Update Runtime Container Policy

POST 

/api/v32.07/policies/runtime/container

x-prisma-cloud-target-env: {"permission":"policyRuntimeContainer"}

Updates the runtime policy for containers. All rules in the policy are updated in a single shot.

Prisma Cloud automatically builds allow-list security models for each container image in your environment. Use runtime container rules to augment the rules in those models. Manually defined rules augment learned models as follows:

Policy (allowed) = Manual rules (explicitly allowed) + Model (all learned behavior) - Manual rules (explicitly denied)

This endpoint maps to the Add rule button in Defend > Runtime > Container policy in the Console UI.

cURL Request

Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule:

$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/runtime/container' \
  -k \
  -X PUT \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d \
  '{
    "rules": [
      {
        "name": "my-rule",
        "collections": [
          {
            "name": "All"
          }
        ],
        "processes": {
          "effect": "alert"
        },
        "network": {
          "effect": "alert"
        },
        "dns": {
          "effect": "alert"
        },
        "filesystem": {
          "effect": "alert"
        }
      }
    ]
  }'

Note: No response will be returned upon successful execution.

Request

Body

    advancedProtectionEffect  runtime.RuleEffect (string)
        Effect that will be used in the runtime rule.
        Possible values: [block, prevent, alert, disable]

    cloudMetadataEnforcementEffect  runtime.RuleEffect (string)
        Effect that will be used in the runtime rule.
        Possible values: [block, prevent, alert, disable]

    collections  object[]
        List of collections. Used to scope the rule. Each array item has:

        accountIDs  string[]
            List of account IDs.
        appIDs  string[]
            List of application IDs.
        clusters  string[]
            List of Kubernetes cluster names.
        color  common.Color (string)
            Hexadecimal representation of a color code value.
        containers  string[]
            List of containers.
        description  string
            Free-form text.
        functions  string[]
            List of functions.
        hosts  string[]
            List of hosts.
        images  string[]
            List of images.
        labels  string[]
            List of labels.
        modified  date-time
            Datetime when the collection was last modified.
        name  string
            Collection name. Must be unique.
        namespaces  string[]
            List of Kubernetes namespaces.
        owner  string
            User who created or last modified the collection.
        prisma  boolean
            Indicates whether this collection originates from Prisma Cloud.
        system  boolean
            Indicates whether this collection was created by the system (i.e., a non-user) (true) or a real user (false).

    customRules  object[]
        List of custom runtime rules. Each array item has:

        _id  integer
            Custom rule ID.
        action  customrules.Action (string)
            Action to perform if the custom rule applies.
            Possible values: [audit, incident]
        effect  customrules.Effect (string)
            Effect that will be used for the custom rule.
            Possible values: [block, prevent, alert, allow, ban, disable]

    disabled  boolean
        Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).

    dns  object
        ContainerDNSRule is the DNS runtime rule for a container.

        defaultEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        disabled  boolean
            Globally disables the DNS rule.
        domainList  object
            DNSListRule represents an explicitly allowed/denied domain list rule.

            allowed  string[]
                Allow-listed domain names.
            denied  string[]
                Deny-listed domain names.
            effect  runtime.RuleEffect (string)
                Effect that will be used in the runtime rule.
                Possible values: [block, prevent, alert, disable]

    filesystem  object
        ContainerFilesystemRule represents restrictions/suppression for filesystem changes.

        allowedList  string[]
            List of allowed file system paths.
        backdoorFilesEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        defaultEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        deniedList  object
            DenyListRule represents a rule containing paths of files and processes to alert on or prevent, and the required effect.

            effect  runtime.RuleEffect (string)
                Effect that will be used in the runtime rule.
                Possible values: [block, prevent, alert, disable]
            paths  string[]
                Paths to alert on or prevent when an event with one of the paths is triggered.
        disabled  boolean
            Globally disables the filesystem rule.
        encryptedBinariesEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        newFilesEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        suspiciousELFHeadersEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]

    kubernetesEnforcementEffect  runtime.RuleEffect (string)
        Effect that will be used in the runtime rule.
        Possible values: [block, prevent, alert, disable]

    modified  date-time
        Specifies the date and time when the rule was last modified.

    name  string
        Name of the rule.

    network  object
        ContainerNetworkRule represents the restrictions/suppression for networking.

        allowedIPs  string[]
            Allow-listed IP addresses.
        defaultEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        deniedIPs  string[]
            Deny-listed IP addresses.
        deniedIPsEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        disabled  boolean
            Globally disables the network rule.
        listeningPorts  object
            PortListRule represents a rule containing ports to allow/deny and the required effect.

            allowed  object[]
                Allow-listed listening ports. Each array item has:
                deny  boolean
                    Indicates whether the connection is denied.
                end  integer
                start  integer
            denied  object[]
                Deny-listed listening ports. Each array item has:
                deny  boolean
                    Indicates whether the connection is denied.
                end  integer
                start  integer
            effect  runtime.RuleEffect (string)
                Effect that will be used in the runtime rule.
                Possible values: [block, prevent, alert, disable]
        modifiedProcEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        outboundPorts  object
            PortListRule represents a rule containing ports to allow/deny and the required effect.

            allowed  object[]
                Allow-listed listening ports. Each array item has:
                deny  boolean
                    Indicates whether the connection is denied.
                end  integer
                start  integer
            denied  object[]
                Deny-listed listening ports. Each array item has:
                deny  boolean
                    Indicates whether the connection is denied.
                end  integer
                start  integer
            effect  runtime.RuleEffect (string)
                Effect that will be used in the runtime rule.
                Possible values: [block, prevent, alert, disable]
        portScanEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        rawSocketsEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]

    notes  string
        Describes any noteworthy points for a rule. You can include any text.

    owner  string
        User who created or last modified the rule.

    previousName  string
        Previous name of the rule. Required for rule renaming.

    processes  object
        ContainerProcessesRule represents restrictions/suppression for running processes.

        allowedList  string[]
            List of processes to allow.
        checkParentChild  boolean
            Indicates whether checking for the parent-child relationship when comparing spawned processes against the model is enabled.
        cryptoMinersEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        defaultEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        deniedList  object
            DenyListRule represents a rule containing paths of files and processes to alert on or prevent, and the required effect.

            effect  runtime.RuleEffect (string)
                Effect that will be used in the runtime rule.
                Possible values: [block, prevent, alert, disable]
            paths  string[]
                Paths to alert on or prevent when an event with one of the paths is triggered.
        disabled  boolean
            Globally disables the processes rule.
        lateralMovementEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        modifiedProcessEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        reverseShellEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]
        suidBinariesEffect  runtime.RuleEffect (string)
            Effect that will be used in the runtime rule.
            Possible values: [block, prevent, alert, disable]

    skipExecSessions  boolean
        Indicates whether to skip runtime validation for events triggered by docker/kubectl exec.

    wildFireAnalysis  runtime.RuleEffect (string)
        Effect that will be used in the runtime rule.
        Possible values: [block, prevent, alert, disable]
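As an added example (not code from this page or from Prisma Cloud), a small Python helper that assembles a rule using the field names from the body reference above (`defaultEffect`, where the earlier cURL example uses `effect`), validates every effect field against the listed values, and merges the rule into the existing rule list, since this endpoint replaces all rules at once. The rule names, domains and paths are constructed placeholders.

```python
import json

# Effect values exactly as the body reference lists them for runtime.RuleEffect.
RULE_EFFECTS = {"block", "prevent", "alert", "disable"}
# Field names from the body reference that carry a runtime.RuleEffect.
EFFECT_KEYS = {
    "defaultEffect", "effect", "advancedProtectionEffect", "cloudMetadataEnforcementEffect",
    "kubernetesEnforcementEffect", "wildFireAnalysis", "backdoorFilesEffect", "newFilesEffect",
    "encryptedBinariesEffect", "suspiciousELFHeadersEffect", "deniedIPsEffect",
    "modifiedProcEffect", "portScanEffect", "rawSocketsEffect", "cryptoMinersEffect",
    "lateralMovementEffect", "modifiedProcessEffect", "reverseShellEffect", "suidBinariesEffect",
}


def validate_effects(node, path="rule"):
    """Return the paths of effect fields that are not a single allowed value
    (an array of values, as in a schema-generated sample, is rejected too)."""
    bad = []
    if isinstance(node, dict):
        for key, val in node.items():
            if key in EFFECT_KEYS and (not isinstance(val, str) or val not in RULE_EFFECTS):
                bad.append(f"{path}.{key}")
            bad += validate_effects(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            bad += validate_effects(item, f"{path}[{i}]")
    return bad


def make_rule(name, denied_domains=(), denied_paths=(), effect="alert", previous_name=None):
    """Rule scoped to the All collection: learned model behaviour stays allowed,
    only the explicitly denied domains and paths get `effect` (the policy formula above)."""
    rule = {
        "name": name,
        "collections": [{"name": "All"}],
        "processes": {"defaultEffect": effect},
        "network": {"defaultEffect": effect},
        "dns": {"defaultEffect": effect,
                "domainList": {"denied": list(denied_domains), "effect": effect}},
        "filesystem": {"defaultEffect": effect,
                       "deniedList": {"paths": list(denied_paths), "effect": effect}},
    }
    if previous_name:  # previousName is required when the rule is being renamed
        rule["previousName"] = previous_name
    return rule


def merge_rules(existing_rules, new_rule):
    """The endpoint overwrites every rule in one shot, so keep the current rules and
    replace only the one this rule updates (matched by name, or by previousName on rename)."""
    target = new_rule.get("previousName", new_rule["name"])
    return [r for r in existing_rules if r["name"] != target] + [new_rule]


def policy_body(rules):
    """JSON for the -d payload; refuses a body whose effect fields the schema would reject."""
    problems = validate_effects({"rules": rules})
    if problems:
        raise ValueError("invalid effect in: " + ", ".join(problems))
    return json.dumps({"rules": rules})
```

Fetching the current rule list before merging is assumed to happen elsewhere; the helper only guarantees that the body you PUT contains every rule you meant to keep.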

Responses

OK

Each effect field takes a single value from the list given in the body reference; the generated sample below uses alert throughout.

curl -L 'https://pan.dev/api/v32.07/policies/runtime/container' \
-H 'Content-Type: application/json' \
-d '{
  "advancedProtectionEffect": "alert",
  "cloudMetadataEnforcementEffect": "alert",
  "collections": [
    {
      "accountIDs": ["string"],
      "appIDs": ["string"],
      "clusters": ["string"],
      "color": "string",
      "containers": ["string"],
      "description": "string",
      "functions": ["string"],
      "hosts": ["string"],
      "images": ["string"],
      "labels": ["string"],
      "modified": "2024-07-29T15:51:28.071Z",
      "name": "string",
      "namespaces": ["string"],
      "owner": "string",
      "prisma": true,
      "system": true
    }
  ],
  "customRules": [
    {
      "_id": 0,
      "action": "audit",
      "effect": "alert"
    }
  ],
  "disabled": true,
  "dns": {
    "defaultEffect": "alert",
    "disabled": true,
    "domainList": {
      "allowed": ["string"],
      "denied": ["string"],
      "effect": "alert"
    }
  },
  "filesystem": {
    "allowedList": ["string"],
    "backdoorFilesEffect": "alert",
    "defaultEffect": "alert",
    "deniedList": {
      "effect": "alert",
      "paths": ["string"]
    },
    "disabled": true,
    "encryptedBinariesEffect": "alert",
    "newFilesEffect": "alert",
    "suspiciousELFHeadersEffect": "alert"
  },
  "kubernetesEnforcementEffect": "alert",
  "modified": "2024-07-29T15:51:28.071Z",
  "name": "string",
  "network": {
    "allowedIPs": ["string"],
    "defaultEffect": "alert",
    "deniedIPs": ["string"],
    "deniedIPsEffect": "alert",
    "disabled": true,
    "listeningPorts": {
      "allowed": [{"deny": true, "end": 0, "start": 0}],
      "denied": [{"deny": true, "end": 0, "start": 0}],
      "effect": "alert"
    },
    "modifiedProcEffect": "alert",
    "outboundPorts": {
      "allowed": [{"deny": true, "end": 0, "start": 0}],
      "denied": [{"deny": true, "end": 0, "start": 0}],
      "effect": "alert"
    },
    "portScanEffect": "alert",
    "rawSocketsEffect": "alert"
  },
  "notes": "string",
  "owner": "string",
  "previousName": "string",
  "processes": {
    "allowedList": ["string"],
    "checkParentChild": true,
    "cryptoMinersEffect": "alert",
    "defaultEffect": "alert",
    "deniedList": {
      "effect": "alert",
      "paths": ["string"]
    },
    "disabled": true,
    "lateralMovementEffect": "alert",
    "modifiedProcessEffect": "alert",
    "reverseShellEffect": "alert",
    "suidBinariesEffect": "alert"
  },
  "skipExecSessions": true,
  "wildFireAnalysis": "alert"
}'