Archive an Incident Audit Event
x-prisma-cloud-target-env: {"permission":"monitorRuntimeIncidents","saas":true,"self-hosted":true}
x-public: true
Acknowledges an incident and moves it to an archived state. Requires a path parameter: id, an Incident ID.
You can get an incident ID from the list of incidents using the endpoint GET /api/vVERSION/audits/incidents.
cURL Request
Refer to the following example cURL command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PATCH \
-d '{"acknowledged":true}' \
"https://<CONSOLE>/api/v<VERSION>/audits/incidents/acknowledge/637627beb2a8e98a1c36a9db"
To undo this action (unarchive an incident), set the body parameter "acknowledged": false.
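An added example, not part of the Prisma Cloud documentation: it picks unacknowledged incidents of a chosen category from an incident list and builds the PATCH request shown above for each one, without sending it. The function names, the sample incidents, the host `console.example.com`, the credentials and the 24-hex-character ID check are assumptions made for illustration.

```python
import base64
import json
import re
import urllib.request

# Assumption: incident IDs are 24 hex characters, like the ID in the cURL example.
INCIDENT_ID = re.compile(r"[0-9a-f]{24}")

# Constructed sample of what GET /api/vVERSION/audits/incidents might return,
# reduced to fields documented in the request body schema on this page.
SAMPLE_INCIDENTS = [
    {"_id": "637627beb2a8e98a1c36a9db", "category": "portScanning",
     "acknowledged": False, "hostname": "node-1"},
    {"_id": "637627beb2a8e98a1c36a9dc", "category": "reverseShell",
     "acknowledged": False, "hostname": "node-2"},
    {"_id": "637627beb2a8e98a1c36a9dd", "category": "portScanning",
     "acknowledged": True, "hostname": "node-3"},
]


def select_unarchived(incidents, categories):
    """IDs of incidents in `categories` that are not yet acknowledged."""
    return [i["_id"] for i in incidents
            if i.get("category") in categories and not i.get("acknowledged")]


def build_ack_request(console, version, user, password, incident_id,
                      acknowledged=True):
    """Build, without sending, the PATCH that archives (or unarchives) an incident."""
    # Reject anything that is not a plain ID so it cannot alter the URL path.
    if not INCIDENT_ID.fullmatch(incident_id):
        raise ValueError(f"unexpected incident ID: {incident_id!r}")
    url = (f"https://{console}/api/v{version}"
           f"/audits/incidents/acknowledge/{incident_id}")
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        url,
        data=json.dumps({"acknowledged": acknowledged}).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {creds}"},
        method="PATCH",
    )


if __name__ == "__main__":
    for iid in select_unarchived(SAMPLE_INCIDENTS, {"portScanning"}):
        req = build_ack_request("console.example.com", "VERSION",
                                "analyst", "placeholder", iid)
        print(req.get_method(), req.full_url, req.data.decode())
```

Sending a request built this way with `urllib.request.urlopen(req)` validates the Console's TLS certificate by default, whereas the `-k` flag in the cURL example turns that check off.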
Path Parameters
- id string required
- application/json
Request Body
- _id string
Internal ID of the incident.
- accountID string
Cloud account ID.
- acknowledged boolean
Indicates if the incident has been acknowledged (true) or not (false).
- app string
Application that caused the incident.
- appID string
Application ID.
- audits object[]
All runtime audits of the incident.
Array [
  - _id string
    Internal ID (used for in-place updates).
  - accountID string
    ID of the cloud account where the audit was generated.
  - app string
    Name of the service which violated the host policy.
  - appID string
    Application ID.
  - attackTechniques mitre.Technique[]
    Possible values: [
exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery
    ]
    MITRE attack techniques.
  - attackType shared.RuntimeAttackType
    Possible values: [
,cloudMetadataProbing,kubeletAPIAccess,kubeletReadonlyAccess,kubectlSpawned,kubectlDownloaded,horizontalPortScanning,verticalPortScanning,explicitlyDeniedIP,customFeedIP,feedIP,unexpectedOutboundPort,suspiciousNetworkActivity,unexpectedListeningPort,explicitlyDeniedListeningPort,explicitlyDeniedOutboundPort,listeningPortModifiedProcess,outboundPortModifiedProcess,feedDNS,explicitlyDeniedDNS,dnsQuery,unexpectedProcess,portScanProcess,malwareProcessCustom,malwareProcessFeed,explicitlyDeniedProcess,modifiedProcess,cryptoMinerProcess,lateralMovementProcess,tmpfsProcess,policyHijacked,reverseShell,suidBinaries,unknownOriginBinary,webShell,administrativeAccount,encryptedBinary,sshAccess,explicitlyDeniedFile,malwareFileCustom,malwareFileFeed,execFileAccess,elfFileAccess,secretFileAccess,regFileAccess,wildfireMalware,unknownOriginBinary,webShell,fileIntegrity,alteredBinary,malwareDownloaded,suspiciousELFHeader,executionFlowHijackAttempt,customRule
    ]
    RuntimeAttackType is the sub-category of the attack (e.g., malware process, process not in model, etc.).
  - cluster string
    Cluster name.
  - collections string[]
    Collections to which this audit applies.
  - command string
    ScrubbedCommand is the command executed by the process with scrubbed PII.
  - container boolean
    Indicates if this is a container audit (true) or host audit (false).
  - containerId string
    ID of the container that violates the rule.
  - containerName string
    Container name.
  - count integer
    Attack type audits count.
  - country string
    Outbound country for outgoing network audits.
  - domain string
    Domain is the requested domain.
  - effect runtime.RuleEffect
    Possible values: [
block,prevent,alert,disable
    ]
    RuleEffect is the effect that will be used in the runtime rule.
  - err string
    Unknown error in the audit process.
  - filepath string
    Filepath is the path of the modified file.
  - fqdn string
    Current full domain name used in audit alerts.
  - function string
    Name of the serverless function that caused the audit.
  - functionID string
    ID of the function invoked.
  - hostname string
    Current hostname.
  - imageId string
    Container image ID.
  - imageName string
    Container image name.
  - interactive boolean
    Indicates if the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...) (true) or not (false).
  - ip string
    IP is the connection destination IP address.
  - label string
    Container deployment label.
  - labels object
    Custom labels which augment the audit data.
    property name* string
  - md5 string
    MD5 is the MD5 of the modified file (only for executables).
  - msg string
    Blocking message text.
  - namespace string
    K8s deployment namespace.
  - os string
    Operating system distribution.
  - pid integer
    ID of the process that caused the audit event.
  - port integer
    Port is the connection destination port.
  - processPath string
    Path of the process that caused the audit event.
  - profileId string
    Profile ID of the audit.
  - provider common.CloudProvider
    Possible values: [
aws,azure,gcp,alibaba,oci,others
    ]
    CloudProvider specifies the cloud provider name.
  - rawEvent string
    Unparsed function handler event input.
  - region string
    Region of the resource where the audit was generated.
  - requestID string
    ID of the lambda function invocation request.
  - resourceID string
    Unique ID of the resource where the audit was generated.
  - ruleName string
    Name of the rule that was applied, if blocked.
  - runtime shared.LambdaRuntimeType
    Possible values: [
python,python3.6,python3.7,python3.8,python3.9,nodejs12.x,nodejs14.x,dotnetcore2.1,dotnetcore3.1,dotnet6,java8,java11,ruby2.7
    ]
    LambdaRuntimeType represents the runtime type of the serverless function. The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime
  - severity shared.RuntimeSeverity
    Possible values: [
low,medium,high
    ]
    RuntimeSeverity represents the runtime severity.
  - time date-time
    Time of the audit event (in UTC time).
  - type shared.RuntimeType
    Possible values: [
processes,network,kubernetes,filesystem
    ]
    RuntimeType represents the runtime protection type.
  - user string
    Service user.
  - version string
    Defender version.
  - vmID string
    Azure unique VM ID where the audit was generated.
  - wildFireReportURL string
    WildFireReportURL is a URL link of the report generated by wildFire.
]
- category shared.IncidentCategory
Possible values: [
portScanning,hijackedProcess,dataExfiltration,kubernetes,backdoorAdministrativeAccount,backdoorSSHAccess,cryptoMiner,lateralMovement,bruteForce,customRule,alteredBinary,suspiciousBinary,executionFlowHijackAttempt,reverseShell,malware,cloudProvider
]
IncidentCategory is the incident category.
- cluster string
Cluster on which the incident was found.
- collections string[]
Collections to which this incident applies.
- containerID string
ID of the container that triggered the incident.
- containerName string
Unique container name.
- customRuleName string
Name of the custom runtime rule that triggered the incident.
- fqdn string
Current hostname's full domain name.
- function string
Name of the serverless function.
- functionID string
ID of the function that triggered the incident.
- hostname string
Current hostname.
- imageID string
Container image ID.
- imageName string
Container image name.
- labels object
Custom labels associated with the container.
property name* string
- namespace string
K8s deployment namespace.
- profileID string
Runtime profile ID.
- provider common.CloudProvider
Possible values: [
aws,azure,gcp,alibaba,oci,others
]
CloudProvider specifies the cloud provider name.
- region string
Region of the resource on which the incident was found.
- resourceID string
Unique ID of the resource on which the incident was found.
- runtime string
Runtime of the serverless function.
- serialNum integer
Serial number of the incident.
- shouldCollect boolean
Indicates if this incident should be collected (true) or not (false).
- time date-time
Time of the incident (in UTC time).
- type shared.IncidentType
Possible values: [
host,container,function,appEmbedded,fargate
]
IncidentType is the type of the incident.
- vmID string
Azure unique VM ID on which the incident was found.
- windows boolean
Windows indicates if defender OS type is Windows.
- 200
- default
OK