Get Runtime Container Audit Events for a Timeframe
Retrieves the container audit events when a runtime sensor such as process, network, file system, or system call detects an activity that deviates from the predictive model for a specific time frame.
Note: In Console, you can view the same under Monitor > Events > Container Audits.
Use the following mandatory query parameters to fetch results:
- from: Specifies the start time in UTC standard of the time period for which the audit events are returned.
- to: Specifies the end time in UTC standard of the time period for which the audit events are returned.
- buckets: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Query within the range of 1-100.
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
- start: Specifies the start time of the bucket in date-time UTC format.
- end: Specifies the end time of the bucket in date-time UTC format.
- count: Specifies the number of audit occurrences.
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string
Scopes the query by cloud provider.
- accountIDs string
Filters the result based on cloud account IDs.
- resourceIDs string
Scopes the query by resource ID.
- region string
Scopes the query by cloud region.
- fields string
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- id string
IDs are the audit IDs to filter.
- profileID string
ProfileIDs are the profile IDs to filter.
- from date-time
From is an optional minimum time constraints for the audit.
- to date-time
To is an optional maximum time constraints for the audit.
- time date-time
Time is used to filter by audit time.
- imageName string
ImageNames is the image name filter.
- container string
Containers is the container name filter.
- containerID string
ContainerID is used to filter by container ID.
- ruleName string
RuleNames is used to filter by rule name.
- type string
Types is used to filter by runtime audit type.
- effect string
Effect is used to filter by runtime audit effect (e.g., block/alert).
- user string
Users is used to filter by host users.
- os string
OS is the image OS distro filter.
- namespace string
Namespaces is the namespaces filter.
- cluster string
Clusters is the cluster filter.
- attackType string
AttackTypes is used to filter by runtime audit attack type.
- hostname string
Hostname is the hostname filter.
- msg string
Message is the audit message text filter.
- interactive string
Interactive is the audit interactive filter.
- function string
Function is used to filter by function name.
- runtime string
Runtime is used to filter by runtime.
- attackTechniques string
AttackTechniques are the MITRE attack techniques.
- app string
App is the name constraint of the service that triggered the audit.
- processPath string
ProcessPath is the path constraint of the process that triggered the audit.
- requestID string
RequestID is used to filter by request ID.
- functionID string
FunctionID is used to filter by function ID.
- aggregate boolean
Aggregate indicates whether the result audits should be aggregated according to the Select field.
- appID string
AppID is used to filter by embedded app or Fargate task that triggered the audit.
- buckets integer
Buckets is the number of buckets to return.
- Example (from schema)
- Array [
- count integer
Count is the number of audit occurrences.
- end date-time
End is the end time of the bucket.
- start date-time
Start is the start time of the bucket.