Get Runtime Container Policy
Required permission: policyRuntimeContainer. Available on SaaS and self-hosted Consoles.
Retrieves the runtime policy for containers protected by Defender. A policy consists of ordered rules.
This endpoint maps to Defend > Runtime > Container policy in the Console UI.
cURL Request
Refer to the following example cURL command:
$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  'https://<CONSOLE>/api/v<VERSION>/policies/runtime/container'
A successful response returns a list of runtime rules in the policy.
Response 200 (default), content type application/json: ContainerPolicy represents a runtime policy enforced for a given running resource.
Schema
- _id (string): Internal identifier.
- learningDisabled (boolean): Indicates whether automatic behavioural learning is enabled (true) or not (false).
- rules (object[]): Rules in the policy. Every field typed runtime.RuleEffect takes one of the values block, prevent, alert or disable; RuleEffect is the effect applied when the runtime rule matches. Each rule has:
  - advancedProtectionEffect (runtime.RuleEffect)
  - cloudMetadataEnforcementEffect (runtime.RuleEffect)
  - collections (object[]): List of collections. Used to scope the rule. Each collection has:
    - accountIDs (string[]): List of account IDs.
    - appIDs (string[]): List of application IDs.
    - clusters (string[]): List of Kubernetes cluster names.
    - codeRepos (string[]): List of code repositories.
    - color (common.Color): Hexadecimal representation of the color code value.
    - containers (string[]): List of containers.
    - description (string): Free-form text.
    - functions (string[]): List of functions.
    - hosts (string[]): List of hosts.
    - images (string[]): List of images.
    - labels (string[]): List of labels.
    - modified (date-time): Datetime when the collection was last modified.
    - name (string): Collection name. Must be unique.
    - namespaces (string[]): List of Kubernetes namespaces.
    - owner (string): User who created or last modified the collection.
    - prisma (boolean): Indicates whether this collection originates from Prisma Cloud.
    - system (boolean): Indicates whether this collection was created by the system, i.e. a non-user (true), or by a real user (false).
  - customRules (object[]): List of custom runtime rules. Each custom rule has:
    - _id (integer): Custom rule ID.
    - action (customrules.Action): Action to perform if the custom rule applies. Possible values: audit, incident.
    - effect (customrules.Effect): Effect applied for the custom rule. Possible values: block, prevent, alert, allow, ban, disable.
  - disabled (boolean): Indicates if the rule is currently disabled (true) or not (false).
  - dns (object, ContainerDNSRule): DNS runtime rule for the container.
    - defaultEffect (runtime.RuleEffect)
    - disabled (boolean): Global disable switch for the DNS rule.
    - domainList (object, DNSListRule): Explicitly allowed/denied domain list rule.
      - allowed (string[]): Allow-listed domain names.
      - denied (string[]): Deny-listed domain names.
      - effect (runtime.RuleEffect)
  - filesystem (object, ContainerFilesystemRule): Restrictions/suppression for filesystem changes.
    - allowedList (string[]): List of allowed file system paths.
    - backdoorFilesEffect (runtime.RuleEffect)
    - defaultEffect (runtime.RuleEffect)
    - deniedList (object, DenyListRule): Paths of files and processes to alert on or prevent, and the required effect.
      - effect (runtime.RuleEffect)
      - paths (string[]): Paths to alert on or prevent when an event involving one of them is triggered.
    - disabled (boolean): Global disable switch for the filesystem rule.
    - encryptedBinariesEffect (runtime.RuleEffect)
    - newFilesEffect (runtime.RuleEffect)
    - suspiciousELFHeadersEffect (runtime.RuleEffect)
  - kubernetesEnforcementEffect (runtime.RuleEffect)
  - modified (date-time): Datetime when the rule was last modified.
  - name (string): Name of the rule.
  - network (object, ContainerNetworkRule): Restrictions/suppression for networking.
    - allowedIPs (string[]): Allow-listed IP addresses.
    - defaultEffect (runtime.RuleEffect)
    - deniedIPs (string[]): Deny-listed IP addresses.
    - deniedIPsEffect (runtime.RuleEffect)
    - disabled (boolean): Global disable switch for the network rule.
    - listeningPorts (object, PortListRule): Ports to allow or deny, and the required effect.
      - allowed (object[]): Allow-listed listening ports. Each entry has deny (boolean, indicates whether the connection is denied), start (integer) and end (integer).
      - denied (object[]): Deny-listed listening ports. Same entry shape as allowed.
      - effect (runtime.RuleEffect)
    - modifiedProcEffect (runtime.RuleEffect)
    - outboundPorts (object, PortListRule): Same structure as listeningPorts (allowed, denied, effect).
    - portScanEffect (runtime.RuleEffect)
    - rawSocketsEffect (runtime.RuleEffect)
  - notes (string): Free-form text.
  - owner (string): User who created or last modified the rule.
  - previousName (string): Previous name of the rule. Required for rule renaming.
  - processes (object, ContainerProcessesRule): Restrictions/suppression for running processes.
    - allowedList (string[]): List of processes to allow.
    - checkParentChild (boolean): Indicates whether the parent-child relationship is checked when comparing spawned processes against the model.
    - cryptoMinersEffect (runtime.RuleEffect)
    - defaultEffect (runtime.RuleEffect)
    - deniedList (object, DenyListRule): Same structure as the filesystem deniedList (effect, paths).
    - disabled (boolean): Global disable switch for the processes rule.
    - lateralMovementEffect (runtime.RuleEffect)
    - modifiedProcessEffect (runtime.RuleEffect)
    - reverseShellEffect (runtime.RuleEffect)
    - suidBinariesEffect (runtime.RuleEffect)
  - skipExecSessions (boolean): Indicates whether to skip runtime validation for events triggered by docker/kubectl exec.
  - wildFireAnalysis (runtime.RuleEffect)
Example (from schema; enum-typed fields are shown with all their possible values):
{
  "_id": "string",
  "learningDisabled": true,
  "rules": [
    {
      "advancedProtectionEffect": ["block", "prevent", "alert", "disable"],
      "cloudMetadataEnforcementEffect": ["block", "prevent", "alert", "disable"],
      "collections": [
        {
          "accountIDs": ["string"],
          "appIDs": ["string"],
          "clusters": ["string"],
          "codeRepos": ["string"],
          "color": "string",
          "containers": ["string"],
          "description": "string",
          "functions": ["string"],
          "hosts": ["string"],
          "images": ["string"],
          "labels": ["string"],
          "modified": "2023-05-27T04:01:51.289Z",
          "name": "string",
          "namespaces": ["string"],
          "owner": "string",
          "prisma": true,
          "system": true
        }
      ],
      "customRules": [
        {
          "_id": 0,
          "action": ["audit", "incident"],
          "effect": ["block", "prevent", "alert", "allow", "ban", "disable"]
        }
      ],
      "disabled": true,
      "dns": {
        "defaultEffect": ["block", "prevent", "alert", "disable"],
        "disabled": true,
        "domainList": {
          "allowed": ["string"],
          "denied": ["string"],
          "effect": ["block", "prevent", "alert", "disable"]
        }
      },
      "filesystem": {
        "allowedList": ["string"],
        "backdoorFilesEffect": ["block", "prevent", "alert", "disable"],
        "defaultEffect": ["block", "prevent", "alert", "disable"],
        "deniedList": {
          "effect": ["block", "prevent", "alert", "disable"],
          "paths": ["string"]
        },
        "disabled": true,
        "encryptedBinariesEffect": ["block", "prevent", "alert", "disable"],
        "newFilesEffect": ["block", "prevent", "alert", "disable"],
        "suspiciousELFHeadersEffect": ["block", "prevent", "alert", "disable"]
      },
      "kubernetesEnforcementEffect": ["block", "prevent", "alert", "disable"],
      "modified": "2023-05-27T04:01:51.289Z",
      "name": "string",
      "network": {
        "allowedIPs": ["string"],
        "defaultEffect": ["block", "prevent", "alert", "disable"],
        "deniedIPs": ["string"],
        "deniedIPsEffect": ["block", "prevent", "alert", "disable"],
        "disabled": true,
        "listeningPorts": {
          "allowed": [{"deny": true, "end": 0, "start": 0}],
          "denied": [{"deny": true, "end": 0, "start": 0}],
          "effect": ["block", "prevent", "alert", "disable"]
        },
        "modifiedProcEffect": ["block", "prevent", "alert", "disable"],
        "outboundPorts": {
          "allowed": [{"deny": true, "end": 0, "start": 0}],
          "denied": [{"deny": true, "end": 0, "start": 0}],
          "effect": ["block", "prevent", "alert", "disable"]
        },
        "portScanEffect": ["block", "prevent", "alert", "disable"],
        "rawSocketsEffect": ["block", "prevent", "alert", "disable"]
      },
      "notes": "string",
      "owner": "string",
      "previousName": "string",
      "processes": {
        "allowedList": ["string"],
        "checkParentChild": true,
        "cryptoMinersEffect": ["block", "prevent", "alert", "disable"],
        "defaultEffect": ["block", "prevent", "alert", "disable"],
        "deniedList": {
          "effect": ["block", "prevent", "alert", "disable"],
          "paths": ["string"]
        },
        "disabled": true,
        "lateralMovementEffect": ["block", "prevent", "alert", "disable"],
        "modifiedProcessEffect": ["block", "prevent", "alert", "disable"],
        "reverseShellEffect": ["block", "prevent", "alert", "disable"],
        "suidBinariesEffect": ["block", "prevent", "alert", "disable"]
      },
      "skipExecSessions": true,
      "wildFireAnalysis": ["block", "prevent", "alert", "disable"]
    }
  ]
}
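Added example (not part of the Prisma Cloud documentation or product code): an offline audit of a response shaped like the ContainerPolicy schema above, flagging every effect field set to disable and every disabled, skipExecSessions or learningDisabled switch set to true, so a defender can spot rules that silently turn protections off. The sample policy is constructed, not captured from a Console.

```python
import json

# Constructed sample of a GET /policies/runtime/container response (not taken
# from a live Console); the single rule leaves several protections switched off.
SAMPLE_POLICY = json.loads("""{
  "_id": "containerRuntimePolicy", "learningDisabled": false,
  "rules": [{
    "name": "prod-web", "disabled": false, "collections": [{"name": "web-tier"}],
    "advancedProtectionEffect": "alert", "cloudMetadataEnforcementEffect": "disable",
    "dns": {"disabled": true, "defaultEffect": "alert",
            "domainList": {"allowed": [], "denied": [], "effect": "prevent"}},
    "filesystem": {"disabled": false, "defaultEffect": "alert", "newFilesEffect": "disable",
                   "backdoorFilesEffect": "prevent", "deniedList": {"effect": "prevent", "paths": []}},
    "network": {"disabled": false, "defaultEffect": "alert", "rawSocketsEffect": "disable",
                "listeningPorts": {"allowed": [], "denied": [{"deny": true, "start": 22, "end": 22}],
                                   "effect": "prevent"}},
    "processes": {"disabled": false, "defaultEffect": "alert", "cryptoMinersEffect": "prevent",
                  "reverseShellEffect": "alert"},
    "skipExecSessions": true, "wildFireAnalysis": "alert"
  }]
}""")

OFF_SWITCHES = ("disabled", "skipExecSessions", "learningDisabled")


def weak_settings(node, path=""):
    """Walk a rule (or policy) and collect (dotted path, value) pairs that turn protection off:
    any *Effect / effect / wildFireAnalysis field equal to "disable", or an off switch set to true."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            sub = f"{path}.{key}" if path else key
            if key.lower().endswith("effect") or key == "wildFireAnalysis":
                if value == "disable":
                    findings.append((sub, value))
            elif key in OFF_SWITCHES and value is True:
                findings.append((sub, value))
            else:
                findings.extend(weak_settings(value, sub))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            findings.extend(weak_settings(item, f"{path}[{i}]"))
    return findings


def audit_policy(policy):
    """Return weak-setting paths keyed by rule name, with policy-level findings under "policy"."""
    top_level = {k: v for k, v in policy.items() if k != "rules"}
    report = {"policy": [p for p, _ in weak_settings(top_level)]}
    for rule in policy.get("rules", []):
        report[rule.get("name", "<unnamed>")] = [p for p, _ in weak_settings(rule)]
    return report


if __name__ == "__main__":
    for rule_name, paths in audit_policy(SAMPLE_POLICY).items():
        print(rule_name, "->", paths or "no weak settings")
```

To run it against a real Console, replace SAMPLE_POLICY with the parsed body of the cURL request shown above.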