Get Admission Audit Events
GET/api/v32.04/audits/admission
x-prisma-cloud-target-env: {"permission":"monitorAccessKubernetes","saas":true,"self-hosted":true}
x-public: true
Returns all activities that were alerted or blocked by Defender functioning as Open Policy Agent admission controller.
cURL Request
Refer to the following example cURL command that gives a list of all admission audit events:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/admission"
cURL response
{
"time": "2022-11-24T13:46:37.057Z",
"ruleName": "Twistlock Labs - CIS - Pod created in host process ID namespace",
"message": "Pod created in host process ID namespace",
"operation": "CREATE",
"kind": "Pod",
"resource": "pods",
"username": "kubernetes-admin",
"userUid": "aws-iam-authenticator:496947949261:AIDAXHNDH53GRQMZMIOQT",
"userGroups": "system:masters, system:authenticated",
"namespace": "default",
"effect": "alert",
"rawRequest": "{\"uid\":\"78d11e35-14ab-4b19-b3d3-a97b4252b56f\",\"kind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"resource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"requestKind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"requestResource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"name\":\"nginx2\",\"namespace\":\"default\",\"operation\":\"CREATE\",\"userInfo\":{\"username\":\"kubernetes-admin\",\"uid\":...
...
...
...
}”,
"accountID": "496947949261",
"collections": [
"All"
],
"cluster": "johndoe-eks-123",
"attackTechniques": [
"privilegedContainer"
]
}
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
From is an optional minimum time constraints for the activity.
To is an optional maximum time constraints for the activity.
Namespaces is the list of namespaces to use for filtering.
Operations is the list of operations to use for filtering.
Clusters is the cluster filter.
AttackTechniques are the MITRE attack techniques.
Responses
- 200
- default
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
AccountID is the cloud account ID.
Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]
AttackTechniques are the MITRE attack techniques.
Cluster is the cluster where the audit took place.
Collections are collections to which this audit applies.
Effect is the rule effect which was applied to the review which led to this audit.
Kind is the type of object being manipulated. For example: Pod.
Message is the rule user defined message which appears on audit.
Namespace is the namespace associated with the request (if any).
Operation is the operation being performed.
RawRequest is the original review request that caused this audit.
Resource is the name of the resource being requested. This is not the kind. For example: pods.
RuleName is the name of the rule which issued this audit.
Time is the time at which the audit was generated.
UserGroups is the names of groups this user is a part of.
UserUID is a unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.
Username is the name that uniquely identifies this user among all active users.
[
{
"accountID": "string",
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"cluster": "string",
"collections": [
"string"
],
"effect": "string",
"kind": "string",
"message": "string",
"namespace": "string",
"operation": "string",
"rawRequest": "string",
"resource": "string",
"ruleName": "string",
"time": "2024-04-19T21:44:44.315Z",
"userGroups": "string",
"userUid": "string",
"username": "string"
}
]