1. Home
    2. Prisma
    3. Prisma Cloud
    4. Prisma Cloud Microsegmentation Administrator's Guide
    5. Microsegmentation Console API
    6. Policy resources

    Policy resources

    policy/access

    AccessReport

    Represents any access made by the user.

    Example

    {
  "action": "Accept",
  "enforcerID": "xxx-xxx-xxx",
  "enforcerNamespace": "/my/namespace",
  "processingUnitID": "xxx-xxx-xxx-xxx",
  "processingUnitName": "pu1",
  "processingUnitNamespace": "/my/ns",
  "type": "SSHLogin"
}

    Relations

    Create an access report.

    Attributes

    Type: string
    Identifier of the object.
    Action applied to the access.
    Type: string
    Hash of the claims used to communicate.
    Type: string
    Identifier of the enforcer.
    Type: string
    Namespace of the enforcer.
    Type: string
    ID of the processing unit of the report.
    Type: string
    Name of the processing unit of the report.
    Type: string
    Namespace of the processing unit of the report.
    Type: string
    This field is only set if action is set to Reject. It specifies the reason for the rejection.
    Type: time
    Date of the report.
    Type of the report.

    UserAccessPolicy

    The enforcer policy that controls user access.

    Example

    {
  "disabled": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of user access policies.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new enforcer policy.
    Deletes the policy with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the policy with the given ID.
    Parameters:
    Updates the policy with the given ID.

    Attributes

    Type: string
    Identifier of the object.
    Type: string
    Defines for how long the policy will be active according to the activeSchedule.
    Type: string
    Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
    Type: []string
    Indicates the list of user who can use sudo commands.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: time
    If set the policy will be automatically deleted after the given time.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Contains the tag expression matching the enforcers the subject is allowed to connect to.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    Contains the tag expression the tags need to match for the policy to apply.
    Type: time
    Last update date of the object.

    policy/audit

    AuditProfile

    A set of audit rules that determine the types of events that must be captured in the kernel.

    Example

    {
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of audit profiles.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new audit profile.
    Deletes the profile with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the object with the given ID.
    Parameters:
    Updates the profile with the given ID.
    Returns the list of audit profiles that are referred to by this mapping.
    Returns a list of the audit profiles that must be applied to this enforcer.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    List of audit rules associated with this profile.
    Type: time
    Last update date of the object.

    AuditProfileMappingPolicy

    Use an audit profile mapping to define the set of enforcers that must implement a specific audit profile.

    Example

    {
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of audit profile mapping policies.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new audit profile mapping policy.
    Deletes the mapping with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the mapping with the given ID.
    Parameters:
    Updates the mapping with the given ID.
    Returns the list of audit profiles that are referred to by this mapping.
    Returns the list of enforcers that are affected by this mapping.

    Attributes

    Type: string
    Identifier of the object.
    Type: string
    Defines for how long the policy will be active according to the activeSchedule.
    Type: string
    Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    The tag or tag expression that identifies the audit profile to be mapped.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    The tag or tag expression that identifies the enforcer(s) to implement the audit profile.
    Type: time
    Last update date of the object.

    AuditReport

    Post a new audit report.

    Example

    {
  "AUID": "xxx-xxx",
  "CWD": "/etc",
  "EXE": "/bin/ls",
  "a0": "xxx-xxx",
  "a1": "xxx-xxx",
  "a2": "xxx-xxx",
  "a3": "xxx-xxx",
  "arch": "x86_64",
  "auditProfileID": "xxx-xxx-xxx-xxx",
  "auditProfileNamespace": "/my/ns",
  "command": "ls",
  "enforcerID": "xxx-xxx-xxx-xxx",
  "enforcerNamespace": "/my/ns",
  "processingUnitID": "xxx-xxx-xxx-xxx",
  "processingUnitNamespace": "/my/ns",
  "recordType": "Syscall",
  "success": false,
  "syscall": "execve",
  "timestamp": "2018-06-14T23:10:46.420397985Z"
}

    Relations

    Create a audit statistics report.

    Attributes

    Type: string
    The login ID of the user who started the audited process.
    Type: string
    Command working directory.
    Type: integer
    Effective group ID of the user who started the audited process.
    Type: integer
    Effective user ID of the user who started the audited process.
    Type: string
    Path to the executable.
    Type: integer
    File system group ID of the user who started the audited process.
    Type: integer
    File system user ID of the user who started the audited process.
    Type: string
    Full path of the file that was passed to the system call.
    Type: integer
    Group ID of the user who started the analyzed process.
    Type: string
    Identifier of the object.
    Type: integer
    File or directory permissions.
    Type: integer
    Process ID of the executable.
    Type: integer
    Process ID of the parent executable.
    Type: integer
    Set group ID of the user who started the audited process.
    Type: integer
    Set user ID of the user who started the audited process.
    Type: integer
    User ID.
    Type: string
    First argument of the executed system call.
    Type: string
    Second argument of the executed system call.
    Type: string
    Third argument of the executed system call.
    Type: string
    Fourth argument of the executed system call.
    Type: string
    Architecture of the system of the monitored process.
    Type: []string
    Arguments passed to the command.
    Type: string
    ID of the audit profile that triggered the report.
    Type: string
    Namespace of the audit profile that triggered the report.
    Type: string
    Command issued.
    Type: string
    ID of the enforcer reporting.
    Type: string
    Namespace of the enforcer reporting.
    Type: integer
    Exit code of the executed system call.
    Type: string
    ID of the processing unit originating the report.
    Type: string
    Namespace of the processing unit originating the report.
    Type: string
    Type of audit record.
    Type: integer
    Needs documentation.
    Type: boolean
    Tells if the operation has been a success or a failure.
    Type: string
    System call executed.
    Type: time
    Date of the report.

    policy/authorization

    APIAuthorizationPolicy

    An API authorization defines the operations a user can perform in a namespace: GET, POST, PUT, DELETE, PATCH, and/or HEAD. It is also possible to restrict the user to a subset of the APIs in the namespace by setting authorizedIdentities. An API authorization always propagates down to all the children of the current namespace.

    Example

    {
  "authorizedIdentities": [
    "@auth:role=namespace.administrator"
  ],
  "authorizedNamespace": "/namespace",
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagationHidden": false,
  "protected": false
}

    Relations

    Retrieves the list of API authorizations.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new API authorization.
    Deletes the authorization with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the authorization with the given ID.
    Updates the authorization with the given ID.

