Anti-Spyware Profile Configuration Object
Table of Contents
- Overview
- Core Methods
- Anti-Spyware Profile Model Attributes
- Exceptions
- Basic Configuration
- Usage Examples
- Managing Configuration Changes
- Error Handling
- Best Practices
- Full Script Examples
- Related Models
Overview
The AntiSpywareProfile class provides functionality to manage anti-spyware profiles in Palo Alto Networks' Strata
Cloud Manager. This class inherits from BaseObject and provides methods for creating, retrieving, updating, and
deleting profiles that define threat detection and prevention settings for spyware, command-and-control traffic, and
other malicious activities.
Core Methods
| Method | Description | Parameters | Return Type |
|---|---|---|---|
create() |
Creates a new profile | data: Dict[str, Any] |
AntiSpywareProfileResponseModel |
get() |
Retrieves a profile by ID | object_id: str |
AntiSpywareProfileResponseModel |
update() |
Updates an existing profile | profile: AntiSpywareProfileUpdateModel |
AntiSpywareProfileResponseModel |
delete() |
Deletes a profile | object_id: str |
None |
list() |
Lists profiles with filtering | folder: str, **filters |
List[AntiSpywareProfileResponseModel] |
fetch() |
Gets profile by name/container | name: str, folder: str |
AntiSpywareProfileResponseModel |
Anti-Spyware Profile Model Attributes
| Attribute | Type | Required | Description |
|---|---|---|---|
name |
str | Yes | Profile name (max 63 chars) |
id |
UUID | Yes* | Unique identifier (*response only) |
description |
str | No | Profile description |
cloud_inline_analysis |
bool | No | Enable cloud inline analysis |
rules |
List[Rule] | Yes | List of anti-spyware rules |
threat_exception |
List[ThreatException] | No | List of threat exceptions |
mica_engine_spyware_enabled |
List[MicaEngine] | No | MICA engine spyware settings |
inline_exception_edl_url |
List[str] | No | Inline exception EDL URLs |
folder |
str | Yes** | Folder location (**one container required) |
snippet |
str | Yes** | Snippet location (**one container required) |
device |
str | Yes** | Device location (**one container required) |
Exceptions
| Exception | HTTP Code | Description |
|---|---|---|
InvalidObjectError |
400 | Invalid profile data or format |
MissingQueryParameterError |
400 | Missing required parameters |
NameNotUniqueError |
409 | Profile name already exists |
ObjectNotPresentError |
404 | Profile not found |
ReferenceNotZeroError |
409 | Profile still referenced |
AuthenticationError |
401 | Authentication failed |
ServerError |
500 | Internal server error |
Basic Configuration
from scm.client import Scm
from scm.config.security import AntiSpywareProfile
# Initialize clientclient = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Initialize AntiSpywareProfile objectprofiles = AntiSpywareProfile(client)
from scm.config.security import AntiSpywareProfile
# Initialize clientclient = Scm(
client_id="your_client_id",
client_secret="your_client_secret",
tsg_id="your_tsg_id"
)
# Initialize AntiSpywareProfile objectprofiles = AntiSpywareProfile(client)
Usage Examples
Creating Anti-Spyware Profiles
# Basic profile configurationbasic_profile = {
"name": "basic-profile",
"description": "Basic anti-spyware profile",
"folder": "Texas",
"rules": [
{
"name": "block-critical",
"severity": ["critical"],
"category": "spyware",
"action": {
"block_ip": {
"track_by": "source",
"duration": 300
}
}
}
]
}
# Create basic profilebasic_profile_obj = profiles.create(basic_profile)
# Advanced profile with MICA engineadvanced_profile = {
"name": "advanced-profile",
"description": "Advanced anti-spyware profile",
"folder": "Texas",
"cloud_inline_analysis": True,
"mica_engine_spyware_enabled": [
{
"name": "HTTP Command and Control detector",
"inline_policy_action": "alert"
}
],
"rules": [
{
"name": "critical-threats",
"severity": ["critical", "high"],
"category": "command-and-control",
"action": {"reset_both": {}}
},
{
"name": "medium-threats",
"severity": ["medium"],
"category": "spyware",
"action": {"alert": {}}
}
]
}
