0% found this document useful (0 votes)

95 views

UTD CNSP 2.0 Cloud Operations Track

Uploaded by

Hải Nguyễn Nhật

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

95 views

UTD CNSP 2.0 Cloud Operations Track

Uploaded by

Hải Nguyễn Nhật

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 146

infosec-saas-sec-exception-4FolG6vM0bWM0mpeYVe1Q8UaS

ULTIMATE
TEST DRIVE
Cloud Native Security
Platform
with Prisma Cloud

Workshop Guide
UTD-CNSP-2.0 | Cloud Operations Track

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary Last Update: 20230831
Table of Content

Purpose of This Workshop Guide 4

Activity 0: Log in to the UTD Workshop 5
Task 1 - Log in to Your Ultimate Test Drive Class Environment 5
Task 2 - Docker Workstation Overview 7
Task 3 - Application Portal Overview 9
Task 4 - Kubernetes VM Overview 11
Activity 1: Prisma Cloud Overview 13
Task 1 - Log in to Prisma Cloud Enterprise Edition Console 13
Task 2 - Prisma Cloud Enterprise Edition Console Quick Overview 15
Task 3 - SecOps Dashboard in Prisma Cloud Enterprise Edition 18
Task 4 - Prisma Cloud Asset Inventory (CMDB) 21
Activity 2: Prisma Cloud Compute Edition Overview 25
Task 1 - Log in to Prisma Cloud Compute Edition Console 26
Task 2 - Prisma Cloud Compute Edition overview 28
Activity 3: Prisma Cloud Application Security 31
Task 1 - Bridgecrew VS Code Integration 31
Task 2 - Bridgecrew CLI scanning 36
Task 3 - Prisma Cloud Application Security - I 38
Task 4 - Prisma Cloud Application Security - II 43
Activity 4: Build Security 47
Task 1 - GitHub Actions: CI Setup I (Kubernetes Scan) 47
Task 2 - GitHub Actions: CI Setup II (Docker Image Scan) 51
Task 3 - Docker Image scanning with Twistcli 58
Activity 5: Deployment Security 64
Task 1 - Setup Kubernetes Cluster 64
Task 2 - Setup ArgoCD 65
Task 3 - Setup Prisma Cloud Defender in Kubernetes 67
Task 4 - Setup Kubernetes Auditing and Admission Control 69
Task 5 - Setup Trusted Docker Images 72
Task 6 - Deploy Bank of Anthos Application 77
Task 7 - Registry Scanning 84
Activity 6: Runtime Defense - I 87
Task 1 - Check Container Model States 87
Task 2 - Container Process Monitoring 89
Task 3 - Runtime Network Control for DNS 91
Task 4 - Runtime Monitoring for File System 93
Task 5 - Secure Runtime 95
Task 6 - Incident Monitoring 100
Task 7 - Forensics 103
Activity 7: Runtime Defense - II 105
Task 1 - Vulnerability Overview 105

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 2

Task 2 - Setup rule to detect log4j attacks 107
Task 3 - Run Log4j attack 110
Task 4 - Block log4j attacks and images 114
Activity 8: Prisma Cloud Data Security 118
Task 1 - Data Security Overview 118
Task 2 - Examine Sensitive Objects discovered by the Data Security module. 120
Activity 9 [Optional]: Prisma Cloud Integrations 123
Task 1 - Prometheus and Grafana Integration 123
Task 2 - Webhook Integration 128
Task 3 - Splunk Integration 132
Task 4 - Mail Integration 140
Activity 10: Feedback on Ultimate Test Drive 144
Task 1: Take the online survey 144
Appendix 1: On-board a AWS Account 145

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 3

Purpose of This Workshop Guide
The activities outlined in this Workshop Guide are meant to contain all the information necessary to navigate the
workshop interface, complete the workshop activities, and troubleshoot any potential issues with the lab
environment. This guide is meant to be used in conjunction with the information and guidance provided by your
facilitator.
This workshop guide covers only basic topics and is not a substitute for training classes conducted by Palo Alto
Networks Authorized Training Centers. Please contact your partner or regional sales manager for more
information on available training and how to register for one near you.

Cloud Operations Track Overview

1. Description:
a. The Cloud Operations Track is designed for professionals who work with cloud infrastructure and
operations. If the persona is responsible for designing, building, deploying, or maintaining
cloud-based applications, and has exposure to DevOps practices, automation, and cloud
platforms, then this track is right for them.
b. In this track, we will showcase the capabilities of Prisma Cloud and how it can help enhance the
security posture of their organization by integrating with the tools and processes used in this
track.
2. Targeted Teams: Release Engineering, Infrastructure Operations, Platform and Infrastructure delivery,
DevOps, Site Reliability Engineering (SRE)
3. Targeted Personas: DevOps, DevSecOps, Site Reliability Engineer (SRE), Automation Engineer,
Release Engineer, Cloud Engineer, Cloud Architect, Platform Engineer, Infrastructure and Operations
Engineer.

Once These Activities Have Been Completed

You should be able to:
1. Configure and review the Prisma Cloud Enterprise Edition console.
2. Configure and review the Prisma Cloud Compute Edition (PCCE) console.

Note: Unless specified, the Google Chrome web browser will be used to perform any tasks outlined in the
following activities.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 4

Activity 0: Log in to the UTD Workshop
In this activity, you will:

● Log in to the Ultimate Test Drive Workshop

● Understand the layout of the environment and its various components.
● (Optional) Subscribe to the Prisma Cloud free trial

Task 1 - Log in to Your Ultimate Test Drive Class Environment

Before beginning this workshop, make sure your laptop is installed with a modern browser that supports HTML
5.0. We recommend using the latest version of Firefox®, Chrome, or Internet Explorer. We also recommend you
install the latest Java® client for your browser.

Step 1. Open a browser window and navigate to the class URL. If you have an invitation email, you will find
the class URL and passphrase there. Otherwise, your instructor will provide them.

Step 2. Complete the registration form and click Register and Login at the bottom.

Step 3. Depending on your browser, you may be asked to install a plugin. Please click yes to allow the plugin
to be installed, then continue the login process.

Step 4. Once you log in, the environment will be created automatically for you. The upper left-hand corner will
show you the progress of the preparation. You will see the lab availability time when it is ready for use.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 5

The CNSP UTD lab environment consists of the following tabs:

1. Overview: A quick overview of lab environment and lab activities

2. Workshop Guide: Click this tab to open the lab guide
3. Prisma Cloud Enterprise Edition: Click this tab to login on Prisma Cloud Enterprise Edition
demo tenant console
4. Docker Workstation: Click this tab to connect to a VM running PCCE and other containers
5. Survey: A short survey to get your feedback

Note: You can leverage the keyboard > send text feature inside of CloudShare when the guide instructs you to
copy/paste linux commands. Also note that when copying/pasting commands, make sure to remove the line
breaks if any before commands are executed.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 6

Task 2 - Docker Workstation Overview

The Docker workstation provided in this workshop has multiple applications running on it in the form of Docker
containers such as:

● Prisma Cloud Compute Edition

● Console
● Defender
● Prometheus
● Grafana
● Splunk
● Visual Studio Code
● Jenkins
● Registery2
● DVWA - Damn Vulnerable Web Application docker container is a PHP/MySQL web application that is very
vulnerable.
● Webhook tester
● Locally hosted mail server

All of the above applications are accessible via the Application Portal tab from your CloudShare environment.

To access and login to Docker workstation, follow these steps:

Step 1. Select the Docker Workstation tab to open the ssh terminal that is already logged in to this VM. If
not already logged in, use the CloudShare interface to login.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 7

If you prefer to use your own terminal from your laptop, you can ssh to this VM using the External Address and
the user name and password under Connection Details in the Connectivity section.

Note: You can also SSH to Docker Workstation from your laptop terminal (MAC) or Putty (Windows) using the
external address and login credentials as highlighted in the screenshot.

ssh sysadmin@<external address>

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 8

Task 3 - Application Portal Overview
The Application Portal is one stop shop for all the applications that are used in this workshop. Under the hood, it
utilizes Kasm Workspaces, which is a streaming platform for delivering browser-based access to applications, and
web services and this setup is running as a docker container within the Docker workstation. Within this
workspace, Chrome browser is preinstalled and it provides a secure and isolated browsing environment.

Below are some key points to note:

1. Credentials: kasm_user/p@lo@lto
2. Homepage: http://homepage:3000 (henceforth referred to as Homepage).
3. The Application Portal, upon startup, opens the webpage: If Homepage is not loaded, please refresh the
browser tab or open a new browser tab and navigate to aforementioned URL
4. Homepage provides you access to the various applications used within this workshop.
5. These applications are all running as Docker containers and they are accessible via their internal IPs only
via the Application portal.
6. This ensures that the traffic doesn’t go out the internet, making the setup a bit more secure and reduces
latency.

Below are the list of applications that are accessible via Application Portal and the respective tracks where these
are used in the lab:
1. Prisma Cloud Compute Edition: Click this tab to login on Prisma Cloud Compute Edition (PCCE)
console (Common for all the Tracks)
➢ Credentials: admin/p@lo@lto
2. Prometheus: Monitoring and Alerting Toolkit (Common for all the Tracks)
3. Grafana: Analytics and interactive visualization web application (Common for all the Tracks)
➢ Credentials: admin/admin
4. Splunk: Log aggregation (Common for all the Tracks)
➢ Credentials: admin/password
5. Webhook Receiver: Webhook container to receive incoming webhooks (Common for all the Tracks)
6. Mail Server: Locally hosted mail server (Common for all the Tracks)
7. Visual Studio Code: IDE (Cloud Operations and Developer Tracks)
➢ Credentials: admin/password
8. Jenkins: CICD (Development Track)
➢ Credentials: admin/p@lo@lto
9. DVWA: Damn Vulnerable Web Application docker container is a PHP/MySQL web application

Below are the steps to access the Application Portal:

Step 1. Select the Application Portal tab to open the portal.

Step 2. Credentials: kasm_user/p@lo@lto

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 9

Step 3. Once logged in, when you click inside the page, allow the clipboard permission when prompted.

Step 4. Below are some screenshots of the interface.

Step 5. Important: This is a browser in browser setup running as a Docker container. DO NOT open more
than 3-4 browser tabs at the same time as it may cause resource exhaustion on the Docker
workstation VM.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 10

Step 6. If due to inactivity, you see a blue screen when you access the Application Portal, click on “Connect”
option

Task 4 - Kubernetes VM Overview

The Kubernetes VM provided in this workshop is running a single node Kubenetes cluster launched via k3s.
Within the lab, you will be working with this VM to perform various things such as deploying Prisma Cloud
defender, Argo CD, running log4j attacks etc.

To access and login to Kubernetes VM, follow these steps:

Step 1. Select the Kubernetes tab to open the ssh terminal that is already logged in to this VM. If not already
logged in, use the CloudShare interface to login.

If you prefer to use your own terminal from your laptop, you can ssh to this VM using the External Address and
the user name and password under Connection Details in the Connectivity section.

Note: You can also SSH to Docker Workstation from your laptop terminal (MAC) or Putty (Windows) using the
external address and login credentials as highlighted in the screenshot.

ssh sysadmin@<external address>

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 11

End of Activity 0

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 12

Activity 1: Prisma Cloud Overview
Prisma Cloud is a comprehensive cloud-native security platform with the industry’s broadest security and
compliance coverage. It protects cloud native applications, data, network, compute, storage, users, and
higher-level PaaS services across cloud platforms. Prisma Cloud enables Cloud Security Posture Management
(CSPM) and Cloud Workload Protection Platform (CWPP) for comprehensive visibility and threat detection across
your organization’s hybrid, multi-cloud infrastructure. It dynamically discovers resources as they are deployed and
correlates cloud-service-provided data to enable security and compliance insights into your cloud applications and
workloads.

In this activity, you will:

● Log in to Prisma Cloud Lab account

● Learn about the Prisma Cloud console and help center
● Review how to on-board a AWS account on Prisma Cloud tenant

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Log in to Prisma Cloud Enterprise Edition Console

Complexity: Easy

Key Takeaways:
● Logging into Prisma Cloud
● View onboarded Cloud Accounts

Step 1. Click on the Prisma Cloud Enterprise Edition tab to open the demo tenant login.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 13

Step 2. Follow the screen to login and then click on the Prisma Cloud icon.

