[In Progress] PCCSE Course
→ 日本語版を読む- Overview
- Prisma Cloud Visibility, Compliance, and Governance: Onboarding and Setup
- Prisma Cloud Compute
- Detailed Protection
- Onboarding Public Cloud Accounts
- User Management
- Resources in User Management
- Roles
- Creating Roles
- Creating Users
- SSO Configuration
- General Settings
- Access Keys
- Trusted IP Addresses
- Licensing
- Anomaly Settings
- Comprehension Check
- Prisma Cloud Compute
- Prisma Cloud Visibility, Compliance, and Governance: Monitoring Public Clouds
- Core Concepts
- Prisma Cloud Dashboard
- Command Center
- SecOps
- NetSecOps
- Data
- Recommended Namespace Scheme
- Prisma Cloud Dashboard
- Policies
- Alerts
- Alert Status
- Compliance Dashboard
- Microsegmentation Namespaces
- Namespace Levels
- Comprehension Check
- Core Concepts
- Prisma Cloud Visibility, Compliance, and Governance: Integrating with Third-Party Security Applications
- Integrations Core Concepts
- APIs Provided by Prisma Cloud
- Knowledge Check
- Prisma Cloud Visibility, Compliance, and Governance: Generating Reports
- Generating and Downloading Compliance Reports
- Compliance Standard Reports
- Alert Reports
- Comprehension Check
- Prisma Cloud Visibility, Compliance, and Governance: Troubleshooting and Support
- Overview of Troubleshooting and Support
- Troubleshooting Common Issues
- Getting Help in Prisma Cloud
- Comprehension Check
- Prisma Cloud Visibility, Compliance, and Governance: Onboarding and Setup
Overview
I am working through the PCCSE course on Beacon, the official Prisma Cloud learning site.
This course consists of three enable paths.
- Prisma Cloud: Cloud Security Posture Management
- 15 hours total
- Prisma Cloud: Cloud Network Security
- 5 hours total
- Prisma Cloud: Cloud Infrastructure Entitlement Management
- 0.5 hours total
I will start with the first enable path, but even the first enable path alone contains the following volume of content, so in this post I will take notes on the section in bold: Visibility, Compliance, and Governance.
- Visibility, Compliance, and Governance
- Onboarding and Managing Prisma Cloud
- Remediation: Investigating Security Issues with RQL
- Remediation: Remediating Security Issues
- Prisma Cloud Onboarding: Setup
- Prisma Cloud Onboarding: Configuration
- Prisma Cloud Onboarding: Troubleshooting
- Prisma Cloud Integrations: Overview
- Prisma Cloud Integration: Inbound Integrations
- Prisma Cloud Integration: Outbound Integrations
- Prisma Cloud Integration: Troubleshooting Integrations
- Prisma Cloud Optimizations: Overview
- Prisma Cloud Optimizations: Implementing Optimization
- Prisma Cloud Optimizations: Optimization Troubleshooting
- Prisma Cloud Developer Tools: Overview
- Prisma Cloud Developer Tools: APIs
- Prisma Cloud Developer Tools: GitHub
- Prisma Cloud RQL
- Prisma Cloud Alarm Center
- Prisma Cloud Anomaly Detection
- Prisma Cloud Data Security
- Prisma Cloud Network Analyzer
- Prisma Cloud Network Analyzer
Prisma Cloud Visibility, Compliance, and Governance: Onboarding and Setup
Onboarding public cloud accounts into the Prisma Cloud environment, and initial setup and management of Prisma Cloud.
Objectives
- Describe the role Prisma Cloud plays in cloud security posture
- Access the Prisma Cloud platform via a web browser
- Onboard public cloud accounts to Prisma Cloud
- Perform Prisma Cloud user management
- Configure Prisma Cloud settings
- Configure Prisma Cloud enterprise settings
Prisma Cloud Compute
Agentless and agent-based approaches to protect host, container, and serverless computing environments from vulnerabilities, malware, and compliance violations.
Two editions exist.
For the differences between each edition, refer to here.