# Create advanced profileadvanced_profile_obj = profiles.create(advanced_profile)
"name": "basic-profile",
"description": "Basic anti-spyware profile",
"folder": "Texas",
"rules": [
{
"name": "block-critical",
"severity": ["critical"],
"category": "spyware",
"action": {
"block_ip": {
"track_by": "source",
"duration": 300
}
}
}
]
}
# Create basic profilebasic_profile_obj = profiles.create(basic_profile)
# Advanced profile with MICA engineadvanced_profile = {
"name": "advanced-profile",
"description": "Advanced anti-spyware profile",
"folder": "Texas",
"cloud_inline_analysis": True,
"mica_engine_spyware_enabled": [
{
"name": "HTTP Command and Control detector",
"inline_policy_action": "alert"
}
],
"rules": [
{
"name": "critical-threats",
"severity": ["critical", "high"],
"category": "command-and-control",
"action": {"reset_both": {}}
},
{
"name": "medium-threats",
"severity": ["medium"],
"category": "spyware",
"action": {"alert": {}}
}
]
}
# Create advanced profileadvanced_profile_obj = profiles.create(advanced_profile)
Retrieving Profiles
# Fetch by name and folderprofile = profiles.fetch(name="basic-profile", folder="Texas")
print(f"Found profile: {profile.name}")
# Get by IDprofile_by_id = profiles.get(profile.id)
print(f"Retrieved profile: {profile_by_id.name}")
print(f"Number of rules: {len(profile_by_id.rules)}")
print(f"Found profile: {profile.name}")
# Get by IDprofile_by_id = profiles.get(profile.id)
print(f"Retrieved profile: {profile_by_id.name}")
print(f"Number of rules: {len(profile_by_id.rules)}")
Updating Profiles
# Fetch existing profileexisting_profile = profiles.fetch(name="basic-profile", folder="Texas")
# Update attributesexisting_profile.description = "Updated basic profile"
existing_profile.cloud_inline_analysis = True
# Add new ruleexisting_profile.rules.append({
"name": "new-rule",
"severity": ["high"],
"category": "spyware",
"action": {"alert": {}}
})
# Perform updateupdated_profile = profiles.update(existing_profile)
# Update attributesexisting_profile.description = "Updated basic profile"
existing_profile.cloud_inline_analysis = True
# Add new ruleexisting_profile.rules.append({
"name": "new-rule",
"severity": ["high"],
"category": "spyware",
"action": {"alert": {}}
})
# Perform updateupdated_profile = profiles.update(existing_profile)
Listing Profiles
# List with direct filter parametersfiltered_profiles = profiles.list(
folder='Texas',
rules=['block-critical']
)
# Process resultsfor profile in filtered_profiles:
print(f"Name: {profile.name}")
print(f"Rules: {len(profile.rules)}")
for rule in profile.rules:
print(f" - {rule.name}: {rule.category}")
# Define filter parameters as dictionarylist_params = {
"folder": "Texas",
"rules": ["critical-threats", "medium-threats"]
}
# List with filters as kwargsfiltered_profiles = profiles.list(**list_params)
folder='Texas',
rules=['block-critical']
)
# Process resultsfor profile in filtered_profiles:
print(f"Name: {profile.name}")
print(f"Rules: {len(profile.rules)}")
for rule in profile.rules:
print(f" - {rule.name}: {rule.category}")
# Define filter parameters as dictionarylist_params = {
"folder": "Texas",
"rules": ["critical-threats", "medium-threats"]
}
# List with filters as kwargsfiltered_profiles = profiles.list(**list_params)
Filtering Responses
The list() method supports additional parameters to refine your query results even further. Alongside basic filters
(like types, values, and tags), you can leverage the exact_match, exclude_folders, exclude_snippets, and
exclude_devices parameters to control which objects are included or excluded after the initial API response is fetched.
Parameters:
exact_match (bool): WhenTrue, only objects defined exactly in the specified container (folder,snippet, ordevice) are returned. Inherited or propagated objects are filtered out.exclude_folders (List[str]): Provide a list of folder names that you do not want included in the results.exclude_snippets (List[str]): Provide a list of snippet values to exclude from the results.exclude_devices (List[str]): Provide a list of device values to exclude from the results.
