Get Runtime App-embedded Audit Events

GET 
/api/v32.07/audits/runtime/app-embedded

x-prisma-cloud-target-env: {"permission":"monitorRuntimeServerless"}

Retrieves all app-embedded runtime audit events.

cURL Request

Refer to the following example cURL command:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/runtime/app-embedded"

cURL Response

{
   "_id": "636be11d2408ed63b48ebd44",
   "time": "2022-11-09T17:19:25.12Z",
   "hostname": "automation_azure_presetup-prevent-tvzwx:aa9f944f-0456-004d-7c69-fd444591fefd",
   "fqdn": "",
   "user": "root",
   "type": "network",
   "imageName": "automation_azure_presetup-prevent-tvzwx",
   "imageId": "b446aac9-6ee0-f254-ff75-cb21755cebdb",
   "effect": "prevent",
   "ruleName": "automation_azure_presetup-prevent-tvzwx_wul",
   "msg": "DNS resolution of domain name SandboxHost-638036111205626034 triggered by /usr/local/bin/python3.9 explicitly denied by a runtime rule",
   "profileId": "automation_azure_presetup-prevent-tvzwx:aa9f944f-0456-004d-7c69-fd444591fefd_",
   "pid": 28,
   "processPath": "/usr/local/bin/python3.9",
   "collections": [
     "All",
     "automation_azure_presetup-prevent-tvzwx_dde"
   ],
   "attackType": "explicitlyDeniedDNS",
   "count": 1,
   "severity": "high",
   "appID": "automation_azure_presetup-prevent-tvzwx:aa9f944f-0456-004d-7c69-fd444591fefd",
   "version": "22.11.384",
   "accountID": "Non-onboarded cloud accounts"
}
...
...
...

Request

Query Parameters

offset integer

Offsets the result to a specific report count. Offset starts from 0.

limit integer

Limit is the amount to fix.

sort string

Sorts the result using a key.

reverse boolean

Sorts the result in reverse order.

id string[]

IDs are the audit IDs to filter.

profileID string[]

ProfileIDs are the profile IDs to filter.

from date-time

From is an optional minimum time constraints for the audit.

to date-time

To is an optional maximum time constraints for the audit.

time date-time

Time is used to filter by audit time.

imageName string[]

ImageNames is the image name filter.

container string[]

Containers is the container name filter.

containerID string[]

ContainerID is used to filter by container ID.

ruleName string[]

RuleNames is used to filter by rule name.

type string[]

Types is used to filter by runtime audit type.

effect string[]

Effect is used to filter by runtime audit effect (e.g., block/alert).

user string[]

Users is used to filter by host users.

os string[]

OS is the image OS distro filter.

namespace string[]

Namespaces is the namespaces filter.

fields string[]

Fields is used to fetch specific runtime audit fields.

cluster string[]

Clusters is the cluster filter.

attackType string[]

AttackTypes is used to filter by runtime audit attack type.

hostname string[]

Hostname is the hostname filter.

msg string[]

Message is the audit message text filter.

interactive string[]

Interactive is the audit interactive filter.

function string[]

Function is used to filter by function name.

runtime string[]

Runtime is used to filter by runtime.

attackTechniques string[]

AttackTechniques are the MITRE attack techniques.

app string[]

App is the name constraint of the service that triggered the audit.

processPath string[]

ProcessPath is the path constraint of the process that triggered the audit.

requestID string[]

RequestID is used to filter by request ID.

functionID string[]

FunctionID is used to filter by function ID.

aggregate boolean

Aggregate indicates whether the result audits should be aggregated according to the Select field.

appID string[]

AppID is used to filter by embedded app or Fargate task that triggered the audit.