    Attributes

    Type: string
    Identifier of the object.
    Type: string
    Defines for how long the policy will be active according to the activeSchedule.
    Type: string
    Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: []string
    A list of roles assigned to the user.
    Type: string
    Defines the namespace the user is authorized to access.
    Type: []string
    If set, the API authorization will only be valid if the request comes from one the declared subnets.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: time
    If set, the policy will be automatically deleted after the given time.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    If set to true while the policy is propagating, it won’t be visible to children namespace, but still used for policy resolution.
    Type: boolean
    Defines if the object is protected.
    A tag or tag expression that identifies the authorized user(s).
    Type: time
    Last update date of the object.

    APICheck

    Allows you to verify if a client identified by his token is allowed to do some operations on some APIs.

    Example

    {
  "namespace": "/namespace",
  "operation": "Create",
  "targetIdentities": [
    "processingunit",
    "enforcer"
  ]
}

    Relations

    Verifies the authorizations on various identities for a given token.

    Attributes

    Contains the results of the check.
    Type: string
    The namespace to use to check the API authorization.
    The operation you want to check.
    Type: []string
    Contains the list of identities you want to check the authorization of.

    AppCredential

    Create an app credential.

    Example

    {
  "CSR": "-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDzANBgNV
BAcMBkxpbmRvbjEWMBQGA1UECgwNRGlnaUNlcnQgSW5jLjERMA8GA1UECwwIRGln
aUNlcnQxHTAbBgNVBAMMFGV4YW1wbGUuZGlnaWNlcnQuY29tMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8+To7d+2kPWeBv/orU3LVbJwDrSQbeKamCmo
wp5bqDxIwV20zqRb7APUOKYoVEFFOEQs6T6gImnIolhbiH6m4zgZ/CPvWBOkZc+c
1Po2EmvBz+AD5sBdT5kzGQA6NbWyZGldxRthNLOs1efOhdnWFuhI162qmcflgpiI
WDuwq4C9f+YkeJhNn9dF5+owm8cOQmDrV8NNdiTqin8q3qYAHHJRW28glJUCZkTZ
wIaSR6crBQ8TbYNE0dc+Caa3DOIkz1EOsHWzTx+n0zKfqcbgXi4DJx+C1bjptYPR
BPZL8DAeWuA8ebudVT44yEp82G96/Ggcf7F33xMxe0yc+Xa6owIDAQABoAAwDQYJ
KoZIhvcNAQEFBQADggEBAB0kcrFccSmFDmxox0Ne01UIqSsDqHgL+XmHTXJwre6D
hJSZwbvEtOK0G3+dr4Fs11WuUNt5qcLsx5a8uk4G6AKHMzuhLsJ7XZjgmQXGECpY
Q4mC3yT3ZoCGpIXbw+iP3lmEEXgaQL0Tx5LFl/okKbKYwIqNiyKWOMj7ZR/wxWg/
ZDGRs55xuoeLDJ/ZRFf9bI+IaCUd1YrfYcHIl3G87Av+r49YVwqRDT0VDV7uLgqn
29XI1PpVUNCPQGn9p/eX6Qo7vpDaPybRtA2R7XLKjQaF9oXWeCUqy1hvJac9QFO2
97Ob1alpHPoZ7mWiEuJwjBPii6a9M9G30nUo39lBi1w=
-----END CERTIFICATE REQUEST-----",
  "disabled": false,
  "name": "the name",
  "protected": false,
  "roles": [
    "@auth:role=enforcer",
    "@auth:role=kubesquall"
  ]
}

    Relations

    Retrieves the list of app credentials.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Creates a new app credential.
    Deletes the app credential with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the app credential with the given ID.
    Updates the app credential with the given ID.

    Attributes

    Type: string
    Contains a PEM-encoded certificate signing request (CSR). It can only be set during a renew.
    If you send anything else, the signing request will be rejected.
    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: []string
    If set, the app credential will only be valid if the request comes from one the declared subnets.
    Type: string
    The string representation of the certificate used by the app credential.
    Type: time
    Creation date of the object.
    The app credential data.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: string
    The email address that will receive a copy of the app credential.
    Type: string
    If set, this will limit the maximum validity of the token issued from this app credential. This information will be embedded into the delivered certificate and cannot be changed once set. In order to change it, you need to renew the certificate.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: []string
    Contains the ID of the parent app credential if this is a derived app credential.
    Type: boolean
    Defines if the object is protected.
    Type: []string
    List of roles to give the app credential.
    Type: time
    Last update date of the object.

    Credential

    Represents an app credential.

    Attributes

    Type: string
    The URL of the Microsegmentation Console API.
    Type: string
    The ID of the app credential.
    Type: string
    The base64-encoded certificate.
    Type: string
    The base64-encoded certificate authority.
    Type: string
    The base64-encoded certificate key.
    Type: string
    The name of the app credential.
    Type: string
    The namespace of the app credential.

    Role

    Returns the available roles that can be used with API authorizations.

    Relations

    Retrieves the list of existing roles.

    Attributes

    Authorizations of the role.
    Type: string
    Description of the role.
    Type: string
    Key of the role.
    Type: string
    Name of the role.
    Type: boolean
    Set to true to make the role private and hidden from the UI.

    policy/dns

    DNSLookupReport

    A DNS lookup report is used to report a DNS lookup that is happening on behalf of a processing unit. If the DNS server is on the standard UDP port 53 then the enforcer can proxy the DNS traffic and make a report. The report indicate whether or not the lookup was successful.

    Example

    {
  "action": "Accept",
  "enforcerNamespace": "/my/namespace",
  "processingUnitID": "xxx-xxx-xxx",
  "processingUnitNamespace": "/my/namespace",
  "resolvedName": "www.google.com",
  "sourceIP": "10.0.0.1",
  "value": 1
}

    Relations

    Create a DNS Lookup report.

    Attributes

    Type: string
    Identifier of the object.
    Action of the DNS request.
    Type: string
    ID of the enforcer.
    Type: string
    Namespace of the enforcer.
    Type: string
    Namespace tag attached to an entity.
    Type: string
    ID of the PU.
    Type: string
    Namespace of the PU. This is deprecated. Use namespace instead.
    Type: string
    This field is only set when the lookup fails. It specifies the reason for the failure.
    Type: string
    name used for DNS resolution.
    Type: string
    Type of the source.
    Type: time
    Time and date of the log.
    Type: integer
    Number of times the client saw this activity.

    policy/enforcerconfig

    EnforcerProfile

    Allows you to create reusable configuration profiles for your enforcers. Enforcer profiles contain various startup information that can (for some) be updated live. Enforcer profiles are assigned to enforcers using a enforcer profile mapping.

