Get Runtime Host Audit Events
GET/api/v33.01/audits/runtime/host
x-prisma-cloud-target-env: {"permission":"monitorRuntimeHosts"}
Retrieves the runtime host audit events.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/host"
cURL Response
{
"_id": "637628beb2a8e98a1c36a9e1",
"time": "2022-11-17T12:27:42.003Z",
"hostname": "ip-172-31-9-109.ec2.internal",
"fqdn": "",
"type": "network",
"effect": "alert",
"ruleName": "user-host-arm",
"msg": "DNS resolution of name www.yahoo.com, type AAAA explicitly denied by a runtime rule",
"profileId": "ip-172-31-9-109.ec2.internal",
"collections": [
"All",
"waas_oob_collection",
"user123"
],
"attackType": "explicitlyDeniedDNS",
"count": 1,
"severity": "high",
"region": "us-east-1",
"accountID": "496947949261",
"domain": "www.yahoo.com",
"provider": "aws",
"resourceID": "i-0bc31d26963bd2933"
}
...
...
...
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
IDs are the audit IDs to filter.
ProfileIDs are the profile IDs to filter.
From is an optional minimum time constraints for the audit.
To is an optional maximum time constraints for the audit.
Time is used to filter by audit time.
ImageNames is the image name filter.
Containers is the container name filter.
ContainerID is used to filter by container ID.
RuleNames is used to filter by rule name.
Types is used to filter by runtime audit type.
Effect is used to filter by runtime audit effect (e.g., block/alert).
Users is used to filter by host users.
OS is the image OS distro filter.
Namespaces is the namespaces filter.
Fields is used to fetch specific runtime audit fields.
Clusters is the cluster filter.
AttackTypes is used to filter by runtime audit attack type.
Hostname is the hostname filter.
Message is the audit message text filter.
Interactive is the audit interactive filter.
Function is used to filter by function name.
Runtime is used to filter by runtime.
AttackTechniques are the MITRE attack techniques.
App is the name constraint of the service that triggered the audit.
ProcessPath is the path constraint of the process that triggered the audit.
RequestID is used to filter by request ID.
FunctionID is used to filter by function ID.
Aggregate indicates whether the result audits should be aggregated according to the Select field.
AppID is used to filter by embedded app or Fargate task that triggered the audit.
Responses
- 200
- default
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
Internal ID (used for in-place updates).
ID of the cloud account where the audit was generated.
Name of the service which violated the host policy.
Application ID.
Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery
]
MITRE attack techniques.
Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule
]
RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc...)
Cluster name.
Collections to which this audit applies.
ScrubbedCommand is the command executed by the process with scrubbed PII.
Indicates if this is a container audit (true) or host audit (false).
ID of the container that violates the rule.
Container name.
Attack type audits count.
Outbound country for outgoing network audits.
Domain is the requested domain.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Unknown error in the audit process.
Filepath is the path of the modified file.
Current full domain name used in audit alerts.
Name of the serverless function that caused the audit.
ID of the function invoked.
Current hostname.
Container image ID.
Container image name.
Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).
IP is the connection destination IP address.
Container deployment label.
labels object
Custom labels which augment the audit data.
MD5 is the MD5 of the modified file (only for executables.
Blocking message text.
K8s deployment namespace.
Operating system distribution.
ID of the process that caused the audit event.
Port is the connection destination port.
Path of the process that caused the audit event.
Profile ID of the audit.
Possible values: [aws,azure,gcp,alibaba,oci,others
]
CloudProvider specifies the cloud provider name
Unparsed function handler event input.
Region of the resource where the audit was generated.
ID of the lambda function invocation request.
Unique ID of the resource where the audit was generated.
Name of the rule that was applied, if blocked.
Possible values: [python,python3.6,python3.7,python3.8,python3.9,python3.10,python3.11,python3.12,nodejs,nodejs12.x,nodejs14.x,nodejs16.x,nodejs18.x,nodejs20.x,dotnet,dotnetcore2.1,dotnetcore3.1,dotnet6,java,java8,java11,java17,java21,ruby,ruby2.7
]
LambdaRuntimeType represents the runtime type of the serverless function The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime
Possible values: [low,medium,high
]
RuntimeSeverity represents the runtime severity
Time of the audit event (in UTC time).
Possible values: [processes,network,kubernetes,filesystem
]
RuntimeType represents the runtime protection type
Service user.
Defender version.
Azure unique VM ID where the audit was generated.
WildFireReportURL is a URL link of the report generated by wildFire.
[
{
"_id": "string",
"accountID": "string",
"app": "string",
"appID": "string",
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"attackType": [
"",
"cloudMetadataProbing",
"kubeletAPIAccess",
"kubeletReadonlyAccess",
"kubectlSpawned",
"kubectlDownloaded",
"horizontalPortScanning",
"verticalPortScanning",
"explicitlyDeniedIP",
"customFeedIP",
"feedIP",
"unexpectedOutboundPort",
"suspiciousNetworkActivity",
"unexpectedListeningPort",
"explicitlyDeniedListeningPort",
"explicitlyDeniedOutboundPort",
"listeningPortModifiedProcess",
"outboundPortModifiedProcess",
"feedDNS",
"explicitlyDeniedDNS",
"dnsQuery",
"unexpectedProcess",
"portScanProcess",
"malwareProcessCustom",
"malwareProcessFeed",
"explicitlyDeniedProcess",
"modifiedProcess",
"cryptoMinerProcess",
"lateralMovementProcess",
"tmpfsProcess",
"policyHijacked",
"reverseShell",
"suidBinaries",
"unknownOriginBinary",
"webShell",
"administrativeAccount",
"encryptedBinary",
"sshAccess",
"explicitlyDeniedFile",
"malwareFileCustom",
"malwareFileFeed",
"execFileAccess",
"elfFileAccess",
"secretFileAccess",
"regFileAccess",
"wildfireMalware",
"unknownOriginBinary",
"webShell",
"fileIntegrity",
"alteredBinary",
"malwareDownloaded",
"suspiciousELFHeader",
"executionFlowHijackAttempt",
"customRule"
],
"cluster": "string",
"collections": [
"string"
],
"command": "string",
"container": true,
"containerId": "string",
"containerName": "string",
"count": 0,
"country": "string",
"domain": "string",
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"err": "string",
"filepath": "string",
"fqdn": "string",
"function": "string",
"functionID": "string",
"hostname": "string",
"imageId": "string",
"imageName": "string",
"interactive": true,
"ip": "string",
"label": "string",
"labels": {},
"md5": "string",
"msg": "string",
"namespace": "string",
"os": "string",
"pid": 0,
"port": 0,
"processPath": "string",
"profileId": "string",
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"rawEvent": "string",
"region": "string",
"requestID": "string",
"resourceID": "string",
"ruleName": "string",
"runtime": [
"python",
"python3.6",
"python3.7",
"python3.8",
"python3.9",
"python3.10",
"python3.11",
"python3.12",
"nodejs",
"nodejs12.x",
"nodejs14.x",
"nodejs16.x",
"nodejs18.x",
"nodejs20.x",
"dotnet",
"dotnetcore2.1",
"dotnetcore3.1",
"dotnet6",
"java",
"java8",
"java11",
"java17",
"java21",
"ruby",
"ruby2.7"
],
"severity": [
"low",
"medium",
"high"
],
"time": "2024-07-29T15:51:28.071Z",
"type": [
"processes",
"network",
"kubernetes",
"filesystem"
],
"user": "string",
"version": "string",
"vmID": "string",
"wildFireReportURL": "string"
}
]