Skip to main content

Get Incident Audit Events

x-prisma-cloud-target-env: {"permission":"monitorRuntimeIncidents","saas":true,"self-hosted":true}
x-public: true

Retrieves a list of incidents that are not acknowledged (i.e., not in archived state). Prisma Cloud Compute analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents.

This endpoint maps to the table in Monitor > Runtime > Incident explorer in the Console UI.

cURL Request

Refer to the following example cURL command that retrieves a list of unacknowledged incidents (not in the archived state):

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/incidents?acknowledged=false"

A successful response returns the incidents.

Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • from date-time

    Filters results from a start datetime.

  • to date-time

    Filters results from an end datetime.

  • hostname string[]

    Filters results by hostname where the incident occurred.

  • category string[]

    Filters results by incident category.

  • type string[]

    Filters results by incident type.

  • profileID string[]

    Filters results by runtime profile ID.

  • acknowledged string

    Filters results by incidents that have been acknowledged.

  • cluster string[]

    Filters results by region (for functions) Filters results by cluster name.

  • id string[]

    Filters results by ID.

  • appID string[]

    Filters results by app IDs.

  • containerID string[]

    Filters results by container IDs.

  • functionID string[]

    Filters results by function IDs.

  • customRuleName string[]

    Filters results by custom rule names.

Responses
Schema
  • Array [
  • _id string

    Internal ID of the incident.

  • accountID string

    Cloud account ID.

  • acknowledged boolean

    Indicates if the incident has been acknowledged (true) or not (false).

  • app string

    Application that caused the incident.

  • appID string

    Application ID.

  • audits object[]

    All runtime audits of the incident.

  • Array [
  • _id string

    Internal ID (used for in-place updates).

  • accountID string

    ID of the cloud account where the audit was generated.

  • app string

    Name of the service which violated the host policy.

  • appID string

    Application ID.

  • attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    MITRE attack techniques.

  • attackType shared.RuntimeAttackType

    Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule]

    RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc...)

  • cluster string

    Cluster name.

  • collections string[]

    Collections to which this audit applies.

  • command string

    ScrubbedCommand is the command executed by the process with scrubbed PII.

  • container boolean

    Indicates if this is a container audit (true) or host audit (false).

  • containerId string

    ID of the container that violates the rule.

  • containerName string

    Container name.

  • count integer

    Attack type audits count.

  • country string

    Outbound country for outgoing network audits.

  • domain string

    Domain is the requested domain.

  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • err string

    Unknown error in the audit process.

  • filepath string

    Filepath is the path of the modified file.

  • fqdn string

    Current full domain name used in audit alerts.

  • function string

    Name of the serverless function that caused the audit.

  • functionID string

    ID of the function invoked.

  • hostname string

    Current hostname.

  • imageId string

    Container image ID.

  • imageName string

    Container image name.

  • interactive boolean

    Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).

  • ip string

    IP is the connection destination IP address.

  • label string

    Container deployment label.

  • labels object

    Custom labels which augment the audit data.

  • property name* string
  • md5 string

    MD5 is the MD5 of the modified file (only for executables.

  • msg string

    Blocking message text.

  • namespace string

    K8s deployment namespace.

  • os string

    Operating system distribution.

  • pid integer

    ID of the process that caused the audit event.

  • port integer

    Port is the connection destination port.

  • processPath string

    Path of the process that caused the audit event.

  • profileId string

    Profile ID of the audit.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

  • rawEvent string

    Unparsed function handler event input.

  • region string

    Region of the resource where the audit was generated.

  • requestID string

    ID of the lambda function invocation request.

  • resourceID string

    Unique ID of the resource where the audit was generated.

  • ruleName string

    Name of the rule that was applied, if blocked.

  • runtime shared.LambdaRuntimeType

    Possible values: [python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7]

    LambdaRuntimeType represents the runtime type of the serverless function The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime

  • severity shared.RuntimeSeverity

    Possible values: [low,medium,high]

    RuntimeSeverity represents the runtime severity

  • time date-time

    Time of the audit event (in UTC time).

  • type shared.RuntimeType

    Possible values: [processes,network,kubernetes,filesystem]

    RuntimeType represents the runtime protection type

  • user string

    Service user.

  • version string

    Defender version.

  • vmID string

    Azure unique VM ID where the audit was generated.

  • wildFireReportURL string

    WildFireReportURL is a URL link of the report generated by wildFire.

  • ]
  • category shared.IncidentCategory

    Possible values: [portScanning,hijackedProcess,dataExfiltration,kubernetes,backdoorAdministrativeAccount,backdoorSSHAccess,cryptoMiner,lateralMovement,bruteForce,customRule,alteredBinary,suspiciousBinary,executionFlowHijackAttempt,reverseShell,malware,cloudProvider]

    IncidentCategory is the incident category

  • cluster string

    Cluster on which the incident was found.

  • collections string[]

    Collections to which this incident applies.

  • containerID string

    ID of the container that triggered the incident.

  • containerName string

    Unique container name.

  • customRuleName string

    Name of the custom runtime rule that triggered the incident.

  • fqdn string

    Current hostname's full domain name.

  • function string

    Name of the serverless function.

  • functionID string

    ID of the function that triggered the incident.

  • hostname string

    Current hostname.

  • imageID string

    Container image ID.

  • imageName string

    Container image name.

  • labels object

    Custom labels associated with the container.

  • property name* string
  • namespace string

    k8s deployment namespace.

  • profileID string

    Runtime profile ID.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

  • region string

    Region of the resource on which the incident was found.

  • resourceID string

    Unique ID of the resource on which the incident was found.

  • runtime string

    Runtime of the serverless function.

  • serialNum integer

    Serial number of the incident.

  • shouldCollect boolean

    Indicates if this incident should be collected (true) or not (false).

  • time date-time

    Time of the incident (in UTC time).

  • type shared.IncidentType

    Possible values: [host,container,function,appEmbedded,fargate]

    IncidentType is the type of the incident

  • vmID string

    Azure unique VM ID on which the incident was found.

  • windows boolean

    Windows indicates if defender OS type is Windows.

  • ]
Loading...