Get Kubernetes Audit Events
x-prisma-cloud-target-env: {"permission":"monitorAccessKubernetes","saas":true,"self-hosted":true}
x-public: true
Retrieves events that occur in an integrated Kubernetes cluster that you configured for Prisma Cloud Compute under Defend > Access > Kubernetes.
Note: This endpoint relates to the Monitor > Events > Kubernetes audits in Prisma Cloud Compute.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/kubernetes"
cURL Response
{
"time": "2022-11-23T16:20:20.383Z",
"verb": "io.k8s.core.v1.pods.exec.create",
"user": {
"username": "johndoe@paloaltonetworks.com"
},
"authorizationInfo": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "access granted by IAM permissions.",
"failed-open.validating.webhook.admission.k8s.io/round_0_index_0": "validating-webhook.twistlock.com"
},
"message": "Exec or attach to a pod detected on GKE",
"sourceIPs": [
"private"
],
"resources": "core/v1/namespaces/default/pods/test-pd/exec",
...
...
...,
"attackTechniques": [
"execIntoContainer"
],
"cluster": "johndoe-gke-9916911d51921853",
"accountID": "twistlock-test-247119",
"provider": "gcp",
"collections": [
"All",
"user1",
"tv test",
"tv test2"
]
}
Query Parameters
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string[]
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string[]
Scopes the query by cloud provider.
- accountIDs string[]
Filters the result based on cloud account IDs.
- resourceIDs string[]
Scopes the query by resource ID.
- region string[]
Scopes the query by cloud region.
- fields string[]
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- from date-time
From is an optional minimum time constraint for the activity.
- to date-time
To is an optional maximum time constraint for the activity.
- user string[]
Users is the list of users to filter by.
- attackTechniques string[]
AttackTechniques are the MITRE ATT&CK techniques to filter by.
- cluster string[]
Clusters is the list of clusters to filter by.
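The cURL command and query parameters above are all a client needs; the following Python is an added example (not Prisma Cloud's own code or SDK) that builds the documented query, pages through the endpoint with `offset`/`limit`, and summarises the returned audits by technique, cluster and user for triage. It assumes `CONSOLE`, `VERSION`, `USER` and `PASSWORD` environment variables for a live pull, and assumes that `string[]` parameters are accepted as repeated query keys (how `requests` encodes a list); the parsing runs offline on a constructed sample shaped like the response shown above.

```python
# Added example (not Prisma Cloud's own code): query the Kubernetes audit
# endpoint documented above with pagination and summarise what comes back.
# Assumed: CONSOLE, VERSION, USER and PASSWORD are environment variables, and
# array parameters (cluster, attackTechniques, ...) are accepted as repeated
# query keys, which is how `requests` encodes a list value.
import os
from collections import Counter
from typing import Callable, Dict, Iterator, List, Optional

# Parameters the page documents as string[]; a bare string is wrapped in a list.
LIST_PARAMS = {"collections", "provider", "accountIDs", "resourceIDs", "region",
               "fields", "user", "attackTechniques", "cluster"}

# Constructed sample records shaped like the cURL response on this page
# (cluster, account, IP and user values are made up).
SAMPLE_AUDITS = [
    {"time": "2022-11-23T16:20:20.383Z", "verb": "io.k8s.core.v1.pods.exec.create",
     "user": {"username": "johndoe@example.com"},
     "authorizationInfo": {"authorization.k8s.io/decision": "allow"},
     "message": "Exec or attach to a pod detected on GKE", "sourceIPs": ["private"],
     "resources": "core/v1/namespaces/default/pods/test-pd/exec",
     "attackTechniques": ["execIntoContainer"], "cluster": "example-cluster-a",
     "accountID": "example-account", "provider": "gcp", "collections": ["All"]},
    {"time": "2022-11-23T16:25:01.000Z", "verb": "io.k8s.core.v1.secrets.list",
     "user": {"username": "ci-bot"},
     "authorizationInfo": {"authorization.k8s.io/decision": "allow"},
     "message": "Secrets listed", "sourceIPs": ["203.0.113.10"],
     "resources": "core/v1/namespaces/prod/secrets",
     "attackTechniques": ["kubernetesSecrets", "credentialDumping"],
     "cluster": "example-cluster-b", "accountID": "example-account",
     "provider": "gcp", "collections": ["All"]},
]


def build_query(offset: int = 0, limit: int = 50, time_from: Optional[str] = None,
                time_to: Optional[str] = None, **filters) -> Dict[str, object]:
    """Build the query-parameter dict for GET /api/v<VERSION>/audits/kubernetes.

    limit is clamped to 50, the PCEE maximum stated on the page (PCCE allows 250);
    time_from/time_to map to the documented `from`/`to` date-time parameters.
    """
    params: Dict[str, object] = {"offset": max(offset, 0), "limit": max(1, min(limit, 50))}
    if time_from:
        params["from"] = time_from
    if time_to:
        params["to"] = time_to
    for key, value in filters.items():
        if value is None:
            continue
        if key in LIST_PARAMS and isinstance(value, str):
            value = [value]
        params[key] = value
    return params


def iter_audits(fetch: Callable[[Dict[str, object]], List[dict]],
                page_size: int = 50, **filters) -> Iterator[dict]:
    """Walk the endpoint with offset/limit until a page shorter than the limit
    comes back. `fetch(params)` performs one GET and returns the decoded array."""
    offset = 0
    while True:
        params = build_query(offset=offset, limit=page_size, **filters)
        page = fetch(params) or []
        yield from page
        if len(page) < int(params["limit"]):
            return
        offset += len(page)


def live_fetch(params: Dict[str, object]) -> List[dict]:
    """One GET against the console with the same basic auth as the cURL example.
    TLS verification is left on; trust the console's CA instead of passing -k."""
    import requests  # third-party; only needed for live use
    url = f"https://{os.environ['CONSOLE']}/api/v{os.environ['VERSION']}/audits/kubernetes"
    resp = requests.get(url, params=params, timeout=30,
                        auth=(os.environ["USER"], os.environ["PASSWORD"]))
    resp.raise_for_status()
    return resp.json()


def summarize(audits) -> Dict[str, object]:
    """Count audits per MITRE technique, cluster and user, and pull out the
    exec/attach events (execIntoContainer) for triage."""
    by_technique, by_cluster, by_user = Counter(), Counter(), Counter()
    exec_events = []
    for audit in audits:
        techniques = audit.get("attackTechniques") or []
        by_technique.update(techniques)
        by_cluster[audit.get("cluster", "")] += 1
        username = (audit.get("user") or {}).get("username", "")
        by_user[username] += 1
        if "execIntoContainer" in techniques:
            exec_events.append({"time": audit.get("time"), "cluster": audit.get("cluster"),
                                "user": username, "resource": audit.get("resources"),
                                "sourceIPs": audit.get("sourceIPs", [])})
    return {"by_technique": dict(by_technique), "by_cluster": dict(by_cluster),
            "by_user": dict(by_user), "exec_events": exec_events}


if __name__ == "__main__":
    # Offline: summarise the constructed sample as a single page. For a live
    # pull, pass live_fetch instead and add filters such as cluster="my-cluster".
    print(summarize(iter_audits(lambda p: SAMPLE_AUDITS if p["offset"] == 0 else [])))
```

Pagination stops on the first page shorter than `limit`, so a result set that is an exact multiple of the page size costs one extra empty request; that is cheaper than trusting a total count the endpoint does not return. Narrow live queries with `time_from`/`time_to` and `attackTechniques` rather than pulling every audit and filtering client-side.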
Responses
- 200 (default): application/json
Schema
- Array [
- accountID string
AccountID is the account ID the Kubernetes audit belongs to.
- attackTechniques mitre.Technique[]
AttackTechniques are the MITRE ATT&CK techniques. Possible values: [ exploitationForPrivilegeEscalation, exploitPublicFacingApplication, applicationExploitRCE, networkServiceScanning, endpointDenialOfService, exfiltrationGeneral, systemNetworkConfigurationDiscovery, unsecuredCredentials, credentialDumping, systemInformationDiscovery, systemNetworkConnectionDiscovery, systemUserDiscovery, accountDiscovery, cloudInstanceMetadataAPI, accessKubeletMainAPI, queryKubeletReadonlyAPI, accessKubernetesAPIServer, softwareDeploymentTools, ingressToolTransfer, lateralToolTransfer, commandAndControlGeneral, resourceHijacking, manInTheMiddle, nativeBinaryExecution, foreignBinaryExecution, createAccount, accountManipulation, abuseElevationControlMechanisms, supplyChainCompromise, obfuscatedFiles, hijackExecutionFlow, impairDefences, scheduledTaskJob, exploitationOfRemoteServices, eventTriggeredExecution, accountAccessRemoval, privilegedContainer, writableVolumes, execIntoContainer, softwareDiscovery, createContainer, kubernetesSecrets, fileAndDirectoryDiscovery, masquerading, webShell, compileAfterDelivery ]
- authorizationInfo object
AuthorizationInfo holds the original event authorization info. Keys are arbitrary property names with string values.
- cluster string
Cluster is the cluster the Kubernetes audit belongs to.
- collections string[]
Collections that apply to the Kubernetes audit.
- eventBlob string
EventBlob is the original event that caused this audit.
- message string
Message is the user-defined message which appears on the audit.
- provider common.CloudProvider
CloudProvider specifies the cloud provider name. Possible values: [ aws, azure, gcp, alibaba, oci, others ]
- requestURI string
RequestURI is the request URI as sent by the client to a server.
- resources string
Resources represents the resource that is impacted by this event.
- sourceIPs string[]
Source IPs from where the request originated, including intermediate proxies (optional).
- time date-time
Time is the time at which the request was generated.
- user object
EventUserInfo holds the information about the user that authenticated to Kubernetes.
  - groups string[]
  The names of groups this user is a part of (optional).
  - uid string
  A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs (optional).
  - username string
  The name that uniquely identifies this user among all active users (optional).
- verb string
Verb is the Kubernetes verb associated with the request.
- ]
Example (from schema)
[
{
"accountID": "string",
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"authorizationInfo": {},
"cluster": "string",
"collections": [
"string"
],
"eventBlob": "string",
"message": "string",
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"requestURI": "string",
"resources": "string",
"sourceIPs": [
"string"
],
"time": "2023-06-07T22:06:28.945Z",
"user": {
"groups": [
"string"
],
"uid": "string",
"username": "string"
},
"verb": "string"
}
]