
PSE Prisma Cloud Professional

Study Guide
March 2022

PSE Prisma Cloud Professional by Palo Alto Networks


Table of Contents
Table of Contents 2

How to Use This Study Guide 5


What Has Changed in This Study Guide 5

About the PSE Prisma Cloud Professional Exam 5


Exam Format 5
How to Take This Exam 6
Disclaimer 6

Audience and Qualifications 6


Skills Required 6

Recommended Training 6

Domain 1: Business Value 7


1.1 Identify the business value of the five pillars of the Prisma Cloud platform 7
1.1.1 Identify the business value of Cloud Code Security 7
1.1.2 Identify the business value of Cloud Security Posture Management 7
1.1.3 Identify the business value of Cloud Workload Protection (CWP) 9
1.1.4 Identify the business value of Cloud Network Security 9
1.1.5 Identify the business value of Cloud Identity Security 10
1.1.6 References 11

Domain 2 Competitive Differentiators 12


2.1 Identify the value of cloud-native application protection platforms (CNAPPs) 12
2.1.1 Explain how Palo Alto Networks satisfies the requirements defined by CNAPP 12
2.1.2 Demonstrate the comprehensive coverage across the workload lifecycle (Build, Ship, Run) 15
2.1.3 Identify the visibility, monitoring, and automation capabilities of Prisma Cloud 18
2.1.4 Describe how Palo Alto Networks provides a holistic view of risk via the vulnerability and compliance dashboards 20
2.1.5 References 24

Domain 3 Architecture and Planning 25


3.1 Describe the architectural deployment concepts of Prisma Cloud Compute (PCC) 25
3.1.1 Differentiate between the types of Defenders 25
3.1.2 Differentiate between the types of Defenders 25
3.1.3 Describe the continuous integration, continuous delivery/deployment (CI/CD) pipeline and static analysis capabilities 27
3.1.4 Identify ways to deploy the Defenders 28
3.1.5 Explain how the console is hosted and that it must meet connectivity Requirements 28
3.1.6 References 28
3.2 Describe the architectural deployment concepts of Prisma Cloud 29

3.2.1 Identify the logs that will be ingested 29
3.2.2 Identify the application program interface (API) that will be called and the permissions required 29
3.2.3 Identify the types of available integrations 30
3.2.4 Explain how to onboard accounts 31
3.2.5 Identify the different machine learning settings 33
3.2.6 Explain the threat lifecycle in staging and development environments 34
3.2.7 Explain the benefits of Security by Design/Shift Left 36
3.2.8 References 36

Domain 4: Demonstration and Valuation 37


4.1 Design a customer-appropriate proof of concept (POC) for PCC 37
4.1.1 Integrate with the customer build pipeline 37
4.1.2 Integrate PCC into the customer environment to scan registries 39
4.1.3 Install PCC into the customer test environment 41
4.1.4 Test runtime for containers and hosts 43
4.1.5 Test Web Application and API Security (WAAS) features 51
4.1.6 Deploy Serverless Defender with auto-protect 54
4.1.7 Scan functions with console API for vulnerabilities and compliance 64
4.1.8 References 70
4.2 Design a customer-appropriate POC for Prisma Cloud 70
4.2.1 Assess the asset inventory and monitor the cloud resources 71
4.2.2 Conduct compliance reporting and use out-of-the-box policies 74
4.2.3 Demonstrate understanding of integration of alerts with downstream tools 79
4.2.4 Create custom policies with Resource Query Language (RQL) 83
4.2.5 Demonstrate understanding of entitlement permissions with Identity and Access Management (IAM) 84
4.2.6 References 86
4.3 Design a customer-appropriate POC for code security 86
4.3.1 Integrate with the customer repositories 86
4.3.2 Integrate Checkov with customer integrated development environment (IDE) / command-line interface (CLI) 88
4.3.3 Create a custom Infrastructure as Code (IaC) build policy 88
4.3.4 Compare and contrast fix/suppress options 93
4.3.5 Describe code security application within customer repositories 100
4.3.6 References 100

Domain 5 Deployment / Implementation Best Practices 102


5.1 Describe best practice deployment strategies for PCC 102
5.1.1 Differentiate between software as a service (SaaS) and self-hosted console 102
5.1.2 Describe how WAAS routes traffic 103
5.1.3 Describe Defender traffic through proxy 106
5.1.4 Describe Defender connectivity to console 107
5.1.5 References 109

5.2 Describe best practice for deploying/operationalizing for Prisma Cloud 109
5.2.1 Differentiate between single account and org onboarding 109
5.2.2 Explain how to map users to roles with permission and account groups 112
5.2.3 Demonstrate understanding of alert rules and integrations 114
5.2.4 Differentiate between onboarding for Amazon Web Services (AWS), Google Cloud Platform (GCP), and Azure 118
5.2.5 References 119

Appendix A: Sample Questions 120

Appendix B: Answers to Sample Questions 123

Appendix C: What’s Different in This Study Guide 126

Continuing Your Learning Journey with Palo Alto Networks 127

How to Use This Study Guide
Welcome to the Palo Alto Networks PSE: Prisma Cloud Professional Study Guide. The purpose of
this guide is to help you prepare for your PSE: Prisma Cloud Professional exam and achieve your
PSE credential.

You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.

About the PSE Prisma Cloud Professional Exam


This exam covers the knowledge, skills, and abilities pre-sales engineers need to position Palo Alto
Networks Prisma Cloud deployments and present and demonstrate the suite’s superiority.

More information is available from the Palo Alto Networks public page at:
https://theloop.paloaltonetworks.com/loop/se-pse-certifications-page-for-se-leaders

Technical documentation is located here: Partner Training Portal

Exam Format

The test format is 60 multiple-choice questions. Candidates will have five minutes to complete the
Non-Disclosure Agreement, 80 minutes (1 hour, 20 minutes) to complete the exam questions, and
five minutes to complete an exit survey.

The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in
the following table.

This exam is based on Product version

Exam Domain                                  Weight (%)
Business Value                               17%
Competitive Differentiators                  13%
Architecture and Planning                    25%
Demonstration and Evaluation                 30%
Deployment/Implementation Best Practices     15%
TOTAL                                        100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks

To register for the PSE Professional exams on the Pearson VUE website, candidates need to add a
Private Access Code:
1. PSE-PAC (if you are taking the exam at a testing center)
2. PSE-OP (if you are taking the exam at home or in the office)

Full instructions on how to schedule the exam can be found at:
https://www.paloaltonetworks.com/content/dam/pan/en_US/partners/marketing/docs/pse-exam-instructions.pdf

Disclaimer

This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is not
intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and use
the resources and courses recommended in this guide where needed to gain that understanding.

Audience and Qualifications


The intended audience for the PSE: Prisma Cloud Professional Exam:
● Specialist Pre-Sales System Engineers (Partner/Internal)
● Internal Core Pre-Sales System Engineers
● Partner and Internal Solutions Architects - Consulting Engineers
● Customer Success Engineers
● Technology Partner Engineers

Skills Required

The successful candidate can:


● independently, effectively, and technically position the Palo Alto Networks Prisma Cloud
solution.
● demonstrate understanding of current products, features, and technologies.
● demonstrate understanding of cloud technologies.
● demonstrate advanced proficiency of how workload protection is architected on public
providers with Prisma Cloud.
● successfully run and deliver a Prisma Cloud compliance and risk assessment.
● proficiently deploy and configure a Prisma Cloud proof-of-value (POV) or 30-day evaluation.

The successful candidate has also:


● passed the PSE: Prisma Cloud Associate Exam.

Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:
● PSE Foundation
● PSE Prisma Cloud Associate Course
● SE Boot Camp (internal only)

Domain 1: Business Value

1.1 Identify the business value of the five pillars of the Prisma Cloud platform

1.1.1 Identify the business value of Cloud Code Security

Prisma Cloud Code Security helps address cloud infrastructure misconfigurations in code before
they become alerts or incidents that security teams then need to triage. It works with your existing
DevOps resources and operates within the DevSecOps model to provide developer-friendly feedback,
so that your developers can fix configuration issues before the code is released and deployed into
your environments. Between development and deployment, agile teams typically work on
Infrastructure-as-Code (IaC): the team branches from the main branch, implements changes to
resources, checks dependencies, provisions the changes, and eventually merges and deploys them.
During this process, however, security checks are missed. Prisma Cloud Code Security gives these
teams features to add security checks to their existing IaC workflow, thereby ensuring security
throughout the build lifecycle.

Code Security integrates with a wide variety of code repositories and continuous integration and
continuous delivery (CI/CD) workflows to secure cloud infrastructure and applications early in
development. You can scan Infrastructure-as-Code (IaC) templates in Terraform, CloudFormation,
ARM, and Kubernetes to identify and fix misconfigurations in code and for continuous governance
to enforce policies. Code Security on Prisma Cloud gives you instant feedback and options for
immediate resolutions to your scanned misconfigurations.

Code Security will be available for Prisma Cloud tenants in the following environments:

● app.prismacloud.io
● app2.prismacloud.io
● app3.prismacloud.io
● app4.prismacloud.io
● app.anz.prismacloud.io
● app.ca.prismacloud.io
● app.eu.prismacloud.io
● app2.eu.prismacloud.io
● app.sg.prismacloud.io
● app.uk.prismacloud.io

1.1.2 Identify the business value of Cloud Security Posture Management

Cloud Security Posture Management (CSPM) leverages data from public cloud service providers to
deliver continuous visibility, security policy compliance, and threat detection across cloud resources,
users, data, and applications. CSPM includes shift-left capabilities to scan infrastructure-as-code
(IaC) templates across the application lifecycle. The API-based service enables granular visibility into
your resources deployed on public cloud platforms — Amazon Web Services (AWS), Google Cloud
Platform (GCP), and Microsoft Azure — and into the network traffic that flows to these resources
from the internet and between instances.

Prisma™ Cloud also provides threat detection and response for resource misconfigurations and
workload vulnerabilities and provides visibility into user activity within each cloud environment.
Tracking user activity helps you identify account compromises, escalation of privileges with
privileged accounts, and insider threats from malicious users, unauthorized activity, and inadvertent
errors. Prisma Cloud continuously monitors your cloud environments to help ensure that your cloud
infrastructure is protected from these security threats.
In addition to providing visibility and reducing risks, Prisma Cloud facilitates Security Operations
Center (SOC) enablement and adherence to compliance standards. As the service automatically
discovers and monitors compliance for new resources that are deployed in your cloud environment,
it enables you to implement policy guardrails to ensure that resource configurations adhere to
industry standards and helps you integrate configuration change alerts into DevSecOps workflows
that automatically resolve issues as they are discovered. This capability streamlines the process of
identifying issues and detecting and responding to a list of prioritized risks to maintain an agile
development process and operational efficiency.

The CSPM platform enforces and reports on key compliance standards across platforms, workloads,
and cloud services. It ensures compliance continuously across environments with the industry’s most
complete library of supported frameworks. It generates custom, audit-ready reports for standard and
customer-specific compliance standards with a single click. Prisma Cloud enables security teams to
easily investigate and automatically remediate compliance violations.

● Policies and DevOps
o Prisma Cloud monitors, scans, and controls public cloud assets.
o Prisma Cloud has more than 100 default policies with different templates. These
policies have good coverage of Center for Internet Security (CIS) standards of three
major cloud providers: AWS, Azure, and GCP.
o Security is addressed in the beginning of DevOps cycles, even during IaC
deployments. IaC scan functionality is available via DevOps plugins, API, and CLI
connections.

● Network Security
o Network protection must be adapted for cloud native environments while still
enforcing consistent policies across hybrid environments. Prisma Cloud detects and
prevents network anomalies by enforcing container-level microsegmentation,
inspecting traffic flow logs, and leveraging advanced cloud native Layer 7 threat
prevention.
o Network visibility and anomaly detection
o Identity-based microsegmentation
o Cloud native firewalling

● Identity Security
o Management of numerous privileged users with access to an ever-expanding set of
sensitive resources can be challenging. Cloud provider resources also have
permission sets that need to be managed. Prisma Cloud helps you leverage the
identity of cloud resources to enforce security policies and ensure secure user
behavior across your cloud environments.
o Identity and Access Management (IAM) security
o Machine identity
o User and entity behavior analytics (UEBA)
o Prisma Cloud functions are focused on the following attributes to address the
challenges with public cloud deployment.

1.1.3 Identify the business value of Cloud Workload Protection (CWP)

Cloud Workload Protection (CWPP) helps secure cloud native applications across the application
lifecycle, defined by the requirement to protect hosts (VMs), containers, and serverless from a single
console.

Prisma Cloud Compute is a cloud workload protection platform (CWPP) for the modern era. It offers
holistic protection for hosts, containers, and serverless deployments in any cloud and across the
software lifecycle. Prisma Cloud Compute is cloud-native and API-enabled. It can protect all your
workloads, regardless of their underlying compute technology or the cloud in which they run.
Prisma™ Cloud offers cloud workload protection as either a SaaS option or a self-hosted solution
that you deploy and manage.

The SaaS option, available with the Prisma Cloud Enterprise Edition, offers a single management
console for threat detection, prevention, and response for your heterogeneous environment where
your teams are leveraging public cloud platforms and a rich set of microservices to rapidly build and
deliver applications. The Compute tab on the Prisma Cloud administrative console enables you to
define policy and to monitor and protect the hosts, containers, and serverless functions within your
environment.

To monitor the workloads, you must deploy Prisma Cloud Defenders (the agents). All Defenders,
regardless of their type, connect back to the console using WebSocket over port 8084 to retrieve
policies, enforce vulnerability and compliance blocking rules in the environments where they are
deployed, and send data back to the Compute tab within the Prisma Cloud administrative console.

1.1.4 Identify the business value of Cloud Network Security

Cloud Network Security (CNS) helps protect cloud networks and applications, combining network
visibility and microsegmentation for full-stack network security across multi- and hybrid clouds.

Prisma Cloud enhances your network security posture within public cloud environments. It helps
you to find incidents and threats that are based on VPC flow logs and to assess the network
exposure of your cloud assets based on configuration. Prisma Cloud also ingests and monitors
network traffic from cloud services and allows you to query network events in your cloud
environments. You can detect when services, applications, or databases are exposed to the Internet
and if there are potential data exfiltration attempts. It also monitors network configuration and
traffic logs to and from your assets deployed on the cloud environment after you’ve onboarded your
cloud accounts.
Prisma Cloud’s built-in cloud network analyzer engine automatically calculates the net effective
reachability of cloud resources, such as EC2, RDS, and Redshift ENIs, and helps detect unrestricted
network access from the Internet or an external network domain by using two main vectors:

● Routing path exists from source to destination.
● Net effectiveness of all cloud-native network security policies in the path.

Prisma Cloud network security capabilities include high fidelity alerts that provide rich context, so
you know exactly how a particular cloud asset is exposed and can prioritize the risk and take
meaningful action. It includes out-of-the-box policies that help you identify risky network exposure.

1.1.5 Identify the business value of Cloud Identity Security

Cloud Identity Engine is a free app on the hub and it gives Prisma Access read-only access to your
Active Directory information. With Cloud Identity Engine, you can easily implement user-based
security policy and decryption.

● Authentication. Enable only legitimate users to access your network. Connect Prisma Access
to your Identity Provider (IdP) and choose the authentication method you want to use.
● Cloud Identity Engine. Cloud Identity Engine is a free app on the hub and it gives Prisma
Access read-only access to your Active Directory information.
● Identity Redistribution. So that you can enforce your security policy consistently, Prisma
Access shares identity data that GlobalProtect discovers locally across your entire Prisma
Access environment. Prisma Access can also share identity data with on-premises devices at
remote network sites or service connection sites (HQ and data centers).

1.1.6 References

● Cloud Code Security, Get Started with Prisma Cloud Code Security (paloaltonetworks.com)
● Cloud Security Posture Management, Cloud Security Posture Management | Prisma
Developer Docs | Palo Alto Networks (pan.dev)
● Cloud Workload Protection (CWP), Cloud Workload Protection Platform | Prisma Developer
Docs | Palo Alto Networks (pan.dev)
● Cloud Network Security, Prisma Cloud Network Security (paloaltonetworks.com)
● Cloud Identity Engine, Cloud Identity Engine (paloaltonetworks.com)

Domain 2 Competitive Differentiators

2.1 Identify the value of cloud-native application protection platforms (CNAPPs)

2.1.1 Explain how Palo Alto Networks satisfies the requirements defined by CNAPP

The Cloud Native Security Platform (CNSP) secures cloud native applications.

Cloud Security Posture Management


Cloud Security Posture Management (CSPM) leverages data from public cloud service providers to
deliver continuous visibility, security policy compliance, and threat detection across cloud resources,
users, data, and applications. CSPM includes shift-left capabilities to scan infrastructure-as-code
(IaC) templates across the application lifecycle.

Cloud Workload Protection


Cloud Workload Protection (CWPP) helps secure cloud native applications across the application
lifecycle, defined by the requirement to protect hosts (VMs), containers, and serverless from a single
console.

Cloud Networking Security


Cloud Network Security (CNS) helps protect cloud networks and applications, combining network
visibility and microsegmentation for full-stack network security across multi- and hybrid clouds.

Cloud Infrastructure Entitlement Management


Cloud Infrastructure Entitlement Management (CIEM) enables visibility and control over cloud
identities to ensure least-privileged user access governing cloud resources, compute, and data.

Data Security — Discovery, Classification, and Malware Detection for AWS S3

● Prisma Cloud Data Security is purpose-built to address the challenges of discovering and
protecting data at the scale and velocity common in public cloud environments.
o These new capabilities reduce the burden on security teams by providing a cloud
native solution that leverages Palo Alto Networks Enterprise DLP engine to help
easily discover and protect sensitive data that is stored across public cloud
environments.
o The Data Security module also uses Palo Alto Networks industry-leading WildFire
service to detect known and unknown malware that may have infiltrated the
customer’s Amazon Web Services Simple Storage Service (AWS S3) buckets.
o At launch, Prisma Cloud Data Security will enter limited GA and be available to a
subset of Prisma Cloud Enterprise Edition customers.

Web Application and API Security — Protecting Web Applications and APIs from Attacks

● Cloud native applications are made up of a combination of containers, functions, and
underlying host compute resources, and they require protection for front-end facing web
applications and APIs. The latest release integrates Web Application and API Security into
the Prisma Cloud unified agent framework.

Configuring Web Application and API Security in Prisma Cloud

● Users can protect applications against the OWASP Top 10 critical security risks for web
applications, secure APIs from application-layer attacks, implement file upload protection,
and more — all from a single dashboard integrated with the protection already leveraged
today.

Managing Identity-Based Microsegmentation in Prisma Cloud

Identity-Based Microsegmentation provides end-to-end visibility of network communications to
network and cloud security teams, along with comprehensive security policy control and
management. In the weeks after launch, the module will enter live preview and be available to a
subset of Prisma Cloud Enterprise Edition customers.

IAM Security — Establishing Least Privilege for Cloud Identities

● Securing user identity in the cloud presents tremendous challenges for cloud infrastructure
and security teams. Improper Identity and Access Management (IAM) configurations, such
as overly permissive roles, reusing roles, dormant roles, or exposed resources can
have profound consequences for cloud security.

Prisma Cloud IAM Security policies
With this latest release of Prisma Cloud 2.0, users can leverage our IAM Security module to gain
visibility into effective permissions and user activity, implement governance over excessive or
unused permissions, and respond to issues with least-privilege recommendations or automated
remediation.

2.1.2 Demonstrate the comprehensive coverage across the workload lifecycle (Build, Ship, Run)

Operationalizing Prisma Cloud can be broken into discrete steps:

1. Learn. Learn about Prisma Cloud concepts and how it all works.

2. Plan and deploy. Map Prisma Cloud onto your environment. Pick a deployment pattern and
customize it for your needs. Factor in automation, high availability, and disaster recovery.
Install Prisma Cloud in your environment.

3. Secure your environment (config, observe, gain Ops experience). Configure Prisma Cloud
features and define policy. Gain operational experience. Most customers focus on putting
one subsystem into operation at a time, and they typically do it in the following order:

● Vulnerability management
● Compliance
● Runtime defense and firewalls

There are three points at which Prisma Cloud can block a container:

Build

Build time. Prisma Cloud scans images after they are built to ensure they comply with your
vulnerability and compliance rules. If not, the build is deemed failed (blocked).

Asset Management and Vulnerability Management


When Defender is installed, it automatically starts scanning images, containers, and hosts for
vulnerabilities. Study this data before configuring any additional vulnerability scanning. Next,
configure Prisma Cloud to scan your registries. Then install and configure the Prisma Cloud Jenkins
plugin. If you use a CI tool other than Jenkins, then use twistcli, a stand-alone command line utility,
to scan the images emitted from the build. Finally, configure Prisma Cloud to scan your serverless
functions.

Prisma Cloud can gate both the CI and CD segments of your pipeline. Images are built in the CI
segment of the pipeline. After an image is built, Prisma Cloud scans it for vulnerabilities according
to thresholds defined in your policy. If the image passes the scan, it is promoted to the registry. If
the image does not pass the scan, then the build is deemed failed.
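An added example, not from this guide and not twistcli or the Jenkins plugin: a Python gate that applies severity thresholds to a constructed scan report and turns the decision into the exit code a CI job would use to fail the build. The report shape, package names and CVE identifiers are placeholders.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from enum import IntEnum


class Severity(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    severity: Severity
    fixed_in: str | None = None  # None: the vendor has not shipped a fix


@dataclass(frozen=True)
class GatePolicy:
    """Thresholds in the style of a vulnerability rule: findings at or above
    alert_at are reported, findings at or above fail_at stop the build."""
    alert_at: Severity = Severity.MEDIUM
    fail_at: Severity = Severity.HIGH
    fixable_only: bool = False  # when True, unfixable findings alert but never fail


def parse_report(raw: str) -> list[Finding]:
    """Parse a constructed JSON scan report (the shape is illustrative only)."""
    return [
        Finding(
            cve=item["cve"],
            package=item["package"],
            severity=Severity[item["severity"].upper()],
            fixed_in=item.get("fixed_in"),
        )
        for item in json.loads(raw)["vulnerabilities"]
    ]


def evaluate(findings: list[Finding], policy: GatePolicy) -> dict:
    """Return the gate decision together with the findings behind it."""
    alerts = [f for f in findings if f.severity >= policy.alert_at]
    blocking = [
        f for f in findings
        if f.severity >= policy.fail_at
        and (f.fixed_in is not None or not policy.fixable_only)
    ]
    return {
        "promote": not blocking,  # True -> image may be pushed to the registry
        "alerts": sorted(a.cve for a in alerts),
        "blocking": sorted(b.cve for b in blocking),
    }


def gate_exit_code(raw_report: str, policy: GatePolicy) -> int:
    """A non-zero exit fails the CI job, which is how the build is 'blocked'."""
    return 0 if evaluate(parse_report(raw_report), policy)["promote"] else 1


# Constructed report: one HIGH finding with no fix available (placeholder CVE ids).
REPORT_NO_FIX = json.dumps({"vulnerabilities": [
    {"cve": "CVE-0000-0001", "package": "libexample", "severity": "high"},
    {"cve": "CVE-0000-0002", "package": "libother", "severity": "medium", "fixed_in": "1.2.3"},
    {"cve": "CVE-0000-0003", "package": "libminor", "severity": "low", "fixed_in": "0.9.1"},
]})
# Constructed report: one fixable CRITICAL finding.
REPORT_CRITICAL = json.dumps({"vulnerabilities": [
    {"cve": "CVE-0000-0004", "package": "libcore", "severity": "critical", "fixed_in": "2.0.0"},
]})

if __name__ == "__main__":
    strict, lenient = GatePolicy(), GatePolicy(fixable_only=True)
    for name, raw in (("no-fix", REPORT_NO_FIX), ("critical", REPORT_CRITICAL)):
        print(name, "strict:", evaluate(parse_report(raw), strict))
        print(name, "fixable-only:", evaluate(parse_report(raw), lenient))
```

The fixable_only switch shows the trade-off a team makes when tuning thresholds: it keeps the build moving past findings nobody can fix yet, while still surfacing them as alerts.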

Configuration and Compliance


Prisma Cloud has hundreds of compliance checks. Most of them are based on the CIS Benchmarks,
including the Docker Engine benchmark, Kubernetes benchmark, and Distribution Independent
Linux benchmark. Our security research team graded each check (Critical, High, Medium, and Low)
so that you can focus on the issues most likely to expose your environment to a direct attack from
someone on the outside. The default rule sets all Critical and High checks to alert, and all Medium
and Low checks to ignore.

When deploying Prisma Cloud, you need to tune the default compliance policy to suit your
environment.

Deploy

Before the container runs: Prisma Cloud scans images before they run to ensure they comply with
your vulnerability and compliance policies.

When the container is running: If an anomaly is detected where a container’s activity deviates from
its known baseline activity, then the Prisma Cloud runtime defense system can block (stop) the
container.
Developers use various tools to build and deploy cloud native applications. Operationalizing security
controls that work seamlessly across these tools remains a challenge.

Run
Runtime protection: Be sure to scan for vulnerabilities that may exist in your production
environment. Equally important is setting up active defenses, like firewalls and workload isolation,
that can mitigate the risk and impact of a breach.

Maintenance and operations: Respond to incidents and alerts. Add and tweak rules and policy as
new apps are brought online. Upgrade Prisma Cloud as new releases are published. The timeline
should be used as a framework for deploying Prisma Cloud. Do not pay too much attention to the
number of weeks for each step. The steps are more important than the actual time spent. Timelines
vary substantially from organization to organization.

2.1.3 Identify the visibility, monitoring, and automation capabilities of Prisma Cloud

Prisma Cloud provides an agentless architecture that requires no changes to your host, container
engine, or applications. Prisma Cloud is deployed as a set of containers, as a service on your hosts,
or as a runtime component of your serverless function. For environments that do not support
deployment of Prisma Cloud as a privileged peer, we offer runtime application self-protection
(RASP) capabilities.

Prisma Cloud DevOps Security enables DevOps and security teams to identify insecure
configurations in Infrastructure-as-Code (IaC) templates and vulnerabilities in container images so
that security issues are identified before actual resources are deployed in runtime environments.

To identify potential issues, you can scan content in your IaC templates such as AWS
CloudFormation Templates (JSON or YAML format), HashiCorp Terraform templates (HCL format),
and Kubernetes App manifests (JSON or YAML format) against a list of IaC policies.
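As an added example (not Prisma Cloud's policy engine and not from this guide), a minimal Python scan that applies three constructed IaC policies to a CloudFormation template and a Kubernetes Deployment, both in JSON form. The templates, resource names, images and policy ids are made up.

```python
from __future__ import annotations

import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Violation:
    policy: str
    resource: str
    detail: str


# --- CloudFormation (JSON) policies -----------------------------------------
def cfn_admin_port_open_to_world(template: dict) -> list[Violation]:
    """Security group ingress from 0.0.0.0/0 whose port range covers SSH (22) or RDP (3389)."""
    found = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res.get("Properties", {}).get("SecurityGroupIngress", []):
            lo, hi = int(rule.get("FromPort", 0)), int(rule.get("ToPort", 65535))
            if rule.get("CidrIp") == "0.0.0.0/0" and any(lo <= p <= hi for p in (22, 3389)):
                found.append(Violation("cfn-admin-port-world", name, f"tcp {lo}-{hi} open to 0.0.0.0/0"))
    return found


def cfn_bucket_without_encryption(template: dict) -> list[Violation]:
    """S3 bucket declared without a BucketEncryption property."""
    return [
        Violation("cfn-s3-unencrypted", name, "BucketEncryption not set")
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::S3::Bucket"
        and "BucketEncryption" not in res.get("Properties", {})
    ]


# --- Kubernetes manifest (JSON) policy ----------------------------------------
def k8s_privileged_container(manifest: dict) -> list[Violation]:
    """Container with securityContext.privileged: true in a Pod or a workload template."""
    spec = manifest.get("spec", {})
    pod_spec = spec.get("template", {}).get("spec", spec)  # Deployment/Job vs bare Pod
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    return [
        Violation("k8s-privileged", f"{name}/{c.get('name')}", "privileged: true")
        for c in pod_spec.get("containers", [])
        if c.get("securityContext", {}).get("privileged") is True
    ]


def scan(document: str) -> list[Violation]:
    """Detect the document kind and run every policy that applies to it."""
    doc = json.loads(document)
    if "Resources" in doc:  # CloudFormation template
        return cfn_admin_port_open_to_world(doc) + cfn_bucket_without_encryption(doc)
    if "apiVersion" in doc and "kind" in doc:  # Kubernetes object
        return k8s_privileged_container(doc)
    return []


# Constructed templates; not taken from any real deployment.
CFN_TEMPLATE = json.dumps({"Resources": {
    "BastionSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}},
    "WebSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"SecurityGroupIngress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}]}},
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {"BucketEncryption": {
        "ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}},
}})
K8S_MANIFEST = json.dumps({
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "agent"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app", "image": "example/app:1.0"},
        {"name": "sidecar", "image": "example/sidecar:1.0", "securityContext": {"privileged": True}},
    ]}}},
})

if __name__ == "__main__":
    for v in scan(CFN_TEMPLATE) + scan(K8S_MANIFEST):
        print(f"[{v.policy}] {v.resource}: {v.detail}")
```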

Upon deployment, Prisma Cloud immediately begins working to secure your container and cloud
environment. Prisma Cloud supports discovery of assets within your cloud environment, allowing
you to easily identify assets that are not protected and to add them.

Prisma Cloud is easily integrated into your container build process with support for continuous
integration (CI) systems and registry/serverless repository scanning capabilities.

Prisma Cloud Compute is a cloud workload protection platform (CWPP) for the modern era. It offers
holistic protection for hosts, containers, and serverless deployments in any cloud and across the
software lifecycle. Prisma Cloud Compute is cloud-native and API-enabled. It can protect all your
workloads, regardless of their underlying compute technology or the cloud in which they run.

Console
Prisma Cloud Compute Console serves as the user interface within Prisma Cloud. The graphical user
interface (GUI) lets you define policy, configure and control your Prisma Cloud deployment, and
view the overall health (from a security perspective) of your container environment. Console also
provides an API for customers who want to control Prisma Cloud programmatically to build out
their own integrations or custom tooling. The API is thoroughly documented. Endpoints are
provided for all features, functions, and controls offered in the GUI.

When installing Prisma Cloud Compute, install Console first, then install Defender. Defender is the
component of Prisma Cloud that runs on each host; more detail is provided below. Defender can be
installed from the deployment tabs in Console’s graphical user interface. Defender, as the initiator
of the connection, requires network connectivity to the Console.

Prisma Cloud provides automation in the product that generates the required artifacts for common
orchestration platforms such as Kubernetes, OpenShift, and Swarm. Prisma Cloud can also
generate Helm charts to ease deployment for organizations that have adopted Helm as their
packaging standard.

Defender
Prisma Cloud Defenders enforce the policies defined in Console and send event data up to the
Console for correlation. There are several types of Defenders and, depending on the assets in your
environment that require protection, you may end up deploying all of them or only a subset.
Defenders support the full variety of workloads in cloud native environments:

● Container Defender: This Defender type is deployed as a container on every asset running
containers in your infrastructure.
● Host Defender: This Defender type is deployed for virtual machines that do not run
containers.
● Fargate Defender: This Defender type deploys as part of your Fargate deployment.
● Serverless Defender: This Defender type deploys as part of your serverless function and
provides Runtime Application Self Protection (RASP) capabilities.

In general, deploy Container Defender whenever you can. It offers the most features and can
simultaneously protect both containers and host. This means that nothing needs to be embedded
inside your containers for Defender to be able to protect them.

By default, Defender establishes a connection to Console on TCP port 8084, but you can customize
the port to meet the needs of your environment. All traffic between the Defender and the console is
TLS encrypted.

2.1.4 Describe how Palo Alto Networks provides a holistic view of risk via the vulnerability and
compliance dashboards

To know the state of your cloud infrastructure, you need visibility into all the assets and
infrastructure that make up your cloud environment and a pulse on your security posture.

Whether you want to detect a misconfiguration or you want to continually assess your security
posture and adherence to specific compliance standards, Prisma Cloud provides out-of-the-box
policies (auditable controls) for ongoing reporting and measurement.

Policies are for risk assessment, and they help to reduce the risk of business disruptions. Prisma
Cloud provides policies that map to compliance standards, and also provides a larger set of policies
that enable prevention or detection of security risks to which your cloud assets are exposed.
Anomaly policies are an example of policies that are typically not a part of compliance standards.
Anomaly policies inform you of actions performed on your cloud assets by entities that are users,
services, or IAM roles that have authorization to access and modify your cloud assets. However, the
entities are not cloud assets.

Prisma Cloud supports the need to keep track of potential risks and threats to your cloud
infrastructure with dashboards for your asset inventory, compliance posture, and out-of-the-box
policies that generate alerts for cloud assets that are in violation. When a policy is violated, an alert
is triggered in real time.

While alerts help you detect policy violations in real time and enable you to investigate what
happened, the Asset Inventory and Compliance dashboards also provide hourly snapshots of your
assets and compliance posture for the last full hour.

From the Asset Inventory and the Compliance dashboards, you can directly access all open alerts
organized by severity. You can also view asset details as of the last hour from the Asset Explorer.

2.1.5 References

● CNAPP, https://docs.paloaltonetworks.com/prisma/prisma-cloud.html
● Prisma Cloud Reference Architecture (Compute),
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architectur
e-compute/platform_components/defender.html
● Prisma App-specific Network Intelligence,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/tech
nology_overviews/app_specific_network_intelligence.html

Domain 3 Architecture and Planning

3.1 Describe the architectural deployment concepts of Prisma Cloud Compute (PCC)

3.1.1 Differentiate between the types of Defenders

Prisma Cloud Defenders enforce the policies defined in Console and send event data up to the
Console for correlation. There are several types of Defenders and, depending on the assets in your
environment that require protection, you may end up deploying either all of them or a subset.
Defenders support the full variety of workloads in cloud native environments, as follows:

● Container Defender. This Defender type is deployed as a container on every asset running
containers in your infrastructure.
● Host Defender. This Defender type is deployed for virtual machines that do not run
containers.
● Fargate Defender. This Defender type deploys as part of your Fargate deployment.
● Serverless Defender. This Defender type deploys as part of your serverless function and
provides Runtime Application Self Protection (RASP) capabilities.

3.1.2 Differentiate between the types of Defenders

Prisma Cloud supports multi-tenancy and unlimited scale. We accomplish this with our project
capabilities.

Prisma Cloud supports two types of projects: tenant projects and scale projects.

Multi-tenancy is a feature of on-premises Console deployment. If you are using a SaaS Console, you
may have multiple tenants provisioned through your SaaS subscription.

Multi-tenancy — Tenant Projects

● The Central Console has full visibility into the entire estate. Using the Central Console, you
can set up tenant projects that act as a self-contained Console and Defender setup. Users
can only see and administer their subsection of the estate.
● Tenant projects are like silos: they each have their own rules and settings that are created
and maintained separately from all other projects.
● This is represented in the left-hand side of the above diagram.

Scale — Scale Projects
● Each Console can support 5,000 Defenders. By utilizing scale projects, we can allocate
Consoles to a Central Console. This enables an unlimited number of Defenders.
● Defenders communicate to the scale project Console (5,000 Defenders per scale project
Console), which the scale project Console aggregates and sends to a Central Console.
● Policies and rules are inherited by the scale project from the Central Console. Users and
administrators operate from the Central Console, which pushes changes to the scale
projects.
● These are shown in the right-hand side of the above diagram.

Configuration of Projects
In essence, you deploy the Console that you want to become the Central Console and connect that
to another Console via the user interface. Prisma Cloud will then configure it appropriately.

By default, the master and its supervisor Consoles communicate over port 8083. You can configure
a different port by setting MANAGEMENT_PORT_HTTPS in twistlock.cfg at install time. All
Consoles must use the same value for MANAGEMENT_PORT_HTTPS.

3.1.3 Describe the continuous integration, continuous delivery/deployment (CI/CD) pipeline and
static analysis capabilities

Engineering teams can integrate Prisma Cloud vulnerability and compliance scanning capabilities
into their development process. Prisma Cloud provides a native Jenkins plugin, as well as a
stand-alone command-line tool called twistcli, for integration with your continuous integration (CI)
pipeline.

Prisma Cloud CI integration enables automatic scans of your custom Docker images at build time.
Scans can detect vulnerabilities and compliance issues before your images are pushed to the
registry and deployed into production. Thresholds can be specified to fail builds of images that have
issues exceeding a specified severity.

The Prisma Cloud Jenkins plugin is compatible with Jenkins version 1.58 or higher. The Prisma
Cloud Jenkins plugin must be able to reach Prisma Cloud Console over the network. The Prisma
Cloud plugin depends on two other Jenkins plugins: Static Analysis Utilities and Dashboard View.

Scan reports show detailed information for each vulnerability, including information that can assist
with remediation (i.e., which package versions fix the vulnerability). Trend charts show how the
number of security issues has changed over time.

If your Jenkins server runs as a container, mount the Docker socket from the host into the Jenkins
container at runtime using: "-v /var/run/docker.sock:/var/run/docker.sock".

This enables the Prisma Cloud plugin to run Docker commands via the host’s Docker installation.

The results of the scans via Jenkins or twistcli are available in the Console.

3.1.4 Identify ways to deploy the Defenders

Defender can be installed one of the following ways:

● One at a time, on each host that you want to protect: Use this method for simple
proof-of-concept environments or when you are not using an orchestrator. You can also
install Defenders via whichever configuration management or automation tools you are
already using (e.g., Ansible, Puppet, or Chef).
● As an orchestrator-native construct: For example, you can deploy Defender as a DaemonSet
in Kubernetes and OpenShift environments or as a global service in Docker Swarm
environments. Orchestrator-native constructs ensure that Defender is automatically
deployed to every node in the cluster, even as the cluster dynamically scales up or down.
● As a system service on hosts that do not have Docker.
● As a Windows system service on hosts that do not have Docker.
● As a part of your Fargate deployment, serverless function, or other cloud native workload
deployment.

By default, Defender establishes a connection to Console on TCP port 8084, but you can customize
the port to meet the needs of your environment. All traffic between the Defender and the console is
TLS encrypted.

3.1.5 Explain how the console is hosted and that it must meet connectivity requirements

Prisma Cloud Compute Console is offered as an on-premises deployment or as Software as a
Service (SaaS). Security capabilities are identical across the two options; however, customers may
opt for one deployment model or the other based on their individual architecture needs.

For an on-premises deployment, regardless of how Console is installed and where it operates,
Console requires access to persistent storage. Console can be deployed using either your
orchestrator’s native HA capabilities or the built-in high availability (HA) capabilities of Prisma Cloud.

When installing Prisma Cloud Compute, install Console first, then install Defender. Defender is the
component of Prisma Cloud that runs on each host. Defender can be installed from the deployment
tabs in Console’s graphical user interface. Defender, as the initiator of the connection, requires
network connectivity to the Console.

3.1.6 References

● Build-Time Inspection,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architectur
e-compute/ci_pipeline/build_time_inspection
● Manage Compliance,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/com
pliance/manage_compliance
● Projects,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architectur
e-compute/multitenancy_and_scale/projects.html

3.2 Describe the architectural deployment concepts of Prisma Cloud

3.2.1 Identify the logs that will be ingested

AWS
To monitor your AWS account, you must create a role that grants Prisma Cloud access to your flow
logs and read-only access (to retrieve and view the traffic log data) or a limited read-write access (to
retrieve traffic log data and remediate incidents). To grant these permissions, copy the
policies from the relevant template and attach them to the role. Event logs associated with the
monitored cloud account are automatically retrieved by Prisma Cloud.

Azure
To enable Prisma™ Cloud to access Azure flow logs and monitor flow-related data (such as volume
of traffic generated by a host, top sources of traffic to the host, or to identify which ports are in use),
you must provide the required permissions.

Google
With VPC flow logs, Prisma Cloud helps you visualize flow information for resources deployed in
your GCP projects. VPC flow logs on GCP projects provide flow-level network information of packets
going to and from network interfaces that are part of a VPC (including a record of packets flowing
to a source port and destination port, as well as the number of distinct peers connecting to an
endpoint IP address and port) so that you can monitor your applications from the perspective of
your network. On the Investigate page, you can view the traffic flow between virtual machines in
different service-projects and/or host-projects that are using shared VPC network and firewall rules.

VPC flow logs are supported on VPC networks only and are not available for legacy networks on
GCP. To analyze these logs on Prisma Cloud, you must enable VPC flow logs for each VPC subnet
and export the logs to a sink that holds a copy of each log entry. Prisma Cloud requires you to
export the flow logs to a single cloud storage bucket, which functions as the sink destination that
holds all VPC flow logs in your environment.

When you then configure Prisma Cloud to ingest these logs, the service can analyze this data and
provide visibility into your network traffic and detect potential network threats such as crypto
mining, data exfiltration, and host compromises.

Prisma Cloud automates VPC flow log compression using the Google Cloud Dataflow service and
saves them to your storage bucket for ingestion. Consider enabling the Google Cloud Dataflow
service and enabling log compression because transferring raw GCP flow logs from your storage
bucket to Prisma Cloud can add to your data cost.

3.2.2 Identify the application program interface (API) that will be called and the permissions
required

Only Prisma Cloud users with the System Admin role can access Compute. By default, the Prisma
Cloud System Admin role is mapped to the Prisma Cloud Compute Administrator role.

Prisma Cloud provides API endpoints to monitor the health and availability of deployed
components.

● Console Service Availability:
o Monitor the Prisma Cloud API and ensure the ping API returns "200 ok"
o API endpoint: GET /api/v1/_ping
o Example command: curl -u admin:Password 'https://<console-ip>:8083/api/v1/_ping'

● Intelligence Stream Connectivity:
o The Intelligence Stream is used to pull down threat and CVE data.

API calls are essential in developing automation scripts for reporting, deployment, and
config-as-code scenarios.

Reporting Endpoints
● Reporting API calls are used to download health data or scan data such as vulnerabilities,
compliance, and runtime results. Access to the underlying data in JSON and CSV
formats allows customers to easily access and transform data into business intelligence in
forms that meet their needs. The output may be human-readable reports or, in other cases,
the reporting data may feed automated decisions and processes. These are mostly under
the Monitor section in Compute.

Config as Code
● "Configuration as code is the formal migration of config between environments, backed by a
version control system." Customers who want to programmatically store and manage the
configuration of infrastructure components can utilize these to automate such components
by using the same approaches they have used for production code and services.

Deployment and Config
● Deployment and config endpoints are essential for being able to properly automate the
installation of the console and defenders, as well as any configuration that deals with
integrations. These are useful to those who base their management of environments on
automation via tools such as Ansible, Puppet, Terraform, etc. to define desired
configurations.

3.2.3 Identify the types of available integrations

Prisma™ Cloud provides multiple out-of-the-box integration options that you can use to integrate
Prisma Cloud into your existing security workflows and with the technologies you already use.

Inbound or Pull-Based Integrations
The Amazon GuardDuty, AWS Inspector, Qualys, and Tenable integrations are inbound or
pull-based integrations where Prisma Cloud periodically polls for the data and retrieves it from the
external integration system.

Outbound or Push-Based
Outbound or push-based integrations are where Prisma Cloud sends data about an alert or error to
the external integration system. With the exception of PagerDuty and email, Prisma Cloud performs
periodic checks and background validation to identify exceptions or failures in processing
notifications. The status checks are displayed on the Prisma Cloud administrator console: red if the
integration fails validation checks for accessibility or credentials; yellow if one or more templates
associated with the integration are invalid; or green when the integration is working and all
templates are valid. Any state transitions are also displayed on the Prisma Cloud administrator
console to help you find and fix potential issues.

3.2.4 Explain how to onboard accounts

Prisma Cloud is 100 percent API-based. Automation can be leveraged to utilize external processes
that automate tasks within Prisma Cloud. Examples of how this automation has been utilized
include the exporting of alerts into a data warehouse for custom dashboarding as well as
automating account onboarding into Prisma Cloud as part of organizational account provisioning.

Documentation for our APIs can be accessed only from within the console:

● Log in to the Prisma Cloud Portal.
● Click the ? in the bottom right.
● Click API Docs.

The documentation for installation of the CLI and its usage can be accessed only from within the
console and is co-located with the API documentation.

Follow these steps to access the API documentation:

● In the top left of the screen, click API Reference.
● Select Guides.

References:

● Operationalizing Prisma Cloud for SecOps,
https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/Prisma_Cloud_Artic
les/23/10/SecOps%20Operationalization%20for%20Prisma%20Cloud.pdf
● Prisma Cloud REST API doc,
https://api.docs.prismacloud.io/reference#add-cloud-account

The specific API used to add a new cloud account onto the Prisma Cloud platform is Add Cloud
Account – Onboard. The APIs can be executed with their respective options.

3.2.5 Identify the different machine learning settings

Prisma Cloud allows you to define different thresholds for anomaly detection for Unusual Entity
Behavior Analysis (UEBA) that correspond to policies that analyze audit events, and for unusual
network activity that corresponds to policies that analyze network flow logs. You can also define
your preference for when you want to generate alert notifications based on the severity assigned to
the anomaly policy.

The Training Model Threshold informs Prisma Cloud of the values to use for setting the baseline for
the machine learning (ML) models.

For unusual user activity:

● Low: The behavioral models are based on observing at least 25 events over 7 days.
● Medium: The behavioral models are based on observing at least 100 events over 30 days.
● High: The behavioral models are based on observing at least 300 events over 90 days.

For account hijacking:

● Low: The behavioral models are based on observing at least 10 events over 7 days.
● Medium: The behavioral models are based on observing at least 25 events over 15 days.
● High: The behavioral models are based on observing at least 50 events over 30 days.

3.2.6 Explain the threat lifecycle in staging and development environments

Threat Lifecycle in Staging

There are four Prisma Cloud systems to bring online and operationalize: vulnerability management,
compliance, runtime defense, and firewalls. Each system should be operationalized in these stages:

Stage 1. Configure the feature. Turn on what you need. All systems ship with sensible default rules.

Stage 2. Observe the incoming data (audits, reports, etc.) and become familiar with the feature and
its capabilities.

Stage 3. Put your policy into place one step at a time. Tighten your rules in measured steps, giving
all teams time to acclimatize at each step.

Threat Lifecycle in Development Environment

Prisma Cloud is a comprehensive cloud-native security platform with the industry’s broadest
security and compliance coverage — for applications, data, and the entire cloud-native technology
stack — throughout the development lifecycle and across multi- and hybrid cloud deployments.

Below are key features that Prisma Cloud is capable of providing to secure the cloud.

Prisma Cloud protects cloud native applications, data, network, compute, storage, users, and
higher-level PaaS services across cloud platforms. It dynamically discovers resources as they are
deployed and correlates cloud service-provided data (resource configurations, flow logs, audit logs,
host and container logs, etc.) to provide security and compliance insights into your cloud
applications and workloads.

Prisma Cloud uses machine learning to profile users, workload, and app behaviors and prevent
advanced threats. It also integrates with developer IDE environments and any CI/CD tool to provide
full lifecycle vulnerability management, infrastructure-as-code scanning, runtime defense, and
cloud native firewalling.

Prisma Cloud vastly simplifies the task of maintaining compliance with the industry's most
complete library of compliance frameworks. It provides this through deep context sharing that
spans infrastructure, PaaS services, users, development platforms, data, and application workloads.

Prisma Cloud seamlessly integrates with security orchestration tools to ensure rapid remediation of
vulnerabilities.

Prisma Cloud delivers each respective functionality that it provides with the capabilities to achieve
it.

3.2.7 Explain the benefits of Security by Design/Shift Left

During the build phase, Prisma™ Cloud enables developers to scan virtual machine images,
container images, Pivotal Application Service (PAS) droplets, and serverless functions for
vulnerabilities and unsecure configurations using native security plugins for integrated
development environments (IDEs), source code management (SCM), and continuous
integration/continuous delivery (CI/CD) that seamlessly integrate into existing tools.

Prisma Cloud also enables you to scan your infrastructure-as-code (IaC) templates to find unsecure
configurations used with Terraform®, CloudFormation, Kubernetes manifests, and similar
technologies. Additionally, Prisma Cloud gives security teams the control to fail a build based on
vulnerability or compliance issues, preventing unsecure software from progressing further in the
pipeline and instead forcing the developer to resolve the issues.

3.2.8 References

● Prisma Cloud Reference Architecture (Compute),
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architectur
e-compute/operational_concerns/monitoring.html
● Cloud Account Onboarding,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/connect-your-
cloud-platform-to-prisma-cloud/onboard-your-aws-account/set-up-your-prisma-cloud-role-f
or-aws-manual.html
● Prisma Cloud Integrations,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-exte
rnal-integrations-on-prisma-cloud/prisma-cloud-integrations.html
● Define Prisma Cloud Enterprise and Anomaly Settings,
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/dita/_graphics/uv/prisma/pri
sma-cloud/prisma-cloud-admin/anomaly-policies-network-settings.png
● Prisma Cloud REST API Doc, https://api.docs.prismacloud.io/reference#add-cloud-account

Domain 4: Demonstration and Valuation

4.1 Design a customer-appropriate proof of concept (POC) for PCC

4.1.1 Integrate with the customer build pipeline

Prisma Cloud software consists of two components: Console and Defender. Install Prisma Cloud in
two steps: Install Console first, then install Defender.

● Console is the Prisma Cloud management interface. It lets you define policy and monitor
your environment. Console is delivered as a container image.
● Defender protects your environment according to the policies set in Console. There are a
number of Defender types, each designed to protect a specific resource type.

Install one Console per environment, as follows:

● A single instance of Console for the entire environment.
● Or run an instance of Console for each of the production, staging, and development environments.

Install Container Defender on every host that runs containers, as follows:

● Container orchestrators typically provide native capabilities for deploying an agent, such as
Defender, to every node in the cluster.
o Prisma Cloud Defender is deployed in Kubernetes and OpenShift clusters as a
DaemonSet.
● Deploy the Defender type that is best suited for the job.

All Defenders, regardless of their type, report back to Console.

● Defender connects to Console via WebSocket to retrieve policies and send data.
o The Defender WebSocket connects to Console on port 8084 (configurable at install
time).
o Console may run in one Virtual Private Cloud (VPC) in AWS, and your containers may
run in another VPC. Each VPC may have a different RFC1918 address space, and
communication between VPCs might be limited to specific ports in a security group.
Use whichever address lets Defender connect to Console.

4.1.2 Integrate PCC into the customer environment to scan registries

Prisma Cloud can scan container images in public and private repositories on public and private
registries. The registry is a system for storing and distributing container images. The most
well-known public registry is Docker Hub, although there are also registries from Amazon, Google,
and others. Organizations can also set up their own internal private registries. Prisma Cloud can
scan container images on all of these types of registries.

After repository scanning is configured, Prisma Cloud automatically scans images for vulnerabilities.
Periodic scans are run at an interval specified in Configure > System > Scan (by default, the interval
is once every 24 hours).

Deployment patterns
Registry scanning is handled by Defender. When you configure Prisma Cloud to scan a registry, you
can do one of the following:

● Let Prisma Cloud automatically distribute the scan job across a pool of available Defenders.
● Explicitly specify which Defender will do the job.

Any Container Defender running on a host with the Docker Engine container runtime or container
runtime interface (CRI) can scan a registry, and any number of Container Defenders can
simultaneously operate as registry scanners. This provides lots of options when you are trying to
determine how to cover disparate environments.

In general, you should configure Prisma Cloud to automatically distribute scan jobs because it
reduces operational complexity and improves resiliency. At scan time, Prisma Cloud enumerates
the available Defenders, manages the resource pool, and handles issues such as restarting partially
completed jobs. If you explicitly select a specific Defender to handle scanning, the host where
Defender runs is a single point of failure. If the host fails or gets destroyed, you must manually
reconfigure your scan configuration with a different Defender.

When selecting the automatic algorithm for registry scanning, you can specify the number of
Defenders in the resource pool. For large registries or aggressive scan intervals, increase the
number of Defenders to improve throughput and reduce scan time.

Registry scanning is scoped by OS type. Windows Defenders can only scan Windows images, and
Linux Defenders can only scan Linux images.

If you remove an image from the registry, or the registry becomes unavailable, Prisma Cloud
maintains the scan results for 30 days. After 30 days, the scan results are purged.

Configure Prisma Cloud to Scan a Registry

To scan images in a registry, create a new registry scan rule.
Prerequisites: At least one Defender must be deployed in your environment.

Step 1: Open Console.

Step 2: Go to Defend > Vulnerabilities > Registry.

Step 3: Click on Add registry settings.

Registries on a large scale
When you have very large registries, you must optimize your scan configuration to maximize
throughput and minimize scan time. Follow the instructions below to improve your registry
scanning process:

● For large registries or aggressive scan intervals, increase the number of scanners in the
scope.
The number of scanning defenders should increase with regard to the registry size. As the
number of images in the registry increases, so should the number of defenders scanning
this registry.

● Use the default cap value (cap = 5) in your registry scan configuration.
The scanner makes many API calls to the registry to retrieve metadata for the registry, repos,
and images. All metadata must be collected, collated, and sorted before scanning can start.
Consider the normal flow for collecting metadata:

Get a list of all repos in the registry
For each repo:
    Get a list of all image tags
    For each image tag:
        Get the image manifest (which contains the last modified date)
Sort, Cap, Scan

After fetching all metadata, the scanner sorts the images by last modified date, and caps the
list if a cap value is specified in the scan configuration. The default cap value is 5. With a cap
of 5, the scanner fetches the five most recently modified images from each repository in the
registry for scanning.

When setting a large number for cap, or setting cap to 0 (to scan all images in a repository),
the registry scan will be longer.

● Use a version matching pattern in your registry scan configuration.
Further to the previous section on cap, if you specify a version matching pattern, the scanner
looks to the image tag for sort order. Without a version matching pattern, the sort order is
based on the last modified date. With a version matching pattern, users customize how the
scanner interprets image tags for sorting. For example, if you utilize semantic versioning in
your image names, you could specify the following version pattern:

*-%d.%d.%d

The scanner parses each image tag, extracts the pattern from the tag, and splits it into its
constituent parts. After all tags are parsed, they are sorted and capped according to your
configuration. The optimized flow for collecting metadata eliminates the inner loop,
substantially reducing the number of requests to the registry so scanning can start sooner.

Get a list of all repos in the registry
  For each repo:
    Get a list of all image tags
Sort, Cap, Scan

If your repo had three images, and your scan configuration specified a cap of 2 and version
pattern of *-%d.%d.%d, you’d get the following result:

myimage-3.0.0 <<<--- Scan
myimage-2.0.1 <<<--- Scan
myimage-2.0.0 (Not scanned)

● Create multiple collections of Defender scanners when you have multiple registries.
Each registry should have dedicated Defenders to perform the scanning. If a 1:1 ratio of
Defender collections to registries is not feasible, create as many collections as possible to
split the load. Do not reuse the same Defender collection for all registries.
This setup prevents the scenario where a single IP (a single Defender) performs too many
queries to the registry provider API for repo/tag discovery, which might cause the Defender
to be throttled.

● Properly dimension the hardware where Defenders run.
Follow the hardware system requirements for Defenders that perform registry scanning.

● Colocate Defender scanners in the same region as the registry.
Minimize network latency by running Defenders in the same region as your registries.
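The two metadata flows described above, as an added example in Python that is not Prisma Cloud's own code: it models cap and version-pattern selection for a constructed registry and counts the registry API requests each flow needs, which shows why the version pattern lets scanning start sooner. The translation of `*-%d.%d.%d` into a regular expression and the skipping of tags that do not match the pattern are assumptions.

```python
"""Constructed model of how a registry scan picks images to scan (added example;
not Prisma Cloud code). The version pattern translation is an assumption."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ImageTag:
    tag: str
    last_modified: datetime  # comes from the image manifest (default flow only)


def version_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a version pattern such as '*-%d.%d.%d' into a regex.

    Assumed rules: '*' matches any prefix, '%d' captures one numeric
    component, everything else is taken literally."""
    parts: List[str] = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("%d", i):
            parts.append(r"(\d+)")
            i += 2
        elif pattern[i] == "*":
            parts.append(r".*?")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def version_key(regex: "re.Pattern[str]", tag: str) -> Optional[Tuple[int, ...]]:
    """Numeric components of the tag, or None when the tag does not match."""
    m = regex.match(tag)
    return tuple(int(g) for g in m.groups()) if m else None


def cap_list(ordered: List[ImageTag], cap: int) -> List[ImageTag]:
    """cap=0 means scan everything; otherwise keep only the first `cap` entries."""
    return list(ordered) if cap == 0 else list(ordered[:cap])


def select_by_version(tags: List[ImageTag], pattern: str, cap: int) -> List[ImageTag]:
    """Optimized flow: sort by the version parsed from the tag, newest first.
    Tags that do not match the pattern are left out (assumption)."""
    regex = version_pattern_to_regex(pattern)
    keyed = [(version_key(regex, t.tag), t) for t in tags]
    matched = [(k, t) for k, t in keyed if k is not None]
    matched.sort(key=lambda kt: kt[0], reverse=True)
    return cap_list([t for _, t in matched], cap)


def select_by_last_modified(tags: List[ImageTag], cap: int) -> List[ImageTag]:
    """Default flow: sort by the manifest's last modified date, newest first."""
    ordered = sorted(tags, key=lambda t: t.last_modified, reverse=True)
    return cap_list(ordered, cap)


def plan_registry_scan(registry: Dict[str, List[ImageTag]], cap: int = 5,
                       version_pattern: Optional[str] = None) -> Tuple[Dict[str, List[str]], int]:
    """Return (tags to scan per repo, number of registry API requests needed).

    Request accounting follows the flows in the guide: one call to list repos,
    one per repo to list tags, and in the default flow one more per tag to
    fetch its manifest (the inner loop that the version pattern removes)."""
    requests = 1  # list all repos in the registry
    plan: Dict[str, List[str]] = {}
    for repo, tags in registry.items():
        requests += 1  # list all tags in this repo
        if version_pattern is None:
            requests += len(tags)  # one manifest fetch per tag
            chosen = select_by_last_modified(tags, cap)
        else:
            chosen = select_by_version(tags, version_pattern, cap)
        plan[repo] = [t.tag for t in chosen]
    return plan, requests


# Constructed sample registry: a 2.0.1 hotfix was pushed after 3.0.0, so the two
# sort orders disagree; "api" shows numeric (not lexicographic) version ordering.
SAMPLE_REGISTRY: Dict[str, List[ImageTag]] = {
    "myimage": [
        ImageTag("myimage-3.0.0", datetime(2022, 1, 10)),
        ImageTag("myimage-2.0.1", datetime(2022, 3, 1)),
        ImageTag("myimage-2.0.0", datetime(2022, 2, 1)),
    ],
    "api": [
        ImageTag("api-1.2.0", datetime(2022, 2, 15)),
        ImageTag("api-1.10.0", datetime(2022, 2, 20)),
    ],
}

if __name__ == "__main__":
    for label, kwargs in [("last modified, cap 2", {"cap": 2}),
                          ("pattern *-%d.%d.%d, cap 2", {"cap": 2, "version_pattern": "*-%d.%d.%d"})]:
        plan, n = plan_registry_scan(SAMPLE_REGISTRY, **kwargs)
        print(f"{label}: {plan} using {n} registry requests")
```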

Additional scan settings

Additional scan settings can be found under Manage > System > Scan, where you can set the
registry scan interval. The Manage > System > Scan page has an option called Only scan images
with running containers. This option does not apply to registry scanning; all images targeted by
your registry scanning rule will be scanned regardless of how the Only scan images with running
containers option is set.

4.1.3 Install PCC into the customer test environment

Prisma Cloud software consists of two components: Console and Defender. Palo Alto Networks
hosts Console for you. To secure your environment, deploy Defender to it.

Console is Prisma Cloud’s management interface. It allows you to define policy and monitor your
environment.
Defender protects your environment according to the policies set in Console. There are a number of
Defender types, each designed to protect a specific resource type.

The primary concern for most customers getting started with Prisma Cloud is securing their
container environment. To do this, install Container Defender on every host that runs containers.
Container orchestrators typically provide native capabilities for deploying an agent, such as
Defender, to every node in the cluster. Prisma Cloud leverages these capabilities to install Defender.


For example, Kubernetes and OpenShift offer DaemonSets, which guarantee that an agent runs on
every node in the cluster. Prisma Cloud Defender is therefore deployed in Kubernetes and
OpenShift clusters as a DaemonSet.

In this section, you’ll find dedicated install guides for all popular container platforms. Each guide
shows how to install Prisma Cloud for that given platform.

As you adopt other cloud-native technologies, Prisma Cloud can be extended to protect those
environments too. Deploy the Defender type best suited for the job. For example, today you might
use Amazon EKS (Kubernetes) clusters to run your apps. This part of your environment would be
protected by Container Defender. Later you might adopt AWS Lambda functions. This part of your
environment would be secured by Serverless Defender. Extending Prisma Cloud to protect other
types of cloud-native technologies calls for deploying the right Defender type.

All Defenders, regardless of their type, report back to Console, which allows you to secure hybrid
environments with a single tool. The main criterion for installing Defender is that it can connect to
Console. Defender connects to Console via websocket to retrieve policies and send data. In Prisma
Cloud Enterprise Edition (SaaS platform for Compute), the Defender websocket connects to
Console on port 443 (not configurable).

INSTALL PROCEDURE: Kubernetes
DESCRIPTION: Prisma Cloud runs on any implementation of Kubernetes, whether you build the cluster
from scratch or use a managed solution (also known as Kubernetes as a service). We've tested and
validated the install on:

● Amazon Elastic Kubernetes Service (Amazon EKS)
● Azure Container Service with Kubernetes
● Azure Kubernetes Service (AKS)
● Google Kubernetes Engine (GKE)
● IBM Kubernetes Service (IKS)
● Alibaba Cloud Container Service for Kubernetes

In some cases, there is a dedicated section for installing on a specific cloud provider's managed
solution. When there is no dedicated section, use the generic install method.

INSTALL PROCEDURE: OpenShift 3.11 & OpenShift 4
DESCRIPTION: Prisma Cloud offers native support for OpenShift.

INSTALL PROCEDURE: VMware Tanzu Kubernetes Grid
DESCRIPTION: VMware Tanzu Kubernetes Grid is built on the latest stable OSS distribution of
Kubernetes. Prisma Cloud always supports the latest version of Kubernetes, so installing Prisma
Cloud on TKG is easy. Follow the standard Kubernetes install procedure.

INSTALL PROCEDURE: Docker Swarm
DESCRIPTION: Prisma Cloud supports Docker Swarm using Swarm-native features. Deploy Defender as a
global service, which guarantees that Defender is automatically deployed to each worker node in
the cluster.

INSTALL PROCEDURE: Amazon ECS
DESCRIPTION: To install Prisma Cloud, configure the launch configuration for Amazon ECS cluster
members to download and run Defenders, guaranteeing that every node is protected.

INSTALL PROCEDURE: Windows
DESCRIPTION: Install Defender on Windows hosts running containers. Defender is installed using a
PowerShell script.

Encryption
All network traffic is encrypted with TLS (https) for user to Console communication. Likewise, all
Defender to Console communication is encrypted with TLS (WSS).

The Prisma Cloud database is encrypted at rest in Google Cloud Storage with AES 256-bit
encryption.

4.1.4 Test runtime for containers and hosts

Runtime defense is the set of features that provide both predictive and threat-based active
protection for running containers. For example, predictive protection includes capabilities like
determining when a container runs a process that is not included in the original image or creates
an unexpected network socket. Threat-based protection includes capabilities like detecting when
malware is added to a container or when a container connects to a botnet.

Prisma Cloud has distinct sensors for file system, network, and process activity. Each sensor is
implemented individually, with its own set of rules and alerting. The runtime defense architecture is
unified to both simplify the admin experience and to show more detail about what Prisma Cloud
automatically learns from each image. Runtime defense has two principal object types: models and
rules.

Container Models
Models are the results of the autonomous learning that Prisma Cloud performs every time we see a
new image in an environment. A model is the allow list for what a given image should be doing
across all runtime sensors. Models are automatically created and maintained by Prisma Cloud and
provide an easy way for administrators to view and understand what Prisma Cloud has learned
about their images. For example, a model for an Apache image would detail the specific processes
that should run within containers derived from the image and which network sockets should be
exposed.

Navigate to Monitor > Runtime > Container Models. Click on the image to view its model.

There is a 1:1 relationship between models and images; every image has a model, and every model


applies to a single unique image. For each image, a unique model is created and mapped to the
image digest. Therefore, even if there are multiple images with the same tags, Prisma Cloud will
create unique models for each.

Models are built from both static analysis (such as building a hashed process map based on parsing
an init script in a Dockerfile ENTRYPOINT) and dynamic behavioral analysis (such as observing
actual process activity during early runtime of the container). Models can be in one of three modes:
Active, Archived, or Learning.

Capabilities
Some containers are difficult to model. For example, Jenkins containers dynamically build and run
numerous processes, and the profile of those processes changes depending on what is being built.
Constructing accurate models to monitor processes in containers that build, run, test, and deploy
software is impractical, although other aspects of the model can still have utility. Prisma Cloud
automatically detects known containers and overrides one or more aspects of the model with
capabilities.

Capabilities are discrete enhancements to the model that tune runtime behaviors for specific apps
and configurations. Rather than changing what is learned in the model, these enhancements
modify how Prisma Cloud acts on observed behaviors.
For example, the following model for the Jenkins container is enhanced with the capability for
writing and executing binaries.


Runtime Defense for Hosts
Host machines are a critical component in the container environment, and they must be secured
with the same care as containers. Prisma Cloud Defender collects data about your hosts for
monitoring and analysis.
Runtime host protection is designed to continuously report an up-to-date context for your hosts.
You can set alerts for filesystem, process, network, log file events, and more. Some events, such as
process executions, can be blocked.

Enabling Host Runtime Protection

Runtime protection for hosts is enabled by default. When Defender is installed, it automatically
starts collecting data about the underlying host. Prisma Cloud ships with a default rule named
Default – alert on suspicious runtime behavior, which enables some basic monitoring. To see the
rule, open Console, then go to Defend > Runtime > Host Policy.
As part of the default rule, Prisma Cloud Advanced Threat Protection (TATP) is enabled. TATP
supplements runtime protection by alerting you in the following instances:

● Malware is found anywhere on the host file system.
● Connections are made to banned IP addresses.
● Attempts to hijack execution flow are detected on the host.

Process monitoring is also enabled in the default rule, with both crypto miner detection and SSH
session history enabled. To view the data collected, go to Monitor > Runtime > Host Observations,
then select a host from the table.

Host Runtime Policy

Create new rules to enhance host protection. Go to Defend > Runtime > Host Policy and click Add
Rule.


Rules can be scoped by the following:

● Hostname
● Labels
● Cloud account

For labels, Prisma Cloud supports AWS tags as well as distro attributes. Distro attributes are
designed for central security teams that manage the policies in Console but have little influence
over the operational practices of the groups that run apps in the environments being secured. If the
central security team cannot rely on naming conventions or labels to apply policies that are
OS-specific (e.g., different compliance checks for different operating systems), they can leverage the
distro attributes. Supported distro attributes are as follows:

● Distro name — "osDistro:<value>" (e.g., "osDistro:Ubuntu")
● Distro version — "osVersion:<value>" (e.g., "osVersion:20.04")

Process Monitoring
Process monitoring lets you alert or block specific processes by explicit policy. The Processes tab in
the host runtime rule dialog has suggestions for processes known to aid exploits.

Additionally, SSH history tracking can be disabled in this tab; the hosts in scope are set in the
General tab.

Log Inspection
Prisma Cloud lets you collect and analyze operating system and application logs for security
events. For each inspection rule, specify the log file to parse and any number of inspection
expressions. Inspection expressions support the RE2 regular expression syntax.

Several predefined rules are provided for apps such as SSHD, MongoDB, and Nginx.
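Log inspection as an added example that is not Prisma Cloud's own code: a rule with three inspection expressions is run over constructed sshd log lines and the failed logins are aggregated by source address. Python's re module stands in for RE2 here; the expressions use no backreferences or lookarounds, so they are valid RE2 syntax as well. The rule name, log path and log lines are constructed.

```python
"""Constructed example of a log inspection rule applied to an sshd log (added
example; not Prisma Cloud code). Python's re is used; the expressions avoid
backreferences and lookarounds, so they are also valid RE2 syntax."""
import re
from dataclasses import dataclass
from typing import Any, Dict, List

# Inspection expressions. Capture groups pull out the fields an audit should carry.
FAILED_LOGIN = r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
ACCEPTED_KEY = r"Accepted publickey for (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
BREAK_IN = r"POSSIBLE BREAK-IN ATTEMPT"


@dataclass(frozen=True)
class LogInspectionRule:
    name: str
    path: str               # log file to parse
    expressions: List[str]  # any number of inspection expressions


SSHD_RULE = LogInspectionRule(
    name="sshd-auth",
    path="/var/log/auth.log",  # assumed path for the constructed sample
    expressions=[FAILED_LOGIN, ACCEPTED_KEY, BREAK_IN],
)

# Constructed sample log lines (203.0.113.0/24 is documentation address space).
SAMPLE_AUTH_LOG = """\
Mar  1 10:00:01 host1 sshd[1201]: Accepted publickey for deploy from 10.0.0.5 port 51234 ssh2
Mar  1 10:00:07 host1 sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  1 10:00:09 host1 sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  1 10:00:15 host1 sshd[1215]: Failed password for root from 203.0.113.9 port 40130 ssh2
Mar  1 10:01:00 host1 CRON[1300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def inspect_log(rule: LogInspectionRule, lines: List[str]) -> List[Dict[str, Any]]:
    """Run every inspection expression over every line and emit one audit per
    matching line (the first matching expression wins)."""
    compiled = [(expr, re.compile(expr)) for expr in rule.expressions]
    audits: List[Dict[str, Any]] = []
    for lineno, line in enumerate(lines, start=1):
        for expr, rx in compiled:
            m = rx.search(line)
            if m:
                audits.append({
                    "rule": rule.name,
                    "file": rule.path,
                    "line": lineno,
                    "expression": expr,
                    "groups": m.groups(),
                    "raw": line,
                })
                break
    return audits


def failed_logins_by_source(audits: List[Dict[str, Any]]) -> Dict[str, int]:
    """Aggregate FAILED_LOGIN audits by source IP, the first thing an analyst
    wants when triaging password guessing against a host."""
    counts: Dict[str, int] = {}
    for audit in audits:
        if audit["expression"] == FAILED_LOGIN:
            src = audit["groups"][1]  # second capture group is the source address
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    found = inspect_log(SSHD_RULE, SAMPLE_AUTH_LOG.splitlines())
    for a in found:
        print(f"{a['file']}:{a['line']} [{a['rule']}] {a['raw']}")
    print("failed logins by source:", failed_logins_by_source(found))
```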

Networking


Prisma Cloud enables you to secure host networking. You can filter DNS traffic and alert on inbound
and outbound connections.

DNS
When DNS monitoring is enabled, Prisma Cloud filters DNS lookups. By default, DNS monitoring is
disabled. Dangerous domains are detected as follows:

● Prisma Cloud Intelligence Stream: The Prisma Cloud threat feed contains a list of known bad
domains.
● Explicit allow and deny lists: Host runtime rules let you augment the Prisma Cloud
Intelligence Stream data with your own lists of known good and bad domains.

When DNS monitoring is enabled, configure how Defender handles DNS lookups in one of the
following ways:

● Alert: Anomalous activity generates audits.
● Prevent: Anomalous activity generates audits. Anomalous DNS lookups are dropped.

IP Connectivity
You can raise alerts when inbound or outbound connections are established. Specify inbound ports
and outbound IPs and ports.

Outbound connections are event-driven, which means you will be notified as soon as a process
attempts to establish a connection. Prisma Cloud polls inbound connections, which instead means
you will be notified periodically, and not necessarily the moment an inbound connection is
established.

Activities
Set up rules to audit host events.

File Integrity Management (FIM)

Changes to critical files can reduce your overall security posture and can be the first indicator of an
attack in progress. Prisma Cloud FIM continually watches the files and directories in your
monitoring profile for changes. You can configure FIM to detect the following:

● Reads or writes to sensitive files, such as certificates, secrets, and configuration files
● Binaries written to the file system
● Abnormally installed software (files written to a file system by programs other than apt-get)

A monitoring profile consists of rules, where each rule specifies the path to monitor, the file
operation, and exceptions.


The file operations supported are as follows:

● Writes to files or directories: When you specify a directory, recursive monitoring is supported.
● Reads: When you specify a directory, recursive monitoring is not supported.
● Attribute changes: The attributes watched are permissions, ownership, timestamps, and
links. When you specify a directory, recursive monitoring is not supported.

Monitoring
To view the data collected about each host, go to Monitor > Runtime > Host Observations and
select a host from the table.

Apps
The Apps tab lists the running programs on the host. New apps are added to the list only on a
network event.

● Prisma Cloud automatically adds some important apps to the monitoring table even if they
do not have any network activity, including cron and systemd.


For each app, Prisma Cloud records the following details:

● running processes (limited to 10)
● outgoing ports (limited to five)
● listening ports (limited to five)

Prisma Cloud keeps a sample of spawned processes and network activity for each monitored app,
as follows:

● Spawned processes: These processes are spawned by the app and include observation
timestamps, username, process (and parent process) paths, and the executed command
line (limited to 10 processes).

● Outgoing ports: These are ports used by the app for outgoing network activity, including
observation timestamps, the process that triggered the network activity, IP address, port,
and country resolution for public IPs (limited to five ports).

● Listening ports: These are ports used by the app for incoming network activity, including the
listening process and observation timestamps (limited to five ports).

Process events will add the process only to existing apps in the profile. Defender will cache the
runtime data, saving timestamps for the last spawn time for each of the 10 processes.

Limitations are as follows:

● Maximum of 100 apps
● Last 10 spawned processes for each app


SSH Session History
The SSH Events tab shows SSH commands run in interactive sessions, limited to 100 events per
hour.

Security Updates
Prisma Cloud periodically checks for security updates. This is implemented as a compliance check.
The feature is supported only for Ubuntu/Debian distributions with the "apt-get" package installer.

Prisma Cloud probes for security updates every time the scanner runs (every 24 hours by default).
The check is enabled by default in Defend > Compliance > Hosts in the Default – alert on critical and
high rule.

The security updates tab shows pending security updates (based on a new compliance check that
was added for this purpose). This is supported for Ubuntu and Debian.


On each host scan, Prisma Cloud checks for available package updates marked as security updates.
If such updates are found, they are listed under the security updates tab.

Audits
Audits can be viewed under Monitor > Events.

4.1.5 Test Web Application and API Security (WAAS) features

WAAS (Web-Application and API Security, formerly known as CNAF, Cloud Native Application
Firewall) is a web application firewall (WAF) designed for HTTP-based web applications deployed
directly on hosts, as containers, application embedded, or serverless functions. WAFs secure web
applications by inspecting and filtering layer 7 traffic to and from the application.

WAAS enhances the traditional WAF protection model by deploying closer to the application, easily
scaling up or down and allowing for inspection of "internal" traffic (east-to-west) from other
micro-services as well as inbound traffic (north-to-south).

For containerized web applications, WAAS binds to the application’s running containers, regardless
of the cloud, orchestrator, node, or IP address where it runs, and without the need to configure any
complicated routing. For non-containerized web applications, WAAS simply binds to the host
where the application runs.

Highlights of WAAS’s capabilities:

● OWASP Top-10 Coverage. Protection against the most critical security risks to web
applications, including injection flaws, broken authentication, broken access control, security
misconfigurations, etc.

● API Protection. WAAS is able to enforce API traffic security based on definitions/specs
provided in the form of Swagger or OpenAPI files.

● Access Control. WAAS controls access to protected applications using Geo-based, IP-based,
or HTTP Header-based user defined restrictions.

● File Upload Control. WAAS secures application file uploads by enforcing file extension rules.

● Detection of Unprotected Web Applications. WAAS detects unprotected web applications
and flags them in the radar view.

● Penalty Box for Attackers. WAAS supports a five-minute ban of IPs triggering one of its
protections to slow down vulnerability scanners and other attackers probing the application.

● Bot Protection. WAAS detects known good bots as well as other bots, headless browsers,
and automation frameworks. WAAS is also able to fend off cookie droppers and other
primitive clients by mandating the use of cookies and JavaScript in order for the client to
reach the protected origin.

● DoS Protection. WAAS is able to enforce rate limiting on IPs or Prisma Sessions to protect
against high-rate and "low and slow" Layer 7 DoS attacks.


Architecture
WAAS is deployed via Prisma Compute Defenders, which operate as a transparent HTTP proxy,
evaluating client requests against security policies before relaying the requests to your application.
Defenders are deployed into the environment in which the web applications run. WAAS’s
management console is independent of the Defenders and can be self-hosted or provided as a
service (SaaS).

When a firewall is deployed, Defender reroutes traffic bound for your web application to WAAS for
inspection. If a connection is secured with TLS, Defender decrypts the traffic, examines the content,
and then re-encrypts it.


Legitimate requests are passed to the target container or host. Requests triggering one or more
WAAS protections generate a WAAS "event audit" and an action is taken based on the
preconfigured action (see "WAAS Actions" below).
WAAS’s event audits can be further explored in the "Monitor" section of Prisma Compute’s
management console (Monitor > Events). In addition, event audits are registered in the Defender’s
syslog, thus allowing for integration with third-party analytics engines or SIEM platforms of choice.

WAAS Actions
Requests that trigger a WAAS protection are subject to one of the following actions:

● Alert – The request is passed to the protected application and an audit is generated for
visibility.
● Prevent – The request is denied from reaching the protected application, an audit is
generated, and WAAS responds with an HTML page indicating the request was blocked.
● Ban – Can be applied on either IP or Prisma Session IDs. All requests originating from the
same IP/Prisma Session to the protected application are denied for the configured time
period (default is five minutes) following the last detected attack.

Supported Protocols

● HTTP 1.0, 1.1, 2.0 – full support of all HTTP methods
● TLS 1.0, 1.1, 1.2, 1.3
● WebSockets Passthrough


4.1.6 Deploy Serverless Defender with auto-protect
Serverless Defender protects serverless functions at runtime. It monitors your functions to ensure
they execute as designed.

Per-function policies let you control:

● Process activity. Enables verification of launched subprocesses against policy.
● Network connections. Enables verification of inbound and outbound connections and
permits outbound connections to explicitly allowed domains.
● File system activity. Controls which parts of the file system functions can access.

Currently, Prisma Cloud supports AWS Lambda functions. The following runtimes are supported:

● C# (.NET Core) 2.1, 3.1
● Java 8, 11
● Node.js 10.x, 12.x, 14.x
● Python 2.7, 3.6, 3.7, 3.8
● Ruby 2.5, 2.7

Securing serverless functions

To secure an AWS Lambda function, embed the Prisma Cloud Serverless Defender into it. The steps
to do so include:

● If you are not using a deployment framework like SAM or Serverless Framework, download a
ZIP file that contains your function source code and dependencies. (This first step is
optional.)
● Embed the Serverless Defender into the function.
● Deploy the new function or upload the updated ZIP file to AWS.
● Define a serverless protection runtime policy.
● Define a serverless WAAS policy.

(Optional) Download your function as a ZIP file.

Download your function’s source code from AWS as a ZIP file.

Step 1: From Lambda’s code editor, click Actions > Export function.

Step 2: Click Download deployment package.

Your function is downloaded to your host as a ZIP file.

Step 3: Create a working directory and unpack the ZIP file there.
In the next step, you’ll download the Serverless Defender files to this working directory.

Embed Serverless Defender into C# functions

In your function code, import the Serverless Defender library and create a new protected handler
that wraps the original handler. The protected handler will be called by AWS when your function is
invoked. Update the project configuration file to add Prisma Cloud dependencies and package
references.


Prisma Cloud supports .NET Core 2.1 and 3.1.

Step 1: Open Compute Console, and go to Manage > Defenders > Deploy > Single Defender.

Step 2: The DNS name Serverless Defender uses to connect to your Compute Console is
pre-populated for you.

Step 3: In Choose Defender type, select Serverless.

Step 4: In Runtime, select C#.

Step 5: Download the Serverless Defender package to your workstation.

Step 6: Unzip the Serverless Defender bundle into your working directory.

Step 7: Embed the serverless Defender into the function by importing the Prisma Cloud library and
wrapping the function’s handler.

Function input and output can be a struct or a stream. Functions can be synchronous or
asynchronous. The context parameter is optional in .NET, so it can be omitted.

Step 8: Add the Twistlock package as a dependency in your nuget.config file.

If a nuget.config file doesn’t exist, create one.

Step 9: Reference the Twistlock package in your csproj file.


Step 10: Generate the value for the TW_POLICY environment variable by specifying your function’s
name and region.

Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve
policy and send audits.

Copy the value generated for TW_POLICY and set it aside.

Step 11: Upload the protected function to AWS and set the TW_POLICY environment variable.

Embed Serverless Defender into Java functions

To embed Serverless Defender, import the Twistlock package and update your code to start
Serverless Defender as soon as the function is invoked. Prisma Cloud supports both Maven and
Gradle projects. You’ll also need to update your project metadata to include Serverless Defender
dependencies.

Prisma Cloud supports both predefined interfaces in the AWS Lambda Java core library:
RequestStreamHandler (where input must be serialized JSON) and RequestHandler.

AWS lets you specify handlers as functions or classes. In both cases, Twistlock.Handler(), the entry
point to Serverless Defender, assumes the entry point to your code is named handleRequest. After
embedding Serverless Defender, update the name of the handler registered with AWS to be the
wrapper method that calls Twistlock.Handler() (for example, protectedHandler).

Prisma Cloud supports both service struct and stream input (serialized struct). Even though the
Context parameter is optional for unprotected functions, it is mandatory when embedding
Serverless Defender.

Prisma Cloud supports Java 8 and Java 11.

Step 1: Open Compute Console, and go to Manage > Defenders > Deploy > Single Defender.

Step 2: The DNS name Serverless Defender uses to connect to your Compute Console is
pre-populated for you.

Step 3: In Choose Defender type, select Serverless.


Step 4: In Runtime, select Java.

Step 5: In Package, select Maven or Gradle.

The steps for embedding Serverless Defender differ depending on the build tool.

Step 6: Download the Serverless Defender package to your workstation.

Step 7: Unzip the Serverless Defender bundle into your working directory.

Step 8: Embed Serverless Defender into your function by importing the Prisma Cloud package and
wrapping the function’s handler.

Step 9: Update your project configuration file.

1. Maven
Update your pom.xml file. Do not create new sections for the Prisma Cloud configurations;
simply update existing sections. For example, do not create a new <plugins> section if one
exists already. Just append a <plugin> section to it.

Add the assembly plugin to include the Twistlock package in the final function JAR. Usually,
the shade plugin is used in AWS to include packages in standalone JARs, but it does not
permit the inclusion of local system packages.

2. Create an assembly.xml file, which packs all dependencies into a standalone JAR.

Step 10: Gradle

Update your build.gradle file.

1. Add the Twistlock package reference in the project configuration file, i.e., build.gradle.

Step 11: In AWS, set the name of the Lambda handler for your function to protectedHandler.

Step 12: Generate the value for the TW_POLICY environment variable by specifying your function’s
name and region.

Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve
policy and send audits.

Copy the value generated for TW_POLICY and set it aside.

Step 13: Upload the protected function to AWS and set the TW_POLICY environment variable.

Embed Serverless Defender into Node.js functions

Import the Serverless Defender module and configure your function to start it. Prisma Cloud
supports Node.js 10.x, 12.x, and 14.x.

Step 1: Open Compute Console, and go to Manage > Defenders > Deploy > Single Defender.

Step 2: The DNS name that the Serverless Defender uses to connect to your Compute Console is
pre-populated for you.

Step 3: In Choose Defender type, select Serverless.

Step 4: In Runtime, select Node.js.

Step 5: Download the Serverless Defender package to your workstation.

Step 6: Unzip the Serverless Defender bundle into your working directory.


Step 7: Embed the serverless Defender into the function by importing the Prisma Cloud library and
wrapping the function’s handler.

1. For asynchronous handlers:

2. For synchronous handlers:

Step 8: Generate the value for the TW_POLICY environment variable by specifying your function’s
name and region.

Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve
policy and send audits.

Copy the value generated for TW_POLICY and set it aside.

Step 9: Upload the protected function to AWS and set the TW_POLICY environment variable.

● Prisma Cloud Serverless Defender includes native Node.js libraries. If you are using webpack,
please refer to tools such as native-addon-loader to make sure these libraries are included in
the function ZIP file.

Embed Serverless Defender into Python functions

Import the Serverless Defender module, and configure your function to invoke it. Prisma Cloud
supports Python 2.7, 3.6, 3.7, and 3.8.

Step 1: Open Compute Console, and go to Manage > Defenders > Deploy > Single Defender.

Step 2: The DNS name that Serverless Defender uses to connect to your Compute Console is
pre-populated for you.


Step 3: In Choose Defender type, select Serverless.

Step 4: In Runtime, select Python.

Step 5: Download the Serverless Defender package to your workstation.

Step 6: Unzip the Serverless Defender bundle into your working directory.

Step 7: Embed the serverless Defender into the function by importing the Prisma Cloud library and
wrapping the function’s handler.

1. Option 1:

2. Option 2:

Step 8: Generate the value for the TW_POLICY environment variable by specifying your function’s
name and region.

Serverless Defender uses TW_POLICY to determine how to connect to Compute Console to retrieve
policy and send audits.


Copy the value generated for TW_POLICY and set it aside.

Step 9: Upload the protected function to AWS and set the TW_POLICY environment variable.

Upload the protected function to AWS

After embedding Serverless Defender into your function, upload it to AWS. If you are using a
deployment framework such as SAM or Serverless Framework, simply deploy the function with your
standard deployment procedure. If you are using AWS directly, follow the steps below:

Step 1: Upload the new ZIP file to AWS.

1. In Designer, select your function so that you can view the function code.
2. Under Code entry type, select Upload a .ZIP file.
3. Specify a runtime and the handler.
Validate that Runtime is a supported runtime and that Handler points to the function’s
entry point.
4. Click Upload.

5. Click Save.

Step 2: Set the TW_POLICY environment variable.

1. In Designer, open the environment variables panel.


2. For Key, enter TW_POLICY.
3. For Value, paste the rule you copied from the Compute Console.
4. Click Save.

Defining your runtime protection policy


By default, Prisma Cloud ships with an empty serverless runtime policy. An empty policy disables
runtime defense entirely.

You can enable runtime defense by creating a rule. By default, new rules:

● Apply to all functions (*), but you can target them to specific functions by function name.
● Block all processes from running except the main process. This protects against command
injection attacks.

When functions are invoked, they connect to Compute Console and retrieve the latest policy. To
ensure that functions start executing at time=0 with your custom policy, you must predefine the
policy. Predefined policy is embedded into your function along with the Serverless Defender by way
of the TW_POLICY environment variable.



1. Log into Prisma Cloud Console.
2. Go to Defend > Runtime > Serverless Policy.
3. Click Add rule.
4. In the General tab, enter a rule name.
5. (Optional) Target the rule to specific functions. In Functions, enter a function name.
Use pattern matching to refine how the rule is applied.
6. Set the rule parameters in the Processes, Networking, and File System tab.
7. Click Save.

Defining your serverless WAAS policy


Prisma Cloud lets you protect your serverless functions against application layer attacks by utilizing
the serverless Web Application and API Security (WAAS).

By default, the serverless WAAS is disabled. To enable it, add a new serverless WAAS rule.

1. Log into Prisma Cloud Console.


2. Go to Defend > WAAS > Serverless.
3. Click Add rule.
4. In the General tab, enter a rule name.
5. (Optional) Target the rule to specific functions.
In Functions, enter a function name. Use pattern matching to refine how the rule is applied.
6. Set the protections you want to apply (SQLi, CMDi, Code injection, XSS, LFI).
7. Click Save.

4.1.7 Scan functions with console API for vulnerabilities and compliance

Prisma Cloud can scan serverless functions for vulnerabilities. Prisma Cloud supports AWS Lambda,
Google Cloud Functions, and Azure Functions.

Serverless computing is an execution model in which a cloud provider dynamically manages the
allocation of machine resources and schedules the execution of functions provided by users.
Serverless architectures delegate the operational responsibilities, along with many security
concerns, to the cloud provider. Of particular concern is that your app is still prone to attack. The
vulnerabilities in your code and associated dependencies are the footholds that attackers use to
compromise an app. Prisma Cloud can reveal a function’s dependencies and surface the
vulnerabilities in those dependent components.

Capabilities
For serverless, Prisma Cloud can scan Node.js, Python, Java, C#, Ruby, and Go packages. For a list of
supported runtimes see system requirements.
Prisma Cloud scans are triggered by the following events:

● When the settings change, including when new functions are added for scanning.
● When you explicitly click the Scan button in the Monitor > Vulnerabilities > Functions >
Scanned Functions page.
● Default periodic triggers. Prisma Cloud automatically rescans serverless functions every 24
hours, but you can configure a custom interval in Manage > System > Scan.



Scanning a serverless function
Configure Prisma Cloud to periodically scan your serverless functions. Unlike image scanning, all
function scanning is handled by Console.

STEP 1 >> Open Console.

STEP 2 >> Go to Defend > Vulnerabilities > Functions > Functions.

STEP 3 >> Click on Add scope. In the dialog, enter the following settings:

● Specify a cap for the number of functions to scan.


● (AWS only) Specify which regions to scan. By default, the scope is applied to Regular
regions. Other options include China regions or Government regions.
● (AWS only) Select Scan only latest versions to only scan the latest version of each function.
Otherwise, the scanning will cover all versions of each function up to the specified cap value.
● (AWS only) Select Scan Lambda Layers to enable scanning function layers as well.
● Select the accounts to scan by credential. If you wish to add an account, click on Add
credential.
● Click Add.

STEP 4 >> Click the green save button.

STEP 5 >> View the scan report.

Go to Monitor > Vulnerabilities > Functions > Scanned functions.

All vulnerabilities identified in the latest serverless scan report can be exported to a CSV file by
clicking on the CSV button in the top right of the table.

View AWS Lambda Layers scan report


Prisma Cloud can scan the AWS Lambda Layers code as part of the Lambda function’s code
scanning. This capability can help you determine whether the vulnerability issues are associated
with the function or function Layers. Follow the steps below to view the Lambda Layers scan results:

STEP 1 >> Open Console.

STEP 2 >> Make sure you selected the Scan Lambda layers in the Defend > Vulnerabilities >
Functions > Functions > Serverless Accounts > Function scan scope.



STEP 3 >> Go to Monitor > Vulnerabilities > Functions > Scanned functions.

STEP 4 >> Filter the table to include functions with the desired Layer by adding the Layers filter.
You can also filter the results by a specific layer name or postfix wildcards. Example: Layers:* OR
Layers:arn:aws:lambda:*.



STEP 5 >> Open the Function details dialog to view the details about the Layers and the
vulnerabilities associated with them:

● Click on a specific function.


● See the Function’s vulnerabilities, compliance issues and package info in the related tabs.
Use the Found in column to determine if the component is associated with the Function or
with the Function’s Layers.

● Use the Layers info tab to see the full list of the Function’s Layers and aggregated
information about the Layers’ vulnerabilities. If a layer has vulnerabilities associated with
it, expand the layer’s row to list all of them.



Authenticating with AWS
The serverless scanner is implemented as part of Console. The scanner requires the
AWSLambda_ReadOnlyAccess permissions policy.

IAM User
If authenticating with an IAM user, use the Security Token Service (STS) to issue temporary security
credentials to Prisma Cloud to scan your Lambda functions. Using AWS STS is considered a best
practice for IAM users per the AWS Well-Architected Framework; see the AWS STS documentation for
details.

When authenticating with an IAM user, Console can access and scan functions across multiple
regions.

IAM Role
IAM roles cannot be used in Prisma Cloud serverless scanning because the Console is not hosted
within AWS for Enterprise Edition.

Scanning Azure Functions


Azure Functions are architected differently than AWS Lambda and Google Cloud Functions. Azure
function apps can hold multiple functions. The functions are not segregated from each other. They
share the same file system. Rather than separately scanning each function in a function app,
download the root directory of the function app, which contains all its functions, and scan them as
a bundle.

To do this, you must know the Region, Name (of the function), and Service Key. To get the Service
Key, download and install the Azure CLI, then:

STEP 1 >> Log into your account with a user that has the User Account Administrator role.



STEP 2 >> Get the service key.

Sample output from the previous command:

STEP 3 >> Copy the JSON output, which is your secret key, and paste it into the Service Key field for
your Azure credentials in Prisma Cloud Console.

Scanning functions at build time with twistcli


You can also use the twistcli command line utility to scan your serverless functions. First download
your serverless function as a ZIP file, then run:

To view scan reports in Console, go to Monitor > Vulnerabilities > Functions > CI or Monitor >
Compliance > Functions> CI.

Twistcli Options
● --address URI
Required. Complete URI for Console, including the protocol and port. Only the HTTPS
protocol is supported.
To get the address for your Console, go to Compute > Manage > System > Utilities and copy
the string under Path to Console.

● -u, --user Access Key ID


Access Key ID to access Prisma Cloud. If not provided, the TWISTLOCK_USER environment
variable is used, if defined. Otherwise, "admin" is used as the default.

● -p, --password Secret Key —
Secret Key for the Access Key ID specified with -u, --user. If not specified on the
command line, the TWISTLOCK_PASSWORD environment variable is used, if defined.
Otherwise, you will be prompted for the user’s password before the scan runs.
Access Key ID and Secret Key are generated from the Prisma Cloud user interface. For more
information, see access keys.

● --details –
Show all vulnerability details.

● --tlscacert PATH –
Path to Prisma Cloud CA certificate file. If no CA certificate is specified, the connection to
Console is insecure.

● --include-js-dependencies—
Include javascript package dependencies.

● --token TOKEN—
Token to use for Prisma Cloud Console authentication. Tokens can be retrieved from the API
endpoint api/v1/authenticate or from the Manage > Authenticate > User Certificates
page.

● --cloudformation-template PATH —
Path to the CloudFormation template file in JSON or YAML format. Prisma Cloud scans the
function source code for AWS service APIs being used, compares the APIs being used to the
function permissions, and reports when functions have permissions for APIs they do not
need.

● --function NAME —
Function name to be used in policy detection and Console results. When creating policy
rules in Console, you can target specific rules to specific functions by function name. If this
field is left unspecified, the function zip file name is used.

● --output-used-apis—
Report APIs used by the function.

● --publish—
Publish the scan result to the Console. True by default.
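The options above are usually driven from a build job rather than typed by hand. The following is an added example, not code from the Prisma Cloud docs or the twistcli binary: it assembles the twistcli argument vector from those options and refuses the two misconfigurations a reviewer would flag, a non-HTTPS address and a missing CA certificate (which leaves the Console connection unverified). The Console address, file paths and function name are placeholders.

```python
"""Assemble a `twistcli serverless scan` command for a build job.

Added example, not part of the Prisma Cloud docs or the twistcli binary. It only
builds the argument vector from the documented options and rejects unsafe
combinations; the Console address and paths are placeholders.
"""
import os
import shlex
import subprocess
from pathlib import Path


def build_scan_argv(function_zip, address, tlscacert, env=None, function_name=None,
                    cfn_template=None, details=True, output_used_apis=True):
    """Return the argv for twistcli, or raise ValueError on a misconfiguration."""
    env = os.environ if env is None else env
    if not address.startswith("https://"):
        raise ValueError("--address must be an https:// Console URI")
    if not tlscacert:
        # Without --tlscacert twistcli does not verify Console's certificate, so the
        # access key could be sent to an impostor. Fail the job instead of warning.
        raise ValueError("refusing to scan without --tlscacert (insecure connection)")
    if not (env.get("TWISTLOCK_USER") and env.get("TWISTLOCK_PASSWORD")):
        # Keep the access key out of argv (visible in `ps` and CI logs); twistcli
        # reads TWISTLOCK_USER / TWISTLOCK_PASSWORD from the environment instead.
        raise ValueError("set TWISTLOCK_USER and TWISTLOCK_PASSWORD in the job environment")
    argv = ["twistcli", "serverless", "scan", "--address", address,
            "--tlscacert", str(tlscacert)]
    # Name the function explicitly so Console results and serverless runtime rules
    # line up with the deployed function name rather than the zip's file name.
    argv += ["--function", function_name or Path(function_zip).stem]
    if cfn_template:
        # Lets twistcli compare the APIs the code calls with the IAM permissions
        # granted in the template and report over-privileged functions.
        argv += ["--cloudformation-template", str(cfn_template)]
    if details:
        argv.append("--details")
    if output_used_apis:
        argv.append("--output-used-apis")
    argv.append(str(function_zip))
    return argv


def run_scan(function_zip, address, tlscacert, **options):
    """Run the scan and return twistcli's exit code (non-zero fails the pipeline)."""
    argv = build_scan_argv(function_zip, address, tlscacert, **options)
    print("running:", shlex.join(argv))
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # Placeholder values; fill in from your pipeline configuration.
    raise SystemExit(run_scan("build/orders.zip", "https://console.example.com:8083",
                              "certs/console-ca.pem", cfn_template="template.yaml"))
```

The wrapper deliberately never accepts the secret key as a parameter: twistcli already falls back to TWISTLOCK_USER and TWISTLOCK_PASSWORD, and a CI secret store can populate those without the value ever appearing in a command line.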

4.1.8 References

● Test Web Application and API Security (WAAS) features,


https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas/waas-intro.html
● Deploy Serverless Defender with auto-protect,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/install/install_defender/install_serverless_defender

4.2 Design a customer-appropriate POC for Prisma Cloud



4.2.1 Assess the asset inventory and monitor the cloud resources

The Asset Inventory dashboard (on the Inventory tab) provides a snapshot of the current state of all
cloud resources or assets that Prisma Cloud is monitoring and securing for your organization. From
the dashboard, you gain operational insight over all cloud infrastructure, including assets and
services such as compute engine instances, virtual machines, cloud storage buckets, accounts,
subnets, gateways, and load balancers.
Assets are displayed by default for all monitored account groups for the most recent time range
(last full hour). The interactive dashboard provides filters to change the scope of data displayed in
order to analyze information in greater detail.

Here are the four sections of the Asset Inventory dashboard:

Resource Summary — This section shows the count of the Total Unique Resources monitored by
Prisma Cloud. Click the link to view all the assets on the Asset Explorer. For these assets, you can
toggle to view the following details as numeric value or a percentage.



Asset Trend — This section shows a trend line to help monitor the overall health of your cloud
resources from the time that the first cloud account on Prisma Cloud was established through to
the time when the latest hourly snapshot was generated. The green, blue, and red trend lines are
overlaid to illustrate the passed and failed resources against the total resource count. The trends
display the overall security posture of your resources and how that posture is performing over time
so you can identify sudden surges with failed policy checks or sustained improvements with
passing policy checks.

Asset Classification — This section shows a bar graph for each cloud type (default), region name, or
account name that depicts the ratio of passed-to-failed resources. This interactive graph allows you
to drill into the passed and failed resources for details on the corresponding services that passed or
failed policy checks; you can click and drag a section of the chart to zoom in further.



Tabular data — This section shows a table that enables results to be grouped by account name,
cloud region, or service name (default). You can then drill down to view granular information on the
resource types within your cloud accounts. All global resources for each cloud are grouped under
AWS Global, Alibaba Cloud Global, Azure Global, and GCP Global.

Each row displays the service name with details on the cloud type (which you can use to filter), and
the percentage of resources that pass policy checks to which you want to adhere. The links in each
column help you explore and gain the additional context you may need to take action.
Note: You may see more failed resources on the Compliance dashboard compared to the Asset
Inventory dashboard. This is because the Asset Inventory dashboard only counts assets that belong
to your cloud account, and the Compliance dashboard includes foreign entities such as SSO or
Federated Users that are not resources ingested directly from the monitored cloud accounts.

Monitor the cloud resources.

Pass — This displays the resources without any open alerts. Click the link for the passed resources
and you will be redirected to the Asset Explorer that is filtered to display all the resources that have
Scan Status set to Pass.



Low/Medium/High — This displays the resources that have generated low, medium, or high
severity alerts. In Asset Inventory, when a resource triggers multiple alerts, the asset severity
assigned to it matches the highest risk to which it is exposed. After clicking the link, you will be
redirected to the Asset Explorer that is filtered to display all resources that match the corresponding
Asset Severity level.

The View Alerts link provides a viewable list of all resources with open alerts sorted by severity. Click
each link to view the Alerts Overview sorted for low, medium, or high severity alerts. You can review
the policies that triggered the alerts alongside a count of the total number of alerts for each policy.

Fail — This displays the total number of resources that have generated at least one open alert when
the hourly snapshot was generated. Click the link to be redirected to the Asset Explorer, which is
filtered to display all resources that have their Scan Status set to Failed.

4.2.2 Conduct compliance reporting and use out-of-the-box policies

To know the state of your cloud infrastructure, you need visibility into all the assets and
infrastructure that make up your cloud environment; you also need a pulse on your security
posture.

Whether you want to detect a misconfiguration or to continually assess your security posture and
adherence to specific compliance standards, Prisma Cloud provides out-of-the-box policies
(auditable controls) for ongoing reporting and measurement.



Policies are for risk assessment; they help to reduce the risk of business disruptions. Prisma Cloud
provides policies that map to compliance standards, as well as a larger set of policies that
enables the prevention or detection of security risks to which your cloud assets are exposed.
Anomaly policies are an example of policies that are typically not part of compliance standards.
These policies inform you of actions performed on your cloud assets by entities (users, services, or
IAM roles) that are authorized to access and modify those assets but are not themselves cloud
assets.

Prisma Cloud supports the need to keep track of potential risks and threats to your cloud
infrastructure with dashboards for your asset inventory, compliance posture, and out-of-the-box
policies that generate alerts for cloud assets that are in violation. When a policy is violated, an alert
is triggered in real time.

While alerts help detect policy violations in real time and enable you to investigate what happened,
the Asset Inventory and Compliance dashboards provide hourly snapshots of your assets and
compliance posture for the last full hour.



From the Asset Inventory and the Compliance dashboards, you can directly access all open alerts by
severity and view asset details from the Asset Explorer as of the last hour.



Use out-of-the-box policies.
To enable global settings for Prisma Cloud default policies, click Settings and select Enterprise
Settings.

While some high-severity policies are enabled to provide the best security outcomes, by default,
policies of medium or low severity are in a disabled state. To enable policies based on severity, select
Auto enable new default policies of the type — High, Medium, or Low. Based on what you enable,
Prisma Cloud will scan your resources in the onboarded cloud accounts against policies that match
the severity and generate alerts.

Create a custom policy with remediation rules that are tailored to meet the requirements of your
organization. When creating a new policy, you can either build the query using RQL or use a saved
search to automatically populate the query you need to match on your cloud resources.

When saving changes, choose one of the following options:

● Enable and Save — With Enable and Save, you are enabling all existing policies that match
your selection criteria as well as new Prisma Cloud default policies that are periodically
added to the service. This option allows you to enable and scan your resources against all
existing and new policies to help you stay ahead of threats and misconfigurations.



● Save — With Save, you are saving your selection criteria and enabling new Prisma Cloud
default policies only as they are periodically added to the service. New policies that match
your selection are automatically enabled, and your resources are scanned against them after
you make the change.

● If you enable policies of a specific severity, when you then clear the checkbox, the policies
that were previously enabled are not disabled. Going forward, policies that match the
severity you cleared are no longer enabled to scan your cloud resources and generate alerts.

● If you want to disable the policies that are currently active, you must disable the status of
each policy on the Policies page.

The audit logs include a record of all activities performed in Prisma Cloud. To view the audit logs,
click Settings and select Audit Logs.
To view policies, select Policies.



4.2.3 Demonstrate understanding of integration of alerts with downstream tools

Prisma Cloud lets you surface critical policy breaches by sending alerts to any number of channels.
Alerts ensure that significant events are put in front of the right audience at the right time.

● Cortex XSOAR alerts


o Cortex XSOAR is a security orchestration, automation, and response (SOAR) platform.
Prisma Cloud can send alerts, vulnerabilities, and compliance issues to XSOAR when
your policies are violated. Prisma Cloud can be configured to send data when an
entire policy, or even specific rules, are violated.

● AWS Security Hub


o AWS Security Hub aggregates, organizes, and prioritizes security alerts from multiple
AWS services and AWS Partner Network solutions, including Prisma Cloud, to give
you a comprehensive view of security across your environment.

● Email
o Prisma Cloud can send email alerts when your policies are violated. Audits in Monitor
> Events are the result of a policy violation. Prisma Cloud can be configured to notify
the appropriate party by email when an entire policy, or even specific rules, are
violated.

● Google Cloud Pub/Sub


o Google Cloud Pub/Sub is a durable, scalable event ingestion and delivery system. It
provides asynchronous messaging that decouples senders from receivers and
enables highly available communication between independently written
applications. Prisma Cloud can send alerts to Google Cloud Pub/Sub topics, where
topics are presented in a message feed.

● Google Cloud Security Command Center



o Prisma Cloud can be configured as a security source that provides security findings
to Google Cloud Security Command Center (SCC). This lets you see all security tool
findings in a single place. Prisma Cloud is a registered Google Cloud Platform
Marketplace partner.

● IBM Cloud Security Advisor


o IBM Cloud Security Advisor is a centralized security dashboard. Prisma Cloud can be
configured to send security findings to your service dashboard.

● JIRA alerts
o Prisma Cloud continually scans your environment for vulnerabilities using the threat
data in the Intelligence Stream.
o Prisma Cloud can open JIRA issues when new vulnerabilities are detected in your
environment. This mechanism allows the implementation of continuous vulnerability
assessment and remediation by hooking directly into the developer’s workflow.

● PagerDuty alerts
o You can configure Prisma Cloud to route alerts to PagerDuty. Prisma Cloud
generates alerts when it detects anomalies; alerts are raised when the rules that
make up your policy are violated.

● ServiceNow Security Incident Response


o ServiceNow is a workflow management platform that offers a number of security
operations applications. You can configure Prisma Cloud to route alerts to
ServiceNow’s Security Incident Response application.
o Prisma Cloud audits are mapped to a ServiceNow security incident as follows:
▪ Audits and incidents are mapped to individual ServiceNow security incidents.

▪ Vulnerabilities are aggregated by resource (currently image) and mapped to


individual ServiceNow security incidents. The ServiceNow short description
field lists the resource, and the larger ServiceNow description field lists the
details of each finding.
▪ Compliance issues are aggregated by resource (image/container/host) and
mapped to individual ServiceNow security incidents. The ServiceNow short
description field lists the resource, while the larger ServiceNow description
field lists the details of each finding.

● ServiceNow Vulnerability Response


o ServiceNow is a workflow management platform. It offers a number of security
operations applications. You can configure Prisma Cloud to route alerts to
ServiceNow’s Vulnerability Response application.
o To integrate Prisma Cloud with ServiceNow, you will need to create a ServiceNow
endpoint to consume findings from the Prisma Cloud scanner. The endpoint is
created using ServiceNow’s Scripted REST API mechanism.

● Slack alerts



o Prisma Cloud lets you send alerts to Slack channels and users.

● Webhook
o Prisma Cloud offers native integration with a number of services, including email,
JIRA, and Slack. When no native integration is available, webhooks provide a
mechanism to interface the Prisma Cloud alert system with virtually any third-party
service.
o A webhook is an HTTP callback. When an event occurs, Prisma Cloud notifies your
web service with an HTTP POST request. The request contains a JSON body that you
configure when you set up the webhook. A webhook configuration consists of the
following:
▪ URL

▪ Custom JSON body

▪ Username

▪ Password

▪ CA certificate
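A webhook receiver is the other half of that configuration, and the place where mistakes are usually made: accepting unauthenticated POSTs, or comparing the shared password with a timing-leaky equality check. The following is an added example, not code from Prisma Cloud or its docs. It assumes the webhook's username and password arrive as HTTP Basic authentication and that the custom JSON body carries "severity", "policy" and "resource" keys; both the field names and the credentials are assumptions chosen for the example, and the handler logic is split out so it can be exercised without a running server.

```python
"""Minimal receiver for Prisma Cloud webhook alerts.

Added example, not part of the Prisma Cloud product or docs. It assumes the
webhook is configured with a username/password (sent as HTTP Basic auth) and a
custom JSON body containing "severity", "policy" and "resource" keys; those
field names and the credentials below are constructed for the example.
"""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials; in production load these from a secret store.
WEBHOOK_USER = "prisma"
WEBHOOK_PASSWORD = "correct horse battery staple"
MAX_BODY = 64 * 1024  # an alert payload is small; reject anything larger


def basic_auth_header(user, password):
    """Build the Authorization header value a caller sends (handy for smoke tests)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(header_value):
    """Return True only if the Authorization header carries the configured credentials."""
    if not header_value or not header_value.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
        user, _, password = raw.partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    # Constant-time comparisons so the shared secret cannot be probed byte by byte.
    ok_user = hmac.compare_digest(user.encode(), WEBHOOK_USER.encode())
    ok_pass = hmac.compare_digest(password.encode(), WEBHOOK_PASSWORD.encode())
    return ok_user and ok_pass


def parse_alert(body):
    """Validate the JSON body and return a normalized alert dict, or raise ValueError."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc}")
    if not isinstance(data, dict):
        raise ValueError("alert body must be a JSON object")
    missing = [k for k in ("severity", "policy", "resource") if k not in data]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    severity = str(data["severity"]).lower()
    if severity not in ("low", "medium", "high", "critical"):
        raise ValueError(f"unknown severity {severity!r}")
    return {"severity": severity, "policy": str(data["policy"]),
            "resource": str(data["resource"])}


def handle_request(headers, body):
    """Core logic, kept separate from the HTTP server so it can be tested offline.

    Returns (http_status, json_reply). Authentication is checked before the body is
    parsed so unauthenticated callers never reach the JSON decoder.
    """
    if not check_basic_auth(headers.get("Authorization")):
        return 401, {"error": "unauthorized"}
    if len(body) > MAX_BODY:
        return 413, {"error": "body too large"}
    try:
        alert = parse_alert(body)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    # Routing decision: high/critical findings page someone, the rest open a ticket.
    queue = "page" if alert["severity"] in ("high", "critical") else "ticket"
    return 200, {"queued": queue, "alert": alert}


class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(min(length, MAX_BODY + 1))
        status, reply = handle_request(self.headers, body)
        out = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)


if __name__ == "__main__":
    # Terminate TLS in front of this listener; the CA certificate configured on the
    # Prisma Cloud side must chain to that listener's certificate.
    HTTPServer(("127.0.0.1", 8080), WebhookHandler).serve_forever()
```

Keep the body you configure in Prisma Cloud and the fields the receiver requires in step: a body that omits "severity" is rejected here with a 400 rather than silently dropped, which is the failure you want to see in the delivery logs on the Prisma Cloud side.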

Alert Mechanism
Alerts are built on the following constructs:

● Alert profile — This specifies which events should be sent to which channel. You can create
any number of alert profiles; each profile gives you granular control over which audience
should receive which notifications.

● Alert channel — This is a messaging medium over which alerts are sent. Prisma Cloud
supports email, JIRA, Slack, PagerDuty, and others.

● Alert trigger — This identifies events that require further scrutiny. Alerts are raised when the
rules that make up your policy are violated. When something in your environment violates a
rule, an audit is logged and an alert is sent to any matching alert profile (channel, audience).

Prisma Cloud can be configured to notify the appropriate party when an entire policy or a specific
rule is violated.

You can also set up alerts for Defender health events. These events tell you when Defender
unexpectedly disconnects from Console. Alerts are sent when a Defender has been disconnected
for more than six hours.

Not all triggers are available for all channels. For example, new JIRA issues can only be opened
when vulnerability rules are triggered.

Triggers:

Most alerts trigger on a policy violation. When policy is the trigger, you can optionally choose to
trigger on specific rules rather than the entire policy. Vulnerability, compliance, and cloud discovery
alerts work differently.



Vulnerability alerts that arise from registry scans only trigger for the 50 most recent images, as
sorted by last modified date. The limit is designed to contain Console resource consumption in
large environments.

Vulnerability Alerts:

● The number of known vulnerabilities in a resource is not static over time.


o As the Prisma Cloud Intelligence Stream is updated with new data, new
vulnerabilities might be uncovered in resources that were previously considered
clean.
o The first time a resource (e.g., image, container, host, etc.) enters the environment,
Prisma Cloud assesses it for vulnerabilities.
o If a vulnerability violates a rule in the policy, and the rule has been configured to
trigger an alert, an alert is dispatched.
o Thereafter, every resource is periodically rescanned. Additional alerts are dispatched
only when new vulnerabilities that match your alert profile settings are detected.
With vulnerability alerts, you get one, and only one, alert for each vulnerability
detected (aggregated by scan).

Compliance Alerts:

● Alerts for compliance issues work a little differently.


o The resources in your system are either compliant or non-compliant.
▪ When your system is non-compliant, Prisma Cloud sends an alert.

▪ As long as there are non-compliant resources, Prisma Cloud sends an alert at


every scan interval (default is 24 hours).
▪ Compliance alerts list each failed check, and the number of resources that
failed the check in the latest scan and the previous scan.



For example:

● Scan period 1: You have a non-compliant container named crusty_pigeon. You will be alerted
about the container compliance issues.
● Scan period 2: Container crusty_pigeon is still running. It is still non-compliant. You will be
alerted about the same container compliance issues.

Cloud Discovery Alerts:

Cloud discovery alerts warn you when new cloud native resources are discovered in your
environment so you can inspect and secure them with Prisma Cloud. Cloud discovery alerts are
available on the email channel only. For each new resource discovered in a scan, Prisma Cloud lists
the cloud provider, region, project, service type (i.e., AWS Lambda, Azure AKS) and resource name
(my-aks-cluster).

Limitations:

For runtime audits, there is a limit of 50 runtime audits per aggregation period (seconds, minutes,
hours, and days) for all alert providers.

4.2.4 Create custom policies with Resource Query Language (RQL)

With Prisma Cloud, customers can create their own custom policies to generate alerts. These
policies are written with RQL.

● Queries Supported by RQL


o RQL resembles the Structured Query Language (SQL). The following queries are
supported by RQL:



▪ Config Query
Use Config Query to search for the configuration of the cloud resources.

▪ Event Query
Use Event Query to search and audit all the console and API access events in
your cloud environment.

▪ Network Query
Use Network Query to search real-time network events in your environment.

Prisma Cloud and Anomaly Policies

● Prisma Cloud uses RQL statements to create custom anomaly policies. Anomaly policies use
audit logs and network flow logs to help you identify unusual network and user activity for
all users and are especially critical for privileged users and assumed roles where detecting
unusual activity may indicate the first steps in a potential misuse or account compromise.

● Perform User Entity Behavior Analysis


o Anomaly policies rely on threat feeds to resolve IP addresses to geo-locations and
perform user and entity behavior analysis (UEBA). When Prisma Cloud identifies a
suspicious IP address, the threat feed enables you to classify and view more
information about the malicious IP addresses with which the former IP address is
communicating so you can quickly determine which alerts to pay attention to and
act on.

● Predefined Settings
o Before the service can detect unusual activity for your enterprise, you must define
Prisma Cloud enterprise settings to specify a training threshold and set the baseline
for normal trends in your network.

● Set the Baseline


o To set a baseline, Prisma Cloud gathers information about the user or identities used
to access the monitored cloud accounts, the devices used for access, the IP
addresses and locations they come from, the ports and protocols typically used, the
cloud services they use and the frequency, the hours within which they access these
applications, and the activities they perform within the cloud services.

4.2.5 Demonstrate understanding of entitlement permissions with Identity and Access
Management (IAM)

Prisma Cloud IAM security capabilities help you evaluate the effective permissions assigned to
users, workloads, and data (also called entitlements) on your cloud provider so that you can
properly administer identity and access management (IAM) policies as well as enforce access using
the principle of least privilege.



IAM Security gives you:

● Visibility. Improve the visibility of effective permissions to various resources in the cloud
accounts. It has the ability to query all relevant IAM entities, including all the relationships
between the different entities and the entities’ effective permissions across multiple cloud
environments.
● Governance. Monitor excess and unused privileges, provide out-of-the-box security best
practices policies, and review cloud identity compliance posture.
● Response. Enables you to take action by automatically adjusting effective IAM permissions to
reduce risk.

The IAM Security module runs a proprietary algorithm to calculate the effective permissions of the
users across your cloud service providers. For AWS, for example, the algorithm combines various
cloud sources such as AWS IAM roles, AWS IAM policies, AWS IAM groups, AWS resource-based
policies, and AWS service control policies (SCPs) to compute the net effective permissions of
cloud resources. It extends the Config query in RQL (config from iam where) to help you gain
visibility into the entities in your cloud environment.


For example, with the net effective permissions calculation you can now discover the permissions
for a specific user in your AWS account or Azure tenant, or which users have access to an S3 bucket
or an Azure storage account.
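As an added illustration of how the sources named above combine into a net effective permission, the following Python model (written for this guide; it is not Prisma Cloud's proprietary algorithm) applies the published AWS evaluation order to a user's own policies, the policies of the groups the user belongs to, an S3 bucket's resource-based policy, and an organization SCP: an explicit Deny anywhere wins, the SCP must Allow, and then either an identity or the resource policy must Allow. The account ID, users, bucket names and policies are constructed, and policy conditions are ignored.

```python
"""Simplified model of AWS net effective permissions.

Added example for this study guide; it is NOT Prisma Cloud's proprietary
algorithm. Evaluation order for a principal acting on a resource in its own
account: explicit Deny anywhere wins, the SCP (when present) must Allow,
then an identity-based or the resource-based policy must Allow; otherwise
the result is an implicit Deny. Conditions and permission boundaries are
ignored. All accounts, users, buckets and policies below are constructed.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value):
    # IAM '*' and '?' wildcards; like IAM, '*' also spans '/' inside an ARN.
    # Lower-casing both sides is a simplification (IAM actions are
    # case-insensitive, most ARN parts are not).
    return fnmatchcase(value.lower(), pattern.lower())


def _statement_applies(stmt, action, resource, principal):
    if not any(_wild(a, action) for a in _as_list(stmt.get("Action", []))):
        return False
    if not any(_wild(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
        return False
    # Resource-based policies name a Principal; identity policies and SCPs do not.
    allowed = stmt.get("Principal", "*")
    if allowed != "*" and not any(
            _wild(p, principal) for p in _as_list(allowed.get("AWS", []))):
        return False
    return True


def _layer_decision(statements, action, resource, principal):
    """'Deny', 'Allow' or None (no matching statement) for one policy layer."""
    decision = None
    for stmt in statements:
        if _statement_applies(stmt, action, resource, principal):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def effective_permission(principal, action, resource, *, identity_policies,
                         resource_policies=(), scps=()):
    """Return (decision, reason) for one principal/action/resource triple."""
    layers = {
        "scp": [s for p in scps for s in p["Statement"]],
        "identity": [s for p in identity_policies for s in p["Statement"]],
        "resource": [s for p in resource_policies for s in p["Statement"]],
    }
    decisions = {name: _layer_decision(stmts, action, resource, principal)
                 for name, stmts in layers.items()}
    for name, decision in decisions.items():
        if decision == "Deny":
            return "Deny", f"explicit deny in {name} policy"
    if scps and decisions["scp"] != "Allow":
        return "Deny", "not allowed by SCP"
    for name in ("identity", "resource"):
        if decisions[name] == "Allow":
            return "Allow", f"allowed by {name} policy"
    return "Deny", "implicit deny"


# ---- constructed sample environment (no real accounts or policies) ----
ACCOUNT = "111122223333"
USERS = {
    "alice": {"arn": f"arn:aws:iam::{ACCOUNT}:user/alice", "groups": ["developers"]},
    "bob": {"arn": f"arn:aws:iam::{ACCOUNT}:user/bob", "groups": []},
}
USER_POLICIES = {"alice": [{"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::finance-logs/*"}]}]}
GROUP_POLICIES = {"developers": [{"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::dev-*"}]}]}
BUCKET_POLICIES = {"finance-logs": [{"Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USERS["bob"]["arn"]},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-logs/*"},
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::finance-logs/*"}]}]}
SCPS = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutBucketPolicy", "Resource": "*"}]}]


def evaluate(user, action, resource):
    """Combine user, group, bucket-policy and SCP sources for one named user."""
    identity = list(USER_POLICIES.get(user, []))
    for group in USERS[user]["groups"]:
        identity += GROUP_POLICIES.get(group, [])
    bucket = resource.split(":::", 1)[1].split("/", 1)[0]
    return effective_permission(USERS[user]["arn"], action, resource,
                                identity_policies=identity,
                                resource_policies=BUCKET_POLICIES.get(bucket, []),
                                scps=SCPS)


def who_can(action, resource):
    """Answer 'which users have access to this S3 object?'."""
    return sorted(u for u in USERS if evaluate(u, action, resource)[0] == "Allow")
```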

4.2.6 References

● Demonstrate understanding of entitlement permissions with Identity and Access Management (IAM),
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-iam-security/what-is-prisma-cloud-iam-security

4.3 Design a customer-appropriate POC for code security

4.3.1 Integrate with the customer repositories

The Code Security capabilities support a wide range of Cloud DevSecOps and Integrated
Development Environments (IDEs), and CI/CD pipelines used to build and deploy code and
infrastructure for your organization.

Before you begin adding your development environments and pipelines for scanning, you must
first generate access keys to allow permissions for specific users. You must also add the Prisma
Cloud IP addresses and hostname for Code Security to an allow list in order to enable access to the
Prisma Cloud Console.

Add Repositories and CI/CD Pipelines


To add the environments that host your templates and source code, begin at Settings >
Repositories.

The Repositories page is blank before you add an environment. This page enables you to view the
catalog of the different environments where you can scan for security and compliance violations
using Code Security and add your integrations for monitoring with Prisma Cloud.

After you add one or more environments, you can view details of the repositories, sort, search, or
delete within the list.

STEP 1 >> Select Settings > Repositories > Add Repository.

You can view the catalog and select from the list of supported Version Control Systems (VCS), CI/CD
systems, or IDEs.

For instructions on how to connect a repository to Prisma Cloud, use the link in the table.


4.3.2 Integrate Checkov with customer integrated development environment (IDE) /
command-line interface (CLI)

Integrating Prisma Cloud with Checkov makes it possible for Prisma Cloud Code Security to scan
your infrastructure as code files (Terraform and CloudFormation), display Incidents on the Console
and, optionally, cause a build to fail. For more details, see Checkov.

STEP 1 >> Select Settings > Repositories > Add repository > Checkov.

STEP 2 >> Install Checkov by choosing Python (pip) or Python3 (pip3) and copy the corresponding
command to your command line, then select Next.

STEP 3 >> Enter details of Directory, and Repository ID to scan, and select Next.

You can optionally add the Branch details. If a target branch is not specified, Code Security
scans the master branch.

You can use the wizard to generate a command to run in your CLI tool for Checkov’s most common
use-case.

STEP 4 >> Copy the provided command to your command line and trigger Checkov, then
select Done.

4.3.3 Create a custom Infrastructure as Code (IaC) build policy

Create a custom policy with remediation rules that are tailored to meet the requirements of your
organization. When creating a new policy, you can either build the query using RQL or use a
saved search to automatically populate the query you need to match on your cloud resources.
For Prisma Cloud DevOps Security, you can also create configuration policies to scan your
Infrastructure as Code (IaC) templates that are used to deploy cloud resources. The policies used for
scanning IaC templates use a JSON query instead of RQL. If you want to enable auto-remediation,
Prisma Cloud requires write access to the cloud platform to successfully execute the remediation
commands.

You can create any of the following types of policies:

● Config — Configuration policies monitor your resource configurations for potential policy
violations. Configuration policies on Prisma Cloud can be one of two subtypes — Build and
Run — to enable a layered approach. Build policies allow you to check for security
misconfigurations in the IaC templates and ensure that these issues do not make their way
into production. The Run policies monitor resources and check for potential issues once
these cloud resources are deployed. See Create a Configuration Policy for more information.

● Network — Network policies monitor network activities in your environment. See Create a
Network or Audit Event Policy for more information.

● Audit Event — Event policies monitor audit events in your environment for potential policy
violations. Create audit policies to flag sensitive events, such as root activities or
configuration changes, that may potentially put your cloud environment at risk. See Create a
Network or Audit Event Policy for more information.

Create a Configuration Policy


Use these instructions to add a custom configuration policy for checking resources in the build or
run phase of your application lifecycle. Because building the rules takes practice, look at a few
Prisma Cloud default policies on the administrative console before you begin, and review the query
format within the rules.

1. Select Policies and click New Policy > Config.

2. Enter a Policy Name.


o You can optionally add a Description and Labels.

3. Select the policy subtype and click Next.


o You can choose one or both policy subtypes options:
i. The Run subtype enables you to scan cloud resources that are already
deployed on a supported cloud platform.
ii. The Build subtype enables you to scan IaC templates — Terraform,
CloudFormation, and Kubernetes manifest — that are used to deploy
cloud resources.

4. Select the Severity for the policy and click Next.


o For a Run policy, an alert will be generated on a policy violation.

5. Build the query to define the match criteria for your policy.
o Add a rule for the Run phase.
The Configuration — Run policies use RQL. If you are using a Saved Search, you can
select from predefined options to auto-populate the query. For building a New
Search, enter config from and use the auto-suggestion to select the available
attributes and complete the query.

Config queries require some mandatory attributes. A query must at a minimum have iam in
conjunction with where, followed by a resource, an operator, and another resource. The other
option is to have cloud.resource in conjunction with where, followed by resource = state, where the
state can be Active or Deleted. For example:

config from iam where action.lastaccess.days

config from cloud.resource where resource.status = Active

If your policy will include both Run and Build checks, and you have added the RQL query, your
cloud type for the build rule is automatically selected. It is based on the cloud type referenced in the
RQL query.

● Select the Template Type you want to scan — CloudFormation, Kubernetes, or Terraform.
You can add one or more types. For scanning Terraform templates, you must select the
Cloud Type and the Terraform version. See which versions of Terraform are supported.


● Add the JSON query that specifies the properties or objects for which you want to apply
policy checks. For more information, see Add a JSON Query for Build Policy Subtype and
Prisma Cloud IAC Scan Policy Operators.

If you choose to upload a template in the next step, the query you entered above is validated
against the template. Each time you modify the query or upload a new template, the JSON query is
re-validated.

● (Optional) Upload a file to validate the JSON query.


The JSON Template Validation is optional. You can upload a single file or a .zip file. The
supported file formats are HCL, YAML, and JSON. The uploaded file is converted to JSON and
displayed on screen.
Additionally, you can include a variable name and value to pass to the sample file and verify
that the build rule works before you save the policy. For example, if you want to check
whether EC2 instances include tags to identify the owner, the variables enable you to
quickly validate against the sample template you attached.

6. Add the compliance standards to your policy.


● Choose the compliance Standard, Requirement, and Section.
● Click + to add more standards as required and click Next.

7. Enter details in the remediation section if you want to automatically remediate alerts on a
policy violation.

● Select Run or Build.


Build phase policies do not support remediation CLI. You can, however, add the
instructions for manually fixing the issue in the Recommendation for Remediation.
● (Configuration — Run policies only) Enter Command Line remediation commands in
CLI Remediation.

CLI remediation is available for config from queries only. You can add up to five CLI
commands and use a semicolon to separate the commands in the sequence. The
sequence is executed in the order defined in the policy, and if a CLI command fails, the
execution stops at that command. The parameters that you can use to create
remediation commands are displayed on the interface as CLI variables. A syntax
example is gcloud -q compute --project=${account} firewall-rules delete
${resourceName}; gsutil versioning set off gs://${resourceName}; and the variables are:

o $account — Account is the Account ID of your account in Prisma Cloud.


o $azurescope — (Azure only) Allows you to specify the node in the Azure
resource hierarchy where the resource is deployed.
o $gcpzoneid — (GCP only) Allows you to specify the zone in the GCP project,
folder, or organization where the resource is deployed.
o $region — Region is the name of the cloud region to which the resource
belongs.
o $resourcegroup — (Azure only) Allows you to specify the name of the Azure
Resource Group that triggered the alert.
o $resourceid — Resource ID is the identification of the resource that triggered
the alert.
o $resourcename — Resource name is the name of the resource that triggered
the alert.
● Click Validate syntax to validate the syntax of your code. If you would like to see an
example of the CLI syntax in the default remediable policies on Prisma Cloud, clone
any existing policy and edit it.
● Click Save. All your system administrators and account administrators are notified
when there is a change to the CLI commands.
Serverless auto-remediation is an option (for AWS only, for now). For more complex or
customizable remediation solutions, see the serverless-autoremediation project:
https://github.com/PaloAltoNetworks/Prisma-Enhanced-Remediation
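An added example (written for this guide, not Prisma Cloud's own validator) of the checks a CLI remediation sequence is subject to as described above: splitting the string on semicolons, enforcing the five-command limit, accepting only the documented CLI variables as placeholders, substituting the alert's values, and running the commands in order while stopping at the first failure. The alert values are constructed and the runner executes nothing, so the page's gcloud/gsutil example is only rendered, never run.

```python
"""Model of Prisma Cloud CLI remediation sequencing, added for this study
guide; it is not Prisma Cloud's own validator. It enforces what the text
states: at most five ';'-separated commands, only the documented CLI
variables as placeholders, and in-order execution that stops at the first
failing command. The alert values and the runner below are constructed.
"""
import re

CLI_VARIABLES = {"account", "azurescope", "gcpzoneid", "region",
                 "resourcegroup", "resourceid", "resourcename"}
MAX_COMMANDS = 5
# The page writes ${resourceName} and $resourcename for the same variable,
# so placeholder names are matched case-insensitively.
_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def split_commands(remediation):
    """Split the policy's remediation string on ';' and drop empty entries."""
    return [c.strip() for c in remediation.split(";") if c.strip()]


def validate_syntax(remediation):
    """Return a list of problems; an empty list means the sequence is valid."""
    problems = []
    commands = split_commands(remediation)
    if not commands:
        problems.append("no commands given")
    if len(commands) > MAX_COMMANDS:
        problems.append(f"{len(commands)} commands exceed the limit of {MAX_COMMANDS}")
    for cmd in commands:
        for var in _PLACEHOLDER.findall(cmd):
            if var.lower() not in CLI_VARIABLES:
                problems.append(f"unknown CLI variable ${{{var}}} in: {cmd}")
    return problems


def render(remediation, alert):
    """Substitute the alert's values for the CLI variables in each command."""
    values = {k.lower(): str(v) for k, v in alert.items()}

    def substitute(match):
        key = match.group(1).lower()
        if key not in values:
            raise KeyError(f"alert carries no value for ${{{match.group(1)}}}")
        return values[key]

    return [_PLACEHOLDER.sub(substitute, cmd) for cmd in split_commands(remediation)]


def run_sequence(commands, runner):
    """Run commands in order with runner(cmd) -> exit code.

    Returns (executed, stopped_at): stopped_at is the first failing command,
    or None when every command returned 0. Commands after a failure never run.
    """
    executed = []
    for cmd in commands:
        executed.append(cmd)
        if runner(cmd) != 0:
            return executed, cmd
    return executed, None


# ---- constructed sample: the page's GCP example against a fake runner ----
SAMPLE_REMEDIATION = ("gcloud -q compute --project=${account} firewall-rules delete "
                      "${resourceName}; gsutil versioning set off gs://${resourceName};")
SAMPLE_ALERT = {"account": "example-project-123", "region": "us-central1",
                "resourceName": "allow-all-ingress"}


def dry_runner(failing_prefix=None):
    """A runner that executes nothing; it 'fails' commands starting with failing_prefix."""
    def runner(cmd):
        return 1 if failing_prefix and cmd.startswith(failing_prefix) else 0
    return runner
```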

4.3.4 Compare and contrast fix/suppress options

When you connect the Prisma Cloud Code Security plugins with your Version Control Systems and
CI/CD platforms, every scan generates a fully contextualized Code Review scan result. The Code
Security page shows the results of these scans. The display highlights the section of the code with
the error (policy violation) and the associated metadata such as Run time and ID. Depending on the
type of scan (VCS scan or CI/CD run) and the status of a PR (latest commit/not latest/commit and
PR-open/PR-closed), you will be able to perform functions such as: Suppress, Fix, Search for a
specific Run, or view Resource Explorer data.

Filter Scanned Results


You can filter the scanned results using Status, Category, Severity, Tags, and Code Status.

Status
A status for each scanned repository is created based on the non-conformance to a policy. The
repository status can be further filtered as Errors, Suppressed, and Passed.

● Errors: A resource appears with an error status when it is non-conformant to a policy.


● Suppressed: A resource that has previously appeared as non-conformant to a policy but has
been suppressed with a Suppress action. Suppressing a non-conformant policy in a resource
dismisses the scanned result with a definitive explanation, indicating that the non-conformance
is not a problem.


● Passed: A resource that has conformant policies or may have a history of fixed errors.

Your scanned resources appear on Code Security with an active Error filter by default. You can
choose to add more filters or to remove the Error filter.

Category
A Category filters resources according to Elasticsearch, General, IAM, Kubernetes, Logging,
Monitoring, Networking, Public, Secrets, Serverless, Storage, and Vulnerabilities. The Categories you
defined for repositories when integrating them with Prisma Cloud Code Security also help with
filtering.

Severity
Severity indicates the impact of a non-conformant resource in your repository. Resources
can be filtered as High, Medium, and Low severity.

Tags
A Tag helps you filter resources by individually defined key-value pairs.

Code Tags
A Code Tag appears for resources with an option to fix the scanned result. These fixes help to
resolve the non-conformance.

Browse and Fix Scanned Results


Integrating Prisma Cloud Code Security with your repositories across Version Control Systems,
CI/CD platforms, and IDEs generates contextualized scanned results for each resource. Each
scanned result for a resource provides extensive information on the type of policy
non-conformance, the repository configuration, the type of scan, the status of the PR (if the resource
is part of a version control system), and the actions you can use to mitigate each resource: Suppress
and Fix.

Browse across Resources and Repositories


● You can browse across multiple repositories on Code Security. Icons associated with each of
the repositories assist in easy browsing.

This is an example of multiple repositories listed on Code Security.


● Scanned resources are grouped by the path of a folder. You can browse across multiple
paths within the repository.
This is an example of multiple paths within a repository. The numbers corresponding to each
path are errors identified by Prisma Cloud Code Security.


● Each scanned result appears with resource path information, the severity of the error, code
block with the error, and actions to Suppress or Fix the error.
This is an example of a scanned result on GitHub Actions.


As an additional resource, users can also filter results.
This is an example of a resource result with a user’s filter.


Fix Scanned Resources

Each scanned result can either be Suppressed or Fixed.


Accessing the source code and fixing the non-conformant error within the code leads to a Fix.

STEP 1 >> Access a scanned result of a repository in Code Security.

STEP 2 >> Select Fix.


STEP 3 >> Select Submit. This will create a PR in the repository.

Make edits within the source code and commit your changes.
Your changes will be marked as Fixed on Code Security.

Suppress Scanned Resources


Suppress is an action users take to dismiss a scanned result with a definitive explanation
indicating that the non-conformance is not a problem.

STEP 1 >> Access a scanned result of a repository in Code Security.

STEP 2 >> Select Suppress and enter the reason to suppress the error, then select Suppress.


STEP 3 >> Select Submit to save the changes in the repository.

STEP 4 >> The suppressed result appears with the Suppress filter.

Resource detail and history


You can view the resource details like repository name, policy misconfiguration, and tags associated
with the scanned result. Resource History gives you details over the actions performed on the
resource scanned result; e.g., if the result was Suppressed, and the date it was suppressed.

4.3.5 Describe code security application within customer repositories

Code Security on Prisma Cloud enables you to add security checks to your existing IaC
(Infrastructure-as-Code) model, ensuring security throughout the build lifecycle.

The Code Security capabilities include creating custom build policies, integrating a wide variety of
code repositories, and continuous integration and continuous delivery (CI/CD) workflows to secure
cloud infrastructure and applications.

Prisma Cloud Code Security helps address cloud infrastructure misconfigurations in code before
they become alerts or incidents that security teams then need to triage. It enables users to embed
existing DevOps resources and operations within the DevSecOps model to provide
developer-friendly feedback so that they can fix configuration issues before the code is released to
be deployed into your environments. You have additional options to create custom policies or
include multiple out-of-the-box security policies in your existing IaC environment. Code Security on
Prisma Cloud provides instant feedback and options for immediate resolutions to your scanned
misconfigurations.

Code Security will be available for Prisma Cloud tenants in the following environments:

● app.prismacloud.io
● app2.prismacloud.io
● app3.prismacloud.io
● app4.prismacloud.io
● app.anz.prismacloud.io
● app.ca.prismacloud.io
● app.eu.prismacloud.io
● app2.eu.prismacloud.io
● app.sg.prismacloud.io
● app.uk.prismacloud.io

4.3.6 References

● Integrate with the customer repositories,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/get-started/connect-your-repositories
● Integrate Checkov,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/get-started/connect-your-repositories/add-checkov
● Suppress options,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/scan-monitor/monitor-fix-issues-in-scan.html#_monitor_and_fix_issues_in_your_scans__browse-and-fix-scanned-results
● Code security application,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-code-security/get-started/what-is-code-security


Domain 5 Deployment / Implementation Best Practices

5.1 Describe best practice deployment strategies for PCC

5.1.1 Differentiate between software as a service (SaaS) and self-hosted console

Prisma™ Cloud offers cloud workload protection as either a SaaS option or a self-hosted solution
that you deploy and manage (review your options).

The SaaS option, available with the Prisma Cloud Enterprise Edition, offers a single management
console for threat detection, prevention, and response for your heterogeneous environment for
teams to leverage public cloud platforms as well as a rich set of microservices to rapidly build and
deliver applications. The Compute tab on the Prisma Cloud administrative console enables you to
define policy and to monitor and protect the hosts, containers, and serverless functions within your
environment.

To monitor the workloads, you must deploy Prisma Cloud Defenders – the agents. All Defenders,
regardless of type, connect back to the console using WebSocket over port 8084. This allows them
to retrieve policies and enforce vulnerability and compliance blocking rules in the environments
where they are deployed, and to send data back to the Compute tab within the Prisma Cloud
administrative console. For documentation on how to get started with deploying Defenders,
configuring policies, viewing alerts, and interpreting the data on Radar, see the Prisma Cloud
Administrator’s Guide (Compute). For administrative user management, such as integrating single
sign-on, setting up custom roles, and creating access keys, use the Settings tab on the Prisma
Cloud administrative console outlined in this document.

Compute is delivered in one of two packages:

● Prisma Cloud Enterprise Edition (SaaS)

Single pane of glass for both CSPM (Cloud Security Posture Management) and CWPP (Cloud
Workload Protection Platform). Compute (formerly Twistlock, a CWPP solution) is delivered
as part of the larger Prisma Cloud system. Palo Alto Networks runs, manages, and updates
Compute Console for you, while you deploy and manage Defenders in your environment.
The Compute Console is accessible from a tab within the Prisma Cloud user interface.

● Prisma Cloud Compute Edition (self-hosted)


Stand-alone, self-operated version of Compute (formerly Twistlock). Download the entire
software suite and run it in any environment. You deploy and manage both the Console and
Defenders.

Upgrades work a little differently in each edition.

● Prisma Cloud Enterprise Edition (SaaS)


Consoles are automatically upgraded by PANW with a notification regarding the automatic
upgrade posted in the status page at least two weeks in advance. For more details, please
refer to this article:
https://docs.twistlock.com/docs/enterprise_edition/upgrade/upgrade_process_saas.html
The automatic upgrade function for Defenders is always turned ON, thereby ensuring that
Defenders remain compatible with Console with each release.

● Prisma Cloud Compute Edition (self-hosted)


You fully control the upgrade process. When an upgrade is available, customers are notified
via the bell icon in Console. Clicking on the bell icon directs you to the latest software
download; deploy the new version of Console first, then manually upgrade all of your
deployed Defenders.

The following table summarizes the key differences between Enterprise Edition (SaaS) and
Compute Edition (self-hosted). For gaps between the two, Palo Alto Networks will provide a date on
which we intend to deliver a solution.

CAPABILITY / COMPUTE SAAS SUPPORT

● Projects: If you need Projects, use Compute Edition. Projects will not be ported to Prisma Cloud
Enterprise Edition.
● Syslog: Supported for Defenders only.
● User management: Available centrally in the platform for Prisma Cloud Enterprise Edition.
● Assigned collections: Available via Resource Lists.
● Defender backward compatibility: Yes.
● Compute Edition to Enterprise Edition migration: Available; must go through the Customer
Success team.

5.1.2 Describe how WAAS routes traffic

WAAS (Web-Application and API Security, formerly known as CNAF, Cloud Native Application
Firewall) is a web application firewall (WAF) designed for HTTP-based web applications deployed
directly on hosts, as containers, as an embedded application, or as serverless functions. WAFs
secure web applications by inspecting and filtering layer 7 traffic to and from the application.

WAAS enhances the traditional WAF protection model by deploying closer to the application, easily
scaling up or down and allowing for inspection of "internal" traffic (east-to-west) from other
microservices as well as inbound traffic (north-to-south).
For containerized web applications, WAAS binds to the application’s running containers, regardless
of the cloud, orchestrator, node, or IP address where it runs, and without the need to configure any
complicated routing. For non-containerized web applications, WAAS simply binds to the host
where the application runs.

Highlights of WAAS’s capabilities:

● OWASP Top-10 Coverage


Protection against most critical security risks to web applications, including injection flaws,
broken authentication, broken access control, security misconfigurations, etc.

● API Protection
WAAS is able to enforce API traffic security based on definitions/specs provided in the form
of Swagger or OpenAPI files.

● Access Control
WAAS controls access to protected applications using Geo-based, IP-based, or HTTP
Header-based user defined restrictions.

● File Upload Control


WAAS secures application file uploads by enforcing file extension rules.

● Detection of Unprotected Web Applications


WAAS detects unprotected web applications and flags them in the radar view.

● Penalty Box for Attackers


WAAS supports a five-minute ban of IPs that have triggered its protections in order to slow
down vulnerability scanners and other attackers probing the application.

● Bot Protection
WAAS detects “good” known bots as well as other bots, headless browsers, and automation
frameworks. WAAS can also fend off cookie droppers and other primitive clients by
mandating the use of cookies and JavaScript in order for the client to reach the protected
origin.

● DoS Protection
WAAS can enforce rate limitations on IPs or Prisma Sessions to protect against high-rate and
"low and slow" Layer 7 DoS attacks.

Architecture
WAAS is deployed via Prisma Compute Defenders, which operate as a transparent HTTP proxy by
evaluating client requests against security policies before relaying the requests to your application.
Defenders are deployed into the environment in which the web applications run. WAAS’s
management console is independent of the Defenders and can be self-hosted or provided as a
service (SaaS).

When a firewall is deployed, Defender reroutes traffic bound for your web application to WAAS for
inspection. If a connection is secured with TLS, Defender decrypts the traffic, examines the content,
and then re-encrypts it.

Legitimate requests are passed to the target container or host. Requests triggering one or more
WAAS protections generate a WAAS "event audit" and an action is taken based on the
preconfigured action (see "WAAS Actions" below).

WAAS’s event audits can be further explored in the "Monitor" section of Prisma Compute’s
management console (Monitor > Events). In addition, event audits are registered in the
Defender’s syslog, thus allowing for integration with third-party analytics engines or SIEM platforms
of choice.

WAAS Actions
Requests that trigger a WAAS protection are subject to one of the following actions:

● Alert
The request is passed to the protected application and an audit is generated for visibility.
● Prevent
The request is denied from reaching the protected application, an audit is generated, and
WAAS responds with an HTML page indicating the request was blocked.
● Ban
A ban can be applied on either IP or Prisma Session IDs. All requests originating from the
same IP/Prisma Session to the protected application are denied for the configured time
period (the default is five minutes) following the last detected attack.
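An added model of the three actions above (written for this guide, not WAAS code), showing how the penalty box behaves: a request that triggers a protection is always audited and is then passed (Alert) or denied with a block page (Prevent); under Ban, every later request from the same IP or Prisma Session is denied until the ban window (five minutes by default) has elapsed since the last detected attack, so a client that keeps attacking keeps extending its own ban. The requests, timestamps and trigger names are constructed.

```python
"""Model of the WAAS Alert / Prevent / Ban actions, added for this study guide;
it is not WAAS code. A ban is keyed on the client IP or on the Prisma Session
ID and lasts BAN_SECONDS after the *last* detected attack, so an attacker who
keeps probing keeps extending its own stay in the penalty box. The requests
and timestamps below are constructed; 'triggers' stands in for whichever
WAAS protections a request matched.
"""
from dataclasses import dataclass, field

BAN_SECONDS = 300  # WAAS default penalty box: five minutes


@dataclass
class Request:
    ts: float             # seconds since an arbitrary epoch
    ip: str
    session: str          # Prisma Session ID (cookie-based); "" if none
    triggers: tuple = ()  # e.g. ("sqli",) when a protection fired


@dataclass
class Waas:
    action: str = "alert"      # "alert", "prevent" or "ban"
    ban_on: str = "ip"         # "ip" or "session"
    bans: dict = field(default_factory=dict)    # key -> ban expiry timestamp
    audits: list = field(default_factory=list)  # (ts, key, triggers) event audits

    def _key(self, req):
        return req.ip if self.ban_on == "ip" else req.session

    def handle(self, req):
        """Return 'pass', 'blocked' (block page returned) or 'banned'."""
        key = self._key(req)
        expiry = self.bans.get(key)
        if expiry is not None and req.ts < expiry:
            if req.triggers:
                # Still attacking while banned: audit it and restart the
                # window from this latest attack (modelling assumption).
                self.audits.append((req.ts, key, req.triggers))
                self.bans[key] = req.ts + BAN_SECONDS
            return "banned"
        if not req.triggers:
            return "pass"
        self.audits.append((req.ts, key, req.triggers))  # every hit is audited
        if self.action == "alert":
            return "pass"                                 # visibility only
        if self.action == "prevent":
            return "blocked"
        self.bans[key] = req.ts + BAN_SECONDS              # action == "ban"
        return "banned"

    def process(self, requests):
        """Handle requests in timestamp order and return one outcome each."""
        return [self.handle(r) for r in sorted(requests, key=lambda r: r.ts)]


def sample_traffic():
    """Constructed traffic: one scanning client and one legitimate client."""
    return [
        Request(0, "10.0.0.5", "s-scan", ("sqli",)),    # first detected attack
        Request(100, "10.0.0.5", "s-scan"),             # clean, but inside the ban
        Request(100, "10.0.0.6", "s-user"),             # other client is unaffected
        Request(200, "10.0.0.5", "s-scan", ("xss",)),   # attacks again: window restarts
        Request(450, "10.0.0.5", "s-scan"),             # 300 s after the first hit, not the last
        Request(520, "10.0.0.5", "s-scan"),             # more than 300 s after the last attack
    ]
```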

Operation

Deploying WAAS
WAAS is enabled by adding a new WAAS rule. Whenever new policies are created or existing
policies are updated, Prisma Cloud immediately pushes them to all resources to which they apply.
To deploy WAAS, create a new WAAS rule, select the resources on which to apply the rule, define
your web application, and select the protections to enable. For containerized web applications,
Prisma Cloud creates a firewall instance for each container instance. For legacy (non-containerized
web applications), Prisma Cloud creates a firewall for each host specified in the configuration.

Supported Protocols, Message Parsers, and Decoders

Supported Protocols

● HTTP 1.0, 1.1, 2.0 – full support of all HTTP methods


● TLS 1.0, 1.1, 1.2, 1.3
● WebSockets Passthrough

Supported Message Parsers and Decoders

● GZip, deflate content encoding


● HTTP Multipart content type
● URL Query, x-www-form-urlencoded, JSON, and XML parameter parsing
● URL, HTML Entity, JS, BASE64 decoding
● Overlong UTF-8

5.1.3 Describe Defender traffic through proxy

Prisma Cloud supports setting custom proxy settings for each Defender deployment. This way,
users can set multiple proxies for Defenders, which are then deployed in different environments.

STEP 1 >> Open Console, and go to Manage > Defenders > Deploy.

STEP 2 >> Choose your preferred deployment method.

STEP 3 >> Click on Specify a proxy for the defender (optional) and enter your proxy details.

In some environments, access to the Internet must go through a proxy. Prisma Cloud can be
configured to route requests through your proxy. Proxy settings can either be applied to both
Console and Defender containers or separately for each Defender deployment.
The global proxy settings are configured in the UI after Console is installed. Console immediately
starts using these settings after saving them. Any Defenders deployed after saving your settings will
use the proxy settings unless you explicitly choose a different proxy when deploying the Defenders.
Any Defenders that were deployed before saving your settings must be redeployed.

The proxy settings apply to the following connections:

● Connecting to Console. If you deploy Defenders in a remote region, they might need to
connect to Console through a proxy.
● Connecting to external systems, such as Docker Hub or Google Container Registry, for
scanning.
● Connecting to your secrets store to retrieve secrets for injection into your containers.

5.1.4 Describe Defender connectivity to console

By default, Defender connects to Console with a websocket on TCP port 443. All traffic between
Defender and Console is TLS encrypted.
Defender has no privileged access to Console or the underlying host where Console is installed. By
design, Console and Defender do not trust each other and Defender mutual certificate-based
authentication is required to connect. Prior to authentication, connections are blocked. After
authentication has been established, Defender’s capabilities are limited to retrieving policies from
Console and sending event data to Console.
If Defender were to be compromised, the risk would be local to the system where it is deployed, the
privilege it has on the local system, and the possibility of it sending garbage data to Console.
Console communication channels are separated, with no ability to jump channels.
Defender has no ability to interact with Console beyond the websocket. Both Console’s API and web
interfaces, served on port 443 (HTTPS), require authentication over different channels with different
credentials (e.g. username and password, access key, and so on), none of which Defender holds.

As with most cloud-native software, Prisma Cloud relies on core infrastructure services such as X.509
cryptography and DNS name resolution. Defenders use these services to find and securely connect
back to Console, and administrators use them to reach Console and the API endpoints. When
Console's name cannot be resolved, or its certificate does not include the name that Defenders use
to connect to it, setup might fail and/or Defenders might not be able to connect to Console.
Consider a deployment where Console runs in one cloud service but protects hosts distributed
across other cloud services in different regions. In this model, Console's hostname is likely
unresolvable by remote Defenders. And because Defenders likely connect through some reverse
NAT or load balancer rather than directly to Console, the details of the underlying connectivity
are probably obscured.

Mapping Your Topology


● Mapping out your topology is a fairly obvious step that is often overlooked, but it is the single
best way to avoid connectivity problems.

● First, document Console’s local hostname and IP. Try to determine whether this name is the
actual name that Defenders will use to connect or if there is another entity in between, such
as a load balancer or reverse NAT service.

● Then, map out all the potential connection paths from Defenders to Console. For example,
there might be some Defenders deployed in the same cloud service as Console that can
connect to Console directly. Other Defenders might connect from another routed network
or over the internet using different names.

● Documenting all of these paths and names at the beginning of the planning process saves
significant time later during troubleshooting. Because naming is so critical to connectivity,
you should use durable, Prisma Cloud-specific names for accessing Console.

● Using a CNAME is preferable to mapping an A record directly, because many cloud services
automate DNS resolution within their fabrics and offer limited options for overriding this
behavior. In a complex, multi-network environment, the CNAME can be used to reference
Console both from the local network and from other networks, including the internet,
through simple and well-established DNS configurations.

● A good approach would be to create a CNAME such as console.customer.com. Internet-facing
DNS servers would answer queries for that name with lb1.cloudprovider.com (the load balancer
in front of Console), while internal-facing DNS servers would answer with ip-10-1-27-12
(Console's local hostname).

Implement the Topology


● When deploying a Defender, you must specify how it connects to Console with either an IP
address or, preferably, a DNS name. The Prisma Cloud dashboard lets you specify these
names and provides some preconfigured names in the Subject Alternative Names table on
the Manage > Defenders > Deploy page. Any name in the table is added to Console’s
certificate and becomes available as a configuration parameter in the Defender deployment
pages.

● Using the example scenario from the previous section, the Subject Alternative Names
table should contain the chosen CNAME (console.customer.com). If you have multiple
names that you want to use to address Console, add all of them to the Subject Alternative
Names table. For example, if Defenders in the same cloud network should reach Console as
cs1-console, you should have the following entries:
o console.customer.com
o cs1-console

● After Prisma Cloud is set up with these values, they appear as configuration parameters
in the drop-down menu on the Defender deployment pages. When you set up a new
Defender, select the name it should use to connect to Console from that list, which is the
same list of names as the Subject Alternative Names table.
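The two checks the topology mapping above boils down to, resolving the name Defenders will use and confirming that Console's certificate covers it, as an added example (not Palo Alto Networks code). The SAMPLE_CERT dict is constructed in the shape that ssl.SSLSocket.getpeercert() returns; probe_console() is the network-facing version and takes the path of Console's CA bundle as an assumed input, since Console's certificate is generally not issued by a public CA.

```python
"""
Pre-deployment check for the Defender-to-Console path: does the name Defenders
will use resolve, and is it covered by Console's certificate?
Added example, not Palo Alto Networks code. SAMPLE_CERT is a constructed
stand-in for the dict that ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl
from typing import Iterable, List, Optional, Tuple

# Constructed sample: a Console certificate whose SAN table holds the two names
# from the scenario above plus a wildcard for the provider's internal zone.
SAMPLE_CERT = {
    "subject": ((("commonName", "cs1-console"),),),
    "subjectAltName": (
        ("DNS", "cs1-console"),
        ("DNS", "console.customer.com"),
        ("DNS", "*.internal.customer.com"),
        ("IP Address", "10.1.27.12"),
    ),
}


def san_dns_names(cert: dict) -> List[str]:
    """DNS entries of the SAN extension, as getpeercert() reports them."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact, case-insensitive match, or a single left-most wildcard label
    (the RFC 6125 rule TLS clients apply; '*' never covers more than one label)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return (len(p_labels) == len(h_labels)
                and len(h_labels) >= 3
                and p_labels[1:] == h_labels[1:])
    return False


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any SAN DNS entry covers the name Defenders will connect to."""
    return any(name_matches(n, hostname) for n in san_dns_names(cert))


def missing_from_san(cert: dict, hostnames: Iterable[str]) -> List[str]:
    """Names Defenders are configured with that still need adding to the SAN table."""
    return [h for h in hostnames if not cert_covers(cert, h)]


def probe_console(hostname: str, port: int = 443, ca_file: Optional[str] = None,
                  timeout: float = 5.0) -> Tuple[str, dict]:
    """Resolve the name and complete a TLS handshake on the websocket port,
    returning (resolved IP, peer certificate dict). Network call, not run here.
    Hostname checking is left to cert_covers() so that a SAN mismatch is
    reported instead of aborting the handshake. ca_file is the path to
    Console's CA bundle (assumed, supplied by the caller); without it the
    default trust store is used and a self-signed Console cert will be rejected.
    """
    ip = socket.gethostbyname(hostname)
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return ip, tls.getpeercert()


if __name__ == "__main__":
    # Names from the topology map that Defenders will be configured with.
    planned = ["console.customer.com", "cs1-console", "lb1.cloudprovider.com"]
    print("not in SAN:", missing_from_san(SAMPLE_CERT, planned))
```

Run probe_console() once per connection path from the topology map (from a host in the same cloud network, from a remote region, from the internet) and feed each returned certificate to missing_from_san() with the name that path uses; a name that resolves but is absent from the SAN is exactly the case in which Defender install appears to succeed and the Defender never shows up connected in Console.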

5.1.5 References

● SaaS and Self-Hosted, Prisma Cloud Enterprise Edition vs Compute Edition (paloaltonetworks.com)
● WAAS, Overview (paloaltonetworks.com)
● Defender Connectivity to Console,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/deployment_patterns.html
● Proxy, Proxy Configuration (paloaltonetworks.com)

5.2 Describe best practice for deploying/operationalizing for Prisma Cloud

5.2.1 Differentiate between single account and org onboarding

Single Account

On Prisma Cloud, you can enable single sign-on (SSO) using an Identity Provider (IdP) that supports
Security Assertion Markup Language (SAML), such as Okta, Azure Active Directory, or PingID. You
can configure only one IdP for all cloud accounts that Prisma Cloud monitors.

1. Decide whether you want to add administrative users on Prisma Cloud beforehand or add
them on the fly with just-in-time (JIT) provisioning when configuring SSO on Prisma Cloud.

2. Copy the Audience URI for Prisma Cloud, which you need when configuring the IdP.
a. Log in to Prisma Cloud and select Settings > SSO.
b. Copy the Audience URI (SP Entity ID) value. This is a read-only field in the format
https://app.prismacloud.io?customer=<string> that uniquely identifies your instance of
Prisma Cloud. The value is required to configure SAML on your IdP.

3. Set up the Identity Provider for SSO.
a. This workflow uses Okta as the IdP. Before you begin the Okta configuration, log in
to your Prisma Cloud instance and copy the Audience URI (SP Entity ID) from the SSO
settings page (for example, https://app.prismacloud.io/settings/sso).
b. Log in to Okta as an Administrator and click Admin.
c. Click Add Application.
d. Click + Add Apps to create a new app.
e. Under Create a New Application Integration, select Web for Platform and SAML 2.0
for Sign on method.
f. Click Create.
g. On General Settings, use these values and click Next.
App Name – Prisma Cloud SSO app
App Logo – Use the Prisma Cloud logo
App Visibility – Do not check these options

Org Onboarding
Prisma Cloud is 100 percent API-based, so external processes can automate tasks within Prisma
Cloud. Examples of this automation include exporting alerts into a data warehouse for custom
dashboards and onboarding accounts into Prisma Cloud automatically as part of organizational
account provisioning.
To get the most out of your investment in Prisma Cloud, you first need to add your cloud
accounts to Prisma Cloud. This process requires the correct permissions to authenticate and
authorize the connection and the retrieval of data.
Prisma Cloud administrators with the System Administrator or Cloud Provisioning Administrator
role can use the cloud account onboarding guided tour for a good first-run experience with all
supported cloud platforms: Alibaba Cloud, AWS, Azure, Google Cloud, and Oracle Cloud
Infrastructure. The workflow provides the context you need to make decisions based on your own
security and compliance requirements, and it uses automation scripts (CloudFormation
templates for AWS, Terraform templates for Azure and GCP) to create the custom roles and
enable the permissions required to add a cloud account.
When you log in to Prisma Cloud for the first time, a welcome tour is followed by a guided tour
that prompts you to pick a cloud platform to add to Prisma Cloud.

You will be asked to make a few choices and provide basic account details to retrieve configuration
logs and get started with Prisma Cloud for monitoring and visibility. If you want to ingest data from
event logs and flow logs, you need to perform additional tasks:

● Onboard your AWS Account


● Onboard your Azure Account
● Onboard your Google Cloud Platform (GCP) Account
● Onboard your Oracle Cloud Infrastructure Account
● Onboard your Alibaba Cloud Account

5.2.2 Explain how to map users to roles with permission and account groups

Mapping roles and permissions is a critical part of the SAML-enabled authorization process.
Before you can access the Prisma SD-WAN web interface as an authorized user, your role must be
mapped to a Palo Alto Networks role within the system. Through role mapping as defined in the
IdP, user group memberships are mapped to Palo Alto Networks authorized roles.
Your IdP administrator must include the following information in the SAML response:

● Name ID — The Name ID of the end user. This attribute is required.
● Role — The end user's role or group membership. This attribute is required.
● First Name or Last Name — The first name is required; the last name is optional.

The Name ID format in the SAML response can be transient, persistent, email, or unspecified.
Ensure that the SAML assertions sent to Palo Alto Networks contain either the cloudgenix_groups
or the memberOf attribute, which Palo Alto Networks uses to map users to Palo Alto Networks roles.
After a user is authenticated, the assertion containing either cloudgenix_groups or memberOf is
sent to Palo Alto Networks along with attributes such as the email ID and the first and last
name of the end user. Palo Alto Networks uses these assertions to map the end user to the
corresponding Palo Alto Networks role within the system.
The SAML response shows the assertions that include cloudgenix_groups,
and memberOf attributes, and a custom role.

Sample SAML Response with cloudgenix_groups

<Attribute Name="cloudgenix_groups">
  <AttributeValue>cloudgenix_tenant_network_admin</AttributeValue>
  <AttributeValue>cloudgenix_tenant_viewonly</AttributeValue>
</Attribute>

Sample SAML Response with memberOf

<Attribute Name="memberOf"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:anyType">cloudgenix_tenant_super</AttributeValue>
</Attribute>

Sample SAML Response with a Custom Role

<Attribute Name="memberOf"
    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
      xsi:type="xs:anyType">admin</AttributeValue>
</Attribute>

After successful authentication, the end user is authorized to access the Prisma SD-WAN web
interface.

Map Roles for Identity Provider Administrators


Map your IdP roles to Palo Alto Networks roles. The example here uses Active Directory
Federation Services (ADFS) as the identity provider (IdP); the process varies for each IdP. For
example, one administrator is mapped to a Palo Alto Networks role called cloudgenix_tenant_super,
while another is mapped to a customer-specific role called network-admin.

The outgoing claim from the IdP must be in the following format:

● The User-Principal-Name should be mapped to Name ID. Palo Alto Networks requires this
to be the person's email ID.
● The given name should be mapped to firstname and the surname to lastname.
● The Outgoing Claim Type should be the CloudGenix groups claim (cloudgenix_groups).
● The Outgoing Claim Value can be either a Palo Alto Networks role defined as
cloudgenix_tenant_<role> or a customer-specific role.

If the Outgoing Claim Value is a customer-specific role, make sure to map that role to a Palo Alto
Networks role in the AAA Configuration screen.
Use roles to define the permissions for a specific account group.

STEP 1: To view roles, select Settings > Roles.

STEP 2: To edit the details of a role, click the record and change any details.

STEP 3: To clone a role, hover over the role and click Clone.

Cloning a role creates a copy of an existing role that you then update to meet your
requirements quickly. Only the System Admin role can clone a role.
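Role-mapping logic that implements the rules above, as an added example and not Palo Alto Networks code: it reads NameID and the cloudgenix_groups / memberOf attributes from an assertion, passes built-in cloudgenix_tenant_* values through, translates customer-specific values through a mapping table that stands in for the AAA Configuration screen (CUSTOM_ROLE_MAP, assumed values), and fails closed on anything unmapped. The assertion is constructed; signature and audience validation, which a real service provider performs before any of this, are out of scope here.

```python
"""
Role mapping from a SAML assertion: read NameID and the cloudgenix_groups /
memberOf attributes, translate group values into roles, refuse anything that
does not map. Added example, not Palo Alto Networks code; CUSTOM_ROLE_MAP and
SAMPLE_ASSERTION are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
GROUP_ATTRIBUTES = ("cloudgenix_groups", "memberOf")
BUILTIN_PREFIX = "cloudgenix_tenant_"

# Customer-specific claim values mapped to built-in roles. Stands in for the
# mapping configured in the AAA Configuration screen (assumed values).
CUSTOM_ROLE_MAP = {
    "admin": "cloudgenix_tenant_super",
    "network-admin": "cloudgenix_tenant_network_admin",
}

# Constructed assertion carrying the three attribute shapes shown above plus an
# unmapped group ("Domain Users") that must not grant anything.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="cloudgenix_groups">
      <saml:AttributeValue>cloudgenix_tenant_network_admin</saml:AttributeValue>
      <saml:AttributeValue>cloudgenix_tenant_viewonly</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">admin</saml:AttributeValue>
      <saml:AttributeValue xsi:type="xs:anyType">Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text: str) -> Dict[str, object]:
    """Return NameID and a name -> [values] map of the AttributeStatement."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs: Dict[str, List[str]] = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name", ""), []).extend(values)
    return {"name_id": name_id, "attributes": attrs}


def resolve_roles(attrs: Dict[str, List[str]],
                  custom_map: Dict[str, str] = CUSTOM_ROLE_MAP) -> List[str]:
    """Built-in cloudgenix_tenant_* values pass through, customer-specific values
    go through the mapping table, anything else grants nothing (fail closed)."""
    roles: List[str] = []
    for attribute in GROUP_ATTRIBUTES:
        for value in attrs.get(attribute, []):
            if value.startswith(BUILTIN_PREFIX):
                role = value
            elif value in custom_map:
                role = custom_map[value]
            else:
                continue
            if role not in roles:
                roles.append(role)
    return roles


def validate(name_id: str, attrs: Dict[str, List[str]], roles: List[str]) -> List[str]:
    """Problems that block authorization, per the required-attribute rules above."""
    problems = []
    if "@" not in name_id:
        problems.append("NameID must be the user's email address")
    if not attrs.get("firstname"):
        problems.append("firstname attribute is required")
    if not roles:
        problems.append("no cloudgenix_groups or memberOf value maps to a role")
    return problems


def authorize(xml_text: str) -> Dict[str, object]:
    """Outcome for one assertion: roles are granted only when nothing is wrong."""
    parsed = parse_assertion(xml_text)
    attrs = parsed["attributes"]
    roles = resolve_roles(attrs)
    problems = validate(parsed["name_id"], attrs, roles)
    return {"name_id": parsed["name_id"],
            "roles": roles if not problems else [],
            "problems": problems}
```

The order of the resulting role list follows the assertion (cloudgenix_groups first, then memberOf) with duplicates collapsed, so a user carrying both a built-in role and a custom alias for it ends up with that role once; the fail-closed branch is the part to keep when adapting this, because an IdP that sends every AD group in memberOf will routinely include values that mean nothing to the application.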

5.2.3 Demonstrate understanding of alert rules and integrations

Although Prisma™ Cloud begins monitoring your cloud environments as soon as you onboard a
cloud account, you must first enable alerting for each cloud account you onboard before you can
receive alerts. Prisma Cloud gives you the flexibility to combine your cloud accounts into account
groups to restrict access to information regarding specific cloud accounts to only those
administrators who need that information. Then you must assign each account group to an alert
rule that allows you to select a group of policies and designate where you want to display
the Prisma Cloud Alerts and Notifications that are associated with those policies. This enables you
to define different alert rules and notification flows for different cloud environments, such as for
both a production and a development cloud environment. In addition, you can set up different alert
rules to send specific alerts to your existing SOC visibility tools. For example, you could send one set
of alerts to your security information and event management (SIEM) system and another set of
alerts to Jira for automated ticketing.

First, make sure you have associated all onboarded cloud accounts with an account group. If you
did not associate a cloud account with an account group during onboarding, do so now; otherwise
you will not see alerts for that cloud account.

STEP 1: Click Settings and then select Cloud Accounts.

STEP 2: For each cloud account, verify that there is a value in the Account Groups column.

STEP 3: For any cloud account that is not yet assigned to an account group, select the cloud
account to edit it and choose the Account Group to add it to.

STEP 4: Create an alert rule for run-time checks.

Alert rules define which policy violations trigger alerts for the cloud accounts within the
selected account group and where to send the alert notifications.

STEP 5: Verify that the alert rule you created is triggering alert notifications.

As soon as you save your alert rule, any violation of a policy for which you enabled alerts results in an
alert notification on the Alerts page and any third-party integrations you designated in the alert
rule. Make sure you can identify all expected alerts on the Alerts page as well as in your third-party
tools. Prisma™ Cloud provides multiple out-of-the-box integration options that you can use to
integrate Prisma Cloud into your existing security workflows and with the technologies you already
use. The Amazon GuardDuty, AWS Inspector, Qualys, and Tenable integrations are inbound, or
pull-based, integrations where Prisma Cloud periodically polls for the data, thereby retrieving it
from the external integration system; all other integrations are outbound, or push-based,
integrations where Prisma Cloud sends data regarding an alert or error to the external integration
system.

● Amazon GuardDuty
Amazon GuardDuty is a threat detection service that continuously monitors for malicious
activity and unauthorized behavior to protect your AWS accounts and workloads. Prisma
Cloud integrates with Amazon GuardDuty and ingests its findings to provide you with
additional context on risks in the cloud.

● AWS Inspector
AWS Inspector assesses applications for exposure, vulnerabilities, and deviations from best
practices, and produces a detailed list of security findings prioritized by severity. Prisma
Cloud integrates with AWS Inspector and ingests its vulnerability data and best-practice
deviations to provide you with additional context regarding risks in the cloud.

● Amazon S3
Amazon Simple Storage Service (Amazon S3) is designed to make web-scale computing
easier. Amazon S3 can be used to store and retrieve any amount of data via highly scalable,
reliable, fast, and inexpensive data storage. Prisma Cloud can send alerts to an Amazon S3
bucket/folder.

● AWS Security Hub


AWS Security Hub is a central console where you can view and monitor the security posture
of your cloud assets directly from the Amazon console. As the Prisma Cloud application
monitors your assets on the AWS cloud and sends alerts on resource misconfigurations,
compliance violations, network security risks, and anomalous user activities, you gain a
comprehensive view of all your cloud assets across all your AWS accounts directly from the
Security Hub console.

● Amazon SQS
Amazon Simple Queue Service (SQS) helps you send, receive, and store messages that pass
between software components at any volume without losing messages and without
requiring other services to be continuously available. Prisma Cloud can send alerts to
Amazon SQS, so you can set up the AWS CloudFormation service to enable custom
workflows.

● Azure Sentinel
Azure Sentinel is a scalable, cloud-native, Security Information Event Management (SIEM),
and Security Orchestration Automated Response (SOAR) solution. You can configure Prisma
Cloud to send alerts to Azure Sentinel by creating a Logic Apps workflow with Webhook
integration.

● Azure Service Bus Queue


Azure Service Bus is a managed messaging infrastructure designed to transfer data
between applications as messages. With the Prisma Cloud and Azure Service Bus queue
integration, you can send alerts to the queue and set up custom workflows to process the
alert payload.

● Cortex XSOAR
Cortex XSOAR (formerly Demisto) is a Security Orchestration Automation and Response
(SOAR) platform that enables you to streamline your incident management workflows. With
the Prisma Cloud and Cortex XSOAR integration you can automate the process of managing
Prisma Cloud alerts and the incident lifecycle with playbook-driven response actions.

● Email
Configure Prisma Cloud to send alerts as emails to your email account.

● Google Cloud SCC


Google Cloud Security Command Center (SCC) is the security and data risk database for
Google Cloud Platform. Google Cloud SCC enables you to understand your security and data
attack surface by providing inventory, discovery, search, and management of your assets.
Prisma Cloud integrates with Google Cloud SCC and sends alerts to the Google Cloud SCC
console to provide centralized visibility into security and compliance risks of your cloud
assets.

● Jira
Jira is an issue tracking, ticketing, and project management tool. Prisma Cloud integrates
with Jira and sends notifications of Prisma Cloud alerts to your Jira accounts.

● Microsoft Teams
Microsoft Teams is cloud-based team collaboration software that is part of the Office 365
suite of applications and is used for workplace chat, video meetings, file storage, and
application integration. The Prisma Cloud integration with Microsoft Teams enables you to
monitor your assets and send alerts on resource misconfigurations, compliance violations,
network security risks, and anomalous user activities, either as they happen or as
consolidated summary cards.

● PagerDuty
PagerDuty enables alerting, on-call scheduling, escalation policies, and incident tracking to
increase the uptime of your apps, servers, websites, and databases. The PagerDuty
integration enables you to send Prisma Cloud alert information to PagerDuty service. The
incident response teams can investigate and remediate the security incidents.

● Qualys
Qualys specializes in vulnerability management security software that scans hosts for
potential vulnerabilities. Prisma Cloud integrates with the Qualys platform and ingests
vulnerability data to provide you with additional context about risks in the cloud.

● ServiceNow
ServiceNow is an incident, asset, and ticket management tool. Prisma Cloud integrates with
ServiceNow and sends notifications of Prisma Cloud alerts as ServiceNow tickets.

● Slack
Slack is an online instant messaging and collaboration system that enables the
centralization of all your notifications. You can configure Prisma Cloud to send notifications
of Prisma Cloud alerts through your slack channels.

● Splunk
Splunk is a software platform that searches, analyzes, and visualizes machine-generated
data gathered from websites, applications, sensors, and devices. Prisma Cloud integrates
with cloud-based Splunk deployments and sends Prisma Cloud alerts through the Splunk
HTTP Event Collector (HEC). Prisma Cloud can integrate with on-premises Splunk instances
through the Amazon SQS integration.

● Tenable
Tenable.io is a cloud-hosted vulnerability management solution that provides visibility and
insight into dynamic assets and vulnerabilities. Prisma Cloud integrates with Tenable and
ingests vulnerability data to provide you with additional context regarding risks in the cloud.

● Webhooks
The webhooks integration enables you to pass information in JSON format to any third-party
tool that is not natively supported on Prisma Cloud. With a webhook integration, you
configure Prisma Cloud to send alerts to the webhook URL as an HTTP POST request, so that
any service or application subscribing to the webhook URL receives alert notifications as
soon as Prisma Cloud detects an issue.

For outbound integrations:

● For most integrations, Prisma Cloud performs periodic checks and background validation to
identify exceptions or failures in processing notifications. You can retrieve status updates on
demand on the Prisma Cloud administrator console. The status check displays red when the
integration fails validation checks for accessibility or credentials; it displays green when the
integration is working and all templates are valid. To review the list of integrations that do
not support the status checks see Prisma Cloud Integrations — Supported Capabilities.
Status errors are displayed on the Prisma Cloud administrator console to help you find and
fix potential issues.

● When you send Prisma Cloud alert notifications to third-party tools, the cloudType field
that identifies the cloud service provider of the resource that generated the alert is in
lowercase letters, for example aws or alibaba_cloud.
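A receiver for the webhook integration described above, as an added example and not Palo Alto Networks code. It verifies a shared secret, validates the JSON payload and routes each alert to downstream systems by severity, lower-casing cloudType and severity before matching. Assumptions: the integration is configured to send an X-Webhook-Token custom header; the payload field names in REQUIRED (alertId, policyName, severity, cloudType, accountName) are the ones this receiver relies on; ROUTES is a hypothetical routing policy; and SAMPLE_BODY is constructed test data, not a captured Prisma Cloud payload.

```python
"""
Receiver for a Prisma Cloud webhook integration: check a shared secret,
validate the alert JSON and decide which downstream tools each alert goes to.
Added example, not Palo Alto Networks code. The header name, field names,
routing policy and SAMPLE_BODY are assumptions / constructed data.
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, List, Tuple

WEBHOOK_TOKEN = "replace-with-a-long-random-secret"   # assumed shared secret
REQUIRED = ("alertId", "policyName", "severity", "cloudType", "accountName")

# Hypothetical routing policy: which downstream systems receive which alerts.
ROUTES = {"high": ["siem", "jira"], "medium": ["siem"], "low": ["slack"]}


def normalize(alert: Dict) -> Dict:
    """Lower-case the fields filters match on. cloudType already arrives in
    lowercase (aws, azure, gcp, alibaba_cloud); doing it here keeps filters
    stable if a template or a relay changes the case."""
    out = dict(alert)
    out["cloudType"] = str(alert.get("cloudType", "")).lower()
    out["severity"] = str(alert.get("severity", "")).lower()
    return out


def missing_fields(alert: Dict) -> List[str]:
    """Required fields that are absent or empty."""
    return [f for f in REQUIRED if not alert.get(f)]


def route(alert: Dict) -> List[str]:
    """Severity decides the targets; unknown severities go to the SIEM only."""
    targets = list(ROUTES.get(alert["severity"], ["siem"]))
    # Example exception: no Jira project exists for Alibaba Cloud accounts here.
    if alert["cloudType"] == "alibaba_cloud" and "jira" in targets:
        targets.remove("jira")
    return targets


def handle(body: bytes, token: str) -> Tuple[int, Dict]:
    """Authenticate, parse and route one POST. Returns (HTTP status, JSON reply)."""
    if not hmac.compare_digest(token or "", WEBHOOK_TOKEN):
        return 401, {"error": "bad token"}
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not JSON"}
    alerts = payload if isinstance(payload, list) else [payload]
    results = []
    for raw in alerts:
        alert = normalize(raw if isinstance(raw, dict) else {})
        missing = missing_fields(alert)
        if missing:
            results.append({"alertId": alert.get("alertId"),
                            "error": "missing " + ", ".join(missing)})
            continue
        results.append({"alertId": alert["alertId"], "routed_to": route(alert)})
    return 200, {"results": results}


class Receiver(BaseHTTPRequestHandler):
    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", 0))
        status, reply = handle(self.rfile.read(length),
                               self.headers.get("X-Webhook-Token", ""))
        data = json.dumps(reply).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


# Constructed sample of what a POST might carry: one clean high alert, one
# high alert from Alibaba Cloud with odd casing, and one alert missing a field.
SAMPLE_BODY = json.dumps([
    {"alertId": "P-1", "policyName": "S3 bucket publicly readable", "severity": "high",
     "cloudType": "aws", "accountName": "prod-payments"},
    {"alertId": "P-2", "policyName": "ECS instance without security group", "severity": "HIGH",
     "cloudType": "ALIBABA_CLOUD", "accountName": "cn-prod"},
    {"alertId": "P-3", "severity": "low", "cloudType": "gcp", "accountName": "dev-sandbox"},
]).encode()

if __name__ == "__main__":
    # Put TLS termination and source IP filtering in front of this in practice.
    HTTPServer(("127.0.0.1", 8080), Receiver).serve_forever()
```

The handler accepts both a JSON array and a single object because an alert rule can deliver several alerts in one POST; the per-alert error entries let a malformed alert fail without the whole batch being rejected, which matters when the page's integration status check would otherwise flag the webhook as failing.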

5.2.4 Differentiate between onboarding for Amazon Web Services (AWS), Google Cloud Platform
(GCP), and Azure

AWS
To connect your AWS Organizations (supported only on public AWS) or your AWS accounts on public
AWS, AWS China, or AWS GovCloud to Prisma Cloud, you must complete several tasks on the AWS
Management Console and on Prisma Cloud. The onboarding workflow enables you to create a
Prisma Cloud role with either read-only access (including to your traffic flow logs) or with
limited read-write access to remediate incidents. With the correct permissions, Prisma Cloud can
connect to and access your AWS account(s).
In addition to scanning your AWS resources against Prisma Cloud policies for compliance and
governance issues, you can also scan objects in AWS S3 buckets for data security issues. The data
security capabilities include predefined data policies and associated data classification profiles,
such as PII, Financial, or Healthcare & Intellectual Property, that scan the objects stored in the
S3 bucket to identify exposure: whether sensitive information is kept private, exposed or shared
externally, or allows unauthorized access.

GCP
To enable Prisma Cloud to retrieve data on your Google Cloud Platform (GCP) resources and
identify potential security risks and compliance issues, you must connect your GCP accounts to
Prisma Cloud. In keeping with the GCP resource hierarchy, you can choose whether Prisma Cloud
monitors one or more GCP projects or all projects under your GCP organization. Either way,
onboarding automates the creation of a service account, the creation and association of roles
with that service account, and the enabling of the required APIs.

Azure
There are two main workflows your organization can use to onboard Azure resources to Prisma
Cloud so you can monitor and identify compliance violations in your Azure environments. You have
the option of securing your Azure Active Directory tenant or individual Azure subscriptions in
your Azure commercial, government, or China accounts. If you prefer to automate the creation of
the Azure resources that Prisma Cloud needs in order to access the Azure APIs, use the provided
Terraform script. This workflow automates the setup of the Prisma Cloud application in Azure
Active Directory and enables the permissions for read-only or read-write access to your Azure
subscription. If you are not familiar with Terraform, you can instead create the Azure resources
manually so that Prisma Cloud can call the Azure APIs.
Onboarding your Azure Active Directory tenant gives you the flexibility to onboard your
subscriptions automatically, the ability to onboard once and have subsequent resources ingested,
and the option to include or exclude grouped subscriptions through management groups.

5.2.5 References

● Alert Rule, Enable Prisma Cloud Alerts (paloaltonetworks.com)


● Map roles with permission, Map Roles and Permissions (paloaltonetworks.com)

Appendix A: Sample Questions
These questions are intended to simulate taking the Palo Alto Networks Systems Engineer: Prisma
Cloud Professional Certification Exam.

1. Which gives you instant feedback and options for immediate resolutions to your scanned
misconfigurations?
a. Cloud Code Security
b. Cloud Security Posture Management
c. Cloud Workload Protection
d. Cloud Network Security

2. Which offers holistic protection for hosts, containers, and serverless deployments in any
cloud and across the software lifecycle?
a. Cloud Identity Security
b. Cloud Workload Protection
c. Cloud Network Security
d. Cloud Code security

3. Which platform leverages data from public cloud service providers to deliver continuous
visibility, security policy compliance, and threat detection?
a. CWPP
b. CIEM
c. CNS
d. CSPM

4. What do users need to install to automatically start scanning images, containers, and hosts
for vulnerabilities?
a. Amazon Web Service
b. Console
c. Defender

5. What are the Deployment Options available in Prisma Cloud? (Choose two.)
a. IaaS Architecture in Prisma Cloud Compute Edition
b. SaaS Architecture in Prisma Cloud Enterprise Edition
c. Self-Hosted Architecture in Prisma Cloud Compute Edition
d. PaaS Architecture in Prisma Cloud Enterprise Edition

6. Select the three correct types of defenders. (Choose three.)


a. Host Defender
b. Container Defender
c. Serverless Defender
d. Agentless Defender

7. In which mode can a networking rule place a Defender?
a. Deny
b. Alarm
c. Block
d. Permit

8. What are two main types of integration available with Prisma Cloud? (Choose two.)
a. Egress
b. Inbound
c. Ingress
d. Outbound

9. Which statement describes how Prisma Cloud can help with DevSecOps enablement?
a. With Prisma Cloud, you can monitor compliance posture in real time and generate
audit- ready reports with a single click.
b. With Prisma Cloud, you can seamlessly implement security guardrails that provide
control and prevent vulnerabilities and insecure config issues from progressing
forward.
c. Prisma Cloud enforces least privilege microsegmentation policies based on
auto-learned network traffic flows.
d. Prisma Cloud dynamically discovers new resources as soon as they are deployed in
the cloud and tracks historical changes for auditing purposes.

10. What are two types of alert reports that can be generated to inform stakeholders about the
status of the cloud assets and how the assets are doing against Prisma Cloud security and
compliance policy checks? (Choose two.)
a. Cloud Security Assessment Report
b. Compliance Report
c. Business Unit Report
d. AWS
e. GCP

11. True or false? Prisma Cloud protects your containers by combining static analysis of an
image with runtime analysis of the container.
a. true
b. false

12. Which mode is the phase in which Prisma Cloud performs either static or dynamic analysis?
a. Archived
b. Active
c. Learning
d. Passive

13. Where are the global proxy settings configured after Console is installed?
a. UI
b. Server
c. Cloud
d. Console

14. What are three WAAS actions? (Choose three.)
a. Alert
b. Prevent
c. Ban
d. Deployment

15. Select the two cloud types for compliance supported by Prisma Cloud. (Choose two.)
a. GCP
b. Rackspace
c. Cisco
d. AWS

16. Which system from the following provides online instant messaging and collaboration that
enables you to centralize all your notifications?
a. Slack
b. Qualys
c. Tenable
d. Webhooks

Appendix B: Answers to Sample Questions
Below are the answers to the sample questions from Appendix A.

1. Which gives you instant feedback and options for immediate resolutions to your scanned
misconfigurations?
a. Cloud Code Security 1
b. Cloud Security Posture Management
c. Cloud Workload Protection
d. Cloud Network Security

2. Which offers holistic protection for hosts, containers, and serverless deployments in any
cloud and across the software lifecycle?
a. Cloud Identity Security
b. Cloud Workload Protection 1
c. Cloud Network Security
d. Cloud Code security

3. Which platform leverages data from public cloud service providers to deliver continuous
visibility, security policy compliance, and threat detection?
a. CWPP
b. CIEM
c. CNS
d. CSPM

4. What do users need to install to automatically start scanning images, containers, and hosts
for vulnerabilities?
a. Amazon Web Service
b. Console
c. Defender

5. What are the Deployment Options available in Prisma Cloud? (Choose two.)
a. IaaS Architecture in Prisma Cloud Compute Edition
b. SaaS Architecture in Prisma Cloud Enterprise Edition
c. Self-Hosted Architecture in Prisma Cloud Compute Edition
d. PaaS Architecture in Prisma Cloud Enterprise Edition

6. Select the three correct types of defenders. (Choose three.)


a. Host Defender
b. Container Defender
c. Serverless Defender
d. Agentless Defender

7. In which mode can a networking rule place a Defender?


a. Deny
b. Alarm
c. Block
d. Permit

8. What are two main types of integration available with Prisma Cloud? (Choose two.)
a. Egress
b. Inbound
c. Ingress
d. Outbound

9. Which statement describes how Prisma Cloud can help with DevSecOps enablement?
a. With Prisma Cloud, you can monitor compliance posture in real time and generate
audit- ready reports with a single click.
b. With Prisma Cloud, you can seamlessly implement security guardrails that
provide control and prevent vulnerabilities and insecure config issues from
progressing forward.
c. Prisma Cloud enforces least privilege microsegmentation policies based on
auto-learned network traffic flows.
d. Prisma Cloud dynamically discovers new resources as soon as they are deployed in
the cloud and tracks historical changes for auditing purposes.

10. What are two types of alert reports that can be generated to inform stakeholders about the
status of the cloud assets and how the assets are doing against Prisma Cloud security and
compliance policy checks? (Choose two.)
a. Cloud Security Assessment Report
b. Compliance Report
c. Business Unit Report
d. AWS
e. GCP

11. True or false? Prisma Cloud protects your containers by combining static analysis of an
image with runtime analysis of the container.
a. true
b. false

12. Which mode is the phase in which Prisma Cloud performs either static or dynamic analysis?
a. Archived
b. Active
c. Learning
d. Passive

13. Where are the global proxy settings configured after Console is installed?
a. UI
b. Server
c. Cloud
d. Console

14. What are three WAAS actions? (Choose three.)


a. Alert
b. Prevent
c. Ban
d. Deployment

15. Select the two cloud types for compliance supported by Prisma Cloud. (Choose two.)
a. GCP
b. Rackspace
c. Cisco
d. AWS

16. Which system from the following provides online instant messaging and collaboration that
enables you to centralize all your notifications?
a. Slack
b. Qualys
c. Tenable
d. Webhooks

Appendix C: What’s Different in This Study Guide

Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Partners delivers the knowledge and
expertise to prepare you to protect our way of life in the digital age. Our trusted security
certifications give you the Palo Alto Networks product portfolio knowledge necessary to prevent
successful cyberattacks and to safely enable applications.

Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital-learning classes are a helpful way to
reinforce the key information for those who have been to the formal hands-on classes. They also
serve as a useful overview and introduction to working with our technology for those unable to
attend a hands-on, instructor-led class.

Simply register in Beacon and you will be given access to our digital-learning portfolio. These online
classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.

New courses are being added often, so check back to see new curriculum available.

Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?

Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of
solutions from onsite training to public, open-environment classes. About 42 authorized training
centers are delivering online courses in 14 languages and at convenient times for most major
markets worldwide. For class schedule, location, and training offerings, see
https://www.paloaltonetworks.com/services/education/atc-locations.

Learning Through the Community
You also can learn from peers and other experts in the field. Check out our communities site at
https://live.paloaltonetworks.com, where you can:

● Discover reference material
● Learn best practices
● Learn what is trending
