Scribd
Upload
58 views7 pages

PCCSE - Blueprint

Uploaded by

Ngọc Khánh Vũ
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
58 views7 pages

PCCSE - Blueprint

Uploaded by

Ngọc Khánh Vũ
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 7

Prisma Certified Cloud Security Engineer (PCCSE)

Exam Blueprint

Domain Weight (%)


Cloud Security Posture Management (CSPM) 21%

Cloud Workload Protection (CWP) 21%

Install, Upgrade, and Backup / Prisma Cloud 19%

Cloud Network Security and Identity-Based Microsegmentation 11%


Enterprise Edition

Prisma Cloud Code Security (PCCS) 12%

Identity and Access Management (IAM) / Prisma Cloud Data


Security (PCDS) 16%

Domain 1 Cloud Security Posture Management (CSPM) 21%

Task 1.1 Identify assets in a Cloud account

1.1.1 Inventory of resources in a cloud account


1.1.2 Resource configuration history
1.1.3 Asset configuration changes

Task 1.2 Configure policies

1.2.1 Custom policies


1.2.2 Policy types
1.2.3 Supported variables within configuration-run custom policies

Task 1.3 Configure compliance standards

1.3.1 Standards
1.3.2 Reports

Task 1.4 Configure alerting and notifications

1.4.1 Alert states


1.4.2 Alert rules
1.4.3 Alert notifications and reports
1.4.4 Alert workflow

1
Task 1.5 Use third-party integrations

1.5.1 Inbound and outbound notifications

Task 1.6 Perform ad hoc investigations

1.6.1 Resource configuration with RQL


1.6.2 User activity using RQL
1.6.3 Network activity using RQL
1.6.4 Anomalous user events
1.6.5 Asset details using RQL

Task 1.7 Remediate alerts

1.7.1 Auto-remediation
1.7.2 Manual versus automated remediation

Task 1.8 Use SecOps Dashboard

1.8.1 Internet-connected assets by source network traffic behavior


1.8.2 Components

Domain 2 Cloud Workload Protection (CWP) 21%

Task 2.1 Monitor and defend against image vulnerabilities

2.1.1 Options available in the Monitor section


2.1.2 Options available in the Policies section

Task 2.2 Monitor and defend against host vulnerabilities

2.2.1 Options available in the Monitor section


2.2.2 Options available in the Policies section

Task 2.3 Monitor and enforce image/container compliance

2.3.1 Options available in the Monitor section


2.3.2 Options available in the Policies section

Task 2.4 Monitor and enforce host compliance

2.4.1 Options available in the Monitor section


2.4.2 Options available in the Policies section

© 2022 Palo Alto Networks | Palo Alto Networks Certified Cloud Security Engineer (PCCSE) Blueprint | v.
October 2022 |Confidential and Proprietary 2
Task 2.5 Monitor and defend containers and hosts during runtime

2.5.1 Container models


2.5.2 Host observations
2.5.3 Runtime policies
2.5.4 Runtime audits
2.5.5 Incidents using Incident Explorer

Task 2.6 Monitor and protect against serverless vulnerabilities

2.6.1 Monitor
2.6.2 Policy
2.6.3 Auto-protect

Task 2.7 Configure WAAS

2.7.1 Application specifications


2.7.2 API methods
2.7.3 Rest API endpoints
2.7.4 DoS protection
2.7.5 Access control to Limit inbound sources
2.7.6 Network lists
2.7.7 Access control to enforce HTTP headers and file uploads
2.7.8 Bot protection
2.7.9 Rules
2.7.10 Audit logs

Task 2.8 Monitor and protect registries

2.8.1 Scanning
2.8.2 CI

Domain 3 Install, Upgrade, and Backup / Prisma Cloud Administration 19%

Task 3.1 Deploy and manage Console for the Compute Edition

3.1.1 Prisma Cloud release software


3.1.2 Console in Onebox configuration
3.1.3 Upgrade on Console
3.1.4 Business use case to determine Prisma Cloud version to use
3.1.5 Tenant versus Scale projects

Task 3.2 Deploy and manage defenders

3.2.1 Types
3.2.2 Networking for Defender-To-Console connectivity
3.2.3 Upgrade and Compatibility

© 2022 Palo Alto Networks | Palo Alto Networks Certified Cloud Security Engineer (PCCSE) Blueprint | v.
October 2022 |Confidential and Proprietary 3
Task 3.3 Configure Agentless Security

3.3.1 Agent versus Agentless


3.3.2 Cloud discovery

Task 3.4 Backup and restore Console

3.4.1 Backup management


3.4.2 Disaster recovery

Task 3.5 Manage authentication

3.5.1 Certificates
3.5.2 Secrets and credentials store

Task 3.6 Onboard accounts

3.6.1 Onboard cloud accounts


3.6.2 Account Groups

Task 3.7 Configure access control

3.7.1 Users, roles, and permission groups


3.7.2 Access control troubleshooting
3.7.3 Service accounts and access keys
3.7.4 Single Sign On
3.7.5 Role-based access control for Docker Engine (CWP)
3.7.6 Admission control with Open Policy Agent (CWP
3.7.7 Resource lists and collections