NOTE: If you see a page expired message then refresh the web page by clicking on the Home
button as highlighted in below screen capture.

Step 3. Use the icons from the Action panel virtual keyboard to go back, forward and home screen while using
the Prisma Cloud console.

Step 4. To check the on-boarded public cloud accounts click on the Settings on the left-hand side and select
Account Groups. Click on the 4 Cloud Account(s) under Default Account Group. You can see the
public cloud accounts connected to this Prisma Cloud demo account.

NOTE: The screenshots captured in this workshop guide might vary slightly from the actual lab account.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 14

We have already connected AWS, Azure and GCP accounts to this Prisma Cloud service, and this lab
account can be used for testing across all three public cloud providers.

Task 2 - Prisma Cloud Enterprise Edition Console Quick Overview

Complexity: Easy

Scenario: Prisma Cloud Enterprise Overview

Key Takeaways:
● View SecOps dashboard
● View Policies
● Compliance Dashboard

When you access Prisma Cloud, you first see the homepage. You can then use the following tabs to interact with
the data and visualize the traffic flow and connection details to and from the different resources in your cloud
deployment; review the default policy rules and compliance standards; and explore how the web interface is
organized to help you and DevSecOps teams to monitor cloud resources.
● Dashboard
● Inventory
● Investigate
● Policies
● Compliance
● Alerts
● Compute
● Settings

Step 1. Click on the Dashboard > SecOps to review the Dashboard. The Dashboard provides a graphical
view of all assets deployed across multiple public cloud environments. You can use the predefined or
custom Time Range to view current trends or historical data. Or use the Cloud Accounts to focus on
specific public cloud accounts.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 15

Step 2. The Inventory > Assets provides visibility into all the assets contained within the onboarded cloud
accounts. From this view, you will be able to find out which assets passed and which ones failed to
comply with the current policies.

Step 3. The Investigate tab helps in identifying security threats and vulnerabilities, creating and saving
investigative queries, and analyzing impacted resources. To conduct investigations, Prisma Cloud
provides a proprietary query language called Resource Query Language (RQL) that is similar to SQL.

Step 4. The Policies tab shows the Prisma Cloud policy which is a set of one or more constraints or
conditions that must be adhered to. Any new or existing resources that violate these policies are
automatically detected.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 16

Prisma Cloud provides predefined default policies for configurations and access controls that adhere
to established security best practices such as PCI, GDPR, ISO 27001:2013,and NIST, and a larger set
of policies that enable you to validate security best practices with an impact beyond regulatory
compliance. In addition to these predefined policies, you can create custom policies to monitor for

Step 5. The Compliance > Overview dashboard enables you to view, access, report, monitor and review their
cloud infrastructure health compliance posture. You can also create compliance reports and run them
immediately, or schedule them on a recurring basis to measure your compliance over time.

Step 6. Click on the Compute tab to open up the Compute module in Prisma Cloud. Prisma Cloud offers a
rich set of cloud workload protection (CWPP) capabilities. Collectively, these features are called
Compute.

The Compute tab enables cloud native assets anywhere they operate - regardless of whether running
as containers, serverless functions, non-container hosts, or any combination of them.

Prisma Cloud Compute is also available to install as a self hosted deployment known as Prisma
Cloud Compute Edition. We have provided access to Prisma Cloud Compute Edition for the cloud
workload protection lab activities in Part 2 of this lab.

For more information on Prisma Cloud Compute (in Enterprise Edition) vs Compute Edition, please
visit here for a detailed comparison.

Step 7. The Alerts > Overview allows the admin to view the list of discovered violations and anomalies, drill
into the details and look up remediation options, and create alert rules and notification templates.
When you access Prisma Cloud, you first see the Alerts.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 17

Before we dive deeper into alerts, we will take a look at the assets that are visible and protected by
Prisma Cloud.

Task 3 - SecOps Dashboard in Prisma Cloud Enterprise Edition

Complexity: Easy

Scenario: Prisma Cloud Enterprise Overview

Key Takeaways:
● SecOps dashboard
● Assets exposed to the internet and traffic that they are taking.

The Dashboard SecOps provides a graphical view of the performance of resources that are connected to the
internet, the risk rating for all accounts that Prisma Cloud is monitoring, the policy violations over time and a list of
the policies that have generated the maximum number of alerts across your cloud resources. It makes the
security challenges visible to you as a quick summary, so you can dig in.

Step 1. Click the Dashboard > SecOps, set the Time Range to All Time.

Step 2. Scroll down and click on one of the Top Internet Trafficked Assets by Traffic Type, such as the RDP.
Click on one of the resources, such as PANW-WindowsBastionServer-awsjamconfig to open an
investigation pane for the workload to see what traffic is coming from the internet. Expand the time range
to the last 6 months and you’ll see details about the workloads that are taking traffic directly from the
Internet.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 18

Step 3. Click on the arrow from the Suspicious IP to analyze the traffic towards the
PANW-WindowsBastionServer-awsjamconfig host.

Question: Did the workload take traffic from the Suspicious IP?

Step 4. Now go to the Dashboard > SecOps and scroll down to the bottom of the page and view the connections
from the Internet Connected Assets by Source Network Traffic Behavior map.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 19

Step 5. Drill down into one of the “pink” bubbles to explore where the traffic is originating from and the type of
traffic. For example, for each pink bubble drills down until a red bubble appears and shows what traffic is
seen towards your cloud accounts.

Note that if you do not see graphical data for the pink bubble you selected, try a different one. When you
do this, your graph may look different than what’s indicated in the screenshot

Step 6. Click on View Details to go to the Investigate tab with the subsequent network information.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 20

Task 4 - Prisma Cloud Asset Inventory (CMDB)

Complexity: Easy

Scenario: Prisma Cloud Enterprise Overview

Key Takeaways:
● Prisma Cloud Asset Inventory

Public cloud environments are very dynamic environments, and a very common customer pain point is visibility
and asset inventory tracking. You can’t protect what they don’t know about, that is why a central cloud
Configuration Management Database(CMDB) is the foundation for building and implementing a solid Cloud
Security program.

The Asset Inventory dashboard (on the Inventory tab) provides a snapshot of the current state of all cloud
resources or assets that you are monitoring and securing using Prisma Cloud. From the dashboard, you gain
operational insight over all our cloud infrastructure, including assets and services such as Compute Engine
instances, Virtual machines, Cloud Storage buckets, Accounts, Subnets, Gateways, and Load Balancers.

Step 1. Click the Inventory > Assets tab.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 21

Step 2. Set the Asset Inventory’s Date filter to Most Recent.

Step 3. In the Prisma Cloud Asset Inventory dashboard, scroll down the page and search for and click on the
Google VPC line item in the table in the Service Name column. This will open up the Google VPC assets
view.

Step 4. In the Asset Inventory / GCP | Google VPC page, you can see a quick count on all the number of
unique VPC assets.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 22

Step 5. Scroll down to the Resource Type summary, and click on the (!) icon under Actions for the Google VPC
Firewall Rule to see a list of firewall configurations that have violated the Prisma Cloud Security policies.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 23

Step 6. You’ll now see a list of GCP firewall assets that are violating the policy, and you can click each of them to
analyze configurations. Now try out a number of other different resources under the Asset Inventory to
explore other Cloud Resources.

Note: Prisma Cloud allows you to easily discover all your cloud resources
across all of your cloud accounts and gives you a security posture view with
regard to those resources. It also allows you to easily drill down to get
details of each resource and whether it has passed or failed a policy. This
enables you to get quite granular at a per resource level.

End of Activity 1

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 24

Activity 2: Prisma Cloud Compute Edition Overview
Prisma Cloud offers a rich set of cloud workload protection capabilities. Collectively, these features are called
Compute. Compute has a dedicated management interface, called Compute Console, that can be accessed in
one of two ways, depending on the product you have.
Prisma Cloud Enterprise Edition — Hosted by Palo Alto Networks. Prisma Cloud Enterprise Edition is a SaaS
offering. It includes both the Cloud Security Posture Management (CSPM) and Cloud Workload Protection
Platform (CWPP) modules. Access the Compute Console, which contains the CWPP module, from the Compute
tab in the Prisma Cloud UI.

Prisma Cloud Compute Edition (PCCE) - Hosted by you in your environment. Prisma Cloud Compute Edition
(PCCE) is a self-hosted offering that’s deployed and managed by you. It includes the Prisma Cloud Compute
module only. You can download the Prisma Cloud Compute Edition software from the Palo Alto Networks
Customer Support Portal. Compute Console is delivered as a container image, so you can run it on any host with
a container runtime (e.g. Docker Engine).

With Prisma Cloud Compute Edition (PCCE), Radar is the primary interface for monitoring and understanding
your environment. It is the default view when you first log into PCCE Console. It is designed to let you visualize
and navigate through all of Prisma Cloud’s data. For example, you can visualize connectivity between

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 25

microservices, then instantly drill into the per-layer vulnerability analysis tool, assess compliance, and investigate
incidents, all without leaving the Radar canvas.

PCC features to be used:

● Cluster pivot
● Host pivot

In this activity you will:

● Review and operate the Radar
● Review image for easy analysis of your containerized apps
● Review network traffic flows
● Review runtime, vulnerability or compliance issue they contain

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Log in to Prisma Cloud Compute Edition Console

Complexity: Easy

Scenario: Accessing Prisma Cloud Compute Edition

Key Takeaways:
● Different ways to access Prisma Cloud Compute Edition in the lab.

Step 1. There are a couple of ways to access the Prisma Cloud Compute Edition Console (PCCE Console) in
this lab.

Step 2. Approach 1 - Application Portal:

a) Head over to the Application Portal as outlined in Activity 0 > Task 3.

b) Click on Prisma Cloud Compute Console . Henceforth referred to as PCCE Console

c) When presented a Security exception, click on Advanced > Proceed to 10.160.154.170 (unsafe)

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 26

d) Login to the PCCE console using the following credentials, with Local/LDAP in the drop down:

➢ Credentials: admin/p@lo@lto

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 27

Step 3. Approach 2 - Via External Address:

a) Click on Docker Workstation CloudShare Tab. From the left pane, select Connectivity > Connection
Details > External Address (when you click on it, the address will be copied to clipboard)

b) On your laptop browser, navigate to: https://<external address>:8083

Note: You will get a security exception, please ignore it for this lab and proceed to the login page. We
are using a self-signed certificate, which causes the exception.

Step 4. If the message Your connection is not private opens, click Advanced, and then Proceed to <IP
address> (unsafe). Non Chrome browsers might have a different behavior

Step 5. Login to the PCCE console using the following credentials, with Local/LDAP in the drop down:

➢ Credentials: admin/p@lo@lto

Task 2 - Prisma Cloud Compute Edition overview

Complexity: Easy

Scenario: Prisma Cloud Compute Edition Overview

Key Takeaways:
● Containers and Hosts discovered by Prisma Cloud
● Radar view

This task guides you through key elements of the Prisma Cloud Compute console to ensure that you are aware of
them. Use this time to explore these elements at your own pace to discover points of interest.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 28

Step 1. Once logged in, you will be placed in Radars, the primary interface for monitoring and understanding
your environment. It is designed to let you visualize and navigate through all of Prisma Cloud
Compute’s data. Click on any container to view the details on that container.The defender and the
console containers are the key components for Prisma Cloud Compute Edition.

Step 2. Change the View based on different Radar view categories by clicking the dropdown on the top left
corner

Step 3. Click Radars > Hosts, then click the docker-workstation host icon to review the host dashboard.
There is only one host in this lab.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 29

Step 4. Change the View based on different Radar view categories by clicking the dropdown on the top left
corner.

End of Activity 2

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 30

Activity 3: Prisma Cloud Application Security
Background: Application Security on Prisma Cloud enables you to add security checks to your existing IaC
(Infrastructure-as-Code) model, ensuring security throughout the build lifecycle. In this section, you will see how
Prisma Cloud can scan Infrastructure-as-Code (IaC) templates in Terraform, CloudFormation, Dockerfiles, and
Kubernetes to identify misconfigurations in code.

