Custom runtime rules
Prisma Cloud’s approach to scaling runtime defense in big, fluid environments is to model runtime behavior with machine learning. Machine learning reduces the effort required to manually create and maintain loads of rules to secure running software. When machine learning doesn’t fully capture the range of acceptable runtime behaviors, rules provide a way to declaratively augment models with exceptions and additions.
Custom rules offer another, additional mechanism to protect running software. Custom rules are expressions that give you a precise way to describe and detect discrete runtime behaviors. Runtime sensors in your environment already detect process, file system, and network activity, then pass those events to Prisma Cloud for processing. Expressions let you examine various facets of an event in a programmatic way, then take action when they evaluate to true. Custom rules can be applied to both hosts and containers.
For example, the expression grammar supports the following logic:
"If user Jake runs binary netcat with parameter -l, log an alert"
Custom rules are stored in a central library, where they can be reused. Besides your own rules, Prisma Cloud Labs also distributes rules via the Intelligence Stream. These rules are shipped in a disabled state by default. You can review, and optionally apply them at any time.
Custom rules are written and managed in Console under
Defend > Custom Rules > Runtime. Click
Add ruleto bring up the online editor. The compiler checks for syntax errors when you save the rule.
There are four types of rules, but only three are relevant to runtime:
Expressions let you examine the contents of process, file system, and network events.
For example, any time a process is forked on a host protected by Container Defender or Host Defender, a process event fires. The following very simple expression looks for processes named netcat:
proc.name = "netcat"
Expressions have the following grammar:
- term--integer | string | keyword | event | '(' expression ')' | unaryOp
- op--and | or | > | < | >= | ⇐ | = | !=
- in--'(' integer | string (',' integer | string)*)?
- keyword (similar to wildcards)--startswith | contains
- string--strings must be enclosed in double quotes
- event--process, file system, or network
net.outgoing_ip = "169.254.169.254" or net.outgoing_ip = "169.254.170.2"
proc.pname in ("mysql", "sqlplus", "postgres") and proc.pname != proc.name
file.path startswith "/etc"
Process events fire when new processes are forked. Expressions can examine the following attributes of a new process.
Parent process name.
Full path to the program.
User to whom the process belongs.
Not supported in App-Embedded runtime
Only for host rules.
File system events
Filesystem events fire when there are writes to disk. All properties of the process doing the writes are accessible from this context. Expressions can examine the following attributes of file system write activity.
File system custom rules are not supported in App-Embedded Defenders
Path of the file being written.
Directory of the file being written.
File type. Supported types are: elf, secret, regular, and folder.
MD5 hash of the file. Supported only for ELF files. For other types of files, this property will be empty.
Network events fire when a process tries to establish an outbound connection. Expressions can examine the following attributes when network events fire: