Get CNNS Host Audit Events

x-prisma-cloud-target-env: {"permission":"monitorCNNF","saas":true,"self-hosted":true}
x-public: true

Retrieves all Cloud Native Network Segmentation (CNNS) host audits.

For hosts, rules are defined between:

• Host to host.
• Host to an external network not protected by Prisma Cloud

cURL Request

Refer to the following example cURL command:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/firewall/network/host"

cURL Response

{
   "_id": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
   "time": "2022-11-08T20:22:52.207Z",
   "total": 4,
   "resource": {
     "hosts": [
       "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
       "john-photon-v3-0811t165011-host-def-pre-lngcon230"
     ],
     "accountIDs": [
       "twistlock-test-247119"
     ]
   },
   "collections": [
     "All",
     "registry_scan_container_cen8-container_22_11_384_piu",
     "photon-v3-host_crn",
     "compliance_photon_etz",
     "cnnf_cen8_client_itu",
     "cnnf_photon_server_fsr"
   ],
   "audits": {
     "unexpectedConnection": {
       "count": 4,
       "audits": [
         {
           "ruleID": 15,
           "time": "2022-11-08T20:22:52.207Z",
           "type": "unexpectedConnection",
           "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
           "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
           "dstPort": 80,
           "block": false,
           "count": 1,
           "accountID": "twistlock-test-247119"
         },
         {
           "ruleID": 15,
           "time": "2022-11-08T20:22:48.175Z",
           "type": "unexpectedConnection",
           "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
           "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
           "dstPort": 80,
           "block": false,
           "count": 1,
           "accountID": "twistlock-test-247119"
         },
         {
           "ruleID": 15,
           "time": "2022-11-08T20:22:46.127Z",
           "type": "unexpectedConnection",
           "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
           "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
           "dstPort": 80,
           "block": false,
           "count": 1,
           "accountID": "twistlock-test-247119"
         },
         {
           "ruleID": 15,
           "time": "2022-11-08T20:22:45.122Z",
           "type": "unexpectedConnection",
           "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
           "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
           "dstPort": 80,
           "block": false,
           "count": 1,
           "accountID": "twistlock-test-247119"
         }
       ]
     }
   }
 }

Query Parameters

• offset integer

  Offsets the result to a specific report count. Offset starts from 0.

• limit integer

  Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

• search string

  Retrieves the result for a search term.

• sort string

  Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

• reverse boolean

  Sorts the result in reverse order.

• collections string[]

  Filters the result based on collection names that you have defined in Prisma Cloud Compute.

• provider string[]

  Scopes the query by cloud provider.

• accountIDs string[]

  Filters the result based on cloud account IDs.

• resourceIDs string[]

  Scopes the query by resource ID.

• region string[]

  Scopes the query by cloud region.

• fields string[]

  Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

• from date-time

  From is an optional minimum time constraints for the audits.

• to date-time

  To is an optional maximum time constraints for the audits.

• srcHostnames string[]

  SrcHostname are the source hostnames filter.

• dstHostnames string[]

  DstHostname are the destination hostnames filter.

Responses

• 200
• default

---

application/json

• Schema
• Example (from schema)

---

Schema

• Array [
• _id string

  ProfileID is the runtime profile ID.

• audits object

  Audits is a map from the audit sub-type to the audit events list.

  property name* object (shared.HostNetworkFirewallSubtypeAudits)

  HostNetworkFirewallSubtypeAudits represents the host network firewall sub type audits per profile

  audits object[]

  Audits are the host network firewall audits associated with the sub-type, limited to the determined capacity.

  Array [

  accountID string

  AccountID is the host account ID.

  block boolean

  Block indicates whether the connection was blocked.

  cluster string

  Cluster is the cluster from which the audit originated.

  count integer

  Count is the event occurrences count.

  dstHostname string

  DstHostname is the destination hostname.

  dstPort integer

  DstPort is the connection destination port.

  dstSubnet string

  DstSubnet is the destination subnet.

  msg string

  Message is the event message.

  ruleID cnnf.RuleID

  RuleID represents the ID of each container network firewall policy rule

  srcHash int64

  ProfileHash represents the profile hash It is allowed to contain up to uint32 numbers, and represented by int64 since mongodb does not support unsigned data types

  srcHostname string

  SrcHostname is the source hostname.

  srcSubnet string

  SrcSubnet is the source subnet.

  time date-time

  Time is the UTC time of the audit event.

  type cnnf.NetworkFirewallAttackType

  Possible values: [unexpectedConnection]

  NetworkFirewallAttackType is the network firewall type of attack

  ]

  count integer

  Count is the total count of the sub-type audits.

• cluster string

  Cluster is the cluster from which the audit originated.

• collections string[]

  Collections are collections to which this audit applies.

• imageName string

  ImageName is the container image name.

• label string

  Label represents the container deployment label.

• os string

  OS is the operating system distribution.

• resource object

  RuntimeResource represents on which resource in the system a rule applies (e.g., specific host or image) Empty resource or wildcard (*) represents all resources of a given type

  accountIDs string[]

  List of account IDs.

  appIDs string[]

  List of application IDs.

  clusters string[]

  List of Kubernetes cluster names.

  codeRepos string[]

  List of code repositories.

  containers string[]

  List of containers.

  functions string[]

  List of functions.

  hosts string[]

  List of hosts.

  images string[]

  List of images.

  labels string[]

  List of labels.

  namespaces string[]

  List of Kubernetes namespaces.

• time date-time

  Time is the UTC time of the last audit event.

• total integer

  Total is the total count of audits per runtime profile.

• ]

[
  {
    "_id": "string",
    "audits": {},
    "cluster": "string",
    "collections": [
      "string"
    ],
    "imageName": "string",
    "label": "string",
    "os": "string",
    "resource": {
      "accountIDs": [
        "string"
      ],
      "appIDs": [
        "string"
      ],
      "clusters": [
        "string"
      ],
      "codeRepos": [
        "string"
      ],
      "containers": [
        "string"
      ],
      "functions": [
        "string"
      ],
      "hosts": [
        "string"
      ],
      "images": [
        "string"
      ],
      "labels": [
        "string"
      ],
      "namespaces": [
        "string"
      ]
    },
    "time": "2023-06-07T22:06:28.941Z",
    "total": 0
  }
]

Loading...