UTD CNSP Workshop Guide

Download as pdf or txt
Download as pdf or txt
You are on page 1of 110

ULTIMATE

TEST DRIVE
Cloud Native Security
Platform
with Prisma Cloud and Prisma Cloud Compute

Workshop Guide
UTD-CNSP-1.3 | CSPM | Cloud Code Security | CIEM | CWP

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 1
Table of Content
Purpose of This Workshop Guide 5

Activity 0: Log in to the UTD Workshop 6


Task 1 - Log in to Your Ultimate Test Drive Class Environment 6
Task 2 - [Optional] Subscribe to Prisma Cloud Free Trial 7

Part 1 - Prisma Cloud Enterprise Edition 10

Activity 1: Prisma Cloud Overview 10


Task 1 - Log in to Prisma Cloud Enterprise Edition Console 11
Task 2 - Prisma Cloud Enterprise Edition Console Quick Overview 12
Task 3 - SecOps Dashboard in Prisma Cloud Enterprise Edition 15
Task 4 – Prisma Cloud Asset Inventory (CMDB) 17

Activity 2: Investigate and Remediate Cloud Service Configuration Alerts 20


Task 1 - Review a Prisma Cloud Alert 20
Task 2 - Analyze the Audit Trail 22
Task 3 - Remediate a Security Event 23

Activity 3: Prisma Cloud Network Monitoring 25


Task 1 - Investigate a Network Alert 25
Task 2 - Modifying the RQL to search for Suspicious Network Activity 27
Task 3 - Examining the Network Blast Radius of a potentially compromised host 29
Task 4 - Examining the Traffic from a Suspicious IPs 29
Task 5 - Examining the Host Vulnerability Findings 30

Activity 4: Prisma Cloud Data Security 32


Task 1 - Data Security Overview 32
Task 2 - Examine Sensitive Objects discovered by Data Security 33

Activity 5: Prisma Cloud Code Security 36


Task 1 - Examine code that have secrets hardcoded/exposed 36
Task 2 - Investigate issues related to misconfigured Kubernetes resource definitions 37
Task 3 - Examine vulnerabilities that occur due to vulnerable packages within Dockerfiles 38
Task 4 - Investigate misconfigurations in storage related resource definition 39

Activity 6: Prisma Cloud IAM Security 42


Task 1 - Prisma Cloud IAM Policies Dashboard 42
Task 2 - Investigate over-privileged AWS IAM permissions 43
Task 3 - Use RQL queries to determine permissions 45

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 2
Part 2 - Prisma Cloud Compute Edition 47

Activity 7: Prisma Cloud Compute Edition 47


Task 1 - PCCE-VM Overview 48
Task 2 - Log in to PCCE-VM 49
Task 3 - Log in to Prisma Cloud Compute Edition Console 50
Task 4 - Prisma Cloud Compute Edition overview 51
Task 5 - Runtime Events and Container Modeling 52

Activity 8: Adding AWS Account in Prisma Cloud Compute 53


Task 1 - Login to AWS Account 53
Task 2 - Create IAM Access Key 54
Task 3 - Add the AWS Accoun t 55

Activity 9: AWS Serverless Security 57


Task 1 - Review and test sample application 57
Task 2 - Secure your Lambda function with Compute Serverless Defender 59
Task 3 - Setup serverless DNS runtime protection 60
Task 4 - Setup WAAS for Serverless 63

Activity 10: Container Runtime Defense 67


Task 1 - Check Container Model States 67
Task 2 - Container Process Monitoring 68
Task 3 - Runtime Network Control for DNS 73
Task 4 - Runtime Monitoring for File System 74
Task 5 - Incident Monitoring 75
Task 6 - Crypto Miner Container Detection 75
Task 7 - Forensics 77

Activity 11: Container Vulnerability Management and Registry Scanning 77


Task 1 - Vulnerability Overview 77
Task 2 - Create Vulnerability Rule to Block Images 79
Task 3 - Detect and block Log4j vulnerable images 80
Task 4 - Registry Scanning 83

Activity 12: CICD Integration 85


Task 1 - Jenkins Integration 85
Task 2 - Jenkins CI Scanning 87
Task 3 - Jenkins Enforce Security 89

Activity 13: Web-Application and API Security (WAAS) 92


Task 1 - Initialize DVWA container 92

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 3
Task 2 - Create WAAS rule to protect web application 93
Task 3 - Initialize SwaggerAPI container 95
Task 4 - Create WAAS rule for API Protection 96
Task 5 - Validate the API Protection 98

Activity 14: Agentless Scanning 100


Task 1: Prisma Cloud Compute Agentless Scanning 100

Activity 15: Compliance Management 103


Task 1 - Compliance Explorer 103
Task 2 - Create Compliance Rule 104
Task 3 - Trusted Images 105

Activity 16: Feedback on Ultimate Test Drive 108


Task 1: Take the online survey 108

Appendix 1: On-board a AWS Account 109

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 4
Purpose of This Workshop Guide
The activities outlined in this Workshop Guide are meant to contain all the information necessary to navigate the
workshop interface, complete the workshop activities, and troubleshoot any potential issues with the lab
environment. This guide is meant to be used in conjunction with the information and guidance provided by your
facilitator.
This workshop guide covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.

Lab Activities Overview


1. Part 1: Prisma Cloud Enterprise Edition
● Lab activities 1-4 are focussed on Cloud Security Posture Management (CSPM)
● Lab activity 5 is focussed on Cloud Code Security
● Lab activity 6 is focussed on Cloud Infrastructure Entitlement Management (CIEM)

2. Part 2: Cloud Workload Protection (CWP) with Prisma Cloud Compute Edition
● Lab activities 7-15

Once These Activities Have Been Completed


You should be able to:
1. Configure and review the Prisma Cloud Enterprise Edition console and investigate the alerts
2. Configure and review the Prisma Cloud Compute Edition (PCCE) console

Note: Unless specified, the Google Chrome web browser will be used to perform any tasks outlined in the
following activities.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 5
Activity 0: Log in to the UTD Workshop
In this activity, you will:

● Log in to the Ultimate Test Drive Workshop


● Understand the layout of the environment and its various components.
● (Optional) Subscribe to the Prisma Cloud free trial

Task 1 - Log in to Your Ultimate Test Drive Class Environment

Before beginning this workshop, make sure your laptop is installed with a modern browser that supports HTML
5.0. We recommend using the latest version of Firefox®, Chrome, or Internet Explorer. We also recommend you
install the latest Java® client for your browser.

Step 1: Open a browser window and navigate to the class URL. If you have an invitation email, you will find
the class URL and passphrase there. Otherwise, your instructor will provide them.

Step 2: Complete the registration form and click Register and Login at the bottom.

Step 3: Depending on your browser, you may be asked to install a plugin. Please click yes to allow the plugin
to be installed, then continue the login process.

Step 4: Once you log in, the environment will be created automatically for you. The upper left-hand corner will
show you the progress of the preparation. You will see the lab availability time when it is ready for use.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 6
The CNSP UTD lab environment consists of the following tabs:

1. Overview: A quick overview of lab environment and lab activities


2. Workshop Guide: Click this tab to open the lab guide
3. Prisma Cloud Enterprise Edition: Click this tab to login on Prisma Cloud Enterprise Edition
demo tenant console
4. Prisma Cloud Compute Edition: Click this tab to login on Prisma Cloud Compute Edition
(PCCE) console
5. PCCE-VM: Click this tab to connect to a VM running PCCE and other containers
6. Jenkins-GUI: Login to the Jenkins console
7. Survey: A short surrey to get your feedback

Note: You can leverage the keyboard > send text feature inside of CloudShare when the guide instructs you to
copy/paste linux commands. Also note that when copying/pasting commands, make sure to remove the line
breaks if any before commands are executed.

Task 2 - [Optional] Subscribe to Prisma Cloud Free Trial


Prisma Cloud is a SaaS service and is available from the Palo Alto Networks Marketplace, you can also find
Prisma Cloud available on the Amazon Web Services (AWS) and Google Cloud Platform (GCP) Marketplace. A
free trial version is currently only available from Palo Alto Networks marketplace. If you have an existing AWS,
Azure or GCP account and you would like to try using Prisma Cloud to discover and detect risky configurations in
your account, this activity will show how you can subscribe to the Prisma Cloud free trial version from Palo Alto
Networks Marketplace.

To get the most out of the Prisma Cloud trial, you will need to onboard your public cloud account(s) of choice to
Prisma Cloud. This process requires that you have the correct permissions to authenticate and authorize the
connection between Prisma Cloud and your public cloud account for retrieval of data. We recommend you take a
quick look at the following onboarding requirements to ensure you have the proper access to your public cloud
account before subscribing to the Prisma Cloud trial.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 7
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platform-to-prism
a-cloud/cloud-account-onboarding.html#idd7795ef9-4841-43f1-8ce3-bc57cb5ce7bb

We recommended you sign up for a Prisma Cloud trial account to try it on your own after you have completed this
workshop. When your trial account is ready, you can follow Appendix 1 in this guide to learn how to connect your
AWS account to your Prisma Cloud trial account. To connect other public cloud services to your Prisma Cloud trial
account, you can visit here for more details.

To sign up for a Prisma Cloud Free Trial:

Step 1: Go to Palo Alto Networks Marketplace https://marketplace.paloaltonetworks.com/

Step 2: Scroll down and then click on the View app.

Step 3: Click on Free Trial and then Create Account.

Note: The free trial version is valid for 30 days.

Step 4: Enter the personal and company information requested in the form. Required fields are indicated with
red asterisks. Accept the privacy agreement and click on Create an account.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 8
NOTE: You are required to use your company email or any non-personal email to create a new
account for the trail. Personal email with domains such as @gmail.com or @outlook.com is restricted
from the free trial.

Step 5: After completing the trial account registration process, your trial tenant will be ready for you within 24
hours. You will receive a welcome email that includes a link to log in to the Prisma Cloud tenant once
it’s ready.

End of Activity 0

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 9
There are two parts in this workshop that focus on the different parts of the Prisma Cloud product:

● Part 1: Prisma Cloud Enterprise Edition


○ Lab activities 1-4 are focussed on Cloud Security Posture Management (CSPM)
○ Lab activity 5 is focussed on Cloud Code Security
○ Lab activity 6-7 are focussed on Cloud Infrastructure Entitlement Management (CIEM)
○ Lab activity 8 is focussed on Cloud Workload Protection Platform (CWPP)

● Part 2: Cloud Workload Protection (CWP) with Prisma Cloud Compute Edition
○ Lab activities 9-14

You can start with either Part 1 or Part 2 of this lab based on your interest.

