Get CNNS Host Audit Events

x-prisma-cloud-target-env: {"permission":"monitorCNNF","saas":true,"self-hosted":true}
x-public: true

Retrieves all Cloud Native Network Segmentation (CNNS) host audits.

For hosts, rules are defined between:

  • Host to host.
  • Host to an external network not protected by Prisma Cloud.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/network/host"

cURL Response

{
  "_id": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
  "time": "2022-11-08T20:22:52.207Z",
  "total": 4,
  "resource": {
    "hosts": [
      "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
      "john-photon-v3-0811t165011-host-def-pre-lngcon230"
    ],
    "accountIDs": [
      "twistlock-test-247119"
    ]
  },
  "collections": [
    "All",
    "registry_scan_container_cen8-container_22_11_384_piu",
    "photon-v3-host_crn",
    "compliance_photon_etz",
    "cnnf_cen8_client_itu",
    "cnnf_photon_server_fsr"
  ],
  "audits": {
    "unexpectedConnection": {
      "count": 4,
      "audits": [
        {
          "ruleID": 15,
          "time": "2022-11-08T20:22:52.207Z",
          "type": "unexpectedConnection",
          "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
          "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
          "dstPort": 80,
          "block": false,
          "count": 1,
          "accountID": "twistlock-test-247119"
        },
        {
          "ruleID": 15,
          "time": "2022-11-08T20:22:48.175Z",
          "type": "unexpectedConnection",
          "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
          "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
          "dstPort": 80,
          "block": false,
          "count": 1,
          "accountID": "twistlock-test-247119"
        },
        {
          "ruleID": 15,
          "time": "2022-11-08T20:22:46.127Z",
          "type": "unexpectedConnection",
          "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
          "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
          "dstPort": 80,
          "block": false,
          "count": 1,
          "accountID": "twistlock-test-247119"
        },
        {
          "ruleID": 15,
          "time": "2022-11-08T20:22:45.122Z",
          "type": "unexpectedConnection",
          "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal",
          "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230",
          "dstPort": 80,
          "block": false,
          "count": 1,
          "accountID": "twistlock-test-247119"
        }
      ]
    }
  }
}

Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • from date-time

    From is an optional minimum time constraint for the audits.

  • to date-time

    To is an optional maximum time constraint for the audits.

  • srcHostnames string[]

    SrcHostnames is the source hostnames filter.

  • dstHostnames string[]

    DstHostnames is the destination hostnames filter.

Responses


Schema
  • Array [
  • _id string

    ProfileID is the runtime profile ID.

  • audits object

    Audits is a map from the audit sub-type to the audit events list.

  • property name* object (shared.HostNetworkFirewallSubtypeAudits)

    HostNetworkFirewallSubtypeAudits represents the host network firewall sub-type audits per profile.

  • audits object[]

    Audits are the host network firewall audits associated with the sub-type, limited to the determined capacity.

  • Array [
  • accountID string

    AccountID is the host account ID.

  • block boolean

    Block indicates whether the connection was blocked.

  • cluster string

    Cluster is the cluster from which the audit originated.

  • count integer

    Count is the event occurrences count.

  • dstHostname string

    DstHostname is the destination hostname.

  • dstPort integer

    DstPort is the connection destination port.

  • dstSubnet string

    DstSubnet is the destination subnet.

  • msg string

    Message is the event message.

  • ruleID cnnf.RuleID

    RuleID represents the ID of each container network firewall policy rule.

  • srcHash int64

    ProfileHash represents the profile hash. It is allowed to contain up to uint32 numbers, and is represented by int64 since MongoDB does not support unsigned data types.

  • srcHostname string

    SrcHostname is the source hostname.

  • srcSubnet string

    SrcSubnet is the source subnet.

  • time date-time

    Time is the UTC time of the audit event.

  • type cnnf.NetworkFirewallAttackType

    Possible values: [unexpectedConnection]

    NetworkFirewallAttackType is the network firewall type of attack.

  • ]
  • count integer

    Count is the total count of the sub-type audits.

  • cluster string

    Cluster is the cluster from which the audit originated.

  • collections string[]

    Collections are collections to which this audit applies.

  • imageName string

    ImageName is the container image name.

  • label string

    Label represents the container deployment label.

  • os string

    OS is the operating system distribution.

  • resource object

    RuntimeResource represents the resource in the system to which a rule applies (e.g., a specific host or image). An empty resource or wildcard (*) represents all resources of a given type.

  • accountIDs string[]

    List of account IDs.

  • appIDs string[]

    List of application IDs.

  • clusters string[]

    List of Kubernetes cluster names.

  • codeRepos string[]

    List of code repositories.

  • containers string[]

    List of containers.

  • functions string[]

    List of functions.

  • hosts string[]

    List of hosts.

  • images string[]

    List of images.

  • labels string[]

    List of labels.

  • namespaces string[]

    List of Kubernetes namespaces.

  • time date-time

    Time is the UTC time of the last audit event.

  • total integer

    Total is the total count of audits per runtime profile.

  • ]
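
An added example, not part of the Prisma Cloud documentation: one way to page through this endpoint with the documented offset and limit parameters and reduce the per-profile reports to a list of audited connections that were not blocked. The function names, the fake_fetch stand-in for the HTTP call, and the host-a to host-d sample reports are constructed for illustration; it assumes a page shorter than limit marks the end of the results, and that a sub-type count larger than the summed per-event counts means the event list was capped.

```python
from collections import defaultdict

def ev(src, dst, port, block=False, count=1):
    # Builds one constructed audit event using the documented field names.
    return {"type": "unexpectedConnection", "srcHostname": src, "dstHostname": dst,
            "dstPort": port, "block": block, "count": count}

# Constructed sample: three per-profile reports shaped like the documented schema.
REPORTS = [
    {"_id": "host-b", "audits": {"unexpectedConnection": {"count": 4, "audits": [
        ev("host-a", "host-b", 80), ev("host-a", "host-b", 80, count=3)]}}},
    {"_id": "host-c", "audits": {"unexpectedConnection": {"count": 9, "audits": [
        ev("host-a", "host-c", 22, block=True, count=2)]}}},
    {"_id": "host-d", "audits": {}},
]

def fake_fetch(offset, limit):
    # Stand-in for GET .../audits/firewall/network/host?offset=..&limit=..
    return REPORTS[offset:offset + limit]

def fetch_all(fetch_page, limit=50):
    """Collect every report via offset/limit; assumes a short page means the end."""
    reports, offset = [], 0
    while True:
        page = fetch_page(offset, limit) or []
        reports.extend(page)
        if len(page) < limit:
            return reports
        offset += limit

def summarize(reports):
    """Return (flows, truncated): occurrences per (src, dst, port, block), and
    profile IDs whose sub-type total exceeds the events actually returned."""
    flows, truncated = defaultdict(int), []
    for report in reports:
        for subtype in (report.get("audits") or {}).values():
            events = subtype.get("audits") or []
            for e in events:
                key = (e.get("srcHostname") or e.get("srcSubnet"),
                       e.get("dstHostname") or e.get("dstSubnet"),
                       e.get("dstPort"), bool(e.get("block")))
                flows[key] += e.get("count", 1)
            if subtype.get("count", 0) > sum(e.get("count", 1) for e in events):
                truncated.append(report.get("_id"))
    return dict(flows), truncated

def allowed_flows(flows):
    """Flows that were audited but not blocked, busiest first."""
    return sorted(((k[:3], n) for k, n in flows.items() if not k[3]),
                  key=lambda item: -item[1])
```

Profiles listed in truncated are candidates for a narrower re-query using the from, to, srcHostnames or dstHostnames parameters.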