
Get Runtime Container Policy

GET 

/api/v32.03/policies/runtime/container

x-prisma-cloud-target-env: {"permission":"policyRuntimeContainer","saas":true,"self-hosted":true}
x-public: true

Retrieves the runtime policy for containers protected by Defender. A policy consists of ordered rules.

This endpoint maps to Defend > Runtime > Container policy in the Console UI.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
'https://<CONSOLE>/api/v<VERSION>/policies/runtime/container'

A successful response returns a list of runtime rules in the policy.
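The following is an added example, not code from Prisma Cloud or its documentation: it audits a policy document of the shape returned by this endpoint and flags the settings a defender usually wants to review (disabled rules, exec sessions skipped, sections globally disabled, and effect fields set to `disable` or `alert` rather than `prevent`/`block`). The `SAMPLE_POLICY` JSON is constructed by hand for the demo; only its field names and the `runtime.RuleEffect` / `customrules.Effect` enum values are taken from the schema documented below, and every value in it is invented. The names `iter_effects` and `audit_policy` are this example's own, not part of the API.

```python
"""Audit a runtime container policy as returned by
GET /api/v<VERSION>/policies/runtime/container.

Added example; SAMPLE_POLICY is constructed to match the documented schema
and is not real Console output."""
import json

# Enum documented for runtime.RuleEffect
RULE_EFFECTS = {"block", "prevent", "alert", "disable"}
# Enum documented for customrules.Effect
CUSTOM_EFFECTS = {"block", "prevent", "alert", "allow", "ban", "disable"}

SAMPLE_POLICY = json.loads("""
{
  "_id": "containerRuntimePolicy",
  "learningDisabled": false,
  "rules": [
    {
      "name": "Default - alert on suspicious runtime behavior",
      "disabled": false,
      "advancedProtectionEffect": "alert",
      "cloudMetadataEnforcementEffect": "disable",
      "kubernetesEnforcementEffect": "alert",
      "wildFireAnalysis": "alert",
      "skipExecSessions": true,
      "collections": [{"name": "All", "containers": ["*"], "images": ["*"]}],
      "customRules": [{"_id": 33, "action": "audit", "effect": "allow"}],
      "dns": {"disabled": false, "defaultEffect": "alert",
              "domainList": {"allowed": [], "denied": [], "effect": "alert"}},
      "filesystem": {"disabled": false, "defaultEffect": "alert",
                     "backdoorFilesEffect": "prevent",
                     "encryptedBinariesEffect": "alert",
                     "newFilesEffect": "disable",
                     "suspiciousELFHeadersEffect": "alert",
                     "deniedList": {"effect": "alert", "paths": []}},
      "network": {"disabled": false, "defaultEffect": "alert",
                  "deniedIPsEffect": "alert", "modifiedProcEffect": "alert",
                  "portScanEffect": "alert", "rawSocketsEffect": "alert",
                  "listeningPorts": {"effect": "alert", "allowed": [], "denied": []},
                  "outboundPorts": {"effect": "alert", "allowed": [], "denied": []}},
      "processes": {"disabled": false, "defaultEffect": "alert",
                    "checkParentChild": false,
                    "cryptoMinersEffect": "prevent",
                    "lateralMovementEffect": "alert",
                    "modifiedProcessEffect": "alert",
                    "reverseShellEffect": "disable",
                    "suidBinariesEffect": "alert",
                    "deniedList": {"effect": "alert", "paths": []}},
      "modified": "2024-01-01T00:00:00Z",
      "owner": "admin"
    },
    {"name": "Legacy rule", "disabled": true, "advancedProtectionEffect": "block"}
  ]
}
""")


def iter_effects(node, path=""):
    """Yield (json_path, value) for every runtime.RuleEffect field in a rule.

    In the documented schema those fields are named *Effect, defaultEffect,
    effect or wildFireAnalysis. customRules[].effect uses a different enum
    (customrules.Effect) and is skipped here and checked separately."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if key == "customRules":
                continue
            is_effect_key = key.endswith("Effect") or key in ("effect", "wildFireAnalysis")
            if isinstance(value, str) and is_effect_key:
                yield child, value
            else:
                yield from iter_effects(value, child)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_effects(item, f"{path}[{i}]")


def audit_policy(policy):
    """Return a list of human-readable findings for a container runtime policy."""
    findings = []
    if policy.get("learningDisabled"):
        findings.append("policy: automatic behavioural learning is disabled")
    for idx, rule in enumerate(policy.get("rules", [])):
        label = f"rules[{idx}] '{rule.get('name', '?')}'"
        if rule.get("disabled"):
            findings.append(f"{label}: rule is disabled and enforces nothing")
            continue  # nothing inside a disabled rule takes effect
        if rule.get("skipExecSessions"):
            findings.append(f"{label}: skipExecSessions=true, docker/kubectl exec events are not validated")
        for section in ("dns", "filesystem", "network", "processes"):
            if rule.get(section, {}).get("disabled"):
                findings.append(f"{label}: {section} rule is globally disabled")
        for path, effect in iter_effects(rule):
            if effect not in RULE_EFFECTS:
                findings.append(f"{label}: {path}={effect!r} is not a documented RuleEffect")
            elif effect == "disable":
                findings.append(f"{label}: {path}=disable (protection turned off)")
            elif effect == "alert":
                findings.append(f"{label}: {path}=alert (alert only, not enforced)")
        for cr in rule.get("customRules", []):
            if cr.get("effect") not in CUSTOM_EFFECTS:
                findings.append(f"{label}: customRules _id={cr.get('_id')} effect={cr.get('effect')!r} is not a documented Effect")
    return findings


if __name__ == "__main__":
    # In practice, feed this the JSON body from the cURL request above.
    for line in audit_policy(SAMPLE_POLICY):
        print(line)
```

Because a rule with `disabled: true` contributes nothing at runtime, the audit reports it once and skips its effect fields; everything else is reported per JSON path so a finding can be mapped straight back to the field in Defend > Runtime > Container policy.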

Request

Responses

ContainerPolicy represents a runtime policy enforced for a given running resource

Schema
    _id string

    Internal identifier.

    learningDisabled boolean

    Indicates whether automatic behavioural learning is enabled (true) or not (false).

    rules object[]

    Rules in the policy.

  • Array [
  • advancedProtectionEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    cloudMetadataEnforcementEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    collections object[]

    List of collections. Used to scope the rule.

  • Array [
  • accountIDs string[]

    List of account IDs.

    appIDs string[]

    List of application IDs.

    clusters string[]

    List of Kubernetes cluster names.

    color common.Color

    Color is a hexadecimal representation of color code value

    containers string[]

    List of containers.

    description string

    Free-form text.

    functions string[]

    List of functions.

    hosts string[]

    List of hosts.

    images string[]

    List of images.

    labels string[]

    List of labels.

    modified date-time

    Datetime when the collection was last modified.

    name string

    Collection name. Must be unique.

    namespaces string[]

    List of Kubernetes namespaces.

    owner string

    User who created or last modified the collection.

    prisma boolean

    Indicates whether this collection originates from Prisma Cloud.

    system boolean

    Indicates whether this collection was created by the system (i.e., a non-user) (true) or a real user (false).

  • ]
  • customRules object[]

    List of custom runtime rules.

  • Array [
  • _id integer

    Custom rule ID.

    action customrules.Action

    Possible values: [audit,incident]

    Action is the action to perform if the custom rule applies

    effect customrules.Effect

    Possible values: [block,prevent,alert,allow,ban,disable]

    Effect is the effect that will be used for custom rule

  • ]
  • disabled boolean

    Indicates if the rule is currently disabled (true) or not (false).

    dns object

    ContainerDNSRule is the DNS runtime rule for container

    defaultEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    disabled boolean

    Disabled is a global disable switch for the DNS rule.

    domainList object

    DNSListRule represents an explicitly allowed/denied domains list rule

    allowed string[]

    Allowed is the list of allow-listed domain names.

    denied string[]

    Denied is the list of deny-listed domain names.

    effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    filesystem object

    ContainerFilesystemRule represents restrictions/suppression for filesystem changes

    allowedList string[]

    AllowedList is the list of allowed file system paths.

    backdoorFilesEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    defaultEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    deniedList object

    DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect

    effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    paths string[]

    Paths are the paths to alert/prevent when an event with one of the paths is triggered.

    disabled boolean

    Disabled is a global disable switch for the filesystem rule.

    encryptedBinariesEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    newFilesEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    suspiciousELFHeadersEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    kubernetesEnforcementEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    modified date-time

    Datetime when the rule was last modified.

    name string

    Name of the rule.

    network object

    ContainerNetworkRule represents the restrictions/suppression for networking

    allowedIPs string[]

    AllowedIPs is the list of allow-listed IP addresses.

    defaultEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    deniedIPs string[]

    DeniedIPs is the list of deny-listed IP addresses.

    deniedIPsEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    disabled boolean

    Disabled is a global disable switch for the network rule.

    listeningPorts object

    PortListRule represents a rule containing ports to allow/deny and the required effect.

    allowed object[]

    Allowed is the list of allow-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    .

    start integer

    .

  • ]
  • denied object[]

    Denied is the list of deny-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    .

    start integer

    .

  • ]
  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    modifiedProcEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    outboundPorts object

    PortListRule represents a rule containing ports to allow/deny and the required effect.

    allowed object[]

    Allowed is the list of allow-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    .

    start integer

    .

  • ]
  • denied object[]

    Denied is the list of deny-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    .

    start integer

    .

  • ]
  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    portScanEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    rawSocketsEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    notes string

    Free-form text.

    owner string

    User who created or last modified the rule.

    previousName string

    Previous name of the rule. Required for rule renaming.

    processes object

    ContainerProcessesRule represents restrictions/suppression for running processes

    allowedList string[]

    AllowedList is the list of processes to allow.

    checkParentChild boolean

    Indicates whether parent-child relationship checking is enabled when comparing spawned processes against the model.

    cryptoMinersEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    defaultEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    deniedList object

    DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect

    effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    paths string[]

    Paths are the paths to alert/prevent when an event with one of the paths is triggered.

    disabled boolean

    Disabled is a global disable switch for the processes rule.

    lateralMovementEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    modifiedProcessEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    reverseShellEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    suidBinariesEffect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    skipExecSessions boolean

    Indicates whether to skip runtime validation for events triggered by docker/kubectl exec.

    wildFireAnalysis runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • ]