
Archive an Incident Audit Event

Required permission: monitorRuntimeIncidents (available on SaaS and self-hosted Consoles).

Acknowledges an incident and moves it to an archived state. Requires one path parameter, id, which is the Incident ID.

You can get an incident ID from the list of incidents returned by the endpoint GET /api/v<VERSION>/audits/incidents.

cURL Request

Refer to the following example cURL command. The JSON body is single-quoted so the shell passes it to the Console unchanged; the -k flag disables TLS certificate verification and should be dropped once the Console certificate is trusted.

$ curl -k \
  -u <USER> \
  -H 'Content-Type: application/json' \
  -X PATCH \
  -d '{"acknowledged":true}' \
  "https://<CONSOLE>/api/v<VERSION>/audits/incidents/acknowledge/637627beb2a8e98a1c36a9db"

To undo this action (unarchive an incident), send the same request with the body parameter set to "acknowledged": false.
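The list-then-acknowledge workflow described above, as an added Python example that is not part of the original page: it assumes the caller supplies the Console host, API version and credentials, and that the incident list endpoint returns a JSON array of objects carrying the _id, acknowledged and category fields documented below. The sample incident data is constructed for illustration.

```python
"""Archive Prisma Cloud Compute incidents by category (added example, not from the page).
Assumes the caller supplies Console host, API version and credentials, and that the
incident list endpoint returns a JSON array carrying the `_id`, `acknowledged` and
`category` fields documented on this page."""
import base64
import json
import urllib.request

INCIDENTS_PATH = "/api/v{version}/audits/incidents"
ACK_PATH = "/api/v{version}/audits/incidents/acknowledge/{incident_id}"

# Constructed sample of a GET .../audits/incidents response (most fields omitted).
SAMPLE_INCIDENTS = [
    {"_id": "637627beb2a8e98a1c36a9db", "category": "cryptoMiner", "acknowledged": False},
    {"_id": "constructed-id-0002", "category": "portScanning", "acknowledged": False},
    {"_id": "constructed-id-0003", "category": "cryptoMiner", "acknowledged": True},
]


def build_ack_request(console, version, incident_id, acknowledged=True):
    """Return (method, url, body); the body is the same JSON the cURL example sends."""
    url = "https://" + console + ACK_PATH.format(version=version, incident_id=incident_id)
    body = json.dumps({"acknowledged": acknowledged}, separators=(",", ":"))
    return "PATCH", url, body


def select_incidents(incidents, category=None):
    """IDs of incidents not yet acknowledged, optionally limited to one category."""
    return [i["_id"] for i in incidents
            if not i.get("acknowledged", False)
            and (category is None or i.get("category") == category)]


def archive_by_category(console, version, user, password, category):
    """List incidents, then PATCH each unacknowledged match to acknowledged=true.
    TLS verification stays on (no equivalent of curl -k), so the Console cert must be trusted."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": "Basic " + token, "Content-Type": "application/json"}
    list_url = "https://" + console + INCIDENTS_PATH.format(version=version)
    with urllib.request.urlopen(urllib.request.Request(list_url, headers=headers)) as resp:
        incidents = json.load(resp)
    archived = []
    for incident_id in select_incidents(incidents, category):
        method, url, body = build_ack_request(console, version, incident_id)
        req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
        with urllib.request.urlopen(req) as resp:
            if resp.status == 200:
                archived.append(incident_id)
    return archived
```

Passing acknowledged=False to build_ack_request produces the body for the unarchive (undo) call.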

Path Parameters
  • id string required
Request Body
  • _id string

    Internal ID of the incident.

  • accountID string

    Cloud account ID.

  • acknowledged boolean

    Indicates if the incident has been acknowledged (true) or not (false).

  • app string

    Application that caused the incident.

  • appID string

    Application ID.

  • audits object[]

    All runtime audits of the incident.

  • Array [
  • _id string

    Internal ID (used for in-place updates).

  • accountID string

    ID of the cloud account where the audit was generated.

  • app string

    Name of the service which violated the host policy.

  • appID string

    Application ID.

  • attackTechniques mitre.Technique[]

    Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]

    MITRE attack techniques.

  • attackType shared.RuntimeAttackType

    Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule]

    RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc.).

  • cluster string

    Cluster name.

  • collections string[]

    Collections to which this audit applies.

  • command string

    Command executed by the process, with PII scrubbed.

  • container boolean

    Indicates if this is a container audit (true) or host audit (false).

  • containerId string

    ID of the container that violates the rule.

  • containerName string

    Container name.

  • count integer

    Attack type audits count.

  • country string

    Outbound country for outgoing network audits.

  • domain string

    Domain is the requested domain.

  • effect runtime.RuleEffect

    Possible values: [block,prevent,alert,disable]

    RuleEffect is the effect applied by the runtime rule.

  • err string

    Unknown error in the audit process.

  • filepath string

    Filepath is the path of the modified file.

  • fqdn string

    Current full domain name used in audit alerts.

  • function string

    Name of the serverless function that caused the audit.

  • functionID string

    ID of the function invoked.

  • hostname string

    Current hostname.

  • imageId string

    Container image ID.

  • imageName string

    Container image name.

  • interactive boolean

    Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).

  • ip string

    IP is the connection destination IP address.

  • label string

    Container deployment label.

  • labels object

    Custom labels which augment the audit data.

  • property name* string
  • md5 string

    MD5 hash of the modified file (only for executables).

  • msg string

    Blocking message text.

  • namespace string

    K8s deployment namespace.

  • os string

    Operating system distribution.

  • pid integer

    ID of the process that caused the audit event.

  • port integer

    Port is the connection destination port.

  • processPath string

    Path of the process that caused the audit event.

  • profileId string

    Profile ID of the audit.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name.

  • rawEvent string

    Unparsed function handler event input.

  • region string

    Region of the resource where the audit was generated.

  • requestID string

    ID of the lambda function invocation request.

  • resourceID string

    Unique ID of the resource where the audit was generated.

  • ruleName string

    Name of the rule that was applied, if blocked.

  • runtime shared.LambdaRuntimeType

    Possible values: [python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7]

    LambdaRuntimeType represents the runtime type of the serverless function. The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime

  • severity shared.RuntimeSeverity

    Possible values: [low,medium,high]

    RuntimeSeverity represents the runtime severity.

  • time date-time

    Time of the audit event (in UTC time).

  • type shared.RuntimeType

    Possible values: [processes,network,kubernetes,filesystem]

    RuntimeType represents the runtime protection type.

  • user string

    Service user.

  • version string

    Defender version.

  • vmID string

    Azure unique VM ID where the audit was generated.

  • wildFireReportURL string

    WildFireReportURL is the URL of the report generated by WildFire.

  • ]
  • category shared.IncidentCategory

    Possible values: [portScanning,hijackedProcess,dataExfiltration,kubernetes,backdoorAdministrativeAccount,backdoorSSHAccess,cryptoMiner,lateralMovement,bruteForce,customRule,alteredBinary,suspiciousBinary,executionFlowHijackAttempt,reverseShell,malware,cloudProvider]

    IncidentCategory is the incident category.

  • cluster string

    Cluster on which the incident was found.

  • collections string[]

    Collections to which this incident applies.

  • containerID string

    ID of the container that triggered the incident.

  • containerName string

    Unique container name.

  • customRuleName string

    Name of the custom runtime rule that triggered the incident.

  • fqdn string

    Current hostname's full domain name.

  • function string

    Name of the serverless function.

  • functionID string

    ID of the function that triggered the incident.

  • hostname string

    Current hostname.

  • imageID string

    Container image ID.

  • imageName string

    Container image name.

  • labels object

    Custom labels associated with the container.

  • property name* string
  • namespace string

    K8s deployment namespace.

  • profileID string

    Runtime profile ID.

  • provider common.CloudProvider

    Possible values: [aws,azure,gcp,alibaba,oci,others]

    CloudProvider specifies the cloud provider name.

  • region string

    Region of the resource on which the incident was found.

  • resourceID string

    Unique ID of the resource on which the incident was found.

  • runtime string

    Runtime of the serverless function.

  • serialNum integer

    Serial number of the incident.

  • shouldCollect boolean

    Indicates if this incident should be collected (true) or not (false).

  • time date-time

    Time of the incident (in UTC time).

  • type shared.IncidentType

    Possible values: [host,container,function,appEmbedded,fargate]

    IncidentType is the type of the incident.

  • vmID string

    Azure unique VM ID on which the incident was found.

  • windows boolean

    Indicates if the Defender OS type is Windows (true) or not (false).

Responses

OK
