| Field | Type | Description |
| --- | --- | --- |
| policyId | string | Unique UUID identifier for the policy, assigned by Prisma Cloud upon creation. This field is read-only and cannot be set by API clients. Used to reference the policy in alert rules, compliance report |
| name | string | Human-readable display name of the policy. Must be unique within the Prisma Cloud tenant. Typically follows the pattern 'Cloud Provider - Resource Type - Condition' (e.g., 'AWS S3 bucket is publicly a |
| policyType | string | Classification of the policy type that determines which evaluation engine and data source is used. 'config' evaluates cloud resource configurations via RQL config queries. 'network' analyzes VPC flow |
| description | string | Detailed description of the policy explaining what misconfiguration or security risk it detects, why the risk matters, and the potential impact of a violation. Displayed in the policy library and with |
| severity | string | Severity level assigned to the policy indicating the potential risk and impact of a detected violation. 'critical' indicates an actively exploitable or high-impact misconfiguration. 'high' indicates a |
| rule | object | The evaluation rule containing the detection logic for this policy. For RQL-based policies this contains the query string executed against cloud resource data to identify violations. |
| labels | array | List of administrative labels applied to the policy for organizational grouping, filtering, and bulk management. Labels are user-defined strings supporting operational workflows such as team ownership |
| enabled | boolean | Whether the policy is currently active and generating alerts. Disabled policies are not evaluated during scheduled or real-time scans. Useful for temporarily suppressing a policy during maintenance wi |
| systemDefault | boolean | Whether the policy is a system-default policy provided and maintained by Palo Alto Networks. System-default policies are updated by the Prisma Cloud research team and cannot be deleted, though they ca |
| cloudType | string | Cloud service provider scope for the policy. Provider-specific policies contain RQL queries and remediation steps tailored to that provider's APIs and resource model. 'all' indicates a cross-cloud pol |
| recommendation | string | Step-by-step remediation guidance for resolving policy violations. Should include specific instructions for the relevant cloud provider console, CLI, or API. Supports markdown formatting for structure |
| remediable | boolean | Whether automated remediation is available for this policy via the configured CLI script template. When true, analysts can trigger one-click remediation from the Prisma Cloud alert interface. |
| remediation | object | Automated and manual remediation configuration for resolving violations detected by this policy. Includes CLI script templates for automated remediation and descriptive steps for manual resolution. |
| complianceMetadata | array | List of compliance standard mappings associating this policy with specific regulatory or organizational compliance requirements. Each entry links the policy to a named compliance framework, requiremen |
| createdOn | integer | Timestamp when the policy was first created, expressed as Unix epoch time in milliseconds. |
| createdBy | string | Email address or username of the administrator who created the policy. Set to 'Prisma Cloud' for system-default policies. |
| lastModifiedOn | integer | Timestamp of the most recent modification to the policy configuration, expressed as Unix epoch time in milliseconds. |
| lastModifiedBy | string | Email address or username of the administrator who last modified the policy. |