0% found this document useful (0 votes)

55 views

UTD CNSP 2.0 Security Track

Uploaded by

Hải Nguyễn Nhật

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

55 views

UTD CNSP 2.0 Security Track

Uploaded by

Hải Nguyễn Nhật

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 104

infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

ULTIMATE
TEST DRIVE
Cloud Native Security
Platform
with Prisma Cloud

Workshop Guide
UTD-CNSP-2.0 | Security Track

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary Last Update: 20230831
Table of Content

Purpose of This Workshop Guide 4

Activity 0: Log in to the UTD Workshop 5
Task 1 - Log in to Your Ultimate Test Drive Class Environment 5
Task 2 - Docker Workstation Overview 7
Task 3 - Application Portal Overview 9
Task 4 - Kubernetes VM Overview 11
Activity 1: Prisma Cloud Overview 13
Task 1 - Log in to Prisma Cloud Enterprise Edition Console 13
Task 2 - Prisma Cloud Enterprise Edition Console Quick Overview 15
Task 3 - SecOps Dashboard in Prisma Cloud Enterprise Edition 18
Task 4 - Prisma Cloud Asset Inventory (CMDB) 21
Activity 2: Prisma Cloud Compute Edition Overview 25
Task 1 - Log in to Prisma Cloud Compute Edition Console 26
Task 2 - Prisma Cloud Compute Edition overview 28
Activity 3: Adding AWS Account in Prisma Cloud Compute 31
Task 1 - Login to AWS Account and review the setup 31
Task 2 - Create IAM Access Key for the AWS Account 32
Task 3 - Add the AWS Account and setup scanning 34
Activity 4: Investigate and Remediate Cloud Service Configuration Alerts 38
Task 1 - Review a Prisma Cloud Alert 38
Task 2 - Analyze the Audit Trail 40
Task 3 - Remediate a Security Event 41
Activity 5: Prisma Cloud Network Monitoring 43
Task 1 - Investigate a Network Alert 43
Task 2 - Modifying the RQL to search for Suspicious Network Activity 45
Task 3 - Examining the Network Blast Radius of a potentially compromised host 47
Task 4 - Examining the Traffic from Suspicious IPs 48
Task 5 - Examining the Host Vulnerability Findings 50
Activity 6: Prisma Cloud Application Security 51
Task 1 - Examine code that has secrets hardcoded/exposed 51
Task 2 - Investigate IaC Misconfigurations 52
Task 3 - Examine vulnerabilities in code 54
Task 4 - Prisma Cloud Application Security 55
Task 5 - Auto Remediation 59
Activity 7: Compliance Management 61
Task 1 - Prisma Cloud Enterprise - Compliance Explorer 61
Task 2 - Prisma Cloud Compute - Compliance Explorer 64
Activity 8: Prisma Cloud Data Security 66
Task 1 - Data Security Overview 66
Task 2 - Examine Sensitive Objects discovered by the Data Security module. 68
Activity 9: Prisma Cloud IAM Security 71

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 2

Task 1 - Explore IAM Policies Dashboard 71
Task 2 - Investigate over-privileged AWS IAM permissions 72
Task 3 - Use RQL queries to determine net permissions 74
Activity 10: Agentless Scanning 77
Task 1 - Prisma Cloud Compute Agentless scanning 77
Activity 11 [Optional]: Prisma Cloud Integrations 80
Task 1 - Prometheus and Grafana Integration 80
Task 2 - Webhook Integration 85
Task 3 - Splunk Integration 90
Task 4 - Mail Integration 98
Activity 12: Feedback on Ultimate Test Drive 102
Task 1: Take the online survey 102
Appendix 1: On-board a AWS Account 103

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 3

Purpose of This Workshop Guide
The activities outlined in this Workshop Guide are meant to contain all the information necessary to navigate the
workshop interface, complete the workshop activities, and troubleshoot any potential issues with the lab
environment. This guide is meant to be used in conjunction with the information and guidance provided by your
facilitator.
This workshop guide covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.

Security Track Overview

1. Description:
a. The Security Track is designed for professionals who work in network security, information
security, and cybersecurity engineering. If the persona is responsible for securing networks and
systems, then this track is right for them.
b. In this track, we will showcase the capabilities of Prisma Cloud and how it can help enhance the
security posture of their organization by integrating with the tools and processes used in this
track.
2. Targeted Teams: Network Security, Information Security, Cybersecurity Engineering
3. Targeted Personas: Information Security Engineer, Network Security Engineer, Systems Engineer,
Security Analyst, Cloud Security, Architect

Once These Activities Have Been Completed

You should be able to:
1. Configure and review the Prisma Cloud Enterprise Edition console.
2. Configure and review the Prisma Cloud Compute Edition (PCCE) console.

Note: Unless specified, the Google Chrome web browser will be used to perform any tasks outlined in the
following activities.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 4

Activity 0: Log in to the UTD Workshop
In this activity, you will:

● Log in to the Ultimate Test Drive Workshop

● Understand the layout of the environment and its various components.
● (Optional) Subscribe to the Prisma Cloud free trial

Task 1 - Log in to Your Ultimate Test Drive Class Environment

Before beginning this workshop, make sure your laptop is installed with a modern browser that supports HTML
5.0. We recommend using the latest version of Firefox®, Chrome, or Internet Explorer. We also recommend you
install the latest Java® client for your browser.

Step 1. Open a browser window and navigate to the class URL. If you have an invitation email, you will find
the class URL and passphrase there. Otherwise, your instructor will provide them.

Step 2. Complete the registration form and click Register and Login at the bottom.

Step 3. Depending on your browser, you may be asked to install a plugin. Please click yes to allow the plugin
to be installed, then continue the login process.

Step 4. Once you log in, the environment will be created automatically for you. The upper left-hand corner will
show you the progress of the preparation. You will see the lab availability time when it is ready for use.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 5

The CNSP UTD lab environment consists of the following tabs:

1. Overview: A quick overview of lab environment and lab activities

2. Workshop Guide: Click this tab to open the lab guide
3. Prisma Cloud Enterprise Edition: Click this tab to login on Prisma Cloud Enterprise Edition
demo tenant console
4. Docker Workstation: Click this tab to connect to a VM running PCCE and other containers
5. Survey: A short survey to get your feedback

Note: You can leverage the keyboard > send text feature inside of CloudShare when the guide instructs you to
copy/paste linux commands. Also note that when copying/pasting commands, make sure to remove the line
breaks if any before commands are executed.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 6

Task 2 - Docker Workstation Overview

The Docker workstation provided in this workshop has multiple applications running on it in the form of Docker
containers such as:

● Prisma Cloud Compute Edition

● Console
● Defender
● Prometheus
● Grafana
● Splunk
● Visual Studio Code
● Jenkins
● Registery2
● DVWA - Damn Vulnerable Web Application docker container is a PHP/MySQL web application that is very
vulnerable.
● Webhook tester
● Locally hosted mail server

All of the above applications are accessible via the Application Portal tab from your CloudShare environment.

To access and login to Docker workstation, follow these steps:

Step 1. Select the Docker Workstation tab to open the ssh terminal that is already logged in to this VM. If
not already logged in, use the CloudShare interface to login.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 7

If you prefer to use your own terminal from your laptop, you can ssh to this VM using the External Address and
the user name and password under Connection Details in the Connectivity section.

Note: You can also SSH to Docker Workstation from your laptop terminal (MAC) or Putty (Windows) using the
external address and login credentials as highlighted in the screenshot.

ssh sysadmin@<external address>

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 8

Task 3 - Application Portal Overview
The Application Portal is one stop shop for all the applications that are used in this workshop. Under the hood, it
utilizes Kasm Workspaces, which is a streaming platform for delivering browser-based access to applications, and
web services and this setup is running as a docker container within the Docker workstation. Within this
workspace, Chrome browser is preinstalled and it provides a secure and isolated browsing environment.

Below are some key points to note:

1. Credentials: kasm_user/p@lo@lto
2. Homepage: http://homepage:3000 (henceforth referred to as Homepage).
3. The Application Portal, upon startup, opens the webpage: If Homepage is not loaded, please refresh the
browser tab or open a new browser tab and navigate to aforementioned URL
4. Homepage provides you access to the various applications used within this workshop.
5. These applications are all running as Docker containers and they are accessible via their internal IPs only
via the Application portal.
6. This ensures that the traffic doesn’t go out the internet, making the setup a bit more secure and reduces
latency.

Below are the list of applications that are accessible via Application Portal and the respective tracks where these
are used in the lab:
1. Prisma Cloud Compute Edition: Click this tab to login on Prisma Cloud Compute Edition (PCCE)
console (Common for all the Tracks)
➢ Credentials: admin/p@lo@lto
2. Prometheus: Monitoring and Alerting Toolkit (Common for all the Tracks)
3. Grafana: Analytics and interactive visualization web application (Common for all the Tracks)
➢ Credentials: admin/admin
4. Splunk: Log aggregation (Common for all the Tracks)
➢ Credentials: admin/password
5. Webhook Receiver: Webhook container to receive incoming webhooks (Common for all the Tracks)
6. Mail Server: Locally hosted mail server (Common for all the Tracks)
7. Visual Studio Code: IDE (Cloud Operations and Developer Tracks)
➢ Credentials: admin/password
8. Jenkins: CICD (Development Track)
➢ Credentials: admin/p@lo@lto
9. DVWA: Damn Vulnerable Web Application docker container is a PHP/MySQL web application

Below are the steps to access the Application Portal:

Step 1. Select the Application Portal tab to open the portal.

Step 2. Credentials: kasm_user/p@lo@lto

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 9

Step 3. Once logged in, when you click inside the page, allow the clipboard permission when prompted.

Step 4. Below are some screenshots of the interface.