In this activity you will learn:

● Bridgecrew integration with VS Code

● Bridgecrew CLI scanning
● Prisma Cloud Application Security module

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Bridgecrew VS Code Integration

Complexity: Easy

Product(s): Bridgecrew and Prisma Cloud Enterprise Edition (Application Security)

Scenario:
● There is already a containerized microservice bank application (Bank-of-Anthos) that exists and you
are working on deploying it on your Kubernetes cluster.
● You are now working on developing Kubernetes manifests to do that and make it production ready.
● You want to ensure there are no misconfigurations in the code during the coding phase.

Key Takeaways:
● Development starts with code and Prisma Cloud aims to provide security right from the first step, where
it all begins, by integrating right into your IDE

Step 1. Headover to the Application Portal in CloudShare as outlined in Activity 0 > Task 3

Step 2. Click on VS Code. When prompted for password, enter the credential password

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 31

Step 3. If prompted, select Yes, I trust the authors prompt.

If you see the insecure context warning pop up on the bottom right of your VS Code screen, you can safely
ignore that by clicking I Understand

Step 4. The necessary Checkov extension has been pre installed and configured for you. To review, click on
Extensions Icon and in the results, you can see Checkov extension

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 32

Step 5. Explore the code that’s presetup for you for this task. We will be working on
Kubernetes(bank-of-anthos) and Terraform Code(terraform-aws).

Step 6. Checkov scans happen automatically. However, to manually initiate a Checkov scan, click on Settings >
View > Command Palette and then type Checkov and select Checkov Scan from the result by clicking
on it. This will initiate a Checkov scan against the code in context.

Step 7. Kubernetes(bank-of-anthos)

1. Expand the bank-of-anthos folder tree from the left pane and click on the file frontend.yaml.
Note: It may take a few seconds for the red underlines to appear after opening a file in the editor

2. Notice how the line 15 is underlined in red ? That’s a result of a Checkov scan and it indicates
that there are misconfigurations found in this code.

3. Hovering your mouse over the underlined code will provide more information about the detected
violations/misconfigurations

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 33

4. Looking at one of the violations, it’s about Privileged containers in fronend.yaml (line 45).

5. Clicking on CKV_K8S_16 will take you to the Bridgecrew website where there’s more information
about the failed check.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 34

6. Other detected violations in the same file can easily be identified from the right navigation bar

7. Click on other files within bank-of-anthos folder to see other detected violations

Step 8. Terraform (terraform-aws)

1. Expand the terraform-aws folder tree from the left pane and click on the file eks.tf.
Note: It may take a few seconds for the red underlines to appear after opening a file in the editor

2. Scroll down to line 72. Notice how the line 72 is underlined in red ? That’s a result of a Checkov
scan and it indicates that there are misconfigurations found in this code.

3. Hovering your mouse over the underlined code will provide more information about the detected
violations/misconfigurations

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 35

4. Repeat the process for other files in terraform-aws (try ec2.tf)

Task 2 - Bridgecrew CLI scanning

Complexity: Easy

Product(s): Bridgecrew and Prisma Cloud Enterprise Edition (Application Security)

Key Takeaways:
● Bridgecrew cli scanning using Python PIP package.
● Free bridgecrew API key can be obtained by signing up for a Bridgecrew account
● All the bridecrew/checkov features are integrated seamlessly into Prisma Cloud Enterprise.

Step 1. Login to Docker workstation via SSH. We will work with the same Bank-of-Anthos and Terraform code as
in the previous activity.

Step 2. Ensure that checkov/bridgecrew PIP package is installed

pip3 install checkov==2.3.237

Step 3. Since the code is already set up, we can run the scan right away. Change into the following dir:

cd /home/sysadmin/setup/volumes/vs-code/project && clear && ls

Step 4. Kubernetes (Bank-of-Anthos) scan:

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 36

checkov --quiet --skip-check LOW --framework kubernetes \
--directory bank-of-anthos --bc-api-key $BC_API_KEY

Through all the command line arguments, we are scanning Kubernetes framework code (--framework
kubernetes) , hiding all the passing checks (--quiet) and skipping LOW severity violations
(--skip-check LOW) and focussing only on MEDIUM, HIGH and CRITICAL severity alerts.

Step 5. Terraform (terraform-aws) scan:

checkov --quiet --check HIGH,CRITICAL --framework terraform --directory \

terraform-aws --bc-api-key $BC_API_KEY

Note: We are scanning for HIGH and CRITICAL (--check HIGH,CRITICAL) severity violations. Explore
checkov CLI Reference for more information.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 37

Task 3 - Prisma Cloud Application Security - I
Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● Your team has a Github source code repository and you want to assess the security posture by
scanning the repo to see if there are any misconfigurations and vulnerabilities before it’s deployed.

Key Takeaways:
● Explore Prisma Cloud Application Security module.
● Explore detected misconfigurations and vulnerabilities in code such as Terraform, Kubernetes
manifests etc.
● Use different filters to filter out the detections by this module
● Prisma Cloud’s automated fix feature.

Step 1. Navigate to Prisma Cloud > Application Security > Projects. Below are a few examples of filters
that you can use. Make sure that there’s nothing selected for the Severities filter.

Step 2. Example #1: Select the Secrets tab and set the repository filter to UltimateTestDrive/utd-vuln-code

Step 3. The above filter lists all the resource definitions (Terraform and AWS CloudFormation) where secrets
are hard coded or exposed. Explore the different code blocks that are matched by this filter.

Step 4. Click on cnf.yaml and on the right pane, select issues and scroll down to see the details.

Step 5. Example #2: Select the IaC Misconfiguration tab and set the below filters:

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 38

Repository: UltimateTestDrive/utd-vuln-code
Issue Status: Errors
Severities: Critical, High

Note: Once you apply the filter, you may need to scroll down the page to find the highlighted result.

Step 6. The above filter lists all the issues/misconfiguration within the selected repository. Explore the different
code blocks that are matched by this filter.

Step 7. Select AWS S3 bucket ACL grants READ permission to everyone and click on one of the entries
that has the label Has Fix. See the screenshot above.

Step 8. Optionally, click on the overview tab. Here you can add an additional filter by clicking on the filter icon
on the left and selecting IaC Categories and selecting Kubernetes to filter only Kubernetes related
code. Once you apply the filter, explore the filtered results before proceeding to the next step.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 39

Step 9. Filter example #3: Select the Vulnerabilities tab and set the below filters:

Repository: UltimateTestDrive/utd-vuln-code
Issue Status: Errors
Code Categories: Vulnerabilities
Severities: Critical, High

Step 10. The above filter lists all the resource definitions (Dockerfiles) vulnerable base-image, package or code
is detected. Explore the different code blocks that are matched by this filter.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 40

Step 11. If you had clicked on the CVE link, to return to Prisma Cloud Screen, select CloudShare > Keyboard
> Home

Step 12. Navigate to Prisma Cloud > Application Security > Projects and click on the overview tab. Select
the below filters. Make sure to unselect the filters selected in the previous task(s) first.

Repository: UltimateTestDrive/utd-vuln-code

Step 13. From your left pane, select the filter icon to add a filter: IaC Labels and select Has Fix

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 41

Step 14. Clicking on any of the results will display the Details section that contains information on what the fix is
and is highlighted in green.

Step 15. Please note that you will not be able to see “Fix” and “Submit” (grayed out) options as we are using a
user with Read-Only permissions for the purpose of the lab. “Fix” and “Submit” options will apply the
Prisma Cloud suggested fix and commit the changes to the source control repository. The “Fix” and
“Submit” options are included in the screenshots to demonstrate the capabilities of the Application
Security module.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 42

Step 16. Clicking on + icon against a file or sub results of the file will create a fix and will be added to the staged
PR. When you click Submit, the PR will be created with all the fixes that you selected.

Task 4 - Prisma Cloud Application Security - II

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● Your team has a Github source code repository which is onboarded into Prisma Cloud.
● Whenever your team creates a PR (pull request), you would like automated scans to be performed on
the changes and you’d like the PR to automatically be received by Prisma Cloud and have it comment
it’s findings on the PR

Key Takeaways:
● Prisma Cloud Pull request review feature.

Step 1. Head over to utd-vuln-code Github repository. This repo contains intentionally vulnerable code and this
repo has already been onboarded within Prisma Cloud, which we will review in a bit.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 43

Step 2. Head over to the open pull requests in the Github repo.

Step 3. Here, you can see various comments by Prisma Cloud that occur automatically when a pull request is
created for an onboarded source code repository.

Step 4. Looking closely at one of the findings and comments, you can see the violation title and description
and also information on how to fix it. You can also see the code snippet which triggered this violation.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 44

Step 5. Scrolling to the top of the PR, clicking on View reviewed changes brings up another interesting view
which you can explore.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 45

Step 6. You can also view these findings in Prisma Cloud as well. Head over to Prisma Cloud > Application
Security > Projects > VCS Pull Requests and select the following filters:

1. Repositories: UltimateTestDrive/utd-vuln-code
2. Pull Request: #1 - Second Commit

Step 7. Navigate to Docker Workstation and in the terminal run the below commands to stop VS Code
container in preparation for the next set of activities:

docker stop code-server

docker stop nginx

End of Activity 3

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 46

Activity 4: Build Security
Background: Continuous Integration (CI) is a development lifecycle practice that has expanded with the growth
of the cloud. CI provides your organization with the ability to rapidly and continuously develop, update and
maintain your cloud based applications. The assembly and testing of your code into usable software packages is
automated by CI systems (e.g., Github Actions, Jenkins etc) that integrate with the different code repositories and
package management systems. These CI systems produce deployable artifacts that are consumed by the release
processes to drive frequent deployments. Prisma Cloud provides visibility and control within your Code/Build
processes to identify vulnerabilities and compliance violations before progressing to the next phase of the
application’s lifecycle.

In this activity you will learn:

● Github Actions CI Setup I with Prisma Cloud

● Github Actions CI Setup II with Prisma Cloud
● Docker image scanning with twistcli
● Prerequisite: Github Account (signup here if you don’t have one). Please make sure you are
logged into your GitHub before proceeding further.

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - GitHub Actions: CI Setup I (Kubernetes Scan)

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● There is already a containerized microservice bank application (Bank-of-Anthos) that exists and you
are working on deploying it on your Kubernetes cluster.
● You’ve developed the Kubernetes manifests for it in Task 1 of previous activity and you think it’s
production ready.
● You’ve pushed your code to the development branch in GitHub and created a pull request (PR) to the
main branch.
● You've configured Prisma Cloud IaC scan via GitHub actions to run when a PR is created.
Key takeaways:
● Understand how Prisma Cloud can integrate with Github Actions to scan IaC during build phase.
● See how Prisma Cloud can perform Kubernetes IaC scan and cause the build to fail if
misconfigurations are found.

Integrating Prisma Cloud with GitHub Actions makes it possible for Prisma Cloud Application Security to scan
your Infrastructure-as-code files, review scan results in a number of formats, display Incidents on the Console and
cause a build to fail if security vulnerabilities are found. For this activity, we will be working with a Github
repository that contains intentionally misconfigured and vulnerable code.

Step 1. Head over Development branch of the Bank of Anthos application Github repository which contains
Kubernetes manifests to deploy the Bank of Anthos application.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 47

Step 2. Review the Github Actions workflow YAML file, which runs a Bridgecrew scan on the Kubernetes
manifests within this repo whenever there’s a pull request created to the Main branch. To understand
more about this Workflow file, head over to this short readme document.

Step 3. In summary, the build will detect any MEDIUM, HIGH and CRITICAL misconfigurations within the code
that is being scanned. To see a triggered workflow Github Action, head over to Github Actions.

Step 4. Click on Kubernetes scan tile to see the workflow run log within the log, you can see that there are
multiple steps that get executed. Expand Run Kubernetes Scan step

Step 5. At the beginning of the output of Run Kubernetes Scan step, you can see the summary of the scan.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 48

Step 6. Focussing on one of the detected violations, we can notice the following things:

o Check ID: Bridgecrew check ID (eg CKV_K8S_19)

o Severity: Severity of the Alert (eg MEDIUM)

o File: Violating file and the line numbers (eg: /contacts.yaml: 15-93)

o Guide: The guide to fix the violation (eg https://docs.bridgecrew.io/docs/bc_k8s_18 )

Step 7. You can scroll through the output to see other detected violations. Towards the end of the output of Run
Kubernetes Scan step.