    Example

    {
  "kubernetesMetadataExtractor": "PodAtomic",
  "kubernetesSupportEnabled": false,
  "metadataExtractor": "Docker",
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of enforcer profiles.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new enforcer profile.
    Deletes the enforcer profile with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the enforcer profile with the given ID.
    Parameters:
    Updates the enforcer profile with the given ID.
    Returns the list of enforcer profiles that an enforcer profile mapping matches.
    Returns the enforcer profile that must be used by a enforcer.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: []string
    Ignore traffic with a source or destination matching the specified interfaces.
    Type: []string
    Ignore any networks specified here and do not even report any flows. This can be useful for excluding localhost loopback traffic, ignoring traffic to the Kubernetes API, and using Microsegmentation for SSH only.
    A tag expression that identifies processing units to ignore. This can be useful to exclude kube-system pods, AWS EC2 agent pods, and third-party agents.
    This field is kept for backward compatibility for enforcers <= 3.5.
    Default value:
    "PodAtomic"
    Type: boolean
    This field is kept for backward compatibility for enforcers <= 3.5.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    This field is kept for backward compatibility for enforcers <= 3.5.
    Default value:
    "Docker"
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    Type: []string
    If empty, the enforcer auto-discovers the TCP networks. Auto-discovery works best in Kubernetes and OpenShift deployments. You may need to manually specify the TCP networks if middle boxes exist that do not comply with TCP Fast Open RFC 7413.
    Type: []string
    If empty, the enforcer enforces all UDP networks. This works best when all UDP networks have enforcers. If some UDP networks do not have enforcers, you may need to manually specify the UDP networks that should be enforced.
    Type: []string
    List of trusted certificate authorities. If empty, the main chain of trust will be used.
    Type: time
    Last update date of the object.

    EnforcerProfileMappingPolicy

    Allows you to map an enforcer profile to one or more enforcers. The mapping can also be propagated down to the child namespace.

    Example

    {
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "object": [
    [
      "a=a",
      "b=b"
    ],
    [
      "c=c"
    ]
  ],
  "propagate": false,
  "protected": false,
  "subject": [
    [
      "a=a",
      "b=b"
    ],
    [
      "c=c"
    ]
  ]
}

    Relations

    Retrieves the list of enforcer profile mappings.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new enforcer profile mappings.
    Deletes the mapping with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the mapping with the given ID.
    Updates the mapping with the given ID.
    Returns the list of enforcer profiles that an enforcer profile mapping matches.
    Returns the list of enforcers affected by an enforcer profile mapping.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    The tag or tag expression that identifies the enforcer profile to be mapped.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    The tag or tag expression that identifies the enforcers that should implement the mapped profile.
    Type: time
    Last update date of the object.

    TrustedCA

    Represents a trusted certificate authority (CA).

    Relations

    Retrieves the trusted CAs of a namespace.
    Parameters:
    Returns the list of certificate authorities that should be trusted by this enforcer.
    Parameters:
    Returns the list of trusted CAs for this namespace.
    Parameters:

    Attributes

    Type: string
    The private certificate of the corresponding type associated with this namespace.
    Type: string
    The controller that this certificate or CA was issued from.
    Type: string
    The namespace that this certificate or CA was defined at.
    Type: string
    The ID of namespace that this certificate or CA was defined at.
    Type: string
    SerialNumber is the serial number of the certificate.
    Type of the certificate.

    TrustedNamespace

    This object allows you to declare trust between namespaces that are cryptographically isolated. The namespaces can be local or served by different Microsegmentation Console controllers.

    Example

    {
  "certificateAuthority": "-----BEGIN CERTIFICATE-----
MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4
NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM
QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau
7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8
jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI
KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl
AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA==
-----END CERTIFICATE-----",
  "name": "the name",
  "protected": false
}

    Relations

    Retrieves the list of trusted namespaces.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new trusted namespace.
    Delete the trusted namespace with the given ID.
    Retrieve the trusted namespace with the given ID.
    Update the trusted namespace with the given ID.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: string
    Contains the PEM block of the certificate authority trusted namespace.
    Type: time
    Creation date of the object.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the object to all of its children.
    Default value:
    true
    Type: boolean
    Defines if the object is protected.
    Type: string
    The controller declared in the certificate authority.
    Type: string
    The namespace declared in the certificate authority.
    Type: string
    The serial number of the CA.
    Type: time
    Last update date of the object.

    policy/files

    FileAccessPolicy

    A file access policy allows processing units to access various folder and files. It will use the tags of a file path to know what is the path of the file or folder to allow access to. You can allow the processing unit to have any combination of read, write, or execute.
    When a processing unit is a Docker container, then it will police the volumes. Mount and execute won’t have any effect.
    File paths are not supported yet for standard Linux processes.

    Example

    {
  "allowsExecute": false,
  "allowsRead": false,
  "allowsWrite": false,
  "disabled": false,
  "encryptionEnabled": false,
  "fallback": false,
  "logsEnabled": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of file access policies.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new file access policies.
    Deletes the policy with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the policy with the given ID.
    Updates the policy with the given ID.
    Returns the list of file paths that match the policy.
    Returns the list of processing units that match the policy.

    Attributes

    Type: string
    Identifier of the object.
    Type: string
    Defines for how long the policy will be active according to the activeSchedule.
    Type: string
    Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
    Type: boolean
    Allows files to be executed.
    Type: boolean
    Allows files to be read.
    Type: boolean
    Allows files to be written.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: boolean
    Set to true to enable automatic encryption.
    Type: time
    If set the policy will be automatically deleted after the given time.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    Type: boolean
    A value of true enables logging.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    The object of the policy.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    The subject of the policy.
    Type: time
    Last update date of the object.

    FileAccessReport

    Post a new file access report.

    Example

    {
  "action": "Accepted",
  "host": "localhost",
  "mode": "rxw",
  "path": "/etc/passwd",
  "processingUnitID": "xxx-xxx-xxx-xxx",
  "processingUnitNamespace": "/my/ns",
  "timestamp": "2018-06-14T23:10:46.420397985Z"
}

    Relations

    Create a file access statistics report.

    Attributes

    Type: string
    Identifier of the object.
    Action taken.
    Type: string
    Host storing the file.
    Default value:
    "localhost"
    Type: string
    Mode of file access.
    Default value:
    "rxw"
    Type: string
    Path of the file.
    Default value:
    "/etc/passwd"
    Type: string
    ID of the processing unit.
    Type: string
    Namespace of the processing unit.
    Type: time
    Date of the report.