Task 3.8 Configure logging

3.8.1 Audit logging


3.8.2 Defender logging

Task 3.9 Manage enterprise settings

3.9.1 Anomaly settings


3.9.2 Idle timeout
3.9.3 Auto-enable policies
3.9.4 Alert dismissal reason
3.9.5 User attribution
3.9.6 Licensing
3.9.7 Access key maximum validity

Task 3.10 Configure third-party integrations

3.10.1 Inbound and outbound notifications


3.10.2 Supported capabilities

© 2022 Palo Alto Networks | Palo Alto Networks Certified Cloud Security Engineer (PCCSE) Blueprint | v.
October 2022 |Confidential and Proprietary 4
Task 3.11 Leverage Cloud and Compute APIs

3.11.1 Authenticate with APIs


3.11.2 API documentation
3.11.3 Policies and custom queries by API
3.11.4 Alerts and Reports using APIs
3.11.5 Vulnerability results via API
3.11.6 Access keys
3.11.7 Data security and IAM APIs

Task 3.12 Leverage Adoption Advisor and Alarm Center

3.12.1 Notification rule


3.12.2 Adoption Advisor guidance

Task 3.13 Access Knowledge Center and Help Center

3.13.1 Knowledge Center


3.13.2 Help Center
3.13.3 Feature requests
3.13.4 PCCSE
3.13.5 Live Community
3.13.6 Product status updates
3.13.7 Docs, Prisma Cloud Privacy and Support options

Domain 4 Cloud Network Security and Identity-Based


Microsegmentation Enterprise Edition 11%

Task 4.1 Configure Cloud network analyzer

4.1.1 Network exposure policy


4.1.2 RQL

Task 4.2 Deploy and manage Enforcers

4.2.1 Processing units


4.2.2 Namespaces
4.2.3 Tags and identity
4.2.4 Network rulesets
4.2.5 Out-of-the-box rules
4.2.6 Application profiling

Task 4.3 Manage local changes in a remote repository (dev-prod)


Configuration

4.3.1 Types
4.3.2 Networking for Enforcers-to-Console connectivity

© 2022 Palo Alto Networks | Palo Alto Networks Certified Cloud Security Engineer (PCCSE) Blueprint | v.
October 2022 |Confidential and Proprietary 5
Task 4.4 Use NetSecOps dashboard

4.4.1 Flows

Domain 5 Prisma Cloud Code Security (PCCS) 12%

Task 5.1 Implement scanning for IAC templates

5.1.1 Terraform and Cloudformation scanning configurations


5.1.2 OOTB IAC scanning integrations
5.1.3 API scanning
5.1.4 IAC scanning integration
5.1.5 Supply-chain security
5.1.6 Handling scanned issues
5.1.7 Repository scanning

Task 5.2 Configure policies in Console for IAC scanning

5.2.1 OOTB policies


5.2.2 Custom build policies
5.2.3 Types of config policies
5.2.4 Prisma configuration files

Task 5.3 Configure CI policies for Compute scanning

5.3.1 Default CI policies


5.3.2 Custom CI policies

Task 5.4 Manage configuration settings

5.4.1 Code reviews


5.4.2 Code repository settings
5.4.3 Notifications
5.4.4 Pull requests and tagging bots

Domain 6 Identity and Access Management (IAM)/Prisma Cloud


Data Security (PCDS) 16%

Task 6.1 Calculate net effective permissions

6.1.1 AWS calculation


6.1.2 Azure calculation

Task 6.2 Investigate incidents and create IAM policies

6.2.1 RQL queries


6.2.2 IAM policies

© 2022 Palo Alto Networks | Palo Alto Networks Certified Cloud Security Engineer (PCCSE) Blueprint | v.
October 2022 |Confidential and Proprietary 6
Task 6.3 Integrate IAM with IdP

6.3.1 Azure active directory


6.3.2 Okta

Task 6.4 Remediate alerts

6.4.1 Manual versus automatic


6.4.2 AWS remediation
6.4.3 Azure remediation

Task 6.5 Monitor Scan Results

6.5.1 Monitor Scan Results


6.5.2 Data Inventory
6.5.3 Resource Explorer
6.5.4 Object Explorer
6.5.5 Exposure Evaluation

Task 6.6 Assess Data Policies and Alerts

6.6.1 Data policy vs data pattern


6.6.2 Alerts

Task 6.7 Define data security scan settings

6.7.1 Scan configuration


6.7.2 Data profile and pattern
6.7.3 File extensions
6.7.4 Snippet masking

© 2022 Palo Alto Networks | Palo Alto Networks Certified Cloud Security Engineer (PCCSE) Blueprint | v.
October 2022 |Confidential and Proprietary 7

You might also like

pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy