Download Incident Audit Events
Downloads a list of incidents which are not acknowledged (i.e., not in archived state) in CSV format. Prisma Cloud Compute analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents.
This endpoint maps to the CSV hyperlink in Monitor > Runtime > Incident explorer in the Console UI.
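The following cURL command downloads all incidents and saves the result in a CSV file called incidents.csv. Replace <CONSOLE_ENDPOINT_URL> with the URL of this endpoint on your Console.
$ curl -k \
  -u <USER> \
  -H 'Content-Type: text/csv' \
  -X GET \
  -o incidents.csv \
  "<CONSOLE_ENDPOINT_URL>"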
A successful response displays the status of the download.
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string
Scopes the query by cloud provider.
- accountIDs string
Filters the result based on cloud account IDs.
- resourceIDs string
Scopes the query by resource ID.
- region string
Scopes the query by cloud region.
- fields string
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- from date-time
Filters results from a start datetime.
- to date-time
Filters results from an end datetime.
- hostname string
Filters results by hostname where the incident occurred.
- category string
Filters results by incident category.
- type string
Filters results by incident type.
- profileID string
Filters results by runtime profile ID.
- acknowledged string
Filters results by incidents that have been acknowledged.
- cluster string
Filters results by region (for functions). Filters results by cluster name.
- id string
Filters results by ID.
- appID string
Filters results by app IDs.
- containerID string
Filters results by container IDs.
- functionID string
Filters results by function IDs.
- customRuleName string
Filters results by custom rule names.
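
The offset and limit parameters above mean a large incident set has to be fetched page by page. The Python code below is an added example, not code from the Prisma Cloud documentation: it walks the pages, enforces the PCEE/PCCE limit caps stated above, and merges the pages into one table. It assumes that offset and limit page this CSV download as the list describes, that every page repeats the CSV header row, and that `endpoint_url` (a placeholder) is this endpoint's URL on your Console.

```python
import base64
import csv
import io
import urllib.parse
import urllib.request

# Limits stated on this page: PCEE allows at most 50 per page, PCCE at most 250.
MAX_LIMIT = {"PCEE": 50, "PCCE": 250}

def build_query(offset, limit, **filters):
    """Encode offset/limit plus any filter parameters listed on this page."""
    params = {"offset": offset, "limit": limit}
    params.update({k: v for k, v in filters.items() if v is not None})
    return urllib.parse.urlencode(params)

def http_fetch(endpoint_url, user, password):
    """Return fetch(query) -> CSV text using HTTP Basic auth, as curl -u does.
    endpoint_url is a placeholder for the Console download URL (assumption).
    urllib verifies the Console's TLS certificate, unlike curl -k."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    def fetch(query):
        req = urllib.request.Request(f"{endpoint_url}?{query}",
                                     headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.read().decode("utf-8")
    return fetch

def download_all(fetch, edition="PCEE", limit=None, **filters):
    """Page through the incident CSV; return (header, rows) for all pages.
    Assumption: every page repeats the same CSV header row."""
    cap = MAX_LIMIT[edition]
    limit = cap if limit is None else limit
    if not 1 <= limit <= cap:
        raise ValueError(f"limit must be 1..{cap} for {edition}")
    header, rows, offset = None, [], 0      # offset starts from 0
    while True:
        text = fetch(build_query(offset, limit, **filters))
        page = list(csv.reader(io.StringIO(text)))
        if not page:
            break                           # empty body: nothing left
        if header is None:
            header = page[0]
        elif page[0] != header:
            raise ValueError("CSV header changed between pages")
        rows.extend(page[1:])
        if len(page) - 1 < limit:
            break                           # short page: this was the last one
        offset += limit
    return header, rows
```

Pass the result of `http_fetch(...)` as `fetch`, with filters such as `hostname=` or `category=` as keyword arguments.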