Document:Prisma Cloud Compute Edition Administrator’s Guide

WAAS custom rules

Search the Table of Contents

Welcome
- Releases
- Getting started
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System requirements
- Prisma Cloud container images
- Onebox
- Kubernetes
- OpenShift
- OpenShift
- Console on Fargate
- Docker Swarm
- Amazon ECS
- Windows
- Defender types
- Install Defender
Upgrade
- Support lifecycle for connected components
- Prisma Cloud’s backward compatibility and upgrade process
- Upgrade Onebox
- Kubernetes
- OpenShift
- Helm charts
- Docker Swarm
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
- Manually upgrade Docker Swarm Defenders
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Custom certs for Console access
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Configure custom certs from a predefined directory
- Customize terminal output
- Collections
- Tags
- Logon settings
- Reconfigure Prisma Cloud
- Subject Alternative Names
- WildFire settings
Authentication
- Logging into Prisma Cloud
- Integrate with Active Directory
- Integrate with OpenLDAP
- Integrate Prisma Cloud with Open ID Connect
- Integrate with Okta via SAML 2.0 federation
- Integrate Google G Suite via SAML 2.0 federation
- Integrate with Azure Active Directory via SAML 2.0 federation
- Integrate with PingFederate via SAML 2.0 federation
- Integrate with Windows Server 2016 & 2012r2 Active Directory Federation Services (ADFS) via SAML 2.0 federation
- Integrate Prisma Cloud with GitHub
- Integrate Prisma Cloud with OpenShift
- Non-default UPN suffixes
- Compute user roles
- Assign roles
- Use custom certificates for authorization
- Credentials store
Vulnerability management
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure registry scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Amazon EC2 Container Registry (ECR)
  - Azure Container Registry (ACR)
  - Docker Registry v2
  - Google Container Registry (GCR)
  - Harbor
  - IBM Cloud Container Registry
  - Scan images on Artifactory Docker Registry
  - OpenShift integrated Docker registry
  - Trigger registry scans with webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan Fargate tasks
- Troubleshoot vulnerability detection
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- Docker Enterprise DISA STIG
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- Fargate scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for App-Embedded
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Event Aggregation
- Image analysis sandbox
- Incident Explorer
- Incident types
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Web-Application and API Security (WAAS)
- Deploying WAAS
- Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Log Scrubbing
- WAAS Troubleshooting
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Install Console with twistcli
- Update the Intelligence Stream in offline environments
Deployment patterns
- Projects
- Migration options for scale projects
- Best practices for DNS and certificate management
- Disk capacity
- Migrating to a SaaS Console
- Performance planning
- Automated deployment
- High Availability and Disaster Recovery guidelines
API
Howto
- Configure an AWS Classic Load Balancer for ECS
- Configure the load balancer type for AWS EKS
- Configure Prisma Cloud Console’s listening ports
- Provision tenant projects in OpenShift
- Disable automatic learning
- Debug data

WAAS custom rules

WAAS custom rules offer an additional mechanism to protect your running web apps. Custom rules are expressions that give you a precise way to describe and detect discrete conditions in requests and responses. WAAS intercepts layer 7 traffic, passes it to Prisma Cloud for evaluation. Expressions let you inspect various facets of requests and responses in a programmatic way, then take action when they evaluate to true. Custom rules can be used in container, host, and app-embedded WAAS policies.

Besides your own custom rules, Prisma Labs ships and maintains rules for newly discovered threats. These systems rules are distributed via the Intelligence Stream. By default, they are shipped in a disabled state. You can review, and optionally activate them at any time. System rules cannot be modified. However, you can clone and customize them to fit your own specific needs.

Before using custom rules, ensure Console and Defender run the same version of Prisma Cloud Compute. For example, if a Console runs a newer version, but Defenders have not been upgraded, using functionality only available in the newer version will result in a WAAS error. If this occurs, upgrade Defenders to match their Console’s version.

Expression grammar

Expressions let you examine the contents of requests and responses. The grammar lets you inspect various properties in an event. For example, you could write an expression that determines if an IP address fall inside a specific CIDR block.

Expressions support the following types:

String.

String list.

String map.

Integer.

IP address (e.g. "192.168.0.1")

CIDR block (e.g. "192.168.0.0/16")

Expressions have the following grammar:

term (op term | in | )*

term
--

op
--

and | or | > | < | >= | ⇐ | = | !=

in
--

'(' integer | string (',' integer | string)*)?

