
Get WAAS Host Audit Events

x-prisma-cloud-target-env: {"permission":"monitorWAAS","saas":true,"self-hosted":true}
x-public: true

Retrieves all host Web-Application and API Security (WAAS) audit events.

Note: These are based on violations of WAAS policies defined under Defend > WAAS > Host > Host WAAS Policy.

cURL Request

Refer to the following example cURL command that retrieves all host WAAS audit events:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/app/host"

cURL Response

{
"_id": "636ab7190487e34d5461a141",
"profileId": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
"time": "2022-11-08T20:07:53Z",
"hostname": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
"fqdn": "",
"effect": "alert",
"ruleName": "rhe7-host_22_11_384_host",
"ruleAppID": "cggseacq",
"msg": "Detected Local File Inclusion attack in request body, match ../, value ../../",
"host": true,
"containerName": "",
"containerId": "",
"imageName": "",
"appID": "",
"type": "lfi",
"count": 1,
"region": "us-central1-a",
"version": "22.11.384",
"accountID": "twistlock-test-247119",
"url": "10.181.239.16:2001/",
"userAgentHeader": "python-requests/2.27.1",
"method": "POST",
"urlPath": "/",
"subnet": "10.180.30.249",
"requestHeaders": "POST / HTTP/1.1\r\nHost: 10.181.239.16:2001\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n",
"requestHost": "10.181.239.16:2001",
"requestHeaderNames": [
"Accept",
"Accept-Encoding",
"Connection",
"Content-Length",
"User-Agent"
],
"responseHeaderNames": [
"Content-Length",
"Content-Type",
"Date",
"Server"
],
"statusCode": 404,
"collections": [
"All",
"rhe7-host_mhm",
"compliance_rhe7_hhk",
"waas_collection_host_rhe7-host_22_11_384_hpx"
],
"resource": {
"hosts": [
"jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal"
],
"accountIDs": [
"twistlock-test-247119"
]
},
"attackTechniques": [
"exploitPublicFacingApplication",
"applicationExploitRCE"
],
"protection": "firewall",
"attackField": {
"value": "../../",
"type": "rawBody"
},
"eventID": "306032c4-2175-6d95-7a2c-c9abacfc9cb6",
"provider": "gcp"
}

Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • from date-time

    From is an optional minimum time constraint for the audit.

  • to date-time

    To is an optional maximum time constraint for the audit.

  • imageName string[]

    Images is the image names filter.

  • containerName string[]

    Containers is the container names filter.

  • hostname string[]

    Hosts is the hostnames filter.

  • ruleName string[]

    RuleNames is the rule names filter.

  • type string[]

    Types is the firewall audit type filter.

  • effect string

    Effect is used to filter by runtime audit effect.

  • ruleAppID string[]

    RuleAppIDs is the rule app IDs filter.

  • function string[]

    FunctionName is used to filter by function name.

  • runtime string[]

    Runtime is used to filter by runtime.

  • ns string[]

    Namespaces is the list of namespaces to use for filtering.

  • appID string[]

    AppIDs is the app embedded appID filter.

  • subnet string[]

    Subnets is the source IPs filter.

  • connectingIPs string[]

    ConnectingIPs is the connecting IPs filter.

  • country string[]

    Countries is the source IP country filter.

  • userAgentHeader string[]

    UserAgents is the user agent header filter.

  • url string[]

    URLs is the URL filter.

  • requestHost string[]

    RequestHosts is the request host filter.

  • urlPath string[]

    Paths is the URL path filter.

  • urlQuery string[]

    Queries is the URL query filter.

  • method string[]

    Methods is the request method filter.

  • requestHeaderNames string[]

    RequestHeaderNames is the request header names filter.

  • os string[]

    OS is the OS filter.

  • msg string[]

    Messages is the audit message text filter.

  • cluster string[]

    Cluster is the audit cluster filter.

  • attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

  • aggregate boolean

    Aggregate indicates whether the result audits should be aggregated according to the Select field.

  • protection string[]

    Protections is the firewall audit protection type filter.

  • eventID string[]

    EventID is the event IDs filter.

  • owaspTop10 string[]

    OWASPTop10 is the OWASP top 10 filter.

  • owaspAPITop10 string[]

    OWASPAPITop10 is the OWASP API top 10 filter.
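The cURL request above fetches a single page; in practice you page through the results with offset and limit (capped at 50 on PCEE and 250 on PCCE) and narrow them with the filters listed in this section. The following Python script is an added example, not Prisma Cloud's own client code. It assumes basic authentication as in the cURL example, that array-valued parameters such as type or collections are encoded as repeated query keys, and that the Console is reachable over HTTPS; verify the list encoding against your Console before relying on it.

```python
"""Paginate host WAAS audit events with the query parameters documented above.

Added example, not Prisma Cloud's own client. Assumptions: basic auth as in
the cURL example; array-valued parameters (type, effect, collections, ...)
are encoded as repeated query keys; the Console is reachable over HTTPS.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List

# Per-page maximums stated on this page: 50 for PCEE (SaaS), 250 for PCCE.
MAX_LIMIT_PCEE = 50
MAX_LIMIT_PCCE = 250


def build_query(offset: int, limit: int, **filters) -> str:
    """Encode offset/limit plus any documented filter (type=[...], effect=...).

    `from` is a Python keyword, so pass time bounds via a dict: **{"from": ..., "to": ...}.
    """
    if offset < 0:
        raise ValueError("offset starts at 0")
    if not 1 <= limit <= MAX_LIMIT_PCCE:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT_PCCE}")
    params = {"offset": offset, "limit": limit}
    for key, value in filters.items():
        if value is None:
            continue
        # booleans such as reverse/aggregate are sent lowercase (assumption)
        if isinstance(value, bool):
            value = "true" if value else "false"
        params[key] = value
    # doseq=True turns a list into repeated keys: type=lfi&type=sqli (assumption)
    return urllib.parse.urlencode(params, doseq=True)


def audits_url(console: str, version: str, query: str) -> str:
    """Full URL for the host WAAS audits endpoint, mirroring the cURL example."""
    return f"https://{console}/api/v{version}/audits/firewall/app/host?{query}"


def http_fetcher(console: str, version: str, user: str, password: str) -> Callable[[str], List[dict]]:
    """Return a page fetcher that performs the real request (not exercised offline)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch(query: str) -> List[dict]:
        req = urllib.request.Request(
            audits_url(console, version, query),
            headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp) or []

    return fetch


def iter_audits(fetch_page: Callable[[str], List[dict]], limit: int, **filters) -> Iterator[dict]:
    """Yield every audit matching `filters`, advancing offset by `limit` until a short page."""
    offset = 0
    while True:
        page = fetch_page(build_query(offset, limit, **filters))
        if not page:
            return
        yield from page
        if len(page) < limit:  # short page: nothing left to fetch
            return
        offset += limit


if __name__ == "__main__":
    # Offline demo with a constructed fetcher; swap in http_fetcher(...) for a real Console.
    fake_store = [{"_id": f"constructed-{i}", "type": "lfi", "effect": "alert"} for i in range(7)]

    def fake_fetch(query: str) -> List[dict]:
        q = dict(p.split("=", 1) for p in query.split("&"))
        start = int(q["offset"])
        return fake_store[start:start + int(q["limit"])]

    window = {"from": "2022-11-08T00:00:00Z", "to": "2022-11-09T00:00:00Z"}
    for audit in iter_audits(fake_fetch, 3, type=["lfi", "sqli"], effect="alert", **window):
        print(audit["_id"])
```

The loop stops on the first page shorter than limit, so an exactly full final page costs one extra (empty) request; that is cheaper than a separate count call and keeps the fetcher interface to a single function, which is also what makes it testable offline.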

Responses

Schema
  • Array [
  • _id string

    ID is the internal ID representation.

  • accountID string

    AccountID is the cloud account ID where the audit was generated.

  • appID string

    AppID is the application ID.

  • attackField object

    HTTPField is used to perform checks on flags and fields.

  • key string

    Key is the key of the field, if exists (e.g. header and cookie).

  • type waas.HTTPFieldType

    Possible values: [method,xmlBody,jsonBody,formBody,multipartBody,rawBody,protobufBody,query,queryParamName,cookie,header,url]

    HTTPFieldType indicates the type of HTTP field.

  • value string

    Value is the value of the field, if exists.

  • attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    AttackTechniques are the MITRE attack techniques.

  • cluster string

    Cluster is the cluster on which the audit was originated.

  • collections string[]

    Collections are collections to which this audit applies.

  • connectingIPs string[]

    ConnectingIPs are the request's connecting IPs, such as a proxy or load balancer.

  • containerId string

    ContainerID is the firewall container ID.

  • containerName string

    ContainerName is the firewall container name.

  • count integer

    Count is the number of audit occurrences.

  • country string

    Country is the source IP country.

  • effect waas.Effect

    Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]

    Effect is the effect that will be used in the rule.

  • eventID string

    EventID is the event identifier of the audit relevant request.

  • firewallType waas.FirewallType

    Possible values: [host-proxy,host-out-of-band,container-proxy,container-out-of-band,app-embedded,agentless]

    FirewallType represents the firewall type.

  • fqdn string

    FQDN is the current hostname's FQDN.

  • function string

    Function is the name of the serverless function that caused the audit.

  • functionID string

    FunctionID is the ID of the function called.

  • host boolean

    Host indicates that this audit is for a host firewall, an out-of-band firewall, or an agentless firewall.

  • hostname string

    Hostname is the current hostname.

  • imageName string

    ImageName is the firewall image name.

  • labels object

    Labels are the custom labels associated with the container.

  • property name* string
  • method string

    HTTPMethod is the request HTTP method.

  • msg string

    Message is the blocking message text.

  • ns string[]

    Namespaces are the Kubernetes namespaces.

  • os string

    OS is the operating system distribution.

  • owaspAPITop10 waas.OWASPAPITop10

    Possible values: [excessiveDataExposure,lackOfResources&RateLimiting,brokenFunctionLevelAuthorization,securityMisconfiguration,injection]

    OWASPAPITop10 represents OWASP API top 10 attacks.

  • owaspTop10 waas.OWASPTop10

    Possible values: [brokenAccessControl,cryptographicFailures,injection,insecureDesign]

    OWASPTop10 represents OWASP top 10 attacks.

  • profileId string

    ProfileID is the profile of the audit.

  • protection waas.Protection

    Possible values: [firewall,dos,bot,custom,accessControl]

    Protection is the type of protection.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name.

  • rawEvent string

    RawEvent contains unparsed function handler event input.

  • region string

    Region is the name of the region in which the serverless function is located.

  • requestHeaderNames string[]

    RequestHeaderNames are the request header names.

  • requestHeaders string

    RequestHeaders represent the request headers.

  • requestHost string

    RequestHost is the request host.

  • requestID string

    RequestID is the Lambda function invocation request ID.

  • resource object

    RuntimeResource represents the resource in the system to which a rule applies (e.g., a specific host or image). An empty resource or a wildcard (*) represents all resources of a given type.

  • accountIDs string[]

    List of account IDs.

  • appIDs string[]

    List of application IDs.

  • clusters string[]

    List of Kubernetes cluster names.

  • codeRepos string[]

    List of code repositories.

  • containers string[]

    List of containers.

  • functions string[]

    List of functions.

  • hosts string[]

    List of hosts.

  • images string[]

    List of images.

  • labels string[]

    List of labels.

  • namespaces string[]

    List of Kubernetes namespaces.

  • responseHeaderNames string[]

    ResponseHeaderNames are the response header names.

  • ruleAppID string

    RuleAppID is the ID of the rule's app that was applied.

  • ruleName string

    RuleName is the name of the rule that was applied.

  • runtime shared.LambdaRuntimeType

    Possible values: [python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7]

    LambdaRuntimeType represents the runtime type of the serverless function. The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime

  • statusCode integer

    StatusCode is the response status code.

  • subnet string

    Subnet is the source IP subnet.

  • time date-time

    Time is the UTC time of the audit event.

  • type waas.AttackType

    Possible values: [xss,sqli,cmdi,lfi,codeInjection,deniedIP,deniedCountry,header,violationsExceeded,attackTools,shellshock,disallowedFile,malformedRequest,inspectionLimitExceeded,informationLeak,unexpectedAPI,dos,searchEngineCrawler,businessAnalyticsBot,educationalBot,newsBot,financialBot,contentFeedClient,archivingBot,careerSearchBot,mediaSearchBot,genericBot,webAutomationTool,webScraper,apiLibrary,httpLibrary,sessionValidation,javascriptTimeout,missingCookie,browserImpersonation,botImpersonation,requestAnomalies,userDefinedBot,recaptchaRequired,recaptchaVerificationFailed,customRule]

    AttackType is the type of the attack.

  • url string

    URL is the request's full URL (partial on the server side: path and query only).

  • urlPath string

    URLPath is the request's URL path.

  • urlQuery string

    URLQuery is the request's URL query.

  • userAgentHeader string

    UserAgentHeader is the request's User-Agent header.

  • version string

    Version is the defender version.

  • ]