
Get WAAS App-embedded Audit Events for a Timeframe

x-prisma-cloud-target-env: {"permission":"monitorWAAS","saas":true,"self-hosted":true}
x-public: true

Returns the app-embedded WAAS audit buckets based on the query time frame. Use the UTC time of an audit event to query for a time frame.

Note: These audit events relate to violations of WAAS policies defined under Defend > WAAS > App-Embedded > App-Embedded WAAS Policy.

Use the following mandatory query parameters to fetch results:

  • from: Specifies the start time, in UTC, of the time period for which the audit events are returned.
  • to: Specifies the end time, in UTC, of the time period for which the audit events are returned.
  • buckets: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Values in the range 1-100 are accepted.

cURL Request

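Refer to the following example cURL command, which retrieves five app-embedded WAAS audit buckets for the period between 15 Nov. 2022 (15h:23m:57s) and 16 Nov. 2022 (15h:23m:57s). The -k option skips TLS certificate verification; omit it when the Console presents a certificate that your client trusts.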

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/app/app-embedded/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5"

cURL Response

{
"start":"2022-11-12T20:11:57Z",
"end":"2022-11-13T10:35:57Z",
"count":44
}

Response Parameters:

  • start: Specifies the start time of the bucket in date-time UTC format.
  • end: Specifies the end time of the bucket in date-time UTC format.
  • count: Specifies the number of audit occurrences.
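
The following Python sketch is an added example, not part of the Prisma Cloud documentation. It builds the request URL with the documented constraints (UTC timestamps, buckets in the range 1-100) and flags buckets whose count stands out. The sample buckets are constructed, and the median-based threshold and its factor are assumptions chosen for illustration.

```python
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlencode

# Path as shown in the cURL request; console host and version come from the caller.
PATH = "/api/v{version}/audits/firewall/app/app-embedded/timeslice"

# Constructed sample in the documented response shape (array of start/end/count).
SAMPLE_BUCKETS = [
    {"start": "2022-11-15T15:23:57Z", "end": "2022-11-15T20:11:57Z", "count": 4},
    {"start": "2022-11-15T20:11:57Z", "end": "2022-11-16T00:59:57Z", "count": 6},
    {"start": "2022-11-16T00:59:57Z", "end": "2022-11-16T05:47:57Z", "count": 44},
    {"start": "2022-11-16T05:47:57Z", "end": "2022-11-16T10:35:57Z", "count": 5},
    {"start": "2022-11-16T10:35:57Z", "end": "2022-11-16T15:23:57Z", "count": 3},
]


def utc_stamp(moment):
    """Render a timezone-aware datetime in the UTC 'Z' form the query uses."""
    if moment.tzinfo is None:
        raise ValueError("naive datetime: set tzinfo so the UTC conversion is unambiguous")
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def timeslice_url(console, version, start, end, buckets):
    """Build the request URL; checks the documented buckets range and,
    as a local sanity check, that the time window is not empty."""
    if not 1 <= buckets <= 100:
        raise ValueError("buckets must be in the range 1-100")
    start_utc, end_utc = utc_stamp(start), utc_stamp(end)
    if end <= start:
        raise ValueError("'to' must be later than 'from'")
    query = urlencode(
        {"from": start_utc, "to": end_utc, "buckets": buckets},
        safe=":",  # keep the timestamps readable, as in the cURL example
    )
    return f"https://{console}{PATH.format(version=version)}?{query}"


def spike_buckets(buckets, factor=3.0):
    """Return buckets whose count exceeds factor x the median count (assumed heuristic)."""
    counts = [b["count"] for b in buckets]
    if not counts:
        return []
    # Floor of 1 avoids flagging every non-zero bucket when the median is 0.
    baseline = max(median(counts), 1)
    return [b for b in buckets if b["count"] > factor * baseline]
```

A flagged bucket's start and end values can be passed back as from and to with a higher buckets value to narrow down when the violations occurred.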

Query Parameters

  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • from date-time

    From is an optional minimum time constraint for the audit.

  • to date-time

    To is an optional maximum time constraint for the audit.

  • imageName string[]

    Images is the image names filter.

  • containerName string[]

    Containers is the container names filter.

  • hostname string[]

    Hosts is the hostnames filter.

  • ruleName string[]

    RuleNames is the rule names filter.

  • type string[]

    Types is the firewall audit type filter.

  • effect string

    Effect is used to filter by runtime audit effect.

  • ruleAppID string[]

    RuleAppIDs is the rule app IDs filter.

  • function string[]

    FunctionName is used to filter by function name.

  • runtime string[]

    Runtime is used to filter by runtime.

  • ns string[]

    Namespaces is the list of namespaces to use for filtering.

  • appID string[]

    AppIDs is the app embedded appID filter.

  • subnet string[]

    Subnets is the source IPs filter.

  • connectingIPs string[]

    ConnectingIPs is the connecting IPs filter.

  • country string[]

    Countries is the source IP country filter.

  • userAgentHeader string[]

    UserAgents is the user agent header filter.

  • url string[]

    URLs is the URL filter.

  • requestHost string[]

    RequestHosts is the request host filter.

  • urlPath string[]

    Paths is the URL path filter.

  • urlQuery string[]

    Queries is the URL query filter.

  • method string[]

    Methods is the request method filter.

  • requestHeaderNames string[]

    RequestHeaderNames is the request header names filter.

  • os string[]

    OS is the OS filter.

  • msg string[]

    Messages is the audit message text filter.

  • cluster string[]

    Cluster is the audit cluster filter.

  • attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

  • aggregate boolean

    Aggregate indicates whether the result audits should be aggregated according to the Select field.

  • protection string[]

    Protections is the firewall audit protection type filter.

  • eventID string[]

    EventID is the event IDs filter.

  • owaspTop10 string[]

    OWASPTop10 is the OWASP top 10 filter.

  • owaspAPITop10 string[]

    OWASPAPITop10 is the OWASP API top 10 filter.

  • buckets integer

    Buckets is the number of buckets to return.

Responses


Schema
  • Array [
  • count integer

    Count is the number of audit occurrences.

  • end date-time

    End is the end time of the bucket.

  • start date-time

    Start is the start time of the bucket.

  • ]