Skip to main content

Update Runtime Host Policy

PUT 
/api/v32.04/policies/runtime/host
x-prisma-cloud-target-env: {"permission":"policyRuntimeHosts","saas":true,"self-hosted":true}
x-public: true

Updates the runtime policy for hosts protected by Defender. All rules in the policy are updated in a single shot.

This endpoint maps to the Add rule button in Defend > Runtime > Host policy in the Console UI.

cURL Request

Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule:

$ curl 'https://<CONSOLE>/api/v<VERSION>/policies/runtime/host' \
  -k \
  -X PUT \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -d \
'{
   "rules":[
      {
         "name":"my-rule",
         "collections":[
            {
               "name":"All"       
            }
         ],
         "advancedProtection":"alert",
         "processes":{
            "effect":"alert"
         },
         "network":{
            "effect":"disable"
         },
         "dns":{
            "effect":"disable"
         }
      }
   ]
}'

Note: No response will be returned upon successful execution.

Request

Body

    _id string

    ID is the host runtime policy internal id.

    owner string

    Owner is the host runtime policy owner.

    rules object[]

    Rules is the list of host runtime rules.

  • Array [
    • antiMalware object

    AntiMalwareRule represents restrictions/suppression for suspected anti-malware

    allowedProcesses string (string)[]

    AllowedProcesses contains paths of files and processes for which we skip anti-malware checks.

    cryptoMiner runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    customFeed runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    deniedProcesses object

    DenyListRule represents a rule containing paths of files and processes to alert/prevent and the required effect

    effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    paths string (string)[]

    Paths are the paths to alert/prevent when an event with one of the paths is triggered.

    detectCompilerGeneratedBinary boolean

    DetectCompilerGeneratedBinary represents what happens when a compiler service writes a binary.

    encryptedBinaries runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    executionFlowHijack runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    intelligenceFeed runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    reverseShell runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    serviceUnknownOriginBinary runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    skipSSHTracking boolean

    SkipSSHTracking indicates whether host SSH tracking should be skipped.

    suspiciousELFHeaders runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    tempFSProc runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    userUnknownOriginBinary runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    webShell runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    wildFireAnalysis runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    collections object[]

    Collections is a list of collections the rule applies to.

  • Array [
    • accountIDs string (string)[]

    List of account IDs.

    appIDs string (string)[]

    List of application IDs.

    clusters string (string)[]

    List of Kubernetes cluster names.

    color common.Color (string)

    Color is a hexadecimal representation of color code value

    containers string (string)[]

    List of containers.

    description string

    Free-form text.

    functions string (string)[]

    List of functions.

    hosts string (string)[]

    List of hosts.

    images string (string)[]

    List of images.

    labels string (string)[]

    List of labels.

    modified date-time

    Datetime when the collection was last modified.

    name string

    Collection name. Must be unique.

    namespaces string (string)[]

    List of Kubernetes namespaces.

    owner string

    User who created or last modified the collection.

    prisma boolean

    Indicates whether this collection originates from Prisma Cloud.

    system boolean

    Indicates whether this collection was created by the system (i.e., a non user) (true) or a real user (false).

  • ]
    • customRules object[]

    CustomRules is a list of custom rules associated with the container runtime policy.

  • Array [
    • _id integer

    Custom rule ID.

    action customrules.Action (string)

    Possible values: [audit,incident]

    Action is the action to perform if the custom rule applies

    effect customrules.Effect (string)

    Possible values: [block,prevent,alert,allow,ban,disable]

    Effect is the effect that will be used for custom rule

  • ]
    • disabled boolean

    Indicates if the rule is currently disabled (true) or not (false).

    dns object

    HostDNSRule represents a host DNS runtime rule

    allow string (string)[]

    Allow is a list of user-defined domains to skip checks for.

    deny string (string)[]

    Deny is a list of user-defined domains to deny.

    denyListEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    intelligenceFeed runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    fileIntegrityRules object[]

    FileIntegrityRules are the file integrity monitoring rules.

  • Array [
    • dir boolean

    Dir indicates that the path is a directory.

    exclusions string (string)[]

    Exclusions are filenames that should be ignored while generating audits These filenames may contain a wildcard regex pattern, e.g. foo*.log, *.cache.

    metadata boolean

    Metadata indicates that metadata changes should be monitored (e.g. chmod, chown).

    path string

    Path is the path to monitor.

    procWhitelist string (string)[]

    ProcWhitelist are the processes to ignore Filesystem events caused by these processes DO NOT generate file integrity events.

    read boolean

    Read indicates that reads operations should be monitored.

    recursive boolean

    Recursive indicates that monitoring should be recursive.

    write boolean

    Write indicates that write operations should be monitored.

  • ]
    • forensic object

    HostForensicSettings indicates how to perform host forensic

    activitiesDisabled boolean

    ActivitiesDisabled indicates if the host activity collection is enabled/disabled.

    dockerEnabled boolean

    DockerEnabled indicates whether docker commands are collected.

    readonlyDockerEnabled boolean

    ReadonlyDockerEnabled indicates whether docker readonly commands are collected.

    serviceActivitiesEnabled boolean

    ServiceActivitiesEnabled indicates whether activities from services are collected.

    sshdEnabled boolean

    SshdEnabled indicates whether ssh commands are collected.

    sudoEnabled boolean

    SudoEnabled indicates whether sudo commands are collected.

    logInspectionRules object[]

    LogInspectionRules is a list of log inspection rules.

  • Array [
    • path string

    Path is the log path.

    regex string (string)[]

    Regex are the regular expressions associated with the rule if it is a custom one.

  • ]
    • modified date-time

    Datetime when the rule was last modified.

    name string

    Name of the rule.

    network object

    HostNetworkRule represents the restrictions/suppression for host networking

    allowedOutboundIPs string (string)[]

    AllowedOutboundIPs is a list of IPs to skip checks for.

    customFeed runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    deniedListeningPorts object[]

    DeniedListeningPorts is a list of listening ports to deny.

  • Array [
    • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    .

    start integer

    .

  • ]
    • deniedOutboundIPs string (string)[]

    DeniedOutboundIPs is a list of outbound IPs to deny.

    deniedOutboundPorts object[]

    DeniedOutboundPorts is a list of outbound ports to deny.

  • Array [
    • deny boolean

    Deny indicates whether the connection is denied.

    end integer

    .

    start integer

    .

  • ]
    • denyListEffect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    intelligenceFeed runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    notes string

    Free-form text.

    owner string

    User who created or last modified the rule.

    previousName string

    Previous name of the rule. Required for rule renaming.

  • ]

Responses

OK

Loading...