Skip to main content

Get WAAS Host Audit Events

GET 
/api/v34.00/audits/firewall/app/host
x-prisma-cloud-target-env: {"permission":"monitorWAAS"}

Retrieves all host Web-Application and API Security (WAAS) audit events.

Note: These are based on violations of WAAS policies defined under Defend > WAAS > Host > Host WAAS Policy.

cURL Request

Refer to the following example cURL command that retrieves all host WAAS audit events:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/firewall/app/host"

cURL Response

{
   "_id": "636ab7190487e34d5461a141",
   "profileId": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
   "time": "2022-11-08T20:07:53Z",
   "hostname": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
   "fqdn": "",
   "effect": "alert",
   "ruleName": "rhe7-host_22_11_384_host",
   "ruleAppID": "cggseacq",
   "msg": "Detected Local File Inclusion attack in request body, match ../, value ../../",
   "host": true,
   "containerName": "",
   "containerId": "",
   "imageName": "",
   "appID": "",
   "type": "lfi",
   "count": 1,
   "region": "us-central1-a",
   "version": "22.11.384",
   "accountID": "twistlock-test-247119",
   "url": "10.181.239.16:2001/",
   "userAgentHeader": "python-requests/2.27.1",
   "method": "POST",
   "urlPath": "/",
   "subnet": "10.180.30.249",
   "requestHeaders": "POST / HTTP/1.1\r\nHost: 10.181.239.16:2001\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n",
   "requestHost": "10.181.239.16:2001",
   "requestHeaderNames": [
     "Accept",
     "Accept-Encoding",
     "Connection",
     "Content-Length",
     "User-Agent"
   ],
   "responseHeaderNames": [
     "Content-Length",
     "Content-Type",
     "Date",
     "Server"
   ],
   "statusCode": 404,
   "collections": [
     "All",
     "rhe7-host_mhm",
     "compliance_rhe7_hhk",
     "waas_collection_host_rhe7-host_22_11_384_hpx"
   ],
   "resource": {
     "hosts": [
       "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal"
     ],
     "accountIDs": [
       "twistlock-test-247119"
     ]
   },
   "attackTechniques": [
     "exploitPublicFacingApplication",
     "applicationExploitRCE"
   ],
   "protection": "firewall",
   "attackField": {
     "value": "../../",
     "type": "rawBody"
   },
   "eventID": "306032c4-2175-6d95-7a2c-c9abacfc9cb6",
   "provider": "gcp"
 }

Request

Responses