Get Admission Audit Events
x-prisma-cloud-target-env: {"permission":"monitorAccessKubernetes","saas":true,"self-hosted":true}
x-public: true
Returns all activities that were alerted or blocked by Defender functioning as an Open Policy Agent (OPA) admission controller.
cURL Request
Refer to the following example cURL command that gives a list of all admission audit events:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/admission"
cURL response
{
"time": "2022-11-24T13:46:37.057Z",
"ruleName": "Twistlock Labs - CIS - Pod created in host process ID namespace",
"message": "Pod created in host process ID namespace",
"operation": "CREATE",
"kind": "Pod",
"resource": "pods",
"username": "kubernetes-admin",
"userUid": "aws-iam-authenticator:496947949261:AIDAXHNDH53GRQMZMIOQT",
"userGroups": "system:masters, system:authenticated",
"namespace": "default",
"effect": "alert",
"rawRequest": "{\"uid\":\"78d11e35-14ab-4b19-b3d3-a97b4252b56f\",\"kind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"resource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"requestKind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"requestResource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"name\":\"nginx2\",\"namespace\":\"default\",\"operation\":\"CREATE\",\"userInfo\":{\"username\":\"kubernetes-admin\",\"uid\":...
...
...
...
}",
"accountID": "496947949261",
"collections": [
"All"
],
"cluster": "johndoe-eks-123",
"attackTechniques": [
"privilegedContainer"
]
}
Query Parameters
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string[]
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string[]
Scopes the query by cloud provider.
- accountIDs string[]
Filters the result based on cloud account IDs.
- resourceIDs string[]
Scopes the query by resource ID.
- region string[]
Scopes the query by cloud region.
- fields string[]
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- from date-time
From is an optional minimum time constraint for the activity.
- to date-time
To is an optional maximum time constraint for the activity.
- namespace string[]
Namespaces is the list of namespaces to use for filtering.
- operation string[]
Operations is the list of operations to use for filtering.
- cluster string[]
Clusters is the cluster filter.
- attackTechniques string[]
AttackTechniques are the MITRE attack techniques.
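The following is an added example, not Prisma Cloud's own code: it builds the endpoint URL from the documented query parameters, pages through results with offset/limit, and summarises the audits by effect and rule while extracting the requested object's name from rawRequest. It assumes the Console accepts list-valued filters as repeated query keys and that the endpoint returns a JSON array; the sample records, console name and credentials are constructed.

```python
"""Page through /api/v<VERSION>/audits/admission and summarise the results."""
import base64
import json
import urllib.parse
import urllib.request
from collections import Counter

# Constructed sample records shaped like the documented response (not real data).
SAMPLE_AUDITS = [
    {"time": "2022-11-24T13:46:37.057Z", "effect": "alert",
     "ruleName": "Twistlock Labs - CIS - Pod created in host process ID namespace",
     "kind": "Pod", "namespace": "default", "username": "kubernetes-admin",
     "cluster": "example-cluster", "attackTechniques": ["privilegedContainer"],
     "rawRequest": json.dumps({"name": "nginx2", "operation": "CREATE"})},
    {"time": "2022-11-24T14:02:11.000Z", "effect": "block",
     "ruleName": "Twistlock Labs - CIS - Pod created in host process ID namespace",
     "kind": "Pod", "namespace": "payments", "username": "ci-bot",
     "cluster": "example-cluster", "attackTechniques": ["privilegedContainer"],
     "rawRequest": json.dumps({"name": "debug-shell", "operation": "CREATE"})},
]

def build_url(console, version, offset, limit, **filters):
    """Build the endpoint URL; list-valued filters (assumed) repeat the key."""
    params = {"offset": offset, "limit": limit}
    params.update({k: v for k, v in filters.items() if v})
    query = urllib.parse.urlencode(params, doseq=True)
    return f"https://{console}/api/v{version}/audits/admission?{query}"

def fetch_page(url, user, password):
    """One GET with basic auth (TLS is verified, unlike the curl -k example)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def fetch_all(console, version, user, password, limit=50, **filters):
    """Walk pages until a short page; limit must stay within the documented maximum."""
    audits, offset = [], 0
    while True:
        page = fetch_page(build_url(console, version, offset, limit, **filters),
                          user, password) or []
        audits.extend(page)
        if len(page) < limit:
            return audits
        offset += limit

def summarize(audits):
    """Count audits per (effect, ruleName) and pull the object name out of rawRequest."""
    by_rule = Counter((a["effect"], a["ruleName"]) for a in audits)
    names = [json.loads(a["rawRequest"]).get("name") for a in audits]
    return by_rule, names
```

Blocked admissions that share a rule with alert-only ones are worth reviewing together, since the same rule may be enforced differently per collection.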
Responses
- 200
- default
Content type: application/json
Schema
- Array [
- accountID string
AccountID is the cloud account ID.
- attackTechniques mitre.Technique[]
AttackTechniques are the MITRE attack techniques. Possible values: [exploitationForPrivilegeEscalation, exploitPublicFacingApplication, applicationExploitRCE, networkServiceScanning, endpointDenialOfService, exfiltrationGeneral, systemNetworkConfigurationDiscovery, unsecuredCredentials, credentialDumping, systemInformationDiscovery, systemNetworkConnectionDiscovery, systemUserDiscovery, accountDiscovery, cloudInstanceMetadataAPI, accessKubeletMainAPI, queryKubeletReadonlyAPI, accessKubernetesAPIServer, softwareDeploymentTools, ingressToolTransfer, lateralToolTransfer, commandAndControlGeneral, resourceHijacking, manInTheMiddle, nativeBinaryExecution, foreignBinaryExecution, createAccount, accountManipulation, abuseElevationControlMechanisms, supplyChainCompromise, obfuscatedFiles, hijackExecutionFlow, impairDefences, scheduledTaskJob, exploitationOfRemoteServices, eventTriggeredExecution, accountAccessRemoval, privilegedContainer, writableVolumes, execIntoContainer, softwareDiscovery, createContainer, kubernetesSecrets, fileAndDirectoryDiscovery, masquerading, webShell, compileAfterDelivery]
- cluster string
Cluster is the cluster where the audit took place.
- collections string[]
Collections are collections to which this audit applies.
- effect string
Effect is the rule effect which was applied to the review which led to this audit.
- kind string
Kind is the type of object being manipulated. For example: Pod.
- message string
Message is the rule user defined message which appears on audit.
- namespace string
Namespace is the namespace associated with the request (if any).
- operation string
Operation is the operation being performed.
- rawRequest string
RawRequest is the original review request that caused this audit.
- resource string
Resource is the name of the resource being requested. This is not the kind. For example: pods.
- ruleName string
RuleName is the name of the rule which issued this audit.
- time date-time
Time is the time at which the audit was generated.
- userGroups string
UserGroups are the names of the groups this user belongs to.
- userUid string
UserUID is a unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs.
- username string
Username is the name that uniquely identifies this user among all active users.
- ]
Example (from schema)
[
{
"accountID": "string",
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"cluster": "string",
"collections": [
"string"
],
"effect": "string",
"kind": "string",
"message": "string",
"namespace": "string",
"operation": "string",
"rawRequest": "string",
"resource": "string",
"ruleName": "string",
"time": "2023-06-07T22:06:28.926Z",
"userGroups": "string",
"userUid": "string",
"username": "string"
}
]