Get Runtime Container Audit Events for a Timeframe
GET/api/v32.04/audits/runtime/container/timeslice
x-prisma-cloud-target-env: {"permission":"monitorRuntimeContainers","saas":true,"self-hosted":true}
x-public: true
Retrieves the container audit events when a runtime sensor such as process, network, file system, or system call detects an activity that deviates from the predictive model for a specific time frame.
Note: In Console, you can view the same under Monitor > Events > Container Audits.
Use the following mandatory query parameters to fetch results:
- from: Specifies the start time in UTC standard of the time period for which the audit events are returned.
- to: Specifies the end time in UTC standard of the time period for which the audit events are returned.
- buckets: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Query within the range of 1-100.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/container/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5"
cURL Response
{
"start": "2022-11-16T10:35:57Z",
"end": "2022-11-16T15:23:57Z",
"count": 87
}
Response Parameters:
- start: Specifies the start time of the bucket in date-time UTC format.
- end: Specifies the end time of the bucket in date-time UTC format.
- count: Specifies the number of audit occurrences.
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
IDs are the audit IDs to filter.
ProfileIDs are the profile IDs to filter.
From is an optional minimum time constraints for the audit.
To is an optional maximum time constraints for the audit.
Time is used to filter by audit time.
ImageNames is the image name filter.
Containers is the container name filter.
ContainerID is used to filter by container ID.
RuleNames is used to filter by rule name.
Types is used to filter by runtime audit type.
Effect is used to filter by runtime audit effect (e.g., block/alert).
Users is used to filter by host users.
OS is the image OS distro filter.
Namespaces is the namespaces filter.
Fields is used to fetch specific runtime audit fields.
Clusters is the cluster filter.
AttackTypes is used to filter by runtime audit attack type.
Hostname is the hostname filter.
Message is the audit message text filter.
Interactive is the audit interactive filter.
Function is used to filter by function name.
Runtime is used to filter by runtime.
AttackTechniques are the MITRE attack techniques.
App is the name constraint of the service that triggered the audit.
ProcessPath is the path constraint of the process that triggered the audit.
RequestID is used to filter by request ID.
FunctionID is used to filter by function ID.
Aggregate indicates whether the result audits should be aggregated according to the Select field.
AppID is used to filter by embedded app or Fargate task that triggered the audit.
Buckets is the number of buckets to return.
Responses
- 200
- default
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
Count is the number of audit occurrences.
End is the end time of the bucket.
Start is the start time of the bucket.
[
{
"count": 0,
"end": "2024-04-19T17:07:15.090Z",
"start": "2024-04-19T17:07:15.090Z"
}
]