This is a bit confusing, but there is a case where the word "Compute" is used in a different sense from the Compute in Prisma Cloud Compute Edition above. That is Palo Alto Networks Prisma Cloud Compute, which provides workload protection capabilities. It was previously a service from Twistlock, a company providing container security.
When Compute appears on its own, it often refers to Palo Alto Networks Prisma Cloud Compute.
Detailed Protection
- Radar: An overview view for monitoring and understanding your computing environment
- Defend: Create rules for policies and compliance requirements of computing resources
- Monitoring: Monitor events
- Manage: View logs for Defenders and related computing collections
Onboarding Public Cloud Accounts
- Configuration is required on both the cloud side and the Prisma Cloud side
- Cloud-side configuration differs by public cloud
- Prisma Cloud-side configuration
- Settings -> Cloud Account -> Add Cloud Account -> Select the public cloud
- Select
MonitororMonitor and Protect. ForMonitor and Protect,Writepermissions are required in addition toReadpermissions to perform Remediation on resources - Enter the resource ID of the public cloud account
- Select the account group on the Prisma Cloud side
User Management
- Manage individuals who can access the instance by defining them as users in the system.
- Create account groups and assign users to them.
- Use roles to specify what various users and account groups can view and perform.
Resources in User Management
- User / Account Group
- Permission Group
- Role
Roles
Prisma Cloud and Compute have the following roles. Note that role names differ between Prisma Cloud and Compute.
Prisma Cloud / Compute
- System Admin / Sys Admin
- Full control and access to all Prisma Cloud settings
- Account Group Admin / Auditor
- Read/write permissions for cloud accounts and account groups
- Account Group Read-Only / DevSecOps
- Read-only access to specified sections of Prisma Cloud
- Cloud Provisioning Admin / Defender Manager
- Read/write permissions for cloud accounts and account groups
- Account and Cloud Provisioning Admin / Auditor
- A combination of Account Group Admin and cloud Provisioning Admin permissions
- Build and Deploy Security / DevOps/CI
- Restricts permissions for DevOps users who need access to a subset of Compute features and API access to run IDE, SCM, and CI/CD plugins for IaC (Infrastructure as Code) and image vulnerability scanning
- Developer / DevOps
- Restricts permissions for developers or DevOps users who need access to a subset of Code Security features
- Enables read-only permissions to view/update repository settings and view code security configuration for accessible repositories, except for generating access keys and viewing and fixing issues from IaC scan results in Code Security
Creating Roles
- Settings > Access Control > Add > Role
- Give the role a name and link it to a Permission Group and Account Group
- A set of permissions is granted to the Permission Group, and by linking the Permission Group to the role, the scope of permissions handled by that role is defined (as I understand it).
Creating Users
- Setting > Access Control > User
- Enter a username and email address, and assign a role
- Multiple roles can be assigned. In that case, a default role must be specified. When multiple roles exist, you switch between them to use them. To switch, click the person icon at the bottom of the left menu and change the Active Role.
SSO Configuration
External SSO providers such as Okta can be used.
- Setting > Access Control > SSO
General Settings
Access Keys
Used when accessing the Prisma Cloud API from computer programs.
- Setting > Access Control > Add > Access Key
- Access keys are displayed under Setting > Access Control > Access Keys
- When an access key is created, it is automatically associated with the role used at login. The role assigned to an access key cannot be changed.
- Deleting a role automatically deletes the access keys associated with that role.
Trusted IP Addresses
- Setting > Trusted IP Addresses > Trusted Alert IP Addresses > Add Trusted Alert IP Addresses
- Give it a name and enter the public IP address range
- When connecting to a public cloud from an external network, add the network range (public IP) to Trusted Alert IP Addresses. When a public cloud is accessed from a network address not in the Trusted Alert IP Addresses list, a label can be applied to it, and alerts can be analyzed based on that label.
Licensing
- Setting > Licensing
- License information (license type, plan, start date, expiry date, billing method, serial number, etc.) and license usage can be checked
- Usage per cloud account can be checked
Apparently 1 license equals 100 credits. The number of credits consumed differs per resource. For details, the Macnica site is easy to understand.
