Skip to main content

Get Runtime Serverless Audit Events

x-prisma-cloud-target-env: {"permission":"monitorRuntimeServerless","saas":true,"self-hosted":true}
x-public: true

Retrieves all scan events for any configured serverless functions in Prisma Cloud Compute.

cURL Request

Refer to the following example cURL command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \

cURL Response

"time": "2022-11-22T12:27:19.329Z",
"fqdn": "",
"type": "",
"effect": "",
"ruleName": "",
"msg": "C:\\home\\xmrig launched by C:\\Windows\\system32\\inetsrv\\w3wp.exe and is identified as a crypto miner. Full command: \"C:\\home\\xmrig\" /I windows C:\\Windows\\*",
"count": 1,
"function": "Test44",
"region": "Central US",
"runtime": "dotnet",
"provider": "azure"

Query Parameters
  • offset integer

    Offsets the result to a specific report count. Offset starts from 0.

  • limit integer

    Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.

  • search string

    Retrieves the result for a search term.

  • sort string

    Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.

  • reverse boolean

    Sorts the result in reverse order.

  • collections string[]

    Filters the result based on collection names that you have defined in Prisma Cloud Compute.

  • provider string[]

    Scopes the query by cloud provider.

  • accountIDs string[]

    Filters the result based on cloud account IDs.

  • resourceIDs string[]

    Scopes the query by resource ID.

  • region string[]

    Scopes the query by cloud region.

  • fields string[]

    Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.

  • profileID string[]

    ProfileIDs are the profile ids to filter.

  • from date-time

    From is an optional minimum time constraints for the audit.

  • to date-time

    To is an optional maximum time constraints for the audit.

  • time date-time

    Time is an optional exact time constraint for the audit.

  • ruleName string[]

    RuleNames is used to filter by rule name.

  • type string[]

    Types is a filter by runtime audit type.

  • effect string[]

    Effect is used to filter by runtime audit effect (block/alert).

  • function string[]

    Function is used to filter by function name.

  • runtime string[]

    Runtime is used to filter by runtime.

  • attackTechniques string[]

    AttackTechniques are the MITRE attack techniques.

  • requestID string[]

    RequestID is used to filter by request id.

  • msg string[]

    Message is the audit message text filter.

  • attackType string[]

    AttackTypes is used to filter by runtime audit attack type.

  • aggregate boolean

    Aggregate indicates whether the result audits should be aggregated according to the Select field.


  • Array [
  • _id string

    Internal ID (used for in-place updates).

  • accountID string

    ID of the cloud account where the audit was generated.

  • app string

    Name of the service which violated the host policy.

  • appID string

    Application ID.

  • attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    MITRE attack techniques.

  • attackType shared.RuntimeAttackType

    Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule]

    RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc...)

  • cluster string

    Cluster name.

  • collections string[]

    Collections to which this audit applies.

  • command string

    ScrubbedCommand is the command executed by the process with scrubbed PII.

  • container boolean

    Indicates if this is a container audit (true) or host audit (false).

  • containerId string

    ID of the container that violates the rule.

  • containerName string

    Container name.

  • count integer

    Attack type audits count.

  • country string

    Outbound country for outgoing network audits.

  • domain string

    Domain is the requested domain.

  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect that will be used in the runtime rule

  • err string

    Unknown error in the audit process.

  • filepath string

    Filepath is the path of the modified file.

  • fqdn string

    Current full domain name used in audit alerts.

  • function string

    Name of the serverless function that caused the audit.

  • functionID string

    ID of the function invoked.

  • hostname string

    Current hostname.

  • imageId string

    Container image ID.

  • imageName string

    Container image name.

  • interactive boolean

    Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).

  • ip string

    IP is the connection destination IP address.

  • label string

    Container deployment label.

  • labels object

    Custom labels which augment the audit data.

  • property name* string
  • md5 string

    MD5 is the MD5 of the modified file (only for executables.

  • msg string

    Blocking message text.

  • namespace string

    K8s deployment namespace.

  • os string

    Operating system distribution.

  • pid integer

    ID of the process that caused the audit event.

  • port integer

    Port is the connection destination port.

  • processPath string

    Path of the process that caused the audit event.

  • profileId string

    Profile ID of the audit.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name

  • rawEvent string

    Unparsed function handler event input.

  • region string

    Region of the resource where the audit was generated.

  • requestID string

    ID of the lambda function invocation request.

  • resourceID string

    Unique ID of the resource where the audit was generated.

  • ruleName string

    Name of the rule that was applied, if blocked.

  • runtime shared.LambdaRuntimeType

    Possible values: [python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7]

    LambdaRuntimeType represents the runtime type of the serverless function The constants used are taken from:

  • severity shared.RuntimeSeverity

    Possible values: [low,medium,high]

    RuntimeSeverity represents the runtime severity

  • time date-time

    Time of the audit event (in UTC time).

  • type shared.RuntimeType

    Possible values: [processes,network,kubernetes,filesystem]

    RuntimeType represents the runtime protection type

  • user string

    Service user.

  • version string

    Defender version.

  • vmID string

    Azure unique VM ID where the audit was generated.

  • wildFireReportURL string

    WildFireReportURL is a URL link of the report generated by wildFire.

  • ]