# Prisma Cloud > This endpoint will return any SCAP datastreams uploaded to the console. This endpoint will return a 404 error if you have not configured your console to consume SCAP datastreams. --- This endpoint will return any SCAP datastreams uploaded to the console. This endpoint will return a 404 error if you have not configured your console to consume SCAP datastreams. The following is an example curl command that uses basic auth to retrieve any uploaded datastreams configured for SCAP scanning: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/scap ``` --- This endpoint will delete any SCAP datastreams uploaded to the console. You can find `xml_name` from the `GET /api/v1/scap` endpoint. The following is an example curl command that uses basic auth to delete an uploaded datastreams configured for SCAP scanning: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/scap/{xml_name} ``` --- This endpoint will allow you to add a SCAP datastream to the console. The following is an example curl command that uses basic auth to add an uploaded datastreams configured for SCAP scanning: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"XMLName":{"Space":"","Local":""}}' \ https://:8083/api/v1/scap ``` --- Import custom security checklists and evaluate them against your container images. Custom checklists complement the predefined compliance checks provided in the default Prisma Cloud Compute installation. --- Checks if the Console is alive, responsive, and reachable from your network host. --- Checks if Console is reachable from your network host. ### cURL Request Refer to the following cURL example command that pings Console and prints the HTTP response code: ```bash $ curl -k \ -s \ -o /dev/null \ -w "%{http_code}\n" \ -X GET \ https:///api/v/_ping ``` --- The agentless security scan monitors hosts and containers for vulnerabilities and compliance risks by scanning the root volumes of snapshots without the need to install an agent. Supported cloud service provider platforms for agentless scanning: * Hosts - Amazon AWS, Google Cloud Platform, Microsoft Azure, and Oracle Cloud Infrastructure. * Containers- AWS, Azure, and GCP When you add a cloud account in the Prisma Cloud Compute (Manage > Cloud accounts), enable the agentless scan option and configure the scan scope. ### Authentication #### Basic Auth ##### Headers - Authorization: required (string): Authenticates with the Base64-encoded "username:password" credentials. #### JWT Access Token Use POST, /api/vVERSION/authenticate for authorization ##### Headers - Authorization: required (string): Authenticates with the Bearer authentication scheme to transmit the access token. Example: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJk………… --- Shows the progress of an ongoing scan on hosts or containers for vulnerabilities and compliance. ### cURL Request Refer to the following example cURL command: ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ “https:///api/v/agentless/progress” ``` ### cURL Response Refer to the following example cURL response: ``` { "hostname": "", "id": "", "scanTime": "2022-11-09T11:10:51.649Z", "type": "agentlessHost", "discovery": true, "total": 5, "scanned": 2, "title": "Agentless discovering" } ] ``` --- Scans the hosts or containers for vulnerabilities and compliance. **Before you begin** Make sure that you download (use the agentless/templates API) and apply the permission templates in the supported cloud accounts: AWS, Azure, GCP, and OCI. ### cURL Request Refer to the following example cURL command: ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ “https:///api/v/agentless/scan” ``` --- Stops an ongoing scan on hosts or containers for vulnerabilities and compliance. ### cURL Request Refer to the following example cURL command: ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ “https:///api/v/agentless/stop” ``` --- Downloads a tarball file that contains the agentless resource permission templates for the cloud accounts. Apply these permission templates to complete the onboarding process for agentless scanning. * AWS: The tarball contains templates in JSON format ending with the following names: * _aws_hub_target_user_permissions.json * _aws_hub_user_permissions.json * _aws_target_user_permissions.json For more information on how to apply the permission templates, refer to the "Configure agentless scanning" section in the Prisma Cloud Compute administration guide. * Azure: Use the following script, that comes bundled in the tarball file, to apply permission template to an Azure cloud account: * apply_azure_permissions.sh: Run the script with a location (that specifies location of the resource) parameter. For more information on location parameters, see [resource location in ARM template](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/resource-location?tabs=azure-cli). * OCI: Use the following script, that comes bundled in the tarball file, to apply permission template to an OCI cloud account: * pcc-apply-permissions.sh: Run the script with a compartment name parameter. * GCP: The tarball contains Jinja templates in YAML format ending with the following names: * _hub_target_access_permissions.yaml.jinja * _hub_target_user_permissions.yaml.jinja * _hub_user_permissions.yaml.jinja * _target_user_permissions.yaml.jinja For more information on how to apply the permission templates, refer to the "Configure agentless scanning" section in the Prisma Cloud Compute administration guide. **Note**: The body parameter `credentialID` is required to download templates in tar.gz format. ### Before you begin Add the supported cloud accounts (AWS, Azure, GCP, and OCI) in Prisma Cloud Compute. ### cURL Request Refer to the following example cURL command: ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -O \ -d {"credentialID":"aws_docs"} \ “https:///api/v/agentless/templates” ``` --- Manage alert profiles, which let you surface critical policy breaches by sending alerts to channels, such as email, Slack, and JIRA. Alert profiles define which events should be sent to which channel. Each profile declares: * One or more recipients. * One or more triggers, that raise alerts by sending messages on the configured channel. --- Retrieve a list of all alert profiles created in the system. The following example curl command uses basic auth to retrieve all alert profiles: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/alert-profiles ``` --- Deletes an alert profile entry by name. In the request payload, specify the alert profile name. This method has no response data. The following example curl command deletes an existing alert profile named `PROFILE-NAME`. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/alert-profiles/ ``` --- Retrieve a list of only the names of all alert profiles created in the system. The following example curl command uses basic auth to retrieve all alert profiles' names: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/alert-profiles/names ``` Example Response: ``` [ "jira", "aqsa vulns" ] ``` --- Update an existing alert profile created in the system. The following example curl command uses basic auth to add a Jira Alert profile: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/alert-profiles \ -d ' { "name": "jira", "_id": "jira", "jira": { "enabled": true, "projectKey": "TWIS", "issueType": "Task", "priority": "High", "labels": [], "assignee": "" } "policy": { "cve": { "enabled": true, "allRules": true, "rules": [], "clients": [ "jira" ] } } ' ``` --- Sends a test alert to verify successful configuration of the alert profile settings. The following example curl command uses basic auth to send test alert for an email alert profile: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d https://:8083/api/v1/alert-profiles/test ``` In this case, the `REQUEST-PAYLOAD` would be the full JSON formatted alert profile from the base `GET` command --- Paginated API requests are capped to a max of 50 returned objects because very large responses could DoS Console. If the response contains more than 50 objects, cycle through the collection with the `offset` query parameter to retrieve more objects. For example: ``` https:///api/v1/images?limit=50&offset=X ``` --- Deletes **all** access audits. This deletion cannot be undone. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://console:8083/api/v1/audits/access ``` --- Returns the docker access audit events data in CSV format that are logged and aggregated for any container resource protected by a Defender in Prisma Cloud Compute. **Note**: You can download the access events from Console under **Monitor > Events > Docker audits > Download CSV**. ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -O \ "https:///api/v/audits/access/download?type=docker" ``` --- Retrieves all access audits by specific host filters. There are three types of host filters based on host history, sudo events on host and SSHD events on hosts. The following example uses basic auth to list history of commands that are run on hosts protected by Prisma Cloud Compute. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://console:8083/api/v1/history/host ``` The following command gives list of sudo events on hosts. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://console:8083/api/v1/audits/access/filters?type=sudo ``` The following command gives list of SSHD events on hosts. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://console:8083/api/v1/audits/access/filters?type=sshd ``` --- Retrieves all docker access audit events that are logged and aggregated for any container resource protected by a Defender in Prisma Cloud Compute. You can configure Prisma Cloud Compute to log and aggregate events such as sudo and SSH access on hosts protected by Defender. These events create an audit trail that tracks system components accessed by individual users. **Note**: Access events can also be viewed in Console under **Monitor > Events > Docker audits**. ### cURL Request Refer to the following example cURL command that gives a list of all access audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/access" ``` ### cURL response ``` [ { "containerName": "/compliance_block_container_photon_fua", "imageName": "alpine:latest", "user": "", "time": "2022-11-08T18:24:09.249Z", "hostname": "jen-photon-v3-0811t165215-cont-def-pre-lngcon230", "fqdn": "", "sourceIP": "", "allow": false, "ruleName": "compliance_block_container_rule_svn", "api": "create", "msg": "[Twistlock] Container operation blocked by policy: compliance_block_container_rule_svn, has 1 compliance issues ", "collections": [ "All", "compliance_block_container_yue" ], "accountID": "twistlock-test-123456", "cluster": "", "namespace": "" } ... ] ``` --- Returns the access admission events data in CSV format that were alerted or blocked by Defender functioning as Open Policy Agent admission controller. ### cURL Request Refer to the following example cURL command that downloads the admission audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/admission/download" ``` --- Returns all activities that were alerted or blocked by Defender functioning as Open Policy Agent admission controller. ### cURL Request Refer to the following example cURL command that gives a list of all admission audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/admission" ``` ### cURL response ``` { "time": "2022-11-24T13:46:37.057Z", "ruleName": "Twistlock Labs - CIS - Pod created in host process ID namespace", "message": "Pod created in host process ID namespace", "operation": "CREATE", "kind": "Pod", "resource": "pods", "username": "kubernetes-admin", "userUid": "aws-iam-authenticator:496947949261:AIDAXHNDH53GRQMZMIOQT", "userGroups": "system:masters, system:authenticated", "namespace": "default", "effect": "alert", "rawRequest": "{\"uid\":\"78d11e35-14ab-4b19-b3d3-a97b4252b56f\",\"kind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"resource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"requestKind\":{\"group\":\"\",\"version\":\"v1\",\"kind\":\"Pod\"},\"requestResource\":{\"group\":\"\",\"version\":\"v1\",\"resource\":\"pods\"},\"name\":\"nginx2\",\"namespace\":\"default\",\"operation\":\"CREATE\",\"userInfo\":{\"username\":\"kubernetes-admin\",\"uid\":... ... ... ... }”, "accountID": "496947949261", "collections": [ "All" ], "cluster": "johndoe-eks-123", "attackTechniques": [ "privilegedContainer" ] } ``` --- Retrieve audits from the Prisma Cloud Compute database. Prisma Cloud Compute creates and stores audit events for the components that are associated with a policy (rule) and shows deviation from that policy. Endpoints support a wide range of filtering options. ### Authentication #### Basic Auth ##### Headers - Authorization: required (string): Authenticates with the Base64-encoded "username:password" credentials. #### JWT Access Token Use POST, /api/vVERSION/authenticate for authorization ##### Headers - Authorization: required (string): Authenticates with the Bearer authentication scheme to transmit the access token. Example: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJk………… --- Returns the Cloud Native Network Segmentation (CNNS) container audit events data in CSV format. For more information, see the [Cloud Native Network Segmentation (CNNS)](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/firewalls/cnns_saas) For containers, rules are defined between: * Image to image. * Image to Image to an external network not protected by Prisma Cloud. * Image to DNS domain. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/firewall/network/container/download" ``` --- Retrieves all Cloud Native Network Segmentation (CNNS) container audit events. For more information, see the [Cloud Native Network Segmentation (CNNS)](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/firewalls/cnns_saas) For containers, rules are defined between: * Image to image. * Image to an external network not protected by Prisma Cloud. * Image to DNS domain. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/network/container" ``` ### cURL Response ``` { "_id": "localhost", "time": "2022-11-14T11:02:43.151Z", "total": 1, "resource": { "images": [ "" ] }, "collections": [ "All", "user123" ], "audits": { "unexpectedConnection": { "count": 1, "audits": [ { "ruleID": 4, "time": "2022-11-14T11:02:43.151Z", "type": "unexpectedConnection", "srcProfileID": "sha256:8d5df41c547bd107c14368ad302efc46760940ae188df451cabc23e10f7f161b_user_tkgi-users", "dstProfileID": "20", "srcProfileHash": 228, "srcContainerName": "users-ubuntu", "dstContainerName": "", "dstSubnet": "localhost", "srcImageName": "docker.io/library/ubuntu:18.04", "dstImageName": "", "dstPort": 8000, "block": false, "count": 1, "msg": "Unexpected connection to ip 127.0.0.1" } ] } } } ``` --- Returns the Cloud Native Network Segmentation (CNNS) host audit events data in CSV format. For hosts, rules are defined between: * Host to host. * Host to an external network not protected by Prisma Cloud. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/firewall/network/host/download" ``` --- Retrieves all Cloud Native Network Segmentation (CNNS) host audits. For hosts, rules are defined between: * Host to host. * Host to an external network not protected by Prisma Cloud ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/network/host" ``` ### cURL Response ``` { "_id": "john-photon-v3-0811t165011-host-def-pre-lngcon230", "time": "2022-11-08T20:22:52.207Z", "total": 4, "resource": { "hosts": [ "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal", "john-photon-v3-0811t165011-host-def-pre-lngcon230" ], "accountIDs": [ "twistlock-test-247119" ] }, "collections": [ "All", "registry_scan_container_cen8-container_22_11_384_piu", "photon-v3-host_crn", "compliance_photon_etz", "cnnf_cen8_client_itu", "cnnf_photon_server_fsr" ], "audits": { "unexpectedConnection": { "count": 4, "audits": [ { "ruleID": 15, "time": "2022-11-08T20:22:52.207Z", "type": "unexpectedConnection", "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal", "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230", "dstPort": 80, "block": false, "count": 1, "accountID": "twistlock-test-247119" }, { "ruleID": 15, "time": "2022-11-08T20:22:48.175Z", "type": "unexpectedConnection", "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal", "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230", "dstPort": 80, "block": false, "count": 1, "accountID": "twistlock-test-247119" }, { "ruleID": 15, "time": "2022-11-08T20:22:46.127Z", "type": "unexpectedConnection", "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal", "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230", "dstPort": 80, "block": false, "count": 1, "accountID": "twistlock-test-247119" }, { "ruleID": 15, "time": "2022-11-08T20:22:45.122Z", "type": "unexpectedConnection", "srcHostname": "john-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal", "dstHostname": "john-photon-v3-0811t165011-host-def-pre-lngcon230", "dstPort": 80, "block": false, "count": 1, "accountID": "twistlock-test-247119" } ] } } } ``` --- Acknowledges an incident and moves it to an archived state. Requires a path parameter: id, an Incident ID You can get an incident ID from the list of incidents using the endpoint GET /api/vVERSION/audits/incidents. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PATCH \ -d {"acknowledged":true} \ "https:///api/v/audits/incidents/acknowledge/637627beb2a8e98a1c36a9db" ``` To undo this action (unarchive an incident), set the body parameter "acknowledged": false --- Downloads a list of incidents which are not acknowledged (i.e., not in archived state) in CSV format. Prisma Cloud Compute analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This endpoint maps to the **CSV** hyperlink in **Monitor > Runtime > Incident explorer** in the Console UI. ### cURL Request The following cURL command downloads all incidents and saves the result in a CSV file called `incidents.csv`: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o incidents.csv \ https:///api/v/audits/incidents/download ``` A successful response displays the status of the download. --- This endpoint lists the incident categories found in your environment. The following example lists incident filters. ```bash $ curl -k \ -u \ https://console:8083/api/v1/audits/incidents/filters ``` Response: ``` {"hostname":["aqsa-lab.internal"],"category":["hijackedProcess","dataExfiltration"]} ``` --- Retrieves a list of incidents that are not acknowledged (i.e., not in archived state). Prisma Cloud Compute analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This endpoint maps to the table in **Monitor > Runtime > Incident explorer** in the Console UI. ### cURL Request Refer to the following example cURL command that retrieves a list of unacknowledged incidents (not in the archived state): ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/incidents?acknowledged=false" ``` A successful response returns the incidents. --- Returns the audit events data that occur in an integrated Kubernetes cluster that you configured for Prisma Cloud Compute under **Defend > Access > Kubernetes** in CSV format. **Note:** This endpoint relates to the **Monitor > Events > Kubernetes** audits in Prisma Cloud Compute. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/kubernetes/download" ``` --- Retrieves events that occur in an integrated Kubernetes cluster that you configured for Prisma Cloud Compute under **Defend > Access > Kubernetes**. **Note:** This endpoint relates to the **Monitor > Events > Kubernetes** audits in Prisma Cloud Compute. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/kubernetes" ``` ### cURL Response ``` { "time": "2022-11-23T16:20:20.383Z", "verb": "io.k8s.core.v1.pods.exec.create", "user": { "username": "johndoe@paloaltonetworks.com" }, "authorizationInfo": { "authorization.k8s.io/decision": "allow", "authorization.k8s.io/reason": "access granted by IAM permissions.", "failed-open.validating.webhook.admission.k8s.io/round_0_index_0": "validating-webhook.twistlock.com" }, "message": "Exec or attach to a pod detected on GKE", "sourceIPs": [ "private" ], "resources": "core/v1/namespaces/default/pods/test-pd/exec", ... ... ..., "attackTechniques": [ "execIntoContainer" ], "cluster": "johndoe-gke-9916911d51921853", "accountID": "twistlock-test-247119", "provider": "gcp", "collections": [ "All", "user1", "tv test", "tv test2" ] } ``` --- Returns the management audit events data in CSV format. Management audits are: * Changes to any settings (including previous and new values) * Changes to any rules (create, modify, or delete) * Logon activities (success and failure) ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/mgmt/download" ``` --- Retrieves a list of management audit types from your environment. Use these filters to query management audit events. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/mgmt/filters" ``` ### cURL Response ``` { "type": [ "group", "login", "role", "rule", "settings", "user" ], "username": [ "admin2", "ReadOnly", "admin", "ci", "development-user" ] } ``` --- Retrieves a list of all management audit events. Management audit events are: * Changes to any settings (including previous and new values) * Changes to any rules (create, modify, or delete) * Logon activities (success and failure) ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/mgmt" ``` ### cURL Response ``` { "username": "user", "sourceIP": "10.47.99.218", "time": "2022-11-22T03:11:15.39Z", "type": "login", "diff": "", "status": "successful login attempt", "failure": false, "api": "/api/v1/authenticate" } ``` --- Returns the app-embedded runtime audit events data in CSV format. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/runtime/app-embedded/download" ``` --- Retrieves all app-embedded runtime audit events. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/runtime/app-embedded" ``` ### cURL Response ``` { "_id": "636be11d2408ed63b48ebd44", "time": "2022-11-09T17:19:25.12Z", "hostname": "automation_azure_presetup-prevent-tvzwx:aa9f944f-0456-004d-7c69-fd444591fefd", "fqdn": "", "user": "root", "type": "network", "imageName": "automation_azure_presetup-prevent-tvzwx", "imageId": "b446aac9-6ee0-f254-ff75-cb21755cebdb", "effect": "prevent", "ruleName": "automation_azure_presetup-prevent-tvzwx_wul", "msg": "DNS resolution of domain name SandboxHost-638036111205626034 triggered by /usr/local/bin/python3.9 explicitly denied by a runtime rule", "profileId": "automation_azure_presetup-prevent-tvzwx:aa9f944f-0456-004d-7c69-fd444591fefd_", "pid": 28, "processPath": "/usr/local/bin/python3.9", "collections": [ "All", "automation_azure_presetup-prevent-tvzwx_dde" ], "attackType": "explicitlyDeniedDNS", "count": 1, "severity": "high", "appID": "automation_azure_presetup-prevent-tvzwx:aa9f944f-0456-004d-7c69-fd444591fefd", "version": "22.11.384", "accountID": "Non-onboarded cloud accounts" } ... ... ... ``` --- Deletes all container runtime audits. The following example curl command uses basic auth to delete all the audits: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/audits/runtime/container ``` --- Returns the container audit events data in CSV format when a runtime sensor such as process, network, file system, or system call detects an activity that deviates from the predictive model. **Note**: In Console, you can view the same under **Monitor > Events > Container Audits**. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -X GET \ -o \ "https:///api/v/audits/runtime/container/download" ``` --- Retrieves all container audit events when a runtime sensor such as process, network, file system, or system call detects an activity that deviates from the predictive model. **Note**: In Console, you can view the same under **Monitor > Events > Container Audits**. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/runtime/container" ``` ### cURL Response ``` { "os": "Ubuntu 20.04.4 LTS", "_id": "636a952a5a293a6ea06cbb87", "time": "2022-11-08T17:43:06.68Z", "hostname": "jen-sle15-dock-0811t165158-cont-def-pre-lngcon230.c.twistlock-test-247119.internal", "fqdn": "", "user": "root", "type": "processes", "containerId": "6d5b5401b0e406ad064e7020b663236d0df177fa7f4a060c2f21262c27a4a6b2", "containerName": "/runtime-wf-base-alert", "imageName": "usertwistlock/ubuntu:wf-base", "imageId": "sha256:76913b92c0cbacbec7440a62d751c0a38aba1dde6aefe9e832d2a3aa0a3c3f9f", "effect": "alert", "ruleName": "sle15-container_alert_usertwistlock/ubuntu:wf-base_mqu", "msg": "/usr/bin/dash launched but is not found in the runtime model. Full command: /bin/sh -c sleep 3; curl http://169.254.169.254:80", "profileId": "sha256:76913b92c0cbacbec7440a62d751c0a38aba1dde6aefe9e832d2a3aa0a3c3f9f__", "interactive": true, "pid": 1955, "processPath": "/usr/bin/dash", "collections": [ "All", "Prisma Cloud resources", "registry_scan_container_sle15-container_22_11_384_ghf", "sle15-container_alert_cnd" ], "attackType": "unexpectedProcess", "count": 1, "container": true, "severity": "high", "region": "us-central1-a", "accountID": "twistlock-test-247119", "attackTechniques": [ "nativeBinaryExecution" ], "command": "/bin/sh -c sleep 3; curl http://169.254.169.253:80", "provider": "gcp" } ... ... ... ``` --- Retrieves the container audit events when a runtime sensor such as process, network, file system, or system call detects an activity that deviates from the predictive model for a specific time frame. **Note**: In Console, you can view the same under **Monitor > Events > Container Audits**. Use the following mandatory query parameters to fetch results: * **from**: Specifies the start time in UTC standard of the time period for which the audit events are returned. * **to**: Specifies the end time in UTC standard of the time period for which the audit events are returned. * **buckets**: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Query within the range of 1-100. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/runtime/container/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5" ``` ### cURL Response ``` { "start": "2022-11-16T10:35:57Z", "end": "2022-11-16T15:23:57Z", "count": 87 } ``` **Response Parameters**: * **start**: Specifies the start time of the bucket in date-time UTC format. * **end**: Specifies the end time of the bucket in date-time UTC format. * **count**: Specifies the number of audit occurrences. --- Returns the audit events data in CSV format for file-integrity checks that are configured under host runtime rules. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o \ "https:///api/v/audits/runtime/file-integrity/download" ``` --- Retrieves all audit events for file-integrity checks that are configured under host runtime rules. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/runtime/file-integrity" ``` ### cURL Response ``` { "_id": "63762bc3b2a8e98a1c36a9e6", "eventType": "read", "path": "/etc/user/user", "fileType": 2, "processName": "cat", "user": "ubuntu", "time": "2022-11-17T12:40:35.046Z", "description": "Process cat read from path (user: ubuntu)", "hostname": "ip-172-31-9-109.ec2.internal", "fqdn": "", "ruleName": "user-host-arm", "accountID": "496947949261", "collections": [ "All", "waas_oob_collection", "user123" ], "cluster": "" } ... ... ... ``` --- Deletes all host audits from the database. The following example curl command uses basic auth to delete all host audits: ```bash $ curl -k \ -u \ -X DELETE \ https://:8083/api/v1/audits/runtime/host ``` --- Returns the runtime host audit events data in CSV format. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/runtime/host/download" ``` --- Retrieves the runtime host audit events. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/runtime/host" ``` ### cURL Response ``` { "_id": "637628beb2a8e98a1c36a9e1", "time": "2022-11-17T12:27:42.003Z", "hostname": "ip-172-31-9-109.ec2.internal", "fqdn": "", "type": "network", "effect": "alert", "ruleName": "user-host-arm", "msg": "DNS resolution of name www.yahoo.com, type AAAA explicitly denied by a runtime rule", "profileId": "ip-172-31-9-109.ec2.internal", "collections": [ "All", "waas_oob_collection", "user123" ], "attackType": "explicitlyDeniedDNS", "count": 1, "severity": "high", "region": "us-east-1", "accountID": "496947949261", "domain": "www.yahoo.com", "provider": "aws", "resourceID": "i-0bc31d26963bd2933" } ... ... ... ``` --- Retrieves the runtime host audit events for a specific time frame. **Note**: In Console, you can view the same under **Monitor > Events > Container Audits**. Use the following mandatory query parameters to fetch results: * **from**: Specifies the start time in UTC standard of the time period for which the audit events are returned. * **to**: Specifies the end time in UTC standard of the time period for which the audit events are returned. * **buckets**: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Query within the range of 1-100. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/runtime/host/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5" ``` ### cURL Response ``` { "start": "2022-11-12T15:23:57Z", "end": "2022-11-13T15:23:57Z", "count": 2 }, { "start": "2022-11-13T15:23:57Z", "end": "2022-11-14T15:23:57Z", "count": 1 } ``` **Response Parameters**: * **start**: Specifies the start time of the bucket in date-time UTC format. * **end**: Specifies the end time of the bucket in date-time UTC format. * **count**: Specifies the number of audit occurrences. --- Returns the audit events data in CSV format for log inspection checks that are configured under host runtime rules. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/incidents/runtime/log-inspection/download" ``` --- Retrieves all audit events for log inspection checks that are configured under host runtime rules. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/runtime/log-inspection" ``` ### cURL Response ``` { "_id": "637639e2b962a7ae744851bf", "logfile": "/var/lib/twistlock/log/console.log", "line": "DEBU 2022-11-17T13:40:50.066 route_handler_middleware.go:507 GET /api/v1/audits/runtime/log-inspection?limit=20&offset=0&project=Central+Console&reverse=false&search=panic ssugandh admin 0.10s", "time": "2022-11-17T13:40:50.067Z", "hostname": "jen-cen8-cons-dock-0811t160649-cons-ssugandh-lngcon230.c.twistlock-test-247119.internal", "ruleName": "panic_error_log", "accountID": "twistlock-test-247119", "collections": [ "All", "registry_scan_container_cen8-container_22_11_384_piu", "cnnf_cen8_client_itu" ], "cluster": "" } ``` --- Deletes all RASP Defender runtime audits. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/audits/runtime/rasp ``` --- Returns CSV data describing all RASP Defender runtime events. ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o rasp-audits.csv https://:8083/api/v1/audits/runtime/rasp/download ``` --- Returns JSON data describing all RASP Defender runtime events. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/audits/runtime/rasp/download ``` --- This endpoint will delete all serverless runtime audits. The following example curl command uses basic auth to delete the current audits: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/audits/runtime/serverless ``` --- Returns the scan audit events data in CSV format for any configured serverless functions in Prisma Cloud Compute. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/runtime/serverless/download" ``` --- Returns all serverless filters in JSON format. These filters can be used in the base `GET` request as query parameters. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless/filters ``` --- Retrieves all scan events for any configured serverless functions in Prisma Cloud Compute. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/runtime/serverless" ``` ### cURL Response ``` { "time": "2022-11-22T12:27:19.329Z", "fqdn": "", "type": "", "effect": "", "ruleName": "", "msg": "C:\\home\\xmrig launched by C:\\Windows\\system32\\inetsrv\\w3wp.exe and is identified as a crypto miner. Full command: \"C:\\home\\xmrig\" /I windows C:\\Windows\\*", "count": 1, "function": "Test44", "region": "Central US", "runtime": "dotnet", "provider": "azure" } ``` --- Retrieves all scan events for any configured serverless functions in Prisma Cloud Compute for a specific time frame. **Note**: In Console, you can view the same under **Monitor > Events > Container Audits**. Use the following mandatory query parameters to fetch results: * **from**: Specifies the start time in UTC standard of the time period for which the audit events are returned. * **to**: Specifies the end time in UTC standard of the time period for which the audit events are returned. * **buckets**: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Query within the range of 1-100. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/runtime/serverless/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5" ``` ### cURL Response ``` { "start": "2022-10-23T06:35:50.254Z", "end": "2022-10-24T04:58:47.103Z", "count": 4 } ``` **Response Parameters**: * **start**: Specifies the start time of the bucket in date-time UTC format. * **end**: Specifies the end time of the bucket in date-time UTC format. * **count**: Specifies the number of audit occurrences. --- Deletes all the trust audits from the events page in Console. ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/audits/trust ``` --- Returns the trust audit events data in CSV format. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/trust/download" ``` --- Retrieves all the trust audit events. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/trust" ``` ### cURL Response ``` { "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev", "time": "2022-11-22T18:15:06.793Z", "total": 7, "resource": { "images": [ "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9dd1b7719d2a52910d7860f22d038ab57e1d3aa5274a3d0850112394fdf4aec0" ], "accountIDs": [ "twistlock-test-247119" ], "clusters": [ "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392" ] }, "collections": [ "All" ], "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392", "audits": { "untrusted": { "count": 7, "audits": [ { "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev", "time": "2022-11-22T18:15:06.793Z", "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c3f8fe342716c0d9ba925a65f6f234e5c4d9670e7ea84bd227cf2af454dd4f0d", "imageID": "0fad6b33183ae7dbd050b095bdd1d004911ba8f49d08104d513f4e0e1ee460b1", "effect": "alert", "ruleName": "TV 1", "msg": "Untrusted by rule TV 1", "count": 1, "accountID": "twistlock-test-247119", "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392" }, { "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev", "time": "2022-11-22T18:15:04.922Z", "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9dd1b7719d2a52910d7860f22d038ab57e1d3aa5274a3d0850112394fdf4aec0", "imageID": "90e290196294063f8638cbc4e4c8f1db669a0b2ff67ac2c3d6612e6f783ffbd3", "effect": "alert", "ruleName": "TV 1", "msg": "Untrusted by rule TV 1", "count": 1, "accountID": "twistlock-test-247119", "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392" }, { "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev", "time": "2022-11-22T18:00:02.682Z", "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c3f8fe342716c0d9ba925a65f6f234e5c4d9670e7ea84bd227cf2af454dd4f0d", "imageID": "0fad6b33183ae7dbd050b095bdd1d004911ba8f49d08104d513f4e0e1ee460b1", "effect": "alert", "ruleName": "TV 1", "msg": "Untrusted by rule TV 1", "count": 1, "accountID": "twistlock-test-247119", "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392" }, { "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev", "time": "2022-11-22T18:00:00.733Z", "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:9dd1b7719d2a52910d7860f22d038ab57e1d3aa5274a3d0850112394fdf4aec0", "imageID": "90e290196294063f8638cbc4e4c8f1db669a0b2ff67ac2c3d6612e6f783ffbd3", "effect": "alert", "ruleName": "TV 1", "msg": "Untrusted by rule TV 1", "count": 1, "accountID": "twistlock-test-247119", "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392" }, { "_id": "quay.io/openshift-release-dev/ocp-v4.0-art-dev", "time": "2022-11-22T17:45:14.196Z", "imageName": "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:c3f8fe342716c0d9ba925a65f6f234e5c4d9670e7ea84bd227cf2af454dd4f0d", "imageID": "0fad6b33183ae7dbd050b095bdd1d004911ba8f49d08104d513f4e0e1ee460b1", "effect": "alert", "ruleName": "TV 1", "msg": "Untrusted by rule TV 1", "count": 1, "accountID": "twistlock-test-247119", "cluster": "openshift-v1-22-89e95cb9-cri-o-1-22-5-14-rhaos4-9-git80a8e67-el8-u-openshift-370392" } ] } } } ``` --- Returns the agentless Web-Application and API Security (WAAS) audit events data in CSV format. **Note:** These are based on violations of WAAS policies defined under **Defend > WAAS > Agentless > Agentless WAAS Policy**. ### cURL Request Refer to the following example cURL command that retrieves all agentless WAAS audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/firewall/app/agentless/download" ``` --- Retrieves all agentless Web-Application and API Security (WAAS) audit events. **Note:** These are based on violations of WAAS policies defined under **Defend > WAAS > Agentless > Agentless WAAS Policy**. ### cURL Request Refer to the following example cURL command that retrieves all agentless WAAS audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/agentless" ``` ### cURL Response ``` { "_id": "", "time": "0001-01-01T00:00:00Z", "hostname": "", "fqdn": "", "effect": "", "ruleName": "", "ruleAppID": "", "msg": "", "host": false, "containerName": "", "containerId": "", "imageName": "", "appID": "", "type": "customRule", "count": 60, "url": "", "subnet": "", "requestHeaders": "", "attackField": {}, "eventID": "" } ``` --- Retrieves all agentless Web-Application and API Security (WAAS) audit buckets based on a specified query time frame. **Note:** These are based on violations of WAAS policies defined under Defend > WAAS > Agentless > Agentless WAAS Policy. Use the following mandatory query parameters to fetch results: * **from**: Specifies the start time in UTC standard of the time period for which the audit events are returned. * **to**: Specifies the end time in UTC standard of the time period for which the audit events are returned. * **buckets**: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Values in the range 1-100 are accepted. ### cURL Request Refer to the following example cURL command that retrieves all host WAAS audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/agentless/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5" ``` ### cURL Response ``` { "start": "2022-11-22T02:49:23.827Z", "end": "2022-11-23T01:12:35.884Z", "count": 69 } ``` **Response Parameters**: * **start**: Specifies the start time of the bucket in date-time UTC format. * **end**: Specifies the end time of the bucket in date-time UTC format. * **count**: Specifies the number of audit occurrences. --- Returns the app-embedded WAAS audit events data in CSV format for the specified query parameters. **Note:** These audit events relate to violations of WAAS policies defined under **Defend > WAAS > App-Embedded > App-Embedded WAAS Policy**. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/firewall/app/app-embedded/download" ``` --- Returns all app-embedded WAAS audit events for the specified query parameters. **Note:** These audit events relate to violations of WAAS policies defined under **Defend > WAAS > App-Embedded > App-Embedded WAAS Policy**. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/app-embedded" ``` ### cURL Response ``` { "_id": "636ab72055e55c25de4702c3", "time": "2022-11-08T20:08:00Z", "hostname": "waas-mock-service-testing:24edfabfc76140ae97485844b0d7579c", "fqdn": "", "effect": "alert", "ruleName": "waas-mock-service-testing_22_11_384_fargate", "ruleAppID": "hxrbsrky", "msg": "Detected Local File Inclusion attack in request body, match ../, value ../../", "host": true, "containerName": "", "containerId": "", "imageName": "", "appID": "waas-mock-service-testing:24edfabfc76140ae97485844b0d7579c", "type": "lfi", "count": 1, "region": "us-east-1", "version": "22.11.384", "accountID": "496947949261", "url": "34.239.179.111:2001/", "userAgentHeader": "python-requests/2.27.1", "method": "POST", "urlPath": "/", "subnet": "34.72.93.22", "requestHeaders": "POST / HTTP/1.1\r\nHost: 34.239.179.111:2001\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n", "requestHost": "34.239.179.111:2001", "requestHeaderNames": [ "Accept", "Accept-Encoding", "Connection", "Content-Length", "User-Agent" ], "responseHeaderNames": [ "Content-Length", "Content-Type", "Date", "Server" ], "statusCode": 404, "collections": [ "All", "waas_collection_fargate_waas-mock-service-testing_22_11_384_zxo" ], "resource": { "appIDs": [ "waas-mock-service-testing:24edfabfc76140ae97485844b0d7579c" ], "accountIDs": [ "496947949261" ] }, "cluster": "automation-fargate-test", "attackTechniques": [ "exploitPublicFacingApplication", "applicationExploitRCE" ], "protection": "firewall", "attackField": { "value": "../../", "type": "rawBody" }, "eventID": "8513bd5f-3091-06cf-b856-4d007f11443d", "provider": "aws" } ``` --- Returns the app-embedded WAAS audit buckets based on the query time frame. Use the UTC time of an audit event to query for a time frame. **Note:** These audit events relate to violations of WAAS policies defined under **Defend > WAAS > App-Embedded > App-Embedded WAAS Policy**. Use the following mandatory query parameters to fetch results: * **from**: Specifies the start time in UTC standard of the time period for which the audit events are returned. * **to**: Specifies the end time in UTC standard of the time period for which the audit events are returned. * **buckets**: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Values in the range 1-100 are accepted. ### cURL Request Refer to the following example cURL command that retrieves the app-embedded WAAS audit buckets of five between 15 Nov. 2022 (15h:23m:57s) and 16 Nov. 2022 (15h:23m:57s): ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/app-embedded/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5" ``` ### cURL Response ``` { "start":"2022-11-12T20:11:57Z", "end":"2022-11-13T10:35:57Z", "count":44 } ``` **Response Parameters**: * **start**: Specifies the start time of the bucket in date-time UTC format. * **end**: Specifies the end time of the bucket in date-time UTC format. * **count**: Specifies the number of audit occurrences. --- Returns the container Web-Application and API Security (WAAS) audit events data in CSV format. **Note:** These audit events relate to violations of WAAS policies defined under **Defend > WAAS > Container > Container WAAS Policy**. ### cURL Request Refer to the following example cURL command that downloads the WAAS container audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/firewall/app/container/download" ``` --- Retrieves all container Web-Application and API Security (WAAS) audits. **Note:** These audit events relate to violations of WAAS policies defined under **Defend > WAAS > Container > Container WAAS Policy**. ### cURL Request Refer to the following example cURL command that retrieves all container WAAS audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/container" ``` ### cURL Response ``` { "_id": "636aa20ca5eab1d485abc519", "profileId": "sha256:a9301dac5a66b3f54a324b9ee737c64a1cc68d2186d8082df82755fb6d551a06_waas_k8s-v1-23-13-docker-20-10-21-kube-ssugandh-2b19f07bd1e31534", "time": "2022-11-08T18:38:04Z", "hostname": "kube-ssugandh-2b19f07bd1e31534-k8s-worker-1", "fqdn": "", "effect": "alert", "ruleName": "k8s-7878_384_kubernetes", "ruleAppID": "zhdmrlnr", "msg": "Detected Local File Inclusion attack in request body, match ../, value ../../", "host": false, "containerName": "/k8s_mock-web-service-36666_mock-web-service-32001_waas_52d3dccd-44b4-48fa-b149-60835b47c614_0", "containerId": "22c03ede91779978eb664c03189e3b69432e754b984dd9be203e7567fc6461ba", "imageName": "doctwistlock/waas-mock-service:latest", "appID": "", "type": "lfi", "count": 1, "region": "us-central1-a", "version": "22.11.384", "accountID": "twistlock-test-247119", "url": "10.180.31.40:32001/", "userAgentHeader": "python-requests/2.27.1", "method": "POST", "urlPath": "/", "subnet": "10.180.31.40", "requestHeaders": "POST / HTTP/1.1\r\nHost: 10.180.31.40:32001\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n", "requestHost": "10.180.31.40:32001", "requestHeaderNames": [ "Accept", "Accept-Encoding", "Connection", "Content-Length", "User-Agent" ], "responseHeaderNames": [ "Content-Length", "Content-Type", "Date", "Server" ], "statusCode": 404, "collections": [ "All", "Prisma Cloud resources" ], "os": "Ubuntu 20.04.5 LTS", "ns": [ "waas" ], "resource": { "images": [ "doctwistlock/waas-mock-service:latest" ], "namespaces": [ "waas" ], "accountIDs": [ "twistlock-test-247119" ] }, "cluster": "k8s-v1-23-13-docker-20-10-21-kube-ssugandh-2b19f07bd1e31534", "attackTechniques": [ "exploitPublicFacingApplication", "applicationExploitRCE" ], "protection": "firewall", "attackField": { "value": "../../", "type": "rawBody" }, "eventID": "dc2fb804-27b1-40f4-6b73-ae54783c548a", "provider": "gcp" }, ... ... ... } ``` --- Retrieves all container Web-Application and API Security (WAAS) audit events for a specific time frame. **Note:** These audit events relate to violations of WAAS policies defined under **Defend > WAAS > Container > Container WAAS Policy**. Use the following mandatory query parameters to fetch results: * **from**: Specifies the start time in UTC standard of the time period for which the audit events are returned. * **to**: Specifies the end time in UTC standard of the time period for which the audit events are returned. * **buckets**: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Values in the range 1-100 are accepted. ### cURL Request Refer to the following example cURL command that retrieves the container WAAS audit buckets of five between 15 Nov. 2022 (15h:23m:57s) and 16 Nov. 2022 (15h:23m:57s):: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/container/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5" ``` ### cURL Response ``` { "start": "2022-11-16T10:35:57Z", "end": "2022-11-16T15:23:57Z", "count": 46 } ``` Response Parameters: * **start**: Specifies the start time of the bucket in date-time UTC format. * **end**: Specifies the end time of the bucket in date-time UTC format. * **count**: Specifies the number of audit occurrences. --- Returns the host Web-Application and API Security (WAAS) audit events data in CSV format. **Note:** These audit events relate to violations of WAAS policies defined under **Defend > WAAS > Host > Host WAAS Policy**. ### cURL Request Refer to the following example cURL command that downloads the host WAAS audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https://console:8083/api/v/audits/firewall/app/host/download" ``` --- Retrieves all host Web-Application and API Security (WAAS) audit events. **Note:** These are based on violations of WAAS policies defined under **Defend > WAAS > Host > Host WAAS Policy**. ### cURL Request Refer to the following example cURL command that retrieves all host WAAS audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/host" ``` ### cURL Response ``` { "_id": "636ab7190487e34d5461a141", "profileId": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal", "time": "2022-11-08T20:07:53Z", "hostname": "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal", "fqdn": "", "effect": "alert", "ruleName": "rhe7-host_22_11_384_host", "ruleAppID": "cggseacq", "msg": "Detected Local File Inclusion attack in request body, match ../, value ../../", "host": true, "containerName": "", "containerId": "", "imageName": "", "appID": "", "type": "lfi", "count": 1, "region": "us-central1-a", "version": "22.11.384", "accountID": "twistlock-test-247119", "url": "10.181.239.16:2001/", "userAgentHeader": "python-requests/2.27.1", "method": "POST", "urlPath": "/", "subnet": "10.180.30.249", "requestHeaders": "POST / HTTP/1.1\r\nHost: 10.181.239.16:2001\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\nContent-Length: 6\r\nUser-Agent: python-requests/2.27.1\r\n", "requestHost": "10.181.239.16:2001", "requestHeaderNames": [ "Accept", "Accept-Encoding", "Connection", "Content-Length", "User-Agent" ], "responseHeaderNames": [ "Content-Length", "Content-Type", "Date", "Server" ], "statusCode": 404, "collections": [ "All", "rhe7-host_mhm", "compliance_rhe7_hhk", "waas_collection_host_rhe7-host_22_11_384_hpx" ], "resource": { "hosts": [ "jen-rhe7-0811t164940-host-def-pre-lngcon230.c.twistlock-test-247119.internal" ], "accountIDs": [ "twistlock-test-247119" ] }, "attackTechniques": [ "exploitPublicFacingApplication", "applicationExploitRCE" ], "protection": "firewall", "attackField": { "value": "../../", "type": "rawBody" }, "eventID": "306032c4-2175-6d95-7a2c-c9abacfc9cb6", "provider": "gcp" } ``` --- Retrieves all host Web-Application and API Security (WAAS) audit events. **Note:** These are based on violations of WAAS policies defined under **Defend > WAAS > Host > Host WAAS Policy**. Use the following mandatory query parameters to fetch results: * **from**: Specifies the start time in UTC standard of the time period for which the audit events are returned. * **to**: Specifies the end time in UTC standard of the time period for which the audit events are returned. * **buckets**: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Values in the range 1-100 are accepted. ### cURL Request Refer to the following example cURL command that retrieves host WAAS audit events for a specific time frame: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/hosttimeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5" ``` ### cURL Response ``` { "start": "2022-11-16T10:35:57Z", "end": "2022-11-16T15:23:57Z", "count": 46 } ``` **Response Parameters**: * **start**: Specifies the start time of the bucket in date-time UTC format. * **end**: Specifies the end time of the bucket in date-time UTC format. * **count**: Specifies the number of audit occurrences. --- Returns the serverless function Web-Application and API Security (WAAS) audit events data in CSV format. **Note:** These are based on violations of WAAS policies defined under **Defend > WAAS > Serverless > Serverless WAAS Policy**. ### cURL Request Refer to the following example cURL command that downloads the serverless WAAS audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o \ "https:///api/v/audits/firewall/app/serverless/download" ``` --- Retrieves all serverless function Web-Application and API Security (WAAS) audit events. **Note:** These are based on violations of WAAS policies defined under **Defend > WAAS > Serverless > Serverless WAAS Policy**. ### cURL Request Refer to the following example cURL command that retrieves all serverless WAAS audit events: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/serverless" ``` ### cURL Response ``` { "_id": "", "time": "0001-01-01T00:00:00Z", "hostname": "", "fqdn": "", "effect": "", "ruleName": "", "ruleAppID": "", "msg": "", "host": false, "containerName": "", "containerId": "", "imageName": "", "appID": "", "type": "cmdi", "count": 1, "url": "", "subnet": "", "requestHeaders": "", "attackField": {}, "eventID": "" } ``` --- Retrieves all serverless Web-Application and API Security (WAAS) audit buckets based on a specified query time frame in UTC. **Note:** These are based on violations of WAAS policies defined under **Defend > WAAS > Serverless > Serverless WAAS Policy**. Use the following mandatory query parameters to fetch results: * **from**: Specifies the start time in UTC standard of the time period for which the audit events are returned. * **to**: Specifies the end time in UTC standard of the time period for which the audit events are returned. * **buckets**: Specifies the number of buckets (buckets of audits based on aggregation logic) to return. Values in the range 1-100 are accepted. ### cURL Request Refer to the following example cURL command that retrieves the serverless WAAS audit events for a : ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/audits/firewall/app/serverless/timeslice?from=2022-11-15T15:23:57Z&to=2022-11-16T15:23:57Z&buckets=5" ``` ### cURL Response ``` { "start": "2022-11-21T04:26:58.066Z", "end": "2022-11-22T02:49:58.549Z", "count": 1 } ``` **Response Parameters**: * **start**: Specifies the start time of the bucket in date-time UTC format. * **end**: Specifies the start time of the bucket in date-time UTC format. * **count**: Specifies the number of audit occurrences. --- Retrieves an access token using your credentials. Valid tokens are required to access the rest of the Prisma Cloud Compute API. **Note:** The Prisma Cloud Compute API can also be accessed using [basic auth](https://docs.twistlock.com/docs/latest/api/access_api.html). --- Retrieves an access token using your username and password. By default, access tokens are valid for 30 minutes. You can set the validity period in Console under **Manage > Authentication > Logon**. **Note:** The username and password values are case-sensitive. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -H "Content-Type: application/json" \ -X POST \ -d \ '{ "username":"admin", "password":"password" }' \ https:///api/v/authenticate ``` ### Response Refer to the following successful example response that returns the access token for use in other API endpoints: ```bash {"token", "ACCESS_TOKEN_VALUE"} ``` --- Renews an old (unexpired) access token and returns a new token. ### cURL Request The following cURL command retrieves a new access token using an old access token. ```bash $ curl -k \ -H "Authorization: Bearer " \ https:///api/v1/authenticate/renew ``` ### Response A successful response will return the following response containing the new access token. This access token replaces the old access token. ```bash {"token", "ACCESS_TOKEN_VALUE"} ``` --- Retrieves an access token using a client certificate. Valid tokens are required to access the rest of the Prisma Cloud Compute API. Use this endpoint if your organization has rolled out multi-factor authentication built on X.509 certificates. The API can also be accessed using basic auth. * For Prisma Cloud Enterprise Edition (SaaS), see [here](https://prisma.pan.dev/docs/cloud/cwpp/access-api-self-hosted). * For Prisma Cloud Compute Edition (self-hosted), see [here](https://prisma.pan.dev/docs/cloud/cwpp/access-api-saas). --- Retrieves an access token using a client certificate. This endpoint checks the supplied client certificate and authorizes the user based on the username in the certificate's CN or UPN field. **Note:** The certificate must be in PEM format, and the certificate file must consist of a client certificate concatenated together with a private key. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -X POST \ --cert \ https:///api/v/authenticate-client ``` ### Response Refer to the following example cURL response that returns the user's role and an access token that you can use for subsequent API calls: ```bash { "admin", "" } ``` --- Retrieves the Base64-encoded SSL root certificate self-signed by primary certificate authority (CA) in PEM format. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v1/certs/ca.pem" ``` ### cURL Response ``` -----BEGIN CERTIFICATE----- MIIDHDCCAgSgAwIBAgIQDBOoX575awe…iQ6j6Icf8NDANBgkqhkiG9w0BAQsFADAo MRIwEAYDVQQKEwlUd2lzdGxvY2sxEjAQBgNVBAMTCVR3aXN0bG9jazAeFw0yMjEx MDgxNjA1MDBaFw0yNTExMDrbXDQLhFyPXcFfNgNdEaH EbVjIec/Frhk0TWIhDDphuwaIz2Qkuj/hIF1rtHhkMFXsYKsUGDcyGKJnEUxz9zR S4hdrn5QhEh+m+CLzuv+WRV925WJ5rCKYeT9DIhXgEM= -----END CERTIFICATE----- ``` --- Retrieve and manage the client and server certificates from the Prisma Cloud Compute. ### Authentication #### Basic Auth ##### Headers - Authorization: required (string): Authenticates with the Base64-encoded "username:password" credentials. #### JWT Access Token Use POST, /api/vVERSION/authenticate for authorization ##### Headers - Authorization: required (string): Authenticates with the Bearer authentication scheme to transmit the access token. Example: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJk………… --- Downloads a script that installs a client certificate, client private key, and certificate authority certificate for the authenticated user. The following example curl command uses basic auth to download and run the install script for your client certs: ```bash $ curl -k \ -u \ -X GET \ https://:8083/api/v1/certs/client-certs.sh | sh ``` --- Retrieves the server certificate bundle from Prisma Cloud Compute that contains a chain of certificates. * Certificate Authority (CA) certificate in PEM * RSA Private Key for server in PEM * Server certificate in PEM * Defender CA certificate in PEM * Defender RSA Private Key for client in PEM * Defender client certificate in PEM ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -H 'Content-Type: application/json' \ -u \ -X GET \ "https:///api/v1/certs/server-certs.sh" ``` ### cURL Response ``` #!/bin/sh # Copy Certificate Authority echo -n "-----BEGIN CERTIFICATE----- MIIDHDCCAgSgAwIBAgIQDBOoX575aweiQ6j6I…hXgEM= -----END CERTIFICATE----- " > ca.pem # Copy Server key echo -n "-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,a7a8cbceec7e97d51c04ce03f1b4c4dc HwlxgvmGJw068VUEletmSSBjE54Q+8BGcWuYc…3PjIj2nuD4PTtOULiuLnAoONb0 -----END RSA PRIVATE KEY----- " > server-key.pem # Copy Server Cert echo -n "-----BEGIN CERTIFICATE----- MIIDOjCCAiKgAwIBAgIRAOCRfG1Sot…5SY03wZf20LvAzrLTRLsIAbsivp0Ljmvt drBPViPXgryvwhpnaxU= -----END CERTIFICATE----- " > server-cert.pem # Copy the defender certificate authority echo -n "-----BEGIN CERTIFICATE----- MIIDHTCCAgWgAwIBAgIRAMAqTE7/cvmwb…xLx9lzxemN -----END CERTIFICATE----- " > defender-ca.pem # Copy the defender client key echo -n "-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-256-CBC,ab1bca8bc354c0866cfc26fd946c70b5 x1nwAJw5sbjoSL7aUpO3rP8IkMz63X1dD…3k1SVZSph63rRvv6d5O -----END RSA PRIVATE KEY----- " > defender-client-key.pem # Copy the defender client cert echo -n "-----BEGIN CERTIFICATE----- MIIDJzCCAg+gAwIBAgIQcb6VdD45Jbla…6kXfxAvSiLTs4mhC1wg68ZSDUQ== -----END CERTIFICATE----- " > defender-client-cert.pem ``` --- Find all the cloud-native services being used in your AWS, Azure, and Google Cloud accounts. Prisma Cloud Compute continuously monitors these accounts, detects when new services are added, and reports which services are unprotected. --- Download all cloud scan data in CSV format. ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o cloud-compliance.csv \ https://:8083/api/v1/cloud/compliance/download ``` --- Returns a list of all cloud compliance scan results. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/cloud/compliance ``` --- Initiates a new cloud compliance scan. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/cloud/compliance/scan ``` --- Terminates a cloud compliance scan that's in progress.. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/cloud/compliance/stop ``` --- Downloads all cloud scan data in a CSV file. ### cURL Request Refer to the following cURL example command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o cloud-discovery.csv \ https://:8083/api/v/cloud/discovery/download ``` --- Returns a list of discovered cloud entities. Use this API endpoint along with the `GET, api/vVERSION/cloud/discovery` to get full information about the discovered cloud scan result. ### cURL Request Refer to the following cURL example request: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/cloud/discovery/entities" ``` --- Returns a list of all cloud discovery scan results in a paginated response. The `entities` object and the associated parameters in the response schema is now part of a new API endpoint `/api/v1/cloud/discovery/entities`. ### cURL Request Refer to the following cURL example request: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/cloud/discovery" ``` --- Initiates a new cloud discovery scan. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v/cloud/discovery/scan ``` --- Terminates a cloud discovery scan that's in progress. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v/cloud/discovery/stop ``` --- Returns the discovered cloud VM instances. ### cURL Request Refer to the following example cURL command that retrieves all the discovered cloud VM instances: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/cloud/discovery/vms' ``` --- Downloads code repository scan reports in CSV format. This endpoint maps to the CSV hyperlink in **Monitor > Vulnerabilities > Code repositories** in the Console UI. ### cURL Request The following cURL command generates a CSV file containing the reports: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v1/coderepos/download" \ > coderepos.csv ``` A successful response displays the status of the download. --- Retrieves all code repository scan reports. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. This endpoint maps to the **Code repositories** table in **Monitor > Vulnerabilities > Code repositories** in the Console UI. ### cURL Request The following cURL command retrieves all code repository scan reports. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v1/coderepos \ ``` A successful response returns all code repository scan reports. --- Adds a CI code repository scan result. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. --- Adds vulnerability data for the given code repository scan result. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. --- Collections are predefined filters that let you group related resources together. Resources include things like containers, images, hosts, functions, and clusters. Use collections to scope policy rules and segment data/views in the Console UI and the Prisma Cloud API. ### Endpoints with a `{id}` URL Parameter Some `/collections` endpoints take a URL parameter called `{id}`. The value for `{id}` should be a collection name. You can retrieve collection names from the `GET /api/v1/collections` endpoint. Each collection object in the response has a key called `name`, which can be used for `{id}`. **Note:** Spaces are considered [unsafe characters in a URL](https://www.ietf.org/rfc/rfc1738.txt). If your collection name has a space, encode the space with the value `%20` before passing it as a URL parameter. --- Retrieves a list of all collections. This endpoint maps to the table in **Manage > Collections and Tags > Collections** in the Console UI. ### cURL Request Refer to the following example cURL command that returns a list of collections: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/collections' ``` --- Deletes a collection. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Collections and Tags > Collections**. 2. Click the dotted icon under the **Actions** column to open up the menu options. **Note:** The default collections do not have a dotted icon in the **Actions** column. 3. Click the **Delete** button to initiate the deletion. 4. Click the **Delete Collection** button to confirm the deletion. ### cURL Request Refer to the following example cURL command that deletes a collection with the name `my-collection`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ 'https:///api/v/collections/my-collection' ``` **Note:** No response will be returned upon successful execution. --- Updates the parameters for a specific collection. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Collections and Tags > Collections**. 2. Click the dotted icon under the **Actions** column to open up the menu options. **Note:** The default collections do not have a dotted icon in the **Actions** column. Use the **Manage** cog icon to open the update window. 3. Click the **Manage** button and update the collection's parameters. 4. Click the **Save** button to save the changes. ### cURL Request The PUT cURL command updates a collection. **To submit a cURL request:** * The `name` value is required. * If `description` is not included in the request, the value will be defaulted to an empty string. * If `color` is not included in the request, the system will set the color to a random value. * If one of the following resources is left unspecified, the resource value will be set to a wildcard `[*]`: `hosts`, `images`, `labels`, `containers`, `functions`, `namespaces`, `appIDs`, `accountIDs`, `codeRepos`, `clusters` #### Example cURL Request This existing collection `my-collection` captures all container images named `ubuntu:18.04`. ```json { "hosts":["*"], "images":["ubuntu:18.04"], "labels":["*"], "containers":["*"], "functions":["*"], "namespaces":["*"], "appIDs":["*"], "accountIDs":["*"], "codeRepos":["*"], "clusters":["*"], "name":"my-collection", "owner":"", "modified":"2021-01-01T21:04:30.417Z", "color":"#AD3C21", "system":"false" } ``` The following cURL command updates `my-collection` to captures all container images named `ubuntu:20.04`. **Note:** You can retrieve collection names from the `GET /api/v/collections` endpoint using the `name` key. Refer to the following example cURL command: ```bash $ curl 'https:///api/v/collections/my-collection' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "name":"my-collection", "images":["ubuntu:20.04"] }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves all policies that uses a specified collection. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Collections and Tags > Collections**. 2. Click the dotted icon under the **Actions** column to open up the menu options. **Note:** The default collections do not have a dotted icon in the **Actions** column. Use the **Manage** cog icon to open the update window. 3. Click the **Manage** button. 4. The **Usages** table displays the collection's usages. ### cURL Request Refer to the following example cURL command that retrieves all policies with name `my-collection`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/collections/my-collection/usages' ``` --- Creates a new collection. Only the `name` field is required; the other fields are optional. The `name` field can contain the characters: 'A-Z', 'a-z', '0-9', '_', '-', and ':'. Optional fields for which you do not specify a value are set to the '*' wildcard. If you don't provide a value for the `name` field and try to use the collection, you'll get an empty resource error. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Collections and Tags > Collections**. 2. Add a collection using **+ Add collection**. 3. Click the **Save** button. ### cURL Request Refer to the following example cURL command that creates a new collection named `my-collection`, specifies a HEX color value of #AD3C21, and captures all container images named `ubuntu:18.04`: ```bash $ curl 'https://:8083/api/v/collections' \ -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "name":"my-collection", "images":["ubuntu:18.04"], "hosts":["*"], "labels":["*"], "containers":["*"], "functions":["*"], "namespaces":["*"], "appIDs":["*"], "accountIDs":["*"], "codeRepos":["*"], "clusters":["*"], "color":"#AD3C21" }' ``` **Note:** No response is returned upon successful execution. You must verify the collection in the Console UI. --- Returns an integer representing the number of containers in your environment. ### cURL Request Refer to the following example cURL command that returns the number of containers. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/containers/count ``` --- Downloads container scan reports in CSV format. You can download the container scan reports in CSV format in Console under **Monitor > Compliance > Containers**. **Note**: The query parameter `fields` is not supported for this API endpoint. ### cURL Request Refer to the following example cURL command that generates a CSV file containing the scan reports: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/containers/download?id={id}&layers=true" \ > container_report.csv ``` A successful response displays the status of the download. --- Returns all container filters in JSON format. These filters can be used in the base `GET` request as query parameters. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/containers/filters ``` --- Retrieves container scan reports. You can view the container scan reports in Console under **Monitor > Compliance > Containers**. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. Refer to the following available options for the `fields` query parameters: * labels * externalLabels * cluster * hostname * image ### cURL Request Refer to the following example cURL command that retrieves a scan report for all containers: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/containers" ``` Refer to the following example cURL command that retrieves a scan report for a container with the collection ``: ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/containers?collections=" ``` The name query is synonymous with the filter containers text field in the Console UI. A successful response returns the container scan reports. --- Returns an array of strings containing all of the labels. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/containers/labels ``` --- Returns an array of strings containing all container names. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/containers/names ``` --- Re-scan all containers immediately. This endpoint returns the time that the scans were initiated. The following example command uses curl and basic auth to force Prisma Cloud Compute to re-scan all containers: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https:///api/v/containers/scan ``` --- Retrieves a list of all credentials from the credentials store. This endpoint maps to **Manage > Authentication > Credentials store** in the Console UI. ### cURL Request Refer to the following example cURL command that retrieves all credentials: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/credentials ``` A successful response returns a list of all credentials. --- Deletes a credential from the credential store. **Note:** Use only Prisma Cloud Compute user interface **Manage** > **Cloud accounts** to delete cloud credentials for `Amazon AWS`, `Microsoft Azure`, and `Google Cloud Platform`. To invoke this endpoint in the Prisma Cloud Compute user interface: 1. Navigate to **Manage > Authentication > Credentials Store**. 2. From the table, find the row of the credential you want to delete and click the dotted icon under the **Actions** column. 3. Click the **Delete** button to open the delete confirmation window. 4. Click the **Delete Credential** button to delete the credential. ### cURL Request Refer to the following example cURL command that deletes an existing credential: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https:///api/v/credentials/{id} ``` **Note:** No response will be returned upon successful execution. --- Retrieves all usages for a specific credential in the credential store. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Authentication > Credential Store**. 2. From the table, find the row of the credential you want to update and click the dotted icon under the **Actions** column. 3. Click the **Manage** button. 4. The **Usage** table displays the data from this endpoint. ### cURL Request Refer to the following cURL command that retrieves all usages for a credential: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/credentials/{id}/usages ``` A successful response returns a list of all usages for the credential. --- Updates a credential in the credentials store. **Note:** Use only Prisma Cloud Compute user interface **Manage** > **Cloud accounts** > **Add account** to add cloud credentials for `Amazon AWS`, `Microsoft Azure`, and `Google Cloud Platform`. To invoke this endpoint in the Prisma Cloud Compute user interface: 1. Navigate to **Manage > Authentication > Credentials Store**. 2. From the table, find the row of the credential you want to update and click the dotted icon under the **Actions** column. 3. Click the **Manage** button and update the credential's parameters. 