Get Custom Rules
x-prisma-cloud-target-env: {"permission":"policyCustomRules","saas":true,"self-hosted":true}
x-public: true
Retrieves a list of all custom rules.
This endpoint maps to the policy table in Defend > Custom rules in the Console UI.
cURL Request
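Refer to the following example cURL command that retrieves all rules in the policy. The -k option turns off TLS certificate verification, so drop it when the client already trusts the Console certificate.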
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
'https://<CONSOLE>/api/v<VERSION>/custom-rules'
A successful response returns a list of custom rules in the policy.
Responses: 200, default
Content type: application/json
Schema
- Array [
- _id integer
Rule ID. Must be unique.
- attackTechniques mitre.Technique[]
List of attack techniques.
Possible values: [exploitationForPrivilegeEscalation, exploitPublicFacingApplication, applicationExploitRCE, networkServiceScanning, endpointDenialOfService, exfiltrationGeneral, systemNetworkConfigurationDiscovery, unsecuredCredentials, credentialDumping, systemInformationDiscovery, systemNetworkConnectionDiscovery, systemUserDiscovery, accountDiscovery, cloudInstanceMetadataAPI, accessKubeletMainAPI, queryKubeletReadonlyAPI, accessKubernetesAPIServer, softwareDeploymentTools, ingressToolTransfer, lateralToolTransfer, commandAndControlGeneral, resourceHijacking, manInTheMiddle, nativeBinaryExecution, foreignBinaryExecution, createAccount, accountManipulation, abuseElevationControlMechanisms, supplyChainCompromise, obfuscatedFiles, hijackExecutionFlow, impairDefences, scheduledTaskJob, exploitationOfRemoteServices, eventTriggeredExecution, accountAccessRemoval, privilegedContainer, writableVolumes, execIntoContainer, softwareDiscovery, createContainer, kubernetesSecrets, fileAndDirectoryDiscovery, masquerading, webShell, compileAfterDelivery]
- description string
Description of the rule.
- message string
Macro that is printed as part of the audit/incident message.
- minVersion string
Minimum version required to support the rule.
- modified int64
Datetime when the rule was created or last modified.
- name string
Name of the rule.
- owner string
User who created or modified the rule.
- script string
Custom script.
- type customrules.Type
Type of the custom rule.
Possible values: [processes, filesystem, network-outgoing, kubernetes-audit, waas-request, waas-response]
- vulnIDs string[]
List of vulnerability IDs.
- ]
Example (from schema)
[
  {
    "_id": 0,
    "attackTechniques": [
      "exploitationForPrivilegeEscalation",
      "exploitPublicFacingApplication",
      "applicationExploitRCE",
      "networkServiceScanning",
      "endpointDenialOfService",
      "exfiltrationGeneral",
      "systemNetworkConfigurationDiscovery",
      "unsecuredCredentials",
      "credentialDumping",
      "systemInformationDiscovery",
      "systemNetworkConnectionDiscovery",
      "systemUserDiscovery",
      "accountDiscovery",
      "cloudInstanceMetadataAPI",
      "accessKubeletMainAPI",
      "queryKubeletReadonlyAPI",
      "accessKubernetesAPIServer",
      "softwareDeploymentTools",
      "ingressToolTransfer",
      "lateralToolTransfer",
      "commandAndControlGeneral",
      "resourceHijacking",
      "manInTheMiddle",
      "nativeBinaryExecution",
      "foreignBinaryExecution",
      "createAccount",
      "accountManipulation",
      "abuseElevationControlMechanisms",
      "supplyChainCompromise",
      "obfuscatedFiles",
      "hijackExecutionFlow",
      "impairDefences",
      "scheduledTaskJob",
      "exploitationOfRemoteServices",
      "eventTriggeredExecution",
      "accountAccessRemoval",
      "privilegedContainer",
      "writableVolumes",
      "execIntoContainer",
      "softwareDiscovery",
      "createContainer",
      "kubernetesSecrets",
      "fileAndDirectoryDiscovery",
      "masquerading",
      "webShell",
      "compileAfterDelivery"
    ],
    "description": "string",
    "message": "string",
    "minVersion": "string",
    "modified": 0,
    "name": "string",
    "owner": "string",
    "script": "string",
    "type": "processes",
    "vulnIDs": [
      "string"
    ]
  }
]
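Added example, not part of the Prisma Cloud documentation: a Python review of a decoded response from this endpoint. It counts rules per type and flags duplicate _id values, types outside the list documented above, rules with no attackTechniques, and empty scripts. The function name audit_custom_rules and the sample response are constructed for illustration.

```python
import json
from collections import Counter

# Values of customrules.Type listed in the schema above.
RULE_TYPES = {"processes", "filesystem", "network-outgoing",
              "kubernetes-audit", "waas-request", "waas-response"}


def audit_custom_rules(rules):
    """Return (per-type counts, findings) for a decoded custom-rules response."""
    counts, findings, seen_ids = Counter(), [], set()
    for rule in rules:
        rid = rule.get("_id")
        label = f"rule {rid} ({rule.get('name', '')})"
        # The schema states that _id must be unique.
        if rid in seen_ids:
            findings.append(f"{label}: duplicate _id")
        seen_ids.add(rid)
        rtype = rule.get("type")
        if isinstance(rtype, str) and rtype in RULE_TYPES:
            counts[rtype] += 1
        else:
            findings.append(f"{label}: unexpected type {rtype!r}")
        # A rule with no technique mapping is a gap in coverage reporting.
        if not rule.get("attackTechniques"):
            findings.append(f"{label}: no attackTechniques mapped")
        if not (rule.get("script") or "").strip():
            findings.append(f"{label}: empty script")
    return dict(counts), findings


# Constructed sample response, not real Console output.
SAMPLE = json.loads("""[
 {"_id": 1, "name": "shell-in-container", "type": "processes",
  "attackTechniques": ["execIntoContainer"], "script": "<rule expression>",
  "owner": "alice", "modified": 0},
 {"_id": 2, "name": "egress-watch", "type": "network-outgoing",
  "attackTechniques": [], "script": "<rule expression>",
  "owner": "bob", "modified": 0},
 {"_id": 2, "name": "legacy", "type": "host", "script": "",
  "owner": "bob", "modified": 0}
]""")

if __name__ == "__main__":
    type_counts, problems = audit_custom_rules(SAMPLE)
    print(type_counts)
    for line in problems:
        print(line)
```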