Skip to main content

Download Incident Audit Events



x-prisma-cloud-target-env: {"permission":"monitorRuntimeIncidents","saas":true,"self-hosted":true}
x-public: true

Downloads a list of incidents which are not acknowledged (i.e., not in archived state) in CSV format. Prisma Cloud Compute analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents.

This endpoint maps to the CSV hyperlink in Monitor > Runtime > Incident explorer in the Console UI.

cURL Request

The following cURL command downloads all incidents and saves the result in a CSV file called incidents.csv:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o incidents.csv \

A successful response displays the status of the download.


Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

    search string

    Retrieves the result for a search term.

    sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

    reverse boolean

    Sorts the result in reverse order.

    collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

    provider string[]

    Scopes the query by cloud provider.

    accountIDs string[]

    Filters the result based on cloud account IDs.

    resourceIDs string[]

    Scopes the query by resource ID.

    region string[]

    Scopes the query by cloud region.

    fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

    from date-time

    Filters results from a start datetime.

    to date-time

    Filters results from an end datetime.

    hostname string[]

    Filters results by hostname where the incident occurred.

    category string[]

    Filters results by incident category.

    type string[]

    Filters results by incident type.

    profileID string[]

    Filters results by runtime profile ID.

    acknowledged string

    Filters results by incidents that have been acknowledged.

    cluster string[]

    Filters results by cluster name.

    id string[]

    Filters results by ID.

    appID string[]

    Filters results by app IDs.

    containerID string[]

    Filters results by container IDs.

    functionID string[]

    Filters results by function IDs.

    customRuleName string[]

    Filters results by custom rule names.