McAfee Enterprise MVISION Cloud

API to manage CWPP policies

The CNAPP policy API gives automated access to policy management: editing policies, enabling and disabling them, and importing new ones. This section covers the details of working with CWPP policies.

Authentication: Get an Access Token

See section Authenticate to MVISION Cloud CNAPP API for details on how to acquire an access token for the following API calls.

CWPP Objects and Policy types

CWPP consists of multiple policy types, one per use case, e.g. Workload Hardening, Application Control, Vulnerability Scanning. The API endpoints are identical for all policy types, but the policy object has a different structure for each type. Here are the details for some of the objects:

Policy Types enumeration

0 = API DLP
1 = PROXY DLP
5 = Lightning Link
6 = Config Audit
8 = Malware
9 = Vulnerability
10 = Application Control
11 = FileIntegrity
12 = Workload Hardening
13 = Container Image Control

CWPP Policy Management

List CWPP Policies

Verb: POST 

Path: /neo/shndlpapi/v1/<<tenant-id>>/policies/search

Request Headers: x-access-token: <<JWT access token>>
                 Content-Type: application/json
Request Body:      

{
    "type_id": null,
    "search_param": null,
    "search_request": {
        "policy_statuses": [],
        "policy_types": [7,11],
        "policy_ids": [],
        "csp_ids": [],
        "instance_ids": [],
        "start": 0,
        "limit": 500,
        "sort_order": "desc",
        "sort_by": "name",
        "enabled": true
    }
}

Construction of the Request body:

The request body contains:

policy_types: a list of policy type IDs from the Policy Types enumeration above, for example 11 for FileIntegrity or 10 for Application Control. The example above requests types 7 and 11; only 11 is part of the enumeration, and the example response accordingly holds a FileIntegrity policy.

The remaining search_request fields narrow the search (policy_statuses, policy_ids, csp_ids, instance_ids, enabled) and page and order the result set (start, limit, sort_by, sort_order).

Response:  

The response is a JSON array with one object per matching policy. Note that the rule itself is returned in content as a JSON document encoded into a string, and the CWPP-specific settings are returned as property/value rows in cwpp_policy_metadata. Here is an example response:

[
    {
        "id": 1372404,
        "tenant_id": 12344,
        "name": "Monitor critical system files in a VM",
        "description": "As a Cloud Compliance Officer, I need the ability to log changes for critical files in Linux VMs.\n   These are list of files that need to be monitored.\n     /bin ,/etc ,/lib ,/lib64 ,/opt ,/sbin ,/srv ,/usr ,/var/lib.",
        "content": "{\"rule\":{\"type\":\"file_integrity\",\"rules\":[{\"type\":\"group\",\"description\":\"VM_FILE\",\"rule\":{\"type\":\"file_path\",\"file_path_values\":[\"/bin\",\"/etc\",\"/lib\",\"/lib64\",\"/opt\",\"/sbin\",\"/srv\",\"/usr\",\"/var/lib\"],\"file_path_dictionary_specification\":{\"type\":\"memory\",\"terms\":[\"/bin\",\"/etc\",\"/lib\",\"/lib64\",\"/opt\",\"/sbin\",\"/srv\",\"/usr\",\"/var/lib\"]}}}],\"severity\":null},\"policy_response_spec\":{\"severity_response_list\":[{\"severity\":\"ANY\",\"response\":\"INCIDENT\",\"response_payload\":null}]},\"user_filter\":null,\"content_rule_type\":\"MVISION_CLOUD\"}",
        "version": 2,
        "editor_id": 6898,
        "editor_email": "redacted",
        "edit_time": 1624866447000,
        "active": true,
        "deleted": false,
        "policy_type_id": 11,
        "policy_type_name": "FileIntegrity",
        "services": [],
        "dlp_dictionaries": [],
        "user_groups": [],
        "category": "File Integrity",
        "cis_level": "LEVEL1",
        "violation_desc": "null",
        "linked_scans": [],
        "linked_edlp_policies": [],
        "system": false,
        "cwpp_policy_metadata": [
            {
                "id": 6361,
                "policy_id": 1372404,
                "property": "containerType",
                "value": "1"
            },
            {
                "id": 6358,
                "policy_id": 1372404,
                "property": "include_account_list",
                "value": "[]"
            },
            {
                "id": 6360,
                "policy_id": 1372404,
                "property": "is_available_for_continous_evaluation",
                "value": "Linux"
            },
            {
                "id": 6359,
                "policy_id": 1372404,
                "property": "platform",
                "value": "Linux"
            },
            {
                "id": 6352,
                "policy_id": 1372404,
                "property": "policy_mode",
                "value": "Observe"
            },
            {
                "id": 6362,
                "policy_id": 1372404,
                "property": "tags",
                "value": "[]"
            }
        ]
    }
]

Retrieve CWPP Policy

Verb: GET

Path: /neo/shndlpapi/v1/<<tenant-id>>/policies/<<policy-id>>

Request Headers: x-access-token: <<JWT access token>>
                 Content-Type: application/json

Request Body:      -none-

Response:  

The response is a single JSON object representing the CWPP policy:

{
    "id": 1372404,
    "tenant_id": 77231,
    "name": "Monitor critical system files in a VM",
    "description": "As a Cloud Compliance Officer, I need the ability to log changes for critical files in Linux VMs.\n   These are list of files that need to be monitored.\n     /bin ,/etc ,/lib ,/lib64 ,/opt ,/sbin ,/srv ,/usr ,/var/lib.",
    "content": "{\"rule\":{\"type\":\"file_integrity\",\"rules\":[{\"type\":\"group\",\"description\":\"VM_FILE\",\"rule\":{\"type\":\"file_path\",\"file_path_values\":[\"/bin\",\"/etc\",\"/lib\",\"/lib64\",\"/opt\",\"/sbin\",\"/srv\",\"/usr\",\"/var/lib\"],\"file_path_dictionary_specification\":{\"type\":\"memory\",\"terms\":[\"/bin\",\"/etc\",\"/lib\",\"/lib64\",\"/opt\",\"/sbin\",\"/srv\",\"/usr\",\"/var/lib\"]}}}],\"severity\":null},\"policy_response_spec\":{\"severity_response_list\":[{\"severity\":\"ANY\",\"response\":\"INCIDENT\",\"response_payload\":null,\"workflow_payload\":null}]},\"user_filter\":null,\"content_rule_type\":\"MVISION_CLOUD\"}",
    "version": 2,
    "editor_id": 6898,
    "editor_email": "admin@none.null",
    "edit_time": 1624866447000,
    "active": true,
    "deleted": false,
    "policy_type_id": 11,
    "policy_type_name": "FileIntegrity",
    "services": [],
    "dlp_dictionaries": [],
    "user_groups": [],
    "category": "File Integrity",
    "cis_level": "LEVEL1",
    "violation_desc": "null",
    "linked_scans": [],
    "linked_edlp_policies": [],
    "system": false,
    "cwpp_policy_metadata": [
        {
            "id": 6361,
            "policy_id": 1372404,
            "property": "containerType",
            "value": "1"
        },
        {
            "id": 6358,
            "policy_id": 1372404,
            "property": "include_account_list",
            "value": "[]"
        },
        {
            "id": 6360,
            "policy_id": 1372404,
            "property": "is_available_for_continous_evaluation",
            "value": "Linux"
        },
        {
            "id": 6359,
            "policy_id": 1372404,
            "property": "platform",
            "value": "Linux"
        },
        {
            "id": 6352,
            "policy_id": 1372404,
            "property": "policy_mode",
            "value": "Observe"
        },
        {
            "id": 6362,
            "policy_id": 1372404,
            "property": "tags",
            "value": "[]"
        }
    ]
}
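The following Python script is added here as a worked example; it is not part of the McAfee documentation or product. It drives the List CWPP Policies and Retrieve CWPP Policy endpoints above through a small client, taking only the paths, headers, request body and response shapes from this page. The host name, the zero-based paging semantics of start/limit, and the offline fake_transport stand-in (fed with a trimmed copy of the page's example response) are assumptions. It decodes the two things a caller usually trips over: content is a JSON document embedded in a string, and cwpp_policy_metadata is a list of property/value rows.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# Transport signature: (HTTP verb, path, JSON body or None) -> decoded JSON reply.
Transport = Callable[[str, str, Optional[dict]], Any]

# Policy type IDs exactly as enumerated on this page.
POLICY_TYPES: Dict[int, str] = {
    0: "API DLP", 1: "PROXY DLP", 5: "Lightning Link", 6: "Config Audit",
    8: "Malware", 9: "Vulnerability", 10: "Application Control",
    11: "FileIntegrity", 12: "Workload Hardening", 13: "Container Image Control",
}


def search_body(policy_types: List[int], start: int = 0, limit: int = 500,
                enabled: bool = True) -> dict:
    """Body for POST .../policies/search, in the shape shown on this page."""
    return {
        "type_id": None, "search_param": None,
        "search_request": {
            "policy_statuses": [], "policy_types": list(policy_types),
            "policy_ids": [], "csp_ids": [], "instance_ids": [],
            "start": start, "limit": limit,
            "sort_order": "desc", "sort_by": "name", "enabled": enabled,
        },
    }


def decode_policy(raw: dict) -> dict:
    """Make a returned policy usable: `content` arrives as a JSON document
    embedded in a string, and cwpp_policy_metadata as property/value rows."""
    policy = dict(raw)
    content = raw.get("content")
    policy["content"] = json.loads(content) if isinstance(content, str) else content
    policy["metadata"] = {m["property"]: m["value"]
                          for m in raw.get("cwpp_policy_metadata", [])}
    policy["policy_type_label"] = POLICY_TYPES.get(raw.get("policy_type_id"), "unknown")
    return policy


class CwppClient:
    def __init__(self, base_url: str, tenant_id: int, token: str,
                 transport: Optional[Transport] = None) -> None:
        self.base_url = base_url.rstrip("/")
        self.tenant_id = tenant_id
        self.token = token
        self.transport = transport or self._urllib_transport

    def _urllib_transport(self, method: str, path: str, body: Optional[dict]) -> Any:
        data = json.dumps(body).encode("utf-8") if body is not None else None
        req = urllib.request.Request(
            self.base_url + path, data=data, method=method,
            headers={"x-access-token": self.token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.loads(resp.read().decode("utf-8"))

    def list_policies(self, policy_types: List[int], enabled: bool = True,
                      page_size: int = 500) -> List[dict]:
        """Page through the search until a page comes back short (assumption:
        `start` is a zero-based offset into the sorted result set)."""
        found, start = [], 0
        path = f"/neo/shndlpapi/v1/{self.tenant_id}/policies/search"
        while True:
            page = self.transport("POST", path, search_body(policy_types, start, page_size, enabled))
            found.extend(decode_policy(p) for p in page)
            if len(page) < page_size:
                return found
            start += page_size

    def get_policy(self, policy_id: int) -> dict:
        path = f"/neo/shndlpapi/v1/{self.tenant_id}/policies/{policy_id}"
        return decode_policy(self.transport("GET", path, None))


# Constructed sample: a trimmed copy of the page's example response, not a live reply.
SAMPLE_POLICY = {
    "id": 1372404, "tenant_id": 12344, "name": "Monitor critical system files in a VM",
    "active": True, "policy_type_id": 11, "policy_type_name": "FileIntegrity",
    "content": json.dumps({"rule": {"type": "file_integrity", "rules": [{"type": "group",
        "description": "VM_FILE", "rule": {"type": "file_path",
        "file_path_values": ["/bin", "/etc", "/lib"]}}], "severity": None}}),
    "cwpp_policy_metadata": [
        {"id": 6359, "policy_id": 1372404, "property": "platform", "value": "Linux"},
        {"id": 6352, "policy_id": 1372404, "property": "policy_mode", "value": "Observe"},
    ],
}


def fake_transport(method: str, path: str, body: Optional[dict]) -> Any:
    """Offline stand-in for the tenant API, answering only the two documented paths."""
    if method == "POST" and path.endswith("/policies/search"):
        wanted = body["search_request"]["policy_types"]
        return [SAMPLE_POLICY] if SAMPLE_POLICY["policy_type_id"] in wanted else []
    if method == "GET" and path.endswith(f"/policies/{SAMPLE_POLICY['id']}"):
        return SAMPLE_POLICY
    raise RuntimeError(f"unexpected call: {method} {path}")


def demo() -> List[dict]:
    # Host and token are placeholders; the page does not state the API host.
    client = CwppClient("https://cwpp.example.invalid", 12344, "<<JWT access token>>",
                        transport=fake_transport)
    return client.list_policies([11])


if __name__ == "__main__":
    for p in demo():
        paths = p["content"]["rule"]["rules"][0]["rule"]["file_path_values"]
        print(p["id"], p["policy_type_label"], p["metadata"]["policy_mode"], paths)
```

Against a real tenant, drop the transport argument so the urllib transport is used with your own base URL and access token; the decoded content and metadata dictionaries then let you audit, for instance, which FileIntegrity policies are still in Observe mode.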

Update CWPP Policy

Verb: POST

Path: /neo/config-audit/cwpp/ui/v1/savePolicy

Request Headers: x-access-token: <<JWT access token>>
                 Content-Type: application/json
Request Body:      A JSON object reflecting the policy; below is an example for a File Integrity policy (policyType 11, type "FIM")

{
    "policyId": 1372404,
    "name": "Monitor critical system files in a VM",
    "description": "As a Cloud Compliance Officer, I need the ability to log changes for critical files in Linux VMs.\n   These are list of files that need to be monitored.\n     /bin ,/etc ,/lib ,/lib64 ,/opt ,/sbin ,/srv ,/usr ,/var/lib.",
    "active": true,
    "policyType": 11,
    "type": "FIM",
    "cwppPolicyMetadata": [{
            "id": 6361,
            "policy_id": 1372404,
            "property": "containerType",
            "value": "1"
        }, {
            "id": 6358,
            "policy_id": 1372404,
            "property": "include_account_list",
            "value": "[]"
        }, {
            "id": 6360,
            "policy_id": 1372404,
            "property": "is_available_for_continous_evaluation",
            "value": "Linux"
        }, {
            "id": 6359,
            "policy_id": 1372404,
            "property": "platform",
            "value": "Linux"
        }, {
            "id": 6352,
            "policy_id": 1372404,
            "property": "policy_mode",
            "value": "Observe"
        }
    ],
    "rule": {
        "type": "file_integrity",
        "rules": [{
                "rule": {
                    "type": "file_path",
                    "file_path_dictionary_specification": {
                        "type": "memory",
                        "terms": ["/bin", "/etc", "/lib", "/lib64", "/opt", "/sbin", "/srv", "/usr", "/var/lib"]
                    },
                    "file_path_values": ["/bin", "/etc", "/lib", "/lib64", "/opt", "/sbin", "/srv", "/usr", "/var/lib"]
                },
                "type": "group"
            }
        ],
        "short_circuit": true,
        "severity": "HIGH"
    }
}

Construction of the Request body:

The request body contains the updated policy object. Note that its layout differs from the object returned by Retrieve CWPP Policy: the field names are camelCase (policyId, policyType, cwppPolicyMetadata instead of id, policy_type_id, cwpp_policy_metadata), the rule is sent as a nested JSON object rather than as the JSON-encoded string in content, and the policy type is given twice, as the numeric policyType and as a short code in type (FIM for File Integrity, CAC for Application Control). The metadata rows keep the id and policy_id values returned by Retrieve CWPP Policy.

Response:  

The response is a status message.

   {"message": "OK","content": "Success"}

Create CWPP Policy

Verb: POST

Path: /neo/config-audit/cwpp/ui/v1/savePolicy

Request Headers: x-access-token: <<JWT access token>>
                 Content-Type: application/json
Request Body:      A JSON object reflecting the policy; below is an example for an Application Control policy (policyType 10, type "CAC"). Please note that the endpoint is the same as for updating a policy. Specify -1 as policyId to create a new policy. If an existing policyId is given, the existing policy is updated instead.

{
    "policyId": -1,
    "name": "App Control 1",
    "description": "",
    "active": true,
    "isContentModified": true,
    "isFilterModified": true,
    "policyType": 10,
    "type": "CAC",
    "cwppPolicyMetadata": [
        {
            "id": -1,
            "policy_id": -1,
            "property": "is_available_for_continous_evaluation",
            "value": "true"
        },
        {
            "id": -1,
            "policy_id": -1,
            "property": "policy_mode",
            "value": "OBSERVE"
        },
        {
            "id": -1,
            "policy_id": -1,
            "property": "workloadType",
            "value": "Container"
        },
        {
            "id": -1,
            "policy_id": -1,
            "property": "platform",
            "value": "linux"
        },
        {
            "id": -1,
            "policy_id": -1,
            "property": "include_account_list",
            "value": "[{\"displayName\":\"Amazon Web Services:Zengel\",\"csp\":2049,\"instance\":10709,\"accounts\":[],\"$$hashKey\":\"object:3050\"}]"
        },
        {
            "id": -1,
            "policy_id": -1,
            "property": "tags",
            "value": ""
        }
    ],
    "rule": {
        "type": "appControl",
        "workloadType": "Container",
        "rules": {
            "type": "condition",
            "rule": {
                "type": "property",
                "propertyType": "string",
                "isArray": true,
                "property": "allowed_apps",
                "operator": "IN",
                "values": [
                    "87ec0c9cc679404ae84d91965fcefe1a0aa2d53cf2ddd3745ad9cbc7f5527beb"
                ],
                "isLinkedProperty": false,
                "valueUnit": null
            }
        },
        "responseTypes": [
            "Allow All Applications",
            "Create an Event for Unselected Applications"
        ]
    }
}

Construction of the Request body:

The request body contains the new policy object. Specify -1 as policyId, and -1 as id and policy_id on every cwppPolicyMetadata row, to create a new policy. Metadata values are strings even when they carry structured data (for example "[]" for an empty include_account_list and "true" for is_available_for_continous_evaluation). The $$hashKey entry inside the include_account_list value is an AngularJS client-side artifact; the account reference itself consists of displayName, csp, instance and accounts.

Response:  

The response is a status message.

   {"message": "OK","content": "Success"}
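The helper below is added as a worked example and is not vendor code. It builds savePolicy bodies for both cases described on this page: updating a policy obtained through Retrieve CWPP Policy, and creating a new one with policyId -1. The mapping from the GET response (snake_case, rule JSON-encoded in content) to the savePolicy body (camelCase, nested rule, short type code) is inferred from the two examples on this page, and the short codes are known only for 11 (FIM) and 10 (CAC) because those are the only ones the page shows. The RETRIEVED sample is constructed from the page's example, not a live reply. The script sends nothing; pair its output with a POST to /neo/config-audit/cwpp/ui/v1/savePolicy.

```python
import copy
import json

# Short type codes: only the two pairs this page shows (11 -> FIM, 10 -> CAC).
TYPE_CODES = {11: "FIM", 10: "CAC"}
EDITABLE = ("name", "description", "active", "rule")


def update_body(policy: dict, **changes) -> dict:
    """Turn a policy as returned by GET .../policies/<id> (snake_case, rule as a
    JSON string in `content`) into a savePolicy body (camelCase, nested `rule`).
    `changes` may override name, description, active or rule; other keys are
    refused so a typo cannot silently send an undocumented field."""
    ptype = policy["policy_type_id"]
    if ptype not in TYPE_CODES:
        raise ValueError(f"no short type code known for policy_type_id {ptype}")
    content = policy["content"]
    if isinstance(content, str):  # GET returns the rule document as a string
        content = json.loads(content)
    body = {
        "policyId": policy["id"], "name": policy["name"],
        "description": policy.get("description", ""), "active": policy["active"],
        "policyType": ptype, "type": TYPE_CODES[ptype],
        # Existing rows keep their real id/policy_id, as in the page's update example.
        "cwppPolicyMetadata": copy.deepcopy(policy.get("cwpp_policy_metadata", [])),
        "rule": copy.deepcopy(content["rule"]),
    }
    for key, value in changes.items():
        if key not in EDITABLE:
            raise ValueError(f"refusing to set {key!r} through savePolicy")
        body[key] = value
    return body


def add_fim_paths(body: dict, paths: list) -> dict:
    """Add watched paths to a file_integrity rule. The page carries the same list in
    file_path_values and in file_path_dictionary_specification.terms, so both change."""
    if body["rule"].get("type") != "file_integrity":
        raise ValueError("not a file_integrity rule")
    for group in body["rule"]["rules"]:
        rule = group["rule"]
        if rule.get("type") != "file_path":
            continue
        spec = rule.setdefault("file_path_dictionary_specification",
                               {"type": "memory", "terms": []})
        for path in paths:
            if path not in rule["file_path_values"]:
                rule["file_path_values"].append(path)
                spec["terms"].append(path)
    return body


def create_body(name: str, policy_type: int, rule: dict, metadata: dict,
                description: str = "", active: bool = True) -> dict:
    """savePolicy body for a new policy: policyId -1 and id/policy_id -1 on every
    metadata row. Non-string values are JSON-encoded, like the page's "[]" and "true"."""
    rows = [{"id": -1, "policy_id": -1, "property": k,
             "value": v if isinstance(v, str) else json.dumps(v)}
            for k, v in metadata.items()]
    return {"policyId": -1, "name": name, "description": description, "active": active,
            "isContentModified": True, "isFilterModified": True,
            "policyType": policy_type, "type": TYPE_CODES[policy_type],
            "cwppPolicyMetadata": rows, "rule": copy.deepcopy(rule)}


# Constructed sample: a trimmed copy of the page's GET response, not a live reply.
RETRIEVED = {
    "id": 1372404, "name": "Monitor critical system files in a VM",
    "description": "Log changes to critical files in Linux VMs.", "active": True,
    "policy_type_id": 11, "policy_type_name": "FileIntegrity",
    "content": json.dumps({"rule": {"type": "file_integrity", "severity": None, "rules": [
        {"type": "group", "description": "VM_FILE", "rule": {
            "type": "file_path", "file_path_values": ["/bin", "/etc"],
            "file_path_dictionary_specification": {"type": "memory", "terms": ["/bin", "/etc"]}}}]}}),
    "cwpp_policy_metadata": [
        {"id": 6359, "policy_id": 1372404, "property": "platform", "value": "Linux"},
        {"id": 6352, "policy_id": 1372404, "property": "policy_mode", "value": "Observe"}],
}


def demo_update() -> dict:
    """Disable the retrieved policy and add /boot; /etc is already watched and not duplicated."""
    return add_fim_paths(update_body(RETRIEVED, active=False), ["/boot", "/etc"])


def demo_create() -> dict:
    """Application Control policy for Linux containers, shaped like the page's create example."""
    rule = {"type": "appControl", "workloadType": "Container",
            "rules": {"type": "condition", "rule": {
                "type": "property", "propertyType": "string", "isArray": True,
                "property": "allowed_apps", "operator": "IN", "isLinkedProperty": False,
                "valueUnit": None,
                "values": ["87ec0c9cc679404ae84d91965fcefe1a0aa2d53cf2ddd3745ad9cbc7f5527beb"]}},
            "responseTypes": ["Allow All Applications",
                              "Create an Event for Unselected Applications"]}
    return create_body("App Control 1", 10, rule, {
        "is_available_for_continous_evaluation": True, "policy_mode": "OBSERVE",
        "workloadType": "Container", "platform": "linux",
        "include_account_list": [], "tags": ""})


if __name__ == "__main__":
    print(json.dumps(demo_update(), indent=2))
    print(json.dumps(demo_create(), indent=2))
```

Because savePolicy updates whatever policyId it is given, build update bodies from a freshly retrieved copy rather than from a hand-written template, and review the generated JSON before sending it: a wrong policyId overwrites a different policy, and a stale copy silently reverts changes made in the console since the retrieval.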

 
