Get Runtime File Integrity Audit Events

x-prisma-cloud-target-env: {"permission":"monitorRuntimeHosts","saas":true,"self-hosted":true}
x-public: true

Retrieves all audit events for file-integrity checks that are configured under host runtime rules.

cURL Request

Refer to the following example cURL command:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/runtime/file-integrity"

cURL Response

{
   "_id": "63762bc3b2a8e98a1c36a9e6",
   "eventType": "read",
   "path": "/etc/user/user",
   "fileType": 2,
   "processName": "cat",
   "user": "ubuntu",
   "time": "2022-11-17T12:40:35.046Z",
   "description": "Process cat read from path (user: ubuntu)",
   "hostname": "ip-172-31-9-109.ec2.internal",
   "fqdn": "",
   "ruleName": "user-host-arm",
   "accountID": "496947949261",
   "collections": [
     "All",
     "waas_oob_collection",
     "user123"
   ],
   "cluster": ""
}
...
...
...

Query Parameters

• offset integer

  Offsets the result to a specific report count. Offset starts from 0.

• limit integer

  Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

• search string

  Retrieves the result for a search term.

• sort string

  Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

• reverse boolean

  Sorts the result in reverse order.

• collections string[]

  Filters the result based on collection names that you have defined in Prisma Cloud Compute.

• provider string[]

  Scopes the query by cloud provider.

• accountIDs string[]

  Filters the result based on cloud account IDs.

• resourceIDs string[]

  Scopes the query by resource ID.

• region string[]

  Scopes the query by cloud region.

• fields string[]

  Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

• id string[]

  IDs is the list of IDs to use for filtering.

• from date-time

  From is an optional minimum time constraints for the event.

• to date-time

  To is an optional maximum time constraints for the event.

• hostname string[]

  Hosts is the list of hosts to use for filtering.

• path string[]

  Paths is the list of paths to use for filtering.

• eventType string[]

  EventTypes is the list of file intergrity events to use for filtering.

• cluster string[]

  Clusters is the cluster filter.

Responses

• 200
• default

---

application/json

• Schema
• Example (from schema)

---

Schema

• Array [
• _id string

  ID is activity's unique identifier.

• accountID string

  AccountID is the cloud account ID.

• cluster string

  Cluster is the cluster on which the event was found.

• collections string[]

  Collections are collections to which this event applies.

• description string

  Description is a human readable description of the action performed on the path.

• eventType shared.FileIntegrityEventType

  Possible values: [metadata,read,write]

  FileIntegrityEventType represents the type of the file integrity event

• fileType runtime.FSFileType

  FSFileType represents the file type

• fqdn string

  FQDN is the current fully qualified domain name used in audit alerts.

• hostname string

  Hostname is the hostname on which the event was found.

• metadata object

  FileMetadata represents the metadata of a single file/directory

  gid integer

  GID is the ID of the group that owns the file/directory.

  permissions integer

  Permissions are the file/directory permission bits.

  uid integer

  UID is the ID of the user that owns the file/directory.

• path string

  Path is the absolute path of the event.

• processName string

  ProcessName is the name of the process initiated the event.

• ruleName string

  RuleName is the name of the applied rule for auditing file integrity rules.

• time date-time

  Time is the time of the event.

• user string

  User is the user initiated the event.

• ]

[
  {
    "_id": "string",
    "accountID": "string",
    "cluster": "string",
    "collections": [
      "string"
    ],
    "description": "string",
    "eventType": [
      "metadata",
      "read",
      "write"
    ],
    "fileType": 0,
    "fqdn": "string",
    "hostname": "string",
    "metadata": {
      "gid": 0,
      "permissions": 0,
      "uid": 0
    },
    "path": "string",
    "processName": "string",
    "ruleName": "string",
    "time": "2023-06-07T22:06:28.951Z",
    "user": "string"
  }
]

Loading...