Get Runtime File Integrity Audit Events



x-prisma-cloud-target-env: {"permission":"monitorRuntimeHosts","saas":true,"self-hosted":true}
x-public: true

Retrieves all audit events for file-integrity checks that are configured under host runtime rules.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \

cURL Response

"_id": "63762bc3b2a8e98a1c36a9e6",
"eventType": "read",
"path": "/etc/user/user",
"fileType": 2,
"processName": "cat",
"user": "ubuntu",
"time": "2022-11-17T12:40:35.046Z",
"description": "Process cat read from path (user: ubuntu)",
"hostname": "ip-172-31-9-109.ec2.internal",
"fqdn": "",
"ruleName": "user-host-arm",
"accountID": "496947949261",
"collections": [
"cluster": ""


Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

    search string

    Retrieves the result for a search term.

    sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

    reverse boolean

    Sorts the result in reverse order.

    collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

    provider string[]

    Scopes the query by cloud provider.

    accountIDs string[]

    Filters the result based on cloud account IDs.

    resourceIDs string[]

    Scopes the query by resource ID.

    region string[]

    Scopes the query by cloud region.

    fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

    id string[]

    IDs is the list of IDs to use for filtering.

    from date-time

    From is an optional minimum time constraint for the event.

    to date-time

    To is an optional maximum time constraint for the event.

    hostname string[]

    Hosts is the list of hosts to use for filtering.

    path string[]

    Paths is the list of paths to use for filtering.

    eventType string[]

    EventTypes is the list of file integrity events to use for filtering.

    cluster string[]

    Clusters is the cluster filter.


  • Array [
  • _id string

    ID is the activity's unique identifier.

    accountID string

    AccountID is the cloud account ID.

    cluster string

    Cluster is the cluster on which the event was found.

    collections string[]

    Collections are collections to which this event applies.

    description string

    Description is a human readable description of the action performed on the path.

    eventType shared.FileIntegrityEventType

    Possible values: [metadata,read,write]

    FileIntegrityEventType represents the type of the file integrity event

    fileType runtime.FSFileType

    FSFileType represents the file type

    fqdn string

    FQDN is the current fully qualified domain name used in audit alerts.

    hostname string

    Hostname is the hostname on which the event was found.

    metadata object

    FileMetadata represents the metadata of a single file/directory

    gid integer

    GID is the ID of the group that owns the file/directory.

    permissions integer

    Permissions are the file/directory permission bits.

    uid integer

    UID is the ID of the user that owns the file/directory.

    path string

    Path is the absolute path of the event.

    processName string

    ProcessName is the name of the process that initiated the event.

    ruleName string

    RuleName is the name of the applied rule for auditing file integrity rules.

    time date-time

    Time is the time of the event.

    user string

    User is the user that initiated the event.

  • ]
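
The following is an added example, not part of the Prisma Cloud documentation: it pages through the results with the offset and limit query parameters and tallies write and metadata events per file from the response fields described above. The names fetch_page, iter_events, modifications_by_path and make_fake_api are hypothetical, the sample events are constructed, and treating a short or null page as the end of the results is an assumption.

```python
from collections import Counter

def iter_events(fetch_page, limit=50, **filters):
    """Walk offset/limit pages until a short (or empty/null) page comes back.

    fetch_page is a caller-supplied function (hypothetical) that sends the
    GET request with the given query parameters and returns the decoded JSON
    array, or None when the response body is null.
    """
    offset = 0
    while True:
        page = fetch_page({**filters, "offset": offset, "limit": limit}) or []
        yield from page
        if len(page) < limit:   # short page: assumed to mean no more results
            return
        offset += len(page)     # offset starts from 0 and counts events

def modifications_by_path(events):
    """Count write/metadata events per (hostname, path, user, processName)."""
    counts = Counter()
    for e in events:
        if e.get("eventType") in ("write", "metadata"):
            key = (e.get("hostname"), e.get("path"),
                   e.get("user"), e.get("processName"))
            counts[key] += 1
    return counts

def make_fake_api(total):
    """Constructed stand-in for the endpoint; the events are not real audits."""
    store = [{"_id": str(i), "eventType": ("read", "write", "metadata")[i % 3],
              "path": "/etc/passwd" if i % 2 else "/etc/hosts",
              "hostname": "host-a", "user": "ubuntu", "processName": "vi"}
             for i in range(total)]
    calls = []
    def fetch_page(params):
        calls.append(dict(params))
        wanted = params.get("eventType")
        rows = [e for e in store if not wanted or e["eventType"] in wanted]
        return rows[params["offset"]:params["offset"] + params["limit"]] or None
    return fetch_page, calls

if __name__ == "__main__":
    fetch, calls = make_fake_api(120)
    events = list(iter_events(fetch, limit=50, eventType=["write", "metadata"]))
    print(len(events), "events in", len(calls), "requests")
    for key, n in modifications_by_path(events).most_common():
        print(n, key)
```

Keep limit at or below the maximum stated for your edition (250 for PCCE, 50 for PCEE); the loop relies on a full page meaning more results may follow.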