Document:Prisma Cloud Administrator’s Guide (Compute)

WAAS custom rules

Search the Table of Contents

Welcome
- Getting started
- Compute SaaS maintenance updates
- NAT gateway IP addresses
- Product architecture
- Support lifecycle
- Security Assurance Policy on Prisma Cloud Compute
- Licensing
- Prisma Cloud Enterprise Edition vs Compute Edition
- Utilities and plugins
Install
- Getting started
- System Requirements
- Prisma Cloud container images
- Kubernetes
- OpenShift v4
- Amazon ECS
- Windows
- Defender types
- Cluster Context
- Install Defender
Upgrade
- Support lifecycle for connected components
- Upgrade process
- Kubernetes
- OpenShift
- Helm charts
- Amazon ECS
- Manually upgrade single Container Defenders
- Manually upgrade Defender DaemonSets
- Manually upgrade Defender DaemonSets (Helm)
Technology overviews
- Intelligence Stream
- Prisma Cloud Advanced Threat Protection
- App-specific network intelligence
- Container Runtimes
- Radar
- Serverless Radar
- Prisma Cloud Rules Guide - Docker
- Defender architecture
- Host Defender architecture
- TLS v1.2 cipher suites
- Telemetry
Configure
- Rule ordering and pattern matching
- Backup and restore
- Custom feeds
- Configuring Prisma Cloud proxy settings
- Prisma Cloud Compute certificates
- Configure Agentless Scanning
- Configure scanning
- User certificate validity period
- Enable HTTP access to Console
- Set different paths for Defender and Console (with DaemonSets)
- Authenticate to Console with certificates
- Customize terminal output
- Collections
- Tags
- WildFire settings
- Log Scrubbing
Authentication
- Access keys
- Prisma Cloud Compute User Roles
- Compute user roles
- Assign roles
- Credentials store
- Cloud accounts
Vulnerability management
- Prisma Cloud vulnerability feed
- Vulnerability Explorer
- Vulnerability management rules
- Search CVEs
- Scan reports
- Scanning procedure
- Customize image scanning
- Configure Registry Scans
- Registry scanning
  - Scan images in Alibaba Cloud Container Registry
  - Amazon EC2 Container Registry (ECR)
  - Azure Container Registry (ACR)
  - Docker Registry v2
  - Google Artifact Registry
  - Google Container Registry (GCR)
  - Harbor
  - IBM Cloud Container Registry
  - Scan images on Artifactory Docker Registry
  - Sonatype Nexus Registry
  - OpenShift integrated Docker registry
  - Trigger registry scans with webhooks
- Base images
- Configure VM image scanning
- Configure code repository scanning
- Agentless scanning
- Malware scanning
- Vulnerability risk tree
- Detect vulnerabilities in unpackaged software
- CVSS scoring
- Windows container image scanning
- Serverless function scanning
- VMware Tanzu blobstore scanning
- Scan App-Embedded workloads
- Troubleshoot vulnerability detection
Access control
- Role-based access control for Docker Engine
- Admission control with Open Policy Agent
Compliance
- Compliance Explorer
- Enforce compliance checks
- CIS Benchmarks
- Prisma Cloud Labs compliance checks
- Serverless functions compliance checks
- Windows compliance checks
- DISA STIG compliance checks
- Custom compliance checks
- Trusted images
- Host scanning
- VM image scanning
- App-Embedded scanning
- Detect secrets
- Cloud discovery
- OSS license management
Runtime defense
- Runtime defense for containers
- Runtime defense for hosts
- Runtime defense for serverless functions
- Runtime defense for App-Embedded
- Event Aggregation
- Custom runtime rules
- Import and export individual rules
- ATT&CK Explorer
- Runtime Audits
- Image analysis sandbox
- Incident Explorer
- Incident types
Continuous integration
- Jenkins plugin
- Jenkins Freestyle project
- Jenkins Maven project
- Jenkins Pipeline project
- Run Jenkins in a container
- Jenkins pipeline on Kubernetes
- CI plugin policy
- Code repo scanning
WAAS
- Deploy WAAS
- Web-Application and API Security (WAAS)
- WAAS Explorer
- App Firewall Settings
- API Protection
- DoS protection
- Bot Protection
- WAAS Access Controls
- Advanced Settings
- WAAS Analytics
- API observations
- API definition scan
- WAAS custom rules
- Detecting unprotected web apps
- WAAS Log Scrubbing
Firewalls
- Cloud Native Network Firewall (CNNF)
Secrets
- Secrets manager
- Integrate with secrets stores
- Secrets Stores
- Inject secrets into containers
- Injecting secrets: end-to-end example
Alerts
- Alert mechanism
- AWS Security Hub
- Cortex XDR alerts
- Cortex XSOAR alerts
- Email alerts
- Google Cloud Pub/Sub
- Google Cloud Security Command Center
- IBM Cloud Security Advisor
- JIRA Alerts
- PagerDuty alerts
- ServiceNow alerts
- ServiceNow alerts
- Slack Alerts
- Splunk alerts
- Webhook alerts
Audit
- Event viewer
- Host activity
- Administrative activity audit trail
- Annotate audit event records
- Delete audit logs
- Syslog and stdout integration
- Log rotation
- Throttling audits
- Prometheus
- Kubernetes auditing
Tools
- twistcli
- Scan images with twistcli
- Scan code repos with twistcli
- Scan Infrastructure as Code (IaC)
Deployment patterns
- Best practices for DNS and certificate management
- Storage limits for audits and reports
- Performance planning
API
Howto
- Disable automatic learning
- Debug data