4. Click the **Save** button to save the updated credential. ### cURL Request Refer to the following example cURL command: ```bash $ curl 'https:///api/v/credentials' \ -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "serviceAccount":{ }, "apiToken":{ "encrypted":"ENCRYPTED_TOKEN" }, "type":"TYPE", "_id":"{id}" }' ``` **Note:** There's no response upon successful execution. --- The cURL example for each endpoint is called with a username (`-u `) only. The cURL can be modified to use any of the following: * **Authentication Token:** Use the `-H` option to pass the authentication token from the `/api/v1/authenticate` endpoint into the request header. For example, replace `` with the token from the `/api/v1/authenticate` endpoint. ```bash $ curl -k \ -H 'Authorization: Bearer ' \ -X POST \ https:///api/v1/ ``` * **Username and Password:** Use the `-u` and `-p` options to include the username and password, eliminating the need to enter a password in a secondary step. For example, replace `` with the username string and `` with the password string. ```bash $ curl -k \ -u \ -p \ -X POST \ https:///api/v1/ ``` * **Username Only:** This will require the user's password to be entered as a secondary step. For example, replace `` with the username string. ```bash $ curl -k \ -u \ -X POST \ https:///api/v1/ ``` **Note:** This is a more secure method than including the `-p` option since your terminal history won't contain the password. --- Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. Although Prisma Cloud Compute supports OpenSCAP and XCCDF, these frameworks are complicated, and they can be overkill when all you want to do is run a simple check. Prisma Cloud Compute lets you implement your own custom image checks with simple scripts. A custom image check consists of a single script. The script’s exit code determines the result of the check, where 0 is pass and 1 is fail. Scripts are executed in the container’s default shell. For many Linux container images, the default shell is bash, but that’s not always the case. For Windows container images, the default shell is `cmd.exe`. --- Returns a list of all custom compliance checks. This endpoint maps to **Defend > Compliance > Custom** in the Console UI. ### cURL Request Refer to the following example curl command that gets the list of custom compliance checks: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/custom-compliance ``` ### Response ``` [ { "modified": "2019-03-07T17:01:12.355Z", "owner": "pierre", "name": "apitest", "previousName": "", "_id": 9000, "title": "apitest", "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi", "severity": "high" } ] ``` --- Deletes a specific custom compliance check. This endpoint maps to **Defend > Compliance > Custom** in the Console UI. ### cURL Request Refer to the following example cURL command that uses basic auth to delete the compliance check with id 9000: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https:///api/v/custom-compliance/9000 ``` --- This endpoint will allow for update of the custom compliance checks. This endpoint maps to **Defend > Compliance > Custom** in the Console UI. ### cURL Request Create `custom_check.json` file (example): ```bash { "modified": "2019-03-07T17:01:12.355Z", "owner": "pierre", "name": "apitest", "previousName": "", "_id": 9000, "title": "apitest", "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi", "severity": "high" } ``` Refer to the following example curl command that uses basic auth to update the checks: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d @custom_check.json \ https:///api/v/custom-compliance ``` --- Defines a precise defense action for containers, hosts, Kubernetes audits, WAAS requests, and WAAS responses. --- Retrieves a list of all custom rules. This endpoint maps to the policy table in **Defend > Custom rules** in the Console UI. ### cURL Request Refer to the following example cURL command that retrieves all rules in the policy. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/custom-rules' ``` A successful response returns a list of custom rules in the policy. --- Deletes a custom rule. ### cURL Request Refer to the following example cURL command that deletes a custom rule: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ 'https:///api/v/custom-rules/{id}' ``` ​**Note:** No response will be returned upon successful execution. --- Creates or updates a custom rule. To invoke this endpoint in the Console UI: 1. Navigate to **Defend > Custom rules**. 2. Click **+ Add rule** or the dotted icon under the **Actions** column and choose to the **Manage** cog icon to open the update window. 3. Configure the custom rule's parameters. 4. Click the **Add** or **Update** button to save the changes. ### cURL Request Refer to the following example cURL command that updates a custom rule. ```bash $ curl 'https:///api/v/custom-rules/{id}' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "_id":{id}, "type":"processes", "message":"unexpected %proc.name was spawned", "name":"", "script":"proc.interactive" }' ``` **Note:** No response will be returned upon successful execution. --- Browse Prisma Cloud Compute's vulnerability database. --- Retrieves CVEs from the vulnerability database grouped into distribution where you will see a count for vulnerabilities per distribution. The following example curl command uses basic auth to retrieve this data: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/cves/distribution ``` --- Retrieves CVEs from Prisma Cloud Compute's vulnerability database. Query the database by CVE ID. Partial matches are supported. A null response indicates that the CVE is not in our database. The following example curl command queries the Prisma Cloud Compute database for `CVE-2018-1102`. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/cves?id=CVE-2018-1102 ``` --- Creates an augmented Dockerfile with Defender and dependencies included as a ZIP file. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "appID": "my-app", "consoleAddr": "https://localhost:8083", "dataFolder": "/var/lib/docker/containers/twistlock/tmp", "dockerfile": "/var/lib/docker/overlay2/183e9e3ec933ba2363bcf6066b7605d99bfcf4dce84f72eeeba0f616c679cf48" }' \ "https:///api/v/defenders/app-embedded" ``` --- Creates a DaemonSet deployment file in YAML format that can be used to deploy Defender to your cluster. For more information about how to use this endpoint, see [Deploy a Defender DaemonSet using the API](https://docs.twistlock.com/docs/latest/api/automate_defender_install.html). The following example curl command returns a Defender DaemonSet deployment file. The `` query parameter specifies the address that Defender uses to communicate with Console. It can be a DNS name or IP address. `` is a single list item from the `/api/v1/defenders/names` endpoint. ```bash $ curl -k \ -u \ -X GET \ 'https://:8083/api/v1/defenders/daemonset.yaml?consoleaddr=&listener=none&namespace=twistlock&orchestration=kubernetes' ``` --- Creates a DaemonSet deployment file in YAML format that you can use to deploy Defender to your cluster. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "orchestration": "container", "consoleAddr": "servo-vmware71", "namespace": "twistlock" }' \ "https:///api/v/defenders/daemonset.yaml" ``` --- Manage Defender. Defender is Prisma Cloud Compute's security agent. In general, one Defender is deployed per node. --- Downloads information about deployed Defenders in CSV format. Use the query parameters to filter what data is returned. **Note:** The results contain "hostname" even if you don't specify a "hostname" in the "fields" query parameter. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET -o \ https:///api/v/defenders/download ``` --- Returns a protected Fargate task definition given an unprotected task definition. ### cURL Request Refer to the following example cURL command: `` is a single list item from the `/api/v/defenders/names` endpoint. Unprotected task definition in `unprotected.json` ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ --data-binary "@unprotected.json" --output protected.json \ "https:///api/v/defenders/fargate.json?consoleaddr=&defenderType=appEmbedded" ``` Refer to the following example cURL command that accepts the task definition in JSON format for a CloudFormation template: `` is a single list item from the `/api/v/defenders/names` endpoint. Unprotected task definition in `unprotected.json` ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ --data-binary "@unprotected.json" --output protected.json \ "https:///api/v/defenders/fargate.json?cloudFormation=true&consoleaddr=&filestemMonitoring=false&interpreter=&project=Central+Console" ``` ### cURL Response New Protected task will be in `protected.json` --- Returns a protected Fargate task definition for a CloudFormation YAML template given an unprotected task definition. ### cURL Request Refer to the following example cURL command that accepts the task definition in YAML format for a CloudFormation template: `` is a single list item from the `/api/v/defenders/names` endpoint. Unprotected task definition in `unprotected.yaml` ```bash $ curl -k \ -u \ -H 'Content-Type: application/yaml' \ -X POST \ --data-binary "@unprotected.yaml" --output protected.yaml \ "https:///api/v/defenders/fargate.yaml?cloudFormation=true&consoleaddr=&filestemMonitoring=false&interpreter=&project=Central+Console" ``` New Protected task will be in `protected.yaml` --- Retrieves all deployed Defenders. This endpoint maps to the UI Console page in **Manage > Defenders > Defenders**. ### cURL Request Refer to the following example cURL command that retrieves all deployed Defenders. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/defenders ``` A successful response returns all deployed Defenders. --- Creates a Helm deployment file that can be used to deploy Defenders to your cluster. For more information about how to use this endpoint, see [Deploy a Defender Helm using the API](https://docs.twistlock.com/docs/19.07/install/install_kubernetes.html#install-twistlock-with-helm-charts). ### cURL Request Refer to the following example curl command that returns a Defender Helm deployment file: The `` query parameter specifies the address that Defender uses to communicate with Console. It can be a DNS name or IP address. `` is a single list item from the `/api/v/defenders/names` endpoint. ```bash $ curl -k \ -u \ -X GET \ -o twistlock-defender-helm.tar.gz \ 'https:///api/v/defenders/helm/twistlock-defender-helm.tar.gz?consoleaddr=&namespace=twistlock&orchestration=kubernetes' ``` --- Creates a Helm deployment file that you can use to deploy Defenders to your cluster. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -o twistlock-defender-helm.tar.gz \ -d \ '{ "orchestration": "container", "consoleAddr": "servo-vmware71", "namespace": "twistlock" }' \ "https:///api/v/defenders/helm/twistlock-defender-helm.tar.gz" ``` --- Deletes an existing Defender on a given host. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Defenders > Defenders**. 2. In a table row, click the dotted **Actions** button for the Defender you want to delete. 3. Click the **Decommission** button to open the delete confirmation window. 4. Click the **Delete Defender** button to delete the Defender. ### cURL Request The following cURL command deletes an existing Defender on a host. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https:///api/v/defenders/ ``` `` is populated with a value returned from the `/api/v/defenders/names` endpoint. **Note:** No response will be returned upon successful execution. --- Updates a deployed Defender's configuration. `` is a single list item from the `/api/v1/defenders/names` endpoint. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"proxyListenerType": "tcp", "registryScanner":"", "serverlessScanner":""}' \ https:///api/v/defenders//features ``` --- Restarts Defender on a given host. `` is a single list item from the `/api/v1/defenders/names` endpoint. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https:///api/v/defenders//restart ``` --- Upgrades Defender on ``. `` is a single list item from the `/api/v/defenders/names` endpoint. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https:///api/v/defenders//upgrade ``` --- Returns the full Docker image name for Defender. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/defenders/image-name ``` ### Response Refer to the following example cURL response: `registry-auth.twistlock.com/tw_mcxweebesog0apjuhtmatv7saf9xdnwd/twistlock/defender:defender_21_11_812` --- Returns the certificate bundle that Defender needs to securely connect to Console. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/defenders/install-bundle?consoleaddr=" ``` is the hostname of the Console. --- Retrieves a list of Defender hostnames that can be used as the `{id}` query parameter in other `/api/v1/defenders` endpoints. ### cURL Request Refer to the following example cURL command that retrieves a list of all Defenders: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/defenders/names ``` Refer to the following example cURL command that retrieves a list of connected Defenders using a query parameter and a specified boolean value in lower case: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/defenders/names?connected=true" ``` Refer to the following example cURL command that retrieves a list of disconnected Defenders using a query parameter and a specified boolean value in lower case: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/defenders/names?connected=false" ``` **Note**: The query parameter `connected` expects and accepts a boolean value in lower case. The endpoint enlists all the connected and disconnected Defenders if do not specify a boolean value. Refer to the following example cURL command that retrieves a list of Defenders by type: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/defenders/names?type=" ``` --- Creates an augmented Dockerfile with RASP Defender and dependencies included as a ZIP file. The following example curl command returns a RASP Defender zip file. The `` query parameter specifies the address that Defender uses to communicate with Console. It can be a DNS name or IP address. `` is a single list item from the `/api/v1/defenders/names` endpoint. ```bash $ curl -k \ -u \ -X GET \ -o rasp-defender.zip 'https://:8083/api/v1/defenders/rasp?appId=&consoleaddr=&dataFolder=&dockerfile=' ``` --- Downloads a ZIP file with serverless Defender bundle. Refer to the following values to assign: * For `provider`: Use `aws` or `azure`. * For `runtime`: * If you use `aws`, then you can add the runtime values: `python`, `python3.6`, `python3.7`, `python3.8`, `python3.9`, `nodejs12.x`, `nodejs14.x`, `dotnet6`, `java8`, `java11`, or `ruby2.7`. * If you use `azure`, then you can add `dotnet3` or `dotnet6`. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/octet-stream' \ -o serverless_bundle.zip \ -X POST \ -d '{"provider": ["aws"], "runtime": ["nodejs14.x"]}' \ "https:///api/v/defenders/serverless/bundle" ``` --- Lists the number of Defenders in each defender category. ### cURL Request Refer to the following example cURL command that retrieves a summary of Defenders: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/defenders/summary ``` --- Upgrades all connected single Linux Container Defenders. This does not update cluster Container Defenders (such as Defender DaemonSets), Serverless Defenders, or Fargate Defenders. To upgrade cluster Container Defenders, redeploy them. To upgrade Serverless and Fargate Defenders, re-embed them. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https:///api/v/defenders/upgrade ``` --- Deploys a Defender DaemonSet to the cluster identified by `credentialID`. The `credentialID`, of type `kubeconfig`, must exist before calling this endpoint. It identifies the cluster's API server, user, and credentials. Use the various request parameters to control the properties of the deployed DaemonSet. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{ "credentialID": "", "consoleAddr": "", "namespace": "", "orchestration": "", "...":"..." }' \ https://:8083/api/v1/deployment/daemonsets/deploy ``` --- Retrieves a list of deployed Defender DaemonSets. You must specify a `credentialID`, of type `kubeconfig`, which identifies your cluster and user. Credentials are managed in Console's credentials store (`/api/v1/credentials`). ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/deployment/daemonsets?credentialID= ``` --- Returns the list of custom vulnerabilities and associated rules for handling internally created or packaged apps. This list is used by the Prisma Cloud Compute scanner to detect vulnerable custom components (apps, libraries, etc) that were developed and packaged internally. > **Note:** When a vulnerable custom component is detected in an image, you must have a rule to tell Prisma Cloud Compute how to handle it. Vulnerability rules can be created using the Prisma Cloud Compute. ### cURL Request Refer to the following cURL command that retrieves a list of all the custom vulnerabilities and associated rules. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/feeds/custom/custom-vulnerabilities" ``` ### Response A successful response will return a list of custom vulnerability rules and the associated digest: ```json { "_id":"customVulnerabilities", "rules": [ { "_id": "", "package": "internal-lib", "type": "package", "minVersionInclusive": "1.1", "name": "internal-lib", "maxVersionInclusive": "1.8", "md5": "" } ], "digest":"" } ``` --- Updates all the custom vulnerabilities and associated rules simultaneously for handling internally created or packaged apps. ### cURL Request Refer to the following cURL command that updates a vulnerability for a library named `internal-lib`, and specifies that its versions `1.1` to `1.8` are known to be vulnerable. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d ' { "rules": [ { "_id": "", "package": "internal-lib", "type": "package", "minVersionInclusive": "1.1", "name": "internal-lib", "maxVersionInclusive": "1.8", "md5": "" } ] }' \ "https:///api/v/feeds/custom/custom-vulnerabilities" ``` **Note:** No response will be returned upon successful execution. ### Maintain your Custom Vulnerabilities We suggest you maintain your custom vulnerabilities using the following steps: 1. Get all the custom vulnerability rules from the `GET` endpoint and save the results to a file. **Note:** You will need `jq` to execute this command. ``` $ curl -k \ -u \ https:///api/v/feeds/custom/custom-vulnerabilities \ | jq '.' > custom_vulnerability_rules.json ``` 2. Open the JSON file and add, modify, and/or delete the rules by directly editing the JSON output. For example: ```json { "id": "customVulnerabilities", "rules": [ { "_id": "", "package": "internal-lib", "type": "package", "minVersionInclusive": "1.1", "name": "internal-lib", "maxVersionInclusive": "1.8", "md5": "" } ], "digest": "97de7f27XXXXXXXXXX" } ``` 3. Update the rules by pushing the new JSON payload. **Note:** Do not forget to specify the `@` symbol. ``` $ curl -k \ -u \ -X PUT \ -H "Content-Type:application/json" \ -d @custom_vulnerability_rules.json \ https:///api/v/feeds/custom/custom-vulnerabilities ``` 4. Run the cURL command for the `GET /api/vVERSION/feeds/custom/custom-vulnerabilities` endpoint and you can see that the previously installed rules are now overwritten with your new rules. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/feeds/custom/custom-vulnerabilities ``` --- Returns the unique digest for the custom vulnerabilities and associated rules for handling internally created or packaged apps. ### cURL Request The following cURL command retrieves the digest for the configured custom vulnerabilities. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v1/feeds/custom/custom-vulnerabilities/digest ``` A successful response will return the digest string. This is the same value as the `digest` property in the response of the `GET api/v1/feeds/custom/custom-vulnerabilities` endpoint. --- Retrieves the digest string for the Common Vulnerabilities and Exposures (CVE) allow list configured in Console. ### cURL Request The following cURL command retrieves the digest for the configured CVE allow list. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v1/feeds/custom/cve-allow-list/digest ``` A successful response will return the digest string. This is the same value as the `digest` property in the response of the `GET api/v1/feeds/custom/cve-allow-list` endpoint. --- Retrieves the globally allow-listed Common Vulnerabilities and Exposures (CVE). ### cURL Request The following cURL command retrieves the globally allow-listed CVEs. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v1/feeds/custom/cve-allow-list ``` ### Response A successful response returns all CVEs globally allow-listed. ```json { "_id":"cveAllowList", "rules": [ { "cve": "CVE-2018-2222", "expiration": "2020-06-18T00:00:00Z" } ], "digest":"" } ``` --- Globally allow-lists a set of Common Vulnerabilities and Exposures (CVE). **Note:** Any previously installed lists are overwritten. ### cURL Request The following cURL command installs a global CVE allow-list. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d \ '{ "rules": [ { "cve": "CVE-2018-2222", "expiration": "2020-06-18T00:00:00Z" } ] }' \ https:///api/v1/feeds/custom/cve-allow-list ``` **Note:** No response will be returned upon successful execution. To confirm the CVE list has been added to the global allow-list, call the `GET /api/v1/feeds/custom/cve-allow-list` endpoint. --- Augments the Prisma Cloud Compute Intelligence Stream with custom threat data. Enables you expand the scope of threats and vulnerabilities that Prisma Cloud Compute can detect and report. --- Retrieves the digest string for the list of suspicious or high risk IP endpoints configured in Console. ### cURL Request The following cURL command retrieves the digest for the banned suspicious or high-risk IP addresses. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v1/feeds/custom/ips/digest ``` A successful response will return the digest string. This is the same value as the `digest` property in the response of the `GET api/v1/feeds/custom/ips` endpoint. --- Retrieves the customized list of block-listed suspicious or high-risk IP addresses. ### cURL Request The following cURL command retrieves the list of globally block-listed suspicious or high-risk IP addresses. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v1/feeds/custom/ips ``` ### Response A successful response will return a list of suspicious or high-risk IP addresses that will be banned. ```json { "_id":"", "modified":"2020-11:00:00T00:00:01.62Z", "feed":["193.171.1.1","193.171.1.2"]}, "digest":"" } ``` --- Bans a custom list of suspicious or high-risk IP addresses. **Note:** Any previously installed lists are overwritten. ### cURL Request The following cURL command installs a custom list of banned suspicious or high-risk IP addresses. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d '{"name":"banned-ips", "feed":["193.171.1.1","193.171.1.2"]}' \ https:///api/v1/feeds/custom/ips ``` **Note:** No response will be returned upon successful execution. To confirm the IPs have been added to the ban list, invoke the `GET /api/v1/feeds/custom/ips` endpoint. --- Retrieves the digest string for all the MD5 signatures of malicious executables configured in Console. ### cURL Request The following cURL command retrieves the digest for the configured list for the MD5 signatures of malicious executables. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v1/feeds/custom/malware/digest ``` A successful response will return the digest string. This is the same value as the `digest` property in the response of the `GET api/v1/feeds/custom/malware` endpoint. --- Returns the customized list of MD5 signatures of malicious executables. ### cURL Request Refer to the following cURL command that retrieves the list of MD5 signatures of malicious executables: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/feeds/custom/malware" ``` ### Response A successful response will return a list of MD5 signatures of malicious executables. ```json { "_id":"", "modified":"2020-11:00:00T00:00:01.62Z", "feed": [ { "name": "dimaaa", "md5": "d4ba1008e7d97458fdd65deca2ba801b" }, { "name": "emacs", "md5": "5ce9d1116755f827f5d1e06246dd30b9" } ] "digest":"" } ``` --- Creates a custom list of malware MD5 signatures of malicious executables. > **Note:** Any previously installed lists are overwritten. ### cURL Request Refer to the following cURL command that installs a custom list of malware MD5 signatures of malicious executables: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d ' { "name": "malware-sigs", "feed": [ { "name": "dimaaa", "md5": "d4ba1008e7d57458fdd65deca2ba801b" }, { "name": "emacs", "md5": "5ce9d1116755f827f5d1e06246dd30b9" } ] }' \ "https:///api/v/feeds/custom/malware" ``` **Note:** No response will be returned upon successful execution. To confirm the malware list has been added / overwritten to the ban list, invoke the `GET /api/vVERSION/feeds/custom/malware` endpoint. --- Triggers Console to refresh its data from the **Intelligence Stream** ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/feeds/offline/refresh ``` --- Downloads all host activities that can be found on *Monitor > Events > Host Activities* Use the query parameters to filter what data is returned. ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o host_activities.csv https://:8083/api/v1/forensic/activities/download ``` --- Retrieves all host activities that can be found on *Monitor > Events > Host Activities*. Use the query parameters to filter what data is returned. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/forensic/activities ``` --- The forensic endpoint will return data for host activities. --- Retrieves the list of all groups. This endpoint maps to the table data on the **Manage > Authentication > Groups** Console UI page. ### cURL Request Refer to the following example cURL command that retrieves all the system groups. ```bash $ curl -k \ -X GET \ -u \ -H 'Content-Type: application/json' \ https:///api/v/groups ``` --- Manage (create, modify, delete) groups in the system. If you integrated OpenLDAP, AD, or SAML, you can re-use groups from there, and assign roles to them as appropriate. Otherwise, create Prisma Cloud Compute local groups to manage privileges for groups of users. --- Deletes a group. The `id` can be retrieved from the `GET /api/v1/groups` endpoint. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Authentication > Groups**. 2. Click the dotted icon under the **Actions** column to open the menu options. 3. Click the **Delete** button to initiate the deletion. 4. Click the **Delete Group** button to confirm the deletion. ### cURL Request The following cURL command deletes a collection with the name `{id}`. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ 'https:///api/v1/groups/{id}' ``` **Note:** No response will be returned upon successful execution. --- Creates or modifies a group. The `id` can be retrieved with from the `GET /api/v1/groups` endpoint. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Authentication > Groups**. 2. Click the row of the group you want to update or click dotted icon under the **Actions** column to open the menu options and click the **Manage** button. 3. Update the group's parameters. 4. Click the **Save** button to save the changes. ### cURL Request The PUT cURL command updates a group. **To submit a cURL request:** * The `name` value is required. * If one of the following resources is left unspecified, the resource value will be set to a wildcard `[*]`: `hosts`, `images`, `labels`, `containers`, `functions`, `namespaces`, `appIDs`, `accountIDs`, `codeRepos`, `clusters` The following cURL command updates `my-group` with the users associated with the usernames `john` and `jane`. **Note:** You can retrieve the group `id` names from the `GET /api/v1/groups`. ```bash $ curl 'https:///api/v1/groups/{id}' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "groupName": "my-group", "user": [ {"username": "john"}, {"username": "jane"} ], "lastModified":"2021-03-11T23:32:51.336Z" }' ``` You must include a `lastModified` timestamp even though it will be overwritten by the system **Note:** No response will be returned upon successful execution. --- Retrieves a list of all group names as an array of strings. This endpoint maps to the table data on the **Manage > Authentication > Groups** Console UI page. ### cURL Request Refer to the following example cURL command that retrieves all the system groups: ```bash $ curl -k \ -X GET \ -u \ -H 'Content-Type: application/json' \ https:///api/v/groups/names ``` A sample output would look similar to this: ```json [ "admins", "secops", "devops", "" ] ``` --- Creates a group with users. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Authentication > Groups**. 2. Add a collection using **+ Add group**. 3. Enter a group name and add at least one user. 3. Click the **Save** button. ### cURL Request Refer to the following example cURL command that creates a new group named `my-group`: ```bash $ curl -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "groupName": "my-group", "user": [ {"username": "john"}, {"username": "jane"} ] }' \ 'https:///api/v/groups' ``` This group includes the users associated with the usernames `john` and `jane`. **Note:** You must use usernames that already exist in the system. No response will be returned upon successful execution. --- Returns the status of high high availability. A curl command to access this endpoint may resemble the following code snippet: ```bash $ curl -k \ -X GET \ -u \ -H 'Content-Type: application/json' \ https://:8083/api/v1/high-availability \ ``` --- Downloads all host scan reports in CSV format. This endpoint maps to the CSV hyperlink in **Monitor > Vulnerabilities > Hosts > Running hosts** in the Console UI. **Note**: The query parameters `fields`, `complianceID` and `normalizedSeverity` are not supported for this API endpoint. ### cURL Request Refer to the following example cURL command that downloads all host scan reports to a CSV file called `hosts_report.csv`: ```bash curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET -o hosts_report.csv \ https:///api/v/hosts/download ``` A successful response displays the status of the download. --- Returns host filters such as distribution and host name. A curl command to access this endpoint may resemble the following code snippet: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/hosts/filters \ ``` --- Retrieves all host scan reports. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. This endpoint maps to the **Running hosts** table in **Monitor > Vulnerabilities > Hosts > Running hosts** in the Console UI. Refer to the following available options for the `fields` query parameters: * type * hostname * collections * firewallProtection * agentless * stopped * scanID * err * labels * externalLabels * clusters * cloudMetadata * ecsClusterName * k8sClusterAddr * vulnerabilityRiskScore * complianceIssuesCount * complianceRiskScore * complianceDistribution * vulnerabilityDistribution * vulnerabilitiesCount * osDistro * distro * osDistroRelease ### cURL Request Refer to the following cURL command that retrieves all host scan reports: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/hosts ``` A successful response returns all host scan reports. --- Host scan reports. Prisma Cloud Compute scans the host machines in your container environment for CVEs and compliance issues. Scan reports are generated for any host running Defender. --- Returns minimal information that includes hostname, distro, distro-release, collections, clusters, and agentless about all deployed hosts. A curl command to access this endpoint may resemble the following code snippet: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/hosts/info ``` --- Re-scan all hosts immediately. Refer to the following example command that forces Prisma Cloud Compute to re-scan all hosts: ```bash $ curl -k \ -u \ -X POST \ https:///api/v/hosts/scan ``` --- All the example API commands in these documents specify a `` variable, which represents the address for Console. The Console address will depend on how Console was installed. #### For SaaS Installations To find your `` path for a SaaS environment: 1. Log into Console. 2. Navigate to **Compute** > **Manage** > **System** > **Downloads**. 3. You can find your `` path listed under **Path to Console**. Click **Copy** to quickly copy the path to your clipboard. console #### For Self-hosted Installations For self-hosted environments, the Prisma Cloud Compute API is exposed on port `8083` (HTTPS). This port is specified at install time in `twistlock.cfg`. * **(Default) Kubernetes installations:** Console service is exposed by a LoadBalancer. The value for `` is the LoadBalancer followed by port `8083`: ``` https://:8083 ``` * **Onebox installations:** Console installed on a stand-alone host. The value for `` is the IP address or DNS name of the host followed by port `8083`: ``` https://:8083 ``` --- # How to evaluate All the example API commands in these documents specify a `` variable, which represents the address for Console. The Console address will depend on how Console was installed. ## For SaaS Installations To find your `` path for a SaaS environment: 1. Log into Console. 2. Navigate to **Compute** > **Manage** > **System** > **Downloads**. 3. You can find your `` path listed under **Path to Console**. Click **Copy** to quickly copy the path to your clipboard. console ## For Self-hosted Installations For self-hosted environments, the Prisma Cloud Compute API is exposed on port `8083` (HTTPS). This port is specified at install time in `twistlock.cfg`. * **(Default) Kubernetes installations:** Console service is exposed by a LoadBalancer. The value for `` is the LoadBalancer followed by port `8083`: ``` https://:8083 ``` * **Onebox installations:** Console installed on a stand-alone host. The value for `` is the IP address or DNS name of the host followed by port `8083`: ``` https://:8083 ``` # Using the curl example commands The cURL example for each endpoint is called with a username (`-u `) only. The cURL can be modified to use any of the following: * **Authentication Token:** Use the `-H` option to pass the authentication token from the `/api/v1/authenticate` endpoint into the request header. For example, replace `` with the token from the `/api/v1/authenticate` endpoint. ```bash $ curl -k \ -H 'Authorization: Bearer ' \ -X POST \ https:///api/v1/ ``` * **Username and Password:** Use the `-u` and `-p` options to include the username and password, eliminating the need to enter a password in a secondary step. For example, replace `` with the username string and `` with the password string. ```bash $ curl -k \ -u \ -p \ -X POST \ https:///api/v1/ ``` * **Username Only:** This will require the user's password to be entered as a secondary step. For example, replace `` with the username string. ```bash $ curl -k \ -u \ -X POST \ https:///api/v1/ ``` **Note:** This is a more secure method than including the `-p` option since your terminal history won't contain the password. # API restrictions Paginated API requests are capped to a max of 50 returned objects because very large responses could DoS Console. If the response contains more than 50 objects, cycle through the collection with the `offset` query parameter to retrieve more objects. For example: ``` https:///api/v1/images?limit=50&offset=X ``` --- This endpoint will trigger a Kubernetes scan. The following example curl command uses basic auth to initiate this scan: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/kubernetes/scan ``` --- Retrieves the latest Console log messages. The following example curl command retrieves the 10 latest Console log messages: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/logs/console?lines=10 ``` --- This endpoint will return the defender logs with `tar.gz` file extension given the hostname of the defender. The hostname can be returned from the endpoint `/defenders/names` The following example curl command uses basic auth to download the logs: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o defender_logs.tar.gz https://:8083/api/v1/logs/defender/download?hostname={hostname} ``` --- Retrieves the latest log messages for a given Defender. The Defender is specified by the host where it runs. You can retrieve the hostname for each Defender from the `GET /api/v1/defenders` endpoint. The following example curl command retrieves the 10 log messages for the Defender that runs on `worker.sandbox.internal`. Note that you must quote the URL when running the following command. Otherwise the shell misinterprets the ampersand (`&`) as the end of the command, and puts the curl command in the background. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https://:8083/api/v1/logs/defender?lines=10&hostname=worker.sandbox.internal" ``` --- This endpoint will return the system debug logs with `tar.gz` file extension. The following example curl command uses basic auth to download the logs: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o {file_name}.tar.gz https://:8083/api/v1/logs/system/download ``` --- This endpoint will return the cloud controller addresses configured for PCF Blobstore scanning. You can also add optional query parameters to this API call, in this example `cloudControllerAddresses` and/or `id` The following example curl command retrieves the list of addresses: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https://:8083/api/v1/pcf-droplets/addresses?cloudControllerAddresses={cloudControllerAddresses}&id={id}" ``` --- This endpoint will download the list of configured cloud controller addresses configured for PCF Blobstore scanning. The following example curl command retrieves the list of addresses and outputs it to a file call `PCF_blobstores.csv`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o PCF_blobstores.csv "https://:8083/api/v1/pcf-droplets/download?cloudControllerAddresses={cloudControllerAddresses}&id={id}" ``` --- This endpoint will return the full metadata of PCF blobstore from page **Monitor > Vulnerabilities > PCF** within the Console. The following example curl command will retrieve this: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https://:8083/api/v1/pcf-droplets?cloudControllerAddresses={cloudControllerAddresses}&id={id}" ``` --- Scan reports for the VMWare Tanzu Application Service (TAS) droplets in your blobstore(s). Droplets are archives that contain ready to run applications. They contain an OS stack, a buildpack (which contains the languages, libraries, and services used by the app), and custom app code. --- This endpoint will kick off a scan of the any PCF Blobstores you have configured. Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/pcf-droplets/scan ``` --- This endpoint will instruct the PFC Defenders to stop scanning. Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/pcf-droplets/stop ``` --- Retrieves the compliance policy for images scanned in your continuous integration (CI) pipeline. A policy consists of ordered rules. This endpoint maps to **Defend > Compliance > Containers and images > CI** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/compliance/ci/images' ``` A successful response returns a list of compliance rules in the policy. --- Updates the compliance policy for images scanned in your continuous integration (CI) pipeline. All rules in the policy are updated in a single shot. The policy set in this endpoint is enforced by the scanners in the Jenkins plugin and the `twistcli` command line tool. This endpoint maps to the policy table in **Defend > Compliance > Containers and images > CI** in the Console UI. ### cURL Request The following cURL command overwrites all rules in your current policy with a new policy that has a single rule. To construct an effective rule for this policy, specify at least one "check" and the `effect`. See [How to Construct a Compliance Policy](#how-to-construct-a-compliance-policy) for more info. For a full list of checks, go to **Defend > Compliance > Containers and images > CI** in the Console UI and create a new rule. All prebuilt checks and their IDs are shown under **Compliance actions**. ### cURL Request Refer to the following example cURL command: ```bash $ curl 'https:///api/v/policies/compliance/ci/images' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules": [ { "name": "my-rule", "effect": "alert", "collections":[ { "name":"All" } ], "condition": { "vulnerabilities": [ { "id": 41, "block": false, "minSeverity": 1 } ] } } ], "policyType": "ciImagesCompliance" }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the compliance policy for serverless functions built in your Continuous Integration (CI) pipeline. A policy consists of ordered rules. This endpoint maps to the policy table in **Defend > Compliance > Functions > CI** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/policies/compliance/ci/serverless ``` A successful response contains a list of compliance rules in the policy. --- Updates the compliance policy for serverless functions built in your Continuous Integration (CI) pipeline. All rules in the policy are updated in a single shot. The policy set in this endpoint is enforced by the scanners in the Jenkins plugin and the `twistcli` command line tool. This endpoint maps to the policy table in **Defend > Compliance > Functions > CI** in the Console UI. To construct an effective rule for this policy, specify at least one "check" and one `effect` value. See [How to Construct a Compliance Policy](#how-to-construct-a-compliance-policy) for more info. For a full list of checks, go to **Defend > Compliance > Functions > CI** in the Console UI and create a new rule. All prebuilt checks and their IDs are shown under **Compliance actions**. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/compliance/ci/serverless' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules": [ { "name": "my-rule", "effect": "alert", "collections":[ { "name":"All" } ], "condition": { "vulnerabilities": [ { "id": 436, "block": false, "minSeverity": 1 } ] } } ], "policyType": "ciServerlessCompliance" }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the compliance policy for running containers. A policy consists of ordered rules. This endpoint maps to **Defend > Compliance > Containers and images > Deployed** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/compliance/container' ``` A successful response returns a list of compliance rules in the policy. --- Lists the containers caught by your compliance policy on a per-rule basis. These rule names can be found from the `name` variable in the response from a `GET` on the basic policies/compliance endpoint. To see where Console invokes this endpoint: * In Console, go to **Defend > Compliance > Containers and images > Deployed**. * In the **Compliance rules** section, click **Show** under the **Entities in scope** column for a rule. * The endpoint is invoked when the pop-up is displayed. ### cURL Request The following cURL command returns a list of containers captured by ``. ```bash $ curl -k \ -u \ -X GET \ 'https:///api/v/policies/compliance/container/impacted?ruleName=' ``` A successful response contains a list of impacted containers by a rule within the context of the policy. --- Updates the compliance policy for running containers. All rules in the policy are updated in a single shot. This endpoint maps to the policy table in **Defend > Compliance > Containers and images > Deployed** in the Console UI. To construct an effective rule for this policy, specify at least one "check" and one `effect` value. See [How to Construct a Compliance Policy](#how-to-construct-a-compliance-policy) for more info. For a full list of checks, go to **Defend > Compliance > Containers and images > Deployed** in the Console UI and create a new rule. All prebuilt checks and their IDs are shown under **Compliance actions**. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/compliance/container' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name": "my-rule", "effect": "alert", "collections":[ { "name":"All" } ], "condition": { "vulnerabilities": [ { "id": 531, "block": false, "minSeverity": 1 } ] } } ], "policyType":"containerCompliance" }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the compliance policy for hosts protected by Defender. A policy consists of ordered rules. This endpoint maps to **Defend > Compliance > Hosts > Running hosts** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/compliance/host' ``` A successful response returns a list of compliance rules in the policy. --- Updates the compliance policy for hosts protected by Defender. All rules in the policy are updated in a single shot. This endpoint maps to the policy table in **Defend > Compliance > Hosts > Running hosts** in the Console UI. To construct an effective rule for this policy, specify at least one "check" and one `effect` value. See [How to Construct a Compliance Policy](#how-to-construct-a-compliance-policy) for more info. For a full list of checks, go to **Defend > Compliance > Hosts > Running Hosts** in the Console UI and create a new rule. All prebuilt checks and their IDs are shown under **Compliance actions**. ### cURL Request Refer tp the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/compliance/host' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name":"my-rule", "effect":"alert", "collections":[ { "name":"All" } ], "condition":{ "vulnerabilities":[ { "id":6151, "block":false } ] } } ], "policyType":"hostCompliance" }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the compliance policy for serverless functions situated in your cloud provider's infrastructure. A policy consists of ordered rules. This endpoint maps to **Defend > Compliance > Functions > Functions** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/compliance/serverless' ``` A successful response returns a list of compliance rules in the policy. --- Updates the compliance policy for serverless functions situated in your cloud provider's infrastructure. All rules in the policy are updated in a single shot. This endpoint maps to the policy table in **Defend > Compliance > Functions > Functions** in the Console UI. ### cURL Request The following cURL command overwrites all rules in your current policy with a new policy that has a single rule. To construct an effective rule for this policy, specify at least one "check" and one `effect` value. See [How to Construct a Compliance Policy](#how-to-construct-a-compliance-policy) for more info. For a full list of checks, go to **Defend > Compliance > Functions > Functions** in the Console UI and create a new rule. All prebuilt checks and their IDs are shown under **Compliance actions**. ```bash $ curl 'https:///api/v/policies/compliance/serverless' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name":"my-rule", "effect":"alert", "collections":[ { "name":"All" } ], "condition":{ "vulnerabilities":[ { "id":434, "block":false } ] } } ], "policyType":"serverlessCompliance" }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the compliance policy for VM images scanned in your cloud accounts. A policy consists of ordered rules. This endpoint maps to the policy table in **Defend > Compliance > Hosts > VM images** in the Console UI. ### cURL Request The following cURL command retrieves all rules in the policy. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/compliance/vms' ``` A successful response returns a list of compliance rules in the policy. --- Retrieves a list of all resources a compliance rule impacts. These rule names can be found from the `name` variable in the response from a `GET` on the basic policies/compliance endpoint. Use query parameters to retrieve the list of impacted resources by *account ID*, *rule name*, or *collection*. ### cURL Request Refer to the following example cURL command, which retrieves a list of impacted resources: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/policies/compliance/vms/impacted" ``` --- Updates the compliance policy for VM images scanned in your cloud accounts. All rules in the policy are updated in a single shot. This endpoint maps to the policy table in **Defend > Compliance > Hosts > VM images** in the Console UI. ### cURL Request The following cURL command overwrites all rules in your current policy with a new policy that has a single rule. To construct an effective rule for this policy, specify at least one "check" and one `effect` value. See [How to Construct a Compliance Policy](#how-to-construct-a-compliance-policy) for more info. For a full list of checks, go to **Defend > Compliance > Hosts > VM images** in the Console UI and create a new rule. All prebuilt checks and their IDs are shown under **Compliance actions**. ```bash $ curl 'https:///api/v/policies/compliance/vms' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name":"my-rule", "effect":"alert", "collections":[ { "name":"All" } ], "condition":{ "vulnerabilities":[ { "id":6151, "block":false } ] } } ], "policyType":"vmCompliance" }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves a list of all access control rules for Docker Engine commands. Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/policies/docker ``` --- Updates all Docker Engine access control rules in a single shot. Updating all rules at the same time makes it possible to maintain strict ordering between rules. The procedure to add, edit, or remove Docker access control rules is: 1. Get all Docker access control rules using the GET endpoint. The following curl command uses basic auth to retrieve a list of all rules, pretty-print the JSON response, and save the results to a file. ``` $ curl -k \ -u \ https://:8083/api/v1/policies/docker \ | jq '.' > docker_access_control_rules.json ``` 2. Modify the JSON output according to your needs. 3. Update rules by pushing the new JSON payload. The following curl command installs the rules defined in your `docker_access_control_rules.json` file. Do not forget to specify the `@` symbol. ``` $ curl -k \ -u \ -X PUT \ -H "Content-Type:application/json" \ https://:8083/api/v1/policies/docker \ --data-binary "@docker_access_control_rules.json" ``` Any previously installed rules are overwritten. --- Retrieves the WAAS policy for web apps protected by App-Embedded Defender. A policy consists of ordered rules. This endpoint maps to **Defend > WAAS > App-Embedded** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/firewall/app/app-embedded' ``` A successful response returns a list of rules in the policy. --- Updates the WAAS policy for web apps protected by App-Embedded Defender. All rules in the policy are updated in a single shot. To invoke this endpoint in the Console UI: 1. Navigate to **Defend > WAAS > App-Embedded**. 2. Click **+ Add rule** and enter the new rule information. 3. Click the **Add new app** button to move to the configuration window. 4. Configure the application with at least one endpoint, and click the **Save** button. Adding and maintaining rules for a WAAS app involves populating a large and complex JSON request body. We recommend the following process: 1. Manually define your app's policy via the Console UI as described [here](https://docs.twistlock.com/docs/compute_edition/waas/deploy_waas.html). 2. Use the **Export** button on **Defend** > **WAAS** to export the app's policy rules to a JSON file. 3. Use the exported file as a template to modify, then either import the file back in using the **Import** button, or use it as the basis for defining the rules to include in this endpoint's payload. ### cURL Request The following cURL command overwrites all rules in your current policy with a new policy that has a single rule. ```bash $ curl 'https:///api/v/policies/firewall/app/app-embedded' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ ' { "_id":"appEmbeddedAppFirewall", "rules":[ { "name":"my-rule", "collections":[ { "name":"All" } ], "applicationsSpec":[ { "banDurationMinutes":5, "certificate":{ }, "dosConfig":{ "effect":"disable", "matchConditions":[ ] }, "apiSpec":{ "endpoints":[ { "host":"*", "basePath":"*", "exposedPort":1, "internalPort":1, "tls":false, "http2":false } ], "paths":[ { "path":"/api/v1/logs/system/upload", "methods":[ { "method":"POST" } ] } ], "effect":"disable", "fallbackEffect":"disable" }, "botProtectionSpec":{ "userDefinedBots":[ ], "knownBotProtectionsSpec":{ "searchEngineCrawlers":"disable", "businessAnalytics":"disable", "educational":"disable", "news":"disable", "financial":"disable", "contentFeedClients":"disable", "archiving":"disable", "careerSearch":"disable", "mediaSearch":"disable" }, "unknownBotProtectionSpec":{ "generic":"disable", "webAutomationTools":"disable", "webScrapers":"disable", "apiLibraries":"disable", "httpLibraries":"disable", "botImpersonation":"disable", "browserImpersonation":"disable", "requestAnomalies":{ "threshold":9, "effect":"disable" } }, "sessionValidation":"disable", "interstitialPage":false, "jsInjectionSpec":{ "enabled":false, "timeoutEffect":"disable" } }, "networkControls":{ "advancedProtectionEffect":"alert", "deniedSubnetsEffect":"alert", "deniedCountriesEffect":"alert", "allowedCountriesEffect":"alert" }, "body":{ "inspectionSizeBytes":131072 }, "intelGathering":{ "infoLeakageEffect":"disable", "removeFingerprintsEnabled":true }, "maliciousUpload":{ "effect":"disable", "allowedFileTypes":[ ], "allowedExtensions":[ ] }, "csrfEnabled":true, "clickjackingEnabled":true, "sqli":{ "effect":"prevent", "exceptionFields":[ ] }, "xss":{ "effect":"alert", "exceptionFields":[ ] }, "attackTools":{ "effect":"alert", "exceptionFields":[ ] }, "shellshock":{ "effect":"alert", "exceptionFields":[ ] }, "malformedReq":{ "effect":"alert", "exceptionFields":[ ] }, "cmdi":{ "effect":"alert", "exceptionFields":[ ] }, "lfi":{ "effect":"alert", "exceptionFields":[ ] }, "codeInjection":{ "effect":"alert", "exceptionFields":[ ] }, "remoteHostForwarding":{ }, "selected":true, "headerSpecs":[ ] } ], "expandDetails":true } ], "minPort":30000, "maxPort":31000 }' ``` **Note:** No response will be returned upon successful execution. --- Resolves the endpoints defined in an OpenAPI/Swagger specification and returns a `waas.APISpec` object. The `waas.APISpec` object can be included in the body of a subsequent call to the `PUT api/v1/policies/firewall/app/app-embedded` endpoint to define an app that WAAS monitors and protects. To invoke this endpoint in the Console UI: 1. Navigate to the **Defend > WAAS > App-Embedded** page. 2. Click **Add rule**. 3. Enter the details for the new rule and click **Add new app**. 4. On the **App definition** tab, click the **Import** button and select an OpenAPI/Swagger specification file. **Note:** You can use a YAML or JSON format for the OpenAPI/Swagger specification. ### cURL Request Refer to the following example cURL command that imports an API from an OpenAPI/Swagger specification: ```bash $ curl 'https:///api/v/policies/firewall/app/apispec' \ -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "swagger": "2.0", "info": { "version": "2021.7.28", "title": "Book API", "description": "A simple API for books.", "contact": { "name": "John Smith", "email": "test.email@email.com", "url": "http://mywebsite.com" }, "license": { "name": "Apache 2.0", "url": "https://www.apache.org/licenses/LICENSE-2.0.html" } }, "host": "api.mywebsite.com", "basePath": "/api", "schemes": [ "http" ], "consumes": [ "application/json" ], "produces": [ "application/json" ], "paths": { "/books": { "get": { "description": "Returns a list of books.", "operationId": "findBooks", "responses": { "200": { "description": "Success response", "schema": { "type": "array", "items": { "$ref": "#/definitions/Book" } } }, "default": { "description": "unexpected error", "schema": { "$ref": "#/definitions/Error" } } } } } }, "definitions": { "Book": { "allOf": [ { "required": [ "id" ], "properties": { "id": { "type": "integer", "format": "int64" } } } ] }, "Error": { "required": [ "code", "message" ], "properties": { "code": { "type": "integer", "format": "int32" }, "message": { "type": "string" } } } } }' ``` A successful response returns a `waas.APISpec` object containing the API specification that was imported. --- Retrieves the WAAS policy for containers. A policy consists of ordered rules. This endpoint maps to **Defend > WAAS > Container** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ 'https:///api/v/policies/firewall/app/container' ``` A successful response returns a list of rules in the policy. --- Updates the WAAS policy for containers. All rules are updated in a single shot. Updating all rules at the same time makes it possible to maintain strict ordering between rules. To invoke this endpoint in the Console UI: 1. Navigate to **Defend > WAAS > Container**. 2. Click **+ Add rule** and enter the new rule information. 3. Click the **Add new app** button to move to the configuration window. 4. Configure the application with at least one endpoint, and click the **Save** button. Adding and maintaining rules for a WAAS app involves populating a large and complex JSON request body. We recommend the following process: 1. Manually define your app's policy via the Console UI as described [here](https://docs.twistlock.com/docs/compute_edition/waas/deploy_waas.html). 2. Use the **Export** button on **Defend** > **WAAS** to export the app's policy rules to a JSON file. 3. Use the exported file as a template to modify, then either import the file back in using the **Import** button, or use it as the basis for defining the rules to include in this endpoint's payload. ### cURL Request Refer to the following example cURL command that overwrites all applications rules with a single rule. ``` $ curl 'https:///api/v/policies/firewall/app/container' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ ' { "_id":"appEmbeddedAppFirewall", "rules":[ { "name":"my-rule", "collections":[ { "name":"All" } ], "applicationsSpec":[ { "banDurationMinutes":5, "certificate":{ }, "dosConfig":{ "effect":"disable", "matchConditions":[ ] }, "apiSpec":{ "endpoints":[ { "host":"*", "basePath":"*", "exposedPort":1, "internalPort":1, "tls":false, "http2":false } ], "paths":[ { "path":"/api/v1/logs/system/upload", "methods":[ { "method":"POST" } ] } ], "effect":"disable", "fallbackEffect":"disable" }, "botProtectionSpec":{ "userDefinedBots":[ ], "knownBotProtectionsSpec":{ "searchEngineCrawlers":"disable", "businessAnalytics":"disable", "educational":"disable", "news":"disable", "financial":"disable", "contentFeedClients":"disable", "archiving":"disable", "careerSearch":"disable", "mediaSearch":"disable" }, "unknownBotProtectionSpec":{ "generic":"disable", "webAutomationTools":"disable", "webScrapers":"disable", "apiLibraries":"disable", "httpLibraries":"disable", "botImpersonation":"disable", "browserImpersonation":"disable", "requestAnomalies":{ "threshold":9, "effect":"disable" } }, "sessionValidation":"disable", "interstitialPage":false, "jsInjectionSpec":{ "enabled":false, "timeoutEffect":"disable" } }, "networkControls":{ "advancedProtectionEffect":"alert", "deniedSubnetsEffect":"alert", "deniedCountriesEffect":"alert", "allowedCountriesEffect":"alert" }, "body":{ "inspectionSizeBytes":131072 }, "intelGathering":{ "infoLeakageEffect":"disable", "removeFingerprintsEnabled":true }, "maliciousUpload":{ "effect":"disable", "allowedFileTypes":[ ], "allowedExtensions":[ ] }, "csrfEnabled":true, "clickjackingEnabled":true, "sqli":{ "effect":"prevent", "exceptionFields":[ ] }, "xss":{ "effect":"alert", "exceptionFields":[ ] }, "attackTools":{ "effect":"alert", "exceptionFields":[ ] }, "shellshock":{ "effect":"alert", "exceptionFields":[ ] }, "malformedReq":{ "effect":"alert", "exceptionFields":[ ] }, "cmdi":{ "effect":"alert", "exceptionFields":[ ] }, "lfi":{ "effect":"alert", "exceptionFields":[ ] }, "codeInjection":{ "effect":"alert", "exceptionFields":[ ] }, "remoteHostForwarding":{ }, "selected":true, "headerSpecs":[ ] } ], "expandDetails":true } ], "minPort":30000, "maxPort":31000 }' ``` ​**Note:** No response will be returned upon successful execution. --- Retrieves the WAAS policy for hosts. A policy consists of ordered rules. This endpoint maps to **Defend > WAAS > Host** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/firewall/app/host' ``` A successful response returns a list of rules in the policy. --- Updates the WAAS policy for hosts. All rules in the policy are updated in a single shot. To invoke this endpoint in the Console UI: 1. Navigate to **Defend > WAAS > Host**. 2. Click **+ Add rule** and enter the new rule information. 3. Click the **Add new app** button to move to the configuration window. 4. Configure the application with at least one endpoint, and click the **Save** button. Adding and maintaining rules for a WAAS app involves populating a large and complex JSON request body. We recommend the following process: 1. Manually define your app's policy via the Console UI as described [here](https://docs.twistlock.com/docs/compute_edition/waas/deploy_waas.html). 2. Use the **Export** button on **Defend** > **WAAS** to export the app's policy rules to a JSON file. 3. Use the exported file as a template to modify, then either import the file back in using the **Import** button, or use it as the basis for defining the rules to include in this endpoint's payload. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/firewall/app/host' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "_id":"hostAppFirewall", "rules":[ { "name":"My Rule", "notes":"My Notes 4", "collections":[ { "name":"All" } ], "applicationsSpec":[ { "banDurationMinutes":5, "certificate":{ "encrypted":"" }, "dosConfig":{ "effect":"disable" }, "apiSpec":{ "description":"test", "endpoints":[ { "host":"*", "basePath":"*", "exposedPort":0, "internalPort":1, "tls":false, "http2":false } ], "effect":"disable", "fallbackEffect":"disable" }, "botProtectionSpec":{ "userDefinedBots":[ ], "knownBotProtectionsSpec":{ "searchEngineCrawlers":"disable", "businessAnalytics":"disable", "educational":"disable", "news":"disable", "financial":"disable", "contentFeedClients":"disable", "archiving":"disable", "careerSearch":"disable", "mediaSearch":"disable" }, "unknownBotProtectionSpec":{ "generic":"disable", "webAutomationTools":"disable", "webScrapers":"disable", "apiLibraries":"disable", "httpLibraries":"disable", "botImpersonation":"disable", "browserImpersonation":"disable", "requestAnomalies":{ "threshold":9, "effect":"disable" } }, "sessionValidation":"disable", "interstitialPage":false, "jsInjectionSpec":{ "enabled":false, "timeoutEffect":"disable" } }, "networkControls":{ "advancedProtectionEffect":"alert", "deniedSubnetsEffect":"alert", "deniedCountriesEffect":"alert", "allowedCountriesEffect":"alert" }, "body":{ "inspectionSizeBytes":131072 }, "intelGathering":{ "infoLeakageEffect":"disable", "removeFingerprintsEnabled":true }, "maliciousUpload":{ "effect":"disable", "allowedFileTypes":[ ], "allowedExtensions":[ ] }, "csrfEnabled":true, "clickjackingEnabled":true, "sqli":{ "effect":"alert", "exceptionFields":[ ] }, "xss":{ "effect":"alert", "exceptionFields":[ ] }, "attackTools":{ "effect":"alert", "exceptionFields":[ ] }, "shellshock":{ "effect":"alert", "exceptionFields":[ ] }, "malformedReq":{ "effect":"alert", "exceptionFields":[ ] }, "cmdi":{ "effect":"alert", "exceptionFields":[ ] }, "lfi":{ "effect":"alert", "exceptionFields":[ ] }, "codeInjection":{ "effect":"alert", "exceptionFields":[ ] }, "remoteHostForwarding":{ } } ], "expandDetails":true } ], "minPort":30000, "maxPort":31000 }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves a list of all WAAS network lists. Network lists are groups or related IPv4 addresses and CIDR blocks used in WAAS policy rules. This endpoint is typically called as part of a process to programmatically update network lists based on new threat intelligence. For example: add, update, or delete IP addresses. This endpoint maps to **Defend > WAAS > Network lists** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ 'https:///api/v/policies/firewall/app/network-list' ``` A successful response returns the lists of IPv4 addresses/IP CIDR blocks for networks in WAAS. --- Deletes an existing WAAS network list. This endpoint is typically called to programmatically delete a network list, based on new threat intelligence. To invoke this endpoint in the Console UI: 1. Navigate to the **Defend > WAAS > Network lists** page. 2. Locate an existing list in the table to delete and click the trash icon under the **Actions** columns. 3. Click **Delete Network List** to confirm the deletion. ### cURL Request Refer to the following example cURL command that deletes a new network list. ```bash $ curl 'https:///api/v/policies/firewall/app/network-list/{id}' \ -k \ -X DELETE \ -u \ -H 'Content-Type: application/json' ``` ​**Note:** No response will be returned upon successful execution. --- Creates a new WAAS network list. This endpoint is typically called to programmatically create a list, based on new threat intelligence. To invoke this endpoint in the Console UI: 1. Navigate to the **Defend > WAAS > Network lists** page. 2. Click **+ Add new network list**. 3. Enter the details for the new network list and click **Save Network List** ### cURL Request Refer to the following example cURL command that adds a new network list. ```bash $ curl 'https:///api/v/policies/firewall/app/network-list' \ -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "_id":"{id}", "subnets":[ "192.145.2.3", "192.167.2.2" ] }' ``` ​**Note:** No response will be returned upon successful execution. --- Updates an existing WAAS network list. This endpoint is typically called to programmatically update a network list, based on new threat intelligence. To invoke this endpoint in the Console UI: 1. Navigate to the **Defend > WAAS > Network lists** page. 2. Click on an existing list in the table and update the list as required. 3. Click **Update Network List** to save the changes. ### cURL Request Refer to the following example cURL command that updates a network list. ```bash $ curl 'https:///api/v/policies/firewall/app/network-list' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "_id":"{id}", "subnets":[ "192.145.3.3", "192.167.3.2" ] }' ``` ​**Note:** No response will be returned upon successful execution. --- Discovers and detects the HTTP traffic for an existing WAAS out of band custom rule. A policy consists of ordered rules. This endpoint maps to **Defend > WAAS > Out of band** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/firewall/app/out-of-band' ``` A successful response returns a list of rules in the policy. --- Discovers and detects the impacted resources for the HTTP traffic in an existing WAAS out of band custom rule. This endpoint maps to **Defend > WAAS > Out of band** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/firewall/app/out-of-band/impacted' ``` A successful response returns a list of impacted resources in the policy. --- Updates or edits a WAAS custom rule for out of band traffic. A policy consists of ordered rules. This endpoint maps to **Defend > WAAS > Out of band** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl 'https:///api/v/policies/firewall/app/out-of-band' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name":"my-rule", "effect":"disable", "collections":[ { "name":"All" } ], } ], }' ``` --- Retrieves a list of all application firewall (CNAF) rules for RASP. ``` $ curl -k \ -u \ https://:8083/api/v1/policies/firewall/app/rasp ``` --- Updates all application firewall (CNAF for RASP) rules in a single shot. Updating all rules at the same time makes it possible to maintain strict ordering between rules. The procedure to add, edit, or remove rules is: 1. Get all rules using the GET endpoint. The following curl command uses basic auth to retrieve a list of all rules, pretty-print the JSON response, and save the results to a file. ``` $ curl -k \ -u \ https://:8083/api/v1/policies/firewall/app/rasp \ | jq '.' > app_firewall_rules.json ``` 2. Modify the JSON output according to your needs. 3. Update rules by pushing the new JSON payload. The following curl command installs the rules defined in your `app_firewall_rules.json` file. Do not forget to specify the `@` symbol. ``` $ curl -k \ -u \ -X PUT \ -H "Content-Type:application/json" \ https://:8083/api/v1/policies/firewall/app/rasp \ --data-binary "@app_firewall_rules.json" ``` Any previously installed rules are overwritten. --- Retrieves a list of all WAAS policy rules for serverless functions. This endpoint maps to **Defend > WAAS > Serverless** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ 'https:///api/v/policies/firewall/app/serverless' ``` A successful response returns a list of firewall rules in the policy. --- Updates the WAAS policy for serverless functions. To invoke this endpoint in the Console UI: 1. Navigate to the **Defend > WAAS > Serverless** page. 2. Click **+ Add rule**. 3. Enter the details for the new serverless function and click **Save** Adding and maintaining rules for a WAAS app involves populating a large and complex JSON request body. We recommend the process: 1. Manually define your app's policy via the Console UI as described [here](https://docs.twistlock.com/docs/compute_edition/waas/deploy_waas.html). 2. Use the **Export** button on **Defend** > **WAAS** to export the app's policy rules to a JSON file. 3. Use the exported file as a template to modify, then either import the file back in using the **Import** button, or use it as the basis for defining the rules to include in this endpoint's payload. ### cURL Request Refer to the following example cURL command: ```bash $ curl 'https:///api/v/policies/firewall/app/serverless' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "_id": "serverlessAppFirewall", "rules": [ { "name": "{id}", "previousName": "", "collections": [ { "hosts": ["*"], "images": ["*"], "labels": ["*"], "containers": ["*"], "functions": ["*"], "namespaces": ["*"], "appIDs": ["*"], "accountIDs": ["*"], "codeRepos": ["*"], "clusters": ["*"], "name": "All" } ], "applicationsSpec": [ { "xss": { "effect": "alert", "exceptionFields": [] }, "codeInjection": { "effect": "alert", "exceptionFields": [] }, "sqli": { "effect": "alert", "exceptionFields": [] }, "lfi": { "effect": "alert", "exceptionFields": [] }, "cmdi": { "effect": "alert", "exceptionFields": [] }, "body": { "inspectionSizeBytes": 131072 } } ] } ], "minPort": 0, "maxPort": 0 }' ``` ​**Note:** No response will be returned upon successful execution. --- Retrieves a list of all CNNS container and host rules. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/policies/firewall/network" ``` --- Updates all container and host CNNS rules in a single shot. Updating all rules at the same time makes it possible to maintain strict ordering between rules. The procedure to add, edit, or remove rules is: 1. Get all rules using the GET endpoint. ### cURL Request Refer to the following example cURL command that retrieves a list of all rules, pretty-print the JSON response, and save the results to a file: ```bash $ curl -k \ -u \ -X PUT \ -H "Content-Type:application/json" \ -o \ "https:///api/v/policies/firewall/network/container" ``` 2. Modify the JSON output according to your needs. 3. Update rules by pushing the new JSON payload. ### cURL Request Refer to the following example cURL command that installs the rules defined in your `network_firewall_rules.json` file. Do not forget to specify the `@` symbol. ```bash $ curl -k \ -u \ -X PUT \ -H "Content-Type:application/json" \ --data-binary "@network_firewall_rules.json" \ "https:///api/v/policies/firewall/network/container" ``` Any previously installed rules are overwritten. --- Retrieves a list of all CNNF network objects. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/policies/firewall/network/entities ``` --- Updates the list of CNNF network objects. The following example curl command updates the network objects. There is an example of all three types (images,subnets, and applications ): ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d \ '[ {"_id":"Ubuntu","type":"container","resource":{"images":["ubuntu:latest"],"labels":["*"]}}, {"_id":"Google DNS","type":"subnet","resource":{"labels":["*"]},"subnets":[{"name":"8.8.8.8/24","cidr":"8.8.8.8/24"}]}, {"_id":"SSH","type":"appID","resource":{"appIDs":["ssh"]},"subnets":[]} ]' \ https://:8083/api/v1/policies/firewall/network/entities ``` --- Policies are sets of ordered rules. [Rule order](https://docs.twistlock.com/docs/latest/configure/rule_ordering_pattern_matching.html) determines how a policy is evaluated. You can manage your rules and policies programmatically using the policy API endpoints. For more information about policy endpoints, see: * [How to Add / Update Policy Rules](#how-to-add--update-policy-rules) * [How to Delete Policy Rules](#how-to-delete-policy-rules) * [How to Construct a Compliance Policy](#how-to-construct-a-compliance-policy) ### How to Add / Update Policy Rules All of the `PUT /api/vVERSION/policies/*` endpoints work similarly. To add, edit, or remove vulnerability rules from a policy: 1. Retrieve the entire policy, which includes all the vulnerability rules using the `GET` endpoint. For example, the following cURL command uses basic auth to retrieve a list of all image vulnerability rules, pretty-prints the JSON response, and saves the results to a `vulnerability_rules.json` file. ```bash $ curl -k \ -u \ https:///api/v1/policies/runtime/host \ | jq '.' > vulnerability_rules.json ``` 2. Modify the saved JSON with the updates, including any new rule insertions. **Note:** Rule order is important. 3. Update the rules by pushing the new JSON payload into the `PUT` endpoint. For example, the following cURL command installs the rules defined in your `vulnerability_rules.json` file. **Note:** Remember to specify the `@` symbol. ```bash $ curl -k \ -u \ -X PUT \ -H "Content-Type:application/json" \ 'https:///api/v/policies/runtime/host \ --data-binary "@vulnerability_rules.json"' ``` Any previously installed rules are overwritten. #### Minimum Rule Parameters To create or update a rule, specify the following: * Rule name * At least 1 collection specifying a collection name (at minimum) * A block threshold (optional, but recommended) * An alert threshold (optional, but recommended) For example, to replace all the vulnerability rules for CI image deployments: ```bash $ curl 'https:///api/v/policies/vulnerability/ci/images?project=' \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules": [ { "name": "", "collections":[ { "name":"", } ], "alertThreshold":{ "disabled":false, "value":4 }, "blockThreshold":{ "enabled":false, "value":0 }, } ], "policyType": "ciImagesVulnerability" }' ``` **Note:** The default alert threshold of `Low` is typically too broad and not actionable. Usually you'll want to specify a threshold of `Critical` or `High`. ##### Referencing Collections by Name You can reference a collection by its name when creating / updating a rule. If the collection name exists in Console, the remaining resource fields for the collection will automatically be filled in. **Note:** The referenced collections *must* exist prior to creating / updating rules, or the API will not add / update your rules. In Console, the default collection is `All`. `All` is a collection created by the system when the software is installed / upgraded. When using the API, you can specify `All` as the `` to apply the default collection. ### How to Delete Policy Rules In general, the policy endpoints don't have `DELETE` methods. Use the `PUT` method to delete all rules by submitting an empty JSON object. For example, to delete all host runtime rules: ``` curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d '{}' \ https:///api/v1/policies/runtime/host ``` ### How to Construct a Compliance Policy To construct an effective rule for a compliance policy: 1. Specify at least one "check" in the `condition.vulnerabilities` object. A check is a security best practice or baseline setting which will be validated by the scanner. 2. Specify an action for each check. Prisma Cloud needs to know what to do when a check fails (for example, alert or block). 3. In the `effect` parameter, specify the range of possible actions configured in the rule. The value in `effect` a comma-separated list. For example, in a one-check rule, the effect could be `alert` or in a two-check rule, the effect could be `alert, fail`. See [Actions for failed checks](#actions-for-failed-checks) for more info. The following curl command creates a single rule compliance policy for container images scanned in the CI pipeline: ```bash $ curl 'https:///api/v/policies/compliance/ci/images' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules": [ { "name": "my-rule", "effect": "alert", "collections":[ { "name":"All" } ], "condition": { "vulnerabilities": [ { "id": 41, "block": false, "minSeverity": 1 } ] } } ], "policyType": "ciImagesCompliance" }' ``` #### Actions for failed checks To configure Prisma Cloud to run a check, add the check to your rule in the `condition.vulnerabilities` object. For each check, specify the action to take if the check fails. Actions are set on a per-check basis in `condition.vulnerabilities[X].block`, where: Effect |`condition.vulnerabilities[X].block` ---|--- `alert`|`false` `fail`|`true` The `ignore` effect is set implicitly for any check *not* explicitly included in the `condition.vulnerabilities[X]` array. The `effect` parameter is a helper for the Console UI and has no impact on the policy itself. However, we recommend you specify an `effect` parameter for each rule, to ensure the policy table in the Console UI renders properly. In the UI, these are convenience strings which enable you to quickly review the policy table and see the effect of each rule. For example, you may want to quickly find the rule that's failing/blocking your build in the CI pipeline. --- Retrieves the runtime policy for apps protected by App-Embedded Defenders. A policy consists of ordered rules. This endpoint maps to **Defend > Runtime > App-Embedded policy** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/runtime/app-embedded' ``` A successful response returns a list of runtime rules in the policy. --- Adds a runtime policy for app-embedded deployments. This endpoint maps to the **Add rule** button in **Defend > Runtime > App-Embedded policy** in the Console UI. ### cURL Request The following cURL command adds a single rule to your policy. ```bash $ curl 'https:///api/v/policies/runtime/app-embedded' \ -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "name":"my-rule", "collections":[ { "name":"All" } ], "processes":{ "effect":"alert" }, "network":{ "effect":"alert", "blacklistIPs":[ ], "blacklistListeningPorts":[ ], "whitelistListeningPorts":[ ], "blacklistOutboundPorts":[ ], "whitelistOutboundPorts":[ { "start":4312, "end":4555, "deny":false } ], "whitelistIPs":[ ] }, "dns":{ "effect":"prevent", "whitelist":[ ], "blacklist":[ ] } }' ``` **Note:** No response will be returned upon successful execution. --- Updates the runtime policy for app-embedded deployments. All rules in the policy are updated in a single shot. This endpoint maps to the **Add rule** button in **Defend > Runtime > App-Embedded policy** in the Console UI. ### cURL Request The following cURL command overwrites all rules in your current policy with a new policy that has a single rule. ```bash $ curl 'https:///api/v/policies/runtime/app-embedded' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name":"my-rule", "collections":[ { "name":"All" } ], "processes":{ "effect":"alert" }, "network":{ "effect":"alert" }, "dns":{ "effect":"alert" } } ] }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the runtime policy for containers protected by Defender. A policy consists of ordered rules. This endpoint maps to **Defend > Runtime > Container policy** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/runtime/container' ``` A successful response returns a list of runtime rules in the policy. --- Returns the impacted images based on a given rule In the Console UI, you can see how it works by going to the **Defend > Runtime > Container policy** page and clicking the **Show** link. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/runtime/container/impacted?ruleName={ruleName}' ``` For additional help with your `ruleName`: ```bash $ curl -k -G \ -u \ -H 'Content-Type: application/json' \ -X GET \ --data-urlencode 'ruleName=Default - alert on suspicious runtime behavior' \ 'https:///api/v/policies/runtime/container/impacted' ``` --- Updates the runtime policy for containers. All rules in the policy are updated in a single shot. Prisma Cloud automatically builds allow-list security models for each container image in your environment. Use runtime container rules to augment the rules in those models. Manually defined rules augment learned models as follows: Policy (allowed) = Manual rules (explicitly allowed) + Model (all learned behavior) - Manual rules (explicitly denied) This endpoint maps to the **Add rule** button in **Defend > Runtime > Container policy** in the Console UI. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/runtime/container' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name":"my-rule", "collections":[ { "name":"All" } ], "processes":{ "effect":"alert" }, "network":{ "effect":"alert" }, "dns":{ "effect":"alert" }, "filesystem":{ "effect":"alert" } } ] }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the runtime policy for hosts protected by Defender. A policy consists of ordered rules. This endpoint maps to **Defend > Runtime > Host policy** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/runtime/host' ``` A successful response returns a list of runtime rules in the policy. --- Updates the runtime policy for hosts protected by Defender. All rules in the policy are updated in a single shot. This endpoint maps to the **Add rule** button in **Defend > Runtime > Host policy** in the Console UI. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/runtime/host' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name":"my-rule", "collections":[ { "name":"All" } ], "advancedProtection":"alert", "processes":{ "effect":"alert" }, "network":{ "effect":"disable" }, "dns":{ "effect":"disable" } } ] }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the list of rules that make up your RASP runtime policy. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/policies/runtime/rasp ``` --- Updates all RASP runtime rules in a single shot. Updating all rules at the same time makes it possible to maintain strict ordering between rules. The procedure to add, edit, or remove rules is: 1. Get all runtime rules using the GET endpoint. The following curl command uses basic auth to retrieve the rules, pretty-print the JSON response, and save the results to a file. ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET https://:8083/api/v1/policies/runtime/rasp \ | jq '.' > rasp_runtime_rules.json ``` 2. Modify the JSON output according to your needs. 3. Update rules by pushing the new JSON payload. The following curl command installs the rules defined in your `rasp_runtime_rules.json` file. Do not forget to specify the `@` symbol. ``` $ curl -k \ -u \ -H "Content-Type:application/json" \ -X PUT \ https://:8083/api/v1/policies/runtime/rasp \ --data-binary "@rasp_runtime_rules.json" ``` Any previously installed rules are overwritten. --- Retrieves the runtime policy for your serverless functions. A policy consists of ordered rules. This endpoint maps to **Defend > Runtime > Serverless policy** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/runtime/serverless' ``` A successful response returns a list of runtime rules in the policy. --- Updates the runtime policy for your serverless functions. All rules in the policy are updated in a single shot. This endpoint maps to the **Add rule** button in **Defend > Runtime > Serverless policy** in the Console UI. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/runtime/serverless' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name":"my-rule", "collections":[ { "name":"All" } ], "processes":{ "effect":"alert" }, "network":{ "effect":"disable" }, "dns":{ "effect":"disable" }, "filesystem":{ "effect":"disable" } } ] }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves a list of all secrets rules. The following curl command uses basic auth to retrieve a list of all rules, pretty-print the JSON response, and save the results to a file. ``` $ curl -k \ -u \ -X GET \ https://:8083/api/v1/policies/secrets ``` --- Updates all secrets rules in a single shot. Updating all rules at the same time makes it possible to maintain strict ordering between rules. Each rule specifies how and where specified secrets from a given store are injected into running containers. The procedure to add, edit, or remove secrets rules is: 1. Get all secrets rules using the GET endpoint. The following curl command uses basic auth to retrieve a list of all rules, pretty-print the JSON response, and save the results to a file. ``` $ curl -k \ -u \ https://:8083/api/v1/policies/secrets \ | jq '.' > secrets_rules.json ``` 2. Modify the JSON output according to your needs. 3. Update rules by pushing the new JSON payload. The following curl command installs the rules defined in your `secrets_rules.json` file. Do not forget to specify the `@` symbol. ``` $ curl -k \ -u \ -X PUT \ -H "Content-Type:application/json" \ https://:8083/api/v1/policies/secrets \ --data-binary "@secrets_rules.json" ``` Any previously installed rules are overwritten. --- Retrieves the list of rules that make up your trusted images policy. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/policies/trust ``` --- Updates the list of rules that make up your trusted images policy. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d \ '{ "_id":"imageTrust", "rules":[{"allowedGroups":[],"deniedGroups":[], "effect":"alert","action":["*"], "blockMsg":"", "resources":{"images":["*"],"hosts":["*"],"labels":["*"]}, "name":"My rule"}] }' \ https://:8083/api/v1/policies/trust ``` --- Removes all base images under a given scope. For the `id` path parameter to be passed correctly in the URL, it needs to be percent-encoded. Further, the percent ("%") character itself must be percent-encoded as "%25". Therefore, each forward slash ("/") character needs to be encoded as "%252F". --- Retrieves the vulnerability policy for images scanned in your continuous integration (CI) pipeline. A policy consists of ordered rules. This endpoint maps to **Defend > Vulnerabilities > Images > CI** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/vulnerability/ci/images' ``` A successful response returns a list of vulnerability rules in the policy. --- Updates the policy for images scanned in your continuous integration (CI) pipeline. All rules in the policy are updated in a single shot. The policy set in this endpoint is enforced by the scanners in the Jenkins plugin and the `twistcli` command line tool. This endpoint maps to the policy table in **Defend > Vulnerabilities > Images > CI** in the Console UI. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/vulnerability/ci/images' \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules": [ { "name": "", "collections":[ { "name":"", } ], "alertThreshold":{ "disabled":false, "value":4 }, "blockThreshold":{ "enabled":false, "value":0 }, ... } ], "policyType": "ciImagesVulnerability" ... }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the vulnerability policy for serverless functions scanned in your continuous integration (CI) pipeline. A policy consists of ordered rules. This endpoint maps to the policy table in **Defend > Vulnerabilities > Functions > CI** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/vulnerability/ci/serverless' ``` A successful response contains a list of vulnerability rules in the policy. --- Updates the vulnerability policy for serverless functions scanned in your continuous integration (CI) pipeline. All rules in the policy are updated in a single shot. The policy set in this endpoint is enforced by the scanners in the Jenkins plugin and the `twistcli` command line tool. This endpoint maps to the policy table in **Defend > Vulnerabilities > Functions > CI** in the Console UI. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/vulnerability/ci/serverless' \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules": [ { "name": "", "collections": [ { "name":"", } ], "alertThreshold": { "value": 1, "disabled": false }, "blockThreshold": { "value": 0, "enabled": false }, ... } ], "policyType": "ciServerlessVulnerability", ... }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the vulnerability policy for code repositories. A policy consists of ordered rules. This endpoint maps to **Defend > Vulnerabilities > Code repositories** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -X GET \ 'https:///api/v/policies/vulnerability/coderepos' ``` A successful response returns a list of vulnerability rules in the policy. --- Lists the code repositories caught by your policy on a per-rule basis. To see where Console invokes this endpoint: * In Console, go to **Defend > Vulnerabilities**. * In the **Vulnerability rules** section, click **Show** under the **Entities in scope** column for a rule. * The endpoint is invoked when the pop-up is displayed. ### cURL Request The following cURL command returns a list of code repositories captured by ``. ```bash $ curl -k \ -u \ -X GET 'https:///api/v/policies/vulnerability/coderepos/impacted?project=&ruleName=' ``` A successful response contains a list of impacted repositories by a rule within the context of the policy. --- Updates the vulnerability policy for your code repositories. All rules in the policy are updated in a single shot. This endpoint maps to the policy table in **Defend > Vulnerabilities > Code repositories** in the Console UI. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT 'https:///api/v/policies/vulnerability/coderepos' \ --data ' { "rules":[ { "name":"", "collections":[ { "name":"", } ], "alertThreshold":{ "disabled":false, "value":0 }, "blockThreshold":{ "enabled":false, "value":0 }, ... } ], "policyType": "codeRepoVulnerability" ... }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the vulnerability policy for your hosts protected by Defender. A policy consists of ordered rules. This endpoint maps to **Defend > Vulnerabilities > Hosts > Running hosts** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/vulnerability/host' ``` A successful response returns a list of vulnerability rules in the policy. --- Lists the hosts ensnared by your policy on a per-rule basis. To see where Console invokes this endpoint: * In Console, go to **Defend > Vulnerabilities**. * Select the **Hosts** tab. * In the **Vulnerability rules** section, click **Show** under the **Entities in scope** column for a rule. * The endpoint is invoked when the pop-up is displayed. ### cURL Request The following cURL command returns a list of code repositories captured by `RULE_NAME`. ```bash $ curl -k \ -u \ -X GET 'https:///api/v/policies/vulnerability/host/impacted?project={PROJECT_NAME}&ruleName={RULE_NAME}' ``` A successful response contains a list of impacted hosts by a rule within the context of the policy. --- Updates the vulnerability policy for your hosts protected by Defender. All rules in the policy are updated in a single shot. This endpoint maps to the policy table in **Defend > Vulnerabilities > Hosts > Running hosts** in the Console UI. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl 'https:///api/v/policies/vulnerability/host' \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules":[ { "name":"", "collections":[ { "name":"" } ], "alertThreshold":{ "disabled":false, "value":1 } } ], "policyType":"hostVulnerability", "_id":"hostVulnerability" }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the vulnerability policy for deployed container images. A policy consists of ordered rules. This endpoint maps to the policy table in **Defend > Vulnerabilities > Images > Deployed** in the Console UI. ### cURL Request The following cURL command retrieves all rules in the policy. ```bash $ curl -k \ -u \ -X GET \ "https:///api/v/policies/vulnerability/images?project=" ``` A successful response contains a list of vulnerability rules in the policy. --- Lists the images caught by your policy on a per-rule basis. To see where Console invokes this endpoint: * In Console, go to **Defend > Vulnerabilities > Images > Deployed**. * In the policy table, click **Show** under the **Entities in scope** column for a rule. * The endpoint is invoked when the pop-up is displayed. ### cURL Request The following cURL command returns a list of images caught by ``. ```bash $ curl -k \ -u \ -X GET \ "https:///api/v/policies/vulnerability/images/impacted?project=&ruleName=" ``` A successful response contains a list of entities caught by a rule within the context of the policy. --- Updates the vulnerability policy for deployed container images. All rules in the policy are updated in a single shot. This endpoint maps to the policy table in **Defend > Vulnerabilities > Images > Deployed** in the Console UI. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl -k \ -u \ -X PUT 'https:///api/v/policies/vulnerability/images' \ --data '{ "rules":[ { "name":"", "collections":[ { "name":"", } ], "alertThreshold":{ "disabled":false, "value":4 }, "blockThreshold":{ "enabled":false, "value":0 }, ... } ], "policyType": "containerVulnerability" ... }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the vulnerability policy for serverless functions situated in your cloud provider's infrastructure. A policy consists of ordered rules. This endpoint maps to **Defend > Vulnerabilities > Functions** in the Console UI. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/vulnerability/serverless' ``` A successful response contains a list of vulnerability rules in the policy. --- Updates the vulnerability policy for serverless functions situated in your cloud provider's infrastructure. All rules in the policy are updated in a single shot. This endpoint maps to the policy table in **Defend > Vulnerabilities > Functions** in the Console UI. ### cURL Request Refer to the following example cURL command that overwrites all rules in your current policy with a new policy that has a single rule: ```bash $ curl -k 'https:///api/v/policies/vulnerability/serverless' \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules": [ { "name": "", "collections": [ { "name":"" } ], "alertThreshold": { "value": 1, "disabled": false } } ], "policyType": "serverlessVulnerability" }' ``` **Note:** No response will be returned upon successful execution. --- Retrieves the vulnerability policy for VM images scanned in your cloud accounts. A policy consists of ordered rules. This endpoint maps to the policy table in **Defend > Vulnerabilities > Hosts > VM images** in the Console UI. ### cURL Request The following cURL command retrieves all rules in the policy. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/policies/vulnerability/vms?project=' ``` A successful response returns a list of vulnerability rules in the policy. --- Lists the VM images caught by your policy on a per-rule basis. To see where Console invokes this endpoint: * In Console, go to **Defend > Vulnerabilities > Hosts**. * Select the **VM images** tab. * In the **Vulnerability rules** section, click **Show** under the **Entities in scope** column for a rule. * The endpoint is invoked when the pop-up is displayed. ### cURL Request The following cURL command returns a list of code repositories captured by ``. ```bash $ curl -k \ -u \ -X GET 'https:///api/v/policies/vulnerability/vms?project=&ruleName=' ``` A successful response contains a list of impacted repositories by a rule within the context of the policy. --- Updates the policy for VM images scanned in your cloud accounts. All rules in the policy are updated in a single shot. This endpoint maps to the policy table in **Defend > Vulnerabilities > Hosts > VM images** in the Console UI. ### cURL Request The following cURL command overwrites all rules in your current policy with a new policy that has a single rule. ```bash $ curl 'https:///api/v/policies/vulnerability/vms?project=' \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "rules": [ { "name": "", "collections":[ { "name":"", } ], "alertThreshold":{ "disabled":false, "value":4 }, ... } ], "policyType": "vmVulnerability" ... }' ``` **Note:** No response will be returned upon successful execution. --- Downloads the app-embedded observations in a CSV format. ## cURL Request Refer to the following example cURL command that downloads all the app-embedded runtime profiles: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o \ 'https:///api/v/profiles/app-embedded/download' ``` --- Retrieves the app-embedded observations. ## cURL Request Refer to the following example cURL command that lists all the app-embedded runtime: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/profiles/app-embedded' ``` --- Retrieves the details and state of all runtime models in CSV format. ## cURL Request Refer to the following example cURL command that downloads a complete list in CSV format: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o \ https:///api/v/profiles/container/download ``` --- Returns a list of os and images from page monitor/runtime/container-models in Console. Example curl command: ```bash $ curl -k -G \ -u \ -H 'Content-Type: application/json' \ -X GET \ --data-urlencode 'image=istio/examples-bookinfo-reviews-v2:1.8.0' https://:8083/api/v1/profiles/container/filters ``` --- Retrieves the details and state of all runtime models. ## cURL Request Refer to the following example cURL command that lists all runtime models in a system: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/profiles/container ``` --- Puts all containers into relearn mode. ## cURL Request Refer to the following example cURL command: ```bash $ curl -k -G \ -u \ -H 'Content-Type: application/json' \ -X POST \ https:///api/v/profiles/container/learn ``` --- Retrieves the details and state of each host service runtime model in CSV format. ## cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o \ https:///api/v/profiles/host/download ``` --- Retrieves the details and state of each host service runtime model on a host-by-host basis. The returned JSON object has the following structure: ``` * host1: * service1: model * service2: model * host2: * service1: model * service3: model ``` ## cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/profiles/host ``` --- Return the runtime rule/policy that is associated with this host. To get the `PROFILE_ID` for a profile: 1. Retrieve a list of profiles using the GET method on the `/api/v1/profiles/host` endpoint. 2. For the profile of interest, copy the value in `_id`. This is the `PROFILE_ID`. The following example command uses curl and basic auth to specify the learning mode for a profile. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/host/container//rule ``` --- Manage the runtime models (profiles) created for each image in your environment. For more information about how models are used to secure you running containers, see [Runtime defense](https://docs.twistlock.com/docs/latest/runtime_defense/runtime_defense.html). --- Retrieves the details and state of all host service runtime models in CSV format ```bash $ curl -k \ -u \ -H 'Content-Type: text/csv' \ -X GET \ -o profiles-service.csv \ https://:8083/api/v1/profiles/service/download ``` --- Retrieves the details and state of all host service runtime models. The returned JSON object has the following structure: ``` * service1: model * service2: model * service3: model ``` Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/profiles/service ``` --- Specify the learning mode for a host service profile. To get the `PROFILE_ID` for a profile: 1. Retrieve a list of profiles using the GET method on the `/api/v1/profiles/service` endpoint. 2. For the profile of interest, copy the value in `_id`. This is the `PROFILE_ID`. The `PROFILE_ID` is typically the service's name, such as `sshd` or `ntpd`. The following example command uses curl and basic auth to specify the learning mode for a host service profile. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"state":"manualLearning"}' \ https://:8083/api/v1/profiles/container//learn ``` --- Specify the learning mode for all host service profiles. The following example command uses curl and basic auth to specify the learning mode for all host service profiles. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/profiles/service/learn ``` --- Retrieves the name of all host service runtime models from within the app at **Monitor > Runtime > Host-models**. The following example curl command uses basic auth to retrieve this data: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/profiles/service/names ``` --- Lists all projects visible to the given user. Assuming the given user is an admin, the following example curl command would list all projects: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/projects ``` --- Deletes a project from the system. The following example curl command deletes a project named ``. The value for `` can be retrieved from the `_id` field in the response object from `GET /api/v1/projects`. The DELETE method returns the decommissioned supervisor's admin username and password. ```bash $ curl -k \ -u \ -X DELETE \ https://:8083/api/v1/projects/ ``` --- Updates a project. The following example curl command updates a project named ``. The value for `` can be retrieved from the `_id` field in the response object from `GET /api/v1/projects`. ```bash $ curl -k \ -u \ -X PUT \ https://:8083/api/v1/projects/ ``` --- Provisions a new project. The following example curl command provisions a new project named `my-project`. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "_id":"my-project", "type":"tenant", "address":"https://:8083" }' \ https://:8083/api/v1/projects ``` If you have installed a new instance of Console, and you have already created an initial admin user for it, then you can specify the admin username name and password when you provision the project. ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "_id":"my-project", "type":"tenant", "address":"https://:8083", "username":"henry", "password":{"plain":"testing123"} }' \ https://:8083/api/v1/projects ``` --- Manage [Projects](https://docs.twistlock.com/docs/latest/deployment_patterns/projects.html). Before you can provision a project using this endpoint, you must designate one instance of Console as master using the `POST /api/v1/settings/projects` endpoint. #### Accessing the REST API of a supervisor Console [comment]: # (See twistlock/pkg/console/route_handler_middleware.go: function NewRouteOpt, for the list of endpoints that are proxied.) After enabling projects and provisioning a new project, access to the supervisor Console is proxied through Central Console. You cannot access a supervisor's REST API directly. All API requests to a supervisor must be made through Central Console. To retrieve data from a project, add the the following query parameter to your request: `project=` Where the default value for `project` is `Central+Console`. If `project` is not specified, it is set to `Central+Console`. For example, to retrieve the compliance policies for a tenant project named `mobile_payments_division`, use the following curl command: ``` curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/policies/compliance?project=mobile_payments_division ``` Not all REST endpoints are proxied to the supervisor. It largely depends on the project type (tenant or supervisor). In some cases, requests cannot be proxied because management of that system is delegated to Central Console only. Proxying a request to the right project is mostly a concern for tenant projects, which operate with their own policies and settings. The following user management endpoints can be accessed from Central Console only. An administrator centrally manages all users, and specifies who has access to which projects. These calls are handled by Central Console only. * `/api/v1/users` * `/api/v1/groups` * `/api/v1/projects` The following endpoints are proxied to the relevant supervisor for tenant projects only. * `/api/v1/policies` * `/api/v1/trust` * `/api/v1/settings` * `/api/v1/collections` * `/api/v1/feeds` The following endpoints are proxied to the relevant supervisor for both tenant and scale projects: * `/api/v1/settings/alerts` * `/api/v1/alert-profiles` * `/api/v1/settings/regisry` * `/api/v1/settings/certs` * `/api/v1/settings/secrets` * `/api/v1/policies/secrets` --- Cleans the container runtime profiles and Radar entities. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/radar/container/clean ``` --- Deletes a learned connection between two containers. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/radar/container?dstProfileID=sha256:&srcProfileID=sha256: ``` --- Returns the current learned connections from CNNF (for containers) in JSON format. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o cnnf_containers_export.json \ https://:8083/api/v1/radar/container/export ``` --- Returns the namespaces from the container view on the Radar page. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/radar/container/filters ``` --- Returns data from Console's Radar page (container view). ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/radar/container ``` --- Deletes a learned connection between two apps in CNNF for hosts. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/radar/host?dstProfileID=&srcProfileID= ``` --- Returns the current learned connections from CNNF (for hosts) in JSON format. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o \ https://:8083/api/v1/radar/host/export ``` --- Returns data from Console's Radar page (host view). ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/radar/host ``` --- Radar is the primary interface for visualizing your environment. It is designed to let you navigate through all the data Prisma Cloud Compute has collected about your environment. --- Returns data from Console's Radar page (serverless view). ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/radar/serverless ``` --- Returns the scan progress from Console's Radar page (serverless view). ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/radar/serverless/progress ``` Example of the return data: ```json [ { "hostname": "", "id": "", "type": "serverlessRadar", "discovery": false, "total": 1, "scanned": 1, "title": "" } ] ``` --- Initiates a serverless scan of your environments. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/radar/serverless/scan ``` --- Stops an in-progress serverless scan. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/radar/serverless/stop ``` --- Administrative endpoint to create and manage roles for RBAC. Roles management with these endpoints is supported for Compute Edition (self-hosted) only. --- This endpoint will delete a specific role by its name from page **Manage > Authentication > Roles** System roles and roles assigned to users/groups cannot be deleted. The following example curl command uses basic auth to delete role: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/roles/ ``` --- This endpoint will return a list in JSON format of the roles can be found under Manage > Authentication > Roles The following example curl command uses basic auth to return: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/rbac/roles ``` --- Adds a new custom role to the system. This endpoint accepts one role at a time. Create role.json file (example) The added role must contain the "user" permission with read-write access. This permission contains basic API routes required for every authenticated user. ``` [ { "perms": [ { "name": "monitorCI", "readWrite": true }, { "name": "downloads", "readWrite": false }, { "name": "accessUI", "readWrite": false }, { "name": "uIEventSubscriber", "readWrite": false }, { "name": "user", "readWrite": true } ], "name": "runtime manager", "description": "runtime manager" } ] ``` The following example curl command uses basic auth to create the role: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ --binary-data @role.json \ https://:8083/api/v1/roles ``` --- Updates a single role by its name. This endpoint accepts one role at a time, and overrides its entire permissions set. System role cannot be updated. Create role.json file (example) The updated role must contain the "user" permission with read-write access. This permission contains basic API routes required for every authenticated user. ``` [ { "perms": [ { "name": "monitorCI", "readWrite": true }, { "name": "downloads", "readWrite": false }, { "name": "accessUI", "readWrite": false }, { "name": "uIEventSubscriber", "readWrite": false }, { "name": "user", "readWrite": true } ], "name": "runtime manager", "description": "runtime manager" } ] ``` The following example curl command uses basic auth to update the role: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ --binary-data @role.json \ https://:8083/api/v1/roles ``` --- Returns a list of available backups. Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/recovery/backup ``` --- Deletes a given backup by name. `{file_name_of_backup} = {backup_name}-18.11.128-1551386737.tar.gz` Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/recovery/backup/{file_name_of_backup} ``` --- Deletes a given backup by name. `{file_name_of_backup} = {backup_name}-18.11.128-1551386737.tar.gz` Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PATCH \ -d '"{new_name}"' https://:8083/api/v1/recovery/backup/{file_name_of_backup} ``` --- Creates a backup named `backup_name` by invoking the MongoDB dump process. Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d "{backup_name}" \ https://:8083/api/v1/recovery/backup ``` --- Back up and restore Prisma Cloud Compute data. Prisma Cloud Compute automatically backs up all data and configuration files periodically. You can view all backups, make new backups, and restore specific backups from the Console UI or API. You can also restore specific backups using the twistcli command line utility. --- Restores Prisma Cloud Compute from the given backup. `{file_name_of_backup} = {backup_name}-18.11.128-1551386737.tar.gz` Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/recovery/restore/{file_name_of_backup} ``` --- Downloads registry image scan reports in CSV format. This endpoint maps to the CSV hyperlink in **Monitor > Compliance > Images > Registries** in the Console UI. ### cURL Request Refer to the following cURL command that generates a CSV file containing the scan reports: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/registry/download" \ > registry_report.csv ``` A successful response displays the status of the download. --- Retrieves registry image scan reports. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. This endpoint maps to **Monitor > Compliance > Images > Registries** in the Console UI. > _**Note:**_ In the Console UI, the images can be found in **Monitor > Vulnerabilities > Images > Registries**. Consider the following available options to retrieve when you use the `fields` query parameter: - labels - repoTag.repo - repoTag.registry - clusters - hosts - repoTag.tag ### cURL Request Refer to the following cURL command that retrieves a scan report for all images in the registry: ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/registry" ``` The compact query can be used to get a general overview of the number of Vulnerabilities and Compliance issue counts rather than listing all the CVEs and compliance violations. Refer to the following cURL command that retrieves a compact scan report for the Ubuntu image in the registry: ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/registry?name=https:///ubuntu:latest&compact=true" ``` The name query is synonymous with the filter registry text field in the Console UI. Refer to the following cURL that retrieves the scan report for the image in the registry with the matching **sha256** hash: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/registry?imageID=sha256:d461f1845c43105d7d686a9cfca9d73b0272b1dcd0381bf105276c978cb02832" ``` Refer to the following cURL command that retrieves the images in the first 10 registries: ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/registry?limit=10&offset=0&reverse=false" ``` A successful response returns the registry scan reports in alphabetical order. --- Shows the progress of an ongoing regular or on-demand registry scan. By default, the API endpoint displays the progress of a regular scan. ## View regular registry scan progress For a regular scan, use the API path only without any query parameters. ### cURL Request Refer to the following example cURL request that retrieves the ongoing scan details for a regular registry scan: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/registry/progress" ``` ### cURL Response Refer to the following example cURL response: ```bash [ { "discovery": { "hostname": "", "id": "", "scanTime": "0001-01-01T00:00:00Z", "type": "", "discovery": false, "total": 4, "scanned": 2, "title": "Step 1/2 discovering tags in registry us-west2-docker.pkg.dev: Discovered tags in 2/4 repositories with 1 Defenders" }, "imageScan": { "hostname": "", "id": "", "scanTime": "0001-01-01T00:00:00Z", "type": "", "discovery": false, "total": 2, "scanned": 0, "title": "Step 2/2 scanning images in registry us-west2-docker.pkg.dev: Scanned 0/2 images with 1 Defender" }, "isScanOngoing": true } ] ``` ## View on-demand registry scan progress For an on-demand scan that is started using the `/registry/scan` endpoint with the following fields: - onDemand: (Mandatory) Set the parameter to `true`. - repo: (Mandatory) Specify the repository name. - tag: Specify the image tag (alias of image ID). - digest: Specify the image digest identifier. > **Note:** You must specify either `tag` or `digest` along with the mandatory parameters `onDemand` and `repo` to view the progress. ### cURL Request Refer to the following example cURL request that retrieves the ongoing scan details for an on-demand registry scan that is started using the `/registry/scan` endpoint for the repository `alpine` with tag `3.16`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/registry/progress?onDemand=true&repo=library/alpine&tag=3.16" ``` ### cURL Response Refer to the following example cURL response: ```bash [ { "discovery": { "hostname": "", "id": "", "scanTime": "0001-01-01T00:00:00Z", "type": "", "discovery": false, "total": 1, "scanned": 1, "title": "Step 1/2 discovering tags in repository: library/alpine, tag: 3.16" }, "imageScan": { "hostname": "", "id": "", "scanTime": "0001-01-01T00:00:00Z", "type": "", "discovery": false, "total": 1, "scanned": 1, "title": "Step 2/2 scanning images in repository: library/alpine, tag: 3.16" }, "isScanOngoing": false } ] ``` > **Important:** - If you use on-demand scan related parameters such as `registry`, `repo`, or `tag` but set the query parameter `onDemand` to `false`, you'll get a bad request error (400). - If an on-demand scan was completed and you get the progress response for that scan (i.e. "isScanOngoing": false), the next progress response for that image will be an empty list: `[]`, until you initiate another on-demand scan for that image. --- Retrieves a list of image names from current scanned registry images. The base `/api/v1/registry` endpoint takes repositories listed in this response as the `names` query. ## cURL Request Refer to the following example cURL command that retrieves a list of image names from your scanned registry images: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/registry/names ``` --- Triggers a new scan for all images when a new image is added to the registry or a new scan for an individual image. You can use the scanning feature in the following ways: ## Regular scan This feature allows you to trigger a new scan immediately for all the images when a new image is added to the registry or trigger a scan for an individual image. Consider the following points for a regular scan: * You cannot make multiple parallel scan requests with a regular scan. * You either need to stop the on-going scan using the `api/vVERSION/registry/stop` or wait for the on-going scan to finish. For information on stopping a regular scan, see [Stop Registry Scan](https://prisma.pan.dev/api/cloud/cwpp/registry#operation/post-registry-stop) * You can view the scan result or response for all the images by using the `api/vVERSION/registry` API endpoint. For information on scan result, see [Get Registry Scan Report](https://prisma.pan.dev/api/cloud/cwpp/registry#operation/get-registry) ### cURL Request Refer to the following example cURL command that forces Prisma Cloud Compute to rescan all registry images: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https:///api/v/registry/scan ``` Refer to the following example cURL command that forces Prisma Cloud Compute to re-scan a specific image: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"tag":{"registry":"","repo":"","tag":"","digest":""}}'\ https:///api/v/registry/scan ``` ## On-demand scan This feature allows you to trigger a new scan immediately for an individual image and not wait for the next periodic scan. **Note**: For an on-demand scan, you must pre-define the image registry scope in the registry scanning configuration. Consider the following points for an on-demand scan: * You can trigger multiple on-demand image scans without interrupting the main registry scanning process. * You cannot stop a running on-demand scan, you can only initiate a new parallel scan. * You can view the on-demand scan result or response by using query parameter `name` that specifies the full image name in the `api/vVERSION/registry` API endpoint. For information on scan result, see [Get Registry Scan Report](https://pan.dev/prisma-cloud/api/cwpp/get-registry/) ### cURL Request Refer to the following example cURL command to trigger an on-demand scan for an image: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{“onDemandScan”:true,“tag”:{“registry” :“”,“repo”:“”,“digest”:“”}}' \ "https:///api/v/registry/scan" ``` --- Stops current registry scan immediately. ## cURL Request Refer to the following example cURL command that forces Prisma Cloud Compute to stop scanning all registry images: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https:///api/v/registry/stop ``` --- Listens for registry updates. Although this endpoint is supported, no backwards compatibility is offered for it. --- Listens for registry updates. Although this endpoint is supported, no backwards compatibility is offered for it. --- Downloads all scan reports from the Jenkins plugin and twistcli in CSV format. This endpoint maps to the CSV hyperlink in **Monitor > Vulnerabilities > Images > CI** in the Console UI. ### cURL Request The following cURL command retrieves and saves your Jenkins and twistcli scan reports to a CSV file called `scans_report.csv`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/scans/download \ > scans_report.csv ``` A successful response displays the status of the download. --- Retrieves the list of Jenkins projects that have been scanned by the Jenkins plugin. Each project in the `jobName` array can be used to query the base `api/v1/scans` endpoint to retrieve only scan reports in that Jenkins project. The following example curl command uses basic auth to retrieve the list of Jenkins project names: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/scans/filters ``` --- Retrieves all scan reports for images scanned by the Jenkins plugin or twistcli. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. This endpoint maps to **Monitor > Vulnerabilities > Images > CI** in the Console UI. ### cURL Request Refer to the following example cURL command that retrieves the scan reports for all images scanned using the Jenkins CI plugin or the twistcli tool: ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/scans ``` To get the report of a specific scan, add query parameters to narrow the scope of the request. The following cURL command retrieves the scan report for an image with a SHA256 ID of `sha256:f756e84300d8e53006090573dd33abe5b8cfac3e42d104fc4be37f435fe512f3`. ``` $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/scans?imageID=sha256:f756e84300d8e53006090573dd33abe5b8cfac3e42d104fc4be37f435fe512f3' ``` A successful response returns the scan reports. --- Retrieves all scan reports for images scanned by the Jenkins plugin or twistcli tool for a specific image with an given `id`. The `id` is `_id` value returned in the base `/api/v1/scans` request. The following example curl command uses basic auth to retrieve the scan report for just an image with a SHA256 ID of `5c3385fd2e76c5c16124c077`. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/scans/5c3385fd2e76c5c16124c077" ``` --- Download the Console set up script for Linux hosts. Only users that have a user role of Defender Manager or higher (Operator and Administrator) are permitted to download this file. For more information about each supported role, see [User roles](https://docs.twistlock.com/docs/latest/access_control/user_roles.html). ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o console.sh \ https://:8083/api/v1/scripts/console.sh ``` The script must be made executable before it can run: ```bash $ chmod +x console.sh ``` --- Download the Defender set up script for Windows hosts. Only users that have a user role of Defender Manager or higher (Operator and Administrator) are permitted to download this file. For more information about each supported role, see [User roles](https://docs.twistlock.com/docs/latest/access_control/user_roles.html). ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o defender.ps1 \ https://:8083/api/v1/scripts/defender.ps1 ``` NOTE: The downloaded script takes a number of parameters to control how Defender is installed. To see the default parameters, open Console, go to **Manage > Defenders > Deploy**, and examine how the script is configured based on the options you select. --- Download the Defender set up script for Linux hosts. Only users that have a user role of Defender Manager or higher (Operator and Administrator) are permitted to download this file. For more information about each supported role, see [User roles](https://docs.twistlock.com/docs/latest/access_control/user_roles.html). ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o defender.sh \ https://:8083/api/v1/scripts/defender.sh ``` The script must be made executable before it can run: ```bash $ chmod +x defender.sh ``` NOTE: The downloaded script takes a number of parameters to control how Defender is installed. To see the default parameters, open Console, go to **Manage > Defenders > Deploy**, and examine how the script is configured based on the options you select. --- Download the scripts used in the Prisma Cloud Compute environment. --- Downloads all serverless scan reports in CSV format. This endpoint maps to the CSV hyperlink in **Monitor > Vulnerabilities > Functions > Scanned functions** in the Console UI. ### cURL Request The following cURL command retrieves a list of all serverless resources monitored by Prisma Cloud Compute and saves the results in a CSV file called `serverless.csv`: ```bash $ curl -k \ -u \ -X GET \ 'https:///api/v/serverless/download' \ > serverless.csv ``` A successful response displays the status of the download. --- The following curl command uses basic auth to retrieve a list of all Serverless resources that monitored by Prisma Cloud Compute, and save the results to a CSV file: ```bash $ curl -k \ -X POST \ -H "Content-Type: application/octet-stream" \ -u \ --data-binary @ \ 'http://:8083/api/v1/serverless/embed?runtime=&handler=&function=' \ -o twistlock_lambda.zip ``` --- Retrieves all scan reports for the serverless functions which Prisma Cloud has been configured to scan. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. This endpoint maps to **Monitor > Vulnerabilities > Functions > Scanned functions** in the Console UI. ### cURL Request Refer to the following example cURL command that retrieves the scan reports for serverless functions: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/serverless ``` A successful response returns the scan reports. --- The following curl command uses basic auth to retrieve a list of names of all Serverless resources monitored by Prisma Cloud Compute: ```bash $ curl -k \ -X GET \ -H "Content-Type: application/json" \ -u \ http:///api/v/serverless/names \ ``` --- Re-scan all serverless functions immediately. ### cURL Request Refer to the following example cURL command that forces Prisma Cloud Compute to re-scan all serverless functions: ```bash $ curl -k \ -u \ -X POST \ https:///api/v/serverless/scan ``` --- Stops the ongoing serverless scan. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -X POST \ https:///api/v/serverless/stop ``` --- Retrieves a list of your alert settings. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/alerts ``` --- This endpoint will return the alert profile configuration options that can be found in the console under the alert type selection when setting up a new alert profile. The following example curl command uses basic auth to retrieve all alert profile configuration options: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/alerts/options ``` --- Configure alerts. The following example curl command sets the aggregation period for alerts to one hour. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "aggregationPeriodMs": 3600000, "consoleAddress": "https://:8083", "securityAdvisorWebhook": "" }' \ https://:8083/api/v1/settings/alerts ``` --- Sets a certificate authority (CA) to trust and the validity period for client certificates. Use client certificates to authenticate commands sent from the Docker client through Prisma Cloud Compute. For more information, see [Certificates](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/configure/certificates). ## cURL Request Refer to the following example cURL request that uses basic auth to set the validity period for client certificates to seven days: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -w "\nResponse code: %{http_code}\n" \ -X POST \ -d '{"certificatePeriodDays": 7} ' \ "https:///api/v/settings/certificates" ``` --- Returns the Subject Alternative Name(s) (SANs) in Console's certificate. Defenders use these names to connect to Console. ## cURL Request Refer to the following example cURL request that uses basic auth to retrieve the SANs in Console's cert: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/certs" ``` --- Adds or deletes Subject Alternative Name(s) (SANs) in Prisma Cloud Compute's certificate. Defenders use these names to connect to Prisma Cloud Compute. SANs are set in a single shot. You should first retrieve the list of SANs with the GET method. Then add or remove entries from the `consoleSAN` array, and post the updated JSON object. For more information, see [Certificates](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/configure/certificates). ## cURL Request Refer to the following example cURL request that uses basic auth to add `node-01.example.com` to the `subjectAltName` field in the certificate: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -w "\nResponse code: %{http_code}\n" \ -X POST \ -d ' { "consoleSAN": [ "10.240.0.34", "172.17.0.1", "ian-23.c.cto-sandbox.internal", "127.0.0.1", "node-01.example.com" ] }' \ "https:///api/v/settings/certs" ``` --- Retrieves the list of code repositories Prisma Cloud is configured to scan. It also retrieves a partial webhook URL. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. This endpoint maps to **Defend > Vulnerabilities > Code repositories** in the Console UI page. * **GitHub repositories scan scope** table data * URL suffix in **Webhook settings** ### Webhook You can optionally configure your code repositories with a webhook to trigger Prisma Cloud to scan repositories when there are pertinent events (e.g., new code commits). Construct the full webhook using Console's publicly accessible DNS name or IP address, plus the webhook URL suffix. ### cURL Request Refer to the following example cURL command that retrieves all code repositories to scan, as well as the webhook URL suffix: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/settings/coderepos' ``` --- Updates the code repositories to scan. The list of code repositories to scan is updated in a single shot. To invoke this endpoint in the Console UI: 1. Navigate to **Defend > Vulnerabilities > Code repositories**. 2. Under the **GitHub repositories scan scope** table, add a scope item using **+ Add scope** **Note:** If your table is not present add an item to the table by clicking **Add the first item**. 3. Click the **Save** button. ### General Set up and Scan Process This endpoint works hand-in-hand with the `/policies` endpoints. **To set up Prisma Cloud to scan your code repositories:** 1. Add a scan scope with this endpoint (`/settings/coderepos`), where the principle component is the account information for the service that hosts your code repositories. For example, specify the the credentials of your GitHub account. You can further refine the scope by specifying which repos to scan using explicit strings or pattern matching. Scan all repos by specifying a wildcard. 2. Prisma Cloud auto-discovers all code repositories in each scan scope. The system invokes the GET `/coderepos/discover` endpoint to discover the available repositories using the credential ID provided. 3. The list of auto-discovered code repositories is passed to the scanner for evaluation. The scanner uses the corresponding `/policies/vulnerability/coderepos` endpoint to assess each code repository. ### cURL Request Each scan scope is specified as an element in the endpoint's payload array. Itemize the repositories to scan in the `repositories` array. A wildcard tells Prisma Cloud to scan all repos in the account. The critical fields for this endpoint are: * `type` - Hosting service, such as GitHub (`github`) * `credentialID` - Credential, from the credentials store, that Prisma Cloud uses to authenticate with the hosting service. * `repositories` - List of repository names. The format is `/`. Refer to the following example cURL command that overwrites all code repository scan scopes with a single new scan scope: ```bash $ curl 'https:///api/v/settings/coderepos' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '[ { "type":"github", "publicOnly":false, "credentialID":"", "repositories":[ "*" ] } ]' ``` This scan scope includes all repositories in the GitHub account that can be accessed with `CREDENTIAL_ID`. **Note:** No response will be returned upon successful execution. --- Configures the custom certificate for securing browser access to the Console. These settings can be seen in the console under **Manage > Authentication > System Certificates**. For the custom TLS certificate for securing browser access, this file must be in the concatenated public cert and private key in PEM format. For more information about this configuration, see [Custom certs for Console access](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/configure/custom_certs_predefined_dir) ## cURL Request Refer to the following example cURL request that uses basic auth and configures the custom certificate to use for securing browser access to the console: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"consoleCustomCert":"....."}' \ "https:///api/v/settings/console-certificate" ``` --- Returns the list of alert labels configured in Prisma Cloud Compute. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/settings/custom-labels ``` --- Creates a custom alert label to augment audit events. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d "{labels:"new_label"}" \ "https:///api/v/settings/custom-labels" ``` --- Returns the advanced settings for Defenders. ### cURL Request Refer to the following example cURL command that gets all advanced settings for Defenders: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/settings/defender' ``` A successful response returns all advanced settings for Defenders. --- Retrieves the settings for the forensics system. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/forensic ``` --- Configures the forensics system. The following example curl command allocates 100 MB of local disk space for container forensic data and 10 MB for host forensics data. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "enabled": true, "containerDiskUsageMb": 100, "hostDiskUsageMb": 10 }' \ https://:8083/api/v1/settings/forensic ``` --- Checks whether Console has been configured with an initial admin account. After first installing Console, the first thing you must do is create an admin account. Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/initialized ``` --- This endpoint will enable or disable the Windows Intelligence Service from **Manage > System > Intelligence** page in the console. The following example curl command uses basic auth to enable online updates of Windows vulnerabilities from the intelligence stream: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"windowsFeedEnabled":true}' \ https://:8083/api/v1/settings/intelligence-windows ``` --- Returns the details about the Intelligence Stream configuration. ### cURL Request Refer to the following example cURL command that uses basic auth to retrieve your Intelligence Stream configuration settings. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/intelligence" ``` --- Configures the Intelligence Stream. For more information, see [Intelligence Stream](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/technology_overviews/intel_stream) ### cURL Request Refer to the following example cURL command that uses basic auth to configure settings of your Intelligence Stream. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d ' { "windowsFeedEnabled": true, "enabled": true, "address": "https://intelligence.example.com", "token": "", }' \ "https:///api/v/settings/intelligence" ``` --- Retrieves the version number of the latest available Prisma Cloud Compute release. Example curl command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https://:8083/api/v1/settings/latest-version' ``` --- This endpoint will return the latest version of the product. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/latest-version ``` --- Returns the LDAP integration settings. ## cURL Request Refer to the following example cURL request: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/ldap" ``` ## cURL Response Refer to the following example cURL response: ```bash $ { "enabled": true, "url": "ldap://10.176.135.212:379", "caCert": "", "searchBase": "", "groupSearchBase": "ou=Groups,dc=example,dc=org", "userSearchBase": "ou=Users,dc=example,dc=org", "accountUpn": "cn=admin,dc=example,dc=org", "accountPassword": { "encrypted": "nkMtVY4NN9RccvbVIfLvJw==" }, "type": "openldap", "userSearchIdentifier": "cn" } ``` --- Configures the LDAP integration. For more information, see [Active Directory](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/active_directory) and [OpenLDAP](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/openldap) ## cURL Request Refer to the following example cURL command that enables the LDAP integration and specifies the parameters required to integrate with an Active Directory service. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "enabled": true, "url": "ldap://ldapserver.example.com:3268", "searchBase": "dc=example,dc=com", "accountUpn": "example_service@example.com", "accountPassword": { "plain": "pass!-W0RD" }, "type": "activedirectory", "userSearchIdentifier": "userprincipalname" }' \ "https:///api/v/settings/ldap" ``` --- Returns the details about the installed license. ## cURL Request Refer to the following example cURL request that retrieves the license details. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/license" ``` --- Configures the Prisma Cloud Compute license. Use this endpoint, along with `/api/v1/signup`, as part of the initial set up flow after Prisma Cloud Compute is first installed. For more information, see [Licensing](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/welcome/licensing). ## cURL Request Refer to the following example cURL request that uses basic auth to set your license: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"key": ""}' \ https:///api/v/settings/license ``` --- Returns the logging settings. ## cURL Request Refer to the following example cURL request that uses basic auth to retrieve your logging details. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/logging" ``` --- Configures the logging settings. This includes Syslog, Stdout, and Prometheus instrumentation. For more information, see [Logging](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/audit/logging). ## cURL Request Refer to the following example cURL request that enables verbose scan output for syslog and stdout: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "syslog": { "enabled": true, "verboseScan": true, "allProcEvents": false, "addr": "" }, "stdout": { "enabled": true, "verboseScan": true, "allProcEvents": false, } }' \ "https:///api/v/settings/logging" ``` --- Configures the logon settings. ## cURL Request Refer to the following example cURL request that uses basic auth to retrieve all current logon settings. ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/logon" ``` --- Configures the timeout for Prisma Cloud Compute sessions. For more information, see [Logon Settings](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/configure/logon_settings). ## cURL Request Refer to the following example cURL request that uses basic auth to set the timeout to 900 seconds (15 minutes): ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -w "\nResponse code: %{http_code}\n" \ -X POST \ -d '{"sessionTimeoutSec": 900}' \ "https:///api/v/settings/logon" ``` --- Returns the OAuth configuration settings. ## cURL Request Refer to the following example cURL request: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/oauth" ``` ## cURL Response Refer to the following example cURL response: ```bash { "enabled": true, "clientID": "ef3a806a249a31b7d15e", "clientSecret": { "encrypted": "O27GsQ7PDX4LrVx6q+A7sMLUAKTbKU3DAYTZyaOhqTqdNwI7raKFCA3/RrmRPUgk" }, "providerName": "github", "authURL": "https://github.com/login/oauth/authorize", "tokenURL": "https://github.com/login/oauth/access_token", "groupScope": "", "groupClaim": "", "userClaim": "", "cert": "", "openshiftBaseURL": "", "openIDIssuesURL": "", "providerAlias": "github_ss" } ``` --- Configures the OAuth settings. For more information, see [GitHub OAuth](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/oauth2_github) and [OpenShift](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/oauth2_openshift) ## cURL Request Refer to the following example cURL response: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"clientID":"ef3a806a249a31b7d15e","clientSecret":{"encrypted":"O27GsQ7PDX4LrVx6q+A7sMLUAKTbKU3DAYTZyaOhqTqdNwI7raKFCA3/RrmRPUgk"},"providerName":"github","authURL":"https://github.com/login/oauth/authorize","tokenURL":"https://github.com/login/oauth/access_token","providerAlias":"github_ss"}' \ "https:///api/v/settings/oauth" ``` --- Returns the OpenID Connect configuration settings. ## cURL Request Refer to the following example cURL request: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/oidc" ``` ## cURL Response Refer to the following example cURL response: ```bash $ { "enabled": true, "clientID": "0oajdm6atavfYyJfr4x6", "clientSecret": { "encrypted": "rnEk+1be20FLv+BYnDX4s5/T0NOb49hkNkaZQtgiF7K2s65" }, "providerName": "", "authURL": "", "tokenURL": "", "groupScope": "groups", "groupClaim": "groups", "userClaim": "", "cert": "", "openshiftBaseURL": "", "openIDIssuesURL": "https://ss-123456.okta.com", "providerAlias": "oidc_okta_ss" } ``` --- Configures the OpenID Connect settings. For more information, see [OIDC](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/oidc). ## cURL Request Refer to the following example cURL request: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -d '{"enabled": true,"clientID":"0oajdm6atavfYyJfr4x6","clientSecret":{"encrypted":"rnEk+1be20FLv+BYnDX4s5/T0NOb49hkNkaZQtgiF7K2s65"},"groupScope":"groups","groupClaim":"groups","openIDIssuesURL":"https://ss-123456.okta.com","providerAlias":"oidc_okta_ss"}' \ "https:///api/v/settings/oidc" ``` --- This endpoint will return settings for PCF (Pivotal Cloud Foundry)Blobstore scanning, which can be found in the console under **Defend > Vulnerabilities > PCF Blobstore**. This requires that you have a defender configured for PCF Blobstore scanning. For more information, see [PCF blobstore scanning](https://docs.twistlock.com/docs/latest/vulnerability_management/pcf_blobstore.html). The following example curl command uses basic auth to retrieve the current PCF Blobstore scanning settings: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/pcf ``` --- This endpoint will allow for updating settings for PCF (Pivotal Cloud Foundry) Blobstore scanning. The following example curl command uses basic auth to set up a PCF Blobstore scanner that scans the last `5` droplets for every droplet in the PCF Blobstore: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"cap":"5","cloudControllerAddress":"https://my-cloud-controller.twistlock.com","pattern":"*"}' \ https://:8083/api/v1/settings/pcf ``` --- Tells you whether the [Projects](https://docs.twistlock.com/docs/latest/deployment_patterns/projects.html) feature is enabled. Projects are enabled when an instance of Console is designated as master. The following example curl command retrieves the state of the Projects feature from Console. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/projects ``` If you direct the request to a supervisor Console, the response object tells you the URL Central Console (master) uses to communicate with the supervisor Console. All API calls must be proxied through Central Console, where the request is automatically rerouted to the appropriate supervisor Console. To retrieve the Projects settings from a supervisor Console, append the `project` query parameter to your request. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/projects?project= ``` --- Enables or disables the [Projects](https://docs.twistlock.com/docs/latest/deployment_patterns/projects.html) feature. Projects are enabled when an instance of Console is designated as master. The following example curl command designates `` as master. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "master":true }' \ https://:8083/api/v1/settings/projects ``` --- Returns the proxy settings for Prisma Cloud Compute containers to access the Internet. ## cURL Request Refer to the following example cURL request: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/proxy" ``` --- Configures the proxy settings. For more information, see [Proxy Settings](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/configure/proxy). ## cURL Request Refer to the following example cURL request that specifies the proxy to use to access the Internet: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "httpProxy":"http://proxyserver.example.com:8282" }' \ https:///api/v/settings/proxy ``` --- Retrieves the list of registries Prisma Cloud is configured to scan. It also retrieves a partial webhook URL. This endpoint maps to the following information on the **Defend > Vulnerabilities > Images > Registry settings** Console UI page: * **Registries** table data * The URL suffix under **Webhooks** ### Webhook You can optionally configure your registry with a webook to trigger Prisma Cloud to scan repositories when there is a pertinent event (e.g. a new image is pushed to the registry). Construct the full webhook using the publicly accessible DNS name or IP address, plus the webhook URL suffix. ### cURL Request The following cURL command retrieves all the registries to scan and the URL suffix for the registry's webhook URL suffix. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/settings/registry' ``` --- Specifies a single registry to scan. Each registry to scan is specified as an item in the `specifications` array. The POST method appends an entry to the `specifications` array. In contrast, the PUT method adds all registries in a single shot, completely overwriting any previous configuration by replacing the contents of the `specifications` array. For more information about the `specifications` array, see the GET endpoint. The `version` string specifies the type of registry to scan. It can be one of the following strings: * Amazon EC2 Container Registry: `aws` * Azure Container Registry: `azure` * CoreOS Quay: `coreos` * Docker Registry v2: `2` * Docker Trusted Registry: `dtr` * Google Container Registry: `gcr` * GitLab Container Registry: `gitlab` * IBM Cloud Container Registry: `bluemix` * JFrog Artifactory: `jfrog` * Red Hat OpenShift: `redhat` * Sonatype Nexus: `sonatype` **Note**: From 22.11 (Lagrange) release or later, you can add a maximum of 19,999 registry entries in **Defend > Vulnerabilities > Images > Registry settings**. The API response returns an HTTP 400 error, if the number of registry specifications exceeds the maximum allowable limit of 19,999 registry entries. **cURL Request** Refer to the following example cURL command that configures Prisma Cloud Compute to scan the Ubuntu 16.04 repository on Docker Hub: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d ' { "version": "2", "registry": "", "repository": "library/ubuntu", "tag": "16.04", "os": "linux", "cap": 5, "hostname": "", "scanners": 2, "collections": ["All"] } ' \ 'https:///api/v/settings/registry' ``` Starting with 30.03, you can directly add a GitLab Container Registry. To add settings for a GitLab Container Registry, you must specify the following parameters: * **version**: Specify the value *gitlab* for GitLab Container Registry. * **registry**: Specify the GitLab registry URL address. Example, for native registries, you can specify the address as "https://registry.gitlab.com" * **credentialID**: Specify the GitLab credential that you added in the credential store in Prisma Cloud Compute. For example, an API token that has atleast the *read_api* scope. * **gitlabRegistrySpec**: Specify at least one of the following fields: * **userID**: Specify your GitLab user ID to add all registries associated with it. * **projectIDs**: Specify the project IDs to add all registries associated with a GitLab project. * **groupIDs**: Specify the group ID to add all registries associated with a GitLab group. * **excludedGroupIDs**: Specify the top-level group IDs that you don't want to add. Refer to the following example cURL command: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d ' { "version":"gitlab", "registry":"https://registry.gitlab.com", "namespace":"", "repository":"", "tag":"", "credentialID":"", "os":"linux", "harborDeploymentSecurity":false, "collections":["All"], "cap":5, "scanners":2, "versionPattern":"", "gitlabRegistrySpec":{"userID":"14631394"} } ' \ 'https:///api/v/settings/registry' ``` --- Updates the registries to scan. The list of registries to scan is updated in a single shot. To invoke this endpoint in the Console UI: 1. Navigate to **Defend > Vulnerabilities > Images > Registry settings**. 2. Under the **Registries** table, add a registry item using **+ Add registry** 3. Click the **Save** button. **Note**: From 22.11 (Lagrange) release or later, you can add a maximum of 19,999 registry entries in **Defend > Vulnerabilities > Images > Registry settings**. The API response returns an HTTP 400 error, if the number of registry specifications exceeds the maximum allowable limit of 19,999 registry entries. ### General Set up and Scan Process This endpoint works hand-in-hand with the `/policies` endpoints. **To set up a registry for scanning:** 1. Add your registry account information using this endpoint. For example, specify the location and credentials of an ECR registry in your AWS account. 2. Prisma Cloud auto-discovers the images in the registries specified with this endpoint. 3. The list of auto-discovered images is passed to the scanner for evaluation. The scanner uses the corresponding `/policies/vulnerability/images` and `/policies/compliance/images` endpoints to assess each image. ### cURL Request Each registry to scan is specified as an item in the `specifications` array. The critical fields for this endpoint are: * `registry` - String specifying the registry URL. * `credentialID` - String specifying the registry credential. * `version` - String specifying the type of registry to scan and may be one of the following strings: Version|Description ---|--- `aws`|Amazon EC2 Container Registry `azure`|Azure Container Registry `2`|Docker Registry v2 `dtr`|Docker Trusted Registry `gcr`|Google Container Registry `jfrog`|JFrog Artifactory `sonatype`|Sonatype Nexus `coreos`|CoreOS Quay `redhat`|Red Hat OpenShift `bluemix`|IBM Cloud Container Registry The remaining fields in the `specifications` object (e.g., `repository`, `exclusions`, etc.) are optional. They let you refine the scope of what Prisma Cloud auto-discovers. **Note:** An empty string in `registry` implicitly refers to Docker Hub. In `repository`, use the `library/` namespace to specify a [Docker official image](https://docs.docker.com/docker-hub/official_images/). To see the current list of Docker official images, see [here](https://github.com/docker-library/official-images/tree/master/library). #### Set up a Private Registry for Scanning Most registries you'll configure for scanning will be private. Prisma Cloud needs credentials to access private registries. To set this up: * Create the credentials with the `/credentials` endpoint. * Retrieve the credential ID from the `/credentials` endpoint (`_id`). * Create the registry setting with the recommended minimum required fields (`version`, `registry`, and `credentialID`). #### Example cURL Request The following cURL command overwrites the current list of registries to scan with two new registries: * The official Ubuntu 18.04 image in Docker Hub * All repositories in a private AWS ECR registry ```bash $ curl 'https:///api/v/settings/registry' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "specifications": [ { "version": "2", "registry": "", "repository": "library/ubuntu", "tag": "18.04", "os": "linux", "cap": 5, "credentialID": "", "scanners": 2, "collections": ["All"] }, { "version": "aws", "registry": ".dkr.ecr..amazonaws.com", "os": "linux", "credentialID": "", "scanners": 2, "cap": 5, "collections": ["All"] } ] }' ``` **Note:** No response will be returned upon successful execution. ### Remove a Registry To remove a registry from the list: 1. Retrieve the current list using the GET method. 2. Remove the entry from the `specifications` JSON array in the response. 3. Use the PUT method to submit the updated JSON object. To delete all entries, submit an empty `specifications` array. For example: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d '{"specifications":[]}' \ https:///api/v/settings/registry ``` --- Returns the configured SAML settings that is used to authenticate to the Prisma Cloud Compute console. ## cURL Request Refer to the following example cURL request: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/settings/saml ``` --- Configures the SAML settings that is used to authenticate to the Prisma Cloud Compute. For more information, see [Okta via SAML 2.0](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/saml), [G Suite via SAML](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/saml_google_g_suite), [Azure AD via SAML](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/saml_azure_active_directory), [PingFederate via SAML](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/saml_ping_federate), and [ADFS via SAML](https://docs.paloaltonetworks.com/prisma/prisma-cloud/30/prisma-cloud-compute-edition-admin/authentication/saml_active_directory_federation_services). ## cURL Request Refer to the following example cURL request that uses the basic auth to set up and enable the SAML integration with Prisma Cloud Compute: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{ "enabled": true, "url": "https://my-adfs-server.twistlock.com/adfs/SSO", "cert": "", "issuer": "https://my-adfs-server.twistlock.com/adfs/services/trust", "type": "adfs", "audience": "twistlock", "appId": "", "tenantId": "", "appSecret": { "encrypted": "" } }' \ "https:///api/v/settings/saml" ``` --- Returns the global settings for image, host, container, and registry scanning. ## cURL Request Refer to the following example cURL request: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/scan" ``` --- Configures the Prisma Cloud Compute scanner settings. For more information, see [Configure Scanning](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/configure/configure_scan_intervals). ## cURL Request Refer to the following example cURL request that configures the following scan intervals: * Scan registries and serverless functions once per week. * Scan images, containers, and hosts once per day. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "imagesScanPeriodMs":86400000, "containersScanPeriodMs": 86400000, "systemScanPeriodMs": 86400000, "serverlessScanPeriodMs": 604800000, "registryScanPeriodMs":604800000 }' \ "https:///api/v/settings/scan" ``` --- This endpoint will return configured secret store already configured in the console. This can be found in the console under **Manage > Authentication > Secrets**. The following example curl command retrieves any configured secret stores, as well as the refresh period in hours: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/secrets ``` --- Updates the secret store settings found in the console under **Manage > Authentication > Secrets**. Please note the data structure returned from endpoint /settings/secrets GET to set in POST Refer to the following example curl command that adds a CyberArk secret store to the console with the appID set to `Prisma_Cloud_Compute_Console` and set the URL to `https://services-myca.twistlock.com:10882`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{ "secretsStores": [ { "name": "Cyberark", "type": "cyberark", "appID": "Prisma_Cloud_Compute_Console", "url": "https://services-myca.twistlock.com:10882", "caCert": { "encrypted": "" }, "clientCert": { "encrypted": "" }, "useAWSRole": false, "region": "", "credentialId": "", "roleArn": "" } ]}' \ https://:8083/api/v/settings/secrets ``` --- Retrieves the list of serverless function scan scopes. Serverless scan scopes specify a region and a credential. This endpoint maps to the **Function scope** table data in the **Defend > Vulnerabilities > Functions > Functions** Console UI. ### cURL Request Refer to the following example cURL command that retrieves a list of serverless scan scopes: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/settings/serverless-scan' ``` A successful response returns a list of scan scopes. --- Adds serverless function providers to scan for vulnerabilities. To invoke this endpoint in the Console UI: 1. Navigate to **Defend > Vulnerabilities > Functions > Functions**. 2. Under the **Function scope** table, add a registry item using **+ Add scope** **Note:** If the table is not present, use the **Add the first item** link. 3. Click the **Save** button. ### General Set up and Scan Process This endpoint works hand-in-hand with the `/policies` endpoints. **To set up a scope for serverless scanning:** 1. Add your scope information using this endpoint. For example, specify a region and credentials for accessing the AWS account. 2. Prisma Cloud auto-discovers the serverless functions in scope. 3. The list of auto-discovered serverless functions is passed to the scanner for evaluation. The scanner uses the corresponding `/policies/vulnerability/serverless` endpoint to assess each serverless function. ### cURL Request Each scan scope is specified as an element in array. The critical fields for this endpoint are: * `provider` - Host provider name. For example, `aws` refers to Amazon Web Services. * `credentialID` - ID of the credentials in the credentials store to authenticate against the service provider. Refer to the following example cURL command that adds serverless scan scopes to scan with a new single serverless scan scope. ```bash $ curl 'https:///api/v/settings/serverless-scan' \ -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '[ { "provider": "aws", "credential":{}, "credentialID":"IAM Role" } ]' ``` **Note:** No response will be returned upon successful execution. --- This endpoint will return any configured serverless function scanners found in **Defend > Vulnerabilities > Functions**. The following example curl command uses basic auth to retrieve serverless settings in an array, sorted by Cloud Provider: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/serverless ``` --- This endpoint will add serverless function providers to scan for vulnerabilities. The following example curl command uses basic auth to add a serverless account to scan for serverless functions. This is assuming that you already have the [credential](https://docs.twistlock.com/docs/latest/configure/credentials_store.html) added to the console that is needed to scan that provider: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '[ { "provider": "aws", "region": "us-east-1", "pattern": "*", "cap": 5, "useAWSRole": false, "credential": { "_id": "AWS" } } ]' \ https://:8083/api/v1/settings/serverless ``` --- Updates the serverless scan scopes. All scan scopes are updated in a single shot. ### cURL Request Each scan scope is specified as an element in array. The critical fields for this endpoint are: * `provider` - Host provider name. For example, `aws` refers to Amazon Web Services. * `credentialID` - ID of the credentials in the credentials store to authenticate against the service provider. Refer to the following example cURL command that overwrites all serverless scan scopes to scan with a new single serverless scan scope: ```bash $ curl 'https:///api/v/settings/serverless-scan' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '[ { "provider": "aws", "credential":{}, "credentialID":"IAM Role" } ]' ``` **Note:** No response will be returned upon successful execution. --- This endpoint will return all system settings in JSON format. The following example curl command does exactly that: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/settings/system ``` --- Retrieves Tanzu Application Service (TAS) settings. ### cURL Request Refer to the following example cURL command that retrieves all TAS settings: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/tas" ``` --- Sets the Tanzu Application Service (TAS) settings. ### cURL Request Refer to the following example cURL command that configures the TAS settings: ```bash $ curl 'https:///api/v/settings/tas' -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '[ { "cap": 5, "cloudControllerAddress": "https://example.com", "hostname": "vm-host", "pattern": "droplet-name" } ]' ``` --- Returns the telemetry settings that anonymously reports the threats and vulnerabilities to Prisma Cloud Compute. For more information, see [telemetry](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/technology_overviews/telemetry) article. ## cURL Request Refer to the following example cURL request that retrieves the settings if telemetry is enabled or not: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/settings/telemetry" ``` --- Enables or disables the telemetry feature. For more information, see [telemetry](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/technology_overviews/telemetry) article. ## cURL Request Refer to the following example cURL request that uses basic auth to turn off telemetry: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"enabled":false}' \ "https:///api/v/settings/telemetry" ``` --- Adds a certificate to the list of explicitly trusted certificates. Use this endpoint to control how users authenticate to Prisma Cloud Compute. Users employ client certificates to authenticate commands sent from a Docker client through Prisma Cloud Compute. > **_NOTE:_** You can only add a custom certificate if the trusted certificates mode is enabled. For more information, see the `/settings/trusted-certificates` endpoint. ## cURL Request Refer to the following example cURL request that uses basic auth to add a certificate to the list: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -w "\nResponse code: %{http_code}\n" \ -X POST \ -d '{"certificate": "-----BEGIN CERTIFICATE-----\nMIIDUTCCAjmgAwIBAgI......XMKXJA==\n-----END CERTIFICATE-----" }' "https:///api/v/settings/trusted-certificate" ``` --- Enables authentication for just an explicit list of trusted certificates. Use this endpoint to control how users authenticate to Prisma Cloud Compute. Users employ client certificates to authenticate commands sent from a Docker client through Prisma Cloud Compute. > **_NOTE:_** This feature can only be enabled if a custom certificate authority has been configured. For more information, see the `/settings/certificates` endpoint. ## cURL Request Refer to the following example cURL request that uses basic auth to enable this feature: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -w "\nResponse code: %{http_code}\n" \ -X POST \ -d '{"enabled" : true }' "https:///api/v/settings/trusted-certificates" ``` --- Retrieves the list of VM image scan scopes. This endpoint maps to the **VM images scope** table data in the **Defend > Vulnerabilities > Hosts > VM images** Console UI. ### cURL Request Refer to the following example cURL command that retrieves all the scopes used for pattern matching on VM functions: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/settings/vm' ``` --- Updates the list of VM image scan scopes. The list of scopes are updated in a single shot. To invoke this endpoint in the Console UI: 1. Navigate to **Defend > Vulnerabilities > Hosts > VM images**. 2. Under the **VM images scope** table, add a registry item using **+ Add scope**. **Note:** If the **+ Add scope** button is not present, use the **Add the first item** link. 3. Click the **Save** button. ### General Set up and Scan Process This endpoint works hand-in-hand with the `/policies` endpoints. Prisma Cloud auto-discovers the VM images in your cloud account according to the scan scopes specified in `/settings/vm`. The list of auto-discovered VM images is passed to the scanner for evaluation. The scanner uses the corresponding `/policies/vulnerability/vms` endpoint to assess each VM image. ### cURL Request Each VM image scan scope is specified as an element in the endpoint's payload array. The critical fields for this endpoint are: * `version` - Cloud provider. Currently, only Amazon AWS is supported. * `region` - Region to scan. * `credentialID` - Credential ID from the credentials store so Prisma Cloud can authenticate with the cloud provider to access the VM images. * `collections` - Filter for refining the scope of VM images to scan. You can scope by VM image name and AWS tag. * `consoleAddr` - Address for Console that Defender (the scanner) can reach over the network to publish scan results. Refer to the following example cURL command that overwrites all current scan scopes with single scan scope: ```bash $ curl 'https:///api/v/settings/vm' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '[ { "version":"aws", "region":"us-east-1", "credentialID":"IAM Role", "collections":[{"name":"All"}], "cap": 5, "scanners": 1, "consoleAddr":"127.0.0.1" } ]' ``` **Note:** No response will be returned upon successful execution. --- Creates the initial admin user after Console is first installed. Although this endpoint is supported, no backwards compatibility is offered for it. ### cURL Request The following cURL command creates the initial admin user with the username `admin` and password `password`. ```bash $ curl -k \ -H 'Content-Type: application/json' \ -X POST \ -d '{"username": "admin", "password": "password"}' \ https:///api/v1/signup ``` **Note:** The username and password values are case-sensitive. ### Responses **Success Response:** No response will return if the user creation is successful. ```bash {"token", "ACCESS_TOKEN_VALUE"} ``` **Error Response:** An error response will return the following response if the initial sign up process was previously completed. ```bash {"err":"system already initialized"} ``` --- Creates the initial admin user after Console is first installed, to help automation of Console setup. Invoke this endpoint after Prisma Cloud Compute is first installed. You can use this endpoint along with other endpoints to automate the Prisma Cloud Compute installation and setup. For example, see `POST /api/v1/settings/license` to automate the submission of your license key. **Note:** This sign up endpoint can only be executed once from Console *or* the API. Invoking this endpoint after completion of the initial sign up will result in a `400` error response. --- Returns a list of capabilities used in host models. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/static/capabilities ``` --- Returns a list of regions used in cloud radar. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/static/regions ``` --- Return lists of constants used throughout the product. --- Returns a list of the Linux kernel system calls. Runtime rules for containers can allow-list and deny-list specific system calls. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/static/syscalls ``` --- Returns a list of static compliance and vulnerability data. This data can be used for building out reports with the API. This data can be correlated with the `/api/v1/images` endpoint, specifically the the `complianceVulnerabilities` and `cveVulnerabilities` objects, to generate more thorough reports. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/static/vulnerabilities ``` --- Returns statistics on the number of compliance issues found on hosts/images/serverless/containers in your environment, organized by day (`_id`). This will also return a list of all of the compliance issues affecting the resources in your environment for each day. For the current day, the response will also include detailed compliance stats for each running container and host at the time of the last scan. The following example command that uses curl and basic auth to retrieve compliance statistics: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/stats/compliance ``` --- Returns compliance statistics, including: * Compliance rate by regulation, CIS benchmark, and policy rule. * Trend of failed compliance checks over time. * List of all compliance checks with their corresponding compliance rate. This endpoint maps to the table in **Monitor > Compliance > Compliance explorer** in the Console UI. ### cURL Request Refer to the following example cURL command that retrieves compliance statistics: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/stats/compliance' ``` A successful response returns a summary count of compliance issues. The response also shows a detailed list of compliance issues for each running container and host. --- Refreshes the current day's compliance violations counts and list, as well as the affected running resources. The response will return exactly what the /statistics/compliance endpoint returns, only with updated statistics for the current day. The following example command that uses curl and basic auth to refresh compliance statistics: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/stats/compliance ``` --- Refreshes the current day's list and counts of compliance issues, as well as the list of affected running resources. This endpoint returns the same response as `/api/v/stats/compliance`, but with updated data for the current day. ### cURL Request Refer to the following example cURL command that refreshes compliance statistics for the current day: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ 'https:///api/v/stats/compliance/refresh' ``` A successful response returns a summary count of compliance issues for the current day. The response also shows a detailed list of compliance issues for each running container and host for the current day. --- Returns daily statistics about the resources protected by Prisma Cloud Compute, including the total number of generated runtime audits, number of image vulnerabilities and compliance violations, etc. The following example command that uses curl and basic auth to retrieve daily stats: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/stats/daily ``` --- Returns a historical list of per-day statistics for the resources protected by Prisma Cloud Compute, including the total number of runtime audits, image vulnerabilities, and compliance violations. The following example command uses curl and basic auth to retrieve the daily stats: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/stats/daily ``` --- Returns daily statistics about the resources protected by Prisma Cloud Compute, including the total number of generated runtime audits, number of image vulnerabilities and compliance violations, etc. The following example command that uses curl and basic auth to retrieve dashboard stats: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/stats/dashboard ``` --- Returns statistics about the resources protected by Prisma Cloud Compute, including the total number of runtime audits, image vulnerabilities, and compliance violations. ### cURL Request Refer to the following example cURL command that retrieves dashboard stats: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/stats/dashboard ``` --- Returns events statistics for your environment. ### cURL Request Refer to the following example cURL command retrieves event stats: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/stats/events ``` ### Response ```json { "containerAppFirewall": 0, "hostAppFirewall": 0, "containerRuntime": 0, "containerNetworkFirewall": 0, "hostRuntime": 0, "hostNetworkFirewall": 0, "hostActivities": 0, "raspAppFirewall": 0, "raspRuntime": 0, "serverlessRuntime": 0, "logInspection": 0, "fileIntegrity": 0, "dockerAccess": 0, "kubernetesAudits": 0, "trustAudits": 0 } ``` --- Return vulnerability and compliance stats for your environment. --- Returns statistics on the number of CVEs found on hosts/images/serverless/containers in your environment, organized by day (`_id`). This will also return a list of all of the CVEs affecting the resources in your environment for each day. For the current day, the response will also include descriptions of the CVEs currently affecting the resources in your environment. The following example command that uses curl and basic auth to retrieve vulnerability statistics: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/stats/vulnerabilities ``` --- Downloads a list of vulnerabilities (CVEs) in the deployed images, registry images, hosts, and serverless functions affecting your environment in a CSV format. The response also includes detailed descriptions for each CVE. The data for each CVE, such as impacted packages, highest severity, and so on, is based on the entire environment irrespective of the collections filter, assigned collections, or assigned accounts. You can use filters such as `cvssThreshold`, `severityThreshold`, or `collections` as query parameters to get desired results. Consider the following observations: - You cannot use new filters such as **severityThreshold** and **cvssThreshold** with the **collections** filter or when you're assigned with specific collections or accounts. - The impacted resources and distribution counts are not retrieved when you apply filters or you are assigned with specific collections or accounts. For example, when you apply these filters, the counts in the API `/stats/vulnerabilities` are returned as zero and empty in the API `/stats/vulnerabilites/download`. * **cvssThresold**: Retrieves a list of vulnerabilities (CVEs) that matches the specified value of CVSS score or higher. * **severityThreshold**: Retrieves a list of vulnerabilities (CVEs) that matches the specified value of the severity threshold or higher. * **collections**: Retrieves a list of vulnerabilities (CVEs) that matches the specified collection name. ### cURL Request Refer to the following example cURL command that downloads a summary count of the CVEs and detailed descriptions for each CVE in a CSV format: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ - o \ 'https:///api/v/stats/vulnerabilities/download' ``` --- Returns a list of vulnerabilities (CVEs) in the deployed images, registry images, hosts, and serverless functions affecting your environment. The response also includes detailed descriptions for each CVE. The data for each CVE, such as impacted packages, highest severity, and so on, is based on the entire environment irrespective of the collections filter, assigned collections, or assigned accounts. This endpoint maps to the table in **Monitor > Vulnerabilities > Vulnerability explorer** in the Console UI. You can use filters such as `cvssThreshold`, `severityThreshold`, or `collections` as query parameters to get desired results. Consider the following observations: - You cannot use new filters such as **severityThreshold** and **cvssThreshold** with the **collections** filter or when you're assigned with specific collections or accounts. - The impacted resources and distribution counts are not retrieved when you apply filters or you are assigned with specific collections or accounts. For example, when you apply these filters, the counts in the API `/stats/vulnerabilities` are returned as zero and empty in the API `/stats/vulnerabilites/download`. * **cvssThresold**: Retrieves a list of vulnerabilities (CVEs) that matches the specified value of CVSS score or higher. * **severityThreshold**: Retrieves a list of vulnerabilities (CVEs) that matches the specified value of the severity threshold or higher. * **collections**: Retrieves a list of vulnerabilities (CVEs) that matches the specified collection name. ### cURL Request Refer to the following example cURL command that retrieves a summary count of the CVEs and detailed descriptions for each CVE: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/stats/vulnerabilities' ``` ### cURL Response A successful response returns a summary count of the CVEs and detailed descriptions for each CVE. --- Downloads a list of impacted resources for a specific vulnerability in a CSV format. This endpoint returns a list of all deployed images, registry images, hosts, and serverless functions affected by a given CVE. You can use filters such as `cvssThreshold`, `severityThreshold`, or `collections` as query parameters to get desired results. Consider the following observations: - You cannot use new filters such as **severityThreshold** and **cvssThreshold** with the **collections** filter or when you're assigned with specific collections or accounts. * **cvssThresold**: Retrieves a list of vulnerabilities (CVEs) that matches the specified value of CVSS score or higher. * **severityThreshold**: Retrieves a list of vulnerabilities (CVEs) that matches the specified value of the severity threshold or higher. * **collections**: Retrieves a list of vulnerabilities (CVEs) that matches the specified collection name. ### cURL Request Refer to the following example cURL command that downloads a list of impacted resources for `CVE-2015-0313` in a CSV format: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o \ "https:///api/v/stats/vulnerabilities/impacted-resources/download?cve=CVE-2015-0313" ``` --- Generates a list of impacted resources for a specific vulnerability. This endpoint returns a list of all deployed images, registry images, hosts, and serverless functions affected by a given CVE. Prisma Cloud Compute recalculates the stats for your environment every 24 hours. Alternatively, you can manually update the stats by clicking the Refresh button in Vulnerability Explorer. You can use filters such as `cvssThreshold`, `severityThreshold`, or `collections` as query parameters to get desired results. Consider the following observations: - You cannot use new filters such as **severityThreshold** and **cvssThreshold** with the **collections** filter or when you're assigned with specific collections or accounts. * **cvssThresold**: Retrieves a list of vulnerabilities (CVEs) that matches the specified value of CVSS score or higher. * **severityThreshold**: Retrieves a list of vulnerabilities (CVEs) that matches the specified value of the severity threshold or higher. * **collections**: Retrieves a list of vulnerabilities (CVEs) that matches the specified collection name. ### cURL Request Refer to the following example cURL command that retrieves a list of impacted resources for `CVE-2022-28391`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/stats/vulnerabilities/impacted-resources?cve=CVE-2022-28391' ``` ### cURL Response Refer to the following example JSON response that shows the risk tree for the impacted resources: ```bash { "_id": "CVE-2022-28391", "images": [ { "resourceID": "sha256:a787cb9865032e5b5a407ecdf34b57a23a4a076aaa043d71742ddb6726ec9229", "containers": [ { "image": "alpine:3.11", "container": "mystifying_banzai", "host": "jen-sle12-dock-0911t162051-cont-def-pre-lngcon231.c.twistlock-test-247119.internal", "factors": { "rootPrivilege": true } }, { "image": "alpine:3.11", "container": "compassionate_austin", "host": "jen-sle15-dock-0911t162051-cont-def-pre-lngcon231.c.twistlock-test-247119.internal", "factors": { "rootPrivilege": true } }, ... }, { "resourceID": "sha256:fcd5d51fc526ef1ff7cf2e94aa91be39d052874057ff603b66b9b461386fae93", "containers": [ { "image": "infoslack/dvwa:latest", "factors": {} } ] }, { "resourceID": "sha256:bc6b65772f298854ea0dca7d562684cb835f2f677e0e2ea1863b4566f29dcac1", "containers": [ { "image": "ghcr.io/christophetd/log4shell-vulnerable-app:latest", "factors": {} } ] }, ... ], "hosts": [ { "resourceID": "jen-ubu2204-dock-0911t162051-cont-def-pre-lngcon231.c.twistlock-test-247119.internal" }, { "resourceID": "jen-ubu2004-dock-0911t162051-cont-def-pre-lngcon231.c.twistlock-test-247119.internal" }, ... ], "imagesCount": 5, "hostsCount": 21, "functionsCount": 0, "codeReposCount": 0, "registryImagesCount": 0 } ``` ### cURL Request Refer to the following example cURL command that retrieves a the impacted registry images `CVE-2015-0313` by using an optional query parameter `resourceType`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/stats/vulnerabilities/impacted-resources?cve=CVE-2015-0313&resourceType=registryImage' ``` **Note**: The API returns the impacted registry images only when you use the optional `resourceType` parameter with value `registryImage`. ### cURL Request Refer to the following example cURL command that retrieves a paginated list of impacted resources for `CVE-2015-0313` by using optional query parameters `limit` and `offset`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/stats/vulnerabilities/impacted-resources?cve=CVE-2015-0313&offset=10&limit=100' ``` --- Refreshes the current day's CVE counts and CVE list, as well as their descriptions. The response will return exactly what the /statistics/vulnerabilities endpoint returns, only with updated statistics for the current day. The following example command that uses curl and basic auth to refresh vulnerability statistics: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ https://:8083/api/v1/stats/vulnerabilities/refresh ``` --- Refreshes the current day's CVE counts and CVE list, as well as their descriptions. This endpoint returns the same response as `/api/v/stats/vulnerabilities`, but with updated data for the current day. ### cURL Request Refer to the following example cURL command that refreshes the vulnerability statistics for current day: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ 'https:///api/v/stats/vulnerabilities/refresh' ``` A successful response returns a summary count of the CVEs and detailed descriptions for each CVE for the current day. --- Returns the workload statistics from Console. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/stats/workload ``` Here is an example of when would be returned: ```json { "Timestamp": "0001-01-01T00:00:00Z", "HourSamples": 0, "HourAvg": 0, "DailySamples": null, "exceeded": false, "avg": 0, "msg": "" } ``` --- Returns the connection status of the intelligence stream and the last intelligence stream update. The following is an example curl using basic auth to find the intelligence stream status: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/statuses/intelligence ``` --- Returns the connection status for the Intelligence Stream, along with the time of the last update. The following is an example curl using basic auth to find the intelligence stream status: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/statuses/intelligence ``` --- Returns the status of a regular registry scan that might include the following information: - Scan is completed: `"completed": true` - Scan is ongoing. - Errors: 10 most recent aggregated errors that occured during the scan with error messages such as: - "Failed to retrieve repositories info..." - "Failed to query image details..." - "No available Defender was found" To view the more details about the progress of a regular or on-demand registry scan, use the `/registry/progress` API endpoint. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/statuses/registry ``` ### Response ```json { "scanTime": "2019-07-31T19:42:49.036311567Z", "completed": true } ``` --- Returns the connection status of any secret stores you have configured, as well as the last update to the secret store. The following is an example curl using basic auth to find the secret store status: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/statuses/secrets ``` --- Returns the status of the serverless scans. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/statuses/serverless-radar ``` --- Return connection and scan statuses for the various Prisma Cloud Compute subsystems. --- Retrieves a list of tags. ### cURL Request Refer to the following example cURL command that retrieves a list of tags: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/tags" ``` A successful response returns a list of defined tags. --- Deletes a tag from the system. ### cURL Request Refer to the following example cURL command that deletes a tag named *my tag*: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ "https:///api/v/tags/my%20tag" ``` A space must be encoded with the value `%20` as specified here in [unsafe characters in a URL](https://www.ietf.org/rfc/rfc1738.txt). --- Updates the parameters in a given tag. You must define all parameters in your PUT request. **Note:** `""` (an empty string) is automatically assigned for any unspecified field. ### cURL Request Refer to the following example cURL command that updates the parameters in a tag named `my_tag`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d \ '{ "name": "my_tag2", "color": "#ff0000", "description": "A super cool tag" }' \ "https:///api/v/tags/my_tag" ``` --- Creates a tag that helps you manage the vulnerabilities in your environment. You can use tags as policy exceptions or assign them to vulnerabilities for action. **Note:** `""` (an empty string) is automatically assigned for any unspecified field. ### cURL Request Refer to the following example cURL command that creates a tag named "my-tag": ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "name": "my-tag", "color": "#ff0000", "description": "A test collection" }' \ "https:///api/v/tags" ``` --- Removes a tag from a vulnerability. When you delete a tag, the tag is deleted from a wider scope. All the packages and resources that were in scope will be untagged. ### cURL Request Refer to the following example cURL command that removes the tag named `ignored` from the CVE `CVE-2017-15088`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ -d \ '{ "id": "CVE-2017-15088", "packageName": "krb5" }' \ "https:///api/v/tags/ignored/vuln" ``` --- Sets a tag to a vulnerability based on Common Vulnerability and Exposures (CVE) ID, package, and resource. **Consider the following scenarios**: - When you apply a tag to a vulnerability only on a package, the tag applies to the vulnerability in all the resources related to it. - When you apply a tag only to a vulnerability, the tag applies to the vulnerability in all the packages and resources related to it. - When you apply a tag to a vulnerability on a resource type, specify the scope of the resources using either a wildcard "*" or resource names. A vulnerability can be found in a source package or a binary package. The vulnerability feed reports CVE data either on source packages or binary packages. For example, Debian and Ubuntu report CVEs on the source package, while RHEL reports on binary packages. **Source package:** Provides all the necessary files to compile or build the desired piece of software. For more information, see [Source Package](https://wiki.debian.org/Packaging/SourcePackage). **Binary package:** Built from a source package. There could be multile binary packages that are built from a source package. For example, `perl` is a source package, and you can build different binary packages such as `libperl-dev`, `perl`, or `perl-base`. For more information, see [Perl](https://packages.ubuntu.com/source/focal/perl). Prisma Cloud ingests all the various distro vulnerability feeds, and normalizes them so that they can be used uniformly across the product. The **package info** tab shows both source and binary package fields in a vulnerability report. Refer to the following parameter descriptions: - **id**: `Required` Specifies the Common Vulnerability and Exposures (CVE) ID. - **packageName**: `Required` Specifies the source or the binary package name where the vulnerability is found. Specify the source package name for tagging when the vulnerability is found in the source package. Use the wildcard `*` to apply the tag to all the packages where the vulnerability is found. - **resourceType**: Specifies the resource type for tagging where the vulnerability is found. Use the wildcard `*` to apply the tag to all the resource types where the vulnerability is found. The available values are: `image`, `host`, `function`, `codeRepo`, and `""`. - **resources**: `Required when you define the resource type.` Specifies the resource for tagging where the vulnerability is found. Either specify the resource names separated by a comma or use the wildcard `*` to apply the tag to all the resources where the vulnerability is found. - **checkBaseLayer**: `Applies only to the resource type image.` Checks for the base image in the resources and whether to tag those resources. - **comment**: Adds a comment. Consider the following scenarios for source and binary packages: - Debian or Ubuntu lists the binary packages and source packages. A CVE-2020-16156 is found in a binary package `perl-base` and source package `perl` in Ubuntu 20.04.3 LTS distro. ![Package information](https://cdn.twistlock.com/docs/api/Ubuntu-Vuln-Bin-Package-Info.png) The parameter *packageName* in the endpoint accepts only the source package name for tagging if a source package is available. ### cURL Request Refer to the following example cURL command that tags `Ignored` to the CVE `CVE-2020-16156` on the source package `perl`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "id": "CVE-2020-16156", "packageName": "perl" }' \ "https:///api/v/tags/Ignored/vuln" ``` Refer to the following image that displays the tagged vulnerability: ![Tagged vulnerability in Ubuntu](https://cdn.twistlock.com/docs/api/Ubuntu-Vuln-Bin-Package-CVE-tagged-Ignored-Vuln.png) - The RPM package lists CVEs on the available binary packages and not the source packages. A CVE `CVE-2021-20305` found in only `gnutls` binary package in CentOS Linux Release 8.4.2105. ![Package information](https://cdn.twistlock.com/docs/api/CentOS-Vuln-Bin-Package-Info.png) Use the binary package name for tagging only when the source package is not available or NULL. ### cURL Request Refer to the following example cURL command that tags `Ignored` to the CVE `CVE-2021-20305` on the binary package `gnutls`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "id": "CVE-2021-20305", "packageName": "gnutls" }' \ "https:///api/v/tags/Ignored/vuln" ``` Refer to the following image that displays the tagged vulnerability: ![Tagged vulnerability in CentOS](https://cdn.twistlock.com/docs/api/CentOS-Vuln-Bin-Package-CVE-tagged-Ignored-Vuln.png) Consider the following scenarios when you want to tag a vulnerability to all packages and resources related to it: - A CVE `CVE-2020-16156` is found in several packages such as `perl`, `perl-open`, `perl-macros`, `perl-libs`, and so on. You want to apply a tag `Ignored` to all the packages and resources. ![CVE information](https://cdn.twistlock.com/docs/api/Tagging-Only-Vulnerability.png) ### cURL Request Refer to the following example cURL command that tags `Ignored` to the CVE `CVE-2020-16156`: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "id": "CVE-2020-16156", "packageName": "*" }' \ "https:///api/v/tags/Ignored/vuln" ``` Refer to the following image that displays the tagged vulnerability: ![Tagged vulnerability](https://cdn.twistlock.com/docs/api/Tagged-Vulnerability.png) - A CVE `CVE-2020-16156` is found in several packages such as `perl`, `perl-open`, `perl-macros`, `perl-libs`, and so on. You want to apply a tag `Ignored` to the resource type `image` but to all the packages and resources. ### cURL Request Refer to the following example cURL command that tags `Ignored` to the CVE `CVE-2020-16156` on the resource type `image` and to all the packages and resources. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "id": "CVE-2020-16156", "packageName": "*", "resourceType": "image", "resources": ["*"] }' \ "https:///api/v/tags/Ignored/vuln" ``` - A CVE `CVE-2020-16156` is found in several packages such as `perl`, `perl-open`, `perl-macros`, `perl-libs`, and so on. You want to apply a tag `Ignored` to the resource type `host`and resource `servo-vmware71` but to all the packages. ### cURL Request Refer to the following example cURL command that tags `Ignored` to the CVE `CVE-2020-16156` on the resource type `host`, resource `servo-vmware71`, and to all the packages. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d \ '{ "id": "CVE-2020-16156", "packageName": "*", "resourceType": "host", "resources": ["servo-vmware71"] }' \ "https:///api/v/tags/Ignored/vuln" ``` *Note:* A tag assignment is identified by the combination of the `id`, `packageName`, `resourceType`, and `tag` fields. Invoking the endpoint again for an existing tag assignment overrides the existing tag assignment for the resource. For example, invoking the endpoint consecutively with the following values: 1. `{"id":"CVE-1","packageName":"pkg","resourceType":"image","resources":["library/python:latest"],"tag":"In progress"}` 2. `{"id":"CVE-1","packageName":"pkg","resourceType":"image","resources":["library/python:latest"],"tag":"New Tag"}` 3. `{"id":"CVE-1","packageName":"pkg","resourceType":"host","resources":["devbox"],"tag":"New Tag"}` 4. `{"id":"CVE-1","packageName":"pkg","resourceType":"image","resources":["node:latest"],"tag":"New Tag"}` Will result in the following tag assignments: 1. The first invocation creates the entry: "In progress", "CVE-1", "pkg", "image", "library/python:latest" 2. The second invocation creates a second (new) entry: "New Tag", "CVE-1", "pkg","image", "library/python:latest" 3. The third invocation creates a third (new) entry: "New Tag", "CVE-1", "pkg","host", "devbox" 4. The fourth invocation overrides the second entry with the following values: "New Tag", "CVE-1", "pkg", "image", "node:latest" --- Tags are predefined labels that help you manage your vulnerabilities via the Console UI and Prisma Cloud Compute API. --- Downloads scan reports for Tanzu Application Service (TAS) droplets in CSV format. This endpoint maps to the CSV hyperlink in **Monitor > Vulnerabilities > VMware Tanzu blobstore** in the Console UI. ### cURL Request The following cURL command downloads all TAS droplets to a CSV file called `tas_droplets.csv`: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/tas-droplets/download \ > tas_droplets.csv ``` A successful response displays the status of the download. --- Retrieves scan reports for Tanzu Application Service (TAS) droplets. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. This endpoint maps to the table in **Monitor > Vulnerabilities > VMware Tanzu blobstore** in the Console UI. ### cURL Request The following cURL command retrieves all TAS droplets. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/tas-droplets \ ``` A successful response returns all TAS droplets. --- Gets the Cloud Controller Addresses of scanned Tanzu Application Service (TAS) droplets.\n > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. ### cURL Request The following cURL command retrieves the Cloud Controller Addresses of scanned TAS droplets. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/tas-droplets/addresses \ ``` --- Returns the details of the TAS Droplets ongoing scan. ### cURL Request Refer to the following cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/tas-droplets/progress" ``` --- Scans the TAS Droplets. ### cURL Request Refer to the following cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/tas-droplets/scan" ``` --- Stops the ongoing scan of TAS Droplets. ### cURL Request Refer to the following cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/tas-droplets/stop" ``` --- Returns the trusted registries, repositories, and images. ## cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/trust/data ``` ## cURL Response Refer to the following example response: ```bash $ { "policy": { "_id": "trust", "enabled": false, "rules": [ { "modified": "2023-05-11T09:24:33.936Z", "owner": "ss", "name": "Copy of combined", "previousName": "", "disabled": true, "allowedGroups": [ "by_cluster" ], "deniedGroups": [ "by_host" ], "collections": [ { "hosts": [ "ss-ubu2204-dock-0905t072802-cont-def-pre-lngcon443.c.example-247119.internal" ], "images": [ "*" ], "labels": [ "*" ], "containers": [ "*" ], "functions": [ "*" ], "namespaces": [ "*" ], "appIDs": [ "*" ], "accountIDs": [ "*" ], "codeRepos": [ "*" ], "clusters": [ "*" ], "name": "trust_by_host", "owner": "ss", "modified": "2023-05-11T09:17:17.556Z", "color": "#D64CA8", "system": false, "prisma": false } ], "effect": "alert" }, { "modified": "2023-05-11T09:24:13.952Z", "owner": "ss", "name": "combined", "previousName": "", "disabled": true, "allowedGroups": [ "by_cluster" ], "deniedGroups": [ "by_host" ], "collections": [ { "hosts": [ "jen-ubu2204-dock-0905t072802-cont-def-pre-lngcon443.c.twistlock-test-247119.internal" ], "images": [ "*" ], "labels": [ "*" ], "containers": [ "*" ], "functions": [ "*" ], "namespaces": [ "*" ], "appIDs": [ "*" ], "accountIDs": [ "*" ], "codeRepos": [ "*" ], "clusters": [ "*" ], "name": "trust_by_host", "owner": "ss", "modified": "2023-05-11T09:17:17.556Z", "color": "#D64CA8", "system": false, "prisma": false } ], "effect": "alert" }, { "modified": "2023-05-10T19:05:27.651Z", "owner": "ss", "name": "Default - alert all", "previousName": "", "collections": [ { "hosts": [ "*" ], "images": [ "*" ], "labels": [ "*" ], "containers": [ "*" ], "functions": [ "*" ], "namespaces": [ "*" ], "appIDs": [ "*" ], "accountIDs": [ "*" ], "codeRepos": [ "*" ], "clusters": [ "*" ], "name": "All", "owner": "system", "modified": "2023-05-09T07:00:08.761Z", "color": "#3FA2F7", "description": "System - all resources collection", "system": true, "prisma": false } ], "effect": "alert" } ] }, "groups": [ { "modified": "2023-05-10T19:08:34.893Z", "owner": "mbarash", "name": "", "previousName": "", "_id": "by_host", "images": [ "alpine:*" ] }, { "modified": "2023-05-10T19:16:46.886Z", "owner": "ss", "name": "", "previousName": "", "_id": "by_cluster", "images": [ "registry.k8s.io/etcd:*" ] }, { "modified": "2023-05-11T09:11:54.683Z", "owner": "ss", "name": "", "previousName": "", "_id": "by_image", "images": [ "node:*" ] }, { "modified": "2023-05-11T09:21:23.54Z", "owner": "ss", "name": "", "previousName": "", "_id": "by_registry", "images": [ "mcr.azk8s.cn/*" ] }, { "modified": "2023-05-11T09:22:13.522Z", "owner": "ss", "name": "", "previousName": "", "_id": "by_repository", "images": [ "python:*" ] }, { "modified": "2023-05-11T09:22:47.854Z", "owner": "ss", "name": "", "previousName": "", "_id": "bu_layer_automated", "layers": [ "sha256:a0d44e5352dcb84bca48b6ee3d30a9ec91b5e6eb6793747e06d2454d360a9338", "sha256:5ad177daa048ca8b354b9ad03deac863ff519a2860a35dc9fdc0011619aacc3c", "sha256:543bb037d9827e706ea0ee9277e56ff916439a114fa56c520ac7dcaf6daae84a", "sha256:efd3b1563a816d85c6414e0c139691df720c34d6f65abaa19819d37b11459b40", "sha256:bc30bde5a6578b9643d05dd47105414777adadaf5df93b493eff1785e1e07328", "sha256:77e7191206a99af5cf1718885fb45262c2e2da30ad650c5868dfa3c54739c24a", "sha256:4fcf730353158873699670f97f2556942ff470c360539ff9283d80c72f275030", "sha256:d1a8d814c41eab7ee00b94a9184f081bf4c36721d559c5b349b9653bd473d8a0" ] }, { "modified": "2023-05-11T09:23:21.338Z", "owner": "ss", "name": "", "previousName": "", "_id": "by_manual_manual", "layers": [ "sha256:05f4935ad90ae437375c64090af07a6232bfeffc9f311e3e315919627c542ac9", "sha256:5aea01ea0a0f088b7844c169b9b8fd5ea034a21b4aa075ae3c54a1cb64138b93", "sha256:d8183b2c9c73e92b3569c8c77f05a245d1d4a58c3d3f23e740ea4f69c5e8d8f4", "sha256:ee50c22fdf6c99affec8690f7ef820f0e8cd19f4ece9a32503cdcf59a391514d" ] }, { "modified": "2023-05-11T12:41:27.885Z", "owner": "ss", "name": "", "previousName": "", "_id": "ss_test", "images": [ "kuku:*", "example/cves:*" ] } ] } ``` --- Updates a trusted image to the system. Specify trusted images using either the image name or layers properties. ## cURL Request Refer to the following example cURL command that uses basic auth to specify that the Ubuntu 16.04 image on Docker Hub is a trusted image: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d '{"image":"ubuntu/16.04", "_id":"docker-ubuntu-group"}' \ https:///api/v/trust/data ``` To edit a trust group based on image base layers, use PUT to specify a list of SHA256 hashes for the layers that are trusted. Refer to the following example that specifies the Ubuntu 16.04 image is a trusted base OS. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d '{"layers":"["sha256:a94e0d5a7c404d0e6fa15d8cd4010e69663bd8813b5117fbad71365a73656df9", "sha256:88888b9b1b5b7bce5db41267e669e6da63ee95736cb904485f96f29be648bfda", "sha256:52f389ea437ebf419d1c9754d0184b57edb45c951666ee86951d9f6afd26035e", "sha256:52a7ea2bb533dc2a91614795760a67fb807561e8a588204c4858a300074c082b", "sha256:db584c622b50c3b8f9b8b94c270cc5fe235e5f23ec4aacea8ce67a8c16e0fbad"]", "_id":"docker-ubuntu-group"}' \ "https:///api/v/trust/data" ``` --- Retrieves a list of all trusted images. The following example curl command uses basic auth to retrieve all trusted images: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/trust ``` --- Deletes an image trust group. Specify the image trust group to be deleted by the `_id`. The following example curl command uses basic auth to specify a image trust group for deletion with the handle `docker-ubuntu-group`. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https://:8083/api/v1/trust/docker-ubuntu-group ``` --- Updates the properties of an existing trusted image entry. In the request payload, specify either the `_id` or image name. The trusted group ID needs to be specified in request payload. On success, this method returns the handle (unique ID) for the modified entry. For more information about handles, see the `_id` in the response body for the GET method. The following example curl command uses basic auth to modify the image property for an existing trusted image entry, where the handle for the entry is `docker-ubuntu-group`. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X PUT \ -d '{"image":"ubuntu/18.04", "_id":"docker-ubuntu-group"}' \ https://:8083/api/v1/trust/docker-ubuntu-group ``` --- Returns the state of the trusted images model. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https://:8083/api/v1/trust/learn ``` --- Sets the state of trusted images model. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"state":"learning"}' https://:8083/api/v1/trust/learn ``` --- Adds a trusted image to the system. Specify trusted images using either the image name or layers properties. On success, this method returns the `_id` for the image trust group. For more information about handles, see the `_id` key in the response body for the GET method. The following example curl command uses basic auth to specify that the Ubuntu 16.04 image on Docker Hub is a trusted image. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"image":"ubuntu/16.04", "_id":"docker-ubuntu-group"}' \ https://:8083/api/v1/trust ``` To create a trust group based on image base layers, POST a list of SHA256 hashes for the layers that are trusted. The following example specifies the Ubuntu 16.04 image is a trusted base OS. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X POST \ -d '{"layers":"["sha256:a94e0d5a7c404d0e6fa15d8cd4010e69663bd8813b5117fbad71365a73656df9", "sha256:88888b9b1b5b7bce5db41267e669e6da63ee95736cb904485f96f29be648bfda", "sha256:52f389ea437ebf419d1c9754d0184b57edb45c951666ee86951d9f6afd26035e", "sha256:52a7ea2bb533dc2a91614795760a67fb807561e8a588204c4858a300074c082b", "sha256:db584c622b50c3b8f9b8b94c270cc5fe235e5f23ec4aacea8ce67a8c16e0fbad"]", "_id":"docker-ubuntu-group"}' \ https://:8083/api/v1/trust ``` --- Manage the list of registries, repositories, and images that are considered trusted. You can create a compliance policy that permits just the images in this list to execute in your environment. --- Retrieves a list of all users. This endpoint maps to **Manage > Authentication > Users** in the Console UI. ### cURL Request The following cURL command retrieves all users. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ 'https:///api/v/users' ``` A successful response returns a list of all users. --- Deletes a user from the system. The URL parameter `{id}` maps to `username`. The `username` for each user can be retrieved from the `GET /api/v/users` endpoint. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Authentication > Users**. 2. In a table row, click the **Actions** button for the user to update. 3. Click the **Delete** button to open the delete confirmation window. 4. Click the **Delete User** button to delete the user. **Note:** You can not delete the user for the current logged in account. ### cURL Request The following cURL command deletes user `ID` from the system. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X DELETE \ https:///api/v/users/ ``` **Note:** No response will be returned upon successful execution. --- Changes the password of a user. To invoke this endpoint in the Console UI: 1. Click on the user icon near the top-right corner of the Console UI. 2. Select **Change password**. 3. Enter the old and new passwords. 3. Click the **Save** button. ### cURL Request The following cURL command replaces the password of `USER` (the user authenticating with Console to call this endpoint). ```bash $ curl 'https:///api/v/users/password' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "oldPassword": "", "newPassword": "" }' ``` **Note:** No response will be returned upon successful execution. --- Adds a new user to the system. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Authentication > Users**. 2. Click **+ Add user** and enter the user's information. 3. Click the **Save** button. Every Console has a project name, even if projects aren't enabled. If you've deployed a single stand-alone Console, it's called `Central Console`. If you've enabled projects, the master Console is called `Central Console`. Each connected tenant project has a unique name, which is specified when the project is created. All users are created and managed in `Central Console`. ### cURL Requests Refer to the following example cURL requests: #### Add a New User When `authType` is set to `basic`, the system creates a "local" user that's managed in Console's database. If you integrated Prisma Cloud with an identity provider, set `authType` to a supported value, such as `saml`. The following example cURL command adds a new user to Central Console: ```bash $ curl 'https:///api/v/users' \ -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "username":"", "password":"", "role":"auditor", "authType":"basic" }' ``` **Note:** No response will be returned upon successful execution. #### Add a New User and Grant Access to a Project Use the `permissions` object to grant a user access to specific projects and specific collections in a project. When you define the `permissions` object, specify the following parameters: `projects`: (Required.) Specifies a project name. `collections`: (Requires initialization with a valid collection name.) Specifies a valid collection to assign to the user. If left unspecified, users are granted access to the `All` collection by default. The following example cURL command adds a new user to Console and grants access to the tenant project `PROJECT_NAME`: Before you invoke this request: 1. In the Console UI navigate to **Manage > Projects**. 2. Enable the **Use projects** setting. 3. If no project is provisioned, use the **+ Provision project** button to create a new project. 4. Retrieve a tenant project name from the table from the **Project** column. ```bash $ curl 'https:///api/v/users' \ -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "username":"", "password":"", "role":"auditor", "authType":"basic", "permissions":[ { "project":"" } ] }' ``` **Note:** No response will be returned upon successful execution. #### Add a New User and Grant Access to a Collection When assigning collections, you must explicitly specify a project. When you're working with a single stand-alone Console, the value for project is `Central Console`. The following example cURL command adds a new user to Console and grants access to the `finance-app` collection in `Central Console`: ```bash $ curl 'https:///api/v/users' \ -k \ -X POST \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "username":"", "password":"", "role":"auditor", "authType":"basic", "permissions":[ { "project":"Central Console", "collections":[ "finance-app" ] } ] }' ``` **Note:** No response will be returned upon successful execution. --- Updates an existing user in the system. To invoke this endpoint in the Console UI: 1. Navigate to **Manage > Authentication > Users**. 2. In a table row, click the **Actions** button for the user to update. 3. Click the **Manage** button and update the user's parameters. 4. Click the **Save** button to save the updated user. ### cURL Request The following example command changes the role of a user to `auditor`. In general, you should get the user object from `GET /api/v/users` and resubmit all key-value pairs, changing just the values that need updating. If key-values are left unspecified, their default values will override any current values (note the exception below). For example, if `permissions.collections` specified a collection named `finance-app`, but the submitted request omitted `permissions.collections`, its value would be reset to `All`. For "local" users, where `authType` is set to `basic`: if a password isn't specified, it's left as-is. For any other `authType`, passwords are managed by the identity provider (IdP), and aren't specified in the request body. ```bash $ curl 'https:///api/v/users' \ -k \ -X PUT \ -u \ -H 'Content-Type: application/json' \ -d \ '{ "username":"", "role":"auditor", "authType":"basic", "permissions":[ { "project":"", "collections":[ "All" ] } ] }' ``` **Note:** No response will be returned upon successful execution. --- Administrative endpoint to create and manage users. Assign roles and specify who has access to which projects and which collections. User management with these endpoints is supported for Compute Edition (self-hosted) only. If you integrated Prisma Cloud Compute Edition with an identity provider, use these endpoints to assign roles to individual users. Note that groups are a better way to assign roles when you have a large number of users. --- Downloads the twistcli binary executable for MacOS platforms based on ARM64 architecture. **Note:** This endpoint maps to the **MacOS platform** hyperlink in **Manage > System > Utilities** in the Console UI. ### cURL Request Refer to the following example cURL command that downloads and saves the “twistcli” binary executable for ARM64 bit MacOS platforms to your HOME directory: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET -o \ 'https:///api/v/util/osx/arm64/twistcli' ``` A successful response displays the status of the download. --- Downloads the twistcli binary executable for MacOS platforms. This endpoint maps to the **MacOS platform** hyperlink in **Manage > System > Utilities** in the Console UI. ### cURL Request The following cURL command downloads the twistcli binary executable for MacOS platforms. ```bash $ curl -k \ -u \ -L \ -o twistcli \ https:///api/v1/util/osx/twistcli ``` A successful response displays the status of the download. --- Downloads the twistcli binary executable for ARM64 bit Linux platforms. This endpoint maps to the **Linux platform** hyperlink in **Manage > System > Utilities** in the Console UI. ### cURL Request Refer to the following example cURL command that downloads and saves the “twistcli” binary executable to your HOME directory: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET -o \ 'https:///api/v/util/arm64/twistcli' ``` A successful response displays the status of the download. --- Downloads the twistcli binary executable for Linux platforms. This endpoint maps to the **Linux platform** hyperlink in **Manage > System > Utilities** in the Console UI. ### cURL Request Refer to the following example cURL command that downloads and saves the “twistcli” binary executable to your HOME directory: ```bash $ curl -k \ -u \ -X GET -o \ 'https:///api/v/util/twistcli' ``` A successful response displays the status of the download. --- Downloads the Prisma Cloud Compute Jenkins plugin. Although this endpoint is supported, no backwards compatibility is offered for it. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -L \ -o twistlock-jenkins-plugin.hpi \ https:///api/v1/util/twistlock-jenkins-plugin.hpi ``` A successful response displays the status of the download. --- Downloads the VMware Tanzu Application Service tile for Prisma Cloud Compute. Although this endpoint is supported, no backwards compatibility is offered for it. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -L \ -o twistlock-tile.pivotal \ "https:///api/v1/util/tas-tile" ``` A successful response displays the status of the download. --- Downloads the twistcli binary executable for Windows platforms. This endpoint maps to the **Windows platform** hyperlink in **Manage > System > Utilities** in the Console UI. ### cURL Request The following cURL command downloads the twistcli binary executable for Windows platforms. ```bash $ curl -k \ -u \ -L \ -o twistcli.exe \ https:///api/v1/util/windows/twistcli.exe ``` A successful response displays the status of the download. --- Retrieves the version number for Console. ### cURL Request The following cURL command retrieves the version number for Console. ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ https:///api/v/version ``` A successful response returns the version number for Console. --- Returns all VM image scan reports in CSV format. **Note**: This endpoint maps to the table in **Monitor > Vulnerabilities > Hosts > VM images > CSV** in the Prisma Cloud Compute. ### cURL Request Refer to the following example cURL command that retrieves all VM image scan reports and saves the results in a CSV file called `vm_images_scan.csv`: ```bash curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ -o vm_images_scan.csv \ "https:///api/v/vms/download" ``` A successful response displays the status of the download. --- Returns all VM image scan reports. > _**Note:**_ The API rate limit for this endpoint is 30 requests per 30 seconds. You get an HTTP error response 429 if the limit exceeds. This endpoint maps to the table in **Monitor > Vulnerabilities > Hosts > VM images** in the Prisma Cloud Compute. ### cURL Request Refer to the following example cURL command that retrieves all VM image scan reports: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/vms" ``` ### cURL Response Refer to the following example VM scan report: ``` { "_id": "2226875301309860442", "type": "vm", "hostname": "", "scanTime": "2022-12-01T18:08:15.299Z", "binaries": [], "Secrets": [], "startupBinaries": [], "osDistro": "redhat", "osDistroVersion": "7", "osDistroRelease": "RHEL7", "distro": "CentOS Linux release 7.9.2009 (Core)", "packages": [ { "pkgsType": "package", "pkgs": [ { "version": "0.100-7.el7", "name": "dbus-glib", "cveCount": 8, "license": "AFL and GPLv2+", "layerTime": 0 }, { "version": "2.02-0.87.el7.centos.7", "name": "grub2-common", "cveCount": 184, "license": "GPLv3+", "layerTime": 0 } ... ... ... ] } ] } ``` --- Returns an array of strings containing all AWS tags of the scanned VM images. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -u \ -H 'Content-Type: application/json' \ -X GET \ "https:///api/v/vms/labels" ``` ### cURL Response Refer to the following example response: ``` [ "gcp:vmscan", "with_pulled_images:true", "test-linux-key-2:test-linux-value-2", "test-linux-key-1:test-linux-value-1", "Name:user-test-b" ] ``` --- Returns an array of strings containing VM image names. ### cURL Request Refer to the following example cURL command: ```bash $ curl -k \ -X GET \ -u \ -H 'Content-Type: application/json' \ "https:///api/v/vms/names" ``` ### cURL Response Refer to the following example response: ``` [ "new-auto-images-cen7-dock", "ubuntu-pro-2004-focal-v20210720", "user-encrypted2", "ubuntu-20.04-lts:1.0.0", "user-test-b", "user-ubuntu-image-scan1", "Canonical:0001-com-ubuntu-server-focal:20_04-lts:20.04.202110260", "ubuntu-20.04-lts" ] ``` --- Re-scans all VM images immediately. This endpoint returns the time that the scans were initiated. ### cURL Request Refer to the following example cURL command that forces Prisma Cloud to re-scan all VM images: ```bash $ curl -k \ -u \ H 'Content-Type: application/json' \ -X POST \ "https:///api/v/vms/scan" ``` --- Stops current VM image scan immediately. ### cURL Request Refer to the following example cURL command that forces Prisma Cloud to stop scanning all VM images: ```bash $ curl -k \ -u \ H 'Content-Type: application/json' \ -X POST \ "https:///api/v/vms/stop" ``` --- Scan VM images in AWS, Azure, and GCP for vulnerabilities. Prisma Cloud can scan the following VM images: * AWS: Linux Amazon Machine Images (AMIs) * Azure: Managed, Gallery and Marketplace images * GCP: Public and Custom images (including Premium images) For more information, see [Configure VM Image Scanning](https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-compute/vulnerability_management/vm_image_scanning) ### Authentication #### Basic Auth ##### Headers - Authorization: required (string): Authenticates with the Base64-encoded "username:password" credentials. #### JWT Access Token Use POST, /api/vVERSION/authenticate for authorization ##### Headers - Authorization: required (string): Authenticates with the Bearer authentication scheme to transmit the access token. Example: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJk………… --- Scans the OpenAPI specifications file of size not more than 100 KB and generates a report for any errors, or shortcomings such as structural issues, compromised security, best practices, and so on. API definition scan supports scanning OpenAPI 2.X and 3.X definition files in either YAML or JSON formats. ### cURL Request Refer to the following example cURL command that generates a report for any errors or shortcomings in the OpenAPI specification: ```bash $ curl 'https:///api/v/waas/openapi-scans' \ -k \ -H 'Content-Type: multipart/form-data' \ -u \ -X POST \ -v -F‘spec=@.json;type=application/json’-F‘data={“source”:“manual”};type=application/json’ ```