Download Incident Audit Events
Downloads a list of incidents which are not acknowledged (i.e., not in archived state) in CSV format. Prisma Cloud Compute analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents.
This endpoint maps to the CSV hyperlink in Monitor > Runtime > Incident explorer in the Console UI.
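The following cURL command downloads all incidents and saves the result in a CSV file called incidents.csv. The -k option turns off TLS certificate verification; leave it out when the client already trusts the Console's certificate.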
$ curl -k \
  -u <USER> \
  -H 'Content-Type: text/csv' \
  -X GET \
  -o incidents.csv \
  "<ENDPOINT_URL>"
A successful response displays the status of the download.
Offsets the result to a specific report count. Offset starts from 0.
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
Retrieves the result for a search term.
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
Sorts the result in reverse order.
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
Scopes the query by cloud provider.
Filters the result based on cloud account IDs.
Scopes the query by resource ID.
Scopes the query by cloud region.
Retrieves only the fields that you need in a report. Provide a list of the fields you want to retrieve. By default, the result shows all fields of data.
Filters results from a start datetime.
Filters results up to an end datetime.
Filters results by hostname where the incident occurred.
Filters results by incident category.
Filters results by incident type.
Filters results by runtime profile ID.
Filters results by incidents that have been acknowledged.
Filters results by cluster name.
Filters results by ID.
Filters results by app IDs.
Filters results by container IDs.
Filters results by function IDs.
Filters results by custom rule names.
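The offset and page-size descriptions above imply that a full export has to be fetched in pages and stitched together. The following Python code is an added example, not taken from the Prisma Cloud documentation: it assumes the query parameters are named `offset` and `limit` and that every page is CSV with its own header row. `fetch_page` is a hypothetical transport hook, and `fake_console` is a constructed in-memory stand-in with made-up column names so the example runs offline.

```python
import csv
import io
from typing import Callable

# Page-size ceilings and default as stated on this page.
MAX_LIMIT = {"PCCE": 250, "PCEE": 50}
DEFAULT_LIMIT = 50


def clamp_limit(edition: str, requested: int = DEFAULT_LIMIT) -> int:
    """Keep the page size within the edition's documented maximum."""
    if requested < 1:
        raise ValueError("limit must be at least 1")
    return min(requested, MAX_LIMIT[edition])


def download_all(fetch_page: Callable[[dict], str], edition: str,
                 limit: int = DEFAULT_LIMIT, **filters) -> list:
    """Walk offset/limit pages until a short (or empty) page ends the export.

    fetch_page(params) -> CSV text is a hypothetical hook, for example a
    wrapper around an authenticated HTTPS GET with certificate checks on.
    """
    limit = clamp_limit(edition, limit)
    offset, rows = 0, []                      # offset starts from 0
    while True:
        params = {**filters, "offset": offset, "limit": limit}
        # DictReader consumes each page's header row, so headers never
        # end up duplicated in the merged result.
        page = list(csv.DictReader(io.StringIO(fetch_page(params))))
        rows.extend(page)
        if len(page) < limit:                 # also covers a header-only page
            return rows
        offset += limit


def fake_console(total: int) -> Callable[[dict], str]:
    """Constructed stand-in for the Console serving `total` sample rows."""
    def fetch_page(params: dict) -> str:
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["ID", "Hostname"])   # constructed column names
        start = params["offset"]
        for i in range(start, min(start + params["limit"], total)):
            writer.writerow([f"inc-{i}", f"host-{i % 3}"])
        return buf.getvalue()
    return fetch_page
```

When the incident count is an exact multiple of the page size, the loop issues one extra request that returns only a header, which is how it detects the end.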