Step 8. You can also see the result of the Passing Github workflow run for comparison. The QA branch of this
same repo contains the code that contains fixes for all the Medium, HIGH and CRITICAL violations
detected during a failed run from the Development branch. Below are the details:

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 49

o Github Workflow Action: https://github.com/utd-prisma-cloud1/bank-of-anthos/actions (follow
steps 4 - 7 to review this run)

Step 9. To see the scan results in Prisma Cloud, navigate to Prisma Cloud > Application Security > Projects.
Select CI/CD Runs at the top (see screenshot below). Select the following filters:

o Repositories: 951206484523005952_utd-prisma-cloud1/bank-of-anthos

o CICD Run: #1 (development)

o Issue State: Error

You can change the CICD Run filter to QA and Issue Status to Passed to see the results of QA branch scan.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 50

Task 2 - GitHub Actions: CI Setup II (Docker Image Scan)

Complexity: Medium and Hard

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● As the frontend application pod in the Kubernetes Bank-Of-Anthos application needs to be highly
reliable, you want to make it robust by offloading health check logic to a sidecar container.
● You’re building a Docker image that you're considering for this purpose but you want to evaluate it first.
● For your Docker image, you are using a base Ubuntu image that looks safe and it is recommended by
a colleague/article.
● You’ve pushed your code to the Development branch in GitHub and created a pull request (PR) to the
main branch.
● You've configured GitHub actions to run when a PR is created to build the Docker image, perform
Prisma Cloud Image scan and also Sandbox scan.
Key takeaways:
● Understand how Prisma Cloud can integrate with Github Actions to scan Docker images and detect
vulnerabilities early on before the images are even stored in the registry.
● See how Prisma Cloud Sandbox scanning can detect critical security vulnerabilities, which are not
traditionally detected by Docker image scanning.
By integrating Prisma Cloud with GitHub Actions, you can scan your Infrastructure-as-code files, review scan
results in a number of formats, display Incidents on the Console and cause a build to fail if security vulnerabilities
are found.

Step 1. Head over Development branch of the Ubuntu Docker image Github repository which contains source
code to build Ubuntu based Docker image. Review the README.md of the repository to know more
about the code.

Step 2. Review the Github Actions workflow YAML file, which runs a Bridgecrew scan on the Kubernetes
manifests within this repo whenever there’s a pull request created to the Main branch. To understand
about this Workflow file and steps involved in this scan, head over to this workflow readme document.

Step 3. In summary, the build will detect any HIGH and CRITICAL vulnerabilities within the code that is being

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 51

scanned. This is also configured in Prisma Cloud Enterprise as well. Whether the build passes or fails if a
certain severity vulnerability is found, is controlled by CI rule in Prisma Cloud Enterprise.

Step 4. Navigate to Prisma Cloud Enterprise > Compute > Defend > Vulnerabilities > Images > CI and click
on the rule Block images with High and Critical vulnerabilities.

Step 5. The build runs the following scans: Docker image scan and Docker image Sandbox scan. To see a
triggered workflow Action, head over to Github Actions and select any run.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 52

Step 6. Click on Docker Image Scan tile to see the workflow run log within the log, you can see that there are
multiple steps that get executed.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 53

Step 7. Docker Image Scan:

o Expand the Docker Image Scan step to see the result of the Docker image scan that’s run
against the locally built Docker image from the previous step in the Github workflow Action run
(Docker Build step).

o Explore the different vulnerabilities detected by this scan and the severity of the alert (similar to
what we did in previous task)

o To see the result of this scan in Prisma Cloud, head over to Prisma Cloud Enterprise >
Compute > Monitor > Vulnerabilities > Images > CI .In the filter option, type in
ultimatetestdrive/ubuntu and hit return.

Step 8. Docker Image Sandbox Scan:

o Expand the Docker Image Sandbox Scan step to see the result of the Docker image sandbox

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 54

scan that’s run against the locally built Docker image from the Docker Build step in the Github
workflow Action run.

o Explore the different vulnerabilities detected by this scan and the severity of the alert (similar to
what we did in previous task)

o To see the result of this scan in Prisma Cloud, head over to Prisma Cloud Enterprise >

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 55

Compute > Monitor > Runtime > Image Analysis Sandbox and click on the latest analyses

Step 9. For a more end to end example of a single Github workflow action that involves complex scan of different
types of code such as Terraform, Kubernetes and Docker Images, please complete step 10 and this is
optional.

Step 10. prisma-cloud-demo github repository contains full IaC scan. Below are key pieces of information:

o Code in the Development branch contains intentionally misconfigured code and code in QA
branch contains code that contains all the fixes.
o See the repository readme doc to understand about this repository.
o See the workflow readme doc to understand about this Github workflow YAML file.
o Github Failed Build
o Github Passing Build

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 56

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 57
Task 3 - Docker Image scanning with Twistcli

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● You’re building a Docker image that you want to deploy in your environment but you are not using
Github Actions or a CICD setup as of now but you still want to perform a scan to ensure that the image
contains no security vulnerabilities.
● Your Docker image code is ready and you are ready to perform the image and sandbox scan with
Prisma Cloud Twistcli.
● See the scan results in terminal as well as Prisma Cloud Compute Edition Console (PCCE Console)
Key takeaways:
● Understand how Prisma Cloud can scan Docker images and detect vulnerabilities early on before the
images are even stored in the registry.
● See how Prisma Cloud Sandbox scanning can detect critical security vulnerabilities, which are not
traditionally detected by Docker image scanning.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 58

Step 1. Login to Docker Workstation VM via SSH and ensure that twistcli is installed by running the following
script (you can also examine the script first):

cd ~ && bash /home/sysadmin/apps/install-twistcli.sh

Step 2. Clone the Development branch of Ubuntu docker image repository:

git clone https://github.com/utd-prisma-cloud1/ubuntu.git --branch development

cd ubuntu

Step 3. Build the Docker image (period at the end of the below line is part of the command)

docker build -t ubuntu:latest .

Step 4. Run twistcli Docker image scan:

twistcli images scan --address https://10.160.154.170:8083/ --user admin \

--password p@lo@lto --details ubuntu:latest

Step 5. It will take a few seconds or a minute for the Docker image scan to be complete. Once that is done, we
can examine the results of the scan in the CLI output.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 59

Step 6. The scan results are also available in the Prisma Cloud Compute Console and you can see the URL of
the scan result towards the end of the CLI output. Copy that and paste it into the Application Portal
browser to see the results. Alternatively, you can navigate to Prisma Cloud Compute Edition > Monitor
> Vulnerabilities > Images > CI and click on the latest scan result: Ubuntu:latest

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 60

Step 7. Run twistcli Docker image Sandbox scan:

sudo twistcli sandbox --address https://10.160.154.170:8083/ \

--user admin --password p@lo@lto --analysis-duration 1m ubuntu:latest

Here we are specifying that the sandbox analysis be performed on the Ubuntu image that we built earlier
and the analysis duration is set to 1 minute.

Once the scan is done, you can examine the results in the CLI output as well as the Prisma Cloud
Compute Edition Console. Repeat steps 5 - 6 for this.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 61

Step 8. To view the sandbox scan in Prisma Cloud Compute Edition console, you can copy the link at the end
of the cli scan result and paste it in the Application Portal browser. Alternatively, you can navigate to
PCCE Console > Monitor > Runtime > Image analysis sandbox and click on the latest analysis.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 62

End of Activity 4

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 63

Activity 5: Deployment Security
Background: Continuous Deployment (CD) provides the automation of testing and deployment of applications
within your clouds’ runtime environments. With modern automation, cloud applications are in a continuous cycle of
development, testing and release. This notion of continuous change is a fundamental challenge of managing
cloud applications. Prisma Cloud identifies vulnerability and compliance issues within applications that are staged
for deployment. With Prisma Cloud you can enforce policies to ensure only trusted applications are allowed to
launch within the cloud runtime environment.

In this activity you will learn:

● Setup Kubernetes Cluster and deploy Argo CD

● Install Prisma Cloud Defender in Kubernetes
● Setup Kubernetes Admission and Auditing
● Setup Prisma Cloud Trusted Docker images rule
● Deploy Bank-of-Anthos application
● Explore Container Runtime protection
● Explore log4j Protections
● Registry Scanning

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Setup Kubernetes Cluster

Complexity: Easy

Scenario:
● We will need to deploy the Bank-of-Anthos application on Kubernetes and we will use ArgoCD to do
that, which also runs on Kubernetes cluster.
● We need to setup Kubernetes cluster

Argo CD in this context, will connect to our Github repository that we were working with in the previous activity
(Bank-Of-Anthos) and our infrastructure (Kubernetes) and deploy the Bank-of-Anthos application.

Step 1. Login via SSH to the Kubernetes VM as outlined in Activity 0 > Task 4

Step 2. Run the following script to setup your Kubernetes cluster (it will take approximately less than 2 mins for
the creation to be complete):

bash /home/sysadmin/apps/00-k3s-setup.sh

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 64

Step 3. Once done, run the below commands to verify that everything is working:

alias kubectl='k3s kubectl'

kubectl get pods -A

Task 2 - Setup ArgoCD

Complexity: Easy

Scenario:
● Argo CD is a continuous delivery tool that lets you deploy your application on a Kubernetes cluster.
● We will be using Argo CD to deploy Bank-Of-Anthos application from the previous activities on our
Kubernetes cluster

Step 1. Run the command to examine the ArgoCD setup script, which sets up required kubernetes namespaces
and other things:

cat /home/sysadmin/apps/01-argo-setup.sh

Step 2. When ready, run the script:

bash /home/sysadmin/apps/01-argo-setup.sh

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 65

Step 3. Once the script executes successfully, scroll down to the end of the script output to retrieve the login
credentials. Once you find it, make a note of it as you will be using that to login to the GUI.

Step 4. Head over to the Application Portal > ArgoCD tile and login using the credentials that you copied from
the previous step.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 66

Step 5. When ArgoCD is initially deployed, there will be no ArgoCD applications. Later during the lab, we will
deploy the Bank of Anthos application.

Task 3 - Setup Prisma Cloud Defender in Kubernetes

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● You have a Kubernetes cluster where you intend to run critical workloads and you want to secure your
cluster with Prisma Cloud by running defender.
● The process is the same for all flavors of Kubernetes - EKS, AKS, GKE etc. For simplicity we will be
working with a single node self hosted Kubernetes cluster running k3s

Key takeaways:
● Understand the process to deploy Prisma Cloud defender on Kubernetes to secure your cluster.

Step 1. Login via SSH to the Kubernetes VM as outlined in Activity 0 > Task 4 .

Step 2. Run the command to examine the setup script:

cat /home/sysadmin/apps/02-install-defender.sh

Step 3. When ready, run the script:

bash /home/sysadmin/apps/02-install-defender.sh

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 67

Step 4. Run the following command to see the status of the defender deployment:

kubectl -n twistlock get pod -o wide

Step 5. Head over to Prisma Cloud Compute Edition Console > Manage > Defenders to verify the successful
deployment. It might take 1-2 mins for the defender to show up as active after it was deployed from step 4

Step 6. Navigate to Prisma Cloud Compute Edition Console > Radars > Hosts to see the newly added
Kubernetes host. If you don’t see it yet, click on the Refresh icon (see the screenshot)

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 68

Step 7. We have now successfully deployed Prisma Cloud Defender on the Kubernetes cluster.

Task 4 - Setup Kubernetes Auditing and Admission Control

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● You have a Kubernetes cluster where you intend to run critical workloads and you have Prisma Cloud
defender running.
● You want to create security guardrails in your Kubernetes environment by enforcing policies such as
protecting against misconfigured or overprivileged pods etc.

Key takeaways:
● Setup Kubernetes Auditing.
● Explore and understand Prisma Cloud’s integration with Open Policy Agent (OPA) and enable and set
up an Admission controller to secure your Kubernetes environment.

