API to manage CSPM policies
The API to manage CNAPP policies allows automated access to features such as editing policies, enabling and disabling them, and importing new policies. This section covers the details of working with CSPM policies.
Authentication: Get an Access Token
See the section Authenticate to CNAPP API for details on how to acquire an access token for the following API calls.
CSPM Policy Management
List CSPM Policies
Verb: POST
Path: /neo/config-audit/v1/getPolicies
Request Headers: x-access-token: <<JWT access token>>
Content-Type: application/json
Request Body:
{
  "searchRequest": {
    "policyStatus": ["1"],
    "policyType": [],
    "policyIds": [],
    "policyCategory": [],
    "cisLevels": [],
    "cspIds": [],
    "start": 0,
    "limit": 500,
    "sortOrder": "desc",
    "sortBy": "edittime"
  }
}
Construction of the Request body:
The request body contains:
- policyStatus: list of status values to match; "1" = enabled, "0" = disabled
- cspIds: optional list of CSP IDs to restrict the results to
- sortBy: name of the field the response is sorted by (sortOrder gives the direction)
Response:
The response is a JSON array with one object for each matching policy. Here is an example response:
[
  {
    "id": 1516498,
    "name": "TestPolicy Custom",
    "description": "",
    "content": ".....",
    "version": 1,
    "editorid": 6898,
    "edittime": 1635879066000,
    "statusId": 1,
    "status": "Active",
    "deleted": 0,
    "policyTypeId": 6,
    "policyType": "Config Audit",
    "category": "Others",
    "cisLevel": null,
    "missingPermissions": [],
    "requiredPermissions": [],
    "cspId": 2049,
    "cspName": "Amazon Web Services",
    "editorEmail": "..."
  }
]
Retrieve CSPM Policy
Verb: GET
Path: /neo/shndlpapi/v1/<<tenant-id>>/policies/details/<<policy-id>>
Request Headers: x-access-token: <<JWT access token>>
Content-Type: application/json
Request Body: -none-
Response:
The response is a single JSON object representing the CSPM policy:
{
  "name": "Firewall Rules should not have unrestricted SSH access (1)",
  "policy_type": "Config Audit",
  "policy_sub_type": "PREDEFINED",
  "description": "If you are using SSH, ensure that access through port 22, used for SSH, is restricted to required entities only.",
  "status": { "name": "Inactive", "value": "0" },
  "cis_level": { "name": "NONE", "value": "NONE" },
  "services": [ { "name": "Google Cloud Platform", "value": "13465" } ],
  "category": { "name": "Networking", "value": "Networking" },
  "available_rules": [
    { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Inbound Rules [To Port]", "operator": "<=", "values": [], "value_type": "SINGLE", "value_types": [], "editable": true, "removable": false },
    { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Inbound Rules [From Port]", "operator": ">=", "values": [], "value_type": "SINGLE", "value_types": [], "editable": true, "removable": false },
    { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Source Range", "operator": "IN", "values": [], "value_type": "MULTIPLE", "value_types": [], "editable": false, "removable": false },
    { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Disabled", "operator": "=", "values": [], "value_type": "SINGLE", "value_types": [], "editable": false, "removable": false },
    { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "IP Protocol", "operator": "IN", "values": [], "value_type": "MULTIPLE", "value_types": [], "editable": false, "removable": false },
    { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Direction", "operator": "=", "values": [], "value_type": "SINGLE", "value_types": [], "editable": false, "removable": false }
  ],
  "available_exceptions": [
    { "rule_details_type": "query_rule_details", "rule_type": "QueryExceptionRule", "attribute_name": "Project Name", "operator": "=", "value_type": "MULTIPLE", "editable": true, "removable": true },
    { "rule_details_type": "query_rule_details", "rule_type": "QueryExceptionRule", "attribute_name": "Firewall Rule Name", "operator": "=", "value_type": "MULTIPLE", "editable": true, "removable": true }
  ],
  "possible_values": [],
  "rules": {
    "type": "OR",
    "rule_groups": [
      {
        "id": 1,
        "type": "AND",
        "rules": [
          { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Direction", "operator": "=", "values": [ "INGRESS" ], "value_type": "SINGLE", "value_types": [], "editable": false, "removable": false },
          { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Disabled", "operator": "=", "values": [ "No" ], "value_type": "SINGLE", "value_types": [], "editable": false, "removable": false },
          { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Source Range", "operator": "IN", "values": [ "0.0.0.0/0" ], "value_type": "MULTIPLE", "value_types": [], "editable": false, "removable": false },
          { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "IP Protocol", "operator": "IN", "values": [ "tcp", "udp", "all" ], "value_type": "MULTIPLE", "value_types": [], "editable": false, "removable": false },
          { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Inbound Rules [From Port]", "operator": ">=", "values": [ "22" ], "value_type": "SINGLE", "value_types": [], "editable": true, "removable": false },
          { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Inbound Rules [To Port]", "operator": "<=", "values": [ "22" ], "value_type": "SINGLE", "value_types": [], "editable": true, "removable": false }
        ],
        "severity": "High"
      }
    ]
  },
  "exceptions": { "type": "OR", "exception_groups": [ { "id": 1, "type": "AND", "rules": [], "severity": null } ] },
  "responses": [],
  "email_notification_metadata": {
    "users_list": [ { "id": 0, "selected": false, "first_name": "Admin", "last_name": "User", "email_id": "admin@nothing.none", "role": null } ]
  },
  "possible_responses": [
    { "type": "generic_notification", "response_type": "REMOVE_UNRESTRICTED_ACCESS_FIREWALL", "response_label": "Remove unrestricted access from firewall rules" },
    { "type": "email_notification", "response_type": "EMAIL_NOTIFICATION", "response_label": "Email Notification", "selected_user_ids": null, "custom_email_ids": null }
  ]
}
Update CSPM Policy
Verb: PUT
Path: /neo/shndlpapi/v1/<<tenant-id>>/policies/details/<<policy-id>>
Request Headers: x-access-token: <<JWT access token>>
Content-Type: application/json
Request Body: A JSON object reflecting the policy. Below is an example:
{
  "name": "Firewall Rules should not have unrestricted SSH access (1)",
  "policy_type": "Config Audit",
  "policy_sub_type": "PREDEFINED",
  "description": "If you are using SSH, ensure that access through port 22, used for SSH, is restricted to required entities only.",
  "status": { "name": "Active", "value": "1" },
  "services": [ { "name": "Google Cloud Platform", "value": "13465" } ],
  "category": { "name": "Networking", "value": "Networking" },
  "available_rules": [
    { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Inbound Rules [To Port]", "operator": "<=", "values": [], "value_type": "SINGLE", "value_types": [], "editable": true, "removable": false }
  ],
  "available_exceptions": [
    { "rule_details_type": "query_rule_details", "rule_type": "QueryExceptionRule", "attribute_name": "Project Name", "operator": "=", "value_type": "MULTIPLE", "editable": true, "removable": true }
  ],
  "possible_values": [],
  "rules": {
    "type": "OR",
    "rule_groups": [
      {
        "id": 1,
        "type": "AND",
        "rules": [
          { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Direction", "operator": "=", "values": ["INGRESS"], "value_type": "SINGLE", "value_types": [], "editable": false, "removable": false },
          { "rule_details_type": "query_rule_details", "type": "and", "rule_type": "QueryRule", "attribute_name": "Disabled", "operator": "=", "values": ["No"], "value_type": "SINGLE", "value_types": [], "editable": false, "removable": false }
        ],
        "severity": "High"
      }
    ]
  },
  "exceptions": { "type": "OR", "exception_groups": [ { "id": 1, "type": "AND", "rules": [], "severity": null } ] },
  "responses": [],
  "email_notification_metadata": {
    "users_list": [ { "id": 0, "selected": false, "first_name": "Admin", "last_name": "User", "email_id": "admin@none.null", "role": null } ]
  },
  "possible_responses": [
    { "type": "generic_notification", "response_type": "REMOVE_UNRESTRICTED_ACCESS_FIREWALL", "response_label": "Remove unrestricted access from firewall rules" },
    { "type": "email_notification", "response_type": "EMAIL_NOTIFICATION", "response_label": "Email Notification", "selected_user_ids": null, "custom_email_ids": null }
  ]
}
Construction of the Request body:
The request body contains the updated policy object, in the same structure as returned by Retrieve CSPM Policy.
Response:
The response is a status message.
{"status":true,"error_message":null}
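As an added example (not the vendor's code) of driving the three calls above from Python: it builds the List request body, flips the status object of a policy fetched with Retrieve so the copy can be sent back with Update, and renders a policy's rule groups as one readable condition for review. The base URL and tenant id are assumed to be supplied by the caller, and the sample policy is constructed here from the Retrieve response shown above.

```python
import json
import urllib.request

LIST_PATH = "/neo/config-audit/v1/getPolicies"
DETAILS_PATH = "/neo/shndlpapi/v1/{tenant_id}/policies/details/{policy_id}"
ACTIVE = {"name": "Active", "value": "1"}
INACTIVE = {"name": "Inactive", "value": "0"}

def auth_headers(token):
    """Headers every call needs: the JWT from the authentication section."""
    return {"x-access-token": token, "Content-Type": "application/json"}

def list_policies_body(enabled=True, csp_ids=(), start=0, limit=500):
    """Body for List CSPM Policies; policyStatus "1" = enabled, "0" = disabled."""
    return {"searchRequest": {
        "policyStatus": ["1" if enabled else "0"], "policyType": [], "policyIds": [],
        "policyCategory": [], "cisLevels": [], "cspIds": list(csp_ids),
        "start": start, "limit": limit, "sortOrder": "desc", "sortBy": "edittime"}}

def set_policy_status(policy, active):
    """Deep-copy a retrieved policy and flip its status; the copy is the PUT body."""
    updated = json.loads(json.dumps(policy))
    updated["status"] = dict(ACTIVE if active else INACTIVE)
    return updated

def describe_rules(policy):
    """Render the rule groups of a retrieved policy as one readable condition."""
    groups = []
    for group in policy["rules"]["rule_groups"]:
        terms = ["%s %s %s" % (r["attribute_name"], r["operator"], ",".join(r["values"]))
                 for r in group["rules"]]
        groups.append("(%s)" % (" %s " % group["type"]).join(terms))
    return (" %s " % policy["rules"]["type"]).join(groups)

def call(base_url, method, path, token, body=None):
    """Send one request with the documented headers and decode the JSON reply."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(base_url + path, data=data, method=method,
                                 headers=auth_headers(token))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())

# Constructed sample: a shortened form of the Retrieve CSPM Policy response above.
SAMPLE_POLICY = {
    "name": "Firewall Rules should not have unrestricted SSH access (1)",
    "status": dict(INACTIVE),
    "rules": {"type": "OR", "rule_groups": [{"id": 1, "type": "AND", "rules": [
        {"attribute_name": "Direction", "operator": "=", "values": ["INGRESS"]},
        {"attribute_name": "Source Range", "operator": "IN", "values": ["0.0.0.0/0"]},
        {"attribute_name": "Inbound Rules [From Port]", "operator": ">=", "values": ["22"]}]}]}}
```

A full round trip is `policy = call(base, "GET", DETAILS_PATH.format(tenant_id=t, policy_id=p), token)` followed by `call(base, "PUT", same_path, token, set_policy_status(policy, True))`; review `describe_rules(policy)` before enabling so the condition a policy enforces is what you expect.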
Create CSPM Policy
Verb: POST
Path: https://www.myshn.net/neo/config-aud.../v1/savePolicy
Request Headers: x-access-token: <<JWT access token>>
Content-Type: application/json
Request Body: A JSON object reflecting the policy. Set the policyId to -1. Below is an example:
{
  "policyId": -1,
  "name": "MyNewPol",
  "description": "",
  "csp": 2049,
  "active": true,
  "ruleGroups": [
    {
      "type": "ruleGroup",
      "auditRules": {
        "type": "auditRule",
        "services": ["AMI"],
        "generateFor": ["AMI"],
        "rules": {
          "type": "condition",
          "rule": { "type": "property", "property": "account_id", "propertyType": "string", "isArray": false, "isLinkedProperty": false, "operator": "STARTS_WITH", "values": ["hello"] }
        },
        "exceptions": null
      },
      "severity": "MEDIUM"
    }
  ],
  "response": null,
  "type": 6
}
Response:
The response is a status message.
{
  "message": "OK",
  "content": {
    "statusMessage": null,
    "status": "SUCCESS",
    "templateCount": null,
    "policyCount": null,
    "genericApiConfig": null,
    "apiConfig": null,
    "tenantInstance": null
  }
}