Get CNNS Host Audit Events
GET/api/v32.07/audits/firewall/network/host
x-prisma-cloud-target-env: {"permission":"monitorCNNF"}
Retrieves all Cloud Native Network Segmentation (CNNS) host audits.
For hosts, rules are defined between:
- Host to host.
- Host to an external network not protected by Prisma Cloud
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/network/host"
cURL Response
{
"_id": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
"time": "2022-11-08T20:22:52.207Z",
"total": 4,
"resource": {
"hosts": [
"john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
"john-photon-v3-0811t165011-host-def-pre-lngcon230"
],
"accountIDs": [
"twistlock-test-247119"
]
},
"collections": [
"All",
"registry_scan_container_cen8-container_22_11_384_piu",
"photon-v3-host_crn",
"compliance_photon_etz",
"cnnf_cen8_client_itu",
"cnnf_photon_server_fsr"
],
"audits": {
"unexpectedConnection": {
"count": 4,
"audits": [
{
"ruleID": 15,
"time": "2022-11-08T20:22:52.207Z",
"type": "unexpectedConnection",
"srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
"dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
"dstPort": 80,
"block": false,
"count": 1,
"accountID": "twistlock-test-247119"
},
{
"ruleID": 15,
"time": "2022-11-08T20:22:48.175Z",
"type": "unexpectedConnection",
"srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
"dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
"dstPort": 80,
"block": false,
"count": 1,
"accountID": "twistlock-test-247119"
},
{
"ruleID": 15,
"time": "2022-11-08T20:22:46.127Z",
"type": "unexpectedConnection",
"srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
"dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
"dstPort": 80,
"block": false,
"count": 1,
"accountID": "twistlock-test-247119"
},
{
"ruleID": 15,
"time": "2022-11-08T20:22:45.122Z",
"type": "unexpectedConnection",
"srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
"dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
"dstPort": 80,
"block": false,
"count": 1,
"accountID": "twistlock-test-247119"
}
]
}
}
}
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
From is an optional minimum time constraints for the audits.
To is an optional maximum time constraints for the audits.
SrcHostname are the source hostnames filter.
DstHostname are the destination hostnames filter.
Responses
- 200
- default
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- Array [
- ]
- ]
ProfileID is the runtime profile ID.
audits object
Audits is a map from the audit sub-type to the audit events list.
property name* shared.HostNetworkFirewallSubtypeAudits
HostNetworkFirewallSubtypeAudits represents the host network firewall sub type audits per profile
audits object[]
Audits are the host network firewall audits associated with the sub-type, limited to the determined capacity.
AccountID is the host account ID.
Block indicates whether the connection was blocked.
Cluster is the cluster from which the audit originated.
Count is the event occurrences count.
DstHostname is the destination hostname.
DstPort is the connection destination port.
DstSubnet is the destination subnet.
Message is the event message.
RuleID represents the ID of each container network firewall policy rule
ProfileHash represents the profile hash It is allowed to contain up to uint32 numbers, and represented by int64 since mongodb does not support unsigned data types
SrcHostname is the source hostname.
SrcSubnet is the source subnet.
Time is the UTC time of the audit event.
Possible values: [unexpectedConnection]
NetworkFirewallAttackType is the network firewall type of attack
Count is the total count of the sub-type audits.
Cluster is the cluster from which the audit originated.
Collections are collections to which this audit applies.
ImageName is the container image name.
Label represents the container deployment label.
OS is the operating system distribution.
resource object
RuntimeResource represents on which resource in the system a rule applies (e.g., specific host or image) Empty resource or wildcard (*) represents all resources of a given type
List of account IDs.
List of application IDs.
List of Kubernetes cluster names.
List of containers.
List of functions.
List of hosts.
List of images.
List of labels.
List of Kubernetes namespaces.
Time is the UTC time of the last audit event.
Total is the total count of audits per runtime profile.
[
{
"_id": "string",
"audits": {},
"cluster": "string",
"collections": [
"string"
],
"imageName": "string",
"label": "string",
"os": "string",
"resource": {
"accountIDs": [
"string"
],
"appIDs": [
"string"
],
"clusters": [
"string"
],
"containers": [
"string"
],
"functions": [
"string"
],
"hosts": [
"string"
],
"images": [
"string"
],
"labels": [
"string"
],
"namespaces": [
"string"
]
},
"time": "2024-07-29T15:51:28.071Z",
"total": 0
}
]