Get WAAS Host Audit Events
x-prisma-cloud-target-env: {"permission":"monitorWAAS","saas":true,"self-hosted":true}
x-public: true
Retrieves all host Web-Application and API Security (WAAS) audit events.
Note: These are based on violations of WAAS policies defined under Defend > WAAS > Host > Host WAAS Policy.
cURL Request
Refer to the following example cURL command that retrieves all host WAAS audit events:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/app/host"
cURL Response
{
"_id": "636ab7190487e34d5461a141",
"profileId": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
"time": "2022-11-08T20:07:53Z",
"hostname": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
"fqdn": "",
"effect": "alert",
"ruleName": "rhe7-host_22_11_384_host",
"ruleAppID": "cggseacq",
"msg": "Detected Local File Inclusion attack in request body, match ../, value ../../",
"host": true,
"containerName": "",
"containerId": "",
"imageName": "",
"appID": "",
"type": "lfi",
"count": 1,
"region": "us-central1-a",
"version": "22.11.384",
"accountID": "twistlock-test-247119",
"url": "10.181.239.16:2001/",
"userAgentHeader": "python-requests/2.27.1",
"method": "POST",
"urlPath": "/",
"subnet": "10.180.30.249",
"requestHeaders": "POST / HTTP/1.1\r\nHost: 10.181.239.16:2001\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n",
"requestHost": "10.181.239.16:2001",
"requestHeaderNames": [
"Accept",
"Accept-Encoding",
"Connection",
"Content-Length",
"User-Agent"
],
"responseHeaderNames": [
"Content-Length",
"Content-Type",
"Date",
"Server"
],
"statusCode": 404,
"collections": [
"All",
"rhe7-host_mhm",
"compliance_rhe7_hhk",
"waas_collection_host_rhe7-host_22_11_384_hpx"
],
"resource": {
"hosts": [
"jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal"
],
"accountIDs": [
"twistlock-test-247119"
]
},
"attackTechniques": [
"exploitPublicFacingApplication",
"applicationExploitRCE"
],
"protection": "firewall",
"attackField": {
"value": "../../",
"type": "rawBody"
},
"eventID": "306032c4-2175-6d95-7a2c-c9abacfc9cb6",
"provider": "gcp"
}
Query Parameters
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string[]
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string[]
Scopes the query by cloud provider.
- accountIDs string[]
Filters the result based on cloud account IDs.
- resourceIDs string[]
Scopes the query by resource ID.
- region string[]
Scopes the query by cloud region.
- fields string[]
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- from date-time
From is an optional minimum time constraint for the audit.
- to date-time
To is an optional maximum time constraint for the audit.
- imageName string[]
Images is the image names filter.
- containerName string[]
Containers is the container names filter.
- hostname string[]
Hosts is the hostnames filter.
- ruleName string[]
RuleNames is the rule names filter.
- type string[]
Types is the firewall audit type filter.
- effect string
Effect is used to filter by runtime audit effect.
- ruleAppID string[]
RuleAppIDs is the rule app IDs filter.
- function string[]
FunctionName is used to filter by function name.
- runtime string[]
Runtime is used to filter by runtime.
- ns string[]
Namespaces is the list of namespaces to use for filtering.
- appID string[]
AppIDs is the app embedded appID filter.
- subnet string[]
Subnets is the source IPs filter.
- connectingIPs string[]
ConnectingIPs is the connecting IPs filter.
- country string[]
Countries is the source IP country filter.
- userAgentHeader string[]
UserAgents is the user agent header filter.
- url string[]
URLs is the URL filter.
- requestHost string[]
RequestHosts is the request host filter.
- urlPath string[]
Paths is the URL path filter.
- urlQuery string[]
Queries is the URL query filter.
- method string[]
Methods is the request method filter.
- requestHeaderNames string[]
RequestHeaderNames is the request header names filter.
- os string[]
OS is the OS filter.
- msg string[]
Messages is the audit message text filter.
- cluster string[]
Cluster is the audit cluster filter.
- attackTechniques string[]
AttackTechniques are the MITRE attack techniques.
- aggregate boolean
Aggregate indicates whether the result audits should be aggregated according to the Select field.
- protection string[]
Protections is the firewall audit protection type filter.
- eventID string[]
EventID is the event IDs filter.
- owaspTop10 string[]
OWASPTop10 is the OWASP top 10 filter.
- owaspAPITop10 string[]
OWASPAPITop10 is the OWASP API top 10 filter.
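The cURL request and the query parameters above, worked into a small Python client. This is an added example, not Prisma Cloud's own code: it builds the endpoint URL with the documented filters, pages through results with offset/limit (the limit cap is per the parameter docs), and tallies the returned audits so a defender can spot attacks that were only alerted on rather than blocked. The console name, version and credentials are placeholders, and the sample event is constructed from the response shown above.

```python
import base64, json, urllib.request
from collections import Counter
from urllib.parse import urlencode

# Constructed sample, shaped like the cURL response above (fields trimmed).
SAMPLE_EVENTS = [{
    "time": "2022-11-08T20:07:53Z", "effect": "alert", "type": "lfi", "count": 1,
    "subnet": "10.180.30.249", "hostname": "host-a.internal",
    "attackField": {"value": "../../", "type": "rawBody"},
    "attackTechniques": ["exploitPublicFacingApplication", "applicationExploitRCE"],
}]

def build_audit_url(console, version, **params):
    """URL for GET /api/v<VERSION>/audits/firewall/app/host; list-valued
    filters (type, effect, hostname, ...) are repeated as key=value pairs."""
    base = f"https://{console}/api/v{version}/audits/firewall/app/host"
    query = urlencode({k: v for k, v in params.items() if v is not None}, doseq=True)
    return f"{base}?{query}" if query else base

def fetch_page(console, version, user, password, **params):
    """One page via HTTP basic auth, as in the cURL example. TLS is verified
    here (the example's `curl -k` disables that)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(build_audit_url(console, version, **params),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp) or []   # Console may return null when nothing matches

def iter_audits(page_fn, limit=50, **filters):
    """Walk every page: `limit` is capped by the Console (50 PCEE / 250 PCCE),
    so advance `offset` until a page comes back short."""
    offset = 0
    while True:
        page = page_fn(offset=offset, limit=limit, **filters)
        yield from page
        if len(page) < limit:
            return
        offset += limit

def summarize(events):
    """Tally hits per attack type and per effect, and list the events that
    were only alerted on (effect "alert"), i.e. seen but not blocked."""
    by_type, by_effect, unblocked = Counter(), Counter(), []
    for ev in events:
        n = ev.get("count", 1)
        by_type[ev["type"]] += n
        by_effect[ev["effect"]] += n
        if ev["effect"] == "alert":
            unblocked.append((ev["time"], ev["subnet"], ev["type"], ev["attackField"]["value"]))
    return by_type, by_effect, unblocked
```

Against a live Console, bind `fetch_page` with your credentials (for example via `functools.partial`) and pass it to `iter_audits` together with filters such as `type=["lfi", "sqli"]` or a `from`/`to` window.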
Response
- 200 (default), application/json
Schema
- Array [
- _id string
ID is internal id representation.
- accountID string
AccountID is the cloud account ID where the audit was generated.
- appID string
AppID is the application ID.
- attackField object
HTTPField is used to perform checks on flags and fields.
- key string
Key is the key of the field, if it exists (e.g. header and cookie).
- type waas.HTTPFieldType
Possible values: [
method,xmlBody,jsonBody,formBody,multipartBody,rawBody,protobufBody,query,queryParamName,cookie,header,url
]
HTTPFieldType indicates the type of HTTP field.
- value string
Value is the value of the field, if it exists.
- attackTechniques mitre.Technique[]
Possible values: [
exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery
]
AttackTechniques are the MITRE attack techniques.
- cluster string
Cluster is the cluster on which the audit was originated.
- collections string[]
Collections are collections to which this audit applies.
- connectingIPs string[]
ConnectingIPs are the requests connecting IPs such as proxy and load-balancer.
- containerId string
ContainerID is the firewall container ID.
- containerName string
ContainerName is the firewall container name.
- count integer
Count is the number of audit occurrences.
- country string
Country is the source IP country.
- effect waas.Effect
Possible values: [
ban,prevent,alert,allow,disable,reCAPTCHA
]
Effect is the effect that will be used in the rule.
- eventID string
EventID is the event identifier of the audit relevant request.
- firewallType waas.FirewallType
Possible values: [
host-proxy,host-out-of-band,container-proxy,container-out-of-band,app-embedded,agentless
]
FirewallType represents the firewall type.
- fqdn string
FQDN is the current hostname's FQDN.
- function string
Function is the name of the serverless function that caused the audit.
- functionID string
FunctionID is the id of the function called.
- host boolean
Host indicates that this audit is for a host firewall, an out-of-band firewall, or an agentless firewall.
- hostname string
Hostname is the current hostname.
- imageName string
ImageName is the firewall image name.
- labels object
Labels are the custom labels associated with the container.
property name* string
- method string
HTTPMethod is the request HTTP method.
- msg string
Message is the blocking message text.
- ns string[]
Namespaces are the k8s namespaces.
- os string
OS is the operating system distribution.
- owaspAPITop10 waas.OWASPAPITop10
Possible values: [
excessiveDataExposure,lackOfResources&RateLimiting,brokenFunctionLevelAuthorization,securityMisconfiguration,injection
]
OWASPAPITop10 represents OWASP API top 10 attacks.
- owaspTop10 waas.OWASPTop10
Possible values: [
brokenAccessControl,cryptographicFailures,injection,insecureDesign
]
OWASPTop10 represents OWASP top 10 attacks.
- profileId string
ProfileID is the profile of the audit.
- protection waas.Protection
Possible values: [
firewall,dos,bot,custom,accessControl
]
Protection is the type of protection.
- provider common.CloudProvider
Possible values: [
aws,azure,gcp,alibaba,oci,others
]
CloudProvider specifies the cloud provider name.
- rawEvent string
RawEvent contains unparsed function handler event input.
- region string
Region is the name of the region in which the serverless function is located.
- requestHeaderNames string[]
RequestHeaderNames are the request header names.
- requestHeaders string
RequestHeaders represent the request headers.
- requestHost string
RequestHost is the request host.
- requestID string
RequestID is the Lambda function invocation request ID.
- resource object
RuntimeResource represents which resource in the system a rule applies to (e.g., a specific host or image). An empty resource or wildcard (*) represents all resources of a given type.
- accountIDs string[]
List of account IDs.
- appIDs string[]
List of application IDs.
- clusters string[]
List of Kubernetes cluster names.
- codeRepos string[]
List of code repositories.
- containers string[]
List of containers.
- functions string[]
List of functions.
- hosts string[]
List of hosts.
- images string[]
List of images.
- labels string[]
List of labels.
- namespaces string[]
List of Kubernetes namespaces.
- responseHeaderNames string[]
ResponseHeaderNames are the response header names.
- ruleAppID string
RuleAppID is the ID of the rule's app that was applied.
- ruleName string
RuleName is the name of the rule that was applied.
- runtime shared.LambdaRuntimeType
Possible values: [
python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7
]
LambdaRuntimeType represents the runtime type of the serverless function. The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime
- statusCode integer
StatusCode is the response status code.
- subnet string
Subnet is the source IP subnet.
- time date-time
Time is the UTC time of the audit event.
- type waas.AttackType
Possible values: [
xss,sqli,cmdi,lfi,codeInjection,deniedIP,deniedCountry,header,violationsExceeded,attackTools,shellshock,disallowedFile,malformedRequest,inspectionLimitExceeded,informationLeak,unexpectedAPI,dos,searchEngineCrawler,businessAnalyticsBot,educationalBot,newsBot,financialBot,contentFeedClient,archivingBot,careerSearchBot,mediaSearchBot,genericBot,webAutomationTool,webScraper,apiLibrary,httpLibrary,sessionValidation,javascriptTimeout,missingCookie,browserImpersonation,botImpersonation,requestAnomalies,userDefinedBot,recaptchaRequired,recaptchaVerificationFailed,customRule
]
AttackType is the type of the attack.
- url string
URL is the request's full URL (partial on the server side: path and query only).
- urlPath string
URLPath is the request's URL path.
- urlQuery string
URLQuery is the request's URL query.
- userAgentHeader string
UserAgentHeader is the request's User-Agent header.
- version string
Version is the defender version.
- ]
[
{
"_id": "string",
"accountID": "string",
"appID": "string",
"attackField": {
"key": "string",
"type": [
"method",
"xmlBody",
"jsonBody",
"formBody",
"multipartBody",
"rawBody",
"protobufBody",
"query",
"queryParamName",
"cookie",
"header",
"url"
],
"value": "string"
},
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"cluster": "string",
"collections": [
"string"
],
"connectingIPs": [
"string"
],
"containerId": "string",
"containerName": "string",
"count": 0,
"country": "string",
"effect": [
"ban",
"prevent",
"alert",
"allow",
"disable",
"reCAPTCHA"
],
"eventID": "string",
"firewallType": [
"host-proxy",
"host-out-of-band",
"container-proxy",
"container-out-of-band",
"app-embedded",
"agentless"
],
"fqdn": "string",
"function": "string",
"functionID": "string",
"host": true,
"hostname": "string",
"imageName": "string",
"labels": {},
"method": "string",
"msg": "string",
"ns": [
"string"
],
"os": "string",
"owaspAPITop10": [
"excessiveDataExposure",
"lackOfResources&RateLimiting",
"brokenFunctionLevelAuthorization",
"securityMisconfiguration",
"injection"
],
"owaspTop10": [
"brokenAccessControl",
"cryptographicFailures",
"injection",
"insecureDesign"
],
"profileId": "string",
"protection": [
"firewall",
"dos",
"bot",
"custom",
"accessControl"
],
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"rawEvent": "string",
"region": "string",
"requestHeaderNames": [
"string"
],
"requestHeaders": "string",
"requestHost": "string",
"requestID": "string",
"resource": {
"accountIDs": [
"string"
],
"appIDs": [
"string"
],
"clusters": [
"string"
],
"codeRepos": [
"string"
],
"containers": [
"string"
],
"functions": [
"string"
],
"hosts": [
"string"
],
"images": [
"string"
],
"labels": [
"string"
],
"namespaces": [
"string"
]
},
"responseHeaderNames": [
"string"
],
"ruleAppID": "string",
"ruleName": "string",
"runtime": [
"python",
"python3.6",
"python3.7",
"python3.8",
"python3.9",
"nodejs12.x",
"nodejs14.x",
"dotnetcore2.1",
"dotnetcore3.1",
"dotnet6",
"java8",
"java11",
"ruby2.7"
],
"statusCode": 0,
"subnet": "string",
"time": "2023-06-07T22:06:28.935Z",
"type": [
"xss",
"sqli",
"cmdi",
"lfi",
"codeInjection",
"deniedIP",
"deniedCountry",
"header",
"violationsExceeded",
"attackTools",
"shellshock",
"disallowedFile",
"malformedRequest",
"inspectionLimitExceeded",
"informationLeak",
"unexpectedAPI",
"dos",
"searchEngineCrawler",
"businessAnalyticsBot",
"educationalBot",
"newsBot",
"financialBot",
"contentFeedClient",
"archivingBot",
"careerSearchBot",
"mediaSearchBot",
"genericBot",
"webAutomationTool",
"webScraper",
"apiLibrary",
"httpLibrary",
"sessionValidation",
"javascriptTimeout",
"missingCookie",
"browserImpersonation",
"botImpersonation",
"requestAnomalies",
"userDefinedBot",
"recaptchaRequired",
"recaptchaVerificationFailed",
"customRule"
],
"url": "string",
"urlPath": "string",
"urlQuery": "string",
"userAgentHeader": "string",
"version": "string"
}
]