WAAS custom rules

WAAS custom rules offer an additional mechanism to protect your running web apps. Custom rules are expressions that give you a precise way to describe and detect discrete conditions in requests and responses. WAAS intercepts layer 7 traffic, passes it to Prisma Cloud for evaluation. Expressions let you inspect various facets of requests and responses in a programmatic way, then take action when they evaluate to true. Custom rules can be used in container, host, and app-embedded WAAS policies.

Besides your own custom rules, Prisma Labs ships and maintains rules for newly discovered threats. These systems rules are distributed via the Intelligence Stream. By default, they are shipped in a disabled state. You can review, and optionally activate them at any time. System rules cannot be modified. However, you can clone and customize them to fit your own specific needs.

Before using custom rules, ensure Console and Defender run the same version of Prisma Cloud Compute. The minimum required version for a Defender appears when you add a custom rule to a policy. For example, if a Console runs a newer version, but Defenders have not been upgraded, using functionality only available in the newer version will result in a WAAS error. If this occurs, upgrade Defenders to match their Console’s version.

Expression grammar

Expressions let you examine the contents of requests and responses. The grammar lets you inspect various properties in an event. For example, you could write an expression that determines if an IP address fall inside a specific CIDR block.

Expressions support the following types:

String.

String list.

String map.

Integer.

IP address (e.g. "192.168.0.1")

CIDR block (e.g. "192.168.0.0/16")

Expressions have the following grammar:

term (op term | in | )*

term
--

op
--

and | or | > | < | >= | ⇐ | = | !=

in
--

'(' integer | string (',' integer | string)*)?

Can also be used to determine if an IP address is in a CIDR block: For example:

req.ip in "192.168.0.0/16"

unaryOp
--

not

keyword (similar to wildcards)
--

startswith | contains

contains can be used for:

Equality. For example: req.header_names contains "X-Forwarded-For"

Regular expression match for string lists. For example: req.header_names contains /^X-Forwarded.*/

Regular expression match for strings. For example: req.body contains /^some-regex-text.*/

string
--

Strings must be enclosed in double quotes.

integer
--

int

event
--

req | resp

[ ]
--

Selector operator. Selects a specific value by key from a map. Headers, cookies, body params, and query params are maps. The selection operation template is as following:

req.<map>["<key>"]