Responses

200

application/json

Schema

Schema

• Array [
_id string

Internal ID (used for in-place updates).

accountID string

ID of the cloud account where the audit was generated.

app string

Name of the service which violated the host policy.

appID string

Application ID.

attackTechniques mitre.Technique (string)[]

Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

MITRE attack techniques.

attackType shared.RuntimeAttackType (string)

Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule]

RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc...)

cluster string

Cluster name.

collections string (string)[]

Collections to which this audit applies.

command string

ScrubbedCommand is the command executed by the process with scrubbed PII.

container boolean

Indicates if this is a container audit (true) or host audit (false).

containerId string

ID of the container that violates the rule.

containerName string

Container name.

count integer

Attack type audits count.

country string

Outbound country for outgoing network audits.

domain string

Domain is the requested domain.

effect runtime.RuleEffect (string)

Possible values: [block,prevent,alert,disable]

RuleEffect is the effect that will be used in the runtime rule

err string

Unknown error in the audit process.

filepath string

Filepath is the path of the modified file.

fqdn string

Current full domain name used in audit alerts.

function string

Name of the serverless function that caused the audit.

functionID string

ID of the function invoked.

hostname string

Current hostname.

imageId string

Container image ID.

imageName string

Container image name.

interactive boolean

Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).

ip string

IP is the connection destination IP address.

label string

Container deployment label.

labels object
Custom labels which augment the audit data.
property name* string (string)
md5 string

MD5 is the MD5 of the modified file (only for executables.

msg string

Blocking message text.

namespace string

K8s deployment namespace.

os string

Operating system distribution.

pid integer

ID of the process that caused the audit event.

port integer

Port is the connection destination port.

processPath string

Path of the process that caused the audit event.

profileId string

Profile ID of the audit.

provider common.CloudProvider (string)

Possible values: [aws,azure,gcp,alibaba,oci,others]

CloudProvider specifies the cloud provider name

rawEvent string

Unparsed function handler event input.

region string

Region of the resource where the audit was generated.

requestID string

ID of the lambda function invocation request.

resourceID string

Unique ID of the resource where the audit was generated.

ruleName string

Name of the rule that was applied, if blocked.

runtime shared.LambdaRuntimeType (string)

Possible values: [python,python3.6,python3.7,python3.8,python3.9,python3.10,python3.11,python3.12,nodejs,nodejs12.x,nodejs14.x,nodejs16.x,nodejs18.x,nodejs20.x,dotnet,dotnetcore2.1,dotnetcore3.1,dotnet6,java,java8,java11,java17,java21,ruby,ruby2.7]

LambdaRuntimeType represents the runtime type of the serverless function The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime

severity shared.RuntimeSeverity (string)

Possible values: [low,medium,high]

RuntimeSeverity represents the runtime severity

time date-time

Time of the audit event (in UTC time).

type shared.RuntimeType (string)

Possible values: [processes,network,kubernetes,filesystem]

RuntimeType represents the runtime protection type

user string

Service user.

version string

Defender version.

vmID string

Azure unique VM ID where the audit was generated.

wildFireReportURL string

WildFireReportURL is a URL link of the report generated by wildFire.

• ]

Example (from schema)

