Get Runtime Serverless Policy

GET 
/api/v32.07/policies/runtime/serverless

x-prisma-cloud-target-env: {"permission":"policyRuntimeServerless"}

Retrieves the runtime policy for your serverless functions. A policy consists of ordered rules.

This endpoint maps to Defend > Runtime > Serverless policy in the Console UI.

cURL Request

Refer to the following example cURL command:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  'https://<CONSOLE>/api/v<VERSION>/policies/runtime/serverless'

A successful response returns a list of runtime rules in the policy.

Responses

200

ServerlessPolicy represents a serverless runtime policy enforced for a given running resource

application/json

Schema

Schema

_id string

Internal identifier.

learningDisabled boolean

Indicates whether automatic behavioural learning is enabled (true) or not (false).

rules object[]
Rules in the policy.
Array [
advancedProtection boolean
Indicates whether advanced protection (e.g., custom or premium feeds for container, added whitelist rules for serverless) is enabled (true) or not (false).
cloudMetadataEnforcement boolean
Catches containers that access the cloud provider metadata API.
collections object[]
List of collections. Used to scope the rule.
Array [
accountIDs string (string)[]
List of account IDs.
appIDs string (string)[]
List of application IDs.
clusters string (string)[]
List of Kubernetes cluster names.
color common.Color (string)
Color is a hexadecimal representation of color code value
containers string (string)[]
List of containers.
description string
Free-form text.
functions string (string)[]
List of functions.
hosts string (string)[]
List of hosts.
images string (string)[]
List of images.
labels string (string)[]
List of labels.
modified date-time
Datetime when the collection was last modified.
name string
Collection name. Must be unique.
namespaces string (string)[]
List of Kubernetes namespaces.
owner string
User who created or last modified the collection.
prisma boolean
Indicates whether this collection originates from Prisma Cloud.
system boolean
Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).
]
customRules object[]
List of custom runtime rules.
Array [
_id integer
Custom rule ID.
action customrules.Action (string)
Possible values: [audit,incident]
Action is the action to perform if the custom rule applies
effect customrules.Effect (string)
Possible values: [block,prevent,alert,allow,ban,disable]
Effect is the effect that will be used for custom rule
]
disabled boolean
Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).
dns object
DNSRule is the DNS runtime rule
blacklist string (string)[]
List of deny-listed domain names (e.g., www.bad-url.com, *.bad-url.com).
effect runtime.RuleEffect (string)
Possible values: [block,prevent,alert,disable]
RuleEffect is the effect that will be used in the runtime rule
whitelist string (string)[]
List of allow-listed domain names (e.g., *.gmail.com, .s3..amazon.com).
filesystem object
FilesystemRule represents restrictions/suppression for filesystem changes
backdoorFiles boolean
Monitors files that can create and/or persist backdoors (currently SSH and admin account config files) (true).
blacklist string (string)[]
List of denied file system path.
checkNewFiles boolean
Detects changes to binaries and certificates (true).
effect runtime.RuleEffect (string)
Possible values: [block,prevent,alert,disable]
RuleEffect is the effect that will be used in the runtime rule
skipEncryptedBinaries boolean
Indicates that encrypted binaries check should be skipped.
suspiciousELFHeaders boolean
Indicates whether malware detection based on suspicious ELF headers is enabled.
whitelist string (string)[]
List of allowed file system path.
kubernetesEnforcement boolean
Detects containers that attempt to compromise the orchestrator.
modified date-time
Specifies the date and time when the rule was last modified.
name string
Name of the rule.
network object
NetworkRule represents the restrictions/suppression for networking
blacklistIPs string (string)[]
Deny-listed IP addresses.
blacklistListeningPorts object[]
Deny-listed listening ports.
Array [
deny boolean
Deny indicates whether the connection is denied.
end integer
.
start integer
.
]
blacklistOutboundPorts object[]
Deny-listed outbound ports.
Array [
deny boolean
Deny indicates whether the connection is denied.
end integer
.
start integer
.
]
effect runtime.RuleEffect (string)
Possible values: [block,prevent,alert,disable]
RuleEffect is the effect that will be used in the runtime rule
whitelistIPs string (string)[]
Allow-listed IP addresses.
whitelistListeningPorts object[]
Allow-listed listening ports.
Array [
deny boolean
Deny indicates whether the connection is denied.
end integer
.
start integer
.
]
whitelistOutboundPorts object[]
Allow-listed outbound ports.
Array [
deny boolean
Deny indicates whether the connection is denied.
end integer
.
start integer
.
]
notes string
Describes any noteworthy points for a rule. You can include any text.
owner string
User who created or last modified the rule.
previousName string
Previous name of the rule. Required for rule renaming.
processes object
ProcessesRule represents restrictions/suppression for running processes
blacklist string (string)[]
List of processes to deny.
blockAllBinaries boolean
Indicates that all processes are blocked except the main process.
checkCryptoMiners boolean
Detect crypto miners.
checkLateralMovement boolean
Indicates whether dectection of processes that can be used for lateral movement exploits is enabled.
checkNewBinaries boolean
Indicates whether binaries which do not belong to the original image are allowed to run.
effect runtime.RuleEffect (string)
Possible values: [block,prevent,alert,disable]
RuleEffect is the effect that will be used in the runtime rule
skipModified boolean
Indicates whether to trigger audits/incidents when a modified proc is spawned.
whitelist string (string)[]
List of processes to allow.
skipExecSessions boolean
Indicates whether to skip runtime validation for events triggered by docker/kubectl exec.
wildFireAnalysis runtime.RuleEffect (string)
Possible values: [block,prevent,alert,disable]
RuleEffect is the effect that will be used in the runtime rule
]