Step 1. Navigate to Prisma Cloud Compute Edition Console > Defend > Access and select Kubernetes tab
and enable Kubernetes auditing.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 69

Step 2. Click on Add Rule > Select from existing rules

Step 3. Select all the rules in the and click on Add

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 70

Step 4. Navigate to Prisma Cloud Compute Edition Console > Defend > Access and select Admission tab
and enable Admission Control.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 71

Task 5 - Setup Trusted Docker Images

Complexity: Medium

Product(s): Prisma Cloud Compute Edition

Scenario:
● You have a Kubernetes cluster where you intend to run critical workloads and you have Prisma Cloud
defender running.
● You want to ensure that all your Kubernetes deployments use Docker images from your trusted docker
repository.
● Ensure that the Bank-of-Anthos application uses Docker images from your own trusted image repo.

Key takeaways:
● Prisma Cloud’s trusted images functionality.

Step 1. Navigate to Prisma Cloud Compute Edition Console > Compliance and select Trusted images tab
and select Trust Groups sub tab and click on Add group.

Step 2. Select the following options:

● Name: UTD-GCR-Bank-of-Anthos
● Registry: us-central1-docker.pkg.dev
● Repository: panw-utd-public-cloud/utd-demo-images/utd-cnsp/bank-of-anthos-ci/*
● Click on Add to Group
● Registry: docker.io
● Repository: rancher/*
● Click on Add to Group

Step 3. Click on Save

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 72

Step 4. Navigate to Prisma Cloud Compute Edition Console > Compliance and select Trusted images tab
and select Policy and enable Trusted images rule. Then click on Add rule

Step 5. Name the rule as GCR-Bank-of-Anthos-Rule

Step 6. Click on Scope > +Add Collection and set the following options:

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 73

● Name: Kubernetes-Scope
● Hosts: kubernetes

Step 7. Click on save

Step 8. Click on Select Collections

Step 9. You will now be back on the create new trust page. Here, under Allowed section, click on Select
Groups and then select the UTD-GCR-Bank-of-Anthos rule that we created before and click Apply

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 74

Step 10. You can optionally specify a message for Custom message for blocked request

Step 11. Set the Effect to Block

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 75

Step 12. Click save. Now your rule should look like this:

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 76

Task 6 - Deploy Bank of Anthos Application

Complexity: Medium

Product(s): Prisma Cloud Compute Edition

Scenario:
● You have set up Kubernetes audits, Admission controller and Trusted images rules within Prisma
Cloud. Now, time to see it in action.
● Deploy the Bank of Anthos application via ArgoCD to see failing and passing deployments and the
alerts triggered by it.

Key takeaways:
● Prisma Cloud Kubernetes audits, Admission controller and Trusted images alerts.

Step 1. The ArgoCD apps can also be deployed as a YAML manifest. For the sake of simplicity in this
workshop, the necessary configuration has already been saved within a YAML file.

Step 2. Head over to Kubernetes VM and run the following command to see the application that we are
deploying:
cat /home/sysadmin/apps/01-dev-argo-app.yaml

Step 3. We are deploying 2 versions of the same Bank-of-Anthos applications but based on different Github
branches in the same repo.

Step 4. In the example below, here are some things to note:

● targetRevision: Maps to the upstream Github branch

● repoURL: This is the Github repo URL of our Bank-of-Anthos application
Step a. namespace (line 14): Kubernetes namespace in which the application will be deployed in.

Step 5. You can apply the same principles to the second ArgoCD application 02-qa-argo-app.yaml file, which
gets deployed in the QA Kubernetes namespace.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 77

Step 6. When ready, apply manifest:

kubectl apply -f /home/sysadmin/apps/01-dev-argo-app.yaml

Step 7. Once you deploy it, you can see the apps in the Argo CD GUI

Step 8. Head over to Prisma Cloud > Monitor > Events . Select Admission Audits . You can see that there
are a lot of misconfigured Kubernetes deployments that Prisma Cloud Admission Controller detected.

Step 9. Click on any of the Audits to see details. Notice that it’s only set to Alert. We will be revisiting this in
just a bit.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 78

Step 10. Some of the deployments in the bank-of-anthos application are using untrusted images. Let's see if
they were blocked. Navigate to Prisma Cloud > Monitor > Events . Select Trust Audits .

Step 11. You can see the blocked images that were being pulled from gcr (untrusted)

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 79

Step 12. Clicking on it, will bring up a window with more details

Step 13. Head back to ArgoCD and you should see that the deployment is degraded and failed.

Step 14. Head back to the Kubernetes cluster, run the below command and you can see that the Pods failed
because the images were blocked. And describing one of the Pods, we can see the blocked output.

kubectl -n development get po

kubectl -n development describe po ledger-db-0

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 80

Step 15. We will now deploy the same bank-of-anthos application but a different version of it, which contains all
the fixes (trusted images and remediated Kubernetes manifests) and we will deploy this in the QA
kubernetes namespace and we will delete the old one.

Step 16. First, we have to clean up the previous deployment to free up resources and ports. Head over to
ArgoCD and click DELETE on development-bank-of-anthos. Also confirm at the prompt by typing in
development-bank-of-anthos

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 81

Step 17. Once the tile disappears from ArgoCD, run the below command:

kubectl apply -f /home/sysadmin/apps/02-qa-argo-app.yaml

Step 18. Now, head over to ArgoCD and you should see the newly deployed app

Step 19. It takes about 1-2 mins for the application to be ready. You can monitor the state in ArgoCD and/or in
the Kubernetes cluster. Within the cluster, you can run: kubectl -n qa get pods -w

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 82

Step 20. Once the application is healthy, you can navigate to the Application Portal and access the
bank-of-anthos application !

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 83

Task 7 - Registry Scanning

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● Your organization has a Docker registry where all the Docker images are stored.
● You want to scan the images in your registry to ensure that there are no images with critical
vulnerabilities making their way into the production environment.

Key takeaways:
● Understand how Prisma Cloud can integrate effortlessly with the existing Docker registry in your
infrastructure to scan Docker images.

Registry is a system used for storing and distributing container images. Prisma Cloud can scan container images
in both public and private repositories on both public and private registries.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 84

Step 1. Go to Docker Workstation shell prompt and run the following command to Authenticate to the Registry
server

docker login registry-server:5000 -u admin -p p@lo@lto

Step 2. Add a container image to the registry with the following command.

docker tag vulnerables/web-dvwa registry-server:5000/web-dvwa

docker push registry-server:5000/web-dvwa

Step 3. Go to Defend > Vulnerabilities > Images and click on Registry Settings.

Step 4. Click on +Add Registry, and enter the following info in the settings:

A. Version : Docker Registry V2

B. Registry: https://registry-server:5000

C. Click the drop next to the Credentials field, click on Add to add new Credentials
a. Name: registry-server
b. Type: Basic Authentication
c. Username: admin
d. Password: p@lo@lto

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 85

D. Click Save to save the new credential
E. Click Add to add the new registry.

Step 5. Click Save and Scan next to Add Registry and scanning will start.

Step 6. Go to Monitor > Vulnerabilities > Images > Registries

Step 7. The repository has been scanned and you can see the alerts from the vulnerable images that are
uploaded to the registry.

End of Activity 5

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 86

Activity 6: Runtime Defense - I
Background: Runtime defense is the set of features that provide both predictive and threat based active
protection for running containers. For example, predictive protection includes capabilities like determining when a
container runs a process not included in the origin image or creates an unexpected network socket. Threat based
protection includes capabilities like detecting when malware is added to a container or when a container connects
to a botnet.
Prisma Cloud has distinct sensors for file system, network, and process activity. Each sensor is implemented
individually, with its own set of rules and alerting. The runtime defense architecture is unified to both simplify the
admin experience and to show more detail about what Prisma Cloud automatically learns from each image.
Runtime defense has two principle object types: models and rules.

PCC features to be used:

● Container Models
● Runtime defense for processes
● Runtime defense for networking
● Runtime defense for file systems

In this activity you will:

● Create runtime policies for Process, Network and File System.
● Test and review event logs to confirm activity

Note: This activity is dependent on Activity 5.

Task 1 - Check Container Model States

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● You have deployed the Bank-of-Anthos application from the previous activity and you see a suspicious
deployment named manual-run.
● You want to understand what it is doing and take measures to prevent malicious/suspicious things.

Key takeaways:
● Explore the prebuilt malicious setup.
● Container Models.

Step 1. Head over to Kubernetes VM and run the below commands to understand the setup and workloads
that we’ll be investigating.

kubectl -n qa get po -l app=manual-run

kubectl -n qa get deploy manual-run

The output of the first command lists out Pod that is part of a Kubernetes deployment named

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 87

manual-run. Normally, as soon as this pod starts up, it starts doing malicious things, which sets off
alerts. But for the purpose of this lab, we have modified the startup command so that the Pod does
nothing but sleep. This gives us a chance to perform interactive things with that Pod.

Step 2. Navigate to Monitor > Runtime > Container Models. Search for ubuntu:malware (shorthand for the
Container image that our malicious deployments are using)

Step 3. If the state(s) are in “Learning”, then click on three dots in the Actions column, choose Manual
Relearning. Click on Action again, and choose Manual Relearning again to stop the learning.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 88

Task 2 - Container Process Monitoring

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● You have deployed the Bank-of-Anthos application from the previous activity and you see a suspicious
deployment named auto-run.
● Use Prisma Cloud to monitor processes during runtime and enforce protections.

Key takeaways:
● Prisma Cloud runtime monitoring for processes.

Step 1. Login to Kubernetes VM and run the below commands:

kubectl -n qa exec -it deploy/manual-run -- bash /opt/manual-run.sh

Step 2. Navigate to Prisma Cloud > Monitor > Events > Container Audits and clear the existing filter.

Step 3. Set the below filters. After each filter, hit the Return (or Enter) key
Step 1. Filter 1 - ubuntu:malware
Step 2. Hit return

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 89

Step 3. Filter 2 - Event type: Crypto Miner Process
Step 4. Hit return

Step 4. Clicking on the result will bring up more details about the identified process. Once done reviewing,
close it.

Step 5. Navigate to Prisma Cloud > Monitor > Events > Admission Audits and clear the existing filter. Set
the following filter: Operation: Connect

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 90

Step 6. This will list out the events where you/someone connected to a Pod (step 1 of this task). You can click
on the result and view the event. When done, click close.

Task 3 - Runtime Network Control for DNS

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● You have deployed the Bank-of-Anthos application from the previous activity and you want to monitor
the container processes in one of the Pods.
● Use Prisma Cloud to monitor processes during runtime and enforce protections.

Key takeaways:
● Prisma Cloud runtime networking monitoring.

Step 1. Navigate to Prisma Cloud > Monitor > Events > Container Audits and clear the existing filter.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 91

Step 2. Set the below filters. After each filter, hit the Return (or Enter) key
● Filter 1 - ubuntu:malware
● Hit return
● Filter 2 - Category: network
● Hit return

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 92

Step 3. This filter returns all the results for Network audits and a vertical port scanning process was detected
by Prisma Cloud.

Task 4 - Runtime Monitoring for File System

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Key takeaways:
● Runtime monitoring for file systems.

Step 1. Navigate to Prisma Cloud > Monitor > Events > Container Audits and clear the existing filter.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 93

Step 2. Set the below filters. After each filter, hit the Return (or Enter) key
a) Filter 1 - ubuntu:malware
b) Hit return
c) Filter 2 - Category: filesystem
d) Hit return

Step 3. Explore the event related to /usr/bin/useradd. Clicking on that, we can see that there was a user
created by the script

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 94

Task 5 - Secure Runtime

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Key takeaways:
● Runtime defense for processes, networking, filesystem and crypto miner protection.

Step 1. Navigate to Monitor > Runtime > Container Models. Search for ubuntu:malware (shorthand for the
Container image that our malicious deployments are using)

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 95

Step 2. In the results row click on three dots (...) and then click Copy Into Rule.

