify Prisma Cloud policies that rely on third-party data ingestion
  • Identify platforms supported for outbound integration
  • Configure notification channels in alert rules
  • Make RESTful API calls in Prisma Cloud

Integrations Core Concepts

  • Multiple integration options are available

  • Integration options are available in two areas: data ingestion and outbound alert notifications

  • For data ingestion (inbound) integrations, you can integrate with four platforms: Qualys, Tenable, Amazon GuardDuty, and Amazon Inspector

  • Integrations can be enabled, disabled, or deleted

  • The integration process differs slightly for each application

Integrating with Tenable and checking ingested data with RQL

doc

  • Create an access key and secret key in Tenable (used by Prisma Cloud to call the Tenable API)
  • Settings > Integration > Add Integration > Select Tenable
  • Enter the access key and secret key, and run a connection test with Test
  • Host vulnerability information collected from Tenable can be displayed
  • Run RQL in the Investigate screen to check host vulnerabilities, etc.
    • config from cloud.resource where cloud.type = 'aws' AND finding.type = 'Host Vulnerability'
    • Clicking a resource found with RQL lets you check the Audit Trail (when the resource violated a policy), etc.

Integrating with Splunk to send outbound alert notifications

When an alert fires in Prisma Cloud, notifications can be sent to third-party platforms such as Splunk, Amazon SQS, and Microsoft Teams. The following uses Splunk as an example.

doc

  • First, get the Splunk HTTP event URL and Auth Token
  • Settings > Integration > Add Integration > Splunk
  • Enter the HTTP event URL and Auth Token, run a connection test with Test, then save
  • Navigate to Alert > Alert Rules
  • Open an existing alert rule and navigate to Configure Notifications
  • Enable Splunk and select the HTTP event notification configured earlier. Save at the end.

APIs Provided by Prisma Cloud

doc

  • Use the Prisma Cloud Rest API for integration with Prisma Cloud
  • Supports HTTP methods: POST, PUT, GET, OPTIONS, DELETE, PATCH
  • Responses in JSON
  • An API access key is required to enable programmatic access to the REST API. By default, only system administrators have API access, and they can enable API access for other administrators. For instructions on generating an access key, see here.
  • After obtaining an access key, send it in a REST API request to get a JSON Web token (JWT). Use the JWT to use the Prisma Cloud Rest API.

Knowledge Check

  • Which two resources are provided on the Prisma Cloud API DOCs reference page?
  • Which two platform capabilities are needed in order for Prisma Cloud to support third-party integrations?
  • Tenable and Qualys are examples of which type of integration?
  • Which two platforms support outbound integration? (Choose two.)
  • What is the requirement for most API endpoint requests in Prisma Cloud?
  • Which command is the best for taking a third-party platform temporarily offline?
  • True or false? For an alert notification to be received by a third-party application, you need to enable the application in the Add Alert Rule view.
  • Prisma Cloud API responses are returned in which format?

Prisma Cloud Visibility, Compliance, and Governance: Generating Reports

How to generate and download compliance reports, compliance standard reports, alert reports, and audit log reports.

Objectives

  • Generating and downloading compliance reports
  • Download compliance standard reports and compliance standard description reports
  • Create custom compliance reports
  • Create custom compliance standards
  • Generating and viewing alert reports
  • Explain alert dismissal and alert exceptions
  • Download audit log reports

Generating and Downloading Compliance Reports

Downloading reports

  • Compliance > Reports
  • Click the Download button on the right to download

Creating reports

  • Compliance > Compliance
  • Apply filters according to the required report
  • After filtering, Create Report will appear in the upper right — click it, name it, and save
    • Filtering can be done by cloud type, account group, compliance standard (CIS, PCI, etc.), region, and cloud account
  • Setting Recurring allows you to create repeating reports and send them to a specific email address.

Compliance Standard Reports

Downloading compliance standard reports

  • Compliance > Standards > Download to download a list of compliance standards (such as CIS)
  • To see the contents of a specific compliance standard, click it on-screen and then click the Download button

Creating custom compliance standards

Video

  • Navigate to Compliance > Standards > Add Compliance Standard, give it a name, and save
  • Click the created custom standard and click Add Compliance Requirement
  • Assign a Requirement ID and name
  • Click the created compliance requirement and click Add Compliance Section, then assign a Section ID and save
  • Repeat this process to build the custom compliance standard. At this stage, no policies are associated yet.

Adding a policy to a custom compliance standard

Video

  • Policies > Edit a specific policy > Compliance Standards
  • Scroll down and click the + button to add a compliance standard, then specify the target custom compliance standard, compliance requirement, and compliance section. This completes the addition.

Creating a custom policy

Video

doc

  • Policies > Add Policy > Config
  • Select Severity and Policy Subtype
    • Run Subtype: Scans cloud resources already deployed on the cloud platform
    • Build Subtype: Scans code repositories and IaC templates used to deploy cloud resources
  • Create an RQL query to define the policy match criteria
    • The following is for the case where an S3 bucket is not encrypted
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = serverSideEncrypted is false
  • In Compliance Standards, specify the compliance standard, requirement, and section to link the policy to
  • Submit and save

Alert Reports

Creating and downloading an alert report (Cloud Security Assessment)

Video

  • Alerts > Reports > Add Alert Report
  • Select Report Type
    • Cloud Security Assessment or Business Unit Report
  • Select Cloud Type (e.g., AWS) and optional items (account group, cloud account, region), then specify a time range and click Submit
  • Click the Download button to the right of the target report to download it
  • The report consists of Executive Summary, Configuration & Compliance Risks, Network Security Risks, and IAM Risks

Creating and downloading an alert report (Business Unit Report)

  • Alerts > Reports > Add Alert Report
  • Select Report Type
    • Cloud Security Assessment or Business Unit Report
  • Turning on the Detailed Report option allows you to view policy violations per cloud account
  • Specifying an Email allows you to send the report directly
  • Selecting Recurring allows you to send reports on a regular schedule
  • Click the Download button to the right of the target report to download it
  • The report is in CSV format and shows the number of resources in violation per policy

Audit Log Report

  • The audit log report displays action history such as logins, password resets, profile changes, alert triggering, and deletion actions
  • Records who did what, when, and from where (the Prisma Cloud user's IP address)

Downloading the audit log report

Video

  • Settings > Audit Logs > Download
  • Contains timestamp, username, user's IP address, operation performed, and resource type

Comprehension Check

  • How can users associate a custom policy with a compliance standard?
  • How are compliance reports generated in Prisma Cloud?
  • In what file format can alert reports be downloaded?
  • True or false? Prisma Cloud supports the downloading of compliance reports.
  • What are three of the five ways that reports can be customized in Prisma Cloud?
  • True or False? Custom Compliance Standards reports are the best way for immediate online viewing of your compliance position.
  • What is the primary use case for generating Audit Logs reports in Prisma Cloud?
  • Which type of information does the Prisma Cloud Audit Logs report display?

Prisma Cloud Visibility, Compliance, and Governance: Troubleshooting and Support

Describing some troubleshooting scenarios.

Objectives

  • Identify some common troubleshooting scenarios in Prisma Cloud
  • Describe Amazon GuardDuty and Inspector
  • Identify common issues with onboarding and data ingestion
  • Identify common issues with alerts and alert rules
  • Identify common issues with RQL queries
  • Access the help center
  • Create a support ticket in Prisma Cloud

Overview of Troubleshooting and Support

  • A common issue is alerts not triggering as expected. In such cases, it is necessary to investigate security and compliance issues using RQL.
  • AWS value-added services, Amazon GuardDuty, and Amazon Inspector can be used to enhance monitoring of AWS public cloud deployments.

Using Amazon GuardDuty

  • Threat detection service

Using Amazon Inspector

  • Security assessment service

Troubleshooting Common Issues

  • Onboarding
  • Alert Generation
    • Verify that the cloud account is included in the alert rule
    • Also verify that the policies associated with the alert rule are enabled
  • RQL Query
    • Querying an incorrect resource type
    • The public cloud resource is an ephemeral resource and has already been deleted by the time of the query

Troubleshooting onboarding issues

  • Settings > Cloud Accounts
  • Check the status of the cloud account. If it is orange or red, click it and check what action is needed.

Troubleshooting alert issues

  • Verify that Alert Rule is enabled
  • Verify that the target cloud account is included in the alert rule
  • Verify that the policy is enabled in the alert rule
  • Verify that the Notification Channel is correctly configured
  • Note that the public cloud resource may be an ephemeral resource that has already been deleted by the time of the query

Troubleshooting RQL query issues

  • If you navigate to Investigate, run an RQL query, and the result is not as expected, take the following steps
  • Navigate to Inventory > Assets and filter with the same criteria as the RQL query
  • Use these results to review the RQL query again

Getting Help in Prisma Cloud

Access Online Help in Prisma Cloud

  • Click the question mark icon in the lower right to access online help

How to create a support case from Prisma Cloud

  • Creating a support case requires that your contract includes support case creation
  • Click the question mark icon in the lower right and select Live Community
  • Select Register in the upper right and choose Register for a Support account
  • The Customer Support Portal will open. Click Get Help on the Support Home page, describe your issue, and click the Get Help button
  • You can also view open support cases

Comprehension Check

  • What are two useful Palo Alto Networks resources to check for help with Prisma Cloud? (Choose two.)
  • What are three areas in Prisma Cloud where you may encounter issues and need to troubleshoot? (Choose three.)
  • Issues with onboarding are generally due to which of the following?
  • True or False? You can verify whether cloud accounts were properly configured for data ingestion by checking their status in Settings > Cloud Accounts.
  • Which two third party applications are useful for monitoring and maintaining compliance on AWS accounts?