{ "$schema": "https://json-structure.org/meta/core/v0/#", "$id": "https://raw.githubusercontent.com/api-evangelist/palo-alto-networks/refs/heads/main/json-structure/prisma-cloud-policy-structure.json", "name": "Prisma Cloud Policy", "description": "Schema for a Cloud Security Posture Management (CSPM) security policy in Prisma Cloud. Policies define the security and compliance checks that Prisma Cloud evaluates against cloud resource configurations, network flow logs, audit events, and behavioral data. Each policy contains a rule with an RQL (Resource Query Language) query or detection criteria, along with severity classification, cloud scope, remediation guidance, and compliance framework mappings. Policies can be system-default (maintained by Palo Alto Networks) or custom-created by administrators to enforce organization-specific security requirements.", "type": "object", "properties": { "policyId": { "type": "uuid", "description": "Unique UUID identifier for the policy, assigned by Prisma Cloud upon creation. This field is read-only and cannot be set by API clients. Used to reference the policy in alert rules, compliance report configurations, and API operations." }, "name": { "type": "string", "description": "Human-readable display name of the policy. Must be unique within the Prisma Cloud tenant. Typically follows the pattern 'Cloud Provider - Resource Type - Condition' (e.g., 'AWS S3 bucket is publicly accessible') to provide immediate context about the security check being performed.", "maxLength": 256 }, "policyType": { "type": "string", "description": "Classification of the policy type that determines which evaluation engine and data source is used. 'config' evaluates cloud resource configurations via RQL config queries. 'network' analyzes VPC flow logs and network topology. 'audit_event' monitors cloud provider audit trails (CloudTrail, Azure Activity Log). 'anomaly' uses machine learning for behavioral threat detection. 
'data' scans data stores for sensitive information exposure.", "enum": [ "config", "network", "audit_event", "anomaly", "data" ] }, "description": { "type": "string", "description": "Detailed description of the policy explaining what misconfiguration or security risk it detects, why the risk matters, and the potential impact of a violation. Displayed in the policy library and within alert detail views in the Prisma Cloud console." }, "severity": { "type": "string", "description": "Severity level assigned to the policy indicating the potential risk and impact of a detected violation. 'critical' indicates an actively exploitable or high-impact misconfiguration. 'high' indicates a serious security gap. 'medium' indicates a moderate risk. 'low' indicates a minor configuration concern. 'informational' indicates a best-practice recommendation.", "enum": [ "informational", "low", "medium", "high", "critical" ] }, "rule": { "description": "The evaluation rule containing the detection logic for this policy. For RQL-based policies this contains the query string executed against cloud resource data to identify violations. Note: this $ref path points to #/$defs/PolicyRule, but the shared types in this document are declared under the 'definitions' key (the same applies to the Remediation and ComplianceMetadata references); confirm the reference path resolves in the consuming validator before relying on this schema.", "$ref": "#/$defs/PolicyRule" }, "labels": { "type": "array", "description": "List of administrative labels applied to the policy for organizational grouping, filtering, and bulk management. Labels are user-defined strings supporting operational workflows such as team ownership tagging, project association, or regulatory scope identification.", "items": { "type": "string", "description": "A label string used to categorize or tag the policy." } }, "enabled": { "type": "boolean", "description": "Whether the policy is currently active and generating alerts. Disabled policies are not evaluated during scheduled or real-time scans. 
Useful for temporarily suppressing a policy during maintenance windows or phased compliance rollouts.", "default": true }, "systemDefault": { "type": "boolean", "description": "Whether the policy is a system-default policy provided and maintained by Palo Alto Networks. System-default policies are updated by the Prisma Cloud research team and cannot be deleted, though they can be disabled or cloned to create customized variants.", "default": false }, "cloudType": { "type": "string", "description": "Cloud service provider scope for the policy. Provider-specific policies contain RQL queries and remediation steps tailored to that provider's APIs and resource model. 'all' indicates a cross-cloud policy applicable to multiple providers.", "enum": [ "aws", "azure", "gcp", "oci", "alibaba_cloud", "all" ] }, "recommendation": { "type": "string", "description": "Step-by-step remediation guidance for resolving policy violations. Should include specific instructions for the relevant cloud provider console, CLI, or API. Supports markdown formatting for structured remediation documentation." }, "remediable": { "type": "boolean", "description": "Whether automated remediation is available for this policy via the configured CLI script template. When true, analysts can trigger one-click remediation from the Prisma Cloud alert interface.", "default": false }, "remediation": { "description": "Automated and manual remediation configuration for resolving violations detected by this policy. Includes CLI script templates for automated remediation and descriptive steps for manual resolution.", "$ref": "#/$defs/Remediation" }, "complianceMetadata": { "type": "array", "description": "List of compliance standard mappings associating this policy with specific regulatory or organizational compliance requirements. 
