Get WAAS Agentless Audit Events for a Timeframe
GET/api/v33.01/audits/firewall/app/agentless/timeslice
x-prisma-cloud-target-env: {"permission":"monitorWAAS"}
Retrieves all agentless Web-Application and API Security (WAAS) audit buckets based on a specified query time frame.
Note: These are based on violations of WAAS policies defined under Defend > WAAS > Agentless > Agentless WAAS Policy.
Use the following mandatory query parameters to fetch results:
- from: Specifies the start time in UTC standard of the time period for which the audit events are returned.
- to: Specifies the end time in UTC standard of the time period for which the audit events are returned.
- buckets: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Values in the range 1-100 are accepted.
cURL Request
Refer to the following example cURL command that retrieves all host WAAS audit events:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/app/agentless/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5"
cURL Response
{
"start": "2022-11-22T02:49:23.827Z",
"end": "2022-11-23T01:12:35.884Z",
"count": 69
}
Response Parameters:
- start: Specifies the start time of the bucket in date-time UTC format.
- end: Specifies the end time of the bucket in date-time UTC format.
- count: Specifies the number of audit occurrences.
Request
Query Parameters
Offsets the result to a specific report count. Offset starts from 0.
Limit is the amount to fix.
Sorts the result using a key.
Sorts the result in reverse order.
From is an optional minimum time constraints for the audit.
To is an optional maximum time constraints for the audit.
Images is the image names filter.
Containers is the container names filter.
Hosts is the hostnames filter.
RuleNames is the rule names filter.
Types is the firewall audit type filter.
Effect is used to filter by runtime audit effect.
RuleAppIDs is the rule app IDs filter.
FunctionName is used to filter by function name.
Runtime is used to filter by runtime.
Namespaces is the list of namespaces to use for filtering.
AppIDs is the app embedded appID filter.
Subnets is the source IPs filter.
ConnectingIPs is the connecting IPs filter.
Countries is the source IP country filter.
UserAgents is the user agent header filter.
URLs is the URL filter.
RequestHosts is the request host filter.
Paths is the URL path filter.
Queries is the URL query filter.
Methods is the request method filter.
RequestHeaderNames is the request header names filter.
OS is the OS filter.
Messages is the audit message text filter.
Cluster is the audit cluster filter.
AttackTechniques are the MITRE attack techniques.
Aggregate indicates whether the result audits should be aggregated according to the Select field.
Protections is the firewall audit protection type filter.
EventID is the event IDs filter.
OWASPTop10 is the OWASP top 10 filter.
OWASPAPITop10 is the OWASP API top 10 filter.
AdditionalHash is used to filter by the additional hash value.
ModelPath is used to filter by the API model path.
Buckets is the number of buckets to return.
Responses
- 200
- default
- application/json
- Schema
- Example (from schema)
Schema
- Array [
- ]
Count is the number of audit occurrences.
End is the end time of the bucket.
Start is the start time of the bucket.
[
{
"count": 0,
"end": "2024-07-29T15:51:28.071Z",
"start": "2024-07-29T15:51:28.071Z"
}
]