Prisma Certified Cloud Security

Engineer
(PCCSE)
Study Guide
October 2022

Prisma Certified Cloud Security Engineer (PCCSE)

Table of Contents
How to Use This Study Guide 9

About the PCCSE Exam 9

Exam Format 9
How to Take This Exam 10
Disclaimer 10

Audience and Qualifications 10

Skills Required 10

Domain 1: Cloud Security Posture Management (CSPM) 11

1.1 Identify assets in a cloud account 11
1.1.1 Inventory of resources in a cloud account 11
1.1.2 Resource configuration history 12
1.1.3 Asset configuration changes 13
1.1.4 References 14
1.2 Configure policies 14
1.2.1 Custom policies 14
1.2.2 Policy types 14
1.2.3 Supported variables within configuration-run custom policies 15
1.2.4 References 15
1.3 Configure compliance standards 16
1.3.1 Standards 16
1.3.2 Reports 18
1.3.3 References 23
1.4 Configure alerting and notification 23
1.4.1 Alert states 23
1.4.2 Alert rules 24
1.4.3 Alert notifications and reports 29
1.4.4 Alert workflow 31
1.4.5 References 31
1.5 Use third-party integrations 32
1.5.1 Inbound and outbound notifications 32
1.5.2 References 34
1.6 Perform ad hoc investigations 35
1.6.1 Resource configuration with RQL 37
1.6.2 User activity using RQL 38
1.6.3 Network activity using RQL 38
1.6.4 Anomalous event(s) 39
1.6.5 Asset details using RQL 43
1.6.6 References 43
1.7 Remediate alerts 44

Prisma Certified Cloud Security Engineer (PCCSE) 2

 1.7.1 Autoremediation 44
1.7.2 Manual versus automation remediation 47
1.7.3 References 47
1.8 Use SecOps Dashboard 47
1.8.1 Internet-connected assets by source network traffic behavior 47
1.8.2 Components 49
1.8.3 References 50

Domain 2: Cloud Workload Protection (CWP) 51

2.1 Monitor and defend against image vulnerabilities 51
2.1.1 Options available in the Monitor section 51
2.1.2 Options available in the Policies section 57
2.1.3 References 58
2.2 Monitor and defend against host vulnerabilities 58
2.2.1 Options available in the Monitor section 59
2.2.2 Options available in the Policies section 60
2.2.3 Reference 60
2.3 Monitor and enforce image/container compliance 60
2.3.1 Options available in the Monitor section 60
2.3.2 Options available in the Policies section 61
2.3.3 References 63
2.4 Monitor and enforce host compliance 63
2.4.1 Options available in the Monitor section 64
2.4.2 Options available in the Policies section 64
2.4.3 References 65
2.5 Monitor and defend containers and hosts during runtime 65
2.5.1 Container models 66
2.5.2 Host observations 67
2.5.3 Runtime policies 67
2.5.4 Runtime audits 68
2.5.5 Incidents using Incident Explorer 68
2.5.6 References 70
2.6 Monitor and protect against serverless vulnerabilities 71
2.6.1 Monitor 71
2.6.2 Policy 72
2.6.3 Auto-protect 72
2.6.4 References 74
2.7 Configure WAAS 74
2.7.1 Application specifications 74
2.7.2 API methods 76
2.7.3 REST API endpoints 76
2.7.4 DoS protection 83
2.7.5 Access controls to limit inbound sources 85

Prisma Certified Cloud Security Engineer (PCCSE) 3

 2.7.6 Network lists 86
2.7.7 Access controls to enforce HTTP headers and file uploads 87
2.7.8 Bot protection 88
2.7.9 Rules 94
2.7.10 Audit logs 95
2.7.11 Reference 95
2.8 Monitor and protect registries 96
2.8.1 Scanning 96
2.8.2 CI 97
2.8.3 References: 97

Domain 3: Install, Upgrade, and Backup 98

3.1 Deploy and manage console for the compute edition 98
3.1.1. Prisma Cloud release software 98
3.1.2 Console in Onebox configuration 99
3.1.3 Upgrade on Console 100
3.1.4 Business use case to determine the Prisma Cloud version to use 101
3.1.5 Tenant versus Scale projects 102
3.1.6 References 103
3.2 Deploy and manage Defenders 103
3.2.1 Types 103
3.2.2 Networking for Defender-to-Console connectivity 107
3.2.3 Upgrade and compatibility 107
3.2.4 Reference 111
3.3 Configure Agentless Security 112
3.3.1 Agent versus Agentless 112
3.3.2 Cloud discovery 113
3.3.3 Reference 116
3.4 Backup and Restore console 116
3.4.1 Backup management 116
3.4.2 Disaster recovery 117
3.4.3 Reference 118
3.5 Manage authentication 118
3.5.1 Certificates 118
3.5.2 Secrets and credentials store 120
3.5.3 References 131
3.6 Onboard accounts 131
3.6.1 Onboard cloud accounts 131
3.6.2 Account groups 132
3.6.3 References 133
3.7 Configure access control 133
3.7.1 Users, roles, and permission groups 133
3.7.2 Access control troubleshooting 138

Prisma Certified Cloud Security Engineer (PCCSE) 4

 3.7.3 Service accounts and access keys 139
3.7.4 Single Sign On 146
3.7.5 Role-based access control for Docker Engine (CWP) 147
3.7.6 Admission control with Open Policy Agent (CWP) 153
3.7.7 Resource lists and collections 157
3.7.8 Reference 157
3.8 Configure logging 158
3.8.1 Audit logging 158
3.8.2 Defender logging 159
3.8.3 References 159
3.9 Manage enterprise settings 160
3.9.1 Anomaly settings 160
3.9.2 Idle timeout 163
3.9.3 Auto-enable policies 164
3.9.4 Alert-dismissal reason 164
3.9.5 User attribution 165
3.9.6 Licensing 166
3.9.7 Access key maximum validity 167
3.9.8 References 168
3.10 Configure third-party integrations 168
3.10.1 Inbound and outbound notifications 168
3.10.2 Supported capabilities 169
3.10.3 Reference 170
3.11 Leverage Cloud and Compute APIs 170
3.11.1 Authenticate with APIs 170
3.11.2 API documentation 171
3.11.3 Policies and custom queries by API 172
3.11.4 Alerts and Reports using APIs 176
3.11.5 Vulnerability results via API 180
3.11.6 Access keys 181
3.11.7 Data security and IAM APIs 183
3.11.8 References 183
3.12 Leverage Adoption Advisor and Alarm Center 184
3.12.1 Notification rule 184
3.12.2 Adoption Advisor guidance 190
3.12.3 Reference 192
3.13 Access Knowledge Center and Help Center 192
3.13.1 Knowledge Center 192
3.13.2 Help Center 192
3.13.3 Feature requests 192
3.13.4 PCCSE 192
3.13.5 Live Community 193

Prisma Certified Cloud Security Engineer (PCCSE) 5

 3.13.6 Product status updates 193
3.13.7 Docs, Prisma Cloud Privacy and Support options 193
3.13.8 References 193

Domain 4: Cloud Network Security and Identity-based Microsegmentation Enterprise

Edition 195
4.1 Configure Cloud network analyzer 195
4.1.1 Network exposure policy 195
4.1.2 RQL 197
4.1.3 References 197
4.2 Deploy and manage enforces 198
4.2.1 Processing units 198
4.2.2 Namespaces 198
4.2.3 Tags and identity 201
4.2.4 Network rulesets 203
4.2.5 Out-of-the box rules 209
4.2.6 Application profiling 211
4.2.7 References 212
4.3 Manage local changes in a remote repository (dev-prod) configuration 213
4.3.1 Types 213
4.3.2 Networking for Enforcers to Console connectivity 214
4.3.3 Reference 222
4.4 Use NetSecOps dashboard 223
4.4.1 flows 223
4.4.2 References 223

Domain 5: Prisma Cloud Code Security (PCCS) 225

5.1 Implement scanning for IAC templates 225
5.1.1 Terraform and Cloudformation scanning configurations 225
5.1.2 OOTB IAC scanning integrations 225
5.1.3 API scanning 226
5.1.4 IAC scanning integration 227
5.1.5 Supply-chain security 228
5.1.6 Handling scanned issues 231
5.1.7 Repository scanning 238
5.1.8 Reference 242
5.2 Configure policies in Console for IAC scanning 242
5.2.1 OOTB policies 242
5.2.2 Custom build policies 243
5.2.3 Types of config policies 249
5.2.4 Prisma configuration files 250
5.2.5 References 250
5.3 Configure CI policies for Computer scanning 250

Prisma Certified Cloud Security Engineer (PCCSE) 6

 5.3.1 Default CI policies 250
5.3.2 Custom CI policies 251
5.3.3 References 252
5.4 Manage configuration settings 252
5.4.1 Code reviews 252
5.4.2 Code repository settings 252
5.4.3 Notifications 255
5.4.4 Pull Request and Tagging bots 259
5.4.5 References 263

Domain 6: Identity and Access Management (IAM)/Identity and Access Management

(IAM)/Prisma Cloud Data Security (PCDS) 265
6.1 Calculate net effective permissions 265
6.1.1 AWS calculation 265
6.1.2 Azure calculation 266
6.1.3 References 266
6.2 Investigate incidents and create IAM policies 266
6.2.1 RQL queries 266
6.2.2 IAM policies 266
6.2.3 References 267
6.3 Integrate IAM with IdP 268
6.3.1 Azure active directory 268
6.3.2 Okta 268
6.3.3 References 273
6.4 Remediate alerts 274
6.4.1 Manual versus automatic 274
6.4.2 AWS remediation 274
6.4.3 Azure remediation 281
6.4.4 References 286
6.5 Monitor Scan Results 286
6.5.1 Data dashboard 286
6.5.2 Data Inventory 290
6.5.3 Resource Explorer 294
6.5.4 Object Explorer 295
6.5.5 Exposure Evaluation 296
6.5.6 References 298
6.6 Assess Data Policies and Alerts 299
6.6.1 Data policy vs data pattern 299
6.6.2 Alerts 299
6.6.3 References 300
6.7 Define data security scan settings 301
6.7.1 Scan configuration 301
6.7.2 Data profile and pattern 303

Prisma Certified Cloud Security Engineer (PCCSE) 7

 6.7.3 File extensions 304
6.7.4 Snippet masking 308
6.7.5 References 309

Appendix A: Sample Questions with Answers 311

Appendix B: Answers to the Sample Test 319

Continuing Your Learning Journey with Palo Alto Networks 327

Prisma Certified Cloud Security Engineer (PCCSE) 8

How to Use This Study Guide
Welcome to the Palo Alto Networks Prisma Certified Cloud Security Engineer (PCCSE) Study Guide.
The purpose of this guide is to help you prepare for your PCCSE exam and achieve your PCCSE
credential.

You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.

About the PCCSE Exam

The Prisma Certified Cloud Security Engineer certification validates the knowledge, skills, and
abilities required to onboard, deploy, and administer all aspects of Prisma Cloud. PCCSE-certified
individuals have demonstrated in-depth knowledge of Palo Alto Networks Prisma Cloud technology
and resources.

More information is available from the Palo Alto Networks public page at:
https://www.paloaltonetworks.com/services/education

Technical documentation is located at:

https://beacon.paloaltonetworks.com/student/collection/710725-prisma-certified-cloud-security-eng
ineer-pccse?sid=77de5d28-6423-4603-8d52-3487a52c45c3&sid_i=0

Exam Format

The test format is 75-85 items. Candidates will have five minutes to review the NDA, 70-80 minutes
to complete the exam questions, and five minutes to complete a survey at the end of the exam.

The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in
the following table.

This exam is based on Product version Prisma Cloud 22.9.2. (Compute 22.06.)

Exam Domain Weight (%)

Cloud Security Posture Management (CSPM) 21%

Cloud Workload Protection (CWP) 21%

Install, Upgrade, and Backup / Prisma Cloud 19%

Administration

Cloud Network Security and 11%

Identity-Based Microsegmentation
Enterprise Edition

Prisma Cloud Code Security (PCCS) 12%

Prisma Certified Cloud Security Engineer (PCCSE) 9

 Identity and Access Management (IAM)/ 16%
Prisma Cloud Data Security (PCDS)

TOTAL 100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform. To register for the
exam, visit: https://home.pearsonvue.com/paloaltonetworks

Disclaimer

This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is not
intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and use
the resources and courses recommended in this guide where needed to gain that understanding.

Audience and Qualifications

The PCCSE Certification is designed for users interested in demonstrating knowledge, skills, and
abilities with Prisma Cloud, including cloud security, customer success, and cybersecurity
architects.

Skills Required

● You can design, develop, and maintain detection checks for cloud security policies and
compliance standards
● You can research on cloud attack techniques, tactics, and detections based on events and
network flow logs
● You can participate in the public outreach forums and represent the recommendations
adhering to Palo Alto Networks standards
● You have 0-3 years of experience working on public cloud, experience in Python, knowledge
of containers, Kubernetes, Terraform, and cloud technologies

Recommended Training:

Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:

● Prisma Cloud: Cloud Security Posture Management

● Prisma Cloud: Cloud Network Security
● Prisma Cloud: Cloud Workload Protection
● Prisma Cloud: Cloud Code Security

Prisma Certified Cloud Security Engineer (PCCSE) 10

Domain 1: Cloud Security Posture Management (CSPM)
This domain describes Cloud Security Posture Management (CSPM). Prisma Cloud is a cloud native
security platform that enables you to secure your cloud native infrastructure and cloud native
applications using a single dashboard. It offers comprehensive visibility and threat detection across
your organization’s hybrid, multicloud infrastructure.

1.1 Identify assets in a cloud account

To know the state of your cloud infrastructure, you need visibility into all the assets and
infrastructure that make up your cloud environment and a pulse on your security posture.

Whether you want to detect a misconfiguration or you want to continually assess your security
posture and adherence to specific compliance standards Prisma Cloud provides out-of-the-box
policies (auditable controls) for ongoing reporting and measurement.

1.1.1 Inventory of resources in a cloud account

The Asset Inventory dashboard (on the Inventory tab) provides a snapshot of the current state of all
cloud resources or assets that you are monitoring and securing using Prisma Cloud. From the
dashboard, you gain operational insight over all the Palo Alto Networks cloud infrastructure,

Prisma Certified Cloud Security Engineer (PCCSE) 11

including assets and services such as Compute Engine instances, virtual machines, Cloud Storage
buckets, accounts, subnets, gateways, and load balancers.
Assets are displayed by default for all account groups, which the service monitors, for the most
recent time range (last full hour). Resources that belong to cloud accounts that are disabled on
Prisma Cloud are not included in the Asset Inventory. The interactive dashboard provides filters to
change the scope of data displayed, so that you can analyze information you want to view in greater
detail.

1.1.2 Resource configuration history

● Resource Summary—Shows the count of the Total Unique Resources monitored by Prisma
Cloud. Click the link to view all the assets on the Asset Explorer.

Prisma Certified Cloud Security Engineer (PCCSE) 12

For all these assets, you can toggle to view the following details as a numeric value or a percentage:

o Pass—Displays the resources without any open alerts. Click the link for the passed resources
and you will be redirected to the Asset Explorer that is filtered to display all the resources
that have Scan Status set to Pass.

o Low/Medium/High—Displays the resources that have generated low-, medium-, or

high-severity alerts. On the asset inventory, when a resource triggers multiple alerts, the
asset severity assigned to it matches the highest risk to which it is exposed. When you click
the link, you will be redirected to the Asset Explorer that is filtered to display all the resources
that match the corresponding Asset Severity level.

o The View Alerts link enables you to view a list of all resources that have open alerts sorted
by severity. Click each link to view the Alerts Overview sorted for low-, medium-, or
high-severity alerts. You can review the policies that triggered the alerts along with a count
of the total number of alerts for each policy.

o Fail—Displays the total number of resources that have generated at least one open alert
when the hourly snapshot was generated. Click the link and you will be redirected to the
Asset Explorer that is filtered to display all resources that have Scan Status set to Failed.

1.1.3 Asset configuration changes

At a glance, the Asset Inventory dashboard has four sections:

● Resource Summary—See description in Section 1.1.2.

Prisma Certified Cloud Security Engineer (PCCSE) 13

 ● Asset Trend—Trend line to help you monitor the overall health of your cloud resources
starting when you added the first cloud account to Prisma Cloud through the time when
the hourly snapshot was generated. The green, blue, and red trend lines are overlaid to
visually display the passed and failed resources against the total resource count. The trends
depict the overall security posture of your resources and how they are performing over time
so you can identify sudden surges with failed policy checks or sustained improvements with
passed policy checks.

● Asset Classification—Bar graph for each cloud type (default), region name, account name,
or service name that depicts the ratio of passed to failed resources for policy checks.

● Tabular data—The table enables you to group the results by account name, cloud region, or
service name (default) and then drill down to view granular information on the resource
types within your cloud accounts. All global resources for each cloud are grouped under
AWS Global, Alibaba Cloud Global, Azure Global, and GCP Global.

Each row displays the service name with details on the cloud type (which you can filter on), and the
percentage of resources that pass policy checks to which you want to adhere. The links in each
column help you explore and gain the additional context you may need to take action.

1.1.4 References
● Asset Inventory,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-
dashboards/asset-inventory

1.2 Configure policies

1.2.1 Custom policies

Create a custom policy with remediation rules that are tailored to meet the requirements of your
organization. When creating a new policy, you can either build the query using RQL or use a saved
search to automatically populate the query you need to match on your cloud resources. For Cloud
Code Security, you can also create configuration policies to scan your infrastructure-as-code (IaC)
templates that are used to deploy cloud resources. The policies used for scanning IaC templates use
a JSON query instead of RQL.

If you want to enable autoremediation, Prisma Cloud requires write access to the cloud platform to
successfully execute the remediation commands.

1.2.2 Policy types

You can create any of the following types of policies:

● Config—Configuration policies monitor your resource configurations for potential policy

violations. Configuration policies on Prisma Cloud can be of two subtypes—Build or Run—to
enable a layered approach. Build policies enable you to check for security misconfigurations
in the IaC templates and ensure that these issues do not make their way into production.

Prisma Certified Cloud Security Engineer (PCCSE) 14

 Run policies monitor resources and check for potential issues once these cloud resources
are deployed. See Create a Configuration Policy.

