API to manage CWPP policies
The API for managing CNAPP policies gives automated access to features such as editing policies, enabling and disabling them, and importing new policies. This section covers the details of working with CWPP-related policies.
Authentication: Get an Access Token
See section Authenticate to CNAPP API for details on how to acquire an access token for the following API calls.
CWPP Objects and Policy types
CWPP consists of multiple policy types, depending on the use case, e.g. Workload Hardening, Application Control, Vulnerability Scanning. While the API endpoints are identical across policy types, the policy object has a different structure for each type. Here are the details for some of the objects:
Policy Types enumeration
5 = Lightning Link
6 = Config Audit
8 = Malware
9 = Vulnerability
10 = Application Control
11 = FileIntegrity
12 = Workload Hardening
13 = Container Image Control
CWPP Policy Management
List CWPP Policies
Verb: POST
Path: /neo/shndlpapi/v1/<<tenant-id>>/policies/search
Request Headers: x-access-token: <<JWT access token>>
Content-Type: application/json
Request Body:
{
  "type_id": null,
  "search_param": null,
  "search_request": {
    "policy_statuses": [],
    "policy_types": [7, 11],
    "policy_ids": [],
    "csp_ids": [],
    "instance_ids": [],
    "start": 0,
    "limit": 500,
    "sort_order": "desc",
    "sort_by": "name",
    "enabled": true
  }
}
Construction of the Request body:
The request body contains the search_request object. Its policy_types field is a list of policy type ids taken from the Policy Types enumeration above (5 = Lightning Link, 6 = Config Audit, 8 = Malware, 9 = Vulnerability, 10 = Application Control, 11 = FileIntegrity, 12 = Workload Hardening, 13 = Container Image Control); enabled restricts the result to enabled policies, and sort_by / sort_order control the ordering of the returned list.
The response is a JSON array containing one object per matching policy. Here is an example response:
[
  {
    "id": 1372404,
    "tenant_id": 12344,
    "name": "Monitor critical system files in a VM",
    "description": "As a Cloud Compliance Officer, I need the ability to log changes for critical files in Linux VMs.\n These are list of files that need to be monitored.\n /bin ,/etc ,/lib ,/lib64 ,/opt ,/sbin ,/srv ,/usr ,/var/lib.",
    "content": "{\"rule\":{\"type\":\"file_integrity\",\"rules\":[{\"type\":\"group\",\"description\":\"VM_FILE\",\"rule\":{\"type\":\"file_path\",\"file_path_values\":[\"/bin\",\"/etc\",\"/lib\",\"/lib64\",\"/opt\",\"/sbin\",\"/srv\",\"/usr\",\"/var/lib\"],\"file_path_dictionary_specification\":{\"type\":\"memory\",\"terms\":[\"/bin\",\"/etc\",\"/lib\",\"/lib64\",\"/opt\",\"/sbin\",\"/srv\",\"/usr\",\"/var/lib\"]}}}],\"severity\":null},\"policy_response_spec\":{\"severity_response_list\":[{\"severity\":\"ANY\",\"response\":\"INCIDENT\",\"response_payload\":null}]},\"user_filter\":null,\"content_rule_type\":\"Skyhigh_CASB\"}",
    "version": 2,
    "editor_id": 6898,
    "editor_email": "redacted",
    "edit_time": 1624866447000,
    "active": true,
    "deleted": false,
    "policy_type_id": 11,
    "policy_type_name": "FileIntegrity",
    "services": [],
    "dlp_dictionaries": [],
    "user_groups": [],
    "category": "File Integrity",
    "cis_level": "LEVEL1",
    "violation_desc": "null",
    "linked_scans": [],
    "linked_edlp_policies": [],
    "system": false,
    "cwpp_policy_metadata": [
      { "id": 6361, "policy_id": 1372404, "property": "containerType", "value": "1" },
      { "id": 6358, "policy_id": 1372404, "property": "include_account_list", "value": "[]" },
      { "id": 6360, "policy_id": 1372404, "property": "is_available_for_continous_evaluation", "value": "Linux" },
      { "id": 6359, "policy_id": 1372404, "property": "platform", "value": "Linux" },
      { "id": 6352, "policy_id": 1372404, "property": "policy_mode", "value": "Observe" },
      { "id": 6362, "policy_id": 1372404, "property": "tags", "value": "[]" }
    ]
  }
]
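The following Python snippet is an added example and is not part of the original page or of the vendor's own tooling. It builds the search body described above, shows the call against the search endpoint (the base URL, tenant id and token are assumptions supplied by the caller), and flattens one policy from the response into a summary. The one non-obvious step is that the "content" field is itself a JSON document encoded as a string, so it has to be decoded a second time; the sample response below is constructed from the page's example and trimmed.

```python
import json
import urllib.request

# Policy type ids as enumerated on this page.
POLICY_TYPES = {
    5: "Lightning Link",
    6: "Config Audit",
    8: "Malware",
    9: "Vulnerability",
    10: "Application Control",
    11: "FileIntegrity",
    12: "Workload Hardening",
    13: "Container Image Control",
}


def build_search_body(policy_types, enabled=True, start=0, limit=500):
    """Build the /policies/search request body in the shape shown on this page."""
    return {
        "type_id": None,
        "search_param": None,
        "search_request": {
            "policy_statuses": [],
            "policy_types": list(policy_types),
            "policy_ids": [],
            "csp_ids": [],
            "instance_ids": [],
            "start": start,
            "limit": limit,
            "sort_order": "desc",
            "sort_by": "name",
            "enabled": enabled,
        },
    }


def search_policies(base_url, tenant_id, token, body):
    """POST the search body with the headers documented above.
    base_url/tenant_id/token are caller-supplied assumptions; this makes a network call."""
    url = f"{base_url}/neo/shndlpapi/v1/{tenant_id}/policies/search"
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"x-access-token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize_policy(policy):
    """Flatten one policy from the search response.
    'content' is JSON-in-a-string, so decode it; metadata rows become a dict."""
    content = json.loads(policy["content"])
    metadata = {m["property"]: m["value"] for m in policy.get("cwpp_policy_metadata", [])}
    summary = {
        "id": policy["id"],
        "name": policy["name"],
        "type": POLICY_TYPES.get(policy["policy_type_id"], policy.get("policy_type_name")),
        "active": policy["active"],
        "rule_type": content["rule"]["type"],
        "platform": metadata.get("platform"),
        "policy_mode": metadata.get("policy_mode"),
        "responses": [r["response"]
                      for r in content["policy_response_spec"]["severity_response_list"]],
    }
    # For file_integrity rules, surface the monitored paths from each rule group.
    paths = []
    for group in content["rule"].get("rules", []):
        paths.extend(group.get("rule", {}).get("file_path_values", []))
    summary["file_paths"] = paths
    return summary


# Constructed sample, trimmed from the example response on this page.
SAMPLE_CONTENT = json.dumps({
    "rule": {"type": "file_integrity", "rules": [{
        "type": "group", "description": "VM_FILE",
        "rule": {"type": "file_path", "file_path_values": ["/bin", "/etc", "/sbin"]}}],
        "severity": None},
    "policy_response_spec": {"severity_response_list": [
        {"severity": "ANY", "response": "INCIDENT", "response_payload": None}]},
    "user_filter": None, "content_rule_type": "Skyhigh_CASB",
})
SAMPLE_RESPONSE = [{
    "id": 1372404, "tenant_id": 12344, "name": "Monitor critical system files in a VM",
    "content": SAMPLE_CONTENT, "active": True,
    "policy_type_id": 11, "policy_type_name": "FileIntegrity",
    "cwpp_policy_metadata": [
        {"id": 6359, "policy_id": 1372404, "property": "platform", "value": "Linux"},
        {"id": 6352, "policy_id": 1372404, "property": "policy_mode", "value": "Observe"},
    ],
}]

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in search_policies(...) for a live call.
    body = build_search_body([11])
    for p in SAMPLE_RESPONSE:
        print(json.dumps(summarize_policy(p), indent=2))
```

The summary is what an inventory job would keep: which policies are active, in which mode (Observe here), and which paths a FileIntegrity policy actually watches, so drift between the intended baseline and the deployed policy set can be spotted without reading escaped JSON by hand.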
Retrieve CWPP Policy
Verb: GET
Path: /neo/shndlpapi/v1/<<tenant-id>>/policies/<<policy-id>>
Request Headers: x-access-token: <<JWT access token>>
Content-Type: application/json
Request Body: -none-
The response is a single JSON object representing the CWPP policy:
{
  "id": 1372404,
  "tenant_id": 77231,
  "name": "Monitor critical system files in a VM",
  "description": "As a Cloud Compliance Officer, I need the ability to log changes for critical files in Linux VMs.\n These are list of files that need to be monitored.\n /bin ,/etc ,/lib ,/lib64 ,/opt ,/sbin ,/srv ,/usr ,/var/lib.",
  "content": "{\"rule\":{\"type\":\"file_integrity\",\"rules\":[{\"type\":\"group\",\"description\":\"VM_FILE\",\"rule\":{\"type\":\"file_path\",\"file_path_values\":[\"/bin\",\"/etc\",\"/lib\",\"/lib64\",\"/opt\",\"/sbin\",\"/srv\",\"/usr\",\"/var/lib\"],\"file_path_dictionary_specification\":{\"type\":\"memory\",\"terms\":[\"/bin\",\"/etc\",\"/lib\",\"/lib64\",\"/opt\",\"/sbin\",\"/srv\",\"/usr\",\"/var/lib\"]}}}],\"severity\":null},\"policy_response_spec\":{\"severity_response_list\":[{\"severity\":\"ANY\",\"response\":\"INCIDENT\",\"response_payload\":null,\"workflow_payload\":null}]},\"user_filter\":null,\"content_rule_type\":\"Skyhigh_CASB\"}",
  "version": 2,
  "editor_id": 6898,
  "editor_email": "admin@none.null",
  "edit_time": 1624866447000,
  "active": true,
  "deleted": false,
  "policy_type_id": 11,
  "policy_type_name": "FileIntegrity",
  "services": [],
  "dlp_dictionaries": [],
  "user_groups": [],
  "category": "File Integrity",
  "cis_level": "LEVEL1",
  "violation_desc": "null",
  "linked_scans": [],
  "linked_edlp_policies": [],
  "system": false,
  "cwpp_policy_metadata": [
    { "id": 6361, "policy_id": 1372404, "property": "containerType", "value": "1" },
    { "id": 6358, "policy_id": 1372404, "property": "include_account_list", "value": "[]" },
    { "id": 6360, "policy_id": 1372404, "property": "is_available_for_continous_evaluation", "value": "Linux" },
    { "id": 6359, "policy_id": 1372404, "property": "platform", "value": "Linux" },
    { "id": 6352, "policy_id": 1372404, "property": "policy_mode", "value": "Observe" },
    { "id": 6362, "policy_id": 1372404, "property": "tags", "value": "[]" }
  ]
}
Update CWPP Policy
Verb: POST
Path: /neo/config-audit/cwpp/ui/v1/savePolicy
Request Headers: x-access-token: <<JWT access token>>
Content-Type: application/json
Request Body: A JSON object representing the policy; below is an example:
{
  "policyId": 1372404,
  "name": "Monitor critical system files in a VM",
  "description": "As a Cloud Compliance Officer, I need the ability to log changes for critical files in Linux VMs.\n These are list of files that need to be monitored.\n /bin ,/etc ,/lib ,/lib64 ,/opt ,/sbin ,/srv ,/usr ,/var/lib.",
  "active": true,
  "policyType": 11,
  "type": "FIM",
  "cwppPolicyMetadata": [
    { "id": 6361, "policy_id": 1372404, "property": "containerType", "value": "1" },
    { "id": 6358, "policy_id": 1372404, "property": "include_account_list", "value": "[]" },
    { "id": 6360, "policy_id": 1372404, "property": "is_available_for_continous_evaluation", "value": "Linux" },
    { "id": 6359, "policy_id": 1372404, "property": "platform", "value": "Linux" },
    { "id": 6352, "policy_id": 1372404, "property": "policy_mode", "value": "Observe" }
  ],
  "rule": {
    "type": "file_integrity",
    "rules": [
      {
        "rule": {
          "type": "file_path",
          "file_path_dictionary_specification": {
            "type": "memory",
            "terms": ["/bin", "/etc", "/lib", "/lib64", "/opt", "/sbin", "/srv", "/usr", "/var/lib"]
          },
          "file_path_values": ["/bin", "/etc", "/lib", "/lib64", "/opt", "/sbin", "/srv", "/usr", "/var/lib"]
        },
        "type": "group"
      }
    ],
    "short_circuit": true,
    "severity": "HIGH"
  }
}
Construction of the Request body:
The request body contains the updated policy object. Note that its field names differ from the retrieved policy object: the policy id is sent as policyId, the policy type id as policyType, the metadata array as cwppPolicyMetadata, and the rule is sent as a JSON object rather than as the JSON-encoded "content" string returned by the retrieve call.
The response is a status message:
{"message": "OK", "content": "Success"}
Create CWPP Policy
Verb: POST
Path: /neo/config-audit/cwpp/ui/v1/savePolicy
Request Headers: x-access-token: <<JWT access token>>
Content-Type: application/json
Request Body: A JSON object representing the policy; below is an example for an application control policy. Please note that the endpoint is the same as for updating a policy. Specify -1 as policyId to create a new policy. If an existing policyId is given, the existing policy is updated instead.
{
  "policyId": -1,
  "name": "App Control 1",
  "description": "",
  "active": true,
  "isContentModified": true,
  "isFilterModified": true,
  "policyType": 10,
  "type": "CAC",
  "cwppPolicyMetadata": [
    { "id": -1, "policy_id": -1, "property": "is_available_for_continous_evaluation", "value": "true" },
    { "id": -1, "policy_id": -1, "property": "policy_mode", "value": "OBSERVE" },
    { "id": -1, "policy_id": -1, "property": "workloadType", "value": "Container" },
    { "id": -1, "policy_id": -1, "property": "platform", "value": "linux" },
    { "id": -1, "policy_id": -1, "property": "include_account_list", "value": "[{\"displayName\":\"Amazon Web Services:Zengel\",\"csp\":2049,\"instance\":10709,\"accounts\":[],\"$$hashKey\":\"object:3050\"}]" },
    { "id": -1, "policy_id": -1, "property": "tags", "value": "" }
  ],
  "rule": {
    "type": "appControl",
    "workloadType": "Container",
    "rules": {
      "type": "condition",
      "rule": {
        "type": "property",
        "propertyType": "string",
        "isArray": true,
        "property": "allowed_apps",
        "operator": "IN",
        "values": [ "87ec0c9cc679404ae84d91965fcefe1a0aa2d53cf2ddd3745ad9cbc7f5527beb" ],
        "isLinkedProperty": false,
        "valueUnit": null
      }
    },
    "responseTypes": [ "Allow All Applications", "Create an Event for Unselected Applications" ]
  }
}
Construction of the Request body:
The request body contains the new policy object. Specify -1 as policyId to create a new policy; in the example above every cwppPolicyMetadata entry also carries -1 for id and policy_id, since no server-side rows exist yet.
The response is a status message:
{"message": "OK", "content": "Success"}
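The Python below is an added example covering both the Update and Create sections above; it is not code from the original page or from the vendor. It converts a policy as returned by the retrieve call into a savePolicy body (keeping the existing metadata ids so the update touches the existing rows), builds a create body with policyId -1 throughout, and checks the status message before treating a save as successful. The mapping from policy_type_id to the "type" code is taken only from the two examples on this page (11 = FIM, 10 = CAC); for any other type the caller must supply the code, since the page does not document it. The sample policy is constructed from the page's retrieve example and trimmed.

```python
import json

# Only the codes visible in this page's examples; other policy types are not documented here.
SAVE_TYPE_CODES = {11: "FIM", 10: "CAC"}


def update_body_from_policy(policy, type_code=None):
    """Turn a policy from GET .../policies/<id> into a savePolicy body for updating it.
    Field names change (id -> policyId, policy_type_id -> policyType,
    cwpp_policy_metadata -> cwppPolicyMetadata) and 'content' is decoded
    from its JSON string into the 'rule' object. Metadata ids are preserved."""
    content = json.loads(policy["content"])
    code = type_code or SAVE_TYPE_CODES.get(policy["policy_type_id"])
    if code is None:
        raise ValueError(f"no savePolicy type code known for policy_type_id {policy['policy_type_id']}")
    return {
        "policyId": policy["id"],
        "name": policy["name"],
        "description": policy.get("description", ""),
        "active": policy["active"],
        "policyType": policy["policy_type_id"],
        "type": code,
        "cwppPolicyMetadata": [dict(m) for m in policy.get("cwpp_policy_metadata", [])],
        "rule": content["rule"],
    }


def set_file_paths(body, paths):
    """Replace the monitored paths of a file_integrity update body in place.
    The page's examples keep file_path_values and the dictionary terms identical,
    so both are rewritten together."""
    for group in body["rule"]["rules"]:
        rule = group["rule"]
        if rule.get("type") == "file_path":
            rule["file_path_values"] = list(paths)
            spec = rule.setdefault("file_path_dictionary_specification", {"type": "memory"})
            spec["terms"] = list(paths)
    return body


def create_body(name, policy_type_id, type_code, rule, metadata, description="", active=True):
    """Build a savePolicy body that creates a policy: policyId is -1 and every
    metadata row carries id/policy_id -1, as in the page's application-control example."""
    return {
        "policyId": -1,
        "name": name,
        "description": description,
        "active": active,
        "isContentModified": True,
        "isFilterModified": True,
        "policyType": policy_type_id,
        "type": type_code,
        "cwppPolicyMetadata": [
            {"id": -1, "policy_id": -1, "property": k, "value": v} for k, v in metadata.items()
        ],
        "rule": rule,
    }


def save_succeeded(response):
    """savePolicy answers {"message": "OK", "content": "Success"}; anything else is a failure."""
    return response.get("message") == "OK" and response.get("content") == "Success"


# Constructed sample, trimmed from the retrieve example on this page.
SAMPLE_POLICY = {
    "id": 1372404, "name": "Monitor critical system files in a VM", "description": "",
    "content": json.dumps({
        "rule": {"type": "file_integrity", "rules": [{"type": "group", "rule": {
            "type": "file_path", "file_path_values": ["/bin", "/etc"],
            "file_path_dictionary_specification": {"type": "memory", "terms": ["/bin", "/etc"]}}}],
            "severity": None},
        "policy_response_spec": {"severity_response_list": []},
    }),
    "active": True, "policy_type_id": 11,
    "cwpp_policy_metadata": [
        {"id": 6359, "policy_id": 1372404, "property": "platform", "value": "Linux"},
        {"id": 6352, "policy_id": 1372404, "property": "policy_mode", "value": "Observe"},
    ],
}

if __name__ == "__main__":
    body = set_file_paths(update_body_from_policy(SAMPLE_POLICY), ["/bin", "/etc", "/boot"])
    print(json.dumps(body, indent=2))
    print(save_succeeded({"message": "OK", "content": "Success"}))
```

Post the resulting body to /neo/config-audit/cwpp/ui/v1/savePolicy with the same x-access-token and Content-Type headers as the other calls, and check save_succeeded on the parsed response; a script that ignores the status message can silently leave a policy unchanged or unaudited.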