Download Runtime Container Audit Events
x-prisma-cloud-target-env: {"permission":"monitorRuntimeContainers","saas":true,"self-hosted":true}
x-public: true
Returns the container audit events data in CSV format when a runtime sensor such as process, network, file system, or system call detects an activity that deviates from the predictive model.
Note: In Console, you can view the same under Monitor > Events > Container Audits.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-X GET \
-o <runtime_container_audits.csv> \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/container/download"
Query Parameters
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string[]
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string[]
Scopes the query by cloud provider.
- accountIDs string[]
Filters the result based on cloud account IDs.
- resourceIDs string[]
Scopes the query by resource ID.
- region string[]
Scopes the query by cloud region.
- fields string[]
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- id string[]
IDs are the audit IDs to filter.
- profileID string[]
ProfileIDs are the profile IDs to filter.
- from date-time
From is an optional minimum time constraints for the audit.
- to date-time
To is an optional maximum time constraints for the audit.
- time date-time
Time is used to filter by audit time.
- imageName string[]
ImageNames is the image name filter.
- container string[]
Containers is the container name filter.
- containerID string[]
ContainerID is used to filter by container ID.
- ruleName string[]
RuleNames is used to filter by rule name.
- type string[]
Types is used to filter by runtime audit type.
- effect string[]
Effect is used to filter by runtime audit effect (e.g., block/alert).
- user string[]
Users is used to filter by host users.
- os string[]
OS is the image OS distro filter.
- namespace string[]
Namespaces is the namespaces filter.
- cluster string[]
Clusters is the cluster filter.
- attackType string[]
AttackTypes is used to filter by runtime audit attack type.
- hostname string[]
Hostname is the hostname filter.
- msg string[]
Message is the audit message text filter.
- interactive string[]
Interactive is the audit interactive filter.
- function string[]
Function is used to filter by function name.
- runtime string[]
Runtime is used to filter by runtime.
- attackTechniques string[]
AttackTechniques are the MITRE attack techniques.
- app string[]
App is the name constraint of the service that triggered the audit.
- processPath string[]
ProcessPath is the path constraint of the process that triggered the audit.
- requestID string[]
RequestID is used to filter by request ID.
- functionID string[]
FunctionID is used to filter by function ID.
- aggregate boolean
Aggregate indicates whether the result audits should be aggregated according to the Select field.
- appID string[]
AppID is used to filter by embedded app or Fargate task that triggered the audit.
- 200
- default
OK