# pcpolicy

pcpolicy is a command line utility that allows for bulk updating of Prisma Cloud policies. It supports applying enable/disable actions, changing policy severities, and filtering policies based on various criteria.
## Configuration

This script currently uses environment variables to authenticate against Prisma Cloud. In the future this may be changed to another method, but for now the following three settings must be set as environment variables on the machine where you run the script. Alternatively, you can edit the contents of config.py.
name | setting | type | description |
---|---|---|---|
PRISMA_CLOUD_URL | Prisma Cloud Base URL | string | Your Prisma Cloud app stack URL in the format: https://app.prismacloud.io |
PRISMA_CLOUD_IDENTITY | Prisma Cloud Identity | string | Username or access key with the ability to view and modify policy. |
PRISMA_CLOUD_SECRET | Prisma Cloud Secret | string | Password for the username or access key above |
## Installation

To install pcpolicy, you need to have Python 3 and pip installed on your machine. You can install pcpolicy using the following commands:

```bash
# Install build tools
python3 -m pip install --upgrade build
# Build the package
python3 -m build
# Install the package
pip install .
```
## Usage

After installing the package, you can use the pcpolicy command line tool to manage your Prisma Cloud policies.

```
pcpolicy [OPTIONS]
```

- `--apply`: Apply selected changes.
- `--cloud`: Filter policies by cloud provider (`aws`, `azure`, `gcp`, `alibaba`, `oci`).
- `--compliance`: Find policies associated with a compliance standard.
- `--disable`: Disable the selected policies (mutually exclusive with `--enable`).
- `--enable`: Enable the selected policies (mutually exclusive with `--disable`).
- `--exclude-label`: Exclude policies with a matching label name.
- `--exclude`: Exclude policies by name (multiple values allowed).
- `--export`: Export results as a CSV.
- `--include-label`: Include policies with a matching label name.
- `--include`: Include policies by name (multiple values allowed).
- `--list-compliance`: List all compliance standard names.
- `--match`: Change the match criteria for include/exclude searches to `any` or `all`.
- `--new-label`: Add a label to matched policies.
- `--new-severity`: Change the selected policy severity to one of `critical`, `high`, `medium`, `low`, `informational`.
- `--policy-disabled`: Find disabled policies.
- `--policy-enabled`: Find enabled policies.
- `--policy-subtype`: Filter policies by subtype (`run`, `build`, `run_and_build`, `audit`, `data_classification`, `dns`, `malware`, `network_event`, `network`, `ueba`, `permissions`, `identity`).
- `--remove-label`: Remove a label from matched policies.
- `--severity`: Specify the policy severity (required) as one of `c`: critical, `h`: high, `m`: medium, `l`: low, `i`: informational.
**Important**

All options that make changes to policy require `--apply` to be added to the command. This is done to prevent accidental modification of policies.
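As an added illustration, not the pcpolicy project's own code, the following Python sketch shows one way to implement the option semantics documented above (a required `--severity` that accepts the one-letter shorthand, `--match` any/all include and exclude filters, mutually exclusive `--enable`/`--disable`, and writes that happen only when `--apply` is present) together with a fail-closed check for the three configuration environment variables. The policy records, their field names, and the in-memory "write" are constructed for the example and are not the Prisma Cloud API schema.

```python
# Added illustration, not the pcpolicy project's own code. Policy records and
# field names below are constructed; a real tool would talk to the Prisma Cloud API.
import argparse
import os
import sys
from typing import Iterable, Mapping

REQUIRED_ENV = ("PRISMA_CLOUD_URL", "PRISMA_CLOUD_IDENTITY", "PRISMA_CLOUD_SECRET")
SEVERITIES = ["critical", "high", "medium", "low", "informational"]
SHORTHAND = {s[0]: s for s in SEVERITIES}  # c, h, m, l, i


def load_config(env: Mapping[str, str] = os.environ) -> dict:
    """Read the three required settings; refuse to run if any is missing or empty."""
    missing = [name for name in REQUIRED_ENV if not env.get(name)]
    if missing:
        raise SystemExit("missing required environment variables: " + ", ".join(missing))
    return {name: env[name] for name in REQUIRED_ENV}


def normalize_severity(value: str) -> str:
    """Accept 'high' or 'h' and return the full name; reject anything else."""
    value = value.lower()
    full = SHORTHAND.get(value, value)
    if full not in SEVERITIES:
        raise argparse.ArgumentTypeError(f"unknown severity {value!r}")
    return full


def build_parser() -> argparse.ArgumentParser:
    p = argparse.ArgumentParser(prog="pcpolicy")
    p.add_argument("--severity", required=True, type=normalize_severity)
    p.add_argument("--new-severity", type=normalize_severity)
    p.add_argument("--cloud", choices=["aws", "azure", "gcp", "alibaba", "oci"])
    p.add_argument("--policy-subtype")
    p.add_argument("--include", action="append", default=[])
    p.add_argument("--exclude", action="append", default=[])
    p.add_argument("--match", choices=["any", "all"], default="any")
    state = p.add_mutually_exclusive_group()  # --enable and --disable cannot be combined
    state.add_argument("--enable", action="store_true")
    state.add_argument("--disable", action="store_true")
    p.add_argument("--apply", action="store_true", help="actually write the changes")
    return p


def sample_policies() -> list:
    """Constructed records (hypothetical field names); a fresh copy on every call."""
    return [
        {"name": "S3 bucket is publicly readable", "cloud": "aws", "subtype": "run", "severity": "high", "enabled": False},
        {"name": "Security group allows ingress from 0.0.0.0/0", "cloud": "aws", "subtype": "run", "severity": "high", "enabled": True},
        {"name": "NSG allows public RDP", "cloud": "azure", "subtype": "run", "severity": "critical", "enabled": True},
        {"name": "Bucket logging disabled", "cloud": "gcp", "subtype": "build", "severity": "medium", "enabled": False},
    ]


def name_matches(name: str, terms: list, mode: str) -> bool:
    """Case-insensitive substring match; 'any' needs one hit, 'all' needs every term."""
    hits = [t.lower() in name.lower() for t in terms]
    return all(hits) if mode == "all" else any(hits)


def select_policies(policies: Iterable[dict], args: argparse.Namespace) -> list:
    """Apply the severity, cloud, subtype, include and exclude filters."""
    selected = []
    for pol in policies:
        if pol["severity"] != args.severity:
            continue
        if args.cloud and pol["cloud"] != args.cloud:
            continue
        if args.policy_subtype and pol["subtype"] != args.policy_subtype:
            continue
        if args.include and not name_matches(pol["name"], args.include, args.match):
            continue
        if args.exclude and name_matches(pol["name"], args.exclude, args.match):
            continue
        selected.append(pol)
    return selected


def plan_changes(selected: list, args: argparse.Namespace) -> list:
    """List (policy, field, new value) tuples without modifying anything."""
    changes = []
    for pol in selected:
        if args.enable and not pol["enabled"]:
            changes.append((pol, "enabled", True))
        if args.disable and pol["enabled"]:
            changes.append((pol, "enabled", False))
        if args.new_severity and pol["severity"] != args.new_severity:
            changes.append((pol, "severity", args.new_severity))
    return changes


def run(argv: list, policies: list) -> dict:
    """Select, plan, and only mutate the records when --apply was given."""
    args = build_parser().parse_args(argv)
    selected = select_policies(policies, args)
    changes = plan_changes(selected, args)
    applied = bool(changes) and args.apply
    if changes and not applied:
        print(f"{len(changes)} change(s) planned; re-run with --apply to make them")
    for pol, field, value in changes if applied else []:
        pol[field] = value  # a real tool would PUT the updated policy to the API here
    return {
        "selected": [p["name"] for p in selected],
        "changes": [(p["name"], f, v) for p, f, v in changes],
        "applied": applied,
    }


if __name__ == "__main__":
    load_config()  # fails closed before any policy is touched
    print(run(sys.argv[1:], sample_policies()))
```

The dry-run default mirrors the note above: without `--apply` the tool reports what it would change and leaves every record as it was, so a mistyped filter shows up in the preview rather than in a modified policy set.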
## Examples

```bash
pcpolicy --severity high --policy-disabled

pcpolicy --severity medium --policy-subtype build --enable --apply

pcpolicy --cloud aws --severity high --new-severity medium --apply

pcpolicy --severity critical --cloud azure --policy-subtype run

pcpolicy --severity m --policy-disabled --policy-subtype run --include public

pcpolicy --list-compliance --include PCI

pcpolicy --compliance 'PCI DSS v4.0' --policy-disabled

pcpolicy --compliance 'PCI DSS v4.0' --policy-disabled --enable --cloud aws --apply
```

Label all matching run policies in Azure with nsg, public, network, private, ipv4, and firewall with the label Azure_Public:

```bash
pcpolicy --cloud azure --policy-subtype run --include nsg --include public --include network --include private --include ipv4 --include firewall --new-label Azure_Public --apply
```

```bash
pcpolicy --include-label Azure_Public --remove-label Azure_Public --apply
```
## Contributing

Contributions are welcome! Please feel free to submit a pull request or open an issue to discuss any changes.

## License

This project is licensed under the MIT License - see the LICENSE file for details.