
Get Admission Audit Events

x-prisma-cloud-target-env: {"permission":"monitorAccessKubernetes","saas":true,"self-hosted":true}
x-public: true

Returns all activities that were alerted on or blocked by Defender acting as an Open Policy Agent admission controller.

cURL Request

Refer to the following example cURL command that gives a list of all admission audit events:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/admission"

cURL response

{
  "time": "2022-11-24T13:46:37.057Z",
  "ruleName": "Twistlock Labs - CIS - Pod created in host process ID namespace",
  "message": "Pod created in host process ID namespace",
  "operation": "CREATE",
  "kind": "Pod",
  "resource": "pods",
  "username": "kubernetes-admin",
  "userUid": "aws-iam-authenticator:496947949261:AIDAXHNDH53GRQMZMIOQT",
  "userGroups": "system:masters, system:authenticated",
  "namespace": "default",
  "effect": "alert",
  "rawRequest": "{\"uid\":\"78d11e35-14ab-4b19-b3d3-a97b4252b56f\",\"kind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"resource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"requestKind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"requestResource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"name\":\"nginx2\",\"namespace\":\"default\",\"operation\":\"CREATE\",\"userInfo\":{\"username\":\"kubernetes-admin\",\"uid\":...
  ...
  ...
  ...
  }",
  "accountID": "496947949261",
  "collections": [
    "All"
  ],
  "cluster": "johndoe-eks-123",
  "attackTechniques": [
    "privilegedContainer"
  ]
}

Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • from date-time

    From is an optional minimum time constraint for the activity.

  • to date-time

    To is an optional maximum time constraint for the activity.

  • namespace string[]

    Namespaces is the list of namespaces to use for filtering.

  • operation string[]

    Operations is the list of operations to use for filtering.

  • cluster string[]

    Clusters is the list of clusters to use for filtering.

  • attackTechniques string[]

    AttackTechniques is the list of MITRE ATT&CK techniques to use for filtering.
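The cURL request above fetches one page at most; the query parameters make the endpoint pageable and filterable. The following client is an added example, not Prisma Cloud's own library: it assumes the endpoint and the parameters documented on this page, encodes array parameters as repeated keys (an assumption about the encoding, which the page does not state), caps the page size at the PCEE/PCCE ceilings given above, and takes a hypothetical fetch(url) callable in place of the authenticated GET so that it runs offline against a constructed set of records.

```python
"""Page through /api/v<VERSION>/audits/admission using offset and limit.

Added example, not Prisma Cloud's own client. The transport is injected as a
``fetch(url)`` callable (hypothetical) so the paging logic can be exercised
offline against constructed records.
"""
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Page-size ceilings stated on this page: PCEE (SaaS) 50, PCCE (self-hosted) 250.
MAX_LIMIT = {"saas": 50, "self-hosted": 250}

Fetch = Callable[[str], List[dict]]  # url -> decoded JSON array for one page


def page_size_for(deployment: str, limit: Optional[int] = None) -> int:
    """Clamp a requested page size to the ceiling for the deployment type."""
    ceiling = MAX_LIMIT[deployment]
    return ceiling if limit is None else max(1, min(limit, ceiling))


def build_url(console: str, version: str, params: Dict[str, object]) -> str:
    """Build the endpoint URL. Booleans become true/false, datetimes become
    RFC 3339 UTC timestamps (for from/to), lists are repeated keys (assumed)."""
    query = []
    for key, value in params.items():
        if value is None:
            continue
        if isinstance(value, bool):
            query.append((key, "true" if value else "false"))
        elif isinstance(value, datetime):
            stamp = value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
            query.append((key, stamp))
        elif isinstance(value, (list, tuple)):
            query.extend((key, str(v)) for v in value)
        else:
            query.append((key, str(value)))
    return f"https://{console}/api/v{version}/audits/admission?" + urlencode(query)


def iter_admission_audits(fetch: Fetch, console: str, version: str, *,
                          deployment: str = "saas", limit: Optional[int] = None,
                          filters: Optional[Dict[str, object]] = None) -> Iterator[dict]:
    """Yield every audit matching ``filters`` (e.g. {"namespace": [...], "from": dt}),
    requesting successive pages until a short page signals the end."""
    page_size = page_size_for(deployment, limit)
    offset = 0
    while True:
        params = {"offset": offset, "limit": page_size, **(filters or {})}
        page = fetch(build_url(console, version, params)) or []
        yield from page
        if len(page) < page_size:
            return
        offset += page_size


# Constructed sample of what the endpoint returns, trimmed to the fields the
# paging logic touches; a real response carries the full schema on this page.
SAMPLE_AUDITS = [
    {"time": "2022-11-24T13:46:37.057Z", "namespace": "default", "effect": "alert",
     "ruleName": "Twistlock Labs - CIS - Pod created in host process ID namespace"},
    {"time": "2022-11-24T13:50:02.000Z", "namespace": "default", "effect": "block",
     "ruleName": "example-rule-privileged"},
    {"time": "2022-11-24T14:01:15.000Z", "namespace": "kube-system", "effect": "alert",
     "ruleName": "example-rule-hostnetwork"},
    {"time": "2022-11-24T14:05:00.000Z", "namespace": "default", "effect": "alert",
     "ruleName": "example-rule-writable-volume"},
]


def fake_fetch(url: str) -> List[dict]:
    """Offline stand-in for the authenticated GET: honours offset, limit and
    the namespace filter against SAMPLE_AUDITS."""
    qs = parse_qs(urlparse(url).query)
    offset = int(qs.get("offset", ["0"])[0])
    limit = int(qs.get("limit", [str(MAX_LIMIT["saas"])])[0])
    rows = SAMPLE_AUDITS
    if "namespace" in qs:
        rows = [r for r in rows if r["namespace"] in qs["namespace"]]
    return rows[offset:offset + limit]


def collect(fetch: Fetch, console: str, version: str, **kwargs) -> List[dict]:
    """Drain the iterator into a list (convenience for callers and tests)."""
    return list(iter_admission_audits(fetch, console, version, **kwargs))


if __name__ == "__main__":
    since = datetime(2022, 11, 24, tzinfo=timezone.utc)
    for audit in collect(fake_fetch, "CONSOLE_PLACEHOLDER", "VERSION_PLACEHOLDER",
                         limit=2, filters={"namespace": ["default"], "from": since}):
        print(audit["time"], audit["effect"], audit["ruleName"])
```

Replace fake_fetch with a function that performs the GET using the console credentials (the -u flag in the cURL example) and returns the decoded body; a page shorter than the requested limit is the only end-of-data signal this implementation relies on, since the page documents no total count field.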

Responses


Schema
  • Array [
  • accountID string

    AccountID is the cloud account ID.

  • attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    AttackTechniques are the MITRE ATT&CK techniques associated with this audit.

  • cluster string

    Cluster is the cluster where the audit took place.

  • collections string[]

    Collections are collections to which this audit applies.

  • effect string

    Effect is the rule effect which was applied to the review which led to this audit.

  • kind string

    Kind is the type of object being manipulated. For example: Pod.

  • message string

    Message is the rule user defined message which appears on audit.

  • namespace string

    Namespace is the namespace associated with the request (if any).

  • operation string

    Operation is the operation being performed.

  • rawRequest string

    RawRequest is the original review request that caused this audit.

  • resource string

    Resource is the name of the resource being requested. This is not the kind. For example: pods.

  • ruleName string

    RuleName is the name of the rule which issued this audit.

  • time date-time

    Time is the time at which the audit was generated.

  • userGroups string

    UserGroups are the names of the groups this user is a part of.

  • userUid string

    UserUID is a unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.

  • username string

    Username is the name that uniquely identifies this user among all active users.

  • ]