    FilePath

    A file path represents a random path to a file or a folder. They can be used in file access policies to allow processing units to access them, using various modes (read, write, execute). You will need to use the file paths tags to set some policies. A good example would be volume=web or file=/etc/passwd.

    Example

    {
  "filepath": "/etc/passwd",
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of file paths.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • archived (boolean): Also retrieve the objects that have been archived.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Create a new file path.
    Deletes the object with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the object with the given ID.
    Parameters:
    Updates the object with the given ID.
    Returns the list of file paths that match the policy.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: string
    FilePath refer to the file mount path.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    Type: string
    server is the server name/ID/IP associated with the file path.
    Type: time
    Last update date of the object.

    policy/hooks

    HookPolicy

    Allows you to define hooks to the write operations in squall. Hooks are sent to an external Rufus server that will do the processing and eventually return a modified version of the object before we save it.

    Example

    {
  "certificateAuthority": "-----BEGIN CERTIFICATE-----
MIIBbjCCARSgAwIBAgIRANRbvVzTzBZOvMCb8BiKCLowCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNTE4
NDgwN1oXDTI3MTEyNDE4NDgwN1owJjENMAsGA1UEChMEQWNtZTEVMBMGA1UEAxMM
QWNtZSBSb290IENBMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJ/80HR51+vau
7XH7zS7b8ABA0e/TdBOg1NznbnXdXil1tDvWloWuH5+/bbaiEg54wksJHFXaukw8
jhTLU7zT56MjMCEwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wCgYI
KoZIzj0EAwIDSAAwRQIhALwAZh2KLFFC1qfb5CqFHExlXS0PUltax9PvQCN9P0vl
AiBl7/st9u/JpERjJgirxJxOgKNlV6pq9ti75EfQtZZcQA==
-----END CERTIFICATE-----",
  "clientCertificate": "-----BEGIN CERTIFICATE-----
MIIBczCCARigAwIBAgIRALD3Vz81Pq10g7n4eAkOsCYwCgYIKoZIzj0EAwIwJjEN
MAsGA1UEChMEQWNtZTEVMBMGA1UEAxMMQWNtZSBSb290IENBMB4XDTE4MDExNzA2
NTM1MloXDTI3MTEyNjA2NTM1MlowGDEWMBQGA1UEAxMNY2xhaXJlLWNsaWVudDBZ
MBMGByqGSM49AgEGCCqGSM49AwEHA0IABOmzPJj+t25T148eQH5gVrZ7nHwckF5O
evJQ3CjSEMesjZ/u7cW8IBfXlxZKHxl91IEbbB3svci4c8pycUNZ2kujNTAzMA4G
A1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjAMBgNVHRMBAf8EAjAA
MAoGCCqGSM49BAMCA0kAMEYCIQCjAAmkQpTua0HR4q6jnePaFBp/JMXwTXTxzbV6
peGbBQIhAP+1OR8GFnn2PlacwHqWXHwkvy6CLPVikvgtwEdB6jH8
-----END CERTIFICATE-----",
  "clientCertificateKey": "-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIGOXJI/123456789oamOu4tQAIKFdbyvkIJg9GME0mHzoAoGCCqGSM49
AwEHoUQDQgAE6bM8mP123456789AfmBWtnucfByQXk568lDcKNIQx6yNn+7txbwg
F9eXFkofGX3UgRtsHe123456789xQ1naSw==
-----END EC PRIVATE KEY-----",
  "continueOnError": false,
  "disabled": false,
  "endpoint": "https://hooks.hookserver.com/remoteprocessors",
  "endpointType": "URL",
  "fallback": false,
  "mode": "Pre",
  "name": "the name",
  "propagate": false,
  "propagationHidden": false,
  "protected": false,
  "selectors": [
    [
      "automation:name=myautomation"
    ]
  ],
  "subject": [
    [
      "$identity=processingunit"
    ]
  ]
}

    Relations

    Retrieves the list of hooks.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new hook.
    Deletes the hook with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the hook with the given ID.
    Updates the hook with the given ID.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: string
    Contains the PEM block of the certificate authority used by the remote endpoint.
    Type: string
    Contains the client certificate that will be used to connect to the remote endpoint. If provided, the private key associated with this certificate must also be configured.
    Type: string
    Contains the key associated with the clientCertificate. It must be provided only when clientCertificate has been configured.
    Type: boolean
    If set to true and mode is in Pre, the request will be honored even if calling the hook fails.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: string
    Contains the full address of the remote processor endpoint.
    Defines the type of endpoint for the hook.
    Default value:
    "URL"
    Type: time
    If set the hook will be automatically deleted after the given time.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Defines the type of hook.
    Default value:
    "Pre"
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    If set to true while the policy is propagating, it won’t be visible to children namespace, but still used for policy resolution.
    Type: boolean
    Defines if the object is protected.
    A tag or tag expression that identifies the automation that must be run in case no endpoint is provided.
    Contains the tag expression that an object must match in order to trigger the hook.
    Type: []string
    Select on which operation(s) you want to the hook to trigger. An empty list. Only means all operations. You can only set any combination of create, update or delete. Any other value will trigger a validation error.
    Type: time
    Last update date of the object.

    RemoteProcessor

    Hook to integrate a Microsegmentation service.

    Example

    {
  "claims": [
    "@auth:realm=certificate",
    "@auth:commonname=john"
  ],
  "input": "{
  \"name\": \"hello\",
  \"description\": \"hello\",
}",
  "mode": "Pre",
  "namespace": "/my/namespace",
  "operation": "create",
  "targetIdentity": "processingunit"
}

    Relations

    This should be be here.

    Attributes

    Type: []string
    Represents the claims of the currently managed object.
    Represents data received from the service.
    Defines the hook’s type.
    Type: string
    Represents the current namespace.
    Defines the operation that is currently handled by the service.
    Returns OutputData filled with the processor information.
    Type: string
    Gives the ID of the request coming from the main server.
    Type: string
    Represents the identity name of the managed object.

    policy/hosts

    HostService

    Represents services that a host must expose and protect.

