
Get Runtime Container Policy

x-prisma-cloud-target-env: {"permission":"policyRuntimeContainer","saas":true,"self-hosted":true}
x-public: true

Retrieves the runtime policy for containers protected by Defender. A policy consists of ordered rules.

This endpoint maps to Defend > Runtime > Container policy in the Console UI.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
'https://<CONSOLE>/api/v<VERSION>/policies/runtime/container'

A successful response returns a list of runtime rules in the policy.

Responses

ContainerPolicy represents a runtime policy enforced for a given running resource


Schema
  • _id string

    Internal identifier.

  • learningDisabled boolean

    Indicates whether automatic behavioural learning is disabled (true) or enabled (false).

  • rules object[]

    Rules in the policy.

  • Array [
  • advancedProtectionEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • cloudMetadataEnforcementEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • collections object[]

    List of collections. Used to scope the rule.

  • Array [
  • accountIDs string[]

    List of account IDs.

  • appIDs string[]

    List of application IDs.

  • clusters string[]

    List of Kubernetes cluster names.

  • codeRepos string[]

    List of code repositories.

  • color common.Color

    Color is a hexadecimal representation of color code value

  • containers string[]

    List of containers.

  • description string

    Free-form text.

  • functions string[]

    List of functions.

  • hosts string[]

    List of hosts.

  • images string[]

    List of images.

  • labels string[]

    List of labels.

  • modified date-time

    Datetime when the collection was last modified.

  • name string

    Collection name. Must be unique.

  • namespaces string[]

    List of Kubernetes namespaces.

  • owner string

    User who created or last modified the collection.

  • prisma boolean

    Indicates whether this collection originates from Prisma Cloud.

  • system boolean

    Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).

  • ]
  • customRules object[]

    List of custom runtime rules.

  • Array [
  • _id integer

    Custom rule ID.

  • action customrules.Action

    Possible values: [audit,incident]

    Action is the action to perform if the custom rule applies

  • effect customrules.Effect

    Possible values: [block,prevent,alert,allow,ban,disable]

    Effect is the effect that will be used for custom rule

  • ]
  • disabled boolean

    Indicates if the rule is currently disabled (true) or not (false).

  • dns object

    ContainerDNSRule is the DNS runtime rule for container

  • defaultEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • disabled boolean

    Disabled is a global switch that turns off the DNS rule.

  • domainList object

    DNSListRule represents an explicitly allowed/denied domains list rule

  • allowed string[]

    Allowed is the list of allow-listed domain names.

  • denied string[]

    Denied is the list of deny-listed domain names.

  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • filesystem object

    ContainerFilesystemRule represents restrictions/suppression for filesystem changes

  • allowedList string[]

    AllowedList is the list of allowed file system paths.

  • backdoorFilesEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • defaultEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • deniedList object

    DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect

  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • paths string[]

    Paths are the paths to alert/prevent when an event with one of the paths is triggered.

  • disabled boolean

    Disabled is a global switch that turns off the filesystem rule.

  • encryptedBinariesEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • newFilesEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • suspiciousELFHeadersEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • kubernetesEnforcementEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • modified date-time

    Datetime when the rule was last modified.

  • name string

    Name of the rule.

  • network object

    ContainerNetworkRule represents the restrictions/suppression for networking

  • allowedIPs string[]

    AllowedIPs is the list of allow-listed IP addresses.

  • defaultEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • deniedIPs string[]

    DeniedIPs is the list of deny-listed IP addresses.

  • deniedIPsEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • disabled boolean

    Disabled is a global switch that turns off the network rule.

  • listeningPorts object

    PortListRule represents a rule containing ports to allow/deny and the required effect

  • allowed object[]

    Allowed is the list of allow-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

  • end integer

    End of the port range.

  • start integer

    Start of the port range.

  • ]
  • denied object[]

    Denied is the list of deny-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

  • end integer

    End of the port range.

  • start integer

    Start of the port range.

  • ]
  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • modifiedProcEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • outboundPorts object

    PortListRule represents a rule containing ports to allow/deny and the required effect

  • allowed object[]

    Allowed is the list of allow-listed outbound ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

  • end integer

    End of the port range.

  • start integer

    Start of the port range.

  • ]
  • denied object[]

    Denied is the list of deny-listed outbound ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

  • end integer

    End of the port range.

  • start integer

    Start of the port range.

  • ]
  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • portScanEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • rawSocketsEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • notes string

    Free-form text.

  • owner string

    User who created or last modified the rule.

  • previousName string

    Previous name of the rule. Required for rule renaming.

  • processes object

    ContainerProcessesRule represents restrictions/suppression for running processes

  • allowedList string[]

    AllowedList is the list of processes to allow.

  • checkParentChild boolean

    Indicates whether parent-child relationships are checked when comparing spawned processes against the learned model.

  • cryptoMinersEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • defaultEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • deniedList object

    DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect

  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • paths string[]

    Paths are the paths to alert/prevent when an event with one of the paths is triggered.

  • disabled boolean

    Disabled is a global switch that turns off the processes rule.

  • lateralMovementEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • modifiedProcessEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • reverseShellEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • suidBinariesEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • skipExecSessions boolean

    Indicates whether to skip runtime validation for events triggered by docker/kubectl exec.

  • wildFireAnalysis runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • ]