Skip to main content

Get Runtime Serverless Audit Events



x-prisma-cloud-target-env: {"permission":"monitorRuntimeServerless","saas":true,"self-hosted":true}
x-public: true

Retrieves all scan events for any configured serverless functions in Prisma Cloud Compute.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \

cURL Response

"time": "2022-11-22T12:27:19.329Z",
"fqdn": "",
"type": "",
"effect": "",
"ruleName": "",
"msg": "C:\\home\\xmrig launched by C:\\Windows\\system32\\inetsrv\\w3wp.exe and is identified as a crypto miner. Full command: \"C:\\home\\xmrig\" /I windows C:\\Windows\\*",
"count": 1,
"function": "Test44",
"region": "Central US",
"runtime": "dotnet",
"provider": "azure"


Query Parameters

    offset integer

    Offsets the result to a specific report count. Offset starts from 0.

    limit integer

    Limit is the amount to fix.

    sort string

    Sorts the result using a key.

    reverse boolean

    Sorts the result in reverse order.

    profileID string[]

    ProfileIDs are the profile ids to filter.

    from date-time

    From is an optional minimum time constraints for the audit.

    to date-time

    To is an optional maximum time constraints for the audit.

    time date-time

    Time is an optional exact time constraint for the audit.

    ruleName string[]

    RuleNames is used to filter by rule name.

    type string[]

    Types is a filter by runtime audit type.

    effect string[]

    Effect is used to filter by runtime audit effect (block/alert).

    function string[]

    Function is used to filter by function name.

    runtime string[]

    Runtime is used to filter by runtime.

    attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

    requestID string[]

    RequestID is used to filter by request id.

    msg string[]

    Message is the audit message text filter.

    attackType string[]

    AttackTypes is used to filter by runtime audit attack type.

    aggregate boolean

    Aggregate indicates whether the result audits should be aggregated according to the Select field.


  • Array [
  • _id string

    Internal ID (used for in-place updates).

    accountID string

    ID of the cloud account where the audit was generated.

    app string

    Name of the service which violated the host policy.

    appID string

    Application ID.

    attackTechniques mitre.Technique (string)[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    MITRE attack techniques.

    attackType shared.RuntimeAttackType (string)

    Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule]

    RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc...)

    cluster string

    Cluster name.

    collections string (string)[]

    Collections to which this audit applies.

    command string

    ScrubbedCommand is the command executed by the process with scrubbed PII.

    container boolean

    Indicates if this is a container audit (true) or host audit (false).

    containerId string

    ID of the container that violates the rule.

    containerName string

    Container name.

    count integer

    Attack type audits count.

    country string

    Outbound country for outgoing network audits.

    domain string

    Domain is the requested domain.

    effect runtime.RuleEffect (string)

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

    err string

    Unknown error in the audit process.

    filepath string

    Filepath is the path of the modified file.

    fqdn string

    Current full domain name used in audit alerts.

    function string

    Name of the serverless function that caused the audit.

    functionID string

    ID of the function invoked.

    hostname string

    Current hostname.

    imageId string

    Container image ID.

    imageName string

    Container image name.

    interactive boolean

    Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).

    ip string

    IP is the connection destination IP address.

    label string

    Container deployment label.

    labels object

    Custom labels which augment the audit data.

    property name* string (string)
    md5 string

    MD5 is the MD5 of the modified file (only for executables.

    msg string

    Blocking message text.

    namespace string

    K8s deployment namespace.

    os string

    Operating system distribution.

    pid integer

    ID of the process that caused the audit event.

    port integer

    Port is the connection destination port.

    processPath string

    Path of the process that caused the audit event.

    profileId string

    Profile ID of the audit.

    provider common.CloudProvider (string)

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

    rawEvent string

    Unparsed function handler event input.

    region string

    Region of the resource where the audit was generated.

    requestID string

    ID of the lambda function invocation request.

    resourceID string

    Unique ID of the resource where the audit was generated.

    ruleName string

    Name of the rule that was applied, if blocked.

    runtime shared.LambdaRuntimeType (string)

    Possible values: [python,python3.6,python3.7,python3.8,python3.9,python3.10,python3.11,python3.12,nodejs,nodejs12.x,nodejs14.x,nodejs16.x,nodejs18.x,nodejs20.x,dotnet,dotnetcore2.1,dotnetcore3.1,dotnet6,java,java8,java11,java17,java21,ruby,ruby2.7]

    LambdaRuntimeType represents the runtime type of the serverless function The constants used are taken from:

    severity shared.RuntimeSeverity (string)

    Possible values: [low,medium,high]

    RuntimeSeverity represents the runtime severity

    time date-time

    Time of the audit event (in UTC time).

    type shared.RuntimeType (string)

    Possible values: [processes,network,kubernetes,filesystem]

    RuntimeType represents the runtime protection type

    user string

    Service user.

    version string

    Defender version.

    vmID string

    Azure unique VM ID where the audit was generated.

    wildFireReportURL string

    WildFireReportURL is a URL link of the report generated by wildFire.

  • ]