Step 5. Important: This is a browser in browser setup running as a Docker container. DO NOT open more
than 3-4 browser tabs at the same time as it may cause resource exhaustion on the Docker
workstation VM.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 10

Step 6. If due to inactivity, you see a blue screen when you access the Application Portal, click on “Connect”
option

Task 4 - Kubernetes VM Overview

The Kubernetes VM provided in this workshop is running a single node Kubenetes cluster launched via k3s.
Within the lab, you will be working with this VM to perform various things such as deploying Prisma Cloud
defender, Argo CD, running log4j attacks etc.

To access and login to Kubernetes VM, follow these steps:

Step 1. Select the Kubernetes tab to open the ssh terminal that is already logged in to this VM. If not already
logged in, use the CloudShare interface to login.

If you prefer to use your own terminal from your laptop, you can ssh to this VM using the External Address and
the user name and password under Connection Details in the Connectivity section.

Note: You can also SSH to Docker Workstation from your laptop terminal (MAC) or Putty (Windows) using the
external address and login credentials as highlighted in the screenshot.

ssh sysadmin@<external address>

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 11

End of Activity 0

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 12

Activity 1: Prisma Cloud Overview
Prisma Cloud is a comprehensive cloud-native security platform with the industry’s broadest security and
compliance coverage. It protects cloud native applications, data, network, compute, storage, users, and
higher-level PaaS services across cloud platforms. Prisma Cloud enables Cloud Security Posture Management
(CSPM) and Cloud Workload Protection Platform (CWPP) for comprehensive visibility and threat detection across
your organization’s hybrid, multi-cloud infrastructure. It dynamically discovers resources as they are deployed and
correlates cloud-service-provided data to enable security and compliance insights into your cloud applications and
workloads.

In this activity, you will:

● Log in to Prisma Cloud Lab account

● Learn about the Prisma Cloud console and help center
● Review how to on-board a AWS account on Prisma Cloud tenant

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Log in to Prisma Cloud Enterprise Edition Console

Complexity: Easy

Key Takeaways:
● Logging into Prisma Cloud
● View onboarded Cloud Accounts

Step 1. Click on the Prisma Cloud Enterprise Edition tab to open the demo tenant login.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 13

Step 2. Follow the screen to login and then click on the Prisma Cloud icon.

NOTE: If you see a page expired message then refresh the web page by clicking on the Home
button as highlighted in below screen capture.

Step 3. Use the icons from the Action panel virtual keyboard to go back, forward and home screen while using
the Prisma Cloud console.

Step 4. To check the on-boarded public cloud accounts click on the Settings on the left-hand side and select
Account Groups. Click on the 4 Cloud Account(s) under Default Account Group. You can see the
public cloud accounts connected to this Prisma Cloud demo account.

NOTE: The screenshots captured in this workshop guide might vary slightly from the actual lab account.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 14

We have already connected AWS, Azure and GCP accounts to this Prisma Cloud service, and this lab
account can be used for testing across all three public cloud providers.

Step 5. If you click on Add Cloud Account, you will get an access denied message.

NOTE: The Prisma Cloud Enterprise Edition account used in this lab is a read-only account, it does
not have full access to the Prisma Cloud Service and access to some functions is denied. This
account cannot make changes to the configuration of the associated Prisma Cloud Services.

Task 2 - Prisma Cloud Enterprise Edition Console Quick Overview

Complexity: Easy

Scenario: Prisma Cloud Enterprise Overview

Key Takeaways:
● View SecOps dashboard
● View Policies
● Compliance Dashboard

When you Access Prisma Cloud, you first see the Alerts. You can then use the following tabs to interact with the
data and visualize the traffic flow and connection details to and from the different resources in your cloud
deployment; review the default policy rules and compliance standards; and explore how the web interface is
organized to help you and DevSecOps teams to monitor cloud resources.
● Dashboard
● Inventory
● Investigate
● Policies
● Compliance
● Alerts
● Compute
● Settings

Step 1. Click on the Dashboard > SecOps to review the Dashboard. The Dashboard provides a graphical
view of all assets deployed across multiple public cloud environments. You can use the predefined or
custom Time Range to view current trends or historical data. Or use the Cloud Accounts to focus on
specific public cloud accounts.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 15

Step 2. The Inventory > Assets provides visibility into all the assets contained within the onboarded cloud
accounts. From this view, you will be able to find out which assets passed and which ones failed to
comply with the current policies.

Step 3. The Investigate tab helps in identifying security threats and vulnerabilities, creating and saving
investigative queries, and analyzing impacted resources. To conduct investigations, Prisma Cloud
provides a proprietary query language called Resource Query Language (RQL) that is similar to SQL.

Step 4. The Policies tab shows the Prisma Cloud policy which is a set of one or more constraints or
conditions that must be adhered to. Any new or existing resources that violate these policies are
automatically detected.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 16

Prisma Cloud provides predefined default policies for configurations and access controls that adhere
to established security best practices such as PCI, GDPR, ISO 27001:2013,and NIST, and a larger set
of policies that enable you to validate security best practices with an impact beyond regulatory
compliance. In addition to these predefined policies, you can create custom policies to monitor for

Step 5. The Compliance > Overview dashboard enables you to view, access, report, monitor and review their
cloud infrastructure health compliance posture. You can also create compliance reports and run them
immediately, or schedule them on a recurring basis to measure your compliance over time.

Step 6. Click on the Compute tab to open up the Compute module in Prisma Cloud. Prisma Cloud offers a
rich set of cloud workload protection (CWPP) capabilities. Collectively, these features are called
Compute.

The Compute tab enables cloud native assets anywhere they operate - regardless of whether running
as containers, serverless functions, non-container hosts, or any combination of them.

Prisma Cloud Compute is also available to install as a self hosted deployment known as Prisma
Cloud Compute Edition. We have provided access to Prisma Cloud Compute Edition for the cloud
workload protection lab activities in Part 2 of this lab.

For more information on Prisma Cloud Compute (in Enterprise Edition) vs Compute Edition, please
visit here for a detailed comparison.

Step 7. The Alerts > Overview allows the admin to view the list of discovered violations and anomalies, drill
into the details and look up remediation options, and create alert rules and notification templates.
When you access Prisma Cloud, you first see the Alerts.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 17

Before we dive deeper into alerts, we will take a look at the assets that are visible and protected by
Prisma Cloud.

Task 3 - SecOps Dashboard in Prisma Cloud Enterprise Edition

Complexity: Easy

Scenario: Prisma Cloud Enterprise Overview

Key Takeaways:
● SecOps dashboard
● Assets exposed to the internet and traffic that they are taking.

The Dashboard SecOps provides a graphical view of the performance of resources that are connected to the
internet, the risk rating for all accounts that Prisma Cloud is monitoring, the policy violations over time and a list of
the policies that have generated the maximum number of alerts across your cloud resources. It makes the
security challenges visible to you as a quick summary, so you can dig in.

Step 1. Click the Dashboard > SecOps, set the Time Range to All Time.

Step 2. Scroll down and click on one of the Top Internet Trafficked Assets by Traffic Type, such as the RDP.
Click on one of the resources, such as PANW-WindowsBastionServer-awsjamconfig to open an
investigation pane for the workload to see what traffic is coming from the internet. Expand the time range
to the last 6 months and you’ll see details about the workloads that are taking traffic directly from the
Internet.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 18

Step 3. Click on the arrow from the Suspicious IP to analyze the traffic towards the
PANW-WindowsBastionServer-awsjamconfig host.

Question: Did the workload take traffic from the Suspicious IP?

Step 4. Now go to the Dashboard > SecOps and scroll down to the bottom of the page and view the connections
from the Internet Connected Assets by Source Network Traffic Behavior map.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 19

Step 5. Drill down into one of the “pink” bubbles to explore where the traffic is originating from and the type of
traffic. For example, for each pink bubble drills down until a red bubble appears and shows what traffic is
seen towards your cloud accounts.

Note that if you do not see graphical data for the pink bubble you selected, try a different one. When you
do this, your graph may look different than what’s indicated in the screenshot.

Step 6. Click on View Details to go to the Investigate tab with the subsequent network information.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20

Task 4 - Prisma Cloud Asset Inventory (CMDB)

Complexity: Easy

Scenario: Prisma Cloud Enterprise Overview

Key Takeaways:
● Prisma Cloud Asset Inventory

Public cloud environments are very dynamic environments, and a very common customer pain point is visibility
and asset inventory tracking. You can’t protect what they don’t know about, that is why a central cloud
Configuration Management Database(CMDB) is the foundation for building and implementing a solid Cloud
Security program.

The Asset Inventory dashboard (on the Inventory tab) provides a snapshot of the current state of all cloud
resources or assets that you are monitoring and securing using Prisma Cloud. From the dashboard, you gain
operational insight over all our cloud infrastructure, including assets and services such as Compute Engine
instances, Virtual machines, Cloud Storage buckets, Accounts, Subnets, Gateways, and Load Balancers.

Step 1. Click the Inventory > Assets tab.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 21

Step 2. Set the Asset Inventory’s Date filter to Most Recent.

Step 3. In the Prisma Cloud Asset Inventory dashboard, scroll down the page and search for and click on the
Google VPC line item in the table in the Service Name column. This will open up the Google VPC assets
view.

Step 4. In the Asset Inventory / GCP | Google VPC page, you can see a quick count on all the number of
unique VPC assets.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 22

Step 5. Scroll down to the Resource Type summary, and click on the (!) icon under Actions for the Google VPC
Firewall Rule to see a list of firewall configurations that have violated the Prisma Cloud Security policies.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 23

Step 6. You’ll now see a list of GCP firewall assets that are violating the policy, and you can click each of them to
analyze configurations. Now try out a number of other different resources under the Asset Inventory to
explore other Cloud Resources.

Note: Prisma Cloud allows you to easily discover all your cloud resources
across all of your cloud accounts and gives you a security posture view with
regard to those resources. It also allows you to easily drill down to get
details of each resource and whether it has passed or failed a policy. This
enables you to get quite granular at a per resource level.

