
Get WAAS Container Audit Events

GET 

/api/v30.00/audits/firewall/app/container

x-prisma-cloud-target-env: {"permission":"monitorWAAS","saas":true,"self-hosted":true}
x-public: true

Retrieves all container Web-Application and API Security (WAAS) audits.

Note: These audit events relate to violations of WAAS policies defined under Defend > WAAS > Container > Container WAAS Policy.

cURL Request

Refer to the following example cURL command that retrieves all container WAAS audit events:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/app/container"

cURL Response

[
  {
    "_id": "636aa20ca5eab1d485abc519",
    "profileId": "sha256:a9301dac5a66b3f54a324b9ee737c64a1cc68d2186d8082df82755fb6d551a06_waas_k8s-v1-23-13-docker-20-10-21-kube-ssugandh-2b19f07bd1e31534",
    "time": "2022-11-08T18:38:04Z",
    "hostname": "kube-ssugandh-2b19f07bd1e31534-k8s-worker-1",
    "fqdn": "",
    "effect": "alert",
    "ruleName": "k8s-7878_384_kubernetes",
    "ruleAppID": "zhdmrlnr",
    "msg": "Detected Local File Inclusion attack in request body, match ../, value ../../",
    "host": false,
    "containerName": "/k8s_mock-web-service-36666_mock-web-service-32001_waas_52d3dccd-44b4-48fa-b149-60835b47c614_0",
    "containerId": "22c03ede91779978eb664c03189e3b69432e754b984dd9be203e7567fc6461ba",
    "imageName": "doctwistlock/waas-mock-service:latest",
    "appID": "",
    "type": "lfi",
    "count": 1,
    "region": "us-central1-a",
    "version": "22.11.384",
    "accountID": "twistlock-test-247119",
    "url": "10.180.31.40:32001/",
    "userAgentHeader": "python-requests/2.27.1",
    "method": "POST",
    "urlPath": "/",
    "subnet": "10.180.31.40",
    "requestHeaders": "POST / HTTP/1.1\r\nHost: 10.180.31.40:32001\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n",
    "requestHost": "10.180.31.40:32001",
    "requestHeaderNames": [
      "Accept",
      "Accept-Encoding",
      "Connection",
      "Content-Length",
      "User-Agent"
    ],
    "responseHeaderNames": [
      "Content-Length",
      "Content-Type",
      "Date",
      "Server"
    ],
    "statusCode": 404,
    "collections": [
      "All",
      "Prisma Cloud resources"
    ],
    "os": "Ubuntu 20.04.5 LTS",
    "ns": [
      "waas"
    ],
    "resource": {
      "images": [
        "doctwistlock/waas-mock-service:latest"
      ],
      "namespaces": [
        "waas"
      ],
      "accountIDs": [
        "twistlock-test-247119"
      ]
    },
    "cluster": "k8s-v1-23-13-docker-20-10-21-kube-ssugandh-2b19f07bd1e31534",
    "attackTechniques": [
      "exploitPublicFacingApplication",
      "applicationExploitRCE"
    ],
    "protection": "firewall",
    "attackField": {
      "value": "../../",
      "type": "rawBody"
    },
    "eventID": "dc2fb804-27b1-40f4-6b73-ae54783c548a",
    "provider": "gcp"
  },
  ...
]
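The event above carries everything an analyst needs for triage, but two fields need work before they are useful: `requestHeaders` is a raw CRLF-separated string rather than a map, and `effect` must be read together with `statusCode` to know whether the request actually reached the application. The following Python is an added example, not code from the Prisma Cloud documentation or product; it embeds a constructed copy of the sample audit (same shape, shortened), parses the raw header block, and reduces the audit to a normalized triage record. The `BLOCKING_EFFECTS` set and the `needs_followup` rule are this example's own assumptions about how to prioritize, not product behaviour.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the cURL response above (not a real event).
SAMPLE_AUDIT = {
    "_id": "636aa20ca5eab1d485abc519",
    "time": "2022-11-08T18:38:04Z",
    "hostname": "kube-ssugandh-2b19f07bd1e31534-k8s-worker-1",
    "effect": "alert",
    "ruleName": "k8s-7878_384_kubernetes",
    "msg": "Detected Local File Inclusion attack in request body, match ../, value ../../",
    "imageName": "doctwistlock/waas-mock-service:latest",
    "type": "lfi",
    "count": 1,
    "url": "10.180.31.40:32001/",
    "method": "POST",
    "urlPath": "/",
    "subnet": "10.180.31.40",
    "requestHeaders": (
        "POST / HTTP/1.1\r\nHost: 10.180.31.40:32001\r\nAccept: */*\r\n"
        "Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n"
        "Content-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n"
    ),
    "statusCode": 404,
    "ns": ["waas"],
    "cluster": "k8s-v1-23-13-docker-20-10-21-kube-ssugandh-2b19f07bd1e31534",
    "attackTechniques": ["exploitPublicFacingApplication", "applicationExploitRCE"],
    "protection": "firewall",
    "attackField": {"value": "../../", "type": "rawBody"},
    "eventID": "dc2fb804-27b1-40f4-6b73-ae54783c548a",
    "provider": "gcp",
}

# Assumption for this example: only these effects stop the request;
# "alert" (and "allow"/"disable") let it through to the application.
BLOCKING_EFFECTS = {"ban", "prevent"}


def parse_request_headers(raw):
    """Split the raw requestHeaders string into (request line, {name: value}).

    Header names are lower-cased so lookups are case-insensitive; blank
    trailing segments from the final CRLF are ignored.
    """
    lines = raw.split("\r\n")
    request_line = lines[0] if lines else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return request_line, headers


def summarize_audit(audit):
    """Reduce one WAAS audit to the fields an analyst triages on."""
    request_line, headers = parse_request_headers(audit.get("requestHeaders", ""))
    field = audit.get("attackField") or {}
    time = datetime.strptime(audit["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "event_id": audit["eventID"],
        "time": time,
        "attack_type": audit["type"],
        "blocked": audit["effect"] in BLOCKING_EFFECTS,
        "techniques": list(audit.get("attackTechniques", [])),
        # Where in the request the match was found, e.g. rawBody='../../'
        "location": f"{field.get('type')}={field.get('value')!r}",
        "request": request_line,
        "source": audit.get("subnet"),
        "target": f"{audit['cluster']}/{'/'.join(audit.get('ns', []))}/{audit['imageName']}",
        "status_code": audit.get("statusCode"),
        "host_header": headers.get("host"),
        "header_count": len(headers),
    }


def needs_followup(summary):
    """Example prioritization rule: an unblocked attack that the application
    answered successfully (2xx/3xx) deserves a look; a 4xx/5xx means the
    request was rejected downstream anyway."""
    code = summary["status_code"] or 0
    return not summary["blocked"] and code < 400


if __name__ == "__main__":
    s = summarize_audit(SAMPLE_AUDIT)
    print(s["attack_type"], s["location"], "blocked" if s["blocked"] else "alert-only",
          "follow up" if needs_followup(s) else "rejected by app")
```

The sample event is `alert`-only but the application answered 404, so `needs_followup` returns false; the same event with a 200 would be flagged.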

Request

Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

    search string

    Retrieves the result for a search term.

    sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

    reverse boolean

    Sorts the result in reverse order.

    collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

    provider string[]

    Scopes the query by cloud provider.

    accountIDs string[]

    Filters the result based on cloud account IDs.

    resourceIDs string[]

    Scopes the query by resource ID.

    region string[]

    Scopes the query by cloud region.

    fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

    from date-time

    From is an optional minimum time constraint for the audit.

    to date-time

    To is an optional maximum time constraint for the audit.

    imageName string[]

    Images is the image names filter.

    containerName string[]

    Containers is the container names filter.

    hostname string[]

    Hosts is the hostnames filter.

    ruleName string[]

    RuleNames is the rule names filter.

    type string[]

    Types is the firewall audit type filter.

    effect string

    Effect is used to filter by runtime audit effect.

    ruleAppID string[]

    RuleAppIDs is the rule app IDs filter.

    function string[]

    FunctionName is used to filter by function name.

    runtime string[]

    Runtime is used to filter by runtime.

    ns string[]

    Namespaces is the list of namespaces to use for filtering.

    appID string[]

    AppIDs is the app embedded appID filter.

    subnet string[]

    Subnets is the source IPs filter.

    connectingIPs string[]

    ConnectingIPs is the connecting IPs filter.

    country string[]

    Countries is the source IP country filter.

    userAgentHeader string[]

    UserAgents is the user agent header filter.

    url string[]

    URLs is the URL filter.

    requestHost string[]

    RequestHosts is the request host filter.

    urlPath string[]

    Paths is the URL path filter.

    urlQuery string[]

    Queries is the URL query filter.

    method string[]

    Methods is the request method filter.

    requestHeaderNames string[]

    RequestHeaderNames is the request header names filter.

    os string[]

    OS is the OS filter.

    msg string[]

    Messages is the audit message text filter.

    cluster string[]

    Cluster is the audit cluster filter.

    attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

    aggregate boolean

    Aggregate indicates whether the result audits should be aggregated according to the Select field.

    protection string[]

    Protections is the firewall audit protection type filter.

    eventID string[]

    EventID is the event IDs filter.

    owaspTop10 string[]

    OWASPTop10 is the OWASP top 10 filter.

    owaspAPITop10 string[]

    OWASPAPITop10 is the OWASP API top 10 filter.
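Because `limit` is capped per edition (250 for PCCE, 50 for PCEE) and `offset` starts at 0, pulling a full day of audits means walking pages until a short page comes back. The Python below is an added example, not Prisma Cloud's own client code: `build_query` turns a filter dict into the query string for this endpoint (rendering `from`/`to` as RFC 3339 UTC and booleans as `true`/`false`), and `iter_audits` pages through results with an injected `get_page` callable so the example runs offline against a constructed fake server. Encoding array filters as repeated keys (`type=lfi&type=sqli`) is an assumption of this example; check the encoding your Console version accepts.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

# Documented page-size caps for the 'limit' parameter, per edition.
MAX_LIMIT = {"PCCE": 250, "PCEE": 50}
DEFAULT_LIMIT = 50


def limit_is_valid(edition, limit):
    """True when 'limit' is within 1..cap for the given edition."""
    return 0 < limit <= MAX_LIMIT[edition]


def _render(value):
    """Render one filter value in the form the query string expects."""
    if isinstance(value, datetime):
        if value.tzinfo is None:
            raise ValueError("from/to must be timezone-aware")
        return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    if isinstance(value, bool):
        return "true" if value else "false"
    return value  # str, int, or list of str (repeated keys; assumption)


def build_query(filters, edition="PCEE", offset=0, limit=None):
    """Build the query string for GET /audits/firewall/app/container."""
    limit = DEFAULT_LIMIT if limit is None else limit
    if not limit_is_valid(edition, limit):
        raise ValueError(f"limit must be in 1..{MAX_LIMIT[edition]} for {edition}")
    if offset < 0:
        raise ValueError("offset starts at 0")
    params = {"offset": offset, "limit": limit}
    for key, value in (filters or {}).items():
        params[key] = _render(value)
    # doseq=True emits list values as repeated keys.
    return urlencode(params, doseq=True)


def iter_audits(get_page, edition="PCEE", filters=None, page_size=None):
    """Yield every audit matching 'filters', paging by offset.

    get_page(query_string) -> list of audits. It is injected so the paging
    logic can be tested offline; in production it would perform the HTTPS GET
    against https://<CONSOLE>/api/v<VERSION>/audits/firewall/app/container.
    Stops on the first page shorter than the page size.
    """
    cap = MAX_LIMIT[edition]
    limit = min(page_size or cap, cap)
    offset = 0
    while True:
        page = get_page(build_query(filters, edition, offset, limit))
        yield from page
        if len(page) < limit:
            return
        offset += limit


def make_fake_server(total):
    """Constructed stand-in for the Console: serves 'total' dummy audits and
    records every query string it was asked for."""
    calls = []

    def get_page(query_string):
        calls.append(query_string)
        q = parse_qs(query_string)
        offset, limit = int(q["offset"][0]), int(q["limit"][0])
        return [{"_id": f"constructed-{i}", "type": "lfi"}
                for i in range(offset, min(offset + limit, total))]

    return get_page, calls


if __name__ == "__main__":
    get_page, calls = make_fake_server(120)
    window = {"from": datetime(2022, 11, 8, tzinfo=timezone.utc),
              "type": ["lfi", "sqli"], "reverse": True}
    audits = list(iter_audits(get_page, edition="PCEE", filters=window))
    print(len(audits), "audits in", len(calls), "requests")
    print(calls[0])
```

For a self-hosted (PCCE) Console the same loop makes five times fewer requests; pass `edition="PCCE"` and the page size is capped at 250 instead of 50.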

Responses

Schema
  • Array [
  • _id string

    ID is the internal ID representation.

    accountID string

    AccountID is the cloud account ID where the audit was generated.

    appID string

    AppID is the application ID.

    attackField object

    HTTPField is used to perform checks on flags and fields.

    key string

    Key is the key of the field, if exists (e.g. header and cookie).

    type waas.HTTPFieldType

    Possible values: [method,xmlBody,jsonBody,formBody,multipartBody,rawBody,protobufBody,query,queryParamName,cookie,header,url]

    HTTPFieldType indicates the type of HTTP field.

    value string

    Value is the value of the field, if exists.

    attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    AttackTechniques are the MITRE attack techniques.

    cluster string

    Cluster is the cluster on which the audit was originated.

    collections string[]

    Collections are collections to which this audit applies.

    connectingIPs string[]

    ConnectingIPs are the request's connecting IPs, such as proxy and load balancer addresses.

    containerId string

    ContainerID is the firewall container ID.

    containerName string

    ContainerName is the firewall container name.

    count integer

    Count is the number of audit occurrences.

    country string

    Country is the source IP country.

    effect waas.Effect

    Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]

    Effect is the effect that will be used in the rule.

    eventID string

    EventID is the event identifier of the audit relevant request.

    fqdn string

    FQDN is the current hostname's FQDN.

    function string

    Function is the name of the serverless function that caused the audit.

    functionID string

    FunctionID is the ID of the function called.

    host boolean

    Host indicates that this audit is for a host firewall, an out-of-band firewall, or an agentless firewall.

    hostname string

    Hostname is the current hostname.

    imageName string

    ImageName is the firewall image name.

    labels object

    Labels are the custom labels associated with the container.

    property name* string

    method string

    HTTPMethod is the request HTTP method.

    msg string

    Message is the blocking message text.

    ns string[]

    Namespaces are the k8s namespaces.

    os string

    OS is the operating system distribution.

    owaspAPITop10 waas.OWASPAPITop10

    Possible values: [excessiveDataExposure,lackOfResources&RateLimiting,brokenFunctionLevelAuthorization,securityMisconfiguration,injection]

    OWASPAPITop10 represents OWASP API top 10 attacks.

    owaspTop10 waas.OWASPTop10

    Possible values: [brokenAccessControl,cryptographicFailures,injection,insecureDesign]

    OWASPTop10 represents OWASP top 10 attacks.

    profileId string

    ProfileID is the profile of the audit.

    protection waas.Protection

    Possible values: [firewall,dos,bot,custom,accessControl]

    Protection is the type of protection.

    provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider represents the cloud provider.

    rawEvent string

    RawEvent contains unparsed function handler event input.

    region string

    Region is the name of the region in which the serverless function is located.

    requestHeaderNames string[]

    RequestHeaderNames are the request header names.

    requestHeaders string

    RequestHeaders represent the request headers.

    requestHost string

    RequestHost is the request host.

    requestID string

    RequestID is the Lambda function invocation request ID.

    resource object

    RuntimeResource represents the resource in the system to which a rule applies (e.g., a specific host or image). An empty resource or a wildcard (*) represents all resources of a given type.

    accountIDs string[]

    List of account IDs.

    appIDs string[]

    List of application IDs.

    clusters string[]

    List of Kubernetes cluster names.

    codeRepos string[]

    List of code repositories.

    containers string[]

    List of containers.

    functions string[]

    List of functions.

    hosts string[]

    List of hosts.

    images string[]

    List of images.

    labels string[]

    List of labels.

    namespaces string[]

    List of Kubernetes namespaces.

    responseHeaderNames string[]

    ResponseHeaderNames are the response header names.

    ruleAppID string

    RuleAppID is the ID of the rule's app that was applied.

    ruleName string

    RuleName is the name of the rule that was applied.

    runtime shared.LambdaRuntimeType

    Possible values: [python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7]

    LambdaRuntimeType represents the runtime type of the serverless function. The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime

    statusCode integer

    StatusCode is the response status code.

    subnet string

    Subnet is the source IP subnet.

    time date-time

    Time is the UTC time of the audit event.

    type waas.AttackType

    Possible values: [xss,sqli,cmdi,lfi,codeInjection,deniedIP,deniedCountry,header,violationsExceeded,attackTools,shellshock,disallowedFile,malformedRequest,inspectionLimitExceeded,informationLeak,unexpectedAPI,dos,searchEngineCrawler,businessAnalyticsBot,educationalBot,newsBot,financialBot,contentFeedClient,archivingBot,careerSearchBot,mediaSearchBot,genericBot,webAutomationTool,webScraper,apiLibrary,httpLibrary,sessionValidation,javascriptTimeout,missingCookie,browserImpersonation,botImpersonation,requestAnomalies,userDefinedBot,recaptchaRequired,recaptchaVerificationFailed,customRule]

    AttackType is the type of the attack.

    url string

    URL is the request's full URL (partial on the server side: path and query only).

    urlPath string

    URLPath is the request's URL path.

    urlQuery string

    URLQuery is the request's URL query.

    userAgentHeader string

    UserAgentHeader is the request's User-Agent header.

    version string

    Version is the defender version.

  • ]