Anomaly Settings
- Not only monitors assets and resources of cloud service providers, but also monitors users and roles to detect and alert on anomalous activity
- Detecting anomalous activity helps prevent misuse and potential account compromise
- There are two types of settings under Settings > Anomaly: Alerts and Thresholds, and Anomaly Trusted List.
- In Alerts and Thresholds, you can configure how aggressively the anomaly detection model is trained for anomaly detection items pre-defined by Prisma Cloud, such as port scan activity.
- On the other hand, in the Anomaly Trusted List, you can link resources such as IP addresses with anomaly detection items (such as port scanning). This allows specific IPs to be excluded from anomaly detection. The target resources are not limited to IP addresses; they also include machine images, ports, cloud services, and more.
Comprehension Check
- What are the two configuration requirements when onboarding an AWS public cloud?
- What are the two types of data that Prisma Cloud provides visibility into from public cloud accounts?
- What are the two permission groups supported by Prisma Cloud?
- Which public cloud providers does Prisma Cloud support?
- True or false? Roles cannot be used to define the permission scope of an account group.
- What is used to provide a secure method of accessing the Prisma Cloud API?
- True or False? Trusted IP addresses use allow lists so that specific IP addresses do not trigger alerts.
- Which Prisma Cloud features use behavioral analytics to prevent attacks and insider threats by monitoring and identifying specific types of activity?
Prisma Cloud Visibility, Compliance, and Governance: Monitoring Public Clouds
Key concepts, policies, alerts, and compliance standards in Prisma Cloud.
Objectives
- Use the Prisma Cloud dashboard to check the status of public cloud accounts
- Describe Prisma Cloud policies
- Explain the relationship between policies and alerts
- Configure alert rules and alert notifications
- Access the compliance dashboard
Core Concepts
- Resource
- Policy
- A statement of acceptable state or behavior
- Policies have a type that indicates the basic mechanism used to enforce the policy
- There are 4 types of policies: Config, Audit Event, Network, and Anomaly
- Alert Rule
- A collection of account groups and policies
- Configures which policies to apply to which account groups
- Alert
- An alert is triggered when a policy defined in an alert rule is violated
- Alert states are four: Open, Resolved, Snoozed, and Dismissed
Prisma Cloud Dashboard
- Command Center
- SecOps
- NetSecOps
- Data
Command Center
The Command Center dashboard lets you check alert counts.
- Security incidents (incidents such as unauthorized external access, computer virus infections, internal data leaks, etc.)
- Misconfiguration
- Security weaknesses and vulnerabilities (Exposure)
- Identity Risks (risks in ID access management)
- Data Risks (Data exposure, etc.)
SecOps
The SecOps dashboard lets you check the following.
- Asset types and counts
- Alert counts over time
- Number of internet-facing assets and their locations on a map
- Asset counts per protocol connecting to the internet
- Number of monitored accounts
NetSecOps
- A dashboard for checking microsegmentation network flows
- Network flows for the current namespace and child namespaces can be checked
- You can navigate to another namespace from the top left
Data
- Check the number of private and public buckets
- Categories of publicly exposed data profiles and the count per category
- Number of data policy violations
Recommended Namespace Scheme
- Parent namespace: Represents the organization.
- Child namespaces: Cloud accounts, private cloud, bare-metal infrastructure, projects, or teams.
- Grandchild namespaces: Represents either a Kubernetes/OpenShift cluster or a VM. Each cluster needs its own grandchild namespace. Multiple VMs can be placed in a namespace if needed.
- Great-grandchild namespaces: Kubernetes namespaces within a cluster.
Policies
- A set of one or more constraints or conditions that must be adhered to
- Policies include
Predefined PoliciesandCustom Policies Predefined Policies: Conform to established security best practices such as PCI, GDPR, HIPAA, and NIST. Cannot be modified.
Alerts
- There are two types of alerts: Alerts and Anomaly Alerts.
- Alerts are associated with one or more policies. Alerts are triggered based on inspection by Resource Query Language (RQL).
- Anomaly Alerts, on the other hand, trigger alerts based on machine learning-based inspection.