End of Activity 1

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 24

Activity 2: Prisma Cloud Compute Edition Overview
Prisma Cloud offers a rich set of cloud workload protection capabilities. Collectively, these features are called
Compute. Compute has a dedicated management interface, called Compute Console, that can be accessed in
one of two ways, depending on the product you have.
Prisma Cloud Enterprise Edition — Hosted by Palo Alto Networks. Prisma Cloud Enterprise Edition is a SaaS
offering. It includes both the Cloud Security Posture Management (CSPM) and Cloud Workload Protection
Platform (CWPP) modules. Access the Compute Console, which contains the CWPP module, from the Compute
tab in the Prisma Cloud UI.

Prisma Cloud Compute Edition (PCCE) - Hosted by you in your environment. Prisma Cloud Compute Edition
(PCCE) is a self-hosted offering that’s deployed and managed by you. It includes the Prisma Cloud Compute
module only. You can download the Prisma Cloud Compute Edition software from the Palo Alto Networks
Customer Support Portal. Compute Console is delivered as a container image, so you can run it on any host with
a container runtime (e.g. Docker Engine).

With Prisma Cloud Compute Edition (PCCE), Radar is the primary interface for monitoring and understanding
your environment. It is the default view when you first log into PCCE Console. It is designed to let you visualize
and navigate through all of Prisma Cloud’s data. For example, you can visualize connectivity between

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 25

microservices, then instantly drill into the per-layer vulnerability analysis tool, assess compliance, and investigate
incidents, all without leaving the Radar canvas.

PCC features to be used:

● Cluster pivot
● Host pivot

In this activity you will:

● Review and operate the Radar
● Review image for easy analysis of your containerized apps
● Review network traffic flows
● Review runtime, vulnerability or compliance issue they contain

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Log in to Prisma Cloud Compute Edition Console

Complexity: Easy

Scenario: Accessing Prisma Cloud Compute Edition

Key Takeaways:
● Different ways to access Prisma Cloud Compute Edition in the lab.

Step 1. There are a couple of ways to access the Prisma Cloud Compute Edition Console (PCCE Console) in
this lab.

Step 2. Approach 1 - Application Portal:

a) Head over to the Application Portal as outlined in Activity 0 > Task 3.

b) Click on Prisma Cloud Compute Console . Henceforth referred to as PCCE Console

c) When presented a Security exception, click on Advanced > Proceed to 10.160.154.170 (unsafe)

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 26

d) Login to the PCCE console using the following credentials, with Local/LDAP in the drop down:

➢ Credentials: admin/p@lo@lto

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 27

Step 3. Approach 2 - Via External Address:

a) Click on Docker Workstation CloudShare Tab. From the left pane, select Connectivity > Connection
Details > External Address (when you click on it, the address will be copied to clipboard)

b) On your laptop browser, navigate to: https://<external address>:8083

Note: You will get a security exception, please ignore it for this lab and proceed to the login page. We
are using a self-signed certificate, which causes the exception.

Step 4. If the message Your connection is not private opens, click Advanced, and then Proceed to <IP
address> (unsafe). Non Chrome browsers might have a different behavior

Step 5. Login to the PCCE console using the following credentials, with Local/LDAP in the drop down:

➢ Credentials: admin/p@lo@lto

Task 2 - Prisma Cloud Compute Edition overview

Complexity: Easy

Scenario: Prisma Cloud Compute Edition Overview

Key Takeaways:
● Containers and Hosts discovered by Prisma Cloud
● Radar view

This task guides you through key elements of the Prisma Cloud Compute console to ensure that you are aware of
them. Use this time to explore these elements at your own pace to discover points of interest.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 28

Step 1. Once logged in, you will be placed in Radars, the primary interface for monitoring and understanding
your environment. It is designed to let you visualize and navigate through all of Prisma Cloud
Compute’s data. Click on any container to view the details on that container.The defender and the
console containers are the key components for Prisma Cloud Compute Edition.

Step 2. Change the View based on different Radar view categories by clicking the dropdown on the top left
corner

Step 3. Click Radars > Hosts, then click the docker-workstation host icon to review the host dashboard.
There is only one host in this lab.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 29

Step 4. Change the View based on different Radar view categories by clicking the dropdown on the top left
corner.

End of Activity 2

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 30

Activity 3: Adding AWS Account in Prisma Cloud Compute
In this activity you will:
● Login to AWS Account and review the setup
● Add the AWS Account to Prisma Cloud Compute and setup scanning

Task 1 - Login to AWS Account and review the setup

Complexity: Easy

Scenario: AWS Account onboarding in Prisma Cloud Compute

Key Takeaways:
● How to access and use lab provided AWS Account

Step 1. Click the Public Clouds icon in the lower left corner. Click Public Clouds Log to make sure all the
resources have been created and deployed successfully.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo
environment. It does so by giving you temporary AWS credentials that you use to sign in and access the AWS
console for the duration of the lab.

Step 2. Click on the Public Clouds icon. A Public Cloud pop up window will appear. Keep this window open.
You are going to use the AWS credentials from this pop up window to login on AWS console

Step 3. Right click on the value for the Account ID in the Public Clouds section in CloudShare and select
Copy link address

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 31

Step 4. Open an incognito browser tab/window in your computer and paste the link that was copied in the
previous step. Use the credentials displayed on the screen from the previous step for your
environment to login to AWS Console

Step 5. [Important] Change the AWS region to N. Virginia by clicking on the region drop down arrow and
select the US East (N. Virginia) us-east-1

Step 6. In the AWS console select the search for service box and type cloudformation. Click on
Cloudformation service and select Stacks and you should be able to see 2 stacks.

Step 7. Agentless CloudFormation stack creates an IAM policy that is required for Agentless scanning
capabilities of Prisma Cloud Compute. The second CloudFormation Stack AWS-EC2 is responsible
for creating 2 EC2 instances which will be scanned by the Agentless module, which will be covered in
this lab. For the ease of lab, these prerequisites are already created for you.

Task 2 - Create IAM Access Key for the AWS Account

Complexity: Easy

Scenario: AWS Account onboarding in Prisma Cloud Compute

Key Takeaways:
● Create AWS IAM Access Key

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 32

Step 1. In the AWS console > Services > IAM > Users (to get to the IAM console, you can also do: AWS >
Search > IAM) . Click on the user name wus-cloudshare.

Step 2. In the account summary page, click on the Security Credentials tab and then scroll down to the
Access Keys section click Create access key.

Then select Command Line Interface radio button and select the I Understand the above…
checkbox and click Next and then click Create access key

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 33

Step 3. Click on Download .csv file. Make sure you download the secret access key file.

Step 4. Open the accessKeys.csv file to make sure you have downloaded the key (Note that after you close
the dialog box, you can’t retrieve this secret access key again.) You can open the csv file and you
should see the Access Key ID and the Secret access key in the file. We will be using this
information later during the lab.

Task 3 - Add the AWS Account and setup scanning

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario: AWS Account onboarding in Prisma Cloud Compute Edition

Key Takeaways:
● Use the AWS Credentials created in the previous task.
● Onboarding AWS Account and setting up Agentless scanning

Step 1. Head back to CloudShare Portal > Docker Workstation Tab. Select Connection Details and click
on the External Address to copy the external address

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 34

Step 2. Navigate to PCCE Console > Manage > Defenders > Names. Click on Add SAN and paste the
string that you had copied and click Add SAN. Once you add this, you will be logged out and you will
need to re-authenticate with PCCE Console

Step 3. Navigate to PCCE Console > Manage > Cloud Account. Select Add Account and select/enter the
following details and click Next:
● Cloud Provider: AWS
● Region Type: Regular Regions
● Account Name: UTD-Account
● Authentication Method: Access Key
● Access Key: Paste the Access Key created previously
● Secret Key: Paste the Access Key created previously

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 35

Step 4. In the Agentless Scanning screen, select the previously added external Address from the
Console URL drop down menu and click Next

Step 5. In the serverless scan screen, click next.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 36

Step 6. For Discovery features, enable the option Cloud Discovery and click Add Account

Step 7. Navigate to PCCE Console > Monitor > Vulnerabilities and select "Hosts" from the top menu and
select Scan Agentless.

Step 8. This will start the discovery process of Cloud Resources within the onboarded account and will also
initial Agentless scanning, which we will come back to in later sections during this workshop

End of Activity 3

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 37

Activity 4: Investigate and Remediate Cloud Service
Configuration Alerts
Background: This example demonstrates how Prisma Cloud alerts on risky Azure Firewall Rules configurations
and how you can leverage the Prisma Cloud data correlation to analyze the Firewall risks in more detail.
In this activity you will:

● View Alert on risky Firewall Rule configurations.

● Analyze the current Firewall Rule configuration settings.
● Analyze the change history for the Firewall Rule configuration settings(show how the Firewall
Rule got to the current state).
● View how Prisma Cloud remediation commands can be leveraged to remediate / auto-remediate
security findings.

Note: This is a standalone activity and is not dependent on other activities.

Hint: As you navigate the alerts view in the Prisma Cloud console you can click the
“Add filters” button (marked with green in the below screenshot) to enable/disable the
needed filters on the left side of the console.

Task 1 - Review a Prisma Cloud Alert

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● Your organization has an Azure account and cloud resources in it. It's currently boarded into the Prisma
Cloud.
● You want to view alerts on risky Firewall Rule configurations to gain a better understanding of the
security posture of your Azure Cloud Account.

Key takeaways:
● Understand how you can leverage the Prisma Cloud data correlation to analyze the Firewall risks in
more detail.

Step 1. Navigate to Prisma Cloud Enterprise Edition console > Alerts > Overview.

Step 2. Select the Reset Filters icon on the top right corner of the screen to reset all filters and set the Time
Range to All Time.

Step 3. In the filter options, select the following:

A. Cloud Account = Azure Account

B. Alert Status = Open
C. Policy Type = Config

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 38

Step 4. In the results pane, use the search bar on the upper right to search for Azure Network Security
Group, find and click on the alerts number in the Alerts Column that allows all traffic on RDP port
3389.

