Skip to main content

Update a Custom Rule

PUT 
/api/v32.07/custom-rules/:id
x-prisma-cloud-target-env: {"permission":"policyCustomRules"}

Creates or updates a custom rule.

To invoke this endpoint in the Console UI:

  1. Navigate to Defend > Custom rules.
  2. Click + Add rule or the dotted icon under the Actions column and choose to the Manage cog icon to open the update window.
  3. Configure the custom rule's parameters.
  4. Click the Add or Update button to save the changes.

cURL Request

Refer to the following example cURL command that updates a custom rule.

$ curl 'https://<CONSOLE>/api/v<VERSION>/custom-rules/{id}' \
  -k \
  -X PUT \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d \
'{
   "_id":{id},
   "type":"processes",
   "message":"unexpected %proc.name was spawned",
   "name":"<CUSTOM_RULE_NAME>",
   "script":"proc.interactive"
}'

Note: No response will be returned upon successful execution.

Request

Path Parameters

    id stringrequired

Body

    _id integer

    Rule ID. Must be unique.

    attackTechniques mitre.Technique (string)[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    List of attack techniques.

    description string

    Description of the rule.

    message string

    Macro that is printed as part of the audit/incident message.

    minVersion string

    Minimum version required to support the rule.

    modified int64

    Datetime when the rule was created or last modified.

    name string

    Name of the rule.

    owner string

    User who created or modified the rule.

    script string

    Custom script.

    type customrules.Type (string)

    Possible values: [processes,filesystem,network-outgoing,kubernetes-audit,waas-request,waas-response]

    Type is the type of the custom rule

    vulnIDs string (string)[]

    VulnIDs is the list of vulnerability IDs

Responses

OK

Loading...