Anti-Spyware Profile Models
Overview
The Anti-Spyware Profile models provide a structured way to manage anti-spyware security profiles in Palo Alto Networks' Strata Cloud Manager. These models support configuring rules, threat exceptions, and MICA engine settings to detect and prevent spyware threats. Profiles can be defined in folders, snippets, or devices. The models handle validation of inputs and outputs when interacting with the SCM API.
Attributes
| Attribute | Type | Required | Default | Description |
|---|---|---|---|---|
| name | str | Yes | None | Name of the profile |
| description | str | No | None | Description of the profile |
| cloud_inline_analysis | bool | No | False | Enable/disable cloud inline analysis |
| inline_exception_edl_url | List[str] | No | None | List of inline exception EDL URLs |
| inline_exception_ip_address | List[str] | No | None | List of inline exception IP addresses |
| mica_engine_spyware_enabled | List[MicaEngineSpywareEnabledEntry] | No | None | List of MICA engine spyware enabled entries |
| folder | str | No* | None | Folder where profile is defined. Max length: 64 chars |
| snippet | str | No* | None | Snippet where profile is defined. Max length: 64 chars |
| device | str | No* | None | Device where profile is defined. Max length: 64 chars |
| rules | List[RuleRequest] | Yes | None | List of anti-spyware rules |
| threat_exception | List[ThreatExceptionRequest] | No | None | List of threat exceptions |
| id | UUID | Yes** | None | UUID of the profile (response only) |
* Exactly one container type (folder/snippet/device) must be provided ** Only required for response model
Model Validators
Container Type Validation
For create operations, exactly one container type must be specified:
# Using dictionaryfrom scm.config.security import AntiSpywareProfile
# Error: multiple containers specifiedtry:
profile_dict = {
"name": "invalid-profile",
"folder": "Shared",
"device": "fw01", # Can't specify both folder and device
"rules": [{
"name": "rule1",
"severity": ["critical"],
"category": "spyware",
"action": {"alert": {}}
}]
}
profile = AntiSpywareProfile(api_client)
response = profile.create(profile_dict)
except ValueError as e:
print(e) # "Exactly one of 'folder', 'snippet', or 'device' must be provided."
# Using model directlyfrom scm.models.security import AntiSpywareProfileRequestModel
# Error: no container specifiedtry:
profile = AntiSpywareProfileRequestModel(
name="invalid-profile",
rules=[{
"name": "rule1",
"severity": ["critical"],
"category": "spyware",
"action": {"alert": {}}
}]
)
except ValueError as e:
print(e) # "Exactly one of 'folder', 'snippet', or 'device' must be provided."
# Error: multiple containers specifiedtry:
profile_dict = {
"name": "invalid-profile",
"folder": "Shared",
"device": "fw01", # Can't specify both folder and device
"rules": [{
"name": "rule1",
"severity": ["critical"],
"category": "spyware",
"action": {"alert": {}}
}]
}
profile = AntiSpywareProfile(api_client)
response = profile.create(profile_dict)
except ValueError as e:
print(e) # "Exactly one of 'folder', 'snippet', or 'device' must be provided."
# Using model directlyfrom scm.models.security import AntiSpywareProfileRequestModel
# Error: no container specifiedtry:
profile = AntiSpywareProfileRequestModel(
name="invalid-profile",
rules=[{
"name": "rule1",
"severity": ["critical"],
"category": "spyware",
"action": {"alert": {}}
}]
)
except ValueError as e:
print(e) # "Exactly one of 'folder', 'snippet', or 'device' must be provided."
Action Validation
For rules and threat exceptions, exactly one action type must be specified:
# Using dictionarytry:
rule_dict = {
"name": "invalid-rule",
"severity": ["critical"],
"category": "spyware",
"action": {
"alert": {},
"drop": {} # Can't specify multiple actions
}
}
profile_dict = {
"name": "test-profile",
"folder": "Shared",
"rules": [rule_dict]
}
response = profile.create(profile_dict)
except ValueError as e:
print(e) # "Exactly one action must be provided in 'action' field."
# Using model directlyfrom scm.models.security import RuleRequest, ActionRequest
try:
action = ActionRequest(root={"alert": {}, "drop": {}})
rule = RuleRequest(
name="invalid-rule",
severity=["critical"],
category="spyware",
action=action
)
except ValueError as e:
print(e) # "Exactly one action must be provided in 'action' field."
rule_dict = {
"name": "invalid-rule",
"severity": ["critical"],
"category": "spyware",
"action": {
"alert": {},
"drop": {} # Can't specify multiple actions
}
}
profile_dict = {
"name": "test-profile",
"folder": "Shared",
"rules": [rule_dict]
}
response = profile.create(profile_dict)
except ValueError as e:
print(e) # "Exactly one action must be provided in 'action' field."
# Using model directlyfrom scm.models.security import RuleRequest, ActionRequest
try:
action = ActionRequest(root={"alert": {}, "drop": {}})
rule = RuleRequest(
name="invalid-rule",
severity=["critical"],
category="spyware",
action=action
)
except ValueError as e:
print(e) # "Exactly one action must be provided in 'action' field."
