Skip to main content

Get CNNS Container Audit Events



x-prisma-cloud-target-env: {"permission":"monitorCNNF","saas":true,"self-hosted":true}
x-public: true

Retrieves all Cloud Native Network Segmentation (CNNS) container audit events.

For more information, see the Cloud Native Network Segmentation (CNNS)

For containers, rules are defined between:

  • Image to image.
  • Image to an external network not protected by Prisma Cloud.
  • Image to DNS domain.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \

cURL Response

"_id": "localhost",
"time": "2022-11-14T11:02:43.151Z",
"total": 1,
"resource": {
"images": [
"collections": [
"audits": {
"unexpectedConnection": {
"count": 1,
"audits": [
"ruleID": 4,
"time": "2022-11-14T11:02:43.151Z",
"type": "unexpectedConnection",
"srcProfileID": "sha256:8d5df41c547bd107c14368ad302efc46760940ae188df451cabc23e10f7f161b_user_tkgi-users",
"dstProfileID": "20",
"srcProfileHash": 228,
"srcContainerName": "users-ubuntu",
"dstContainerName": "",
"dstSubnet": "localhost",
"srcImageName": "",
"dstImageName": "",
"dstPort": 8000,
"block": false,
"count": 1,
"msg": "Unexpected connection to ip"


Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Limit is the amount to fix.

    sort string

    Sorts the result using a key.

    reverse boolean

    Sorts the result in reverse order.

    from date-time

    From is an optional minimum time constraints for the audits.

    to date-time

    To is an optional maximum time constraints for the audits.

    srcImageName string[]

    SrcImages are the source images filter.

    dstImageName string[]

    DstImages are the destination images filter.

    block string

    Block is the block/audit filter.


  • Array [
  • _id string

    ProfileID is the runtime profile ID.

    audits object

    Audits is a map from the audit sub-type to the audit events list.

    property name* shared.ContainerNetworkFirewallSubtypeAudits

    ContainerNetworkFirewallSubtypeAudits represents the container network firewall sub type audits per profile

    audits object[]

    Audits are the container network firewall audits associated with the sub-type, limited to the determined capacity.

  • Array [
  • block boolean

    Block indicates whether the connection was blocked.

    count integer

    Count is the event occurrences count.

    dstContainerName string

    DstContainerName is the destination container name.

    dstDomain string

    DstDomain is the destination domain that was queried.

    dstImageName string

    DstImage is the destination image name.

    dstPort integer

    DstPort is the connection destination port.

    dstProfileHash int64

    ProfileHash represents the profile hash It is allowed to contain up to uint32 numbers, and represented by int64 since mongodb does not support unsigned data types

    dstProfileID string

    DstProfileID is the destination profile ID.

    dstSubnet string

    DstSubnet is the destination subnet.

    labels object

    Labels are the custom labels associated with the target container.

    property name* string (string)
    msg string

    Message is the event message.

    ruleID cnnf.RuleID (integer)

    RuleID represents the ID of each container network firewall policy rule

    srcContainerName string

    SrcContainerName is the source container name.

    srcImageName string

    SrcImage is the source image name.

    srcProfileHash int64

    ProfileHash represents the profile hash It is allowed to contain up to uint32 numbers, and represented by int64 since mongodb does not support unsigned data types

    srcProfileID string

    SrcProfileID is the source profile ID.

    time date-time

    Time is the UTC time of the audit event.

    type cnnf.NetworkFirewallAttackType (string)

    Possible values: [unexpectedConnection]

    NetworkFirewallAttackType is the network firewall type of attack

  • ]
  • count integer

    Count is the total count of the sub-type audits.

    cluster string

    Cluster is the cluster from which the audit originated.

    collections string (string)[]

    Collections are collections to which this audit applies.

    imageName string

    ImageName is the container image name.

    label string

    Label represents the container deployment label.

    os string

    OS is the operating system distribution.

    resource object

    RuntimeResource represents on which resource in the system a rule applies (e.g., specific host or image) Empty resource or wildcard (*) represents all resources of a given type

    accountIDs string (string)[]

    List of account IDs.

    appIDs string (string)[]

    List of application IDs.

    clusters string (string)[]

    List of Kubernetes cluster names.

    containers string (string)[]

    List of containers.

    functions string (string)[]

    List of functions.

    hosts string (string)[]

    List of hosts.

    images string (string)[]

    List of images.

    labels string (string)[]

    List of labels.

    namespaces string (string)[]

    List of Kubernetes namespaces.

    time date-time

    Time is the UTC time of the last audit event.

    total integer

    Total is the total count of audits per runtime profile.

  • ]