Linking to the Default Alert Rule
- Alerts > Alert Rules
- Enable the status of
Default Alert Rule - Select
Default Alert Rule - Under
Assign Targets, add the account groups you want to link to the default alert rule - Under
Assign Policies,Select all policiesis enabled by default, which tends to generate a large number of alerts
Alert Status
- Open: The policy violation that triggered the alert has been identified, but the violation has not yet been resolved
- Resolved: When the issue causing the policy violation is resolved, the alert automatically transitions to the Resolved state
- Snoozed: Temporarily dismisses an alert for a specified period. When the timer expires, the alert automatically changes to Open or Resolved depending on whether the issue was fixed
- Dismissed: The alert was manually dismissed despite the underlying issue not being resolved. Closed alerts can be manually reopened if needed
Compliance Dashboard
- Displays monitored resources that match or violate compliance standard policies
- Compliance > Overview
Microsegmentation Namespaces
- Microsegmentation namespaces define logical groups of resources
- They have a hierarchical relationship, like folders in a file system
- Objects can be propagated from parent to child, but not from child to child or child to parent
Why configure microsegmentation namespaces?
- Because rulesets are propagated and applied to resources in lower-level namespaces, resources in lower namespaces can be kept compliant with security requirements
- Grouping resources by exposure level to users outside the organization makes it easier to control access using network rulesets
- Only related resources can be viewed. Unauthorized changes are prevented and the principle of least privilege can be followed
Namespace Levels
-
Top-level namespace
-
Second-level namespace
- Second-level namespaces represent cloud accounts (AWS, Azure, GCP)
- Automatically created when an account is onboarded and can be deleted
-
Third-level namespace
- Third-level namespaces differ based on the workload type: either VM or Kubernetes
- For Kubernetes resources, it must be the name of the Kubernetes cluster
- Otherwise, specify a name that logically defines the VMs contained
Comprehension Check
- Which two actions must have been taken before Prisma Cloud can generate an alert? (Choose two.)
- Which two options should you check to determine whether Prisma Cloud is ingesting public cloud data?
- Which of the following two are alert states?
- True or false? Prisma Cloud Enterprise Edition resides in the public cloud.
- Which Prisma Cloud feature is used to establish security constraints or conditions that must be adhered to?
- Which of the following is triggered when a resource violates one or more policies?
- A key difference between the Compliance Dashboard and the Asset Inventory Dashboard is that the Compliance Dashboard:
- Which three of the following are alert states?
Prisma Cloud Visibility, Compliance, and Governance: Integrating with Third-Party Security Applications
Integration with third-party security applications.
Objectives
- Describe Prisma Cloud's support for third-party integrations
- List the steps to configure third-party integrations in Prisma Cloud
- Identify platforms supported for inbound integration
- Identify Prisma Cloud policies that rely on third-party data ingestion
- Identify platforms supported for outbound integration
- Configure notification channels in alert rules
- Make RESTful API calls in Prisma Cloud
Integrations Core Concepts
-
Multiple integration options are available
-
Integration options are available in two areas: data ingestion and outbound alert notifications
-
For data ingestion (inbound) integrations, you can integrate with four platforms: Qualys, Tenable, Amazon GuardDuty, and Amazon Inspector
-
Integrations can be enabled, disabled, or deleted
-
The integration process differs slightly for each application
Integrating with Tenable and checking ingested data with RQL
- Create an access key and secret key in Tenable (used by Prisma Cloud to call the Tenable API)
- Settings > Integration > Add Integration > Select
Tenable - Enter the access key and secret key, and run a connection test with
Test - Host vulnerability information collected from Tenable can be displayed
- Run RQL in the Investigate screen to check host vulnerabilities, etc.
config from cloud.resource where cloud.type = 'aws' AND finding.type = 'Host Vulnerability'- Clicking a resource found with RQL lets you check the Audit Trail (when the resource violated a policy), etc.
Integrating with Splunk to send outbound alert notifications
When an alert fires in Prisma Cloud, notifications can be sent to third-party platforms such as Splunk, Amazon SQS, and Microsoft Teams. The following uses Splunk as an example.