Step 5. Click the corresponding value for the Alert ID column next to the Resource Name to see the alert
overview.

Step 6. Then click the View Details option, which shows you the current Firewall configuration for the selected
firewall rule.

Step 7. In the Resource Config Tab, You’ll now see the current Firewall configuration settings for the selected
firewall rule. You can see here that there is a security group that allows all inbound traffic to port 3389,
which should not be used as a best security practice. Close the Configuration window once ready to
move on.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 39

Note: With Prisma Cloud you are able to view Alerts that have been triggered due to a
policy violation for a configuration, network or audit policy. It also allows you to
drill down and examine the alert as well as the resource configuration to examine what
may have caused the violation.

Task 2 - Analyze the Audit Trail

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● You have identified an alert on risky Firewall Rule configuration from the previous task
● Now, you want to investigate and understand how the Firewall Rule got to the current state.

Key takeaways:
● Understand how you can leverage the Prisma Cloud data to analyze the audit trail

Step 1. Under the Resource Name column, click the name of the firewall rule Rdp to view the Audit Trail for
the firewall rule.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 40

Step 2. You will be taken to an Audit Trail for the resources where you will be able to see the timeline of the
configuration changes made on the resource from the time it was discovered by Prisma Cloud. This is
continuously monitored by Prisma Cloud and any changes to the configuration are recorded.

Step 3. Click on the </> to view the resource configuration

Step 4. You can get further information associated with the resources including Config

Task 3 - Remediate a Security Event

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● You have analyzed the audit trail and have all the context and background about the alert from the
previous tasks
● You now want to remediate that security event and resolve the alert.

Key takeaways:
● Understand how you can leverage the Prisma Cloud to remediate the security event effortlessly.

Step 1. Head back to the Alerts Overview > Azure Network Security Group allows all traffic on RDP Port
3389 screen (using the Keyboard : Back controls). Make sure to set the “Time Range” filter to “All Time”.
Click on the Alert number in the Alert Count column and click the "Recommendation" tab next to the
Violating Resources column, which will show you the Prisma Cloud remediation recommendation
associated with this alert.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 41

Step 2. Prisma Cloud will provide recommended remediation steps to resolve this alert. But since the lab account
only has read-only access to the environment, you will not be able to execute the steps in the lab. Prisma
Cloud auto-remediation can be enabled and/or Prisma Cloud remediation commands can be sent
upstream to automation frameworks, ticketing systems, SIEM solutions for execution.

Step 3. Now go ahead and review a few more remediation examples of the configuration alerts.

Note: With Prisma Cloud you are able to get a JSON of your resource
configuration so that you can easily understand what are the changes that were
made over time to identify when the alert violation occurred and who made the
change. Prisma Cloud can also be used to Remediate those violating
configuration in your resources by issuing the CLI commands to correct those
misconfigurations. This can also be set to Auto Remediate.

End of Activity 4

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 42

Activity 5: Prisma Cloud Network Monitoring

Background: This example demonstrates how Prisma Cloud can be used to alert on suspicious network traffic,
and how to analyze networks in the Prisma Cloud console.
In this activity you will:

● View a Network Alert for suspicious activity

● Analyze the Network Visualization to trace resources that may have been impacted
● View the traffic that is reaching your cloud workloads
● Examine Vulnerabilities that have been detected on your cloud Workload to understand the risk
posture

Note: This is a standalone activity and is not dependent on other activities.

Hint: As you navigate the alerts view in the Prisma Cloud console you can click the
“Add filters” button to enable/disable the needed filters on the left side of the
console.

Task 1 - Investigate a Network Alert

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● Your organization is operating in a hybrid cloud environment and you have compute resources
deployed across multiple Cloud providers.
● Some of these resources are internet facing.
● View a Network Alert for suspicious activity. detected by Prisma Cloud.

Key takeaways:
● Understand how Prisma Cloud can be used to alert on suspicious network traffic.

Step 1. In the Prisma Cloud Enterprise Edition console, click the Alerts tab and then Overview.

Step 2. Select the Reset Filters icon on the top right corner of the screen to reset all filters and set the Time
Range to All Time.

Step 3. Click on Add Filter icon and select the following options:

A. Alert Status = Open

B. Policy Type = Network
C. Cloud Account = AWS UTD Account

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 43

Step 4. Search for the Instances exposed to network traffic and click on Alerts (number) in Alert Count Column

Step 5. Search for the linux using the search bar. Click on the corresponding value in the Alert ID Column for
LinuxBastion. Then click Investigate.

Step 6. In the Investigate window, change the time range to Past 7 days in the top right corner.You’ll now see a
network map with the workloads(virtual machines) that have received traffic from public IP addresses
within the time range selected in the top right corner of the console.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 44

Step 7. You can click the Download button to download traffic details in a csv file for review. You can open the
csv file in either excel or notepad

Task 2 - Modifying the RQL to search for Suspicious Network Activity

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● Your organization is operating in a hybrid cloud environment and you have compute resources
deployed across multiple Cloud providers and some of these resources are internet facing.
● Analyze the Network Visualization to trace resources that may have been impacted.

Key takeaways:
● Understand how Prisma Cloud NEtwork Visualization can be used to to trace resources that may have
been impacted
● Prisma Cloud Resource Query Language (RQL)

Prisma Cloud Resource Query Language (RQL) is a powerful and flexible tool that helps you gain security and
operational insights about your deployments in public cloud environments. You can use RQL to perform
configuration checks on resources deployed on different cloud platforms and to gain visibility and insights into
user and network events. You can use these security insights to create policy guardrails that secure your cloud
environments. We are going to take a closer look at the RQL here.

Note: Animation may take some time to load after the RQL query is executed.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 45

Step 1. Following on from the previous example, modify the RQL at the top of the page, and delete the following
string AND accepted.bytes > 0 AND cloud.account = 'AWS Prod' AND cloud.region = 'AWS Oregon'
AND dest.resource IN (resource where tag ('name') ='LinuxBastion', and press enter.

Step 2. The new text in the RQL search bar should look like this. You will now see a network map of traffic coming
from suspicious IP Addresses.

Step 3. You will now see a network map of traffic coming from suspicious IP Addresses. Your diagram may look a
little different as the cloud environment is very dynamic.

Step 4. Single-click on PANW-WebServer in the network map, and explore the Instance Summary sections on
the right side to review some of the instance information such as IP addresses, VPC, Account Names,
etc.

Step 5. Click the Network Summary section on the right side of the console and see the Firewall Rules applied
to the selected workload. You can see there are no limitations on both inbound and out-bound traffic,
which is a security risk.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 46

Step 6. Click on the Traffic Summary (under Network Summary) to see the percentage of traffic from each source
IP. Press ESC to close the Traffic Summary window.

Task 3 - Examining the Network Blast Radius of a potentially compromised host

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Key takeaways:
● Understand how Prisma Cloud Network Visualization can be used to examine the blast radius.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 47

Prisma Cloud can be used to analyze East-West traffic (lateral movement) in the cloud environment. We are going
to take a quick look here.

Step 1. Continuing from the last task, ensure the Past 7 days is selected in the time range next to the RQL
search field.

Step 2. Double click the LinuxBastion host in the network map to analyze the East - West traffic (blast radius)
behind the LinuxBastion host.

Step 3. Review the Instance Summary of the LinuxBastion to get some idea of where this VM is hosted.

Task 4 - Examining the Traffic from Suspicious IPs

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Key takeaways:
● Understand how Prisma Cloud Network Visualization can be used to examine the blast radius.

Step 1. In the network map, click on the communication links from the Suspicious IPs to the LinuxBastion VM.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 48

Step 2. You’ll now see a list of ports and traffic information on the right side of the console. What port(s) are the
suspicious IPs using to access the LinuxBastion VM?

Step 3. Click the View Details option to open a more detailed view of the inbound traffic to the LinuxBastion VM.

Step 4. Review the Threat Feed Source column that indicates the services that identify those IPs as suspicious. If
you see AutoFocus, that is the threat intelligence service provided by Palo Alto Networks, see here for
more details. You can download the list of suspicious IP addresses and access the LinuxBastion VM for
further analysis or action. Click ESC to close the details window.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 49

Task 5 - Examining the Host Vulnerability Findings
Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● Your organization is operating in a hybrid cloud environment and you have compute resources
deployed across multiple Cloud providers and some of these resources are internet facing
● Examine Vulnerabilities that have been detected on your Cloud Workload to understand the risk
posture

Key takeaways:
● Understand how Prisma Cloud Network Visualization can be used to examine the blast radius.

Step 1. Click on the LinuxBastion VM, and under the Instance Summary, click the Resource ID to investigate
further on the VM.

Step 2. Go to the Findings tab at the top of the page to get details on 3rd Party Vulnerability findings. Notice the
findings by AWS GuardDuty.

Step 3. In this case the host has vulnerabilities and is taking traffic directly from a suspicious Internet IP and
should be investigated further.

Step 4. Click on the Vulnerabilities tab to look at host vulnerabilities for that resource.

End of Activity 5

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 50

Activity 6: Prisma Cloud Application Security
Background: Application Security on Prisma Cloud enables you to add security checks to your existing IaC
(Infrastructure-as-Code) model, ensuring security throughout the build lifecycle. In this section, you will see how
Prisma Cloud can scan Infrastructure-as-Code (IaC) templates in Terraform, CloudFormation, Dockerfiles, and
Kubernetes to identify misconfigurations in code.

In this activity you will:

● Examine code that have secrets hardcoded/exposed

● Investigate issues related to misconfigured Kubernetes resource definitions
● Examine vulnerabilities that occur due to vulnerable packages within Dockerfiles
● Investigate misconfigurations in storage related resource definitions

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Examine code that has secrets hardcoded/exposed

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● Your team has a Github source code repository and you want to assess the security posture by
scanning the repo to see if there are any misconfigurations and vulnerabilities before it’s deployed.

