Get Runtime App-embedded Policy
GET/api/v33.02/policies/runtime/app-embedded
x-prisma-cloud-target-env: {"permission":"policyRuntimeServerless"}
Retrieves the runtime policy for apps protected by App-Embedded Defenders. A policy consists of ordered rules.
This endpoint maps to Defend > Runtime > App-Embedded policy in the Console UI.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
'https://<CONSOLE>/api/v<VERSION>/policies/runtime/app-embedded'
A successful response returns a list of runtime rules in the policy.
Responses
- 200
- default
AppEmbeddedPolicy represents a runtime policy enforced for a given running resource
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- Array [
- ]
- ]
Internal identifier.
rules object[]
Rules in the policy.
Indicates whether advanced protection (e.g., custom or premium feeds for container, added whitelist rules for serverless) is enabled (true) or not (false).
collections object[]
List of collections. Used to scope the rule.
List of account IDs.
List of application IDs.
List of Kubernetes cluster names.
Color is a hexadecimal representation of color code value
List of containers.
Free-form text.
List of functions.
List of hosts.
List of images.
List of labels.
Datetime when the collection was last modified.
Collection name. Must be unique.
List of Kubernetes namespaces.
User who created or last modified the collection.
Indicates whether this collection originates from Prisma Cloud.
Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).
customRules object[]
List of custom runtime rules.
Custom rule ID.
Possible values: [audit,incident
]
Action is the action to perform if the custom rule applies
Possible values: [block,prevent,alert,allow,ban,disable
]
Effect is the effect that will be used for custom rule
Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).
dns object
DNSRule is the DNS runtime rule
List of deny-listed domain names (e.g., www.bad-url.com, *.bad-url.com).
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
List of allow-listed domain names (e.g., *.gmail.com, .s3..amazon.com).
filesystem object
FilesystemRule represents restrictions/suppression for filesystem changes
Monitors files that can create and/or persist backdoors (currently SSH and admin account config files) (true).
List of denied file system path.
Detects changes to binaries and certificates (true).
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Indicates that encrypted binaries check should be skipped.
Indicates whether malware detection based on suspicious ELF headers is enabled.
List of allowed file system path.
Specifies the date and time when the rule was last modified.
Name of the rule.
network object
NetworkRule represents the restrictions/suppression for networking
Deny-listed IP addresses.
blacklistListeningPorts object[]
Deny-listed listening ports.
Deny indicates whether the connection is denied.
.
.
blacklistOutboundPorts object[]
Deny-listed outbound ports.
Deny indicates whether the connection is denied.
.
.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Allow-listed IP addresses.
whitelistListeningPorts object[]
Allow-listed listening ports.
Deny indicates whether the connection is denied.
.
.
whitelistOutboundPorts object[]
Allow-listed outbound ports.
Deny indicates whether the connection is denied.
.
.
Describes any noteworthy points for a rule. You can include any text.
User who created or last modified the rule.
Previous name of the rule. Required for rule renaming.
processes object
ProcessesRule represents restrictions/suppression for running processes
List of processes to deny.
Indicates that all processes are blocked except the main process.
Detect crypto miners.
Indicates whether dectection of processes that can be used for lateral movement exploits is enabled.
Indicates whether binaries which do not belong to the original image are allowed to run.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Indicates whether to trigger audits/incidents when a modified proc is spawned.
List of processes to allow.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
{
"_id": "string",
"rules": [
{
"advancedProtection": true,
"collections": [
{
"accountIDs": [
"string"
],
"appIDs": [
"string"
],
"clusters": [
"string"
],
"color": "string",
"containers": [
"string"
],
"description": "string",
"functions": [
"string"
],
"hosts": [
"string"
],
"images": [
"string"
],
"labels": [
"string"
],
"modified": "2024-07-29T15:51:28.071Z",
"name": "string",
"namespaces": [
"string"
],
"owner": "string",
"prisma": true,
"system": true
}
],
"customRules": [
{
"_id": 0,
"action": [
"audit",
"incident"
],
"effect": [
"block",
"prevent",
"alert",
"allow",
"ban",
"disable"
]
}
],
"disabled": true,
"dns": {
"blacklist": [
"string"
],
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"whitelist": [
"string"
]
},
"filesystem": {
"backdoorFiles": true,
"blacklist": [
"string"
],
"checkNewFiles": true,
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"skipEncryptedBinaries": true,
"suspiciousELFHeaders": true,
"whitelist": [
"string"
]
},
"modified": "2024-07-29T15:51:28.071Z",
"name": "string",
"network": {
"blacklistIPs": [
"string"
],
"blacklistListeningPorts": [
{
"deny": true,
"end": 0,
"start": 0
}
],
"blacklistOutboundPorts": [
{
"deny": true,
"end": 0,
"start": 0
}
],
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"whitelistIPs": [
"string"
],
"whitelistListeningPorts": [
{
"deny": true,
"end": 0,
"start": 0
}
],
"whitelistOutboundPorts": [
{
"deny": true,
"end": 0,
"start": 0
}
]
},
"notes": "string",
"owner": "string",
"previousName": "string",
"processes": {
"blacklist": [
"string"
],
"blockAllBinaries": true,
"checkCryptoMiners": true,
"checkLateralMovement": true,
"checkNewBinaries": true,
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"skipModified": true,
"whitelist": [
"string"
]
},
"wildFireAnalysis": [
"block",
"prevent",
"alert",
"disable"
]
}
]
}