Get Runtime Container Audit Events for a Timeframe
Retrieves the container audit events when a runtime sensor such as process, network, file system, or system call detects an activity that deviates from the predictive model for a specific time frame.
Note: In Console, you can view the same under Monitor > Events > Container Audits.
Use the following mandatory query parameters to fetch results:
- from: Specifies the start time in UTC standard of the time period for which the audit events are returned.
- to: Specifies the end time in UTC standard of the time period for which the audit events are returned.
- buckets: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Query within the range of 1-100.
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
- start: Specifies the start time of the bucket in date-time UTC format.
- end: Specifies the end time of the bucket in date-time UTC format.
- count: Specifies the number of audit occurrences.
Offsets the result to a specific report count. Offset starts from 0.
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
Retrieves the result for a search term.
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
Sorts the result in reverse order.
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
Scopes the query by cloud provider.
Filters the result based on cloud account IDs.
Scopes the query by resource ID.
Scopes the query by cloud region.
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
IDs are the audit IDs to filter.
ProfileIDs are the profile IDs to filter.
From is an optional minimum time constraints for the audit.
To is an optional maximum time constraints for the audit.
Time is used to filter by audit time.
ImageNames is the image name filter.
Containers is the container name filter.
ContainerID is used to filter by container ID.
RuleNames is used to filter by rule name.
Types is used to filter by runtime audit type.
Effect is used to filter by runtime audit effect (e.g., block/alert).
Users is used to filter by host users.
OS is the image OS distro filter.
Namespaces is the namespaces filter.
Clusters is the cluster filter.
AttackTypes is used to filter by runtime audit attack type.
Hostname is the hostname filter.
Message is the audit message text filter.
Interactive is the audit interactive filter.
Function is used to filter by function name.
Runtime is used to filter by runtime.
AttackTechniques are the MITRE attack techniques.
App is the name constraint of the service that triggered the audit.
ProcessPath is the path constraint of the process that triggered the audit.
RequestID is used to filter by request ID.
FunctionID is used to filter by function ID.
Aggregate indicates whether the result audits should be aggregated according to the Select field.
AppID is used to filter by embedded app or Fargate task that triggered the audit.
Buckets is the number of buckets to return.
- Example (from schema)
- Array [
Count is the number of audit occurrences.
End is the end time of the bucket.
Start is the start time of the bucket.