Skip to main content

Get WAAS Host Audit Events

GET 
/api/v31.02/audits/firewall/app/host
x-prisma-cloud-target-env: {"permission":"monitorWAAS","saas":true,"self-hosted":true}
x-public: true

Retrieves all host Web-Application and API Security (WAAS) audit events.

Note: These are based on violations of WAAS policies defined under Defend > WAAS > Host > Host WAAS Policy.

cURL Request

Refer to the following example cURL command that retrieves all host WAAS audit events:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/firewall/app/host"

cURL Response

{
   "_id": "636ab7190487e34d5461a141",
   "profileId": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
   "time": "2022-11-08T20:07:53Z",
   "hostname": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
   "fqdn": "",
   "effect": "alert",
   "ruleName": "rhe7-host_22_11_384_host",
   "ruleAppID": "cggseacq",
   "msg": "Detected Local File Inclusion attack in request body, match ../, value ../../",
   "host": true,
   "containerName": "",
   "containerId": "",
   "imageName": "",
   "appID": "",
   "type": "lfi",
   "count": 1,
   "region": "us-central1-a",
   "version": "22.11.384",
   "accountID": "twistlock-test-247119",
   "url": "10.181.239.16:2001/",
   "userAgentHeader": "python-requests/2.27.1",
   "method": "POST",
   "urlPath": "/",
   "subnet": "10.180.30.249",
   "requestHeaders": "POST / HTTP/1.1\r\nHost: 10.181.239.16:2001\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n",
   "requestHost": "10.181.239.16:2001",
   "requestHeaderNames": [
     "Accept",
     "Accept-Encoding",
     "Connection",
     "Content-Length",
     "User-Agent"
   ],
   "responseHeaderNames": [
     "Content-Length",
     "Content-Type",
     "Date",
     "Server"
   ],
   "statusCode": 404,
   "collections": [
     "All",
     "rhe7-host_mhm",
     "compliance_rhe7_hhk",
     "waas_collection_host_rhe7-host_22_11_384_hpx"
   ],
   "resource": {
     "hosts": [
       "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal"
     ],
     "accountIDs": [
       "twistlock-test-247119"
     ]
   },
   "attackTechniques": [
     "exploitPublicFacingApplication",
     "applicationExploitRCE"
   ],
   "protection": "firewall",
   "attackField": {
     "value": "../../",
     "type": "rawBody"
   },
   "eventID": "306032c4-2175-6d95-7a2c-c9abacfc9cb6",
   "provider": "gcp"
 }

Request

Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Limit is the amount to fix.

    sort string

    Sorts the result using a key.

    reverse boolean

    Sorts the result in reverse order.

    from date-time

    From is an optional minimum time constraints for the audit.

    to date-time

    To is an optional maximum time constraints for the audit.

    imageName string[]

    Images is the image names filter.

    containerName string[]

    Containers is the container names filter.

    hostname string[]

    Hosts is the hostnames filter.

    ruleName string[]

    RuleNames is the rule names filter.

    type string[]

    Types is the firewall audit type filter.

    effect string

    Effect is used to filter by runtime audit effect.

    ruleAppID string[]

    RuleAppIDs is the rule app IDs filter.

    function string[]

    FunctionName is used to filter by function name.

    runtime string[]

    Runtime is used to filter by runtime.

    ns string[]

    Namespaces is the list of namespaces to use for filtering.

    appID string[]

    AppIDs is the app embedded appID filter.

    subnet string[]

    Subnets is the source IPs filter.

    connectingIPs string[]

    ConnectingIPs is the connecting IPs filter.

    country string[]

    Countries is the source IP country filter.

    userAgentHeader string[]

    UserAgents is the user agent header filter.

    url string[]

    URLs is the URL filter.

    requestHost string[]

    RequestHosts is the request host filter.

    urlPath string[]

    Paths is the URL path filter.

    urlQuery string[]

    Queries is the URL query filter.

    method string[]

    Methods is the request method filter.

    requestHeaderNames string[]

    RequestHeaderNames is the request header names filter.

    os string[]

    OS is the OS filter.

    msg string[]

    Messages is the audit message text filter.

    cluster string[]

    Cluster is the audit cluster filter.

    attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

    aggregate boolean

    Aggregate indicates whether the result audits should be aggregated according to the Select field.

    protection string[]

    Protections is the firewall audit protection type filter.

    eventID string[]

    EventID is the event IDs filter.

    owaspTop10 string[]

    OWASPTop10 is the OWASP top 10 filter.

    owaspAPITop10 string[]

    OWASPAPITop10 is the OWASP API top 10 filter.

Responses

Schema
  • Array [
    • _id string

    ID is internal id representation.

    accountID string

    AccountID is the cloud account ID where the audit was generated.

    appID string

    AppID is the application ID.

    attackField object

    HTTPField is used to perform checks on flags and fields

    key string

    Key is the key of the field, if exists (e.g. header and cookie).

    type waas.HTTPFieldType

    Possible values: [method,xmlBody,jsonBody,formBody,multipartBody,rawBody,protobufBody,query,queryParamName,cookie,header,url]

    HTTPFieldType indicates type of http field

    value string

    Value is the value of the field, if exists.

    attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    AttackTechniques are the MITRE attack techniques.

    cloudProviderName prisma.ServiceProvider

    Possible values: [aws,azure,gcp,alibaba_cloud,oci,other]

    ServiceProvider represents service provider id or "other" in case it is non cloud.

    cluster string

    Cluster is the cluster on which the audit was originated.

    collections string[]

    Collections are collections to which this audit applies.

    connectingIPs string[]

    ConnectingIPs are the requests connecting IPs such as proxy and load-balancer.

    containerId string

    ContainerID is the firewall container ID.

    containerName string

    ContainerName is the firewall container name.

    count integer

    Count is the number of audit occurrences.

    country string

    Country is the source IP country.

    effect waas.Effect

    Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]

    Effect is the effect that will be used in the rule

    eventID string

    EventID is the event identifier of the audit relevant request.

    firewallType waas.FirewallType

    Possible values: [host-proxy,host-out-of-band,container-proxy,container-out-of-band,app-embedded,agentless]

    FirewallType represents the firewall type

    fqdn string

    FQDN is the current hostname's FQDN.

    function string

    Function is the name of the serverless function that caused the audit.

    functionID string

    FunctionID is the id of the function called.

    host boolean

    Host indicates this audit is either for host firewall or out of band firewall or agentless firewall.

    hostname string

    Hostname is the current hostname.

    imageID string

    ImageID is the firewall image ID.

    imageName string

    ImageName is the firewall image name.

    labels object

    Labels are the custom labels associated with the container.

    property name* string
    method string

    HTTPMethod is the request HTTP method.

    msg string

    Message is the blocking message text.

    ns string[]

    Namespaces are the k8s namespaces.

    os string

    OS is the operating system distribution.

    owaspAPITop10 waas.OWASPAPITop10

    Possible values: [excessiveDataExposure,lackOfResources&RateLimiting,brokenFunctionLevelAuthorization,securityMisconfiguration,injection]

    OWASPAPITop10 represents OWASP API top 10 attacks

    owaspTop10 waas.OWASPTop10

    Possible values: [brokenAccessControl,cryptographicFailures,injection,insecureDesign]

    OWASPTop10 represents OWASP top 10 attacks

    prismaAccountID string

    PrismaAccountID is the Prisma format account ID.

    prismaCloudProvider prisma.CloudType

    Possible values: [1,2,3,4,5,6]

    CloudType is the prisma cloud type of the resource that is used for policy verdict creation Cloud type values are documented here - https://docs.google.com/spreadsheets/d/1ZRlPl2IdEX22-7pSnqxeJGwwS0jyUbJJ16IkuPoiHMU

    prismaRegion string

    PrismaRegion is the Prisma format cloud region.

    profileId string

    ProfileID is the profile of the audit.

    protection waas.Protection

    Possible values: [firewall,dos,bot,custom,accessControl]

    Protection is the type of protection

    provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

    rawEvent string

    RawEvent contains unparsed function handler event input.

    region string

    Region is the name of the region in which the serverless function is located.

    requestHeaderNames string[]

    RequestHeaderNames are the request header names.

    requestHeaders string

    RequestHeaders represent the request headers.

    requestHost string

    RequestHost is the request host.

    requestID string

    RequestID is lambda function invocation request id.

    resource object

    RuntimeResource represents on which resource in the system a rule applies (e.g., specific host or image) Empty resource or wildcard (*) represents all resources of a given type

    accountIDs string[]

    List of account IDs.

    appIDs string[]

    List of application IDs.

    clusters string[]

    List of Kubernetes cluster names.

    codeRepos string[]

    List of code repositories.

    containers string[]

    List of containers.

    functions string[]

    List of functions.

    hosts string[]

    List of hosts.

    images string[]

    List of images.

    labels string[]

    List of labels.

    namespaces string[]

    List of Kubernetes namespaces.

    responseHeaderNames string[]

    ResponseHeaderNames are the response header names.

    ruleAppID string

    RuleAppID is the ID of the rule's app that was applied.

    ruleName string

    RuleName is the name of the rule that was applied.

    runtime shared.LambdaRuntimeType

    Possible values: [python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7]

    LambdaRuntimeType represents the runtime type of the serverless function The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime

    statusCode integer

    StatusCode is the response status code.

    subnet string

    Subnet is the source IP subnet.

    time date-time

    Time is the UTC time of the audit event.

    type waas.AttackType

    Possible values: [xss,sqli,cmdi,lfi,codeInjection,deniedIP,deniedCountry,header,violationsExceeded,attackTools,shellshock,disallowedFile,malformedRequest,inspectionLimitExceeded,informationLeak,unexpectedAPI,dos,searchEngineCrawler,businessAnalyticsBot,educationalBot,newsBot,financialBot,contentFeedClient,archivingBot,careerSearchBot,mediaSearchBot,genericBot,webAutomationTool,webScraper,apiLibrary,httpLibrary,sessionValidation,javascriptTimeout,missingCookie,browserImpersonation,botImpersonation,requestAnomalies,userDefinedBot,recaptchaRequired,recaptchaVerificationFailed,customRule]

    AttackType is the type of the attack

    url string

    URL is the requests full URL (partial on server side - path and query only).

    urlPath string

    URLPath is the requests url path.

    urlQuery string

    URLQuery is the requests url query.

    userAgentHeader string

    UserAgentHeader is the requests User-Agent header.

    version string

    Version is the defender version.

    workloadAssetType prisma.AssetType

    Possible values: [15,16,39,45,65,5051,5070,7075,7077,10523,10524,10562,15000,20028,20042,20125,20126,20127,25001,30012,30013,30014,30015,30016,30018,30020]

    AssetType is the integral value that we need to pass to PC in the UAI and Unified Alerts integrations to identify the asset type Mappings of the asset types agreed upon with PC can be found here - https://docs.google.com/spreadsheets/d/1M0Aj5U4vpFGEnpd0v_xK-CsxSH4lovE7p93hkzE4DTY Additional asset types can be found here - https://redlock.atlassian.net/browse/RLP-57240 This value will be identical to resource api id in case of Unified Alerts

    workloadExternalResourceID string

    WorkloadExternalResourceID is the workload external resource ID (Asset External ID).

  • ]
Loading...