Get Incident Audit Events
GET /api/v33.01/audits/incidents
x-prisma-cloud-target-env: {"permission":"monitorRuntimeIncidents"}
Retrieves a list of incidents that are not acknowledged (i.e., not in archived state). Prisma Cloud Compute analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents.
This endpoint maps to the table in Monitor > Runtime > Incident explorer in the Console UI.
cURL Request
Refer to the following example cURL command that retrieves a list of unacknowledged incidents (not in the archived state):
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/incidents?acknowledged=false"
A successful response returns the incidents.
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limits the number of results returned.
Sorts the result using a key.
Sorts the result in reverse order.
Filters results from a start datetime.
Filters results from an end datetime.
Filters results by hostname where the incident occurred.
Filters results by incident category.
Filters results by incident type.
Filters results by runtime profile ID.
Filters results by incidents that have been acknowledged.
Filters results by region (for functions).
Filters results by cluster name.
Filters results by ID.
Filters results by app IDs.
Filters results by container IDs.
Filters results by function IDs.
Filters results by custom rule names.
Responses
- 200
- default
- application/json
Schema
Internal ID of the incident.
Cloud account ID.
Indicates if the incident has been acknowledged (true) or not (false).
Application that caused the incident.
Application ID.
audits object[]
All runtime audits of the incident.
Internal ID (used for in-place updates).
ID of the cloud account where the audit was generated.
Name of the service which violated the host policy.
Application ID.
Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]
MITRE attack techniques.
Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule]
RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model).
Cluster name.
Collections to which this audit applies.
ScrubbedCommand is the command executed by the process with scrubbed PII.
Indicates if this is a container audit (true) or host audit (false).
ID of the container that violates the rule.
Container name.
Attack type audits count.
Outbound country for outgoing network audits.
Domain is the requested domain.
Possible values: [block,prevent,alert,disable]
RuleEffect is the effect that will be used in the runtime rule.
Unknown error in the audit process.
Filepath is the path of the modified file.
Current full domain name used in audit alerts.
Name of the serverless function that caused the audit.
ID of the function invoked.
Current hostname.
Container image ID.
Container image name.
Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).
IP is the connection destination IP address.
Container deployment label.
labels object
Custom labels which augment the audit data.
MD5 is the MD5 of the modified file (only for executables).
Blocking message text.
K8s deployment namespace.
Operating system distribution.
ID of the process that caused the audit event.
Port is the connection destination port.
Path of the process that caused the audit event.
Profile ID of the audit.
Possible values: [aws,azure,gcp,alibaba,oci,others]
CloudProvider specifies the cloud provider name.
Unparsed function handler event input.
Region of the resource where the audit was generated.
ID of the lambda function invocation request.
Unique ID of the resource where the audit was generated.
Name of the rule that was applied, if blocked.
Possible values: [python,python3.6,python3.7,python3.8,python3.9,python3.10,python3.11,python3.12,nodejs,nodejs12.x,nodejs14.x,nodejs16.x,nodejs18.x,nodejs20.x,dotnet,dotnetcore2.1,dotnetcore3.1,dotnet6,java,java8,java11,java17,java21,ruby,ruby2.7]
LambdaRuntimeType represents the runtime type of the serverless function. The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime
Possible values: [low,medium,high]
RuntimeSeverity represents the runtime severity.
Time of the audit event (in UTC time).
Possible values: [processes,network,kubernetes,filesystem]
RuntimeType represents the runtime protection type.
Service user.
Defender version.
Azure unique VM ID where the audit was generated.
WildFireReportURL is a URL link of the report generated by wildFire.
Possible values: [portScanning,hijackedProcess,dataExfiltration,kubernetes,backdoorAdministrativeAccount,backdoorSSHAccess,cryptoMiner,lateralMovement,bruteForce,customRule,alteredBinary,suspiciousBinary,executionFlowHijackAttempt,reverseShell,malware,cloudProvider]
IncidentCategory is the incident category.
Cluster on which the incident was found.
Collections to which this incident applies.
ID of the container that triggered the incident.
Unique container name.
Name of the custom runtime rule that triggered the incident.
Current hostname's full domain name.
Name of the serverless function.
ID of the function that triggered the incident.
Current hostname.
Container image ID.
Container image name.
labels object
Custom labels associated with the container.
k8s deployment namespace.
Runtime profile ID.
Possible values: [aws,azure,gcp,alibaba,oci,others]
CloudProvider specifies the cloud provider name.
Region of the resource on which the incident was found.
Unique ID of the resource on which the incident was found.
Runtime of the serverless function.
Serial number of the incident.
Indicates if this incident should be collected (true) or not (false).
Time of the incident (in UTC time).
Possible values: [host,container,function,appEmbedded,fargate]
IncidentType is the type of the incident.
Azure unique VM ID on which the incident was found.
Windows indicates if defender OS type is Windows.
Example (from schema)
[
{
"_id": "string",
"accountID": "string",
"acknowledged": true,
"app": "string",
"appID": "string",
"audits": [
{
"_id": "string",
"accountID": "string",
"app": "string",
"appID": "string",
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"attackType": [
"",
"cloudMetadataProbing",
"kubeletAPIAccess",
"kubeletReadonlyAccess",
"kubectlSpawned",
"kubectlDownloaded",
"horizontalPortScanning",
"verticalPortScanning",
"explicitlyDeniedIP",
"customFeedIP",
"feedIP",
"unexpectedOutboundPort",
"suspiciousNetworkActivity",
"unexpectedListeningPort",
"explicitlyDeniedListeningPort",
"explicitlyDeniedOutboundPort",
"listeningPortModifiedProcess",
"outboundPortModifiedProcess",
"feedDNS",
"explicitlyDeniedDNS",
"dnsQuery",
"unexpectedProcess",
"portScanProcess",
"malwareProcessCustom",
"malwareProcessFeed",
"explicitlyDeniedProcess",
"modifiedProcess",
"cryptoMinerProcess",
"lateralMovementProcess",
"tmpfsProcess",
"policyHijacked",
"reverseShell",
"suidBinaries",
"unknownOriginBinary",
"webShell",
"administrativeAccount",
"encryptedBinary",
"sshAccess",
"explicitlyDeniedFile",
"malwareFileCustom",
"malwareFileFeed",
"execFileAccess",
"elfFileAccess",
"secretFileAccess",
"regFileAccess",
"wildfireMalware",
"unknownOriginBinary",
"webShell",
"fileIntegrity",
"alteredBinary",
"malwareDownloaded",
"suspiciousELFHeader",
"executionFlowHijackAttempt",
"customRule"
],
"cluster": "string",
"collections": [
"string"
],
"command": "string",
"container": true,
"containerId": "string",
"containerName": "string",
"count": 0,
"country": "string",
"domain": "string",
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"err": "string",
"filepath": "string",
"fqdn": "string",
"function": "string",
"functionID": "string",
"hostname": "string",
"imageId": "string",
"imageName": "string",
"interactive": true,
"ip": "string",
"label": "string",
"labels": {},
"md5": "string",
"msg": "string",
"namespace": "string",
"os": "string",
"pid": 0,
"port": 0,
"processPath": "string",
"profileId": "string",
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"rawEvent": "string",
"region": "string",
"requestID": "string",
"resourceID": "string",
"ruleName": "string",
"runtime": [
"python",
"python3.6",
"python3.7",
"python3.8",
"python3.9",
"python3.10",
"python3.11",
"python3.12",
"nodejs",
"nodejs12.x",
"nodejs14.x",
"nodejs16.x",
"nodejs18.x",
"nodejs20.x",
"dotnet",
"dotnetcore2.1",
"dotnetcore3.1",
"dotnet6",
"java",
"java8",
"java11",
"java17",
"java21",
"ruby",
"ruby2.7"
],
"severity": [
"low",
"medium",
"high"
],
"time": "2024-07-29T15:51:28.071Z",
"type": [
"processes",
"network",
"kubernetes",
"filesystem"
],
"user": "string",
"version": "string",
"vmID": "string",
"wildFireReportURL": "string"
}
],
"category": [
"portScanning",
"hijackedProcess",
"dataExfiltration",
"kubernetes",
"backdoorAdministrativeAccount",
"backdoorSSHAccess",
"cryptoMiner",
"lateralMovement",
"bruteForce",
"customRule",
"alteredBinary",
"suspiciousBinary",
"executionFlowHijackAttempt",
"reverseShell",
"malware",
"cloudProvider"
],
"cluster": "string",
"collections": [
"string"
],
"containerID": "string",
"containerName": "string",
"customRuleName": "string",
"fqdn": "string",
"function": "string",
"functionID": "string",
"hostname": "string",
"imageID": "string",
"imageName": "string",
"labels": {},
"namespace": "string",
"profileID": "string",
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"region": "string",
"resourceID": "string",
"runtime": "string",
"serialNum": 0,
"shouldCollect": true,
"time": "2024-07-29T15:51:28.071Z",
"type": [
"host",
"container",
"function",
"appEmbedded",
"fargate"
],
"vmID": "string",
"windows": true
}
]
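A triage pass over a response from this endpoint, as an added example that is not part of the original documentation: it skips acknowledged incidents and ranks the rest by whether every correlated audit was stopped and by the highest audit severity. The sample response is constructed, and the code assumes that enum-typed fields (category, severity, effect) arrive as single strings rather than the arrays shown in the schema-generated example, and that block/prevent mean the activity was stopped while alert only records it.

```python
import json

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}
# Assumption: these effects stop the activity; "alert" only records it.
STOPPED = {"block", "prevent"}

# Constructed sample response (not real data). Assumption: enum-typed fields
# (category, severity, effect) are single strings in a real response.
SAMPLE_RESPONSE = json.loads("""
[
 {"_id": "a1", "serialNum": 7, "acknowledged": false, "category": "cryptoMiner",
  "hostname": "node-1", "audits": [
   {"severity": "high", "effect": "alert", "attackTechniques": ["resourceHijacking"]},
   {"severity": "medium", "effect": "alert", "attackTechniques": ["ingressToolTransfer"]}]},
 {"_id": "b2", "serialNum": 8, "acknowledged": false, "category": "portScanning",
  "hostname": "node-2", "audits": [
   {"severity": "low", "effect": "block", "attackTechniques": ["networkServiceScanning"]}]},
 {"_id": "c3", "serialNum": 9, "acknowledged": true, "category": "reverseShell",
  "hostname": "node-3", "audits": [
   {"severity": "high", "effect": "prevent", "attackTechniques": []}]},
 {"_id": "d4", "serialNum": 10, "acknowledged": false, "category": "malware",
  "hostname": "node-1", "audits": null}
]
""")


def triage(incidents):
    """Summarise unacknowledged incidents, most urgent first."""
    rows = []
    for inc in incidents or []:  # tolerate a JSON null body or null audits list
        if inc.get("acknowledged"):
            continue
        audits = inc.get("audits") or []
        rank = max((SEVERITY_RANK.get(a.get("severity"), 0) for a in audits), default=0)
        rows.append({
            "serialNum": inc.get("serialNum", 0),
            "category": inc.get("category"),
            "hostname": inc.get("hostname"),
            "auditCount": len(audits),
            "maxSeverity": rank,
            # True only if every correlated audit was blocked or prevented
            "stopped": bool(audits) and all(a.get("effect") in STOPPED for a in audits),
            "techniques": sorted({t for a in audits
                                  for t in a.get("attackTechniques") or []}),
        })
    # Not-stopped incidents first, then highest severity, then lowest serial number
    rows.sort(key=lambda r: (r["stopped"], -r["maxSeverity"], r["serialNum"]))
    return rows
```

An incident with no audits attached is treated as not stopped, so it stays near the top of the queue instead of being silently ranked as handled.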