For example:

req.headers["Content-Type"] contains "text/html"

Request events

Expressions can examine the following attributes of a request:

Attribute	Minimum Defender version	Type	Example
req.host	22.06	Map of String	req.host contains /^.*ACME[1-9]{1,6}$/
(for matching on "Host" header use req.host)	21.04	Map of String	req.headers["User-Agent"] contains /^.*ACME[1-9]{1,6}$/
req.header_names	21.04	String List	req.header_names contains /^X-Forwarded.*/
req.header_values	21.04	String List	req.header_values contains "secretkey"
req.cookies	21.04	Map of String	req.cookies["yummy-cookie"] contains "flour"
req.cookie_names	21.04	String List	req.cookie_names contains "ga"
req.cookie_values	21.04	String List	req.cookie_values contains "admin"
req.query_params	21.04	Map of String	req.query_params["id"] contains "admin"
req.query_param_names	21.04	String List	req.query_param_names contains "ssn"
req.query_param_values	21.04	String List	req.query_param_values contains /\d{3}-?\d{2}-?\d{4}/
req.body_param_values	21.04	String List	req.body_param_values contains "username"
req.http_method	21.04	String	req.http_method = "POST"
req.file_extension	21.04	String	req.file_extension contains /pdf$/
req.path	21.04	String	req.path startswith "/admin/"
req.ip	21.04	(written as string, parsed as IP if IP is valid)	req.ip in "2.2.2.0/24" or req.ip = "8.8.8.8"
req.country_code	21.04	String	req.country_code = "US"
req.body	21.04	String	req.body contains /password/
req.http_version	21.04	String	req.http_version = "1.0"
req.http_scheme	21.04	String	req.http_scheme = "HTTPS"

When gRPC is enabled, the req.body attribute may not be able to properly match on the body content if it is sent in binary form.

Response events

Expressions can examine the following attributes of a response.

To examine server responses in custom rules, the rule type must be set to waas-response

Attribute	Minimum Defender version	Type	Example
resp.status_code	21.04	Integer	resp.status_code = 200
resp.content_type	21.08	String	resp.content_type = "application/json"
resp.body	21.08	String	resp.body contains /^somesecret$/
resp.headers	21.08	Map of String	resp.headers["Set-Cookie"] contains /SESSIONID/
resp.header_names	21.08	String List	resp.header_names contains "Set-Cookie"
resp.header_values	21.08	String List	resp.header_values contains "ERROR"

When gRPC is enabled, the resp.body attribute may not be able to properly match on the body content if it is sent in binary form.

Trasformation functions

The following transformations are available to users creating custom rules:

lowercase
- converts all charactes to lowercase.

compressWhitespace
- converts whitespace characters (32, \f, \t, \n, \r, \v, 160) to spaces (32) and then compresses multiple space characters into only one.

removeWhitespace
- removes all whitespace characters.

urlQueryDecode
- decodes URL query string.

urlPathDecode
- decodes URL path string (identical to urlQueryDecode
except that it does not unescape + to space).

unicodeDecode
- normalizes unicode characters to their closest resemblance in ASCII format.

htmlEntityDecode
- decodes HTML components in a given string.

base64Decode
- decoes a base64-encoded string.

replaceComments
- replaces each occurence of a C-style comments (/* … */) with a single space (multiple consecutive occurences of a space will not be compressed).

removeCommentSymbols
- removes each comment symbol (/*, */) from a string.

removeTags
- replaces encoded tag entities (<, >) with a single whitespace.

Effects

The following effects may be applied on HTTP requests/responses that match a WAAS custom rule:

Allow
- The request is passed to the protected application, all other detections are not applied (e.g app firewall, bot protection, API protection, etc.). No audit is generated.

Alert
- The request is passed to the protected application and an audit is generated for visibility.

Prevent
- The request is denied from reaching the protected application, an audit is generated and WAAS responds with an HTML page indicating the request was blocked.

