Update Runtime Host Policy
POST/api/v32.07/policies/runtime/host
x-prisma-cloud-target-env: {"permission":"policyRuntimeHosts"}
Updates the runtime policy for hosts protected by Defender. All rules in the policy are updated in a single shot.
This endpoint maps to the Add rule button in Defend > Runtime > Host policy in the Console UI.
cURL Request
Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule:
$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/runtime/host' \
-k \
-X PUT \
-u <USER> \
-H 'Content-Type: application/json' \
-d \
'{
"rules":[
{
"name":"my-rule",
"collections":[
{
"name":"All"
}
],
"advancedProtection":"alert",
"processes":{
"effect":"alert"
},
"network":{
"effect":"disable"
},
"dns":{
"effect":"disable"
}
}
]
}'
Note: No response will be returned upon successful execution.
Request
- application/json
Body
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
antiMalware object
AntiMalwareRule represents restrictions/suppression for suspected anti-malware
AllowedProcesses contains paths of files and processes for which we skip anti-malware checks.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
deniedProcesses object
DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Paths are the paths to alert/prevent when an event with one of the paths is triggered.
DetectCompilerGeneratedBinary represents what happens when a compiler service writes a binary.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
SkipSSHTracking indicates whether host SSH tracking should be skipped.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
collections object[]
Collections is a list of collections the rule applies to.
List of account IDs.
List of application IDs.
List of Kubernetes cluster names.
Color is a hexadecimal representation of color code value
List of containers.
Free-form text.
List of functions.
List of hosts.
List of images.
List of labels.
Datetime when the collection was last modified.
Collection name. Must be unique.
List of Kubernetes namespaces.
User who created or last modified the collection.
Indicates whether this collection originates from Prisma Cloud.
Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).
customRules object[]
CustomRules is a list of custom rules associated with the container runtime policy.
Custom rule ID.
Possible values: [audit,incident
]
Action is the action to perform if the custom rule applies
Possible values: [block,prevent,alert,allow,ban,disable
]
Effect is the effect that will be used for custom rule
Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).
dns object
HostDNSRule represents a host DNS runtime rule
Allow is a list of user-defined domains to skip checks for.
Deny is a list of user-defined domains to deny.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
fileIntegrityRules object[]
FileIntegrityRules are the file integrity monitoring rules.
Dir indicates that the path is a directory.
Exclusions are filenames that should be ignored while generating audits These filenames may contain a wildcard regex pattern, e.g. foo*.log, *.cache.
Metadata indicates that metadata changes should be monitored (e.g. chmod, chown).
Path is the path to monitor.
ProcWhitelist are the processes to ignore Filesystem events caused by these processes DO NOT generate file integrity events.
Read indicates that reads operations should be monitored.
Recursive indicates that monitoring should be recursive.
Write indicates that write operations should be monitored.
forensic object
HostForensicSettings indicates how to perform host forensic
ActivitiesDisabled indicates if the host activity collection is enabled/disabled.
DockerEnabled indicates whether docker commands are collected.
ReadonlyDockerEnabled indicates whether docker readonly commands are collected.
ServiceActivitiesEnabled indicates whether activities from services are collected.
SshdEnabled indicates whether ssh commands are collected.
SudoEnabled indicates whether sudo commands are collected.
logInspectionRules object[]
LogInspectionRules is a list of log inspection rules.
Path is the log path.
Regex are the regular expressions associated with the rule if it is a custom one.
Specifies the date and time when the rule was last modified.
Name of the rule.
network object
HostNetworkRule represents the restrictions/suppression for host networking
AllowedOutboundIPs is a list of IPs to skip checks for.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
deniedListeningPorts object[]
DeniedListeningPorts is a list of listening ports to deny.
Deny indicates whether the connection is denied.
.
.
DeniedOutboundIPs is a list of outbound IPs to deny.
deniedOutboundPorts object[]
DeniedOutboundPorts is a list of outbound ports to deny.
Deny indicates whether the connection is denied.
.
.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Describes any noteworthy points for a rule. You can include any text.
User who created or last modified the rule.
Previous name of the rule. Required for rule renaming.
Responses
- 200
- default
OK