Skip to main content

Get Runtime File Integrity Audit Events

x-prisma-cloud-target-env: {"permission":"monitorRuntimeHosts","saas":true,"self-hosted":true}
x-public: true

Retrieves all audit events for file-integrity checks that are configured under host runtime rules.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \

cURL Response

"_id": "63762bc3b2a8e98a1c36a9e6",
"eventType": "read",
"path": "/etc/user/user",
"fileType": 2,
"processName": "cat",
"user": "ubuntu",
"time": "2022-11-17T12:40:35.046Z",
"description": "Process cat read from path (user: ubuntu)",
"hostname": "ip-172-31-9-109.ec2.internal",
"fqdn": "",
"ruleName": "user-host-arm",
"accountID": "496947949261",
"collections": [
"cluster": ""

Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • id string[]

    IDs is the list of IDs to use for filtering.

  • from date-time

    From is an optional minimum time constraints for the event.

  • to date-time

    To is an optional maximum time constraints for the event.

  • hostname string[]

    Hosts is the list of hosts to use for filtering.

  • path string[]

    Paths is the list of paths to use for filtering.

  • eventType string[]

    EventTypes is the list of file intergrity events to use for filtering.

  • cluster string[]

    Clusters is the cluster filter.


  • Array [
  • _id string

    ID is activity's unique identifier.

  • accountID string

    AccountID is the cloud account ID.

  • cluster string

    Cluster is the cluster on which the event was found.

  • collections string[]

    Collections are collections to which this event applies.

  • description string

    Description is a human readable description of the action performed on the path.

  • eventType shared.FileIntegrityEventType

    Possible values: [metadata,read,write]

    FileIntegrityEventType represents the type of the file integrity event

  • fileType runtime.FSFileType

    FSFileType represents the file type

  • fqdn string

    FQDN is the current fully qualified domain name used in audit alerts.

  • hostname string

    Hostname is the hostname on which the event was found.

  • metadata object

    FileMetadata represents the metadata of a single file/directory

  • gid integer

    GID is the ID of the group that owns the file/directory.

  • permissions integer

    Permissions are the file/directory permission bits.

  • uid integer

    UID is the ID of the user that owns the file/directory.

  • path string

    Path is the absolute path of the event.

  • processName string

    ProcessName is the name of the process initiated the event.

  • ruleName string

    RuleName is the name of the applied rule for auditing file integrity rules.

  • time date-time

    Time is the time of the event.

  • user string

    User is the user initiated the event.

  • ]