
Add Runtime App-embedded Policy

POST /api/v32.04/policies/runtime/app-embedded

x-prisma-cloud-target-env: {"permission":"policyRuntimeServerless","saas":true,"self-hosted":true}
x-public: true

Adds a runtime policy for app-embedded deployments.

This endpoint maps to the Add rule button in Defend > Runtime > App-Embedded policy in the Console UI.

cURL Request

The following cURL command adds a single rule to your policy.

$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/runtime/app-embedded' \
  -k \
  -X POST \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d \
  '{
    "name": "my-rule",
    "collections": [
      {
        "name": "All"
      }
    ],
    "processes": {
      "effect": "alert"
    },
    "network": {
      "effect": "alert",
      "blacklistIPs": [],
      "blacklistListeningPorts": [],
      "whitelistListeningPorts": [],
      "blacklistOutboundPorts": [],
      "whitelistOutboundPorts": [
        {
          "start": 4312,
          "end": 4555,
          "deny": false
        }
      ],
      "whitelistIPs": []
    },
    "dns": {
      "effect": "prevent",
      "whitelist": [],
      "blacklist": []
    }
  }'

Note: No response will be returned upon successful execution.
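The following Python script is an added example (not part of this reference page or of the product's own tooling) that builds the same rule body as the cURL command above, checks it against the constraints documented in the Request Body section before sending it, and then POSTs it with HTTP Basic authentication. Unlike the cURL example, which passes -k, the helper keeps TLS certificate verification on and accepts an optional CA bundle for a Console with a private CA. The enum sets are copied from the "Possible values" entries below; the port bound of 1-65535 and the start-before-end rule are this example's own assumptions, as are the function and parameter names.

```python
"""Build, validate and submit an app-embedded runtime rule.

Added example; the field names follow the request body documented on the
page, the helper names and the port-range bounds are assumptions.
"""
import base64
import json
import os
import ssl
import urllib.request

# Documented "Possible values" for runtime.RuleEffect (processes/network/dns/filesystem).
RULE_EFFECTS = {"block", "prevent", "alert", "disable"}
# Documented values for customrules.Action and customrules.Effect.
CUSTOM_RULE_ACTIONS = {"audit", "incident"}
CUSTOM_RULE_EFFECTS = {"block", "prevent", "alert", "allow", "ban", "disable"}
# Assumed: valid TCP/UDP port numbers; the page does not state the bounds.
PORT_MIN, PORT_MAX = 1, 65535


def port_range(start, end, deny=False):
    """One entry of the *ListeningPorts / *OutboundPorts arrays."""
    return {"start": start, "end": end, "deny": deny}


def build_rule(name, collections=("All",), process_effect="alert",
               network_effect="alert", dns_effect="prevent",
               outbound_allow=(), dns_blacklist=()):
    """Return a rule body shaped like the cURL example on the page."""
    return {
        "name": name,
        "collections": [{"name": c} for c in collections],
        "processes": {"effect": process_effect},
        "network": {
            "effect": network_effect,
            "blacklistIPs": [],
            "blacklistListeningPorts": [],
            "whitelistListeningPorts": [],
            "blacklistOutboundPorts": [],
            "whitelistOutboundPorts": list(outbound_allow),
            "whitelistIPs": [],
        },
        "dns": {"effect": dns_effect, "whitelist": [], "blacklist": list(dns_blacklist)},
    }


def validate_rule(rule):
    """Return a list of problems; an empty list means the body passes local checks."""
    errors = []
    if not rule.get("name"):
        errors.append("name is required")
    if not rule.get("collections"):
        errors.append("at least one collection is required to scope the rule")
    # Every section that carries an effect must use a documented RuleEffect value.
    for section in ("processes", "network", "dns", "filesystem"):
        sec = rule.get(section)
        if sec is not None and sec.get("effect") not in RULE_EFFECTS:
            errors.append(f"{section}.effect {sec.get('effect')!r} not in {sorted(RULE_EFFECTS)}")
    # Port-range objects: integer start/end within bounds, start <= end, boolean deny.
    net = rule.get("network", {})
    for key in ("blacklistListeningPorts", "whitelistListeningPorts",
                "blacklistOutboundPorts", "whitelistOutboundPorts"):
        for i, pr in enumerate(net.get(key, [])):
            s, e = pr.get("start"), pr.get("end")
            if not (isinstance(s, int) and isinstance(e, int)
                    and PORT_MIN <= s <= e <= PORT_MAX):
                errors.append(f"network.{key}[{i}]: invalid port range {s}-{e}")
            if not isinstance(pr.get("deny"), bool):
                errors.append(f"network.{key}[{i}]: deny must be a boolean")
    # Custom rules use their own enums.
    for i, cr in enumerate(rule.get("customRules", [])):
        if cr.get("action") not in CUSTOM_RULE_ACTIONS:
            errors.append(f"customRules[{i}].action {cr.get('action')!r} not in {sorted(CUSTOM_RULE_ACTIONS)}")
        if cr.get("effect") not in CUSTOM_RULE_EFFECTS:
            errors.append(f"customRules[{i}].effect {cr.get('effect')!r} not in {sorted(CUSTOM_RULE_EFFECTS)}")
    return errors


def post_rule(console, version, user, password, rule, ca_bundle=None):
    """POST the rule; returns the HTTP status (the endpoint sends no body on success)."""
    url = f"https://{console}/api/v{version}/policies/runtime/app-embedded"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url, data=json.dumps(rule).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Basic {token}"})
    # Certificate verification stays on; pass ca_bundle for a privately signed Console cert.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    rule = build_rule("my-rule", outbound_allow=[port_range(4312, 4555)])
    problems = validate_rule(rule)
    if problems:
        raise SystemExit("\n".join(problems))
    print(json.dumps(rule, indent=2))
    # Only submit when connection details are supplied via the environment.
    if all(os.environ.get(k) for k in ("CONSOLE", "VERSION", "PC_USER", "PC_PASS")):
        print(post_rule(os.environ["CONSOLE"], os.environ["VERSION"],
                        os.environ["PC_USER"], os.environ["PC_PASS"], rule,
                        os.environ.get("PC_CA_BUNDLE")))
```

Run it without environment variables to see the validated body printed; set CONSOLE, VERSION, PC_USER and PC_PASS (and PC_CA_BUNDLE if needed) to submit. Validating locally catches an out-of-enum effect or a reversed port range before it reaches the Console, where a rejected or silently ignored field would otherwise leave a workload less protected than intended.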

Request

Body

    advancedProtection boolean

    Indicates whether advanced protection (e.g., custom or premium feeds for container, added whitelist rules for serverless) is enabled (true) or not (false).

    collections object[]

    List of collections. Used to scope the rule.

  • Array [
  • accountIDs string (string)[]

    List of account IDs.

    appIDs string (string)[]

    List of application IDs.

    clusters string (string)[]

    List of Kubernetes cluster names.

    color common.Color (string)

    Color is a hexadecimal representation of the color code value.

    containers string (string)[]

    List of containers.

    description string

    Free-form text.

    functions string (string)[]

    List of functions.

    hosts string (string)[]

    List of hosts.

    images string (string)[]

    List of images.

    labels string (string)[]

    List of labels.

    modified date-time

    Datetime when the collection was last modified.

    name string

    Collection name. Must be unique.

    namespaces string (string)[]

    List of Kubernetes namespaces.

    owner string

    User who created or last modified the collection.

    prisma boolean

    Indicates whether this collection originates from Prisma Cloud.

    system boolean

    Indicates whether this collection was created by the system (i.e., not by a user) (true) or by a real user (false).

  • ]
  • customRules object[]

    List of custom runtime rules.

  • Array [
  • _id integer

    Custom rule ID.

    action customrules.Action (string)

    Possible values: [audit,incident]

    Action is the action to perform if the custom rule applies

    effect customrules.Effect (string)

    Possible values: [block,prevent,alert,allow,ban,disable]

    Effect is the effect that will be used for custom rule

  • ]
  • disabled boolean

    Indicates if the rule is currently disabled (true) or not (false).

    dns object

    DNSRule is the DNS runtime rule

    blacklist string (string)[]

    List of deny-listed domain names (e.g., www.bad-url.com, *.bad-url.com).

    effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    whitelist string (string)[]

    List of allow-listed domain names (e.g., *.gmail.com, .s3..amazon.com).

    filesystem object

    FilesystemRule represents restrictions/suppression for filesystem changes

    backdoorFiles boolean

    Monitors files that can create and/or persist backdoors (currently SSH and admin account config files) (true).

    blacklist string (string)[]

    List of denied file system paths.

    checkNewFiles boolean

    Detects changes to binaries and certificates (true).

    effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    skipEncryptedBinaries boolean

    Indicates that encrypted binaries check should be skipped.

    suspiciousELFHeaders boolean

    Indicates whether malware detection based on suspicious ELF headers is enabled.

    whitelist string (string)[]

    List of allowed file system paths.

    modified date-time

    Datetime when the rule was last modified.

    name string

    Name of the rule.

    network object

    NetworkRule represents the restrictions/suppression for networking

    blacklistIPs string (string)[]

    Deny-listed IP addresses.

    blacklistListeningPorts object[]

    Deny-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    start integer

  • ]
  • blacklistOutboundPorts object[]

    Deny-listed outbound ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    start integer

  • ]
  • effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    whitelistIPs string (string)[]

    Allow-listed IP addresses.

    whitelistListeningPorts object[]

    Allow-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    start integer

  • ]
  • whitelistOutboundPorts object[]

    Allow-listed outbound ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    start integer

  • ]
  • notes string

    Free-form text.

    owner string

    User who created or last modified the rule.

    previousName string

    Previous name of the rule. Required for rule renaming.

    processes object

    ProcessesRule represents restrictions/suppression for running processes

    blacklist string (string)[]

    List of processes to deny.

    blockAllBinaries boolean

    Indicates that all processes are blocked except the main process.

    checkCryptoMiners boolean

    Detect crypto miners.

    checkLateralMovement boolean

    Indicates whether detection of processes that can be used for lateral movement exploits is enabled.

    checkNewBinaries boolean

    Indicates whether binaries which do not belong to the original image are allowed to run.

    effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    skipModified boolean

    Indicates whether to trigger audits/incidents when a modified process is spawned.

    whitelist string (string)[]

    List of processes to allow.

    wildFireAnalysis runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

Responses

OK