Example (from schema)

{
  "_id": "string",
  "learningDisabled": true,
  "rules": [
    {
      "advancedProtection": true,
      "cloudMetadataEnforcement": true,
      "collections": [
        {
          "accountIDs": [
            "string"
          ],
          "appIDs": [
            "string"
          ],
          "clusters": [
            "string"
          ],
          "color": "string",
          "containers": [
            "string"
          ],
          "description": "string",
          "functions": [
            "string"
          ],
          "hosts": [
            "string"
          ],
          "images": [
            "string"
          ],
          "labels": [
            "string"
          ],
          "modified": "2024-07-29T15:51:28.071Z",
          "name": "string",
          "namespaces": [
            "string"
          ],
          "owner": "string",
          "prisma": true,
          "system": true
        }
      ],
      "customRules": [
        {
          "_id": 0,
          "action": [
            "audit",
            "incident"
          ],
          "effect": [
            "block",
            "prevent",
            "alert",
            "allow",
            "ban",
            "disable"
          ]
        }
      ],
      "disabled": true,
      "dns": {
        "blacklist": [
          "string"
        ],
        "effect": [
          "block",
          "prevent",
          "alert",
          "disable"
        ],
        "whitelist": [
          "string"
        ]
      },
      "filesystem": {
        "backdoorFiles": true,
        "blacklist": [
          "string"
        ],
        "checkNewFiles": true,
        "effect": [
          "block",
          "prevent",
          "alert",
          "disable"
        ],
        "skipEncryptedBinaries": true,
        "suspiciousELFHeaders": true,
        "whitelist": [
          "string"
        ]
      },
      "kubernetesEnforcement": true,
      "modified": "2024-07-29T15:51:28.071Z",
      "name": "string",
      "network": {
        "blacklistIPs": [
          "string"
        ],
        "blacklistListeningPorts": [
          {
            "deny": true,
            "end": 0,
            "start": 0
          }
        ],
        "blacklistOutboundPorts": [
          {
            "deny": true,
            "end": 0,
            "start": 0
          }
        ],
        "effect": [
          "block",
          "prevent",
          "alert",
          "disable"
        ],
        "whitelistIPs": [
          "string"
        ],
        "whitelistListeningPorts": [
          {
            "deny": true,
            "end": 0,
            "start": 0
          }
        ],
        "whitelistOutboundPorts": [
          {
            "deny": true,
            "end": 0,
            "start": 0
          }
        ]
      },
      "notes": "string",
      "owner": "string",
      "previousName": "string",
      "processes": {
        "blacklist": [
          "string"
        ],
        "blockAllBinaries": true,
        "checkCryptoMiners": true,
        "checkLateralMovement": true,
        "checkNewBinaries": true,
        "effect": [
          "block",
          "prevent",
          "alert",
          "disable"
        ],
        "skipModified": true,
        "whitelist": [
          "string"
        ]
      },
      "skipExecSessions": true,
      "wildFireAnalysis": [
        "block",
        "prevent",
        "alert",
        "disable"
      ]
    }
  ]
}

default

Loading...