Get Kubernetes Audit Events
GET/api/v31.02/audits/kubernetes
x-prisma-cloud-target-env: {"permission":"monitorAccessKubernetes","saas":true,"self-hosted":true}
x-public: true
Retrieves events that occur in an integrated Kubernetes cluster that you configured for Prisma Cloud Compute under Defend > Access > Kubernetes.
Note: This endpoint relates to the Monitor > Events > Kubernetes audits in Prisma Cloud Compute.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/kubernetes"
cURL Response
{
"time": "2022-11-23T16:20:20.383Z",
"verb": "io.k8s.core.v1.pods.exec.create",
"user": {
"username": "johndoe@paloaltonetworks.com"
},
"authorizationInfo": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "access granted by IAM permissions.",
"failed-open.validating.webhook.admission.k8s.io/round_0_index_0": "validating-webhook.twistlock.com"
},
"message": "Exec or attach to a pod detected on GKE",
"sourceIPs": [
"private"
],
"resources": "core/v1/namespaces/default/pods/test-pd/exec",
...
...
...,
"attackTechniques": [
"execIntoContainer"
],
"cluster": "johndoe-gke-9916911d51921853",
"accountID": "twistlock-test-247119",
"provider": "gcp",
"collections": [
"All",
"user1",
"tv test",
"tv test2"
]
}
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
From is an optional minimum time constraints for the activity.
To is an optional maximum time constraints for the activity.
Users is the list of users to use for filtering.
AttackTechniques are the MITRE attack techniques.
Clusters is the list of clusters for filtering.
Responses
- 200
- default
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
AccountID is the account ID the Kubernetes audit belongs to.
Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]
AttackTechniques are the MITRE attack techniques.
authorizationInfo object
AuthorizationInfo holds the original event authorization info.
Cluster is the cluster the Kubernetes audit belongs to.
Collections that apply to the Kubernetes audit.
EventBlob is the original event that caused this audit.
Message is the user defined message which appears on audit.
Possible values: [aws,azure,gcp,alibaba,oci,others]
CloudProvider specifies the cloud provider name
RequestURI is the request URI as sent by the client to a server.
Resource represents the resource that is impacted by this event.
Source IPs, from where the request originated and intermediate proxies (optional).
Time is the time at which the request was generated.
user object
EventUserInfo holds the information about the user that authenticated to Kubernentes
The names of groups this user is a part of (optional).
A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs (optional).
The name that uniquely identifies this user among all active users (optional).
Verb is the kubernetes verb associated with the request.
[
{
"accountID": "string",
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"authorizationInfo": {},
"cluster": "string",
"collections": [
"string"
],
"eventBlob": "string",
"message": "string",
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"requestURI": "string",
"resources": "string",
"sourceIPs": [
"string"
],
"time": "2023-12-06T03:40:01.734Z",
"user": {
"groups": [
"string"
],
"uid": "string",
"username": "string"
},
"verb": "string"
}
]