Skip to main content

Get Kubernetes Audit Events

GET 

/api/v32.05/audits/kubernetes

x-prisma-cloud-target-env: {"permission":"monitorAccessKubernetes","saas":true,"self-hosted":true}
x-public: true

Retrieves events that occur in an integrated Kubernetes cluster that you configured for Prisma Cloud Compute under Defend > Access > Kubernetes.

Note: This endpoint relates to the Monitor > Events > Kubernetes audits in Prisma Cloud Compute.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/kubernetes"

cURL Response

{
"time": "2022-11-23T16:20:20.383Z",
"verb": "io.k8s.core.v1.pods.exec.create",
"user": {
"username": "johndoe@paloaltonetworks.com"
},
"authorizationInfo": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "access granted by IAM permissions.",
"failed-open.validating.webhook.admission.k8s.io/round_0_index_0": "validating-webhook.twistlock.com"
},
"message": "Exec or attach to a pod detected on GKE",
"sourceIPs": [
"private"
],
"resources": "core/v1/namespaces/default/pods/test-pd/exec",
...
...
...,
"attackTechniques": [
"execIntoContainer"
],
"cluster": "johndoe-gke-9916911d51921853",
"accountID": "twistlock-test-247119",
"provider": "gcp",
"collections": [
"All",
"user1",
"tv test",
"tv test2"
]
}


Request

Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Limit is the amount to fix.

    sort string

    Sorts the result using a key.

    reverse boolean

    Sorts the result in reverse order.

    from date-time

    From is an optional minimum time constraints for the activity.

    to date-time

    To is an optional maximum time constraints for the activity.

    user string[]

    Users is the list of users to use for filtering.

    attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

    cluster string[]

    Clusters is the list of clusters for filtering.

Responses

Schema
  • Array [
  • accountID string

    AccountID is the account ID the Kubernetes audit belongs to.

    attackTechniques mitre.Technique (string)[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    AttackTechniques are the MITRE attack techniques.

    authorizationInfo object

    AuthorizationInfo holds the original event authorization info.

    property name* string (string)
    cluster string

    Cluster is the cluster the Kubernetes audit belongs to.

    collections string (string)[]

    Collections that apply to the Kubernetes audit.

    eventBlob string

    EventBlob is the original event that caused this audit.

    message string

    Message is the user defined message which appears on audit.

    provider common.CloudProvider (string)

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

    requestURI string

    RequestURI is the request URI as sent by the client to a server.

    resources string

    Resource represents the resource that is impacted by this event.

    sourceIPs string (string)[]

    Source IPs, from where the request originated and intermediate proxies (optional).

    time date-time

    Time is the time at which the request was generated.

    user object

    EventUserInfo holds the information about the user that authenticated to Kubernentes

    groups string (string)[]

    The names of groups this user is a part of (optional).

    uid string

    A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs (optional).

    username string

    The name that uniquely identifies this user among all active users (optional).

    verb string

    Verb is the kubernetes verb associated with the request.

  • ]
Loading...