Get Docker Access Audit Events
GET /api/v33.01/audits/access
x-prisma-cloud-target-env: {"permission":"monitorAccessDocker"}
Retrieves all Docker access audit events that are logged and aggregated for any container resource protected by a Defender in Prisma Cloud Compute.
You can configure Prisma Cloud Compute to log and aggregate events such as sudo and SSH access on hosts protected by Defender. These events create an audit trail that tracks system components accessed by individual users.
Note: Access events can also be viewed in Console under Monitor > Events > Docker audits.
cURL Request
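The following example cURL command returns a list of all access audit events. The -k flag disables TLS certificate verification; omit it when Console presents a certificate that your client trusts.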
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/access"
cURL Response
[
{
"containerName": "/compliance_block_container_photon_fua",
"imageName": "alpine:latest",
"user": "",
"time": "2022-11-08T18:24:09.249Z",
"hostname": "jen-photon-v3-0811t165215-cont-def-pre-lngcon230",
"fqdn": "",
"sourceIP": "",
"allow": false,
"ruleName": "compliance_block_container_rule_svn",
"api": "create",
"msg": "[Twistlock] Container operation blocked by policy: compliance_block_container_rule_svn, has 1 compliance issues ",
"collections": [
"All",
"compliance_block_container_yue"
],
"accountID": "twistlock-test-123456",
"cluster": "",
"namespace": ""
}
...
]
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
From is an optional minimum time constraint for the audit.
To is an optional maximum time constraint for the audit.
Type is the audit type.
RuleNames are the rule names to filter by.
APIs are the APIs to filter by.
Hosts are hosts to filter by.
Users are users to filter by.
Allow indicates whether allowed requests should be shown.
Clusters is the cluster filter.
Responses
- 200
- default
- application/json
Schema
Array of objects with the following fields:
AccountID is the cloud account ID where the audit was created.
Allow indicates whether the command was allowed or denied.
API is the API that is being audited.
Cluster is the cluster from which the audit originated.
Collections are collections to which this audit applies.
ContainerName is the name of the container.
FQDN is the fully qualified domain name from which the audit originated.
Hostname is the hostname from which the audit originated.
ImageName is the name of the image.
labels object
Labels are the labels associated with the target audit (for containers/images).
Msg is the message explaining the audit.
Namespace is the container namespace.
RuleName contains the name of the rule that was applied, when blocked.
SourceIP is the remote agent's source IP.
Time is the UTC time of the audit event.
Type is the audit type.
User is the user that ran the command.
Example (from schema)
[
{
"accountID": "string",
"allow": true,
"api": "string",
"cluster": "string",
"collections": [
"string"
],
"containerName": "string",
"fqdn": "string",
"hostname": "string",
"imageName": "string",
"labels": {},
"msg": "string",
"namespace": "string",
"ruleName": "string",
"sourceIP": "string",
"time": "2024-07-29T15:51:28.071Z",
"type": "string",
"user": "string"
}
]
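The following Python sketch is an added example, not part of the Prisma Cloud documentation. It triages a saved response from this endpoint by grouping denied events (allow is false) by ruleName, hostname and api, and counting those that carry neither a user nor a sourceIP. The sample events, the function names and the choice to treat a missing allow field as denied are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in the documented response shape (not real audit data).
SAMPLE = json.loads("""[
 {"containerName": "/web-1", "user": "", "sourceIP": "", "allow": false,
  "time": "2022-11-08T18:24:09.249Z", "hostname": "host-a", "ruleName": "block-noncompliant", "api": "create"},
 {"containerName": "/web-2", "user": "alice", "sourceIP": "10.0.0.5", "allow": false,
  "time": "2022-11-08T18:30:00Z", "hostname": "host-a", "ruleName": "block-noncompliant", "api": "create"},
 {"containerName": "/db-1", "user": "bob", "sourceIP": "10.0.0.9", "allow": true,
  "time": "2022-11-08T19:02:41.5Z", "hostname": "host-b", "ruleName": "", "api": "exec"},
 {"containerName": "/old", "user": "alice", "sourceIP": "10.0.0.5", "allow": false,
  "time": "2022-11-01T08:00:00.000Z", "hostname": "host-a", "ruleName": "block-noncompliant", "api": "create"}
]""")


def parse_time(ts):
    """Parse the UTC `time` field; the fractional part may be absent or any length."""
    base = ts.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def summarize_denied(events, since):
    """Group denied events at or after `since` by (ruleName, hostname, api)."""
    groups = defaultdict(lambda: {"count": 0, "last": None, "unattributed": 0})
    for ev in events:
        when = parse_time(ev["time"])
        # Assumption: a missing `allow` is treated as denied so it is not skipped.
        if ev.get("allow", False) or when < since:
            continue
        key = (ev.get("ruleName", ""), ev.get("hostname", ""), ev.get("api", ""))
        g = groups[key]
        g["count"] += 1
        g["last"] = when if g["last"] is None else max(g["last"], when)
        # With neither user nor sourceIP, the event cannot be tied to a person.
        if not ev.get("user") and not ev.get("sourceIP"):
            g["unattributed"] += 1
    return dict(groups)


if __name__ == "__main__":
    since = datetime(2022, 11, 8, tzinfo=timezone.utc)
    for key, g in summarize_denied(SAMPLE, since).items():
        print(key, g["count"], g["last"].isoformat(), g["unattributed"])
```

A high unattributed count for a rule, as with the empty user and sourceIP in the sample response above, means the block was recorded but the audit trail does not identify who issued the command.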