● Data—Data policies protect against malware and enable data classification. To identify
sensitive data in cloud storage buckets, they use machine learning and pattern matching.
See Use Data Policies to Scan for Data Exposure or Malware.

● Network—Network policies monitor network activities in your environment. See Create a

Network or Audit Event Policy.

● Audit Event—Event policies monitor audit events in your environment for potential policy
violations. Create audit policies to flag sensitive events such as root activities or configuration
changes that may potentially put your cloud environment at risk. See Create a Network or
Audit Event Policy.

● IAM—IAM policies monitor the identities in your cloud environment for excess or unused
permissions. See Create an IAM Policy.

1.2.3 Supported variables within configuration-run custom policies

CLI remediation is available for config from queries only. You can add up to five CLI commands and
use a semicolon to separate the commands in the sequence. The sequence is executed in the order
defined in policy; if a CLI command fails, the execution stops at that command. The parameters that
you can use to create remediation commands are displayed on the interface as CLI variables. A
syntax example is: gcloud -q compute --project=${account} firewall-rules delete ${resourceName};
gsutil versioning set off gs://${resourceName};:

● $account—Account is the Account ID of your account in Prisma Cloud.

● $azurescope—(Azure only) Allows you to specify the node in the Azure resource hierarchy
where the resource is deployed.
● $gcpzoneid—(GCP only) Allows you to specify the zone in the GCP project, folder, or
organization where the resource is deployed.
● $region—Region is the name of the cloud region to which the resource belongs.
● resourcegroup—(Azure only) Allows you to specify the name of the Azure Resource Group
that triggered the alert.
● $resourceid—Resource ID is the identification of the resource that triggered the alert.
● $resourcename—Resource name is the name of the resource that triggered the alert.

1.2.4 References
● Create a Custom Policy on Prisma Cloud,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-
policies/create-a-policy
● Policy types,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-
policies/create-a-policy

Prisma Certified Cloud Security Engineer (PCCSE) 15

 ● Create a Custom Policy on Prisma Cloud,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-
policies/create-a-policy

1.3 Configure compliance standards

1.3.1 Standards
You can create your own custom compliance standards that are tailored to your own business
needs, standards, and organizational policies. When defining a custom compliance standard, you
can add requirements and sections. A custom compliance standard that has a minimum of one
requirement and one section can be associated with policies that check for adherence to your
standards.

You can create an all-new standard or clone an existing compliance standard and edit it.

● Clone an existing compliance standard to customize.

1. On Prisma Cloud, select Compliance Standards.

2. Hover over the standard you want to clone, and click Clone.
When you clone, Prisma Cloud creates a new standard with the same name with “Copy”
in the prefix. You can then edit the cloned compliance standard to include the
requirements, sections, and policies you need.

● Create a compliance standard from scratch.

3. On Prisma Cloud, select Compliance > Standards > + Add New.

Prisma Certified Cloud Security Engineer (PCCSE) 16

4. Enter a name and description for the new standard and click Save .

sargets

5. Add requirements to your custom compliance standard.

○ Select the custom compliance standard you just added and click + Add New.

○ Enter a requirement, name, and a description and click Save .

6. Add sections to your custom compliance standard after adding the requirement.
○ Select the requirement for which you are adding the section and click +Add New.

Prisma Certified Cloud Security Engineer (PCCSE) 17

 ○ Enter a name for the Section a Description and click Save .
Although you have added the custom standard to Prisma Cloud, it is not listed on
the Compliance Standards table on Compliance > Overview until you add at
least one policy to it.

7. Add policies to your custom compliance standard.

You must associate Prisma Cloud Default policies or your custom policies to the
compliance standard to monitor your cloud resources for adherence to the internal
guidelines or benchmarks that matter to you. The RQL in the policy specifies the check
for the resource configuration, anomaly, or event.

○ Select Policies.
○ Filter the policies you want to associate with the standard. You can filter by cloud
type, policy type, and policy severity to find the rules you want to attach.
○ Select the policy rule to edit, on 3 Compliance Standards click + and associate
the policy with the custom compliance standard.

○ Confirm your changes.

1.3.2 Reports
Creating compliance reports is the best way to monitor your cloud accounts across all cloud
types—AWS, Azure, and GCP—and ensure that you are adhering to all compliance standards. You
can create compliance reports based on a cloud compliance standard for immediate online viewing
or download, or schedule recurring reports so you can monitor compliance to the standard over
time. From a single report, you have a consolidated view of how well all of your cloud accounts are
adhering to the selected standard. Each report details how many resources and accounts are being
monitored against the standard, and how many of those resources passed or failed the compliance
check. In addition, the report provides detailed findings for each section of the standard, including a

Prisma Certified Cloud Security Engineer (PCCSE) 18

description of the requirements in each section, which resources failed the compliance check, and
recommendations for fixing the issues, so that you can prioritize what you need to do to become
compliant. From the Compliance Reports dashboard, you can also view or download historic
reports so that you can see your compliance trend.

Step 1: Log in to Prisma Cloud.

Step 2: Create a new report.

1. Select Compliance > Overview and select the standard for which you want to create a new
compliance report.

2. On the page for the compliance standard you selected, click Create Report.

Prisma Certified Cloud Security Engineer (PCCSE) 19

 3. Enter the following information and Save the report.

● Enter a descriptive Name for the report.

● Enter the Email address to which to send report when scheduled.
● Select whether you want to run the report One Time or Recurring.
If you select Recurring, you must also specify how often you want to run the report, the
interval, day of the week, and the time when you want the recurring report to run.

Step 3: View your compliance reports.

After you create a compliance report, it will automatically run at the time you specified. You can
then view and manage your reports as follows:

● To see the list of all compliance reports that have run, select Compliance > Reports. You can
use the filters to narrow the list of compliance reports shown, or you can search for the
report.

● To view a compliance report, click the report name.

A graphical view of the report displays, showing the number of unique cloud resources, how
many of them passed, the number and severity of those that failed (you can toggle this to
show percentages instead), and a graphical representation of how well your cloud accounts
are doing against all sections of the standard. If this report has run before, you can also see
the compliance trend over time. Finally, the report summarizes compliance against each

Prisma Certified Cloud Security Engineer (PCCSE) 20

 requirement of the standard. To drill down into details on a particular requirement of the
standard, click the requirement name.

● If you want to refine the report so that it only shows the details you are interested, clone it.
You can then use the Compliance filters to customize the report to show only the
information you are interested in. You can use the Compliance filters to set the report
timeframe and narrow the report to only show compliance information for specific cloud
accounts, cloud regions, or cloud types. As you add or remove filters, the report updates so
that you can see your changes reflected in the report. When the cloned report shows the
information you want it to, click Create Report to save it as a new report instance.

Prisma Certified Cloud Security Engineer (PCCSE) 21

● You can Download Report as a PDF. If the Download button is grayed out, the report has
already been scheduled for download. You can also download the details about compliance
with each requirement of the standard to a CSV file by clicking the download icon.

● You can also download the compliance reports from Compliance > Reports using the
Download icon that corresponds to the specific report you want to download. Note that for
recurring reports, this downloads the most recent report generated.

● For recurring reports, use the corresponding History icon to view the report history. You can
then view individual instances of the compliance report, or download them.

● To edit the recurrence settings of a report you added, or to add or remove email addresses of
report recipients, click the corresponding Edit icon.

Prisma Certified Cloud Security Engineer (PCCSE) 22

 ● For recurring reports, you can toggle Enable Scheduling to indicate whether you want to
automatically include a PDF of the report to the recipients you defined, or whether you want
administrators to be able to download the report on demand rather than emailing it. With
this setting enabled, the report will automatically be emailed according to the recurrence
schedule you defined. With it disabled, the report will not be emailed but can be
downloaded on demand.

1.3.3 References
● Create a Custom Compliance Standard,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-
compliance/create-a-custom-compliance-standard
● Add a New Compliance Report,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-
compliance/add-a-new-compliance-report

1.4 Configure alerting and notification

Prisma Cloud alerts can trigger a notification to a manual and/or automatic remediation:

1.4.1 Alert states

Prisma Cloud lets you surface critical policy breaches by sending alerts to any number of channels.
Alerts ensure that significant events are put in front of the right audience at the right time. See the
links for more details.

● Alert mechanism
● AWS Security Hub
● Cortex XDR alerts
● Cortex XSOAR alerts

Prisma Certified Cloud Security Engineer (PCCSE) 23

 ● Email alerts
● Google Cloud Pub/Sub
● Google Cloud Security Command Center
● IBM Cloud Security Advisor
● JIRA Alerts
● PagerDuty alerts
● ServiceNow alerts
● Slack Alerts
● Splunk alerts
● Webhook alerts

1.4.2 Alert rules

After you have deployed your resources on the cloud platform of your choice, alert rules (for
run-time checks) enable you to define the policy violations in a selected set of cloud accounts for
which you want to trigger alerts.

When you create an alert rule for run-time checks, you select the account groups to which the rule
applies and the corresponding set of policies for which you want to trigger alerts. You can add more
granularity to the rule by excluding some cloud accounts from the selected account groups, by
specifying specific regions for which to send alerts, and even by narrowing down the rule to specific
cloud resources identified by resource tags. This provides you with flexibility in how you manage
alerts and ensures that you can adhere to the administrative boundaries you defined. You can
create a single alert rule that alerts on all policy rules, or you can define granular alert rules that
send very specific sets of alerts for specific cloud accounts, regions, and even resources to specific
destinations.

When you create an alert rule, you can Configure Prisma Cloud to Automatically Remediate Alerts,
which enables Prisma Cloud to automatically run the CLI command required to remediate the
policy violation directly in your cloud environments. Automated remediation is only available for
default policies (Config policies only) that are designated as Remediable ( ) on the Policies page.

In addition, if you Configure External Integrations on Prisma Cloud with third-party tools, defining
granular alert rules enables you to send only the alerts you need to enhance your existing
operational, ticketing, notification, and escalation workflows with the addition of Prisma Cloud
alerts on policy violations in all your cloud environments. To see any existing integrations, go
to Settings > Integrations.

Step 1: Select Alert > Alert Rules and Add Alert Rule.

Step 2: In Add Details, enter a Name for the alert rule and, optionally, a Description to
communicate the purpose of the rule.

● You can enable the optional Auto-Actions, Alert Notifications, and Auto-Remediation
settings up front. If you enable any of these options, they are displayed as additional steps in

Prisma Certified Cloud Security Engineer (PCCSE) 24

 the alert rule creation process. For example, if you enable Alert Notifications, the Configure
Notifications step is displayed.

● Click Next.

Step 3: Assign Targets to add more granularity for which cloud resources trigger alerts for this alert
rule, and then provide more criteria as needed:

● Select the Account Groups to which you want this alert rule to apply.

● Exclude Cloud Accounts and Regions from your selected account group—If there are some
cloud accounts and regions in the selected account groups for which you do not want to
trigger alerts, select the accounts and regions from the list.

● Select Include Tag Resource Lists to easily manage or identify the type of your
resources—To trigger alerts only for specific resources in the selected cloud accounts, enter
the Key and Value of the resource tag you created for the resource in your cloud
environment. Tags apply only to Config and Network policies. When you add multiple
resource tags, it uses the Boolean logical OR operator.

● After defining the target cloud resources, click Next.

Prisma Certified Cloud Security Engineer (PCCSE) 25

Step 4: Select the policies for which you want this alert rule to trigger alerts and,
optionally, Configure Prisma Cloud to Automatically Remediate Alerts.

● Either Select All Policies or select the specific policies that match the filter criteria for which
you want to trigger alerts on this alert rule. Selecting All Policies will create a large volume
of alerts. It is recommended that you use a granular filtered selection for more relevant and
high-fidelity alerts.
To help you find the specific group of policies for which you want this rule to alert:

○ Filter Results—Enter a Search term to filter the list of policies to those with
specific keywords.
○ Column Picker—Click Edit ( ) to modify which columns to display.
○ Sort—Click the corresponding Sort icon ( ) to sort on a specific column.

● Click Next.

Prisma Certified Cloud Security Engineer (PCCSE) 26

Step 5: You can automatically dismiss alerts that have specific tags as defined on the resource and
added to the Resource Lists on Prisma Cloud. The details of the reason for dismissal is included in
the alert rule L2 view. If you enabled Limited GA Auto-Actions in the Add Details screen, when you
update an alert rule, all existing alerts with matching tags are autodismissed. When an alert has
been dismissed and you update the alert rule, the alert will continue to stay dismissed.

Add a Reason, Requestor, and Approver for the automatic dismissal and click Next.

Step 6: (Optional) Send Prisma Cloud Alert Notifications to Third-Party Tools.

By default, all alerts triggered by the alert rule display on the Alerts page. If you Configure External
Integrations on Prisma Cloud, you can also send Prisma Cloud alerts triggered by this alert rule to
third-party tools. For example, you can Send Alert Notifications to Amazon SQS or Send Alert
Notifications to Jira. For Prisma Cloud Data Security, see Generate Alerts for Data Policies. In
addition, you can configure the alert rule to Send Alert Notifications Through Email.
If you want to delay the alert notifications for Config alerts, you can configure Prisma Cloud
to Trigger notification for config alert only after the alert is open for a specific number of
minutes.

Step 7: (Optional) Configure Notifications to enable alert notifications for all states.
If you want to receive external notifications for when an existing alert status has changed, you can
configure Prisma Cloud to generate alerts when an existing alert is Dismissed, Snoozed,
or Ignored. The options for configuring the notification settings are:

Prisma Certified Cloud Security Engineer (PCCSE) 27

 ● Notify when alert is—Select this dialog box to configure the alert states; the Open state is
enabled by default. After selecting the alert states, select the integration services for which
you want to generate alerts.

● Trigger notification for config alert only after the alert is open for—Specify the length of
time (in minutes) you want to wait after an alert is generated before sending notifications.
This value does not apply for recurring (or scheduled) notifications.

Step 8: View the Summary of all the alert rule. Edit if you want to change any setting and Save the
alert rule.

Prisma Certified Cloud Security Engineer (PCCSE) 28

Step 9: To verify that the alert rule triggers the expected alerts, select Alerts Overview and ensure
that you see the alerts that you expect to see there.

If you configured the rule to Send Prisma Cloud Alert Notifications to Third-Party Tools, make sure
you also see the alert notifications in those tools.

1.4.3 Alert notifications and reports

Prisma Cloud continually monitors all of your cloud environments to detect misconfigurations (such
as exposed cloud storage instances), advanced network threats (such as cryptojacking and data
exfiltration), potentially compromised accounts (such as stolen access keys), and vulnerable hosts.
Prisma Cloud then correlates configuration data with user behavior and network traffic to provide
context around misconfigurations and threats in the form of actionable alerts.
Although Prisma Cloud begins monitoring and correlating data as soon as you onboard the cloud
account, there are tasks you need to perform before you see alerts generated by policy violations in
your cloud environments. The first task to Enable Prisma Cloud Alerts is to add the cloud account to
an account group during onboarding. Next, create an alert rule that associates all of the cloud
accounts in an account group with the set of policies for which you want Prisma Cloud to generate
alerts. You can view the alerts for all of your cloud environments directly from Prisma Cloud and drill
down into each to view specific policy violations. If you have internal networks that you want to
exclude from being flagged in an alert, you can add Trusted IP Addresses on Prisma Cloud.

Prisma Certified Cloud Security Engineer (PCCSE) 29

From the Alerts Overview page, you can see the alert coverage, based on percentage as well as
severity, and also investigate more closely based on policies. You can easily access the policy that
triggered the alert and view the details on the resources and the policy recommendations in
separate tabs.

In addition, Prisma Cloud provides the out-of-the-box ability to Configure External Integrations on
Prisma Cloud with third-party technologies, such as SIEM platforms, ticketing systems, messaging
systems, and automation frameworks, so that you can continue using your existing operational,
escalation, and notification tools. To monitor your cloud infrastructures more efficiently and provide
visibility into actionable events across all your cloud workloads, you can also:

● Generate Reports on Prisma Cloud Alerts on demand or schedule reports on open alerts and
email them to your stakeholders
● Send the Alert Payload to a third-party tool

Generate Reports on Prisma Cloud Alerts

You can generate two reports on alerts—the Cloud Security Assessment report and the Business
Unit report. These reports enable you to inform your stakeholders of the status of the cloud assets
and how they are doing against Prisma Cloud security and compliance policy checks. Sharing the
reports on a regular basis enables stakeholders to monitor progress without requiring access to the
Prisma Cloud administrator console.

The Cloud Security Assessment report is a PDF report that summarizes the risks from open alerts in
the monitored cloud accounts for a specific cloud type. The report includes an executive summary
and a list of policy violations, including a page with details for each policy that includes the
description and the compliance standards that are associated with it, as well as the number of
resources that passed and failed the check within the specified time period.

The Business Unit report is a .csv file that includes the total number of resources that have open
alerts against policies for any compliance standard, and you can generate the report on demand or

Prisma Certified Cloud Security Engineer (PCCSE) 30

on a recurring schedule. You can opt to create an overview report that shows you how you are
doing across all your business units, or get a little more granular about each of the cloud accounts
you want to monitor. You can also generate the Business Unit report to review policy violations that
are associated with specific compliance standards.

The overview report lists cloud resources by account group and aggregates information about the
number of resources failing and the failure percentage against each policy. In contrast, the detailed
Business Unit report lists cloud resources by account group, account name, and account ID, and it
includes information about the number of resources failing against each policy and the status of
cloud resources that have been scanned against that policy. The status can be pass or fail; a status
of “pass” means that the count of resources that failed the policy check is zero.

To create a new report:

Step 1: Select Alerts > Reports > +Add New.

Step 2: Enter a Name and select a Report Type.

1.4.4 Alert workflow

Prisma Cloud lets you surface critical policy breaches by sending alerts to any number of channels.
Alerts ensure that significant events are put in front of the right audience at the right time.

Alerts are built on the following constructs:

● Alert profile – Specifies which events should be sent to which channel. You can create any
number of alert profiles, where each profile gives you granular control over which audience
should receive which notifications.

● Alert channel – Messaging medium over which alerts are sent. Prisma Cloud supports
email, JIRA, Slack, PagerDuty, and others.