Examples:
# Only return anti_spyware_profiles defined exactly in 'Texas'exact_anti_spyware_profiles = profiles.list(
folder='Texas',
exact_match=True
)
for app in exact_anti_spyware_profiles:
print(f"Exact match: {app.name} in {app.folder}")
# Exclude all anti_spyware_profiles from the 'All' folderno_all_anti_spyware_profiles = profiles.list(
folder='Texas',
exclude_folders=['All']
)
for app in no_all_anti_spyware_profiles:
assert app.folder != 'All'
print(f"Filtered out 'All': {app.name}")
# Exclude anti_spyware_profiles that come from 'default' snippetno_default_snippet = profiles.list(
folder='Texas',
exclude_snippets=['default']
)
for app in no_default_snippet:
assert app.snippet != 'default'
print(f"Filtered out 'default' snippet: {app.name}")
# Exclude anti_spyware_profiles associated with 'DeviceA'no_deviceA = profiles.list(
folder='Texas',
exclude_devices=['DeviceA']
)
for app in no_deviceA:
assert app.device != 'DeviceA'
print(f"Filtered out 'DeviceA': {app.name}")
# Combine exact_match with multiple exclusionscombined_filters = profiles.list(
folder='Texas',
exact_match=True,
exclude_folders=['All'],
exclude_snippets=['default'],
exclude_devices=['DeviceA']
)
for app in combined_filters:
print(f"Combined filters result: {app.name} in {app.folder}")
folder='Texas',
exact_match=True
)
for app in exact_anti_spyware_profiles:
print(f"Exact match: {app.name} in {app.folder}")
# Exclude all anti_spyware_profiles from the 'All' folderno_all_anti_spyware_profiles = profiles.list(
folder='Texas',
exclude_folders=['All']
)
for app in no_all_anti_spyware_profiles:
assert app.folder != 'All'
print(f"Filtered out 'All': {app.name}")
# Exclude anti_spyware_profiles that come from 'default' snippetno_default_snippet = profiles.list(
folder='Texas',
exclude_snippets=['default']
)
for app in no_default_snippet:
assert app.snippet != 'default'
print(f"Filtered out 'default' snippet: {app.name}")
# Exclude anti_spyware_profiles associated with 'DeviceA'no_deviceA = profiles.list(
folder='Texas',
exclude_devices=['DeviceA']
)
for app in no_deviceA:
assert app.device != 'DeviceA'
print(f"Filtered out 'DeviceA': {app.name}")
# Combine exact_match with multiple exclusionscombined_filters = profiles.list(
folder='Texas',
exact_match=True,
exclude_folders=['All'],
exclude_snippets=['default'],
exclude_devices=['DeviceA']
)
for app in combined_filters:
print(f"Combined filters result: {app.name} in {app.folder}")
Controlling Pagination with max_limit
The SDK supports pagination through the max_limit parameter, which defines how many objects are retrieved per API call. By default, max_limit is set to 2500. The API itself imposes a maximum allowed value of 5000. If you set max_limit higher than 5000, it will be capped to the API's maximum. The list() method will continue to iterate through all objects until all results have been retrieved. Adjusting max_limit can help manage retrieval performance and memory usage when working with large datasets.
# Initialize the AntiSpywareProfile object with a custom max_limit# This will retrieve up to 4321 objects per API call, up to the API limit of 5000.profile_client = AntiSpywareProfile(api_client=client, max_limit=4321)
# Now when we call list(), it will use the specified max_limit for each request# while auto-paginating through all available objects.all_profiles = profile_client.list(folder='Texas')
# 'all_profiles' contains all objects from 'Texas', fetched in chunks of up to 4321 at a time.
# Now when we call list(), it will use the specified max_limit for each request# while auto-paginating through all available objects.all_profiles = profile_client.list(folder='Texas')
