Prisma Cloud: Protect your Cloud Instance with Host Defender

1 hour 30 minutes, 1 credit

This lab was developed with our partner, Palo Alto Networks. Your personal information may be shared with Palo Alto Networks, the lab sponsor, if you have opted in to receive product updates, announcements, and offers in your Account Profile.

GSP838

Overview

Prisma Cloud provides comprehensive visibility and threat detection for cloud workloads. Prisma Cloud software consists of two components: Console and Defenders. There are a number of Defender types; this lab focuses on securing Compute Engine instances with the Prisma Cloud Host Defender. The Console is Prisma Cloud's management interface, where you manage the Host Defenders you will deploy in this lab, define security policies, and monitor your environment. A Host Defender is deployed to each Compute Engine instance to secure the workload running on it, and protects the instance according to the security policies configured in the Prisma Cloud Console.

In this lab, you will use Prisma Cloud Host Defender to protect your Compute Engine Instances.

What you'll do:

  • Deploy Prisma Cloud Compute on a Google Kubernetes Engine (GKE) Cluster
  • Deploy Host Defender to Compute Engine Instances.

Setup and requirements

Before you click the Start Lab button

Read these instructions. Labs are timed and you cannot pause them. The timer, which starts when you click Start Lab, shows how long Google Cloud resources will be made available to you.

This hands-on lab lets you do the lab activities yourself in a real cloud environment, not in a simulation or demo environment. It does so by giving you new, temporary credentials that you use to sign in and access Google Cloud for the duration of the lab.

To complete this lab, you need:

  • Access to a standard internet browser (Chrome browser recommended).
Note: Use an Incognito or private browser window to run this lab. This prevents any conflicts between your personal account and the Student account, which may cause extra charges incurred to your personal account.
  • Time to complete the lab. Remember, once you start, you cannot pause a lab.
Note: If you already have your own personal Google Cloud account or project, do not use it for this lab to avoid extra charges to your account.

How to start your lab and sign in to the Google Cloud Console

  1. Click the Start Lab button. If you need to pay for the lab, a pop-up opens for you to select your payment method. On the left is the Lab Details panel with the following:

    • The Open Google Console button
    • Time remaining
    • The temporary credentials that you must use for this lab
    • Other information, if needed, to step through this lab
  2. Click Open Google Console. The lab spins up resources, and then opens another tab that shows the Sign in page.

    Tip: Arrange the tabs in separate windows, side-by-side.

    Note: If you see the Choose an account dialog, click Use Another Account.
  3. If necessary, copy the Username from the Lab Details panel and paste it into the Sign in dialog. Click Next.

  4. Copy the Password from the Lab Details panel and paste it into the Welcome dialog. Click Next.

    Important: You must use the credentials from the left panel. Do not use your Google Cloud Skills Boost credentials. Note: Using your own Google Cloud account for this lab may incur extra charges.
  5. Click through the subsequent pages:

    • Accept the terms and conditions.
    • Do not add recovery options or two-factor authentication (because this is a temporary account).
    • Do not sign up for free trials.

After a few moments, the Cloud Console opens in this tab.

Note: You can view the menu with a list of Google Cloud Products and Services by clicking the Navigation menu at the top-left.

Task 1. Connect to the Kubernetes Cluster

A Kubernetes cluster has been provisioned so you can get started with your lab.

  1. From the Navigation menu, go to Kubernetes Engine > Clusters.

You may have to wait for your Kubernetes cluster to finish provisioning. You should see a green check mark next to the cluster named k8-cluster.

  2. Click the Connect button, which opens an option to run Cloud Shell.

Kubernetes clusters page, connect button

  3. Click Run in Cloud Shell.

Cloud Shell will launch below the Cloud Console.

  4. Click Continue.

This will take a few moments, as this is a persistent image (container) giving full shell access to your project. It comes with a number of useful tools pre-installed, such as Terraform. In a production environment, the best reason to use Cloud Shell instead of your own laptop shell is that you do not have to worry about storing authentication tokens: Cloud Shell automatically inherits all permissions from your account.

  5. Press Enter in Cloud Shell to run the pre-populated gcloud command.

  6. Click Authorize.

Task 2. Install Prisma Cloud Compute

From Cloud Shell execute the following commands.

  1. Download the Prisma Cloud Compute Console software image:
curl -O https://cdn.twistlock.com/releases/f7371a8b/prisma_cloud_compute_edition_20_09_345.tar.gz
  2. Make a directory to decompress the file into:
mkdir prisma_cloud_compute_edition
  3. Then decompress the file:
tar xvzf prisma_cloud_compute_edition_20_09_345.tar.gz -C prisma_cloud_compute_edition/
  4. Change directory to the prisma_cloud_compute_edition folder, which contains the Linux twistcli binary you will use to generate a YAML file for the Prisma Cloud Compute Console:
cd prisma_cloud_compute_edition
  5. Retrieve the Prisma Cloud token:
gsutil cat gs://pcc01/token.txt

The command in the next step will prompt you for the token you just retrieved.

  6. Execute the following Linux twistcli command to generate the YAML file for the Prisma Cloud Compute Console:
./linux/twistcli console export kubernetes --service-type LoadBalancer
  7. Paste the Prisma Cloud token into Cloud Shell.
Note: You will not see the token when you paste it into Cloud Shell.
  8. Press ENTER after the paste and the command will complete. Your output should resemble the following:

Cloud Shell output

twistcli embeds the token in the YAML file for the Console's initial authentication.

  9. Now use kubectl to create the twistlock_console:
kubectl create -f twistlock_console.yaml

Output:

Output

  10. Run the following command to check whether the service has come up fully. The -w (watch) flag keeps the command running and refreshes the output as the service changes:
kubectl get service -w -n twistlock

The External IP will show once the service is available.

The public IP under the EXTERNAL-IP heading will be used to gain access to the Prisma Cloud Compute Console.

  11. Once you see the EXTERNAL-IP, press Ctrl-C to stop watching and return to the command line.

  12. Copy the External IP address of the Console. You will use it to test connectivity from the hosts.

External IP address

External IP address

Click Check my progress to verify the objective. Install Prisma Cloud Compute

Task 3. Connect to the console of the lab instances

There are three Linux Compute Engine instances pre-deployed in the lab, named jenkins-vm, juice-shop and kali. You are going to deploy the Prisma Cloud Host Defender on these instances.

To find these instances, in the Cloud Console navigate to Compute Engine > Virtual machines > VM instances.

  1. Connect to the instances through the following procedures:
  • SSH to jenkins-vm by clicking SSH
  • SSH to juice-shop by clicking SSH
  • SSH to kali from Cloud Shell with the following command, replacing [external IP of kali] with your external IP:
ssh kali@[external IP of kali]

When asked if you want to connect, type "yes", then use the password: kali.

jenkins-vm, juice-shop and kali instances on the VM instances page

  2. Verify that the instances where you will be installing Host Defender can connect to the Prisma Cloud Console. Execute the following curl command from kali, juice-shop and jenkins-vm, replacing [CONSOLE_IP_ADDRESS|HOSTNAME] with the External IP address of the twistlock-console from the previous step:
curl -sk -D - https://[CONSOLE_IP_ADDRESS|HOSTNAME]:8083/api/v1/_ping

The curl command returns an HTTP response status code of 200, indicating you have connectivity to the Console.

jenkins-vm, juice-shop and kali HTTP response status codes

  3. Log in to the Prisma Cloud Console by opening a browser window and browsing to https://[YOUR-EXTERNAL-IP]:8083. By default, the Console uses HTTPS on port 8083.
  4. At the certificate warning, click Advanced, then the Proceed to .... link.

Proceed to .... link

  5. Log in with the following credentials:

User: admin

Password: Pal0Alt0@123
  6. Then click Create Account.

Prisma Cloud login page

  7. In Cloud Shell, retrieve the Prisma Cloud license key:
gsutil cat gs://pcc01/key.txt
  8. Paste the license key in the update field and click Register.

Prisma Cloud license page

  9. Once the key has been registered, a first-use menu appears; select the X in the upper right-hand corner to close it.

First use menu

Task 4. Deploy the Host Defender

Now you will install the Prisma Cloud Compute Host Defender. Host Defender communicates with the Prisma Cloud Compute Console over Transport Layer Security (TLS). You will update the list of identifiers (Subject Alternative Names) in the Console's certificate that the Host Defenders use to validate the Console's identity.

  1. Install a Prisma Cloud Compute Single Defender. From the Prisma Cloud Compute Console go to Manage > Defenders > Deploy.

Prisma Cloud Compute Console

  2. Add Subject Alternative Names (SAN).

Add the public Console IP address to the SAN list if you see a banner:

Banner message: Console's address isn't in the SAN list. Link: Click to add.

Or you can add a SAN to Console's certificate directly from Console's web interface:

  • Go to Manage > Defenders > Names.
  • Click Add SAN.
  • Enter a DNS name or the Console's External IP address.
  • Click Add.

Console's web interface

  3. Deploy the Single Defender. In Step 1 of the Console's deploy page, the name Defender will use to connect to the Console should be the External IP address of the Prisma Cloud Console. On the same page, scroll down to Step 2, select the Defender type and choose Host Defender - Linux. Then in Step 3 click the Copy button for the install script.

Defenders page

  4. Paste the install script into your shell session on each of the three Linux instances (the Cloud Shell session for kali and the SSH windows for jenkins-vm and juice-shop) to install the Host Defender.

kali, juice-shop, and jenkins-vm command instances

Keep these shell connections to the three Linux instances open; you will issue commands in each of them in later exercises.

  5. In the Prisma Cloud Console, navigate to Manage > Defenders > Manage to see the list of deployed Defenders. You will see something similar to the following:

Defenders tabbed page

  6. Navigate to the Radar view on the left menu and select Hosts. You will see the Defender has begun to scan the existing environment and populate the Console with information.

Hosts tabbed page

Click Check my progress to verify the objective. Deploy the Host Defender

Task 5. Gain visibility into all applications running on a host

  1. Navigate to Monitor > Runtime > Host Observations, then select jenkins to review an application with multiple processes.

Host Observations tabbed page

Apps tabbed page

  2. Scroll down and click twistlock-defender-server to review all of the following information:
  • Enriched information on the application, for known applications.
  • Listening ports.
  • Outgoing ports.
  • All processes used, including full path, the command used, parent path, user, and when the process was first observed.

twistlock-defender-server page

Task 6. Gain visibility to hosts exposed to known vulnerabilities

  1. Navigate to Radars > Hosts, click Jenkins, then click Vulnerabilities to review the vulnerability details.

Jenkins Vulnerabilities page

  2. Click Package Info.

Host details page

  3. Review the details of the packages.

Package info tabbed page

Close this view.

  4. Review the list of missing security updates via Monitor > Runtime > Host Observations. Open juice-shop and navigate to the Security Updates tab.

Host Observations tabbed page

Security Updates tabbed page

Close this view when you're finished reviewing.

Task 7. Protect Host with Runtime Defense

Prisma Cloud secures hosts with file integrity monitoring (FIM); log inspection; application, capability, and activity rules; custom runtime rules; and more, to ensure running workloads are secure. You can quickly view all audit or security events, with automated, secure forensic data captures. Prisma Cloud provides out-of-the-box protection against a large range of attack tools, including crypto miners, exploitation tools, C2 infrastructure, password attacks, and sniffing and spoofing tools. The runtime rules are customizable to protect against emerging threats or organization-specific requirements.

Protect hosts against specific command or domain

In addition to the out-of-the-box protection, you can create a runtime rule to block execution of a specific command and access to a specific domain name.

Create a runtime rule to prevent a process from running

  1. In the Prisma Cloud console, select Defend > Runtime, select the Host Policy tab, then click Add rule.

Host policy tabbed page

  2. Enter the rule name "prevent ls" and select all of the hosts you want to protect.

Create new runtime rule page

  3. On the Processes tab, switch Effect from Alert to Prevent.

  4. Add the ls command to Prevent processes.

Processes tabbed page

  5. On the Networking tab:
  • Enable DNS
  • Set Effect to Prevent
  • Add *.google.com to the Prevented domains list

DNS toggle bar

  6. Click Save.

Execute the command and look up the domain

You may have to log in to kali again.

  1. If so, use the following command:
ssh kali@[external IP of kali]

password: kali

  2. From the kali shell, issue the ls command:
ls

The command will be blocked.

Output message: Operation not permitted

  3. Now try a DNS lookup:
nslookup www.google.com

The operation will fail.

Output message: connection timed out; no servers could be reached

  4. Try a lookup for a known good domain:
nslookup www.paloaltonetworks.com

This lookup will succeed.

Output displays server and address
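To reason about why the three commands above behave as they do before running them on kali, here is a simplified model of the Task 7 rule in Python. It is an added example for this write-up, not Prisma Cloud code and not Defender's enforcement engine: the glob semantics assumed for the *.google.com wildcard, the hostnames in scope, and the "allow"/"alert"/"prevent" decision values are assumptions made for the example, not documented Prisma behaviour.

```python
"""Simplified model of the host runtime rule built in Task 7.

Added example, not Prisma Cloud code. It models a rule with a Prevent
effect on a process list and on a DNS prevented-domain list, and decides
what each of the task's three test commands would do.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List


@dataclass
class HostRuntimeRule:
    name: str
    hosts: List[str]                       # hostnames the rule applies to (assumed scope)
    process_effect: str = "alert"          # "alert" or "prevent"
    prevented_processes: List[str] = field(default_factory=list)
    dns_enabled: bool = False
    dns_effect: str = "alert"
    prevented_domains: List[str] = field(default_factory=list)

    def applies_to(self, host: str) -> bool:
        return host in self.hosts

    def process_decision(self, host: str, process: str) -> str:
        """Return "allow", "alert" or "prevent" for a process launch."""
        if not self.applies_to(host) or process not in self.prevented_processes:
            return "allow"
        return self.process_effect

    def dns_decision(self, host: str, domain: str) -> str:
        """Return "allow", "alert" or "prevent" for a DNS lookup.

        Assumption (not stated on the lab page): the '*' in a prevented
        domain behaves like a shell glob, so '*.google.com' matches
        www.google.com and mail.corp.google.com but not the bare apex
        google.com, and not www.google.com.attacker.example. DNS names are
        case-insensitive, so compare the lower-cased name and strip a
        trailing dot from fully qualified names.
        """
        if not (self.applies_to(host) and self.dns_enabled):
            return "allow"
        name = domain.lower().rstrip(".")
        for pattern in self.prevented_domains:
            if fnmatchcase(name, pattern.lower()):
                return self.dns_effect
        return "allow"


def task7_rule(hosts: List[str]) -> HostRuntimeRule:
    """The rule configured in Task 7: prevent ls and lookups of *.google.com."""
    return HostRuntimeRule(
        name="prevent ls",
        hosts=hosts,
        process_effect="prevent",
        prevented_processes=["ls"],
        dns_enabled=True,
        dns_effect="prevent",
        prevented_domains=["*.google.com"],
    )


def run_task7_checks(rule: HostRuntimeRule, host: str = "kali") -> dict:
    """Evaluate the three commands the task runs on kali."""
    return {
        "ls": rule.process_decision(host, "ls"),
        "nslookup www.google.com": rule.dns_decision(host, "www.google.com"),
        "nslookup www.paloaltonetworks.com": rule.dns_decision(host, "www.paloaltonetworks.com"),
    }


if __name__ == "__main__":
    rule = task7_rule(["kali", "juice-shop", "jenkins-vm"])
    for command, decision in run_task7_checks(rule).items():
        print(f"{command:40} -> {decision}")
    # A host outside the rule's scope is unaffected by it.
    print("ls on unmanaged-host ->", rule.process_decision("unmanaged-host", "ls"))
```

The model makes two points a practitioner should check against a real rule: a wildcard such as *.google.com does not cover the apex domain itself, and a Prevent rule only acts on the hosts selected in step 2, so a host left out of the scope keeps running ls and resolving the domain.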

Task 8. Gain visibility to attacks and conduct an investigation

With Host Audits you can see:

  • All audits associated with the incident in the incident explorer page.
  • Forensic data for the incident, presenting everything that occurred during the incident in a timeline view.

  1. In the Prisma Cloud console, select Monitor > Events.

Hosts can be filtered by Collections, Hostname and Last Audit.

Prisma Cloud console filter menu

  2. At the top, select Host Audits.

  3. Find the events for kali.

  4. Then click Forensic in the Network row.

Events page

  5. Uncheck Process spawned and SSH event to review only runtime audits, then find the alerts for the blocked ls command and the blocked nslookup for www.google.com.

Host forensic data page

  6. Remove the process rule that is blocking the ls command and the domain rule that is blocking www.google.com, then repeat the test.

Close this view when you're finished. Both ls and nslookup should now be allowed.

Review Host Activity

In the Prisma Cloud console, select Monitor > Event, then select Host Activities.

Monitor/Events page

Click Check my progress to verify the objective. Protect Host with Runtime Defense

Monitor Hosts for SSH Access

  1. In the Prisma Cloud console, select Monitor > Runtime, select the Host Observations tab, then select kali from the host list.

Host Observations tabbed page

  2. Click the SSH Events tab to review the SSH activities.

Explore kali, SSH Events tabbed page

Monitor Application Logs for Suspicious Activities

Review predefined templates for log inspection policy

  1. In the Prisma Cloud console, select Defend > Runtime and open the Host Policy tab.

  2. Then click Add Rule and enter the rule name "ql-nov-10".

  3. Select the Log Inspection tab and click Create from Template.

Edit Mason Test, Log Inspection tabbed page

  4. Review the log inspection template, then click Cancel.

Select log inspection template page

Create log inspection policy

  1. Add the log path:
/var/log/nginx/access.log
  2. Add the inspection expression:
Mozilla
  3. Click Add Rule.

Log Inspection tabbed page

  4. Click Save.

Log Inspection tabbed page

Generate Log Inspection Events

  1. Use a web browser to access http://[external IP of juice-shop]

Reminder: To obtain the external IP of juice-shop, in the Cloud Console go to Navigation menu > Compute Instance.

OWASP Juice Shop page

  1. Create a juice-shop account.

  2. Then buy some juice to generate traffic to the juice-shop web application.

  3. Now check the access log.

  4. In the juice-shop shell, issue the following command:

sudo tail /var/log/nginx/access.log

Output:

Output

Note there are multiple matches to the inspection expression "Mozilla".

  5. In the Prisma Cloud Console go to Monitor > Events, select Host Log Inspection and review the Host Log Inspection events.

Monitor, Events tabbed page

  6. Confirm that the inspection expression matches have triggered Host Log Inspection events.
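The inspection the rule performs, a regular expression applied to each new line of /var/log/nginx/access.log, is reproduced below in Python as an added example for this write-up. It is not Prisma Cloud's log inspection code: the nginx access-log lines are constructed sample data, the host name, path and expression are the ones the lab uses, and the event fields are an assumption about what a useful event should carry.

```python
"""Log inspection as configured above: watch /var/log/nginx/access.log for
lines matching the expression "Mozilla" and raise one event per matching line.

Added example for this lab write-up, not Prisma Cloud's log inspection code.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class LogInspectionEvent:
    host: str
    path: str
    line_no: int
    matched: str   # substring the expression matched
    line: str      # full log line, for the analyst


class LogInspector:
    """Incremental inspector: remembers how much of the file it has already
    read, so each call only examines newly appended lines, the way a
    log-tailing agent does. Assumes the file only grows (no rotation)."""

    def __init__(self, host: str, path: str, expression: str):
        self.host = host
        self.path = path
        self.pattern = re.compile(expression)
        self.offset = 0   # characters of the file already inspected

    def inspect(self, content: str) -> List[LogInspectionEvent]:
        """Inspect the current file content and return events for lines
        appended since the last call."""
        new_text = content[self.offset:]
        # Consume only complete lines; a partially written last line waits
        # for the next round so a record is never matched in two halves.
        if not new_text.endswith("\n"):
            last_nl = new_text.rfind("\n")
            new_text = new_text[:last_nl + 1] if last_nl >= 0 else ""
        first_line_no = content[:self.offset].count("\n") + 1
        events = []
        for line_no, line in enumerate(new_text.splitlines(), start=first_line_no):
            m = self.pattern.search(line)
            if m:
                events.append(LogInspectionEvent(self.host, self.path, line_no, m.group(0), line))
        self.offset += len(new_text)
        return events


# Constructed nginx access-log lines in the combined format; not a real capture.
SAMPLE_ACCESS_LOG = (
    '203.0.113.10 - - [20/Dec/2021:10:15:01 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"\n'
    '203.0.113.10 - - [20/Dec/2021:10:15:02 +0000] "GET /rest/products/search?q= HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"\n'
    '198.51.100.7 - - [20/Dec/2021:10:15:05 +0000] "GET /robots.txt HTTP/1.1" 200 28 "-" "curl/7.74.0"\n'
    '203.0.113.10 - - [20/Dec/2021:10:16:11 +0000] "POST /api/BasketItems/ HTTP/1.1" 201 45 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"\n'
)
# One more constructed browser request, appended between the two passes.
APPENDED_LINE = '203.0.113.10 - - [20/Dec/2021:10:17:40 +0000] "GET /ftp HTTP/1.1" 200 980 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/95.0"\n'


def demo() -> Tuple[List[LogInspectionEvent], List[LogInspectionEvent]]:
    """First pass over the sample log, then a second pass after one more
    request has been appended; only the new line is reported the second time."""
    inspector = LogInspector("juice-shop", "/var/log/nginx/access.log", "Mozilla")
    first = inspector.inspect(SAMPLE_ACCESS_LOG)
    second = inspector.inspect(SAMPLE_ACCESS_LOG + APPENDED_LINE)
    return first, second


if __name__ == "__main__":
    for batch in demo():
        for ev in batch:
            print(f"{ev.host}:{ev.path}:{ev.line_no} matched {ev.matched!r}")
```

Two details matter when writing such an inspector: the curl line in the sample produces no event, which is why the lab's expression "Mozilla" is a demonstration pattern rather than a useful detection (almost every browser request carries it), and the offset bookkeeping is what keeps a re-read of the file from re-raising the same events.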

Monitor suspicious activity on the host based on expected usage

Create rules to monitor Host activities

Prisma Cloud lets you audit security-related activity on hosts protected by Defender. The default host runtime rule alerts on the host activities including user, access, and application activities.

You can create additional runtime rules to control which type of events are captured on which hosts. You will create a rule to monitor Docker commands that alter state: create, run, exec, commit, save, push, login, export, kill, start, stop, and tag.

  1. In the Prisma Cloud Console, select Defend > Runtime, select the Host Policy tab, click Add Rule, then give the rule the name docker.

Runtime, Host Policy tabbed page

  2. Select the Activities tab, then turn on the switch at Docker commands.

Activities tabbed page

  3. Click Save.

Create a Host Activity event

  • Navigate to the jenkins shell and issue the following commands to start Docker and create a container:
sudo systemctl start docker
docker container create 3ac75179d901

Review Host Activity log

  1. In the Prisma Cloud console, select Monitor > Events.

Events page

  2. Click Host Activities and note the Docker activity entry.

Monitor/Events page

Monitor sensitive files

Create a Host Defend Runtime File Integrity Rule

  1. In the Prisma Cloud console, select Defend > Runtime.

  2. Select the Host Policy tab, click Add rule, and give the rule the name "etc".

  3. Select the File Integrity tab, leave Effect set to Alert, then click Add Rule.

File Integrity tabbed page

Add a new file integrity rule with the following settings:

  • Path: /etc
  • Write: checked
  • Read: checked
  • Metadata: checked
  • Scroll down and click Add File Integrity Rule

Add a new file integrity rule section

  4. Click Save to save the file integrity rule.

File Integrity tabbed page

Create a Host File Integrity event

  1. Navigate to the jenkins host shell and issue the following command to edit the resolver configuration:
sudo nano /etc/resolv.conf
  2. Change the nameserver to 8.8.8.8.

nameserver 8.8.8.8

  3. Save the changes and exit nano: Ctrl-X > Y.

Save query

  4. Press Enter to confirm the file name and save the file.

File name confirmation

Review Host Activity log

  1. In the Prisma Cloud console select Monitor > Events.

  2. Click on Host File Integrity.

Monitor/Events page
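The detection the rule above performs can be reproduced in miniature in Python. This is an added example for this write-up, not Prisma Cloud's FIM implementation: it baselines a directory and reports files whose content (Write) or attributes (Metadata) changed, working on a temporary directory built to look like /etc so it runs offline. The starting nameserver value and the second file are constructed; the Read checkbox from the rule is deliberately not modelled, because detecting reads needs kernel-level hooks (inotify/fanotify/auditd) that a userland hashing loop cannot provide.

```python
"""File integrity monitoring in the spirit of the /etc rule above.

Added example, not Prisma Cloud code. Baseline a directory (hash, mode,
owner of every regular file), repeat the walk later, and classify each
difference as a write (bytes changed) or metadata (same bytes, different
permissions or owner) event.
"""
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FileState:
    sha256: str
    mode: int      # permission bits only (S_IMODE)
    uid: int
    gid: int


@dataclass
class FimEvent:
    path: str      # relative to the monitored root
    kind: str      # "write", "metadata", "created" or "deleted"


def _state(path: str) -> FileState:
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return FileState(h.hexdigest(), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)


def baseline(root: str) -> Dict[str, FileState]:
    """Snapshot every regular file under root; symlinks are skipped so a
    link pointing outside the tree cannot pull foreign files into the baseline."""
    snap: Dict[str, FileState] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                snap[os.path.relpath(p, root)] = _state(p)
    return snap


def compare(old: Dict[str, FileState], new: Dict[str, FileState]) -> List[FimEvent]:
    """Diff two snapshots. Content changes take precedence over attribute
    changes, so a file that was both rewritten and chmod'ed is one write event."""
    events: List[FimEvent] = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            events.append(FimEvent(rel, "created"))
        elif rel not in new:
            events.append(FimEvent(rel, "deleted"))
        elif old[rel].sha256 != new[rel].sha256:
            events.append(FimEvent(rel, "write"))
        elif old[rel] != new[rel]:
            events.append(FimEvent(rel, "metadata"))
    return events


def demo() -> List[FimEvent]:
    """Recreate the lab's test on a fake /etc: change resolv.conf's
    nameserver to 8.8.8.8, and flip permissions on a second file to show
    a metadata-only event alongside the write."""
    with tempfile.TemporaryDirectory() as fake_etc:
        resolv = os.path.join(fake_etc, "resolv.conf")
        hosts = os.path.join(fake_etc, "hosts")
        with open(resolv, "w") as f:
            f.write("nameserver 10.0.0.2\n")        # constructed starting value
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")         # constructed content
        os.chmod(hosts, 0o644)
        before = baseline(fake_etc)

        with open(resolv, "w") as f:
            f.write("nameserver 8.8.8.8\n")          # the edit made with nano in the lab
        os.chmod(hosts, 0o600)                       # attributes only, bytes unchanged
        after = baseline(fake_etc)
        return compare(before, after)


if __name__ == "__main__":
    for ev in demo():
        print(f"{ev.kind:9} {ev.path}")
```

A polling baseline like this will miss a file that is changed and restored between two walks, which is why a production FIM agent hooks file events in the kernel rather than re-hashing; the example is for understanding what the Console's Host File Integrity event is telling you.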

Click Check my progress to verify the objective. Gain visibility to attacks and conduct an investigation

Congratulations!

You have successfully deployed Palo Alto Networks Prisma Cloud Compute and Host Defender. Through the exercises, you have experienced how Prisma Cloud secures hosts with file integrity monitoring (FIM); log inspection; application, capability, and activity rules; custom runtime rules; and more, to ensure running workloads are secure. Quickly view all audit or security events with automated, secure forensic data captures.

Finish Your Quest

This self-paced lab is part of the Securing Cloud with Palo Alto Networks quest. A quest is a series of related labs that form a learning path. Completing this quest earns you a badge to recognize your achievement. You can make your badge or badges public and link to them in your online resume or social media account. Enroll in this quest and get immediate completion credit. See the Google Cloud Skills Boost catalog to see all available quests.

Next steps / Learn more

End your lab

When you have completed your lab, click End Lab. Your account and the resources you've used are removed from the lab platform.

You will be given an opportunity to rate the lab experience. Select the applicable number of stars, type a comment, and then click Submit.

The number of stars indicates the following:

  • 1 star = Very dissatisfied
  • 2 stars = Dissatisfied
  • 3 stars = Neutral
  • 4 stars = Satisfied
  • 5 stars = Very satisfied

You can close the dialog box if you don't want to provide feedback.

For feedback, suggestions, or corrections, please use the Support tab.

Manual Last Updated: August 21, 2023

Lab Last Tested: December 20, 2021

Copyright 2023 Google LLC All rights reserved. Google and the Google logo are trademarks of Google LLC. All other company and product names may be trademarks of the respective companies with which they are associated.