Get WAAS Host Audit Events
GET /api/v33.01/audits/firewall/app/host
Required permission: monitorWAAS (x-prisma-cloud-target-env: {"permission":"monitorWAAS"})
Retrieves all host Web-Application and API Security (WAAS) audit events.
Note: These are based on violations of WAAS policies defined under Defend > WAAS > Host > Host WAAS Policy.
cURL Request
Refer to the following example cURL command that retrieves all host WAAS audit events. The -k flag disables TLS certificate verification; it is acceptable only against a lab Console with a self-signed certificate. Otherwise drop it (or pass --cacert with the Console CA file) so the credentials given with -u are never sent to an unverified endpoint:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>/api/v<VERSION>/audits/firewall/app/host"
cURL Response
{
"_id": "636ab7190487e34d5461a141",
"profileId": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
"time": "2022-11-08T20:07:53Z",
"hostname": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
"fqdn": "",
"effect": "alert",
"ruleName": "rhe7-host_22_11_384_host",
"ruleAppID": "cggseacq",
"msg": "Detected Local File Inclusion attack in request body, match ../, value ../../",
"host": true,
"containerName": "",
"containerId": "",
"imageName": "",
"appID": "",
"type": "lfi",
"count": 1,
"region": "us-central1-a",
"version": "22.11.384",
"accountID": "twistlock-test-247119",
"url": "10.181.239.16:2001/",
"userAgentHeader": "python-requests/2.27.1",
"method": "POST",
"urlPath": "/",
"subnet": "10.180.30.249",
"requestHeaders": "POST / HTTP/1.1\r\nHost: 10.181.239.16:2001\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n",
"requestHost": "10.181.239.16:2001",
"requestHeaderNames": [
"Accept",
"Accept-Encoding",
"Connection",
"Content-Length",
"User-Agent"
],
"responseHeaderNames": [
"Content-Length",
"Content-Type",
"Date",
"Server"
],
"statusCode": 404,
"collections": [
"All",
"rhe7-host_mhm",
"compliance_rhe7_hhk",
"waas_collection_host_rhe7-host_22_11_384_hpx"
],
"resource": {
"hosts": [
"jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal"
],
"accountIDs": [
"twistlock-test-247119"
]
},
"attackTechniques": [
"exploitPublicFacingApplication",
"applicationExploitRCE"
],
"protection": "firewall",
"attackField": {
"value": "../../",
"type": "rawBody"
},
"eventID": "306032c4-2175-6d95-7a2c-c9abacfc9cb6",
"provider": "gcp"
}
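The following Python is an added example (not part of this page or of the Prisma Cloud product code) showing what a consumer does with one of these events: it parses the raw requestHeaders string back into a header map, checks that every name in requestHeaderNames is really present, and assigns a triage priority. The point it makes is that effect "alert" means the request was observed and let through, not stopped; combined with the backend's statusCode that tells you whether the attack reached a live handler. The event dict is a constructed, trimmed copy of the sample response above; the HIGH_IMPACT_TYPES tiering and the BLOCKING_EFFECTS set are this example's own assumptions, not a Prisma Cloud classification.

```python
"""Triage a WAAS host audit event (added example, not Prisma Cloud code)."""
from typing import Dict, List, Tuple

# Constructed sample: a trimmed copy of the response shown on this page.
SAMPLE_EVENT = {
    "_id": "636ab7190487e34d5461a141",
    "time": "2022-11-08T20:07:53Z",
    "hostname": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal",
    "effect": "alert",
    "ruleName": "rhe7-host_22_11_384_host",
    "msg": "Detected Local File Inclusion attack in request body, match ../, value ../../",
    "type": "lfi",
    "count": 1,
    "method": "POST",
    "urlPath": "/",
    "subnet": "10.180.30.249",
    "requestHeaders": "POST / HTTP/1.1\r\nHost: 10.181.239.16:2001\r\nAccept: */*\r\n"
                      "Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n"
                      "Content-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n",
    "requestHeaderNames": ["Accept", "Accept-Encoding", "Connection", "Content-Length", "User-Agent"],
    "statusCode": 404,
    "attackTechniques": ["exploitPublicFacingApplication", "applicationExploitRCE"],
    "attackField": {"value": "../../", "type": "rawBody"},
}

# Assumption of this example (not a Prisma Cloud classification): attack types
# that usually mean active exploitation rather than bot or scanner noise.
HIGH_IMPACT_TYPES = {"lfi", "sqli", "cmdi", "codeInjection", "shellshock", "xss"}
# Effects that actually stop the request; "alert" only records it.
BLOCKING_EFFECTS = {"prevent", "ban"}


def parse_request_headers(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split the raw request head ("<request line>\\r\\n<Name: value>\\r\\n...")
    into the request line and a name -> value dict. Duplicate names are
    joined with ", " as RFC 9110 allows for list-valued fields."""
    lines = [line for line in raw.split("\r\n") if line]
    if not lines:
        return "", {}
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return request_line, headers


def missing_header_names(event: dict) -> List[str]:
    """Names listed in requestHeaderNames but absent from the raw headers.
    The check runs only listed -> raw: in the sample, Host is in the raw
    head but not in the name list, so the reverse direction would be noisy."""
    _, headers = parse_request_headers(event.get("requestHeaders", ""))
    present = {name.lower() for name in headers}
    return [n for n in event.get("requestHeaderNames", []) if n.lower() not in present]


def triage(event: dict) -> dict:
    """Return a verdict for one audit: was it blocked, is the attack type
    high impact, did the backend answer 2xx, and a resulting priority."""
    blocked = event.get("effect") in BLOCKING_EFFECTS
    high_impact = event.get("type") in HIGH_IMPACT_TYPES
    status = int(event.get("statusCode") or 0)
    served_2xx = 200 <= status < 300
    if high_impact and not blocked and served_2xx:
        priority = "escalate"  # detection fired, nothing stopped it, app answered 2xx
    elif high_impact and not blocked:
        priority = "review"    # alert-mode policy: seen, not stopped, app did not serve it
    else:
        priority = "info"
    _, headers = parse_request_headers(event.get("requestHeaders", ""))
    return {
        "id": event.get("_id"),
        "type": event.get("type"),
        "blocked": blocked,
        "high_impact": high_impact,
        "served_2xx": served_2xx,
        "priority": priority,
        "source": event.get("subnet", ""),
        "user_agent": headers.get("User-Agent", ""),
        "payload": event.get("attackField", {}).get("value", ""),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_EVENT))
```

For the sample event the verdict is "review": the LFI probe was only alerted on (the host policy is in alert mode), but the 404 shows the application did not serve anything for it.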
Request
Query Parameters
Offset skips the given number of results before the returned page. Offset starts from 0.
Limit is the maximum number of results to return in one page.
Sorts the result using a key.
Sorts the result in reverse order.
From is an optional minimum time constraint for the audit time.
To is an optional maximum time constraint for the audit time.
Images is the image names filter.
Containers is the container names filter.
Hosts is the hostnames filter.
RuleNames is the rule names filter.
Types is the firewall audit type filter.
Effect is the firewall audit effect filter (see the effect values in the response schema: ban, prevent, alert, allow, disable, reCAPTCHA).
RuleAppIDs is the rule app IDs filter.
FunctionName is used to filter by function name.
Runtime is used to filter by runtime.
Namespaces is the list of namespaces to use for filtering.
AppIDs is the app embedded appID filter.
Subnets is the source IPs filter.
ConnectingIPs is the connecting IPs filter.
Countries is the source IP country filter.
UserAgents is the user agent header filter.
URLs is the URL filter.
RequestHosts is the request host filter.
Paths is the URL path filter.
Queries is the URL query filter.
Methods is the request method filter.
RequestHeaderNames is the request header names filter.
OS is the OS filter.
Messages is the audit message text filter.
Cluster is the audit cluster filter.
AttackTechniques are the MITRE attack techniques.
Aggregate indicates whether the result audits should be aggregated according to the Select field.
Protections is the firewall audit protection type filter.
EventID is the event IDs filter.
OWASPTop10 is the OWASP top 10 filter.
OWASPAPITop10 is the OWASP API top 10 filter.
AdditionalHash is used to filter by the additional hash value.
ModelPath is used to filter by the API model path.
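As an added example (not from this page and not Prisma Cloud client code), the following Python walks this endpoint with offset/limit inside a time window and counts what comes back per type and effect. The query parameter names offset, limit, from, to, hosts, types and effect are assumed from the parameter descriptions above, and multi-valued filters are assumed to be comma-separated; the Console host, API version, user and password are placeholders. The real fetcher uses urllib with certificate verification left on (the opposite of curl -k); the paging logic takes the fetch function as an argument so it can be exercised against an in-memory stand-in, and it stops on a short page or on a page that yields no new _id, so a Console that ignored offset could not loop it forever.

```python
"""Page through /api/v<VERSION>/audits/firewall/app/host (added example)."""
import base64
import json
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Iterator, List

PAGE_SIZE = 50  # assumption: keep pages modest; the Console may cap 'limit'

Fetch = Callable[[Dict[str, str]], List[dict]]  # query params -> one page of audits


def build_params(since: datetime, until: datetime, *, hosts=(), types=(), effect=None) -> Dict[str, str]:
    """Assemble the filter part of the query. Times are sent as RFC 3339 UTC,
    the same shape as the 'time' field in the response. Parameter names and
    the comma-separated list form are assumptions about this API."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    params = {
        "from": since.astimezone(timezone.utc).strftime(fmt),
        "to": until.astimezone(timezone.utc).strftime(fmt),
    }
    if hosts:
        params["hosts"] = ",".join(hosts)
    if types:
        params["types"] = ",".join(types)
    if effect:
        params["effect"] = effect
    return params


def iter_audits(fetch: Fetch, params: Dict[str, str], page_size: int = PAGE_SIZE) -> Iterator[dict]:
    """Walk the result set with offset/limit. Ends on the first short or
    empty page, and also on a page that adds no unseen _id, so a server
    that ignores 'offset' cannot make this loop forever."""
    offset, seen = 0, set()
    while True:
        page = fetch({**params, "offset": str(offset), "limit": str(page_size)})
        fresh = [a for a in page if a.get("_id") not in seen]
        if not fresh:
            return
        for audit in fresh:
            seen.add(audit.get("_id"))
            yield audit
        if len(page) < page_size:
            return
        offset += len(page)


def make_http_fetch(console: str, version: str, user: str, password: str) -> Fetch:
    """Real fetcher: HTTP basic auth over TLS with certificate verification ON.
    For a lab Console with a private CA, pass cafile= to create_default_context
    instead of disabling verification (which is what curl -k does)."""
    ctx = ssl.create_default_context()  # e.g. ssl.create_default_context(cafile="console-ca.pem")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    url = f"https://{console}/api/v{version}/audits/firewall/app/host"

    def fetch(params: Dict[str, str]) -> List[dict]:
        req = urllib.request.Request(
            url + "?" + urllib.parse.urlencode(params),
            headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            body = json.load(resp)
        return body or []  # assumption: an empty result may come back as null
    return fetch


def make_fake_fetch(audits: List[dict]) -> Fetch:
    """In-memory stand-in for the Console, for dry runs and tests."""
    def fetch(params: Dict[str, str]) -> List[dict]:
        off, lim = int(params["offset"]), int(params["limit"])
        return audits[off:off + lim]
    return fetch


def summarize(audits) -> Dict[str, int]:
    """Total audits per 'type/effect'; 'count' carries server-side repeats."""
    totals: Dict[str, int] = {}
    for a in audits:
        key = f"{a.get('type')}/{a.get('effect')}"
        totals[key] = totals.get(key, 0) + int(a.get("count") or 1)
    return totals


# Constructed sample data and a fixed window so the module runs offline.
SAMPLE_AUDITS = [{"_id": f"id{i}", "type": "lfi" if i % 2 else "sqli", "effect": "alert", "count": 1}
                 for i in range(7)]
DEMO_SINCE = datetime(2022, 11, 8, tzinfo=timezone.utc)
DEMO_PARAMS = build_params(DEMO_SINCE, DEMO_SINCE + timedelta(days=1),
                           hosts=["host-a.internal"], types=["lfi", "sqli"], effect="alert")

if __name__ == "__main__":
    # Swap make_fake_fetch for make_http_fetch("<CONSOLE>", "<VERSION>", "<USER>", "<PASSWORD>")
    print(summarize(iter_audits(make_fake_fetch(SAMPLE_AUDITS), DEMO_PARAMS, page_size=3)))
```

Filtering server-side with from/to and types keeps the result set small; the client-side summarize step is what you would feed into a ticketing or SIEM integration, and feeding it only "alert" effects for high-impact types surfaces exactly the host policies that are still in alert rather than prevent mode.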
Responses
- 200 (default): application/json
Schema: array of audit objects with the fields below; an example generated from the schema follows the field descriptions.
ID is internal id representation.
AccountID is the cloud account ID where the audit was generated.
AdditionalHash for internal use only. This parameter is used to add an additional level of uniqueness to the audit.
AppID is the application ID.
attackField object
HTTPField is used to perform checks on flags and fields
Key is the key of the field, if exists (e.g. header and cookie).
HTTPFieldType indicates the type of HTTP field. Possible values: [method,xmlBody,jsonBody,formBody,multipartBody,rawBody,rawBodyResponse,protobufBody,query,queryParamName,cookie,header,url]
Value is the value of the field, if exists.
AttackTechniques are the MITRE attack techniques. Possible values: [exploitationForPrivilegeEscalation,exploitPublicFacingApplication,applicationExploitRCE,networkServiceScanning,endpointDenialOfService,exfiltrationGeneral,systemNetworkConfigurationDiscovery,unsecuredCredentials,credentialDumping,systemInformationDiscovery,systemNetworkConnectionDiscovery,systemUserDiscovery,accountDiscovery,cloudInstanceMetadataAPI,accessKubeletMainAPI,queryKubeletReadonlyAPI,accessKubernetesAPIServer,softwareDeploymentTools,ingressToolTransfer,lateralToolTransfer,commandAndControlGeneral,resourceHijacking,manInTheMiddle,nativeBinaryExecution,foreignBinaryExecution,createAccount,accountManipulation,abuseElevationControlMechanisms,supplyChainCompromise,obfuscatedFiles,hijackExecutionFlow,impairDefences,scheduledTaskJob,exploitationOfRemoteServices,eventTriggeredExecution,accountAccessRemoval,privilegedContainer,writableVolumes,execIntoContainer,softwareDiscovery,createContainer,kubernetesSecrets,fileAndDirectoryDiscovery,masquerading,webShell,compileAfterDelivery]
ServiceProvider represents the service provider ID, or "other" when the resource is not in a cloud. Possible values: [aws,azure,gcp,alibaba_cloud,oci,other]
Cluster is the cluster on which the audit was originated.
Collections are collections to which this audit applies.
ConnectingIPs are the requests connecting IPs such as proxy and load-balancer.
ContainerID is the firewall container ID.
ContainerName is the firewall container name.
Count is the number of audit occurrences.
Country is the source IP country.
Effect is the effect that will be used in the rule. Possible values: [ban,prevent,alert,allow,disable,reCAPTCHA]
EventID is the event identifier of the audit relevant request.
FirewallType represents the firewall type. Possible values: [host-proxy,host-out-of-band,container-proxy,container-out-of-band,app-embedded,agentless,REST]
FQDN is the current hostname's FQDN.
Function is the name of the serverless function that caused the audit.
FunctionID is the id of the function called.
Host indicates this audit is either for host firewall or out of band firewall or agentless firewall.
Hostname is the current hostname.
ImageID is the firewall image ID.
ImageName is the firewall image name.
labels object
Labels are the custom labels associated with the container.
HTTPMethod is the request HTTP method.
ModelPath for internal use only. This parameter is a correlated path for the mapped API Model.
Message is the blocking message text.
Namespaces are the k8s namespaces.
OS is the operating system distribution.
OWASPAPITop10 represents OWASP API top 10 attacks. Possible values: [excessiveDataExposure,lackOfResources&RateLimiting,brokenFunctionLevelAuthorization,securityMisconfiguration,injection]
OWASPTop10 represents OWASP top 10 attacks. Possible values: [brokenAccessControl,cryptographicFailures,injection,insecureDesign]
PrismaAccountID is the Prisma format account ID.
CloudType is the Prisma Cloud type of the resource, used for policy verdict creation. Possible values: [1,2,3,4,5,6]. Cloud type values are documented here - https://docs.google.com/spreadsheets/d/1ZRlPl2IdEX22-7pSnqxeJGwwS0jyUbJJ16IkuPoiHMU
PrismaRegion is the Prisma format cloud region.
ProfileID is the profile of the audit.
Protection is the type of protection. Possible values: [firewall,dos,bot,custom,accessControl]
CloudProvider specifies the cloud provider name. Possible values: [aws,azure,gcp,alibaba,oci,others]
RawEvent contains unparsed function handler event input.
Region is the name of the region in which the serverless function is located.
RequestHeaderNames are the request header names.
RequestHeaders represent the request headers.
RequestHost is the request host.
RequestID is lambda function invocation request id.
resource object
RuntimeResource represents the resource in the system to which a rule applies (e.g., a specific host or image). An empty resource or the wildcard (*) represents all resources of a given type.
List of account IDs.
List of application IDs.
List of Kubernetes cluster names.
List of containers.
List of functions.
List of hosts.
List of images.
List of labels.
List of Kubernetes namespaces.
ResponseHeaderNames are the response header names.
RuleAppID is the ID of the rule's app that was applied.
RuleName is the name of the rule that was applied.
LambdaRuntimeType represents the runtime type of the serverless function. Possible values: [python,python3.6,python3.7,python3.8,python3.9,python3.10,python3.11,python3.12,nodejs,nodejs12.x,nodejs14.x,nodejs16.x,nodejs18.x,nodejs20.x,dotnet,dotnetcore2.1,dotnetcore3.1,dotnet6,java,java8,java11,java17,java21,ruby,ruby2.7]. The constants used are taken from: https://docs.aws.amazon.com/lambda/latest/dg/API_CreateFunction.html#SSS-CreateFunction-request-Runtime
StatusCode is the response status code.
Subnet is the source IP subnet.
Time is the UTC time of the audit event.
AttackType is the type of the attack. Possible values: [xss,sqli,cmdi,lfi,codeInjection,deniedIP,deniedCountry,header,violationsExceeded,attackTools,shellshock,disallowedFile,malformedRequest,inspectionLimitExceeded,informationLeak,unexpectedAPI,dos,searchEngineCrawler,businessAnalyticsBot,educationalBot,newsBot,financialBot,contentFeedClient,archivingBot,careerSearchBot,mediaSearchBot,genericBot,webAutomationTool,webScraper,apiLibrary,httpLibrary,sessionValidation,javascriptTimeout,missingCookie,browserImpersonation,botImpersonation,requestAnomalies,userDefinedBot,recaptchaRequired,recaptchaVerificationFailed,customRule,publicSensitiveDataWithoutAuthentication,publicSensitiveDataWithoutEncryption]
URL is the request's full URL (partial on the server side: path and query only).
URLPath is the request's URL path.
URLQuery is the request's URL query.
UserAgentHeader is the request's User-Agent header.
Version is the defender version.
AssetType is the integral value passed to PC in the UAI and Unified Alerts integrations to identify the asset type. Possible values: [15,16,18,5109,39,45,65,5051,5070,7075,7077,10523,10524,10562,15000,20019,20028,20042,20051,20125,20126,20127,20155,25001,30012,30013,30014,30015,30016,30018,30020]. Mappings of the asset types agreed upon with PC can be found here - https://docs.google.com/spreadsheets/d/1M0Aj5U4vpFGEnpd0v_xK-CsxSH4lovE7p93hkzE4DTY. Additional asset types can be found here - https://redlock.atlassian.net/browse/RLP-57240. This value is identical to the resource API ID in the case of Unified Alerts.
WorkloadExternalResourceID is the workload external resource ID (Asset External ID).
[
{
"_id": "string",
"accountID": "string",
"additionalHash": "string",
"appID": "string",
"attackField": {
"key": "string",
"type": [
"method",
"xmlBody",
"jsonBody",
"formBody",
"multipartBody",
"rawBody",
"rawBodyResponse",
"protobufBody",
"query",
"queryParamName",
"cookie",
"header",
"url"
],
"value": "string"
},
"attackTechniques": [
[
"exploitationForPrivilegeEscalation",
"exploitPublicFacingApplication",
"applicationExploitRCE",
"networkServiceScanning",
"endpointDenialOfService",
"exfiltrationGeneral",
"systemNetworkConfigurationDiscovery",
"unsecuredCredentials",
"credentialDumping",
"systemInformationDiscovery",
"systemNetworkConnectionDiscovery",
"systemUserDiscovery",
"accountDiscovery",
"cloudInstanceMetadataAPI",
"accessKubeletMainAPI",
"queryKubeletReadonlyAPI",
"accessKubernetesAPIServer",
"softwareDeploymentTools",
"ingressToolTransfer",
"lateralToolTransfer",
"commandAndControlGeneral",
"resourceHijacking",
"manInTheMiddle",
"nativeBinaryExecution",
"foreignBinaryExecution",
"createAccount",
"accountManipulation",
"abuseElevationControlMechanisms",
"supplyChainCompromise",
"obfuscatedFiles",
"hijackExecutionFlow",
"impairDefences",
"scheduledTaskJob",
"exploitationOfRemoteServices",
"eventTriggeredExecution",
"accountAccessRemoval",
"privilegedContainer",
"writableVolumes",
"execIntoContainer",
"softwareDiscovery",
"createContainer",
"kubernetesSecrets",
"fileAndDirectoryDiscovery",
"masquerading",
"webShell",
"compileAfterDelivery"
]
],
"cloudProviderName": [
"aws",
"azure",
"gcp",
"alibaba_cloud",
"oci",
"other"
],
"cluster": "string",
"collections": [
"string"
],
"connectingIPs": [
"string"
],
"containerId": "string",
"containerName": "string",
"count": 0,
"country": "string",
"effect": [
"ban",
"prevent",
"alert",
"allow",
"disable",
"reCAPTCHA"
],
"eventID": "string",
"firewallType": [
"host-proxy",
"host-out-of-band",
"container-proxy",
"container-out-of-band",
"app-embedded",
"agentless",
"REST"
],
"fqdn": "string",
"function": "string",
"functionID": "string",
"host": true,
"hostname": "string",
"imageID": "string",
"imageName": "string",
"labels": {},
"method": "string",
"modelPath": "string",
"msg": "string",
"ns": [
"string"
],
"os": "string",
"owaspAPITop10": [
"excessiveDataExposure",
"lackOfResources&RateLimiting",
"brokenFunctionLevelAuthorization",
"securityMisconfiguration",
"injection"
],
"owaspTop10": [
"brokenAccessControl",
"cryptographicFailures",
"injection",
"insecureDesign"
],
"prismaAccountID": "string",
"prismaCloudProvider": [
"1",
"2",
"3",
"4",
"5",
"6"
],
"prismaRegion": "string",
"profileId": "string",
"protection": [
"firewall",
"dos",
"bot",
"custom",
"accessControl"
],
"provider": [
"aws",
"azure",
"gcp",
"alibaba",
"oci",
"others"
],
"rawEvent": "string",
"region": "string",
"requestHeaderNames": [
"string"
],
"requestHeaders": "string",
"requestHost": "string",
"requestID": "string",
"resource": {
"accountIDs": [
"string"
],
"appIDs": [
"string"
],
"clusters": [
"string"
],
"containers": [
"string"
],
"functions": [
"string"
],
"hosts": [
"string"
],
"images": [
"string"
],
"labels": [
"string"
],
"namespaces": [
"string"
]
},
"responseHeaderNames": [
"string"
],
"ruleAppID": "string",
"ruleName": "string",
"runtime": [
"python",
"python3.6",
"python3.7",
"python3.8",
"python3.9",
"python3.10",
"python3.11",
"python3.12",
"nodejs",
"nodejs12.x",
"nodejs14.x",
"nodejs16.x",
"nodejs18.x",
"nodejs20.x",
"dotnet",
"dotnetcore2.1",
"dotnetcore3.1",
"dotnet6",
"java",
"java8",
"java11",
"java17",
"java21",
"ruby",
"ruby2.7"
],
"statusCode": 0,
"subnet": "string",
"time": "2024-07-29T15:51:28.071Z",
"type": [
"xss",
"sqli",
"cmdi",
"lfi",
"codeInjection",
"deniedIP",
"deniedCountry",
"header",
"violationsExceeded",
"attackTools",
"shellshock",
"disallowedFile",
"malformedRequest",
"inspectionLimitExceeded",
"informationLeak",
"unexpectedAPI",
"dos",
"searchEngineCrawler",
"businessAnalyticsBot",
"educationalBot",
"newsBot",
"financialBot",
"contentFeedClient",
"archivingBot",
"careerSearchBot",
"mediaSearchBot",
"genericBot",
"webAutomationTool",
"webScraper",
"apiLibrary",
"httpLibrary",
"sessionValidation",
"javascriptTimeout",
"missingCookie",
"browserImpersonation",
"botImpersonation",
"requestAnomalies",
"userDefinedBot",
"recaptchaRequired",
"recaptchaVerificationFailed",
"customRule",
"publicSensitiveDataWithoutAuthentication",
"publicSensitiveDataWithoutEncryption"
],
"url": "string",
"urlPath": "string",
"urlQuery": "string",
"userAgentHeader": "string",
"version": "string",
"workloadAssetType": [
"15",
"16",
"18",
"5109",
"39",
"45",
"65",
"5051",
"5070",
"7075",
"7077",
"10523",
"10524",
"10562",
"15000",
"20019",
"20028",
"20042",
"20051",
"20125",
"20126",
"20127",
"20155",
"25001",
"30012",
"30013",
"30014",
"30015",
"30016",
"30018",
"30020"
],
"workloadExternalResourceID": "string"
}
]