Step 3. Anti-malware - Click on the Anti-malware. Under Anti-malware monitoring and set the Prisma
Cloud advanced threat protection to Prevent

Step 4. Process-Monitoring - Click on the Processes tab

1) Under Denied & all other processes, set the first 2 items to Prevent under Anti-malware and exploit
prevention and the last 2 to block

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 96

2) Under explicitly denied processes, specify the following processes and set the rule to Prevent:
i) /bin/netcat
ii) /opt/xmrig-96.19.2/xmrig
iii) /bin/nc.traditional

Step 5. Network-Monitoring - Click on the Networking tab

1) Under Denied & all other network activity, set the outbound IP to 1.1.1.1 and set the Outbound IPs
effect to Block

2) Scroll down to the DNS Section and enable it.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 97

3) Under Denied and all other domains, set the following domain: btc.ss.poolin.me and set the Domains
effect to Prevent

Step 6. File-system Monitoring - Click on File-System tab

1) Set all the items to Prevent under Denied & all other paths > Anti-malware and exploit prevention

2) For Paths list, set /usr/bin/ and set the Paths effect to Prevent

3) Click Save. You will be asked whether to relearn the container model. Click Don’t Relearn.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 98

Step 7. On the Kubernetes VM , exec into the Pod again and run the following commands to test the rules that
we configured.

Step 8. Run: kubectl -n qa exec -it deploy/manual-run sh ; Now that we have an interactive
shell for the Pod, let’s re-run commands from the manual-run.sh that we ran before.

1) Process and Crypto moner Defense: /opt/xmrig-6.19.2/xmrig --help

2) Network Defense - I: nslookup btc.ss.poolin.me

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 99

3) Network Defense - II: /bin/netcat

4) Network Defense - III : curl 1.1.1.1

5) The previous command will terminate the shell. To reinitiate, run the below command:

kubectl -n qa exec -it deploy/manual-run sh

6) Filesystem (defense against modified binary) : gcc /tmp/main2.c -o /usr/bin/main3.o

7) Filesystem : useradd test

Task 6 - Incident Monitoring

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● The Ubuntu application that was deployed as a sidecar to bank-of-anthos application, is involved in an
incident.
● Investigate the incident.
● Use Prisma Cloud to monitor processes during runtime and enforce protections.

Key takeaways:
● Prisma Cloud Incident monitoring.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 100
Step 1. At the Prisma Cloud Compute console, go to RADAR View by navigating to Radars > Containers,
and clear all the filters.

Step 2. Select the filter icon and select qa namespace checkbox to filter Pods only from QA namespace.

Step 3. You can use your mouse to zoom in and out of the Radar graph view to view a container/pod closely.

Step 4. Find the ubuntu container and click the image to bring up details for the image.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 101
Step 5. Go to Monitor > Runtime > Incident Explorer

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● View Incidents on Prisma Cloud Compute
● Use Prisma Cloud to monitor processes during runtime and enforce protections.

Key takeaways:
● Prisma Cloud Forensics

Step 1. From the Incident Explorer view on the Prisma Cloud Compute console, click View live forensic.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 103
Step 2. The Forensics view shows the events that were detected.

Step 3. Run the below command in Docker-Workstation VM to clean up containers from previous task to free
up some resources:

docker stop registry

End of Activity 6

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 104
Activity 7: Runtime Defense - II
Background: Identify and prevent vulnerabilities across the entire application lifecycle while prioritizing risk for
your cloud native environments. Integrate vulnerability management into any process, while continuously
monitoring, identifying, and preventing risks to all the hosts, images, and functions in your environment. Prisma
Cloud combines vulnerability detection with an always up-to-date threat feed and knowledge about your runtime
deployments to prioritize risks specifically for your environment.

PCC features to be used:

● Vulnerability Management.
● Logging and reporting for verification
● WaaS

In this activity you will:

● Review Vulnerability Explorer
● Create image vulnerability rule
● Enforce security with vulnerability rule
● Run log4j attack
● Secure your environment from log4j attacks

Note: This is an optional activity. This activity is dependent on Activity 5.

Task 1 - Vulnerability Overview

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● In your environment, you are trying to get an overview of Images, Hosts and Function vulnerabilities
trend over the time

Key takeaways:
● Prisma Cloud - Vulnerability overview.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 105
Step 1. Navigate to PCCE Console > Monitor > Vulnerabilities. This gives an overview of Images, Hosts
and Function vulnerabilities trend over the time

Step 2. Scroll down to the Top critical vulnerabilities (CVEs) section to view the top 10 CVEs based on Risk
Score. It may take a few moments for the vulnerabilities to become visible.

Step 3. The Risk Score takes into account the CVE’s severity, and other info such as is there a fix, is the
container reachable from the Internet, etc.

Step 4. This allows customer to prioritize which CVEs to fix first in their environment, among the hundreds of
CVEs discovered

Step 5. Go to PCCE Console > Monitor > Vulnerabilities > Images

This gives an overview of the number of vulnerabilities found in each image, color coded Brown for
Critical, Red for High severity, Orange for Medium severity, and Yellow for Low severity.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 106
Step 6. Click on vulnerables/web-dvwa:latest image to open the details page. Note, there is a High
vulnerability in the image.

Step 7. Select the Layers tab. This shows the vulnerabilities found at each layer of the container image.

Step 8. Click Close to close the Image details window.

Task 2 - Setup rule to detect log4j attacks

Complexity: Medium

Product(s): Prisma Cloud Compute Edition

Scenario:
● In this task, you will set up a rule to alert when a log4j attack occurs.
● Later in this activity, we will update this rule to block these attacks instead of alerts.

Key takeaways:
● Prisma Cloud WAAS

Step 1. Head over the PCCE Console > Defend > WAAS > Container > In-line. Click on Add Rule . Use the
name Log4j-WaaS-Inline

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 107
Step 2. Click in Scope field > Add Collection and set the following options:

a) Name: Log4j-Image-Collection

b) Images: us-central1-docker.pkg.dev/panw-utd-public-cloud/utd-public-images/utd-cnsp/log4j-victim:1.0

c) Click Save

d) In this screen, select Log4j-Image-Collection checkbox and click Select Collections and then click save

Step 3. Expand the WaaS rule that we created in previous step and click on +Add App

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 108
Step 4. In the Create new WAAS app screen:

a) Scroll down and click on + Add endpoint and leave all the default options that are preselected

b) Scroll further down and select create

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 109
c) Scroll up and head over the Custom rule column in the same Create new WAAS app screen. Click on
Select Rules

d) In the Custom rules search bar, type in log4j and hit return. Select all the resulting items and click
Apply. At the next screen, click Save.

Task 3 - Run Log4j attack

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● In this task, you will create log4j vulnerable Kubernetes deployment and perform the lo4j attack in your
Kubernetes cluster.
● We will then examine the alerts that were triggered as a result of this attack. This will utilize the rules
that we set up in the previous tasks.

Key takeaways:
● Perform log4j attack in Kubernetes.
● Explore the triggered alerts/events in Prisma Cloud.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 110
Step 1. Deploy the vulnerable log4j and the attacker applications within your Kubernetes setup (you can
examine the code first if you’d like).

kubectl apply -f /home/sysadmin/apps/03-log4j.yaml

Step 2. Monitor the Pods and wait until they are fully Running:

kubectl get pods -w

Once they are running, you can press CTRL+C to exit out of the previous command and proceed with
next steps

Step 3. As part of the log4j attack, a malware sample is downloaded to /tmp directory. Before we run the
attack, let’s make sure there’s no malware (file named as malware-sample):

kubectl exec -it deploy/victim -- ls /tmp

Step 4. Run the attack and verify. You should see a string Hello World after the first command executes and a
malware-sample downloaded after the second command executes.

kubectl exec -it deploy/att-svr -- bash /app/attack.sh

kubectl exec -it deploy/victim -- ls /tmp

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 111
Step 5. To see if the actual attack was detected, head over to Prisma Cloud Compute Console > Events >
WAAS for Containers. Scroll down further to and click on the number corresponding to Custom Rule
under Attack type

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 112
Step 6. Examine the detected event. Scrolling down further to the forensic event, you can see that the attack
was detected.

Step 7. Navigate to Prisma Cloud Compute Console > Monitor > WAAS and examine the WAAS dashboard.
Scrolling down to the Event Traffic Sources, you can find the log4j attack event here .

Complexity: Medium

Product(s): Prisma Cloud Compute Edition

Scenario:
● Now that you understand how to create rules to detect log4j images and attacks, in this task, we will
update the rules to block them.

Key takeaways:
● Explore Prisma Cloud WaaS
● Explore Prisma Cloud Runtime Protection

Step 1. Block Log4j attacks:

a) Head over the PCCE Console > Defend > WAAS > Container > In-line. Expand the previously created
rule Log4j-WaaS-Inline

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 114
b) Under the App list, we had created an app previously. For that app, click on 3 dots under the Actions
column and click edit.

c) Head over to Custom rules and under user-selected custom rules, change the Alert setting to Prevent
and click save

Step 2. Re-run Log4j attack:

a) Navigate to Kubernetes VM and run the following command:

kubectl exec -it deploy/att-svr -- bash /app/attack.sh

b) This time, you will not see a Hello World! message

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 115
c) Run the below command in preparation for the next step:

kubectl delete -f /home/sysadmin/apps/03-log4j.yaml

Step 3. Block Log4j Images:

a) Go to PCCE Console > Defend > Vulnerabilities > Images > Deployed

b) Click on +Add Rule to add a new rule called “Block Log4j vulnerability”

c) Go to Advanced settings and click on +Add exception with the following configurations:
CVE: CVE-2021-44228
Effect: Block

d) Click Add

e) Repeat steps 6 and 7 for the following 2 additional Log4j CVEs: CVE-2021-45046 and CVE-2021-4104
and click save.

f) Run the following command to redeploy the log4j vulnerable application and this time, you will see that
the Victim Pod will not get to the running state

kubectl apply -f /home/sysadmin/apps/03-log4j.yaml

kubectl get po
kubectl describe po -l app=victim

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 117
Activity 8: Prisma Cloud Data Security
Background: This section showcases the Data Security capabilities of Prisma Cloud and how it enables you to
discover and classify data stored in AWS S3 buckets and protect accidental exposure, misuse, or sharing of
sensitive data. To identify and detect confidential and sensitive data, Prisma Cloud Data Security integrates with
Palo Alto Network's Enterprise DLP service and provides built-in data profiles, which include data patterns that
match sensitive information such as PII, health care, financial information and Intellectual Property. In addition to
protecting your confidential and sensitive data, your data is also protected against threats—known and unknown
(zero-day) malware—using the Palo Alto Networks WildFire service.

In this activity you will:

● Get an overview of Data Security via Prisma Cloud dashboard and inventory
● Examine Sensitive Objects discovered by Data Security

Note: This is a standalone activity and is not dependent on other activities.

Task 1 - Data Security Overview

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Scenario:
● You have AWS S3 bucket(s) in your organization, where you store certain data.
● You want to discover and classify data stored in AWS S3 buckets and protect against accidental
exposure, misuse, or sharing of sensitive data.

Key takeaways:
● Explore Prisma Cloud Data Security Dashboard to get an overview of the assets discovered by it.

Step 1. Navigate to Prisma Cloud > Dashboard > Data and select the following filters:

Time Range: All Time

Cloud Accounts: AWS UTD Account

Step 2. This dashboard provides a good overview and representation of detections by the Data Security module.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 118
UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 119
Step 3. Navigate to Prisma Cloud > Inventory > Data and select the following filters:

Time Range: All Time

Cloud Account: AWS UTD Account
Cloud Service: Amazon S3

Step 4. This provides an overview of the Data inventory of the connected Cloud Account and a specific S3 bucket
based on the selected filters.

Task 2 - Examine Sensitive Objects discovered by the Data Security module.

Complexity: Easy

Product(s): Prisma Cloud Enterprise Edition

Key takeaways:
● To identify and detect confidential and sensitive data, Prisma Cloud Data Security integrates with Palo
Alto Network's Enterprise DLP service and provides built-in data profiles, which include data patterns
that match sensitive information such as PII, health care, financial information and Intellectual Property.
● Protect data against threats - known and unknown (zero-day) malware—using the Palo Alto Networks
WildFire service.

Step 1. Click on the number in the Sensitive Objects column. In this page, for the Data Profiles filter, make
sure that the following options are selected: Financial information, Healthcare, Intellectual Property,
PII

Step 2. Set the Time Range to All Time.

Step 3. In the results, search for and select 26_all_patterns_test.txt. This displays all the sensitive information
detected by the Data Security module in that specific file/object Now, under the Snippets column, if
there's a snippet available, “available” keyword should be highlighted which can be selected to display
the snippet which triggered the alert. There are multiple snippets that are detected based on selected
data profiles and feel free to check out different snippets that are generated.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 120
Note: If the snippet is not available, select Generate Snippet and the snippet will be generated and it will
take a few moments for it to complete.

