Get Runtime Container Audit Events
Required permission: monitorRuntimeContainers. Available on SaaS and self-hosted Consoles.
Retrieves all container audit events generated when a runtime sensor (process, network, file system, or system call) detects activity that deviates from the container's predictive model.
Note: In Console, you can view the same events under Monitor > Events > Container Audits.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/container"
cURL Response
{
"os": "Ubuntu 20.04.4 LTS",
"_id": "636a952a5a293a6ea06cbb87",
"time": "2022-11-08T17:43:06.68Z",
"hostname": "jen-sle15-dock-0811t165158-cont-def-pre-lngcon230.c.twistlock-test-247119.internal",
"fqdn": "",
"user": "root",
"type": "processes",
"containerId": "6d5b5401b0e406ad064e7020b663236d0df177fa7f4a060c2f21262c27a4a6b2",
"containerName": "/runtime-wf-base-alert",
"imageName": "usertwistlock/ubuntu:wf-base",
"imageId": "sha256:76913b92c0cbacbec7440a62d751c0a38aba1dde6aefe9e832d2a3aa0a3c3f9f",
"effect": "alert",
"ruleName": "sle15-container_alert_usertwistlock/ubuntu:wf-base_mqu",
"msg": "/usr/bin/dash launched but is not found in the runtime model. Full command: /bin/sh -c sleep 3; curl http://169.254.169.254:80",
"profileId": "sha256:76913b92c0cbacbec7440a62d751c0a38aba1dde6aefe9e832d2a3aa0a3c3f9f__",
"interactive": true,
"pid": 1955,
"processPath": "/usr/bin/dash",
"collections": [
"All",
"Prisma Cloud resources",
"registry_scan_container_sle15-container_22_11_384_ghf",
"sle15-container_alert_cnd"
],
"attackType": "unexpectedProcess",
"count": 1,
"container": true,
"severity": "high",
"region": "us-central1-a",
"accountID": "twistlock-test-247119",
"attackTechniques": [
"nativeBinaryExecution"
],
"command": "/bin/sh -c sleep 3; curl http://169.254.169.253:80",
"provider": "gcp"
}
...
Query Parameters
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string[]
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string[]
Scopes the query by cloud provider.
- accountIDs string[]
Filters the result based on cloud account IDs.
- resourceIDs string[]
Scopes the query by resource ID.
- region string[]
Scopes the query by cloud region.
- fields string[]
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- id string[]
IDs are the audit IDs to filter.
- profileID string[]
ProfileIDs are the profile IDs to filter.
- from date-time
From is an optional minimum time constraint for the audit.
- to date-time
To is an optional maximum time constraint for the audit.
- time date-time
Time is used to filter by audit time.
- imageName string[]
ImageNames is the image name filter.
- container string[]
Containers is the container name filter.
- containerID string[]
ContainerID is used to filter by container ID.
- ruleName string[]
RuleNames is used to filter by rule name.
- type string[]
Types is used to filter by runtime audit type.
- effect string[]
Effect is used to filter by runtime audit effect (e.g., block/alert).
- user string[]
Users is used to filter by host users.
- os string[]
OS is the image OS distro filter.
- namespace string[]
Namespaces is the namespaces filter.
- cluster string[]
Clusters is the cluster filter.
- attackType string[]
AttackTypes is used to filter by runtime audit attack type.
- hostname string[]
Hostname is the hostname filter.
- msg string[]
Message is the audit message text filter.
- interactive string[]
Interactive is the audit interactive filter.
- function string[]
Function is used to filter by function name.
- runtime string[]
Runtime is used to filter by runtime.
- attackTechniques string[]
AttackTechniques are the MITRE attack techniques.
- app string[]
App is the name constraint of the service that triggered the audit.
- processPath string[]
ProcessPath is the path constraint of the process that triggered the audit.
- requestID string[]
RequestID is used to filter by request ID.
- functionID string[]
FunctionID is used to filter by function ID.
- aggregate boolean
Aggregate indicates whether the result audits should be aggregated according to the Select field.
- appID string[]
AppID is used to filter by embedded app or Fargate task that triggered the audit.
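Added example, not part of this page or Prisma Cloud's own code: a small Python helper that builds the GET URL from the query parameters above (repeating list-valued filters such as attackType), walks offset/limit pages, and triages the returned audits by effect, attackType and the interactive flag. The Console host, API version and the sample audits are constructed placeholders; the HTTP call itself is left to the caller.

```python
from urllib.parse import urlencode

# Constructed sample modelled on the page's response; a real Console returns a
# JSON array of such objects. Only fields the functions below read are kept.
SAMPLE_AUDITS = [
    {"_id": "a1", "type": "processes", "effect": "alert", "severity": "high",
     "attackType": "unexpectedProcess", "interactive": True},
    {"_id": "a2", "type": "network", "effect": "block", "severity": "medium",
     "attackType": "cloudMetadataProbing", "interactive": False},
    {"_id": "a3", "type": "filesystem", "effect": "alert", "severity": "low",
     "attackType": "secretFileAccess", "interactive": False},
]
# attackType values (from the page's enum) worth a second look when only alerted on.
WATCHLIST = ("cloudMetadataProbing", "reverseShell", "cryptoMinerProcess", "secretFileAccess")

def build_url(console, version, **params):
    """Build the GET URL: list-valued filters (attackType, effect, ...) repeat as
    query keys, booleans become true/false, empty filters are dropped."""
    base = f"https://{console}/api/v{version}/audits/runtime/container"
    query = {}
    for key, value in params.items():
        if value is None or value == [] or value == "":
            continue
        query[key] = str(value).lower() if isinstance(value, bool) else value
    return f"{base}?{urlencode(query, doseq=True)}" if query else base

def fetch_all(fetch_page, limit=50):
    """Walk offset/limit pages until a short or empty page arrives. fetch_page(offset,
    limit) is the caller's HTTP call (requests, urllib, ...) returning the parsed list."""
    audits, offset = [], 0
    while True:
        page = fetch_page(offset, limit) or []
        audits.extend(page)
        if len(page) < limit:
            return audits
        offset += limit

def triage(audits, watch=WATCHLIST):
    """Return ids of watch-listed audits that were only alerted on (not blocked)
    and of interactive process audits, which usually mean a docker exec session."""
    flagged = {"unblocked_watchlist": [], "interactive": []}
    for audit in audits:
        if audit.get("attackType") in watch and audit.get("effect") != "block":
            flagged["unblocked_watchlist"].append(audit["_id"])
        if audit.get("type") == "processes" and audit.get("interactive"):
            flagged["interactive"].append(audit["_id"])
    return flagged

def sample_page(offset, limit):
    """Stand-in for the HTTP call: slices the constructed sample the way the API pages."""
    return SAMPLE_AUDITS[offset:offset + limit]
```

Keep `limit` at or below the PCCE/PCEE maximum given above; a larger value is not honoured by the Console.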
Responses: 200 / default, application/json
Schema
Array of audit objects; each object has the following fields:
- _id string
Internal ID (used for in-place updates).
- accountID string
ID of the cloud account where the audit was generated.
- app string
Name of the service which violated the host policy.
- appID string
Application ID.
- attackTechniques mitre.Technique[]
MITRE attack techniques. Possible values: exploitationForPrivilegeEscalation, exploitPublicFacingApplication, applicationExploitRCE, networkServiceScanning, endpointDenialOfService, exfiltrationGeneral, systemNetworkConfigurationDiscovery, unsecuredCredentials, credentialDumping, systemInformationDiscovery, systemNetworkConnectionDiscovery, systemUserDiscovery, accountDiscovery, cloudInstanceMetadataAPI, accessKubeletMainAPI, queryKubeletReadonlyAPI, accessKubernetesAPIServer, softwareDeploymentTools, ingressToolTransfer, lateralToolTransfer, commandAndControlGeneral, resourceHijacking, manInTheMiddle, nativeBinaryExecution, foreignBinaryExecution, createAccount, accountManipulation, abuseElevationControlMechanisms, supplyChainCompromise, obfuscatedFiles, hijackExecutionFlow, impairDefences, scheduledTaskJob, exploitationOfRemoteServices, eventTriggeredExecution, accountAccessRemoval, privilegedContainer, writableVolumes, execIntoContainer, softwareDiscovery, createContainer, kubernetesSecrets, fileAndDirectoryDiscovery, masquerading, webShell, compileAfterDelivery.
- attackType shared.RuntimeAttackType
RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model). Possible values: (empty string), cloudMetadataProbing, kubeletAPIAccess, kubeletReadonlyAccess, kubectlSpawned, kubectlDownloaded, horizontalPortScanning, verticalPortScanning, explicitlyDeniedIP, customFeedIP, feedIP, unexpectedOutboundPort, suspiciousNetworkActivity, unexpectedListeningPort, explicitlyDeniedListeningPort, explicitlyDeniedOutboundPort, listeningPortModifiedProcess, outboundPortModifiedProcess, feedDNS, explicitlyDeniedDNS, dnsQuery, unexpectedProcess, portScanProcess, malwareProcessCustom, malwareProcessFeed, explicitlyDeniedProcess, modifiedProcess, cryptoMinerProcess, lateralMovementProcess, tmpfsProcess, policyHijacked, reverseShell, suidBinaries, unknownOriginBinary, webShell, administrativeAccount, encryptedBinary, sshAccess, explicitlyDeniedFile, malwareFileCustom, malwareFileFeed, execFileAccess, elfFileAccess, secretFileAccess, regFileAccess, wildfireMalware, unknownOriginBinary, webShell, fileIntegrity, alteredBinary, malwareDownloaded, suspiciousELFHeader, executionFlowHijackAttempt, customRule.
- cluster string
Cluster name.
- collections string[]
Collections to which this audit applies.
- command string
ScrubbedCommand is the command executed by the process with scrubbed PII.
- container boolean
Indicates if this is a container audit (true) or host audit (false).
- containerId string
ID of the container that violates the rule.
- containerName string
Container name.
- count integer
Attack type audits count.
- country string
Outbound country for outgoing network audits.
- domain string
Domain is the requested domain.
- effect runtime.RuleEffect
RuleEffect is the effect applied by the runtime rule. Possible values: block, prevent, alert, disable.
- err string
Unknown error in the audit process.
- filepath string
Filepath is the path of the modified file.
- fqdn string
Current full domain name used in audit alerts.
- function string
Name of the serverless function that caused the audit.
- functionID string
ID of the function invoked.
- hostname string
Current hostname.
- imageId string
Container image ID.
- imageName string
Container image name.
- interactive boolean
Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).
- ip string
IP is the connection destination IP address.
- label string
Container deployment label.
- labels object
Custom labels which augment the audit data (map of string property names to string values).
- md5 string
MD5 of the modified file (only for executables).
- msg string
Blocking message text.
- namespace string
K8s deployment namespace.
- os string
Operating system distribution.
- pid integer
ID of the process that caused the audit event.
- port integer
Port is the connection destination port.
- processPath string
Path of the process that caused the audit event.
- profileId string
Profile ID of the audit.
- provider common.CloudProvider
CloudProvider specifies the cloud provider name. Possible values: aws, azure, gcp, alibaba, oci, others.
- rawEvent string
Unparsed function handler event input.
- region string
Region of the resource where the audit was generated.
- requestID string
ID of the lambda function invocation request.
- resourceID string
Unique ID of the resource where the audit was generated.
- ruleName string
Name of the rule that was applied, if blocked.
- runtime shared.LambdaRuntimeType
LambdaRuntimeType represents the runtime type of the serverless function. The constants are taken from https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime. Possible values: python, python3.6, python3.7, python3.8, python3.9, nodejs12.x, nodejs14.x, dotnetcore2.1, dotnetcore3.1, dotnet6, java8, java11, ruby2.7.
- severity shared.RuntimeSeverity
RuntimeSeverity represents the runtime severity. Possible values: low, medium, high.
- time date-time
Time of the audit event (in UTC time).
- type shared.RuntimeType
RuntimeType represents the runtime protection type. Possible values: processes, network, kubernetes, filesystem.
- user string
Service user.
- version string
Defender version.
- vmID string
Azure unique VM ID where the audit was generated.
- wildFireReportURL string
WildFireReportURL is a URL link of the report generated by wildFire.
Example (from schema)
[
{
"_id": "string",
"accountID": "string",
"app": "string",
"appID": "string",
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"attackType": [
"",
"cloudMetadataProbing",
"kubeletAPIAccess",
"kubeletReadonlyAccess",
"kubectlSpawned",
"kubectlDownloaded",
"horizontalPortScanning",
"verticalPortScanning",
"explicitlyDeniedIP",
"customFeedIP",
"feedIP",
"unexpectedOutboundPort",
"suspiciousNetworkActivity",
"unexpectedListeningPort",
"explicitlyDeniedListeningPort",
"explicitlyDeniedOutboundPort",
"listeningPortModifiedProcess",
"outboundPortModifiedProcess",
"feedDNS",
"explicitlyDeniedDNS",
"dnsQuery",
"unexpectedProcess",
"portScanProcess",
"malwareProcessCustom",
"malwareProcessFeed",
"explicitlyDeniedProcess",
"modifiedProcess",
"cryptoMinerProcess",
"lateralMovementProcess",
"tmpfsProcess",
"policyHijacked",
"reverseShell",
"suidBinaries",
"unknownOriginBinary",
"webShell",
"administrativeAccount",
"encryptedBinary",
"sshAccess",
"explicitlyDeniedFile",
"malwareFileCustom",
"malwareFileFeed",
"execFileAccess",
"elfFileAccess",
"secretFileAccess",
"regFileAccess",
"wildfireMalware",
"unknownOriginBinary",
"webShell",
"fileIntegrity",
"alteredBinary",
"malwareDownloaded",
"suspiciousELFHeader",
"executionFlowHijackAttempt",
"customRule"
],
"cluster": "string",
"collections": [
"string"
],
"command": "string",
"container": true,
"containerId": "string",
"containerName": "string",
"count": 0,
"country": "string",
"domain": "string",
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"err": "string",
"filepath": "string",
"fqdn": "string",
"function": "string",
"functionID": "string",
"hostname": "string",
"imageId": "string",
"imageName": "string",
"interactive": true,
"ip": "string",
"label": "string",
"labels": {},
"md5": "string",
"msg": "string",
"namespace": "string",
"os": "string",
"pid": 0,
"port": 0,
"processPath": "string",
"profileId": "string",
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"rawEvent": "string",
"region": "string",
"requestID": "string",
"resourceID": "string",
"ruleName": "string",
"runtime": [
"python",
"python3.6",
"python3.7",
"python3.8",
"python3.9",
"nodejs12.x",
"nodejs14.x",
"dotnetcore2.1",
"dotnetcore3.1",
"dotnet6",
"java8",
"java11",
"ruby2.7"
],
"severity": [
"low",
"medium",
"high"
],
"time": "2023-06-07T22:06:28.949Z",
"type": [
"processes",
"network",
"kubernetes",
"filesystem"
],
"user": "string",
"version": "string",
"vmID": "string",
"wildFireReportURL": "string"
}
]