Get Runtime File Integrity Audit Events

GET 
/api/v32.04/audits/runtime/file-integrity

x-prisma-cloud-target-env: {"permission":"monitorRuntimeHosts","saas":true,"self-hosted":true}
x-public: true

Retrieves all audit events for file-integrity checks that are configured under host runtime rules.

cURL Request

Refer to the following example cURL command:

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/runtime/file-integrity"

cURL Response

{
   "_id": "63762bc3b2a8e98a1c36a9e6",
   "eventType": "read",
   "path": "/etc/user/user",
   "fileType": 2,
   "processName": "cat",
   "user": "ubuntu",
   "time": "2022-11-17T12:40:35.046Z",
   "description": "Process cat read from path (user: ubuntu)",
   "hostname": "ip-172-31-9-109.ec2.internal",
   "fqdn": "",
   "ruleName": "user-host-arm",
   "accountID": "496947949261",
   "collections": [
     "All",
     "waas_oob_collection",
     "user123"
   ],
   "cluster": ""
}
...
...
...

Request

Query Parameters

offset integer

Offsets the result to a specific report count. Offset starts from 0.

limit integer

Limit is the amount to fix.

sort string

Sorts the result using a key.

reverse boolean

Sorts the result in reverse order.

id string[]

IDs is the list of IDs to use for filtering.

from date-time

From is an optional minimum time constraints for the event.

to date-time

To is an optional maximum time constraints for the event.

hostname string[]

Hosts is the list of hosts to use for filtering.

path string[]

Paths is the list of paths to use for filtering.

eventType string[]

EventTypes is the list of file intergrity events to use for filtering.

cluster string[]

Clusters is the cluster filter.

Responses

200

application/json

Schema

Schema

• Array [
_id string

ID is activity's unique identifier.

accountID string

AccountID is the cloud account ID.

cluster string

Cluster is the cluster on which the event was found.

collections string (string)[]

Collections are collections to which this event applies.

description string

Description is a human readable description of the action performed on the path.

eventType shared.FileIntegrityEventType (string)

Possible values: [metadata,read,write]

FileIntegrityEventType represents the type of the file integrity event

fileType runtime.FSFileType (integer)

FSFileType represents the file type

fqdn string

FQDN is the current fully qualified domain name used in audit alerts.

hostname string

Hostname is the hostname on which the event was found.

metadata object

FileMetadata represents the metadata of a single file/directory

gid integer

GID is the ID of the group that owns the file/directory.

permissions integer

Permissions are the file/directory permission bits.

uid integer

UID is the ID of the user that owns the file/directory.

path string

Path is the absolute path of the event.

processName string

ProcessName is the name of the process initiated the event.

ruleName string

RuleName is the name of the applied rule for auditing file integrity rules.

time date-time

Time is the time of the event.

user string

User is the user initiated the event.

• ]

Example (from schema)

[
  {
    "_id": "string",
    "accountID": "string",
    "cluster": "string",
    "collections": [
      "string"
    ],
    "description": "string",
    "eventType": [
      "metadata",
      "read",
      "write"
    ],
    "fileType": 0,
    "fqdn": "string",
    "hostname": "string",
    "metadata": {
      "gid": 0,
      "permissions": 0,
      "uid": 0
    },
    "path": "string",
    "processName": "string",
    "ruleName": "string",
    "time": "2024-04-25T18:28:20.168Z",
    "user": "string"
  }
]

default

Loading...