Part 1 - Prisma Cloud Enterprise Edition

Activity 1: Prisma Cloud Overview


Prisma Cloud is a comprehensive cloud-native security platform with the industry’s broadest security
and compliance coverage. It protects cloud native applications, data, network, compute, storage, users,
and higher-level PaaS services across cloud platforms. Prisma Cloud enables Cloud Security Posture
Management (CSPM) and Cloud Workload Protection Platform (CWPP) for comprehensive visibility
and threat detection across your organization’s hybrid, multi-cloud infrastructure. It dynamically
discovers resources as they are deployed and correlates cloud-service-provided data to enable security
and compliance insights into your cloud applications and workloads.

In this activity, you will:

● Log in to Prisma Cloud Lab account


● Learn about the Prisma Cloud console and help center
● Review how to on-board a AWS account on Prisma Cloud tenant

Note: This is a standalone activity and is not dependent on other activities.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 10
Task 1 - Log in to Prisma Cloud Enterprise Edition Console

Step 1: Click on the Prisma Cloud Enterprise Edition tab to open the demo tenant login.

Step 2: Follow the screen to login and then click on the Prisma Cloud icon.

NOTE: If you see a page expired message then refresh the web page by clicking on the Home
button as highlighted in below screen capture.

Step 3: Use the icons from the Action panel virtual keyboard to go back, forward and home screen while using
the Prisma Cloud console.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 11
Step 4: To check the on-boarded public cloud accounts click on the Settings on the left-hand side and select
Cloud Accounts from the drop down list. You can see the public cloud accounts connected to this
Prisma Cloud demo account.

NOTE: The screenshots captured in this workshop guide might vary slightly from the actual lab account.

We have already connected AWS, Azure and GCP accounts to this Prisma Cloud service, and this lab
account can be used for testing across all three public cloud providers.

Step 5: If you click on Add Cloud Account, you will get an access denied message.

NOTE: The Prisma Cloud Enterprise Edition account used in this lab is a read-only account, it does
not have full access to the Prisma Cloud Service and access to some functions is denied. This
account cannot make changes to the configuration of the associated Prisma Cloud Services.

Task 2 - Prisma Cloud Enterprise Edition Console Quick Overview


When you Access Prisma Cloud, you first see the Alerts. You can then use the following tabs to interact with the
data and visualize the traffic flow and connection details to and from the different resources in your cloud
deployment; review the default policy rules and compliance standards; and explore how the web interface is
organized to help you and DevSecOps teams to monitor cloud resources.
● Dashboard
● Inventory
● Investigate
● Policies
● Compliance
● Alerts
● Compute
● Settings

Step 1: Click on the Dashboard > SecOps to review the Dashboard. The Dashboard provides a graphical
view of all assets deployed across multiple public cloud environments. You can use the predefined or
custom Time Range to view current trends or historical data. Or use the Cloud Accounts to focus on
specific public cloud accounts.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 12
Step 2: The Inventory > Assets provides visibility into all the assets contained within the onboarded cloud
accounts. From this view, you will be able to find out which assets passed and which ones failed to
comply with the current policies.

Step 3: The Investigate tab helps in identifying security threats and vulnerabilities, creating and saving
investigative queries, and analyzing impacted resources. To conduct investigations, Prisma Cloud
provides a proprietary query language called Resource Query Language (RQL) that is similar to SQL.

Step 4: The Policies tab shows the Prisma Cloud policy which is a set of one or more constraints or
conditions that must be adhered to. Any new or existing resources that violate these policies are
automatically detected.

Prisma Cloud provides predefined default policies for configurations and access controls that adhere
to established security best practices such as PCI, GDPR, ISO 27001:2013,and NIST, and a larger set
of policies that enable you to validate security best practices with an impact beyond regulatory
compliance. In addition to these predefined policies, you can create custom policies to monitor for
violations and enforce your own organizational standards.

If Policy Mode is not visible in the middle pane then click on the filter icon to add the Policy Mode and
then select the Custom.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 13
Step 5: The Compliance > Overview dashboard enables you to view, access, report, monitor and review their
cloud infrastructure health compliance posture. You can also create compliance reports and run them
immediately, or schedule them on a recurring basis to measure your compliance over time.

Step 6: Click on the Compute tab to open up the Compute module in Prisma Cloud. Prisma Cloud offers a
rich set of cloud workload protection (CWPP) capabilities. Collectively, these features are called
Compute.

The Compute tab enables cloud native assets anywhere they operate - regardless of whether running
as containers, serverless functions, non-container hosts, or any combination of them.

Prisma Cloud Compute is also available to install as a self hosted deployment known as Prisma
Cloud Compute Edition. We have provided access to Prisma Cloud Compute Edition for the cloud
workload protection lab activities in Part 2 of this lab.

For more information on Prisma Cloud Compute (in Enterprise Edition) vs Compute Edition, please
visit here for a detailed comparison.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 14
Step 7: The Alerts > Overview allows the admin to view the list of discovered violations and anomalies, drill
into the details and look up remediation options, and create alert rules and notification templates.
When you access Prisma Cloud, you first see the Alerts.

Before we dive deeper into alerts, we will take a look at the assets that are visible and protected by
Prisma Cloud.

Task 3 - SecOps Dashboard in Prisma Cloud Enterprise Edition

The Dashboard SecOps provides a graphical view of the performance of resources that are connected to the
internet, the risk rating for all accounts that Prisma Cloud is monitoring, the policy violations over time and a list of
the policies that have generated the maximum number of alerts across your cloud resources. It makes the
security challenges visible to you as a quick summary, so you can dig in.

Step 1. Click the Dashboard > SecOps, set the Time Range to All Time.

Step 2. Scroll down and click on one of the Top Internet Trafficked Assets by Traffic Type, such as the RDP.
Click on one of the resources, such as PANW-WindowsBastionServer-awsjamconfig to open an
investigation pane for the workload to see what traffic is coming from the internet. Expand the time range
to the last 6 months and you’ll see details about the workloads that are taking traffic directly from the
Internet.

Step 3. Click on the arrow from the Suspicious IP to analyze the traffic towards the
PANW-WindowsBastionServer-awsjamconfig host.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 15
Question: Did the workload take traffic from the Suspicious IP?

Step 4. Now go to the Dashboard > SecOps and scroll down to the bottom of the page and view the connections
from the Internet Connected Assets by Source Network Traffic Behavior map.

Step 5. Drill down into one of the “pink” bubbles to explore where the traffic is originating from and the type of
traffic. For example, for each pink bubble drills down until a red bubble appears and shows what traffic is
seen towards your cloud accounts.

Step 6. Click on View Details to go to the Investigate tab with the subsequent network information.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 16
Task 4 – Prisma Cloud Asset Inventory (CMDB)
Public cloud environments are very dynamic environments, and a very common customer pain point is visibility
and asset inventory tracking. You can’t protect what they don’t know about, that is why a central cloud
Configuration Management Database(CMDB) is the foundation for building and implementing a solid Cloud
Security program.

The Asset Inventory dashboard (on the Inventory tab) provides a snapshot of the current state of all cloud
resources or assets that you are monitoring and securing using Prisma Cloud. From the dashboard, you gain
operational insight over all our cloud infrastructure, including assets and services such as Compute Engine
instances, Virtual machines, Cloud Storage buckets, Accounts, Subnets, Gateways, and Load Balancers.

Step 1. Click the Inventory > Assets tab.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 17
Step 2. Set the Asset Inventory to Most Recent.

Step 3. In the Prisma Cloud Asset Inventory dashboard, scroll down the page and search for and click on the
Google VPC line item in the table in the Service Name column. This will open up the Google VPC assets
view.

Step 4. In the Asset Inventory / GCP | Google VPC page, you can see a quick count on all the number of
unique VPC assets.

Step 5. Scroll down to the Resource Type summary, and click on the Red Caution (!)/View Alerts, for the Google
VPC Firewall Rule to see a list of firewall configurations that have violated the Prisma Cloud Security
policies.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 18
You’ll now see a list of GCP firewall assets that are violating the policy, and you can click each of them to
analyze configurations.

Step 6. You’ll now see a list of GCP firewall assets that are violating the policy, and you can click each of them to
analyze configurations. Now try out a number of other different resources under the Asset Inventory to
explore other Cloud Resources.

Note: Prisma Cloud allows you to easily discover all your cloud resources
across all of your cloud accounts and gives you a security posture view with
regard to those resources. It also allows you to easily drill down to get
details of each resource and whether it has passed or failed a policy. This
enables you to get quite granular at a per resource level.

End of Activity 1

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 19
Activity 2: Investigate and Remediate Cloud Service
Configuration Alerts
Background: This example demonstrates how Prisma Cloud alerts on risky Azure Firewall Rules configurations
and how you can leverage the Prisma Cloud data correlation to analyze the Firewall risks in more detail.
In this activity you will:

● View Alert on risky Firewall Rule configurations.


● Analyze the current Firewall Rule configuration settings.
● Analyze the change history for the Firewall Rule configuration settings(show how the Firewall
Rule got to the current state).
● View how Prisma Cloud remediation commands can be leveraged to remediate / auto-remediate
security findings.

Note: This is a standalone activity and is not dependent on other activities.

Hint: As you navigate the alerts view in the Prisma Cloud console you can click the
“Add filters” button (marked with green in the below screenshot) to enable/disable the
needed filters on the left side of the console.

Task 1 - Review a Prisma Cloud Alert

Step 1: In the Prisma Cloud Enterprise Edition console, click the Alerts tab and then Overview.

Step 2: Select the Reset Filters icon on the top right corner of the screen to reset all filters and set the Time
Range to All Time.

Step 3: Select Add Filter icon and select the following options

A. Cloud Type = Azure


B. Alert Status = Open
C. Policy Type = Config

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 20
Step 4: In the results pane, use the search bar on the upper right to search for Azure Network Security
Group, find and click on the alerts number in the Alerts Column that allows all traffic on RDP port
3389.

Step 5: Click the corresponding value for the Alert ID column next to the Resource Name to see the alert
overview.

Step 6: Then click the View Details option, which shows you the current Firewall configuration for the selected
firewall rule.

Step 7: In the Resource Config Tab, You’ll now see the current Firewall configuration settings for the selected
firewall rule. You can see here that there is a security group that allows all inbound traffic to port 3389,
which should not be used as a best security practice. Close the Configuration window once ready to
move on.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 21
Note: With Prisma Cloud you are able to view Alerts that have been triggered due to a
policy violation for a configuration, network or audit policy. It also allows you to
drill down and examine the alert as well as the resource configuration to examine what
may have caused the violation.

Task 2 - Analyze the Audit Trail

Step 1: Under the Resource Name column, click the name of the firewall rule Windows-rdp to view the Audit
Trail for the firewall rule.