- First, get the Splunk HTTP event URL and Auth Token
- Settings > Integration > Add Integration > Splunk
- Enter the HTTP event URL and Auth Token, run a connection test with
Test, then save - Navigate to Alert > Alert Rules
- Open an existing alert rule and navigate to
Configure Notifications - Enable Splunk and select the HTTP event notification configured earlier. Save at the end.
APIs Provided by Prisma Cloud
- Use the Prisma Cloud Rest API for integration with Prisma Cloud
- Supports HTTP methods: POST, PUT, GET, OPTIONS, DELETE, PATCH
- Responses in JSON
- An API access key is required to enable programmatic access to the REST API. By default, only system administrators have API access, and they can enable API access for other administrators. For instructions on generating an access key, see here.
- After obtaining an access key, send it in a REST API request to get a JSON Web token (JWT). Use the JWT to use the Prisma Cloud Rest API.
Knowledge Check
- Which two resources are provided on the Prisma Cloud API DOCs reference page?
- Which two platform capabilities are needed in order for Prisma Cloud to support third-party integrations?
- Tenable and Qualys are examples of which type of integration?
- Which two platforms support outbound integration? (Choose two.)
- What is the requirement for most API endpoint requests in Prisma Cloud?
- Which command is the best for taking a third-party platform temporarily offline?
- True or false? For an alert notification to be received by a third-party application, you need to enable the application in the Add Alert Rule view.
- Prisma Cloud API responses are returned in which format?
Prisma Cloud Visibility, Compliance, and Governance: Generating Reports
How to generate and download compliance reports, compliance standard reports, alert reports, and audit log reports.
Objectives
- Generating and downloading compliance reports
- Download compliance standard reports and compliance standard description reports
- Create custom compliance reports
- Create custom compliance standards
- Generating and viewing alert reports
- Explain alert dismissal and alert exceptions
- Download audit log reports
Generating and Downloading Compliance Reports
Downloading reports
- Compliance > Reports
- Click the Download button on the right to download
Creating reports
- Compliance > Compliance
- Apply filters according to the required report
- After filtering,
Create Reportwill appear in the upper right — click it, name it, and save- Filtering can be done by cloud type, account group, compliance standard (CIS, PCI, etc.), region, and cloud account
- Setting
Recurringallows you to create repeating reports and send them to a specific email address.
Compliance Standard Reports
Downloading compliance standard reports
- Compliance > Standards > Download to download a list of compliance standards (such as CIS)
- To see the contents of a specific compliance standard, click it on-screen and then click the Download button
Creating custom compliance standards
- Navigate to Compliance > Standards > Add Compliance Standard, give it a name, and save
- Click the created custom standard and click
Add Compliance Requirement - Assign a Requirement ID and name
- Click the created compliance requirement and click
Add Compliance Section, then assign a Section ID and save - Repeat this process to build the custom compliance standard. At this stage, no policies are associated yet.
Adding a policy to a custom compliance standard
- Policies > Edit a specific policy > Compliance Standards
- Scroll down and click the + button to add a compliance standard, then specify the target custom compliance standard, compliance requirement, and compliance section. This completes the addition.
Creating a custom policy
- Policies > Add Policy > Config
- Select Severity and Policy Subtype
RunSubtype: Scans cloud resources already deployed on the cloud platformBuildSubtype: Scans code repositories and IaC templates used to deploy cloud resources
- Create an RQL query to define the policy match criteria
- The following is for the case where an S3 bucket is not encrypted
config from cloud.resource where cloud.type = 'aws' AND api.name = 'aws-s3api-get-bucket-acl' AND json.rule = serverSideEncrypted is false
- In Compliance Standards, specify the compliance standard, requirement, and section to link the policy to
- Submit and save
Alert Reports
Creating and downloading an alert report (Cloud Security Assessment)
- Alerts > Reports > Add Alert Report
- Select Report Type
- Cloud Security Assessment or Business Unit Report
- Select Cloud Type (e.g., AWS) and optional items (account group, cloud account, region), then specify a time range and click Submit
- Click the Download button to the right of the target report to download it
- The report consists of Executive Summary, Configuration & Compliance Risks, Network Security Risks, and IAM Risks
Creating and downloading an alert report (Business Unit Report)
- Alerts > Reports > Add Alert Report
- Select Report Type
- Cloud Security Assessment or Business Unit Report
- Turning on the
Detailed Reportoption allows you to view policy violations per cloud account - Specifying an Email allows you to send the report directly
- Selecting Recurring allows you to send reports on a regular schedule
- Click the Download button to the right of the target report to download it
- The report is in CSV format and shows the number of resources in violation per policy
Audit Log Report
- The audit log report displays action history such as logins, password resets, profile changes, alert triggering, and deletion actions
- Records who did what, when, and from where (the Prisma Cloud user's IP address)
Downloading the audit log report
- Settings > Audit Logs > Download
- Contains timestamp, username, user's IP address, operation performed, and resource type
Comprehension Check
- How can users associate a custom policy with a compliance standard?
