Get WAAS Serverless Audit Events for a Timeframe
Retrieves all serverless Web-Application and API Security (WAAS) audit buckets based on a specified query time frame in UTC.
Note: These are based on violations of WAAS policies defined under Defend > WAAS > Serverless > Serverless WAAS Policy.
Use the following mandatory query parameters to fetch results:
- from: Specifies the start time, in UTC, of the period for which audit events are returned.
- to: Specifies the end time, in UTC, of the period for which audit events are returned.
- buckets: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Values in the range 1-100 are accepted.
Refer to the following example cURL command that retrieves the serverless WAAS audit events for a :
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
Each bucket in the response contains the following fields:
- start: Specifies the start time of the bucket in date-time UTC format.
- end: Specifies the end time of the bucket in date-time UTC format.
- count: Specifies the number of audit occurrences.
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string
Scopes the query by cloud provider.
- accountIDs string
Filters the result based on cloud account IDs.
- resourceIDs string
Scopes the query by resource ID.
- region string
Scopes the query by cloud region.
- fields string
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- from date-time
From is an optional minimum time constraint for the audit.
- to date-time
To is an optional maximum time constraint for the audit.
- imageName string
Images is the image names filter.
- containerName string
Containers is the container names filter.
- hostname string
Hosts is the hostnames filter.
- ruleName string
RuleNames is the rule names filter.
- type string
Types is the firewall audit type filter.
- effect string
Effect is used to filter by runtime audit effect.
- ruleAppID string
RuleAppIDs is the rule app IDs filter.
- function string
FunctionName is used to filter by function name.
- runtime string
Runtime is used to filter by runtime.
- ns string
Namespaces is the list of namespaces to use for filtering.
- appID string
AppIDs is the app embedded appID filter.
- subnet string
Subnets is the source IPs filter.
- connectingIPs string
ConnectingIPs is the connecting IPs filter.
- country string
Countries is the source IP country filter.
- userAgentHeader string
UserAgents is the user agent header filter.
- url string
URLs is the URL filter.
- requestHost string
RequestHosts is the request host filter.
- urlPath string
Paths is the URL path filter.
- urlQuery string
Queries is the URL query filter.
- method string
Methods is the request method filter.
- requestHeaderNames string
RequestHeaderNames is the request header names filter.
- os string
OS is the OS filter.
- msg string
Messages is the audit message text filter.
- cluster string
Cluster is the audit cluster filter.
- attackTechniques string
AttackTechniques are the MITRE attack techniques.
- aggregate boolean
Aggregate indicates whether the result audits should be aggregated according to the Select field.
- protection string
Protections is the firewall audit protection type filter.
- eventID string
EventID is the event IDs filter.
- owaspTop10 string
OWASPTop10 is the OWASP top 10 filter.
- owaspAPITop10 string
OWASPAPITop10 is the OWASP API top 10 filter.
- buckets integer
Buckets is the number of buckets to return.
Response schema: an array of buckets, each with the following fields:
- count integer
Count is the number of audit occurrences.
- end date-time
End is the end time of the bucket.
- start date-time
Start is the start time of the bucket.
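The following Python sketch is an added example, not part of the Prisma Cloud documentation. It validates the mandatory from, to and buckets parameters described above and flags buckets whose count stands out from the rest. The `ENDPOINT` placeholder, the RFC 3339 timestamp format, the helper names, the spike thresholds and the sample response are all assumptions made for illustration.

```python
from datetime import datetime, timezone
from statistics import median
from urllib.parse import urlencode

# Placeholder: the request URL is not shown in the page's cURL example.
ENDPOINT = "https://<CONSOLE>/<ENDPOINT_PATH>"


def to_utc(t):
    """Format an aware datetime as an RFC 3339 UTC string (assumed format)."""
    if t.tzinfo is None:
        raise ValueError("from/to must be timezone-aware")
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_query(start, end, buckets):
    """Validate and encode the mandatory from, to and buckets parameters."""
    frm, to = to_utc(start), to_utc(end)
    if start >= end:
        raise ValueError("from must be earlier than to")
    if isinstance(buckets, bool) or not isinstance(buckets, int) \
            or not 1 <= buckets <= 100:
        raise ValueError("buckets must be an integer in the range 1-100")
    return urlencode({"from": frm, "to": to, "buckets": buckets})


def spike_buckets(buckets, factor=3.0, floor=5):
    """Return buckets whose count exceeds max(floor, factor * median count)."""
    buckets = buckets or []  # tolerate an empty or null response body
    if not buckets:
        return []
    threshold = max(floor, factor * median(b["count"] for b in buckets))
    return [b for b in buckets if b["count"] > threshold]


# Constructed sample response (not real data): one day split into 4 buckets.
SAMPLE = [
    {"start": "2024-01-01T00:00:00Z", "end": "2024-01-01T06:00:00Z", "count": 2},
    {"start": "2024-01-01T06:00:00Z", "end": "2024-01-01T12:00:00Z", "count": 3},
    {"start": "2024-01-01T12:00:00Z", "end": "2024-01-01T18:00:00Z", "count": 41},
    {"start": "2024-01-01T18:00:00Z", "end": "2024-01-02T00:00:00Z", "count": 4},
]

if __name__ == "__main__":
    day = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(ENDPOINT + "?" + build_query(day, day.replace(day=2), len(SAMPLE)))
    for b in spike_buckets(SAMPLE):
        print("spike:", b["start"], b["end"], b["count"])
```

A flagged bucket gives the start and end values to pass as from and to in a narrower follow-up query.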