    Example

    {
  "hostModeEnabled": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of host services.
    Parameters:
    Creates a new host service.
    Deletes the host service with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the host service with the given ID.
    Parameters:
    Updates the host service with the given ID.
    Returns a list of the host services policies that apply to this enforcer.
    Parameters:
    • appliedServices (boolean): Valid when retrieved for a given enforcer and returns the applied services.
    • setServices (boolean): Instructs Microsegmentation Console to cache the services that were resolved.
    Returns the list of host services that are referenced by this mapping.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Forces the corresponding enforcers to enable host protection. When true, all incoming and outgoing flows will be monitored. Flows will be allowed if and only if a network policy has been created to allow the flow. The option applies to all enforcers to which the host service is mapped.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    Type: []string
    Lists all protocols and ports a service is running. A service entry can be defined by a protocol and port (tcp/80), or range of protocol/port pairs (udp/80:100). If no protocol is provided, it is assumed to be TCP. Only tcp and udp protocols are allowed.
    Type: time
    Last update date of the object.

    HostServiceMappingPolicy

    Host service mapping allows you to map host services to the enforcers that should implement them. You must map host services to one or more enforcers for the host services to have any effect.

    Example

    {
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of host service mappings.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new host service mapping.
    Deletes the mapping with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the mapping with the given ID.
    Parameters:
    Updates the mapping with the given ID.
    Returns the list of enforcers that are affected by this mapping.
    Returns the list of host services that are referenced by this mapping.

    Attributes

    Type: string
    Identifier of the object.
    Type: string
    Defines for how long the policy will be active according to the activeSchedule.
    Type: string
    Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    A tag or tag expression identifying the host service(s) to be mapped.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    A tag or tag expression identifying the enforcer(s) that should implement the specified host service(s).
    Type: time
    Last update date of the object.

    policy/networking

    CachedFlowReport

    Post a new cached flow report.

    Example

    {
  "action": "Accept",
  "destinationController": "api.east.acme.com",
  "destinationID": "xxx-xxx-xxx",
  "destinationNamespace": "/my/namespace",
  "destinationPlatform": "api.east.acme.com",
  "destinationType": "ProcessingUnit",
  "encrypted": false,
  "enforcerID": "5c6cce207ddf1fc159a104bf",
  "isLocalDestinationID": false,
  "isLocalSourceID": false,
  "namespace": "/my/namespace",
  "observed": false,
  "observedAction": "NotApplicable",
  "observedEncrypted": false,
  "observedPolicyID": "xxx-xxx-xxx",
  "observedPolicyNamespace": "/my/namespace",
  "policyID": "xxx-xxx-xxx",
  "policyNamespace": "/my/namespace",
  "protocol": 6,
  "serviceType": "NotApplicable",
  "sourceController": "api.west.acme.com",
  "sourceID": "xxx-xxx-xxx",
  "sourceNamespace": "/my/namespace",
  "sourcePlatform": "api.west.acme.com",
  "sourceType": "ProcessingUnit",
  "value": 1
}

    Relations

    Create a cached flow statistics report.

    Attributes

    Type: string
    Identifier of the object.
    Action applied to the flow.
    Type: string
    Identifier of the destination controller.
    Type: string
    ID of the destination.
    Type: string
    Destination IP address.
    Type: string
    Namespace of the destination. This is deprecated. Use remoteNamespace. This property does nothing.
    Type: string
    Identifier of the destination platform.
    Type: integer
    Port of the destination.
    Destination type.
    Type: string
    This field is only set if action is set to Reject. It specifies the reason for the rejection.
    Type: boolean
    If true, the flow was encrypted.
    Type: string
    ID of the enforcer where the report was collected.
    Type: boolean
    Indicates if the destination endpoint is an enforcer-local processing unit.
    Type: boolean
    Indicates if the source endpoint is an enforcer-local processing unit.
    Type: string
    This is here for backward compatibility.
    Type: boolean
    If true, design mode is on.
    Action observed on the flow.
    Default value:
    "NotApplicable"
    Type: string
    Specifies the reason for a rejection. Only set if observedAction is set to Reject.
    Type: boolean
    Value of the encryption of the network policy that observed the flow.
    Type: string
    ID of the network policy that observed the flow.
    Type: string
    Namespace of the network policy that observed the flow.
    Type: string
    ID of the network policy that accepted the flow.
    Type: string
    Namespace of the network policy that accepted the flow.
    Type: integer
    Protocol number.
    Type: string
    Namespace of the object at the other end of the flow.
    Type: string
    Contains the eventual name assigned to the particular rule in the NetworkRuleSetPolicy that acted on the flow.
    Type: string
    Hash of the claims used to communicate.
    Type: string
    ID of the service.
    Type: string
    Namespace of Service accessed.
    ID of the service.
    Default value:
    "NotApplicable"
    Type: string
    Service URL accessed.
    Type: string
    Identifier of the source controller.
    Type: string
    ID of the source.
    Type: string
    Type of the source.
    Type: string
    Namespace of the source. This is deprecated. Use remoteNamespace. This property does nothing.
    Type: string
    Identifier of the source platform.
    Type of the source.
    Type: time
    Time and date of the log.
    Type: integer
    Number of flows in the log.

    Claims

    Represents the claims in the token used to access a service.

    Example

    {
  "content": {
    "exp": 1553899021,
    "iat": 1553888221,
    "iss": "https://accounts.acme.com",
    "sub": "alice@acme.com"
  },
  "hash": "1134423925458173049"
}

    Relations

    Retrieves the list of claims.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Creates a new claims record.
    Retrieves the object with the given ID.

    Attributes

    Type: string
    Identifier of the object.
    Contains the raw JSON web token (JWT) claims.
    Type: string
    XXH64 hash of the claims content. It will be used as ID. To compute a correct hash, you must first clob content as an string array in the form key=value, sort it then apply the XXH64 function.
    Type: string
    Namespace tag attached to an entity.

    ConnectionExceptionReport

    Post a new flow log.

    Example

    {
  "destinationController": "api.west.acme.com",
  "destinationProcessingUnitID": "xxx-xxx-xxx",
  "enforcerID": "xxx-xxx-xxx",
  "enforcerNamespace": "/my/namespace",
  "namespace": "/my/namespace",
  "processingUnitID": "xxx-xxx-xxx",
  "processingUnitNamespace": "/my/namespace",
  "protocol": 6,
  "serviceType": "L3",
  "state": [
    "Unknown"
  ],
  "value": 1
}

    Relations

    Create a connection exception report.