Usage Examples
Creating a Basic Profile
# Using dictionarybasic_dict = {
"name": "basic-profile",
"description": "Basic anti-spyware profile",
"folder": "Shared",
"rules": [{
"name": "basic-rule",
"severity": ["critical", "high"],
"category": "spyware",
"action": {"alert": {}}
}]
}
profile = AntiSpywareProfile(api_client)
response = profile.create(basic_dict)
# Using model directlyfrom scm.models.security import (
AntiSpywareProfileRequestModel,
RuleRequest,
ActionRequest,
Severity,
Category
)
basic_profile = AntiSpywareProfileRequestModel(
name="basic-profile",
description="Basic anti-spyware profile",
folder="Shared",
rules=[
RuleRequest(
name="basic-rule",
severity=[Severity.critical, Severity.high],
category=Category.spyware,
action=ActionRequest(root={"alert": {}})
)
]
)
payload = basic_profile.model_dump(exclude_unset=True)
response = profile.create(payload)
"name": "basic-profile",
"description": "Basic anti-spyware profile",
"folder": "Shared",
"rules": [{
"name": "basic-rule",
"severity": ["critical", "high"],
"category": "spyware",
"action": {"alert": {}}
}]
}
profile = AntiSpywareProfile(api_client)
response = profile.create(basic_dict)
# Using model directlyfrom scm.models.security import (
AntiSpywareProfileRequestModel,
RuleRequest,
ActionRequest,
Severity,
Category
)
basic_profile = AntiSpywareProfileRequestModel(
name="basic-profile",
description="Basic anti-spyware profile",
folder="Shared",
rules=[
RuleRequest(
name="basic-rule",
severity=[Severity.critical, Severity.high],
category=Category.spyware,
action=ActionRequest(root={"alert": {}})
)
]
)
payload = basic_profile.model_dump(exclude_unset=True)
response = profile.create(payload)
Creating a Profile with Threat Exceptions
# Using dictionaryadvanced_dict = {
"name": "advanced-profile",
"folder": "Security",
"cloud_inline_analysis": True,
"rules": [{
"name": "strict-rule",
"severity": ["critical"],
"category": "spyware",
"action": {"block_ip": {"track_by": "source", "duration": 300}}
}],
"threat_exception": [{
"name": "exception1",
"packet_capture": "single-packet",
"action": {"allow": {}},
"exempt_ip": [{"name": "10.0.0.1"}]
}]
}
response = profile.create(advanced_dict)
# Using model directlyfrom scm.models.security import (
ThreatExceptionRequest,
ExemptIpEntry,
PacketCapture
)
advanced_profile = AntiSpywareProfileRequestModel(
name="advanced-profile",
folder="Security",
cloud_inline_analysis=True,
rules=[
RuleRequest(
name="strict-rule",
severity=[Severity.critical],
category=Category.spyware,
action=ActionRequest(root={
"block_ip": {
"track_by": "source",
"duration": 300
}
})
)
],
threat_exception=[
ThreatExceptionRequest(
name="exception1",
packet_capture=PacketCapture.single_packet,
action=ActionRequest(root={"allow": {}}),
exempt_ip=[ExemptIpEntry(name="10.0.0.1")]
)
]
)
payload = advanced_profile.model_dump(exclude_unset=True)
response = profile.create(payload)
"name": "advanced-profile",
"folder": "Security",
"cloud_inline_analysis": True,
"rules": [{
"name": "strict-rule",
"severity": ["critical"],
"category": "spyware",
"action": {"block_ip": {"track_by": "source", "duration": 300}}
}],
"threat_exception": [{
"name": "exception1",
"packet_capture": "single-packet",
"action": {"allow": {}},
"exempt_ip": [{"name": "10.0.0.1"}]
}]
}
response = profile.create(advanced_dict)
# Using model directlyfrom scm.models.security import (
ThreatExceptionRequest,
ExemptIpEntry,
PacketCapture
)
advanced_profile = AntiSpywareProfileRequestModel(
name="advanced-profile",
folder="Security",
cloud_inline_analysis=True,
rules=[
RuleRequest(
name="strict-rule",
severity=[Severity.critical],
category=Category.spyware,
action=ActionRequest(root={
"block_ip": {
"track_by": "source",
"duration": 300
}
})
)
],
threat_exception=[
ThreatExceptionRequest(
name="exception1",
packet_capture=PacketCapture.single_packet,
action=ActionRequest(root={"allow": {}}),
exempt_ip=[ExemptIpEntry(name="10.0.0.1")]
)
]
)
payload = advanced_profile.model_dump(exclude_unset=True)
response = profile.create(payload)
Updating a Profile
# Using dictionaryupdate_dict = {
"id": "123e4567-e89b-12d3-a456-426655440000",
"name": "updated-profile",
"description": "Updated profile",
"rules": [{
"name": "updated-rule",
"severity": ["high"],
"category": "dns-security",
"action": {"drop": {}}
}]
}
response = profile.update(update_dict)
# Using model directlyfrom scm.models.security import AntiSpywareProfileUpdateModel
update_profile = AntiSpywareProfileUpdateModel(
id="123e4567-e89b-12d3-a456-426655440000",
name="updated-profile",
description="Updated profile",
rules=[
RuleRequest(
name="updated-rule",
severity=[Severity.high],
category=Category.dns_security,
action=ActionRequest(root={"drop": {}})
)
]
)
payload = update_profile.model_dump(exclude_unset=True)
response = profile.update(payload)
"id": "123e4567-e89b-12d3-a456-426655440000",
"name": "updated-profile",
"description": "Updated profile",
"rules": [{
"name": "updated-rule",
"severity": ["high"],
"category": "dns-security",
"action": {"drop": {}}
}]
}
response = profile.update(update_dict)
# Using model directlyfrom scm.models.security import AntiSpywareProfileUpdateModel
update_profile = AntiSpywareProfileUpdateModel(
id="123e4567-e89b-12d3-a456-426655440000",
name="updated-profile",
description="Updated profile",
rules=[
RuleRequest(
name="updated-rule",
severity=[Severity.high],
category=Category.dns_security,
action=ActionRequest(root={"drop": {}})
)
]
)
payload = update_profile.model_dump(exclude_unset=True)
response = profile.update(payload)