Custom runtime rules

Prisma Cloud uses machine learning to model runtime behavior so that runtime defense scales to large, fluid environments.
Machine learning reduces the effort required to manually create and maintain large numbers of rules to secure running software. When machine learning doesn’t fully capture the range of acceptable runtime behaviors, rules provide a way to declaratively augment models with exceptions and additions.
Custom rules offer an additional mechanism to protect running software. Custom rules are expressions that give you a precise way to describe and detect discrete runtime behaviors. Runtime sensors in your environment already detect processes, file systems, and network activity, then pass those events to Prisma Cloud for processing. Expressions let you examine various facets of an event programmatically, then take action when the expressions evaluate to true. Custom rules can be applied to both hosts and containers.
For example, the expression grammar supports the following logic:
"If user Jake runs binary `netcat` with parameter -l, log an alert".

Rule library

Custom rules are stored in a central library, where they can be reused. Besides your own rules, Prisma Cloud Labs also distributes rules via the Intelligence Stream. These rules are shipped in a disabled state by default. You can review and optionally apply them at any time. To create and manage custom rules, go to Defend > Custom Rules > Runtime. Select Add rule to create a new custom rule.
There are four types of rules, but only three are relevant to runtime:
  • Processes
  • Networking-outgoing
  • File system

Expression grammar

Expressions let you examine the contents of process, file system, and network events.
For example, any time a process is forked on a host protected by Container Defender or Host Defender, a process event fires. The following very simple expression looks for processes named netcat:
proc.name = "netcat"
Expressions have the following grammar:
  • term: integer | string | keyword | event | '(' expression ')' | unaryOp
  • op: and | or | > | < | >= | <= | = | !=
  • in: '(' integer | string (',' integer | string)*)?
  • unaryOp: not
  • keyword (similar to wildcards): startswith | contains
  • string: strings must be enclosed in double quotes
  • integer: int
  • event: process, file system, or network

Expression examples:

net.outgoing_ip = "169.254.169.254" or net.outgoing_ip = "169.254.170.2"
proc.pname in ("mysql", "sqlplus", "postgres") and proc.pname != proc.name
file.path startswith "/etc"
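
To see how expressions in this grammar evaluate against individual events before a rule is enabled, they can be exercised offline. The following Python evaluator is an added example, not Prisma Cloud's implementation: it handles the comparison operators, `in`, `startswith`/`contains`, `not`, `and` and `or`, and leaves out parenthesised sub-expressions. The function name `evaluate`, the dict event format, the operator precedence and the handling of missing attributes are assumptions.

```python
import operator
import re

# Assumptions, not stated on the page: "not" binds tightest, then "and", then
# "or"; a missing attribute or a type mismatch never matches.
TOKEN = r'"[^"]*"|\d+|[A-Za-z_][\w.]*|>=|<=|!=|[()=<>,]'
OPS = {"=": operator.eq, "!=": operator.ne, ">": operator.gt, "<": operator.lt,
       ">=": operator.ge, "<=": operator.le,
       "startswith": lambda a, b: isinstance(a, str) and a.startswith(b),
       "contains": lambda a, b: isinstance(a, str) and b in a}

def evaluate(expr, event):          # event: dict such as {"proc.name": "netcat"}
    if re.sub(TOKEN, "", expr).strip():
        raise ValueError("unrecognized character in expression")
    toks = re.findall(TOKEN, expr) + ["<end>"]
    def accept(tok):
        return toks[0] == tok and toks.pop(0) is not None
    def expect(tok):
        if not accept(tok):
            raise ValueError(f"expected {tok!r}, got {toks[0]!r}")
    def value():                    # string or integer literal, or event attribute
        tok = toks.pop(0)
        if not (tok[0] == '"' or tok.isdigit() or "." in tok):
            raise ValueError(f"expected a value, got {tok!r}")
        return tok[1:-1] if tok[0] == '"' else int(tok) if tok.isdigit() else event.get(tok)
    def term():
        if accept("not"):
            return not term()
        left = value()
        if accept("in"):
            expect("(")
            items = [value()]
            while accept(","):
                items.append(value())
            expect(")")
            return left in items
        if toks[0] in OPS:
            op, right = toks.pop(0), value()
            return left is not None and type(left) is type(right) and OPS[op](left, right)
        return bool(left)           # bare boolean attribute, e.g. proc.interactive
    def expr_at(level):             # level 0 parses "or", level 1 parses "and"
        operand = term if level else (lambda: expr_at(1))
        result = operand()
        while accept(("or", "and")[level]):
            rhs = operand()         # always parse the right-hand side
            result = (result and rhs) if level else (result or rhs)
        return result
    result = expr_at(0)
    expect("<end>")
    return bool(result)
```

For instance, one way to write the Jake/netcat rule from the introduction is `proc.user = "jake" and proc.name = "netcat" and proc.cmdline contains "-l"` (a constructed expression); `evaluate` returns `True` for it against a constructed event whose `proc.cmdline` is `netcat -l 4444` with matching name and user. A malformed expression raises `ValueError`.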

Process events

Process events fire when new processes are forked. Expressions can examine the following attributes of a new process.
| Attribute | Type | Description |
|---|---|---|
| proc.name | string | Process name. |
| proc.pname | string | Parent process name. |
| proc.path | string | Full path to the program. |
| proc.user | string | User to whom the process belongs. |
| proc.interactive | bool | Interactive process. Not supported in App-Embedded runtime. |
| proc.cmdline | string | Command line. |
| proc.service | string | Only for host rules. |

File system events

Any write operation to a disk fires a file system event. All properties of the process performing the write are accessible from this context. Expressions can examine the following attributes of file system write activity.
Attribute
Type
Description