Step 2: You will be taken to an Audit Trail for the resources where you will be able to see the timeline of the
configuration changes made on the resource from the time it was discovered by Prisma Cloud. This is
continuously monitored by Prisma Cloud and any changes to the configuration are recorded.

Step 3: Click on the "</>" to view the resource configuration

Step 4: You can get further information associated with the resources including Config, Network and Alerts
sections on the left pane.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 22
Task 3 - Remediate a Security Event
Step 1. Head back to the Alerts Overview > Azure Network Security Group allows all traffic on RDP Port
3389 screen (using the Keyboard : Back controls). Make sure to set the “Time Range” filter to “All Time”.
Click on the Alert number in the Alert Count column and click the "Recommendation" tab next to the
Violating Resources column, which will show you the Prisma Cloud remediation recommendation
associated with this alert.

Step 2. Prisma Cloud will provide recommended remediation steps to resolve this alert. But since the lab account
only has read-only access to the environment, you will not be able to execute the steps in the lab. Prisma
Cloud auto-remediation can be enabled and/or Prisma Cloud remediation commands can be sent
upstream to automation frameworks, ticketing systems, SIEM solutions for execution.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 23
Step 3. Now go ahead and review a few more remediation examples of the configuration alerts.

Note: With Prisma Cloud you are able to get a DVR(Digital Video Recording) of
your resource configuration so that you can easily understand what are the
changes that were made over time to identify when the alert violation occurred
and who made the change. Prisma Cloud can also be used to Remediate those
violating configuration in your resources by issuing the CLI commands to
correct those misconfigurations. This can also be set to Auto Remediate.

End of Activity 2

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 24
Activity 3: Prisma Cloud Network Monitoring

Background: This example demonstrates how Prisma Cloud can be used to alert on suspicious network
traffic, and how to analyze networks in the Prisma Cloud console.
In this activity you will:

● View a Network Alert for suspicious activity


● Analyze the Network Visualization to trace resources that may have been impacted
● View the traffic that is reaching your cloud workloads
● Examine Vulnerabilities that have been detected on your cloud Workload to understand the risk
posture

Note: This is a standalone activity and is not dependent on other activities.

Hint: As you navigate the alerts view in the Prisma Cloud console you can click the
“Add filters” button to enable/disable the needed filters on the left side of the
console.

Task 1 - Investigate a Network Alert

Step 1. In the Prisma Cloud Enterprise Edition console, click the Alerts tab and then Overview.

Step 2. Select the Reset Filters icon on the top right corner of the screen to reset all filters and set the Time
Range to All Time.

Step 3. Click on Add Filter icon and select the following options:

A. Alert Status = Open


B. Policy Type = Network
C. Cloud Account = AWS UTD Account

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 25
Step 4. Search for the Instances exposed to network traffic and click on Alerts (number) in Alert Count Column

Step 5. Search for the linux using the search bar. Click on the corresponding value in the Alert ID Column for
LinuxBastion. Then click "Investigate".

Step 6. In the Investigate window, change the time range to Past 7 days in the top right corner.You’ll now see a
network map with the workloads(virtual machines) that have received traffic from public IP addresses
within the time range selected in the top right corner of the console.

Step 7. You can click the Download button to download traffic details in a csv file for review. You can open the
csv file in either excel or notepad

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 26
Task 2 - Modifying the RQL to search for Suspicious Network Activity

Prisma Cloud Resource Query Language (RQL) is a powerful and flexible tool that helps you gain security and
operational insights about your deployments in public cloud environments. You can use RQL to perform
configuration checks on resources deployed on different cloud platforms and to gain visibility and insights into
user and network events. You can use these security insights to create policy guardrails that secure your cloud
environments. We are going to take a closer look at the RQL here.

Note: Animation may take some time to load after the RQL query is executed.

Step 1. Following on from the previous example, modify the RQL at the top of the page, and delete the following
string AND accepted.bytes > 0 AND cloud.account = 'AWS Prod' AND cloud.region = 'AWS Oregon'
AND dest.resource IN (resource where tag ('name') ='LinuxBastion', and press enter.

Step 2. The new text in the RQL search bar should look like this. You will now see a network map of traffic coming
from suspicious IP Addresses.

Step 3. You will now see a network map of traffic coming from suspicious IP Addresses. Your diagram may look a
little different as the cloud environment is very dynamic.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 27
Step 4. Single-click on PANW-WebServer in the network map, and explore the Instance Summary sections on
the right side to review some of the instance information such as IP addresses, VPC, Account Names,
etc.

Step 5. Click the Network Summary section on the right side of the console and see the Firewall Rules applied
to the selected workload. You can see there are no limitations on both inbound and out-bound traffic,
which is a security risk.

Step 6. Click on the Traffic Summary (under Network Summary) to see the percentage of traffic from each source
IP. Press ESC to close the Traffic Summary window.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 28
Task 3 - Examining the Network Blast Radius of a potentially compromised host

Prisma Cloud can be used to analyze East-West traffic (lateral movement) in the cloud environment. We are going
to take a quick look here.

Step 1. Continuing from the last task, ensure the Past 7 days is selected in the time range next to the RQL
search field.

Step 2. Double click the LinuxBastion host in the network map to analyze the East – West traffic (blast radius)
behind the LinuxBastion host.

Step 3. Review the Instance Summary of the LinuxBastion to get some idea of where this VM is hosted.

Task 4 - Examining the Traffic from Suspicious IPs

Step 1. In the network map, click on the communication links from the Suspicious IPs to the LinuxBastion VM.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 29
Step 2. You’ll now see a list of ports and traffic information on the right side of the console. What port(s) are the
suspicious IPs using to access the LinuxBastion VM?

Step 3. Click the View Details option to open a more detailed view of the inbound traffic to the LinuxBastion VM.

Step 4. Review the Threat Feed Source column that indicates the services that identify those IPs as suspicious. If
you see AutoFocus, that is the threat intelligence service provided by Palo Alto Networks, see here for
more details. You can download the list of suspicious IP addresses and access the LinuxBastion VM for
further analysis or action. Click ESC to close the details window.

Task 5 - Examining the Host Vulnerability Findings

Step 1. Click on the LinuxBastion VM, and under the Instance Summary, click the Resource ID to investigate
further on the VM.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 30
Step 2. Go to the Findings tab at the top of the page to get details on 3rd Party Vulnerability findings. Notice the
findings by AWS GuardDuty.

Step 3. In this case the host has vulnerabilities and is taking traffic directly from a suspicious Internet IP and
should be investigated further.

End of Activity 3

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 31
Activity 4: Prisma Cloud Data Security
Background: This section showcases the Data Security capabilities of Prisma Cloud and how it enables you to
discover and classify data stored in AWS S3 buckets and protect accidental exposure, misuse, or sharing of
sensitive data. To identify and detect confidential and sensitive data, Prisma Cloud Data Security integrates with
Palo Alto Network's Enterprise DLP service and provides built-in data profiles, which include data patterns that
match sensitive information such as PII, health care, financial information and Intellectual Property. In addition to
protecting your confidential and sensitive data, your data is also protected against threats—known and unknown
(zero-day) malware—using the Palo Alto Networks WildFire service.

In this activity you will:

● Get an overview of Data Security via Prisma Cloud dashboard and inventory
● Examine Sensitive Objects discovered by Data Security

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Data Security Overview

Step 1. Navigate to Prisma Cloud > Dashboard > Data and select the following filters:

Time Range: All Time


Cloud Accounts: AWS UTD Account

Step 2. This dashboard provides a good overview and representation of detections by the Data Security module.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 32
Step 3. Navigate to Prisma Cloud > Inventory > Data and select the following filters:

Time Range: All Time


Cloud Account: AWS UTD Account
Cloud Service: Amazon S3

Step 4. This provides an overview of the Data inventory of the connected Cloud Account and a specific S3 bucket
based on the selected filters.

Task 2 - Examine Sensitive Objects discovered by the Data Security module.

Step 1. Click on the number in the Sensitive Objects column. In this page, for the Data Profiles filter, make
sure that the following options are selected: Financial information, Healthcare, Intellectual Property,
PII

Step 2. Set the Time Range to All Time.

Step 3. In the results, search for and select 26_all_patterns_test.txt. This displays all the sensitive information
detected by the Data Security module in that specific file/object Now, under the Snippets column, if
there's a snippet available, “available” keyword should be highlighted which can be selected to display

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 33
the snippet which triggered the alert. There are multiple snippets that are detected based on selected
data profiles and feel free to check out different snippets that are generated.

Note: If the snippet is not available, select Generate Snippet and the snippet will be generated and it will
take a few moments for it to complete.

Step 4. Navigate to Prisma Cloud > Inventory > Data and select the following filters:

Time Range: All Time


Cloud Account: AWS UTD Account
Malware: True
Cloud Service: Amazon S3

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 34
Step 5. Click on the number in the Malware column and in the search bar and click on any of the files to find
details about the detected malware.

End of Activity 4

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 35
Activity 5: Prisma Cloud Code Security
Background: Code Security on Prisma Cloud enables you to add security checks to your existing IaC
(Infrastructure-as-Code) model, ensuring security throughout the build lifecycle. In this section, you will see how
Prisma Cloud can scan Infrastructure-as-Code (IaC) templates in Terraform, CloudFormation, Dockerfiles, and
Kubernetes to identify misconfigurations in code.

In this activity you will:

● Examine code that have secrets hardcoded/exposed


● Investigate issues related to misconfigured Kubernetes resource definitions
● Examine vulnerabilities that occur due to vulnerable packages within Dockerfiles
● Investigate misconfigurations in storage related resource definitions

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Examine code that has secrets hardcoded/exposed

Step 1. Navigate to Prisma Cloud > Code Security > Projects and select the below filters.

Status: Errors
Category: Secrets

Step 2. The above filter lists all the resource definitions (Terraform and AWS CloudFormation) where secrets are
hard coded or exposed. Explore the different code blocks that are matched by this filter.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 36
Task 2 - Investigate issues related to misconfigured Kubernetes resource definitions

Step 1. Navigate to Prisma Cloud > Code Security > Projects and select the below filters. Make sure to
unselect the filters selected in the previous task(s) first.

Status: Errors
Category: Kubernetes
Severity: High and Medium

Step 2. The above filter lists all the issues/misconfiguration within Kubernetes related resources/code resource
definitions (CloudFormation, Terraform and Kubernetes manifests). Explore the different code blocks that
are matched by this filter.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 37
Task 3 - Examine vulnerabilities that occur due to vulnerable packages within Dockerfiles

Step 1. Navigate to Prisma Cloud > Code Security > Projects and select the below filters. Make sure to
unselect the filters selected in the previous task(s) first.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 38
Category: Vulnerabilities
Severity: High and Medium

Step 2. The above filter lists all the resource definitions (Dockerfiles) vulnerable base-image, package or code is
detected. Explore the different code blocks that are matched by this filter.

