
Update a Custom Rule

PUT /api/v33.03/custom-rules/:id

x-prisma-cloud-target-env: {"permission":"policyCustomRules"}

Creates or updates a custom rule.

To invoke this endpoint in the Console UI:

  1. Navigate to Defend > Custom rules.
  2. Click + Add rule, or click the dotted icon under the Actions column and choose the Manage cog icon, to open the update window.
  3. Configure the custom rule's parameters.
  4. Click the Add or Update button to save the changes.

cURL Request

Refer to the following example cURL command that updates a custom rule.

$ curl 'https://<CONSOLE>/api/v<VERSION>/custom-rules/{id}' \
-k \
-X PUT \
-u <USER> \
-H 'Content-Type: application/json' \
-d \
'{
"_id":{id},
"type":"processes",
"message":"unexpected %proc.name was spawned",
"name":"<CUSTOM_RULE_NAME>",
"script":"proc.interactive"
}'

Note: No response will be returned upon successful execution.
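The same request as the cURL example, with the body checked against this page's schema before it is sent and TLS verification left on. This is an added example, not code from the Prisma Cloud documentation or SDK. The function names, the host `console.example.com`, rule ID 42, and the non-empty `name`/`script` check are assumptions.

```python
import base64
import json
import urllib.request

# Values copied from the "type" enum documented on this page.
RULE_TYPES = {"processes", "filesystem", "network-outgoing",
              "kubernetes-audit", "waas-request", "waas-response"}


def build_update_request(console, version, rule_id, rule, user, password):
    """Validate a custom-rule body and return an unsent PUT request."""
    if not isinstance(rule_id, int) or isinstance(rule_id, bool):
        raise ValueError("rule id must be an integer")
    # The endpoint creates the rule when it does not exist, so a body whose
    # _id differs from the path id is treated here as a caller mistake.
    if rule.get("_id") != rule_id:
        raise ValueError("body _id does not match path id")
    if rule.get("type") not in RULE_TYPES:
        raise ValueError(f"unknown rule type: {rule.get('type')!r}")
    # Assumption: the page does not mark these fields required, but a rule
    # with no name or script is rejected client-side as a likely mistake.
    for field in ("name", "script"):
        if not isinstance(rule.get(field), str) or not rule[field].strip():
            raise ValueError(f"{field} must be a non-empty string")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        f"https://{console}/api/v{version}/custom-rules/{rule_id}",
        data=json.dumps(rule).encode(),
        method="PUT",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )


def send(request):
    """Send with certificate verification on (the opposite of curl -k)."""
    # urlopen verifies the server certificate by default and raises
    # HTTPError on an error status; success carries no response body.
    with urllib.request.urlopen(request, timeout=30) as resp:
        return resp.status


# Constructed sample rule mirroring the cURL example on this page.
SAMPLE_RULE = {"_id": 42, "type": "processes", "name": "interactive-proc",
               "message": "unexpected %proc.name was spawned",
               "script": "proc.interactive"}
```

Because a successful call returns no body, the HTTP status from `send()` is the only confirmation that the rule was saved.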

Request

Path Parameters

    id string required

Body

    _id integer

    Rule ID. Must be unique.

    attackTechniques mitre.Technique (string)[]

    List of attack techniques.

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    description string

    Description of the rule.

    message string

    Macro that is printed as part of the audit/incident message.

    minVersion string

    Minimum version required to support the rule.

    modified int64

    Datetime when the rule was created or last modified.

    name string

    Name of the rule.

    owner string

    User who created or modified the rule.

    script string

    Custom script.

    type customrules.Type (string)

    Type of the custom rule.

    Possible values: [processes,filesystem,network-outgoing,kubernetes-audit,waas-request,waas-response]

    vulnIDs string[]

    List of vulnerability IDs.

Responses

OK

curl -L -X PUT 'https://pan.dev/api/v33.03/custom-rules/:id' \
-H 'Content-Type: application/json'
Body
{
  "_id": 0,
  "attackTechniques": [
    "exploitationForPrivilegeEscalation",
    "exploitPublicFacingApplication",
    "applicationExploitRCE",
    "networkServiceScanning",
    "endpointDenialOfService",
    "exfiltrationGeneral",
    "systemNetworkConfigurationDiscovery",
    "unsecuredCredentials",
    "credentialDumping",
    "systemInformationDiscovery",
    "systemNetworkConnectionDiscovery",
    "systemUserDiscovery",
    "accountDiscovery",
    "cloudInstanceMetadataAPI",
    "accessKubeletMainAPI",
    "queryKubeletReadonlyAPI",
    "accessKubernetesAPIServer",
    "softwareDeploymentTools",
    "ingressToolTransfer",
    "lateralToolTransfer",
    "commandAndControlGeneral",
    "resourceHijacking",
    "manInTheMiddle",
    "nativeBinaryExecution",
    "foreignBinaryExecution",
    "createAccount",
    "accountManipulation",
    "abuseElevationControlMechanisms",
    "supplyChainCompromise",
    "obfuscatedFiles",
    "hijackExecutionFlow",
    "impairDefences",
    "scheduledTaskJob",
    "exploitationOfRemoteServices",
    "eventTriggeredExecution",
    "accountAccessRemoval",
    "privilegedContainer",
    "writableVolumes",
    "execIntoContainer",
    "softwareDiscovery",
    "createContainer",
    "kubernetesSecrets",
    "fileAndDirectoryDiscovery",
    "masquerading",
    "webShell",
    "compileAfterDelivery"
  ],
  "description": "string",
  "message": "string",
  "minVersion": "string",
  "modified": 0,
  "name": "string",
  "owner": "string",
  "script": "string",
  "type": "processes",
  "vulnIDs": [
    "string"
  ]
}