Identity-Based Microsegmentation Guide
LAST UPDATED: June 23, 2021

PCN resources

pcn/infrastructure

CloudAccountCleaner

Used for garbage collection of all objects in an account that have not been updated since the provided time.

Example

{
  "date": "2021-03-16 09:30:04 -0700 PDT"
}

Relations

POST /cloudaccountcleaner

Initiates a cloud account clean up process for all stale objects.

Attributes

date [required]

Type: time

The date after which objects must be cleaned.

CloudAddress

Manages the list of IP addresses associated with an interface.

Example

{
  "IPVersion": "IPv4",
  "primary": true,
  "privateDNSName": "ip-172-20-53-29.us-west-2.compute.internal",
  "privateIP": "10.1.1.2",
  "publicDNSName": "ip-172-20-53-29.us-west-2.compute.internal",
  "publicIP": "10.1.1.2"
}

Attributes

IPVersion [required]

Type: enum(IPv4 | IPv6)

Designates IPv4 or IPv6.

primary

Type: boolean

Designates the IP address as the primary IP address.

privateDNSName

Type: string

The private DNS name associated with the address.

privateIP

Type: string

The private IP address value.

privateNetwork [autogenerated,read_only]

Type: network

Internal representation of the private IP to accelerate operations. Not exposed to users.

publicDNSName

Type: string

The public DNS name associated with the address.

publicIP

Type: string

The public IP address value.

publicNetwork [autogenerated,read_only]

Type: network

Internal representation of public IP addresses to accelerate operations. Not exposed to users.

CloudAlert

Creates a Prisma Cloud policy and corresponding alert rules.

Example

{
  "name": "the name",
  "protected": false
}

Relations

DELETE /cloudalerts/:id

Deletes the Prisma Cloud policy with the given ID.

GET /cloudalerts/:id

Retrieves the Prisma Cloud policy with the given ID.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

PUT /cloudalerts/:id

Updates the Prisma Cloud policy with the given ID.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

cloudpolicies

Type: []string

The list of policies that apply to this alert.

description [max_length=1024]

Type: string

Description of the object.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

notifications

Type: []string

Type of notifications.

protected

Type: boolean

Defines if the object is protected.

targetSelector

Type: [][]string

Selector of namespaces where this alert rule must apply. If empty it applies to current namespace.

CloudEndpoint

Manages the list of endpoints available in a cloud deployment.

Example

{
  "APIID": 12344555,
  "VPCID": "vpc-023419c5952374917",
  "accountID": 9123450055,
  "cloudType": "AWS",
  "customerID": 1234455,
  "name": "myobject",
  "nativeID": "subnet-0ae4a90153dfb642c",
  "policyReferences": [
    "sg-123"
  ],
  "protected": false,
  "regionName": "AWS Tokyo",
  "resourceID": 12344555
}

Relations

GET /cloudendpoints

List of endpoints associated with the deployment.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

POST /cloudendpoints

Creates a cloud endpoint.

DELETE /cloudendpoints/:id

Deletes the object with the given ID.

GET /cloudendpoints/:id

Retrieves the endpoint with the given ID.

PUT /cloudendpoints/:id

Updates the endpoint with the given ID.

Attributes

APIID

Type: integer

Prisma Cloud API ID (matches Prisma Cloud API ID).

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

VPCID

Type: string

ID of the host VPC.

accountID

Type: string

Cloud account ID associated with the entity (matches Prisma Cloud accountID).

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

cloudTags

Type: []string

Internal representation of object tags retrieved from the cloud provider.

cloudType

Type: string

Cloud type of the entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

customerID

Type: integer

Customer ID as identified by Prisma Cloud.

ingestionTime

Type: time

The time that the object was first ingested.

name

Type: string

Name of the object (optional).

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

nativeID [required,max_length=256]

Type: string

ID of the cloud provider object.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parameters

Type: cloudendpointdata

Endpoint related parameters.

policyReferences

Type: []string

A list of policy references associated with this cloud node.

protected

Type: boolean

Defines if the object is protected.

regionName [max_length=256]

Type: string

Region name associated with the entity.

resourceID

Type: integer

Prisma Cloud Resource ID.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

CloudEndpointData

Parameters associated with a cloud endpoint.

Example

{
  "VPCAttached": false,
  "attachedInterfaces": [
    "eni-12344",
    "eni-33333"
  ],
  "forwardingEnabled": false,
  "hasPublicIP": false,
  "serviceType": "NotApplicable",
  "type": "Instance"
}

Attributes

VPCAttached

Type: boolean

Indicates that the endpoint is directly attached to the VPC. In this case attachedInterfaces is empty. In general this is only valid for the endpoint types Gateway and Peering Connection.

VPCAttachments

Type: []string

The list of VPCs that this endpoint is directly attached to.

associatedRouteTables

Type: []string

List of route tables associated with this endpoint. Depending on the cloud provider, this can also apply to some gateways.

attachedInterfaces

Type: []string

A list of interfaces attached to the endpoint. In some cases endpoints can have more than one interface.

forwardingEnabled

Type: boolean

Indicates whether forwarding is enabled between the endpoint's connections, when it has more than one.

hasPublicIP

Type: boolean

Indicates if the endpoint has a public IP address.

imageID

Type: string

The ID of the image running on the endpoint. Available for instances and potentially other third-party resources. This can be the AMI ID in AWS or the corresponding instance image ID in other clouds.

productInfo

Type: []cloudendpointdataproductinfo

Product related metadata associated with this endpoint.

serviceName

Type: string

Identifies the name of the service for service endpoints.

serviceType

Type: enum(Interface | Gateway | GatewayLoadBalancer | NotApplicable)

Identifies the service type that this endpoint represents (example Gateway Load Balancer).

Default value:

"NotApplicable"
type [required]

Type: enum(Instance | LoadBalancer | PeeringConnection | Service | Gateway | TransitGateway | NATGateway)

Type of the endpoint.

CloudEndpointDataProductInfo

Parameters associated with a cloud endpoint data product.

Attributes

productID

Type: string

The ID of the corresponding product.

type

Type: string

The type of the product.

CloudGraph

Returns a data structure representing the graph of all cloud nodes and their connections in a particular namespace.

Relations

POST /cloudgraphs

Creates a cloud dependency graph based on ingested data and the required parameters.

GET /cloudnetworkqueries/:id/cloudgraphs

Initiates a calculation of the query and retrieves the results in CloudGraph.

Attributes

internalEdges [autogenerated,read_only]

Type: map[string]cloudgraphedge

The edges of the map.

nodes [autogenerated,read_only]

Type: map[string]cloudgraphnode

Refers to the nodes of the map.

publicEdges [autogenerated,read_only]

Type: map[string]cloudgraphedge

The edges of the map.

query

Type: cloudnetworkquery

The cloud network query that should be used. This requires a POST operation on the object.

sourceDestinationMap [autogenerated,read_only]

Type: map[string]map[string]cloudnetworkquerydestination

The set of destinations that have been discovered based on the query and their associated verdicts.

CloudGraphNode

Returns a data structure representing the graph of all cloud nodes and their connections in a particular namespace.

Attributes

nativeID

Type: string

The native ID of the node.

nodeData

Type: cloudnode

Details about the node if the query type requests full details.

policies

Type: map[string]cloudgraphnodeaction

The policies that were applied to this node for each destination.

routeTableIDs

Type: map[string]string

The list of route table IDs that forwarding was based on for the internal path, if routing was performed.

type

Type: string

The type of the node as a string.

CloudGraphNodeAction

Describes the action and corresponding policy that resulted in this decision.

Attributes

action

Type: string

The action that is being applied for the particular destination.

policyID

Type: string

The ID of the policies that were used in the path.

CloudInterfaceData

Parameters associated with a cloud interface.

Example

{
  "attachmentType": "Instance",
  "routeTableID": [
    "rt1233"
  ],
  "subnets": [
    "subnet-074c152ae45ea0c73"
  ]
}

Attributes

addresses

Type: []cloudaddress

List of IP addresses/subnets (IPv4 or IPv6) associated with the interface.

attachmentType [required]

Type: enum(Instance | LoadBalancer | Gateway | Service | TransitGatewayVPCAttachment | NetworkLoadBalancer | Lambda | GatewayLoadBalancer | GatewayLoadBalancerEndpoint | VPCEndpoint | APIGatewayManaged | EFA)

Attachment type describes where this interface is attached to (Instance, Load Balancer, Gateway, etc).

relatedObjectID

Type: string

If the interface is of type or external, the relatedObjectID identifies the related service or gateway.

routeTableID

Type: string

The route table that must be used for this interface. Applies to Transit Gateways and other special types.

securityTags

Type: []string

Security tags associated with the instance.

subnets

Type: []string

ID of subnet associated with this interface.

CloudManagedNetwork

A cloud managed network represents a set of enterprise subnets that can be used in policies.

Example

{
  "APIID": 12344555,
  "VPCID": "vpc-023419c5952374917",
  "accountID": 9123450055,
  "cloudType": "AWS",
  "customerID": 1234455,
  "name": "myobject",
  "nativeID": "subnet-0ae4a90153dfb642c",
  "policyReferences": [
    "sg-123"
  ],
  "protected": false,
  "regionName": "AWS Tokyo",
  "resourceID": 12344555,
  "type": "Enterprise"
}

Relations

GET /cloudmanagednetworks

Retrieves the list of cloud attachments.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

POST /cloudmanagednetworks

Creates a cloud managed network.

DELETE /cloudmanagednetworks/:id

Deletes the object with the given ID.

GET /cloudmanagednetworks/:id

Retrieves the object with the given ID.

Parameters:

  • archived (boolean): Also retrieve the objects that have been archived.
  • propagated (boolean): Also retrieve the objects that propagate down.

PUT /cloudmanagednetworks/:id

Updates the object with the given ID.

Attributes

APIID

Type: integer

Prisma Cloud API ID (matches Prisma Cloud API ID).

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

VPCID

Type: string

ID of the host VPC.

accountID

Type: string

Cloud account ID associated with the entity (matches Prisma Cloud accountID).

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

cloudTags

Type: []string

Internal representation of object tags retrieved from the cloud provider.

cloudType

Type: string

Cloud type of the entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

customerID

Type: integer

Customer ID as identified by Prisma Cloud.

entries

Type: []string

List of CIDRs.

ingestionTime

Type: time

The time that the object was first ingested.

name

Type: string

Name of the object (optional).

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

nativeID [required,max_length=256]

Type: string

ID of the cloud provider object.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

policyReferences

Type: []string

A list of policy references associated with this cloud node.

protected

Type: boolean

Defines if the object is protected.

regionName [max_length=256]

Type: string

Region name associated with the entity.

resourceID

Type: integer

Prisma Cloud Resource ID.

type [required]

Type: enum(Enterprise | AWSPrefixLists | AWSElasticIPs | GCP | Custom)

The type of cloud managed network.

Default value:

"Enterprise"
updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

CloudNetworkInterface

Manages the set of network interfaces that are associated with endpoints.

Example

{
  "APIID": 12344555,
  "VPCID": "vpc-023419c5952374917",
  "accountID": 9123450055,
  "cloudType": "AWS",
  "customerID": 1234455,
  "name": "myobject",
  "nativeID": "subnet-0ae4a90153dfb642c",
  "policyReferences": [
    "sg-123"
  ],
  "protected": false,
  "regionName": "AWS Tokyo",
  "resourceID": 12344555
}

Relations

GET /cloudnetworkinterfaces

Retrieve the list of network interfaces associated with the deployment.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

POST /cloudnetworkinterfaces

Creates a cloud network interface.

DELETE /cloudnetworkinterfaces/:id

Deletes the network interface with the given ID.

GET /cloudnetworkinterfaces/:id

Retrieves the network interface with the given ID.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

PUT /cloudnetworkinterfaces/:id

Updates the network interface with the given ID.

Attributes

APIID

Type: integer

Prisma Cloud API ID (matches Prisma Cloud API ID).

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

VPCID

Type: string

ID of the host VPC.

accountID

Type: string

Cloud account ID associated with the entity (matches Prisma Cloud accountID).

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

cloudTags

Type: []string

Internal representation of object tags retrieved from the cloud provider.

cloudType

Type: string

Cloud type of the entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

customerID

Type: integer

Customer ID as identified by Prisma Cloud.

ingestionTime

Type: time

The time that the object was first ingested.

name

Type: string

Name of the object (optional).

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

nativeID [required,max_length=256]

Type: string

ID of the cloud provider object.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parameters

Type: cloudinterfacedata

Cloud network interface related parameters.

policyReferences

Type: []string

A list of policy references associated with this cloud node.

protected

Type: boolean

Defines if the object is protected.

regionName [max_length=256]

Type: string

Region name associated with the entity.

resourceID

Type: integer

Prisma Cloud Resource ID.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

CloudNetworkQuery

Provides the parameters for an effective network permissions query.

Example

{
  "destinationProtocol": -1,
  "excludeEnterpriseIPs": false,
  "includeUnreachable": false,
  "name": "the name",
  "protected": false,
  "type": "Summary"
}

Relations

GET /cloudnetworkqueries

Retrieves the list of cloud network queries.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

POST /cloudnetworkqueries

Creates a cloud network query.

DELETE /cloudnetworkqueries/:id

Deletes the cloud query with the given ID.

GET /cloudnetworkqueries/:id

Retrieves the cloud query with the given ID.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

PUT /cloudnetworkqueries/:id

Updates the cloud query with the given ID.

GET /cloudnetworkqueries/:id/cloudgraphs

Initiates a calculation of the query and retrieves the results in CloudGraph.

GET /cloudnetworkqueries/:id/cloudpolicies

Retrieves the policies associated with this query.

POST /cloudnetworkqueries/:id/cloudpolicies

Creates a policy associated with this query.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

description [max_length=1024]

Type: string

Description of the object.

destinationIP

Type: string

The destination IP of a trace route request. Might not always be an endpoint.

destinationPorts

Type: _portlist

The destination port or ports that should be used for the trace route command.

destinationProtocol [max_value=255.000000]

Type: integer

The destination protocol that should be used for the trace route commands.

Default value:

-1

destinationSelector

Type: cloudnetworkqueryfilter

A filter for selecting destinations for the query.

excludeEnterpriseIPs

Type: boolean

If set, the evaluation will exclude enterprise IPs from the effective permissions.

includeUnreachable

Type: boolean

If set, the query result will return all destinations including the unreachable ones.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

protected

Type: boolean

Defines if the object is protected.

sourceIP

Type: string

The source IP of a trace route request. Might not always be an endpoint.

sourceSelector

Type: cloudnetworkqueryfilter

A filter for selecting the sources of the request.

type

Type: enum(Summary | CompressedGraph | FullGraph)

Indicates the type of results that should be provided by the query.

Default value:

"Summary"

CloudNetworkQueryDestination

Returns the set of discovered destinations and the associated verdicts.

Attributes

indirectNodeID [autogenerated,read_only]

Type: string

Returns the native ID of the indirect node.

isIndirect [autogenerated,read_only]

Type: boolean

Returns true if this is an indirect path through forwarding entities.

reachable [autogenerated,read_only]

Type: boolean

Returns true if the destination is reachable through routing.

type [autogenerated,read_only]

Type: enum(Interface | Instance | LoadBalancer | PublicIP)

Returns the type of the destination.

verdict [autogenerated,read_only]

Type: string

Returns the network security verdict for the destination.

CloudNetworkQueryFilter

Captures the parameters allowed in a query filter for a net effective permissions request.

Example

{
  "accountIDs": [
    "account1"
  ],
  "cloudTypes": [
    "AWS"
  ],
  "regions": [
    "us-west-1"
  ],
  "resourceType": "Instance"
}

Attributes

VPCIDs

Type: []string

The VPC ID of the target resources.

accountIDs

Type: []string

The accounts that the search must apply to. These are the actual IDs of the accounts as provided by the cloud provider. One or more IDs can be included.

cloudTypes

Type: []string

The cloud types that the search must apply to.

imageIDs

Type: []string

A list of imageIDs that endpoints can be filtered with. Applies only to resourceType Endpoint.

objectIDs

Type: []string

The exact objects that the search applies to. If objectIDs are defined, the rest of the fields are ignored. An object ID can refer to an instance, VPC endpoint, or network interface.

productInfoType

Type: string

Restricts the query to only endpoints with the given productInfoType.

productInfoValue

Type: string

Restricts the query to only endpoints with the provided productInfoValue. Does not apply to other resource types.

regions

Type: []string

The region that the search must apply to.

resourceType [required]

Type: enum(Instance | Interface | Service | ProcessingUnit)

The type of endpoint resource. The resource type is a mandatory field and a query cannot span multiple resource types.

Default value:

"Instance"
securityTags

Type: []string

The list of security tags associated with the targets of the query. Security tags refer to security groups in AWS or network tags in GCP, so their meaning depends on the target cloud.

serviceOwners

Type: []string

Identifies the owner of the service that the resource is attached to. Field is not valid if the resource type is not an interface.

serviceTypes

Type: []string

Identifies the type of service that the interface is attached to. Field is not valid if the resource type is not an interface.

subnets

Type: []string

The subnets where the resources must reside. A subnet parameter can only be provided for a network interface resource type.

tags

Type: []string

A list of tags that select the set of endpoints for the query. These tags refer to the tags attached to the resources in the cloud provider definitions.
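The CloudNetworkQuery and CloudNetworkQueryFilter constraints above (mandatory single resourceType, objectIDs overriding the other fields, the Interface-only fields, the destinationProtocol bound) are easy to get wrong by hand. The validator and query builder below are an added example, not Prisma Cloud code; they encode only the constraints the attribute descriptions state and assume -1 as the lower bound of destinationProtocol because it is the documented default.

```python
"""Validate CloudNetworkQueryFilter documents and assemble a CloudNetworkQuery.

Added illustration, not Prisma Cloud code. Encodes only constraints stated in
the attribute descriptions: resourceType is mandatory and single-valued; when
objectIDs is set the remaining filter fields are ignored; subnets, serviceOwners
and serviceTypes are valid only for resourceType Interface; destinationProtocol
is at most 255 (-1 is the documented default and assumed lower bound).
"""
from typing import List, Optional, Tuple

RESOURCE_TYPES = {"Instance", "Interface", "Service", "ProcessingUnit"}
INTERFACE_ONLY = ("subnets", "serviceOwners", "serviceTypes")
QUERY_TYPES = {"Summary", "CompressedGraph", "FullGraph"}


def validate_filter(flt: dict) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one CloudNetworkQueryFilter document."""
    errors: List[str] = []
    warnings: List[str] = []
    rtype = flt.get("resourceType", "Instance")  # documented default value
    if rtype not in RESOURCE_TYPES:
        errors.append(f"resourceType {rtype!r} not in {sorted(RESOURCE_TYPES)}")
    if flt.get("objectIDs"):
        # Page: "If objectIDs are defined, the rest of the fields are ignored."
        ignored = sorted(k for k, v in flt.items()
                         if k not in ("objectIDs", "resourceType") and v)
        if ignored:
            warnings.append(f"objectIDs set; these fields are ignored: {ignored}")
        return errors, warnings
    if rtype != "Interface":
        for key in INTERFACE_ONLY:
            if flt.get(key):
                errors.append(f"{key} is only valid for resourceType Interface")
    return errors, warnings


def query_problems(name: str, source: dict, destination: dict,
                   destination_protocol: int = -1,
                   result_type: str = "Summary") -> List[str]:
    """Collect every reason a CloudNetworkQuery built from these parts is invalid."""
    problems: List[str] = []
    for label, flt in (("sourceSelector", source), ("destinationSelector", destination)):
        errs, _ = validate_filter(flt)
        problems.extend(f"{label}: {e}" for e in errs)
    if not -1 <= destination_protocol <= 255:
        problems.append("destinationProtocol must be -1 or an IP protocol number 0-255")
    if result_type not in QUERY_TYPES:
        problems.append(f"type {result_type!r} not in {sorted(QUERY_TYPES)}")
    if not name or len(name) > 256:  # name [required,max_length=256]
        problems.append("name is required and at most 256 characters")
    return problems


def build_query(name: str, source: dict, destination: dict,
                destination_protocol: int = -1,
                destination_ports: Optional[List[str]] = None,
                exclude_enterprise_ips: bool = False,
                include_unreachable: bool = False,
                result_type: str = "Summary") -> dict:
    """Assemble a CloudNetworkQuery body, raising ValueError on invalid input."""
    problems = query_problems(name, source, destination, destination_protocol, result_type)
    if problems:
        raise ValueError("; ".join(problems))
    query = {
        "name": name,
        "type": result_type,
        "sourceSelector": source,
        "destinationSelector": destination,
        "destinationProtocol": destination_protocol,
        "excludeEnterpriseIPs": exclude_enterprise_ips,
        "includeUnreachable": include_unreachable,
    }
    if destination_ports:
        query["destinationPorts"] = destination_ports
    return query
```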

CloudNetworkRule

Represents an ingress or egress network rule.

Example

{
  "action": "Allow"
}

Attributes

action [required]

Type: enum(Allow | Reject)

Defines the action to apply to a flow.

  • Allow: allows the defined traffic.
  • Reject: rejects the defined traffic; useful in conjunction with an allow-all policy.

Default value:

"Allow"
networks [read_only]

Type: []string

A list of IP CIDRS that identify remote endpoints.

object

Type: [][]string

Identifies the set of remote workloads that the rule relates to. The selector will identify both processing units as well as external networks that match the selector.

priority

Type: integer

Priority of the rule. Available only for cloud ACLs.

protocolPorts

Type: []string

Represents the ports and protocols this policy applies to. Entries are written as protocol/port, for example tcp/80 or udp/22. For protocols that do not have ports, the port designation is not allowed.

storedNetworks [autogenerated,read_only]

Type: networklist

An internal representation of the networks to increase performance. Not visible to end users.

CloudNetworkRuleSet

A CloudNetworkRuleSet represents a set of cloud network security groups or firewall rules as they apply to the infrastructure.

Example

{
  "APIID": 12344555,
  "VPCID": "vpc-023419c5952374917",
  "accountID": 9123450055,
  "cloudType": "AWS",
  "customerID": 1234455,
  "name": "myobject",
  "nativeID": "subnet-0ae4a90153dfb642c",
  "policyReferences": [
    "sg-123"
  ],
  "protected": false,
  "regionName": "AWS Tokyo",
  "resourceID": 12344555
}

Relations

GET /cloudnetworkrulesets

Retrieves the list of cloud network rule set policies.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.
  • propagated (boolean): Also retrieve the objects that propagate down.

POST /cloudnetworkrulesets

Creates a cloud network ruleset.

DELETE /cloudnetworkrulesets/:id

Deletes the object with the given ID.

GET /cloudnetworkrulesets/:id

Retrieves the object with the given ID.

PUT /cloudnetworkrulesets/:id

Updates the object with the given ID.

Attributes

APIID

Type: integer

Prisma Cloud API ID (matches Prisma Cloud API ID).

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

VPCID

Type: string

ID of the host VPC.

accountID

Type: string

Cloud account ID associated with the entity (matches Prisma Cloud accountID).

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

cloudTags

Type: []string

Internal representation of object tags retrieved from the cloud provider.

cloudType

Type: string

Cloud type of the entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

customerID

Type: integer

Customer ID as identified by Prisma Cloud.

ingestionTime

Type: time

The time that the object was first ingested.

name

Type: string

Name of the object (optional).

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

nativeID [required,max_length=256]

Type: string

ID of the cloud provider object.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parameters

Type: cloudnetworkrulesetdata

Cloud network ruleset data.

policyReferences

Type: []string

A list of policy references associated with this cloud node.

protected

Type: boolean

Defines if the object is protected.

regionName [max_length=256]

Type: string

Region name associated with the entity.

resourceID

Type: integer

Prisma Cloud Resource ID.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

CloudNetworkRuleSetData

Parameters associated with a cloud network rule set.

Example

{
  "type": "SecurityGroup"
}

Attributes

incomingRules

Type: []cloudnetworkrule

The set of rules to apply to incoming traffic (traffic coming to the Processing Unit matching the subject).

outgoingRules

Type: []cloudnetworkrule

The set of rules to apply to outgoing traffic (traffic coming from the Processing Unit matching the subject).

subject

Type: [][]string

A tag expression used to match the processing units to which this policy applies.

type [required]

Type: enum(SecurityGroup | ACL)

Type identifies if this is a security group rule set or ACL.
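To see how the CloudNetworkRule attributes (action, networks, protocolPorts, priority) combine inside a CloudNetworkRuleSetData of type ACL or SecurityGroup, here is an added evaluator, not Prisma Cloud code. It parses protocolPorts entries with the page's rule that portless protocols take no port designation, and it assumes evaluation semantics the page does not spell out (ascending priority with first match winning for an ACL, an explicit Reject overriding Allow for a SecurityGroup, "NoMatch" when no rule applies); the sample rule sets are constructed.

```python
"""Evaluate a CloudNetworkRuleSetData document against one flow.

Added illustration, not Prisma Cloud code. Assumptions beyond the page: an ACL
tries rules in ascending priority and the first match decides; a SecurityGroup
lets an explicit Reject override any Allow; a flow matching no rule yields
"NoMatch"; the remote side is matched against the rule's 'networks' CIDRs (the
tag-based 'object' selector is not evaluated here).
"""
import ipaddress
from typing import Optional, Tuple

# Protocols that carry no port number; a port designation on these is invalid.
PORTLESS_PROTOCOLS = {"icmp", "icmpv6", "esp", "ah", "gre"}


def parse_protocol_port(entry: str) -> Tuple[str, Optional[int]]:
    """Parse one protocolPorts entry such as 'tcp/80', 'udp/22' or 'icmp'.
    Returns (protocol, port); port is None when the entry names no port,
    which for tcp/udp is read here as "any port" (assumption)."""
    proto, sep, port = entry.strip().lower().partition("/")
    if not proto:
        raise ValueError(f"empty protocol in {entry!r}")
    if proto in PORTLESS_PROTOCOLS:
        if sep:
            raise ValueError(f"port designation not allowed for {proto}: {entry!r}")
        return proto, None
    if not sep:
        return proto, None
    if not port.isdigit() or not 0 <= int(port) <= 65535:
        raise ValueError(f"invalid port in {entry!r}")
    return proto, int(port)


def is_valid_protocol_port(entry: str) -> bool:
    """Validation helper for user-supplied protocolPorts entries."""
    try:
        parse_protocol_port(entry)
        return True
    except ValueError:
        return False


def rule_matches(rule: dict, remote_ip: str, proto: str, port: Optional[int]) -> bool:
    """True when the remote address lies in one of the rule's CIDRs and the
    flow's protocol/port is covered by one of its protocolPorts entries."""
    addr = ipaddress.ip_address(remote_ip)
    # strict=False tolerates CIDRs with host bits set, as the page's examples do.
    if not any(addr in ipaddress.ip_network(cidr, strict=False)
               for cidr in rule.get("networks", [])):
        return False
    for entry in rule.get("protocolPorts", []):
        r_proto, r_port = parse_protocol_port(entry)
        if r_proto == proto.lower() and (r_port is None or r_port == port):
            return True
    return False


def evaluate(ruleset: dict, direction: str, remote_ip: str,
             proto: str, port: Optional[int] = None) -> str:
    """Return 'Allow', 'Reject' or 'NoMatch' for a flow in the given direction
    ('incoming' or 'outgoing') relative to the processing unit."""
    key = "incomingRules" if direction == "incoming" else "outgoingRules"
    rules = ruleset.get(key, [])
    if ruleset["type"] == "ACL":
        # Assumption: lower priority value is evaluated first; first match wins.
        for rule in sorted(rules, key=lambda r: r.get("priority", 0)):
            if rule_matches(rule, remote_ip, proto, port):
                return rule["action"]
        return "NoMatch"
    # SecurityGroup: assumption that an explicit Reject overrides Allow.
    verdicts = {r["action"] for r in rules if rule_matches(r, remote_ip, proto, port)}
    if "Reject" in verdicts:
        return "Reject"
    return "Allow" if "Allow" in verdicts else "NoMatch"


# Constructed sample rule sets (not from the page); documentation-range IPs.
SAMPLE_ACL = {
    "type": "ACL",
    "subject": [["app=web"]],
    "incomingRules": [
        {"action": "Reject", "priority": 10, "networks": ["10.1.1.0/24"],
         "protocolPorts": ["tcp/22"]},
        {"action": "Allow", "priority": 100, "networks": ["0.0.0.0/0"],
         "protocolPorts": ["tcp/80", "tcp/443"]},
        {"action": "Allow", "priority": 200, "networks": ["10.0.0.0/8"],
         "protocolPorts": ["icmp"]},
    ],
    "outgoingRules": [],
}

SAMPLE_SG = {
    "type": "SecurityGroup",
    "subject": [["app=web"]],
    "incomingRules": [
        {"action": "Allow", "networks": ["0.0.0.0/0"], "protocolPorts": ["tcp/80"]},
        {"action": "Reject", "networks": ["10.1.1.0/24"], "protocolPorts": ["tcp"]},
    ],
    "outgoingRules": [],
}
```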

CloudNode

Manages the list of cloud nodes available in a cloud deployment.

Example

{
  "APIID": 12344555,
  "VPCID": "vpc-023419c5952374917",
  "accountID": 9123450055,
  "cloudType": "AWS",
  "customerID": 1234455,
  "name": "myobject",
  "nativeID": "subnet-0ae4a90153dfb642c",
  "policyReferences": [
    "sg-123"
  ],
  "protected": false,
  "regionName": "AWS Tokyo",
  "resourceID": 12344555,
  "type": "Endpoint"
}

Relations

GET /cloudnodes

Retrieves the list of cloud nodes.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

DELETE /cloudnodes/:id

Deletes the cloud node with the given ID.

GET /cloudnodes/:id

Retrieves the cloud node with the given ID.

Attributes

APIID

Type: integer

Prisma Cloud API ID (matches Prisma Cloud API ID).

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

VPCID

Type: string

ID of the host VPC.

accountID

Type: string

Cloud account ID associated with the entity (matches Prisma Cloud accountID).

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

attachments

Type: []string

The list of attachments for this node.

cloudTags

Type: []string

Internal representation of object tags retrieved from the cloud provider.

cloudType

Type: string

Cloud type of the entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

customerID

Type: integer

Customer ID as identified by Prisma Cloud.

ingestionTime

Type: time

The time that the object was first ingested.

name

Type: string

Name of the object (optional).

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

nativeID [required,max_length=256]

Type: string

ID of the cloud provider object.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parameters

Type: map[string]interface{}

The cloud attributes of the object.

policyReferences

Type: []string

A list of policy references associated with this cloud node.

protected

Type: boolean

Defines if the object is protected.

regionName [max_length=256]

Type: string

Region name associated with the entity.

relatedObjectID

Type: string

A reference to a related object.

resourceID

Type: integer

Prisma Cloud Resource ID.

securityTags

Type: []string

List of security tags associated with the node.

subType

Type: string

The sub-type of the object as found in the parameters. Used for indexing.

type [required]

Type: enum(Endpoint | Subnet | VPC | Interface | RouteTable | NetworkRuleSet)

Type of the cloud node.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

CloudPolicy

Creates a Prisma Cloud policy and corresponding alert rules.

Example

{
  "name": "the name",
  "protected": false,
  "severity": "Low"
}

Relations

DELETE /cloudpolicies/:id

Deletes the Prisma Cloud policy with the given ID.

GET /cloudpolicies/:id

Retrieves the Prisma Cloud policy with the given ID.

Parameters:

  • q (string): Filtering query. Consecutive q parameters are combined with a logical OR.

PUT /cloudpolicies/:id

Updates the Prisma Cloud policy with the given ID.

GET /cloudnetworkqueries/:id/cloudpolicies

Retrieves the policies associated with this query.

POST /cloudnetworkqueries/:id/cloudpolicies

Creates a policy associated with this query.

Attributes

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

description [max_length=1024]

Type: string

Description of the object.

name [required,max_length=256]

Type: string

Name of the entity.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

prismaCloudPolicyID

Type: string

Reference to the corresponding Prisma Cloud Policy ID.

protected

Type: boolean

Defines if the object is protected.

queryID [read_only]

Type: string

The query ID that this policy refers to. This is auto-calculated since it is derived from the parent.

severity [required]

Type: enum(Low | Medium | High)

The severity of a policy violation.

CloudRoute

Describes a route in a route table.

Example

{
  "destinationIPv4CIDR": "10.1.1.32/24",
  "destinationIPv6CIDR": "2001:db8::/32",
  "destinationPrefixListID": "pl-1234",
  "nextHopID": "gw_123444444",
  "nextHopType": "LocalGateway"
}

Attributes

destinationIPv4CIDR

Type: string

The destination IPv4 CIDR for the route.

destinationIPv6CIDR

Type: string

The destination IPv6 CIDR for the route.

destinationPrefixListID

Type: string

The destination is identified as a prefix list ID.

nextHopID

Type: string

The ID of the next hop object.

nextHopType [required]

Type: enum(EgressOnlyGateway | Gateway | Instance | LocalGateway | NATGateway | NetworkInterface | TransitGateway | VPCPeeringConnection | TransitGatewayAttachment)

The type of the next hop.

storedDestinationIPv4CIDR [autogenerated,read_only]

Type: network

Internal representation of IPv4 networks.

storedDestinationIPv6CIDR [autogenerated,read_only]

Type: network

Internal representation of IPv6 networks.

CloudRouteData

Parameters associated with a cloud route table.

Example

{
  "gatewayID": "tgw-009251c49cf46d940",
  "mainTable": true,
  "subnetAssociations": [
    "subnet-096bb677ed112475d"
  ]
}

Attributes

gatewayID

Type: string

The gateway that this route table is associated with.

mainTable

Type: boolean

Indicates that this is the default route table for the VPC.

routelist

Type: []cloudroute

Routes associated with this route table.

subnetAssociations

Type: []string

The list of subnets that this route table is associated with.

CloudRouteTable

Manages the list of route tables available in a cloud deployment.

Example

{
  "APIID": 12344555,
  "VPCID": "vpc-023419c5952374917",
  "accountID": 9123450055,
  "cloudType": "AWS",
  "customerID": 1234455,
  "name": "myobject",
  "nativeID": "subnet-0ae4a90153dfb642c",
  "policyReferences": [
    "sg-123"
  ],
  "protected": false,
  "regionName": "AWS Tokyo",
  "resourceID": 12344555
}

Relations

GET /cloudroutetables

Retrieves the list of routing tables.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.

POST /cloudroutetables

Creates a new routing table.

DELETE /cloudroutetables/:id

Deletes the route table with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.

GET /cloudroutetables/:id

Retrieves the route table with the given ID.

PUT /cloudroutetables/:id

Updates the route table with the given ID.

Attributes

APIID

Type: integer

Prisma Cloud API ID (matches Prisma Cloud API ID).

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

VPCID

Type: string

ID of the host VPC.

accountID

Type: string

Cloud account ID associated with the entity (matches Prisma Cloud accountID).

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

cloudTags

Type: []string

Internal representation of object tags retrieved from the cloud provider.

cloudType

Type: string

Cloud type of the entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

customerID

Type: integer

Customer ID as identified by Prisma Cloud.

ingestionTime

Type: time

The time that the object was first ingested.

name

Type: string

Name of the object (optional).

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

nativeID [required,max_length=256]

Type: string

ID of the cloud provider object.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parameters

Type: cloudroutedata

Route table related parameters.

policyReferences

Type: []string

A list of policy references associated with this cloud node.

protected

Type: boolean

Defines if the object is protected.

regionName [max_length=256]

Type: string

Region name associated with the entity.

resourceID

Type: integer

Prisma Cloud Resource ID.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

CloudSnapshotAccount

Initiates a poll for a particular account. Data are stored in the current namespace.

Example

{
  "cloudType": "AWS",
  "name": "account-foo",
  "protected": false
}

Relations

POST /cloudsnapshotaccounts

Initiates snapshot data ingestion for a cloud account.

Attributes

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

cloudType

Type: enum(AWS | GCP)

The cloud type for the account.

Default value:

"AWS"

name

Type: string

The name of the account.

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

protected

Type: boolean

Defines if the object is protected.

CloudSubnet

Manages the list of subnets associated with a deployment.

Example

{
  "APIID": 12344555,
  "VPCID": "vpc-023419c5952374917",
  "accountID": 9123450055,
  "cloudType": "AWS",
  "customerID": 1234455,
  "name": "myobject",
  "nativeID": "subnet-0ae4a90153dfb642c",
  "policyReferences": [
    "sg-123"
  ],
  "protected": false,
  "regionName": "AWS Tokyo",
  "resourceID": 12344555
}

Relations

GET /cloudsubnets

Retrieves the list of subnets.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.

POST /cloudsubnets

Creates a cloud subnet.

DELETE /cloudsubnets/:id

Deletes the subnet with the given ID.

GET /cloudsubnets/:id

Retrieves the subnet with the given ID.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.

PUT /cloudsubnets/:id

Updates the subnet with the given ID.

Attributes

APIID

Type: integer

Prisma Cloud API ID (matches Prisma Cloud API ID).

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

VPCID

Type: string

ID of the host VPC.

accountID

Type: string

Cloud account ID associated with the entity (matches Prisma Cloud accountID).

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

cloudTags

Type: []string

Internal representation of object tags retrieved from the cloud provider.

cloudType

Type: string

Cloud type of the entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

customerID

Type: integer

Customer ID as identified by Prisma Cloud.

ingestionTime

Type: time

The time that the object was first ingested.

name

Type: string

Name of the object (optional).

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

nativeID [required,max_length=256]

Type: string

ID of the cloud provider object.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parameters

Type: cloudsubnetdata

Subnet related parameters.

policyReferences

Type: []string

A list of policy references associated with this cloud node.

protected

Type: boolean

Defines if the object is protected.

regionName [max_length=256]

Type: string

Region name associated with the entity.

resourceID

Type: integer

Prisma Cloud Resource ID.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

CloudSubnetData

Parameters associated with a subnet.

Example

{
  "address": "10.0.0.0/8",
  "zoneID": "aws-east",
  "zoneName": "aws-east"
}

Attributes

address [required]

Type: string

Address CIDR of the subnet.

zoneID

Type: string

The availability zone ID of the subnet.

zoneName

Type: string

The availability zone of the subnet.

CloudVPC

A CloudVPC represents a VPC as defined in a cloud provider (AWS, Azure, GCP, etc.). The VPC is essentially an L3 routing domain with at least one subnet attached, and it defines an isolated network.

Example

{
  "APIID": 12344555,
  "VPCID": "vpc-023419c5952374917",
  "accountID": 9123450055,
  "cloudType": "AWS",
  "customerID": 1234455,
  "name": "myobject",
  "nativeID": "subnet-0ae4a90153dfb642c",
  "policyReferences": [
    "sg-123"
  ],
  "protected": false,
  "regionName": "AWS Tokyo",
  "resourceID": 12344555
}

Relations

GET /cloudvpcs

Retrieves the list of VPCs.

Parameters:

  • q (string): Filtering query. Multiple q parameters are combined with a logical OR.

POST /cloudvpcs

Creates a cloud VPC.

DELETE /cloudvpcs/:id

Deletes the object with the given ID.

GET /cloudvpcs/:id

Retrieves the object with the given ID.

PUT /cloudvpcs/:id

Updates the object with the given ID.

Attributes

APIID

Type: integer

Prisma Cloud API ID (matches Prisma Cloud API ID).

ID [identifier,autogenerated,read_only]

Type: string

Identifier of the object.

VPCID

Type: string

ID of the host VPC.

accountID

Type: string

Cloud account ID associated with the entity (matches Prisma Cloud accountID).

annotations

Type: map[string][]string

Stores additional information about an entity.

associatedTags

Type: []string

List of tags attached to an entity.

cloudTags

Type: []string

Internal representation of object tags retrieved from the cloud provider.

cloudType

Type: string

Cloud type of the entity.

createTime [autogenerated,read_only]

Type: time

Creation date of the object.

customerID

Type: integer

Customer ID as identified by Prisma Cloud.

ingestionTime

Type: time

The time that the object was first ingested.

name

Type: string

Name of the object (optional).

namespace [autogenerated,read_only]

Type: string

Namespace tag attached to an entity.

nativeID [required,max_length=256]

Type: string

ID of the cloud provider object.

normalizedTags [autogenerated,read_only]

Type: []string

Contains the list of normalized tags of the entities.

parameters

Type: cloudvpcdata

VPC related parameters.

policyReferences

Type: []string

A list of policy references associated with this cloud node.

protected

Type: boolean

Defines if the object is protected.

regionName [max_length=256]

Type: string

Region name associated with the entity.

resourceID

Type: integer

Prisma Cloud Resource ID.

updateTime [autogenerated,read_only]

Type: time

Last update date of the object.

CloudVPCData

Manages the list of IP addresses associated with an interface.

Example

{
  "address": "10.0.0.0/8"
}

Attributes

address [required]

Type: string

Address CIDR of the VPC.

PollAccount

Initiates a poll for a particular account. Data are stored in the current namespace.

Example

{
  "accountID": 912303033,
  "authorizationRegion": "us-east-1",
  "cloudType": "AWS",
  "name": "account-foo",
  "role": "ec2-read",
  "targetRegions": [
    "us-east-1",
    "us-east-2"
  ]
}

Relations

POST /pollaccounts

Initiates a poll to a new account.

Attributes

accountID [required]

Type: string

The ID of the account.

authorizationRegion [required]

Type: string

The region to use for authorization.

cloudType

Type: enum(AWS | GCP)

The cloud type for the account.

Default value:

"AWS"

name [required]

Type: string

The name of the account.

role [required]

Type: string

The role to use when polling the account.

targetRegions

Type: []string

Limit polling to these regions only. If empty, all regions will be polled.