
Get Runtime Container Audit Events

Public API endpoint. Required permission: monitorRuntimeContainers. Available on SaaS and self-hosted Consoles.

Retrieves container audit events, which are generated when a runtime sensor (process, network, file system, or system call) detects activity that deviates from the container's learned runtime model.

Note: In Console, you can view the same under Monitor > Events > Container Audits.

cURL Request

Refer to the following example cURL command. The -k flag disables TLS certificate verification; drop it once the Console presents a certificate your client trusts:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/container"

cURL Response

The response body is a JSON array of audit objects (see the Schema below); a single element is shown here:
{
"os": "Ubuntu 20.04.4 LTS",
"_id": "636a952a5a293a6ea06cbb87",
"time": "2022-11-08T17:43:06.68Z",
"hostname": "jen-sle15-dock-0811t165158-cont-def-pre-lngcon230.c.twistlock-test-247119.internal",
"fqdn": "",
"user": "root",
"type": "processes",
"containerId": "6d5b5401b0e406ad064e7020b663236d0df177fa7f4a060c2f21262c27a4a6b2",
"containerName": "/runtime-wf-base-alert",
"imageName": "usertwistlock/ubuntu:wf-base",
"imageId": "sha256:76913b92c0cbacbec7440a62d751c0a38aba1dde6aefe9e832d2a3aa0a3c3f9f",
"effect": "alert",
"ruleName": "sle15-container_alert_usertwistlock/ubuntu:wf-base_mqu",
"msg": "/usr/bin/dash launched but is not found in the runtime model. Full command: /bin/sh -c sleep 3; curl http://169.254.169.254:80",
"profileId": "sha256:76913b92c0cbacbec7440a62d751c0a38aba1dde6aefe9e832d2a3aa0a3c3f9f__",
"interactive": true,
"pid": 1955,
"processPath": "/usr/bin/dash",
"collections": [
"All",
"Prisma Cloud resources",
"registry_scan_container_sle15-container_22_11_384_ghf",
"sle15-container_alert_cnd"
],
"attackType": "unexpectedProcess",
"count": 1,
"container": true,
"severity": "high",
"region": "us-central1-a",
"accountID": "twistlock-test-247119",
"attackTechniques": [
"nativeBinaryExecution"
],
"command": "/bin/sh -c sleep 3; curl http://169.254.169.253:80",
"provider": "gcp"
}
...
...
...

Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • id string[]

    Filters by audit ID (the _id field of the response).

  • profileID string[]

    Filters by profile ID.

  • from date-time

    Optional minimum time constraint for the audits returned.

  • to date-time

    Optional maximum time constraint for the audits returned.

  • time date-time

    Filters by audit time.

  • imageName string[]

    Filters by image name.

  • container string[]

    Filters by container name.

  • containerID string[]

    ContainerID is used to filter by container ID.

  • ruleName string[]

    RuleNames is used to filter by rule name.

  • type string[]

    Types is used to filter by runtime audit type.

  • effect string[]

    Effect is used to filter by runtime audit effect (e.g., block/alert).

  • user string[]

    Filters by host user.

  • os string[]

    Filters by image OS distribution.

  • namespace string[]

    Filters by Kubernetes namespace.

  • cluster string[]

    Filters by cluster name.

  • attackType string[]

    Filters by runtime audit attack type (see the attackType values in the Schema).

  • hostname string[]

    Filters by hostname.

  • msg string[]

    Filters by audit message text.

  • interactive string[]

    Filters by whether the audit came from an interactive process (true/false).

  • function string[]

    Function is used to filter by function name.

  • runtime string[]

    Runtime is used to filter by runtime.

  • attackTechniques string[]

    Filters by MITRE ATT&CK technique (see the attackTechniques values in the Schema).

  • app string[]

    App is the name constraint of the service that triggered the audit.

  • processPath string[]

    ProcessPath is the path constraint of the process that triggered the audit.

  • requestID string[]

    RequestID is used to filter by request ID.

  • functionID string[]

    FunctionID is used to filter by function ID.

  • aggregate boolean

    Aggregate indicates whether the result audits should be aggregated according to the Select field.

  • appID string[]

    AppID is used to filter by embedded app or Fargate task that triggered the audit.
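The following Python script is an added example, not Prisma Cloud's own client or SDK. It wraps the cURL request above in a small paging client that encodes the query parameters listed here and walks offset/limit pages, clamping the page size to the documented per-edition maximum. It assumes string[] parameters are sent as repeated query keys, that each page is a JSON array, and that a page shorter than the requested limit marks the end of the result set; the Console host, credentials and API version are placeholders, and the 120-record sample it pages through is constructed.

```python
"""Paging client for GET /api/v<VERSION>/audits/runtime/container.

Added example, not Prisma Cloud's own tooling. Assumptions: string[] query
parameters are sent as repeated keys (attackType=a&attackType=b), each page is
a JSON array, and a page shorter than the requested limit ends the result set.
"""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterator, List, Optional, Tuple

# Maximum page size per edition, as documented for the `limit` parameter.
MAX_LIMIT = {"PCCE": 250, "PCEE": 50}
Params = List[Tuple[str, str]]


def build_params(**filters) -> Params:
    """Turn keyword filters into (key, value) pairs for urllib.parse.urlencode.

    Lists become repeated keys, booleans become 'true'/'false', None is dropped.
    Pass the `from` filter as **{"from": "..."} since `from` is a Python keyword.
    """
    params: Params = []
    for key, value in filters.items():
        if value is None:
            continue
        if isinstance(value, bool):
            params.append((key, "true" if value else "false"))
        elif isinstance(value, (list, tuple)):
            params.extend((key, str(v)) for v in value)
        else:
            params.append((key, str(value)))
    return params


def iter_audits(get_page: Callable[[Params], List[Dict]], edition: str = "PCEE",
                limit: Optional[int] = None, **filters) -> Iterator[Dict]:
    """Yield every audit matching `filters`, walking offset/limit pages.

    `get_page` takes the params for one page and returns the decoded JSON
    array; injecting it keeps the paging logic testable without a Console.
    The requested limit is clamped to the edition's documented maximum.
    """
    page_size = min(limit or MAX_LIMIT[edition], MAX_LIMIT[edition])
    offset = 0
    while True:
        page = get_page(build_params(offset=offset, limit=page_size, **filters))
        yield from page
        if len(page) < page_size:  # short or empty page: nothing left
            return
        offset += page_size


def make_http_getter(console: str, user: str, password: str, version: str,
                     insecure: bool = False) -> Callable[[Params], List[Dict]]:
    """Build a get_page backed by urllib with basic auth, like the cURL above.

    insecure=True mirrors curl -k (no certificate verification); lab use only.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    url = f"https://{console}/api/v{version}/audits/runtime/container"

    def get_page(params: Params) -> List[Dict]:
        req = urllib.request.Request(url + "?" + urllib.parse.urlencode(params),
                                     headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return get_page


def fake_getter(records: List[Dict]) -> Callable[[Params], List[Dict]]:
    """Offline stand-in for the API: slices a constructed list by offset/limit
    and records each page request in get_page.calls."""
    calls: List[Dict[str, str]] = []

    def get_page(params: Params) -> List[Dict]:
        p = dict(params)  # offset/limit occur once, so dict() keeps them
        calls.append(p)
        off, lim = int(p["offset"]), int(p["limit"])
        return records[off:off + lim]
    get_page.calls = calls  # type: ignore[attr-defined]
    return get_page


if __name__ == "__main__":
    # Constructed sample of 120 minimal audits; real records carry the full schema.
    sample = [{"_id": f"id{i}", "attackType": "unexpectedProcess"} for i in range(120)]
    getter = fake_getter(sample)
    audits = list(iter_audits(getter, edition="PCEE",
                              attackType=["unexpectedProcess", "cloudMetadataProbing"],
                              collections=["Prisma Cloud resources"],
                              **{"from": "2022-11-08T00:00:00Z"}))
    print(f"{len(audits)} audits fetched over {len(getter.calls)} pages")
    # Live Console: getter = make_http_getter("<CONSOLE>", "<USER>", "<PASSWORD>", "<VERSION>")
```

Against a PCEE Console the 120-record sample takes three requests (50, 50, 20); against PCCE the same query fits in one page of up to 250. Requesting a limit above the edition maximum is clamped rather than sent, so the client never silently receives fewer records than it asked for and stops early.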

Responses


Schema
  • Array [
  • _id string

    Internal ID (used for in-place updates).

  • accountID string

    ID of the cloud account where the audit was generated.

  • app string

    Name of the service which violated the host policy.

  • appID string

    Application ID.

  • attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    MITRE attack techniques.

  • attackType shared.RuntimeAttackType

    Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule]

    RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc...)

  • cluster string

    Cluster name.

  • collections string[]

    Collections to which this audit applies.

  • command string

    ScrubbedCommand is the command executed by the process with scrubbed PII.

  • container boolean

    Indicates if this is a container audit (true) or host audit (false).

  • containerId string

    ID of the container that violates the rule.

  • containerName string

    Container name.

  • count integer

    Attack type audits count.

  • country string

    Outbound country for outgoing network audits.

  • domain string

    Domain is the requested domain.

  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • err string

    Unknown error in the audit process.

  • filepath string

    Filepath is the path of the modified file.

  • fqdn string

    Current full domain name used in audit alerts.

  • function string

    Name of the serverless function that caused the audit.

  • functionID string

    ID of the function invoked.

  • hostname string

    Current hostname.

  • imageId string

    Container image ID.

  • imageName string

    Container image name.

  • interactive boolean

    Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).

  • ip string

    IP is the connection destination IP address.

  • label string

    Container deployment label.

  • labels object

    Custom labels which augment the audit data (free-form property names with string values).
  • md5 string

    MD5 is the MD5 of the modified file (only for executables).

  • msg string

    Audit message text (present for alerts as well as blocks, as in the example response above).

  • namespace string

    K8s deployment namespace.

  • os string

    Operating system distribution.

  • pid integer

    ID of the process that caused the audit event.

  • port integer

    Port is the connection destination port.

  • processPath string

    Path of the process that caused the audit event.

  • profileId string

    Profile ID of the audit.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

  • rawEvent string

    Unparsed function handler event input.

  • region string

    Region of the resource where the audit was generated.

  • requestID string

    ID of the lambda function invocation request.

  • resourceID string

    Unique ID of the resource where the audit was generated.

  • ruleName string

    Name of the runtime rule that produced the audit (present for alerts as well as blocks, as in the example response above).

  • runtime shared.LambdaRuntimeType

    Possible values: [python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7]

    LambdaRuntimeType represents the runtime type of the serverless function. The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime

  • severity shared.RuntimeSeverity

    Possible values: [low,medium,high]

    RuntimeSeverity represents the runtime severity

  • time date-time

    Time of the audit event (in UTC time).

  • type shared.RuntimeType

    Possible values: [processes,network,kubernetes,filesystem]

    RuntimeType represents the runtime protection type

  • user string

    Service user.

  • version string

    Defender version.

  • vmID string

    Azure unique VM ID where the audit was generated.

  • wildFireReportURL string

    WildFireReportURL is a URL link of the report generated by wildFire.

  • ]
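As an added example (not Prisma Cloud code), the following Python module consumes audit objects with the schema above and turns them into triage findings. It relies only on documented fields (effect, type, attackType, attackTechniques, severity, count, interactive, container, command, containerId, imageName). The priority ranking, the rule that alerts need human follow-up while block/prevent effects were already enforced by Defender, and the check for the 169.254.169.254 metadata address in the scrubbed command are this example's own heuristics; the three sample records are constructed and abbreviated to the fields used.

```python
"""Normalise runtime container audit records into triage findings.

Added example, not part of Prisma Cloud. Uses only schema fields documented
on this page; the priority ranking and metadata-IP check are heuristics of
this example, not Prisma Cloud's.
"""
import re
from collections import Counter
from typing import Dict, List

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}   # shared.RuntimeSeverity
BLOCKING_EFFECTS = {"block", "prevent"}                # runtime.RuleEffect values enforced by Defender

# Link-local instance metadata endpoint (AWS/GCP/Azure). A curl to it from a
# container is the classic credential-theft step; the page lists it as the
# cloudMetadataProbing attack type and cloudInstanceMetadataAPI technique.
METADATA_IP = re.compile(r"169\.254\.169\.254")


def classify(audit: Dict) -> Dict:
    """Return a compact finding for one audit record."""
    cmd = audit.get("command") or ""
    techniques = list(audit.get("attackTechniques") or [])
    metadata_touch = (audit.get("attackType") == "cloudMetadataProbing"
                      or bool(METADATA_IP.search(cmd)))
    if metadata_touch and "cloudInstanceMetadataAPI" not in techniques:
        techniques.append("cloudInstanceMetadataAPI")  # heuristic enrichment

    # Alerts were observed but not stopped; block/prevent events were enforced.
    needs_response = audit.get("effect", "alert") not in BLOCKING_EFFECTS
    rank = SEVERITY_RANK.get(audit.get("severity", "low"), 1)
    if metadata_touch:
        rank = max(rank, 3)          # treat metadata access as high regardless
    if audit.get("interactive"):
        rank = max(rank, 2)          # someone exec'd into the container

    return {
        "id": audit.get("_id"),
        "scope": "container" if audit.get("container") else "host",
        "where": f'{audit.get("imageName")} ({(audit.get("containerId") or "")[:12]})',
        "type": audit.get("type"),
        "attackType": audit.get("attackType"),
        "techniques": techniques,
        "effect": audit.get("effect"),
        "needs_response": needs_response,
        "priority": rank,
        "count": audit.get("count", 1),
        "metadata_touch": metadata_touch,
    }


def triage(audits: List[Dict]) -> List[Dict]:
    """Classify all records: highest priority first, unblocked before blocked."""
    findings = [classify(a) for a in audits]
    findings.sort(key=lambda f: (-f["priority"], not f["needs_response"], f["id"]))
    return findings


def histogram(findings: List[Dict]) -> Counter:
    """Count findings per (type, attackType, effect), weighted by the count field."""
    c: Counter = Counter()
    for f in findings:
        c[(f["type"], f["attackType"], f["effect"])] += f["count"]
    return c


# Constructed sample records, abbreviated to the fields used here.
SAMPLE_AUDITS = [
    {"_id": "a1", "type": "processes", "attackType": "unexpectedProcess",
     "attackTechniques": ["nativeBinaryExecution"], "effect": "alert",
     "severity": "high", "interactive": True, "container": True, "count": 1,
     "imageName": "usertwistlock/ubuntu:wf-base", "containerId": "6d5b5401b0e406ad",
     "command": "/bin/sh -c sleep 3; curl http://169.254.169.254:80"},
    {"_id": "a2", "type": "network", "attackType": "unexpectedOutboundPort",
     "attackTechniques": [], "effect": "block", "severity": "medium",
     "interactive": False, "container": True, "count": 4,
     "imageName": "nginx:1.25", "containerId": "0123456789abcdef", "command": ""},
    {"_id": "a3", "type": "filesystem", "attackType": "secretFileAccess",
     "attackTechniques": ["unsecuredCredentials"], "effect": "alert",
     "severity": "medium", "interactive": False, "container": True, "count": 2,
     "imageName": "nginx:1.25", "containerId": "0123456789abcdef",
     "command": "cat /run/secrets/db"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUDITS):
        print(f["priority"], f["needs_response"], f["where"], f["attackType"], f["techniques"])
    print(histogram(triage(SAMPLE_AUDITS)))
```

With the sample, the interactive shell that curls the metadata endpoint sorts first, the unblocked secret-file read second, and the already-blocked outbound connection last even though four such events were counted. The histogram keyed on (type, attackType, effect) is the shape you would feed into a dashboard or compare run over run to spot a rule that was downgraded from block to alert.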