Task 4 - Investigate misconfigurations in storage related resource definitions

Step 1. Navigate to Prisma Cloud > Code Security > Projects and select the below filters. Make sure to
unselect the filters selected in the previous task(s) first.

Status: Errors
Category: Storage
Severity: High and Critical

Step 2. The above filter lists all the resource definitions (CloudFormation and Terraform) related to storage.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 39
Explore the different code blocks that are matched by this filter.

Step 3. Within each block, you can see the code fix that's automatically suggested to remediate the issue
(highlighted in Green)

Step 4. Please note that you will not be able to see “Fix” and “Submit” (grayed out) options as we are using a
user with Read-Only permissions for the purpose of the lab. “Fix” and “Submit” options will apply the
Prisma Cloud suggested fix and commit the changes to the source control repository. The “Fix” and
“Suppress” options are included in the screenshots to demonstrate the capabilities of the Code Security
module.

Step 5. Clicking on Policy Details > View Guidelines will open up a documentation page for that specific alert.

Step 6. Clicking on the commit icon will take you to the source code repository.

Step 7. Clicking on Fix will automatically add the fix to the code and you can notice in the top right part of the
screen a submit button. Clicking the Submit button automatically creates a PR for the code repository.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 40
However, for the purpose of the lab, Prisma Cloud has read-only permissions to the repository in context
and pull requests will not be created.

End of Activity 5

Activity 6: Prisma Cloud IAM Security


Background: Prisma Cloud IAM Security helps you address the security challenges of managing IAM in cloud
environments. Prisma Cloud IAM Security capabilities automatically calculate effective permissions across cloud

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 41
service providers, detect overly permissive access and suggest corrections to reach least privilege entitlements. It
includes out-of-the-box policies that govern IAM best practices to help you identify risky permissions and get to
the ideal set of privileges for your deployment.

In this activity you will:

● Explore IAM Policies Dashboard


● Investigate over-privileged AWS IAM permissions
● Use RQL queries to determine permissions

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Explore IAM Policies Dashboard

Step 1. Navigate to Prisma Cloud > Policies. Select the filter button and apply the following filters:

Policy Type: IAM


Policy Mode: Prisma Cloud Default

Step 2. The dashboard should display all the default Prisma Cloud Policies that come out of the box

Task 2 - Investigate over-privileged AWS IAM permissions

Step 1. Navigate to Prisma Cloud > Alerts > Overview. Select the filter button and apply the following filters:

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 42
Time Range: All Time
Time Range Type: Alert Opened
Alert Status: Open
Policy Type: IAM
CloudAccount: AWS UTD Account

Step 2. In the search bar, type in the following to filter the alert: "AWS EC2 with IAM wildcard resource
access"

Step 3. Click on the number in the Alerts column. This should display all the violating resources.

Step 4. Click on the Alert ID in the Alert ID column for any resource from the list and select investigate.

Step 5. Click on the "<>" icon in the Actions column to view the resource config.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 43
Step 6. Head back to the Alerts Overview (step 1 - 4) and select the Recommendation option to view the
suggestion to remediate the resource violation.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 44
Task 3 - Use RQL queries to determine net permissions

Step 1. In this task, we will find out, with a simple RQL query, the net effective permissions of an IAM user to
demonstrate the effectiveness of IAM RQL queries in Prisma Cloud

Step 2. Navigate to Prisma Cloud > Investigate and paste the below query in the search (CTRL+V on your
keyboard should work for pasting into Prisma Cloud VM).

config from iam where source.cloud.resource.name = 'demo-user' AND


dest.cloud.account = 'AWS UTD Account'

Step 3. Click on the "Graph" icon.

Step 4. This graph shows the permissions that the IAM user “demo-user” holds within AWS Account named
“AWS UTD Account”

Step 5. Within the destination column of the graph, select “codecommit” (or run the query below) and select the
expand icon to see the granular permissions.

config from iam where source.cloud.resource.name = 'demo-user' ANDdest.cloud.account =


'AWS UTD Account' AND dest.cloud.service.name = 'codecommit'

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 45
Step 6. From the screenshot, you can see that there’s a “*” (wildcard) permission assigned, which is not a best
practice implementation in a production environment.

Step 7. From the top right corner of the Investigate page, select “clear all” to clear the previous query and run the
following query to determine which roles and users have access to a specific S3 bucket

config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type =


'object' AND action.name = 'S3:GetObject' AND dest.cloud.account = 'AWS UTD Account'
and dest.cloud.resource.name = 'elasticbeanstalk'

Step 8. After you run the above RQL query, select the “Graph” button. In the “Source” column, select “IAM” and
expand the tile.

Step 9. After you run the above RQL query, select the “Graph” button. In the “Source” column, select “IAM” and
expand the tile to see the full permission.

End of Activity 6

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 46
Part 2 - Prisma Cloud Compute Edition

Activity 7: Prisma Cloud Compute Edition


Prisma Cloud offers a rich set of cloud workload protection capabilities. Collectively, these features are called
Compute. Compute has a dedicated management interface, called Compute Console, that can be accessed in
one of two ways, depending on the product you have.

Prisma Cloud Enterprise Edition — Hosted by Palo Alto Networks. Prisma Cloud Enterprise Edition is a SaaS
offering. It includes both the Cloud Security Posture Management (CSPM) and Cloud Workload Protection
Platform (CWPP) modules. Access the Compute Console, which contains the CWPP module, from the Compute
tab in the Prisma Cloud UI. Prisma Cloud UI is what you have been using in Part 1 of this workshop.

Prisma Cloud Compute Edition (PCCE) - Hosted by you in your environment. Prisma Cloud Compute Edition
(PCCE) is a self-hosted offering that’s deployed and managed by you. It includes the Prisma Cloud Compute
module only. You can download the Prisma Cloud Compute Edition software from the Palo Alto Networks
Customer Support Portal. Compute Console is delivered as a container image, so you can run it on any host with
a container runtime (e.g. Docker Engine). This is what we will be using in Part 2 of this workshop.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 47
With Prisma Cloud Compute Edition (PCCE), Radar is the primary interface for monitoring and understanding
your environment. It is the default view when you first log into PCCE Console. It is designed to let you visualize
and navigate through all of Prisma Cloud’s data. For example, you can visualize connectivity between
microservices, then instantly drill into the per-layer vulnerability analysis tool, assess compliance, and investigate
incidents, all without leaving the Radar canvas.

PCC features to be used:


● Cluster pivot
● Host pivot

In this activity you will:


● Review and operate the Radar
● Review image for easy analysis of your containerized apps
● Review network traffic flows
● Review runtime, vulnerability or compliance issue they contain

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - PCCE-VM Overview

The PCCE VM provided in this workshop has the following containers running in it:

● Prisma Cloud Compute Edition


○ Console
○ Defender
● Shellinabox - Shell In A Box implements a web server that can export arbitrary command line tools to a
web based terminal emulator.
● Httpd
● Jenkins
● Registery2
● DVWA - Damn Vulnerable Web Application docker container is a PHP/MySQL web application that is very
vulnerable.
● SwaggerAPI - Petstore

DVWA and SwaggerAPI containers are not pre-installed, they will be installed as part of the lab activities.

You will be using all these containers in different activities in this lab.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 48
Task 2 - Log in to PCCE-VM

Step 1: Select the PCCE-VM tab to open the ssh terminal that is already logged in to this VM. If not already
logged in, use the CloudShare interface to login.

If you prefer to use your own terminal from your laptop, you can ssh to this VM using the External Address and
the user name and password under Connection Details in the Connectivity section.

Note: You can also SSH to PCCE-VM from your laptop terminal (MAC) or Putty (Windows) using the external
address and login credentials as highlighted in the screenshot.

ssh sysadmin@<external address>

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 49
Step 2: Once logged in, Run the following command to check the current running containers:

docker ps

The result should appear like the screenshot below. We will install new containers in the PCCE-VM in
the later part of the lab.

If the PCCE-VM resolution is too high or too low for your laptop display, you can also click the Full
screen icon to maximize the display.

To exit the full-screen mode, use the esc key on our keyboard or click the black arrow at the top of the
window to open the dropdown menu; then click Exit.

Troubleshooting missing/non-running containers:


1. If there are no containers running including twistlock_console and twistlock_defender containers, then,
revert the environment at Environment Actions > Revert and retry to see if that helped.

2. If only twistlock_console and twistlock_defender containers are running and containers such as
jenkins_docker, webserver etc are not present, then revert the environment. If that doesn't help, you
can manually start the containers by running the following command:

sudo bash /home/sysadmin/prisma-compute-files/start_containers_for_lab.sh

Task 3 - Log in to Prisma Cloud Compute Edition Console


Step 1: Click the Prisma Cloud Compute Edition tab to open a new browser tab.

Or you can type the following URL to access the PCCE console with the port number 8083 to access
the Prisma Cloud Compute Edition.

https://<external address>:8083

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 50
Note: You will get a security exception, please ignore it for this lab and proceed to the login page. We
are using a self-signed certificate, which causes the exception.

Step 2: If the message "Your connection is not private" opens, click Advanced, and then Proceed to <IP
address> (unsafe)

Step 3: Login to the PCCE console using the following credentials, with Local/LDAP in the drop down:

Username: admin

Password: p@lo@lto

Task 4 - Prisma Cloud Compute Edition overview


This task guides you through key elements of the Prisma Cloud Compute console to ensure that you
are aware of them. Use this time to explore these elements at your own pace to discover points of
interest.

Step 1: Once logged in, you will be placed in Radars, the primary interface for monitoring and understanding
your environment. It is designed to let you visualize and navigate through all of Prisma Cloud
Compute’s data. Click on any container to view the details on that container.The defender and the
console containers are the key components for Prisma Cloud Compute Edition.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 51
Step 2: Click Radars > Hosts, then click the prismacompute host icon to review the host dashboard. There
is only one host in this lab.

Step 3: Change the View based on different Radar view categories by clicking the dropdown on the top left
corner.

Task 5 - Runtime Events and Container Modeling


Step 1: Go back to Radars > Containers, clicking on shellinabox:0.1 container will bring up a detailed view
on the status of the image.

Step 2: You can go directly to any Runtime events for this container, view vulnerability and compliance lists

End of Activity 7

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 52
Activity 8: Adding AWS Account in Prisma Cloud Compute
In this activity you will:
● Login to AWS Account and review the setup
● Add the AWS Account to Prisma Cloud Compute and setup scanning

Task 1 – Login to AWS Account and review the setup


Step 1. Click the Public Clouds icon in the lower left corner. Click Public Clouds Log to make sure all the
resources have been created and deployed successfully.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo
environment. It does so by giving you temporary AWS credentials that you use to sign in and access the AWS
console for the duration of the lab.