● Alert trigger – Events that require further scrutiny. Alerts are raised when the rules that
make up your policy are violated. When something in your environment violates a rule, an
audit is logged, and an alert is sent to any matching alert profile (channel, audience). You
can configure Prisma Cloud to notify the appropriate party when an entire policy, or even a
specific rule, is violated.
You can also set up alerts for Defender health events. These events tell you when Defender
unexpectedly disconnects from the Console. Alerts are sent when a Defender has been
disconnected for more than six hours.

Not all triggers are available for all channels. For example, new JIRA issues can only be opened
when vulnerability rules are triggered.

1.4.5 References
● Alerts,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alert
s

Prisma Certified Cloud Security Engineer (PCCSE) 31

 ● Create an Alert Rule for Run-Time Checks,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prism
a-cloud-alerts/create-an-alert-rule
● Prisma Cloud Alerts and Notifications,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prism
a-cloud-alerts/prisma-cloud-alert-notifications
● Generate Reports on Prisma Cloud Alerts,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prism
a-cloud-alerts/generate-reports-on-prisma-cloud-alerts
● Alert mechanism,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/alert
s/alert_mechanism

1.5 Use third-party integrations

Prisma Cloud provides multiple out-of-the-box integration options that you can use to integrate
Prisma Cloud into your existing security workflows and with the technologies you already use. The
Amazon GuardDuty, AWS Inspector, Qualys, and Tenable integrations are inbound or pull-based
integrations where Prisma Cloud periodically polls for the data and retrieves it from the external
integration system; all other integrations are outbound or push-based integrations where Prisma
Cloud sends data about an alert or error to the external integration system.

1.5.1 Inbound and outbound notifications

● Amazon GuardDuty—Amazon GuardDuty is a threat detection service that continuously
monitors for malicious activity and unauthorized behavior to protect your AWS accounts
and workloads. Prisma Cloud integrates with Amazon GuardDuty and ingests vulnerability
data to provide you with additional context on risks in the cloud.

● AWS Inspector—AWS Inspector assesses applications for exposure, vulnerabilities, and

deviations from best practices. It also produces a detailed list of security findings prioritized
by level of severity. Prisma Cloud integrates with AWS inspector and ingests vulnerability
data and Security best-practice deviations to provide you with additional context about risks
in the cloud.

● Amazon S3—Amazon Simple Storage Service (Amazon S3) is designed to make web-scale
computing easier. You can use Amazon S3 to store and retrieve any amount of data using
highly scalable, reliable, fast, and inexpensive data storage. Prisma Cloud can send alerts to
an Amazon S3 bucket/folder.

● AWS Security Hub—AWS Security Hub is a central console where you can view and monitor
the security posture of your cloud assets directly from the Amazon console. Because the
Prisma Cloud application monitors your assets on the AWS cloud and sends alerts on
resource misconfigurations, compliance violations, network security risks, and anomalous
user activities, you have a comprehensive view of all your cloud assets across all your AWS
accounts directly from the Security Hub console.

Prisma Certified Cloud Security Engineer (PCCSE) 32

● Amazon SQS—Amazon Simple Queue Service (SQS) helps you send, receive, and store
messages that pass between software components at any volume without losing messages
and without requiring other services to be always available. Prisma Cloud can send alerts to
Amazon SQS, and you can set up the AWS CloudFormation service to enable custom
workflows.

● Azure Sentinel—Azure Sentinel is a scalable, cloud native, Security Information Event

Management (SIEM), and security orchestration, automatation, and response (SOAR)
solution. You can configure Prisma Cloud to send alerts to Azure Sentinel by creating a Logic
Apps workflow and Webhook integration.

● Azure Service Bus queue—Azure Service Bus is a managed messaging infrastructure

designed to transfer data between applications as messages. With the Prisma Cloud and
Azure Service Bus queue integration, you can send alerts to the queue and set up custom
workflows to process the alert payload.

● Cortex XSOAR—Cortex XSOAR (formerly Demisto) is a security orchestration, automation,

and response (SOAR) platform that enables you to streamline your incident management
workflows. With the Prisma Cloud and Cortex XSOAR integration, you can automate the
process of managing Prisma Cloud alerts and the incident lifecycle with playbook-driven
response actions.

● Email—Configure Prisma Cloud to send alerts as emails to your email account.

● Google Cloud SCC—Google Cloud Security Command Center (SCC) is the security and data
risk database for Google Cloud Platform. Google Cloud SCC enables you to understand your
security and data attack surface by providing inventory, discovery, search, and management
of your assets. Prisma Cloud integrates with Google Cloud SCC and sends alerts to the
Google Cloud SCC console to provide centralized visibility into security and compliance risks
of your cloud assets.

● Jira—Jira is an issue tracking, ticketing, and project-management tool. Prisma Cloud

integrates with Jira and sends notifications of Prisma Cloud alerts to your Jira accounts.

● Microsoft Teams—Microsoft Teams is cloud-based team collaboration software that is part

of the Office 365 suite of applications and is used for workplace chat, video meetings, file
storage, and application integration. The Prisma Cloud integration with Microsoft Teams
enables you to monitor your assets and send alerts on resource misconfigurations,
compliance violations, network security risks, and anomalous user activities—either as they
happen or as consolidated summary cards.

● PagerDuty—PagerDuty enables alerting, on-call scheduling, escalation policies, and

incident tracking to increase the uptime of your apps, servers, websites, and databases. The
PagerDuty integration enables you to send Prisma Cloud alert information to PagerDuty
service. The incident response teams can investigate and remediate the security incidents.

Prisma Certified Cloud Security Engineer (PCCSE) 33

 ● Qualys—Qualys specializes in vulnerability-management security software that scans hosts
for potential vulnerabilities. Prisma Cloud integrates with the Qualys platform and ingests
vulnerability data to provide you with additional context about risks in the cloud.

● ServiceNow—ServiceNow is an incident, asset, and ticket management tool. Prisma Cloud

integrates with ServiceNow and sends notifications of Prisma Cloud alerts as ServiceNow
tickets.

● Slack—Slack is an online instant messaging and collaboration system that enables you to
centralize all your notifications. You can configure Prisma Cloud to send notifications of
Prisma Cloud alerts through your Slack channels.

● Splunk—Splunk is a software platform that searches, analyzes, and visualizes

machine-generated data gathered from websites, applications, sensors, and devices. Prisma
Cloud integrates with cloud-based Splunk deployments and enables you to view Prisma
Cloud alerts through the Splunk event collector. Prisma Cloud can integrate with
on-premises Splunk instances through the AWS SQS integration.

● Tenable—Tenable.io is a cloud-hosted vulnerability-management solution that provides

visibility and insight into dynamic assets and vulnerabilities. Prisma Cloud integrates with
Tenable and ingests vulnerability data to provide you with additional context about risks in
the cloud.

● Webhooks—The webhooks integration enables you to pass information in JSON format to

any third-party integrations that are not natively supported on Prisma Cloud. With a
webhook integration, you can configure Prisma Cloud to send alerts to the webhook URL as
an HTTP POST request so that any services or applications that subscribe to the webhook
URL receive alert notifications as soon as Prisma Cloud detects an issue.

For outbound integrations:

● You can check status updates on demand in Settings Integrations by clicking the Get
Status icon for the relevant integration. The status check displays red if the integration fails
validation checks for accessibility or credentials; it displays green when the integration is
working and all templates are valid. To review the list of integrations that do not support the
status checks, see Prisma Cloud Integrations—Supported Capabilities. Status errors are
displayed to help you find and fix potential issues.

● When you Send Prisma Cloud Alert Notifications to Third-Party Tools, the value of the cloud
service provider in the cloudType field for the resource that generated the alert the values is
in lowercase letters—for example, “aws” or “alibaba_cloud”.

1.5.2 References
● Third-party integration,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-exte
rnal-integrations-on-prisma-cloud/prisma-cloud-integrations

Prisma Certified Cloud Security Engineer (PCCSE) 34

 ● Inbound and outbound notifications,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/configure-exte
rnal-integrations-on-prisma-cloud/prisma-cloud-integrations

1.6 Perform ad hoc investigations

Ad hoc investigations happen when an administrator sees a vulnerability or suspicious activity and
decides to investigate further. This investigation has two purposes:

1. Identify whether the relevant entity (virtual machine instance, Docker container, etc.) really
has been broken into. For example, a vulnerability could exist but never have been exploited.
2. If the entity has been broken into, identify the harm done and whether the entity itself was
used as a conduit for attacking other entities.

An investigation typically starts with an RQL query that shows details about what is happening.

For example, here is the result of a query asking which APIs were used and when:

Prisma Certified Cloud Security Engineer (PCCSE) 35

Next, you can drill down for additional information about a specific data point, which in this case is
the query for the cloudresourcemanager.googleapis.com in June 2020. This query returns a list of
the items that were aggregated. In this case, it is a list of events.

Prisma Certified Cloud Security Engineer (PCCSE) 36

You can then click the eye icon on any line in the list for its full details.

1.6.1 Resource configuration with RQL

Prisma Cloud Resource Query Language (RQL) is a powerful and flexible tool that helps you gain
security and operational insights about your deployments in public cloud environments. You can
use RQL to perform configuration checks on resources deployed on different cloud platforms and to
gain visibility and insights into user and network events. You can use these security insights to
create policy guardrails that secure your cloud environments.

RQL is a structured query language that resembles Structured Query Language (SQL). RQL
supports the following types of queries:

● Config—Use Config Query to search for the configuration of the cloud resources.

Prisma Certified Cloud Security Engineer (PCCSE) 37

 ● Event—Use Event Query to search and audit all the console and API access events in your
cloud environment.
● Network—Use Network Query to search real-time network events in your environment.

Use RQL to find answers to fundamental questions that help you understand what is happening on
your network. For example, you can find answers to the following questions:

● Do I have S3 buckets with encryption disabled?

● Do I have databases that are directly accessible from the internet?
● Who uses a root account to manage day-to-day administrative activities on my network?
● Which cloud resources are missing critical patches, making them exploitable?

1.6.2 User activity using RQL

Event queries help you to detect and investigate console and API access events, monitor privileged
activities, detect account compromise, and detect unusual user behavior in your cloud
environments.

To investigate events, use “event from cloud.audit_logs where” queries in the search box on
the Investigate tab of the Prisma Cloud administrative console. The query uses the event data that
Prisma Cloud ingested from the audit logs to help you learn who did what and when on your cloud
assets.

● Event Query Attributes

● Event Query Examples

1.6.3 Network activity using RQL

When you onboard your cloud accounts to Prisma Cloud, it monitors network configuration and
traffic logs to and from your assets deployed on the cloud environment. You can then use this data
to find previously unidentified network security risks:

● Flow Log-based Network Query: Query for incidents and threats that are based on flow logs.
● Configuration-based Network Query: Query for true exposures that are based on
configuration.

Flow Log-based Network Query

Prisma Cloud provides the “network from vpc.flow_record” network query, which is based on
networking logs, such as virtual private cloud (VPC) flow logs. You can use this query to detect when
services, applications, or databases are exposed to the internet and fix risky configuration issues, or
to search for assets that are receiving traffic and connections from suspicious IP addresses to
prevent data exfiltration attempts before it is too late.

Configuration-based Network Query

Prisma Cloud also provides the “config from network where” network query, which is based on
network configuration you can use this query to identify overly exposed resources by providing
end-to-end network path visibility from any source, such as AWS EC2 virtual machine, DB instance,
or Lambda application to any destination, such as the internet, another VPC, or on-premises
networks. This visibility into the associations between security groups and compute instances helps

Prisma Certified Cloud Security Engineer (PCCSE) 38

you identify network security risks before they become incidents. Prisma Cloud does not send
traffic or read network logs for performing network path analysis.

1.6.4 Anomalous event(s)

Review your options when using “event from cloud.audit_logs where” on the Investigate tab of the
Prisma Cloud administrative console:

Each attribute allows you to narrow your search criteria. As you use these attributes, the
autosuggestion feature shows the available expressions and the Operators that are applicable for
each attribute.

● alert.id
Use the alert.id attribute to view alert details on the Investigate tab.

For example, you can visualize the alert details for a set of alerts such as P-8444, P-8421, and
P-8420.

event from cloud.audit_logs where alert.id IN (‘P-8444’, ‘P-8421’, ‘P-8420’)

● anomaly.type
Use the anomaly.type to view details on specific anomaly policies. The autosuggestion
displays the different anomaly policies that are supported with this attribute.

event from cloud.audit_logs where anomaly.type = 'Excessive Login Failures'

Prisma Certified Cloud Security Engineer (PCCSE) 39

● cloud.account
Use the cloud.account attribute to narrow the audit search to one or more cloud accounts
that you connected to Prisma Cloud.

For example, you can list entities or users who deleted security groups from a given cloud
account:

event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND operation

IN ( 'DeleteSecurityGroup' )

● cloud.account.group
Use the cloud.account.group attribute to narrow your search to only the cloud accounts in
your cloud account group.

For example, you can list entities or users who deleted virtual private clouds in all your AWS
accounts:

event from cloud.audit_logs where operation = 'DeleteVpc' AND cloud.account.group =

'All my AWS accounts'

event from cloud.audit_logs where cloud.account.group = 'All my AWS accounts' AND

cloud.service = 'autoscaling.amazonaws.com' AND user = 'maxusertest__gahp1Tho'

● Cloud.type
Use the cloud.type attribute to narrow your search to a specific cloud platform. Supported
options are AWS, Azure, and GCP.

Prisma Certified Cloud Security Engineer (PCCSE) 40

 For example, you can list all users who deleted S3 buckets:

event from cloud.audit_logs where cloud.type = 'aws' AND cloud.service =

's3.amazonaws.com' AND operation = 'DeleteBucket'

● cloud.region
Use the cloud.region attribute to narrow the audit search to one or more cloud regions.

For example, you can list entities or users who deleted access keys from a given cloud
account:

event from cloud.audit_logs where cloud.account = 'Developer Sandbox' AND

cloud.region = 'AWS Canada' AND operation IN ( 'DeleteAccessKey' )

● cloud.service
Use the cloud.service attribute to search for information using a specific service name in
your cloud accounts.

For example, you can review details for users who performed operations, such as deleting
cloud trail logs or disabling or stopping logging events:

event from cloud.audit_logs where cloud.service = 'cloudtrail.amazonaws.com' AND

operation IN ( 'DeleteTrail' , 'DisableLogging' , 'StopLogging' )

● crud
Use the crud attribute to search for information on users or entities who performed create,
read, update, or delete operations.

Prisma Certified Cloud Security Engineer (PCCSE) 41

 For example, you can list all Azure resources that were deleted:

event from cloud.audit_logs where cloud.account in ( 'Azure - Microsoft Azure

Sponsorship' ) and crud = 'delete'

● Has.anomaly
Use the has.anomaly attribute to search for information on events that include anomalies.

For example, you can list all events that have identified anomalies for a cloud type:

event from cloud.audit_logs where cloud.type = 'azure' AND has.anomaly

● operation
An operation is an action that users perform on resources in a cloud account. Use
the operation attribute to start typing the name of the operation in which you are interested,
and Prisma Cloud autocompletes a list of operations that match your search criteria.

For example, you can list details of delete operations on VPCs, VPC endpoints, and VPC
peering connections:

event from cloud.audit_logs where operation in ( 'DeleteVpc' , 'DeleteVpcEndpoints'

'DeleteVpcPeeringConnection' )

● Subject
Use this attribute to search for actions that a specific user or an instance performed on your
cloud account.

For example, you can list console login operations by Ben:

event from cloud.audit_logs where operation = 'ConsoleLogin' AND subject = 'ben'

● Role
Use this attribute to filter the search results by role.

For example, you can look for events performed by the Okta role:

event from cloud.audit_logs where role = ’OktaDevReadWriteRole’

● json.rule
Use this attribute to filter specific elements included in the JSON configuration related to a
cloud resource. The json.rule attribute enables you to look for specific configurations—parse
JSON-encoded values, extract data from JSON, or search for a value within any configuration
policy for cloud accounts that you are monitoring using Prisma Cloud.

Prisma Certified Cloud Security Engineer (PCCSE) 42

 Use the automatic suggest feature to see the available values for json.rule.

For example, you can check for login failures on the console:

event from cloud.audit_logs where cloud.account = 'Sandbox' AND json.rule =

$.responseElements.ConsoleLogin != 'Success'

1.6.5 Asset details using RQL

For details of the Asset Inventory dashboard, see Section 1.1.1.

1.6.6 References
● Prisma Cloud Resource Query Language,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-refer
ence/rql#idde117f54-0bc9-497a-a8d3-fe6cac849b65
● Event Query,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-refer
ence/event-query#id7f21ba55-c711-4996-be59-3e6ce80ea9e4
● Network Query,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-refer
ence/network-query
● Network Flow Log Query Attributes,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-refer
ence/network-query/network-flow-log-query-attributes#id96c19819-a48e-40a6-843c-2ad88d
8a7fb3
● Network Flow Log Query Examples,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-refer
ence/network-query/network-flow-log-query-examples#id76bff997-dacb-4a4c-94f9-485070
35b498

Prisma Certified Cloud Security Engineer (PCCSE) 43

 ● Network Exposure Query Attributes,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-refer
ence/network-query/network-query-attributes#id192IH0E0GW5
● Network Exposure Query Examples,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-refer
ence/network-query/network-query-examples#id192IH0G0XVC
● Event Query Attributes,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-rql-reference/rql-refer
ence/event-query/event-query-attributes

1.7 Remediate alerts

1.7.1 Autoremediation
If you want Prisma Cloud to automatically resolve policy violations, such as misconfigured security
groups, you can configure Prisma Cloud for automated remediation. To automatically resolve a
policy violation, Prisma Cloud runs the CLI command associated with the policy in the cloud
environments where it discovered the violation. On Prisma Cloud, you can enable automated
remediation for default policies (Config policies only) that are designated as remediable (indicated
by in the Remediable column) and for any cloned or custom policies that you add.

To enable automated remediation, identify the set of policies that you want to remediate
automatically and verify that Prisma Cloud has the required permissions in the associated cloud
environments. Then Create an Alert Rule for Run-Time Checks that enables automated remediation
for the set of policies you identified.

If you want to use automated remediation using serverless functions for your cloud resources on
AWS, use the runbooks on GitHub. The Prisma Cloud platform sends alert messages to an AWS SQS
queue, which in turn invokes a Lambda function, index_prisma.py. The function then calls the
appropriate runbook script to remediate the alert(s). To use AWS Lambda for automatic
remediation, you do not need to give Prisma Cloud read-write access to your AWS accounts; it is an
alternative way for you to try remediation for violating resources.