    Attributes

    Type: string
    Identifier of the object.
    Type: string
    Identifier of the destination controller. This should be set in SynAckTransmitted state.
    Type: string
    Destination IP address.
    Type: integer
    Port of the destination.
    Type: string
    ID of the destination processing unit. This should be set in SynAckTransmitted state.
    Type: string
    ID of the enforcer.
    Type: string
    Namespace of the enforcer.
    Type: string
    Namespace of the processing unit that encountered this exception.
    Type: string
    ID of the processing unit encountered this exception.
    Type: string
    Namespace of the processing unit encountered this exception.
    Type: integer
    Protocol number.
    Type: string
    It specifies the reason for the exception.
    Type of the service.
    Default value:
    "L3"
    Type: string
    Source IP address.
    Represents the current state this report was generated.
    Type: time
    Time and date of the report.
    Type: integer
    Number of packets hit.

    ExternalNetwork

    An external network represents a random network or IP address that is not managed by Microsegmentation. External networks can be used in network policies to allow traffic from or to the declared network or IP, using the provided protocol and port (or range of ports). If you want to describe the internet (i.e., anywhere), use 0.0.0.0/0 as the address and 1-65000 for the ports. You must assign the external network one or more tags. These allow you to reference the external network from your network policies.

    Example

    {
  "name": "the name",
  "propagate": false,
  "protected": false,
  "servicePorts": [
    "tcp/80",
    "udp/80:100"
  ],
  "type": "Subnet"
}

    Relations

    Retrieves the list of external networks.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • archived (boolean): Also retrieve the objects that have been archived.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new external network.
    Deletes the object with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the object with the given ID.
    Parameters:
    Updates the object with the given ID.
    Returns the list of external networks affected by an infrastructure policy.
    Parameters:
    Returns the list of external networks affected by a network policy.
    Parameters:
    Returns the list of external networks affected by a network rule set policy.
    Parameters:

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: []string
    List of CIDRs or domain name.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    Type: []string
    List of protocol/ports (tcp/80) or (udp/80:100).
    The type of external network (default Subnet).
    Default value:
    "Subnet"
    Type: time
    Last update date of the object.

    FlowReport

    Post a new flow log.

    Example

    {
  "action": "Accept",
  "destinationController": "api.east.acme.com",
  "destinationID": "xxx-xxx-xxx",
  "destinationNamespace": "/my/namespace",
  "destinationPlatform": "api.east.acme.com",
  "destinationType": "ProcessingUnit",
  "encrypted": false,
  "enforcerID": "5c6cce207ddf1fc159a104bf",
  "namespace": "/my/namespace",
  "observed": false,
  "observedAction": "NotApplicable",
  "observedEncrypted": false,
  "observedPolicyID": "xxx-xxx-xxx",
  "observedPolicyNamespace": "/my/namespace",
  "policyID": "xxx-xxx-xxx",
  "policyNamespace": "/my/namespace",
  "protocol": 6,
  "serviceType": "NotApplicable",
  "sourceController": "api.west.acme.com",
  "sourceID": "xxx-xxx-xxx",
  "sourceNamespace": "/my/namespace",
  "sourcePlatform": "api.west.acme.com",
  "sourceType": "ProcessingUnit",
  "value": 1
}

    Relations

    Create a flow statistics report.

    Attributes

    Type: string
    Identifier of the object.
    Action applied to the flow.
    Type: string
    Identifier of the destination controller.
    Type: string
    ID of the destination.
    Type: string
    Destination IP address.
    Type: string
    Namespace of the destination. This is deprecated. Use remoteNamespace. This property does nothing.
    Type: string
    Identifier of the destination platform.
    Type: integer
    Port of the destination.
    Destination type.
    Type: string
    This field is only set if action is set to Reject. It specifies the reason for the rejection.
    Type: boolean
    If true, the flow was encrypted.
    Type: string
    ID of the enforcer where the report was collected.
    Type: string
    This is here for backward compatibility.
    Type: boolean
    If true, design mode is on.
    Action observed on the flow.
    Default value:
    "NotApplicable"
    Type: string
    Specifies the reason for a rejection. Only set if observedAction is set to Reject.
    Type: boolean
    Value of the encryption of the network policy that observed the flow.
    Type: string
    ID of the network policy that observed the flow.
    Type: string
    Namespace of the network policy that observed the flow.
    Type: string
    ID of the network policy that accepted the flow.
    Type: string
    Namespace of the network policy that accepted the flow.
    Type: integer
    Protocol number.
    Type: string
    Namespace of the object at the other end of the flow.
    Type: string
    Contains the eventual name assigned to the particular rule in the NetworkRuleSetPolicy that acted on the flow.
    Type: string
    Hash of the claims used to communicate.
    Type: string
    ID of the service.
    Type: string
    Namespace of Service accessed.
    ID of the service.
    Default value:
    "NotApplicable"
    Type: string
    Service URL accessed.
    Type: string
    Identifier of the source controller.
    Type: string
    ID of the source.
    Type: string
    Type of the source.
    Type: string
    Namespace of the source. This is deprecated. Use remoteNamespace. This property does nothing.
    Type: string
    Identifier of the source platform.
    Type of the source.
    Type: time
    Time and date of the log.
    Type: integer
    Number of flows in the log.

    InfrastructurePolicy

    Infrastructure policies represent the network access rules of the underlying infrastructure. They can assist you in analyzing how AWS security groups, firewalls, and other access control list (ACL) mechanisms may affect Microsegmentation network policies. Microsegmentation’s AWS integration app automatically populates AWS security groups.

    Example

    {
  "action": "Allow",
  "applyPolicyMode": "OutgoingTraffic",
  "disabled": false,
  "name": "the name",
  "protected": false
}

    Relations

    Retrieves the list of infrastructure policies.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Creates a new infrastructure policy.
    Deletes the infrastructure policy with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the infrastructure policy with the given ID.
    Updates the infrastructure policy with the given ID.
    Returns the list of external networks affected by an infrastructure policy.
    Parameters:
    Returns the list of processing units affected by an infrastructure policy.
    Parameters:
    Returns the list of services affected by an infrastructure policy.
    Parameters:

    Attributes

    Type: string
    Identifier of the object.
    Defines the action to apply to a flow.
    Default value:
    "Allow"
    Type: string
    Defines for how long the policy will be active according to the activeSchedule.
    Type: string
    Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
    Stores additional information about an entity.
    Determines if the policy applies to the outgoing traffic of the subject or the incoming traffic of the subject. OutgoingTraffic (default) or IncomingTraffic.
    Default value:
    "OutgoingTraffic"
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: time
    If set the policy will be automatically deleted after the given time.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Object of the policy.
    Type: boolean
    Defines if the object is protected.
    Subject of the policy.
    Type: time
    Last update date of the object.