Step 2. Click on the Public Clouds icon. A Public Cloud pop up window will appear. Keep this window open.
You are going to use the AWS credentials from this pop up window to login on AWS console

Step 3. Right click on the value for the Account ID in the Public Clouds section in CloudShare and select
“Copy link address”

Step 4. Open an incognito browser tab/window in your computer and paste the link that was copied in the
previous step. Use the credentials displayed on the screen from the previous step for your

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 53
environment to login to AWS Console

Step 5. [Important] Change the AWS region to N. Virginia by clicking on the region drop down arrow and
select the US East (N. Virginia) us-east-1

Step 6. In the AWS console select the search for service box and type cloudformation. Click on
Cloudformation service and select Stacks and you should be able to see 2 stacks.

Step 7. Agentless CloudFormation stack creates an IAM policy that is required for Agentless scanning
capabilities of Prisma Cloud Compute. The second CloudFormation Stack AWS-EC2 is responsible
for creating 2 EC2 instances which will be scanned by the Agentless module, which will be covered in
this lab. For the ease of lab, these prerequisites are already created for you.

Task 2 – Create IAM Access Key for the AWS Account


Step 1. In the AWS console, go to Services > IAM > Users. You should see your user account there. Click
on the user name “wus-cloudshare”.

Step 2. In the account summary page click on the Security credentials tab and then click Create access
key.

Step 3. Click on Download .csv file. Make sure you download the secret access key file.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 54
Step 4. Open the accessKeys.csv file to make sure you have downloaded the key (Note that after you close
the dialog box, you can’t retrieve this secret access key again.) You can open the csv file and you
should see the Access Key ID and the Secret access key in the file.

Task 3 – Add the AWS Account and setup scanning


Step 1. Navigate to Prisma Cloud Compute > Manage > Defenders > Names.

Step 2. If you see a banner that says “Console’s address isn’t in the SAN list”, ”Select "Click to add" from
the top banner and refresh the page

Step 3. Navigate to Prisma Cloud Compute > Manage > Authentication. Select "Credential Store" from
the top menu and click "Add Credential" and enter the following details:
● Name: AWS
● Type: AWS
● Subtype: Access Key
● Access Key: Paste the Access Key created previously
● Secret Key: Paste the Access Key created previously

Step 4. Navigate to Prisma Cloud Compute > Manage > Cloud Accounts and click "Add Account". Select
AWS from the list.

Step 5. Select the credential that was previously created.

Step 6. For Discovery settings, select the option "Run Discover scan to identify ..." and click next

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 55
Step 7. For "Defense Settings", select "Agentless scan" and click next

Step 8. Under Scanning select the following options:


● Console Address: From the drop down, select the FQDN that matches the pattern: *.vm.cld.sr
● Regions: Select "Custom Regions" and under the drop down, select "N Virginia"

Step 9. click next and in the "Summary section", select "Done”

Step 10. Navigate to Prisma Cloud Compute > Monitor > Vulnerabilities and select "Hosts" from the top
menu and select "Scan Agentless".

Step 11. This will start the discovery process of Cloud Resources within the onboarded account and will also
initial Agentless scanning, which we will come back to in later sections during this workshop

End of Activity 8

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 56
Activity 9: AWS Serverless Security
Background: Prisma Cloud can scan serverless functions for vulnerabilities. Prisma Cloud supports AWS
Lambda, Google Cloud Functions, and Azure Functions.
Serverless computing is an execution model in which a cloud provider dynamically manages the allocation of
machine resources and schedules the execution of functions provided by users. Serverless architectures delegate
the operational responsibilities, along with many security concerns, to the cloud provider. In particular, your app
itself is still prone to attack. The vulnerabilities in your code and associated dependencies are the footholds
attackers use to compromise an app. Prisma Cloud can show you a function’s dependencies, and surface the
vulnerabilities in those dependent components.

PCC features to be used:


● Prisma Cloud Serverless Security
● Prisma Cloud Serverless Defender for Python

In this activity you will:


● Secure your AWS Lambda Function
● Setup Serverless DNS Runtime Protection
● Setup WAAS for Serverless

Note: This activity is dependent on Activity 8.

Task 1 – Review and test Sample Python Application on AWS Lambda

Step 1. Head over to AWS Console > Lambda > select "PrismCloud-Demo-LambdaFunction" and
explore the lambda function code

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 57
Step 2. Test the Lambda function by selecting "Test" > "Create new event", enter a name of your choice
and paste the following JSON under "Event JSON" and select "Test"

{ "cmd": "echo This test is good!" }

Step 3. The result should look similar to below

Step 4. Create the test cases for the lambda function and save (execution comes at later stage). Navigate to
AWS Console > Lambda > select "PrismCloud-Demo-LambdaFunction" > "Test" > "Create new
event"

- name: "sqlInjection"
JSON: { "body": "SELECT * FROM products WHERE id = 10; DROP members--" }

Paste the following JSON under "Event JSON" and click "Format JSON" and select "Save"

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 58
Step 5. Repeat the above for each of the JSON blocks below

- name: XSSAttack
JSON: { "body": "<script>alert(1);</script>" }

- name: curl
JSON: { "cmd": "curl google.com" }

- name: runSubProcess
JSON: { "cmd": "echo This test is good!" }

Task 2 – Secure your Lambda Function with Compute Serverless Defender


Step 1. Login to PCCE-VM and run the following command: "aws configure" to configure aws cli access.
● Access Key: Paste the Access Key created previously
● Secret Key: Paste the Secret Key created previously
● Region: us-east-1

Step 2. Once the aws-cli is successfully configure, run the following command to verify if the cli access is
setup correctly: aws sts get-caller-identity

Step 3. run the following command: "cd /home/sysadmin/lambda && bash lambda.sh"

Step 4. The lambda.sh script performs the following tasks:


● Add the Public URL of the Prisma Cloud Compute to the list of DNS names and IP addresses
Defenders use to connect to Console. This is important as the serverless defender in AWS will
use this FQDN to connect to the Console
● Download the python serverless defender code from Prisma Cloud Compute via API
● Embed the serverless defender in to our Lambda Python
● Upload the new ZIP file to AWS Lambda
● Update Lambda configuration

Step 5. Once the above script execution is complete, head over to AWS Console > Lambda > select
"PrismCloud-Demo-LambdaFunction" and review the new version of the code that was uploaded
in the previous step. Notice that the index.py has 2 additional lines referencing the Serverless
Defender functions that were generated by Prisma Cloud Compute. The Serverless defender code

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 59
should be within the "twistlock" folder within AWS Lambda.

Step 6. This demonstrates how easy it is to integrate Serverless defender code into your own
Lambda/Serverless code to secure your Serverless environments

Task 3 – Setup Serverless DNS Runtime Protection

Step 1. Head over to AWS Console > Lambda > select "PrismCloud-Demo-LambdaFunction"

Step 2. Select the "Test" menu and from the "Event name" dropdown, select "runSubProcess" and click on
"Test". The execution of the test should be successful.

Step 3. Navigate to Prisma Cloud Compute console > Monitor > Events and click on "Serverless Audits"
button and show process alert. This alert is triggered as the only allowed process is the Lambda
function main process (which in this case is the Python 3.7 runtime)

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 60
Step 4. Navigate to Prisma Cloud > Defend > Runtime > ServerlessPolicy and select "Add Rule" with the
Name - "Protect All Lambda Functions"

Step 5. Navigate to "Networking" tab and under DNS Section, add paloaltonetworks.com and
amazon.com and click “Save”

Step 6. Head over to AWS Console > Lambda > select "PrismCloud-Demo-LambdaFunction" and repeat
step 2 but for "curl" test event.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 61
Step 7. Go back to Prisma Cloud Compute console > Monitor > Events and click on "Serverless Audits"
and show Network DNS Query alert based on trying to curl to google.com which is not in the list of
allowed domains.

Step 8. Navigate to Prisma Cloud > Defend > Runtime > "Protect All Lambda Functions". Under the
Networking section, change DNS rule to "Prevent" from "Alert" and click save.

Step 9. Head over to AWS Console > Lambda > select "PrismCloud-Demo-LambdaFunction" and repeat
step 2 but for "curl" test event. This time, you should be able to see within the Lambda execution logs
that the the google.com is not resolved (If it's not, please re-run the test a couple of times as it takes a
few seconds for the Policy updates from the Prisma Cloud Console to be pulled by the defenders).

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 62
Step 10. Go back to Prisma Cloud Compute console > Monitor > Events and click on "Serverless
Audits" and show Network DNS Query alert based on trying to curl to google.com which is not in the
list of allowed domains.

Task 4 – Setup WAAS for Serverless


Step 1. When you deploy a serverless defender into your Lambda function, you automatically get a Layer 7
firewall for your serverless function which checks the “body” of incoming requests for potential
attacks.

Step 2. Create a new rule in Prisma Cloud Compute console > Defend > WAAS > Serverless called
"Firewall All Lambda Functions" and set everything to prevent.

Step 3. Within the “Scope” section, select the text field to add a new collection by clicking “+ Add
Collection”.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 63
Step 4. For the “Name”, type in “All Lambda Functions” and click save.

Step 5. Select the newly created collection via checkbox and click the button “Select Collections”

Step 6. Click “Save” when you are taken to the “Create new WAAS rule” window.

Step 7. Head over to AWS Console > Lambda > select "PrismCloud-Demo-LambdaFunction" run
XSSAttack and sqlInjection events.

Step 8. You should see the attack is prevented in AWS Lambda results (HTTP response should be null).If it's
not, please re-run the test a couple of times as it takes a few seconds for the Policy updates from the
Prisma Cloud Console to be pulled by the defenders.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 64
Step 9. Navigate to Prisma Cloud Compute > Monitor > Events > WAAS for Serverless and you should
see XSS and SQL attack entries. Click on each one to examine the event.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 65
End of Activity 9

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 66
Activity 10: Container Runtime Defense
Background: Runtime defense is the set of features that provide both predictive and threat based active
protection for running containers. For example, predictive protection includes capabilities like determining when a
container runs a process not included in the origin image or creates an unexpected network socket. Threat based
protection includes capabilities like detecting when malware is added to a container or when a container connects
to a botnet.
Prisma Cloud has distinct sensors for file system, network, and process activity. Each sensor is implemented
individually, with its own set of rules and alerting. The runtime defense architecture is unified to both simplify the
admin experience and to show more detail about what Prisma Cloud automatically learns from each image.
Runtime defense has two principle object types: models and rules.

