Get WAAS App-embedded Audit Events for a Timeframe
Returns the app-embedded WAAS audit buckets based on the query time frame. Use the UTC time of an audit event to query for a time frame.
Note: These audit events relate to violations of WAAS policies defined under Defend > WAAS > App-Embedded > App-Embedded WAAS Policy.
Use the following mandatory query parameters to fetch results:
- from: Specifies the start time in UTC standard of the time period for which the audit events are returned.
- to: Specifies the end time in UTC standard of the time period for which the audit events are returned.
- buckets: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Values in the range 1-100 are accepted.
Refer to the following example cURL command that retrieves the app-embedded WAAS audit buckets of five between 15 Nov. 2022 (15h:23m:57s) and 16 Nov. 2022 (15h:23m:57s):
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
- start: Specifies the start time of the bucket in date-time UTC format.
- end: Specifies the end time of the bucket in date-time UTC format.
- count: Specifies the number of audit occurrences.
Offsets the result to a specific report count. Offset starts from 0.
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
Retrieves the result for a search term.
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
Sorts the result in reverse order.
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
Scopes the query by cloud provider.
Filters the result based on cloud account IDs.
Scopes the query by resource ID.
Scopes the query by cloud region.
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
From is an optional minimum time constraints for the audit.
To is an optional maximum time constraints for the audit.
Images is the image names filter.
Containers is the container names filter.
Hosts is the hostnames filter.
RuleNames is the rule names filter.
Types is the firewall audit type filter.
Effect is used to filter by runtime audit effect.
RuleAppIDs is the rule app IDs filter.
FunctionName is used to filter by function name.
Runtime is used to filter by runtime.
Namespaces is the list of namespaces to use for filtering.
AppIDs is the app embedded appID filter.
Subnets is the source IPs filter.
ConnectingIPs is the connecting IPs filter.
Countries is the source IP country filter.
UserAgents is the user agent header filter.
URLs is the URL filter.
RequestHosts is the request host filter.
Paths is the URL path filter.
Queries is the URL query filter.
Methods is the request method filter.
RequestHeaderNames is the request header names filter.
OS is the OS filter.
Messages is the audit message text filter.
Cluster is the audit cluster filter.
AttackTechniques are the MITRE attack techniques.
Aggregate indicates whether the result audits should be aggregated according to the Select field.
Protections is the firewall audit protection type filter.
EventID is the event IDs filter.
OWASPTop10 is the OWASP top 10 filter.
OWASPAPITop10 is the OWASP API top 10 filter.
Buckets is the number of buckets to return.
- Example (from schema)
- Array [
Count is the number of audit occurrences.
End is the end time of the bucket.
Start is the start time of the bucket.