
Get Admission Audit Events

GET 

/api/v30.03/audits/admission

x-prisma-cloud-target-env: {"permission":"monitorAccessKubernetes","saas":true,"self-hosted":true}
x-public: true

Returns all activities that were alerted or blocked by Defender functioning as an Open Policy Agent admission controller.

cURL Request

Refer to the following example cURL command that gives a list of all admission audit events:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/admission"

cURL response

{
"time": "2022-11-24T13:46:37.057Z",
"ruleName": "Twistlock Labs - CIS - Pod created in host process ID namespace",
"message": "Pod created in host process ID namespace",
"operation": "CREATE",
"kind": "Pod",
"resource": "pods",
"username": "kubernetes-admin",
"userUid": "aws-iam-authenticator:496947949261:AIDAXHNDH53GRQMZMIOQT",
"userGroups": "system:masters, system:authenticated",
"namespace": "default",
"effect": "alert",
"rawRequest": "{\"uid\":\"78d11e35-14ab-4b19-b3d3-a97b4252b56f\",\"kind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"resource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"requestKind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"requestResource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"name\":\"nginx2\",\"namespace\":\"default\",\"operation\":\"CREATE\",\"userInfo\":{\"username\":\"kubernetes-admin\",\"uid\":...
...
...
...
}",
"accountID": "496947949261",
"collections": [
"All"
],
"cluster": "johndoe-eks-123",
"attackTechniques": [
"privilegedContainer"
]
}

Request

Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

    search string

    Retrieves the result for a search term.

    sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

    reverse boolean

    Sorts the result in reverse order.

    collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

    provider string[]

    Scopes the query by cloud provider.

    accountIDs string[]

    Filters the result based on cloud account IDs.

    resourceIDs string[]

    Scopes the query by resource ID.

    region string[]

    Scopes the query by cloud region.

    fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

    from date-time

From is an optional minimum time constraint for the activity.

    to date-time

To is an optional maximum time constraint for the activity.

    namespace string[]

    Namespaces is the list of namespaces to use for filtering.

    operation string[]

    Operations is the list of operations to use for filtering.

    cluster string[]

Clusters is the list of clusters to use for filtering.

    attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

Responses

Schema
  • Array [
  • accountID string

    AccountID is the cloud account ID.

    attackTechniques mitre.Technique (string)[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    AttackTechniques are the MITRE attack techniques.

    cluster string

    Cluster is the cluster where the audit took place.

    collections string (string)[]

    Collections are collections to which this audit applies.

    effect string

    Effect is the rule effect which was applied to the review which led to this audit.

    kind string

    Kind is the type of object being manipulated. For example: Pod.

    message string

    Message is the rule user defined message which appears on audit.

    namespace string

    Namespace is the namespace associated with the request (if any).

    operation string

    Operation is the operation being performed.

    rawRequest string

    RawRequest is the original review request that caused this audit.

    resource string

    Resource is the name of the resource being requested. This is not the kind. For example: pods.

    ruleName string

    RuleName is the name of the rule which issued this audit.

    time date-time

    Time is the time at which the audit was generated.

    userGroups string

UserGroups are the names of the groups this user is a part of.

    userUid string

    UserUID is a unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.

    username string

    Username is the name that uniquely identifies this user among all active users.

  • ]
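The following is an added example, not Prisma Cloud's own client code, that exercises the query parameters and the response schema above: it pages through the endpoint with offset/limit at the PCEE maximum of 50, passes list-valued filters as repeated query keys, and summarises the returned events by effect, MITRE technique and requesting user for triage. The console, user and password are placeholders, and the sample events are constructed in the shape of the response shown above.

```python
import base64, json, urllib.request
from collections import Counter
from urllib.parse import urlencode

PAGE_SIZE = 50  # PCEE maximum page size; PCCE allows up to 250

def query_params(offset, limit=PAGE_SIZE, **filters):
    """Query values for one page; list filters (namespace, cluster, ...) stay lists for doseq encoding."""
    return {"offset": offset, "limit": limit, **{k: v for k, v in filters.items() if v is not None}}

def make_fetcher(console, user, password, version="30.03"):
    """Returns a GET /api/v<version>/audits/admission caller using basic auth (console/user/password are placeholders)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def fetch(params):
        url = f"https://{console}/api/v{version}/audits/admission?{urlencode(params, doseq=True)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req) as resp:  # default TLS verification kept (the curl above uses -k)
            return json.load(resp) or []
    return fetch

def iter_audits(fetch, **filters):
    """Walk every page: offset counts records, so stop at the first page shorter than PAGE_SIZE."""
    offset = 0
    while True:
        page = fetch(query_params(offset, PAGE_SIZE, **filters))
        yield from page
        if len(page) < PAGE_SIZE:
            return
        offset += PAGE_SIZE

def summarize(audits):
    """Counts by effect, MITRE technique and requester (from rawRequest, the original AdmissionReview; falls back to username if truncated)."""
    audits = list(audits)
    by_user = Counter()
    for a in audits:
        try:
            by_user[json.loads(a["rawRequest"])["userInfo"]["username"]] += 1
        except (KeyError, TypeError, ValueError):
            by_user[a.get("username", "<unknown>")] += 1
    return {"by_effect": dict(Counter(a.get("effect") for a in audits)), "by_user": dict(by_user),
            "by_technique": dict(Counter(t for a in audits for t in a.get("attackTechniques", [])))}

# Constructed sample events in the shape of the response above (not real data).
SAMPLE_AUDITS = [
    {"ruleName": "CIS - Pod created in host process ID namespace", "effect": "alert", "namespace": "default", "username": "kubernetes-admin",
     "attackTechniques": ["privilegedContainer"], "rawRequest": json.dumps({"operation": "CREATE", "userInfo": {"username": "kubernetes-admin"}})},
    {"ruleName": "Block privileged containers", "effect": "block", "namespace": "prod", "username": "ci-deployer",
     "attackTechniques": ["privilegedContainer", "writableVolumes"], "rawRequest": '{"uid":"1234","userInfo":{"username":"ci-deployer"...'},  # truncated, like the page's sample
]
```

Against a live Console, `summarize(iter_audits(make_fetcher("<CONSOLE>", "<USER>", "<PASSWORD>"), namespace=["default"]))` walks all pages for that namespace; the test below drives the same paging loop with the constructed sample.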