Key Takeaways:
● Explore Prisma Cloud Application Security module.
● Examine secrets hardcoded that’s detected by Prisma Cloud.

Step 1. Navigate to Prisma Cloud > Application Security > Projects. Below are a few examples of filters
that you can use. Make sure that there’s nothing selected for the Severities filter.

Step 2. Select the Secrets tab and set the repository filter to UltimateTestDrive/utd-vuln-code

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 51

Step 3. The above filter lists all the resource definitions (Terraform and AWS CloudFormation) where secrets
are hard coded or exposed. Explore the different code blocks that are matched by this filter.

Step 4. Click on cnf.yaml and on the right pane, select issues and scroll down to see the details.

Task 2 - Investigate IaC Misconfigurations

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Key Takeaways:
● Explore Prisma Cloud Application Security module.
● Explore detected misconfigurations in code such as Terraform, Kubernetes manifests etc.

Step 1. Select the IaC Misconfiguration tab and set the below filters:

Repository: UltimateTestDrive/utd-vuln-code
Issue Status: Errors
Severities: Critical, High

Note: Once you apply the filter, you may need to scroll down the page to find the highlighted result.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 52

Step 2. The above filter lists all the issues/misconfiguration within the selected repository. Explore the different
code blocks that are matched by this filter.

Step 3. Select AWS S3 bucket ACL grants READ permission to everyone and click on one of the entries
that has the label Has Fix. See the screenshot above.

Step 4. Optionally, click on the overview tab. Here you can add an additional filter by clicking on the filter icon
on the left and selecting IaC Categories and selecting Kubernetes to filter only Kubernetes related
code. Once you apply the filter, explore the filtered results before proceeding to the next step.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 53

Task 3 - Examine vulnerabilities in code
Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Key Takeaways:
● Explore Prisma Cloud Application Security module.
● Explore detected vulnerabilities in Docker code.

Step 1. Navigate to Prisma Cloud > Application Security > Projects and select the Vulnerabilities tab and set
the below filters:

Repository: UltimateTestDrive/utd-vuln-code
Issue Status: Errors
Code Categories: Vulnerabilities
Severities: Critical, High

Step 2. The above filter lists all the resource definitions (Dockerfiles) vulnerable base-image, package or code is
detected. Explore the different code blocks that are matched by this filter.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 54

Task 4 - Prisma Cloud Application Security
Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● Your team has a Github source code repository which is onboarded into Prisma Cloud.
● Whenever your team creates a PR (pull request), you would like automated scans to be performed on
the changes and you’d like the PR to automatically be received by Prisma Cloud and have it comment
it’s findings on the PR

Key Takeaways:
● Prisma Cloud Pull request review feature.

Step 1. Head over to utd-vuln-code Github repository. This repo contains intentionally vulnerable code and this
repo has already been onboarded within Prisma Cloud, which we will review in a bit.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 55

Step 2. Head over to the open pull requests in the Github repo.

Step 3. Here, you can see various comments by Prisma Cloud that occur automatically when a pull request is
created for an onboarded source code repository.

Step 4. Looking closely at one of the findings and comments, you can see the violation title and description
and also information on how to fix it. You can also see the code snippet which triggered this violation.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 56

Step 5. Scrolling to the top of the PR, clicking on View reviewed changes brings up another interesting view
which you can explore.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 57

Step 6. Navigate to Docker Workstation and in the terminal run the below commands to stop VS Code
container in preparation for the next set of activities:

Step 7. You can also view these findings in Prisma Cloud as well. Head over to Prisma Cloud > Application
Security > Projects > VCS Pull Requests and select the following filters:

● Repositories: UltimateTestDrive/utd-vuln-code
● Pull Request: #1 - Second Commit

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 58

Task 5 - Auto Remediation
Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Key Takeaways:
● Explore Prisma Cloud Application Security module.
● Prisma Cloud’s automated fix feature.

Step 1. Navigate to Prisma Cloud > Application Security > Projects > Overview tab and select the below
filters. Make sure to unselect the filters selected in the previous task(s) first.

Repository: UltimateTestDrive/utd-vuln-code

Step 2. From your left pane, select the filter icon to add a filter: IaC Labels and select Has Fix

Step 3. Clicking on any of the results will display Details section that contains information on what the fix is and is
highlighted in green

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 59

Step 4. Clicking on + icon against a file or sub results of the file will create a fix and will be added to the staged
PR. When you click Submit, the PR will be created with all the fixes that you selected.

Step 5. Please note that you will not be able to see “Fix” and “Submit” (grayed out) options as we are using a
user with Read-Only permissions for the purpose of the lab. “Fix” and “Submit” options will apply the
Prisma Cloud suggested fix and commit the changes to the source control repository. The “Fix” and
“Submit” options are included in the screenshots to demonstrate the capabilities of the Application
Security module.

End of Activity 6

Activity 7: Compliance Management

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 60

Background: Prisma Cloud helps enterprises monitor and enforce compliance for hosts, containers and
serverless environments. Use the compliance management system to enforce standard configurations and
security best practices.

PCC features to be used:

● Compliance Explorer

In this activity you will:

● Review Prisma Cloud Enterprise Compliance explorer.
● Review Prisma Cloud Compute Compliance explorer.

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Prisma Cloud Enterprise - Compliance Explorer

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● Your team/organization wants more visibility on Compliance in your environment.

Key Takeaways:
● Prisma Cloud Compliance Explorer.
● Compliance Explorer gives you a picture of the overall compliance of the entities in your environment.

Step 1. Go to Prisma Cloud Enterprise > Compliance > Overview

Step 2. Here you can see the compliance overview. You can also understand the Compliance Trend over a
period of time. You can also explore Compliance Coverage

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 61

Step 3. Scrolling a bit down, you can see the existing Compliance Standards. Clicking on one of the standards,
will bring up that Compliance Standard and the onboarded resources will be assessed for that standard
specifically.

Step 4. In the breadcrumbs on the top, click on Overview to get back to the previous screen.

Step 5. Clicking on View Requirements of a specific Compliance Standard will show the requirements of that
standard. You can also see the total number of Policies for that standard and the number of passing and

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 62

failed policies as well.

Step 6. Navigate to Prisma Cloud Enterprise > Compliance > Reports

Step 7. Click on Add Filter and select Cloud Account and then select AWS UTD Account. Here you can see the
Compliance reports for the selected AWS Cloud Account.

Step 8. Clicking on the Download icon, you will be able to download the report. However, you will not be able to
do that in this lab environment.

Step 9. Navigate to Prisma Cloud Enterprise > Compliance > Standards. Here you will be able to see all the
available Compliance Standards. You can explore different compliance standards and the applicable
Clouds as well.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 63

Task 2 - Prisma Cloud Compute - Compliance Explorer
Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● Your team/organization wants more visibility on Compliance in your Compute environment.

Key Takeaways:
● Prisma Cloud Compliance Explorer.
● Compliance Explorer gives you a picture of the overall compliance of the entities in your environment.

Step 1. Compute Section is available both in Prisma Cloud Enterprise Edition as well as Prisma Cloud Compute
Edition. Both offer the same capabilities. For this task, we will be looking at Prisma Cloud Compute
Edition compliance explorer

Step 2. Go to PCCE Console > Monitor > Compliance > Compliance Explorer. Here you can get an overview
of Compliance for your compute environment.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 64

Step 3. Clicking on the Containers tab will bring up the list of containers in the environment and shows the
Compliance status of that container.

Step 4. Clicking on Images tab, will bring up the list of images in the environment and provide the compliance
status of those images.

End of Activity 7

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 65

Activity 8: Prisma Cloud Data Security
Background: This section showcases the Data Security capabilities of Prisma Cloud and how it enables you to
discover and classify data stored in AWS S3 buckets and protect accidental exposure, misuse, or sharing of
sensitive data. To identify and detect confidential and sensitive data, Prisma Cloud Data Security integrates with
Palo Alto Network's Enterprise DLP service and provides built-in data profiles, which include data patterns that
match sensitive information such as PII, health care, financial information and Intellectual Property. In addition to
protecting your confidential and sensitive data, your data is also protected against threats—known and unknown
(zero-day) malware—using the Palo Alto Networks WildFire service.

In this activity you will:

● Get an overview of Data Security via Prisma Cloud dashboard and inventory
● Examine Sensitive Objects discovered by Data Security

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Data Security Overview

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● You have AWS S3 bucket(s) in your organization, where you store certain data.
● You want to discover and classify data stored in AWS S3 buckets and protect against accidental
exposure, misuse, or sharing of sensitive data.

Key takeaways:
● Explore Prisma Cloud Data Security Dashboard to get an overview of the assets discovered by it.

Step 1. Navigate to Prisma Cloud > Dashboard > Data and select the following filters:

Time Range: All Time

Cloud Accounts: AWS UTD Account

Step 2. This dashboard provides a good overview and representation of detections by the Data Security module.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 66

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 67
Step 3. Navigate to Prisma Cloud > Inventory > Data and select the following filters:

Time Range: All Time

Cloud Account: AWS UTD Account
Cloud Service: Amazon S3

Step 4. This provides an overview of the Data inventory of the connected Cloud Account and a specific S3 bucket
based on the selected filters.

Task 2 - Examine Sensitive Objects discovered by the Data Security module.

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Key takeaways:
● To identify and detect confidential and sensitive data, Prisma Cloud Data Security integrates with Palo
Alto Network's Enterprise DLP service and provides built-in data profiles, which include data patterns
that match sensitive information such as PII, health care, financial information and Intellectual Property.
● Protect data against threats - known and unknown (zero-day) malware—using the Palo Alto Networks
WildFire service.

Step 1. Click on the number in the Sensitive Objects column. In this page, for the Data Profiles filter, make
sure that the following options are selected: Financial information, Healthcare, Intellectual Property,
PII

Step 2. Set the Time Range to All Time.

