Skip to main content

Get Admission Audit Events

x-prisma-cloud-target-env: {"permission":"monitorAccessKubernetes","saas":true,"self-hosted":true}
x-public: true

Returns all activities that were alerted or blocked by Defender functioning as Open Policy Agent admission controller.

cURL Request

Refer to the following example cURL command that gives a list of all admission audit events:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/admission"

cURL response

{
        "time": "2022-11-24T13:46:37.057Z",
        "ruleName": "Twistlock Labs - CIS - Pod created in host process ID namespace",
        "message": "Pod created in host process ID namespace",
        "operation": "CREATE",
        "kind": "Pod",
        "resource": "pods",
        "username": "kubernetes-admin",
        "userUid": "aws-iam-authenticator:496947949261:AIDAXHNDH53GRQMZMIOQT",
        "userGroups": "system:masters, system:authenticated",
        "namespace": "default",
        "effect": "alert",
        "rawRequest": "{\"uid\":\"78d11e35-14ab-4b19-b3d3-a97b4252b56f\",\"kind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"resource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"requestKind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"requestResource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"name\":\"nginx2\",\"namespace\":\"default\",\"operation\":\"CREATE\",\"userInfo\":{\"username\":\"kubernetes-admin\",\"uid\":...
    ...
    ...
    ...
}”,
        "accountID": "496947949261",
        "collections": [
            "All"
        ],
        "cluster": "johndoe-eks-123",
        "attackTechniques": [
            "privilegedContainer"
        ]
}

Query Parameters
    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Limit is the amount to fix.

    sort string

    Sorts the result using a key.

    reverse boolean

    Sorts the result in reverse order.

    from date-time

    From is an optional minimum time constraints for the activity.

    to date-time

    To is an optional maximum time constraints for the activity.

    namespace string[]

    Namespaces is the list of namespaces to use for filtering.

    operation string[]

    Operations is the list of operations to use for filtering.

    cluster string[]

    Clusters is the cluster filter.

    attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

Responses
Schema
  • Array [
    • accountID string

    AccountID is the cloud account ID.

    attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    AttackTechniques are the MITRE attack techniques.

    cluster string

    Cluster is the cluster where the audit took place.

    collections string[]

    Collections are collections to which this audit applies.

    effect string

    Effect is the rule effect which was applied to the review which led to this audit.

    kind string

    Kind is the type of object being manipulated. For example: Pod.

    message string

    Message is the rule user defined message which appears on audit.

    namespace string

    Namespace is the namespace associated with the request (if any).

    operation string

    Operation is the operation being performed.

    rawRequest string

    RawRequest is the original review request that caused this audit.

    resource string

    Resource is the name of the resource being requested. This is not the kind. For example: pods.

    ruleName string

    RuleName is the name of the rule which issued this audit.

    time date-time

    Time is the time at which the audit was generated.

    userGroups string

    UserGroups is the names of groups this user is a part of.

    userUid string

    UserUID is a unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.

    username string

    Username is the name that uniquely identifies this user among all active users.

  • ]
Loading...