# 'all_profiles' contains all objects from 'Texas', fetched in chunks of up to 4321 at a time.
Deleting Profiles
# Delete by IDprofile_id = "123e4567-e89b-12d3-a456-426655440000"
profiles.delete(profile_id)
profiles.delete(profile_id)
Managing Configuration Changes
Performing Commits
# Prepare commit parameterscommit_params = {
"folders": ["Texas"],
"description": "Updated anti-spyware profiles",
"sync": True,
"timeout": 300 # 5 minute timeout
}
# Commit the changesresult = profiles.commit(**commit_params)
print(f"Commit job ID: {result.job_id}")
"folders": ["Texas"],
"description": "Updated anti-spyware profiles",
"sync": True,
"timeout": 300 # 5 minute timeout
}
# Commit the changesresult = profiles.commit(**commit_params)
print(f"Commit job ID: {result.job_id}")
Monitoring Jobs
# Get status of specific jobjob_status = profiles.get_job_status(result.job_id)
print(f"Job status: {job_status.data[0].status_str}")
# List recent jobsrecent_jobs = profiles.list_jobs(limit=10)
for job in recent_jobs.data:
print(f"Job {job.id}: {job.type_str} - {job.status_str}")
print(f"Job status: {job_status.data[0].status_str}")
# List recent jobsrecent_jobs = profiles.list_jobs(limit=10)
for job in recent_jobs.data:
print(f"Job {job.id}: {job.type_str} - {job.status_str}")
Error Handling
from scm.exceptions import (
InvalidObjectError,
MissingQueryParameterError,
NameNotUniqueError,
ObjectNotPresentError,
ReferenceNotZeroError
)
try:
# Create profile configuration
profile_config = {
"name": "test-profile",
"description": "Test anti-spyware profile",
"folder": "Texas",
"rules": [
{
"name": "test-rule",
"severity": ["critical"],
"category": "spyware",
"action": {"alert": {}}
}
]
}
# Create the profile
new_profile = profiles.create(profile_config)
# Commit changes
result = profiles.commit(
folders=["Texas"],
description="Added test profile",
sync=True
)
# Check job status
status = profiles.get_job_status(result.job_id)
except InvalidObjectError as e:
print(f"Invalid profile data: {e.message}")
except NameNotUniqueError as e:
print(f"Profile name already exists: {e.message}")
except ObjectNotPresentError as e:
print(f"Profile not found: {e.message}")
except ReferenceNotZeroError as e:
print(f"Profile still in use: {e.message}")
except MissingQueryParameterError as e:
print(f"Missing parameter: {e.message}")
InvalidObjectError,
MissingQueryParameterError,
NameNotUniqueError,
ObjectNotPresentError,
ReferenceNotZeroError
)
try:
# Create profile configuration
profile_config = {
"name": "test-profile",
"description": "Test anti-spyware profile",
"folder": "Texas",
"rules": [
{
"name": "test-rule",
"severity": ["critical"],
"category": "spyware",
"action": {"alert": {}}
}
]
}
# Create the profile
new_profile = profiles.create(profile_config)
# Commit changes
result = profiles.commit(
folders=["Texas"],
description="Added test profile",
sync=True
)
# Check job status
status = profiles.get_job_status(result.job_id)
except InvalidObjectError as e:
print(f"Invalid profile data: {e.message}")
except NameNotUniqueError as e:
print(f"Profile name already exists: {e.message}")
except ObjectNotPresentError as e:
print(f"Profile not found: {e.message}")
except ReferenceNotZeroError as e:
print(f"Profile still in use: {e.message}")
except MissingQueryParameterError as e:
print(f"Missing parameter: {e.message}")
Best Practices
-
Rule Configuration
- Use descriptive rule names
- Set appropriate severity levels
- Configure actions based on threat level
- Document rule purposes
- Review rule effectiveness
-
Container Management
- Always specify exactly one container
- Use consistent container names
- Validate container existence
- Group related profiles
-
Exception Handling
- Document threat exceptions
- Review exception lists regularly
- Validate IP addresses
- Monitor exception usage
- Update as needed
-
Performance
- Use appropriate pagination
- Cache frequently accessed profiles
- Monitor cloud analysis impact
- Implement proper retry logic
- Track job completion
-
Security
- Follow least privilege principle
- Validate input data
- Monitor profile changes
- Review audit logs
- Document modifications
Full Script Examples
Refer to the anti_spyware_profile.py example.