[
  {
    "_id": "string",
    "accountID": "string",
    "app": "string",
    "appID": "string",
    "attackTechniques": [
      [
        "exploitationForPrivilegeEscalation",
        "exploitPublicFacingApplication",
        "applicationExploitRCE",
        "networkServiceScanning",
        "endpointDenialOfService",
        "exfiltrationGeneral",
        "systemNetworkConfigurationDiscovery",
        "unsecuredCredentials",
        "credentialDumping",
        "systemInformationDiscovery",
        "systemNetworkConnectionDiscovery",
        "systemUserDiscovery",
        "accountDiscovery",
        "cloudInstanceMetadataAPI",
        "accessKubeletMainAPI",
        "queryKubeletReadonlyAPI",
        "accessKubernetesAPIServer",
        "softwareDeploymentTools",
        "ingressToolTransfer",
        "lateralToolTransfer",
        "commandAndControlGeneral",
        "resourceHijacking",
        "manInTheMiddle",
        "nativeBinaryExecution",
        "foreignBinaryExecution",
        "createAccount",
        "accountManipulation",
        "abuseElevationControlMechanisms",
        "supplyChainCompromise",
        "obfuscatedFiles",
        "hijackExecutionFlow",
        "impairDefences",
        "scheduledTaskJob",
        "exploitationOfRemoteServices",
        "eventTriggeredExecution",
        "accountAccessRemoval",
        "privilegedContainer",
        "writableVolumes",
        "execIntoContainer",
        "softwareDiscovery",
        "createContainer",
        "kubernetesSecrets",
        "fileAndDirectoryDiscovery",
        "masquerading",
        "webShell",
        "compileAfterDelivery"
      ]
    ],
    "attackType": [
      "",
      "cloudMetadataProbing",
      "kubeletAPIAccess",
      "kubeletReadonlyAccess",
      "kubectlSpawned",
      "kubectlDownloaded",
      "horizontalPortScanning",
      "verticalPortScanning",
      "explicitlyDeniedIP",
      "customFeedIP",
      "feedIP",
      "unexpectedOutboundPort",
      "suspiciousNetworkActivity",
      "unexpectedListeningPort",
      "explicitlyDeniedListeningPort",
      "explicitlyDeniedOutboundPort",
      "listeningPortModifiedProcess",
      "outboundPortModifiedProcess",
      "feedDNS",
      "explicitlyDeniedDNS",
      "dnsQuery",
      "unexpectedProcess",
      "portScanProcess",
      "malwareProcessCustom",
      "malwareProcessFeed",
      "explicitlyDeniedProcess",
      "modifiedProcess",
      "cryptoMinerProcess",
      "lateralMovementProcess",
      "tmpfsProcess",
      "policyHijacked",
      "reverseShell",
      "suidBinaries",
      "unknownOriginBinary",
      "webShell",
      "administrativeAccount",
      "encryptedBinary",
      "sshAccess",
      "explicitlyDeniedFile",
      "malwareFileCustom",
      "malwareFileFeed",
      "execFileAccess",
      "elfFileAccess",
      "secretFileAccess",
      "regFileAccess",
      "wildfireMalware",
      "unknownOriginBinary",
      "webShell",
      "fileIntegrity",
      "alteredBinary",
      "malwareDownloaded",
      "suspiciousELFHeader",
      "executionFlowHijackAttempt",
      "customRule"
    ],
    "cluster": "string",
    "collections": [
      "string"
    ],
    "command": "string",
    "container": true,
    "containerId": "string",
    "containerName": "string",
    "count": 0,
    "country": "string",
    "domain": "string",
    "effect": [
      "block",
      "prevent",
      "alert",
      "disable"
    ],
    "err": "string",
    "filepath": "string",
    "fqdn": "string",
    "function": "string",
    "functionID": "string",
    "hostname": "string",
    "imageId": "string",
    "imageName": "string",
    "interactive": true,
    "ip": "string",
    "label": "string",
    "labels": {},
    "md5": "string",
    "msg": "string",
    "namespace": "string",
    "os": "string",
    "pid": 0,
    "port": 0,
    "processPath": "string",
    "profileId": "string",
    "provider": [
      "aws",
      "azure",
      "gcp",
      "alibaba",
      "oci",
      "others"
    ],
    "rawEvent": "string",
    "region": "string",
    "requestID": "string",
    "resourceID": "string",
    "ruleName": "string",
    "runtime": [
      "python",
      "python3.6",
      "python3.7",
      "python3.8",
      "python3.9",
      "python3.10",
      "python3.11",
      "python3.12",
      "nodejs",
      "nodejs12.x",
      "nodejs14.x",
      "nodejs16.x",
      "nodejs18.x",
      "nodejs20.x",
      "dotnet",
      "dotnetcore2.1",
      "dotnetcore3.1",
      "dotnet6",
      "java",
      "java8",
      "java11",
      "java17",
      "java21",
      "ruby",
      "ruby2.7"
    ],
    "severity": [
      "low",
      "medium",
      "high"
    ],
    "time": "2024-07-29T15:51:28.071Z",
    "type": [
      "processes",
      "network",
      "kubernetes",
      "filesystem"
    ],
    "user": "string",
    "version": "string",
    "vmID": "string",
    "wildFireReportURL": "string"
  }
]

default

Loading...