
Pre-validate Policy Rule

POST /policy/rule/validate

Pre-validates a policy rule without creating an actual policy.

The only request body parameters for this request are:

  • policyType - Only the following are valid values for policyType:

    • "config"
    • "network"
    • "audit_event"
    • "iam"
  • rule - The rule.criteria value is the RQL search query for the rule you want to validate. Validation of this rule implies validation of a policy you might create with this rule.

Only the parameters above apply to this request, and both of these parameters are required.

The JSON below is an example of valid request body parameters:

{
  "policyType": "config",
  "rule": {
    "criteria": "config from cloud.resource where cloud.type = 'azure' AND api.name = 'azure-security-center-settings' AND json.rule = 'autoProvisioningSettings[*].name equals default and (autoProvisioningSettings[*].properties.autoProvision equals Off or autoProvisioningSettings[*] does not exist)'"
  }
}
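The following is an added example, not code from the API documentation: a client-side check that builds the two-parameter body described above and rejects a policyType outside the four values this endpoint accepts, before anything is sent. The function names, the placeholder host `https://api.example.invalid`, the `Content-Type` header and the caller-supplied `headers` argument are assumptions; authentication is not covered on this page and is left to the caller.

```python
import json
import urllib.request

# Values this page lists as valid for the validate endpoint (narrower than the general policy model).
VALID_POLICY_TYPES = {"config", "network", "audit_event", "iam"}


def build_validate_body(policy_type, rql):
    """Return the JSON body for POST /policy/rule/validate, or raise ValueError."""
    if policy_type not in VALID_POLICY_TYPES:
        raise ValueError(f"policyType {policy_type!r} is not valid for rule validation")
    if not isinstance(rql, str) or not rql.strip():
        raise ValueError("rule.criteria must be a non-empty RQL query string")
    # Only these two parameters apply to this request; both are required.
    body = {"policyType": policy_type, "rule": {"criteria": rql}}
    # json.dumps does the quoting: single quotes in RQL need no escaping in JSON.
    return json.dumps(body)


def build_validate_request(base_url, policy_type, rql, headers=None):
    """Build (but do not send) the request; base_url and headers come from the caller."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/policy/rule/validate",
        data=build_validate_body(policy_type, rql).encode("utf-8"),
        method="POST",
    )
    req.add_header("Content-Type", "application/json")  # assumed for a JSON body
    for name, value in (headers or {}).items():
        req.add_header(name, value)
    return req


# RQL from the example request body on this page, with plain single quotes.
SAMPLE_RQL = (
    "config from cloud.resource where cloud.type = 'azure' "
    "AND api.name = 'azure-security-center-settings' AND json.rule = "
    "'autoProvisioningSettings[*].name equals default and "
    "(autoProvisioningSettings[*].properties.autoProvision equals Off "
    "or autoProvisioningSettings[*] does not exist)'"
)

if __name__ == "__main__":
    # https://api.example.invalid is a placeholder host, not a real endpoint.
    r = build_validate_request("https://api.example.invalid", "config", SAMPLE_RQL)
    print(r.get_method(), r.full_url)
    print(r.data.decode("utf-8"))
```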

Request

Body

required

Model for Policy

    cloudType string

    Possible values: [ALL, AWS, AZURE, GCP, ALIBABA_CLOUD, OCI, IBM]

    Cloud type (Required for config policies). Not case-sensitive. Default is ALL.

    complianceMetadata object[]

    List of compliance data. Each item has compliance standard, requirement, and/or section information.

  • Array [
  • complianceId string

    Compliance Section UUID

    customAssigned boolean
    policyId string

    Policy ID

    requirementDescription string

    Requirement description

    requirementId string

    Requirement ID

    requirementName string

    Requirement name

    sectionDescription string

    Section name

    sectionId string

    Section Id

    sectionLabel string

    Section Label

    standardDescription string

    Compliance standard description

    standardId string
    standardName string

    Compliance standard name

  • ]
  • description string

    Policy description

    enabled boolean

    true=enabled. false=disabled.

    findingTypes string[]

    Finding Type

    labels string[]

    Labels

    name string required

    Policy name

    policyType string required

    Possible values: [config, network, audit_event, anomaly, data, iam, workload_vulnerability, workload_incident, api, attack_path, malware, grayware]

    Policy type. Policy type anomaly is read-only.

    recommendation string

    Remediation recommendation

    remediation object

    Model for Remediation

    actions object[]

    Policy Action

  • Array [
  • operation string
    payload string
  • ]
  • cliScriptTemplate string

    CLI Script Template

    description string

    Description

    rule object required

    Model for Rule

    criteria string required

    Saved search ID that defines the rule criteria.

    dataCriteria object

    Criteria for Rule

    classificationResult string

    Data policy. Required for DLP rule criteria.

    exposure string

    Possible values: [private, public, conditional]

    File exposure

    extension string[]

    File extensions

    name string required

    Name

    parameters object required

    Parameters (e.g. {"savedSearch": "true"})

    property name* string
    type string required

    Possible values: [Config, Network, AuditEvent, DLP, IAM, NetworkConfig]

    Type of rule or RQL query

    severity string required

    Possible values: [high, medium, low]

    Severity

Responses

successful operation