    NetworkAccessPolicy

    Allows you to define network policies to allow or prevent processing units identified by their tags to talk to other processing units or external networks (also identified by their tags).

    Example

    {
  "action": "Allow",
  "applyPolicyMode": "Bidirectional",
  "disabled": false,
  "encryptionEnabled": false,
  "fallback": false,
  "logsEnabled": false,
  "name": "the name",
  "negateObject": false,
  "negateSubject": false,
  "observationEnabled": false,
  "observedTrafficAction": "Continue",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of network policies.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new network policy. This is deprecated. in favor of NetworkRuleSetPolicy.
    Deletes the policy with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the policy with the given ID.
    Parameters:
    Updates the policy with the given ID.
    Returns the list of external networks affected by a network policy.
    Parameters:
    Returns the list of processing units affected by a network policy.
    Parameters:
    Returns the list of services affected by a network policy.
    Parameters:

    Attributes

    Type: string
    Identifier of the object.
    Defines the action to apply to a flow.
    • Allow: allows the defined traffic.
    • Reject: rejects the defined traffic; useful in conjunction with an allow all policy.
    • Continue: neither allows or rejects the traffic; useful for applying another property to the traffic.
    Default value:
    "Allow"
    Type: string
    Defines for how long the policy will be active according to the activeSchedule.
    Type: string
    Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
    Stores additional information about an entity.
    Sets three different types of policies. IncomingTraffic: applies the policy to all processing units that match the object and allows them to accept connections from processing units or external networks that match the subject. OutgoingTraffic: applies the policy to all processing units that match the subject and allows them to initiate connections with processing units or external networks that match the object. Bidirectional (default): applies the policy to all processing units that match the object and allows them to accept connections from processing units that match the subject. Also applies the policy to all processing units that match the subject and allows them to initiate connections with processing units that match the object.
    Default value:
    "Bidirectional"
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: boolean
    Defines if the flow has to be encrypted. This property is deprecated and have no incidence.
    Type: time
    If set the policy will be automatically deleted after the given time.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    Type: boolean
    If true, the relevant flows are logged and available from Microsegmentation Console. Under some advanced scenarios you may wish to set this to false, such as to save space or improve performance.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: boolean
    Setting this to true will invert the object to find what is not matching.
    Type: boolean
    Setting this to true will invert the subject to find what is not matching.
    Type: []string
    Contains the list of normalized tags of the entities.
    A tag or tag expression identifying the object of the policy.
    Type: boolean
    If set to true, the flow will be in observation mode.
    If observationEnabled is set to true, this defines the final action taken on the packets: Apply or Continue (default).
    Default value:
    "Continue"
    Type: []string
    Represents the ports and protocols this policy applies to.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    A tag or tag expression identifying the subject of the policy.
    Type: time
    Last update date of the object.

    NetworkRuleSetPolicy

    Allows you to define network rule sets to allow or prevent processing units identified by their tags to talk to other processing units or external networks (also identified by their tags).

    Example

    {
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of network rule set policies.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new network rule set policy policy.
    Deletes the policy with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the policy with the given ID.
    Parameters:
    Updates the policy with the given ID.
    Returns the list of external networks affected by a network rule set policy.
    Parameters:
    Returns the list of processing units affected by a network rule set policy.
    Parameters:
    Returns the list of services affected by a network rule set policy.
    Parameters:

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    The set of rules to apply to incoming traffic (traffic coming to the Processing Unit matching the subject).
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    The set of rules to apply to outgoing traffic (traffic coming from the Processing Unit matching the subject).
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    A tag expression identifying used to match processing units to which this policy applies to.
    Type: time
    Last update date of the object.

    policy/processingunits

    IsolationProfile

    Defines system call rules, system call actions, and other capabilities on a processing unit.

    Example

    {
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of isolation profiles.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new isolation profile.
    Deletes the profile with the given ID.
    Retrieves the profile with the given ID.
    Parameters:
    Updates the profile with the given ID.
    Returns the list of isolation profiles associated with the mapping.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: _cap_map
    The capabilities that should be added to or removed from the processing unit.
    Type: time
    Creation date of the object.
    The default action applied to all system calls of this profile. Default is Allow.
    Type: string
    Description of the object.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    A list of system call rules that identify actions for particular system calls.
    The processor architectures that the profile supports. Default all.
    Type: time
    Last update date of the object.

    ProcessingUnitPolicy

    Processing unit policies allow you to define special behavior for processing units. For example you can associate an isolation profile with a set of processing units or select a specific datapath.

    Example

    {
  "action": "Default",
  "datapathType": "Default",
  "disabled": false,
  "fallback": false,
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of processing unit policies.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new processing unit policy.
    Deletes the object with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the object with the given ID.
    Updates the object with the given ID.
    Returns the list of isolation profiles associated with the mapping.
    Returns the list of processing units referenced by the mapping.

    Attributes

    Type: string
    Identifier of the object.
    Action determines the action to take while enforcing the isolation profile. NOTE: Choose Default if your processing unit is not supposed to make a decision on isolation profiles at all.
    Default value:
    "Default"
    Type: string
    Defines for how long the policy will be active according to the activeSchedule.
    Type: string
    Defines when the policy should be active using the cron notation. The policy will be active for the given activeDuration.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    The datapath type that processing units selected by subject should implement:
    • Default: This policy is not making a decision for the datapath.
    • Aporeto: The enforcer is managing and handling the datapath.
    • EnvoyAuthorizer: The enforcer is serving Envoy-compatible gRPC APIs for every processing unit that for example can be used by an Envoy proxy to use the Microsegmentation PKI and implement Microsegmentation network policies. NOTE: The enforcer is not going to own the datapath in this example. It is merely providing an authorizer API.
    Default value:
    "Default"
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    The isolation profiles to be mapped. Only applies to Enforce and LogCompliance actions.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    Contains the tag expression the tags need to match for the policy to apply.
    Type: time
    Last update date of the object.

    ProcessingUnitService

    Represents a service attached to a processing unit.

    Attributes

    Type: string
    Contains the list of allowed ports and ranges.
    Type: integer
    Protocol used by the service.
    Type: []string
    List of single ports or range (xx:yy).

    policy/quota

    QuotaCheck

    Allows you to verify the quota for a given identity in a given namespace with the given tags.

    Example

    {
  "targetIdentity": "processingunit",
  "targetNamespace": "/my/namespace"
}

    Relations

    Verifies if the quota is exceeded for a particular object.
    Parameters:
    • remaining (boolean): Makes the system count how many object are left available in the quota.

