McAfee Enterprise MVISION Cloud

API to manage CSPM policies

The API for managing CNAPP policies gives automated access to features such as editing policies, enabling and disabling them, and importing new policies. This section covers the details of working with CSPM policies.

Authentication: Get an Access Token

See the section Authenticate to MVISION Cloud CNAPP API for details on how to acquire an access token for the following API calls.

CSPM Policy Management

List CSPM Policies

Verb: POST 

Path: /neo/config-audit/v1/getPolicies

Request Headers: x-access-token: <<JWT access token>>
                 Content-Type: application/json

Request Body:

{
    "searchRequest": {
        "policyStatus": ["1"],
        "policyType": [],
        "policyIds": [],
        "policyCategory": [],
        "cisLevels": [],
        "cspIds": [],
        "start": 0,
        "limit": 500,
        "sortOrder": "desc",
        "sortBy": "edittime"
    }
}

Construction of the request body:

The searchRequest object contains, among other fields:

  1. policyStatus: "1" = enabled, "0" = disabled (string values, as in the example above)
  2. cspIds: optional list of CSP IDs to restrict the search to
  3. sortBy: name of the field the response is sorted by; sortOrder sets the direction

Response:

The response is a JSON array with one object per matching policy. Example response:

[
    {
        "id": 1516498,
        "name": "TestPolicy Custom",
        "description": "",
        "content": ".....",
        "version": 1,
        "editorid": 6898,
        "edittime": 1635879066000,
        "statusId": 1,
        "status": "Active",
        "deleted": 0,
        "policyTypeId": 6,
        "policyType": "Config Audit",
        "category": "Others",
        "cisLevel": null,
        "missingPermissions": [],
        "requiredPermissions": [],
        "cspId": 2049,
        "cspName": "Amazon Web Services",
        "editorEmail": "..."
    }
]

Retrieve CSPM Policy

Verb: GET

Path: /neo/shndlpapi/v1/<<tenant-id>>/policies/details/<<policy-id>>

Request Headers: x-access-token: <<JWT access token>>
                 Content-Type: application/json

Request Body:      -none-

Response:

The response is a single JSON object representing the CSPM policy:

{
    "name": "Firewall Rules should not have unrestricted SSH access (1)",
    "policy_type": "Config Audit",
    "policy_sub_type": "PREDEFINED",
    "description": "If you are using SSH, ensure that access through port 22, used for SSH, is restricted to required entities only.",
    "status": {
        "name": "Inactive",
        "value": "0"
    },
    "cis_level": {
        "name": "NONE",
        "value": "NONE"
    },
    "services": [
        {
            "name": "Google Cloud Platform",
            "value": "13465"
        }
    ],
    "category": {
        "name": "Networking",
        "value": "Networking"
    },
    "available_rules": [
        {
            "rule_details_type": "query_rule_details",
            "type": "and",
            "rule_type": "QueryRule",
            "attribute_name": "Inbound Rules [To Port]",
            "operator": "<=",
            "values": [],
            "value_type": "SINGLE",
            "value_types": [],
            "editable": true,
            "removable": false
        },
        {
            "rule_details_type": "query_rule_details",
            "type": "and",
            "rule_type": "QueryRule",
            "attribute_name": "Inbound Rules [From Port]",
            "operator": ">=",
            "values": [],
            "value_type": "SINGLE",
            "value_types": [],
            "editable": true,
            "removable": false
        },
        {
            "rule_details_type": "query_rule_details",
            "type": "and",
            "rule_type": "QueryRule",
            "attribute_name": "Source Range",
            "operator": "IN",
            "values": [],
            "value_type": "MULTIPLE",
            "value_types": [],
            "editable": false,
            "removable": false
        },
        {
            "rule_details_type": "query_rule_details",
            "type": "and",
            "rule_type": "QueryRule",
            "attribute_name": "Disabled",
            "operator": "=",
            "values": [],
            "value_type": "SINGLE",
            "value_types": [],
            "editable": false,
            "removable": false
        },
        {
            "rule_details_type": "query_rule_details",
            "type": "and",
            "rule_type": "QueryRule",
            "attribute_name": "IP Protocol",
            "operator": "IN",
            "values": [],
            "value_type": "MULTIPLE",
            "value_types": [],
            "editable": false,
            "removable": false
        },
        {
            "rule_details_type": "query_rule_details",
            "type": "and",
            "rule_type": "QueryRule",
            "attribute_name": "Direction",
            "operator": "=",
            "values": [],
            "value_type": "SINGLE",
            "value_types": [],
            "editable": false,
            "removable": false
        }
    ],
    "available_exceptions": [
        {
            "rule_details_type": "query_rule_details",
            "rule_type": "QueryExceptionRule",
            "attribute_name": "Project Name",
            "operator": "=",
            "value_type": "MULTIPLE",
            "editable": true,
            "removable": true
        },
        {
            "rule_details_type": "query_rule_details",
            "rule_type": "QueryExceptionRule",
            "attribute_name": "Firewall Rule Name",
            "operator": "=",
            "value_type": "MULTIPLE",
            "editable": true,
            "removable": true
        }
    ],
    "possible_values": [],
    "rules": {
        "type": "OR",
        "rule_groups": [
            {
                "id": 1,
                "type": "AND",
                "rules": [
                    {
                        "rule_details_type": "query_rule_details",
                        "type": "and",
                        "rule_type": "QueryRule",
                        "attribute_name": "Direction",
                        "operator": "=",
                        "values": [
                            "INGRESS"
                        ],
                        "value_type": "SINGLE",
                        "value_types": [],
                        "editable": false,
                        "removable": false
                    },
                    {
                        "rule_details_type": "query_rule_details",
                        "type": "and",
                        "rule_type": "QueryRule",
                        "attribute_name": "Disabled",
                        "operator": "=",
                        "values": [
                            "No"
                        ],
                        "value_type": "SINGLE",
                        "value_types": [],
                        "editable": false,
                        "removable": false
                    },
                    {
                        "rule_details_type": "query_rule_details",
                        "type": "and",
                        "rule_type": "QueryRule",
                        "attribute_name": "Source Range",
                        "operator": "IN",
                        "values": [
                            "0.0.0.0/0"
                        ],
                        "value_type": "MULTIPLE",
                        "value_types": [],
                        "editable": false,
                        "removable": false
                    },
                    {
                        "rule_details_type": "query_rule_details",
                        "type": "and",
                        "rule_type": "QueryRule",
                        "attribute_name": "IP Protocol",
                        "operator": "IN",
                        "values": [
                            "tcp",
                            "udp",
                            "all"
                        ],
                        "value_type": "MULTIPLE",
                        "value_types": [],
                        "editable": false,
                        "removable": false
                    },
                    {
                        "rule_details_type": "query_rule_details",
                        "type": "and",
                        "rule_type": "QueryRule",
                        "attribute_name": "Inbound Rules [From Port]",
                        "operator": ">=",
                        "values": [
                            "22"
                        ],
                        "value_type": "SINGLE",
                        "value_types": [],
                        "editable": true,
                        "removable": false
                    },
                    {
                        "rule_details_type": "query_rule_details",
                        "type": "and",
                        "rule_type": "QueryRule",
                        "attribute_name": "Inbound Rules [To Port]",
                        "operator": "<=",
                        "values": [
                            "22"
                        ],
                        "value_type": "SINGLE",
                        "value_types": [],
                        "editable": true,
                        "removable": false
                    }
                ],
                "severity": "High"
            }
        ]
    },
    "exceptions": {
        "type": "OR",
        "exception_groups": [
            {
                "id": 1,
                "type": "AND",
                "rules": [],
                "severity": null
            }
        ]
    },
    "responses": [],
    "email_notification_metadata": {
        "users_list": [
            {
                "id": 0,
                "selected": false,
                "first_name": "Admin",
                "last_name": "User",
                "email_id": "admin@nothing.none",
                "role": null
            }
        ]
    },
    "possible_responses": [
        {
            "type": "generic_notification",
            "response_type": "REMOVE_UNRESTRICTED_ACCESS_FIREWALL",
            "response_label": "Remove unrestricted access from firewall rules"
        },
        {
            "type": "email_notification",
            "response_type": "EMAIL_NOTIFICATION",
            "response_label": "Email Notification",
            "selected_user_ids": null,
            "custom_email_ids": null
        }
    ]
}
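As an added example (not part of the vendor documentation), the helper below walks the rules and exceptions trees of the detail response above, renders each group as a readable condition, and lists which attributes are flagged editable, which is the part a caller may legitimately change before sending the object back with the update call. The sample policy is a trimmed, constructed copy of the response shown above.

```python
# Added example (not vendor code): render the "rules"/"exceptions" trees of a
# CSPM policy-details response as readable conditions, and list the attributes
# a caller may edit, so a policy can be reviewed before it is enabled or changed.

def _fmt_rule(rule):
    values = rule.get("values") or []
    shown = ", ".join(values) if values else "<unset>"
    if rule.get("value_type") == "MULTIPLE" and values:
        shown = "[" + shown + "]"
    return f'{rule["attribute_name"]} {rule["operator"]} {shown}'

def describe_groups(tree, key):
    """tree: the policy's 'rules' or 'exceptions' object; key: 'rule_groups'
    or 'exception_groups'. Returns one string per group; the groups themselves
    combine with tree['type'] (OR in the response above)."""
    out = []
    for group in tree.get(key, []):
        if not group.get("rules"):
            out.append(f'group {group["id"]}: (empty)')
            continue
        cond = f' {group.get("type", "AND")} '.join(_fmt_rule(r) for r in group["rules"])
        out.append(f'group {group["id"]} [severity {group.get("severity") or "n/a"}]: {cond}')
    return out

def editable_attributes(policy):
    """Attribute names flagged editable in the active rule set; anything else
    should be sent back unchanged by an update."""
    return sorted({r["attribute_name"]
                   for g in policy["rules"]["rule_groups"]
                   for r in g["rules"] if r.get("editable")})

# Constructed sample: a trimmed copy of the detail response shown above.
SAMPLE_POLICY = {
    "name": "Firewall Rules should not have unrestricted SSH access (1)",
    "status": {"name": "Inactive", "value": "0"},
    "rules": {"type": "OR", "rule_groups": [{"id": 1, "type": "AND", "severity": "High", "rules": [
        {"attribute_name": "Direction", "operator": "=", "values": ["INGRESS"], "value_type": "SINGLE", "editable": False},
        {"attribute_name": "Disabled", "operator": "=", "values": ["No"], "value_type": "SINGLE", "editable": False},
        {"attribute_name": "Source Range", "operator": "IN", "values": ["0.0.0.0/0"], "value_type": "MULTIPLE", "editable": False},
        {"attribute_name": "IP Protocol", "operator": "IN", "values": ["tcp", "udp", "all"], "value_type": "MULTIPLE", "editable": False},
        {"attribute_name": "Inbound Rules [From Port]", "operator": ">=", "values": ["22"], "value_type": "SINGLE", "editable": True},
        {"attribute_name": "Inbound Rules [To Port]", "operator": "<=", "values": ["22"], "value_type": "SINGLE", "editable": True},
    ]}]},
    "exceptions": {"type": "OR", "exception_groups": [{"id": 1, "type": "AND", "rules": [], "severity": None}]},
}

if __name__ == "__main__":
    for line in describe_groups(SAMPLE_POLICY["rules"], "rule_groups"):
        print(line)
    print("editable:", editable_attributes(SAMPLE_POLICY))
```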

Update CSPM Policy

Verb: PUT

Path: /neo/shndlpapi/v1/<<tenant-id>>/policies/details/<<policy-id>>

Request Headers: x-access-token: <<JWT access token>>
                 Content-Type: application/json

Request Body:      A JSON object representing the full policy (the same structure the retrieve call returns). Example:

{
    "name": "Firewall Rules should not have unrestricted SSH access (1)",
    "policy_type": "Config Audit",
    "policy_sub_type": "PREDEFINED",
    "description": "If you are using SSH, ensure that access through port 22, used for SSH, is restricted to required entities only.",
    "status": {
        "name": "Active",
        "value": "1"
    },
    "services": [{
            "name": "Google Cloud Platform",
            "value": "13465"
        }
    ],
    "category": {
        "name": "Networking",
        "value": "Networking"
    },
    "available_rules": [{
            "rule_details_type": "query_rule_details",
            "type": "and",
            "rule_type": "QueryRule",
            "attribute_name": "Inbound Rules [To Port]",
            "operator": "<=",
            "values": [],
            "value_type": "SINGLE",
            "value_types": [],
            "editable": true,
            "removable": false
        }
    ],
    "available_exceptions": [{
            "rule_details_type": "query_rule_details",
            "rule_type": "QueryExceptionRule",
            "attribute_name": "Project Name",
            "operator": "=",
            "value_type": "MULTIPLE",
            "editable": true,
            "removable": true
        }
    ],
    "possible_values": [],
    "rules": {
        "type": "OR",
        "rule_groups": [{
                "id": 1,
                "type": "AND",
                "rules": [{
                        "rule_details_type": "query_rule_details",
                        "type": "and",
                        "rule_type": "QueryRule",
                        "attribute_name": "Direction",
                        "operator": "=",
                        "values": ["INGRESS"],
                        "value_type": "SINGLE",
                        "value_types": [],
                        "editable": false,
                        "removable": false
                    }, {
                        "rule_details_type": "query_rule_details",
                        "type": "and",
                        "rule_type": "QueryRule",
                        "attribute_name": "Disabled",
                        "operator": "=",
                        "values": ["No"],
                        "value_type": "SINGLE",
                        "value_types": [],
                        "editable": false,
                        "removable": false
                    }
                ],
                "severity": "High"
            }
        ]
    },
    "exceptions": {
        "type": "OR",
        "exception_groups": [{
                "id": 1,
                "type": "AND",
                "rules": [],
                "severity": null
            }
        ]
    },
    "responses": [],
    "email_notification_metadata": {
        "users_list": [{
                "id": 0,
                "selected": false,
                "first_name": "Admin",
                "last_name": "User",
                "email_id": "admin@none.null",
                "role": null
            }
        ]
    },
    "possible_responses": [{
            "type": "generic_notification",
            "response_type": "REMOVE_UNRESTRICTED_ACCESS_FIREWALL",
            "response_label": "Remove unrestricted access from firewall rules"
        }, {
            "type": "email_notification",
            "response_type": "EMAIL_NOTIFICATION",
            "response_label": "Email Notification",
            "selected_user_ids": null,
            "custom_email_ids": null
        }
    ]
}

Construction of the request body:

The request body contains the updated policy object.

Response:  

The response is a status message.

    {"status":true,"error_message":null}
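To tie the list, retrieve and update calls together, here is an added example client (my code, not a McAfee SDK) that lists enabled policies, fetches one by id, and flips its status with a read-modify-write PUT. It assumes an HTTPS base URL such as https://www.myshn.net and a tenant id supplied by the caller; the send function is injectable so request construction can be verified without network access.

```python
import json
from urllib.request import Request, urlopen

class CspmClient:
    """Client for getPolicies, details GET and details PUT. `send(method, url,
    headers, body_bytes) -> bytes` is injectable for offline testing."""

    def __init__(self, base_url, token, tenant_id, send=None):
        self.base_url = base_url.rstrip("/")
        self.tenant_id = tenant_id
        self.headers = {"x-access-token": token,
                        "Content-Type": "application/json"}
        self.send = send or self._http_send

    @staticmethod
    def _http_send(method, url, headers, body):
        req = Request(url, data=body, headers=headers, method=method)
        with urlopen(req, timeout=30) as resp:
            return resp.read()

    def _call(self, method, path, payload=None):
        body = None if payload is None else json.dumps(payload).encode()
        return json.loads(self.send(method, self.base_url + path,
                                    self.headers, body))

    def list_policies(self, enabled=True, csp_ids=(), limit=500):
        # policyStatus uses string flags: "1" = enabled, "0" = disabled.
        search = {"policyStatus": ["1" if enabled else "0"], "policyType": [],
                  "policyIds": [], "policyCategory": [], "cisLevels": [],
                  "cspIds": list(csp_ids), "start": 0, "limit": limit,
                  "sortOrder": "desc", "sortBy": "edittime"}
        return self._call("POST", "/neo/config-audit/v1/getPolicies",
                          {"searchRequest": search})

    def _details_path(self, policy_id):
        return f"/neo/shndlpapi/v1/{self.tenant_id}/policies/details/{policy_id}"

    def get_policy(self, policy_id):
        return self._call("GET", self._details_path(policy_id))

    def set_policy_status(self, policy_id, enabled):
        # Read-modify-write: PUT takes the whole policy object, so fetch it,
        # change only the status block and send everything else back as-is.
        policy = self.get_policy(policy_id)
        policy["status"] = ({"name": "Active", "value": "1"} if enabled
                            else {"name": "Inactive", "value": "0"})
        result = self._call("PUT", self._details_path(policy_id), policy)
        if not result.get("status"):
            raise RuntimeError(result.get("error_message") or "update rejected")
        return policy
```

The client raises on a PUT response whose status is not true, so a rejected update is never silently treated as success.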

Create CSPM Policy

Verb: POST

Path: https://www.myshn.net/neo/config-aud.../v1/savePolicy

Request Headers: x-access-token: <<JWT access token>>
                 Content-Type: application/json

Request Body:      A JSON object representing the new policy. Set policyId to -1 for a new policy. Example:

{
    "policyId": -1,
    "name": "MyNewPol",
    "description": "",
    "csp": 2049,
    "active": true,
    "ruleGroups": [{
            "type": "ruleGroup",
            "auditRules": {
                "type": "auditRule",
                "services": ["AMI"],
                "generateFor": ["AMI"],
                "rules": {
                    "type": "condition",
                    "rule": {
                        "type": "property",
                        "property": "account_id",
                        "propertyType": "string",
                        "isArray": false,
                        "isLinkedProperty": false,
                        "operator": "STARTS_WITH",
                        "values": ["hello"]
                    }
                },
                "exceptions": null
            },
            "severity": "MEDIUM"
        }
    ],
    "response": null,
    "type": 6
}

Response:  

The response is a status message.

    {
        "message": "OK",
        "content": {
            "statusMessage": null,
            "status": "SUCCESS",
            "templateCount": null,
            "policyCount": null,
            "genericApiConfig": null,
            "apiConfig": null,
            "tenantInstance": null
        }
    }