How to Create a Custom Rule for Container Runtime Policy


By Sugathri Tumiki, Customer Success Engineer

 

Introduction 

 

Prisma Cloud uses a machine learning model of runtime behavior to scale runtime defense in large and complex environments. Runtime defense provides both predictive and threat-based active protection for running containers. Predictive protection capabilities include determining when a container runs a process that is not included in the original image or when it creates an unexpected network socket. Threat-based protection capabilities include detecting when malware is added to a container or when a container connects to a botnet.

 

Custom rules provide an additional mechanism to protect running software. They are expressions that you create for your specific use case and that are stored in a central library, where they can be reused and added to your runtime policies at any time.

 

There are four types of rules available while creating a custom rule, but only three are relevant to runtime:

 

  • Processes
  • File System
  • Networking-outgoing

Overview

This document gives step-by-step instructions for creating a custom rule and applying it to the Container Runtime Policy.

 

You can use the same process to create a custom rule and apply it to the Host Runtime Policy.

 

When to Use

Use this guide to create a custom rule when you want to Allow, Alert, Prevent, or Block Processes, File System, or Network-outgoing activity at runtime.

 

Workflow Steps

  • Step 1: Navigate to Runtime Security -> Defend -> Custom Rules -> Runtime -> Add Rule -> Create a new custom rule. 

Choose the type (processes, filesystem, network-outgoing) from the drop-down, as shown in Figure 1.

 


Figure 1: Add Custom Rule_PaloAltoNetworks

  • Step 2: Create the custom rule. Here the rule is based on the Processes type, and the logic applied is shown in Figure 2.
 


Figure 2: Processes Custom Rule_PaloAltoNetworks

 

  • Step 3: The custom rule is ready and can be scoped in the Container Runtime Policy.

You can add it to an existing Container Runtime Policy or apply it while creating a new one.

The steps below show how to apply a custom rule to a new Container Runtime Policy.

Navigate to Defend -> Runtime -> Container Policy -> Container runtime policy -> Add rule -> Create new runtime rule -> Custom rules -> select rules

 


Figure 3: Select rules_PaloAltoNetworks

Select the custom rule that was created in Step 2, apply the Effect (Allow, Alert, Prevent, Block), and save. The custom rule is now applied to the Container Runtime Policy.

 


Figure 4: Custom Runtime Container Policy Rule_PaloAltoNetworks

Conclusion

This article has walked through the high-level, step-by-step process of creating a custom rule and assigning it to the Container Runtime Policy. Custom rules are expressions that you create for your specific use case and that are stored in a central library, where they can be reused and added to your runtime policies at any time.


About the Author

 

Sugathri Tumiki is a Customer Success Engineer on the Prisma™ Cloud CWP team, specializing in supporting all non-compute solutions for Prisma™ Cloud  AWS, Azure, GCP, OCI, and Alibaba.

Sugathri’s expertise spans from Prisma Cloud to Cortex Cloud, Next-Generation Firewall, and Cortex Xpanse, and to securing compute workloads including containers and Kubernetes on public and private clouds. She uses collaborative approaches to break down complex problems into solutions for global enterprise customers and leverages their multi-industry knowledge to inspire success.

Last Updated:
‎04-28-2025 09:40 AM