Update Host Compliance Policy
PUT/api/v32.07/policies/compliance/host
x-prisma-cloud-target-env: {"permission":"policyHosts"}
Updates the compliance policy for hosts protected by Defender. All rules in the policy are updated in a single shot.
This endpoint maps to the policy table in Defend > Compliance > Hosts > Running hosts in the Console UI.
To construct an effective rule for this policy, specify at least one "check" and one effect
value.
See How to Construct a Compliance Policy for more info.
For a full list of checks, go to Defend > Compliance > Hosts > Running Hosts in the Console UI and create a new rule. All prebuilt checks and their IDs are shown under Compliance actions.
cURL Request
Refer tp the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule:
$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/compliance/host' \
-k \
-X PUT \
-u <USER> \
-H 'Content-Type: application/json' \
-d \
'{
"rules":[
{
"name":"my-rule",
"effect":"alert",
"collections":[
{
"name":"All"
}
],
"condition":{
"vulnerabilities":[
{
"id":6151,
"block":false
}
]
}
}
],
"policyType":"hostCompliance"
}'
Note: No response will be returned upon successful execution.
Request
- application/json
Body
- Array [
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- ]
Internal identifier.
Possible values: [containerVulnerability,containerCompliance,ciImagesVulnerability,ciImagesCompliance,hostVulnerability,hostCompliance,vmVulnerability,vmCompliance,serverlessCompliance,ciServerlessCompliance,serverlessVulnerability,ciServerlessVulnerability,containerRuntime,appEmbeddedRuntime,containerAppFirewall,hostAppFirewall,outOfBandAppFirewall,agentlessAppFirewall,serverObserverAppFirewall,appEmbeddedAppFirewall,serverlessAppFirewall,networkFirewall,secrets,hostRuntime,serverlessRuntime,kubernetesAudit,trust,admission,codeRepoCompliance,ciCodeRepoCompliance,ciCodeRepoVulnerability,codeRepoVulnerability
]
PolicyType represents the type of the policy
rules object[]
Rules holds all policy rules.
Action to take.
alertThreshold object
AlertThreshold is the vulnerability policy alert threshold Threshold values typically vary between 0 and 10 (noninclusive)
Suppresses alerts for all vulnerabilities (true).
Minimum severity to trigger alerts. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.
Reports the results of all compliance checks (both passed and failed) (true).
Specifies if Prisma Cloud audits successful transactions.
PolicyBlockMsg represent the block message in a Policy
blockThreshold object
BlockThreshold is the vulnerability policy block threshold Threshold values typically vary between 0 and 10 (noninclusive)
Enables blocking (true).
Minimum severity to trigger blocking. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.
collections object[]
List of collections. Used to scope the rule.
List of account IDs.
List of application IDs.
List of Kubernetes cluster names.
Color is a hexadecimal representation of color code value
List of containers.
Free-form text.
List of functions.
List of hosts.
List of images.
List of labels.
Datetime when the collection was last modified.
Collection name. Must be unique.
List of Kubernetes namespaces.
User who created or last modified the collection.
Indicates whether this collection originates from Prisma Cloud.
Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).
condition object
Conditions contains rule conditions. Conditions apply only for their respective policy type
Allowed volume host device (wildcard). If a "container create" command specifies a non matching host device, th action is blocked. Only applies to rules in certain policy types.
Indicates if the condition applies only to read-only commands (i.e., HTTP GET requests) (true) or not (false).
vulnerabilities object[]
Block and scan severity-based vulnerabilities conditions.
Specifies the effect. If true, the effect is block.
Vulnerability ID.
CreatePR indicates whether to create a pull request for vulnerability fixes (relevant for code repos).
cveRules object[]
List of CVE IDs classified for special handling (also known as exceptions).
Free-form text for documenting the exception.
Possible values: [ignore,alert,block
]
Effect specifies relevant action for a vulnerability
expiration object
ExpirationDate is the vulnerability expiration date
Date is the vulnerability expiration date.
Enabled indicates that the grace period is enabled.
CVE ID.
Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).
Possible values: [allow,deny,block,alert
]
PolicyEffect state the effect of evaluating the given policy
ExcludeBaseImageVulns indicates whether to exclude vulnerabilities coming from the base image.
Number of days to suppress the rule's block effect. Measured from date the vuln was fixed. If there's no fix, measured from the date the vuln was published.
graceDaysPolicy object
GraceDaysPolicy indicates the grace days policy by severity
.
Enabled is an indication whether the the grace days by severity is enabled.
.
.
.
Applicable groups.
license object
LicenseConfig is the compliance policy license configuration
alertThreshold object
LicenseThreshold is the license severity threshold to indicate whether to perform an action (alert/block) Threshold values typically vary between 0 and 10 (noninclusive)
Enabled indicates that the action is enabled.
Value is the minimum severity score for which the action is enabled.
blockThreshold object
LicenseThreshold is the license severity threshold to indicate whether to perform an action (alert/block) Threshold values typically vary between 0 and 10 (noninclusive)
Enabled indicates that the action is enabled.
Value is the minimum severity score for which the action is enabled.
Critical is the list of licenses with critical severity.
High is the list of licenses with high severity.
Low is the list of licenses with low severity.
Medium is the list of licenses with medium severity.
Specifies the date and time when the rule was last modified.
Name of the rule.
Describes any noteworthy points for a rule. You can include any text.
Applies rule only when vendor fixes are available (true).
User who created or last modified the rule.
pkgTypesThresholds object[]
PkgTypesThresholds holds package type specific alert and block thresholds.
alertThreshold object
AlertThreshold is the vulnerability policy alert threshold Threshold values typically vary between 0 and 10 (noninclusive)
Suppresses alerts for all vulnerabilities (true).
Minimum severity to trigger alerts. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.
blockThreshold object
BlockThreshold is the vulnerability policy block threshold Threshold values typically vary between 0 and 10 (noninclusive)
Enables blocking (true).
Minimum severity to trigger blocking. Supported values range from 0 to 9, where 0=off, 1=low, 4=medium, 7=high, and 9=critical.
Possible values: [nodejs,gem,python,jar,package,windows,binary,nuget,go,app,unknown
]
Type describes the package type
Previous name of the rule. Required for rule renaming.
Applicable users.
riskFactorsEffects object[]
RiskFactorsEffects indicates the effect (alert/block) of each risk factor.
Possible values: [ignore,alert,block
]
Effect specifies relevant action for a vulnerability
Possible values: [Critical severity,High severity,Medium severity,Has fix,Remote execution,DoS - Low,DoS - High,Recent vulnerability,Exploit exists - in the wild,Exploit exists - POC,Attack complexity: low,Attack vector: network,Reachable from the internet,Listening ports,Container is running as root,No mandatory security profile applied,Running as privileged container,Package in use,Sensitive information,Root mount,Runtime socket,Host access
]
RiskFactor represents a vulnerability risk factor, used in determining a vulnerability risk score
tags object[]
List of tags classified for special handling (also known as exceptions).
Free-form text for documenting the exception.
Possible values: [ignore,alert,block
]
Effect specifies relevant action for a vulnerability
expiration object
ExpirationDate is the vulnerability expiration date
Date is the vulnerability expiration date.
Enabled indicates that the grace period is enabled.
Tag name.
Displays a detailed message when an operation is blocked (true).
Responses
- 200
- default
OK