Get Runtime Serverless Audit Events
GET/api/v33.02/audits/runtime/serverless
x-prisma-cloud-target-env: {"permission":"monitorRuntimeServerless"}
Retrieves all scan events for any configured serverless functions in Prisma Cloud Compute.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/runtime/serverless"
cURL Response
{
"time": "2022-11-22T12:27:19.329Z",
"fqdn": "",
"type": "",
"effect": "",
"ruleName": "",
"msg": "C:\\home\\xmrig launched by C:\\Windows\\system32\\inetsrv\\w3wp.exe and is identified as a crypto miner. Full command: \"C:\\home\\xmrig\" /I windows C:\\Windows\\*",
"count": 1,
"function": "Test44",
"region": "Central US",
"runtime": "dotnet",
"provider": "azure"
}
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
ProfileIDs are the profile ids to filter.
From is an optional minimum time constraints for the audit.
To is an optional maximum time constraints for the audit.
Time is an optional exact time constraint for the audit.
RuleNames is used to filter by rule name.
Types is a filter by runtime audit type.
Effect is used to filter by runtime audit effect (block/alert).
Function is used to filter by function name.
Runtime is used to filter by runtime.
AttackTechniques are the MITRE attack techniques.
RequestID is used to filter by request id.
Message is the audit message text filter.
AttackTypes is used to filter by runtime audit attack type.
Aggregate indicates whether the result audits should be aggregated according to the Select field.
Responses
- 200
- default
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
Internal ID (used for in-place updates).
ID of the cloud account where the audit was generated.
Name of the service which violated the host policy.
Application ID.
Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery
]
MITRE attack techniques.
Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule
]
RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc...)
Cluster name.
Collections to which this audit applies.
ScrubbedCommand is the command executed by the process with scrubbed PII.
Indicates if this is a container audit (true) or host audit (false).
ID of the container that violates the rule.
Container name.
Attack type audits count.
Outbound country for outgoing network audits.
Domain is the requested domain.
Possible values: [block,prevent,alert,disable
]
RuleEffect is the effect that will be used in the runtime rule
Unknown error in the audit process.
Filepath is the path of the modified file.
Current full domain name used in audit alerts.
Name of the serverless function that caused the audit.
ID of the function invoked.
Current hostname.
Container image ID.
Container image name.
Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).
IP is the connection destination IP address.
Container deployment label.
labels object
Custom labels which augment the audit data.
MD5 is the MD5 of the modified file (only for executables.
Blocking message text.
K8s deployment namespace.
Operating system distribution.
ID of the process that caused the audit event.
Port is the connection destination port.
Path of the process that caused the audit event.
Profile ID of the audit.
Possible values: [aws,azure,gcp,alibaba,oci,others
]
CloudProvider specifies the cloud provider name
Unparsed function handler event input.
Region of the resource where the audit was generated.
ID of the lambda function invocation request.
Unique ID of the resource where the audit was generated.
Name of the rule that was applied, if blocked.
Possible values: [python,python3.6,python3.7,python3.8,python3.9,python3.10,python3.11,python3.12,nodejs,nodejs12.x,nodejs14.x,nodejs16.x,nodejs18.x,nodejs20.x,dotnet,dotnetcore2.1,dotnetcore3.1,dotnet6,java,java8,java11,java17,java21,ruby,ruby2.7
]
LambdaRuntimeType represents the runtime type of the serverless function The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime
Possible values: [low,medium,high
]
RuntimeSeverity represents the runtime severity
Time of the audit event (in UTC time).
Possible values: [processes,network,kubernetes,filesystem
]
RuntimeType represents the runtime protection type
Service user.
Defender version.
Azure unique VM ID where the audit was generated.
WildFireReportURL is a URL link of the report generated by wildFire.
[
{
"_id": "string",
"accountID": "string",
"app": "string",
"appID": "string",
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"attackType": [
"",
"cloudMetadataProbing",
"kubeletAPIAccess",
"kubeletReadonlyAccess",
"kubectlSpawned",
"kubectlDownloaded",
"horizontalPortScanning",
"verticalPortScanning",
"explicitlyDeniedIP",
"customFeedIP",
"feedIP",
"unexpectedOutboundPort",
"suspiciousNetworkActivity",
"unexpectedListeningPort",
"explicitlyDeniedListeningPort",
"explicitlyDeniedOutboundPort",
"listeningPortModifiedProcess",
"outboundPortModifiedProcess",
"feedDNS",
"explicitlyDeniedDNS",
"dnsQuery",
"unexpectedProcess",
"portScanProcess",
"malwareProcessCustom",
"malwareProcessFeed",
"explicitlyDeniedProcess",
"modifiedProcess",
"cryptoMinerProcess",
"lateralMovementProcess",
"tmpfsProcess",
"policyHijacked",
"reverseShell",
"suidBinaries",
"unknownOriginBinary",
"webShell",
"administrativeAccount",
"encryptedBinary",
"sshAccess",
"explicitlyDeniedFile",
"malwareFileCustom",
"malwareFileFeed",
"execFileAccess",
"elfFileAccess",
"secretFileAccess",
"regFileAccess",
"wildfireMalware",
"unknownOriginBinary",
"webShell",
"fileIntegrity",
"alteredBinary",
"malwareDownloaded",
"suspiciousELFHeader",
"executionFlowHijackAttempt",
"customRule"
],
"cluster": "string",
"collections": [
"string"
],
"command": "string",
"container": true,
"containerId": "string",
"containerName": "string",
"count": 0,
"country": "string",
"domain": "string",
"effect": [
"block",
"prevent",
"alert",
"disable"
],
"err": "string",
"filepath": "string",
"fqdn": "string",
"function": "string",
"functionID": "string",
"hostname": "string",
"imageId": "string",
"imageName": "string",
"interactive": true,
"ip": "string",
"label": "string",
"labels": {},
"md5": "string",
"msg": "string",
"namespace": "string",
"os": "string",
"pid": 0,
"port": 0,
"processPath": "string",
"profileId": "string",
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"rawEvent": "string",
"region": "string",
"requestID": "string",
"resourceID": "string",
"ruleName": "string",
"runtime": [
"python",
"python3.6",
"python3.7",
"python3.8",
"python3.9",
"python3.10",
"python3.11",
"python3.12",
"nodejs",
"nodejs12.x",
"nodejs14.x",
"nodejs16.x",
"nodejs18.x",
"nodejs20.x",
"dotnet",
"dotnetcore2.1",
"dotnetcore3.1",
"dotnet6",
"java",
"java8",
"java11",
"java17",
"java21",
"ruby",
"ruby2.7"
],
"severity": [
"low",
"medium",
"high"
],
"time": "2024-07-29T15:51:28.071Z",
"type": [
"processes",
"network",
"kubernetes",
"filesystem"
],
"user": "string",
"version": "string",
"vmID": "string",
"wildFireReportURL": "string"
}
]