Get Trust Audit Events
x-prisma-cloud-target-env: {"permission":"monitorImages","saas":true,"self-hosted":true}
Retrieves all the trust audit events.
cURL Request
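Refer to the following example cURL command. The -k option tells cURL to skip TLS certificate verification; omit it when the Console presents a certificate that your client trusts.
$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X GET \
  "https://<CONSOLE>/api/v<VERSION>/audits/trust"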
cURL Response
{
  "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev",
  "time": "2022-11-22T18:15:06.793Z",
  "total": 7,
  "resource": {
    "images": [
      "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9dd1b7719d2a52910d7860f22d038ab57e1d3aa5274a3d0850112394fdf4aec0"
    ],
    "accountIDs": [
      "twistlock-test-247119"
    ],
    "clusters": [
      "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392"
    ]
  },
  "collections": [
    "All"
  ],
  "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392",
  "audits": {
    "untrusted": {
      "count": 7,
      "audits": [
        {
          "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev",
          "time": "2022-11-22T18:15:06.793Z",
          "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c3f8fe342716c0d9ba925a65f6f234e5c4d9670e7ea84bd227cf2af454dd4f0d",
          "imageID": "0fad6b33183ae7dbd050b095bdd1d004911ba8f49d08104d513f4e0e1ee460b1",
          "effect": "alert",
          "ruleName": "TV 1",
          "msg": "Untrusted by rule TV 1",
          "count": 1,
          "accountID": "twistlock-test-247119",
          "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392"
        },
        {
          "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev",
          "time": "2022-11-22T18:15:04.922Z",
          "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9dd1b7719d2a52910d7860f22d038ab57e1d3aa5274a3d0850112394fdf4aec0",
          "imageID": "90e290196294063f8638cbc4e4c8f1db669a0b2ff67ac2c3d6612e6f783ffbd3",
          "effect": "alert",
          "ruleName": "TV 1",
          "msg": "Untrusted by rule TV 1",
          "count": 1,
          "accountID": "twistlock-test-247119",
          "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392"
        },
        {
          "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev",
          "time": "2022-11-22T18:00:02.682Z",
          "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c3f8fe342716c0d9ba925a65f6f234e5c4d9670e7ea84bd227cf2af454dd4f0d",
          "imageID": "0fad6b33183ae7dbd050b095bdd1d004911ba8f49d08104d513f4e0e1ee460b1",
          "effect": "alert",
          "ruleName": "TV 1",
          "msg": "Untrusted by rule TV 1",
          "count": 1,
          "accountID": "twistlock-test-247119",
          "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392"
        },
        {
          "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev",
          "time": "2022-11-22T18:00:00.733Z",
          "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9dd1b7719d2a52910d7860f22d038ab57e1d3aa5274a3d0850112394fdf4aec0",
          "imageID": "90e290196294063f8638cbc4e4c8f1db669a0b2ff67ac2c3d6612e6f783ffbd3",
          "effect": "alert",
          "ruleName": "TV 1",
          "msg": "Untrusted by rule TV 1",
          "count": 1,
          "accountID": "twistlock-test-247119",
          "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392"
        },
        {
          "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev",
          "time": "2022-11-22T17:45:14.196Z",
          "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c3f8fe342716c0d9ba925a65f6f234e5c4d9670e7ea84bd227cf2af454dd4f0d",
          "imageID": "0fad6b33183ae7dbd050b095bdd1d004911ba8f49d08104d513f4e0e1ee460b1",
          "effect": "alert",
          "ruleName": "TV 1",
          "msg": "Untrusted by rule TV 1",
          "count": 1,
          "accountID": "twistlock-test-247119",
          "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392"
        }
      ]
    }
  }
}
Query Parameters
- offset integer
Offsets the result to a specific report count. Offset starts from 0.
- limit integer
Number of reports to retrieve in a page. For PCCE, the maximum limit is 250. For PCEE, the maximum limit is 50. The default value is 50.
- search string
Retrieves the result for a search term.
- sort string
Sorts the result using a key. Refer to the columns in the relevant Prisma Cloud Compute user interface to use them as sort keys.
- reverse boolean
Sorts the result in reverse order.
- collections string[]
Filters the result based on collection names that you have defined in Prisma Cloud Compute.
- provider string[]
Scopes the query by cloud provider.
- accountIDs string[]
Filters the result based on cloud account IDs.
- resourceIDs string[]
Scopes the query by resource ID.
- region string[]
Scopes the query by cloud region.
- fields string[]
Retrieves the fields that you need in a report. Use the list of fields you want to retrieve. By default, the result shows all fields of data.
- from date-time
From is an optional minimum time constraint for the audit.
- to date-time
To is an optional maximum time constraint for the audit.
- ruleName string[]
RuleNames is used to filter by rule name.
- effect string[]
Effect is used to filter by runtime audit effect (block/alert).
- _id string[]
IDs is used to filter by registry/repo.
Responses
- 200
- default
Content type: application/json
Schema
- Array [
- _id string
ProfileID is the runtime profile ID.
audits object
Audits is a map from trust status (audits are only for untrusted type) to the audit events list.
property name* object (shared.TrustRegistryRepoAudits)
TrustRegistryRepoAudits represents the trust registry/repo audits per profile
audits object[]
Audits are the trust audits associated with the registry/repo, limited to the determined capacity.
Array [
_id string
ID is the registry-repo of the created container.
accountID string
AccountID is the cloud account ID where the audit was generated.
cluster string
Cluster is the cluster where the audit was generated.
count integer
Count is the number of times this audit occurred.
effect vuln.Effect
Possible values: [ignore, alert, block]
Effect specifies relevant action for a vulnerability.
imageID string
ImageID is the container image id.
imageName string
ImageName is the container image name.
msg string
Message is the blocking message text.
ruleName string
If blocked, contains the name of the rule that was applied.
time date-time
Time is the UTC time of the audit event.
]
count integer
Count is the total count of the sub-type audits.
- cluster string
Cluster is the cluster from which the audit originated.
- collections string[]
Collections are collections to which this audit applies.
- imageName string
ImageName is the container image name.
- label string
Label represents the container deployment label.
- os string
OS is the operating system distribution.
resource object
RuntimeResource represents on which resource in the system a rule applies (e.g., specific host or image). Empty resource or wildcard (*) represents all resources of a given type.
accountIDs string[]
List of account IDs.
appIDs string[]
List of application IDs.
clusters string[]
List of Kubernetes cluster names.
codeRepos string[]
List of code repositories.
containers string[]
List of containers.
functions string[]
List of functions.
hosts string[]
List of hosts.
images string[]
List of images.
labels string[]
List of labels.
namespaces string[]
List of Kubernetes namespaces.
- time date-time
Time is the UTC time of the last audit event.
- total integer
Total is the total count of audits per runtime profile.
- ]
Example (from schema)
[
  {
    "_id": "string",
    "audits": {},
    "cluster": "string",
    "collections": [
      "string"
    ],
    "imageName": "string",
    "label": "string",
    "os": "string",
    "resource": {
      "accountIDs": [
        "string"
      ],
      "appIDs": [
        "string"
      ],
      "clusters": [
        "string"
      ],
      "codeRepos": [
        "string"
      ],
      "containers": [
        "string"
      ],
      "functions": [
        "string"
      ],
      "hosts": [
        "string"
      ],
      "images": [
        "string"
      ],
      "labels": [
        "string"
      ],
      "namespaces": [
        "string"
      ]
    },
    "time": "2023-06-07T22:06:28.957Z",
    "total": 0
  }
]
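Added example (not part of the Prisma Cloud documentation or product code): one way to consume this endpoint for triage. It pages through results with offset and limit, accepts either the array from the schema or the bare object shown in the sample response, and flags registry/repo entries whose untrusted count is larger than the audits actually listed. The fetch callable, the sample data, and the comparison of the bucket count against the sum of listed audit counts are assumptions.

```python
from collections import Counter

def iter_profiles(fetch, limit=50):
    """Walk offset/limit pages; fetch(offset, limit) returns decoded JSON."""
    offset = 0
    while True:
        body = fetch(offset, limit)
        # Schema says array; the sample response on the page is a bare object.
        page = body if isinstance(body, list) else [body] if body else []
        yield from page
        if len(page) < limit:
            return
        offset += len(page)

def summarize_untrusted(profiles):
    """Return (totals per (imageName, ruleName, effect), truncated profile ids)."""
    totals, truncated = Counter(), []
    for profile in profiles:
        bucket = (profile.get("audits") or {}).get("untrusted") or {}
        listed = 0
        for audit in bucket.get("audits") or []:
            n = audit.get("count", 1)
            listed += n
            key = (audit.get("imageName"), audit.get("ruleName"), audit.get("effect"))
            totals[key] += n
        # Assumption: the audit list is capped, so the bucket count may exceed it.
        if bucket.get("count", 0) > listed:
            truncated.append(profile.get("_id"))
    return totals, truncated

# Constructed sample data (not real audit output).
def _audit(image, effect):
    return {"imageName": image, "ruleName": "TV 1", "effect": effect, "count": 1}

SAMPLE = [
    {"_id": "registry.example/app", "audits": {"untrusted": {"count": 7, "audits": [
        _audit("registry.example/app@sha256:aaaa", "alert"),
        _audit("registry.example/app@sha256:aaaa", "alert"),
        _audit("registry.example/app@sha256:bbbb", "alert")]}}},
    {"_id": "registry.example/db", "audits": {"untrusted": {"count": 1, "audits": [
        _audit("registry.example/db@sha256:cccc", "block")]}}},
    {"_id": "registry.example/idle", "audits": {}},
]

def fake_fetch(offset, limit):  # hypothetical stand-in for the HTTP GET
    return SAMPLE[offset:offset + limit]

if __name__ == "__main__":
    print(summarize_untrusted(iter_profiles(fake_fetch, limit=2)))
```

Entries reported as truncated are candidates for a narrower follow-up query using the from, to, ruleName, or _id parameters.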