Skip to main content

Get Runtime Host Audit Events

x-prisma-cloud-target-env: {"permission":"monitorRuntimeHosts","saas":true,"self-hosted":true}
x-public: true

Retrieves the runtime host audit events.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \

cURL Response

"_id": "637628beb2a8e98a1c36a9e1",
"time": "2022-11-17T12:27:42.003Z",
"hostname": "ip-172-31-9-109.ec2.internal",
"fqdn": "",
"type": "network",
"effect": "alert",
"ruleName": "user-host-arm",
"msg": "DNS resolution of name, type AAAA explicitly denied by a runtime rule",
"profileId": "ip-172-31-9-109.ec2.internal",
"collections": [
"attackType": "explicitlyDeniedDNS",
"count": 1,
"severity": "high",
"region": "us-east-1",
"accountID": "496947949261",
"domain": "",
"provider": "aws",
"resourceID": "i-0bc31d26963bd2933"

Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • id string[]

    IDs are the audit IDs to filter.

  • profileID string[]

    ProfileIDs are the profile IDs to filter.

  • from date-time

    From is an optional minimum time constraints for the audit.

  • to date-time

    To is an optional maximum time constraints for the audit.

  • time date-time

    Time is used to filter by audit time.

  • imageName string[]

    ImageNames is the image name filter.

  • container string[]

    Containers is the container name filter.

  • containerID string[]

    ContainerID is used to filter by container ID.

  • ruleName string[]

    RuleNames is used to filter by rule name.

  • type string[]

    Types is used to filter by runtime audit type.

  • effect string[]

    Effect is used to filter by runtime audit effect (e.g., block/alert).

  • user string[]

    Users is used to filter by host users.

  • os string[]

    OS is the image OS distro filter.

  • namespace string[]

    Namespaces is the namespaces filter.

  • cluster string[]

    Clusters is the cluster filter.

  • attackType string[]

    AttackTypes is used to filter by runtime audit attack type.

  • hostname string[]

    Hostname is the hostname filter.

  • msg string[]

    Message is the audit message text filter.

  • interactive string[]

    Interactive is the audit interactive filter.

  • function string[]

    Function is used to filter by function name.

  • runtime string[]

    Runtime is used to filter by runtime.

  • attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

  • app string[]

    App is the name constraint of the service that triggered the audit.

  • processPath string[]

    ProcessPath is the path constraint of the process that triggered the audit.

  • requestID string[]

    RequestID is used to filter by request ID.

  • functionID string[]

    FunctionID is used to filter by function ID.

  • aggregate boolean

    Aggregate indicates whether the result audits should be aggregated according to the Select field.

  • appID string[]

    AppID is used to filter by embedded app or Fargate task that triggered the audit.


  • Array [
  • _id string

    Internal ID (used for in-place updates).

  • accountID string

    ID of the cloud account where the audit was generated.

  • app string

    Name of the service which violated the host policy.

  • appID string

    Application ID.

  • attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    MITRE attack techniques.

  • attackType shared.RuntimeAttackType

    Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule]

    RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc...)

  • cluster string

    Cluster name.

  • collections string[]

    Collections to which this audit applies.

  • command string

    ScrubbedCommand is the command executed by the process with scrubbed PII.

  • container boolean

    Indicates if this is a container audit (true) or host audit (false).

  • containerId string

    ID of the container that violates the rule.

  • containerName string

    Container name.

  • count integer

    Attack type audits count.

  • country string

    Outbound country for outgoing network audits.

  • domain string

    Domain is the requested domain.

  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • err string

    Unknown error in the audit process.

  • filepath string

    Filepath is the path of the modified file.

  • fqdn string

    Current full domain name used in audit alerts.

  • function string

    Name of the serverless function that caused the audit.

  • functionID string

    ID of the function invoked.

  • hostname string

    Current hostname.

  • imageId string

    Container image ID.

  • imageName string

    Container image name.

  • interactive boolean

    Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).

  • ip string

    IP is the connection destination IP address.

  • label string

    Container deployment label.

  • labels object

    Custom labels which augment the audit data.

  • property name* string
  • md5 string

    MD5 is the MD5 of the modified file (only for executables.

  • msg string

    Blocking message text.

  • namespace string

    K8s deployment namespace.

  • os string

    Operating system distribution.

  • pid integer

    ID of the process that caused the audit event.

  • port integer

    Port is the connection destination port.

  • processPath string

    Path of the process that caused the audit event.

  • profileId string

    Profile ID of the audit.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

  • rawEvent string

    Unparsed function handler event input.

  • region string

    Region of the resource where the audit was generated.

  • requestID string

    ID of the lambda function invocation request.

  • resourceID string

    Unique ID of the resource where the audit was generated.

  • ruleName string

    Name of the rule that was applied, if blocked.

  • runtime shared.LambdaRuntimeType

    Possible values: [python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7]

    LambdaRuntimeType represents the runtime type of the serverless function The constants used are taken from:

  • severity shared.RuntimeSeverity

    Possible values: [low,medium,high]

    RuntimeSeverity represents the runtime severity

  • time date-time

    Time of the audit event (in UTC time).

  • type shared.RuntimeType

    Possible values: [processes,network,kubernetes,filesystem]

    RuntimeType represents the runtime protection type

  • user string

    Service user.

  • version string

    Defender version.

  • vmID string

    Azure unique VM ID where the audit was generated.

  • wildFireReportURL string

    WildFireReportURL is a URL link of the report generated by wildFire.

  • ]