Get Runtime Container Policy
GET /api/v33.02/policies/runtime/container
x-prisma-cloud-target-env: {"permission":"policyRuntimeContainer"}
Retrieves the runtime policy for containers protected by Defender. A policy consists of ordered rules.
This endpoint maps to Defend > Runtime > Container policy in the Console UI.
cURL Request
Refer to the following example cURL command:
```bash
$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  'https://<CONSOLE>/api/v<VERSION>/policies/runtime/container'
```
A successful response returns a list of runtime rules in the policy.
Responses
- 200 (application/json): ContainerPolicy represents a runtime policy enforced for a given running resource.
- default
Schema
Fields marked (RuleEffect) hold the effect that will be used in the runtime rule. Possible values: [block, prevent, alert, disable].
- _id: Internal identifier.
- learningDisabled: Indicates whether automatic behavioural learning is enabled (true) or not (false).
- rules object[]: Rules in the policy.
  - advancedProtectionEffect (RuleEffect)
  - cloudMetadataEnforcementEffect (RuleEffect)
  - collections object[]: List of collections. Used to scope the rule.
    - accountIDs: List of account IDs.
    - appIDs: List of application IDs.
    - clusters: List of Kubernetes cluster names.
    - color: Hexadecimal representation of the color code value.
    - containers: List of containers.
    - description: Free-form text.
    - functions: List of functions.
    - hosts: List of hosts.
    - images: List of images.
    - labels: List of labels.
    - modified: Datetime when the collection was last modified.
    - name: Collection name. Must be unique.
    - namespaces: List of Kubernetes namespaces.
    - owner: User who created or last modified the collection.
    - prisma: Indicates whether this collection originates from Prisma Cloud.
    - system: Indicates whether this collection was created by the system (i.e., a non-user) (true) or by a real user (false).
  - customRules object[]: List of custom runtime rules.
    - _id: Custom rule ID.
    - action: The action to perform if the custom rule applies. Possible values: [audit, incident].
    - effect: The effect that will be used for the custom rule. Possible values: [block, prevent, alert, allow, ban, disable].
  - disabled: Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).
  - dns object: ContainerDNSRule is the DNS runtime rule for a container.
    - defaultEffect (RuleEffect)
    - disabled: A global disable for the DNS rule.
    - domainList object: DNSListRule represents an explicitly allowed/denied domain list rule.
      - allowed: The allow-listed domain names.
      - denied: The deny-listed domain names.
      - effect (RuleEffect)
  - filesystem object: ContainerFilesystemRule represents restrictions/suppression for filesystem changes.
    - allowedList: The list of allowed file system paths.
    - backdoorFilesEffect (RuleEffect)
    - defaultEffect (RuleEffect)
    - deniedList object: DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect.
      - effect (RuleEffect)
      - paths: The paths to alert/prevent when an event with one of the paths is triggered.
    - disabled: A global disable for the filesystem rule.
    - encryptedBinariesEffect (RuleEffect)
    - newFilesEffect (RuleEffect)
    - suspiciousELFHeadersEffect (RuleEffect)
  - kubernetesEnforcementEffect (RuleEffect)
  - modified: Specifies the date and time when the rule was last modified.
  - name: Name of the rule.
  - network object: ContainerNetworkRule represents the restrictions/suppression for networking.
    - allowedIPs: The allow-listed IP addresses.
    - defaultEffect (RuleEffect)
    - deniedIPs: The deny-listed IP addresses.
    - deniedIPsEffect (RuleEffect)
    - disabled: A global disable for the network rule.
    - listeningPorts object: PortListRule represents a rule containing ports to be allowed/denied and the required effect.
      - allowed object[]: The allow-listed listening ports.
        - deny: Indicates whether the connection is denied.
        - end
        - start
      - denied object[]: The deny-listed listening ports.
        - deny: Indicates whether the connection is denied.
        - end
        - start
      - effect (RuleEffect)
    - modifiedProcEffect (RuleEffect)
    - outboundPorts object: PortListRule represents a rule containing ports to be allowed/denied and the required effect.
      - allowed object[]: The allow-listed listening ports.
        - deny: Indicates whether the connection is denied.
        - end
        - start
      - denied object[]: The deny-listed listening ports.
        - deny: Indicates whether the connection is denied.
        - end
        - start
      - effect (RuleEffect)
    - portScanEffect (RuleEffect)
    - rawSocketsEffect (RuleEffect)
  - notes: Describes any noteworthy points for a rule. You can include any text.
  - owner: User who created or last modified the rule.
  - previousName: Previous name of the rule. Required for rule renaming.
  - processes object: ContainerProcessesRule represents restrictions/suppression for running processes.
    - allowedList: The list of processes to allow.
    - checkParentChild: Indicates whether checking the parent-child relationship when comparing spawned processes against the model is enabled.
    - cryptoMinersEffect (RuleEffect)
    - defaultEffect (RuleEffect)
    - deniedList object: DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect.
      - effect (RuleEffect)
      - paths: The paths to alert/prevent when an event with one of the paths is triggered.
    - disabled: A global disable for the processes rule.
    - lateralMovementEffect (RuleEffect)
    - modifiedProcessEffect (RuleEffect)
    - reverseShellEffect (RuleEffect)
    - suidBinariesEffect (RuleEffect)
  - skipExecSessions: Indicates whether to skip runtime validation for events triggered by docker/kubectl exec.
  - wildFireAnalysis (RuleEffect)
Example (from schema)
```json
{
  "_id": "string",
  "learningDisabled": true,
  "rules": [
    {
      "advancedProtectionEffect": ["block", "prevent", "alert", "disable"],
      "cloudMetadataEnforcementEffect": ["block", "prevent", "alert", "disable"],
      "collections": [
        {
          "accountIDs": ["string"],
          "appIDs": ["string"],
          "clusters": ["string"],
          "color": "string",
          "containers": ["string"],
          "description": "string",
          "functions": ["string"],
          "hosts": ["string"],
          "images": ["string"],
          "labels": ["string"],
          "modified": "2024-07-29T15:51:28.071Z",
          "name": "string",
          "namespaces": ["string"],
          "owner": "string",
          "prisma": true,
          "system": true
        }
      ],
      "customRules": [
        {
          "_id": 0,
          "action": ["audit", "incident"],
          "effect": ["block", "prevent", "alert", "allow", "ban", "disable"]
        }
      ],
      "disabled": true,
      "dns": {
        "defaultEffect": ["block", "prevent", "alert", "disable"],
        "disabled": true,
        "domainList": {
          "allowed": ["string"],
          "denied": ["string"],
          "effect": ["block", "prevent", "alert", "disable"]
        }
      },
      "filesystem": {
        "allowedList": ["string"],
        "backdoorFilesEffect": ["block", "prevent", "alert", "disable"],
        "defaultEffect": ["block", "prevent", "alert", "disable"],
        "deniedList": {
          "effect": ["block", "prevent", "alert", "disable"],
          "paths": ["string"]
        },
        "disabled": true,
        "encryptedBinariesEffect": ["block", "prevent", "alert", "disable"],
        "newFilesEffect": ["block", "prevent", "alert", "disable"],
        "suspiciousELFHeadersEffect": ["block", "prevent", "alert", "disable"]
      },
      "kubernetesEnforcementEffect": ["block", "prevent", "alert", "disable"],
      "modified": "2024-07-29T15:51:28.071Z",
      "name": "string",
      "network": {
        "allowedIPs": ["string"],
        "defaultEffect": ["block", "prevent", "alert", "disable"],
        "deniedIPs": ["string"],
        "deniedIPsEffect": ["block", "prevent", "alert", "disable"],
        "disabled": true,
        "listeningPorts": {
          "allowed": [
            { "deny": true, "end": 0, "start": 0 }
          ],
          "denied": [
            { "deny": true, "end": 0, "start": 0 }
          ],
          "effect": ["block", "prevent", "alert", "disable"]
        },
        "modifiedProcEffect": ["block", "prevent", "alert", "disable"],
        "outboundPorts": {
          "allowed": [
            { "deny": true, "end": 0, "start": 0 }
          ],
          "denied": [
            { "deny": true, "end": 0, "start": 0 }
          ],
          "effect": ["block", "prevent", "alert", "disable"]
        },
        "portScanEffect": ["block", "prevent", "alert", "disable"],
        "rawSocketsEffect": ["block", "prevent", "alert", "disable"]
      },
      "notes": "string",
      "owner": "string",
      "previousName": "string",
      "processes": {
        "allowedList": ["string"],
        "checkParentChild": true,
        "cryptoMinersEffect": ["block", "prevent", "alert", "disable"],
        "defaultEffect": ["block", "prevent", "alert", "disable"],
        "deniedList": {
          "effect": ["block", "prevent", "alert", "disable"],
          "paths": ["string"]
        },
        "disabled": true,
        "lateralMovementEffect": ["block", "prevent", "alert", "disable"],
        "modifiedProcessEffect": ["block", "prevent", "alert", "disable"],
        "reverseShellEffect": ["block", "prevent", "alert", "disable"],
        "suidBinariesEffect": ["block", "prevent", "alert", "disable"]
      },
      "skipExecSessions": true,
      "wildFireAnalysis": ["block", "prevent", "alert", "disable"]
    }
  ]
}
```
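The response above is mostly useful as input to a policy hygiene check: a rule whose detections are set to alert or disable, a section that is globally disabled, or a rule that skips exec sessions leaves a gap that the Console UI does not surface at a glance. The following script is an added example, not Prisma Cloud's own tooling. It uses the field names from the schema above; the fetch_policy helper mirrors the documented cURL call with HTTP basic auth but keeps TLS certificate verification on (the cURL example's -k turns it off), and SAMPLE_POLICY is a constructed response used so the audit runs offline.

```python
"""Audit the container runtime policy returned by
GET /api/v<VERSION>/policies/runtime/container.

Added example, not Prisma Cloud's own code. Field names come from the
documented response schema; SAMPLE_POLICY below is constructed.
"""
import base64
import json
import ssl
import urllib.request

# "alert" only records the event and "disable" turns the check off, so
# a rule that uses either for a detection has no preventive control there.
WEAK_EFFECTS = {"alert", "disable"}

# RuleEffect fields by section, as documented in the schema. The empty
# key holds the effects that sit directly on the rule object.
EFFECT_FIELDS = {
    "": ["advancedProtectionEffect", "cloudMetadataEnforcementEffect",
         "kubernetesEnforcementEffect", "wildFireAnalysis"],
    "dns": ["defaultEffect"],
    "filesystem": ["backdoorFilesEffect", "defaultEffect",
                   "encryptedBinariesEffect", "newFilesEffect",
                   "suspiciousELFHeadersEffect"],
    "network": ["defaultEffect", "deniedIPsEffect", "modifiedProcEffect",
                "portScanEffect", "rawSocketsEffect"],
    "processes": ["cryptoMinersEffect", "defaultEffect",
                  "lateralMovementEffect", "modifiedProcessEffect",
                  "reverseShellEffect", "suidBinariesEffect"],
}


def fetch_policy(console, user, password, version="33.02"):
    """Perform the documented GET with HTTP basic auth (cURL's -u).

    Unlike the cURL example's -k, certificate verification stays on, so
    the Console must present a certificate the local trust store accepts.
    """
    url = f"https://{console}/api/v{version}/policies/runtime/container"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req, context=ssl.create_default_context(),
                                timeout=30) as resp:
        return json.load(resp)


def audit_policy(policy):
    """Return one finding string per weak or switched-off setting."""
    findings = []
    if policy.get("learningDisabled"):
        findings.append("policy: automatic behavioural learning is disabled")
    for rule in policy.get("rules", []):
        name = rule.get("name", "<unnamed>")
        if rule.get("disabled"):
            findings.append(f"{name}: rule is disabled")
            continue  # nothing inside a disabled rule is enforced
        if rule.get("skipExecSessions"):
            findings.append(f"{name}: exec sessions skip runtime validation")
        for section, fields in EFFECT_FIELDS.items():
            scope = rule if section == "" else rule.get(section, {})
            if section and scope.get("disabled"):
                findings.append(f"{name}: {section} rule is globally disabled")
                continue
            for field in fields:
                effect = scope.get(field)
                if effect in WEAK_EFFECTS:
                    label = f"{section}.{field}" if section else field
                    findings.append(f"{name}: {label} is '{effect}'")
    return findings


# Constructed sample in the shape of the documented response.
SAMPLE_POLICY = {
    "_id": "example",
    "learningDisabled": False,
    "rules": [
        {
            "name": "baseline",
            "disabled": False,
            "skipExecSessions": True,
            "advancedProtectionEffect": "alert",
            "cloudMetadataEnforcementEffect": "disable",
            "kubernetesEnforcementEffect": "prevent",
            "wildFireAnalysis": "block",
            "dns": {"disabled": False, "defaultEffect": "disable"},
            "filesystem": {"disabled": False, "defaultEffect": "alert",
                           "backdoorFilesEffect": "prevent"},
            "network": {"disabled": True},
            "processes": {"disabled": False, "cryptoMinersEffect": "prevent",
                          "reverseShellEffect": "alert"},
        },
        {"name": "legacy", "disabled": True},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

Against a live Console, replace SAMPLE_POLICY with fetch_policy("<CONSOLE>", "<USER>", "<PASSWORD>") and treat each finding as a review item; whether alert is acceptable for a given detection is a judgement call, but the script makes every such choice visible in one pass.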