Get Docker Access Audit Events



x-prisma-cloud-target-env: {"permission":"monitorAccessDocker","saas":true,"self-hosted":true}
x-public: true

Retrieves all docker access audit events that are logged and aggregated for any container resource protected by a Defender in Prisma Cloud Compute.

You can configure Prisma Cloud Compute to log and aggregate events such as sudo and SSH access on hosts protected by Defender. These events create an audit trail that tracks system components accessed by individual users.

Note: Access events can also be viewed in Console under Monitor > Events > Docker audits.

cURL Request

Refer to the following example cURL command that gives a list of all access audit events:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \

cURL response

"containerName": "/compliance_block_container_photon_fua",
"imageName": "alpine:latest",
"user": "",
"time": "2022-11-08T18:24:09.249Z",
"hostname": "jen-photon-v3-0811t165215-cont-def-pre-lngcon230",
"fqdn": "",
"sourceIP": "",
"allow": false,
"ruleName": "compliance_block_container_rule_svn",
"api": "create",
"msg": "[Twistlock] Container operation blocked by policy: compliance_block_container_rule_svn, has 1 compliance issues ",
"collections": [
"accountID": "twistlock-test-123456",
"cluster": "",
"namespace": ""


Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Limits the number of results returned.

    sort string

    Sorts the result using a key.

    reverse boolean

    Sorts the result in reverse order.

    from date-time

    From is an optional minimum time constraint for the audit.

    to date-time

    To is an optional maximum time constraint for the audit.

    type string

    Type is the audit type.

    ruleName string[]

    RuleNames are the rule names to filter by.

    api string[]

    APIs are the APIs to filter by.

    hostname string[]

    Hosts are hosts to filter by.

    user string[]

    Users are users to filter by.

    allow string

    Allow indicates whether allowed requests should be shown.

    cluster string[]

    Clusters is the cluster filter.


  • Array [

    accountID string

    AccountID is the cloud account ID where the audit was created.

    allow boolean

    Allow indicates whether the command was allowed or denied.

    api string

    API is the api that is being audited.

    cluster string

    Cluster is the cluster from which the audit originated.

    collections string (string)[]

    Collections are collections to which this audit applies.

    containerName string

    ContainerName is the name of the container.

    fqdn string

    FQDN is the fully qualified domain name from which the audit originated.

    hostname string

    Hostname is the hostname from which the audit originated.

    imageName string

    ImageName is the name of the image.

    labels object

    Labels are the labels associated with the target audit (for containers/images).

    property name* string (string)
    msg string

    Msg is the message explaining the audit.

    namespace string

    Namespace is the container namespace.

    ruleName string

    RuleName contains the name of the rule that was applied, when blocked.

    sourceIP string

    SourceIP is the remote agent's source IP.

    time date-time

    Time is the UTC time of the audit event.

    type string

    Type is the audit type.

    user string

    User is the user that ran the command.

  • ]
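
The following is an added example, not part of the Prisma Cloud documentation: it pages through results with the `offset` and `limit` parameters and triages the returned events using the response fields listed above. The `fetch_page` callable, the function names and the sample records are hypothetical; it assumes the last page is shorter than `limit` and that an empty result may decode to `null`.

```python
from collections import Counter
from datetime import datetime

# Constructed sample records using the response fields documented above.
SAMPLE = [
    {"time": "2022-11-08T18:24:09.249Z", "hostname": "host-a", "user": "",
     "allow": False, "api": "create", "ruleName": "block_rule_1",
     "containerName": "/c1", "imageName": "alpine:latest"},
    {"time": "2022-11-08T18:25:10.000Z", "hostname": "host-a", "user": "alice",
     "allow": True, "api": "exec", "ruleName": "",
     "containerName": "/c2", "imageName": "nginx:latest"},
    {"time": "2022-11-08T18:26:00.500Z", "hostname": "host-b", "user": "bob",
     "allow": False, "api": "create", "ruleName": "block_rule_1",
     "containerName": "/c3", "imageName": "alpine:latest"},
]

def fetch_all(fetch_page, limit=50):
    """Page with offset/limit (offset starts at 0) until a short page arrives.
    fetch_page(offset, limit) is a caller-supplied (hypothetical) function that
    performs the authenticated GET and returns the decoded JSON array."""
    events, offset = [], 0
    while True:
        page = fetch_page(offset, limit) or []  # treat a null body as empty
        events.extend(page)
        if len(page) < limit:
            return events
        offset += limit

def parse_time(value):
    """Parse the UTC 'time' field, e.g. 2022-11-08T18:24:09.249Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(events):
    """Summarise denied operations and events with no attributed user."""
    denied = [e for e in events if e.get("allow") is False]
    return {
        "denied_by_rule": Counter(e.get("ruleName", "") for e in denied),
        "denied_by_host": Counter(e.get("hostname", "") for e in denied),
        "unattributed": [e.get("containerName") for e in events if not e.get("user")],
        "first_denied": min((parse_time(e["time"]) for e in denied), default=None),
    }

if __name__ == "__main__":
    pages = lambda offset, limit: SAMPLE[offset:offset + limit]
    print(triage(fetch_all(pages, limit=2)))
```

Events with an empty `user` field, like the blocked `create` call in the sample response above, cannot be tied to an individual and are worth reviewing separately from attributed ones.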