Step 4. Navigate to Prisma Cloud > Inventory > Data and select the following filters:

Time Range: All Time

Cloud Account: AWS UTD Account
Malware: True
Cloud Service: Amazon S3

Step 5. Click on the number in the Malware column and in the search bar and click on any of the files to find
details about the detected malware.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 122
Activity 9 [Optional]: Prisma Cloud Integrations
Background: Prisma Cloud provides multiple out-of-the-box integration options that you can use to integrate
Prisma Cloud into your existing security workflows and with the technologies you already use. In this activity you
will explore some of those integrations.

In this activity, following integrations are showcased:

● Prometheus and Grafana
● Webhook
● Splunk
● Mail

It’s recommended that you pick 1 or 2 tasks in this activity that are most relevant to you depending on
your interest.

Note: This is a standalone activity and not dependent on previous activity.

Task 1 - Prometheus and Grafana Integration

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● In your organization, you have an existing monitoring setup that consists of Prometheus and Grafana.
● You want to integrate Prisma Cloud with Prometheus and Grafana

Key takeaways:
● Prisma Cloud Prometheus and Grafana integration.

Step 1. We’ve already configured Prisma Cloud Compute and Prometheus instrumentation. Navigate to PCCE
Console > Manage > Alerts > Logging and you can see that Prometheus Instrumentation is
enabled.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 123
Note: Vulnerability and compliance data is refreshed every 24 hours. All other data is refreshed every 10 minutes.
To ensure a reliable and smoother user experience, the integration has been preconfigured. To review the
Prometheus configuration file, please run:

cat /home/sysadmin/setup/volumes/prometheus/prometheus.yml

Step 2. From the Application Portal, click on Prometheus to ensure that it’s up and running.

Step 3. Navigate to Prometheus > Status > Targets and notice that targets are Up. If not, wait for a few
seconds.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 124
Step 4. Navigate to Application Portal > Grafana (creds: admin/admin). When logging in for the first time, if
you are prompted to change the password, you can skip it by clicking Skip.

Step 5. Within Grafana, head over to Home > Connections > Data Sources

Step 6. The Grafana setup is already configured with Prometheus as its Data Source.

Step 7. Head back to Grafana Dashboard. There are already some Grafana Dashboards that are set up as
part of the bootstrap process to visualize data that would come in from Prisma Cloud, which we can
explore. Head over to Grafana > Home > Dashboards

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 125
Step 8. Expand Prisma-Cloud-Dashboards and click on Compute Prometheus Gauge

Step 9. In the top right corner of Grafana, select the drop down against Last 1Hour and select 5m

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 126
Step 10. This Dashboard provides a lot of useful pieces of information about Prisma Cloud Setup, which you
can explore. As we progress through the lab and as more data comes in, the Dashboards will be
populated with more information.

Step 11. Let’s repeat the process for the other Prisma-Cloud-Dashboards from step 7 . Head over to Grafana
> Home > Dashboards > Compute Prometheus Counters

Step 12. Navigate to Docker Workstation and in the terminal run the below commands to stop Prometheus and
Grafana containers in preparation for the next set of tasks as they aren’t needed anymore:

docker stop prometheus

docker stop grafana

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● In your organization, you have a custom setup that consumes incoming webhook data from multiple
sources and runs custom data processing and/or manipulation.
● You would like to configure Prisma Cloud alerting via webhooks feature.

Key takeaways:
● Prisma Cloud webhook integration.

Step 1. Navigate to PCCE Console > Manage > Alerts > Manage and click on Add Profile to add a provider

Step 2. Set the Profile name as Webhook and select Webhook in the Provider dropdown and click Next

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 128
Step 3. For the Triggers, enable the following and click next:
● Vulnerabilities: All
● Compliance: Container and Image compliance
● Runtime: Container runtime and Incidents
● Access: All

Step 4. Head over to the Application Portal and click on Webhook under Monitoring and Alerting

Step 5. Select Copy Webhook URL and head back to the Prisma Cloud Compute screen.

Step 6. Paste the copied URL into the Incoming webhook URL field and click Next

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 129
Step 7. Click on Send Test Alert and if the test was successful, click save.

Step 8. Head back to the webhook application page and you should see the test webhook data come in from
Prisma Cloud.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 130
Step 9. You have now successfully configured the Prsima Cloud Webhook integration. Let’s test it in real time.
Head back to the Docker Workstation and run the below command to trigger an incident:

docker run --name monero_cpu_minergate --rm -d

servethehome/monero_cpu_minergate

Step 10. Head back to the Webhook page to see the alert come in (the alert might differ in your case if a
different alert is triggered that was covered in previous tasks/activities):

Step 11. Navigate to Docker Workstation and in the terminal run the below commands to stop webhook and
redis containers in preparation for the next set of tasks as they aren’t needed anymore:

docker stop webhook

docker stop redis
docker stop monero_cpu_minergate

Complexity: Medium

Product(s): Prisma Cloud Compute Edition

Scenario:
● In your organization, you have an existing log aggregator such as Splunk setup.
● You would like to configure Prisma Cloud to ship alerts to Splunk

Key takeaways:
● Prisma Cloud Splunk integration.

Step 1. Navigate to Application Portal and select Splunk and login to Splunk (Credentials: admin/password).
Once done, click on Settings drop down from the Splunk landing page and select Data Inputs

Step 2. Click on +Add New corresponding to HTTP Event Collector row from the Data Inputs page

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 132
Step 3. Provide a Name - Prisma Cloud Compute for the event collector and click next

Step 4. In the Input Settings page, click on main under Select Allowed Indexes . Once you do this, you
should see the selected main item get copied over to the Selected item(s) box. Then click review

Step 5. Click Submit in the next page.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 133
Step 6. In the next page, make sure to copy the token value as we will need this when we configure Prisma
Cloud. Token value might appear grayed out but it can still be copied.

Step 7. Click on Settings drop down select Data Inputs

Step 8. Click on HTTP Event Collector

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 134
Step 9. Click on Global Settings and ensure that Enable SSL checkbox is unchecked and click save

Step 10. Navigate to PCCE Console > Manage > Alerts > Manage and click on Add Profile to add a provider

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 135
Step 11. In the next screen, set the Profile Name as “Splunk” and select “Splunk” as Provider and click next

Step 12. For the Triggers, enable the following and click next:
Vulnerabilities: All
Compliance: Container and Image compliance
Runtime: Container runtime and Incidents
Access: All

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 136
Step 13. In the next settings screen, you are required to input Auth token and Splunk HTTP event collector
URL . Scroll down to the bottom:

Auth Token: Paste the one that you have copied or made note of in Step 6.

URL: http://splunk-ip:8088/services/collector .Replace splunk-ip with the actual IP of the splunk

container , which can be obtained from the Splunk web page url

Step 14. Click Next. At the summary screen, click Send test Alert and click save.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 137
Step 15. Head back to Splunk and click on the Splunk Enterprise icon to get to the Splunk homepage. At the
homepage, click on Search and Reporting.

Step 16. Within the Search bar, enter the following search string: index=main and hit return or click the search
icon

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 138
Step 17. You have now successfully configured Prisma Cloud Integration with Splunk. Let’s test it in real time.
Head back to the Docker Workstation and run the below command to trigger an incident:

docker run --name monero_cpu_minergate --rm -d

servethehome/monero_cpu_minergate

Step 18. Head back to the previous Splunk page and within the Search bar, enter the following search string:
index=main and hit return or click the search. Click the first result and expand the message [+].

Step 19. Navigate to Docker Workstation and in the terminal run the below commands to stop splunk container
in preparation for the next set of tasks as they aren’t needed anymore:

docker stop splunk

docker stop monero_cpu_minergate

Complexity: Easy

Product(s): Prisma Cloud Compute Edition

Scenario:
● You would like to configure Prisma Cloud to send you emails when there’s an alert/incident.

Key takeaways:
● Prisma Cloud mail integration.

Step 1. Navigate to PCCE Console > Manage > Alerts > Manage and click on Add Profile to add a provider

Step 2. Set the Profile name as “Email” and select “Email” in the Provider dropdown and click Next

Step 3. For the Triggers, enable the following and click next:

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 140
● Vulnerabilities: All
● Compliance: Container and Image compliance
● Cloud Discovery: Cloud Discovery
● Runtime: Container runtime and Incidents
● Access: All

Step 4. Head over to the Application Portal and click on Mail and copy the IP address from the URL bar (IP
may be different in your case)

Step 5. Head back to the Prisma Cloud Compute screen and input the following information on the
configuration screen:
● SMTP Address: The IP that you copied (without the http:// )
● Port: 1025
● From: [email protected]
● Recipients - Static list of emails: [email protected]

Step 7. Click Next. At the summary screen, click Send test Alert and click save.

Step 8. Head over to the mail server and you should see the Prisma Cloud test alert.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 142
Step 9. You have now successfully configured Prisma Cloud and Email integration. Let’s test it in real time.
Head back to the Docker Workstation and run the below command to trigger an incident:

docker run --name monero_cpu_minergate --rm -d

servethehome/monero_cpu_minergate

Step 10. Navigate to Docker Workstation and in the terminal run the below commands to stop mail container as
they it isn’t needed anymore:

docker stop maildev

docker stop monero_cpu_minergate

End of Activity 9

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 143
Activity 10: Feedback on Ultimate Test Drive
Thank you for attending the Ultimate Test Drive workshop. We hope you have enjoyed the presentation
and lab activities that we have prepared for you. Please take a few minutes to complete the online survey
form to tell us what you think.

Task 1: Take the online survey

Step 1. In your lab environment, click on the Survey menu item in the left menu bar.

Step 2. Please complete the survey and let us know what you think about this workshop.

Congratulations! You have now successfully completed the Prisma Cloud Native Security Ultimate Test Drive
workshop.

End of Lab

Prisma Cloud trial provisioning will take a few hours to complete. It’s very likely your free trial version tenant will
not be ready during this workshop. You can refer to the steps here to connect your existing AWS account to the
Prisma Cloud trail when it is ready. To connect other public cloud services to your Prisma Cloud trial account, visit
here for more details.
To connect your AWS Organizations (only supported on public AWS) or AWS accounts on the public AWS, AWS
China, AWS GovCloud account to Prisma™ Cloud, you must complete some tasks on the AWS management
console and some on Prisma Cloud. You will need sufficient access rights on the AWS account in order to
complete the onboarding process. The onboarding workflow enables you to create a Prisma Cloud role with either
read-only access to your traffic flow logs or with limited read-write access to remediate incidents. With the correct
permissions, Prisma Cloud can successfully connect to and access your AWS account(s).

Step 1: Create a CloudWatch log group and enable flow logs on your AWS account.

Step 2: Download the CFT template to set up the Prisma Cloud role on AWS.

(1) CFT to setup a role to Monitor the AWS account:

https://s3.amazonaws.com/redlock-public/cft/rl-read-only.template

(2) CFT to setup a role to Monitor & Protect the AWS account:

https://s3.amazonaws.com/redlock-public/cft/rl-read-and-write.template

Step 3: Create CloudFormation stack to deploy one of the CFT downloaded in the previous step to setup the
Prisma Cloud role on AWS.

Step 4: Once CFT deployment is successful, copy the value of the Prisma CloudARN from stack Outputs.

Step 5: With your Prima Cloud trial account ready, login to the Prisma Cloud tenant console and select
Settings > Cloud Accounts > Add New.

Step 6: Select AWS as the Cloud to Protect.

NOTE: Access denied is expected if you do this step on a Prisma Cloud tenant used in this lab. The
demo account used in this lab is a read-only account, it does not have full access to the Prisma Cloud
Service and access to some functions is denied.

Step 7: Enter a Cloud Account Name and click Next.

A cloud account name is auto-populated for you. You can replace it with a cloud account name that
uniquely identifies your AWS account on Prisma Cloud.

Step 8: Select either the Monitor or Monitor & Protect Mode and click Next.

UTD-CNSP-2.0 ©2023 Palo Alto Networks, Inc. | Confidential and Proprietary 145
Mode selection decides whether to enable permissions to only monitor (read-only access) or to
monitor and protect (read-write access) the resources in your AWS cloud account.

Step 9: Paste the Prisma CloudARN (refer step 4) and click Next.

The Prisma Cloud ARN has the External ID and permissions required for enabling authentication
between Prisma Cloud and your AWS account.

Step 10: Select the account groups and click Next.

Step 11: Review the onboarding Status of your AWS account and click Done and then click Close.

The status check verifies the services that are enabled and disabled on your AWS account.

For more detailed information please take a look at below link:

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-cloud-platfor
m-to-prisma-cloud/onboard-your-aws-account/add-aws-cloud-account-to-prisma-cloud.html#id8cd842
21-0914-4a29-a7db-cc4d64312e56

End of Appendix-1

Azure Kubernetes Service Course Resource 3
No ratings yet
Azure Kubernetes Service Course Resource 3
245 pages
Cultural Diversity and Global Awareness Assignment 1
No ratings yet
Cultural Diversity and Global Awareness Assignment 1
5 pages
Coatings and Inks
No ratings yet
Coatings and Inks
50 pages
UTD CNSP 2.0 Security Track
No ratings yet
UTD CNSP 2.0 Security Track
104 pages
About Kubernetes and Security Practices - Short Edition: First Edition, #1
From Everand
About Kubernetes and Security Practices - Short Edition: First Edition, #1
Ami Adi
No ratings yet
Cloud Computing Lab Manual
No ratings yet
Cloud Computing Lab Manual
30 pages
AWS Partner Security Best Practices (Technical) - 200-SIPSBP-14-En-SG
No ratings yet
AWS Partner Security Best Practices (Technical) - 200-SIPSBP-14-En-SG
206 pages
Lab6 - Implement Azure Kubernetes Service
No ratings yet
Lab6 - Implement Azure Kubernetes Service
6 pages
Cloud Computing Lab Manual
No ratings yet
Cloud Computing Lab Manual
73 pages
Terraform Guide
No ratings yet
Terraform Guide
89 pages
Unit 5
No ratings yet
Unit 5
45 pages
Cloud Security Lecture 4
No ratings yet
Cloud Security Lecture 4
59 pages
Git Presentation
No ratings yet
Git Presentation
125 pages
AWS Risk and Compliance Whitepaper 020315
No ratings yet
AWS Risk and Compliance Whitepaper 020315
128 pages
Continuous Kubernetes Security PDF
No ratings yet
Continuous Kubernetes Security PDF
113 pages
Securing Data Center Public Cloud
No ratings yet
Securing Data Center Public Cloud
40 pages
SLA and DevsecOps
No ratings yet
SLA and DevsecOps
11 pages
Introduction to Appsec Combined Keynote PDF
No ratings yet
Introduction to Appsec Combined Keynote PDF
107 pages
VPC Notes
No ratings yet
VPC Notes
10 pages
Implementing Traffic Control in A Microsoft Azure Virtual Network Slides
No ratings yet
Implementing Traffic Control in A Microsoft Azure Virtual Network Slides
15 pages
Module 8: Network and Security: Hands-On
No ratings yet
Module 8: Network and Security: Hands-On
9 pages
Secure Your Critical Workload On AWS: Harry Lin, Solutions Architect Amazon Web Services November 2016
No ratings yet
Secure Your Critical Workload On AWS: Harry Lin, Solutions Architect Amazon Web Services November 2016
33 pages
Building ADFS Infrastructure On Azure
No ratings yet
Building ADFS Infrastructure On Azure
46 pages
World Bank-Cloud Readiness Pilot Assessment Report Final-PUBLIC
No ratings yet
World Bank-Cloud Readiness Pilot Assessment Report Final-PUBLIC
82 pages
Cloud Identity and Access Guide
No ratings yet
Cloud Identity and Access Guide
22 pages
Aws Lab
No ratings yet
Aws Lab
16 pages
CCSK Overview
No ratings yet
CCSK Overview
24 pages
Get Elements of Cloud Computing Security A Survey of Key Practicalities 1st Edition Mohammed M. Alani (Auth.) Free All Chapters
100% (4)
Get Elements of Cloud Computing Security A Survey of Key Practicalities 1st Edition Mohammed M. Alani (Auth.) Free All Chapters
52 pages
AWS Container Day A Journey To Modern App
No ratings yet
AWS Container Day A Journey To Modern App
60 pages
erwin-Data-Modeler-Navigator-Edition-User-Guide_140
No ratings yet
erwin-Data-Modeler-Navigator-Edition-User-Guide_140
135 pages
Cloud On Board - Core Infra v5
No ratings yet
Cloud On Board - Core Infra v5
241 pages
2023 - Prisma Cloud - THE STATE OF CLOUD-NATIVE SECURITY 2023 REPORT
100% (1)
2023 - Prisma Cloud - THE STATE OF CLOUD-NATIVE SECURITY 2023 REPORT
25 pages
AWS - Security Specialty
No ratings yet
AWS - Security Specialty
106 pages
VMware Best Practices Kubernetes Security
No ratings yet
VMware Best Practices Kubernetes Security
8 pages
Assignment ON Red Hat Cloud Services
No ratings yet
Assignment ON Red Hat Cloud Services
12 pages
Module 6 Guided Lab
No ratings yet
Module 6 Guided Lab
11 pages
Google Cloud Notes
No ratings yet
Google Cloud Notes
59 pages
22) Route53
100% (1)
22) Route53
38 pages
AWS Immersion Day EC2 Hands-On Lab
No ratings yet
AWS Immersion Day EC2 Hands-On Lab
8 pages
Intro To DevSecOps
100% (1)
Intro To DevSecOps
119 pages
Cloud Manual
No ratings yet
Cloud Manual
63 pages
ArgoCD Threat Model
No ratings yet
ArgoCD Threat Model
48 pages
Hacktricks Cloud
No ratings yet
Hacktricks Cloud
1,854 pages
Cluster Architecture - Kubernetes
100% (1)
Cluster Architecture - Kubernetes
29 pages
Migrate To AWS Using CloudEndure and AWS Migration Hub ENT313-R2
No ratings yet
Migrate To AWS Using CloudEndure and AWS Migration Hub ENT313-R2
18 pages
Security Guidance For Critical Areas of Focus in Cloud Computing v5 Release Presentation
No ratings yet
Security Guidance For Critical Areas of Focus in Cloud Computing v5 Release Presentation
51 pages
Security Information and Event Management: Category 7
No ratings yet
Security Information and Event Management: Category 7
33 pages
Azure Policy Governance Checklist
No ratings yet
Azure Policy Governance Checklist
8 pages
AWS+Partner+ +Containers+on+AWS+ (Technical) + +v1.0.1 Compressed
No ratings yet
AWS+Partner+ +Containers+on+AWS+ (Technical) + +v1.0.1 Compressed
170 pages
INFO636 Module2 CloudSecurity Slides
No ratings yet
INFO636 Module2 CloudSecurity Slides
116 pages
Guidelines Implementing Aws Waf
No ratings yet
Guidelines Implementing Aws Waf
28 pages
08 - AWS Cloud Security and Access Management
No ratings yet
08 - AWS Cloud Security and Access Management
19 pages
Unified Threat Detection For AWS Cloud and Containers - CSA
No ratings yet
Unified Threat Detection For AWS Cloud and Containers - CSA
23 pages
Multi-Cloud Red Team - Pt.1: Joas Antonio
100% (1)
Multi-Cloud Red Team - Pt.1: Joas Antonio
18 pages
CIS Kubernetes Benchmark v1.4.1
No ratings yet
CIS Kubernetes Benchmark v1.4.1
254 pages
AWS 100 Days Challenge Course Content
No ratings yet
AWS 100 Days Challenge Course Content
12 pages
Security Best Practices Acc Version
No ratings yet
Security Best Practices Acc Version
114 pages
Container Security Checklist
No ratings yet
Container Security Checklist
15 pages
DevOps Jumpstarting-Your-DevSecOps Jeff-Williams AppSecEU2018
No ratings yet
DevOps Jumpstarting-Your-DevSecOps Jeff-Williams AppSecEU2018
37 pages
Dockers and Kubernetes: A Way To Build Scalable and Portable Applications With Cloud
No ratings yet
Dockers and Kubernetes: A Way To Build Scalable and Portable Applications With Cloud
133 pages
Public Cloud Security 6.0 Study Guide-Online
No ratings yet
Public Cloud Security 6.0 Study Guide-Online
178 pages
AWS in ACTION Part -1: Real-world Solutions for Cloud Professionals
From Everand
AWS in ACTION Part -1: Real-world Solutions for Cloud Professionals
Poonam Devi
No ratings yet
Kchs - Lesson 3.0 - Philosophy Ppt-23 Revised
No ratings yet
Kchs - Lesson 3.0 - Philosophy Ppt-23 Revised
29 pages
Cushman620369 Cushman 280 2200 G Service and Repair Manual Copy
No ratings yet
Cushman620369 Cushman 280 2200 G Service and Repair Manual Copy
194 pages
FORMS Showing TENSE Forms Showing Aspect: Characters Using Only Gesture, Facial Expression, and Action.)
No ratings yet
FORMS Showing TENSE Forms Showing Aspect: Characters Using Only Gesture, Facial Expression, and Action.)
4 pages
Dome Roof Table
No ratings yet
Dome Roof Table
1 page
Toward Merging Untargeted and Targeted Methods in Mass Spectrometry-Based Metabolomics and Lipidomics
No ratings yet
Toward Merging Untargeted and Targeted Methods in Mass Spectrometry-Based Metabolomics and Lipidomics
22 pages
Ss Automobiles
No ratings yet
Ss Automobiles
1,820 pages
Fortigate Hardware
No ratings yet
Fortigate Hardware
83 pages
Conference ProceedingsPRAGUE
No ratings yet
Conference ProceedingsPRAGUE
348 pages
Process Costing Test Bank SOLUTION
No ratings yet
Process Costing Test Bank SOLUTION
7 pages
Abominations Spreads
No ratings yet
Abominations Spreads
10 pages
Red Hat Enterprise Linux-9-Upgrading From RHEL 8 to RHEL 9-En-US
No ratings yet
Red Hat Enterprise Linux-9-Upgrading From RHEL 8 to RHEL 9-En-US
61 pages
Insructions Trad Part 2
No ratings yet
Insructions Trad Part 2
25 pages
Standard PPT Draft 2 Updated 23 - Feb - 2024
No ratings yet
Standard PPT Draft 2 Updated 23 - Feb - 2024
225 pages
Lean and ABC Accounting
No ratings yet
Lean and ABC Accounting
3 pages
Nissan
No ratings yet
Nissan
15 pages
MTA SSG WinServer Individual Without Crop
No ratings yet
MTA SSG WinServer Individual Without Crop
65 pages
Fire Protection Systems
No ratings yet
Fire Protection Systems
20 pages
Noc19-Ae05 Assignment Week 05
No ratings yet
Noc19-Ae05 Assignment Week 05
4 pages
EX3G HMI PLC All-in-One User Manual
No ratings yet
EX3G HMI PLC All-in-One User Manual
2 pages
Screw Jack Tutorial
No ratings yet
Screw Jack Tutorial
16 pages
Digital Control Systems: Sampling and Reconstruction
No ratings yet
Digital Control Systems: Sampling and Reconstruction
20 pages
Kinder timetable 2025
No ratings yet
Kinder timetable 2025
1 page
Lecture 9 (Trypanosoma)
No ratings yet
Lecture 9 (Trypanosoma)
30 pages
VLSpec6 For Stress Relieving
No ratings yet
VLSpec6 For Stress Relieving
11 pages
Mba ' Notes Theory of Probabilities in Business Statistics PDF
No ratings yet
Mba ' Notes Theory of Probabilities in Business Statistics PDF
18 pages
Cooltec EQP-1 Program Equalizer Plug-In Suite - User Guide v0.2
No ratings yet
Cooltec EQP-1 Program Equalizer Plug-In Suite - User Guide v0.2
17 pages
Object-Oriented Systems Development
No ratings yet
Object-Oriented Systems Development
64 pages
Mendoza Resume
No ratings yet
Mendoza Resume
4 pages