Skip to main content

Get Runtime Serverless Audit Events for a Timeframe

GET 

/api/v32.06/audits/runtime/serverless/timeslice

x-prisma-cloud-target-env: {"permission":"monitorRuntimeServerless","saas":true,"self-hosted":true}
x-public: true

Retrieves all scan events for any configured serverless functions in Prisma Cloud Compute for a specific time frame.

Note: In Console, you can view the same under Monitor > Events > Container Audits.

Use the following mandatory query parameters to fetch results:

  • from: Specifies the start time in UTC standard of the time period for which the audit events are returned.
  • to: Specifies the end time in UTC standard of the time period for which the audit events are returned.
  • buckets: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Query within the range of 1-100.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/serverless/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5"

cURL Response

{
"start": "2022-10-23T06:35:50.254Z",
"end": "2022-10-24T04:58:47.103Z",
"count": 4
}

Response Parameters:

  • start: Specifies the start time of the bucket in date-time UTC format.
  • end: Specifies the end time of the bucket in date-time UTC format.
  • count: Specifies the number of audit occurrences.

Request

Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Limit is the amount to fix.

    sort string

    Sorts the result using a key.

    reverse boolean

    Sorts the result in reverse order.

    id string[]

    IDs are the audit IDs to filter.

    profileID string[]

    ProfileIDs are the profile IDs to filter.

    from date-time

    From is an optional minimum time constraints for the audit.

    to date-time

    To is an optional maximum time constraints for the audit.

    time date-time

    Time is used to filter by audit time.

    imageName string[]

    ImageNames is the image name filter.

    container string[]

    Containers is the container name filter.

    containerID string[]

    ContainerID is used to filter by container ID.

    ruleName string[]

    RuleNames is used to filter by rule name.

    type string[]

    Types is used to filter by runtime audit type.

    effect string[]

    Effect is used to filter by runtime audit effect (e.g., block/alert).

    user string[]

    Users is used to filter by host users.

    os string[]

    OS is the image OS distro filter.

    namespace string[]

    Namespaces is the namespaces filter.

    fields string[]

    Fields is used to fetch specific runtime audit fields.

    cluster string[]

    Clusters is the cluster filter.

    attackType string[]

    AttackTypes is used to filter by runtime audit attack type.

    hostname string[]

    Hostname is the hostname filter.

    msg string[]

    Message is the audit message text filter.

    interactive string[]

    Interactive is the audit interactive filter.

    function string[]

    Function is used to filter by function name.

    runtime string[]

    Runtime is used to filter by runtime.

    attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

    app string[]

    App is the name constraint of the service that triggered the audit.

    processPath string[]

    ProcessPath is the path constraint of the process that triggered the audit.

    requestID string[]

    RequestID is used to filter by request ID.

    functionID string[]

    FunctionID is used to filter by function ID.

    aggregate boolean

    Aggregate indicates whether the result audits should be aggregated according to the Select field.

    appID string[]

    AppID is used to filter by embedded app or Fargate task that triggered the audit.

    buckets integer

    Buckets is the number of buckets to return.

Responses

Schema
  • Array [
  • count integer

    Count is the number of audit occurrences.

    end date-time

    End is the end time of the bucket.

    start date-time

    Start is the start time of the bucket.

  • ]
Loading...