Download Runtime Container Audit Events
GET/api/v32.07/audits/runtime/container/download
x-prisma-cloud-target-env: {"permission":"monitorRuntimeContainers"}
Returns the container audit events data in CSV format when a runtime sensor such as process, network, file system, or system call detects an activity that deviates from the predictive model.
Note: In Console, you can view the same under Monitor > Events > Container Audits.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-X GET \
-o <runtime_container_audits.csv> \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/container/download"
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
IDs are the audit IDs to filter.
ProfileIDs are the profile IDs to filter.
From is an optional minimum time constraints for the audit.
To is an optional maximum time constraints for the audit.
Time is used to filter by audit time.
ImageNames is the image name filter.
Containers is the container name filter.
ContainerID is used to filter by container ID.
RuleNames is used to filter by rule name.
Types is used to filter by runtime audit type.
Effect is used to filter by runtime audit effect (e.g., block/alert).
Users is used to filter by host users.
OS is the image OS distro filter.
Namespaces is the namespaces filter.
Fields is used to fetch specific runtime audit fields.
Clusters is the cluster filter.
AttackTypes is used to filter by runtime audit attack type.
Hostname is the hostname filter.
Message is the audit message text filter.
Interactive is the audit interactive filter.
Function is used to filter by function name.
Runtime is used to filter by runtime.
AttackTechniques are the MITRE attack techniques.
App is the name constraint of the service that triggered the audit.
ProcessPath is the path constraint of the process that triggered the audit.
RequestID is used to filter by request ID.
FunctionID is used to filter by function ID.
Aggregate indicates whether the result audits should be aggregated according to the Select field.
AppID is used to filter by embedded app or Fargate task that triggered the audit.
Responses
- 200
- default
OK