Step 1: Verify that Prisma Cloud has the required privileges to remediate the policies you plan to
configure for automated remediation.
● To view remediable policies, select Policies and set the filter to Remediable > True.

Prisma Certified Cloud Security Engineer (PCCSE) 44

● Select a policy for which you want to enable remediation.
● On the Alerts Overview page, click Alerts.

● You can edit the policy that triggered the alert and view the details on the resources and the
policy recommendations in separate tabs. Select the Alert ID and the slide-out panel
provides a better view of the alert details.

Prisma Certified Cloud Security Engineer (PCCSE) 45

 ● You will see the list of resources that triggered the alert under Violating Resources.

Review the required privileges in the CLI Command Description to identify which
permissions Prisma Cloud requires in the associated cloud environments to be able to
remediate violations of the policy.

● Click Edit Policy to access the policy directly from the alert.
● Click the Recommendation tab to view the policy that triggered the alert.

Step 2: Create an Alert Rule for Run-Time Checks or modify an existing alert rule.

Prisma Certified Cloud Security Engineer (PCCSE) 46

Step 3: On the Select Policies page, enable Automated Remediation and then Continue to
acknowledge the impact of automated remediation on your application.
The list of available policies updates to show only those policies that are remediable (as indicated
by in the Remediable column).

Step 4: Finish configuring and Save the new alert rule or Confirm your changes to an existing alert
rule.
When you save the alert rule, Prisma Cloud automatically runs the remediation CLI to resolve policy
violations for all open alerts, regardless of when they were generated, and updates the alert status
to Resolved.

1.7.2 Manual versus automation remediation

The IAM Security module provides two options for remediating alerts so that you can enforce the
principle of least privilege across your AWS and Azure environments. You can manually remediate
the alerts by copying the AWS or Azure CLI commands and then running them in your cloud
environment, or you can configure a custom Python script to automate the remediation steps.

● Manually Remediate IAM Security Alerts—Copy and paste the CLI commands for your
AWS or Azure environments and then execute them to manually remove excess
permissions.

● Custom Python scripts—Copy, paste, and configure the custom Python scripts so that you
can automate the steps of executing the CLI commands to remediate excess permissions in
your AWS or Azure environments.

1.7.3 References
● Configure Prisma Cloud to Automatically Remediate Alerts,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/manage-prism
a-cloud-alerts/configure-prisma-cloud-to-automatically-remediate-alerts
● Remediate Alerts for IAM Security,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-i
am-security/remediate-alerts-for-iam-security

1.8 Use SecOps Dashboard

1.8.1 Internet-connected assets by source network traffic behavior

Top Internet-Connected Resources
This graph displays top internet connected workloads by role, so you know which workloads are
connecting to the internet most of the time and are prone to malicious attacks. For this report, ELB
& NAT Gateway data are filtered out, but the graph includes data from other roles. The data in this
chart is based on the account and the time filter.

Connections from the Internet

On a world map, you can see the inbound and outbound connections to different workloads across
the globe so that you can visualize where the connections are originating from and see whether

Prisma Certified Cloud Security Engineer (PCCSE) 47

the traffic is regular internet traffic or suspicious traffic and you can see all accepted traffic from
suspicious IP addresses.

By default, the map shows aggregated numbers by specific regions in the map, but you can zoom
in on any of the regions in the map to get more granular detail on the specific location.

You can use the multiselect filter option available on the map to only present information for the
type of workload(s) you are interested in viewing traffic for. By default, the map filters out traffic to
destination resources that are allowed to accept inbound connections such as NAT gateways, ELB,
web servers, and HTTP traffic.

To see the network graph representing connections, click any of the connections from a specific
region and you will be redirected to the Investigate page to see the network graph. The network
query will carry forward the IP address, destination resources, and time filters so you can pinpoint a
specific incident.

Prisma Certified Cloud Security Engineer (PCCSE) 48

1.8.2 Components
The Dashboard > SecOps page provides a graphical view of the performance of resources that are
connected to the internet, the risk rating for all accounts that Prisma Cloud is monitoring, the policy
violations over time, and a list of the policies that have generated the maximum number of alerts
across your cloud resources. You can filter by time range, account groups, and cloud accounts to dig
in and review a quick summary of your security challenges.

Monitored Accounts
This graph shows the number of accounts Prisma Cloud is monitoring.

Prisma Certified Cloud Security Engineer (PCCSE) 49

Monitored Resources
Prisma Cloud considers any cloud entity that you work with to be a resource. Examples of resources
include AWS Elastic Compute Cloud, relational databases, AWS RedShift, load balancers, security
groups, and NAT gateways. The Resources graph shows the total number of resources that you
currently manage. It gives you a view into the potential growth in the number of resources in your
enterprise over a period of time. Hover over the graph to see data at different points in the timeline.

Open Alerts
Whenever a resource violates a policy, Prisma Cloud generates an alert to inform you of the policy
violation. The Open Alerts graph displays the number of alerts that were opened within the
selected time period and helps you visualize the trend across five equal time slices. The first point in
the timeline represents all open alerts since the cloud account was onboarded or up to the
preceding three years of the selected time range.
In each slice, the count includes alerts that are opened or have remained open through the period
using the last updated status. When you close or dismiss an alert, the last updated status is reset,
and this change determines whether or not the alert is counted within a time slice.

Top Instances by Role

This graph summarizes top open ports in your cloud environments and the percentage of the traffic
directed at each type of port. The purpose of this graph is to show what types of applications (web
server, database) the top workloads are running.

Alerts by Severity
Alerts are graphically displayed and classified based on their severity into High, Medium, and Low.
By clicking the graph, you can directly reach the alerts section.

Policy Violations by Type over Time

This graph displays the type of policy violations—network, configuration, audit event—over a period
of time. The redirections of Counts to Alerts page may not match this graph because this chart
shows only the newly created (open) alerts in a time period, whereas after redirection, you may only
see those alerts that have not changed status to resolved/dismissed and are still open.

Top Policy Violations

This graph displays the alerts generated by each type of policy over a period of time.

1.8.3 References
● SecOps Dashboard,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin/prisma-cloud-
dashboards/secops

Prisma Certified Cloud Security Engineer (PCCSE) 50

Domain 2: Cloud Workload Protection (CWP)
In this domain, you can validate your knowledge of how to use Prisma Cloud to protect your
workloads, whether they are running as virtual machines, Docker containers, or serverless
functions. This protection involves three different areas:

1. Protecting against known vulnerabilities by scanning, updating, and removing libraries

known to contain those vulnerabilities.
2. Monitoring for compliance with standards that improve security.
3. Reducing the attack surface by deploying the Cloud Native Application Firewall (CNAF).

2.1 Monitor and defend against image vulnerabilities

This task shows you how Prisma Cloud Compute can scan the Docker images you intend to use to
identify any vulnerabilities so you can take steps to remove those vulnerabilities before they can be
abused and put the integrity of the container at risk.

2.1.1 Options available in the Monitor section

In this task, you learn to secure the hosts that run your application by removing vulnerable code.
Even if you use Docker, a chain is only as strong as its weakest link, and a Docker container running
inside an insecure host is vulnerable if that host is successfully attacked.

Prisma Certified Cloud Security Engineer (PCCSE) 51

Vulnerability Explorer
Most scanners find and list vulnerabilities, but Vulnerability Explorer takes it a step further by
analyzing the data within the context of your environment. Because Prisma Cloud can see how the
containers run in your environment, it can identify the biggest risks and prioritize them for
remediation.

To view Vulnerability Explorer, open Console, then go to Monitor > Vulnerabilities > Vulnerability
Explorer.

Roll-ups
The charts at the top of the Vulnerability Explorer help you answer two questions:
1. How many common vulnerabilities and exposures (CVEs) do you have?

For each object type (image, host, function), the chart reports a count of vulnerabilities in each
object class in your environment as a function of time. Consider an environment that has just a
single image, where that image has three vulnerabilities: one high, one medium, and one low. Then
at time=today on the Images vulnerabilities chart, you could read the following values:

● Critical - 0
● High - 1
● Medium - 1
● Low - 1

2. How many images do you need to fix?

Prisma Certified Cloud Security Engineer (PCCSE) 52

For each object type (image, host, function), the chart reports a count of the highest severity
vulnerability in each object class in your environment as a function of time. Consider an
environment that has just a single image, where that image has three vulnerabilities: one high, one
medium, and one low. Then at time=today on the Impacted images chart, you could read the
following values:

● Critical - 0
● High - 1
● Medium - 0
● Low - 0

Let’s look at it another way with a different set of data. Assume the reading at t=today reports the
following values, where t is some point on the x-axis of the chart:

● Critical - 1
● High - 1
● Medium - 0
● Low - 2

If your policy calls for addressing all critical vulnerabilities, then the chart tells you that there is
precisely one image in your environment that has at least one critical vulnerability. Therefore, your
work for today is to fix one image. That image might also have two high vulnerabilities and 20 low
vulnerabilities, which you will see when you open the image’s scan report, but this chart is not
designed to give you the total number of vulnerabilities.

Search tool
The search tool at the top of the page lets you determine if any image or host in your environment
is impacted by a specific vulnerability (whether it is in the top ten list or not).

Top ten lists

Vulnerability Explorer gives you a ranked list of the most critical vulnerabilities in your environment
based on a scoring system. There are separate top ten lists for the container images, hosts, and
functions in your environment.

The top ten table is driven by a risk score. The most important factor in the risk score is the
vulnerability’s severity. But additional factors are taken into account, such as:

● Is a fix available from the vendor?

● Is the container exposed to the internet?
● Are ingress ports open?

Prisma Certified Cloud Security Engineer (PCCSE) 53

 ● Is the container privileged?
● Is an exploit available?

The underlying goal of the risk score is to make it actionable so you know whether you should
address the vulnerability, and with what urgency. Factors that contribute to the risk score are
shown in the Risk Factors column.

Running containers can introduce additional environmental factors that increase the calculated
score for a vulnerability. For example, when the container runs as root, it could exacerbate the
problem. A list of container traits that heighten the risk are listed in the detailed information dialog
when you click a row in the top ten table.

Prisma Certified Cloud Security Engineer (PCCSE) 54

Risk factors
Risk factors are combined to determine a vulnerability’s risk score. Vulnerabilities with the highest
risk scores appear in the top ten lists.

Risk factors can also be used to prioritize individual vulnerabilities for mitigation. For example, if
your cluster runs containers from disparate business groups, a major concern might be container
breakouts. DoS vulnerabilities would likely be much less important than remote code execution
vulnerabilities, particularly if exploit code were available, you were running as root, and you didn’t
have AppArmor or SELinux applied.

To filter vulnerabilities based on risk factors: open the image, host, or function scan report; open
the Vulnerabilities tab; and select one or more risk factors.

Prisma Cloud supports the following risk factors:

● {Critical | High | Medium} severity—Vulnerability severity.

● Has fix—Fix is available from the distributor, vendor, or package maintainer.
● Remote execution—Vulnerability can be exploited to run arbitrary code.
● DoS—Component is vulnerable to denial-of-service attacks, such as buffer overflow attacks,
ICMP floods, and so on.
● Recent vulnerability—Vulnerability was reported in the current or previous year.
● Exploit exists—Code and procedures to exploit the vulnerability are publicly available.
● Attack complexity: low—Vulnerability is easily exploited.

Prisma Certified Cloud Security Engineer (PCCSE) 55

 ● Attack vector: network—Vulnerability is remotely exploitable. The vulnerable component is
bound to the network, and the attacker’s path is through the network.
● Reachable from the internet—Vulnerability exists in a container exposed to the internet. To
detect this risk factor, CNNF must be enabled and network objects must be defined for
external sources under Radar > Settings. Then, if a connection is established between the
defined external source and the container, the container is identified as reachable from the
internet.
● Listening ports—Vulnerability exists in a container that is listening on network ports.
● Container is running as roo —Vulnerability exists in a container running with elevated
privileges.
● No mandatory security profile applied—Vulnerability exists in a container running with no
Security profile.
● Running as privileged container —Vulnerability exists in a container running with
--privileged flag.
● Package in use—Vulnerability exists in a component that is actually running. For example, if
Redis is running in a container or on a host as a service, then all the following (hypothetical)
vulnerabilities could be surfaced by filtering on this risk factor:
redis (main process) CVE-XXX, CVE-XXX
|- libssl (dependent package) CVE-XXX, CVE-XXX
|- libzip (dependent package) CVE-XXX, CVE-XXX

Risk trees
Risk trees list all the images, namespaces, containers, and hosts that are vulnerable to a specific
CVE. Risk trees are useful because they show you how you are exposed to a given vulnerability.
Because Prisma Cloud already knows which vulnerabilities impact which packages, which
packages are in which images, which containers are derived from which images, which containers
run in which namespaces, and which hosts run which containers, it can show you the full scope of
your exposure to a vulnerability across all objects in your environment.

For each top ten vulnerability, Prisma Cloud shows you a vulnerability risk tree. To see the
vulnerability tree for a given CVE, click the corresponding row in the top ten table to open a detailed
CVE assessment dialog.

Prisma Certified Cloud Security Engineer (PCCSE) 56

You can also generate a risk tree for any arbitrary CVE in your environment by entering the CVE ID
into the search bar at the top of the page, then clicking the result in the table to open a detailed
CVE assessment dialog.

Recalculating statistics
Statistical data is calculated every 24 hours. You can force Console to recalculate the statistics for
the current day with the current data by clicking the Refresh button in the top left of Vulnerability
Explorer. The Refresh button has a red marker when new data is available to be crunched.

2.1.2 Options available in the Policies section

Prisma Certified Cloud Security Engineer (PCCSE) 57

Vulnerability policies are composed of discrete rules. Rules declare the actions to take when
vulnerabilities are found in the resources in your environment. They also control the data surfaced
in Prisma Cloud Console, including scan reports and Radar visualizations.

Rules let you target segments of your environment and specify actions to take when vulnerabilities
of a given type are found. For example:
Block images with critical severity vulnerabilities from being deployed to prod environment hosts

There are separate vulnerability policies for containers, hosts, and serverless functions. Host and
serverless rules offer a subset of the capabilities of container rules, the big difference being that
container rules support blocking.

Creating vulnerability rules

Prisma Cloud ships with simple default vulnerability policies for containers, hosts, and serverless
functions. These policies have a rule named Default - alert all components, which sets the alert
threshold to low. With this rule, all vulnerabilities in images, hosts, and functions are reported.

As you build out your policy, you will create rules that filter out insignificant information, such as
low-severity vulnerabilities, and surface vital information, such as critical vulnerabilities.

Rule order is important. Prisma Cloud evaluates the rule list from top to bottom until it finds a
match based on the object filters.

By default, Prisma Cloud optimizes resource usage by only scanning images with running
containers. Therefore, you might not see a scan report for an image when it is first pulled into your
environment unless it has been run. To scan all images on the hosts in your environment, go
to Manage > System > Scan, set Only scan images with running containers to Off, and click Save.

To create a vulnerability rule:

Step 1: Open Console.
Step 2: Go to Defend > Vulnerabilities > {Images | Hosts | Functions}.
Step 3: Click Add rule.
Step 4: Enter a rule name and configure the rule. Configuration options are discussed in the
following sections.
Step 5: Click Save.
Step 6: View the impact of your rule. Go to Monitor > Vulnerabilities to view the scan reports.

2.1.3 References
● Vulnerability Explorer,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vuln
erability_management/vuln_explorer
● Vulnerability management rules,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vuln
erability_management/vuln_management_rules

2.2 Monitor and defend against host vulnerabilities

Prisma Certified Cloud Security Engineer (PCCSE) 58

2.2.1 Options available in the Monitor section
Prisma Cloud scans all hosts where Defender is installed.

Defender scans hosts for the following types of vulnerabilities:

● Host configuration: Vulnerabilities in the host setup.

● Docker daemon configuration: Vulnerabilities that stem from misconfiguring your Docker
daemons. A Docker daemon derives its configuration from various files, including
/etc/sysconfig/docker or /etc/default/docker. Misconfigured daemons affect all container
instances on a host.
● Docker daemon configuration files: Vulnerabilities that arise from improperly securing
critical configuration files with the correct permissions.
● Docker security operations: Recommendations and reminders for extending your current
security best practices to include containers.

Prisma Cloud implements the checks from:

● CIS Distribution Independent Linux v2.0.0

● CIS Amazon Linux 2 Benchmark v1.0.0 (for AL 2)
● CIS Amazon Linux Benchmark v2.1.0 (for AL 1)

Reviewing host scan reports

Prisma Cloud lets you filter the displayed hosts by searching for specific hosts or by collection.
Collections support AWS tags. When creating new collections, specify the tags you want to use for
filtering in the Labels field.

Step 1: Open Console, then go to Monitor > Compliance > Hosts > Running Hosts.
Step 2: Click a host in the list.
A report for the compliance issues on the host is shown.

Prisma Certified Cloud Security Engineer (PCCSE) 59

All vulnerabilities identified in the latest host scan can be exported to a CSV file by clicking
the CSV button in the top right of the table.

2.2.2 Options available in the Policies section

For discussion of vulnerability policies see Section 2.1.2.

2.2.3 Reference
● Host scanning,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/com
pliance/host_scanning

2.3 Monitor and enforce image/container compliance

2.3.1 Options available in the Monitor section

Compliance Explorer is a reporting tool for compliance rate. Metrics present the compliance rate for
resources in your environment on a per-check, per-rule, and per-regulation basis. Report data can
be exported to CSV files for further investigation.

The key pivot for Compliance Explorer is failed compliance checks. Compliance Explorer tracks each
failed check and the resources impacted by each failed check. From there, you can further slice and
dice the data by secondary categories, such as collection, benchmark, and issue severity.

Compliance Explorer helps you answer these types of questions:

● What is the compliance rate for the entire estate?

Prisma Certified Cloud Security Engineer (PCCSE) 60

 ● What is the compliance rate for some segment of the estate?
● What is the compliance rate relative to the checks that you consider important?
○ Segment by benchmark.
○ Segment by specific compliance policy rules. Prisma Cloud supports compliance
policies for containers, images, hosts, and serverless functions.

● Which resources (containers, images, hosts, serverless functions) are failing the compliance
checks you care about?

To view Compliance Explorer, go to Monitor > Compliance > Compliance Explorer.