- How are compliance reports generated in Prisma Cloud?
- In what file format can alert reports be downloaded?
- True or false? Prisma Cloud supports the downloading of compliance reports.
- What are three of the five ways that reports can be customized in Prisma Cloud?
- True or False? Custom Compliance Standards reports are the best way for immediate online viewing of your compliance position.
- What is the primary use case for generating Audit Logs reports in Prisma Cloud?
- Which type of information does the Prisma Cloud Audit Logs report display?
Prisma Cloud Visibility, Compliance, and Governance: Troubleshooting and Support
Describing some troubleshooting scenarios.
Objectives
- Identify some common troubleshooting scenarios in Prisma Cloud
- Describe Amazon GuardDuty and Inspector
- Identify common issues with onboarding and data ingestion
- Identify common issues with alerts and alert rules
- Identify common issues with RQL queries
- Access the help center
- Create a support ticket in Prisma Cloud
Overview of Troubleshooting and Support
- A common issue is alerts not triggering as expected. In such cases, it is necessary to investigate security and compliance issues using RQL.
- AWS value-added services, Amazon GuardDuty, and Amazon Inspector can be used to enhance monitoring of AWS public cloud deployments.
Using Amazon GuardDuty
- Threat detection service
Using Amazon Inspector
- Security assessment service
Troubleshooting Common Issues
- Onboarding
- Issues with connecting to cloud accounts and ingesting resource and vulnerability data
- Alert Generation
- Verify that the cloud account is included in the alert rule
- Also verify that the policies associated with the alert rule are enabled
- RQL Query
- Querying an incorrect resource type
- The public cloud resource is an ephemeral resource and has already been deleted by the time of the query
Troubleshooting onboarding issues
- Settings > Cloud Accounts
- Check the status of the cloud account. If it is orange or red, click it and check what action is needed.
Troubleshooting alert issues
- Verify that Alert Rule is enabled
- Verify that the target cloud account is included in the alert rule
- Verify that the policy is enabled in the alert rule
- Verify that the Notification Channel is correctly configured
- Note that the public cloud resource may be an ephemeral resource that has already been deleted by the time of the query
Troubleshooting RQL query issues
- If you navigate to Investigate, run an RQL query, and the result is not as expected, take the following steps
- Navigate to Inventory > Assets and filter with the same criteria as the RQL query
- Use these results to review the RQL query again
Getting Help in Prisma Cloud
Access Online Help in Prisma Cloud
- Click the question mark icon in the lower right to access online help
How to create a support case from Prisma Cloud
- Creating a support case requires that your contract includes support case creation
- Click the question mark icon in the lower right and select Live Community
- Select Register in the upper right and choose
Register for a Support account - The
Customer Support Portalwill open. ClickGet Helpon theSupport Homepage, describe your issue, and click theGet Helpbutton - You can also view open support cases
Comprehension Check
- What are two useful Palo Alto Networks resources to check for help with Prisma Cloud? (Choose two.)
- What are three areas in Prisma Cloud where you may encounter issues and need to troubleshoot? (Choose three.)
- Issues with onboarding are generally due to which of the following?
- True or False? You can verify whether cloud accounts were properly configured for data ingestion by checking their status in Settings > Cloud Accounts.
- Which two third party applications are useful for monitoring and maintaining compliance on AWS accounts?