Get Docker Access Audit Events

GET 
/api/v31.02/audits/access

x-prisma-cloud-target-env: {"permission":"monitorAccessDocker","saas":true,"self-hosted":true}
x-public: true

Retrieves all docker access audit events that are logged and aggregated for any container resource protected by a Defender in Prisma Cloud Compute.

You can configure Prisma Cloud Compute to log and aggregate events such as sudo and SSH access on hosts protected by Defender. These events create an audit trail that tracks system components accessed by individual users.

Note: Access events can also be viewed in Console under Monitor > Events > Docker audits.

cURL Request

Refer to the following example cURL command that gives a list of all access audit events:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/access"

cURL response

[
 {
   "containerName": "/compliance_block_container_photon_fua",
   "imageName": "alpine:latest",
   "user": "",
   "time": "2022-11-08T18:24:09.249Z",
   "hostname": "jen-photon-v3-0811t165215-cont-def-pre-lngcon230",
   "fqdn": "",
   "sourceIP": "",
   "allow": false,
   "ruleName": "compliance_block_container_rule_svn",
   "api": "create",
   "msg": "[Twistlock] Container operation blocked by policy: compliance_block_container_rule_svn, has 1 compliance issues ",
   "collections": [
     "All",
     "compliance_block_container_yue"
   ],
   "accountID": "twistlock-test-123456",
   "cluster": "",
   "namespace": ""
 }
...
]

Request

Query Parameters

offset integer

Offsets the result to a specific report count. Offset starts from 0.

limit integer

Limit is the amount to fix.

sort string

Sorts the result using a key.

reverse boolean

Sorts the result in reverse order.

from date-time

From is an optional minimum time constraints for the audit.

to date-time

To is an optional maximum time constraints for the audit.

type string

Type is the audit type.

ruleName string[]

RuleNames are the rules names to filter by.

api string[]

APIs are apis to filter by.

hostname string[]

Hosts are hosts to filter by.

user string[]

Users are users to filter by.

allow string

Allow indicated whether allowed requests should be shown.

cluster string[]

Clusters is the cluster filter.

Responses

200

application/json

Schema

Schema

• Array [
accountID string

AccountID is the cloud account ID where the audit was created.

allow boolean

Allow indicates whether the command was allowe or denied.

api string

API is the api that is being audited.

cluster string

Cluster is the cluster from which the audit originated.

collections string[]

Collections are collections to which this audit applies.

containerName string

ContainerName is the name of the container.

fqdn string

FQDN is the fully qualified domain name from which the audit originated.

hostname string

Hostname is the hostname from which the audit originated.

imageName string

ImageName is the name of the image.

labels object
Labels are the labels associated with the target audit (for containers/images).
property name* string
msg string

Msg is the message explaining the audit.

namespace string

Namespace is the container namespace.

ruleName string

RulesName is contains the name of the rule that was applied, when blocked.

sourceIP string

SourceIP is the remote agent's source IP.

time date-time

Time is the UTC time of the audit event.

type string

Type is the audit type.

user string

User is the user that run the command.

• ]

Example (from schema)

[
  {
    "accountID": "string",
    "allow": true,
    "api": "string",
    "cluster": "string",
    "collections": [
      "string"
    ],
    "containerName": "string",
    "fqdn": "string",
    "hostname": "string",
    "imageName": "string",
    "labels": {},
    "msg": "string",
    "namespace": "string",
    "ruleName": "string",
    "sourceIP": "string",
    "time": "2023-12-06T03:40:01.704Z",
    "type": "string",
    "user": "string"
  }
]

default

Loading...