Can also be used to determine if an IP address is in a CIDR block: For example:

req.ip in "192.168.0.0/16"

unaryOp
--

not

keyword (similar to wildcards)
--

startswith | contains

contains can be used for:

Equality. For example: req.header_names contains "X-Forwarded-For"

Regular expression match for string lists. For example: req.header_names contains /^X-Forwarded.*/

Regular expression match for strings. For example: req.body contains /^some-regex-text.*/

string
--

Strings must be enclosed in double quotes.

integer
--

int

event
--

req | resp

[ ]
--

Selector operator. Selects a specific value by key from a map. Headers, cookies, body params, and query params are maps. The selection operation template is as following:

req.<map>["<key>"]

For example:

req.headers["Content-Type"] contains "text/html"

Request events

Expressions can examine the following attributes of a request:

Attribute	Type	Example
req.headers	Map of String	req.headers["User-Agent"] contains /^.*ACME[1-9]{1,6}$/
req.header_names	String List	req.header_names contains /^X-Forwarded.*/
req.header_values	String List	req.header_values contains "secretkey"
req.cookies	Map of String	req.cookies["yummy-cookie"] contains "flour"
req.cookie_names	String List	req.cookie_names contains "ga"
req.cookie_values	String List	req.cookie_values contains "admin"
req.query_params	Map of String	req.query_params["id"] contains "admin"
req.query_param_names	String List	req.query_param_names contains "ssn"
req.query_param_values	String List	req.query_param_values contains /\d{3}-?\d{2}-?\d{4}/
req.body_param_values	String List	req.body_param_values contains "username"
req.http_method	String	req.http_method = "POST"
req.file_extension	String	req.file_extension contains /pdf$/
req.path	String	req.path startswith "/admin/"
req.ip	IP (written as string, parsed as IP if IP is valid)	req.ip in "2.2.2.0/24" or req.ip = "8.8.8.8"
req.country_code	String	req.country_code = "US"
req.body	String	req.body contains /password/
req.http_version	String	req.http_version = "1.0"
req.http_scheme	String	req.http_scheme = "HTTPS"

Response events

Expressions can examine the following attributes of a response.

To examine server responses in custom rules, the rule type must be set to waas-response

Attribute	Type	Example
resp.status_code	Integer	resp.status_code = 200
resp.content_type	String	resp.content_type = "application/json"
resp.body	String	resp.body contains /^somesecret$/
resp.headers	Map of String	resp.headers["Set-Cookie"] contains /SESSIONID/
resp.header_names	String List	resp.header_names contains "Set-Cookie"
resp.header_values	String List	resp.header_values contains "ERROR"

Example expressions

The following examples show how to use the expression grammar:

Special expression to determine if an IP address falls within a CIDR block:

req.ip in "192.168.0.0/16"

Example of using a regular expression:

req.header_names contains /^X-Forwarded.*/

Determine if the request method matches a method in the array. Currently, you can only create custom arrays as part of the in operator.

req.http_method in ("POST", "PUT")

Example of using contains:

req.header_values contains "text/html"

Example using a selector:

req.cookies["yummy-cookie"] contains "flour"

Example of an expression with three conditions. All conditions must evaluate to true for there to be a match.

req.http_method = "POST" and resp.status_code >= 400 and resp.status_code ⇐ 599

Write a WAAS custom rule

Expression syntax is validated when you save a custom rule.

Open Console, and go to Defend > Custom configs > WAAS
.

Click Add rule
.

Enter a name for the rule.

In Message
, enter a audit message to be emitted when an event matches the condition logic in this custom rule.

Select the rule type.

You can write expressions for requests or responses. What you select here scopes the vocabulary available for your expression.

Enter your expression logic.

Press OPTION + SPACE to get a list of valid terms, expressions, operators, etc, for the given position.

Use the example expressions here as a starting point for your own expression.

Click Save
.

Your expression logic is validate before it’s save to Console’s database.

Activate WAAS custom rules

A custom rule is made up of one or more conditions. Attach a custom rule to a WAAS policy rule to activate it.

Custom rules are defined in Defend > Custom configs > WAAS
. WAAS policy rules are defined in Defend > WAAS > {Container | Host | App-Embedded}
.

When attaching a custom rule to a WAAS policy rule, you specify the action to take when the expression evaluates to true (i.e. the expression matches). Sup