Get CNNS Container Audit Events
x-prisma-cloud-target-env: {"permission":"monitorCNNF","saas":true,"self-hosted":true}
x-public: true
Retrieves all Cloud Native Network Segmentation (CNNS) container audit events.
For more information, see the Cloud Native Network Segmentation (CNNS)
For containers, rules are defined between:
- Image to image.
- Image to an external network not protected by Prisma Cloud.
- Image to DNS domain.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/network/container"
cURL Response
{
"_id": "localhost",
"time": "2022-11-14T11:02:43.151Z",
"total": 1,
"resource": {
"images": [
""
]
},
"collections": [
"All",
"user123"
],
"audits": {
"unexpectedConnection": {
"count": 1,
"audits": [
{
"ruleID": 4,
"time": "2022-11-14T11:02:43.151Z",
"type": "unexpectedConnection",
"srcProfileID": "sha256:8d5df41c547bd107c14368ad302efc46760940ae188df451cabc23e10f7f161b_user_tkgi-users",
"dstProfileID": "20",
"srcProfileHash": 228,
"srcContainerName": "users-ubuntu",
"dstContainerName": "",
"dstSubnet": "localhost",
"srcImageName": "docker.io/library/ubuntu:18.04",
"dstImageName": "",
"dstPort": 8000,
"block": false,
"count": 1,
"msg": "Unexpected connection to ip 127.0.0.1"
}
]
}
}
}
Query Parameters
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string[]
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string[]
Scopes the query by cloud provider.
- accountIDs string[]
Filters the result based on cloud account IDs.
- resourceIDs string[]
Scopes the query by resource ID.
- region string[]
Scopes the query by cloud region.
- fields string[]
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- from date-time
From is an optional minimum time constraints for the audits.
- to date-time
To is an optional maximum time constraints for the audits.
- srcImageName string[]
SrcImages are the source images filter.
- dstImageName string[]
DstImages are the destination images filter.
- block string
Block is the block/audit filter.
- 200
- default
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- _id string
ProfileID is the runtime profile ID.
audits object
Audits is a map from the audit sub-type to the audit events list.
property name* object (shared.ContainerNetworkFirewallSubtypeAudits)
ContainerNetworkFirewallSubtypeAudits represents the container network firewall sub type audits per profile
audits object[]
Audits are the container network firewall audits associated with the sub-type, limited to the determined capacity.
Array [block booleanBlock indicates whether the connection was blocked.
count integerCount is the event occurrences count.
dstContainerName stringDstContainerName is the destination container name.
dstDomain stringDstDomain is the destination domain that was queried.
dstImageName stringDstImage is the destination image name.
dstPort integerDstPort is the connection destination port.
dstProfileHash int64ProfileHash represents the profile hash It is allowed to contain up to uint32 numbers, and represented by int64 since mongodb does not support unsigned data types
dstProfileID stringDstProfileID is the destination profile ID.
dstSubnet stringDstSubnet is the destination subnet.
labels object
Labels are the custom labels associated with the target container.
property name*
stringmsg stringMessage is the event message.
ruleID cnnf.RuleIDRuleID represents the ID of each container network firewall policy rule
srcContainerName stringSrcContainerName is the source container name.
srcImageName stringSrcImage is the source image name.
srcProfileHash int64ProfileHash represents the profile hash It is allowed to contain up to uint32 numbers, and represented by int64 since mongodb does not support unsigned data types
srcProfileID stringSrcProfileID is the source profile ID.
time date-timeTime is the UTC time of the audit event.
type cnnf.NetworkFirewallAttackTypePossible values: [
unexpectedConnection
]NetworkFirewallAttackType is the network firewall type of attack
]count integerCount is the total count of the sub-type audits.
- cluster string
Cluster is the cluster from which the audit originated.
- collections string[]
Collections are collections to which this audit applies.
- imageName string
ImageName is the container image name.
- label string
Label represents the container deployment label.
- os string
OS is the operating system distribution.
resource object
RuntimeResource represents on which resource in the system a rule applies (e.g., specific host or image) Empty resource or wildcard (*) represents all resources of a given type
accountIDs string[]List of account IDs.
appIDs string[]List of application IDs.
clusters string[]List of Kubernetes cluster names.
codeRepos string[]List of code repositories.
containers string[]List of containers.
functions string[]List of functions.
hosts string[]List of hosts.
images string[]List of images.
labels string[]List of labels.
namespaces string[]List of Kubernetes namespaces.
- time date-time
Time is the UTC time of the last audit event.
- total integer
Total is the total count of audits per runtime profile.
- ]
[
{
"_id": "string",
"audits": {},
"cluster": "string",
"collections": [
"string"
],
"imageName": "string",
"label": "string",
"os": "string",
"resource": {
"accountIDs": [
"string"
],
"appIDs": [
"string"
],
"clusters": [
"string"
],
"codeRepos": [
"string"
],
"containers": [
"string"
],
"functions": [
"string"
],
"hosts": [
"string"
],
"images": [
"string"
],
"labels": [
"string"
],
"namespaces": [
"string"
]
},
"time": "2023-06-07T22:06:28.940Z",
"total": 0
}
]