Each entry links the policy to a named compliance framework, requirement identifier, and section for compliance gap analysis and reporting.", "items": { "$ref": "#/$defs/ComplianceMetadata" } }, "createdOn": { "type": "int32", "description": "Timestamp when the policy was first created, expressed as Unix epoch time in milliseconds. Note: millisecond epoch values exceed the int32 range, so the declared type should be widened (e.g. int64) before this schema is used for validation." }, "createdBy": { "type": "string", "description": "Email address or username of the administrator who created the policy. Set to 'Prisma Cloud' for system-default policies." }, "lastModifiedOn": { "type": "int32", "description": "Timestamp of the most recent modification to the policy configuration, expressed as Unix epoch time in milliseconds. Note: as with createdOn, millisecond epoch values exceed the int32 range, so the declared type should be widened (e.g. int64)." }, "lastModifiedBy": { "type": "string", "description": "Email address or username of the administrator who last modified the policy." } }, "required": [ "name", "policyType", "severity", "rule" ], "definitions": { "PolicyRule": { "type": "object", "description": "The detection rule defining the evaluation logic for a Prisma Cloud policy. Contains the RQL query string executed against indexed cloud resource data, network flow logs, or audit events to identify security violations and compliance gaps.", "properties": { "name": { "type": "string", "description": "Name of the rule, typically matching or derived from the parent policy name for traceability." }, "type": { "type": "string", "description": "The rule evaluation type determining which Prisma Cloud engine processes the detection logic. Must align with the parent policy's policyType field; note that the value spelling differs between the two fields (e.g. 'audit_event' in policyType corresponds to 'AuditEvent' here), so consumers should map between the enums rather than compare the strings directly.", "enum": [ "Config", "Network", "AuditEvent", "Anomaly", "Data" ] }, "criteria": { "type": "string", "description": "The RQL (Resource Query Language) query string defining the detection logic. For config policies this is a 'config from cloud.resource' query. For network policies this is a 'network from vpc.flow_record' query. For audit_event policies this is an 'event from cloud.audit_logs' query." 
}, "parameters": { "type": "object", "description": "Additional key-value parameters modifying rule evaluation behavior. Configures thresholds, time windows, or provider-specific evaluation settings for the detection engine. Keys other than savedSearch and withIac are constrained to string values by additionalProperties.", "properties": { "savedSearch": { "type": "boolean", "description": "Whether the criteria field references a saved RQL search by name rather than containing an inline query string." }, "withIac": { "type": "boolean", "description": "Whether this policy supports Infrastructure as Code scanning for shift-left security evaluation during CI/CD pipelines." } }, "additionalProperties": { "type": "string" } } }, "required": [ "name", "type" ], "name": "PolicyRule" }, "Remediation": { "type": "object", "description": "Remediation configuration for a Prisma Cloud policy. Provides both automated CLI-based remediation through script templates and descriptive guidance for manual resolution of detected violations.", "properties": { "description": { "type": "string", "description": "Human-readable description of the remediation procedure providing step-by-step instructions for manually resolving the policy violation." }, "cliScriptTemplate": { "type": "string", "description": "CLI command template for automated one-click remediation. Supports Prisma Cloud variable substitution syntax (e.g., ${resourceId}, ${region}, ${accountId}) for cloud provider CLI commands (aws, az, gcloud) that apply the remediation fix. Because the rendered command modifies live cloud resources, changes to this template warrant the same review as changes to the policy itself." }, "rollbackCLIScriptTemplate": { "type": "string", "description": "CLI command template for rolling back the automated remediation if the fix causes unintended side effects. Uses the same variable substitution syntax as cliScriptTemplate." } }, "name": "Remediation" }, "ComplianceMetadata": { "type": "object", "description": "Maps a Prisma Cloud policy to a specific compliance standard requirement. 
Establishes the relationship between security policies and regulatory or organizational compliance frameworks for compliance reporting, gap analysis, and audit evidence generation.", "properties": { "standardName": { "type": "string", "description": "Full name of the compliance standard or framework this policy maps to (e.g., 'CIS v1.4.0 (AWS)', 'PCI DSS v3.2.1', 'HIPAA', 'SOC 2', 'NIST 800-53 Rev5', 'GDPR', 'ISO 27001')." }, "requirementId": { "type": "string", "description": "Identifier of the specific requirement within the compliance standard (e.g., '1.1', '3.4', 'A.12.6.1', 'CC6.1')." }, "requirementName": { "type": "string", "description": "Human-readable name or title of the compliance requirement as defined in the standard." }, "sectionId": { "type": "string", "description": "Identifier of the section within the requirement that this policy maps to, providing granular mapping to specific control objectives." }, "sectionDescription": { "type": "string", "description": "Description of the compliance section explaining the specific control objective or security requirement the policy addresses." }, "policyId": { "type": "string", "description": "Reference to the parent policy identifier (the top-level policyId) for this compliance mapping entry. Note: the top-level field is declared as uuid while this one is declared as string; the two declarations should be reconciled so the same value validates in both places." }, "severity": { "type": "string", "description": "Severity level of this compliance mapping, which may differ from the parent policy severity when the same policy maps to requirements of varying criticality.", "enum": [ "informational", "low", "medium", "high", "critical" ] } }, "name": "ComplianceMetadata" } } }