Update Runtime Container Policy
PUT /api/v32.07/policies/runtime/container
Required permission: policyRuntimeContainer (x-prisma-cloud-target-env: {"permission":"policyRuntimeContainer"})
Updates the runtime policy for containers. The request replaces all rules in the policy in a single shot: any rule that is not in the request body is removed from the policy.
Prisma Cloud automatically builds an allow-list security model for each container image in your environment. Runtime container rules augment those learned models; the effective policy is composed as follows:
Policy (allowed) = Manual rules (explicitly allowed) + Model (all learned behavior) - Manual rules (explicitly denied)
This endpoint maps to the Add rule button in Defend > Runtime > Container policy in the Console UI.
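The composition formula above has one consequence a practitioner should check before shipping a rule: an explicit deny is subtracted last, so it wins even over behaviour the model learned during the learning period. The following script, an added example that is not part of the Prisma Cloud documentation, evaluates that formula for the processes section of a rule against a constructed learned model. The field names (defaultEffect, allowedList, deniedList.paths, deniedList.effect) are the ones in this page's request schema; the image, the learned paths and the path-matching semantics (exact match, or prefix match when an entry ends in "/") are assumptions made for illustration.

```python
"""Added example, not from the Prisma Cloud documentation: evaluates

    Policy (allowed) = Manual rules (explicitly allowed)
                     + Model (all learned behavior)
                     - Manual rules (explicitly denied)

for the `processes` section of a runtime container rule. The learned model,
the rule and the process paths are constructed sample data; how the Defender
matches a path (exact, or prefix when an entry ends in "/") is an assumption.
"""
from __future__ import annotations

# Constructed learned model for one image: process paths observed while learning.
LEARNED_MODEL = {
    "image": "registry.example/shop/api:1.4",
    "processes": {"/usr/local/bin/node", "/usr/bin/npm", "/bin/sh"},
}

# Constructed manual rule, reduced to the parts the evaluation needs.
RULE = {
    "name": "shop-api-processes",
    "processes": {
        "defaultEffect": "alert",          # effect for anything outside model + allow-list
        "allowedList": ["/usr/bin/curl"],  # explicitly allowed, on top of the learned model
        "deniedList": {                    # explicitly denied: subtracted last, so it wins
            "effect": "block",
            "paths": ["/bin/sh", "/usr/bin/nc", "/tmp/"],
        },
    },
}


def _matches(path: str, entries: list[str]) -> bool:
    """Exact match, or prefix match for entries ending in '/' (assumed semantics)."""
    return any(path == e or (e.endswith("/") and path.startswith(e)) for e in entries)


def effect_for_process(path: str, rule: dict, model: dict) -> str:
    """Effect the rule applies to a launch of `path`: 'allow', or a RuleEffect string.

    The order mirrors the formula: start from allow-list plus model, then
    subtract the explicit denies, so a denied path is denied even when the
    model learned it (here /bin/sh is in the model and still gets 'block').
    """
    proc = rule["processes"]
    denied = proc.get("deniedList", {})
    if _matches(path, denied.get("paths", [])):
        return denied.get("effect", proc["defaultEffect"])
    if _matches(path, proc.get("allowedList", [])) or path in model["processes"]:
        return "allow"
    return proc["defaultEffect"]


def evaluate(paths: list[str], rule: dict = RULE, model: dict = LEARNED_MODEL) -> dict[str, str]:
    """Evaluate several process paths at once, to review a rule before PUTting it."""
    return {p: effect_for_process(p, rule, model) for p in paths}


if __name__ == "__main__":
    for path, effect in evaluate(
        ["/usr/local/bin/node", "/usr/bin/curl", "/bin/sh", "/tmp/xmrig", "/usr/bin/python3"]
    ).items():
        print(f"{path:24} -> {effect}")
```

Running it shows the three tiers the formula produces: paths in the model or the allow-list pass, anything else falls to defaultEffect, and a deniedList entry overrides the model regardless of what was learned.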
cURL Request
Refer to the following example cURL command, which overwrites all rules in your current policy with a new policy that has a single rule. The -k flag skips TLS certificate verification; drop it once the Console presents a certificate your client trusts.
$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/runtime/container' \
  -k \
  -X PUT \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d \
  '{
    "rules": [
      {
        "name": "my-rule",
        "collections": [
          { "name": "All" }
        ],
        "processes": { "effect": "alert" },
        "network": { "effect": "alert" },
        "dns": { "effect": "alert" },
        "filesystem": { "effect": "alert" }
      }
    ]
  }'
Note: A successful request returns HTTP 200 with an empty body.
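Because this endpoint replaces every rule in one shot, a client that sends only the rule it cares about deletes all the other rules in the Console. The safe pattern is read-modify-write: fetch the live policy, upsert your rule by name, validate the effect values against the RuleEffect enum, and PUT the whole policy back. The following script is an added example and not part of the Prisma Cloud documentation. It assumes things this page does not state: that a GET on the same path returns the current policy (the companion "Get" call), that the policy has the {"rules": [...]} shape of the cURL example above, and that the rule fields follow this page's request schema. <CONSOLE>, <USER> and <PASSWORD> are placeholders; the rule contents are one reasonable baseline, not a vendor recommendation.

```python
"""Added example (not from the Prisma Cloud documentation): read-modify-write
update of the runtime container policy. PUT replaces every rule in one shot,
so a client that sends only its own rule deletes every other rule; this one
GETs the live policy, upserts a rule by name and PUTs the whole policy back.
Assumptions: GET on the same path returns the current policy (not stated on
this page), the policy has the {"rules": [...]} shape of the page's cURL
example, and <CONSOLE>/<USER>/<PASSWORD> are placeholders. Stdlib only.
"""
from __future__ import annotations

import base64
import copy
import json
import ssl
import urllib.request

API = "/api/v32.07/policies/runtime/container"
EFFECTS = ("block", "prevent", "alert", "disable")  # RuleEffect enum from the schema


def make_rule(name: str, collections=("All",), previous_name: str | None = None) -> dict:
    """Rule that audits by default but blocks well-known attacker behaviour."""
    rule = {
        "name": name,
        "collections": [{"name": c} for c in collections],
        "notes": "managed as code; edit in the repository, not in the Console",
        "skipExecSessions": False,  # keep validating docker/kubectl exec sessions too
        "processes": {"defaultEffect": "alert", "checkParentChild": True,
                      "reverseShellEffect": "block", "cryptoMinersEffect": "block",
                      "deniedList": {"effect": "block", "paths": ["/usr/bin/nc", "/usr/bin/ncat"]}},
        "network": {"defaultEffect": "alert", "rawSocketsEffect": "block", "portScanEffect": "block"},
        "dns": {"defaultEffect": "alert"},
        "filesystem": {"defaultEffect": "alert", "backdoorFilesEffect": "block",
                       "encryptedBinariesEffect": "block", "suspiciousELFHeadersEffect": "block"},
    }
    if previous_name:
        rule["previousName"] = previous_name  # schema: required when renaming a rule
    return rule


def validate_effects(rule: dict) -> list[str]:
    """'path=value' for every effect field outside the RuleEffect enum.
    customRules are skipped: their own enum also allows 'allow' and 'ban'."""
    problems: list[str] = []

    def walk(obj, where: str) -> None:
        if isinstance(obj, dict):
            for k, v in obj.items():
                if k == "customRules":
                    continue
                if (k.endswith("Effect") or k in ("effect", "wildFireAnalysis")) and v not in EFFECTS:
                    problems.append(f"{where}.{k}={v!r}")
                walk(v, f"{where}.{k}")
        elif isinstance(obj, list):
            for i, v in enumerate(obj):
                walk(v, f"{where}[{i}]")

    walk(rule, rule.get("name", "rule"))
    return problems


def upsert_rule(policy: dict, rule: dict) -> dict:
    """Copy of `policy` with `rule` replacing the rule of the same name (or of its
    previousName when renaming); appended otherwise. Existing order is preserved."""
    new = copy.deepcopy(policy)
    rules = new.setdefault("rules", [])
    targets = {rule["name"], rule.get("previousName")}
    for i, existing in enumerate(rules):
        if existing.get("name") in targets:
            rules[i] = rule
            break
    else:
        rules.append(rule)
    return new


def _request(console, user, password, method, body=None, verify_tls=True):
    # Basic auth, as the page's `curl -u` does. Returns (status, parsed JSON or None).
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{console}{API}", method=method,
        data=None if body is None else json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:  # same as curl -k; only for a self-signed Console you trust out of band
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def apply_rule(console, user, password, rule, verify_tls=True) -> int:
    """GET the live policy, upsert `rule`, PUT everything back; returns the HTTP status."""
    if problems := validate_effects(rule):
        raise ValueError(f"invalid effect values: {problems}")
    _, current = _request(console, user, password, "GET", verify_tls=verify_tls)
    status, _ = _request(console, user, password, "PUT", upsert_rule(current or {}, rule), verify_tls)
    return status


if __name__ == "__main__":  # replace the placeholders before running
    print(apply_rule("<CONSOLE>", "<USER>", "<PASSWORD>", make_rule("baseline-block-attacker-tools")))
```

validate_effects runs before any network call because the enum check is cheap and a rejected PUT is the best case; a Console that accepts an unknown value and silently treats it as disabled is the worse one. Renaming goes through previousName, which the schema marks as required for that case, so the upsert matches on both the old and the new name.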
Request
Content-Type: application/json
Body
The body carries the policy's rules (wrapped in a "rules" array, as in the cURL example above). Each rule object has the fields below. RuleEffect is the effect that will be used in the runtime rule; possible values: block, prevent, alert, disable.
advancedProtectionEffect (RuleEffect)
cloudMetadataEnforcementEffect (RuleEffect)
collections (object[])
customRules (object[])
disabled (boolean): indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).
dns (object)
filesystem (object)
kubernetesEnforcementEffect (RuleEffect)
modified (date-time): specifies the date and time when the rule was last modified.
name (string): name of the rule.
network (object)
notes (string): describes any noteworthy points for a rule. You can include any text.
owner (string): user who created or last modified the rule.
previousName (string): previous name of the rule. Required for rule renaming.
processes (object)
skipExecSessions (boolean): indicates whether to skip runtime validation for events triggered by docker/kubectl exec.
wildFireAnalysis (RuleEffect)
The fields of the collections, customRules, dns, filesystem, network and processes objects are shown in the generated request sample below.
Responses
- 200: OK. The response body is empty.
- default: error response.
Generated request sample
The following auto-generated sample lists every field of a rule object. Where a field is an enumerated RuleEffect the generator prints all permitted values as an array; in a real request each such field takes exactly one of those strings, and rule objects are wrapped in the "rules" array as in the cURL example above. Replace <CONSOLE> and <USER> with your Console address and user.
curl 'https://<CONSOLE>/api/v32.07/policies/runtime/container' \
-X PUT \
-u <USER> \
-H 'Content-Type: application/json' \
-d '{
"advancedProtectionEffect": [
"block",
"prevent",
"alert",
"disable"
],
"cloudMetadataEnforcementEffect": [
"block",
"prevent",
"alert",
"disable"
],
"collections": [
{
"accountIDs": [
"string"
],
"appIDs": [
"string"
],
"clusters": [
"string"
],
"color": "string",
"containers": [
"string"
],
"description": "string",
"functions": [
"string"
],
"hosts": [
"string"
],
"images": [
"string"
],
"labels": [
"string"
],
"modified": "2024-07-29T15:51:28.071Z",
"name": "string",
"namespaces": [
"string"
],
"owner": "string",
"prisma": true,
"system": true
}
],
"customRules": [
{
"_id": 0,
"action": [
"audit",
"incident"
],
"effect": [
"block",
"prevent",
"alert",
"allow",
"ban",
"disable"
]
}
],
"disabled": true,
"dns": {
"defaultEffect": [
"block",
"prevent",
"alert",
"disable"
],
"disabled": true,
"domainList": {
"allowed": [
"string"
],
"denied": [
"string"
],
"effect": [
"block",
"prevent",
"alert",
"disable"
]
}
},
"filesystem": {
"allowedList": [
"string"
],
"backdoorFilesEffect": [
"block",
"prevent",
"alert",
"disable"
],
"defaultEffect": [
"block",
"prevent",
"alert",
"disable"
],
"deniedList": {
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"paths": [
"string"
]
},
"disabled": true,
"encryptedBinariesEffect": [
"block",
"prevent",
"alert",
"disable"
],
"newFilesEffect": [
"block",
"prevent",
"alert",
"disable"
],
"suspiciousELFHeadersEffect": [
"block",
"prevent",
"alert",
"disable"
]
},
"kubernetesEnforcementEffect": [
"block",
"prevent",
"alert",
"disable"
],
"modified": "2024-07-29T15:51:28.071Z",
"name": "string",
"network": {
"allowedIPs": [
"string"
],
"defaultEffect": [
"block",
"prevent",
"alert",
"disable"
],
"deniedIPs": [
"string"
],
"deniedIPsEffect": [
"block",
"prevent",
"alert",
"disable"
],
"disabled": true,
"listeningPorts": {
"allowed": [
{
"deny": true,
"end": 0,
"start": 0
}
],
"denied": [
{
"deny": true,
"end": 0,
"start": 0
}
],
"effect": [
"block",
"prevent",
"alert",
"disable"
]
},
"modifiedProcEffect": [
"block",
"prevent",
"alert",
"disable"
],
"outboundPorts": {
"allowed": [
{
"deny": true,
"end": 0,
"start": 0
}
],
"denied": [
{
"deny": true,
"end": 0,
"start": 0
}
],
"effect": [
"block",
"prevent",
"alert",
"disable"
]
},
"portScanEffect": [
"block",
"prevent",
"alert",
"disable"
],
"rawSocketsEffect": [
"block",
"prevent",
"alert",
"disable"
]
},
"notes": "string",
"owner": "string",
"previousName": "string",
"processes": {
"allowedList": [
"string"
],
"checkParentChild": true,
"cryptoMinersEffect": [
"block",
"prevent",
"alert",
"disable"
],
"defaultEffect": [
"block",
"prevent",
"alert",
"disable"
],
"deniedList": {
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"paths": [
"string"
]
},
"disabled": true,
"lateralMovementEffect": [
"block",
"prevent",
"alert",
"disable"
],
"modifiedProcessEffect": [
"block",
"prevent",
"alert",
"disable"
],
"reverseShellEffect": [
"block",
"prevent",
"alert",
"disable"
],
"suidBinariesEffect": [
"block",
"prevent",
"alert",
"disable"
]
},
"skipExecSessions": true,
"wildFireAnalysis": [
"block",
"prevent",
"alert",
"disable"
]
}'