WAAS custom rules

WAAS custom rules offer an additional mechanism to protect your running web apps. Custom rules are expressions that give you a precise way to describe and detect discrete conditions in requests and responses. WAAS intercepts layer 7 traffic and passes it to Prisma Cloud for evaluation. Expressions let you inspect various facets of requests and responses in a programmatic way, then take action when they evaluate to true. Custom rules can be used in container, host, and app-embedded WAAS policies.
Besides your own custom rules, Prisma Labs ships and maintains rules for newly discovered threats. These system rules are distributed via the Intelligence Stream. By default, they are shipped in a disabled state. You can review and optionally activate them at any time. System rules cannot be modified. However, you can clone and customize them to fit your own specific needs.
Before using custom rules, ensure Console and Defender run the same version of Prisma Cloud Compute. For example, if a Console runs a newer version, but Defenders have not been upgraded, using functionality only available in the newer version will result in a WAAS error. If this occurs, upgrade Defenders to match their Console’s version.

Expression grammar

Expressions let you examine the contents of requests and responses. The grammar lets you inspect various properties in an event. For example, you could write an expression that determines if an IP address falls inside a specific CIDR block.
Expressions support the following types:
  • String.
  • String list.
  • String map.
  • Integer.
  • IP address (e.g. "192.168.0.1")
  • CIDR block (e.g. "192.168.0.0/16")
Expressions have the following grammar:

Request events

Expressions can examine the following attributes of a request:
| Attribute | Type | Example |
|---|---|---|
| req.headers | Map of String | |
| req.header_names | String List | |
| req.header_values | String List | |
| req.cookies | Map of String | |
| req.cookie_names | String List | |
| req.cookie_values | String List | |
| req.query_params | Map of String | |
| req.query_param_names | String List | |
| req.query_param_values | String List | |
| req.body_param_values | String List | |
| req.http_method | String | |
| req.file_extension | String | |
| req.path | String | |
| req.ip | IP (written as string, parsed as IP if IP is valid) | |
| req.country_code | String | |
| req.body | String | |
| req.http_version | String | |
| req.http_scheme | String | |

Response events

Expressions can examine the following attributes of a response.
To examine server responses in custom rules, the rule type must be set to waas-response.
| Attribute | Type | Example |
|---|---|---|
| resp.status_code | Integer | |
| resp.content_type | String | |
| resp.body | String | |
| resp.headers | Map of String | |
| resp.header_names | String List | |
| resp.header_values | String List | |

Example expressions

The following examples show how to use the expression grammar:
Special expression to determine if an IP address falls within a CIDR block:
Example of using a regular expression:
Determine if the request method matches a method in the array. Currently, you can only create custom arrays as part of the in operator.
Example of using contains:
Example using a selector:
Example of an expression with three conditions. All conditions must evaluate to true for there to be a match.
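
The checks named in the examples above (CIDR membership, a regular expression, the in operator with an array, and three conditions that must all be true), modeled in Python as an added example; it is not WAAS expression syntax and not Prisma Cloud code. The request parser, the lower-cased header names, the /admin rule and the sample requests are constructed assumptions, meant for prototyping rule logic before writing it as a custom rule.

```python
# Added example: a Python model of the checks, not WAAS expression syntax.
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # CIDR from the type list above


def request_attributes(raw: str, client_ip: str) -> dict:
    """Derive a subset of the req.* attributes from a raw HTTP/1.x request."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    url = urlsplit(target)
    # Lower-cased names: a choice of this model, not documented WAAS behaviour.
    pairs = (line.partition(":") for line in header_lines)
    headers = {name.strip().lower(): value.strip() for name, _, value in pairs}
    query = dict(parse_qsl(url.query, keep_blank_values=True))
    return {
        "req.http_method": method,
        "req.path": url.path,
        "req.headers": headers,
        "req.header_names": list(headers),
        "req.query_params": query,
        "req.body": body,
        "req.ip": ipaddress.ip_address(client_ip),
    }


def rule_matches(req: dict) -> bool:
    """Three conditions; all must be true for the rule to match."""
    external = req["req.ip"] not in INTERNAL                              # CIDR test
    admin_path = re.search(r"^/admin(/|$)", req["req.path"]) is not None  # regex
    writes = req["req.http_method"] in ("POST", "PUT", "DELETE")          # "in" array
    return external and admin_path and writes


# Constructed sample requests: (raw request, client IP).
SAMPLES = [
    ("POST /admin/users?id=7 HTTP/1.1\r\nHost: app.example\r\n\r\nrole=admin", "203.0.113.9"),
    ("POST /admin/users?id=7 HTTP/1.1\r\nHost: app.example\r\n\r\nrole=admin", "192.168.4.20"),
    ("GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n", "203.0.113.9"),
    ("PUT /administrator HTTP/1.1\r\nHost: app.example\r\n\r\n", "203.0.113.9"),
]


def evaluate_samples() -> list:
    return [rule_matches(request_attributes(raw, ip)) for raw, ip in SAMPLES]
```

Only the first sample matches: the second comes from inside the CIDR block, the third uses a method outside the array, and the fourth fails the anchored path pattern.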

Write a WAAS custom rule

Expression syntax is validated when you save a custom rule.
  1. Open Console, and go to Defend > Custom configs > WAAS.
  2. Click Add rule.
  3. Enter a name for the rule.
  4. In Message, enter an audit message to be emitted when an event matches the condition logic in this custom rule.
  5. Select the rule type.
    You can write expressions for requests or responses. What you select here scopes the vocabulary available for your expression.