
Get Kubernetes Audit Events

x-prisma-cloud-target-env: {"permission":"monitorAccessKubernetes","saas":true,"self-hosted":true}
x-public: true

Retrieves events that occur in an integrated Kubernetes cluster that you configured for Prisma Cloud Compute under Defend > Access > Kubernetes.

Note: This endpoint relates to the Monitor > Events > Kubernetes audits in Prisma Cloud Compute.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/kubernetes"

cURL Response

{
"time": "2022-11-23T16:20:20.383Z",
"verb": "io.k8s.core.v1.pods.exec.create",
"user": {
"username": "johndoe@paloaltonetworks.com"
},
"authorizationInfo": {
"authorization.k8s.io/decision": "allow",
"authorization.k8s.io/reason": "access granted by IAM permissions.",
"failed-open.validating.webhook.admission.k8s.io/round_0_index_0": "validating-webhook.twistlock.com"
},
"message": "Exec or attach to a pod detected on GKE",
"sourceIPs": [
"private"
],
"resources": "core/v1/namespaces/default/pods/test-pd/exec",
...
...
...,
"attackTechniques": [
"execIntoContainer"
],
"cluster": "johndoe-gke-9916911d51921853",
"accountID": "twistlock-test-247119",
"provider": "gcp",
"collections": [
"All",
"user1",
"tv test",
"tv test2"
]
}


Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • from date-time

    From is an optional minimum time constraint for the activity.

  • to date-time

    To is an optional maximum time constraint for the activity.

  • user string[]

    Users is the list of users to filter on.

  • attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

  • cluster string[]

    Clusters is the list of clusters for filtering.

Responses


Schema
  • Array [
  • accountID string

    AccountID is the account ID the Kubernetes audit belongs to.

  • attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    AttackTechniques are the MITRE attack techniques.

  • authorizationInfo object

    AuthorizationInfo holds the original event authorization info.

  • property name* string (free-form keys; each entry is a string value, as in the authorizationInfo object of the example response)
  • cluster string

    Cluster is the cluster the Kubernetes audit belongs to.

  • collections string[]

    Collections that apply to the Kubernetes audit.

  • eventBlob string

    EventBlob is the original event that caused this audit.

  • message string

    Message is the user defined message which appears on audit.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name.

  • requestURI string

    RequestURI is the request URI as sent by the client to a server.

  • resources string

    Resource represents the resource that is impacted by this event.

  • sourceIPs string[]

    Source IPs from where the request originated, plus any intermediate proxies (optional).

  • time date-time

    Time is the time at which the request was generated.

  • user object

    EventUserInfo holds the information about the user that authenticated to Kubernetes.

  • groups string[]

    The names of groups this user is a part of (optional).

  • uid string

    A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs (optional).

  • username string

    The name that uniquely identifies this user among all active users (optional).

  • verb string

    Verb is the kubernetes verb associated with the request.

  • ]
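An added example (not Prisma Cloud's own client code) that pages through this endpoint using the offset/limit rules above and summarizes the returned audits by cluster and attack technique. The fetch callable is a hypothetical stand-in for the authenticated GET shown in the cURL request, and the sample audits are constructed to mirror the response shape documented here.

```python
# Added example, not Prisma Cloud's own client: page through
# GET /api/v<VERSION>/audits/kubernetes and summarize the audits it returns.
# `fetch` is injected so the pagination logic runs offline against SAMPLE.
from collections import Counter

# Per-page maximum stated in the docs: 250 for PCCE, 50 for PCEE.
PAGE_LIMITS = {"pcce": 250, "pcee": 50}

def build_params(edition, offset=0, limit=None, **filters):
    """Build the query string, clamping `limit` to the edition's maximum."""
    cap = PAGE_LIMITS[edition]
    params = {"offset": offset, "limit": cap if limit is None else min(limit, cap)}
    # string[] filters (attackTechniques, cluster, user, ...) are passed as lists;
    # "from"/"to" are Python keywords, so pass them as **{"from": ..., "to": ...}.
    params.update({k: v for k, v in filters.items() if v is not None})
    return params

def iter_audits(fetch, edition, **filters):
    """Yield every audit across pages. `fetch(params) -> list[dict]` is a
    hypothetical callable; a real one would issue the authenticated GET."""
    offset = 0
    while True:
        params = build_params(edition, offset=offset, **filters)
        page = fetch(params)
        yield from page
        if len(page) < params["limit"]:   # short page means no more results
            return
        offset += params["limit"]

def summarize(audits):
    """Count audits per (cluster, technique) and list users seen exec'ing into pods."""
    per_technique, exec_users = Counter(), set()
    for audit in audits:
        for technique in audit.get("attackTechniques", []):
            per_technique[(audit["cluster"], technique)] += 1
            if technique == "execIntoContainer":
                exec_users.add(audit.get("user", {}).get("username"))
    return per_technique, sorted(exec_users)

# Constructed sample audits (same fields as the page's example response).
SAMPLE = [
    {"time": "2022-11-23T16:20:20.383Z", "user": {"username": "johndoe@example.com"},
     "cluster": "gke-a", "attackTechniques": ["execIntoContainer"]},
    {"time": "2022-11-23T16:21:00.000Z", "user": {"username": "ci-bot"},
     "cluster": "gke-a", "attackTechniques": ["privilegedContainer", "createContainer"]},
    {"time": "2022-11-23T16:22:00.000Z", "user": {"username": "alice@example.com"},
     "cluster": "eks-b", "attackTechniques": ["execIntoContainer"]},
]

def fake_fetch(params):
    """Offline stand-in for the HTTP call: slices SAMPLE like the server would."""
    return SAMPLE[params["offset"]:params["offset"] + params["limit"]]
```

Swapping `fake_fetch` for a function that performs the cURL request above with the same `params` (and a `from`/`to` window) gives a complete collector for the audits.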