Ban
- Can be applied on either IP or Prisma Session IDs. All requests originating from the same IP/Prisma Session to the protected application are denied for the configured time period (default is 5 minutes) following the last detected attack.

For custom rules defined in Out-of-band
, only Allow
and Alert
effects are allowed.

Example expressions

The following examples show how to use the expression grammar:

Special expression to determine if an IP address falls within a CIDR block:

req.ip in "192.168.0.0/16"

Example of using a regular expression:

req.header_names contains /^X-Forwarded.*/

Determine if the request method matches a method in the array. Currently, you can only create custom arrays as part of the in operator.

req.http_method in ("POST", "PUT")

Example of using contains:

req.header_values contains "text/html"

Example using a selector:

req.cookies["yummy-cookie"] contains "flour"

Example of an expression with three conditions. All conditions must evaluate to true for there to be a match.

req.http_method = "POST" and resp.status_code >= 400 and resp.status_code ⇐ 599

Example for detecting HTTP 1.0 requests sent to a path starting with /api/control/ with an "admin" cookie whose Base64 decoded value is set to "True".

req.http_version = "1.0" and lowercase(req.path) startswith "/api/control/" and base64Decode(req.cookies["admin"]) contains /^True$/`

Example for detecting successful login requests by checking the Set-Cookie header value using chained tranformation functions.

req.http_method = "POST" and resp.status_code = 200 and compressWhitespace(base64Decode(resp.headers["Set-Cookie"])) contains /SESSIONID/`

Write a WAAS custom rule

Expression syntax is validated when you save a custom rule.

Open Console, and go to Defend > WAAS
> {Container | Host | App-Embedded | Out-of-band}
.

Click Add rule
.

Enter a name for the rule.

In Message
, enter a audit message to be emitted when an event matches the condition logic in this custom rule.

Use the following syntax to view the matched groups: <Your text>: %regexMatches

Refer to the following screenshot:

Select the rule type.

You can write expressions for requests or responses. What you select here scopes the vocabulary available for your expression.

Enter your expression logic.

Press OPTION + SPACE to get a list of valid terms, expressions, operators, etc, for the given position.

Use the example expressions here as a starting point for your own expression.

Click Save
.

Your expression logic is validate before it’s save to Console’s database.

Activate WAAS custom rules

A custom rule is made up of one or more conditions. Attach a custom rule to a WAAS policy rule to activate it.

Custom rules are defined in Defend > Custom rules > WAAS
. WAAS policy rules are defined in Defend > WAAS > {Container | Host | App-Embedded | Out-of-band}
.

When attaching a custom rule to a WAAS policy rule, you specify the action to take when the expression evaluates to true (i.e. the expression matches). Supported actions are disable, alert, prevent, and ban.

Custom rules have priority over all other enabled WAAS protections. WAAS evaluates all custom rules that are attached, so you can get more than one audit if more than one custom rule matches.

Prerequisites:
You have already set up WAAS to protect an app, and there’s a rule for it under Defend > WAAS > {Container | Host | App-Embedded | Out-of-band}
. For more information about setting up an app, see Deploy WAAS.

Open Console, and go to Defend > WAAS > {Container | Host | App-Embedded | Out-of-band}
.

In the table, expand a rule.

Under App list
, click Actions > Edit
for an app in the table.

In the edit rule dialog, click the Custom rules
tab.

Click Select rules
.

A list of available WAAS custom rules is displayed. Whenever a user creates a rule, the owner
column is populated with the username. The owner column of virtual patches provided by Unit-42 researchers will have the value system.

Alternatively, you can click Add rule
to author a new custom rule in place.

Select one or more rules.

Click Apply
.

The minimum supported Defender version appears when you add the custom rule to a policy.

Configure the effect for each custom rule.

By default, the effect is set to Alert
.

Click Save
.

Document:Prisma Cloud Administrator’s Guide (Compute)

WAAS custom rules

Table of Contents

WAAS custom rules