Get Runtime File Integrity Audit Events
Required permission: monitorRuntimeHosts (available on both SaaS and self-hosted Consoles). Public API: yes.
Retrieves all audit events for file-integrity checks that are configured under host runtime rules.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/file-integrity"
cURL Response
{
  "_id": "63762bc3b2a8e98a1c36a9e6",
  "eventType": "read",
  "path": "/etc/user/user",
  "fileType": 2,
  "processName": "cat",
  "user": "ubuntu",
  "time": "2022-11-17T12:40:35.046Z",
  "description": "Process cat read from path (user: ubuntu)",
  "hostname": "ip-172-31-9-109.ec2.internal",
  "fqdn": "",
  "ruleName": "user-host-arm",
  "accountID": "496947949261",
  "collections": [
    "All",
    "waas_oob_collection",
    "user123"
  ],
  "cluster": ""
}
...
Query Parameters
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string[]
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string[]
Scopes the query by cloud provider.
- accountIDs string[]
Filters the result based on cloud account IDs.
- resourceIDs string[]
Scopes the query by resource ID.
- region string[]
Scopes the query by cloud region.
- fields string[]
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- id string[]
IDs is the list of IDs to use for filtering.
- from date-time
From is an optional minimum time constraint for the event.
- to date-time
To is an optional maximum time constraint for the event.
- hostname string[]
Hosts is the list of hosts to use for filtering.
- path string[]
Paths is the list of paths to use for filtering.
- eventType string[]
EventTypes is the list of file integrity events to use for filtering.
- cluster string[]
Clusters is the cluster filter.
Response: 200 (application/json)
Schema
- Array [
- _id string
ID is the activity's unique identifier.
- accountID string
AccountID is the cloud account ID.
- cluster string
Cluster is the cluster on which the event was found.
- collections string[]
Collections are collections to which this event applies.
- description string
Description is a human readable description of the action performed on the path.
- eventType shared.FileIntegrityEventType
FileIntegrityEventType represents the type of the file integrity event. Possible values: metadata, read, write.
- fileType runtime.FSFileType
FSFileType represents the file type
- fqdn string
FQDN is the current fully qualified domain name used in audit alerts.
- hostname string
Hostname is the hostname on which the event was found.
- metadata object
FileMetadata represents the metadata of a single file/directory.
  - gid integer
  GID is the ID of the group that owns the file/directory.
  - permissions integer
  Permissions are the file/directory permission bits.
  - uid integer
  UID is the ID of the user that owns the file/directory.
- path string
Path is the absolute path of the event.
- processName string
ProcessName is the name of the process that initiated the event.
- ruleName string
RuleName is the name of the applied rule whose file integrity check produced this audit event.
- time date-time
Time is the time of the event.
- user string
User is the user that initiated the event.
- ]
[
  {
    "_id": "string",
    "accountID": "string",
    "cluster": "string",
    "collections": [
      "string"
    ],
    "description": "string",
    "eventType": [
      "metadata",
      "read",
      "write"
    ],
    "fileType": 0,
    "fqdn": "string",
    "hostname": "string",
    "metadata": {
      "gid": 0,
      "permissions": 0,
      "uid": 0
    },
    "path": "string",
    "processName": "string",
    "ruleName": "string",
    "time": "2023-06-07T22:06:28.951Z",
    "user": "string"
  }
]
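The following is an added example, not code from the Prisma Cloud documentation: a small Python client that pages through this endpoint with offset/limit (using the PCEE maximum of 50 per page), passes the list-valued filters, and triages the returned events by eventType and path. The Console URL and version are placeholders, and sending string[] parameters as repeated query keys is an assumption to confirm against your Console.

```python
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Iterator, List
# Assumed, not from the page: placeholder Console URL and version; credentials come from the caller.
CONSOLE = "https://console.example.invalid"
API_VERSION = "<VERSION>"
PAGE_SIZE = 50  # the PCEE maximum (PCCE allows up to 250)

def build_url(offset: int, limit: int, **filters) -> str:
    """Build the request URL; list filters (hostname, path, eventType, ...) go as repeated keys (assumption)."""
    params = {"offset": offset, "limit": limit}
    params.update({k: v for k, v in filters.items() if v})
    query = urllib.parse.urlencode(params, doseq=True)
    return f"{CONSOLE}/api/v{API_VERSION}/audits/runtime/file-integrity?{query}"

def fetch_page(user: str, password: str, offset: int, limit: int, **filters) -> List[dict]:
    """Fetch one page with HTTP basic auth, as the cURL example does with -u."""
    req = urllib.request.Request(build_url(offset, limit, **filters))
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp) or []

def iter_all_audits(page_fn: Callable[..., List[dict]], page_size: int = PAGE_SIZE, **filters) -> Iterator[dict]:
    """Walk the whole result set with offset/limit; stop on a short or empty page."""
    offset = 0
    while True:
        page = page_fn(offset=offset, limit=page_size, **filters)
        yield from page
        if len(page) < page_size:
            return
        offset += page_size

def sensitive_changes(events, prefixes=("/etc/", "/root/.ssh/")) -> List[dict]:
    """Triage helper: keep only write/metadata events under the watched path prefixes."""
    return [e for e in events
            if e.get("eventType") in ("write", "metadata")
            and e.get("path", "").startswith(prefixes)]
# Constructed sample events in the shape of the page's response (values made up for the demo).
SAMPLE_EVENTS = [
    {"_id": "1", "eventType": "read", "path": "/etc/user/user", "processName": "cat", "user": "ubuntu"},
    {"_id": "2", "eventType": "write", "path": "/etc/sudoers", "processName": "vi", "user": "ubuntu"},
    {"_id": "3", "eventType": "metadata", "path": "/root/.ssh/authorized_keys", "processName": "chmod", "user": "root"},
]

def sample_page_fn(offset: int, limit: int, **filters) -> List[dict]:
    """Offline stand-in for fetch_page that pages over SAMPLE_EVENTS."""
    return SAMPLE_EVENTS[offset:offset + limit]
```

Against a live Console, bind the credentials with functools.partial(fetch_page, user, password) and pass that as page_fn together with filters such as eventType=["write"] or from_/to timestamps.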