    Attributes

    Type: integer
    Contains the maximum number of matching entities that can be created.
    Type: integer
    If the parameter remaining=true is passed, this value will be populated with the number of remaining objects in the quota.
    Default value:
    -1
    Type: string
    The identity name of the object you want to check the quota on.
    Type: string
    The namespace from which you want to check the quota on.

    QuotaPolicy

    Allows you to set quotas on the number of objects that can be created in a namespace.

    Example

    {
  "disabled": false,
  "fallback": false,
  "identities": [
    "processingunit",
    "enforcer"
  ],
  "name": "the name",
  "propagate": false,
  "propagationHidden": false,
  "protected": false,
  "targetNamespace": "/my/namespace"
}

    Relations

    Retrieves the list of quotas.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new quota.
    Deletes the quota with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the quota with the given ID.
    Updates the quota with the given ID.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    Type: boolean
    Defines if the property is disabled.
    Type: time
    If set the quota will be automatically deleted after the given time.
    Type: boolean
    Indicates that this is fallback policy. It will only be applied if no other policies have been resolved. If the policy is also propagated it will become a fallback for children namespaces.
    Type: []string
    Contains the list of identity names where the quota will be applied.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    If set to true while the policy is propagating, it won’t be visible to children namespace, but still used for policy resolution.
    Type: boolean
    Defines if the object is protected.
    Type: integer
    Specifies the maximum number of objects matching the policy subject that can be created.
    Type: string
    Contains the base namespace from where the count will be done.
    Type: time
    Last update date of the object.

    policy/services

    ClaimMapping

    Allows you to map a claim in a token to an HTTP header. This can be useful when offloading authentication and authorization to Microsegmentation. Some applications may expect to receive information in the HTTP header.

    Example

    {
  "claimName": "email",
  "targetHTTPHeader": "X-Username"
}

    Attributes

    Type: string
    The name of the claim to map to the HTTP header. header.
    Type: string
    The HTTP header that will be the destination of the mapped claim.

    Endpoint

    Represents an HTTP endpoint.

    Example

    {
  "public": false
}

    Attributes

    Type: string
    URI of the exposed API.
    The scopes authorized to access the API.
    Type: []string
    Methods exposed to access the API.
    Type: boolean
    If true, the API is public.
    Type: []string

    HTTPResourceSpec

    Describes an HTTP resource exposed by one or more services.

    Example

    {
  "name": "the name",
  "propagate": false,
  "protected": false
}

    Relations

    Retrieves the list of HTTP resource specifications.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • propagated (boolean): Also retrieve the objects that propagate down.
    • archived (boolean): Also retrieve the objects that have been archived.
    Creates a new HTTP resource specification.
    Deletes the HTTP resource with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the HTTP resource with the given ID.
    Parameters:
    Updates the HTTP resource with the given ID.
    Retrieves the HTTP Resource exposed by this service.

    Attributes

    Type: string
    Identifier of the object.
    Stores additional information about an entity.
    Type: []string
    List of tags attached to an entity.
    Type: time
    Creation date of the object.
    Type: string
    Description of the object.
    A list of API endpoints that are exposed for the service.
    Type: []string
    Contains tags that can only be set during creation, must all start with the '@' prefix, and should only be used by external systems.
    Type: string
    Name of the entity.
    Type: string
    Namespace tag attached to an entity.
    Type: []string
    Contains the list of normalized tags of the entities.
    Type: boolean
    Propagates the policy to all of its children.
    Type: boolean
    Defines if the object is protected.
    Type: time
    Last update date of the object.

    Service

    Defines a generic service object at layer 4 or layer 7 that encapsulates the description of a microservice. A service exposes APIs and can be implemented through third-party entities (such as a cloud provider) or through processing units.

    Example

    {
  "OIDCProviderURL": "https://accounts.google.com",
  "OIDCScopes": [
    "email",
    "profile"
  ],
  "TLSType": "Aporeto",
  "authorizationType": "None",
  "disabled": false,
  "exposedAPIs": [
    [
      "package=p1"
    ]
  ],
  "exposedPort": 443,
  "exposedServiceIsTLS": false,
  "external": false,
  "name": "the name",
  "port": 443,
  "propagate": false,
  "protected": false,
  "publicApplicationPort": 443,
  "selectors": [
    [
      "$identity=processingunit"
    ]
  ],
  "type": "HTTP"
}

    Relations

    Retrieves the list of services.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    • archived (boolean): Also retrieve the objects that have been archived.
    • propagated (boolean): Also retrieve the objects that propagate down.
    Creates a new service.
    Deletes the service with the given ID.
    Parameters:
    • q (string): Filtering query. Consequent q parameters will form an or.
    Retrieves the service with the given ID.
    Parameters:
    Updates the service with the given ID.
    Returns the list of services affected by an infrastructure policy.
    Parameters:
    Returns the list of services affected by a network policy.
    Parameters:
    Returns the list of services affected by a network rule set policy.
    Parameters:
    Retrieves the services used by a processing unit.
    Returns the list of external services that are targets of service dependency.
    Retrieves the HTTP Resource exposed by this service.
    Retrieves the processing units that implement this service.

    Attributes

    Type: string
    Identifier of the object.
    Type: []string
    The list of IP addresses where the service can be accessed. This is an optional attribute and is only required if no host names are provided. The system will automatically resolve IP addresses from host names otherwise.
    Type: string
    PEM-encoded certificate that will be used to validate the user’s JSON web token (JWT) in HTTP requests. This is an optional field, needed only if the authorizationType is set to JWT.
    Type: string
    PEM-encoded certificate authority to use to verify client certificates. This only applies if authorizationType is set to MTLS. If it is not set, Microsegmentation Console’s public signing certificate authority will be used.
    Type: string
    This is an advanced setting. Optional OIDC callback URL. If you don’t set it, the enforcer will autodiscover it. It will be https://<hosts[0]|IPs[0]>/aporeto/oidc/callback.
    Type: string
    OIDC Client ID. Only has effect if the authorizationType is set to OIDC.
    Type: string
    OIDC Client Secret. Only has effect if the authorizationType is set to OIDC.
    Type: string
    OIDC discovery endpoint. Only has effect if the authorizationType is set to OIDC.
    Type: []string
    Configures the scopes you want to request from the OIDC provider. Only has effect if authorizationType is set to OIDC.
    Type: string
    PEM-encoded certificate to expose to the clients for TLS. Only has effect and required if TLSType is set to External.