2.3.2 Options available in the Policies section

The CIS Benchmarks provide consensus-oriented best practices for securely configuring systems.
Prisma Cloud provides checks that validate the recommendations in the following CIS Benchmarks:

● Docker Benchmark
● Kubernetes Benchmark
● Openshift Benchmark (note: part of Kubernetes CIS benchmarks)
● Distribution Independent Linux
● Amazon Web Services Foundations

We have graded each check using a system of four possible scores: critical, high, medium, and low.
This scoring system lets you create compliance rules that take action, depending on the severity of
the violation. If you want to be reasonably certain that your environment is secure, address all
critical and high checks. By default, all critical and high checks are set to alert, and all medium and
low checks are set to ignore. We expect customers to review, but probably never fix, medium and
low checks.

There are just a handful of checks that are graded as critical. “Critical” is reserved for situations
where your container environment is exposed to the internet, where they are vulnerable to a direct
attack by somebody on the outside. They should be addressed immediately.

Prisma Cloud has not implemented CIS checks marked as Not Scored. These checks are hard to
define in a strict way. Other checks might not be implemented because the logic is resource-heavy,
results depend on user input, or files cannot be parsed reliably.

Additional details about Prisma Cloud’s implementation of the CIS benchmarks

The compliance-rule dialog provides some useful information. Compliance rules for containers can
be created under Defend > Compliance > Containers and Images, while compliance rules for
hosts can be created under Defend > Compliance > Hosts.

Benchmark versions—To see which version of the CIS benchmark is supported in the product, click
the All types drop-down list.

Prisma Certified Cloud Security Engineer (PCCSE) 61

Grades—To see Prisma Cloud’s grade for a check, see the corresponding Severity column.

Built-in policy library —To enable the checks for the PCI DSS, HIPAA, NIST SP 800-190, and GDPR
standards, select the appropriate template.

Prisma Certified Cloud Security Engineer (PCCSE) 62

Compliance checks
Prisma Cloud Labs compliance checks are designed by our research team. They fill gaps that are
not offered by other benchmarks. Like all compliance checks, Prisma Cloud’s supplementary checks
monitor and enforce a baseline configuration across your environment.

Prisma Cloud Labs compliance checks can be enabled or disabled in custom rules. New rules can
be created under Defend > Compliance > Policy.

Container checks
● 596—Potentially dangerous NET_RAW capability enabled – Checks if a running container
has the NET_RAW capability enabled. This capability grants an application the ability to craft
raw packets. In the hands of an attacker, NET_RAW can enable a wide variety of networking
exploits, such as ARP-spoofing and hijacking a cluster’s DNS traffic.

● 597—Secrets in clear text environment variables (container and serverless function

check) – Checks if a running container (instantiated from an image) or serverless function
contains sensitive information in its environment variables. These environment variables can
be easily exposed with docker inspect, and thus compromise privacy.

● 598—Container app is running with weak settings – Weak settings incidents indicate that
a well-known service is running with a nonoptimal configuration. This check covers settings
for common applications, specifically: Mongo, Postgres, Wordpress, Redis, Kibana, Elasitc
Search, RabbitMQ, Tomcat, Haproxy, KubeProxy, Httpd, Nginx, MySql, and registries. These
settings check for such things as the use of default passwords, requiring SSL, etc. The output
for a failed compliance check will contain a Cause field that gives specifics on the exact
settings detected that caused a failure.

● 599—Container is running as root (container check) – Checks if the user value in the
container configuration is root. If the user value is 0, root, or “” (empty string), the container is
running as a root user, and the policy’s configured effect (ignore, alert, or block) is actuated.

2.3.3 References
● Compliance Explorer,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/com
pliance/compliance_explorer
● CIS Benchmarks,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/com
pliance/cis_benchmarks
● Compliance checks,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/com
pliance/prisma_cloud_compliance_checks

2.4 Monitor and enforce host compliance

Prisma Certified Cloud Security Engineer (PCCSE) 63

2.4.1 Options available in the Monitor section
Prisma Cloud helps enterprises monitor and enforce compliance for hosts, containers, and
serverless environments. Use the compliance-management system to enforce standard
configurations and security best practices.

● Compliance Explorer
● Enforce compliance checks
● CIS Benchmarks
● Prisma Cloud Labs compliance checks
● Serverless functions compliance checks
● Windows compliance checks
● DISA STIG compliance checks
● Custom compliance checks
● Trusted images
● Host scanning
● VM image scanning
● Fargate scanning
● Detect secrets
● Cloud discovery
● OSS license management

2.4.2 Options available in the Policies section

Prisma Cloud can monitor and enforce compliance settings across your environment. Out of the
box, Prisma Cloud supports hundreds of discrete checks that cover images, containers, hosts,
clusters, and clouds.
Applications are typically built with numerous components. Many components have established
best practices for securing them against attack. Not everyone has the bandwidth to painstakingly
work through the details of every best practice to determine which ones are the most important.
Prisma Cloud lets your security team centrally review all best practices, enable the ones that align
with your organization’s security mandate, and then evenly enforce them across your environment.
Prisma Cloud’s predefined checks are based on industry standards, such as the CIS benchmarks, as
well as research and recommendations from Prisma Cloud Labs. Additionally, you can implement
your own compliance checks with scripts.

Enforcement
Compliance rules are defined and applied in the same way as vulnerability rules. Checks that can be
performed on static images are performed as images that are scanned (either in the registry or on
local hosts). Results are then displayed in the compliance reports under Monitor > Compliance on
the Console.

When compliance rules are configured with block actions, they are enforced when a container is
created. If the instantiated container violates your policy, Prisma Cloud prevents the container from
being created.

Note that compliance enforcement is only one part of a defense in depth approach. Because
compliance enforcement is applied at creation, it is possible that a user with appropriate access

Prisma Certified Cloud Security Engineer (PCCSE) 64

could later change the configuration of a container, making it noncompliant after deployment. In
these cases, the runtime layers of the defense-in-depth model provide protection by detecting
anomalous activity, such as unauthorized processes.

Assume that you want to block any container that runs as root. The flow for blocking such a
container is:

1. Prisma Cloud admin creates a new compliance rule that blocks containers from running as
root.

2. The admin optionally targets the rule to specific resources, such as a set of hosts, images, or
containers.

3. Someone with rights to create containers attempts to deploy a container to the

environment.

4. Prisma Cloud compares the image being deployed to the compliance state that it detected
when it scanned the image. For deploy-time parameters, the specific Docker client
commands that are sent are also analyzed.

● If the comparison determines that the image is compliant with the policy, the
“docker run” command is allowed to proceed as normal, and the return message
from Docker Engine is sent back to the user.

● If the comparison determines that the image is not compliant, the container_create
command is blocked and Prisma Cloud returns an error message back to the user
describing the violation.

5. All activities are centrally logged in Console and (optionally) syslog in both success and
failure cases.

2.4.3 References
● Compliance,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/com
pliance
● Manage compliance,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/com
pliance/manage_compliance

2.5 Monitor and defend containers and hosts during runtime

Runtime defense is the set of features that provide both predictive and threat-based active
protection for running containers. For example, predictive protection includes capabilities like
determining when a container runs a process not included in the origin image or creates an
unexpected network socket. Threat-based protection includes capabilities such as detecting when
malware is added to a container or when a container connects to a botnet.

Prisma Cloud Compute has distinct sensors for file system, network, and process activity. Each
sensor is implemented individually, with its own set of rules and alerts. The runtime defense

Prisma Certified Cloud Security Engineer (PCCSE) 65

architecture is unified to simplify the administrator experience and to show more detail about what
Prisma Cloud automatically learns from each image. Runtime defense has two principle object
types: models and rules.

2.5.1 Container models

Models are the results of the autonomous learning that Prisma Cloud performs every time we see a
new image in an environment. A model is the allow list for what a given container image should be
doing, across all runtime sensors. Prisma Cloud automatically creates and maintains models. They
provide an easy way for administrators to view and understand what Prisma Cloud has learned
about their images. For example, a model for an Apache image would detail the specific processes
that should run within containers derived from the image and which network sockets should be
exposed.

Navigate to Monitor > Runtime > Container Models. Click the image to view the model.

There is a 1:1 relationship between models and images: Every image has a model and every model
applies to a single unique image. For each image, a unique model is created and mapped to the
image digest. So, even if there are multiple images with the same tags, Prisma Cloud creates
unique models for each image.

Models are built from both static analysis (such as building a hashed process map based on parsing
an init script in a Dockerfile ENTRYPOINT) and dynamic behavioral analysis (such as observing
actual process activity during early runtime of the container). Models can be in one of three modes:
Active, Archived, or Learning.

For containers in Kubernetes clusters, Prisma Cloud considers the image, namespace, cluster, and
deployment (YAML) file when it creates models.

● When the same image runs in multiple different clusters, Prisma Cloud creates separate
models for each image in each cluster.
● When the same image runs in multiple different namespaces, Prisma Cloud creates
separate models for each image in each namespace.

Prisma Certified Cloud Security Engineer (PCCSE) 66

 ● When there are multiple running instances of an image in the same namespace, Prisma
Cloud creates a single model.
● When there are multiple running instances of an image in the same namespace, but started
from different deployment (YAML) files, Prisma Cloud creates multiple container models,
one for each deployment.

Prisma Cloud shows you how models map to specific images. Go to Monitor > Runtime >
Container Models, click a model in the table, and click the General tab.

2.5.2 Host observations

Host observations
● Track SSH events—As part of the host observation capability, we are also full tracking all
SSH activities, which is enabled by default in new rules. Tracking can be disabled via this
toggle.

2.5.3 Runtime policies

Host runtime policy
By default, Prisma Cloud ships with an empty host runtime policy. An empty policy disables
runtime defense entirely.

Creating a new rule enables runtime defense. When Defender is installed, it automatically starts
collecting data about the underlying host. To create a rule, open Console, go to Defend > Runtime
> Host Policy, and click Add rule. Create new rules to enhance host protection.

Prisma Certified Cloud Security Engineer (PCCSE) 67

 ● Rules are assigned with names to provide an indication of the target of each rule.
● The scope of each rule is determined by the collection assigned to that rule.
● Prisma Cloud uses rule order and pattern matching to determine which rule to apply for
each workload.

Anti-malware provides a set of capabilities that lets you alert or prevent malware activity and exploit
attempts.

2.5.4 Runtime audits

The document summarizes all the runtime audits (detections) that are available in Prisma Cloud
Compute. For each detection, you can learn more about what it actually detects, how to enable or
disable it, avoid false positives, relevant workloads (Containers, Hosts, Serverless and
App-embedded), and if the audit also generates an incident.

2.5.5 Incidents using Incident Explorer

Incident Explorer elevates raw audit data to actionable security intelligence, which enables a more
rapid and effective response to incidents. You do not have to manually sift through reams of audit
data because Incident Explorer automatically correlates individual events that are generated by the
firewall and runtime sensors to identify unfolding attacks.

Audit events that are generated as a byproduct of an attack rarely occur in isolation. Attackers
might modify a configuration file to open a backdoor, establish a new listener to shovel data out of
the environment, run a port scan to map the environment, or download a rootkit to hijack a node.

Prisma Certified Cloud Security Engineer (PCCSE) 68

Each of these attacks is made up of a sequence of process, file system, and network events. Prisma
Cloud’s runtime sensors generate an audit each time an anomalous event outside the allow-list
security model is detected. Incident Explorer sews these discrete events together to show the
progression of a potential attack.

To learn more about the challenges of incident response in cloud native environments, and how
Prisma Cloud can help, see this webinar recording.

Viewing incidents
To view incidents, go to Monitor > Runtime > Incident Explorer. Click an incident to examine the
events in the kill chain. Clicking on individual events shows more information about what triggered
the audit. After you have examined the incident, and have taken any necessary action, you can
declutter your workspace by archiving the incident.

All the raw audit events that comprise the incident can be found in the Audit Data tab. To see the
individual events and export the data to a CSV file, go to Monitor > Events > Container audits /
Host audits / App-Embedded audits.

Incident Explorer is organized to let you quickly access the data you need to investigate an incident.
The following diagram shows the contextual data presented with each incident:

Prisma Certified Cloud Security Engineer (PCCSE) 69

 ● (1) Story—Sequence of audits that triggered the incident.
● (2) Image, container, and host reports—Scan reports for each resource type. Scan reports
list vulnerabilities, compliance issues, and so on.
● (3) Connections—Incident-specific radar that shows all connections to and from the
container involved in the incident. Its purpose is to help you assess risk by showing you a
connection graph for the compromised asset.
● (4) Documentation—Detailed steps for investigating and mitigating every incident type.
● (5) Forensics—Supplemental data collected and stored by Defender to paint a better
picture of the events that led to an incident.

2.5.6 References

● Runtime defense for containers,

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runti
me_defense/runtime_defense_containers
● Host Observations,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runti
me_defense/runtime_defense_hosts
● Host runtime policy,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runti
me_defense/runtime_defense_hosts
● Runtime audits,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runti
me_defense/runtime_audits

Prisma Certified Cloud Security Engineer (PCCSE) 70

 ● Incident Explorer,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/runti
me_defense/incident_explorer

2.6 Monitor and protect against serverless vulnerabilities

This task shows you how to identify and protect against vulnerabilities in serverless apps. The term
“serverless” does not mean that there is no server. It means that for most purposes you can ignore
the server because it is managed by the service provider. However, it still is implemented on a
virtual machine, possibly on a Docker container, that runs an application runtime environment
such as Node.js or Tomcat. This environment, and any libraries you import into your serverless app,
still can contain vulnerabilities.

2.6.1 Monitor
Prisma Cloud can scan serverless functions for vulnerabilities. Prisma Cloud supports AWS Lambda,
Google Cloud Functions, and Azure Functions.
Serverless computing is an execution model in which a cloud provider dynamically manages the
allocation of machine resources and schedules the execution of functions that users provide.
Serverless architectures delegate the operational responsibilities, along with many security
concerns, to the cloud provider. In particular, your app itself is still prone to attack. The
vulnerabilities in your code and associated dependencies are the footholds attackers use to
compromise an app. Prisma Cloud can show you a function’s dependencies, and surface the
vulnerabilities in those dependent components.

Capabilities
For serverless, Prisma Cloud can scan Node.js, Python, Java, C#, Ruby, and Go packages. For a list of
supported runtimes, see system requirements.

Prisma Cloud scans are triggered by the following events:

● When the settings change, including when new functions are added for scanning.
● When you explicitly click the Scan button in the Monitor > Vulnerabilities > Functions >
Scanned Functions page.
● Periodically. By default, Prisma Cloud rescans serverless functions every 24 hours, but you
can configure a custom interval in Manage > System > Scan.

Scan a serverless function

Configure Prisma Cloud to periodically scan your serverless functions. Unlike image scans, all
function scans are handled by Console.

Step 1: Open Console.

Step 2: Go to Defend > Vulnerabilities > Functions > Functions.

Step 3: Click Add scope. In the dialog, enter these settings:

● (AWS only) Select Scan only latest versions to just scan the latest version of each function.
Otherwise, the scan will cover all versions of each function up to the specified Limit value.

Prisma Certified Cloud Security Engineer (PCCSE) 71

 ● (AWS only) Select Scan Lambda Layers to enable function layer scans as well.
● (AWS only) Specify which regions to scan in AWS Scanning scope. By default, the scope is
applied to Regular regions. Other options include China regions or Government regions.
● Specify a Limit for the number of functions to scan.
● Select the accounts to scan by credential. If you wish to add an account, click Add
credential.
● Click Add.

Step 5: Click the green Save button.

Step 6: View the scan report.

Go to Monitor > Vulnerabilities > Functions > Scanned functions.

All vulnerabilities identified in the latest serverless scan report can be exported to a CSV file by
clicking on the CSV button in the top right of the table.

2.6.2 Policy
Prisma Cloud Labs has developed compliance checks for serverless functions. Currently, only AWS
Lambda is supported.

In AWS Lambda, every function has an execution role. Execution roles are identities with permission
policies that control what functions can and cannot do in AWS. When you create a function, you
specify an execution role. When the function is invoked, it assumes this role.
When Prisma Cloud scans the functions in your environment, it inspects the execution role for
overly permissive access to AWS services and resources.
Two fields are inspected: resource and action.

Resource
Specifies the objects to which the permission policy applies. Resources are specified with ARNs.
ARNs let you unambiguously specify a resource across all of AWS. ARNs have the following format:
arn:partition:service:region:account-id:resource

Where:
● service—Identifies the AWS product, such as Amazon S3, IAM, or CloudWatch Logs.
● resource—Identifies the objects in the service. It often includes the resource type, followed
by the resource name itself. For example, the following ARN uniquely identifies the user
Francis in the IAM service:
arn:aws:iam::586975633310:user/Francis

Action
Describes the tasks that can be performed on the service. For example, ec2:StartInstances,
iam:ChangePassword, and s3:GetObject. Wildcards can be used to grant access to all the actions of
a given AWS service. For example, s3:* applies to all S3 actions.

2.6.3 Auto-protect

Prisma Certified Cloud Security Engineer (PCCSE) 72

Serverless auto-defend lets you automatically add the Serverless Defender to the AWS Lambda
functions deployed in your account. Prisma Cloud uses the AWS API to deploy the Serverless
Defender as a Lambda layer based on the auto-defend rules.

Auto-defend is an additional option for deploying the Serverless Defender, in addition to manually
adding it as a dependency or adding it as a Lambda layer.

Serverless auto-defend supports the following runtimes:

● Node.js 12.x, 14.x

● Python 3.6, 3.7, 3.8
● Ruby 2.7

Limitations
Auto-protect is implemented with a layer. AWS Lambda has a limit of five layers per function. If your
functions have multiple layers, and they might exceed the layer limit with auto-defend, consider
protecting them with the embedded option.

Required permissions
Prisma Cloud needs the following permissions to automatically protect Lambda functions in your
AWS account. Add the following policy to an IAM user or role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PrismaCloudComputeServerlessAutoProtect",
"Effect": "Allow",
"Action": [
"lambda:PublishLayerVersion",
"lambda:UpdateFunctionConfiguration",
"lambda:GetLayerVersion",
"lambda:GetFunctionConfiguration",
"iam:SimulatePrincipalPolicy",
"lambda:GetFunction",
"lambda:ListFunctions",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies",
"iam:GetRolePolicy",
"iam:GetPolicy",
"lambda:ListLayerVersions",
"lambda:ListLayers",
"lambda:DeleteLayerVersion",
"kms:Decrypt",
"kms:Encrypt",
"kms:CreateGrant"
],

Prisma Certified Cloud Security Engineer (PCCSE) 73

 "Resource": "*"
}
]
}

Serverless auto-defend rules

To secure one or multiple AWS Lambda functions using serverless auto-defend:

1. Define a serverless protection runtime policy.

2. Define a serverless WAAS policy.
3. Add a serverless auto-defend rule.

2.6.4 References
● Serverless function scanning,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vuln
erability_management/serverless_functions
● Serverless functions compliance checks,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/com
pliance/serverless
● Auto-defend serverless functions,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/insta
ll/install_defender/auto_defend_serverless

2.7 Configure WAAS

2.7.1 Application specifications

WAAS (Web-Application and API Security, formerly known as CNAF, Cloud Native Application
Firewall) is a web application firewall (WAF) designed for HTTP-based web applications deployed
directly on hosts, as containers, application embedded or serverless functions. WAFs secure web
applications by inspecting and filtering Layer 7 traffic to and from the application.

WAAS enhances the traditional WAF protection model by deploying closer to the application, easily
scaling up or down and allowing for inspection of “internal” traffic (east-to-west) from other
microservices, as well as inbound traffic (north-to-south).

For containerized web applications, WAAS binds to the application’s running containers, regardless
of the cloud, orchestrator, node, or IP address where it runs, and without the need to configure any
complicated routing. For noncontainerized web applications, WAAS simply binds to the host where
the application runs.

Highlights of WAAS capabilities:

● OWASP Top-10 Coverage—Protection against most critical security risks to web

applications, including injection flaws, broken authentication, broken access control, security
misconfigurations, etc.

Prisma Certified Cloud Security Engineer (PCCSE) 74

 ● API Protection—WAAS is able to enforce API traffic security based on definitions and specs
provided in the form of Swagger or OpenAPI files.

● Access Control—WAAS controls access to protected applications using Geo-based, IP-based

or HTTP Header-based user-defined restrictions.

● File Upload Control—WAAS secures application file uploads by enforcing file extension
rules.

● Detection of Unprotected Web Applications—WAAS detects unprotected web

applications and flags them in the radar view.

● Penalty Box for Attackers—WAAS supports a five-minute ban of IPs triggering one of its
protections to slow down vulnerability scanners and other attackers probing the application.

● Bot Protection—WAAS detects good known bots as well as other bots, headless browsers,
and automation frameworks. WAAS is also able to fend off cookie droppers and other
primitive clients by mandating the use of cookies and JavaScript in order for the client to
reach the protected origin.

● DoS Protection—WAAS is able to enforce rate limitation on IPs or Prisma Sessions to protect
against high-rate and “low and slow” layer-7 DoS attacks.

Architecture
WAAS is deployed via Prisma Cloud Compute Defenders that operate as a transparent HTTP proxy,
evaluating client requests against Security policies before relaying the requests to your application.
Defenders are deployed into the environment in which the web applications run. The WAAS
management console is independent of the Defenders and can be self-hosted or provided as a
service (SaaS):

When a firewall is deployed, Defender reroutes traffic bound for your web application to WAAS for
inspection. If a connection is secured with TLS, Defender decrypts the traffic, examines the content,
and then re-encrypts it.

Prisma Certified Cloud Security Engineer (PCCSE) 75

Legitimate requests are passed to the target container or host. Requests triggering one or more
WAAS protections generate a WAAS “event audit” and an action is taken based on the
preconfigured action (see “WAAS Actions” below).

WAAS event audits can be further explored in the Monitor section of Prisma Cloud Compute’s
management console (Monitor > Events). In addition, event audits are registered in the
Defender’s syslog thus allowing for integration with third-party analytics engines or SIEM platforms
of choice.

2.7.2 API methods

WAAS Actions
Requests that trigger a WAAS protection are subject to one of the following actions:

● Alert - The request is passed to the protected application and an audit is generated for
visibility.
● Prevent - The request is denied from reaching the protected application, an audit is
generated and WAAS responds with an HTML page indicating the request was blocked.
● Ban - Can be applied on either IP or Prisma Session IDs. All requests originating from the
same IP/Prisma Session to the protected application are denied for the configured time
period (default is 5 minutes) following the last detected attack.

2.7.3 REST API endpoints

WAAS can enforce API security based on specifications provided in the form of
Swagger or OpenAPI files. Alternatively, you can manually define your API (e.g., paths, allowed HTTP

Prisma Certified Cloud Security Engineer (PCCSE) 76

methods, parameter names, input types, value ranges, and so on). Once defined, you can configure
the actions WAAS applies to requests that do not comply with the API’s expected behavior.

Import API definition from Swagger or OpenAPI files

1. Click the App definition tab.

2. Click Import.

3. Select a file to load.

4. Click the API protection tab.

Prisma Certified Cloud Security Engineer (PCCSE) 77

5. Review path and parameter definitions listed under API Resources.

6. Click the Endpoint setup tab.

7. Review protected endpoints listed under Protected Endpoints and verify configured base
paths all end with a trailing *.

8. Go back to the API protection tab.

Prisma Certified Cloud Security Engineer (PCCSE) 78

 9. Configure an API protection action for the resources defined under API resources, and
an action for all other resources.

Define an API manually

1. Click the App definition tab.

Prisma Certified Cloud Security Engineer (PCCSE) 79

2. Click the Endpoint setup tab.

3. Add protected endpoints under Protection endpoints and verify configured base paths all
end with a trailing *.

4. Click the API protection tab.

Prisma Certified Cloud Security Engineer (PCCSE) 80

5. Click Add path.
6. Enter Resource path(e.g. /product - resource paths should not end with a trailing ”/”).

Paths entered in this section are additional subpaths to the base path defined in the
previous endpoint section. For example, if in the endpoint definition hostname was set
to www.example.com and base path was set to /api/v2/*, and in the API Protection tab
resource path was set to /product, the full protected resource would
be www.example.com/api/v2/product.

7. Select allowed methods.

Prisma Certified Cloud Security Engineer (PCCSE) 81

8. For each allowed HTTP method, define parameters by selecting the method
from Parameters for drop-down list.

1. Select an HTTP method from the drop-down list.

2. Click Add parameter.
3. Enter parameter definition.

9. Configure an API protection action for the resources defined under API resources, and
an action for all other resources.

Prisma Certified Cloud Security Engineer (PCCSE) 82

 o Parameter violation—Action to be taken when a request sent to one of the specified
paths in the API resource list does not comply with the parameter provided
definitions.
o Unspecified path(s)/method(s)—Action to be taken in one of the following cases:
■ Request sent to a resource path that is not specified in the API resources list.
■ Request sent using an unsupported HTTP method for a resource path in the
API list.

2.7.4 DoS protection

WAAS is able to enforce a rate limit on IPs or sessions to protect against high-rate and “low and
slow” application-layer DoS attacks.

DoS protection overview

WAAS is able to limit the rate of requests to the protected endpoints within each app based on two
configurable request rates:

● Burst Rate - Average rate of requests per second is calculated over a five-second period.
● Average Rate - Average rate of requests per second is calculated over a 120-second period.

Users are able to specify match conditions for qualifying requests to be included in the count.
Match conditions are based on HTTP methods, File Extensions, and HTTP response codes.

Users are also able to specify Network lists to be excluded from the DoS protection-rate accounting.

Enabling DoS protection

Step 1: Enter DoS Protection tab and set the DoS Protection toggle to On.

Prisma Certified Cloud Security Engineer (PCCSE) 83

Step 2: Set the effect with the action to apply once a threshold is reached.

Step 3: Apply rate-limitation thresholds (requests per second) for Burst rate (calculated over five
seconds) and for Average rate (calculated over 120 seconds).

Step 4: To apply the rate limitation on a subset of requests, click the On button.

Conditions can be specified as a combination (AND) of the following:

● HTTP Methods
● File Extensions - multiple extensions are allowed (e.g. .jpg, .jpeg, .png).
● HTTP Response Codes - specify either a single response code, a range or a combination of
them (e.g. 302, 400-410, 500-599).

Step 5: Multiple match conditions are allowed (OR relation between them).

In the above example the following request would be counted against the rate limitation
thresholds:

Prisma Certified Cloud Security Engineer (PCCSE) 84

 ● HEAD HTTP requests
● POST HTTP requests with file extension of .tar.gz
● GET or PUT HTTP requests with file extension of .jpg, .jpeg, .png to which the origin
responded with and HTTP response code of 302 or in the range of 400-410 or in the range
of 500-599

Step 6: Specify Network lists of IP addresses to be excluded from the rate accounting.

DoS actions
Requests that exceed the rate limitation thresholds are subject to one of the following actions:

● Alert—The request is passed to the protected application and an audit is generated for
visibility.

● Ban—Can be applied to either the IP or Prisma Session. All requests originating from the
same IP/Prisma Session to the protected application are denied for the configured time
period (default is five minutes) following the last detected attack.

2.7.5 Access controls to limit inbound sources

WAAS allows for control over how applications and end-users communicate with the protected
web application.

Network Controls

Prisma Certified Cloud Security Engineer (PCCSE) 85

IP-based access control
Network lists can be specified in:

● Denied inbound IP Sources - WAAS applies selected action (Alert or Prevent) for IP
addresses in network lists.

● IP Exception List - Traffic that originates from IP addresses listed in this category is not
inspected by any of the protections defined in this policy.

Country-Based Access Control

Specify country codes, ISO 3166-1 alpha-2 format, in one of the following categories (mutually
exclusive):

● Denied Inbound Source Countries - WAAS applies selected action (Alert or Prevent) for
requests originating from the specified countries.

● Allowed Inbound Source Countries - Requests originating from specified countries will be
forwarded to the application (pending inspection). WAAS will apply an action of choice (Alert
or Prevent) on all other requests that do not originate from the specified countries.

2.7.6 Network lists

Network Lists allow administrators to create and maintain named IP address lists—for example,
“Office Branches,” “Tor and VPN Exit Nodes,” “Business Partners,” etc. List entries are composed of
IPv4 addresses or IP CIDR blocks.

To access Network Lists, open Console, go to Defend > WAAS and select the Network List tab.

Prisma Certified Cloud Security Engineer (PCCSE) 86

You can update lists manually or via batch import of entries from a CSV file. Once defined,
Network Lists can be referenced and used in IP-based access control, user-defined bots and DoS
protection.

To export lists in CSV format, click export CSV.

2.7.7 Access controls to enforce HTTP headers and file uploads

HTTP Header Controls

WAAS lets you block or allow requests that contain specific strings in HTTP headers by specifying a
header name and a value to match. The value can be a full or partial string match. Standard pattern
matching is supported.

If the Required toggle is set to On, WAAS applies the defined action on HTTP requests in which the
specified HTTP header is missing. When the Required toggle is set to Off, no action will be applied
for HTTP requests missing the specified HTTP header.

HTTP Header fields consist of a name followed by a colon, and then the field value. When decoding
field values, WAAS treats all commas as delimiters. For example, the Accept-Encoding request
header advertises which compression algorithm the client supports.
Accept-Encoding: gzip, deflate, br

Prisma Certified Cloud Security Engineer (PCCSE) 87

WAAS rules do not support exact matching when the value in a multivalue string contains a
comma because WAAS treats all commas as delimiters. To match this type of value, use wildcards.
For example, consider the following header:
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/74.0.3729.108 Safari/537.36

To match it, specify the following wildcard expression in your WAAS rule:
Mozilla/5.0*

File Upload Controls

Attackers may try to upload malicious files, such as malware, to your systems. WAAS protects your
applications against malware by restricting uploads to just the files that match any allowed content
types. All other files will be blocked.

Files are validated both by their extension and their magic numbers. Built-in support is provided for
the following file types:

● Audio: aac, mp3, wav

● Compressed archives: 7zip, gzip, rar, zip
● Documents: odf, pdf, Microsoft Office (legacy, Ooxml)
● Images: bmp, gif, ico, jpeg, png
● Video: avi, mp4

WAAS rules let you explicitly allow additional file extensions. These lists provide a mechanism to
extend support to file types with no built-in support, and as a fallback in case Prisma Cloud’s built-in
inspectors fail to correctly identify a file of a given type. Any file with an allowed extension is
automatically permitted through the firewall, regardless of its magic number.

2.7.8 Bot protection

Prisma Certified Cloud Security Engineer (PCCSE) 88

Bot categories
WAAS detects known good bots as well as other bots, headless browsers and automation
frameworks. WAAS is also able to fend off cookie-dropping clients and other primitive clients by
mandating the use of cookies and JavaScript in order for the client to reach the protected origin.

Bots are sorted into the following categories:

● Search Engine Crawlers - Bots that systematically crawl and index the worldwide web to
index pages for online searches. These are also known as spider bots or web crawlers.
● Business Analytics Bots - Bots that crawl, extract, and index business-related information.
● Educational Bots - Bots that crawl, extract, and index information for educational purposes,
such as academic search engines.
● News Bots - Bots that crawl, extract, and index the latest news articles, usually for
news-aggregation services.
● Financial Bots - Bots that crawl, extract, and index financial data.
● Content Feed Clients - Automated tools, services, or end-user clients that fetch web
contents for feed readers.
● Archiving Bots - Bots that crawl, extract, and archive website information.
● Career Search Bots - Automated tools or online services that extract and index job-related
postings.
● Media Search Bots - Bots that crawl, extract, and index media contents for search engines.

This category contains various bots and other automation frameworks that cannot be classified by
their activity or origin:

● Generic Bots - Clients with attributes that indicate an automated bot.

Prisma Certified Cloud Security Engineer (PCCSE) 89

 ● Web Automation Tools - Scriptable headless web browsers and similar web-automation
tools.
● Web Scrapers - Automated tools or services that scrape website contents.
● API Libraries - Software code libraries for Web API communications.
● HTTP Libraries - Software code libraries for HTTP transactions.
● Request Anomalies - HTTP requests with anomalies that are not expected from common
web browsers.
● Bot Impersonators - Bots and automation tools that impersonate known good bots to
evade rate limitation and other restrictions.
● Browser Impersonators - Automated tools or services that impersonate common web
browser software.

Users can create custom signatures based on HTTP headers and source IPs. User-defined
signatures are useful for tracking customer-specific bots, self-developed automation clients, and
traffic that appears suspicious.

Detection methods
WAAS uses static and active methods for detecting bots.
Static detection examines each incoming HTTP request and analyzes it to determine whether it
was sent by a bot.

Active detections make use of JavaScript and Prisma Sessions Cookies to detect and classify bots.
Prisma Session Cookies set by WAAS are encrypted and signed to prevent cookie tampering. In
addition, cookies include advanced protections against cookie-replay attacks where cookies are
harvested and re-used in other clients.

When enabled, JavaScript is injected periodically in server responses to collect browser attributes
and flag anomalies typical to various bot frameworks. JavaScript fingerprint results are received and
processed asynchronously and are used to classify sessions for future requests.

Detection workflow

Prisma Certified Cloud Security Engineer (PCCSE) 90

Deploying Bot Protection
1. Click the Bot protection tab.

2. Click Known Bots.

Prisma Certified Cloud Security Engineer (PCCSE) 91

 3. Choose actions for each bot category.

Unknown bots
1. Click the Bot protection tab.

2. Click Unknown Bots.

3. Choose actions for each bot category.

● If Request anomalies are enabled, choose sensitivity threshold.

Prisma Certified Cloud Security Engineer (PCCSE) 92

 ● Strict enforcement—High sensitivity (a few anomalies suffice for classifying as bot)
● Moderate enforcement—Medium sensitivity
● Lax enforcement—Low sensitivity

User-defined bots
Click the Bot protection tab.

Click User-defined bots.

Click Define new bot button.

Create bot signature by using a combination of the following fields:

● HTTP Header name - Specify HTTP header name to include in the signature.
● Header Values - Comma-separated list of values to be matched on in the HTTP header
(wildcard is allowed).
● Inbound IP sources - Specify Network list of IP addresses from which the bot originates.

Choose an action to apply.

Enable active detections

1. Click the Bot protection tab.

Prisma Certified Cloud Security Engineer (PCCSE) 93

 2. Click Active bot detections.

3. Choose actions to apply.

Session Validation - Action to apply when WAAS is unable to validate the session, either due
to cookie tampering or cookie replay.
JavaScript-based detection - Enable periodic injection of JavaScript to collect browser
attributes and flag anomalies typical to various bot frameworks.
JavaScript injection timeout - Once JavaScript is enabled, choose an action to apply when
the browser does not send a response to the JavaScript injection in a timely manner.
reCAPTCHA v2 integration - Enable Google’s reCAPTCHA v2 integration by specifying the
site key, secret key and challenge type.

2.7.9 Rules
WAAS custom rules offer an additional mechanism to protect your running web apps. Custom rules
are expressions that give you a precise way to describe and detect discrete conditions in requests
and responses. WAAS intercepts Layer 7 traffic, passes it to Prisma Cloud for evaluation. Expressions
let you inspect various facets of requests and responses in a programmatic way, then take action
when they evaluate to true. Custom rules can be used in container, host, and app-embedded
WAAS policies.

Prisma Certified Cloud Security Engineer (PCCSE) 94

In addition to your own custom rules, Prisma Labs ships and maintains rules for newly discovered
threats. These system rules are distributed via the Intelligence Stream. By default, they are shipped
in a disabled state. You can review, and optionally activate them at any time. System rules cannot
be modified. However, you can clone and customize them to fit your own specific needs.

2.7.10 Audit logs

Audit logs are available through the Prisma SD-WAN web interface and provide records of
administrators' configuration changes in a system. You can use these logs for compliance and
troubleshooting purposes. They provide logs on changes made, owner of the change, time of
change, and the scope of the change at a site, system, or a subset of sites.

You may filter the audit logs by time range (with the ability to go back in time by at least six
months), by site, by device, and by type such as security, network policy, system administration, and
users. The Audit logs provide details on the number of attempted logins to an enterprise portal by a
specific user from a particular IP address with information on all successful and failed attempts.
Users will have a view of all system changes and access attempts.

Audit logs auto-expire after two years, although the last two actions carried out on any resource are
kept forever. They are accessible to the ROOT, SUPER, and IAM ADMIN user roles. Custom roles with
GET and POST permissions for the audit log resource may access these logs.

Audit logs support Regex queries and compare versions by rewinding or fast-forwarding to earlier
or later versions and keeping a version static while changing the other version. Access the audit
logs from the System Administration tab on the Prisma SD-WAN web interface, as well as directly
from resources, such as sites, devices, SNMP traps, Syslog exports, NTP clients, server, BGP, static
route, interface configuration, policy rule, policy set, stacked policy prefix, custom application,
application override configuration, network contexts, circuit categories, IPSec profiles, Policies
(Original), zones, and prefix filters. You can export audit logs CSV files through the Audit log menu.

2.7.11 Reference
● Web-Application and API Security (WAAS),
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas
/waas-intro
● WAAS Actions,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas
/waas-intro
● API Protection,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas
/waas_api_protection
● DoS protection,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas
/waas_dos_protection
● Network lists,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas
/waas_access_control

Prisma Certified Cloud Security Engineer (PCCSE) 95

 ● Access controls to enforce HTTP headers and file uploads,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas
/waas_access_control
● Bot protection,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas
/waas_bot_protection
● WAAP custom rules,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/waas
/waas_custom_rules
● Audit logs,
https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/prisma-sd-
wan-administrator-authorization-and-authentication/audit-log

2.8 Monitor and protect registries

2.8.1 Scanning
Prisma Cloud can scan container images in public and private repositories on both public and
private registries.

The registry is a system for storing and distributing container images. The most well-known public
registry is Docker Hub, although there are also registries from Amazon, Google, and others.
Organizations can also set up their own internal private registries. Prisma Cloud can scan container
images on all of these types of registries.

After repository scanning is configured, Prisma Cloud automatically scans images for vulnerabilities.
Periodic scans are run at an interval specified in Configure > System > Scan (by default, once every
24 hours).

Deployment patterns
Registry scanning is handled by Defenders. When you configure Prisma Cloud to scan a registry,
you can select the scope of Defenders that will be used for performing the scan job.

Any Container Defender running on a host with the Docker Engine container runtime or container
runtime interface (CRI) can scan a registry, and any number of them can simultaneously operate as
registry scanners. This gives you a lot of options when you are trying to determine how to cover
disparate environments.
Select a collection of Defenders that are defined by hostnames or AWS tags, and the scan job will
be distributed between them according to the “Number of scanners” setting. When selecting the
“All” collection, you let Prisma Cloud automatically distribute the scan job across all available
Defenders.

In general, you should configure Prisma Cloud with a large scope of Defenders, because it reduces
operational complexity and improves resiliency. At scan-time, Prisma Cloud enumerates the
available Defenders according to your scope, manages the resource pool, and handles issues such
as restarting partially completed jobs. If you explicitly select one or two Defenders to handle
scanning, the hosts where these Defenders run are a single point of failure. If the host fails, or gets
destroyed, you have to reconfigure your scan settings with different Defenders.

Prisma Certified Cloud Security Engineer (PCCSE) 96

Registry scanning is scoped by OS type. Windows Defenders can only scan Windows images, and
Linux Defenders can only scan Linux images.

If you remove an image from the registry, or the registry becomes unavailable, Prisma Cloud
maintains the scan results according to your setup under Manage > System > Scan > Registry
scan results. After the specified number of days, the scan results are purged.

2.8.2 CI
Continuous integration and continuous delivery (CI/CD) systems automatically identify when a
module, such as a container or a serverless function, is ready to be pushed into the pipeline. After a
module is pushed, it goes through multiple tests before it is actually deployed as part of an
application. Prisma Cloud allows one of those scans to be a compliance test. If you are using Jenkins
or CloudBees, you can use the plugin. For other systems you will need to add a call to the
executable, called twistcli.

2.8.3 References:
● Configure registry scans,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vuln
erability_management/registry_scanning
● CI,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/conti
nuous_integration
● Integration with the CI Pipeline,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architectur
e-compute/ci_pipeline
● Other CI Tools,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architectur
e-compute/ci_pipeline/other_ci_tools

Prisma Certified Cloud Security Engineer (PCCSE) 97

Domain 3: Install, Upgrade, and Backup

3.1 Deploy and manage console for the compute edition

You can use a data-collection and user-interface platform hosted by Palo Alto Networks for Prisma
Cloud Compute. Or, you can host your own console with software that is provided to you as a
Docker image.

3.1.1. Prisma Cloud release software

Prisma Cloud images are built from the Red Hat Universal Base Image 8 Minimal (UBI8-minimal),
which is designed for applications that contain their own dependencies. With an active
subscription or a valid license key, you can retrieve the images from a cloud registry. This option
simplifies a lot of workflows, especially the install flow.
You can optionally manage Prisma Cloud images in your own registry. You can push the Prisma
Cloud images to your own private registry, and manage them from there as you see fit. The
Defender image can be downloaded from Console, under Manage > System > Utilities, or from the
Prisma Cloud API.

There are two different methods for accessing images in the cloud registry:

● Basic authorization
● URL authorization

Retrieving Prisma Cloud images using basic authorization

Authenticate using Docker login or Podman login, then retrieve the Prisma Cloud images using
docker pull or podman pull. For basic authorization, the registry is accessible at
registry.twistlock.com.

Prerequisites:

● You have your Prisma Cloud access token.

Step 1: Authenticate with the registry.

$ docker (or podman) login registry.twistlock.com
Username:

Password:

Where Username can be any string, and Password must be your access token.

Step 2: Pull the Defender image from the Prisma Cloud registry.
$docker(orpodman)pull
registry.twistlock.com/twistlock/defender:defender_<VERSION>

Retrieving Prisma Cloud images using URL auth

Retrieve Prisma Cloud images with a single command by embedding your access token into the
registry URL. For URL authorization, the registry is accessible at registry-auth.twistlock.com.

Prisma Certified Cloud Security Engineer (PCCSE) 98

By embedding your access token into the registry URL, you only need to run docker pull or podman
pull. The docker login or podman login command isn’t required.

The format for the registry URL is:

registry-auth.twistlock.com/tw_<ACCESS-TOKEN>/<IMAGE>:<TAG>

Prerequisites:

● You have a Prisma Cloud access token.

● The Docker or Podman client requires that repository names be lowercase. Therefore, all
characters in your access token must be lowercase. To convert your access token to
lowercase characters, use the following command:
$ echo <ACCESS-TOKEN> | tr '[:upper:]' '[:lower:]'

Step 1: Pull the Defender image from the Prisma Cloud registry.
$ docker (or podman) pull \
registry-auth.twistlock.com/tw_<ACCESS-TOKEN>/twistlock/defender:defender_<VERSION>

3.1.2 Console in Onebox configuration

Onebox provides a quick, simple way to install both Console and Defender onto a single host. It
provides a fully functional, self-contained environment that is suitable for evaluating Prisma Cloud.

Install Prisma Cloud

Install Onebox with the twistlock.sh install script.

Prerequisites:

● Your host meets the minimum system requirements.

● You have a license key.
● Port 8083 is open. Port 8083 (HTTPS) serves the Console UI. You can configure alternative
ports in twistlock.cfg before installing.
● Port 8084 is open. Console and Defender communicate with each other on this port.

Step 1: Download the latest Prisma Cloud release to the host where you’ll install Onebox.

Step 2: Extract the tarball. All files must be in the same directory when you run the install.
$ mkdir twistlock
$ tar -xzf prisma_cloud_compute_<VERSION>.tar.gz -C twistlock/

Step 3: Configure Prisma Cloud for your environment.

Open twistlock.cfg and review the default settings. The default settings are acceptable for most
environments.

Step 4: Install Prima Cloud.

$ sudo ./twistlock.sh -s onebox

● -s –
Agree to EULA.

Prisma Certified Cloud Security Engineer (PCCSE) 99

 ● -z –
(Optional) Print additional debug messages. Useful for troubleshooting install issues.
● Onebox –
Install both Console and Defender on the same host, which is the recommended
configuration. Specify console to install just Console.

Step 5: Verify that Prisma Cloud is installed and running:

$ docker ps --format "table {{.ID}}\t{{.Status}}\t{{.Names}}"

CONTAINER ID STATUS NAMES

764ecb72207e Up 5 minutes twistlock_defender_<VERSION>

be5e385fea32 Up 5 minutes twistlock_console

Configure Console
Create your first admin user and enter your license key.

Step 1: Open Prisma Cloud Console. In a browser window, navigate to 'https://<CONSOLE>:8083',

where <CONSOLE> is the IP address or DNS name of the host where Console runs.

Step 2: Create your first admin user.

Consider using admin as the username. It’s a convenient choice because admin is the default user
for many of Prisma Cloud’s utilities, including twistcli.

Step 3: Enter your license key.

Uninstall
Use the twistlock.sh script to uninstall Prisma Cloud from your host. The script stops and removes
all Prisma Cloud containers, removes all Prisma Cloud images, and deletes the /var/lib/twistlock
directly, which contains your logs, certificates, and database.

Step 1: Uninstall Prisma Cloud.

$ sudo ./twistlock.sh -u

Step 2: Verify that all Prisma Cloud containers have been stopped and removed from your host.
$ docker ps -a

Step 3: Verify that all Prisma Cloud images have been removed from your host.
$ docker images

3.1.3 Upgrade on Console

Upgrade Prisma Cloud Onebox. First upgrade Console. Console will then automatically upgrade all
deployed Defenders for you.

If Console fails to upgrade one or more Defenders, manually upgrade your Defenders.
Step 1: Download the latest recommended release.

Step 2: Unpack the downloaded tarball.

Optional: you may wish to unpack the tarball to a different folder than any previous tarballs.

Prisma Certified Cloud Security Engineer (PCCSE) 100

$ mkdir twistlock_<VERSION>
$ tar -xzf prisma_cloud_compute_edition_<VERSION>.tar.gz -C twistlock_<VERSION>/

The setup package contains updated versions of twistlock.sh and twistlock.cfg.

Step 3: Check the version of Prisma Cloud that will be installed:

$ grep DOCKER_TWISTLOCK_TAG twistlock.cfg

Step 4: Upgrade Prisma Cloud while retaining your current data and configs by using the -j option.
The -j option merges your current configuration with any new configuration settings in the new
version of the software.
You must use the same install target in your upgrade as your original installation. There are two
install targets: onebox and console, where onebox installs both Console and Defender onto a host
and console just installs Console.

To upgrade your onebox install, run:

$ sudo ./twistlock.sh -syj onebox

To upgrade your console install, run:

$ sudo ./twistlock.sh -syj console

Step 5: Go to Manage > Defenders > Manage and validate that Console has upgraded your
Defenders.

3.1.4 Business use case to determine the Prisma Cloud version to use
This article describes the key differences between Compute in Prisma Cloud Enterprise Edition and
Prisma Cloud Compute Edition. Use this guide to determine which option is right for you.

Prisma Certified Cloud Security Engineer (PCCSE) 101

3.1.5 Tenant versus Scale projects
Prisma Cloud supports two types of projects: Tenant projects and Scale projects. For more
information refer to the guide below or access our documentation on the feature, see here.
Multitenancy is a feature of on-premises Console deployment. If you are using a SaaS Console, you
may have multiple tenants provisioned through your SaaS subscription.

Multitenancy - Tenant Projects

Prisma Certified Cloud Security Engineer (PCCSE) 102

The Central Console has full visibility into the entire estate. You can then set up tenant projects that
act as a self-contained Console and Defender setup. Users can only see and administer their
subsection of the estate.

Tenant projects are like silos. They each have their own rules and settings that are created and
maintained separately from all other projects.

This is represented in the left-hand side of the above diagram.

Scale - Scale Projects

Each Console can support 5,000 Defenders. By utilizing Scale Projects, we can allocate Consoles to a
Central Console. This enables an unlimited number of Defenders.

Defenders communicate to the scale project Console (5,000 Defenders per scale project Console)
and the scale project Console aggregates and sends information to a Central Console.

Policies and rules are inherited by the scale project from the Central Console. Users and
administrators operate the Central Console which then pushes changes to the scale projects.
These are shown in the right-hand side of the above diagram.

3.1.6 References

● Prisma Cloud container images,

https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/insta
ll/twistlock_container_images
● Onebox,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-01/prisma-cloud-compute-editio
n-admin/install/install_onebox
● Upgrade Onebox,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/22-01/prisma-cloud-compute-editio
n-admin/upgrade/upgrade_onebox
● Prisma Cloud Enterprise Edition vs Compute Edition,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/welc
ome/pcee_vs_pcce
● Tenant vs Scale projects:,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architectur
e-compute/multitenancy_and_scale/projects

3.2 Deploy and manage Defenders

3.2.1 Types
Defenders enforce the policies you set in Console. They come in a number of different flavors. Each
flavor is designed to protect specific types of cloud-native resources and for optimal deployment
into the environment, with full support for automated workflows. Use the following flowchart to
choose the best Defender for the job.

Prisma Certified Cloud Security Engineer (PCCSE) 103

In general, deploy Container Defender whenever you can. It offers the most features, it can
simultaneously protect both containers and host, and nothing needs to be embedded inside your
containers for Defender to be able to protect them.

Container Defender (Linux and Windows)

Install Container Defender on any host that runs a container workload. Container Defender protects
both your containers and the underlying host. Docker must be installed on the host because this
Defender type runs as a container.

Prisma Certified Cloud Security Engineer (PCCSE) 104

Container Defender offers the richest set of capabilities. The deployment is also the simplest. After
deploying Container Defender to a host, it can immediately protect and monitor your containers
and host. No additional steps are required to rebuild your containers with an agent inside.
Container Defender should always be your first choice whenever possible.
There are some minimum requirements to run Container Defender. You should have full control
over the host where Container Defender runs. It must be able to run alongside the other containers
on the host with select kernel capabilities. And it must be able to run in the host’s network and
process namespace.

Deploy one Container Defender per host. Container Defender can be deployed in several ways:

● With cluster constructs - Container orchestrators often provide native capabilities for
deploying agents, such as Defender, to every node in the cluster. Prisma Cloud leverages
these capabilities to install Defender. Kubernetes and OpenShift, for example, offer
DaemonSets As such, Container Defender is deployed as a DaemonSet on Kubernetes.

● As a stand-alone entity - Stand-alone Container Defenders are installed on hosts that are not
part of a cluster.

Host Defender (Linux and Windows)

● Host Defender utilizes Prisma Cloud’s model-based approach for protecting hosts that do
not run containers. This Defender type lets you extend Prisma Cloud to protect all the hosts
in your environment, regardless of their purpose. Defender runs as a systemd service on
Linux and a Windows service on Windows. If Docker Engine is detected on the host,
installation of this Defender type is blocked; install Container Defender instead.

● Deploy one Host Defender per host. Do not deploy Host Defender if you’ve already deployed
Container Defender to a host. Container Defender offers the same host protection
capabilities as Host Defender.

Serverless Defender
Serverless Defenders offer runtime protection for AWS Lambda functions. Serverless Defender
must be embedded inside your functions. Deploy one Serverless Defender per function.

App-Embedded Defender
App-Embedded Defenders offer runtime protection for containers.
Deploy App-Embedded Defender anywhere you can run a container, but you can’t run Container
Defender. Container-on-demand services are a typical use case for App-Embedded Defender. They
remove the underlying cluster, host, operating system, and software modules (such as Docker
Engine) and present them as a single black box. Hooks into the operating system that Container
Defender needs to monitor and protect resources aren’t available in these environments. Instead,
embed App-Embedded Defender directly inside the container to establish a point of control.
Prisma Cloud supports an automated workflow for embedding App-Embedded Defenders.

Deploy one App-Embedded Defender per container. Deploy one Defender per task for Fargate.

Fargate
If you have an AWS Fargate task, deploy App-Embedded Fargate Defender.

Prisma Certified Cloud Security Engineer (PCCSE) 105

A key attribute of the App-Embedded Fargate Defender is that you don’t need to change how the
container images in the task are built. The process of embedding the App-Embedded Defender
simply manipulates the task definition to inject a Prisma Cloud sidecar container, and start existing
task containers with a new entry point, where the entry-point binary is hosted by the Prisma Cloud
sidecar container. The transformation of an unprotected task to a protected task takes place at the
task-definition level only. The container images in the task don’t need to be manually modified. This
streamlined approach means that you don’t need to maintain two versions of an image (protected
and unprotected). You simply maintain the unprotected version, and when you protect a task,
Prisma Cloud dynamically injects App-Embedded Defender into it.

The Prisma Cloud sidecar container has several jobs:

● It hosts the Defender binary that gets injected into containers in the task.
● It proxies all communication to Console. Even if you have multiple containers in a task, it
appears as a single entity in Console’s dashboard.
● It synchronizes policy with Console and sends alerts to Console.

Dockerfile
The Docker image format, separate from the runtime, is becoming a universal runnable artifact. If
you are not using Fargate, but something else that runs a Docker image, such as Azure Container
Instances, use the App-Embedded Defender with the Dockerfile method.

Provide a Dockerfile, and Prisma Cloud returns a new version of the Dockerfile in a bundle. Rebuild
the new Dockerfile to embed Prisma Cloud into the container image. When the container starts,
Prisma Cloud App-Embedded Defender starts as the parent process in the container, and it
immediately invokes your program as its child.

There are two big differences between this approach and the Fargate approach:

● With the Fargate approach, you don’t change the actual image. With the Dockerfile
approach, you have the original image and a new protected image. You must modify the
way your containers are built to embed App-Embedded Defender into them. You need to
make sure you tag and deploy the right image.

● Each Defender binary makes its own connection to Console. In the Console dashboard, they
are each counted as unique applications.

Nothing prevents you from protecting a Fargate task using the Dockerfile approach, but it’s
inefficient.

Manual
Use the manual approach to protect almost any type of runtime. If you are not running a Docker
image, but you still want Prisma Cloud to protect it, deploy App-Embedded Defender with the
manual method. Download the App-Embedded Defender, set up the required environment
variables, then start your program as an argument to the App-Embedded Defender.

If you choose the manual approach, you have to figure out how to deploy, maintain, and upgrade
your app on your own. While the configuration is more complicated, it’s also the most universal
option because you can protect almost any executable.

