
Update Host Vulnerability Policy

PUT 

/api/v30.00/policies/vulnerability/host

x-prisma-cloud-target-env: {"permission":"policyHosts","saas":true,"self-hosted":true}
x-public: true

Updates the vulnerability policy for the hosts protected by Defender. The request body replaces the entire rule set in a single call: every rule you want to keep must be present in the body, and any rule omitted from it is removed.

This endpoint maps to the policy table in Defend > Vulnerabilities > Hosts > Running hosts in the Console UI.

cURL Request

Refer to the following example cURL command, which overwrites all rules in your current policy with a new policy that has a single rule. Because the request replaces the whole rule list, retrieve the current policy first and include the rules you intend to keep in the body you send:

$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/vulnerability/host' \
  -X PUT \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d \
  '{
    "rules": [
      {
        "name": "<RULE_NAME>",
        "collections": [
          {
            "name": "<COLLECTION_NAME>"
          }
        ],
        "alertThreshold": {
          "disabled": false,
          "value": 1
        }
      }
    ],
    "policyType": "hostVulnerability",
    "_id": "hostVulnerability"
  }'

Note: A successful request returns OK with an empty response body; there is no JSON to parse.
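The cURL example above sends a hand-written body. The script below is an added example (not Palo Alto Networks code) showing the safer pattern for this endpoint: start from the policy the Console already holds (a constructed sample here, since this page does not document how to read it back), append or replace one rule, validate the body against the constraints documented on this page (policyType and _id of hostVulnerability, threshold values in 0..9, cveRules effects of ignore/alert/block, previousName when renaming), and only then build the PUT request. The host name, user, collection and rule names are placeholders, and the request object is built but not sent.

```python
"""Prepare a safe update for PUT /api/v<VERSION>/policies/vulnerability/host.

Added example, not Prisma Cloud's own code. The request overwrites every rule,
so the pattern is: start from the policy already on the Console (constructed
sample below), append or replace one rule, validate, then build the request.
"""
import copy
import json
from base64 import b64encode
from datetime import datetime, timedelta, timezone
from urllib.request import Request

POLICY_TYPE = "hostVulnerability"               # also used as _id on this page
SEVERITY = {"off": 0, "low": 1, "medium": 4, "high": 7, "critical": 9}
EFFECTS = {"ignore", "alert", "block"}


def cve_exception(cve_id, effect, description, expires_in_days=None):
    """One cveRules entry; a time-boxed exception gets expiration.enabled=true."""
    if effect not in EFFECTS:
        raise ValueError(f"effect must be one of {sorted(EFFECTS)}")
    entry = {"id": cve_id, "effect": effect, "description": description,
             "expiration": {"enabled": False}}
    if expires_in_days is not None:
        when = datetime.now(timezone.utc) + timedelta(days=expires_in_days)
        entry["expiration"] = {"enabled": True,
                               "date": when.strftime("%Y-%m-%dT%H:%M:%SZ")}
    return entry


def make_rule(name, collections, alert="low", block="off", only_fixed=False,
              cve_rules=(), previous_name=None):
    """Build a rule in the shape of the cURL example, plus block and exceptions."""
    rule = {
        "name": name,
        "collections": [{"name": c} for c in collections],
        "alertThreshold": {"disabled": alert == "off", "value": SEVERITY[alert]},
        "blockThreshold": {"enabled": block != "off", "value": SEVERITY[block]},
        "onlyFixed": only_fixed,
        "cveRules": list(cve_rules),
        "disabled": False,
    }
    if previous_name:                  # required when renaming an existing rule
        rule["previousName"] = previous_name
    return rule


def merge_rule(current, rule):
    """New policy with `rule` replacing a same-named (or renamed) rule, else
    appended. Existing rules are kept, so the PUT does not wipe them."""
    policy = copy.deepcopy(current)
    target = rule.get("previousName", rule["name"])
    rules = [r for r in policy.get("rules", []) if r["name"] != target]
    rules.append(rule)
    policy["rules"] = rules
    policy["policyType"] = POLICY_TYPE
    policy["_id"] = POLICY_TYPE
    return policy


def validate_policy(policy):
    """Raise ValueError for bodies the API would reject or that are unsafe to send."""
    if policy.get("policyType") != POLICY_TYPE or policy.get("_id") != POLICY_TYPE:
        raise ValueError("policyType and _id must be hostVulnerability")
    rules = policy.get("rules") or []
    if not rules:
        raise ValueError("refusing to PUT an empty rule list (it would wipe the policy)")
    names = [r["name"] for r in rules]
    if len(set(names)) != len(names):
        raise ValueError("rule names must be unique")
    for r in rules:
        if not r.get("collections") or any("name" not in c for c in r["collections"]):
            raise ValueError(f"rule {r['name']!r}: every collection needs a name")
        for key in ("alertThreshold", "blockThreshold"):
            value = (r.get(key) or {}).get("value", 0)
            if not 0 <= value <= 9:
                raise ValueError(f"rule {r['name']!r}: {key}.value {value} outside 0..9")
        for ex in r.get("cveRules", []):
            if ex.get("effect") not in EFFECTS:
                raise ValueError(f"rule {r['name']!r}: bad effect on {ex.get('id')}")
            exp = ex.get("expiration") or {}
            if exp.get("enabled") and not exp.get("date"):
                raise ValueError(f"rule {r['name']!r}: expiring exception without a date")
    return True


def build_put_request(console, version, user, password, policy):
    """urllib Request mirroring the cURL example (-u basic auth, JSON body); not sent."""
    validate_policy(policy)
    token = b64encode(f"{user}:{password}".encode()).decode()
    return Request(
        f"https://{console}/api/v{version}/policies/vulnerability/host",
        data=json.dumps(policy).encode(), method="PUT",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"},
    )


# Constructed sample of what the Console already holds (placeholder names, not real data).
CURRENT_POLICY = {
    "_id": POLICY_TYPE, "policyType": POLICY_TYPE,
    "rules": [make_rule("existing-alert-rule", ["all-hosts"], alert="low")],
}

if __name__ == "__main__":
    waiver = cve_exception("CVE-YYYY-NNNN", "alert", "placeholder id, 30-day waiver", 30)
    rule = make_rule("prod-hosts-block-critical", ["prod-hosts"], alert="medium",
                     block="critical", only_fixed=True, cve_rules=[waiver])
    req = build_put_request("console.example", "30.00", "api-user", "secret",
                            merge_rule(CURRENT_POLICY, rule))
    print(req.get_method(), req.full_url, [r["name"] for r in json.loads(req.data)["rules"]])
```

The refusal to send an empty rule list is deliberate: a PUT whose body has no rules is a valid request that silently removes every host vulnerability rule, which is the most common way this endpoint is misused from automation.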

Request

Body

    _id string

    Internal identifier.

    policyType common.PolicyType

    Possible values: [docker,containerVulnerability,containerCompliance,ciImagesVulnerability,ciImagesCompliance,hostVulnerability,hostCompliance,vmVulnerability,vmCompliance,serverlessCompliance,ciServerlessCompliance,serverlessVulnerability,ciServerlessVulnerability,containerRuntime,appEmbeddedRuntime,containerAppFirewall,hostAppFirewall,outOfBandAppFirewall,agentlessAppFirewall,appEmbeddedAppFirewall,serverlessAppFirewall,networkFirewall,secrets,hostRuntime,serverlessRuntime,kubernetesAudit,trust,admission,codeRepoVulnerability,ciCodeRepoVulnerability,codeRepoCompliance,ciCodeRepoCompliance]

    PolicyType represents the type of the policy

    rules object[]

    Rules holds all policy rules.

  • Array [
  • action string[]

    Action to take.

    alertThreshold object

    AlertThreshold is the vulnerability policy alert threshold. Threshold values typically vary between 0 and 10 (noninclusive).

    disabled boolean

    Suppresses alerts for all vulnerabilities (true).

    value float

    Minimum severity to trigger alerts. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.

    allCompliance boolean

    Reports the results of all compliance checks (both passed and failed) (true).

    auditAllowed boolean

    Specifies if Prisma Cloud audits successful transactions.

    blockMsg common.PolicyBlockMsg

    PolicyBlockMsg represent the block message in a Policy

    blockThreshold object

    BlockThreshold is the vulnerability policy block threshold. Threshold values typically vary between 0 and 10 (noninclusive).

    enabled boolean

    Enables blocking (true).

    value float

    Minimum severity to trigger blocking. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.

    collections object[]

    List of collections. Used to scope the rule.

  • Array [
  • accountIDs string[]

    List of account IDs.

    appIDs string[]

    List of application IDs.

    clusters string[]

    List of Kubernetes cluster names.

    codeRepos string[]

    List of code repositories.

    color common.Color

    Color is a hexadecimal representation of color code value

    containers string[]

    List of containers.

    description string

    Free-form text.

    functions string[]

    List of functions.

    hosts string[]

    List of hosts.

    images string[]

    List of images.

    labels string[]

    List of labels.

    modified date-time

    Datetime when the collection was last modified.

    name string

    Collection name. Must be unique.

    namespaces string[]

    List of Kubernetes namespaces.

    owner string

    User who created or last modified the collection.

    prisma boolean

    Indicates whether this collection originates from Prisma Cloud.

    system boolean

    Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).

  • ]
  • condition object

    Conditions contains rule conditions. Conditions apply only for their respective policy type

    device string

    Allowed volume host device (wildcard). If a "container create" command specifies a non-matching host device, the action is blocked. Only applies to rules in certain policy types.

    readonly boolean

    Indicates if the condition applies only to read-only commands (i.e., HTTP GET requests) (true) or not (false).

    vulnerabilities object[]

    Block and scan severity-based vulnerabilities conditions.

  • Array [
  • block boolean

    Specifies the effect. If true, the effect is block.

    id integer

    Vulnerability ID.

  • ]
  • createPR boolean

    CreatePR indicates whether to create a pull request for vulnerability fixes (relevant for code repos).

    cveRules object[]

    List of CVE IDs classified for special handling (also known as exceptions).

  • Array [
  • description string

    Free-form text for documenting the exception.

    effect vuln.Effect

    Possible values: [ignore,alert,block]

    Effect specifies relevant action for a vulnerability

    expiration object

    ExpirationDate is the vulnerability expiration date

    date date-time

    Date is the vulnerability expiration date.

    enabled boolean

    Enabled indicates that the grace period is enabled.

    id string

    CVE ID.

  • ]
  • disabled boolean

    Indicates if the rule is currently disabled (true) or not (false).

    effect common.PolicyEffect

    Possible values: [allow,deny,block,alert]

    PolicyEffect state the effect of evaluating the given policy

    excludeBaseImageVulns boolean

    ExcludeBaseImageVulns indicates whether to exclude vulnerabilities coming from the base image.

    graceDays integer

    Number of days to suppress the rule's block effect. Measured from date the vuln was fixed. If there's no fix, measured from the date the vuln was published.

    graceDaysPolicy object

    GraceDaysPolicy indicates the grace days policy by severity

    critical integer

    Number of grace days for critical-severity vulnerabilities.

    enabled boolean

    Enabled is an indication whether the grace days by severity is enabled.

    high integer

    Number of grace days for high-severity vulnerabilities.

    low integer

    Number of grace days for low-severity vulnerabilities.

    medium integer

    Number of grace days for medium-severity vulnerabilities.

    group string[]

    Applicable groups.

    license object

    LicenseConfig is the compliance policy license configuration

    alertThreshold object

    LicenseThreshold is the license severity threshold that indicates whether to perform an action (alert/block). Threshold values typically vary between 0 and 10 (noninclusive).

    enabled boolean

    Enabled indicates that the action is enabled.

    value float

    Value is the minimum severity score for which the action is enabled.

    blockThreshold object

    LicenseThreshold is the license severity threshold that indicates whether to perform an action (alert/block). Threshold values typically vary between 0 and 10 (noninclusive).

    enabled boolean

    Enabled indicates that the action is enabled.

    value float

    Value is the minimum severity score for which the action is enabled.

    critical string[]

    Critical is the list of licenses with critical severity.

    high string[]

    High is the list of licenses with high severity.

    low string[]

    Low is the list of licenses with low severity.

    medium string[]

    Medium is the list of licenses with medium severity.

    modified date-time

    Datetime when the rule was last modified.

    name string

    Name of the rule.

    notes string

    Free-form text.

    onlyFixed boolean

    Applies rule only when vendor fixes are available (true).

    owner string

    User who created or last modified the rule.

    previousName string

    Previous name of the rule. Required for rule renaming.

    principal string[]

    Applicable users.

    riskFactorsEffects object[]

    RiskFactorsEffects indicates the effect (alert/block) of each risk factor.

  • Array [
  • effect vuln.Effect

    Possible values: [ignore,alert,block]

    Effect specifies relevant action for a vulnerability

    riskFactor vuln.RiskFactor

    Possible values: [Critical severity,High severity,Medium severity,Has fix,Remote execution,DoS - Low,DoS - High,Recent vulnerability,Exploit exists - in the wild,Exploit exists - POC,Attack complexity: low,Attack vector: network,Reachable from the internet,Listening ports,Container is running as root,No mandatory security profile applied,Running as privileged container,Package in use,Sensitive information,Root mount,Runtime socket,Host access]

    RiskFactor represents a vulnerability risk factor, used in determining a vulnerability risk score

  • ]
  • tags object[]

    List of tags classified for special handling (also known as exceptions).

  • Array [
  • description string

    Free-form text for documenting the exception.

    effect vuln.Effect

    Possible values: [ignore,alert,block]

    Effect specifies relevant action for a vulnerability

    expiration object

    ExpirationDate is the vulnerability expiration date

    date date-time

    Date is the vulnerability expiration date.

    enabled boolean

    Enabled indicates that the grace period is enabled.

    name string

    Tag name.

  • ]
  • verbose boolean

    Displays a detailed message when an operation is blocked (true).

  • ]
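The rule fields above interact (an unexpired cveRules exception, onlyFixed, graceDays or graceDaysPolicy, then the alert and block thresholds), and the Console only shows the outcome after the policy is live. The following added example, which is not the Defender evaluation engine, models those documented semantics locally so a rule body can be dry-run against a list of findings before it is PUT. The order in which the checks are applied, the mapping of severity labels to the page's 1/4/7/9 scale, and the finding format (cve, severity, fixDate, publishedDate) are assumptions; the CVE ids in the sample are placeholders, not real vulnerabilities.

```python
"""Dry-run one host vulnerability rule against a list of findings.

Added example, not the Defender engine: it models the field semantics
documented on this page (cveRules exceptions with expiration, onlyFixed,
graceDays / graceDaysPolicy, alert and block thresholds). The order of checks
is an assumption. Severity labels map to the page's scale (1/4/7/9).
"""
from datetime import datetime, timedelta, timezone

SEVERITY = {"low": 1, "medium": 4, "high": 7, "critical": 9}


def parse_time(text):
    """Parse the API's date-time strings; accept a trailing 'Z' on older Pythons."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def exception_effect(rule, cve_id, now):
    """Effect from a matching cveRules entry that has not expired, or None."""
    for ex in rule.get("cveRules", []):
        if ex.get("id") != cve_id:
            continue
        exp = ex.get("expiration") or {}
        if exp.get("enabled") and exp.get("date") and parse_time(exp["date"]) <= now:
            continue                       # expired exception no longer applies
        return ex["effect"]
    return None


def grace_days(rule, severity):
    """Per-severity days when graceDaysPolicy is enabled, else the flat graceDays."""
    policy = rule.get("graceDaysPolicy") or {}
    if policy.get("enabled"):
        return int(policy.get(severity, 0))
    return int(rule.get("graceDays", 0))


def in_grace_period(rule, finding, now):
    """Block is suppressed for graceDays counted from the fix date, or from the
    publish date when no fix exists (as documented for graceDays)."""
    days = grace_days(rule, finding["severity"])
    if days <= 0:
        return False
    start = finding.get("fixDate") or finding["publishedDate"]
    return now < parse_time(start) + timedelta(days=days)


def evaluate(rule, finding, now):
    """Return 'ignore', 'alert' or 'block' for one finding under one rule."""
    if rule.get("disabled"):
        return "ignore"
    effect = exception_effect(rule, finding["cve"], now)
    if effect is not None:                 # exceptions win over thresholds
        return effect
    if rule.get("onlyFixed") and not finding.get("fixDate"):
        return "ignore"
    score = SEVERITY[finding["severity"]]
    block = rule.get("blockThreshold") or {}
    if (block.get("enabled") and 0 < block.get("value", 0) <= score
            and not in_grace_period(rule, finding, now)):
        return "block"
    alert = rule.get("alertThreshold") or {}
    if not alert.get("disabled") and 0 < alert.get("value", 0) <= score:
        return "alert"
    return "ignore"


def dry_run(rule, findings, now):
    """Map each finding's CVE id to the effect the rule would produce."""
    return {f["cve"]: evaluate(rule, f, now) for f in findings}


# Constructed sample rule and findings; CVE ids are placeholders, not real CVEs.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
RULE = {
    "name": "prod-hosts", "disabled": False, "onlyFixed": True, "graceDays": 14,
    "alertThreshold": {"disabled": False, "value": 4},
    "blockThreshold": {"enabled": True, "value": 7},
    "cveRules": [
        {"id": "CVE-EXAMPLE-1", "effect": "ignore", "description": "accepted risk",
         "expiration": {"enabled": True, "date": "2025-02-01T00:00:00Z"}},
        {"id": "CVE-EXAMPLE-2", "effect": "alert", "description": "lapsed waiver",
         "expiration": {"enabled": True, "date": "2025-01-01T00:00:00Z"}},
    ],
}
FINDINGS = [
    {"cve": "CVE-EXAMPLE-1", "severity": "critical", "fixDate": "2024-12-01T00:00:00Z", "publishedDate": "2024-11-01T00:00:00Z"},
    {"cve": "CVE-EXAMPLE-2", "severity": "critical", "fixDate": "2024-12-01T00:00:00Z", "publishedDate": "2024-11-01T00:00:00Z"},
    {"cve": "CVE-EXAMPLE-3", "severity": "high", "fixDate": "2025-01-10T00:00:00Z", "publishedDate": "2025-01-05T00:00:00Z"},
    {"cve": "CVE-EXAMPLE-4", "severity": "critical", "fixDate": None, "publishedDate": "2024-06-01T00:00:00Z"},
    {"cve": "CVE-EXAMPLE-5", "severity": "low", "fixDate": "2024-01-01T00:00:00Z", "publishedDate": "2023-12-01T00:00:00Z"},
]

if __name__ == "__main__":
    for cve, effect in dry_run(RULE, FINDINGS, NOW).items():
        print(f"{cve}: {effect}")
```

Two outcomes in the sample are the ones that surprise people in practice: the expired waiver on the second CVE falls through to the block threshold, and the recently fixed high-severity CVE is only alerted on because it is still inside the 14-day grace window. Switching on graceDaysPolicy changes the window per severity without touching the thresholds.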

Responses

OK (empty response body)