PCC features to be used:


● Container Models
● Runtime defense for processes
● Runtime defense for networking
● Runtime defense for file systems

In this activity you will:


● Create runtime policies for Process, Network and File System.
● Test and review event logs to confirm activity

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Check Container Model States


Step 1: Check Container models state by navigating to Monitor > Runtime > Container Models.

Step 2: If the states of both shellinabox and httpd containers are “Active”, then proceed to the next step.

Step 3: If the state(s) are in “Learning”, then click on three dots in the Actions column, choose “Manual
Relearning”. Click on Action again, and choose “Manual Relearning” again to stop the learning.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 67
Task 2 - Container Process Monitoring
The steps in this task will use the shellinabox container to start a process that will then be detected
and blocked by Process Monitoring functionality

Step 1: Confirm that the shellinabox container is running, is allowed to run without restrictions, and obtain its
container ID. Do the following:

Switch to the SSH session.

Access the shellinabox container by running the following commands:

docker exec -it $(docker ps -aqf name="shellinabox") bash

Run the command “top” to validate the Runtime policy. The command must be able to run.

Step 2: To exit out of the “top” command screen, press “q” or “CTRL+C”. Confirm that Prisma Cloud Compute
was able to detect the top command run.

Go back to the PCCE console and navigate to Monitor > Events > Container Audits and click on the
shellinabox:0.1 image to check if the “top” command alert is generated against the runtime rule.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 68
Note: In case the “top” command executes and no alerts are generated, then check if the container model “state”
is “Active”. If it is in Learning / Relearning, click on the three dots under “Actions” and click the “Manual Learning”
options two times to change the state to “Active”.

Step 3: Go to Monitor > Runtime > Container Models and click on the shellinabox image row.

Step 4: Select the History tab. Review the commands executed in the shellinabox container.

Step 5: Click Close to go back to the Container Models

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 69
Step 6: At the Container Models tab, create a Runtime Rule.

A. In the shellinabox row click on three dots (...) and then click Copy Into Rule.

B. Select the Processes tab. Change the Effect of Denied & Fallback to Prevent.

C. Select the Networking tab. Configure IP and DNS Monitoring


a. In IP connectivity section, under Denied & Fallback, add 1.1.1.1 to the list of denied
outbound IP
b. In DNS Section click Disable to enable the DNS monitoring
c. Add *.google.com to the list of allowed domains, and change the Denied & Fallback
Effect to Prevent.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 70
D. Select the File System tab. Configure File System Monitoring by changing the Effect to Prevent

E. Click Save to save the Runtime Rule.


a. You will be asked whether to relearn the container model
b. Click Don’t Relearn.

Step 7: Go back to the Shellinabox container shell prompt and run the command “top” again. Observe the
results with the rule applied.

The “top” command is now not allowed to run.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 71
Step 8: On PCCE console a container audit event is generated at Monitor > Events > Container Audits

Step 9: Go to the Defend > Runtime to change the existing Runtime Rule

A. In the shellinabox row click on three dots(...) and then click Edit.
B. Under Processes, change the Effect to Block.
C. Click “Save” to save the Runtime Rule.
D. Remember to click Don’t Relearn when saving the rule.

Step 10: Go back to the shellinabox container. Run the “top” command again and you will be logged out of the
shellinabox container. The shellinabox container is stopped (and deleted).

Note the result on the shell prompt. The container was stopped completely because of the Block
effect. Hence you are being kicked out of the shellinabox container and back to the system prompt.
You can also run a docker ps to confirm the container is no longer there.

Step 11: On the PCCE console a container audit event is generated at Monitor > Events > Container Audits.
The container was stopped.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 72
Step 12: On the PCCE console go to the Defend > Runtime > Container Policy to change the Runtime Rule
to implement a less restrictive setting.

A. In the shellinabox row click on three dots(...) and then click Manage
B. Under Processes, change the Effect to Alert
C. Add /bin/ping as an allowed process name
D. Click Save to save the Runtime Rule
E. Remember to click Don’t Relearn when saving the rule

Task 3 - Runtime Network Control for DNS


Step 1: Go to the PCCE-VM shell prompt and start another Shellinabox container.

docker run --rm -d --name shellinabox shellinabox:0.1

Note: if you see an error “The container name is already in use”, please re-check and complete Task 1
in this activity.

Step 2: Access the shellinabox container by running the following commands:

docker exec -it $(docker ps -aqf name="shellinabox") bash

A. Run “ping -c 5 www.google.com” - Successfully resolves the domain


B. Run “ping -c 5 www.yahoo.com” - Unable to resolve the domain

Step 3: Return to the PCCE console and navigate to Monitor > Events > Container Audits and check if the
“ping” command alert is generated against the runtime rule.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 73
Step 4: Run “curl 1.1.1.1” - Command runs successfully however the connection is refused.

Step 5: Return to the PCCE console and navigate to Monitor > Events > Container Audits and check if the
“curl” command alert is generated against the runtime rule.

Task 4 - Runtime Monitoring for File System


This task demonstrates File System monitoring functionality, and must be run after Task 1, to leverage the
Runtime policy created in that task.
Step 1: Continue in the shellinabox container, run the following commands to generate the events required for
this task

A. cd /
B. wget www.google.com
C. exit

Step 2: Return to the PCCE console and navigate to Monitor > Events > Container Audits and check if the
“wget” command generated an event.

Note the following results:

A. The previous step tried to download the index file and store on the local storage
B. However, in the Runtime Policy created in Task 1, the “/” directory is not on the allowed list, and
thus writing to “/” is not permitted

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 74
Task 5 - Incident Monitoring
This task explores ways to view incidents on the PCCE console.
Step 1: At the PCCE console, go to RADAR View by navigating to Radars > Containers, and look for the
Shellinabox image

It is now surrounded by a pink outline, which indicates it has been involved in an incident.

Step 2: Click the image to bring up details for the image.

Step 3: Go to Monitor > Runtime > Incident Explorer

Task 6 - Crypto Miner Container Detection


This task leverages a container in the environment that contains a crypto miner, to demonstrate how PCC detects
these applications in an environment.
Step 1: Review the Default policy under Defend Runtime.

Step 2: Go back to the Docker VM, at the system shell, run the command to create the crypto miner container.

docker run --rm -d servethehome/monero_cpu_minergate

After a few minutes, you will notice a Crypto Miner incident.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 75
Step 3: Go to Monitor > Runtime > Incident Explorer to view the new crypto minor.

Task 7 - Forensics
This task leverages the crypto1 miner event generated in Task 5.
Step 1: From the Incident Explorer view on the PCCE console, click View live forensic.

Step 2: The Forensics view shows the events that detected on the monero_cpu_minergate container

End of Activity 10

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 76
Activity 11: Container Vulnerability Management and Registry
Scanning
Background: Identify and prevent vulnerabilities across the entire application lifecycle while prioritizing risk for
your cloud native environments. Integrate vulnerability management into any CI process, while continuously
monitoring, identifying, and preventing risks to all the hosts, images, and functions in your environment. Prisma
Cloud combines vulnerability detection with an always up-to-date threat feed and knowledge about your runtime
deployments to prioritize risks specifically for your environment.

PCC features to be used:


● Vulnerability Management.
● Logging and reporting for verification

In this activity you will:


● Review Vulnerability Explorer
● Create image vulnerability rule
● Enforce security with vulnerability rule
● Registry scanning

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Vulnerability Overview

Step 1: At the PCCE console, go to Monitor > Vulnerabilities. This gives an overview of Images, Hosts and
Function vulnerabilities trend over the time

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 77
Step 2: Scroll down to the Top critical vulnerabilities (CVEs) section to view the top 10 CVEs based on Risk
Score. It may take a few moments for the vulnerabilities to become visible.

Step 3: The Risk Score takes into account the CVE’s severity, and other info such as is there a fix, is the
container reachable from the Internet, etc.

Step 4: This allows customer to prioritize which CVEs to fix first in their environment, among the hundreds of
CVEs discovered

Step 5: At the PCCE console, go to Monitor > Vulnerabilities > Images

This gives an overview of the number of vulnerabilities found in each image, colour coded Brown for
Critical, Red for High severity, Orange for Medium severity, and Yellow for Low severity.

Step 6: Click on httpd image to open the details page. Note, there is a High vulnerability in the httpd image.

Step 7: Select the Layers tab. This shows the vulnerabilities found at each layer of the container image.

Step 8: Click Close to close the Image details window.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 78
Task 2 - Create Vulnerability Rule to Block Images

Step 1: At the PCCE console, go to Defend > Vulnerabilities > Images > Deployed

Step 2: Click on +Add Rule to add a new rule called “Block-High-Vulnerability” with the following
configurations

A. Alert Threshold: Medium - An Alert will be generated if an image with Medium and above
severity is run
B. Block Threshold: High - An image with High vulnerability and above will not be allowed to run
C. Click Save to save the changes.

Step 3: Go to PCCE Shell prompt and run the following command:

docker run --rm -d --name webserver2 -p 30001:80 httpd:latest

The command is Blocked by the Vulnerability rule as indicated in the error message.

Step 4: Return to the PCCE console, and go to Monitor > Events and click on Docker Audits to view the
blocked event.

Step 5: To prepare the environment for the next task, we will delete or disable the policy that we just created.
Go to Defend > Vulnerabilities > Images > Deployed. Delete / disable the rule before proceeding to
the next step by clicking the 3 dots (...) under the Actions column.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 79
Task 3 - Detect and block Log4j vulnerable images

Step 1: Deploy log4j vulnerable elasticsearch container:

docker run -d -p 9200:9200 -p 9300:9300 --name elasticsearch -e "discovery.type=single-node"


-e "ES_JAVA_OPTS=-Xms512m -Xmx512m" elasticsearch:5.6.13

Step 2: At the PCCE console, go to Monitor > Vulnerabilities > Images > Deployed. Click on elasticsearch
image and filter using the keyword: "CVE-2021-44228" to view the vulnerability details

Step 3: Stop and remove the container in preparation for next steps via PCCE VM:

docker stop $(docker ps -aqf name=elasticsearch)


docker rm $(docker ps -aqf name=elasticsearch)

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 80
Step 4: At the PCCE console, go to Defend > Vulnerabilities > Images > Deployed

Step 5: Click on +Add Rule to add a new rule called “Block Log4j vulnerability”

Step 6: Go to Advanced settings and click on +Add exception with the following configurations:
CVE: CVE-2021-44228
Effect: Block

Step 7: Click Add

Step 8: Repeat steps 6 and 7 for the following 2 additional Log4j CVEs: CVE-2021-45046 and
CVE-2021-4104 and click save.

