Archive an Incident Audit Event
PATCH/api/v31.02/audits/incidents/acknowledge/:id
x-prisma-cloud-target-env: {"permission":"monitorRuntimeIncidents","saas":true,"self-hosted":true}
x-public: true
Acknowledges an incident and moves it to an archived state. Requires a path parameter: id, an Incident ID
You can get an incident ID from the list of incidents using the endpoint GET /api/vVERSION/audits/incidents.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PATCH \
-d {"acknowledged":true} \
"https://<CONSOLE>/api/v<VERSION>/audits/incidents/acknowledge/637627beb2a8e98a1c36a9db"
To undo this action (unarchive an incident), set the body parameter "acknowledged": false
Request
Path Parameters
- application/json
Body
- Array [
- ]
Internal ID of the incident.
Cloud account ID.
Indicates if the incident has been acknowledged (true) or not (false).
Application that caused the incident.
Application ID.
audits object[]
All runtime audits of the incident.
Internal ID (used for in-place updates).
ID of the cloud account where the audit was generated.
Name of the service which violated the host policy.
Application ID.
Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]
MITRE attack techniques.
Possible values: [,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule]
RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc...)
Cluster name.
Collections to which this audit applies.
ScrubbedCommand is the command executed by the process with scrubbed PII.
Indicates if this is a container audit (true) or host audit (false).
ID of the container that violates the rule.
Container name.
Attack type audits count.
Outbound country for outgoing network audits.
Domain is the requested domain.
Possible values: [block,prevent,alert,disable]
RuleEffect is the effect that will be used in the runtime rule
Unknown error in the audit process.
Filepath is the path of the modified file.
Current full domain name used in audit alerts.
Name of the serverless function that caused the audit.
ID of the function invoked.
Current hostname.
Container image ID.
Container image name.
Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).
IP is the connection destination IP address.
Container deployment label.
labels object
Custom labels which augment the audit data.
MD5 is the MD5 of the modified file (only for executables.
Blocking message text.
K8s deployment namespace.
Operating system distribution.
ID of the process that caused the audit event.
Port is the connection destination port.
Path of the process that caused the audit event.
Profile ID of the audit.
Possible values: [aws,azure,gcp,alibaba,oci,others]
CloudProvider specifies the cloud provider name
Unparsed function handler event input.
Region of the resource where the audit was generated.
ID of the lambda function invocation request.
Unique ID of the resource where the audit was generated.
Name of the rule that was applied, if blocked.
Possible values: [python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7]
LambdaRuntimeType represents the runtime type of the serverless function The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime
Possible values: [low,medium,high]
RuntimeSeverity represents the runtime severity
Time of the audit event (in UTC time).
Possible values: [processes,network,kubernetes,filesystem]
RuntimeType represents the runtime protection type
Service user.
Defender version.
Azure unique VM ID where the audit was generated.
WildFireReportURL is a URL link of the report generated by wildFire.
Possible values: [portScanning,hijackedProcess,dataExfiltration,kubernetes,backdoorAdministrativeAccount,backdoorSSHAccess,cryptoMiner,lateralMovement,bruteForce,customRule,alteredBinary,suspiciousBinary,executionFlowHijackAttempt,reverseShell,malware,cloudProvider]
IncidentCategory is the incident category
Cluster on which the incident was found.
Collections to which this incident applies.
ID of the container that triggered the incident.
Unique container name.
Name of the custom runtime rule that triggered the incident.
Current hostname's full domain name.
Name of the serverless function.
ID of the function that triggered the incident.
Current hostname.
Container image ID.
Container image name.
labels object
Custom labels associated with the container.
k8s deployment namespace.
Runtime profile ID.
Possible values: [aws,azure,gcp,alibaba,oci,others]
CloudProvider specifies the cloud provider name
Region of the resource on which the incident was found.
Unique ID of the resource on which the incident was found.
Runtime of the serverless function.
Serial number of the incident.
Indicates if this incident should be collected (true) or not (false).
Time of the incident (in UTC time).
Possible values: [host,container,function,appEmbedded,fargate]
IncidentType is the type of the incident
Azure unique VM ID on which the incident was found.
Windows indicates if defender OS type is Windows.
Responses
- 200
- default
OK