Prisma Certified Cloud Security Engineer (PCCSE) 106

Tanzu Application Service Defender
Tanzu Application Service (TAS) Defenders run on your TAS infrastructure. TAS Defenders provide
nearly all the same capabilities as Container Defenders, as well as the ability to scan droplets in your
blobstores for vulnerabilities. For specific differences between TAS Defenders and Container
Defenders, see the TAS Defender install article.

The TAS Defender is delivered as a tile that can be installed from your TAS Ops Manager Installation
Dashboard.

3.2.2 Networking for Defender-to-Console connectivity

Connectivity
Defender must be able to communicate with Console over the network because it pulls policies
down and sends data (alerts, events, etc.) back to Console.

By default, Defender establishes a connection to the Console on TCP port 8084 but you can
customize the port to meet the needs of your environment. All traffic between the Defender and
the console is TLS encrypted.

3.2.3 Upgrade and compatibility

You can upgrade Prisma Cloud without losing any of your data or configurations. Upgrade the
Console first. After upgrading the Console, upgrade your Defenders, and other Prisma Cloud
components.

You can upgrade from an immediate previous major version only. If your installation is more than
one major release behind, you must upgrade in steps. For example, you cannot directly upgrade
from version 19.11 to 20.09.

You must upgrade from version 19.11 to 20.04, and then from 20.04 to 20.09.

Console notifies you when new versions of Prisma Cloud are available. Notifications are displayed in
the top-right corner of the dashboard.

When you upgrade the Console, the old Console container is completely replaced with a new
container. Because Prisma Cloud stores state information outside of the container, all your rules
and settings are immediately available to the upgraded Prisma Cloud containers.

Prisma Cloud state information is stored in a database in the location that is specified by
DATA_FOLDER, which is defined in twistlock.cfg. By default, the database is located
in /var/lib/twistlock.

Prisma Certified Cloud Security Engineer (PCCSE) 107

Overview of the upgrade process
First upgrade Console. Next, upgrade your Defenders. Finally, upgrade all other Prisma Cloud
components, such as the Jenkins plugin. The upgrade process is vastly simplified when automatic
Defender upgrades are enabled (enabled by default).
The steps in the upgrade process are:

1. Upgrade Console.

2. Upgrade all deployed Defenders.

● If Defender auto-upgrade is enabled— Console will upgrade deployed Defenders for

you. If Console fails to upgrade one or more Defenders, it displays a banner at the top
of the UI. If you’ve created an alert for Defender health events, Console emits a
message on the alert channel for any Defender it fails to upgrade. Manually upgrade
any Defenders that the Console could not auto-upgrade.
● If Defender auto-upgrade is disabled— Manually upgrade all deployed Defenders.

3. Validate that all deployed Defenders have been upgraded.

● Review deployed Defenders and DaemonSets under Manage > Defenders >
Manage.
● Filter the Status column by Upgrade.
● If any Defenders have the Upgrade status, manually upgrade them.

4. Manually upgrade all other Prisma Cloud Compute components, such as the Jenkins plugin,
so that their versions exactly match Console’s version.

Version numbers of installed components

The currently installed version of Console is displayed in the bell menu.

Prisma Certified Cloud Security Engineer (PCCSE) 108

The versions of your deployed Defenders are listed under Manage > Defenders > Manage:

Prisma Cloud Compute components

The versions of all deployed components should match exactly. To support the multistep upgrade
process, older versions of Prisma Cloud components can continue to interoperate with newer
versions of Console in a limited way. Plan to upgrade all Prisma Cloud components as soon as
possible.

After you upgrade the Console, upgrade the following components:

● Defenders - Console can automatically upgrade most Defender types for you.
App-embedded Defenders and PCF Defenders (also known as Twistlock for Pivotal
Platform) must be manually upgraded.
● Jenkins plugin
● twistcli
● If you are using projects, supervisor Consoles must match the Central Console version.

Version mismatches

Prisma Certified Cloud Security Engineer (PCCSE) 109

Console interoperates with older components on a best-effort basis. When older components
interact with Console, Console displays some indicators in the dashboard:

● In Monitor > Events, any audits generated by older Defenders are marked with an
out-of-date indicator. Links to the rules that triggered the audit are disabled (explanation
follows).

● In Monitor > Vulnerabilities and Monitor > Compliance, any scan reports that are
generated by older components (Defender registry scanners, Jenkins plugins, twistcli) are
marked with an out-of-date indicator.

Although older Defenders can interoperate with newer Consoles, their operation is restricted. Older
Defenders fully protect your nodes using the policies and settings that were most recently cached
before upgrading the Console. They can emit audits to Console and local logs, including syslog.
However, they cannot access any API endpoint other than the upgrade endpoint, and they cannot
share any new data with the Console. No new policies or settings can be pushed from Console to
older Defenders. When Defender is in this state, its status is shown as “Upgrade needed” in Manage
> Defenders > Manage. To restore older Defenders to a fully operational state, upgrade them so
that their versions match Console’s version.

Upgrading Console when using projects

When you have one or more tenant or scale Projects, upgrade all Supervisors before upgrading the
Central Console. During the upgrade process, there may be periods where the Supervisors appear
disconnected. This is normal because the Supervisors are disconnected while the upgrade is
occurring and the Central Console will recheck connectivity every 10 minutes. Within 10 minutes of
upgrading all Supervisors and the Central Console, all Supervisors should appear healthy.
Upgrade each Supervisor and then the Central Console using the appropriate procedure:

● Console - Onebox
● Console - Kubernetes
● Console - OpenShift
● Console - Helm
● Console - Docker Swarm
● Console - Amazon ECS

Defender auto-upgrade support

Most Defender types can be auto-upgraded. A handful must still be manually upgraded. The
following table summarizes the Defender types, and which ones can be auto-upgraded.

Prisma Certified Cloud Security Engineer (PCCSE) 110

Enabling Defender auto-upgrade
By default, Defender auto-upgrade is enabled. You can check and change the setting in the
Console.

Step 1: Open Prisma Cloud Compute Console.

Step 2: Go to Manage > Defenders > Manage.
Step 3: Click Advanced Settings.
Step 4: Set Automatically upgrade Defenders to On or Off.

3.2.4 Reference
● Defender types,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/insta
ll/defender_types

Prisma Certified Cloud Security Engineer (PCCSE) 111

 ● Prisma™ Cloud,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-reference-architectur
e-compute/platform_components/defender
● Upgrade Prisma Cloud,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/20-09/prisma-cloud-compute-editio
n-admin/upgrade/upgrade_process

3.3 Configure Agentless Security

3.3.1 Agent versus Agentless

In cybersecurity, agents represent specialized software components that are installed on devices for
performing security-related “actions.”

Those actions include, but are not necessarily limited to:

● Security scanning and reporting

● System restarting and rebooting
● Applying software patches
● Making changes to configurations
● General system monitoring

Due to their nature, it is crucial that the agents perform well in diverse environments, and they
must also be low impact and low maintenance.

Agent-based systems are modeled on the pull communication style. In this case, the client is the
central server that pulls the data from the agents on demand. Agents typically have to be installed
on each machine following an automated process. Once the agents are configured, they can
receive requests from the central server for the results of security-related actions and status
updates.

Agentless security, on the other hand, performs many of the same actions, just without the
agents. In practice, this means that we can inspect and review security scans and vulnerabilities on
a remote machine without having to install an agent on that system. You may have to install
software on a different layer of the system (like networking) to capture associated risk metrics, but
you won’t need to have direct access to the host to install any service.

Agentless systems, therefore, are based on the push communication style. In other words, the
associated software pushes data to a remote system on a periodic basis. Because of the flexibility of
this setup, agentless security solutions work well for baseline security monitoring. You can
configure them to scan the whole infrastructure without having to install them to each subsystem.
However, a central system still needs to be available to coordinate scanning and the deployment of
patches.

On the other hand, you may need to install agent-based systems to certain hosts that require
stricter controls. For example, if you have hosts that deal with financial data, you might want to
maximize your use of available security technology by installing agents that can carefully monitor
and protect those systems, as well as improve their overall security posture.

Prisma Certified Cloud Security Engineer (PCCSE) 112

Is Agentless or Agent-Based Security Better?
Since both agentless and agent-based security are widely used today, you may be wondering
which one you should choose. Actually, you should use both in order to achieve comprehensive
security. It is still important to understand the pros and cons of each one so that you know when to
use them effectively.

To summarize, agentless systems have a number of features that make them appealing, including:

● Quicker setup and deployment: You don’t need to have direct access to all hosts to perform
security scans.
● Less maintenance and lower provisioning costs.
● Wider initial visibility and greater scalability.
● Ideal for networks with large amounts of bandwidth.
● Need for a center host available to perform actions.

On the other hand, agent-based systems have the following benefits over agentless systems:

● Enable in-depth scanning and monitoring of hosts. Agents can perform more specialized
scanning of components and services.
● Can be used as a firewall because they can block network connections based on filtering
rules.
● Offer runtime protection per host or per application.
● Provide security controls, such as the ability to block attacks and patch live systems.
● Are ideal for networks with limited bandwidth, locations within DMZ zones, or laptops that
can be out of network reach. You can install the agent in systems without network
connectivity.
● Do not need a central host because they can perform tasks independently. Once installed,
the agent runs its set of actions on demand without needing to establish a connection to a
server beforehand – even when it is disconnected from the enterprise network.

3.3.2 Cloud discovery

It’s difficult to ensure that all your apps running on all the different types of cloud services are being
properly secured. If you are using multiple cloud platforms, you might have many separate
accounts per platform. You could easily have hundreds of combinations of providers, accounts, and
regions where cloud native services are being deployed.

Cloud Platforms discovery helps you find all cloud-native services being used in AWS, Azure, and
Google Cloud, across all regions, and across all accounts. Cloud Provider discovery continuously
monitors these accounts, detects when new services are added, and reports which services are
unprotected. It helps mitigate your exposure to rogue deployments, abandoned environments, and
sprawl.

Cloud Platforms discovery offers coverage for the following services.

Registries:
● AWS
● Azure

Prisma Certified Cloud Security Engineer (PCCSE) 113

Serverless functions:
● AWS
● Azure
● Google Cloud
● Azure

Managed platforms:
● AWS ECS
● AWS EKS
● Azure Kubernetes Service (AKS)
● Azure Container Instances (ACI)
● Google Kubernetes Engine (GKE)

Virtual machines:
● AWS EC2 instances
● Azure VMs
● Google Cloud Platform (GCP) Compute Engine VM instances

Auto-defend capabilities are available on these services. Auto-defend utilizes rule-based policies to
automatically deploy Prisma Cloud Defenders via Console to protect resources in your environment.

Prisma Cloud ingestion only provides information on the LATEST version of AWS serverless
functions and not other versions.

Ingestion Based Discovery

After onboarding a cloud account into the platform, you can reuse the same onboarded account in
Compute for Cloud Discovery without the need for additional permissions on cloud accounts. Cloud
Discovery uses this ingested data to discover unprotected workloads across your monitored
environment. By using the same ingested metadata from cloud providers for both CSPM and CWP,
the time to scan for unprotected resources is reduced substantially, providing instant visibility into
undefended workloads in your organization.
Prisma Cloud needs an additional set of permissions to enable protection for these workloads. For
example, to deploy Defenders automatically on undefended VM machines. Full feature-wise
permissions listing is available along with protection mode for the onboarding template.

Configuring cloud platforms discovery

Set up Prisma Cloud to scan your cloud platform accounts for cloud-native resources and services.
Then configure Prisma Cloud to protect them with a single click.

Prerequisites: You onboarded cloud accounts in Prisma Cloud as described here.

Step 1: Log in to Prisma Cloud.

Step 2: Select Compute > Manage > Cloud Accounts.

Step 3: Select the accounts to scan. If there are no accounts in the table, you can import Prisma
Cloud onboarded accounts, using the “Add account” workflow and selecting “Prisma Cloud” as the
provider.

Prisma Certified Cloud Security Engineer (PCCSE) 114

Step 4: Select Bulk actions > Discovery configuration.

Step 5: Enable Cloud discovery.

Step 6: Save your changes.

Step 7: Review the scan results.

1. Select Compute > Manage > Cloud Accounts to view the scan report in tabular format.
● Select the Show account details icon to see the discovery scan results for resources
within the cloud account.

2. Select Radar > Cloud to view the scan report in a visual format.

Prisma Certified Cloud Security Engineer (PCCSE) 115

 In the Radar you can see the details for the resources that are protected using Defenders
and agentless scanning across the services in each region.

3. Select Defend for the entities you want Prisma Cloud to scan for vulnerabilities.
A new auto-defend rule is proposed. Select the appropriate credential, tweak the scan rule
as desired, then click Add.

4. See the scan results on Compute > Monitor > Vulnerabilities > {Images >
Registry|Functions}.

3.3.3 Reference

● Agent-Based and Agentless Security,

https://www.paloaltonetworks.com/cyberpedia/what-is-the-difference-between-agent-base
d-and-agentless-security
● Cloud discovery,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/com
pliance/cloud_discovery_saas

3.4 Backup and Restore console

3.4.1 Backup management

Prisma Cloud automatically backs up all data and configuration files periodically. You can view all
backups, make new backups, and restore specific backups from the Console UI. You can also restore
specific backups using the twistcli command line utility.

Prisma Cloud is implemented with containers that cleanly separate the application from its state
and configuration data. To back up a Prisma Cloud installation, only the files in the data directory
need to be archived. Because Prisma Cloud containers read their state from the files in the data

Prisma Certified Cloud Security Engineer (PCCSE) 116

directory, Prisma Cloud containers do not need to be backed up, and they can be installed and
restarted from scratch.

When data recovery is enabled (default), Prisma Cloud archives its data files periodically and copies
the backup file to a location you specify. The default path to the data directory is /var/lib/twistlock.
You can specify a different path to the data directory in twistlock.cfg when you install Console.

3.4.2 Disaster recovery

Restoring backups from the Console UI
You can restore Console from a backup file directly from within the Console UI. The Console UI lists
all available backups.

Step 1: Open Console.

Step 2: Go to Manage > System > Backup & Restore.

Step 3: Click Restore on one of the system or manual backups.

Step 4: After the database is reloaded from the backup file, restart Console.

For a onebox installation, ssh to the host where Console runs, then run the following command:
$ docker restart twistlock_console

For a Kubernetes installation, delete the Console pod, and the replication controller will
automatically restart it:
// Get the name of Prisma Cloud Console pod:
$ kubectl get po -n twistlock | grep console

// Delete the Prisma Cloud Console pod:

$ kubectl delete po <TWISTLOCK_CONSOLE> -n twistlock

Restoring backups from twistcli

You can restore Console from a backup using twistcli. Use this restore flow when Console is
unresponsive and you cannot access the UI to force a restore to a known good state.

Prerequisites:
● Your host can access the volume where the Prisma Cloud backups are stored. By default,
backups are stored in /var/lib/twistlock-backup, although this path might have been
customized at install time.
● Your host can access the Prisma Cloud’s data volume. By default, the data volume is located
in /var/lib/twistlock, although this path might have been customized at install time.
● Your version of twistcli matches the version of the backup you want to restore.

Step 1: Go to the directory where you unpacked the Prisma Cloud release.

Step 2: Run the twistcli restore command. Run twistcli restore --help to see all arguments.

● List all available backups. To list all files in the default backup folder
(/var/lib/twistlock-backup), run twistcli restore without any arguments:

Prisma Certified Cloud Security Engineer (PCCSE) 117

 $ ./twistcli restore

To list all backup files in a specific location, run:

$ ./twistcli restore <PATH/TO/FOLDER>

● Choose a file to restore by entering the number that corresponds with the backup file.
For example:
aqsa@aqsa-faith: ./twistcli restore --data-recovery-folder
/var/lib/twistlock-backup/
Please select from the following:
0: backup1 2.5.91 2018-08-07 15:10:10 +0000 UTC
1: daily 2.5.91 2018-08-06 16:10:48 +0000 UTC
2: monthly 2.5.91 2018-08-06 16:10:48 +0000 UTC
3: weekly 2.5.91 2018-08-06 16:10:48 +0000 UTC
Please enter your selection:
0

Step 3: After the database is reloaded from the backup file, re-install/restart Console.
For a onebox installation, ssh to the host where Console runs, then rerun the installer:
$ sudo ./twistlock.sh -ys onebox

For a Kubernetes installation, delete the Console pod, and the replication controller will
automatically restart it:
// Get the name of Prisma Cloud Console pod:
$ kubectl get po -n twistlock | grep console

// Delete the Prisma Cloud Console pod:

$ kubectl delete po <TWISTLOCK_CONSOLE> -n twistlock

Downloading backup files

Prisma Cloud Compute lets you download backup files so that they can be copied to another
location. Backup files can be downloaded from the Console. Go to Manage > System > Backup &
Restore, and click Actions > Export to download a backup.

3.4.3 Reference
● Backup and restore,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/21-08/prisma-cloud-compute-editio
n-admin/configure/disaster_recovery
● Disaster Recovery,
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/confi
gure/disaster_recovery

3.5 Manage authentication

3.5.1 Certificates
To ensure trust between parties in a secure communication session, Prisma Access uses digital
certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext.

Prisma Certified Cloud Security Engineer (PCCSE) 118

Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer
must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the
authenticating party verifies the issuer did not revoke the certificate.Prisma Access uses certificates
to secure features like decryption and authentication, and to secure communication between all
the clients, servers, users, and devices connecting to your network. Here are some of the keys and
certificates that Prisma Access uses.

● Authentication—You can use certificate-based authentication for mobile users connecting

to Prisma Access. Additionally, in deployments where Authentication policy identifies users
who access HTTPS resources, designate a server certificate for the authentication portal. If
you configure the authentication portal to use certificates for identifying users (instead of, or
in addition to, interactive authentication), deploy client certificates also.

● Decrypting Trusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward proxy
trusts the CA that signed the certificate of the destination server, the firewall uses the
forward trust CA certificate to generate a copy of the destination server certificate to present
to the client. To set the private key size, see Configure the Key Size for SSL Forward Proxy
Server Certificates. For added security, store the key on a hardware-security module (for
details, see Secure Keys with a Hardware Security Module).

● Decrypting Untrusted Sites—For outbound SSL/TLS traffic, if a firewall acting as a forward

proxy does not trust the CA that signed the certificate of the destination server, the firewall
uses the forward untrust CA certificate to generate a copy of the destination server
certificate to present to the client.

Prisma Certified Cloud Security Engineer (PCCSE) 119