Step 9: Navigate to PCCE-VM and run the following command to verify if the vulnerability is blocked:

docker run -d -p 9200:9200 -p 9300:9300 --name elasticsearch -e "discovery.type=single-node"


-e "ES_JAVA_OPTS=-Xms512m -Xmx512m" elasticsearch:5.6.13

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 81
Step 10: At the PCCE console, under Monitor -> Events -> Docker audits, you can see that the container
deployment was blocked due to the policy.

Step 11: Delete or disable the rule in preparation for the next activities of the lab.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 82
Task 4 - Registry Scanning
Registry is a system used for storing and distributing container images. Prisma Cloud can scan
container images in both public and private repositories on both public and private registries.

Step 1: Go to PCCE shell prompt and run the following command to Authenticate to the Registry server

docker login registry-server:5000 -u admin -p p@lo@lto

Step 2: Check .docker/config.json with the following command.

cat .docker/config.json

Step 3: Add a container image to the registry with the following command.

docker tag vulnerables/web-dvwa registry-server:5000/web-dvwa && docker push


registry-server:5000/web-dvwa

Step 4: Go to Defend > Vulnerabilities > Images and click on Registry Settings.

Step 5: Click on +Add Registry, and enter the following info in the settings:

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 83
A. Version : Docker Registry V2
B. Registry: https://registry-server:5000

C. Click the drop next to the Credentials field, click on Add to add new Credentials
a. Name: registry-server
b. Type: Basic Authentication
c. Username: admin
d. Password: p@lo@lto

D. Click Save to save the new credential


E. Click Add to add the new registry.
Step 6: Click Save next to Add Registry and scanning will start.

Step 7: Go to Monitor > Vulnerabilities > Images > Registries

Step 8: The repository has been scanned and you can see the alerts from the vulnerable images that are
uploaded to the registry.

End of Activity 11

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 84
Activity 12: CICD Integration
Background: Prisma Cloud integrates security into your continuous integration workflows so you can find and fix
problems before they enter production. Prisma Cloud’s CI plugins surface vulnerability and compliance issues
directly in the build tool every time developers build their container images and serverless functions. Security
teams can set policies that only allow compliant and fully remediated images to progress down the pipeline.

PCC features to be used:


● Jenkins Integration
● CI vulnerability policy
● Logging and reporting for verification.

In this activity you will:


● Integrate Jenkins with PCC plugin
● Create and enforce vulnerability rule for CI scanning
● Test and review logs to confirm activity.

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Jenkins Integration


Step 1: Determine the IP address of the Prisma Cloud Compute console. This information will be used for
configuring the Jenkins server later in this task. At the PCCE console, run the following commands to
determine the IP address of the Prisma Cloud Compute console:

docker inspect $(docker ps -aqf name="console") | grep IPA

Step 2: Logon to the Jenkins console by clicking on the Jenkins-GUI tab or using the following information:

http://<external_address>:8080

Username: admin

Password: p@lo@lto

Note: If you see any issue accessing the Jenkins server, make sure that you are not behind another
NGFW or not sending traffic through GlobalProtect.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 85
If you have not noted down the external address then go to the PCCE-VM tab and copy the external
address under the Connection Details.

Step 3: At the Jenkins console, click Manage Jenkins > Configure System to configure the Jenkins server to
communicate with the Prisma Cloud Compute console.

Step 4: Scroll down to Prisma Cloud plugin configuration

Step 5: If needed, re-configure the address to match the console IP address identified in Step 1 of this task.

Step 6: Click on Test connection to test the connectivity.

Step 7: Click on Save to save the configuration.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 86
Task 2 - Jenkins CI Scanning
Step 1: Create a new Pipeline. At the dashboard, click New Item.

Step 2: Enter the item name and call it “My-Project”.

Step 3: Select “Pipeline” and click OK.

Step 4: Scroll down to the Pipeline section. Copy, paste the below script into the script box. Remove any
blank line added at the end of the script box.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 87
node {
stage('createImage') {
sh 'echo "Creating Dockerfile..."'
sh 'echo "FROM ubuntu:bionic" > Dockerfile'
sh 'echo "ENV MYSQL_HOST=DB_Server" >> Dockerfile'
sh 'echo "ENV MYSQL_PASSWORD=5TTnvuTDJJSq6" >> Dockerfile'
sh 'echo "LABEL description=Test_Twistlock_Jenkins_Plugin" >> Dockerfile'
sh 'docker build --no-cache -t dev/my-ubuntu:$BUILD_NUMBER .'
}
stage('twistlockScan') {
prismaCloudScanImage ca: '', cert: '', dockerAddress: 'unix:///var/run/docker.sock', image:
'dev/my-ubuntu:$BUILD_NUMBER', key: '', logLevel: 'info', podmanPath: '', project: '', resultsFile:
'prisma-cloud-scan-results.json', ignoreImageBuildTime:true
}
stage('twistlockPublish') {
prismaCloudPublish resultsFilePattern: 'prisma-cloud-scan-results.json'
}
}

Step 5: Select the “Use Groovy Sandbox” option and press Save.

Step 6: After saving the pipeline, go to the project page and click Build Now.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 88
Step 7: Clicking on the Build Number will bring you to the build status page.

Step 8: Click Console Output to see the build logs.

Step 9: Clicking on Image Vulnerabilities will let you view the scan results directly from the Jenkins console.

Task 3 - Jenkins Enforce Security


This task will demonstrate how Prisma Cloud Compute secures a Jenkins pipeline.

Step 1: Go to the PCCE console and navigate to Monitor > Vulnerabilities > Images > CI to check the status
of the scan.

Note the Failure Threshold of the default CI scan rule. This is set to off, so all scans will

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 89
Step 2: Go to Defend > Vulnerabilities > Images > CI.

Step 3: Click on +Add rule and configure the

A. Rule Name: Fail CI on Medium Threshold


B. Failure Threshold: Medium

Step 4: Click Save to save the changes.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 90
Step 5: Go back to the Jenkins server and in the project page, click Build Now to build again and you should
see the build failed because the threshold is now lower and can cause the build to fail.

Step 6: Go to Monitor / Vulnerabilities / Images / CI to check the status of the scans.Note that Build 2 failed
because the image has Medium severity vulnerabilities.

End of Activity 12

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 91
Activity 13: Web-Application and API Security (WAAS)
Background: Prisma Cloud provides protection for HTTP-based web applications deployed directly on hosts, as
containers, application embedded or serverless functions, by inspecting and filtering layer 7 traffic to and from the
application. The protection covers the OWASP Top-10 Web Application Security Risks, API Protection, Access
Control and File Upload Control.
WAAS includes many functionalities. In this section, only one use case for Web Application protection, and one
use case for API Protection, is examined.

PCC features to be used:


● WAAS Policy
● Logging and reporting for verification

In this activity you will:


● Create and enforce WAAS rules for web application and API protection
● Review logs to confirm activity

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Initialize DVWA container

Step 1: Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Go to
the PCCE-VM, start the DVWA container.

docker run --rm -d --name dvwa -p 8082:80 vulnerables/web-dvwa

Step 2: Access DVWA UI at:

http://<external address>:8082

Note: If you have not noted down the external address then go to the PCCE-VM tab and copy the
external address under the Connection Details.

Step 3: Login with the following credentials.

Username: admin

Password: password

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 92
Step 4: Scroll down and click Create / Reset Database to create a new database.

Step 5: Refresh the browser and Re-login.

Task 2 - Create WAAS rule to protect web application


Begin this task at the DVWA container to begin the attack.

Note: To avoid issues with this exercise, make sure that you are not behind another NGFW
or not sending traffic through GlobalProtect.

Step 1: On the DVWA console, click SQL Injection.

Step 2: Enter 1' or '1=1'# as the User ID and click Submit.

Step 3: SQL Injection was successful as there was no WAAS rule to protect the web application.

Step 4: Close the DVWA UI window.

Step 5: On the Prisma Cloud Compute console, go to Defend > WAAS > Container

Step 6: To create a new WAAS rule, click +Add Rule, and configure the rule with the following parameters and
apply it to the DVWA image.

A. Rule Name: WAAS_Protect_DVWA


B. Scope: Click to select collections and then click on +Add Collection
a. Rule Name: WAAS_Protect_DVWA
b. Images: vulnerables/web-dvwa:latest

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 93
c. Save the collection by clicking Save

C. Click Select Collections


D. Click Add New app.
E. Under App Definition, click Add Endpoint, add port 80 as the internal port, then click Create.

F. Scroll up and select the App Firewall tab, and set protection for “SQL Injection” to “Prevent”.

G. Save the rule by clicking Save.

Step 7: Test the newly created rule by accessing the DVWA UI.

http://<external address>:8082

Step 8: Click on “SQL Injection”.

Step 9: Enter 1' or '1=1'# as the User ID and click Submit

Step 10: The request is now denied.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 94
Step 11: On the Prisma Compute console, go to Monitor > Events and click on WAAS for Containers.

Step 12: The SQL Injection attack has been detected and prevented.

Step 13: [Important] Perform post-task cleanup, stop the DVWA container

docker stop $(docker ps | grep dvwa | awk '{print $1}')

Step 14: On the Prisma Compute console, go to Defend > WAAS > Container

Step 15: Click on three dots in the Actions column and select Delete to delete the rule.

Task 3 - Initialize SwaggerAPI container


This task generates a Swagger file that will be used in the next step to configure a WAAS rule.
Complete this step before proceeding.

Step 1: Start the SwaggerAPI container

docker run --rm --name swagger_api -d -e SWAGGER_HOST=http://<external address>:8082 -e


SWAGGER_URL=http://<external address>:8082 -e SWAGGER_BASE_PATH=/myapi -p
8082:8080 swaggerapi/petstore

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 95
Note: Remember to replace the external address in the above command.

If you see an error “port is already allocated” then go back to task 2 step 13 to stop the DVWA
container.

Step 2: Access the SwaggerAPI UI

http://<external address>:8082

Note: If you see a Failed to load API definition page, in the Explore bar, remove the space between
the port number 8082 and /myapi/…

Step 3: Right-click on the link, and Save Link As… to download the swagger.json file

Task 4 - Create WAAS rule for API Protection


For this task, use the swagger.json file that was created in the previous task.

Step 1: On the Prisma Cloud Compute console, go to Defend > WAAS > Container

Step 2: Click +Add Rule, and configure the rule to apply to the swaggerapi image.

A. Rule Name: WAAS_Protect_SwaggerAPI


B. Scope: Click to select collections and then click on +Add Collection
a. Rule Name: WAAS_Protect_SwaggerAPI
b. Images: swaggerapi/petstore:latest
c. Save the collection by clicking Save

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 96
Step 3: Click Select Collections

Step 4: Click Add New App

Step 5: To import the swagger.json file, click Import, select the swagger.json file you downloaded earlier.

This file defines the valid API paths, the methods for each path, and the types of the parameters.
Prisma Cloud Compute will protect against any requests that do not satisfy these rules.

Step 6: For the endpoint with TLS turned on, click on the Delete bin icon to delete the endpoint. You need to
scroll down to see the HTTP Host.

Step 7: For the remaining endpoint, click on the port number to expand the configuration option, and change
the port from “0” to “8080”.

Note: that if you see a character behind that HTTP host port number after the import, you will need to
delete the HTTP Host and re-enter the host info to remove that character, otherwise, the policy will not
work on the host.

Step 8: Click Save

Step 9: You protected endpoint should look like this:

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 97
Step 10: Click on App definition, change the API protection - Parameter violations to Prevent mode.

Step 11: click Save to save and close the window.

Task 5 - Validate the API Protection

Step 1: Go back and access the SwaggerAPI UI

http://<external address>:8082

Step 2: Look for the path /pet/{petId}


Note that the type of the petId is an integer

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 98
Step 3: Open a new tab in the browser and go to below URL to retrieve details of petId=1

http://<external address>:8082/myapi/pet/1

Step 4: You will be able to retrieve the details

Step 5: Open a new tab in the browser and go to the below URL to try to retrieve details of petId=a, which is
not an integer

http://<external address>:8082/myapi/pet/a

Step 6: You will see that access is denied.

Step 7: On the Prisma Compute console, go to Monitor > Events

Step 8: Select the WAAS for the Container tab.

Step 9: Scroll down to the Attack Type section and click on API Protection.

Step 10: Scroll down to the Forensic message section. The event shows that the request was blocked because
the value of petId is not an integer

End of Activity 13

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 99
Activity 14: Agentless Scanning
Background: This section outlines how Agentless scanning helps users inspect the risks and vulnerabilities of a
virtual machine without having to install an agent or affecting the execution of the instance. In a mixed
environment, having just agents or just agentless scanning will not meet all of the diverse security needs. A
combined approach is needed in order to ensure you have complete coverage. Prisma Cloud is proud to be the
first security platform to offer both agent-based and agentless security together from a single solution, giving you
and your teams the flexibility and choice to deploy or activate the right method of protection in a mixed
environment.

In this activity you will explore Prisma Cloud Compute Agentless scanning capabilities

Note: This activity is dependent on Activity 8.

Task 1 - Prisma Cloud Compute Agentless scanning

Step 1. Navigate to Prisma Cloud Compute > Monitor > Vulnerabilities and select "Hosts".

Note: If you do not see more than 1 host listed under hosts, head to Prisma Cloud Compute > Monitor > Hosts
and click on “Scan Agentless” and wait for a few minutes for the agentless scanning to be complete.

Step 2. "Agentless" column in the table indicates whether or not the Agentless module was used to scan that
particular host.

Step 3. Identify one of the hosts where the agentless is enabled and hover the mouse over the number in the
"Risk Factors" column to see the risk factors associated with that host.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 100
Step 4. Click on the identified host from the previous step to see the Host details gathered by the Agentless
module.

Step 5. Click on any of the identified vulnerabilities to see details, CVE and the risk factor score

Step 6. Click on the "Package Info" tab to see the list of packages installed on that host. Once done, click on the
"Close" button".

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 101
Step 7. Navigate from the "Hosts" tab at the top of the screen to "Vulnerability Explorer"

Step 8. On the same page, scrolling down further, you will see "Top critical vulnerabilities (CVEs)". Click on any
of the vulnerabilities. For example, selecting CVE-2021-3177 row and clicking on the corresponding entry
on the "Impacted Packages" column will show more information about the CVE and the hosts impacted
by this vulnerability.

End of Activity 14

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 102
Activity 15: Compliance Management
Background: Prisma Cloud helps enterprises monitor and enforce compliance for hosts, containers and
serverless environments. Use the compliance management system to enforce standard configurations
and security best practices.

PCC features to be used:


● Compliance Explorer
● Logging and reporting for verification

In this activity you will:


● Review Compliance explorer.
● Create Compliance rule
● Create Trusted images rules

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Compliance Explorer


Compliance Explorer gives you a picture of the overall compliance of the entities in your container environment.

Step 1. Go to Monitor > Compliance > Compliance Explorer. Compliance Explorer consists of two parts:

Roll-up charts — Show the overall compliance for each entity type.

Table of compliance issues — Lists all compliance checks that failed.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 103
Step 2. Click on one of the entries in the list, you can see a short description of the compliances. Click on the
name of the container and you can see the other compliance issues associated with this container.

Step 3. Click on the Containers tab in Compliance Explorer.

Step 4. Compliance status of each image is shown

Step 5. Clicking on Jenkins_docker image will bring up the Compliance details for jenkins image.

Task 2 - Create Compliance Rule


Step 1. Go to Defend > Compliance > Containers and Images and click on + Add Rule

Add a rule named: Compliance-rule


Type 597 in filter box to search for Rule 597 and set it to Block

Select the Scope section -> Add Collection with the following config:

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 104
● Name: Block shellinabox
● Images: select "shellinabox" from the dropdown menu

Click save and click select sections. Enter a simple message in the Custom message for blocked
requests field and click save.

Step 2. Go to the PCCE shell and launch the shellinabox container with the name “shellinabox2”.

docker run --rm -d --name shellinabox2 shellinabox:0.1

Step 3. Return to the PCCE console and go to Monitor > Events > Docker Audits and confirm that an event
was generated.

Step 4. Prepare the environment for subsequent tasks. Go to Defend > Compliance. Click on three dots (...)
and then select manage to change the Action of Rule 597 back to “Alert”.

Step 5. Click on Save to save the changes.

Task 3 - Trusted Images


Step 1. Go to the PCCE shell prompt and run the following command

docker run --rm -it --name ubuntu ubuntu:latest /bin/sh

Note: Check that the ubuntu:latest image is showing in the Console. You can use cmd cat
/etc/*release to check the release version.

Once it shows, exit from the container by issuing the command: exit

Step 2. Go to Defend > Compliance > Trusted Images > Policy

Step 3. Turn on Trusted images rules.

Step 4. Click on Add rule to add a rule with the name “Ubuntu Trusted Image” and configure the following:
A. Under “Allowed”, click on + Create group to create a group with below settings
a. Name: Base_Layers_for_Ubuntu
b. Type: Select “By Base Layers”
c. Image: Choose the ubuntu:latest image
d. Click Import, then Save

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 105
B. Change the Denied & Fallback Effect to Block.
C. Add a custom message “Block non Ubuntu Base Layer Images”
D. Click Save to save the rule

Step 5. Start another httpd container


docker run --rm -d --name webserver2 -p 30001:80 httpd:latest

Note: The httpd image is not based on ubuntu:latest base layer, and thus it was blocked.

Step 6. Start a container based on ubuntu:latest. Use the following command:

echo "FROM ubuntu:latest" | docker build --label deployment="Prod" -t "httpd:prod" -

docker run --rm -d --name webapp -p 30010:80 httpd:prod

The http:prod image is based on ubuntu:latest base layer, and thus it can run

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 106
Step 7. Go to Monitor / Events / Trust Audits to confirm that an event was generated at

Step 8. Go to Defend > Compliance > Trusted Images > Policy

Step 9. Prepare the environment for the next task. Disable the trusted images rule name “Trusted images
rules” before proceeding

End of Activity 15

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 107
Activity 16: Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive workshop. We hope you have enjoyed the presentation
and lab activities that we have prepared for you. Please take a few minutes to complete the online survey
form to tell us what you think.

Task 1: Take the online survey


Step 1. In your lab environment, click on the Survey menu item in the left menu bar.

Step 2. Please complete the survey and let us know what you think about this workshop.

Congratulations! You have now successfully completed the Prisma Cloud Native Security Ultimate Test Drive
workshop.

End of Lab

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 108
Appendix 1: On-board a AWS Account

Prisma Cloud trial provisioning will take a few hours to complete. It’s very likely your free trial version tenant will
not be ready during this workshop. You can refer to the steps here to connect your existing AWS account to the
Prisma Cloud trail when it is ready. To connect other public cloud services to your Prisma Cloud trial account, visit
here for more details.
To connect your AWS Organizations (only supported on public AWS) or AWS accounts on the public AWS, AWS
China, AWS GovCloud account to Prisma™ Cloud, you must complete some tasks on the AWS management
console and some on Prisma Cloud. You will need sufficient access rights on the AWS account in order to
complete the onboarding process. The onboarding workflow enables you to create a Prisma Cloud role with either
read-only access to your traffic flow logs or with limited read-write access to remediate incidents. With the correct
permissions, Prisma Cloud can successfully connect to and access your AWS account(s).

Step 1: Create a CloudWatch log group and enable flow logs on your AWS account.

Step 2: Download the CFT template to set up the Prisma Cloud role on AWS.

(1) CFT to setup a role to Monitor the AWS account:

https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template

(2) CFT to setup a role to Monitor & Protect the AWS account:

https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template

Step 3: Create CloudFormation stack to deploy one of the CFT downloaded in the previous step to setup the
Prisma Cloud role on AWS.

Step 4: Once CFT deployment is successful, copy the value of the Prisma CloudARN from stack Outputs.

Step 5: With your Prima Cloud trial account ready, login to the Prisma Cloud tenant console and select
Settings > Cloud Accounts > Add New.

Step 6: Select AWS as the Cloud to Protect.

NOTE: Access denied is expected if you do this step on a Prisma Cloud tenant used in this lab. The
demo account used in this lab is a read-only account, it does not have full access to the Prisma Cloud
Service and access to some functions is denied.

Step 7: Enter a Cloud Account Name and click Next.

A cloud account name is auto-populated for you. You can replace it with a cloud account name that
uniquely identifies your AWS account on Prisma Cloud.

Step 8: Select either the Monitor or Monitor & Protect Mode and click Next.

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 109
Mode selection decides whether to enable permissions to only monitor (read-only access) or to
monitor and protect (read-write access) the resources in your AWS cloud account.

Step 9: Paste the Prisma CloudARN (refer step 4) and click Next.

The Prisma Cloud ARN has the External ID and permissions required for enabling authentication
between Prisma Cloud and your AWS account.

Step 10: Select the account groups and click Next.

Step 11: Review the onboarding Status of your AWS account and click Done and then click Close.

The status check verifies the services that are enabled and disabled on your AWS account.

For more detailed information please take a look at below link:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platfor
m-to-prisma-cloud/onboard-your-aws-account/add-aws-cloud-account-to-prisma-cloud.html#id8cd842
21-0914-4a29-a7db-cc4d64312e56

End of Appendix-1

UTD-CNSP-1.3 ©2022 Palo Alto Networks, Inc. | Confidential and Proprietary 20220808 110

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy