Get CNNS Container Audit Events

x-prisma-cloud-target-env: {"permission":"monitorCNNF","saas":true,"self-hosted":true}
x-public: true

Retrieves all Cloud Native Network Segmentation (CNNS) container audit events.

For more information, see the Cloud Native Network Segmentation (CNNS)

For containers, rules are defined between:

  • Image to image.
  • Image to an external network not protected by Prisma Cloud.
  • Image to DNS domain.

cURL Request

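Refer to the following example cURL command. The -k option disables TLS certificate verification; omit it when the Console presents a certificate that your client trusts.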

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/network/container"

cURL Response

{
  "_id": "localhost",
  "time": "2022-11-14T11:02:43.151Z",
  "total": 1,
  "resource": {
    "images": [
      ""
    ]
  },
  "collections": [
    "All",
    "user123"
  ],
  "audits": {
    "unexpectedConnection": {
      "count": 1,
      "audits": [
        {
          "ruleID": 4,
          "time": "2022-11-14T11:02:43.151Z",
          "type": "unexpectedConnection",
          "srcProfileID": "sha256:8d5df41c547bd107c14368ad302efc46760940ae188df451cabc23e10f7f161b_user_tkgi-users",
          "dstProfileID": "20",
          "srcProfileHash": 228,
          "srcContainerName": "users-ubuntu",
          "dstContainerName": "",
          "dstSubnet": "localhost",
          "srcImageName": "docker.io/library/ubuntu:18.04",
          "dstImageName": "",
          "dstPort": 8000,
          "block": false,
          "count": 1,
          "msg": "Unexpected connection to ip 127.0.0.1"
        }
      ]
    }
  }
}

Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • from date-time

    From is an optional minimum time constraint for the audits.

  • to date-time

    To is an optional maximum time constraint for the audits.

  • srcImageName string[]

    SrcImages are the source images filter.

  • dstImageName string[]

    DstImages are the destination images filter.

  • block string

    Block is the block/audit filter.

Responses


Schema
  • Array [
  • _id string

    ProfileID is the runtime profile ID.

  • audits object

    Audits is a map from the audit sub-type to the audit events list.

  • property name* object (shared.ContainerNetworkFirewallSubtypeAudits)

    ContainerNetworkFirewallSubtypeAudits represents the container network firewall sub-type audits per profile.

  • audits object[]

    Audits are the container network firewall audits associated with the sub-type, limited to the determined capacity.

  • Array [
  • block boolean

    Block indicates whether the connection was blocked.

  • count integer

    Count is the event occurrences count.

  • dstContainerName string

    DstContainerName is the destination container name.

  • dstDomain string

    DstDomain is the destination domain that was queried.

  • dstImageName string

    DstImage is the destination image name.

  • dstPort integer

    DstPort is the connection destination port.

  • dstProfileHash int64

    ProfileHash represents the profile hash. It may hold values up to the uint32 range and is represented as int64 because MongoDB does not support unsigned data types.

  • dstProfileID string

    DstProfileID is the destination profile ID.

  • dstSubnet string

    DstSubnet is the destination subnet.

  • labels object

    Labels are the custom labels associated with the target container.

  • property name* string
  • msg string

    Message is the event message.

  • ruleID cnnf.RuleID

    RuleID represents the ID of each container network firewall policy rule.

  • srcContainerName string

    SrcContainerName is the source container name.

  • srcImageName string

    SrcImage is the source image name.

  • srcProfileHash int64

    ProfileHash represents the profile hash. It may hold values up to the uint32 range and is represented as int64 because MongoDB does not support unsigned data types.

  • srcProfileID string

    SrcProfileID is the source profile ID.

  • time date-time

    Time is the UTC time of the audit event.

  • type cnnf.NetworkFirewallAttackType

    Possible values: [unexpectedConnection]

    NetworkFirewallAttackType is the network firewall type of attack.

  • ]
  • count integer

    Count is the total count of the sub-type audits.

  • cluster string

    Cluster is the cluster from which the audit originated.

  • collections string[]

    Collections are collections to which this audit applies.

  • imageName string

    ImageName is the container image name.

  • label string

    Label represents the container deployment label.

  • os string

    OS is the operating system distribution.

  • resource object

    RuntimeResource represents the resource in the system to which a rule applies (e.g., a specific host or image). An empty resource or a wildcard (*) represents all resources of a given type.

  • accountIDs string[]

    List of account IDs.

  • appIDs string[]

    List of application IDs.

  • clusters string[]

    List of Kubernetes cluster names.

  • codeRepos string[]

    List of code repositories.

  • containers string[]

    List of containers.

  • functions string[]

    List of functions.

  • hosts string[]

    List of hosts.

  • images string[]

    List of images.

  • labels string[]

    List of labels.

  • namespaces string[]

    List of Kubernetes namespaces.

  • time date-time

    Time is the UTC time of the last audit event.

  • total integer

    Total is the total count of audits per runtime profile.

  • ]
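
An added example (not part of the Prisma Cloud documentation): Python code that flattens the nested audits map described above into one row per event and totals the connections that were audited but not blocked (block is false), which are the flows a rule in alert mode let through. The sample data is constructed, the function names flatten and alert_only_flows are hypothetical, and the code accepts either a single object, as in the sample response, or the array the schema describes.

```python
import json
from collections import Counter

# Constructed sample in the documented shape; all values are made up.
SAMPLE = json.loads("""
[
  {"_id": "profile-a", "total": 3,
   "audits": {"unexpectedConnection": {"count": 3, "audits": [
     {"ruleID": 4, "type": "unexpectedConnection", "block": false, "count": 2,
      "srcImageName": "docker.io/library/ubuntu:18.04",
      "dstImageName": "", "dstSubnet": "localhost", "dstPort": 8000},
     {"ruleID": 7, "type": "unexpectedConnection", "block": true, "count": 1,
      "srcImageName": "docker.io/library/ubuntu:18.04",
      "dstImageName": "", "dstDomain": "example.test", "dstPort": 443}
   ]}}},
  {"_id": "profile-b", "total": 0, "audits": {}}
]
""")

def flatten(response):
    """Yield one dict per audit event from a bare object or a list of them."""
    records = response if isinstance(response, list) else [response]
    for rec in records:
        # "audits" maps sub-type -> {"count": n, "audits": [events]}
        for subtype, group in (rec.get("audits") or {}).items():
            for ev in group.get("audits") or []:
                # A rule targets an image, a DNS domain, or an external
                # network, so take the first destination field that is set.
                dst = (ev.get("dstImageName") or ev.get("dstDomain")
                       or ev.get("dstSubnet") or "unknown")
                yield {
                    "profile": rec.get("_id"),
                    "subtype": subtype,
                    "ruleID": ev.get("ruleID"),
                    "src": ev.get("srcImageName", ""),
                    "dst": dst,
                    "port": ev.get("dstPort"),
                    "blocked": bool(ev.get("block")),
                    "count": int(ev.get("count", 1)),
                }

def alert_only_flows(response):
    """Total occurrences per (src, dst, port) for events that were not blocked."""
    totals = Counter()
    for ev in flatten(response):
        if not ev["blocked"]:
            totals[(ev["src"], ev["dst"], ev["port"])] += ev["count"]
    return totals.most_common()
```
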