Get Docker Access Audit Events

x-prisma-cloud-target-env: {"permission":"monitorAccessDocker","saas":true,"self-hosted":true}
x-public: true

Retrieves all docker access audit events that are logged and aggregated for any container resource protected by a Defender in Prisma Cloud Compute.

You can configure Prisma Cloud Compute to log and aggregate events such as sudo and SSH access on hosts protected by Defender. These events create an audit trail that tracks system components accessed by individual users.

Note: Access events can also be viewed in Console under Monitor > Events > Docker audits.

cURL Request

Refer to the following example cURL command that gives a list of all access audit events:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/access"

cURL response

[
 {
   "containerName": "/compliance_block_container_photon_fua",
   "imageName": "alpine:latest",
   "user": "",
   "type": "docker",
   "time": "2022-11-08T18:24:09.249Z",
   "hostname": "jen-photon-v3-0811t165215-cont-def-pre-lngcon230",
   "fqdn": "",
   "sourceIP": "",
   "allow": false,
   "ruleName": "compliance_block_container_rule_svn",
   "api": "create",
   "msg": "[Twistlock] Container operation blocked by policy: compliance_block_container_rule_svn, has 1 compliance issues ",
   "collections": [
     "All",
     "compliance_block_container_yue"
   ],
   "accountID": "twistlock-test-123456",
   "cluster": "",
   "namespace": ""
 }
 ...
]

Refer to the following example cURL command that gives a list of only docker type access audit events:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  https://<CONSOLE>/api/v<VERSION>/audits/access?type=docker

Query Parameters

• offset integer

  Offsets the result to a specific report count. Offset starts from 0.

• limit integer

  Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

• search string

  Retrieves the result for a search term.

• sort string

  Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

• reverse boolean

  Sorts the result in reverse order.

• collections string[]

  Filters the result based on collection names that you have defined in Prisma Cloud Compute.

• provider string[]

  Scopes the query by cloud provider.

• accountIDs string[]

  Filters the result based on cloud account IDs.

• resourceIDs string[]

  Scopes the query by resource ID.

• region string[]

  Scopes the query by cloud region.

• fields string[]

  Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

• from date-time

  From is an optional minimum time constraints for the audit.

• to date-time

  To is an optional maximum time constraints for the audit.

• type string

  Type is the audit type.

• ruleName string[]

  RuleNames are the rules names to filter by.

• api string[]

  APIs are apis to filter by.

• hostname string[]

  Hosts are hosts to filter by.

• user string[]

  Users are users to filter by.

• allow string

  Allow indicated whether allowed requests should be shown.

• cluster string[]

  Clusters is the cluster filter.

Responses

• 200
• default

---

application/json

• Schema
• Example (from schema)

---

Schema

• Array [
• accountID string

  AccountID is the cloud account ID where the audit was created.

• allow boolean

  Allow indicates whether the command was allowe or denied.

• api string

  API is the api that is being audited.

• cluster string

  Cluster is the cluster from which the audit originated.

• collections string[]

  Collections are collections to which this audit applies.

• containerName string

  ContainerName is the name of the container.

• fqdn string

  FQDN is the fully qualified domain name from which the audit originated.

• hostname string

  Hostname is the hostname from which the audit originated.

• imageName string

  ImageName is the name of the image.

• labels object

  Labels are the labels associated with the target audit (for containers/images).

  property name* string
• msg string

  Msg is the message explaining the audit.

• namespace string

  Namespace is the container namespace.

• ruleName string

  RulesName is contains the name of the rule that was applied, when blocked.

• sourceIP string

  SourceIP is the remote agent's source IP.

• time date-time

  Time is the UTC time of the audit event.

• type string

  Type is the audit type.

• user string

  User is the user that run the command.

• ]

[
  {
    "accountID": "string",
    "allow": true,
    "api": "string",
    "cluster": "string",
    "collections": [
      "string"
    ],
    "containerName": "string",
    "fqdn": "string",
    "hostname": "string",
    "imageName": "string",
    "labels": {},
    "msg": "string",
    "namespace": "string",
    "ruleName": "string",
    "sourceIP": "string",
    "time": "2023-06-07T22:06:28.926Z",
    "type": "string",
    "user": "string"
  }
]

Loading...