Get Runtime File Integrity Audit Events
GET /api/v33.01/audits/runtime/file-integrity
x-prisma-cloud-target-env: {"permission":"monitorRuntimeHosts"}
Retrieves all audit events for file-integrity checks that are configured under host runtime rules.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/file-integrity"
cURL Response
{
"_id": "63762bc3b2a8e98a1c36a9e6",
"eventType": "read",
"path": "/etc/user/user",
"fileType": 2,
"processName": "cat",
"user": "ubuntu",
"time": "2022-11-17T12:40:35.046Z",
"description": "Process cat read from path (user: ubuntu)",
"hostname": "ip-172-31-9-109.ec2.internal",
"fqdn": "",
"ruleName": "user-host-arm",
"accountID": "496947949261",
"collections": [
"All",
"waas_oob_collection",
"user123"
],
"cluster": ""
}
...
...
...
Request
Query Parameters
- Offsets the result to a specific report count. Offset starts from 0.
- Limit is the maximum number of results to return.
- Sorts the result using a key.
- Sorts the result in reverse order.
- IDs is the list of IDs to use for filtering.
- From is an optional minimum time constraint for the event.
- To is an optional maximum time constraint for the event.
- Hosts is the list of hosts to use for filtering.
- Paths is the list of paths to use for filtering.
- EventTypes is the list of file-integrity events to use for filtering.
- Clusters is the cluster filter.
Responses
- 200
- default
Content type: application/json
Schema
Array of file-integrity audit events; each element has the following fields (names as in the example below):
- _id: ID is the activity's unique identifier.
- accountID: AccountID is the cloud account ID.
- cluster: Cluster is the cluster on which the event was found.
- collections: Collections are the collections to which this event applies.
- description: Description is a human-readable description of the action performed on the path.
- eventType: FileIntegrityEventType represents the type of the file-integrity event. Possible values: [metadata, read, write]
- fileType: FSFileType represents the file type.
- fqdn: FQDN is the current fully qualified domain name used in audit alerts.
- hostname: Hostname is the hostname on which the event was found.
- metadata (object): FileMetadata represents the metadata of a single file/directory.
  - gid: GID is the ID of the group that owns the file/directory.
  - permissions: Permissions are the file/directory permission bits.
  - uid: UID is the ID of the user that owns the file/directory.
- path: Path is the absolute path of the event.
- processName: ProcessName is the name of the process that initiated the event.
- ruleName: RuleName is the name of the file-integrity rule that was applied.
- time: Time is the time of the event.
- user: User is the user who initiated the event.
Example (from schema)
[
{
"_id": "string",
"accountID": "string",
"cluster": "string",
"collections": [
"string"
],
"description": "string",
"eventType": [
"metadata",
"read",
"write"
],
"fileType": 0,
"fqdn": "string",
"hostname": "string",
"metadata": {
"gid": 0,
"permissions": 0,
"uid": 0
},
"path": "string",
"processName": "string",
"ruleName": "string",
"time": "2024-07-29T15:51:28.071Z",
"user": "string"
}
]
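As an added example (not part of the Prisma Cloud documentation), the following Python pages through this endpoint with offset and limit and triages the returned events, separating content writes and metadata changes from reads and counting events per host. The fetch callable stands in for the authenticated GET shown in the cURL example, the sample events are constructed from the response shape above, and the query-parameter names offset and limit are assumed from the parameter descriptions.

```python
from collections import Counter
from typing import Callable, Iterator

def iter_events(fetch_page: Callable[[int, int], list], limit: int = 50) -> Iterator[dict]:
    """Page through the endpoint: offset starts at 0 and advances by limit;
    a page shorter than limit is the last one (parameter names assumed)."""
    offset = 0
    while True:
        page = fetch_page(offset, limit)
        yield from page
        if len(page) < limit:
            return
        offset += limit

def integrity_changes(events: list) -> list:
    """Events that can alter a watched file: content writes and metadata
    (owner/permission) changes. Reads leave the file unchanged."""
    return [e for e in events if e.get("eventType") in ("write", "metadata")]

def per_host_summary(events: list) -> Counter:
    """Count events by (hostname, eventType) for a quick triage table."""
    return Counter((e["hostname"], e["eventType"]) for e in events)

# Constructed sample data shaped like the documented response; the first
# record is the one shown on this page, the other two are made up.
def _event(_id: str, etype: str, proc: str, user: str, host: str, **extra) -> dict:
    return {"_id": _id, "eventType": etype, "path": "/etc/user/user", "fileType": 2,
            "processName": proc, "user": user, "hostname": host, "fqdn": "",
            "time": "2022-11-17T12:40:35.046Z", "ruleName": "user-host-arm",
            "accountID": "496947949261", "collections": ["All"], "cluster": "", **extra}

SAMPLE = [
    _event("63762bc3b2a8e98a1c36a9e6", "read", "cat", "ubuntu", "ip-172-31-9-109.ec2.internal"),
    _event("constructed-0002", "write", "vi", "ubuntu", "ip-172-31-9-109.ec2.internal"),
    _event("constructed-0003", "metadata", "chmod", "root", "ip-172-31-9-110.ec2.internal",
           metadata={"gid": 0, "permissions": 420, "uid": 0}),
]

def fake_fetch(offset: int, limit: int) -> list:
    """Offline stand-in for the authenticated GET; slices SAMPLE as the API would."""
    return SAMPLE[offset:offset + limit]

if __name__ == "__main__":
    events = list(iter_events(fake_fetch, limit=2))  # two pages: 2 + 1 events
    for e in integrity_changes(events):
        print(e["time"], e["hostname"], e["eventType"], e["path"], e["processName"])
    print(per_host_summary(events))
```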