
Update Runtime Container Policy

PUT

/api/v32.07/policies/runtime/container

x-prisma-cloud-target-env: {"permission":"policyRuntimeContainer"}

Updates the runtime policy for containers. The request body replaces the entire policy in a single shot: every rule you want to keep must be present in the body, because any rule omitted from it is removed.

Prisma Cloud automatically builds allow-list security models for each container image in your environment. Use runtime container rules to augment the rules in those models. Manually defined rules augment learned models as follows:

Policy (allowed) = Manual rules (explicitly allowed) + Model (all learned behavior) - Manual rules (explicitly denied)

This endpoint maps to the Add rule button in Defend > Runtime > Container policy in the Console UI.
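The formula above is the key to understanding how a manual rule interacts with a learned model: a denied path wins even if the model learned it, and an allowed path is accepted even if the model never saw it. The following is an added illustration of that arithmetic for process events, not Prisma Cloud code. It uses the field names of this endpoint's request body (processes.allowedList, processes.deniedList.paths, processes.deniedList.effect, processes.defaultEffect) and makes two assumptions the page does not state: paths are compared exactly, and the denied list takes precedence over both the allow list and the learned model.

```python
"""Effective-policy evaluator for the allow-list model described on this page.

Added illustration, not Prisma Cloud code.  It encodes the stated rule
    Policy (allowed) = Manual allowed + Model (learned) - Manual denied
for process events.  Assumptions (not from the page): exact path matching, and
an explicit deny wins over both the allow list and the learned model.
"""
from dataclasses import dataclass, field

# runtime.RuleEffect values listed in the request body schema
RULE_EFFECTS = ("block", "prevent", "alert", "disable")


@dataclass
class ProcessesRule:
    """Subset of the `processes` object of a container runtime rule."""
    allowedList: list = field(default_factory=list)   # processes.allowedList
    deniedPaths: list = field(default_factory=list)   # processes.deniedList.paths
    deniedEffect: str = "prevent"                     # processes.deniedList.effect
    defaultEffect: str = "alert"                      # processes.defaultEffect

    def __post_init__(self):
        for eff in (self.deniedEffect, self.defaultEffect):
            if eff not in RULE_EFFECTS:
                raise ValueError(f"invalid runtime.RuleEffect: {eff!r}")


def effective_allow_list(model: set, rule: ProcessesRule) -> set:
    """Manual allowed + learned model - manual denied."""
    return (set(model) | set(rule.allowedList)) - set(rule.deniedPaths)


def decide(process_path: str, model: set, rule: ProcessesRule) -> str:
    """Return the effect applied to a spawned process.

    The string 'allow' is a label used only here for a process that is in the
    effective allow list; it is not a runtime.RuleEffect value.
    """
    if process_path in rule.deniedPaths:
        return rule.deniedEffect           # explicit deny wins, even if learned
    if process_path in effective_allow_list(model, rule):
        return "allow"                     # learned or explicitly allowed
    return rule.defaultEffect              # unknown behaviour: defaultEffect applies


# Constructed sample: a learned model for a web-server image plus a manual rule.
LEARNED_MODEL = {"/usr/sbin/nginx", "/bin/sh", "/usr/bin/curl"}
RULE = ProcessesRule(
    allowedList=["/usr/bin/logrotate"],              # never learned, manually allowed
    deniedPaths=["/usr/bin/curl", "/usr/bin/wget"],  # curl was learned, but is denied
    deniedEffect="prevent",
    defaultEffect="alert",
)

if __name__ == "__main__":
    for p in ("/usr/sbin/nginx", "/usr/bin/logrotate", "/usr/bin/curl", "/usr/bin/nc"):
        print(f"{p:22} -> {decide(p, LEARNED_MODEL, RULE)}")
```

Running the block shows nginx (learned) and logrotate (manually allowed) passing, curl being prevented despite having been learned, and nc falling through to the rule's defaultEffect of alert.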

cURL Request

Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule:

$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/runtime/container' \
    -k \
    -X PUT \
    -u <USER> \
    -H 'Content-Type: application/json' \
    -d \
    '{
      "rules": [
        {
          "name": "my-rule",
          "collections": [
            {
              "name": "All"
            }
          ],
          "processes": {
            "effect": "alert"
          },
          "network": {
            "effect": "alert"
          },
          "dns": {
            "effect": "alert"
          },
          "filesystem": {
            "effect": "alert"
          }
        }
      ]
    }'

Note: On success the API returns an HTTP 200 status with an empty response body; there is no JSON to parse. Because the body you send replaces every existing rule, send the full set of rules you want to keep, not just the one you are adding or changing.
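Since a bare PUT of a one-rule body (like the cURL example above) discards every other rule in the policy, the practical way to add or change a single rule is read-modify-write: fetch the current policy, merge the rule into it, validate the result against the schema below, and PUT the whole thing back. The following script is an added example, not Prisma Cloud's own tooling. It assumes, beyond what this page states, that the current policy can be read with a GET on the same path and has the same JSON shape, and that CONSOLE, PC_USER, PC_PASS and VERSION are supplied as environment variables. The HTTP calls live only in main(); the rule-building, merging and validation functions are pure and run offline against a constructed sample policy.

```python
"""Read-modify-write helper for PUT /api/v<VERSION>/policies/runtime/container.

Added example; not Prisma Cloud's own tooling.  Assumptions not on the page:
GET on the same path returns the current policy in the same JSON shape, and
credentials come from the environment (CONSOLE, PC_USER, PC_PASS, VERSION).
"""
import base64
import copy
import json
import os
import ssl
import urllib.request

RULE_EFFECTS = {"block", "prevent", "alert", "disable"}   # runtime.RuleEffect
SECTIONS = ("processes", "network", "dns", "filesystem")


def make_rule(name, effect="alert", collections=("All",), denied_processes=(),
              denied_effect="prevent", notes=""):
    """Build a rule object using the field names from the request body schema."""
    rule = {
        "name": name,
        "notes": notes,
        "collections": [{"name": c} for c in collections],
        "processes": {"effect": effect},
        "network": {"effect": effect},
        "dns": {"effect": effect},
        "filesystem": {"effect": effect},
    }
    if denied_processes:
        rule["processes"]["deniedList"] = {
            "effect": denied_effect,
            "paths": list(denied_processes),
        }
    return rule


def validate_policy(policy):
    """Reject payloads the schema would not accept: bad effects, duplicate names."""
    names = [r["name"] for r in policy.get("rules", [])]
    dupes = {n for n in names if names.count(n) > 1}
    if dupes:
        raise ValueError(f"duplicate rule names: {sorted(dupes)}")
    for rule in policy.get("rules", []):
        for section in SECTIONS:
            body = rule.get(section, {})
            for key in ("effect", "defaultEffect"):
                if key in body and body[key] not in RULE_EFFECTS:
                    raise ValueError(f"{rule['name']}.{section}.{key}: {body[key]!r}")
            denied = body.get("deniedList", {})
            if denied.get("effect", "alert") not in RULE_EFFECTS:
                raise ValueError(f"{rule['name']}.{section}.deniedList.effect")
    return policy


def merge_rule(policy, rule, previous_name=None):
    """Return a new policy with `rule` replacing the rule of the same (or previous)
    name, or appended if none exists.  Existing rules are preserved, which a bare
    PUT of a one-rule body would not do.  Renames set previousName as required."""
    target = previous_name or rule["name"]
    new_policy = copy.deepcopy(policy)
    rules = new_policy.setdefault("rules", [])
    if previous_name:
        rule = dict(rule, previousName=previous_name)
    for i, existing in enumerate(rules):
        if existing["name"] == target:
            rules[i] = rule
            break
    else:
        rules.append(rule)
    return validate_policy(new_policy)


def _request(method, path, body=None):
    """Basic-auth JSON request; TLS is verified (do not mirror curl -k in automation)."""
    console, user, pwd = os.environ["CONSOLE"], os.environ["PC_USER"], os.environ["PC_PASS"]
    req = urllib.request.Request(f"https://{console}{path}", method=method,
                                 data=None if body is None else json.dumps(body).encode())
    token = base64.b64encode(f"{user}:{pwd}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


# Constructed sample of what a GET of the current policy might return.
EXISTING_POLICY = {"rules": [make_rule("default-alert"),
                             make_rule("payments-strict", effect="prevent")]}

if __name__ == "__main__":
    new_rule = make_rule("block-downloaders",
                         denied_processes=["/usr/bin/curl", "/usr/bin/wget"])
    path = f"/api/v{os.environ.get('VERSION', '32.07')}/policies/runtime/container"
    if "CONSOLE" in os.environ:
        _, current = _request("GET", path)                 # assumed GET; see lead-in
        status, _ = _request("PUT", path, merge_rule(current or {}, new_rule))
        print("PUT status:", status)                       # 200 with empty body on success
    else:
        print(json.dumps(merge_rule(EXISTING_POLICY, new_rule), indent=2))
```

Without CONSOLE set, the script prints the merged policy so it can be reviewed (or diffed against the current one) before anything is sent; with the variables set it performs the GET, merge and PUT. The validation step catches the two mistakes that are easy to make when hand-editing JSON: a misspelled effect value and two rules sharing a name.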

Request

Body

    advancedProtectionEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    cloudMetadataEnforcementEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    collections object[]

    List of collections. Used to scope the rule.

  • Array [
  • accountIDs string (string)[]

    List of account IDs.

    appIDs string (string)[]

    List of application IDs.

    clusters string (string)[]

    List of Kubernetes cluster names.

    color common.Color (string)

    Color is a hexadecimal representation of color code value

    containers string (string)[]

    List of containers.

    description string

    Free-form text.

    functions string (string)[]

    List of functions.

    hosts string (string)[]

    List of hosts.

    images string (string)[]

    List of images.

    labels string (string)[]

    List of labels.

    modified date-time

    Datetime when the collection was last modified.

    name string

    Collection name. Must be unique.

    namespaces string (string)[]

    List of Kubernetes namespaces.

    owner string

    User who created or last modified the collection.

    prisma boolean

    Indicates whether this collection originates from Prisma Cloud.

    system boolean

Indicates whether this collection was created by the system (i.e., a non-user) (true) or a real user (false).

  • ]
  • customRules object[]

    List of custom runtime rules.

  • Array [
  • _id integer

    Custom rule ID.

    action customrules.Action (string)

    Possible values: [audit,incident]

    Action is the action to perform if the custom rule applies

    effect customrules.Effect (string)

    Possible values: [block,prevent,alert,allow,ban,disable]

    Effect is the effect that will be used for custom rule

  • ]
  • disabled boolean

    Indicates whether the rule is currently disabled. Values: true (disabled) or false (enabled).

    dns object

    ContainerDNSRule is the DNS runtime rule for container

    defaultEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    disabled boolean

Disabled is a global disable switch for the DNS rule.

    domainList object

    DNSListRule represents an explicitly allowed/denied domains list rule

    allowed string (string)[]

Allowed is the list of allow-listed domain names.

    denied string (string)[]

Denied is the list of deny-listed domain names.

    effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    filesystem object

    ContainerFilesystemRule represents restrictions/suppression for filesystem changes

    allowedList string (string)[]

AllowedList is the list of allowed file system paths.

    backdoorFilesEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    defaultEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    deniedList object

    DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect

    effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    paths string (string)[]

Paths are the paths that trigger the alert/prevent effect when an event involves one of them.

    disabled boolean

Disabled is a global disable switch for the filesystem rule.

    encryptedBinariesEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    newFilesEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    suspiciousELFHeadersEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    kubernetesEnforcementEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    modified date-time

    Specifies the date and time when the rule was last modified.

    name string

    Name of the rule.

    network object

    ContainerNetworkRule represents the restrictions/suppression for networking

    allowedIPs string (string)[]

AllowedIPs is the list of allow-listed IP addresses.

    defaultEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    deniedIPs string (string)[]

DeniedIPs is the list of deny-listed IP addresses.

    deniedIPsEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    disabled boolean

Disabled is a global disable switch for the network rule.

    listeningPorts object

PortListRule represents a rule containing ports to be allowed/denied and the required effect

    allowed object[]

Allowed is the list of allow-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

End of the port range.

    start integer

Start of the port range.

  • ]
  • denied object[]

Denied is the list of deny-listed listening ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

End of the port range.

    start integer

Start of the port range.

  • ]
  • effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    modifiedProcEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    outboundPorts object

PortListRule represents a rule containing ports to be allowed/denied and the required effect

    allowed object[]

Allowed is the list of allow-listed outbound ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

End of the port range.

    start integer

Start of the port range.

  • ]
  • denied object[]

Denied is the list of deny-listed outbound ports.

  • Array [
  • deny boolean

    Deny indicates whether the connection is denied.

    end integer

End of the port range.

    start integer

Start of the port range.

  • ]
  • effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    portScanEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    rawSocketsEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    notes string

    Describes any noteworthy points for a rule. You can include any text.

    owner string

    User who created or last modified the rule.

    previousName string

    Previous name of the rule. Required for rule renaming.

    processes object

    ContainerProcessesRule represents restrictions/suppression for running processes

    allowedList string (string)[]

    AllowedList is the list of processes to allow.

    checkParentChild boolean

Indicates whether the parent-child relationship is checked when comparing spawned processes against the model.

    cryptoMinersEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    defaultEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    deniedList object

    DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect

    effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    paths string (string)[]

Paths are the paths that trigger the alert/prevent effect when an event involves one of them.

    disabled boolean

Disabled is a global disable switch for the processes rule.

    lateralMovementEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    modifiedProcessEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    reverseShellEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    suidBinariesEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    skipExecSessions boolean

    Indicates whether to skip runtime validation for events triggered by docker/kubectl exec.

    wildFireAnalysis runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

Responses

OK