Step 3. In the results, search for and select 26_all_patterns_test.txt. This displays all the sensitive information
detected by the Data Security module in that specific file/object Now, under the Snippets column, if
there's a snippet available, “available” keyword should be highlighted which can be selected to display
the snippet which triggered the alert. There are multiple snippets that are detected based on selected
data profiles and feel free to check out different snippets that are generated.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 68

Note: If the snippet is not available, select Generate Snippet and the snippet will be generated and it will
take a few moments for it to complete.

Step 4. Navigate to Prisma Cloud > Inventory > Data and select the following filters:

Time Range: All Time

Cloud Account: AWS UTD Account
Malware: True
Cloud Service: Amazon S3

Step 5. Click on the number in the Malware column and in the search bar and click on any of the files to find
details about the detected malware.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 69

End of Activity 8

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 70

Activity 9: Prisma Cloud IAM Security
Background: Prisma Cloud IAM Security helps you address the security challenges of managing IAM in cloud
environments. Prisma Cloud IAM Security capabilities automatically calculate effective permissions across cloud
service providers, detect overly permissive access and suggest corrections to reach least privilege entitlements. It
includes out-of-the-box policies that govern IAM best practices to help you identify risky permissions and get to
the ideal set of privileges for your deployment.

In this activity you will:

● Explore IAM Policies Dashboard

● Investigate over-privileged AWS IAM permissions
● Use RQL queries to determine permissions

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Explore IAM Policies Dashboard

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● You have an AWS Account for your team and you have many IAM roles and profiles.
● You want to get visibility into all the IAM policies and make sure that they aren’t over permissive and
maintain good security posture.

Key takeaways:
● Prisma Cloud IAM Security capabilities.
● Out of the box Prisma Cloud IAM governance policies.

Step 1. Navigate to Prisma Cloud > Policies. Select the filter button and apply the following filters:

Policy Type: IAM

Policy Mode: Prisma Cloud Default

Step 2. The dashboard should display all the default Prisma Cloud Policies that come out of the box

Task 2 - Investigate over-privileged AWS IAM permissions

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Key takeaways:
● Investigate over-privileged AWS IAM Permissions.

Step 1. Navigate to Prisma Cloud > Alerts > Overview. Select the filter button and apply the following filters:

Time Range: All Time

Time Range Type: Alert Opened
Alert Status: Open
Policy Type: IAM
CloudAccount: AWS UTD Account

Step 2. In the search bar, type in the following to filter the alert: AWS EC2 with IAM wildcard resource access

Step 3. Click on the number in the Alerts column. This should display all the violating resources.

Step 4. Click on the Alert ID in the Alert ID column for any resource from the list and select investigate.

Step 5. Click on the "<>" icon in the Actions column to view the resource config.

Step 6. Head back to the Alerts Overview (step 1 - 4) and select the Recommendation option to view the
suggestion to remediate the resource violation.

Task 3 - Use RQL queries to determine net permissions

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Key takeaways:
● Prisma Cloud RQL(Resource Query Language)

Step 1. In this task, we will find out, with a simple RQL query, the net effective permissions of an IAM user to
demonstrate the effectiveness of IAM RQL queries in Prisma Cloud

Step 2. Navigate to Prisma Cloud > Investigate and paste the below query in the search (CTRL+V on your
keyboard should work for pasting into Prisma Cloud VM).

config from iam where source.cloud.resource.name = 'demo-user' AND

dest.cloud.account = 'AWS UTD Account'

Step 3. Click on the "Graph" icon.

Step 4. This graph shows the permissions that the IAM user “demo-user” holds within AWS Account named
“AWS UTD Account”

Step 5. Within the destination column of the graph, select “codecommit” (or run the query below) and select the
expand icon to see the granular permissions.

config from iam where source.cloud.resource.name = 'demo-user' ANDdest.cloud.account =

'AWS UTD Account' AND dest.cloud.service.name = 'codecommit'

Step 6. From the screenshot, you can see that there’s a “*” (wildcard) permission assigned, which is not a best
practice implementation in a production environment.

Step 7. From the top right corner of the Investigate page, select “clear all” to clear the previous query and run the
following query to determine which roles and users have access to a specific S3 bucket

config from iam where dest.cloud.service.name = 's3' AND dest.cloud.resource.type =

'object' AND action.name = 'S3:GetObject' AND dest.cloud.account = 'AWS UTD Account'
and dest.cloud.resource.name = 'elasticbeanstalk'

Step 8. After you run the above RQL query, select the “Graph” button. In the “Source” column, select “IAM” and

expand the tile.

Step 9. After you run the above RQL query, select the “Graph” button. In the “Source” column, select “IAM” and
expand the tile to see the full permission.

End of Activity 9

Activity 10: Agentless Scanning
Background: This section outlines how Agentless scanning helps users inspect the risks and vulnerabilities of a
virtual machine without having to install an agent or affecting the execution of the instance. In a mixed
environment, having just agents or just agentless scanning will not meet all of the diverse security needs. A
combined approach is needed in order to ensure you have complete coverage. Prisma Cloud is proud to be the
first security platform to offer both agent-based and agentless security together from a single solution, giving you
and your teams the flexibility and choice to deploy or activate the right method of protection in a mixed
environment.

In this activity you will explore Prisma Cloud Compute Agentless scanning capabilities

Note: This activity is dependent on Activity 3.

Task 1 - Prisma Cloud Compute Agentless scanning

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● You have AWS EC2 instances where you cannot install Prisma Cloud Defenders but you want to have
complete coverage of all the resources.

Key takeaways:
● Prisma Cloud Agentless capabilities.

Step 1. Navigate to PCCE Console > Monitor > Vulnerabilities and select "Hosts".

Note: If you do not see more than 1 host listed under hosts, head to PCCE Console > Monitor > Hosts and click
on Scan Agentless and wait for a few minutes for the agentless scanning to be complete.

Step 2. The Agentless column in the table indicates whether or not the Agentless module was used to scan that
particular host.

Step 3. Identify one of the hosts where the agentless is enabled and hover the mouse over the number in the
"Risk Factors" column to see the risk factors associated with that host.

Step 4. Click on the identified host from the previous step to see the Host details gathered by the Agentless
module.

Step 5. Click on any of the identified vulnerabilities to see details, CVE and the risk factor score

Step 6. Click on the "Package Info" tab to see the list of packages installed on that host. Once done, click on the
"Close" button".

Step 7. Navigate from the "Hosts" tab at the top of the screen to "Vulnerability Explorer"

Step 8. On the same page, scrolling down further, you will see "Top critical vulnerabilities (CVEs)". Click on any
of the vulnerabilities. For example, selecting CVE-2021-3177 row and clicking on the corresponding entry
on the "Impacted Packages" column will show more information about the CVE and the hosts impacted
by this vulnerability.

End of Activity 10

Activity 11 [Optional]: Prisma Cloud Integrations
Background: Prisma Cloud provides multiple out-of-the-box integration options that you can use to integrate
Prisma Cloud into your existing security workflows and with the technologies you already use. In this activity you
will explore some of those integrations.

In this activity, following integrations are showcased:

● Prometheus and Grafana
● Webhook
● Splunk
● Mail

It’s recommended that you pick 1 or 2 tasks in this activity that are most relevant to you depending on
your interest.

Note: This is a standalone activity and not dependent on previous activity.

Task 1 - Prometheus and Grafana Integration

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● In your organization, you have an existing monitoring setup that consists of Prometheus and Grafana.
● You want to integrate Prisma Cloud with Prometheus and Grafana

Key takeaways:
● Prisma Cloud Prometheus and Grafana integration.

Step 1. We’ve already configured Prisma Cloud Compute and Prometheus instrumentation. Navigate to PCCE
Console > Manage > Alerts > Logging and you can see that Prometheus Instrumentation is
enabled.

Note: Vulnerability and compliance data is refreshed every 24 hours. All other data is refreshed every 10 minutes.
To ensure a reliable and smoother user experience, the integration has been preconfigured. To review the
Prometheus configuration file, please run:

cat /home/sysadmin/setup/volumes/prometheus/prometheus.yml

Step 2. From the Application Portal, click on Prometheus to ensure that it’s up and running.

Step 3. Navigate to Prometheus > Status > Targets and notice that targets are Up. If not, wait for a few
seconds.

Step 4. Navigate to Application Portal > Grafana (creds: admin/admin). When logging in for the first time, if
you are prompted to change the password, you can skip it by clicking Skip.

Step 5. Within Grafana, head over to Home > Connections > Data Sources

Step 6. The Grafana setup is already configured with Prometheus as its Data Source.

Step 7. Head back to Grafana Dashboard. There are already some Grafana Dashboards that are set up as
part of the bootstrap process to visualize data that would come in from Prisma Cloud, which we can
explore. Head over to Grafana > Home > Dashboards

Step 8. Expand Prisma-Cloud-Dashboards and click on Compute Prometheus Gauge

Step 9. In the top right corner of Grafana, select the drop down against Last 1Hour and select 5m

Step 10. This Dashboard provides a lot of useful pieces of information about Prisma Cloud Setup, which you
can explore. As we progress through the lab and as more data comes in, the Dashboards will be
populated with more information.

Step 11. Let’s repeat the process for the other Prisma-Cloud-Dashboards from step 7 . Head over to Grafana
> Home > Dashboards > Compute Prometheus Counters

Step 12. Navigate to Docker Workstation and in the terminal run the below commands to stop Prometheus and
Grafana containers in preparation for the next set of tasks as they aren’t needed anymore:

docker stop prometheus

docker stop grafana

Task 2 - Webhook Integration

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● In your organization, you have a custom setup that consumes incoming webhook data from multiple
sources and runs custom data processing and/or manipulation.
● You would like to configure Prisma Cloud alerting via webhooks feature.

Key takeaways:
● Prisma Cloud webhook integration.

Step 1. Navigate to PCCE Console > Manage > Alerts > Manage and click on Add Profile to add a provider

Step 2. Set the Profile name as Webhook and select Webhook in the Provider dropdown and click Next

Step 3. For the Triggers, enable the following and click next:
● Vulnerabilities: All
● Compliance: Container and Image compliance
● Runtime: Container runtime and Incidents
● Access: All

Step 4. Head over to the Application Portal and click on Webhook under Monitoring and Alerting

Step 5. Select Copy Webhook URL and head back to the Prisma Cloud Compute screen.

Step 6. Paste the copied URL into the Incoming webhook URL field and click Next

Step 7. Click on Send Test Alert and if the test was successful, click save.

Step 8. Head back to the webhook application page and you should see the test webhook data come in from
Prisma Cloud.

Step 9. You have now successfully configured the Prsima Cloud Webhook integration. Let’s test it in real time.
Head back to the Docker Workstation and run the below command to trigger an incident:

docker run --name monero_cpu_minergate --rm -d

servethehome/monero_cpu_minergate

Step 10. Head back to the Webhook page to see the alert come in (the alert might differ in your case if a
different alert is triggered that was covered in previous tasks/activities):

Step 11. Navigate to Docker Workstation and in the terminal run the below commands to stop webhook and
redis containers in preparation for the next set of tasks as they aren’t needed anymore:

docker stop webhook

docker stop redis
docker stop monero_cpu_minergate

Task 3 - Splunk Integration

Complexity: Medium

Product(s): Prisma Cloud Compute Edition

Scenario:
● In your organization, you have an existing log aggregator such as Splunk setup.
● You would like to configure Prisma Cloud to ship alerts to Splunk

Key takeaways:
● Prisma Cloud Splunk integration.

Step 1. Navigate to Application Portal and select Splunk and login to Splunk (Credentials: admin/password).
Once done, click on Settings drop down from the Splunk landing page and select Data Inputs

Step 2. Click on +Add New corresponding to HTTP Event Collector row from the Data Inputs page

Step 3. Provide a Name - Prisma Cloud Compute for the event collector and click next

Step 4. In the Input Settings page, click on main under Select Allowed Indexes . Once you do this, you
should see the selected main item get copied over to the Selected item(s) box. Then click review

Step 5. Click Submit in the next page.

Step 6. In the next page, make sure to copy the token value as we will need this when we configure Prisma
Cloud. Token value might appear grayed out but it can still be copied.

Step 7. Click on Settings drop down select Data Inputs

Step 8. Click on HTTP Event Collector

Step 9. Click on Global Settings and ensure that Enable SSL checkbox is unchecked and click save

Step 10. Navigate to PCCE Console > Manage > Alerts > Manage and click on Add Profile to add a provider

Step 11. In the next screen, set the Profile Name as “Splunk” and select “Splunk” as Provider and click next

Step 12. For the Triggers, enable the following and click next:
Vulnerabilities: All
Compliance: Container and Image compliance
Runtime: Container runtime and Incidents
Access: All

Step 13. In the next settings screen, you are required to input Auth token and Splunk HTTP event collector
URL . Scroll down to the bottom:

Auth Token: Paste the one that you have copied or made note of in Step 6.

URL: http://splunk-ip:8088/services/collector .Replace splunk-ip with the actual IP of the splunk

container , which can be obtained from the Splunk web page url

Step 14. Click Next. At the summary screen, click Send test Alert and click save.

Step 15. Head back to Splunk and click on the Splunk Enterprise icon to get to the Splunk homepage. At the
homepage, click on Search and Reporting.

Step 16. Within the Search bar, enter the following search string: index=main and hit return or click the search
icon

Step 17. You have now successfully configured Prisma Cloud Integration with Splunk. Let’s test it in real time.
Head back to the Docker Workstation and run the below command to trigger an incident:

docker run --name monero_cpu_minergate --rm -d

servethehome/monero_cpu_minergate

Step 18. Head back to the previous Splunk page and within the Search bar, enter the following search string:
index=main and hit return or click the search. Click the first result and expand the message [+].

Step 19. Navigate to Docker Workstation and in the terminal run the below commands to stop splunk container
in preparation for the next set of tasks as they aren’t needed anymore:

docker stop splunk

docker stop monero_cpu_minergate

Task 4 - Mail Integration

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● You would like to configure Prisma Cloud to send you emails when there’s an alert/incident.

Key takeaways:
● Prisma Cloud mail integration.

Step 1. Navigate to PCCE Console > Manage > Alerts > Manage and click on Add Profile to add a provider

Step 2. Set the Profile name as “Email” and select “Email” in the Provider dropdown and click Next

Step 3. For the Triggers, enable the following and click next:

● Vulnerabilities: All
● Compliance: Container and Image compliance
● Cloud Discovery: Cloud Discovery
● Runtime: Container runtime and Incidents
● Access: All

Step 4. Head over to the Application Portal and click on Mail and copy the IP address from the URL bar (IP
may be different in your case)

Step 5. Head back to the Prisma Cloud Compute screen and input the following information on the
configuration screen:
● SMTP Address: The IP that you copied (without the http:// )
● Port: 1025
● From: alerts@prismacloud.local
● Recipients - Static list of emails: admin@prismacloud.local

Step 6. Click Next

Step 7. Click Next. At the summary screen, click Send test Alert and click save.

Step 8. Head over to the mail server and you should see the Prisma Cloud test alert.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 100
Step 9. You have now successfully configured Prisma Cloud and Email integration. Let’s test it in real time.
Head back to the Docker Workstation and run the below command to trigger an incident:

docker run --name monero_cpu_minergate --rm -d

servethehome/monero_cpu_minergate

Step 10. Navigate to Docker Workstation and in the terminal run the below commands to stop mail container as
they it isn’t needed anymore:

docker stop maildev

docker stop monero_cpu_minergate

End of Activity 11

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 101
Activity 12: Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive workshop. We hope you have enjoyed the presentation
and lab activities that we have prepared for you. Please take a few minutes to complete the online survey
form to tell us what you think.

Task 1: Take the online survey

Step 1. In your lab environment, click on the Survey menu item in the left menu bar.

Step 2. Please complete the survey and let us know what you think about this workshop.

Congratulations! You have now successfully completed the Prisma Cloud Native Security Ultimate Test Drive
workshop.

End of Lab

Prisma Cloud trial provisioning will take a few hours to complete. It’s very likely your free trial version tenant will
not be ready during this workshop. You can refer to the steps here to connect your existing AWS account to the
Prisma Cloud trail when it is ready. To connect other public cloud services to your Prisma Cloud trial account, visit
here for more details.
To connect your AWS Organizations (only supported on public AWS) or AWS accounts on the public AWS, AWS
China, AWS GovCloud account to Prisma™ Cloud, you must complete some tasks on the AWS management
console and some on Prisma Cloud. You will need sufficient access rights on the AWS account in order to
complete the onboarding process. The onboarding workflow enables you to create a Prisma Cloud role with either
read-only access to your traffic flow logs or with limited read-write access to remediate incidents. With the correct
permissions, Prisma Cloud can successfully connect to and access your AWS account(s).

Step 1: Create a CloudWatch log group and enable flow logs on your AWS account.

Step 2: Download the CFT template to set up the Prisma Cloud role on AWS.

(1) CFT to setup a role to Monitor the AWS account:

https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template

(2) CFT to setup a role to Monitor & Protect the AWS account:

https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template

Step 3: Create CloudFormation stack to deploy one of the CFT downloaded in the previous step to setup the
Prisma Cloud role on AWS.

Step 4: Once CFT deployment is successful, copy the value of the Prisma CloudARN from stack Outputs.

Step 5: With your Prima Cloud trial account ready, login to the Prisma Cloud tenant console and select
Settings > Cloud Accounts > Add New.

Step 6: Select AWS as the Cloud to Protect.

NOTE: Access denied is expected if you do this step on a Prisma Cloud tenant used in this lab. The
demo account used in this lab is a read-only account, it does not have full access to the Prisma Cloud
Service and access to some functions is denied.

Step 7: Enter a Cloud Account Name and click Next.

A cloud account name is auto-populated for you. You can replace it with a cloud account name that
uniquely identifies your AWS account on Prisma Cloud.

Step 8: Select either the Monitor or Monitor & Protect Mode and click Next.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 103
Mode selection decides whether to enable permissions to only monitor (read-only access) or to
monitor and protect (read-write access) the resources in your AWS cloud account.

Step 9: Paste the Prisma CloudARN (refer step 4) and click Next.

The Prisma Cloud ARN has the External ID and permissions required for enabling authentication
between Prisma Cloud and your AWS account.

Step 10: Select the account groups and click Next.

Step 11: Review the onboarding Status of your AWS account and click Done and then click Close.

The status check verifies the services that are enabled and disabled on your AWS account.

For more detailed information please take a look at below link:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platfor
m-to-prisma-cloud/onboard-your-aws-account/add-aws-cloud-account-to-prisma-cloud.html#id8cd842
21-0914-4a29-a7db-cc4d64312e56

End of Appendix-1

Teks 2
No ratings yet
Teks 2
12 pages
1-Getting Started
No ratings yet
1-Getting Started
55 pages
From C To Assembly To Shellcode - Hasherezade
No ratings yet
From C To Assembly To Shellcode - Hasherezade
35 pages
Guia de Usuario Archimate
No ratings yet
Guia de Usuario Archimate
146 pages
UTD CNSP Workshop Guide
No ratings yet
UTD CNSP Workshop Guide
110 pages
UTD CNSP 2.0 Developement Track
No ratings yet
UTD CNSP 2.0 Developement Track
132 pages
UTD-SASE-2.1 Workshop Guide-20231026
No ratings yet
UTD-SASE-2.1 Workshop Guide-20231026
109 pages
About Kubernetes and Security Practices - Short Edition: First Edition, #1
From Everand
About Kubernetes and Security Practices - Short Edition: First Edition, #1
Ami Adi
No ratings yet
A
No ratings yet
A
176 pages
Forcepoint ONE Lab Guide v1.0c
No ratings yet
Forcepoint ONE Lab Guide v1.0c
228 pages
DZone TR Data Pipelines 2022 Spotlight Dremio
No ratings yet
DZone TR Data Pipelines 2022 Spotlight Dremio
42 pages
Flutter - RBA Workshop ES - HANDSON - 2022
No ratings yet
Flutter - RBA Workshop ES - HANDSON - 2022
108 pages
6.4 Security Analyst Guide For Multi-Tenant
No ratings yet
6.4 Security Analyst Guide For Multi-Tenant
323 pages
SC-900 Exam Cram 2024 HANDOUT Id
No ratings yet
SC-900 Exam Cram 2024 HANDOUT Id
316 pages
Module 2
No ratings yet
Module 2
101 pages
Themikewylie Workshop Wireshark DC29 4hr
No ratings yet
Themikewylie Workshop Wireshark DC29 4hr
210 pages
Security Operations Center: By: Mohamad Mahmoud
No ratings yet
Security Operations Center: By: Mohamad Mahmoud
6 pages
INFO636 Module2 CloudSecurity Slides
No ratings yet
INFO636 Module2 CloudSecurity Slides
116 pages
ssl-tls-best-practice-workshop-student-guide-en
No ratings yet
ssl-tls-best-practice-workshop-student-guide-en
109 pages
D2T3 - Hands-On Purple Team Exercises
No ratings yet
D2T3 - Hands-On Purple Team Exercises
57 pages
Ie Epss Security LLD v1.0
No ratings yet
Ie Epss Security LLD v1.0
202 pages
Enterprise Security Script: Splunk Security Solutions Marketing October 2019
No ratings yet
Enterprise Security Script: Splunk Security Solutions Marketing October 2019
26 pages
03-Brkens-2023 (2021)
No ratings yet
03-Brkens-2023 (2021)
42 pages
244256-Exabeam Security Content in The Legacy Structure-Pdf-En
No ratings yet
244256-Exabeam Security Content in The Legacy Structure-Pdf-En
142 pages
DEVOPSv3.3 Master DevOps Glossary 10dec2020
No ratings yet
DEVOPSv3.3 Master DevOps Glossary 10dec2020
59 pages
1.elasticsearch Introduction Slides
No ratings yet
1.elasticsearch Introduction Slides
106 pages
Introduction to Appsec Combined Keynote PDF
No ratings yet
Introduction to Appsec Combined Keynote PDF
107 pages
Introduction To Teamwork in Project Management
No ratings yet
Introduction To Teamwork in Project Management
9 pages
CISO 2023 Challenges
No ratings yet
CISO 2023 Challenges
22 pages
CLS 1306 WXCC - AI&Orchestration
No ratings yet
CLS 1306 WXCC - AI&Orchestration
135 pages
SOAR - GIT Strategies - Read-Only
No ratings yet
SOAR - GIT Strategies - Read-Only
5 pages
An Ace Up The Sleeve PDF
No ratings yet
An Ace Up The Sleeve PDF
68 pages
ITCA 24 Sep 2022
No ratings yet
ITCA 24 Sep 2022
42 pages
M1 CDL Student Slides v2
No ratings yet
M1 CDL Student Slides v2
184 pages
FortiSOAR-7.0.1-Beginners Tutorial To FortiSOAR For Administrators
No ratings yet
FortiSOAR-7.0.1-Beginners Tutorial To FortiSOAR For Administrators
13 pages
Roadshow Advanced 7.2 V3.2 230711 Final All Geo
No ratings yet
Roadshow Advanced 7.2 V3.2 230711 Final All Geo
342 pages
Certified IT Service Manager (CITSM) - Delegate Pack
100% (1)
Certified IT Service Manager (CITSM) - Delegate Pack
166 pages
HAC - Pentest Solutions Brief HackerOne - L1R7 RGB
No ratings yet
HAC - Pentest Solutions Brief HackerOne - L1R7 RGB
2 pages
Theory of Literature
No ratings yet
Theory of Literature
112 pages
SSL Proxy
No ratings yet
SSL Proxy
25 pages
Prisma Cloud Container Security - Assessment
No ratings yet
Prisma Cloud Container Security - Assessment
8 pages
Capsule Labs
No ratings yet
Capsule Labs
131 pages
Nuevo Blueteam
No ratings yet
Nuevo Blueteam
100 pages
Edu en Vsanft7 Lec Se
No ratings yet
Edu en Vsanft7 Lec Se
724 pages
LTRSPM 2010 LG
No ratings yet
LTRSPM 2010 LG
110 pages
SecurityDayTunisia FortinetTeam Slides KB1 SecOPs
No ratings yet
SecurityDayTunisia FortinetTeam Slides KB1 SecOPs
28 pages
DEVOPS Lab Answers
No ratings yet
DEVOPS Lab Answers
210 pages
Dataonboarding
No ratings yet
Dataonboarding
17 pages
Lab Guide - Secure Meraki Network
No ratings yet
Lab Guide - Secure Meraki Network
53 pages
CDAC 5days E-Suraksha Introduction
No ratings yet
CDAC 5days E-Suraksha Introduction
124 pages
Top Security Orchestration Use Cases
No ratings yet
Top Security Orchestration Use Cases
17 pages
NetPro Template Sent
100% (1)
NetPro Template Sent
186 pages
AWS STP-Microsoft Workloads - Tech
No ratings yet
AWS STP-Microsoft Workloads - Tech
167 pages
Module 2
No ratings yet
Module 2
113 pages
Certy: Premium Exam Material
No ratings yet
Certy: Premium Exam Material
264 pages
SS002 KTWorkshop
No ratings yet
SS002 KTWorkshop
42 pages
Attacking Against DevOps Environment
No ratings yet
Attacking Against DevOps Environment
61 pages
Devops Slides
No ratings yet
Devops Slides
223 pages
Guide To Understanding FedRAMP 061312
100% (1)
Guide To Understanding FedRAMP 061312
53 pages
Corelight's Introductory Guide To Threat Hunting With Zeek (Bro) Logs
No ratings yet
Corelight's Introductory Guide To Threat Hunting With Zeek (Bro) Logs
6 pages
Brkent 2006
No ratings yet
Brkent 2006
102 pages
Defining Threat Intelligence Analysis Slides
No ratings yet
Defining Threat Intelligence Analysis Slides
16 pages
[FREE PDF sample] Linux in the Workplace 1st Edition Ssc ebooks
100% (4)
[FREE PDF sample] Linux in the Workplace 1st Edition Ssc ebooks
71 pages
MR Longs Exam Guide CAT Grade 11
No ratings yet
MR Longs Exam Guide CAT Grade 11
9 pages
CSS Layout - Inline-Block
No ratings yet
CSS Layout - Inline-Block
7 pages
AFI Fillers Auger B-Series
No ratings yet
AFI Fillers Auger B-Series
2 pages
Nima Part
No ratings yet
Nima Part
15 pages
IP Address To IP Location and Proxy Information IP2Location
No ratings yet
IP Address To IP Location and Proxy Information IP2Location
1 page
Sandipan Goswami - Computer Aided Bridge Engineering
No ratings yet
Sandipan Goswami - Computer Aided Bridge Engineering
402 pages
West Bengal State University Q16TQ20
No ratings yet
West Bengal State University Q16TQ20
6 pages
Using A Graphics Package Such As Adobe Photoshop or Macromedia Fireworks Save Different Types of Ima
No ratings yet
Using A Graphics Package Such As Adobe Photoshop or Macromedia Fireworks Save Different Types of Ima
4 pages
MCIT-103 - OOT - Lab - Manual
No ratings yet
MCIT-103 - OOT - Lab - Manual
29 pages
Exafspak Manual
No ratings yet
Exafspak Manual
56 pages
Microsoft PowerPoint1
No ratings yet
Microsoft PowerPoint1
15 pages
Computer Applications Assignment
No ratings yet
Computer Applications Assignment
4 pages
Project Report of Contact Management System - PDF - Databases - Software Testing
No ratings yet
Project Report of Contact Management System - PDF - Databases - Software Testing
118 pages
250+ TOP MCQs On Software Requirement Specification and Answers 2023
No ratings yet
250+ TOP MCQs On Software Requirement Specification and Answers 2023
6 pages
Escobedo Circuit Snippets
No ratings yet
Escobedo Circuit Snippets
31 pages
SummersGone 5 - BETA - Walkthrough Rev 1.1
No ratings yet
SummersGone 5 - BETA - Walkthrough Rev 1.1
17 pages
Download full Mac OS X Power Tools 1st Edition Dan Frakes ebook all chapters
100% (13)
Download full Mac OS X Power Tools 1st Edition Dan Frakes ebook all chapters
50 pages
Synopsis of Real Estate Management System
No ratings yet
Synopsis of Real Estate Management System
25 pages
Tumult Hype 2.5 Documentation
No ratings yet
Tumult Hype 2.5 Documentation
102 pages
Pet - Adoption - & - Accessories - Management - System Latest
No ratings yet
Pet - Adoption - & - Accessories - Management - System Latest
11 pages
Flyer E2ROIP
No ratings yet
Flyer E2ROIP
4 pages
CH 02
No ratings yet
CH 02
18 pages
CICS Interview Questions: Customer Information Control System (CICS)
No ratings yet
CICS Interview Questions: Customer Information Control System (CICS)
5 pages
CV - Alekh Ved
No ratings yet
CV - Alekh Ved
5 pages
15 Web Projects With Vanilla JavaScript Build 15 Mini Frontend Projects From Scratch With HTML5, CSS JavaScript (Alam, Asadullah)
100% (2)
15 Web Projects With Vanilla JavaScript Build 15 Mini Frontend Projects From Scratch With HTML5, CSS JavaScript (Alam, Asadullah)
320 pages
Cloud Computing Report
No ratings yet
Cloud Computing Report
30 pages
Operator'S Manual: KP-6299C/8299C/1299C
No ratings yet
Operator'S Manual: KP-6299C/8299C/1299C
83 pages

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.