Prisma Cloud Compute API documentation version v1
https://{CONSOLE}:{PORT}/api/{version}
- CONSOLE: required(string)
Hostname or IP address where Console can be accessed.
- PORT: required(string)
Use port 8083 to access the API over HTTPS. You can configure Prisma Cloud Compute Console to use an alternative port at install time.
- version: required(v1)
How to evaluate <CONSOLE>
All the example API commands in these documents specify a <CONSOLE> variable, which represents the address for Console. The Console address will depend on how Console was installed.
For SaaS Installations
To find your <CONSOLE> path for a SaaS environment:
- Log into Console.
- Navigate to Compute > Manage > System > Downloads.
- You can find your <CONSOLE> path listed under Path to Console. Click Copy to quickly copy the path to your clipboard.

For Self-hosted Installations
For self-hosted environments, the Prisma Cloud Compute API is exposed on port 8083 (HTTPS). This port is specified at install time in twistlock.cfg.
- (Default) Kubernetes installations: Console service is exposed by a LoadBalancer. The value for <CONSOLE> is the LoadBalancer followed by port 8083:
https://<LOAD_BALANCER>:8083
- Onebox installations: Console installed on a stand-alone host. The value for <CONSOLE> is the IP address or DNS name of the host followed by port 8083:
https://<IP_ADDRESS>:8083
Using the cURL API endpoint examples
The cURL example for each endpoint is called with a username (-u <USER>) only. The cURL can be modified to use any of the following. All examples pass -k, which makes curl skip verification of Console's TLS certificate; where your host can verify Console's certificate, prefer --cacert <CA_FILE> and drop -k.
- Authentication Token: Use the -H option to pass the authentication token from the /api/v1/authenticate endpoint into the request header. For example, replace <ACCESS_TOKEN> with the token from the /api/v1/authenticate endpoint.
$ curl -k \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-X POST \
https://<CONSOLE>/api/v1/<ENDPOINT_PATH>
- Username and Password: Use the -u option with a username:password pair to include the password, eliminating the need to enter it in a secondary step (curl has no separate password option). For example, replace <USER> with the username string and <PASSWORD> with the password string.
$ curl -k \
-u <USER>:<PASSWORD> \
-X POST \
https://<CONSOLE>/api/v1/<ENDPOINT_PATH>
- Username Only: This will require the user's password to be entered as a secondary step. For example, replace <USER> with the username string.
$ curl -k \
-u <USER> \
-X POST \
https://<CONSOLE>/api/v1/<ENDPOINT_PATH>
Note: This is a more secure method than putting the password on the command line, since your terminal history won't contain the password.
API restrictions
Paginated API requests are capped to a max of 50 returned objects because very large responses could DoS Console.
If the response contains more than 50 objects, cycle through the collection with the offset query parameter to retrieve more objects. For example:
https://<CONSOLE>/api/v1/images?limit=50&offset=X
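The token and pagination flow above, as an added Python example that is not part of the Prisma Cloud Compute documentation or product: it authenticates against /api/v1/authenticate, assumes the response is a JSON object with a "token" field, and cycles through /api/v1/images with limit and offset until a short page comes back. The fake_console stand-in, its image records and the console address are constructed so the script runs offline; make_fetcher talks to a real Console.

```python
import json
import ssl
import urllib.parse
import urllib.request

CONSOLE = "https://console.example:8083"  # constructed placeholder; use your <CONSOLE> address
PAGE_SIZE = 50                             # Console caps paginated responses at 50 objects


def make_fetcher(ca_file=None):
    """Return a fetch(url, headers, data, method) -> bytes function for a real
    Console. Unlike curl -k, TLS verification stays on; pass Console's CA
    certificate as ca_file if it is not in the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)

    def fetch(url, headers, data=None, method="GET"):
        req = urllib.request.Request(url, data=data, headers=headers, method=method)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read()
    return fetch


def authenticate(console, username, password, fetch):
    """POST /api/v1/authenticate and return the bearer token. Assumption: the
    response body is a JSON object with a "token" field."""
    body = json.dumps({"username": username, "password": password}).encode()
    raw = fetch(f"{console}/api/v1/authenticate",
                {"Content-Type": "application/json"}, body, "POST")
    return json.loads(raw)["token"]


def fetch_all(console, path, token, fetch):
    """Cycle through a paginated collection with limit/offset, sending the token
    in the Authorization header, until a short (or empty) page is returned."""
    headers = {"Authorization": f"Bearer {token}"}
    items, offset = [], 0
    while True:
        query = urllib.parse.urlencode({"limit": PAGE_SIZE, "offset": offset})
        page = json.loads(fetch(f"{console}{path}?{query}", headers))
        if not page:  # an exhausted collection may come back as [] or null
            break
        items.extend(page)
        if len(page) < PAGE_SIZE:
            break
        offset += PAGE_SIZE
    return items


def fake_console(total):
    """Constructed stand-in for Console used to exercise the code offline: issues
    a fixed token and serves `total` image records in pages capped at PAGE_SIZE."""
    def fetch(url, headers, data=None, method="GET"):
        parsed = urllib.parse.urlparse(url)
        if parsed.path.endswith("/api/v1/authenticate"):
            return b'{"token": "constructed-token"}'
        if headers.get("Authorization") != "Bearer constructed-token":
            raise PermissionError("401 Unauthorized")
        q = urllib.parse.parse_qs(parsed.query)
        limit = min(int(q["limit"][0]), PAGE_SIZE)
        offset = int(q["offset"][0])
        page = [{"_id": f"sha256:{i:064x}"} for i in range(offset, min(offset + limit, total))]
        return json.dumps(page).encode()
    return fetch


if __name__ == "__main__":
    fetch = fake_console(123)  # swap for make_fetcher() against a real Console
    token = authenticate(CONSOLE, "<USER>", "<PASSWORD>", fetch)
    images = fetch_all(CONSOLE, "/api/v1/images", token, fetch)
    print(f"retrieved {len(images)} images in pages of {PAGE_SIZE}")
```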
_Ping
Checks if the Console is alive, responsive, and reachable from your network host.
get /_ping
Checks if Console is reachable from your network host.
cURL Request
The following cURL command pings Console and prints the HTTP response code:
$ curl -k \
-s \
-o /dev/null \
-w "%{http_code}\n" \
-X GET \
https://<CONSOLE>/api/v1/_ping
Role
Minimum role required to access this endpoint: anyone.
Alert profiles
Manage alert profiles, which let you surface critical policy breaches by sending alerts to channels, such as email, Slack, and JIRA.
Alert profiles define which events should be sent to which channel. Each profile declares:
- One or more recipients.
- One or more triggers that raise alerts by sending messages on the configured channel.
get /alert-profiles
Retrieve a list of all alert profiles created in the system.
The following example curl command uses basic auth to retrieve all alert profiles:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
  ID is the alert profile ID
- disabled: (boolean)
  Disabled states if the rule is currently disabled
- email: (object)
  EmailSettings contains the email alert profile settings
  - credentialId: (string)
    CredentialID is the Email authentication credentials id
  - enabled: (boolean)
  - from: (string)
    From is the from address of the mail
  - labels: (string)
    Labels are custom label names from which the mail recipients are extracted, allowing the target of the alerts to be extracted dynamically
  - port: (integer)
  - recipients: (string)
  - smtpAddress: (string)
  - ssl: (boolean)
- gcpPubsub: (object)
  GcpPubsubSettings contains the GCP Pub/Sub alert profile settings
  - credentialId: (string)
    CredentialID is the GCP Pub/Sub authentication credentials id
  - enabled: (boolean)
    Enabled indicates whether the GCP Pub/Sub settings are enabled
  - topic: (string)
    Topic is the GCP Pub/Sub topic (used by subscribers to listen for messages)
- jira: (object)
  JIRASettings contains the JIRA alert profile settings
  - assignee: (object)
    Assignee is the assignee of the issue
    - id: (string)
      ID is the field ID
    - labels: (string)
      Labels are the dynamic labels on which the value is based
    - name: (string)
      Name is the static string field
  - baseUrl: (string)
    BaseURL is the JIRA address
  - caCert: (string)
    CACert is the certificate used to verify the server
  - credentialId: (string)
    CredentialID is the JIRA authentication credentials id
  - enabled: (boolean)
    Enabled controls whether the rule is enabled
  - issueType: (string)
    IssueType is the type of the JIRA issue
  - labels: (object)
    Labels are the labels added to the created issue
    - labels: (string)
      Labels are the dynamic labels on which the JIRA labels are based
    - names: (string)
      Names is the static strings field
  - priority: (string)
    Priority is the issue priority
  - projectKey: (object)
    ProjectKey is the key of the project in which the issue will be created
    - id: (string)
      ID is the field ID
    - labels: (string)
      Labels are the dynamic labels on which the value is based
    - name: (string)
      Name is the static string field
- lastError: (string)
  LastError represents the last error when sending the profile
- modified: (datetime)
- name: (string)
- notes: (string)
  Notes are the rule's user notes
- owner: (string)
- pagerduty: (object)
  PagerDutySettings contains the PagerDuty alert profile settings
  - enabled: (boolean)
    Enabled is the PagerDuty provider enabled/disabled indicator
  - routingKey: (object)
    RoutingKey is the unique PagerDuty service id
    - encrypted: (string)
    - plain: (string)
      Plain is the plain text value (remark: marshalling to JSON will convert it to the encrypted value)
  - severity: (object)
    Severity is the PagerDuty event severity
  - summary: (string)
    Summary is the PagerDuty event summary
- previousName: (string)
  PreviousName is the rule's previous name, required for rule renaming
- securityAdvisor: (object)
  SecurityAdvisor contains the IBM security advisor alert profile settings
  - auto: (boolean)
    Auto means the configuration was automatically provisioned by security advisor, and only notes should be created
  - credentialID: (string)
    CredentialID is the IBM security advisor credential
  - enabled: (boolean)
    Enabled indicates whether the overbridge settings are enabled
  - findingsURL: (string)
    FindingsURL is the URL to which findings should be sent
  - providerId: (string)
    ProviderID is the configured providerID (default twistlock)
  - tokenURL: (string)
    TokenURL is the URL from which security tokens should be fetched
- securityCenter: (object)
  SecurityCenterSettings contains the security center alert profile settings
  - credentialId: (string)
    CredentialID is the Security Center authentication credentials id
  - enabled: (boolean)
  - sourceID: (string)
    SourceID is the Google Cloud Security Center organization source ID (used to construct security advisor findings)
- securityHub: (object)
  SecurityHub contains the AWS security hub alert profile settings
  - accountID: (string)
    AccountID is the AWS account ID
  - credentialId: (string)
    CredentialID is the SecurityHub authentication credentials id
  - enabled: (boolean)
    Enabled indicates whether the overbridge settings are enabled
  - region: (string)
    Region is the overbridge region
- serviceNow: (object)
  ServiceNowSettings contains the ServiceNow alert profile settings
  - application: (object)
    Application is the ServiceNow application this profile sends to
  - assignee: (string)
    Assignee is the ServiceNow user to whom ServiceNow incidents/items will be assigned
  - assignmentGroup: (string)
    AssignmentGroup is the ServiceNow group of users handling security incidents
  - auditPriority: (string)
    AuditPriority is the priority at which to set audit alerts in security incidents
  - caCert: (string)
    CA certificate for on-premise SSL (optional)
  - credentialID: (string)
    CredentialID is the ServiceNow authentication credentials id
  - enabled: (boolean)
    Enabled is the ServiceNow provider enabled/disabled indicator
  - project: (string)
    Project is the name of the Prisma Compute project that was used to generate this configuration. It's required because secondary consoles do not store their project name
  - securityIncidentBaseURL: (string)
    SecurityIncidentBaseURL is the ServiceNow address, used to send security incidents
  - vulnerabilityEndpointUrl: (string)
    VulnerabilityEndpointURL is the customer-defined scripted REST API used to report vulnerabilities to ServiceNow, see: https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/custom-web-services/concept/c_CustomWebServices.html
- slack: (object)
  SlackSettings contains the slack alert profile settings
  - channels: (string)
  - enabled: (boolean)
  - users: (string)
  - webhookUrl: (string)
- webhook: (object)
  WebhookSettings contains the Webhook alert profile settings
  - caCert: (string)
    CACert is the certificate used to verify the server
  - credentialId: (string)
    CredentialID is the id of the basic authentication credential
  - enabled: (boolean)
    Enabled is the Webhook provider enabled/disabled indicator
  - json: (string)
    Json is the custom JSON sent to the URL
  - url: (string)
    URL is the Webhook address
- xsoar: (object)
  XSOARSettings contains the Cortex XSOAR alert profile settings
  - enabled: (boolean)
    Enabled is the XSOAR provider enabled/disabled indicator
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
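An added Python example, not part of the documentation, that reviews a GET /alert-profiles response body using the fields described above: it reports disabled profiles, profiles whose last delivery failed (lastError), profiles with no enabled channel, and jira/webhook/serviceNow/slack targets that are reached over plain HTTP or, for the channels that carry one, configured without a caCert. The response records in SAMPLE_RESPONSE are constructed, not captured from a Console.

```python
import json

# Channels an alert profile can carry, taken from the response schema
CHANNELS = ("email", "gcpPubsub", "jira", "pagerduty", "securityAdvisor",
            "securityCenter", "securityHub", "serviceNow", "slack", "webhook", "xsoar")
# Channels whose settings name the server alerts are delivered to
URL_FIELDS = {"jira": "baseUrl", "webhook": "url",
              "serviceNow": "securityIncidentBaseURL", "slack": "webhookUrl"}
# Channels whose settings carry a caCert used to verify that server
CA_CHANNELS = {"jira", "webhook", "serviceNow"}


def review_profile(profile):
    """Return (severity, message) findings for one alert profile record."""
    name = profile.get("name") or profile.get("_id") or "<unnamed>"
    findings = []
    if profile.get("disabled"):
        findings.append(("info", f"{name}: profile is disabled, no alerts will be sent"))
    if profile.get("lastError"):
        findings.append(("warn", f"{name}: last delivery failed: {profile['lastError']}"))
    # A channel object may be absent or null; treat both as not enabled
    enabled = [c for c in CHANNELS if (profile.get(c) or {}).get("enabled")]
    if not enabled and not profile.get("disabled"):
        findings.append(("warn", f"{name}: no channel is enabled"))
    for channel in enabled:
        settings = profile[channel]
        field = URL_FIELDS.get(channel)
        if field is None:
            continue
        url = (settings.get(field) or "").strip()
        if url.lower().startswith("http://"):
            findings.append(("high", f"{name}: {channel} target {url} uses plain HTTP"))
        elif channel in CA_CHANNELS and not settings.get("caCert"):
            findings.append(("info", f"{name}: {channel} has no caCert, "
                                     "server is verified against the system trust store"))
    return findings


def review_alert_profiles(raw_json):
    """Parse a GET /alert-profiles response body and review every profile in it."""
    profiles = json.loads(raw_json) or []  # an empty collection may be null
    return [finding for p in profiles for finding in review_profile(p)]


# Constructed response body shaped after the schema above (not from a real Console)
SAMPLE_RESPONSE = json.dumps([
    {"_id": "jira", "name": "jira", "owner": "admin",
     "jira": {"enabled": True, "baseUrl": "https://jira.example.internal",
              "caCert": "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----",
              "projectKey": {"name": "TWIS"}, "issueType": "Task", "priority": "High"}},
    {"_id": "hooks", "name": "hooks", "owner": "admin",
     "lastError": "Post \"http://collector.example.internal/alerts\": connection refused",
     "webhook": {"enabled": True, "url": "http://collector.example.internal/alerts"}},
    {"_id": "old-slack", "name": "old-slack", "owner": "admin", "disabled": True,
     "slack": {"enabled": True, "webhookUrl": "https://hooks.slack.com/services/constructed"}},
    {"_id": "empty", "name": "empty", "owner": "admin", "email": {"enabled": False}},
])

if __name__ == "__main__":
    for severity, message in review_alert_profiles(SAMPLE_RESPONSE):
        print(f"[{severity}] {message}")
```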
post /alert-profiles
Update an existing alert profile created in the system.
The following example curl command uses basic auth to add a Jira Alert profile:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/alert-profiles \
-d '{
  "name": "jira",
  "_id": "jira",
  "jira": {
    "enabled": true,
    "projectKey": "TWIS",
    "issueType": "Task",
    "priority": "High",
    "labels": [],
    "assignee": ""
  },
  "policy": {
    "cve": {
      "enabled": true,
      "allRules": true,
      "rules": [],
      "clients": [
        "jira"
      ]
    }
  }
}'
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties: the same alert profile object as in the get /alert-profiles response body above.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /alert-profiles/names
Retrieve a list of only the names of all alert profiles created in the system.
The following example curl command uses basic auth to retrieve all alert profiles' names:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles/names
Example Response:
[
"jira",
"aqsa vulns"
]
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /alert-profiles/test
Sends a test alert to verify successful configuration of the alert profile settings.
The following example curl command uses basic auth to send a test alert for an email alert profile:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '<REQUEST-PAYLOAD>' \
https://<CONSOLE>:8083/api/v1/alert-profiles/test
In this case, the REQUEST-PAYLOAD would be the full JSON-formatted alert profile from the base GET command.
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties: the same alert profile object as in the get /alert-profiles response body above.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
delete /alert-profiles/{id}
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Audits
Retrieve audits from the Twistlock database. Twistlock creates and stores audit event records (audits) for all controls. Endpoints support a wide range of filtering options.
Retrieves all access audits. Twistlock records an access audit every time a Docker Engine or Kubernetes command is run on a host protected by Defender. You can also configure Twistlock to record audits for sudo and SSH commands executed on hosts protected by Defender.
The following example command returns all access audits.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/access
To return only Docker audits, add the type=docker query parameter.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/access?type=docker
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/access
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- allow: (string)
Allow indicates whether allowed requests should be shown
- api: (string)
APIs are apis to filter by
- cluster: (string)
Clusters is the cluster filter
- from: (datetime)
From is an optional minimum time constraint for the audit
- hostname: (string)
Hosts are hosts to filter by
- ruleName: (string)
RuleNames are the rules names to filter by
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Type is the audit type
- user: (string)
Users are users to filter by
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- accountID: (string)
AccountID is the cloud account ID where the audit was created
- allow: (boolean)
Allow indicates whether the command was allowed or denied
- api: (string)
API is the api that is being audited
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this audit applies
- containerName: (string)
ContainerName is the name of the container
- fqdn: (string)
FQDN is the fully qualified domain name from which the audit originated
- hostname: (string)
Hostname is the hostname from which the audit originated
- imageName: (string)
ImageName is the name of the image
- msg: (string)
Msg is the message explaining the audit
- ruleName: (string)
RuleName contains the name of the rule that was applied, if the command was blocked
- sourceIP: (string)
SourceIP is the remote agent's source IP
- time: (datetime)
Time is the UTC time of the audit event
- type: (string)
Type is the audit type
- user: (string)
User is the user that ran the command
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
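The curl examples above fetch the raw list; in practice you want a time-bounded query and a quick answer to "who ran what that Defender denied". The following Python (standard library only) is an added example, not code from this reference or from Prisma Cloud. It assumes, which this page does not state, that POST /api/v1/authenticate takes a JSON body with username and password and returns the token in a field named token, and that the client trusts the Console certificate. The audit records at the bottom are constructed to match the documented response fields.

```python
"""Query Prisma Cloud Compute access audits and triage the denied ones.

Added example, not code from the API reference. Assumptions the page does not
state: POST /api/v1/authenticate takes a JSON {"username", "password"} body
and answers {"token": "<JWT>"}; and the client trusts the Console certificate
(pass an ssl context built from your CA instead of disabling verification).
"""
import json
import ssl
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timezone


def rfc3339(dt):
    """Render a datetime in the UTC form the from/to query parameters take."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def audits_query(base, filters):
    """Build the GET /api/v1/audits/access URL from the documented query
    parameters (type, allow, user, hostname, cluster, api, ruleName, from, to).
    None values are dropped, datetimes become RFC 3339, booleans lower-case."""
    params = {}
    for key, value in filters.items():
        if value is None:
            continue
        if isinstance(value, bool):
            value = "true" if value else "false"
        elif isinstance(value, datetime):
            value = rfc3339(value)
        params[key] = value
    return f"{base}/api/v1/audits/access?{urllib.parse.urlencode(params)}"


def console_context(cafile):
    """TLS context that verifies the Console against your own CA bundle."""
    return ssl.create_default_context(cafile=cafile)


def get_token(base, username, password, context=None):
    """Exchange credentials for a bearer token (response field assumed: token)."""
    req = urllib.request.Request(
        f"{base}/api/v1/authenticate",
        data=json.dumps({"username": username, "password": password}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=context) as resp:
        return json.load(resp)["token"]


def fetch_access_audits(base, token, filters, context=None):
    """GET the audits, sending the token with the Bearer scheme."""
    req = urllib.request.Request(
        audits_query(base, filters),
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, context=context) as resp:
        return json.load(resp)


def summarize_denied(audits):
    """Count denied commands per (user, hostname) and tally the rules that fired.
    Allowed records are skipped, so the result is an enforcement view."""
    per_actor = Counter()
    per_rule = Counter()
    for audit in audits:
        if audit.get("allow", True):
            continue
        per_actor[(audit.get("user", "?"), audit.get("hostname", "?"))] += 1
        per_rule[audit.get("ruleName") or "(no rule recorded)"] += 1
    return per_actor, per_rule


# Constructed sample records, shaped like the documented GET /audits/access body.
SAMPLE_WINDOW_START = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_AUDITS = [
    {"time": "2024-05-01T10:00:00Z", "type": "docker", "user": "alice",
     "hostname": "node-1", "api": "POST /containers/create", "allow": False,
     "ruleName": "block-privileged", "msg": "privileged containers are denied"},
    {"time": "2024-05-01T10:05:00Z", "type": "docker", "user": "alice",
     "hostname": "node-1", "api": "POST /containers/create", "allow": False,
     "ruleName": "block-privileged", "msg": "privileged containers are denied"},
    {"time": "2024-05-01T11:00:00Z", "type": "docker", "user": "bob",
     "hostname": "node-2", "api": "GET /containers/json", "allow": True,
     "ruleName": "", "msg": ""},
    {"time": "2024-05-01T12:30:00Z", "type": "sudo", "user": "carol",
     "hostname": "node-1", "api": "sudo su -", "allow": False,
     "ruleName": "", "msg": "sudo session audited"},
]

if __name__ == "__main__":
    print(audits_query("https://<CONSOLE>:8083",
                       {"type": "docker", "allow": False, "from": SAMPLE_WINDOW_START}))
    per_actor, per_rule = summarize_denied(SAMPLE_AUDITS)
    for (user, host), n in per_actor.most_common():
        print(f"{n:3d} denied  {user}@{host}")
    for rule, n in per_rule.most_common():
        print(f"{n:3d} hits    rule={rule}")
    # Live use (needs network access and the Console CA):
    # ctx = console_context("console-ca.pem")
    # token = get_token("https://<CONSOLE>:8083", "<USER>", "<PASSWORD>", ctx)
    # audits = fetch_access_audits("https://<CONSOLE>:8083", token,
    #                              {"type": "docker", "allow": False}, ctx)
```

The curl examples on this page pass -k, which turns off certificate verification; console_context does the equivalent of curl --cacert so the token and the audit data are not exposed to whoever sits on the path to the Console. Records with allow=true are dropped from the summary on purpose: the interesting question for an audit review is which users hit a blocking rule, and how often.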
Downloads access audits as a CSV file; the same query parameters as GET /audits/access apply. The following example downloads all Docker access audits and writes them to aqsa_audits.csv.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/access/download?type=docker > aqsa_audits.csv
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/access/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- allow: (string)
Allow indicates whether allowed requests should be shown
- api: (string)
APIs are apis to filter by
- cluster: (string)
Clusters is the cluster filter
- from: (datetime)
From is an optional minimum time constraint for the audit
- hostname: (string)
Hosts are hosts to filter by
- ruleName: (string)
RuleNames are the rules names to filter by
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Type is the audit type
- user: (string)
Users are users to filter by
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
AdmissionAudits returns all admission audits according to the query specification. Minimum role required to access this endpoint: devSecOps.
get /audits/admission
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- from: (datetime)
From is an optional minimum time constraint for the activity
- namespace: (string)
Namespaces is the list of namespaces to use for filtering
- operation: (string)
Operations is the list of operations to use for filtering
- to: (datetime)
To is an optional maximum time constraint for the activity
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- accountID: (string)
AccountID is the cloud account ID
- cluster: (string)
Cluster is the cluster where the audit took place
- collections: (string)
Collections are collections to which this audit applies
- effect: (string)
Effect is the rule effect applied to the admission review that produced this audit
- kind: (string)
Kind is the type of object being manipulated. For example: Pod
- message: (string)
Message is the rule user defined message which appears on audit
- namespace: (string)
Namespace is the namespace associated with the request (if any)
- operation: (string)
Operation is the operation being performed
- rawRequest: (string)
RawRequest is the original review request that caused this audit
- resource: (string)
Resource is the name of the resource being requested. This is not the kind. For example: pods
- ruleName: (string)
RuleName is the name of the rule which issued this audit
- time: (datetime)
Time is the time at which the audit was generated
- userGroups: (string)
UserGroups are the names of the groups this user belongs to
- userUid: (string)
UserUID is a unique value that identifies this user across time. If this user is deleted and another user with the same name is added, they will have different UIDs
- username: (string)
Username is the name that uniquely identifies this user among all active users
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
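The fields above tell you which rule fired, for whom and in which namespace, but the object that was actually submitted is only available inside rawRequest. The following Python is an added example, not code from this reference or from Prisma Cloud. It assumes that rawRequest holds the JSON-serialised AdmissionReview the admission controller received (so the submitted object sits at request.object); verify that against a real record before building on it. The sample audits, including their effect values, are constructed.

```python
"""Triage Prisma Cloud Compute admission audits (GET /audits/admission).

Added example, not code from the API reference. It assumes rawRequest holds
the JSON-serialised AdmissionReview that reached the admission controller, so
the submitted object sits at request.object; confirm this against a real
record before relying on it. The effect values in the samples are made up.
"""
import json
from collections import Counter


def workload_spec(review):
    """Pod spec inside an AdmissionReview request: Pods carry it directly,
    controllers (Deployment, Job, ...) nest it under template.spec."""
    spec = review.get("request", {}).get("object", {}).get("spec", {})
    if "template" in spec:
        spec = spec["template"].get("spec", {})
    return spec


def risky_settings(spec):
    """Flags a cluster operator usually wants an admission rule to block,
    plus the images the workload pulls."""
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    flags = []
    if any(c.get("securityContext", {}).get("privileged") for c in containers):
        flags.append("privileged")
    for ns in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(ns):
            flags.append(ns)
    images = [c.get("image", "") for c in containers]
    # unpinned: no tag/digest after the last path segment, or the floating :latest tag
    if any(":" not in img.rsplit("/", 1)[-1] or img.endswith(":latest")
           for img in images):
        flags.append("unpinned-image")
    return flags, images


def triage(audits):
    """Count audits per (effect, ruleName) and list who submitted risky
    workloads, with the namespace and kind the audit records."""
    by_rule = Counter()
    findings = []
    for audit in audits:
        by_rule[(audit.get("effect", "?"), audit.get("ruleName", "?"))] += 1
        try:
            review = json.loads(audit.get("rawRequest") or "{}")
        except ValueError:
            continue  # rawRequest missing or not JSON: counted above, not parsed
        flags, images = risky_settings(workload_spec(review))
        if flags:
            findings.append({
                "time": audit.get("time"), "user": audit.get("username"),
                "groups": audit.get("userGroups"), "namespace": audit.get("namespace"),
                "kind": audit.get("kind"), "effect": audit.get("effect"),
                "flags": flags, "images": images,
            })
    return by_rule, findings


def _review(kind, spec):
    """Minimal AdmissionReview body for the constructed samples below."""
    return json.dumps({"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
                       "request": {"kind": {"kind": kind},
                                   "object": {"kind": kind, "spec": spec}}})


# Constructed sample audits, shaped like the documented response fields.
SAMPLE_AUDITS = [
    {"time": "2024-05-01T09:00:00Z", "cluster": "prod", "namespace": "payments",
     "kind": "Pod", "resource": "pods", "operation": "CREATE", "effect": "block",
     "ruleName": "no-privileged", "username": "dev-ci",
     "userGroups": "system:serviceaccounts",
     "rawRequest": _review("Pod", {"hostPID": True, "containers": [
         {"name": "dbg", "image": "busybox:latest",
          "securityContext": {"privileged": True}}]})},
    {"time": "2024-05-01T09:10:00Z", "cluster": "prod", "namespace": "web",
     "kind": "Deployment", "resource": "deployments", "operation": "UPDATE",
     "effect": "alert", "ruleName": "pin-images", "username": "alice",
     "userGroups": "developers",
     "rawRequest": _review("Deployment", {"template": {"spec": {"containers": [
         {"name": "web", "image": "registry.local/web"}]}}})},
    {"time": "2024-05-01T09:20:00Z", "cluster": "prod", "namespace": "web",
     "kind": "Pod", "resource": "pods", "operation": "CREATE", "effect": "alert",
     "ruleName": "restrict-namespaces", "username": "bob", "userGroups": "developers",
     "rawRequest": _review("Pod", {"containers": [
         {"name": "web", "image": "registry.local/web@sha256:0123abcd"}]})},
    {"time": "2024-05-01T09:30:00Z", "kind": "Pod", "effect": "block",
     "ruleName": "no-privileged", "username": "mallory", "rawRequest": "not json"},
]

if __name__ == "__main__":
    by_rule, findings = triage(SAMPLE_AUDITS)
    for (effect, rule), n in by_rule.most_common():
        print(f"{n:3d}  {effect:<6} {rule}")
    for f in findings:
        print(f"{f['time']} {f['user']} {f['namespace']}/{f['kind']} "
              f"{f['effect']}: {', '.join(f['flags'])} images={f['images']}")
```

A record whose rawRequest cannot be parsed is still counted against its rule, so the per-rule totals stay honest even when the parse assumption turns out to be wrong for some records. The by_rule view also exposes the question worth asking of an admission audit feed: whether the rules that matter (privileged, host namespaces) are recording a blocking effect or merely alerting.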
DownloadAdmissionAudits downloads the admission audits according to the specified query. Minimum role required to access this endpoint: devSecOps.
get /audits/admission/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- from: (datetime)
From is an optional minimum time constraint for the activity
- namespace: (string)
Namespaces is the list of namespaces to use for filtering
- operation: (string)
Operations is the list of operations to use for filtering
- to: (datetime)
To is an optional maximum time constraint for the activity
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
AppEmbeddedAppFirewallAudits returns all embedded defender firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/app-embedded
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- aggregate: (boolean)
Aggregate indicates whether the result audits should be aggregated according to the Select field
- appID: (string)
AppIDs is the app embedded appID filter
- cluster: (string)
Cluster is the audit cluster filter
- connectingIPs: (string)
ConnectingIPs is the connecting IPs filter
- containerName: (string)
Containers is the container names filter
- country: (string)
Countries is the source IP country filter
- effect: (string)
Effect is used to filter by runtime audit effect
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- function: (string)
FunctionName is used to filter by function name
- hostname: (string)
Hosts is the hostnames filter
- imageName: (string)
Images is the image names filter
- method: (string)
Methods is the request method filter
- msg: (string)
Messages is the audit message text filter
- ns: (string)
Namespaces is the list of namespaces to use for filtering
- os: (string)
OS is the OS filter
- region: (string)
Region is used to filter by region
- requestHeaderNames: (string)
RequestHeaderNames is the request header names filter
- requestHost: (string)
RequestHosts is the request host filter
- ruleName: (string)
RuleNames is the rule names filter
- runtime: (string)
Runtime is used to filter by runtime
- subnet: (string)
Subnets is the source IPs filter
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the firewall audit type filter
- url: (string)
URLs is the URL filter
- urlPath: (string)
Paths is the URL path filter
- urlQuery: (string)
Queries is the URL query filter
- userAgentHeader: (string)
UserAgents is the user agent header filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is internal id representation
- accountID: (string)
AccountID is the cloud account ID where the audit was generated
- appID: (string)
AppID is the application ID
- cluster: (string)
Cluster is the cluster on which the audit was originated
- collections: (string)
Collections are collections to which this audit applies
- connectingIPs: (string)
ConnectingIPs are the request's connecting IPs, such as proxy and load-balancer addresses
- containerId: (string)
ContainerId is the firewall container id
- containerName: (string)
ContainerName is the firewall container name
- count: (object)
Count is the number of audit occurrences
- country: (string)
Country is the source IP country
- effect: (object)
Effect indicates the applied rule effect. Range of acceptable values: ban, prevent, alert, allow, disable
- fqdn: (string)
FQDN is the current hostname's FQDN
- function: (string)
Function is the name of the serverless function that caused the audit
- functionID: (string)
FunctionID is the id of the function called
- hash: (string)
Hash is the hash of the defender audit aggregation key that is used for identifying an audit for count increment
- host: (boolean)
Host indicates whether this audit is for a host firewall
- hostname: (string)
Hostname is the current hostname
- imageName: (string)
ImageName is the firewall image name
- method: (string)
HTTPMethod is the request HTTP method
- msg: (string)
Message is the blocking message text
- ns: (string)
Namespaces are the k8s namespaces
- os: (string)
OS is the operating system distribution
- profileId: (string)
ProfileID is the profile of the audit
- rawEvent: (string)
RawEvent contains unparsed function handler event input
- region: (string)
Region is the name of the region in which the serverless function is located
- requestHeaderNames: (string)
RequestHeaderNames are the request header names
- requestHeaders: (string)
RequestHeaders represent the request headers
- requestHost: (string)
RequestHost is the request host
- requestID: (string)
RequestID is the Lambda function invocation request ID
- responseHeaderNames: (string)
ResponseHeaderNames are the response header names
- ruleName: (string)
If blocked, contains the name of the rule that was applied
- runtime: (object)
Runtime is the runtime type of the serverless function
- statusCode: (object)
StatusCode is the response status code
- subnet: (string)
Subnet is the source IP subnet
- time: (datetime)
Time is the UTC time of the audit event
- type: (object)
Type is the attack type. Range of acceptable values: xss, sqli, cmdi, lfi, codeInjection, deniedIP, deniedCountry, header, violationsExceeded, attackTools, shellshock, disallowedFile, malformedRequest, informationLeak, unexpectedAPI, dos, searchEngineCrawler, businessAnalyticsBot, educationalBot, newsBot, financialBot, contentFeedClient, archivingBot, careerSearchBot, mediaSearchBot, genericBot, webAutomationTool, webScraper, apiLibrary, httpLibrary, sessionValidation, javascriptTimeout, missingCookie, browserImpersonation, botImpersonation, requestAnomalies, userDefinedBot
- url: (string)
URL is the request's full URL (on the server side only the path and query are available)
- urlPath: (string)
URLPath is the request's URL path
- urlQuery: (string)
URLQuery is the request's URL query string
- userAgentHeader: (string)
UserAgentHeader is the request's User-Agent header
- version: (string)
Version is the defender version
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
DownloadAppEmbeddedAppFirewallAudits downloads the embedded defender firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/app-embedded/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- aggregate: (boolean)
Aggregate indicates whether the result audits should be aggregated according to the Select field
- appID: (string)
AppIDs is the app embedded appID filter
- cluster: (string)
Cluster is the audit cluster filter
- connectingIPs: (string)
ConnectingIPs is the connecting IPs filter
- containerName: (string)
Containers is the container names filter
- country: (string)
Countries is the source IP country filter
- effect: (string)
Effect is used to filter by runtime audit effect
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- function: (string)
FunctionName is used to filter by function name
- hostname: (string)
Hosts is the hostnames filter
- imageName: (string)
Images is the image names filter
- method: (string)
Methods is the request method filter
- msg: (string)
Messages is the audit message text filter
- ns: (string)
Namespaces is the list of namespaces to use for filtering
- os: (string)
OS is the OS filter
- region: (string)
Region is used to filter by region
- requestHeaderNames: (string)
RequestHeaderNames is the request header names filter
- requestHost: (string)
RequestHosts is the request host filter
- ruleName: (string)
RuleNames is the rule names filter
- runtime: (string)
Runtime is used to filter by runtime
- subnet: (string)
Subnets is the source IPs filter
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the firewall audit type filter
- url: (string)
URLs is the URL filter
- urlPath: (string)
Paths is the URL path filter
- urlQuery: (string)
Queries is the URL query filter
- userAgentHeader: (string)
UserAgents is the user agent header filter
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
AppEmbeddedAppFirewallAuditTimeslice returns embedded firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/app-embedded/timeslice
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- buckets: (integer)
Buckets is the number of buckets to return
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- count: (object)
Count is the number of audit occurrences
- end: (datetime)
End is the end time of the bucket
- start: (datetime)
Start is the start time of the bucket
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Retrieves all Cloud Native Application Firewall (CNAF) audits. These are generated by violations of the CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.
The following example uses basic auth to retrieve all application firewall audits.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/firewall/app/container
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/container
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- aggregate: (boolean)
Aggregate indicates whether the result audits should be aggregated according to the Select field
- appID: (string)
AppIDs is the app embedded appID filter
- cluster: (string)
Cluster is the audit cluster filter
- connectingIPs: (string)
ConnectingIPs is the connecting IPs filter
- containerName: (string)
Containers is the container names filter
- country: (string)
Countries is the source IP country filter
- effect: (string)
Effect is used to filter by runtime audit effect
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- function: (string)
FunctionName is used to filter by function name
- hostname: (string)
Hosts is the hostnames filter
- imageName: (string)
Images is the image names filter
- method: (string)
Methods is the request method filter
- msg: (string)
Messages is the audit message text filter
- ns: (string)
Namespaces is the list of namespaces to use for filtering
- os: (string)
OS is the OS filter
- region: (string)
Region is used to filter by region
- requestHeaderNames: (string)
RequestHeaderNames is the request header names filter
- requestHost: (string)
RequestHosts is the request host filter
- ruleName: (string)
RuleNames is the rule names filter
- runtime: (string)
Runtime is used to filter by runtime
- subnet: (string)
Subnets is the source IPs filter
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the firewall audit type filter
- url: (string)
URLs is the URL filter
- urlPath: (string)
Paths is the URL path filter
- urlQuery: (string)
Queries is the URL query filter
- userAgentHeader: (string)
UserAgents is the user agent header filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is internal id representation
- accountID: (string)
AccountID is the cloud account ID where the audit was generated
- appID: (string)
AppID is the application ID
- cluster: (string)
Cluster is the cluster on which the audit was originated
- collections: (string)
Collections are collections to which this audit applies
- connectingIPs: (string)
ConnectingIPs are the request's connecting IPs, such as proxy and load-balancer addresses
- containerId: (string)
ContainerId is the firewall container id
- containerName: (string)
ContainerName is the firewall container name
- count: (object)
Count is the number of audit occurrences
- country: (string)
Country is the source IP country
- effect: (object)
Effect indicates the applied rule effect. Range of acceptable values: ban, prevent, alert, allow, disable
- fqdn: (string)
FQDN is the current hostname's FQDN
- function: (string)
Function is the name of the serverless function that caused the audit
- functionID: (string)
FunctionID is the id of the function called
- hash: (string)
Hash is the hash of the defender audit aggregation key that is used for identifying an audit for count increment
- host: (boolean)
Host indicates whether this audit is for a host firewall
- hostname: (string)
Hostname is the current hostname
- imageName: (string)
ImageName is the firewall image name
- method: (string)
HTTPMethod is the request HTTP method
- msg: (string)
Message is the blocking message text
- ns: (string)
Namespaces are the k8s namespaces
- os: (string)
OS is the operating system distribution
- profileId: (string)
ProfileID is the profile of the audit
- rawEvent: (string)
RawEvent contains unparsed function handler event input
- region: (string)
Region is the name of the region in which the serverless function is located
- requestHeaderNames: (string)
RequestHeaderNames are the request header names
- requestHeaders: (string)
RequestHeaders represent the request headers
- requestHost: (string)
RequestHost is the request host
- requestID: (string)
RequestID is the Lambda function invocation request ID
- responseHeaderNames: (string)
ResponseHeaderNames are the response header names
- ruleName: (string)
If blocked, contains the name of the rule that was applied
- runtime: (object)
Runtime is the runtime type of the serverless function
- statusCode: (object)
StatusCode is the response status code
- subnet: (string)
Subnet is the source IP subnet
- time: (datetime)
Time is the UTC time of the audit event
- type: (object)
Type is the attack type. Range of acceptable values: xss, sqli, cmdi, lfi, codeInjection, deniedIP, deniedCountry, header, violationsExceeded, attackTools, shellshock, disallowedFile, malformedRequest, informationLeak, unexpectedAPI, dos, searchEngineCrawler, businessAnalyticsBot, educationalBot, newsBot, financialBot, contentFeedClient, archivingBot, careerSearchBot, mediaSearchBot, genericBot, webAutomationTool, webScraper, apiLibrary, httpLibrary, sessionValidation, javascriptTimeout, missingCookie, browserImpersonation, botImpersonation, requestAnomalies, userDefinedBot
- url: (string)
URL is the request's full URL (on the server side only the path and query are available)
- urlPath: (string)
URLPath is the request's URL path
- urlQuery: (string)
URLQuery is the request's URL query string
- userAgentHeader: (string)
UserAgentHeader is the request's User-Agent header
- version: (string)
Version is the defender version
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Downloads all Cloud Native Application Firewall (CNAF) audits into CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.
The following example uses basic auth to download all application firewall audits.
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-container-audits.csv \
https://console:8083/api/v1/audits/firewall/app/container/download
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/container/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- aggregate: (boolean)
Aggregate indicates whether the result audits should be aggregated according to the Select field
- appID: (string)
AppIDs is the app embedded appID filter
- cluster: (string)
Cluster is the audit cluster filter
- connectingIPs: (string)
ConnectingIPs is the connecting IPs filter
- containerName: (string)
Containers is the container names filter
- country: (string)
Countries is the source IP country filter
- effect: (string)
Effect is used to filter by runtime audit effect
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- function: (string)
FunctionName is used to filter by function name
- hostname: (string)
Hosts is the hostnames filter
- imageName: (string)
Images is the image names filter
- method: (string)
Methods is the request method filter
- msg: (string)
Messages is the audit message text filter
- ns: (string)
Namespaces is the list of namespaces to use for filtering
- os: (string)
OS is the OS filter
- region: (string)
Region is used to filter by region
- requestHeaderNames: (string)
RequestHeaderNames is the request header names filter
- requestHost: (string)
RequestHosts is the request host filter
- ruleName: (string)
RuleNames is the rule names filter
- runtime: (string)
Runtime is used to filter by runtime
- subnet: (string)
Subnets is the source IPs filter
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the firewall audit type filter
- url: (string)
URLs is the URL filter
- urlPath: (string)
Paths is the URL path filter
- urlQuery: (string)
Queries is the URL query filter
- userAgentHeader: (string)
UserAgents is the user agent header filter
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
ContainerAppFirewallAuditTimeslice returns container firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/container/timeslice
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- buckets: (integer)
Buckets is the number of buckets to return
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- count: (object)
Count is the number of audit occurrences
- end: (datetime)
End is the end time of the bucket
- start: (datetime)
Start is the start time of the bucket
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
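The timeslice endpoints return only count/start/end per bucket, which is enough to watch for sudden jumps in firewall audit volume without pulling every audit record. The following is an added Python example, not code from the Prisma Cloud Compute documentation or product: it fetches the buckets with basic auth and flags the buckets whose count rises well above a robust (median plus MAD) baseline. The JSON-array response shape, the threshold policy and the sample buckets are this example's assumptions; the sample is constructed so the detection runs offline.

```python
"""Spike detection over firewall audit time-slice buckets.

Added example, not part of the Prisma Cloud Compute API documentation or
product. Assumes GET /api/v1/audits/firewall/app/{scope}/timeslice returns a
JSON array of {"count", "start", "end"} objects as listed in the reference;
the median/MAD threshold policy is this example's choice.
"""
import json
import statistics
import urllib.request
from base64 import b64encode


def fetch_buckets(console_url, scope, username, password, buckets=24):
    """GET /api/v1/audits/firewall/app/{scope}/timeslice?buckets=N using the
    basicAuth scheme (Base64 "username:password"). scope is container, host
    or serverless. The default urlopen context verifies the Console certificate."""
    url = f"{console_url}/api/v1/audits/firewall/app/{scope}/timeslice?buckets={int(buckets)}"
    cred = b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {cred}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def find_spikes(buckets, k=3.0, min_count=10):
    """Return the buckets whose count exceeds median + k * MAD.

    The median absolute deviation is used instead of the standard deviation so
    that one huge bucket does not inflate the baseline and hide itself.
    min_count keeps near-empty Consoles from raising alerts on noise, and a
    flat baseline (MAD == 0) falls back to a fixed multiple of the median."""
    counts = [int(b.get("count") or 0) for b in buckets]
    if len(counts) < 3:
        return []  # not enough history for a baseline
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts)
    threshold = (med + k * mad) if mad > 0 else max(med * k, min_count)
    return [b for b, c in zip(buckets, counts) if c > threshold and c >= min_count]


# Constructed sample buckets in the documented shape; not real Console output.
SAMPLE_BUCKETS = [
    {"start": "2024-05-01T00:00:00Z", "end": "2024-05-01T01:00:00Z", "count": 4},
    {"start": "2024-05-01T01:00:00Z", "end": "2024-05-01T02:00:00Z", "count": 6},
    {"start": "2024-05-01T02:00:00Z", "end": "2024-05-01T03:00:00Z", "count": 5},
    {"start": "2024-05-01T03:00:00Z", "end": "2024-05-01T04:00:00Z", "count": 7},
    {"start": "2024-05-01T04:00:00Z", "end": "2024-05-01T05:00:00Z", "count": 5},
    {"start": "2024-05-01T05:00:00Z", "end": "2024-05-01T06:00:00Z", "count": 131},
    {"start": "2024-05-01T06:00:00Z", "end": "2024-05-01T07:00:00Z", "count": 6},
    {"start": "2024-05-01T07:00:00Z", "end": "2024-05-01T08:00:00Z", "count": 5},
]

if __name__ == "__main__":
    # Offline run over the constructed sample. Against a live Console use:
    #   buckets = fetch_buckets("https://<CONSOLE>:8083", "container", user, password)
    for bucket in find_spikes(SAMPLE_BUCKETS):
        print(f"spike: {bucket['count']} audits between {bucket['start']} and {bucket['end']}")
```

With the sample, the baseline median is 5.5 and the MAD 0.5, so the threshold is 7 and only the 131-count bucket is reported; a flat series returns nothing. Run it on a short window (for example 24 hourly buckets) from a scheduled job and forward the flagged buckets, together with a filtered query to the matching audits endpoint, to whoever triages CNAF events.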
Retrieves all Cloud Native Application Firewall (CNAF) audits. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.
The following example uses basic auth to retrieve all application firewall audits.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/app/host
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/host
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- aggregate: (boolean)
Aggregate indicates whether the result audits should be aggregated according to the Select field
- appID: (string)
AppIDs is the app embedded appID filter
- cluster: (string)
Cluster is the audit cluster filter
- connectingIPs: (string)
ConnectingIPs is the connecting IPs filter
- containerName: (string)
Containers is the container names filter
- country: (string)
Countries is the source IP country filter
- effect: (string)
Effect is used to filter by runtime audit effect
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- function: (string)
FunctionName is used to filter by function name
- hostname: (string)
Hosts is the hostnames filter
- imageName: (string)
Images is the image names filter
- method: (string)
Methods is the request method filter
- msg: (string)
Messages is the audit message text filter
- ns: (string)
Namespaces is the list of namespaces to use for filtering
- os: (string)
OS is the OS filter
- region: (string)
Region is used to filter by region
- requestHeaderNames: (string)
RequestHeaderNames is the request header names filter
- requestHost: (string)
RequestHosts is the request host filter
- ruleName: (string)
RuleNames is the rule names filter
- runtime: (string)
Runtime is used to filter by runtime
- subnet: (string)
Subnets is the source IPs filter
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the firewall audit type filter
- url: (string)
URLs is the URL filter
- urlPath: (string)
Paths is the URL path filter
- urlQuery: (string)
Queries is the URL query filter
- userAgentHeader: (string)
UserAgents is the user agent header filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is internal id representation
- accountID: (string)
AccountID is the cloud account ID where the audit was generated
- appID: (string)
AppID is the application ID
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this audit applies
- connectingIPs: (string)
ConnectingIPs are the request's connecting IPs, such as a proxy or load balancer
- containerId: (string)
ContainerId is the firewall container id
- containerName: (string)
ContainerName is the firewall container name
- count: (object)
Count is the number of audit occurrences
- country: (string)
Country is the source IP country
- effect: (object)
Effect indicates the applied rule effect. Range of acceptable values: ban, prevent, alert, allow, disable
- fqdn: (string)
FQDN is the current hostname's FQDN
- function: (string)
Function is the name of the serverless function that caused the audit
- functionID: (string)
FunctionID is the id of the function called
- hash: (string)
Hash is the hash of the defender audit aggregation key that is used for identifying an audit for count increment
- host: (boolean)
Host indicates whether this audit is for a host firewall
- hostname: (string)
Hostname is the current hostname
- imageName: (string)
ImageName is the firewall image name
- method: (string)
HTTPMethod is the request HTTP method
- msg: (string)
Message is the blocking message text
- ns: (string)
Namespaces are the k8s namespaces
- os: (string)
OS is the operating system distribution
- profileId: (string)
ProfileID is the profile of the audit
- rawEvent: (string)
RawEvent contains unparsed function handler event input
- region: (string)
Region is the name of the region in which the serverless function is located
- requestHeaderNames: (string)
RequestHeaderNames are the request header names
- requestHeaders: (string)
RequestHeaders represent the request headers
- requestHost: (string)
RequestHost is the request host
- requestID: (string)
RequestID is the Lambda function invocation request ID
- responseHeaderNames: (string)
ResponseHeaderNames are the response header names
- ruleName: (string)
If blocked, contains the name of the rule that was applied
- runtime: (object)
Runtime is the runtime type of the serverless function
- statusCode: (object)
StatusCode is the response status code
- subnet: (string)
Subnet is the source IP subnet
- time: (datetime)
Time is the UTC time of the audit event
- type: (object)
Type is the attack type. Range of acceptable values: xss, sqli, cmdi, lfi, codeInjection, deniedIP, deniedCountry, header, violationsExceeded, attackTools, shellshock, disallowedFile, malformedRequest, informationLeak, unexpectedAPI, dos, searchEngineCrawler, businessAnalyticsBot, educationalBot, newsBot, financialBot, contentFeedClient, archivingBot, careerSearchBot, mediaSearchBot, genericBot, webAutomationTool, webScraper, apiLibrary, httpLibrary, sessionValidation, javascriptTimeout, missingCookie, browserImpersonation, botImpersonation, requestAnomalies, userDefinedBot
- url: (string)
URL is the request's full URL (on the server side only the path and query are available)
- urlPath: (string)
URLPath is the request's URL path
- urlQuery: (string)
URLQuery is the request's URL query
- userAgentHeader: (string)
UserAgentHeader is the request's User-Agent header
- version: (string)
Version is the defender version
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
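Putting the query parameters and response body above to use, here is an added Python example (not code from the Prisma Cloud Compute documentation or product): it builds a filtered query for one of the /audits/firewall/app/{scope} endpoints with the documented from, to, effect and type parameters, authenticates with the token flow described under jwtAccessToken, and tallies the returned audits by attack type, effect and source subnet, weighting each record by its count. The request and response shape of /api/v1/authenticate (a JSON body with username and password in, a token out), the JSON-array response of the audits endpoint and the sample records are assumptions; the sample is constructed so the summary runs offline.

```python
"""Query CNAF audits for a time window and summarize them by attack type,
effect and source subnet.

Added example; not part of the Prisma Cloud Compute API documentation or
product. Assumptions not stated on the page: /api/v1/authenticate takes a
JSON body {"username", "password"} and answers {"token": "<jwt>"}, and the
audits endpoints return a JSON array of objects carrying the documented
property names. CONSOLE_URL is a placeholder.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone

CONSOLE_URL = "https://<CONSOLE>:8083"  # placeholder: see "How to evaluate <CONSOLE>"


def authenticate(console_url, username, password):
    """Exchange credentials for a JWT so later calls use the Bearer scheme instead
    of sending the password on every request (assumed body/response shape)."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{console_url}/api/v1/authenticate", data=body,
                                 method="POST", headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:  # default context verifies the Console certificate
        return json.load(resp)["token"]


def to_rfc3339(value):
    """Render a tz-aware datetime as the UTC timestamp the from/to parameters
    take; strings are passed through unchanged."""
    if isinstance(value, datetime):
        utc = value.astimezone(timezone.utc).replace(microsecond=0)
        return utc.isoformat().replace("+00:00", "Z")
    return value


def build_audit_url(console_url, scope, start, end, **filters):
    """Build GET /api/v1/audits/firewall/app/{scope} from the documented query
    parameters. scope is container, host or serverless; filters use the other
    documented names (effect, type, hostname, subnet, ...); None values are dropped."""
    params = {"from": to_rfc3339(start), "to": to_rfc3339(end)}
    params.update({k: v for k, v in filters.items() if v is not None})
    return f"{console_url}/api/v1/audits/firewall/app/{scope}?{urllib.parse.urlencode(params)}"


def fetch_audits(url, token):
    """GET the audit list using the Bearer scheme described under jwtAccessToken."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def summarize(audits):
    """Weight every record by its count (the aggregated occurrence count, one
    when absent), then tally (type, effect) pairs and the source subnets behind
    traffic the firewall actually blocked (effect prevent or ban)."""
    by_type_effect = Counter()
    blocked_subnets = Counter()
    for audit in audits:
        weight = int(audit.get("count") or 1)
        by_type_effect[(audit.get("type"), audit.get("effect"))] += weight
        if audit.get("effect") in ("prevent", "ban"):
            blocked_subnets[audit.get("subnet", "unknown")] += weight
    return by_type_effect, blocked_subnets


# Constructed sample records in the documented shape; not real Console output.
SAMPLE_AUDITS = [
    {"time": "2024-05-01T10:00:00Z", "type": "sqli", "effect": "prevent", "hostname": "web-01",
     "subnet": "203.0.113.0/24", "method": "GET", "urlPath": "/search", "ruleName": "cnaf-default", "count": 3},
    {"time": "2024-05-01T10:05:00Z", "type": "xss", "effect": "alert", "hostname": "web-01",
     "subnet": "198.51.100.0/24", "method": "POST", "urlPath": "/comment", "ruleName": "cnaf-default", "count": 1},
    {"time": "2024-05-01T10:07:00Z", "type": "sqli", "effect": "prevent", "hostname": "web-02",
     "subnet": "203.0.113.0/24", "method": "GET", "urlPath": "/items", "ruleName": "cnaf-default", "count": 2},
    {"time": "2024-05-01T10:09:00Z", "type": "genericBot", "effect": "ban", "hostname": "web-02",
     "subnet": "192.0.2.0/24", "method": "GET", "urlPath": "/", "ruleName": "bot-protection", "count": 7},
]

if __name__ == "__main__":
    # Offline run over the constructed sample. Against a live Console:
    #   token = authenticate(CONSOLE_URL, user, password)
    #   audits = fetch_audits(build_audit_url(CONSOLE_URL, "host", start, end, effect="prevent"), token)
    end = datetime.now(timezone.utc)
    start = end - timedelta(hours=24)
    print("query:", build_audit_url(CONSOLE_URL, "host", start, end, effect="prevent"))
    by_type_effect, blocked = summarize(SAMPLE_AUDITS)
    for (attack_type, effect), n in by_type_effect.most_common():
        print(f"{attack_type:<12} {effect:<8} {n}")
    print("blocked subnets:", blocked.most_common(3))
```

The same function works for the container and serverless scopes, since all three endpoints share the query parameters and response properties listed above. Keep the from/to window explicit: an unbounded query on a busy Console returns far more than a triage script needs, and the aggregate and fields parameters can shrink the payload further.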
Downloads all Cloud Native Application Firewall (CNAF) audits into CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.
The following example uses basic auth to download all application firewall audits.
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-host-audits.csv \
https://console:8083/api/v1/audits/firewall/app/host/download
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/host/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- aggregate: (boolean)
Aggregate indicates whether the result audits should be aggregated according to the Select field
- appID: (string)
AppIDs is the app embedded appID filter
- cluster: (string)
Cluster is the audit cluster filter
- connectingIPs: (string)
ConnectingIPs is the connecting IPs filter
- containerName: (string)
Containers is the container names filter
- country: (string)
Countries is the source IP country filter
- effect: (string)
Effect is used to filter by runtime audit effect
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- function: (string)
FunctionName is used to filter by function name
- hostname: (string)
Hosts is the hostnames filter
- imageName: (string)
Images is the image names filter
- method: (string)
Methods is the request method filter
- msg: (string)
Messages is the audit message text filter
- ns: (string)
Namespaces is the list of namespaces to use for filtering
- os: (string)
OS is the OS filter
- region: (string)
Region is used to filter by region
- requestHeaderNames: (string)
RequestHeaderNames is the request header names filter
- requestHost: (string)
RequestHosts is the request host filter
- ruleName: (string)
RuleNames is the rule names filter
- runtime: (string)
Runtime is used to filter by runtime
- subnet: (string)
Subnets is the source IPs filter
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the firewall audit type filter
- url: (string)
URLs is the URL filter
- urlPath: (string)
Paths is the URL path filter
- urlQuery: (string)
Queries is the URL query filter
- userAgentHeader: (string)
UserAgents is the user agent header filter
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
HostAppFirewallAuditTimeslice returns host firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/host/timeslice
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- buckets: (integer)
Buckets is the number of buckets to return
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- count: (object)
Count is the number of audit occurrences
- end: (datetime)
End is the end time of the bucket
- start: (datetime)
Start is the start time of the bucket
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
ServerlessAppFirewallAudits returns all serverless firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/serverless
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- aggregate: (boolean)
Aggregate indicates whether the result audits should be aggregated according to the Select field
- appID: (string)
AppIDs is the app embedded appID filter
- cluster: (string)
Cluster is the audit cluster filter
- connectingIPs: (string)
ConnectingIPs is the connecting IPs filter
- containerName: (string)
Containers is the container names filter
- country: (string)
Countries is the source IP country filter
- effect: (string)
Effect is used to filter by runtime audit effect
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- function: (string)
FunctionName is used to filter by function name
- hostname: (string)
Hosts is the hostnames filter
- imageName: (string)
Images is the image names filter
- method: (string)
Methods is the request method filter
- msg: (string)
Messages is the audit message text filter
- ns: (string)
Namespaces is the list of namespaces to use for filtering
- os: (string)
OS is the OS filter
- region: (string)
Region is used to filter by region
- requestHeaderNames: (string)
RequestHeaderNames is the request header names filter
- requestHost: (string)
RequestHosts is the request host filter
- ruleName: (string)
RuleNames is the rule names filter
- runtime: (string)
Runtime is used to filter by runtime
- subnet: (string)
Subnets is the source IPs filter
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the firewall audit type filter
- url: (string)
URLs is the URL filter
- urlPath: (string)
Paths is the URL path filter
- urlQuery: (string)
Queries is the URL query filter
- userAgentHeader: (string)
UserAgents is the user agent header filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is internal id representation
- accountID: (string)
AccountID is the cloud account ID where the audit was generated
- appID: (string)
AppID is the application ID
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this audit applies
- connectingIPs: (string)
ConnectingIPs are the request's connecting IPs, such as a proxy or load balancer
- containerId: (string)
ContainerId is the firewall container id
- containerName: (string)
ContainerName is the firewall container name
- count: (object)
Count is the number of audit occurrences
- country: (string)
Country is the source IP country
- effect: (object)
Effect indicates the applied rule effect. Range of acceptable values: ban, prevent, alert, allow, disable
- fqdn: (string)
FQDN is the current hostname's FQDN
- function: (string)
Function is the name of the serverless function that caused the audit
- functionID: (string)
FunctionID is the id of the function called
- hash: (string)
Hash is the hash of the defender audit aggregation key that is used for identifying an audit for count increment
- host: (boolean)
Host indicates whether this audit is for a host firewall
- hostname: (string)
Hostname is the current hostname
- imageName: (string)
ImageName is the firewall image name
- method: (string)
HTTPMethod is the request HTTP method
- msg: (string)
Message is the blocking message text
- ns: (string)
Namespaces are the k8s namespaces
- os: (string)
OS is the operating system distribution
- profileId: (string)
ProfileID is the profile of the audit
- rawEvent: (string)
RawEvent contains unparsed function handler event input
- region: (string)
Region is the name of the region in which the serverless function is located
- requestHeaderNames: (string)
RequestHeaderNames are the request header names
- requestHeaders: (string)
RequestHeaders represent the request headers
- requestHost: (string)
RequestHost is the request host
- requestID: (string)
RequestID is the Lambda function invocation request ID
- responseHeaderNames: (string)
ResponseHeaderNames are the response header names
- ruleName: (string)
If blocked, contains the name of the rule that was applied
- runtime: (object)
Runtime is the runtime type of the serverless function
- statusCode: (object)
StatusCode is the response status code
- subnet: (string)
Subnet is the source IP subnet
- time: (datetime)
Time is the UTC time of the audit event
- type: (object)
Type is the attack type. Range of acceptable values: xss, sqli, cmdi, lfi, codeInjection, deniedIP, deniedCountry, header, violationsExceeded, attackTools, shellshock, disallowedFile, malformedRequest, informationLeak, unexpectedAPI, dos, searchEngineCrawler, businessAnalyticsBot, educationalBot, newsBot, financialBot, contentFeedClient, archivingBot, careerSearchBot, mediaSearchBot, genericBot, webAutomationTool, webScraper, apiLibrary, httpLibrary, sessionValidation, javascriptTimeout, missingCookie, browserImpersonation, botImpersonation, requestAnomalies, userDefinedBot
- url: (string)
URL is the request's full URL (on the server side only the path and query are available)
- urlPath: (string)
URLPath is the request's URL path
- urlQuery: (string)
URLQuery is the request's URL query
- userAgentHeader: (string)
UserAgentHeader is the request's User-Agent header
- version: (string)
Version is the defender version
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
DownloadServerlessAppFirewallAudits downloads the serverless firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/serverless/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- aggregate: (boolean)
Aggregate indicates whether the result audits should be aggregated according to the Select field
- appID: (string)
AppIDs is the app embedded appID filter
- cluster: (string)
Cluster is the audit cluster filter
- connectingIPs: (string)
ConnectingIPs is the connecting IPs filter
- containerName: (string)
Containers is the container names filter
- country: (string)
Countries is the source IP country filter
- effect: (string)
Effect is used to filter by runtime audit effect
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- function: (string)
FunctionName is used to filter by function name
- hostname: (string)
Hosts is the hostnames filter
- imageName: (string)
Images is the image names filter
- method: (string)
Methods is the request method filter
- msg: (string)
Messages is the audit message text filter
- ns: (string)
Namespaces is the list of namespaces to use for filtering
- os: (string)
OS is the OS filter
- region: (string)
Region is used to filter by region
- requestHeaderNames: (string)
RequestHeaderNames is the request header names filter
- requestHost: (string)
RequestHosts is the request host filter
- ruleName: (string)
RuleNames is the rule names filter
- runtime: (string)
Runtime is used to filter by runtime
- subnet: (string)
Subnets is the source IPs filter
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the firewall audit type filter
- url: (string)
URLs is the URL filter
- urlPath: (string)
Paths is the URL path filter
- urlQuery: (string)
Queries is the URL query filter
- userAgentHeader: (string)
UserAgents is the user agent header filter
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
ServerlessAppFirewallAuditTimeslice returns serverless firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/app/serverless/timeslice
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- buckets: (integer)
Buckets is the number of buckets to return
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- count: (object)
Count is the number of audit occurrences
- end: (datetime)
End is the end time of the bucket
- start: (datetime)
Start is the start time of the bucket
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Retrieves all Cloud Native Network Firewall (CNNF) container audits.
Cloud Native Network Firewall (CNNF) is a Layer 3 container-aware virtual firewall that utilizes machine learning to identify valid traffic flows between app components and alert or block anomalous flows. CNNF works as an east-west firewall between containers. It limits damage by preventing attackers from moving laterally through your environment when they have already compromised one part of it.
$ curl -k \
-u <USER> \
https://<CONSOLE>:8083/api/v1/audits/firewall/network/container
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/network/container
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- block: (string)
Block is the block/audit filter
- dstImageName: (string)
DstImageName is the destination image name filter
- from: (datetime)
From is an optional minimum time constraint for the audits
- srcImageName: (string)
SrcImageName is the source image name filter
- to: (datetime)
To is an optional maximum time constraint for the audits
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ProfileID is the runtime profile ID
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this audit applies
- imageName: (string)
ImageName is the container image name
- label: (string)
Label represents the container deployment label
- os: (string)
OS is the operating system distribution
- resource: (object)
Resource specifies the runtime resources that apply to the profile audit
- accountIDs: (string)
AccountIDs is a list of the cloud account IDs
- appIDs: (string)
AppIDs is a list of application IDs
- clusters: (string)
Clusters is a list of kubernetes cluster names
- codeRepos: (string)
CodeRepos is a list of remote code repositories
- containers: (string)
- functions: (string)
- hosts: (string)
- images: (string)
- labels: (string)
- namespaces: (string)
Namespaces are the k8s namespaces
- time: (datetime)
Time is the UTC time of the last audit event
- total: (integer)
Total is the total count of audits per runtime profile
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
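The following Python script is an added example and not part of the API reference or the product's own tooling. It shows how to build a filtered request for this endpoint (the from/to filters rendered as UTC RFC 3339 timestamps, the block and image filters as query parameters, the access token as a Bearer header) and how to rank the returned runtime profiles by audit count so the images producing the most unexpected east-west flows surface first. The Console address and token are placeholders, the "true"/"false" values for the block filter are an assumption (the reference only says the parameter is a string), and the response body is a constructed sample in the documented shape, not real audit data.

```python
import json
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

# Placeholders (assumptions for this example): Console address and a token
# obtained from POST /api/v1/authenticate.
CONSOLE = "https://console.example.internal:8083"
TOKEN = "REPLACE_WITH_ACCESS_TOKEN"

CNNF_CONTAINER_PATH = "/api/v1/audits/firewall/network/container"


def utc(*args):
    """Convenience constructor for a timezone-aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


def rfc3339_utc(dt):
    """Render a timezone-aware datetime as the UTC RFC 3339 string used for from/to."""
    if dt.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime; naive values are ambiguous")
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def cnnf_container_url(start, end, block=None, src_image=None, dst_image=None,
                       download=False, console=CONSOLE):
    """Build the audit (or CSV download) URL with the filters the endpoint documents.

    `block` is passed through as a string because the reference only says the
    parameter is a string; using "true"/"false" is this example's assumption.
    """
    params = {"from": rfc3339_utc(start), "to": rfc3339_utc(end)}
    if block is not None:
        params["block"] = block
    if src_image:
        params["srcImageName"] = src_image
    if dst_image:
        params["dstImageName"] = dst_image
    path = CNNF_CONTAINER_PATH + ("/download" if download else "")
    return f"{console}{path}?{urlencode(params)}"


def bearer_request(url, token=TOKEN):
    """GET request carrying the access token in the Authorization header."""
    return Request(url, headers={"Authorization": f"Bearer {token}"}, method="GET")


def query_params(url):
    """Decode a built URL's query string back into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# Constructed sample of the documented response shape; not real audit data.
SAMPLE_RESPONSE = json.dumps([
    {"_id": "p1", "cluster": "prod-east", "imageName": "shop/web:1.4",
     "os": "alpine", "time": "2024-05-01T12:03:11Z", "total": 42},
    {"_id": "p2", "cluster": "prod-east", "imageName": "shop/worker:2.0",
     "os": "debian", "time": "2024-05-01T12:05:40Z", "total": 7},
    {"_id": "p3", "cluster": "staging", "imageName": "tools/debug:latest",
     "os": "ubuntu", "time": "2024-05-01T11:59:02Z", "total": 130},
])


def noisiest_profiles(body, limit=2):
    """Rank runtime profiles by audit count: the images generating the most
    unexpected east-west flows are the first candidates for lateral-movement review."""
    audits = sorted(json.loads(body), key=lambda a: a["total"], reverse=True)
    return [(a["imageName"], a["cluster"], a["total"]) for a in audits[:limit]]


if __name__ == "__main__":
    url = cnnf_container_url(utc(2024, 5, 1, 11), utc(2024, 5, 1, 13), block="true")
    req = bearer_request(url)
    # Send with urllib.request.urlopen(req) against a reachable Console.
    print(req.get_method(), req.full_url)
    print(noisiest_profiles(SAMPLE_RESPONSE))
```

Naive datetimes are rejected on purpose: a from/to window built from local time silently shifts the query by the host's UTC offset, which is a common reason an audit search comes back empty.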
Downloads all network firewall audits (CNNF) into a CSV file.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
-o cnnf_container_audits.csv \
https://<CONSOLE>:8083/api/v1/audits/firewall/network/container/download
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/network/container/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- block: (string)
Block is the block/audit filter
- dstImageName: (string)
DstImageName is the destination image name filter
- from: (datetime)
From is an optional minimum time constraint for the audits
- srcImageName: (string)
SrcImageName is the source image name filter
- to: (datetime)
To is an optional maximum time constraint for the audits
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Retrieves all Cloud Native Network Firewall (CNNF) host audits. These are based on violations of CNNF policies defined under Defend > Firewalls > Cloud Native Network Firewall.
The following example uses basic auth to retrieve all CNNF host audits.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/firewall/network/host
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/network/host
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- dstHostnames: (string)
DstHostnames is the destination hostnames filter
- from: (datetime)
From is an optional minimum time constraint for the audits
- srcHostnames: (string)
SrcHostnames is the source hostnames filter
- to: (datetime)
To is an optional maximum time constraint for the audits
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ProfileID is the runtime profile ID
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this audit applies
- imageName: (string)
ImageName is the container image name
- label: (string)
Label represents the container deployment label
- os: (string)
OS is the operating system distribution
- resource: (object)
Resource specifies the runtime resources that apply to the profile audit
- accountIDs: (string)
AccountIDs is a list of the cloud account IDs
- appIDs: (string)
AppIDs is a list of application IDs
- clusters: (string)
Clusters is a list of kubernetes cluster names
- codeRepos: (string)
CodeRepos is a list of remote code repositories
- containers: (string)
- functions: (string)
- hosts: (string)
- images: (string)
- labels: (string)
- namespaces: (string)
Namespaces are the k8s namespaces
- time: (datetime)
Time is the UTC time of the last audit event
- total: (integer)
Total is the total count of audits per runtime profile
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Downloads all Cloud Native Network Firewall (CNNF) host audits into a CSV file. These are based on violations of CNNF policies defined under Defend > Firewalls > Cloud Native Network Firewall.
The following example uses basic auth to download all CNNF host audits.
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnnf-host-audits.csv \
https://<CONSOLE>:8083/api/v1/audits/firewall/network/host/download
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/firewall/network/host/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- dstHostnames: (string)
DstHostnames is the destination hostnames filter
- from: (datetime)
From is an optional minimum time constraint for the audits
- srcHostnames: (string)
SrcHostnames is the source hostnames filter
- to: (datetime)
To is an optional maximum time constraint for the audits
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This API call retrieves the list of incidents that have not been acknowledged (that is, not in the archived state).
The following example uses basic auth to list incidents.
$ curl -k \
-u <USER> \
https://<CONSOLE>:8083/api/v1/audits/incidents
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/incidents
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- acknowledged: (string)
Acknowledged filters incidents by whether they have been acknowledged
- category: (string)
Category is the incident category filter
- cluster: (string)
Cluster is the incident cluster filter
- from: (datetime)
From is an optional minimum time constraint for the incident
- hostname: (string)
Hostname is the incident hostname filter
- profileID: (string)
ProfileID is the profile ID filter
- region: (string)
Region is the function region filter
- to: (datetime)
To is an optional maximum time constraint for the incident
- type: (string)
Type is the incident type filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is internal id representation
- accountID: (string)
AccountID is the cloud account ID
- acknowledged: (boolean)
Acknowledged indicates that the incident has been acknowledged
- app: (string)
App represents the application that caused the incident
- appID: (string)
AppID is the application ID
- category: (object)
Category represents the incident category (for example: portScanning, cryptoMiner). Range of acceptable values: portScanning, hijackedProcess, dataExfiltration, kubernetes, backdoorAdministrativeAccount, backdoorSSHAccess, cryptoMiner, lateralMovement, bruteForce, customRule, alteredBinary, suspiciousBinary, executionFlowHijackAttempt, reverseShell
- cluster: (string)
Cluster is the cluster on which the incident was found
- collections: (string)
Collections are collections to which this incident applies
- containerID: (string)
ContainerID is the container id that triggered the incident
- containerName: (string)
ContainerName is the container unique name
- customRuleName: (string)
CustomRuleName is the name of the custom runtime rule that triggered the incident
- fqdn: (string)
FQDN is the current hostname's full domain name
- function: (string)
Function is the name of the serverless function
- hostname: (string)
Hostname is the current hostname
- imageID: (string)
ImageID is the container image ID
- imageName: (string)
ImageName is the container image name
- namespace: (string)
Namespace is the k8s deployment namespace
- profileID: (string)
ProfileID is the profile id
- region: (string)
Region is the region of the serverless function
- runtime: (string)
Runtime is the runtime of the serverless function
- serialNum: (integer)
SerialNum is the serial number of the incident
- shouldCollect: (boolean)
ShouldCollect indicates this incident should be collected
- time: (datetime)
Time is the UTC time of the incident
- type: (object)
Type is the incident type (for example: host, container). Range of acceptable values: host, container, function, appEmbedded
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Use this call to acknowledge an incident and move it to the Archived state. The ID of the incident you want to archive is required; you can get it from the list of incidents returned by GET /api/v1/audits/incidents.
Note that you can undo this action by changing "true" to "false" in the following example.
The following example uses basic auth and the PATCH method to acknowledge an incident. The -X PATCH flag is required: when given only -d, curl sends a POST.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PATCH \
-d '{"acknowledged":true}' \
https://<CONSOLE>:8083/api/v1/audits/incidents/acknowledge/5c76e18784bf4b7278d9a820
Where 5c76e18784bf4b7278d9a820 is the incident ID
Role
Minimum role required to access this endpoint: auditor.
patch /audits/incidents/acknowledge/{id}
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is internal id representation
- accountID: (string)
AccountID is the cloud account ID
- acknowledged: (boolean)
Acknowledged indicates that the incident has been acknowledged
- app: (string)
App represents the application that caused the incident
- appID: (string)
AppID is the application ID
- category: (object)
Category represents the incident category (for example: portScanning, cryptoMiner). Range of acceptable values: portScanning, hijackedProcess, dataExfiltration, kubernetes, backdoorAdministrativeAccount, backdoorSSHAccess, cryptoMiner, lateralMovement, bruteForce, customRule, alteredBinary, suspiciousBinary, executionFlowHijackAttempt, reverseShell
- cluster: (string)
Cluster is the cluster on which the incident was found
- collections: (string)
Collections are collections to which this incident applies
- containerID: (string)
ContainerID is the container id that triggered the incident
- containerName: (string)
ContainerName is the container unique name
- customRuleName: (string)
CustomRuleName is the name of the custom runtime rule that triggered the incident
- fqdn: (string)
FQDN is the current hostname's full domain name
- function: (string)
Function is the name of the serverless function
- hostname: (string)
Hostname is the current hostname
- imageID: (string)
ImageID is the container image ID
- imageName: (string)
ImageName is the container image name
- namespace: (string)
Namespace is the k8s deployment namespace
- profileID: (string)
ProfileID is the profile id
- region: (string)
Region is the region of the serverless function
- runtime: (string)
Runtime is the runtime of the serverless function
- serialNum: (integer)
SerialNum is the serial number of the incident
- shouldCollect: (boolean)
ShouldCollect indicates this incident should be collected
- time: (datetime)
Time is the UTC time of the incident
- type: (object)
Type is the incident type (for example: host, container). Range of acceptable values: host, container, function, appEmbedded
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
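The following Python script is an added example, not code from the API reference or the product, and it covers both the incident listing endpoint above and the acknowledge endpoint. It triages a GET /api/v1/audits/incidents response by the documented category values (the split into "page now" and "review later" is this example's own policy, not anything the API defines) and then builds the PATCH /api/v1/audits/incidents/acknowledge/{id} requests that archive the reviewed ones, with the method set explicitly so the client does not fall back to POST. The Console address, token and incident IDs are placeholders, and the incident list is a constructed sample in the documented response shape.

```python
import json
from collections import defaultdict
from urllib.request import Request

# Placeholders (assumptions for this example), not values from the reference.
CONSOLE = "https://console.example.internal:8083"
TOKEN = "REPLACE_WITH_ACCESS_TOKEN"

# Which categories page an on-call responder versus wait for the daily review is
# this example's own triage policy. The category names are the documented enum values.
PAGE_NOW = {"reverseShell", "cryptoMiner", "backdoorSSHAccess",
            "backdoorAdministrativeAccount", "lateralMovement", "dataExfiltration"}

# Constructed sample in the documented response shape; not real incidents.
SAMPLE_INCIDENTS = json.dumps([
    {"_id": "id-1", "category": "reverseShell", "type": "container", "hostname": "node-1",
     "containerName": "web-7f9", "imageName": "shop/web:1.4", "acknowledged": False,
     "time": "2024-05-01T12:03:11Z", "serialNum": 101},
    {"_id": "id-2", "category": "portScanning", "type": "host", "hostname": "node-2",
     "acknowledged": False, "time": "2024-05-01T12:10:00Z", "serialNum": 102},
    {"_id": "id-3", "category": "cryptoMiner", "type": "container", "hostname": "node-1",
     "containerName": "worker-3a1", "imageName": "shop/worker:2.0", "acknowledged": True,
     "time": "2024-04-30T23:40:00Z", "serialNum": 99},
    {"_id": "id-4", "category": "suspiciousBinary", "type": "function", "function": "img-resize",
     "region": "us-east-1", "acknowledged": False, "time": "2024-05-01T12:12:30Z", "serialNum": 103},
])


def triage(body):
    """Split unacknowledged incidents into (page_now, review_later), each a dict
    category -> list of incident IDs, oldest first by serialNum."""
    page_now, review_later = defaultdict(list), defaultdict(list)
    for inc in sorted(json.loads(body), key=lambda i: i["serialNum"]):
        if inc.get("acknowledged"):
            continue  # already archived in Console
        bucket = page_now if inc["category"] in PAGE_NOW else review_later
        bucket[inc["category"]].append(inc["_id"])
    return dict(page_now), dict(review_later)


def acknowledge_request(incident_id, acknowledged=True, console=CONSOLE, token=TOKEN):
    """Build PATCH /api/v1/audits/incidents/acknowledge/{id}.

    The method is set explicitly: a client given only a body defaults to POST,
    which is not what this endpoint accepts. acknowledged=False reverses an
    earlier acknowledgement.
    """
    url = f"{console}/api/v1/audits/incidents/acknowledge/{incident_id}"
    body = json.dumps({"acknowledged": acknowledged}).encode()
    return Request(url, data=body, method="PATCH",
                   headers={"Authorization": f"Bearer {token}",
                            "Content-Type": "application/json"})


def archive_reviewed(body, reviewed_categories):
    """Return the PATCH requests that archive every unacknowledged incident in the
    categories a reviewer has signed off on. Nothing is sent here; the caller
    submits each request with urllib.request.urlopen(req)."""
    _, review_later = triage(body)
    return [acknowledge_request(i) for cat in reviewed_categories
            for i in review_later.get(cat, [])]


if __name__ == "__main__":
    now, later = triage(SAMPLE_INCIDENTS)
    print("page now:", now)
    print("review later:", later)
    for req in archive_reviewed(SAMPLE_INCIDENTS, ["portScanning"]):
        print(req.get_method(), req.full_url, req.data)
```

Acknowledging only by category after a human review keeps the archive step auditable: every PATCH the script emits is traceable to a reviewed category, and the management audit log on the Console records who sent it.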
Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This API call downloads the incidents that match the query into a CSV file.
The following example uses basic auth to download incidents to a CSV file.
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o incidents.csv \
https://<CONSOLE>:8083/api/v1/audits/incidents/download
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/incidents/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- acknowledged: (string)
Acknowledged filters incidents by whether they have been acknowledged
- category: (string)
Category is the incident category filter
- cluster: (string)
Cluster is the incident cluster filter
- from: (datetime)
From is an optional minimum time constraint for the incident
- hostname: (string)
Hostname is the incident hostname filter
- profileID: (string)
ProfileID is the profile ID filter
- region: (string)
Region is the function region filter
- to: (datetime)
To is an optional maximum time constraint for the incident
- type: (string)
Type is the incident type filter
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Twistlock can provide Kubernetes audit events if the Kubernetes integration is configured.
The following example uses basic auth to list all Kubernetes audit events.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/kubernetes
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/kubernetes
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- from: (datetime)
From is an optional minimum time constraint for the activity
- to: (datetime)
To is an optional maximum time constraint for the activity
- user: (string)
User is the username filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- eventBlob: (string)
EventBlob is the original event that caused this audit
- message: (string)
Message is the user defined message which appears on audit
- requestURI: (string)
RequestURI is the request URI as sent by the client to a server
- resources: (string)
Resource represents the resource that is impacted by this event
- sourceIPs: (string)
Source IPs, from where the request originated and intermediate proxies (optional)
- time: (datetime)
Time is the time at which the request was generated
- user: (object)
User holds the authenticated user information
- groups: (string)
The names of groups this user is a part of (optional)
- uid: (string)
A unique value that identifies this user across time. If this user is deleted and another user by the same name is added, they will have different UIDs (optional)
- username: (string)
The name that uniquely identifies this user among all active users (optional)
- verb: (string)
Verb is the kubernetes verb associated with the request
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
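The following Python script is an added example, not code from the API reference or the product. It runs two detections over a GET /api/v1/audits/kubernetes response using only the documented fields (verb, requestURI, user.username): an interactive exec or attach into a pod, and a secret read by a human user rather than a service account or control-plane component. The path parser covers core-API namespaced resources only; the events are a constructed sample in the documented shape and the detection rules are this example's own, not Prisma Cloud's.

```python
import json
import re

# Constructed sample of the documented response shape; not real audit events.
SAMPLE_K8S_AUDITS = json.dumps([
    {"verb": "create", "requestURI": "/api/v1/namespaces/prod/pods/web-7f9/exec?command=sh&stdin=true",
     "user": {"username": "alice", "groups": ["developers"]}, "sourceIPs": ["10.0.1.5"],
     "time": "2024-05-01T12:03:11Z", "message": "", "resources": "", "eventBlob": ""},
    {"verb": "get", "requestURI": "/api/v1/namespaces/prod/secrets/db-creds",
     "user": {"username": "system:serviceaccount:prod:web", "groups": ["system:serviceaccounts"]},
     "sourceIPs": ["10.0.3.20"], "time": "2024-05-01T12:04:00Z", "message": "", "resources": "", "eventBlob": ""},
    {"verb": "list", "requestURI": "/api/v1/namespaces/prod/pods?limit=500",
     "user": {"username": "alice", "groups": ["developers"]}, "sourceIPs": ["10.0.1.5"],
     "time": "2024-05-01T12:05:30Z", "message": "", "resources": "", "eventBlob": ""},
    {"verb": "get", "requestURI": "/api/v1/namespaces/kube-system/secrets/bootstrap-token",
     "user": {"username": "bob", "groups": ["developers"]}, "sourceIPs": ["198.51.100.9", "10.0.0.1"],
     "time": "2024-05-01T12:06:00Z", "message": "", "resources": "", "eventBlob": ""},
])

# Core-API namespaced paths: /api/v1/namespaces/<ns>/<resource>[/<name>[/<subresource>]]
# Segments stop at "/" or "?" so a query string never leaks into a name.
_CORE_NS = re.compile(r"^/api/v1/namespaces/(?P<ns>[^/?]+)/(?P<kind>[^/?]+)"
                      r"(?:/(?P<name>[^/?]+))?(?:/(?P<sub>[^/?]+))?")


def parse_request_uri(uri):
    """Return (namespace, resource, name, subresource) or None for paths outside the core API."""
    m = _CORE_NS.match(uri)
    if not m:
        return None
    return m.group("ns"), m.group("kind"), m.group("name"), m.group("sub")


def detect(body):
    """Flag interactive pod access and secret reads by human users.

    Returns a list of (rule, username, namespace, requestURI). Both rules are this
    example's own detections, not Prisma Cloud rules.
    """
    findings = []
    for ev in json.loads(body):
        parsed = parse_request_uri(ev["requestURI"])
        if parsed is None:
            continue
        ns, kind, _name, sub = parsed
        user = ev["user"]["username"]
        # Service accounts and control-plane identities carry the system: prefix.
        human = not user.startswith("system:")
        if ev["verb"] == "create" and kind == "pods" and sub in ("exec", "attach"):
            findings.append(("pod-exec", user, ns, ev["requestURI"]))
        elif ev["verb"] in ("get", "list") and kind == "secrets" and human:
            findings.append(("human-secret-read", user, ns, ev["requestURI"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_K8S_AUDITS):
        print(*finding)
```

The exec rule deliberately ignores who ran it: an exec into a production pod is worth a ticket whoever the user is, whereas secret reads are routine for workloads and only interesting when a person does them.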
Twistlock can provide Kubernetes audit events if the Kubernetes integration is configured.
The following example uses basic auth to download all Kubernetes audit events to a CSV file.
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o kubernetes-events.csv \
https://<CONSOLE>:8083/api/v1/audits/kubernetes/download
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/kubernetes/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- from: (datetime)
From is an optional minimum time constraint for the activity
- to: (datetime)
To is an optional maximum time constraint for the activity
- user: (string)
User is the username filter
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Changes to any settings (including previous and new values), changes to any rules (create, modify, or delete), and all logon activity (success and failure) are logged. These events are called management audits.
This call retrieves a list of all management audits that match the query.
The following example curl command uses basic auth to retrieve all management audits
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt
Role
Minimum role required to access this endpoint: auditor.
get /audits/mgmt
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- from: (datetime)
From is an optional minimum time constraint for the audit
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Type is the audit type filter
- username: (string)
Username is the username filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- api: (string)
API is the api used in the audit process
- diff: (string)
Diff is the diff between old and new values
- failure: (boolean)
Failure states whether the request failed or not
- sourceIP: (string)
SourceIP is the request's source IP
- status: (string)
Status is the request's response status
- time: (datetime)
Time is the time of the request
- type: (object)
Type is the event type, used for filtering. Range of acceptable values: login, profile, settings, rule, user, group, credential, tag
- username: (string)
Username is the username of the user who performed the action
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
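The management audit trail is the Console's own record of who did what to it, so it is the first place to look for abuse of the API itself. The following Python script is an added example, not code from the original documentation or from Prisma Cloud: it obtains a bearer token from /api/v1/authenticate, builds a GET /api/v1/audits/mgmt request from the documented from/to/type/username filters, and then runs two checks over the returned records: repeated failed logins per source IP, and successful changes to credentials, users or settings. The Console address, the threshold, and the JSON shape of the authenticate exchange (username and password in, a "token" field out, which this page only names) are assumptions; the sample records, including their api paths, are constructed so the checks run offline.

```python
"""Pull Prisma Cloud Compute management audits and look for abuse of the Console.

Added example; not code from the original API documentation.
"""
import json
import ssl
import urllib.parse
import urllib.request
from collections import Counter
from datetime import timezone

CONSOLE = "https://console.example.internal:8083"  # assumed Console address


def _rfc3339(value):
    """Pass an RFC 3339 string through; format an aware datetime as UTC."""
    if isinstance(value, str):
        return value
    return value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _tls_context(verify_tls):
    """Equivalent of curl -k: verification is disabled only when asked for."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def mgmt_audit_url(console, from_=None, to=None, type_=None, username=None):
    """Build the GET /api/v1/audits/mgmt URL from the documented query parameters."""
    params = {}
    if from_ is not None:
        params["from"] = _rfc3339(from_)
    if to is not None:
        params["to"] = _rfc3339(to)
    if type_:
        params["type"] = type_
    if username:
        params["username"] = username
    query = urllib.parse.urlencode(params)
    return f"{console}/api/v1/audits/mgmt" + (f"?{query}" if query else "")


def authenticate(console, username, password, verify_tls=True):
    """POST /api/v1/authenticate and return the bearer token.

    The request/response field names (username, password, token) are an
    assumption: this page names the endpoint but not its JSON shape.
    """
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(
        f"{console}/api/v1/authenticate", data=body, method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=_tls_context(verify_tls)) as resp:
        return json.load(resp)["token"]


def fetch_mgmt_audits(console, token, verify_tls=True, **filters):
    """GET the management audits with a bearer token and the given filters."""
    req = urllib.request.Request(
        mgmt_audit_url(console, **filters),
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, context=_tls_context(verify_tls)) as resp:
        return json.load(resp)


def failed_logins_by_ip(audits, threshold=3):
    """Return {sourceIP: count} for addresses with at least `threshold` failed logins."""
    counts = Counter(
        a.get("sourceIP", "?") for a in audits
        if a.get("type") == "login" and a.get("failure"))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def sensitive_changes(audits, types=("credential", "user", "settings")):
    """List successful changes to credentials, users or settings as (username, type, api)."""
    return [(a.get("username"), a["type"], a.get("api"))
            for a in audits if a.get("type") in types and not a.get("failure")]


# Constructed sample records in the shape documented for GET /audits/mgmt.
SAMPLE_AUDITS = [
    {"type": "login", "username": "admin", "sourceIP": "203.0.113.7", "failure": True,
     "status": "401", "api": "/api/v1/authenticate", "time": f"2024-03-01T08:00:0{i}Z"}
    for i in range(4)
] + [
    {"type": "login", "username": "ops", "sourceIP": "198.51.100.2", "failure": True,
     "status": "401", "api": "/api/v1/authenticate", "time": "2024-03-01T08:01:00Z"},
    {"type": "login", "username": "admin", "sourceIP": "10.0.0.5", "failure": False,
     "status": "200", "api": "/api/v1/authenticate", "time": "2024-03-01T08:02:00Z"},
    {"type": "credential", "username": "admin", "sourceIP": "10.0.0.5", "failure": False,
     "status": "200", "api": "/api/v1/credentials", "diff": "registry credential added",
     "time": "2024-03-01T08:03:00Z"},
    {"type": "settings", "username": "ops", "sourceIP": "198.51.100.2", "failure": True,
     "status": "403", "api": "/api/v1/settings", "time": "2024-03-01T08:04:00Z"},
]

if __name__ == "__main__":
    # Live use (needs network access to Console):
    # token = authenticate(CONSOLE, "admin", "secret", verify_tls=False)
    # audits = fetch_mgmt_audits(CONSOLE, token, type_="login", from_="2024-03-01T00:00:00Z")
    print(failed_logins_by_ip(SAMPLE_AUDITS))
    print(sensitive_changes(SAMPLE_AUDITS))
```

Run it against a real Console by uncommenting the two live lines; the failed-login check is the one to schedule, since a burst of type=login records with failure=true from one sourceIP is what password guessing against /api/v1/authenticate looks like in this log.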
Downloads a list of all management audits in CSV format.
The following example curl command uses basic auth to download all management audits to a local file:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/download -o mgmt_audits.csv
Role
Minimum role required to access this endpoint: auditor.
get /audits/mgmt/download
Downloads a list of all management audits in CSV format.
The following example curl command uses basic auth to download all management audits to a local file:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/download -o mgmt_audits.csv
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- from: (datetime)
From is an optional minimum time constraint for the audit
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the audit type filter
- username: (string)
Usernames is the username filter
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Retrieves the management audit types and usernames found in your environment. These values can then be used as query filters when retrieving management audit data.
The following example curl command uses basic auth to retrieve all management audit filters
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/filters
Role
Minimum role required to access this endpoint: auditor.
get /audits/mgmt/filters
Retrieves the management audit types and usernames found in your environment. These values can then be used as query filters when retrieving management audit data.
The following example curl command uses basic auth to retrieve all management audit filters
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/filters
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- from: (datetime)
From is an optional minimum time constraint for the audit
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is the audit type filter
- username: (string)
Usernames is the username filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- type: (string)
Type is the management audit type filter
- username: (string)
Usernames is a filter for specific users
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
DeleteAppEmbeddedRuntimeAudits deletes all embedded defender runtime audits. Minimum role required to access this endpoint: operator.
AppEmbeddedRuntimeAudits returns all embedded defender audits according to the query specification. Minimum role required to access this endpoint: devSecOps.
delete /audits/runtime/app-embedded
DeleteAppEmbeddedRuntimeAudits deletes all embedded defender runtime audits. The call cannot be undone, so download any audits you still need for an investigation (/api/v1/audits/runtime/app-embedded/download) before calling it. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/runtime/app-embedded
AppEmbeddedRuntimeAudits returns all embedded defender audits according to the query specification. Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- container: (string)
Containers is the container name filter
- effect: (string)
Effect is used to filter by runtime audit effect (e.g., block/alert)
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- image: (string)
Images is the image name filter
- ns: (string)
Namespaces is the namespaces filter
- os: (string)
OS is the image OS distro filter
- profileID: (string)
ProfileIDs are the profile IDs to filter
- ruleName: (string)
RuleNames is used to filter by rule name
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is used to filter by runtime audit type
- user: (string)
Users is used to filter by host users
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is internal id representation (used for in-place updates)
- accountID: (string)
AccountID is the cloud account ID where the audit was generated
- app: (string)
App is the name of the service which violated the host policy
- appID: (string)
AppID is the application ID
- attackType: (object)
AttackType is the sub-category of the attack (e.g., port scanning, listening port, connection event, etc.). Range of acceptable values: cloudMetadataProbing, kubeletMetadataProbing, kubeletMetricProbing, kubectlSpawned, kubectlDownloaded, horizontalPortScanning, verticalPortScanning, explicitlyDeniedIP, customFeedIP, feedIP, unexpectedOutboundPort, suspiciousNetworkActivity, unexpectedListeningPort, explicitlyDeniedListeningPort, explicitlyDeniedOutboundPort, listeningPortModifiedProcess, outboundPortModifiedProcess, feedDNS, explicitlyDeniedDNS, dnsQuery, unexpectedProcess, portScanProcess, malwareProcessCustom, malwareProcessFeed, explicitlyDeniedProcess, modifiedProcess, cryptoMinerProcess, lateralMovementProcess, tmpfsProcess, policyHijacked, reverseShell, administrativeAccount, sshAccess, explicitlyDeniedFile, malwareFileCustom, malwareFileFeed, execFileAccess, elfFileAccess, secretFileAccess, regFileAccess, fileIntegrity, alteredBinary, malwareDownloaded, suspiciousELFHeader, executionFlowHijackAttempt, customRule
- cluster: (string)
Cluster is the cluster name
- collections: (string)
Collections are collections to which this audit applies
- container: (boolean)
Container indicates if this is a container audit or host audit
- containerId: (string)
ContainerId is the id of the container that violates the rule
- containerName: (string)
ContainerName is the container unique name
- count: (object)
Count is the attack type audits count
- country: (string)
Country is the outbound country for outgoing network audits
- effect: (object)
Effect indicates the applied rule effect. Range of acceptable values: block, prevent, alert, disable
- err: (string)
Err represents an unknown error in the audit process
- fqdn: (string)
FQDN is the current full domain name used in audit alerts
- function: (string)
Function is the name of the serverless function that caused the audit
- functionID: (string)
FunctionID is the id of the function called
- hostname: (string)
Hostname is the current hostname
- imageId: (string)
ImageId is the container image id
- imageName: (string)
ImageName is the container image name
- interactive: (boolean)
Interactive indicates that the audit was triggered from a process that was spawned in interactive mode (e.g., docker exec ...)
- label: (string)
Label is the container deployment label
- msg: (string)
Message is the blocking message text
- namespace: (string)
Namespace is the k8s deployment namespace
- pid: (integer)
Pid is the process ID that caused the audit event
- processPath: (string)
ProcessPath is the process path that caused the audit event
- profileId: (string)
ProfileId is the profile of the audit
- rawEvent: (string)
RawEvent contains unparsed function handler event input
- region: (string)
Region is the name of the region in which the serverless function is located
- requestID: (string)
RequestID is lambda function invocation request id
- ruleName: (string)
If blocked, contains the name of the rule that was applied
- runtime: (object)
Runtime is the runtime type of the serverless function
- severity: (object)
Severity represents the runtime severity. Range of acceptable values: low, medium, high
- time: (datetime)
Time is the UTC time of the audit event
- type: (object)
Type is the runtime type. Range of acceptable values: processes, network, kubernetes, filesystem
- user: (string)
User represents the service user
- version: (string)
Version is the defender version
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
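The record shape documented above (attackType, effect, severity, type, interactive, processPath and friends) is what a triage script works on once the audits have been fetched. The following Python is an added example, not code from the original documentation or from Prisma Cloud: it builds the GET URL for any of the three runtime audit collections on this page (app-embedded, container and host share the same query parameters), then splits a batch of audits into what the policy blocked versus what it only alerted on, escalates high-severity audits that were not stopped, and lists which container had interactive sessions and what they ran. The Console address is an assumption, the `fields` value is passed through untouched because its list format is not given on this page, and the sample audits are constructed so the script runs offline. Fetch live data with a bearer token as in the page's curl examples.

```python
"""Triage Prisma Cloud Compute runtime audits from /api/v1/audits/runtime/<kind>.

Added example; not code from the original API documentation.
"""
import urllib.parse
from collections import Counter, defaultdict

CONSOLE = "https://console.example.internal:8083"  # assumed Console address
BLOCKING_EFFECTS = {"block", "prevent"}  # effects that stopped the activity


def runtime_audit_url(console, kind="container", filters=None):
    """Build GET /api/v1/audits/runtime/<kind> with the documented filters.

    kind is app-embedded, container or host. Filters are passed as a dict
    because "from" is a Python keyword; empty values are dropped.
    """
    params = {k: v for k, v in (filters or {}).items() if v not in (None, "")}
    query = urllib.parse.urlencode(params)
    return f"{console}/api/v1/audits/runtime/{kind}" + (f"?{query}" if query else "")


def triage(audits):
    """Return (summary, escalate).

    summary maps "blocked"/"alerted" to a Counter of attackType; escalate
    lists high-severity audits the policy saw but did not stop.
    """
    summary = {"blocked": Counter(), "alerted": Counter()}
    escalate = []
    for a in audits:
        bucket = "blocked" if a.get("effect") in BLOCKING_EFFECTS else "alerted"
        summary[bucket][a.get("attackType", "unknown")] += 1
        if bucket == "alerted" and a.get("severity") == "high":
            escalate.append({
                "time": a.get("time"), "hostname": a.get("hostname"),
                "container": a.get("containerName"), "image": a.get("imageName"),
                "attackType": a.get("attackType"), "process": a.get("processPath"),
                "rule": a.get("ruleName"), "msg": a.get("msg")})
    return summary, escalate


def interactive_sessions(audits):
    """Map containerName -> set of process paths run interactively (e.g. docker exec)."""
    sessions = defaultdict(set)
    for a in audits:
        if a.get("interactive"):
            sessions[a.get("containerName", "?")].add(a.get("processPath", "?"))
    return dict(sessions)


# Constructed sample audits in the shape documented above (rule names are made up).
SAMPLE_AUDITS = [
    {"time": "2024-03-01T09:00:00Z", "type": "processes", "attackType": "reverseShell",
     "effect": "alert", "severity": "high", "hostname": "node-1", "containerName": "web-1",
     "imageName": "shop/web:1.4", "processPath": "/bin/bash", "interactive": True,
     "ruleName": "alert-only baseline", "msg": "Reverse shell detected"},
    {"time": "2024-03-01T09:00:05Z", "type": "processes", "attackType": "cryptoMinerProcess",
     "effect": "block", "severity": "high", "hostname": "node-1", "containerName": "web-1",
     "imageName": "shop/web:1.4", "processPath": "/tmp/xmrig", "interactive": False,
     "ruleName": "block miners", "msg": "Crypto miner blocked"},
    {"time": "2024-03-01T09:01:00Z", "type": "network", "attackType": "unexpectedOutboundPort",
     "effect": "alert", "severity": "medium", "hostname": "node-2", "containerName": "api-3",
     "imageName": "shop/api:2.0", "processPath": "/usr/bin/curl", "interactive": True,
     "ruleName": "alert-only baseline", "msg": "Outbound connection to port 4444"},
    {"time": "2024-03-01T09:02:00Z", "type": "filesystem", "attackType": "secretFileAccess",
     "effect": "prevent", "severity": "high", "hostname": "node-2", "containerName": "api-3",
     "imageName": "shop/api:2.0", "processPath": "/bin/cat", "interactive": True,
     "ruleName": "protect secrets", "msg": "Read of /run/secrets prevented"},
]

if __name__ == "__main__":
    # Live use: GET this URL with an Authorization: Bearer header.
    print(runtime_audit_url(CONSOLE, "container",
                            {"effect": "alert", "type": "processes",
                             "from": "2024-03-01T00:00:00Z"}))
    summary, escalate = triage(SAMPLE_AUDITS)
    print(summary)
    for item in escalate:
        print("ESCALATE", item)
    print(interactive_sessions(SAMPLE_AUDITS))
```

The alerted/blocked split is the useful view when tuning policy: anything that repeatedly lands in the alerted Counter with severity high is a candidate for a prevent or block rule, and the interactive-session map shows which containers are being used as a shell.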
DownloadAppEmbeddedRuntimeAudits downloads the embedded defender audits according to the specified query. Minimum role required to access this endpoint: devSecOps.
get /audits/runtime/app-embedded/download
DownloadAppEmbeddedRuntimeAudits downloads the embedded defender audits according to the specified query. Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- container: (string)
Containers is the container name filter
- effect: (string)
Effect is used to filter by runtime audit effect (e.g., block/alert)
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- image: (string)
Images is the image name filter
- ns: (string)
Namespaces is the namespaces filter
- os: (string)
OS is the image OS distro filter
- profileID: (string)
ProfileIDs are the profile IDs to filter
- ruleName: (string)
RuleNames is used to filter by rule name
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is used to filter by runtime audit type
- user: (string)
Users is used to filter by host users
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Deletes all container runtime audits from the Console database. The call cannot be undone, so download any audits you still need for an investigation (/api/v1/audits/runtime/container/download) before calling it.
The following example curl command uses basic auth to delete all the audits:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/container
Role
Minimum role required to access this endpoint: operator.
Twistlock records an audit every time a runtime sensor (process, network, file system, and system call) detects activity that deviates from the predictive model. This endpoint retrieves all container audits from the console Monitor > Runtime > Container Audits.
A call to this API endpoint may resemble the following:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container
Role
Minimum role required to access this endpoint: devSecOps.
delete /audits/runtime/container
Deletes all container runtime audits from the Console database. The call cannot be undone, so download any audits you still need for an investigation (/api/v1/audits/runtime/container/download) before calling it.
The following example curl command uses basic auth to delete all the audits:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/container
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/runtime/container
Twistlock records an audit every time a runtime sensor (process, network, file system, and system call) detects activity that deviates from the predictive model. This endpoint retrieves all container audits from the console Monitor > Runtime > Container Audits.
A call to this API endpoint may resemble the following:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- container: (string)
Containers is the container name filter
- effect: (string)
Effect is used to filter by runtime audit effect (e.g., block/alert)
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- image: (string)
Images is the image name filter
- ns: (string)
Namespaces is the namespaces filter
- os: (string)
OS is the image OS distro filter
- profileID: (string)
ProfileIDs are the profile IDs to filter
- ruleName: (string)
RuleNames is used to filter by rule name
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is used to filter by runtime audit type
- user: (string)
Users is used to filter by host users
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ProfileID is the runtime profile ID
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this audit applies
- imageName: (string)
ImageName is the container image name
- label: (string)
Label represents the container deployment label
- os: (string)
OS is the operating system distribution
- resource: (object)
Resource specifies the runtime resources that apply to the profile audit; its properties are listed next
- accountIDs: (string)
AccountIDs is a list of the cloud account IDs
- appIDs: (string)
AppIDs is a list of application IDs
- clusters: (string)
Clusters is a list of kubernetes cluster names
- codeRepos: (string)
CodeRepos is a list of remote code repositories
- containers: (string)
- functions: (string)
- hosts: (string)
- images: (string)
- labels: (string)
- namespaces: (string)
Namespaces are the k8s namespaces
- time: (datetime)
Time is the UTC time of the last audit event
- total: (integer)
Total is the total count of audits per runtime profile
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Downloads the runtime container audit logs in CSV format.
A call to this API endpoint may resemble the following:
$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container/download \
-o container_audits.csv
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/runtime/container/download
Downloads the runtime container audit logs in CSV format.
A call to this API endpoint may resemble the following:
$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container/download \
-o container_audits.csv
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- container: (string)
Containers is the container name filter
- effect: (string)
Effect is used to filter by runtime audit effect (e.g., block/alert)
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- image: (string)
Images is the image name filter
- ns: (string)
Namespaces is the namespaces filter
- os: (string)
OS is the image OS distro filter
- profileID: (string)
ProfileIDs are the profile IDs to filter
- ruleName: (string)
RuleNames is used to filter by rule name
- to: (datetime)
To is an optional maximum time constraint for the audit
- type: (string)
Types is used to filter by runtime audit type
- user: (string)
Users is used to filter by host users
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.
The following example uses basic auth to list these audits:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/file-integrity
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/runtime/file-integrity
Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.
The following example uses basic auth to list these audits:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/file-integrity
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- eventType: (string)
EventTypes is the list of file integrity events to use for filtering
- from: (datetime)
From is an optional minimum time constraint for the event
- hostname: (string)
Hosts is the list of hosts to use for filtering
- path: (string)
Paths is the list of paths to use for filtering
- to: (datetime)
To is an optional maximum time constraint for the event
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- accountID: (string)
AccountID is the cloud account ID
- cluster: (string)
Cluster is the cluster on which the event was found
- collections: (string)
Collections are collections to which this event applies
- description: (string)
Description is a human readable description of the action performed on the path
- eventType: (object)
EventType is the type of the event. Range of acceptable values: metadata, read, write
- fileType: (object)
FileType is the file type of the path
- fqdn: (string)
FQDN is the current fully qualified domain name used in audit alerts
- hostname: (string)
Hostname is the hostname on which the event was found
- path: (string)
Path is the absolute path of the event
- processName: (string)
ProcessName is the name of the process that initiated the event
- ruleName: (string)
RuleName is the name of the applied rule for auditing file integrity rules
- time: (datetime)
Time is the time of the event
- user: (string)
User is the user who initiated the event
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
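File-integrity audits are only useful if someone decides which of them matter, and the record shape above (eventType, path, processName, user, hostname) carries everything needed for that decision. The following Python is an added example, not code from the original documentation or from Prisma Cloud: it builds the GET /api/v1/audits/runtime/file-integrity URL from the documented filters, flags write and metadata events on sensitive files that were not made by the tools expected to edit them, and summarises event counts per host. The Console address and the allowlist of editing processes are assumptions, and the sample events are constructed so the script runs offline.

```python
"""Review Prisma Cloud Compute file-integrity audits.

Added example; not code from the original API documentation.
"""
import urllib.parse
from collections import defaultdict

CONSOLE = "https://console.example.internal:8083"  # assumed Console address

# Sensitive paths and the processes expected to modify them (assumed allowlist).
# An empty set means no process is expected to write the file at all.
SENSITIVE_PATHS = {
    "/etc/passwd": {"useradd", "usermod", "userdel"},
    "/etc/shadow": {"passwd", "chpasswd", "usermod"},
    "/etc/sudoers": {"visudo"},
    "/root/.ssh/authorized_keys": set(),
}


def fim_url(console, hostname=None, event_type=None, path=None, from_=None, to=None):
    """Build GET /api/v1/audits/runtime/file-integrity with the documented filters."""
    params = {"hostname": hostname, "eventType": event_type, "path": path,
              "from": from_, "to": to}
    query = urllib.parse.urlencode({k: v for k, v in params.items() if v})
    return f"{console}/api/v1/audits/runtime/file-integrity" + (f"?{query}" if query else "")


def suspicious_writes(events, sensitive=SENSITIVE_PATHS):
    """Return write/metadata events on sensitive paths made by non-allowlisted processes."""
    flagged = []
    for e in events:
        if e.get("eventType") not in ("write", "metadata"):
            continue  # reads are noisy; write and permission changes are the signal
        allowed = sensitive.get(e.get("path"))
        if allowed is None:
            continue  # not a path we care about
        if e.get("processName") not in allowed:
            flagged.append(e)
    return flagged


def per_host_summary(events):
    """Count events per hostname and eventType, e.g. {"node-1": {"write": 2}}."""
    out = defaultdict(lambda: defaultdict(int))
    for e in events:
        out[e.get("hostname", "?")][e.get("eventType", "?")] += 1
    return {host: dict(counts) for host, counts in out.items()}


# Constructed sample events in the shape documented above.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T10:00:00Z", "hostname": "node-1", "cluster": "prod",
     "eventType": "write", "path": "/etc/passwd", "processName": "useradd",
     "user": "root", "ruleName": "host-fim", "description": "file modified"},
    {"time": "2024-03-01T10:01:00Z", "hostname": "node-1", "cluster": "prod",
     "eventType": "write", "path": "/etc/shadow", "processName": "vi",
     "user": "root", "ruleName": "host-fim", "description": "file modified"},
    {"time": "2024-03-01T10:02:00Z", "hostname": "node-2", "cluster": "prod",
     "eventType": "metadata", "path": "/etc/sudoers", "processName": "chmod",
     "user": "deploy", "ruleName": "host-fim", "description": "permissions changed"},
    {"time": "2024-03-01T10:03:00Z", "hostname": "node-2", "cluster": "prod",
     "eventType": "read", "path": "/etc/shadow", "processName": "cat",
     "user": "deploy", "ruleName": "host-fim", "description": "file read"},
    {"time": "2024-03-01T10:04:00Z", "hostname": "node-1", "cluster": "prod",
     "eventType": "write", "path": "/root/.ssh/authorized_keys", "processName": "bash",
     "user": "root", "ruleName": "host-fim", "description": "file modified"},
    {"time": "2024-03-01T10:05:00Z", "hostname": "node-2", "cluster": "prod",
     "eventType": "write", "path": "/var/log/app.log", "processName": "app",
     "user": "app", "ruleName": "host-fim", "description": "file modified"},
]

if __name__ == "__main__":
    # Live use: GET this URL with an Authorization: Bearer header.
    print(fim_url(CONSOLE, hostname="node-1", event_type="write"))
    for e in suspicious_writes(SAMPLE_EVENTS):
        print("FLAG", e["hostname"], e["path"], e["processName"], e["user"])
    print(per_host_summary(SAMPLE_EVENTS))
```

The allowlist is deliberately per path rather than per user: root editing /etc/shadow with vi is exactly the case a FIM rule exists to catch, and a user-based filter would wave it through.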
Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.
The following example uses basic auth to download these audits:
$ curl -k \
-u <USER> \
-X GET \
-o file-integrity-events.csv \
https://<CONSOLE>:8083/api/v1/audits/runtime/file-integrity/download
Role
Minimum role required to access this endpoint: devSecOps.
get /audits/runtime/file-integrity/download
Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.
The following example uses basic auth to download these audits:
$ curl -k \
-u <USER> \
-X GET \
-o file-integrity-events.csv \
https://<CONSOLE>:8083/api/v1/audits/runtime/file-integrity/download
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- eventType: (string)
EventTypes is the list of file integrity events to use for filtering
- from: (datetime)
From is an optional minimum time constraint for the event
- hostname: (string)
Hosts is the list of hosts to use for filtering
- path: (string)
Paths is the list of paths to use for filtering
- to: (datetime)
To is an optional maximum time constraint for the event
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Deletes all host audits from the database. The call cannot be undone, so download any audits you still need for an investigation before calling it.
The following example curl command uses basic auth to delete all host audits:
$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/host
Role
Minimum role required to access this endpoint: operator.
Retrieves a list of all host audits that match the query.
The following example curl command uses basic auth to retrieve all host audits:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/host
Role
Minimum role required to access this endpoint: devSecOps.
delete /audits/runtime/host
Deletes all host audits from the database. The call cannot be undone, so download any audits you still need for an investigation before calling it.
The following example curl command uses basic auth to delete all host audits:
$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/host
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/runtime/host
Retrieves a list of all host audits that match the query.
The following example curl command uses basic auth to retrieve all host audits:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/host
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- container: (string)
Containers is the container name filter
- effect: (string)
Effect is used to filter by runtime audit effect (e.g., block/alert)
- fields: (string)
Fields is used to fetch specific runtime audit fields
- from: (datetime)
From is an optional minimum time constraint for the audit
- image: (string)
Images is the image name filter
- ns: (string)
Namespaces is the namespaces filter
- os: (string)
OS is the image OS distro filter
- profileID: (string)
ProfileIDs are the profile IDs to filter
- ruleName: (string)
RuleNames is used to filter by rule name
- to: (datetime)
To is an optional maximum time constraints for the audit
- type: (string)
Types is used to filter by runtime audit type
- user: (string)
Users is used to filter by host users
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ProfileID is the runtime profile ID
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this audit applies
- imageName: (string)
ImageName is the container image name
- label: (string)
Label represents the container deployment label
- os: (string)
OS is the operating system distribution
- resource: (object)
Resource specifies the runtime resources that apply to the profile audit
- accountIDs: (string)
AccountIDs is a list of the cloud account IDs
- appIDs: (string)
AppIDs is a list of application IDs
- clusters: (string)
Clusters is a list of kubernetes cluster names
- codeRepos: (string)
CodeRepos is a list of remote code repositories
- containers: (string)
- functions: (string)
- hosts: (string)
- images: (string)
- labels: (string)
- namespaces: (string)
Namespaces are the k8s namespaces
- accountIDs: (string)
- time: (datetime)
Time is the UTC time of the last audit event
- total: (integer)
Total is the total count of audits per runtime profile
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/runtime/host/download
Downloads the runtime host audit logs in CSV format.
A call to this API endpoint may resemble the following code snippet:
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_audits.csv \
https://<CONSOLE>:8083/api/v1/audits/runtime/host/download
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Filters by cluster.
- container: (string)
Filters by container name.
- effect: (string)
Filters by runtime audit effect (e.g., block/alert).
- fields: (string)
Selects the runtime audit fields to return.
- from: (datetime)
Optional minimum time constraint for the audit.
- image: (string)
Filters by image name.
- ns: (string)
Filters by namespace.
- os: (string)
Filters by image OS distro.
- profileID: (string)
Filters by profile ID.
- ruleName: (string)
Filters by rule name.
- to: (datetime)
Optional maximum time constraint for the audit.
- type: (string)
Filters by runtime audit type.
- user: (string)
Filters by host user.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/runtime/log-inspection
Twistlock can provide audits for log inspection checks that are configured under host runtime rules.
The following example uses basic auth to list these audits:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/log-inspection
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Filters by cluster.
- from: (datetime)
Optional minimum time constraint for the event.
- hostname: (string)
List of hosts to filter by.
- logfile: (string)
List of log files to filter by.
- to: (datetime)
Optional maximum time constraint for the event.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- accountID: (string)
AccountID is the cloud account ID
- cluster: (string)
Cluster is the cluster on which the event was found
- collections: (string)
Collections are collections to which this event applies
- hostname: (string)
Hostname is the hostname on which the event was found
- line: (string)
Line is the matching log line
- logfile: (string)
Logfile is the log file which triggered the event
- ruleName: (string)
RuleName is the name of the applied rule for auditing log inspection events
- time: (datetime)
Time is the time of the event
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
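The query parameters above are the same filter set that each runtime audit endpoint accepts, and the log-inspection response is the record shape an analyst actually triages: which rule matched, on which host, in which log file, and when. The following Python is an added example, not code from the Prisma Cloud Compute project. It builds a filtered request URL for any of the audit endpoints (from/to rendered as RFC 3339, every value percent-encoded so a filter taken from user input cannot inject extra parameters) and then groups log-inspection records by host and rule, applying the same time window client-side. The hostname console.example, the sample records and all function names are assumptions made for the example.

```python
"""Query the runtime audit endpoints with filters and triage log-inspection records.

Added example: this is not Prisma Cloud Compute code. The endpoint paths and
query parameter names come from the reference above; the sample records are
constructed to match the documented log-inspection response fields, and the
console hostname 'console.example' is a placeholder.
"""
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlencode

API_PORT = 8083  # default Console API port (see the head of this document)


def to_rfc3339(ts: datetime) -> str:
    """Render a datetime as UTC RFC 3339; naive datetimes are taken as UTC."""
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_audit_url(console: str, path: str, **filters) -> str:
    """Return https://<console>:8083/api/v1/<path>?<encoded filters>.

    None-valued filters are dropped, datetimes become RFC 3339 strings, and
    urlencode percent-encodes everything else, so a filter value taken from
    user input cannot smuggle extra parameters into the query string.
    """
    params = {}
    for key, value in filters.items():
        if value is None:
            continue
        params[key] = to_rfc3339(value) if isinstance(value, datetime) else value
    url = f"https://{console}:{API_PORT}/api/v1/{path.lstrip('/')}"
    return f"{url}?{urlencode(params)}" if params else url


def parse_time(value: str) -> datetime:
    """Parse an audit record's RFC 3339 'time' field into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_window(record: dict, start: datetime, end: datetime) -> bool:
    """Client-side counterpart of the from/to constraints (inclusive bounds)."""
    return start <= parse_time(record["time"]) <= end


def summarize_log_inspection(records, start=None, end=None) -> dict:
    """Group log-inspection audits by (hostname, ruleName).

    Returns {(hostname, ruleName): {"count": n, "logfiles": [...]}} so an analyst
    sees which rule fired on which host, how often and in which files; an
    optional [start, end] window applies the same constraint as from/to.
    """
    counts = Counter()
    logfiles = {}
    for rec in records:
        if start is not None and end is not None and not in_window(rec, start, end):
            continue
        key = (rec["hostname"], rec["ruleName"])
        counts[key] += 1
        logfiles.setdefault(key, set()).add(rec["logfile"])
    return {k: {"count": n, "logfiles": sorted(logfiles[k])} for k, n in counts.items()}


# Constructed sample records in the documented response shape (not real data).
SAMPLE_AUDITS = [
    {"accountID": "acct-demo", "cluster": "prod", "collections": "All", "hostname": "web-01",
     "logfile": "/var/log/auth.log", "ruleName": "ssh-failed-login",
     "line": "Failed password for invalid user test from 203.0.113.5 port 4022 ssh2",
     "time": "2023-05-01T10:00:00Z"},
    {"accountID": "acct-demo", "cluster": "prod", "collections": "All", "hostname": "web-01",
     "logfile": "/var/log/auth.log", "ruleName": "ssh-failed-login",
     "line": "Failed password for root from 203.0.113.5 port 4023 ssh2",
     "time": "2023-05-01T10:05:00Z"},
    {"accountID": "acct-demo", "cluster": "prod", "collections": "All", "hostname": "web-02",
     "logfile": "/var/log/auth.log", "ruleName": "ssh-failed-login",
     "line": "Failed password for root from 198.51.100.7 port 5100 ssh2",
     "time": "2023-05-01T12:00:00Z"},
    {"accountID": "acct-demo", "cluster": "prod", "collections": "All", "hostname": "web-01",
     "logfile": "/var/log/sudo.log", "ruleName": "sudo-to-root",
     "line": "alice : TTY=pts/0 ; USER=root ; COMMAND=/bin/bash",
     "time": "2023-05-01T09:00:00Z"},
]

WINDOW_START = datetime(2023, 5, 1, 9, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2023, 5, 1, 11, 0, tzinfo=timezone.utc)


def example_window_url(console: str = "console.example") -> str:
    """The log-inspection query for web-01 restricted to the sample window."""
    return build_audit_url(console, "/audits/runtime/log-inspection",
                           hostname="web-01", **{"from": WINDOW_START, "to": WINDOW_END})


def example_window_summary() -> dict:
    """Triage of the sample records restricted to the same window."""
    return summarize_log_inspection(SAMPLE_AUDITS, WINDOW_START, WINDOW_END)


if __name__ == "__main__":
    print(example_window_url())
    for (host, rule), info in example_window_summary().items():
        print(f"{host:8} {rule:20} {info['count']:3}  {', '.join(info['logfiles'])}")
```

The same build_audit_url call serves /audits/runtime/host, /audits/runtime/serverless and /audits/trust; only the path and the parameter names change. Because `from` is a Python keyword it has to be passed through a dict, as example_window_url does.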
get /audits/runtime/log-inspection/download
Twistlock can provide audits for log inspection checks that are configured under host runtime rules.
The following example uses basic auth to download these audits:
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o log-inspection.csv \
https://<CONSOLE>:8083/api/v1/audits/runtime/log-inspection/download
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Filters by cluster.
- from: (datetime)
Optional minimum time constraint for the event.
- hostname: (string)
List of hosts to filter by.
- logfile: (string)
List of log files to filter by.
- to: (datetime)
Optional maximum time constraint for the event.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
delete /audits/runtime/serverless
This endpoint will delete all serverless runtime audits.
The following example curl command uses basic auth to delete the current audits:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/serverless
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/runtime/serverless
Returns scan reports in JSON format for any serverless functions you've configured Twistlock to scan.
A curl command to access this endpoint may resemble the following code snippet:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/serverless
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- effect: (string)
Filters by runtime audit effect (block/alert).
- from: (datetime)
Optional minimum time constraint for the audit.
- functionName: (string)
Filters by function name.
- profileID: (string)
Filters by profile ID.
- region: (string)
Filters by region.
- ruleName: (string)
Filters by rule name.
- runtime: (string)
Filters by runtime.
- to: (datetime)
Optional maximum time constraint for the audit.
- type: (string)
Filters by runtime audit type.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ProfileID is the runtime profile ID
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this audit applies
- functionName: (string)
FunctionName is the name of the serverless function that caused the audit (version included)
- imageName: (string)
ImageName is the container image name
- label: (string)
Label represents the container deployment label
- os: (string)
OS is the operating system distribution
- region: (string)
Region is the name of the region in which the serverless function is located
- resource: (object)
Resource specifies the runtime resources that apply to the profile audit
- accountIDs: (string)
AccountIDs is a list of the cloud account IDs
- appIDs: (string)
AppIDs is a list of application IDs
- clusters: (string)
Clusters is a list of kubernetes cluster names
- codeRepos: (string)
CodeRepos is a list of remote code repositories
- containers: (string)
- functions: (string)
- hosts: (string)
- images: (string)
- labels: (string)
- namespaces: (string)
Namespaces are the k8s namespaces
- accountIDs: (string)
- runtime: (object)
Runtime is the runtime type of the serverless function
- time: (datetime)
Time is the UTC time of the last audit event
- total: (integer)
Total is the total count of audits per runtime profile
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/runtime/serverless/download
Returns scan reports in CSV format for any serverless functions you've configured Twistlock to scan.
A curl command to access this endpoint may resemble the following code snippet:
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o serverless-audits.csv \
https://<CONSOLE>:8083/api/v1/audits/runtime/serverless/download
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Filters by cluster.
- container: (string)
Filters by container name.
- effect: (string)
Filters by runtime audit effect (e.g., block/alert).
- fields: (string)
Selects the runtime audit fields to return.
- from: (datetime)
Optional minimum time constraint for the audit.
- image: (string)
Filters by image name.
- ns: (string)
Filters by namespace.
- os: (string)
Filters by image OS distro.
- profileID: (string)
Filters by profile ID.
- ruleName: (string)
Filters by rule name.
- to: (datetime)
Optional maximum time constraint for the audit.
- type: (string)
Filters by runtime audit type.
- user: (string)
Filters by host user.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/runtime/serverless/filters
Returns all serverless filters in JSON format. These filters can be used in the base GET request as query parameters.
A call to this API endpoint may resemble the following code snippet:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/serverless/filters
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
delete /audits/trust
Deletes all the trust audits from the events page in Console.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/trust
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/trust
Gets all the trust audits from the events page in Console.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- _id: (string)
Filters by registry/repo ID.
- effect: (string)
Filters by runtime audit effect (block/alert).
- from: (datetime)
Optional minimum time constraint for the audit.
- ruleName: (string)
Filters by rule name.
- to: (datetime)
Optional maximum time constraint for the audit.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ProfileID is the runtime profile ID
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this audit applies
- imageName: (string)
ImageName is the container image name
- label: (string)
Label represents the container deployment label
- os: (string)
OS is the operating system distribution
- resource: (object)
Resource specifies the runtime resources that apply to the profile audit
- accountIDs: (string)
AccountIDs is a list of the cloud account IDs
- appIDs: (string)
AppIDs is a list of application IDs
- clusters: (string)
Clusters is a list of kubernetes cluster names
- codeRepos: (string)
CodeRepos is a list of remote code repositories
- containers: (string)
- functions: (string)
- hosts: (string)
- images: (string)
- labels: (string)
- namespaces: (string)
Namespaces are the k8s namespaces
- accountIDs: (string)
- time: (datetime)
Time is the UTC time of the last audit event
- total: (integer)
Total is the total count of audits per runtime profile
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /audits/trust/download
Downloads all the trust audits from the events page in Console.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust/download
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- _id: (string)
Filters by registry/repo ID.
- effect: (string)
Filters by runtime audit effect (block/alert).
- from: (datetime)
Optional minimum time constraint for the audit.
- ruleName: (string)
Filters by rule name.
- to: (datetime)
Optional maximum time constraint for the audit.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Authenticate
Retrieves an access token using your credentials. Valid tokens are required to access the rest of the Prisma Cloud Compute API.
Note: The Prisma Cloud Compute API can also be accessed using basic auth.
post /authenticate
Retrieves an access token using your username and password. By default, access tokens are valid for 24 hours.
cURL Request
The following cURL command retrieves a token for user admin with password password.
$ curl -k \
-H "Content-Type: application/json" \
-X POST \
-d \
'{
"username":"admin",
"password":"password"
}' \
https://<CONSOLE>/api/v1/authenticate
Note: The username and password values are case-sensitive.
Response
A successful request returns the following response, containing the access token to use with the rest of the API endpoints.
{"token": "ACCESS_TOKEN_VALUE"}
Role
Minimum role required to access this endpoint: anyone.
Body
Media type: application/json
Type: object
Properties
- password: (string)
Password for Twistlock user
- username: (string)
Username for Twistlock user
get /authenticate/identity-redirect-url
IdentityRedirectURL returns the redirect URL for the given authentication provider. Minimum role required to access this endpoint: none.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- redirect: (boolean)
When true, redirects to the specified identity provider's authentication flow
- type: (string)
Type is the auth provider type
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- enabled: (boolean)
Enabled indicates whether the auth provider is enabled
- url: (string)
URL is the redirect URL
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /authenticate/renew
Renews an old (unexpired) access token and returns a new token.
cURL Request
The following cURL command retrieves a new access token using an old access token.
$ curl -k \
-H "Authorization: Bearer <OLD_ACCESS_TOKEN>" \
https://<CONSOLE>/api/v1/authenticate/renew
Response
A successful request returns the following response body containing the new access token, which replaces the old one.
{"token": "ACCESS_TOKEN_VALUE"}
Role
Minimum role required to access this endpoint: user.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- token: (string)
Token is the new JWT token
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Authenticate client
Retrieve an access token using a client certificate. Valid tokens are required to access the rest of the Twistlock API. Use this endpoint if your organization has rolled out multi-factor authentication built on x.509 certificates.
The Twistlock API can also be accessed using basic auth.
post /authenticate-client
Retrieves an access token using a client certificate. This endpoint checks the supplied client certificate and authorizes the user based on the username in the certificate's CN or UPN field. By default, access tokens are valid for 24 hours.
The following example curl command retrieves a token using a client certificate:
$ curl -k \
-X POST \
--cert <CERT.PEM> \
https://<CONSOLE>:8083/api/v1/authenticate-client
The certificate must be in PEM format, and the file must contain the private key and the client certificate concatenated together.
Role
Minimum role required to access this endpoint: none.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- role: (object)
UserRole is the authenticated user role
- token: (string)
Token is the console authentication response token
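The token renewal flow and the client-certificate login described above, as an added Python example (not Prisma Cloud or Twistlock code): it reads the exp claim of the page's sample token to decide when to renew, calls GET /api/v1/authenticate/renew while the token is still valid, and obtains an initial token with POST /api/v1/authenticate-client. The Console hostname, the PEM path, the 15-minute renewal margin and the injectable http helper are assumptions.

```python
"""Added example (not Prisma Cloud / Twistlock code): obtain an API token with a
client certificate and keep it fresh by renewing before its exp claim passes."""
import base64
import json
import ssl
import time
import urllib.request

# The sample token from the page's Authorization header example. Its payload
# carries iat/exp 86400 s apart, matching the documented 24 h default lifetime.
SAMPLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6"
    "ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ."
    "X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik"
)
RENEW_MARGIN = 15 * 60  # assumption: renew when under 15 minutes remain


def jwt_claims(token):
    """Decode the JWT payload without checking the signature.

    The client only needs iat/exp to schedule renewal; Console verifies the
    signature on every request, so nothing here trusts these claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(seg))


def seconds_until_expiry(token, now=None):
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - now


def needs_renewal(token, now=None, margin=RENEW_MARGIN):
    """Renewal requires a still-valid token, so act before exp, not after."""
    return seconds_until_expiry(token, now) <= margin


def _urllib_http(method, url, headers, ctx, data=None):
    """Default transport; verifies the Console certificate (unlike curl -k)."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30, context=ctx) as resp:
        return resp.read()


def parse_token_response(body):
    """Both endpoints answer with a JSON object holding a "token" string."""
    doc = json.loads(body)
    if not isinstance(doc, dict) or not isinstance(doc.get("token"), str):
        raise ValueError("response did not contain a token string")
    return doc


def authenticate_with_client_cert(console, cert_pem, cafile=None, http=_urllib_http):
    """POST /api/v1/authenticate-client using the PEM file that holds the
    private key and client certificate concatenated. Returns (token, role)."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(cert_pem)
    body = http("POST", f"https://{console}/api/v1/authenticate-client", {}, ctx)
    doc = parse_token_response(body)
    return doc["token"], doc.get("role")


def renew_token(console, token, cafile=None, http=_urllib_http):
    """GET /api/v1/authenticate/renew with the old token; returns the new one."""
    ctx = ssl.create_default_context(cafile=cafile)
    headers = {"Authorization": f"Bearer {token}"}
    body = http("GET", f"https://{console}/api/v1/authenticate/renew", headers, ctx)
    return parse_token_response(body)["token"]


def ensure_fresh(console, token, now=None, cafile=None, http=_urllib_http):
    """Return a token with at least RENEW_MARGIN seconds left, renewing if needed."""
    if needs_renewal(token, now):
        return renew_token(console, token, cafile=cafile, http=http)
    return token


if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print(claims["data"]["username"], claims["exp"] - claims["iat"])  # admin 86400
```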
Backups
Manage backup files.
get /backups
List returns the available backups. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- id: (string)
ID is the full backup file name, used as the instance id in API calls
- name: (string)
Name is the backup name
- release: (string)
Release is the backup release
- time: (datetime)
Time is the backup creation time
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /backups
Backup invokes a mongo backup (dump) process. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
delete /backups/{id}
DeleteBackup deletes the given backup. Minimum role required to access this endpoint: admin.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /backups/{id}
DownloadBackup downloads the given backup file. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
patch /backups/{id}
Renames the specified backup file.
Role
Minimum role required to access this endpoint: admin.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Body
Media type: application/json
Type: object
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /backups/{id}
UploadBackup saves uploaded backup file. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /backups/{id}/restore
Restore invokes a mongo restore process. Minimum role required to access this endpoint: admin.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Certificates
Manage client certificates. Users need client certificates to authenticate commands sent from the Docker client through Twistlock.
get /certs/client-certs.sh
Downloads a script that installs a client certificate, client private key, and certificate authority certificate for the authenticated user.
The following example curl command uses basic auth to download and run the install script for your client certs:
$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/client-certs.sh | sh
Role
Minimum role required to access this endpoint: user.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
put /certs/rotate
RotateCerts rotates the certificates when they are close to expiration. Minimum role required to access this endpoint: admin.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /certs/server-certs.sh
Returns the server certificate bundle from the console.
A call to this API endpoint may resemble the following:
$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/server-certs.sh | sh
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- hostname: (string)
Hostname is the target Defender hostname
- ip: (string)
IPs is the list of addresses for which the certificates are generated
- os: (string)
OS is the target operating system
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Cloud
Find all the cloud-native services being used in your AWS, Azure, and Google Cloud accounts. Twistlock continuously monitors these accounts, detects when new services are added, and reports which services are unprotected.
get /cloud/compliance
Returns a list of all cloud compliance scan results.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- collections: (string)
Collections are the collections that scope the query
- fields: (string)
Select is a list of fields to select from the query (others will be empty)
- limit: (integer)
Limit limits the number of documents
- offset: (integer)
Offset from query start
- reverse: (boolean)
Reverse is the sorting order
- search: (string)
Search is the search term
- sort: (string)
Sort is the sort key
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- accountID: (string)
AccountID is the cloud account ID
- applicableRules: (string)
ApplicableRules are the applied rules on the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages built from the source of the package
- block: (boolean)
Block indicates whether the vulnerability has a block effect
- cause: (string)
Cause provides additional information regarding the root cause for the vulnerability
- collections: (string)
Collections are collections to which this compliance applies
- credentialId: (string)
CredentialID is the id of the used credential
- cri: (boolean)
CRI indicates that this is a CRI specific vulnerability
- custom: (boolean)
Custom indicates whether the vulnerability is a custom vulnerability (for example, from openscap or sandbox)
- cve: (string)
CVE is the CVE id of the vulnerability (if applicable)
- cvss: (number)
Cvss is the cvss score of the vulnerability.
- description: (string)
Description is the vulnerabilities description.
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- err: (string)
Err holds any error found during a scan
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime is the creation time of the layer to which the CVE belongs
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- passed: (boolean)
Passed indicates whether the compliance check passed
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos is the information about the tags attached to the vulnerability
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
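Paging through these results and summarising failures, as an added Python example (not Prisma Cloud or Twistlock code): it walks GET /api/v1/cloud/compliance with the documented limit and offset query parameters and groups failed checks by account and severity together with the templates they map to. The sample records, their severity values, the Console hostname and the injectable http helper are constructed assumptions.

```python
"""Added example (not Prisma Cloud / Twistlock code): page through
GET /api/v1/cloud/compliance with limit/offset and summarise failed checks."""
import json
import urllib.parse
import urllib.request
from collections import defaultdict

# Constructed sample records shaped like the documented response properties.
# Only the fields this example uses are filled in; severity values are assumed.
SAMPLE_RESULTS = [
    {"id": 1, "accountID": "111111111111", "title": "Public bucket read access",
     "severity": "high", "passed": False, "templates": ["PCI", "HIPAA"]},
    {"id": 2, "accountID": "111111111111", "title": "Root account MFA",
     "severity": "critical", "passed": True, "templates": ["PCI"]},
    {"id": 3, "accountID": "222222222222", "title": "Storage requires HTTPS",
     "severity": "medium", "passed": False, "templates": ["GDPR"]},
    {"id": 4, "accountID": "111111111111", "title": "Cluster logging disabled",
     "severity": "high", "passed": False, "templates": ["NIST SP 800-190"]},
]


def _urllib_get(url, headers):
    """Default transport; verifies the Console certificate (unlike curl -k)."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def offline_http(results):
    """Transport that serves `results` in offset/limit pages so the paging
    logic can be exercised without a Console (a test double, not the API)."""
    def http(url, headers):
        if not headers.get("Authorization", "").startswith("Bearer "):
            raise PermissionError("missing bearer token")
        q = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        off, lim = int(q["offset"][0]), int(q["limit"][0])
        return json.dumps(results[off:off + lim]).encode()
    return http


def fetch_page(console, token, offset, limit=50, http=_urllib_get, **filters):
    """One GET /cloud/compliance call. Extra keyword arguments are sent as the
    page's other query parameters (collections, search, sort, reverse) as given."""
    params = {"limit": limit, "offset": offset}
    params.update({k: v for k, v in filters.items() if v is not None})
    url = (f"https://{console}/api/v1/cloud/compliance?"
           + urllib.parse.urlencode(params))
    doc = json.loads(http(url, {"Authorization": f"Bearer {token}"}))
    if doc is None:
        return []  # treat a null body as no results
    if not isinstance(doc, list):
        raise ValueError("expected a JSON array of compliance results")
    return doc


def iter_compliance(console, token, limit=50, http=_urllib_get, **filters):
    """Yield every result, advancing offset until a short page comes back."""
    offset = 0
    while True:
        page = fetch_page(console, token, offset, limit=limit, http=http, **filters)
        yield from page
        if len(page) < limit:
            return
        offset += len(page)


def summarize_failures(results):
    """Count failed checks (passed == false) per (accountID, severity) and
    collect the compliance templates (PCI, HIPAA, ...) each failure maps to."""
    counts = defaultdict(int)
    templates = defaultdict(set)
    for r in results:
        if r.get("passed", False):
            continue
        key = (r.get("accountID", "unknown"), r.get("severity", "unknown"))
        counts[key] += 1
        templates[key].update(r.get("templates") or [])
    return {k: {"failed": n, "templates": sorted(templates[k])}
            for k, n in counts.items()}


if __name__ == "__main__":
    rows = iter_compliance("console.example", "TOKEN", limit=2,
                           http=offline_http(SAMPLE_RESULTS))
    for key, info in sorted(summarize_failures(rows).items()):
        print(key, info)
```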
get /cloud/compliance/download
Download all cloud scan data in CSV format.
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-compliance.csv \
https://<CONSOLE>:8083/api/v1/cloud/compliance/download
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- collections: (string)
Collections are the collections that scope the query
- fields: (string)
Select is a list of fields to select from the query (others will be empty)
- limit: (integer)
Limit limits the number of documents
- offset: (integer)
Offset from query start
- reverse: (boolean)
Reverse is the sorting order
- search: (string)
Search is the search term
- sort: (string)
Sort is the sort key
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /cloud/compliance/progress
Returns a JSON object of the scan progress.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance/progress
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- discovery: (boolean)
Discovery indicates whether the scan is in discovery phase
- error: (string)
Error is the error that happened during the scan
- hostname: (string)
Hostname is the hostname to which the progress applies
- id: (string)
ID is the ID of the entity being scanned
- scanTime: (datetime)
ScanTime is the time of the scan
- scanned: (integer)
Scanned is the number of entities for which the scan completed
- title: (string)
Title is the progress title (set by the scanning process)
- total: (integer)
Total is the total number of entities that should be scanned
- type: (object)
Type is the scan type (e.g., images/serverless). Range of acceptable values: image, ciImage, container, host, registry, serverlessScan, ciServerless, vm, tas, cloudDiscovery, cloudCompliance, serverlessRadar, serverlessAutoDeploy, hostAutoDeploy, codeRepo
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /cloud/compliance/scan
Initiates a new cloud compliance scan.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/scan
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /cloud/compliance/stop
Terminates a cloud compliance scan that's in progress.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/stop
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /cloud/discovery
Returns a list of all cloud discovery scan results.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- provider: (string)
Provider is the provider filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- accountID: (string)
AccountID is the cloud account ID
- collections: (string)
Collections are the matched result collections
- credentialId: (string)
CredentialID is the id reference of the credential used
- entities: (object)
Entities holds detailed scan results
- activeServicesCount: (integer)
ActiveServicesCount is the number of active services in the ECS cluster
- arn: (string)
The Amazon Resource Name (ARN) assigned to the entity
- containerGroup: (string)
ContainerGroup is the Azure ACI container group the container belongs to
- createdAt: (datetime)
CreatedAt is the time when the entity was created
- image: (string)
Image is the image of an aci container
- lastModified: (datetime)
LastModified is the modification time of the function
- name: (string)
Name is the name of the entity
- nodesCount: (integer)
NodesCount is the number of nodes in the cluster (aks, gke)
- protected: (boolean)
Protected indicates if the entity is protected
- resourceGroup: (string)
ResourceGroup is the Azure resource group containing the entity
- runningTasksCount: (integer)
RunningTasksCount is the number of running tasks in the ECS cluster
- runtime: (string)
Runtime is the runtime environment for the function, e.g. nodejs
- status: (string)
Status is the current status of the entity
- version: (string)
Version is the version of the entity
- err: (string)
Err holds any error found during a scan
- project: (string)
Project is the GCP project that was scanned
- protected: (integer)
Protected is the number of protected entities (registries, functions, clusters)
- provider: (object)
Provider is the cloud provider, for example: AWS, GCP. Range of acceptable values: aws, azure, gcp, others
- region: (string)
Region is the region that was scanned, for example: GCP - "us-east-1", Azure - "westus"
- registry: (string)
Registry is the Azure registry that was scanned, for example: testcloudscanregistry.azurecr.io
- serviceType: (object)
ServiceType is the cloud service type, for example: ECR, GCR. Range of acceptable values: aws-ecr, aws-lambda, aws-ec2, aws-eks, aws-ecs, aws-s3, aws-config, aws-cloud-trail, aws-kms, aws-cloud-watch, aws-sns, aws-security-hub, aws-secrets-manager, aws-parameter-store, azure-acr, azure-functions, azure-aks, azure-aci, gcp-gcr, gcp-gcf, gcp-gke
- total: (integer)
Total is the total number of entities found in the cloud scan
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /cloud/discovery/download
Download all cloud scan data in CSV format.
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-discovery.csv \
https://<CONSOLE>:8083/api/v1/cloud/discovery/download
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- provider: (string)
Provider is the provider filter
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /cloud/discovery/progress
Returns a JSON object of the scan progress.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery/progress
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- discovery: (boolean)
Discovery indicates whether the scan is in discovery phase
- error: (string)
Error is the error that happened during scan
- hostname: (string)
Hostname is the hostname to which the progress applies
- id: (string)
ID is the ID of the entity being scanned
- scanTime: (datetime)
ScanTime is the time of scan
- scanned: (integer)
Scanned is the number of entities for which the scan completed
- title: (string)
Title is the progress title (set by the scanning process)
- total: (integer)
Total is the total number of entities that should be scanned
- type: (object)
Type is the scan type (e.g., images/serverless). Range of acceptable values: image, ciImage, container, host, registry, serverlessScan, ciServerless, vm, tas, cloudDiscovery, cloudCompliance, serverlessRadar, serverlessAutoDeploy, hostAutoDeploy, codeRepo
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /cloud/discovery/scan
Initiates a new cloud discovery scan.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/scan
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /cloud/discovery/stop
Terminates a cloud discovery scan that's in progress.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/stop
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /cloud/discovery/vms
DiscoveredVMs returns discovered cloud VM instances. Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- provider: (string)
Provider is the provider filter
- region: (string)
Region is the region filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is the instance id. E.g. "i-5cd23551"
- accountID: (string)
AccountID is the cloud provider account ID
- architecture: (string)
Architecture is the architecture of the image
- arn: (string)
The Amazon Resource Name (ARN) assigned to the instance
- collections: (string)
Collections is a list of the matched collections
- createdAt: (datetime)
CreatedAt is the time when the instance was launched
- fqdn: (string)
FQDN is the host's fully qualified domain name. E.g. "ip-192-0-2-0.us-east-2.compute.internal"
- hasDefender: (boolean)
HasDefender indicates that the instance has a defender installed on it
- hostname: (string)
Hostname is the hostname. E.g. "ip-192-0-2-0" or "custom"
- imageID: (string)
ImageID is the ID of the AMI used to launch the instance. E.g. "ami-35501205"
- imageName: (string)
ImageName is the name of the AMI used to launch the instance.
- os: (string)
OS is the Operating System installed on the instance
- provider: (object)
Provider is the cloud provider. Range of acceptable values: aws, azure, gcp, others
- region: (string)
Region is the region the VM is located at
- tags: (object)
Tags are the tags of the VM instance
- key: (string)
Key is the label key
- sourceName: (string)
SourceName is the source name e.g., for a Namespace, source name can be 'twistlock'
- sourceType: (object)
SourceType is source type
- timestamp: (datetime)
Timestamp is the time in which the label was fetched
- value: (string)
Value is the label value
- timestamp: (datetime)
Timestamp is the time in which the instance info was fetched
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
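An added example, not code from the Prisma Cloud Compute documentation, that ties the cloud discovery endpoints above together from a defender's side: it builds the basicAuth header the curl examples send, fetches /cloud/discovery and /cloud/discovery/vms, and reduces the documented result objects to a protection-coverage report (entities protected per serviceType, accounts whose scan returned err, and VMs with hasDefender false). Assumed, because the page does not state them: the CONSOLE_URL, CONSOLE_USER, CONSOLE_PASSWORD and CONSOLE_CA_BUNDLE environment variables, that both list endpoints return JSON arrays of the documented objects, and that a progress object with scanned < total means the scan is still running.

```python
# Added example (not part of the Prisma Cloud Compute API docs): a small client for
# the cloud discovery endpoints plus pure helpers that turn the documented result
# objects into a Defender coverage report. Environment variable names and the
# array shape of the list responses are assumptions, not documented facts.
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request


def basic_auth_header(user: str, password: str) -> dict:
    """Build the Base64 'username:password' Authorization header that the
    basicAuth scheme documents (the same header curl -u sends)."""
    raw = f"{user}:{password}".encode()
    return {"Authorization": "Basic " + base64.b64encode(raw).decode()}


def api_get(path: str, headers: dict, params: dict = None):
    """GET <CONSOLE_URL>/api/v1/<path> and decode the JSON body.
    CONSOLE_URL is assumed, e.g. https://console.example.internal:8083 (placeholder)."""
    base = os.environ["CONSOLE_URL"].rstrip("/")
    url = f"{base}/api/v1/{path.lstrip('/')}"
    if params:
        url += "?" + urllib.parse.urlencode({k: v for k, v in params.items() if v})
    req = urllib.request.Request(url, headers={**headers, "Content-Type": "application/json"})
    # The docs' curl -k skips certificate verification; here the Console certificate
    # is verified against CONSOLE_CA_BUNDLE (assumed variable) or the system CAs.
    ctx = ssl.create_default_context(cafile=os.environ.get("CONSOLE_CA_BUNDLE"))
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return json.load(resp)


def coverage_by_service(results: list) -> dict:
    """Aggregate /cloud/discovery results per serviceType: entities found (total),
    entities protected (protected) and any (accountID, err) pairs reported."""
    report = {}
    for r in results:
        entry = report.setdefault(r.get("serviceType", "unknown"),
                                  {"protected": 0, "total": 0, "errors": []})
        entry["protected"] += int(r.get("protected") or 0)
        entry["total"] += int(r.get("total") or 0)
        if r.get("err"):
            entry["errors"].append((r.get("accountID"), r["err"]))
    return report


def unprotected_vms(vms: list) -> list:
    """Return (provider, region, instance id, hostname) for every VM from
    /cloud/discovery/vms whose hasDefender flag is false."""
    return sorted(
        (v.get("provider"), v.get("region"), v.get("_id"), v.get("hostname"))
        for v in vms if not v.get("hasDefender")
    )


def scan_in_progress(progress: dict) -> bool:
    """Interpret a /cloud/discovery/progress object (assumed semantics): the scan
    is still running while scanned < total; a non-empty error aborts."""
    if progress.get("error"):
        raise RuntimeError(f"cloud discovery failed: {progress['error']}")
    return int(progress.get("scanned") or 0) < int(progress.get("total") or 0)


# Constructed sample data in the shape the page documents (not real scan output).
SAMPLE_RESULTS = [
    {"accountID": "111111111111", "provider": "aws", "region": "us-east-1",
     "serviceType": "aws-ec2", "protected": 3, "total": 5, "err": ""},
    {"accountID": "222222222222", "provider": "aws", "region": "us-west-2",
     "serviceType": "aws-ec2", "protected": 2, "total": 2, "err": ""},
    {"accountID": "111111111111", "provider": "aws", "region": "us-east-1",
     "serviceType": "aws-lambda", "protected": 0, "total": 4,
     "err": "AccessDenied: lambda:ListFunctions"},
]
SAMPLE_VMS = [
    {"_id": "i-0a1b2c3d", "provider": "aws", "region": "us-east-1",
     "hostname": "ip-192-0-2-10", "hasDefender": True},
    {"_id": "i-0e4f5a6b", "provider": "aws", "region": "us-east-1",
     "hostname": "ip-192-0-2-11", "hasDefender": False},
    {"_id": "i-0c7d8e9f", "provider": "aws", "region": "us-west-2",
     "hostname": "bastion", "hasDefender": False},
]

if __name__ == "__main__":
    # Live mode needs CONSOLE_URL, CONSOLE_USER and CONSOLE_PASSWORD (assumed names);
    # without them the constructed samples above are reported instead.
    if "CONSOLE_URL" in os.environ:
        hdr = basic_auth_header(os.environ["CONSOLE_USER"], os.environ["CONSOLE_PASSWORD"])
        results = api_get("/cloud/discovery", hdr, {"provider": "aws"})
        vms = api_get("/cloud/discovery/vms", hdr, {"provider": "aws"})
    else:
        results, vms = SAMPLE_RESULTS, SAMPLE_VMS
    for svc, c in coverage_by_service(results).items():
        print(f"{svc}: {c['protected']}/{c['total']} protected, errors={c['errors']}")
    for row in unprotected_vms(vms):
        print("no Defender:", row)
```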
Code repo scan reports
Scan reports for your GitHub repositories.
get /coderepos
CodeRepos returns code repositories scan results. Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- compact: (boolean)
Compact indicates that only minimum image data should be sent (vulnerabilities, compliance and extended image metadata should be skipped)
- credentialID: (string)
CredentialID is the id of the requested credential, used for code repo scans
- from: (datetime)
From is an optional minimum time constraint on the last scan update time
- id: (string)
ID is the code repository id filter; the id is the repository full name
- to: (datetime)
To is an optional maximum time constraint on the last scan update time
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- collections: (string)
Collections is a list of the matched code repository collections
- files: (object)
Files is the scan result for each manifest file in the repository
- dependencies: (object)
Dependencies are the packages listed in the manifest file
- devDependency: (boolean)
DevDependency indicates if this dependency is used only for the development of the package
- lastResolved: (datetime)
LastResolved is the last time of version resolution, if the value is the time zero value, it means the version is explicit and does not require resolving
- name: (string)
Name is the package name the dependency refers to
- rawRequirement: (string)
RawRequirement is the line in which the package is declared
- unsupported: (boolean)
Unsupported indicates this package is unsupported by the remote package manager DB, the cause might be a bad name or private package
- version: (string)
Version is the package version, either explicitly specified in a manifest or resolved by the scanner
- vulnerabilities: (object)
Vulnerabilities are the package resolved vulnerabilities
- applicableRules: (string)
ApplicableRules are the applied rules on the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages (packages that are built from the source of the package)
- block: (boolean)
Block indicates if the vulnerability has block effect
- cause: (string)
Cause provides additional information regarding the root cause for the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI specific vulnerability
- custom: (boolean)
Custom indicates whether vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the cve id of the vulnerability (if applied)
- cvss: (number)
Cvss is the cvss score of the vulnerability.
- description: (string)
Description is the vulnerability's description.
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime is the layer to which the CVE belongs - layer creation time
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos are the tags info the vulnerability has
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- distribution: (object)
Distribution is the vulnerability distribution per file
- critical: (integer)
- high: (integer)
- low: (integer)
- medium: (integer)
- total: (integer)
- path: (string)
Path to file
- type: (object)
CodeRepoProviderType is the manifest file type, e.g., nodejs/python/jar. Range of acceptable values: nodejs, gem, python, jar, package, windows, binary, nuget
- repository: (object)
Repository holds the repository properties
- defaultBranch: (string)
DefaultBranch is the default branch in the repository, usually master
- digest: (string)
Digest is the repository content digest, used to indicate if the content of the repository changed
- fullName: (string)
FullName is the full name that represents the repository
- name: (string)
Name is the repository name
- owner: (string)
Owner is the GitHub username or organization name of the repository's owner
- private: (boolean)
Private indicates whether the repository is private or not
- size: (integer)
Size is the repository size in KB
- scanTime: (datetime)
ScanTime is the last scanning time for this repository, the results might be from the DB and not updated if the repository contents have not changed
- type: (object)
CodeRepoProviderType is the repository type, e.g., GitHub, GitLab etc. Range of acceptable values: github
- updateTime: (datetime)
UpdateTime is the last time this repository was updated
- vulnInfo: (object)
VulnInfo Holds the vulnerabilities info collected during scan
- allCompliance: (object)
AllCompliance are all compliance vulnerabilities the image is compliant with (all failed compliance tests are filtered)
- compliance: (object)
Compliance are all the passed compliance checks
- applicableRules: (string)
ApplicableRules are the applied rules on the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages (packages that are built from the source of the package)
- block: (boolean)
Block indicates if the vulnerability has block effect
- cause: (string)
Cause provides additional information regarding the root cause for the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI specific vulnerability
- custom: (boolean)
Custom indicates whether vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the cve id of the vulnerability (if applied)
- cvss: (number)
Cvss is the cvss score of the vulnerability.
- description: (string)
Description is the vulnerability's description.
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime is the layer to which the CVE belongs - layer creation time
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos are the tags info the vulnerability has
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- enabled: (boolean)
Enabled indicates whether passed compliance checks are enabled by policy
- baseImage: (string)
BaseImage is the image’s base image name, used as an indication in case of filtering the vulnerabilities by base images
- binaries: (object)
Binaries are the binaries found in the image
- altered: (boolean)
Altered indicates the binary was installed from a package manager and modified/replaced
- cveCount: (integer)
CVECount is the total number of CVEs for this specific binary
- deps: (string)
Deps are the third party pkgs files that are used by the binary
- layerTime: (integer)
LayerTime is the layer to which the binary belongs - layer creation time
- md5: (string)
Md5 is the MD5 hash of the binary
- missingPkg: (boolean)
MissingPkg indicates this binary is not related to any package
- name: (string)
- path: (string)
Path is the relative binary path inside the container
- pkgRootDir: (string)
PkgRootDir is the path for searching packages used by the binary
- services: (string)
Services are the name of services that use the binary
- version: (string)
Version is the version of a specific binary
- cloudMetadata: (object)
CloudMetadata is the cloud provider metadata of the host
- accountID: (string)
AccountID is the cloud account ID
- image: (string)
Image is the image name
- name: (string)
Name is the instance name
- provider: (object)
Provider is the cloud provider (AWS/GCP/Azure). Range of acceptable values: aws, azure, gcp, others
- region: (string)
Region is the instance region
- resourceID: (string)
ResourceID is the resource unique ID
- type: (string)
Type is the instance type
- clusters: (string)
Clusters is the provided cluster names
- complianceDistribution: (object)
ComplianceDistribution is the compliance issues distribution
- critical: (integer)
- high: (integer)
- low: (integer)
- medium: (integer)
- total: (integer)
- complianceIssues: (object)
ComplianceIssues are the compliance vulnerabilities of the image
- applicableRules: (string)
ApplicableRules are the applied rules on the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages (packages that are built from the source of the package)
- block: (boolean)
Block indicates if the vulnerability has block effect
- cause: (string)
Cause provides additional information regarding the root cause for the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI specific vulnerability
- custom: (boolean)
Custom indicates whether vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the cve id of the vulnerability (if applied)
- cvss: (number)
Cvss is the cvss score of the vulnerability.
- description: (string)
Description is the vulnerability's description.
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime is the layer to which the CVE belongs - layer creation time
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos are the tags info the vulnerability has
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- complianceIssuesCount: (integer)
ComplianceIssuesCount is the total number of compliance issues
- complianceRiskScore: (number)
ComplianceRiskScore is the image's compliance risk score
- creationTime: (datetime)
CreationTime is the time when the image was created
- distro: (string)
DistroName is the full name of the distro
- ecsClusterName: (string)
EcsClusterName is the ECS cluster name
- externalLabels: (object)
ExternalLabels are the k8s external labels of all the containers running this image
- key: (string)
Key is the label key
- sourceName: (string)
SourceName is the source name e.g., for a Namespace, source name can be 'twistlock'
- sourceType: (object)
SourceType is source type
- timestamp: (datetime)
Timestamp is the time in which the label was fetched
- value: (string)
Value is the label value
- files: (object)
Files are all the files in the container
- md5: (string)
Md5 is the hash sum of the file by md5 method
- path: (string)
Path is the path to the specific file
- sha1: (string)
Sha1 is the hash sum of the file by sha1 method
- sha256: (string)
Sha256 is the hash sum of the file by sha256 method
- firstScanTime: (datetime)
FirstScanTime indicates the first time when this image was scanned (preserved during version updates)
- history: (object)
History is the docker image history
- baseLayer: (boolean)
BaseLayer indicates this layer originated from the base image
- created: (integer)
Created is the creation date of an image layer
- emptyLayer: (boolean)
EmptyLayer indicates this instruction didn't create a separate layer file
- id: (string)
ID is the layer ID
- instruction: (string)
Instruction is the docker file instruction and arguments which created this layer
- sizeBytes: (integer)
SizeBytes is the layer size in bytes
- tags: (string)
ImageNames holds the image tags
- vulnerabilities: (object)
Vulnerabilities holds the list of the vulnerabilities that originated from this layer
- applicableRules: (string)
ApplicableRules are the applied rules on the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages (packages that are built from the source of the package)
- block: (boolean)
Block indicates if the vulnerability has block effect
- cause: (string)
Cause provides additional information regarding the root cause for the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI specific vulnerability
- custom: (boolean)
Custom indicates whether vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the cve id of the vulnerability (if applied)
- cvss: (number)
Cvss is the cvss score of the vulnerability.
- description: (string)
Description is the vulnerability's description.
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime is the creation time of the layer to which the CVE belongs
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos is the tag information attached to the vulnerability
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
- applicableRules: (string)
- baseLayer: (boolean)
- hostDevices: (object)
HostDevices is a map from host network device name to IP address
- ip: (string)
IP is the network device IPv4 address
- name: (string)
Name is the network device name
- ip: (string)
- id: (string)
Id is the image id
- image: (object)
Image is the image metadata associated with docker inspect
- created: (datetime)
Created is the image creation time
- entrypoint: (string)
Entrypoint is the combined entrypoint of the image (entrypoint + CMD)
- env: (string)
Env is the image environment variables
- healthcheck: (boolean)
HealthCheck indicates whether a health check is enabled
- history: (object)
History holds the image history
- baseLayer: (boolean)
BaseLayer indicates this layer originated from the base image
- created: (integer)
Created is the creation date of an image layer
- emptyLayer: (boolean)
EmptyLayer indicates this instruction didn't create a separate layer file
- id: (string)
ID is the layer ID
- instruction: (string)
Instruction is the Dockerfile instruction and arguments that created this layer
- sizeBytes: (integer)
SizeBytes is the layer size in bytes
- tags: (string)
ImageNames holds the image tags
- vulnerabilities: (object)
Vulnerabilities holds the list of the vulnerabilities that originated from this layer
- applicableRules: (string)
ApplicableRules are the applied rules on the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages (packages that are built from the source of the package)
- block: (boolean)
Block indicates if the vulnerability has block effect
- cause: (string)
Cause provides additional information regarding the root cause for the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI specific vulnerability
- custom: (boolean)
Custom indicates whether vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the CVE id of the vulnerability (if applicable)
- cvss: (number)
Cvss is the cvss score of the vulnerability.
- description: (string)
Description is the vulnerability's description.
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime is the creation time of the layer to which the CVE belongs
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos is the tag information attached to the vulnerability
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
- applicableRules: (string)
- baseLayer: (boolean)
- id: (string)
ID is the image ID
- layers: (string)
Layers are the image filesystem layers
- os: (string)
OS is the image os type
- repoDigest: (string)
RepoDigests are the image repo digests
- repoTags: (string)
RepoTags are the image repo tags
- user: (string)
User is the image user
- workingDir: (string)
WorkingDir is the base working directory of the image
- created: (datetime)
- installedProducts: (object)
InstalledProducts contains data about the products running in the environment
- apache: (string)
Apache is the Apache server version; empty if Apache is not running
- awsCloud: (boolean)
AWSCloud indicates whether AWS cloud is used
- crio: (boolean)
CRI indicates whether the container runtime is CRI (and not docker)
- docker: (string)
Docker represents the docker daemon version
- hasPackageManager: (boolean)
HasPackageManager indicates whether a package manager is installed on the OS
- k8sApiServer: (boolean)
K8sApiServer indicates whether a kubernetes api server is running
- k8sControllerManager: (boolean)
K8sControllerManager indicates whether a kubernetes controller manager is running
- k8sEtcd: (boolean)
K8sEtcd indicates whether etcd is running
- k8sFederationApiServer: (boolean)
K8sFederationApiServer indicates whether a federation api server is running
- k8sFederationControllerManager: (boolean)
K8sFederationControllerManager indicates whether a federation controller manager is running
- k8sKubelet: (boolean)
K8sKubelet indicates whether kubelet is running
- k8sProxy: (boolean)
K8sProxy indicates whether a kubernetes proxy is running
- k8sScheduler: (boolean)
K8sScheduler indicates whether a kubernetes scheduler is running
- kubernetes: (string)
Kubernetes represents the kubernetes version
- openshift: (boolean)
Openshift indicates whether openshift is deployed
- osDistro: (string)
OSDistro specifies the OS distribution
- serverless: (boolean)
Serverless indicates whether the evaluation ran in a serverless environment
- swarmManager: (boolean)
SwarmManager indicates whether a swarm manager is running
- swarmNode: (boolean)
SwarmNode indicates whether the node is part of an active swarm
- apache: (string)
- k8sClusterAddr: (string)
K8sClusterAddr is the endpoint for Kubernetes API server
- labels: (string)
Labels are the image labels
- layers: (string)
Layers is the image's filesystem layers; each layer is a sha256 digest of the filesystem diff. See: https://windsock.io/explaining-docker-image-ids/
- missingDistroVulnCoverage: (boolean)
MissingDistroVulnCoverage states whether the image os is covered in the IS
- namespaces: (string)
Namespaces are the k8s namespaces of all the containers running this image
- osDistro: (string)
OSDistro is the OS distro name (e.g., ubuntu)
- osDistroRelease: (string)
OSDistroRelease is the OS distro release (e.g., willy)
- osDistroVersion: (string)
OSDistroVersion is the OS distro version (e.g. 19.10)
- packageManager: (boolean)
PackageManager indicates whether a package manager is installed on the OS
- packages: (object)
Packages are the packages that exist in the image
- pkgs: (object)
Packages is the list of packages
- binaryIdx: (object)
BinaryIdx are the indexes of the top binaries that use the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages (packages that are built from the source of the package)
- cveCount: (integer)
CVECount is the total number of CVEs for this specific package
- files: (object)
Files is the list of package related files and their hashes, only included when the appropriate scan option is set
- md5: (string)
Md5 is the hash sum of the file by md5 method
- path: (string)
Path is the path to the specific file
- sha1: (string)
Sha1 is the hash sum of the file by sha1 method
- sha256: (string)
Sha256 is the hash sum of the file by sha256 method
- md5: (string)
- layerTime: (integer)
LayerTime is the creation time of the layer to which the package belongs
- license: (string)
License info for the package
- name: (string)
- path: (string)
Path is the full package path (e.g., JAR or nodejs package path)
- version: (string)
- binaryIdx: (object)
- pkgsType: (object)
Type is the package type. Range of acceptable values: nodejs, gem, python, jar, package, windows, binary, nuget
- pkgs: (object)
- repoDigests: (string)
RepoDigests are the digests of the image. Used for content trust (notary). Has a digest per tag.
- riskFactors: (object)
RiskFactors are the aggregated risk factors of the image
- scanVersion: (string)
ScanVersion is the defender version that published the image.
- startupBinaries: (object)
StartupBinaries are binaries that are expected to run when container is created from this image
- altered: (boolean)
Altered indicates the binary was installed from a package manager and modified/replaced
- cveCount: (integer)
CVECount is the total number of CVEs for this specific binary
- deps: (string)
Deps are the third-party package files used by the binary
- layerTime: (integer)
LayerTime is the creation time of the layer to which the binary belongs
- md5: (string)
md5 is the MD5 hash of the binary
- missingPkg: (boolean)
MissingPkg indicates this binary is not related to any package
- name: (string)
- path: (string)
Path is the relative binary path inside the container
- pkgRootDir: (string)
PkgRootDir is the path for searching packages used by the binary
- services: (string)
Services are the names of the services that use the binary
- version: (string)
Version is the version of a specific binary
- altered: (boolean)
- tags: (object)
Tags are tags associated with the given image
- digest: (string)
Digest is the image digest (requires V2 and later registry)
- id: (string)
ID is the id of image
- registry: (string)
Registry is the registry name to which the image belongs
- repo: (string)
Repository is the repository name to which the image belongs
- tag: (string)
Tag is the tag of the image
- digest: (string)
- topLayer: (string)
TopLayer is the sha256 of the image's last layer which is the last element of the Layers field
- twistlockImage: (boolean)
TwistlockImage indicates if the image is a Twistlock image
- vulnerabilities: (object)
Vulnerabilities are the CVE vulnerabilities of the image
- applicableRules: (string)
ApplicableRules are the applied rules on the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages (packages that are built from the source of the package)
- block: (boolean)
Block indicates if the vulnerability has block effect
- cause: (string)
Cause provides additional information regarding the root cause for the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI specific vulnerability
- custom: (boolean)
Custom indicates whether vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the CVE id of the vulnerability (if applicable)
- cvss: (number)
Cvss is the cvss score of the vulnerability.
- description: (string)
Description is the vulnerability's description.
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime is the creation time of the layer to which the CVE belongs
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos is the tag information attached to the vulnerability
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
- applicableRules: (string)
- vulnerabilitiesCount: (integer)
VulnerabilitiesCount is the total number of vulnerabilities
- vulnerabilityDistribution: (object)
Distribution is the distribution of vulnerability issues
- critical: (integer)
- high: (integer)
- low: (integer)
- medium: (integer)
- total: (integer)
- vulnerabilityRiskScore: (number)
VulnerabilityRiskScore is the image's CVE risk score
- allCompliance: (object)
- vulnerabilityRiskScore: (number)
VulnerabilityRiskScore is the code repository's CVE risk score, used for sorting
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
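The scan-result schema above carries enough to tie each finding back to the layer that introduced it: vulnerabilities[].layerTime is the creation time of a layer, and history[].created is that same value on the layer entry. The following added example (not code from the Prisma Cloud Compute docs) joins the two, cross-checks vulnerabilityDistribution against the vulnerability list, and picks out the findings that need action; SAMPLE_RESULT is constructed by hand in the documented layout, and its CVE ids, package names and timestamps are placeholders.

```python
"""Walk a code-repository scan result of the shape documented above.

Added example, not code from the Prisma Cloud Compute API docs. SAMPLE_RESULT
is constructed in the documented field layout; its CVE ids, package names and
timestamps are placeholders, not real findings.
"""
from collections import Counter

SAMPLE_RESULT = {
    "id": "example-org/example-repo",  # placeholder repository full name
    "history": [
        {"created": 1600000000, "instruction": "FROM ubuntu:20.04",
         "baseLayer": True, "emptyLayer": False},
        {"created": 1600000100, "instruction": "RUN apt-get install -y libfoo",
         "baseLayer": False, "emptyLayer": False},
        {"created": 1600000200, "instruction": 'CMD ["/app"]',
         "baseLayer": False, "emptyLayer": True},
    ],
    "vulnerabilities": [
        {"cve": "CVE-0000-0001", "severity": "critical", "cvss": 9.8,
         "packageName": "libfoo", "packageVersion": "1.0", "layerTime": 1600000100,
         "block": True, "fixDate": 1600500000, "exploit": "exploit-db"},
        {"cve": "CVE-0000-0002", "severity": "medium", "cvss": 5.3,
         "packageName": "libc6", "packageVersion": "2.31", "layerTime": 1600000000,
         "block": False, "fixDate": 0, "exploit": ""},
        {"cve": "CVE-0000-0003", "severity": "high", "cvss": 7.5,
         "packageName": "libbar", "packageVersion": None, "layerTime": 1600000150,
         "block": False, "fixDate": 0, "exploit": ""},
    ],
    "vulnerabilityDistribution": {"critical": 1, "high": 1, "medium": 1, "low": 0, "total": 3},
}


def layers_by_time(result):
    """Index history entries by creation time, the key a vulnerability carries in layerTime."""
    return {h["created"]: h for h in result.get("history", [])}


def attribute_to_layers(result):
    """For each vulnerability, find the layer whose creation time equals its layerTime.
    A layerTime that matches no history entry yields instruction=None, so the caller
    sees an attribution gap rather than a wrong instruction."""
    layers = layers_by_time(result)
    rows = []
    for v in result.get("vulnerabilities", []):
        layer = layers.get(v.get("layerTime"))
        rows.append({
            "cve": v["cve"],
            # packageVersion is documented as "(or null)"
            "package": f"{v['packageName']} {v.get('packageVersion') or '(no version)'}",
            "instruction": layer["instruction"] if layer else None,
            # baseLayer says whether the fix belongs in the FROM image or in this Dockerfile
            "baseLayer": bool(layer and layer.get("baseLayer")),
        })
    return rows


def check_distribution(result):
    """Compare vulnerabilityDistribution with counts derived from the list itself.
    Returns {} when they agree, otherwise {bucket: (reported, counted)}."""
    vulns = result.get("vulnerabilities", [])
    counted = Counter(v.get("severity", "").lower() for v in vulns)
    reported = result.get("vulnerabilityDistribution", {})
    mismatches = {}
    for bucket in ("critical", "high", "medium", "low"):
        if reported.get(bucket, 0) != counted.get(bucket, 0):
            mismatches[bucket] = (reported.get(bucket, 0), counted.get(bucket, 0))
    if reported.get("total", 0) != len(vulns):
        mismatches["total"] = (reported.get("total", 0), len(vulns))
    return mismatches


def actionable(result):
    """(cve, reasons) for findings that block, have a known exploit, or have a fix (fixDate != 0)."""
    out = []
    for v in result.get("vulnerabilities", []):
        reasons = []
        if v.get("block"):
            reasons.append("block")
        if v.get("exploit"):
            reasons.append(f"exploit:{v['exploit']}")
        if v.get("fixDate"):
            reasons.append("fix-available")
        if reasons:
            out.append((v["cve"], reasons))
    return out


if __name__ == "__main__":
    for row in attribute_to_layers(SAMPLE_RESULT):
        print(row)
    print("distribution mismatches:", check_distribution(SAMPLE_RESULT))
    print("actionable:", actionable(SAMPLE_RESULT))
```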
get /coderepos/discover
DiscoverCodeRepos discovers the available repositories for a credential according to the given credential ID. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- compact: (boolean)
Compact indicates that only minimum image data should be sent (vulnerabilities, compliance and extended image metadata should be skipped)
- credentialID: (string)
CredentialID is the id of the requested credential, used for code repo scans
- from: (datetime)
From is an optional minimum time constraint on the last scan update time
- id: (string)
IDs is the code repository ID filter; the ID is the repository full name
- to: (datetime)
To is an optional maximum time constraint on the last scan update time
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /coderepos/download
DownloadCodeRepos downloads code repository scan results. Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- compact: (boolean)
Compact indicates that only minimum image data should be sent (vulnerabilities, compliance and extended image metadata should be skipped)
- credentialID: (string)
CredentialID is the id of the requested credential, used for code repo scans
- from: (datetime)
From is an optional minimum time constraint on the last scan update time
- id: (string)
IDs is the code repository ID filter; the ID is the repository full name
- to: (datetime)
To is an optional maximum time constraint on the last scan update time
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /coderepos/progress
CodeRepoScanProgress returns the code repositories scan progress. Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- discovery: (boolean)
Discovery indicates whether the scan is in discovery phase
- error: (string)
Error is the error that happened during the scan
- hostname: (string)
Hostname is the hostname to which the progress applies
- id: (string)
ID is the ID of the entity being scanned
- scanTime: (datetime)
ScanTime is the time of scan
- scanned: (integer)
Scanned is the number of entities for which the scan completed
- title: (string)
Title is the progress title (set by the scanning process)
- total: (integer)
Total is the total amount of entities that should be scanned
- type: (object)
Type is the scan type (e.g., images/serverless). Range of acceptable values: image, ciImage, container, host, registry, serverlessScan, ciServerless, vm, tas, cloudDiscovery, cloudCompliance, serverlessRadar, serverlessAutoDeploy, hostAutoDeploy, codeRepo
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /coderepos/scan
ScanCodeRepos triggers a scan for all code repositories. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /coderepos/stop
StopCodeReposScan stops the current active scan. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /coderepos/webhook/
CodeReposWebhook handles events from code repositories. Minimum role required to access this endpoint: none.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Collections
Group related resources (containers, images, hosts) together. Collections are predefined filters that let you segment your views in the Console UI and the Twistlock API.
get /collections
Retrieves the list of collections.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/collections"
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- accountIDs: (string)
AccountIDs is a list of the cloud account IDs
- appIDs: (string)
AppIDs is a list of application IDs
- clusters: (string)
Clusters is a list of kubernetes cluster names
- codeRepos: (string)
CodeRepos is a list of remote code repositories
- color: (object)
Color is a color code associated with the collection
- containers: (string)
- description: (string)
Description is a free-text description of the collection
- functions: (string)
- hosts: (string)
- images: (string)
- labels: (string)
- modified: (datetime)
Modified is a timestamp of when the collection was last modified
- name: (string)
Name is a unique name associated with the collection
- namespaces: (string)
Namespaces are the k8s namespaces
- owner: (string)
Owner is the collection owner (the last user who modified the collection)
- system: (boolean)
System indicates that this collection was created by the system (not by a user)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /collections
Creates a new collection. Any field left unspecified is assigned the value of "" (i.e. an empty string).
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d \
'{
"name": "my collection",
"color": "#ff0000",
"description": "A test collection",
"images": [
"docker.io/library/hello-world:latest",
"docker.io/library/ian_app:1.0"
],
"hosts": [
"*"
]
}' \
https://<CONSOLE>:8083/api/v1/collections
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties
- accountIDs: (string)
AccountIDs is a list of the cloud account IDs
- appIDs: (string)
AppIDs is a list of application IDs
- clusters: (string)
Clusters is a list of kubernetes cluster names
- codeRepos: (string)
CodeRepos is a list of remote code repositories
- color: (object)
Color is a color code associated with the collection
- containers: (string)
- description: (string)
Description is a free-text description of the collection
- functions: (string)
- hosts: (string)
- images: (string)
- labels: (string)
- modified: (datetime)
Modified is a timestamp of when the collection was last modified
- name: (string)
Name is a unique name associated with the collection
- namespaces: (string)
Namespaces are the k8s namespaces
- owner: (string)
Owner is the collection owner (the last user who modified the collection)
- system: (boolean)
System indicates that this collection was created by the system (not by a user)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Updates the parameters that define a given collection.
The following example curl command updates the parameters that define the collection named finance_group_app. In general, all parameters in your PUT request should be defined or redefined. Any field left unspecified is assigned the value of "" (i.e. an empty string).
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"name": "finance_group_app",
"color": "#ff0000",
"description": "A super cool collection",
"images": [
"docker.io/library/hello-world:latest",
"docker.io/library/ian_app:1.0"
],
"hosts": [
"*"
]
}' \
https://<CONSOLE>:8083/api/v1/collections/test_collection
Role
Minimum role required to access this endpoint: operator.
delete /collections/{id}
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
put /collections/{id}
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Body
Media type: application/json
Type: object
Properties
- accountIDs: (string)
AccountIDs is a list of the cloud account IDs
- appIDs: (string)
AppIDs is a list of application IDs
- clusters: (string)
Clusters is a list of kubernetes cluster names
- codeRepos: (string)
CodeRepos is a list of remote code repositories
- color: (object)
Color is a color code associated with the collection
- containers: (string)
- description: (string)
Description is a free-text description of the collection
- functions: (string)
- hosts: (string)
- images: (string)
- labels: (string)
- modified: (datetime)
Modified is a timestamp of when the collection was last modified
- name: (string)
Name is a unique name associated with the collection
- namespaces: (string)
Namespaces are the k8s namespaces
- owner: (string)
Owner is the collection owner (the last user who modified the collection)
- system: (boolean)
System indicates that this collection was created by the system (non user)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
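A read-modify-write helper for the PUT above, added here as an example that is not part of the Prisma Cloud Compute documentation: because any field left out of the PUT body is reset to an empty value, the helper starts from the existing collection document, applies only the requested changes, and percent-encodes the collection name in the URL. The Console hostname, the Bearer token and the existing document (which would normally come from a prior GET of the collection) are assumed inputs.

```python
"""Read-modify-write update for PUT /api/v1/collections/{id}.

Added example; not code from the Prisma Cloud Compute documentation. Every
field missing from a PUT body is reset to "", so the update is assembled from
the existing collection document plus the caller's changes.
"""
import json
import ssl
import urllib.parse
import urllib.request

# Collection fields as listed in the PUT body properties above.
LIST_FIELDS = ("accountIDs", "appIDs", "clusters", "codeRepos", "containers",
               "functions", "hosts", "images", "labels", "namespaces")
SCALAR_FIELDS = ("name", "color", "description")
# Maintained by Console (last modifier, timestamp, system flag): carried over
# from the existing document, never set by the caller.
READ_ONLY_FIELDS = ("modified", "owner", "system")

# Constructed sample of an existing collection, shaped like the PUT example
# in the text; in practice it would come from a prior GET of the collection.
EXISTING = {
    "name": "finance_group_app",
    "color": "#ff0000",
    "description": "A super cool collection",
    "images": ["docker.io/library/hello-world:latest",
               "docker.io/library/ian_app:1.0"],
    "hosts": ["*"],
    "owner": "admin",
    "system": False,
}


def collection_url(console, name):
    """Endpoint URL for a collection; unsafe characters in the name are
    percent-encoded, so "my collection" becomes my%20collection."""
    return "https://%s:8083/api/v1/collections/%s" % (
        console, urllib.parse.quote(name, safe=""))


def build_update(existing, changes):
    """Return a complete PUT body: existing values, overridden by `changes`.

    Unknown fields and attempts to set server-managed fields raise
    ValueError, so a typo cannot silently turn into a blanked field.
    """
    body = {f: existing.get(f, "") for f in SCALAR_FIELDS}
    body.update({f: list(existing.get(f) or []) for f in LIST_FIELDS})
    body.update({f: existing[f] for f in READ_ONLY_FIELDS if f in existing})
    for field, value in changes.items():
        if field in READ_ONLY_FIELDS:
            raise ValueError("%s is maintained by Console" % field)
        if field in LIST_FIELDS:
            if not isinstance(value, list):
                raise ValueError("%s must be a list" % field)
            body[field] = list(value)
        elif field in SCALAR_FIELDS:
            body[field] = value
        else:
            raise ValueError("unknown collection field %r" % field)
    return body


def put_collection(console, token, existing, changes, verify_tls=True):
    """Send the merged body with a Bearer token from /api/v1/authenticate.

    Returns the HTTP status. verify_tls=False mirrors `curl -k` for a
    Console with a self-signed certificate; keep verification on where you can.
    """
    body = build_update(existing, changes)
    req = urllib.request.Request(
        collection_url(console, existing["name"]),
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"},
    )
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    # Offline demonstration: add an image, keep every other field intact.
    print(json.dumps(build_update(EXISTING, {
        "images": EXISTING["images"] + ["docker.io/library/ian_app:1.1"]}),
        indent=2))
```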
CollectionUsages returns all usages of the queried collection. Minimum role required to access this endpoint: auditor.
get /collections/{id}/usages
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- name: (string)
Name is the consumer name (e.g. container runtime, username, etc.)
- type: (object)
Type is the consumer type (e.g. policy, user, etc.). Range of acceptable values: policy, settings, user, group
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Kubernetes auditing
GenerateAuditSinkConfig returns the audit sink configuration for integrating the k8s audit sink with the Console, based upon https://kubernetes.io/docs/tasks/debug-application-cluster/audit/. Minimum role required to access this endpoint: auditor.
get /config/auditsink
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
GenerateValidatingWebhookConfig returns a validating webhook configuration for integrating k8s admission control with a Defender. Minimum role required to access this endpoint: operator.
get /config/validating-webhook
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Container scan reports
Container scan reports.
Retrieves all container scan reports.
Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.
Example curl command:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers
Role
Minimum role required to access this endpoint: vulnerabilityManager.
get /containers
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- clusters: (string)
Clusters is used to filter containers by cluster name
- fields: (string)
Fields is used to fetch specific container fields
- hostname: (string)
Hosts is used to filter containers by host
- id: (string)
IDs is used to filter containers by container ID
- image: (string)
Images is used to filter containers by image name
- imageId: (string)
ImageIDs is used to filter containers by image IDs
- namespaces: (string)
Namespaces are the namespaces to filter by
- profileId: (string)
ProfileIDs is used to filter containers by runtime profile ID
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
Id is the container id
- collections: (string)
Collections are collections to which this container applies
- firewallProtection: (object)
FirewallProtection describes the firewall protection status of this container
- enabled: (boolean)
Enabled indicates that WAAS protection is enabled
- supported: (boolean)
Supported indicates that WAAS protection is supported
- enabled: (boolean)
- hostname: (string)
Hostname is the hostname on which the container is deployed
- info: (object)
Info is the full container info
- allCompliance: (object)
AllCompliance are all the container compliance checks that passed (all failed tests are filtered)
- compliance: (object)
Compliance are all the passed compliance checks
- applicableRules: (string)
ApplicableRules are the applied rules on the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages (packages that are built from the source of the package)
- block: (boolean)
Block indicates if the vulnerability has block effect
- cause: (string)
Cause provides additional information regarding the root cause for the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI specific vulnerability
- custom: (boolean)
Custom indicates whether vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the cve id of the vulnerability (if applied)
- cvss: (number)
Cvss is the cvss score of the vulnerability.
- description: (string)
Description is the vulnerability's description.
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime is the creation time of the layer to which the CVE belongs
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos are the tags info the vulnerability has
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
- applicableRules: (string)
- enabled: (boolean)
Enabled indicates whether passed compliance checks is enabled by policy
- compliance: (object)
- app: (string)
App is the app that is hosted in the container
- cloudMetadata: (object)
CloudMetadata is the cloud provider metadata for the scanner host
- accountID: (string)
AccountID is the cloud account ID
- image: (string)
Image is the image name
- name: (string)
Name is the instance name
- provider: (object)
Provider is the cloud provider (AWS/GCP/Azure). Range of acceptable values: aws, azure, gcp, others
- region: (string)
Region is the instance region
- resourceID: (string)
ResourceID is the resource unique ID
- type: (string)
Type is the instance type
- accountID: (string)
- cluster: (string)
Cluster is the provided cluster name
- complianceDistribution: (object)
ComplianceDistribution is the distribution of compliance issues
- critical: (integer)
- high: (integer)
- low: (integer)
- medium: (integer)
- total: (integer)
- complianceIssues: (object)
ComplianceIssues are all the container compliance issues
- applicableRules: (string)
ApplicableRules are the applied rules on the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages (packages that are built from the source of the package)
- block: (boolean)
Block indicates if the vulnerability has block effect
- cause: (string)
Cause provides additional information regarding the root cause for the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI specific vulnerability
- custom: (boolean)
Custom indicates whether vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the cve id of the vulnerability (if applied)
- cvss: (number)
Cvss is the cvss score of the vulnerability.
- description: (string)
Description is the vulnerability's description.
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime is the creation time of the layer to which the CVE belongs
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos are the tags info the vulnerability has
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
- applicableRules: (string)
- complianceIssuesCount: (integer)
- complianceRiskScore: (number)
ComplianceRiskScore is the container's compliance risk score
- externalLabels: (object)
ExternalLabels is the external labels e.g., kubernetes namespace labels
- key: (string)
Key is the label key
- sourceName: (string)
SourceName is the source name e.g., for a Namespace, source name can be 'twistlock'
- sourceType: (object)
SourceType is the source type
- timestamp: (datetime)
Timestamp is the time in which the label was fetched
- value: (string)
Value is the label value
- key: (string)
- id: (string)
Id is the container id
- image: (string)
Image is the canonical image name
- imageID: (string)
ImageId is the image id
- imageName: (string)
Deprecated: The image name as stated in the docker run command
- infra: (boolean)
Infra represents any container that belongs to the infrastructure
- installedProducts: (object)
InstalledProducts contains data about the products running in the environment
- apache: (string)
Apache indicates the apache server version, empty in case apache not running
- awsCloud: (boolean)
AWSCloud indicates whether AWS cloud is used
- crio: (boolean)
CRI indicates whether the container runtime is CRI (and not docker)
- docker: (string)
Docker represents the docker daemon version
- hasPackageManager: (boolean)
HasPackageManager indicates whether package manager is installed on the OS
- k8sApiServer: (boolean)
K8sApiServer indicates whether a kubernetes api server is running
- k8sControllerManager: (boolean)
K8sControllerManager indicates whether a kubernetes controller manager is running
- k8sEtcd: (boolean)
K8sEtcd indicates whether etcd is running
- k8sFederationApiServer: (boolean)
K8sFederationApiServer indicates whether a federation api server is running
- k8sFederationControllerManager: (boolean)
K8sFederationControllerManager indicates whether a federation controller manager is running
- k8sKubelet: (boolean)
K8sKubelet indicates whether kubelet is running
- k8sProxy: (boolean)
K8sProxy indicates whether a kubernetes proxy is running
- k8sScheduler: (boolean)
K8sScheduler indicates whether a kubernetes scheduler is running
- kubernetes: (string)
Kubernetes represents the kubernetes version
- openshift: (boolean)
Openshift indicates whether openshift is deployed
- osDistro: (string)
OSDistro specifies the OS distribution
- serverless: (boolean)
Serverless indicates whether the evaluation ran in a serverless environment
- swarmManager: (boolean)
SwarmManager indicates whether a swarm manager is running
- swarmNode: (boolean)
SwarmNode indicates whether the node is part of an active swarm
- apache: (string)
- labels: (string)
Labels are the container labels (https://docs.docker.com/engine/userguide/labels-custom-metadata/)
- name: (string)
Name is the container name
- namespace: (string)
Namespace is the k8s deployment namespace
- network: (object)
Network is the container network info
- ports: (object)
Ports are the ports details associated with the container
- container: (integer)
Container is the mapped port inside the container
- host: (integer)
Host is the host port number
- hostIP: (string)
HostIP is the host IP
- listening: (boolean)
Listening indicates whether the port is in listening mode
- nat: (boolean)
NAT indicates the port is exposed using NAT
- container: (integer)
- ports: (object)
- processes: (object)
Processes are the processes that are running inside the container
- name: (string)
Name is a process name
- name: (string)
- profileID: (string)
ProfileID is the container profile id
- sizeBytes: (integer)
- allCompliance: (object)
- scanTime: (datetime)
ScanTime is the container scan time
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
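Triage logic over the report shape documented above, added here as an example and not part of the Prisma Cloud Compute documentation: it flags compliance issues with block effect, counts issues per compliance template, and lists containers that listen on a host-mapped port while WAAS protection is supported but not enabled. The report is a constructed sample; the parsed JSON from GET /api/v1/containers would be passed in its place, and the compliance `discovered` field is deliberately not read.

```python
"""Triage helpers for GET /api/v1/containers scan reports.

Added example, not code from the Prisma Cloud Compute documentation. It works
on the response shape documented above (firewallProtection, info.namespace,
info.complianceIssues with severity/block/templates, info.network.ports) and
ignores the compliance `discovered` field, which the docs say is not valid.
"""

# Constructed sample: what the endpoint returns, reduced to the fields used here.
SAMPLE_REPORT = [
    {
        "_id": "c0ffee01",  # constructed container id
        "hostname": "node-1",
        "firewallProtection": {"enabled": False, "supported": True},
        "info": {
            "name": "web",
            "namespace": "frontend",
            "image": "docker.io/library/hello-world:latest",
            "complianceIssues": [
                {"id": 41, "severity": "high", "block": True,
                 "title": "(constructed) Container running as root",
                 "templates": ["PCI"]},
                {"id": 55, "severity": "medium", "block": False,
                 "title": "(constructed) Healthcheck not set",
                 "templates": []},
            ],
            "network": {"ports": [
                {"container": 8080, "host": 80, "hostIP": "0.0.0.0",
                 "listening": True, "nat": True}]},
        },
    },
    {
        "_id": "c0ffee02",
        "hostname": "node-2",
        "firewallProtection": {"enabled": True, "supported": True},
        "info": {
            "name": "worker",
            "namespace": "batch",
            "image": "docker.io/library/ian_app:1.0",
            "complianceIssues": [],
            "network": {"ports": []},
        },
    },
]

SEVERITY_ORDER = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def container_key(container):
    """Stable label for a report entry: namespace/name ("-" if no namespace)."""
    info = container.get("info") or {}
    ns = info.get("namespace") or "-"
    return "%s/%s" % (ns, info.get("name") or container.get("_id", "?"))


def compliance_issues(container):
    return (container.get("info") or {}).get("complianceIssues") or []


def blocking_issues(container):
    """Issues whose rule has block effect (policy would stop the container)."""
    return [i for i in compliance_issues(container) if i.get("block")]


def issues_for_template(container, template):
    """Issues tagged with a compliance template such as PCI or HIPAA."""
    return [i for i in compliance_issues(container)
            if template in (i.get("templates") or [])]


def exposed_without_waas(report):
    """Containers listening on a host-mapped port while WAAS is supported but off."""
    hits = []
    for c in report:
        fw = c.get("firewallProtection") or {}
        if fw.get("enabled") or not fw.get("supported"):
            continue
        ports = ((c.get("info") or {}).get("network") or {}).get("ports") or []
        if any(p.get("listening") and p.get("host") for p in ports):
            hits.append(container_key(c))
    return hits


def worst_severity(container):
    """Highest severity among the container's compliance issues, or None."""
    worst = max(compliance_issues(container), default=None,
                key=lambda i: SEVERITY_ORDER.get(i.get("severity", ""), 0))
    return worst.get("severity") if worst else None


def triage(report, template=None):
    """One row per container, worst first; `discovered` is intentionally unused."""
    rows = []
    for c in report:
        row = {"container": container_key(c), "host": c.get("hostname"),
               "image": (c.get("info") or {}).get("image"),
               "blocking": len(blocking_issues(c)), "worst": worst_severity(c)}
        if template:
            row[template] = len(issues_for_template(c, template))
        rows.append(row)
    rows.sort(key=lambda r: (SEVERITY_ORDER.get(r["worst"] or "", 0),
                             r["blocking"]), reverse=True)
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_REPORT, template="PCI"):
        print(row)
    print("exposed without WAAS:", exposed_without_waas(SAMPLE_REPORT))
```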
Returns an integer representing the number of containers in your environment.
A call to this api endpoint may resemble the following code snippet:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/count
Role
Minimum role required to access this endpoint: devOps.
get /containers/count
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- clusters: (string)
Clusters is used to filter containers by cluster name
- fields: (string)
Fields is used to fetch specific container fields
- hostname: (string)
Hosts is used to filter containers by host
- id: (string)
IDs is used to filter containers by container ID
- image: (string)
Images is used to filter containers by image name
- imageId: (string)
ImageIDs is used to filter containers by image IDs
- namespaces: (string)
Namespaces are the namespaces to filter by
- profileId: (string)
ProfileIDs is used to filter containers by runtime profile ID
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Downloads all container scan reports in CSV format.
A call to this api endpoint may resemble the following code snippet:
$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/download > container_report.csv
Role
Minimum role required to access this endpoint: vulnerabilityManager.
get /containers/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- clusters: (string)
Clusters is used to filter containers by cluster name
- fields: (string)
Fields is used to fetch specific container fields
- hostname: (string)
Hosts is used to filter containers by host
- id: (string)
IDs is used to filter containers by container ID
- image: (string)
Images is used to filter containers by image name
- imageId: (string)
ImageIDs is used to filter containers by image IDs
- namespaces: (string)
Namespaces are the namespaces to filter by
- profileId: (string)
ProfileIDs is used to filter containers by runtime profile ID
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Returns an array of strings containing all container names.
A call to this api endpoint may resemble the following code snippet:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/names
Role
Minimum role required to access this endpoint: devOps.
get /containers/names
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- clusters: (string)
Clusters is used to filter containers by cluster name
- fields: (string)
Fields is used to fetch specific container fields
- hostname: (string)
Hosts is used to filter containers by host
- id: (string)
IDs is used to filter containers by container ID
- image: (string)
Images is used to filter containers by image name
- imageId: (string)
ImageIDs is used to filter containers by image IDs
- namespaces: (string)
Namespaces are the namespaces to filter by
- profileId: (string)
ProfileIDs is used to filter containers by runtime profile ID
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Re-scan all containers immediately. This endpoint returns the time that the scans were initiated.
The following example command uses curl and basic auth to force Twistlock to re-scan all containers:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/containers/scan
Role
Minimum role required to access this endpoint: operator.
post /containers/scan
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Credentials
Management of Centrally Managed Credentials
get /credentials
This endpoint returns, in JSON format, the list of credentials found in Console under Manage > Authentication > Credential Store.
The following example curl command uses basic auth to return them:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials
Role
Minimum role required to access this endpoint: auditor.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is a unique name for the credential
- accountGUID: (string)
AccountGUID is the unique ID for an IBM Cloud account
- accountID: (string)
AccountID is the account identifier, e.g., username, access key, account GUID, etc.
- apiToken: (object)
APIToken is the token used to authenticate to GCP
  - encrypted: (string)
  - plain: (string)
  Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)
- caCert: (string)
CACert is the CA certificate used for cert-based auth
- description: (string)
Description is the credential description
- external: (boolean)
External indicates if the credential is external
- lastModified: (datetime)
Modified represents the last time the credentials data changed
- owner: (string)
Owner represents the user who added/modified the credentials
- roleArn: (string)
RoleARN is the Amazon Resource Name (ARN) of the role to assume
- secret: (object)
Secret is the credential secret data
  - encrypted: (string)
  - plain: (string)
  Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)
- type: (object)
Type is the cloud provider/external service the credentials are associated with. Range of acceptable values: aws, azure, gcp, ibmCloud, apiToken, githubToken, basic, dtr, kubeconfig, certificate
- useAWSRole: (boolean)
UseAWSRole indicates authentication should be made using the instance's attached credentials (EC2 IAM Role)
post /credentials
This endpoint updates the credentials found in Console under Manage > Authentication > Credential Store.
Create a credentials.json file (example):
[
  {
    "_id": "Sample",
    "type": "basic",
    "accountID": "username",
    "secret": {
      "plain": "password"
    }
  }
]
Note that secret.plain is sent in clear text in the request body (Console stores the encrypted form, as the secret property below describes), so protect credentials.json accordingly.
The following example curl command uses basic auth to update the credentials:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary @credentials.json \
https://<CONSOLE>:8083/api/v1/credentials
Role
Minimum role required to access this endpoint: operator.
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is a unique name for the credential
- accountGUID: (string)
AccountGUID is the unique ID for an IBM Cloud account
- accountID: (string)
AccountID is the account identifier, e.g., username, access key, account GUID, etc.
- apiToken: (object)
APIToken is the token used to authenticate to GCP
  - encrypted: (string)
  - plain: (string)
  Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)
- caCert: (string)
CACert is the CA certificate used for cert-based auth
- description: (string)
Description is the credential description
- external: (boolean)
External indicates if the credential is external
- lastModified: (datetime)
Modified represents the last time the credentials data changed
- owner: (string)
Owner represents the user who added/modified the credentials
- roleArn: (string)
RoleARN is the Amazon Resource Name (ARN) of the role to assume
- secret: (object)
Secret is the credential secret data
  - encrypted: (string)
  - plain: (string)
  Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)
- type: (object)
Type is the cloud provider/external service the credentials are associated with. Range of acceptable values: aws, azure, gcp, ibmCloud, apiToken, githubToken, basic, dtr, kubeconfig, certificate
- useAWSRole: (boolean)
UseAWSRole indicates authentication should be made using the instance's attached credentials (EC2 IAM Role)
delete /credentials/{id}
This endpoint deletes a specific credential found in Console under Manage > Authentication > Credential Store.
The following example curl command uses basic auth to delete the credential with ID "Sample":
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/credentials/Sample
Below is an example of the credential with ID "Sample", as returned by the GET endpoint.
[
  {
    "_id": "Sample",
    "type": "basic",
    "accountID": "username",
    "secret": {
      "plain": "password"
    }
  }
]
Role
Minimum role required to access this endpoint: operator.
URI Parameters
- id: required(string)
get /credentials/{id}/usages
This endpoint returns, in JSON format, all usages of a credential found in Console under Manage > Authentication > Credential Store.
The following example curl command uses basic auth to return the usages of the credential with ID "Sample":
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials/Sample/usages
Below is an example of the credential with ID "Sample", as returned by the GET endpoint.
[
  {
    "_id": "Sample",
    "type": "basic",
    "accountID": "username",
    "secret": {
      "plain": "password"
    }
  }
]
Role
Minimum role required to access this endpoint: auditor.
URI Parameters
- id: required(string)
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- description: (string)
Description is the resource description, e.g., repository name for registry scan
- type: (object)
Type is the usage type, e.g., registry scan, serverless scan. Range of acceptable values: Alert settings, Alert profile, Registry Scan, Serverless Scan, Cloud Scan, Secret Store, Serverless Auto-Deploy, Host Auto-deploy, VM Scan, Code Repository Scan, Custom Intelligence Endpoint
Custom compliance checks
Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. Although Twistlock supports OpenSCAP and XCCDF, these frameworks are complicated, and they can be overkill when all you want to do is run a simple check. Twistlock lets you implement your own custom image checks with simple scripts.
A custom image check consists of a single script. The script’s exit code determines the result of the check, where 0 is pass and 1 is fail. Scripts are executed in the container’s default shell. For many Linux container images, the default shell is bash, but that’s not always the case. For Windows container images, the default shell is cmd.exe.
get /custom-compliance
This endpoint returns, in JSON format, all custom compliance checks found in Console under Defend > Compliance > Custom.
The following example curl command uses basic auth to return them:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/custom-compliance
An example of the returned JSON could be similar to:
[
  {
    "modified": "2019-03-07T17:01:12.355Z",
    "owner": "pierre",
    "name": "apitest",
    "previousName": "",
    "_id": 9000,
    "title": "apitest",
    "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
    "severity": "high"
  }
]
Role
Minimum role required to access this endpoint: ci.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (integer)
ID is the compliance check ID
- disabled: (boolean)
Disabled states if the rule is currently disabled
- modified: (datetime)
- name: (string)
- notes: (string)
Notes are the rule's user notes
- owner: (string)
- previousName: (string)
PreviousName is the rule's previous name, required for rule renaming
- script: (string)
Script is the custom check script
- severity: (string)
Severity is the custom check's defined severity
- title: (string)
Title is the custom check title
put /custom-compliance
This endpoint updates the custom compliance checks shown in Console under Defend > Compliance > Custom.
Create a custom_check.json file (example):
[
  {
    "modified": "2019-03-07T17:01:12.355Z",
    "owner": "pierre",
    "name": "apitest",
    "previousName": "",
    "_id": 9000,
    "title": "apitest",
    "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
    "severity": "high"
  }
]
The following example curl command uses basic auth to update the checks:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
--data-binary @custom_check.json \
https://<CONSOLE>:8083/api/v1/custom-compliance
Role
Minimum role required to access this endpoint: operator.
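The check contract described at the top of this section (one script, exit 0 is pass, exit 1 is fail, run in the container's default shell) and the custom_check.json body above can be exercised before anything is sent to Console. The following added example, which is not code from the Prisma Cloud Compute docs or product, builds the check object with the documented fields, handles the previousName rule for renaming, and dry-runs a constructed world-writable-file check under /bin/sh to confirm it honours the exit-code contract; the check body, file names and severity value are constructed for the example.

```python
"""Build and locally dry-run a custom compliance check payload.

Added example, not code from the Prisma Cloud Compute docs or product. It
follows the contract the docs state: the check is one script, exit code 0 is
pass and 1 is fail, and the payload fields (_id, name, previousName, title,
script, severity, notes) are those of the custom-compliance body. The sample
world-writable check and the dry run under /bin/sh are constructed here; the
real check runs in the target container's default shell, which may differ.
"""
import json
import os
import shlex
import subprocess
import tempfile

# Verdicts derived from the exit-code contract. Anything other than 0 or 1
# means the script itself broke (missing binary, syntax error), which should
# be reported separately rather than counted as a compliance failure.
PASS, FAIL, ERROR = "pass", "fail", "error"


def build_custom_check(check_id, name, title, script, severity, notes=""):
    """Return one check object in the shape of the docs' custom_check.json."""
    if "\r" in script:
        # CRLF endings make /bin/sh choke on 'then\r'; refuse them up front.
        raise ValueError("check script must use LF line endings")
    return {
        "_id": check_id,
        "name": name,
        "previousName": "",  # empty unless the check is being renamed
        "title": title,
        "script": script,    # json.dumps escapes newlines to \n as in the docs
        "severity": severity,
        "notes": notes,
    }


def rename_custom_check(check, new_name):
    """Rename a check; the docs require previousName to carry the old name."""
    renamed = dict(check)
    renamed["previousName"] = check["name"]
    renamed["name"] = new_name
    return renamed


def world_writable_check(path):
    """Constructed sample check: fail (exit 1) when PATH is world-writable.

    Written for POSIX sh, not bash, because the docs warn that a container's
    default shell is not always bash. 'find -perm -002' is POSIX and avoids
    the GNU-only 'stat -c' used in the docs' own example.
    """
    q = shlex.quote(path)
    return (
        f"if [ ! -e {q} ]; then echo {q} is missing; exit 1; fi\n"
        f"if [ -n \"$(find {q} -prune -perm -002)\" ]; then\n"
        f"  echo {q} is world-writable; exit 1\n"
        "fi\n"
        "exit 0\n"
    )


def dry_run_check(script, shell="/bin/sh"):
    """Execute a check script locally and map its exit code to a verdict."""
    with tempfile.NamedTemporaryFile("w", suffix=".sh", delete=False) as fh:
        fh.write(script)
        path = fh.name
    try:
        result = subprocess.run([shell, path], capture_output=True, text=True)
    finally:
        os.unlink(path)
    if result.returncode == 0:
        return PASS
    if result.returncode == 1:
        return FAIL
    return ERROR


def to_payload(checks):
    """Serialize the list body that PUT /api/v1/custom-compliance expects."""
    return json.dumps(checks, indent=2)


def demo():
    """Exercise the sample check against a constructed file in both states."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "app.conf")
        open(target, "w").close()
        os.chmod(target, 0o644)
        compliant = dry_run_check(world_writable_check(target))
        os.chmod(target, 0o666)
        violating = dry_run_check(world_writable_check(target))
    return compliant, violating


if __name__ == "__main__":
    check = build_custom_check(9000, "world-writable-conf",
                               "No world-writable config",
                               world_writable_check("/etc/app.conf"), "high")
    print(to_payload([check]))
    print(demo())
```

The serialized list is what goes into custom_check.json for the curl command above; the dry run only validates the script's exit behaviour on the local host, not on the images Defender will scan.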
Body
Media type: application/json
Type: object
Properties
- _id: (integer)
ID is the compliance check ID
- disabled: (boolean)
Disabled states if the rule is currently disabled
- modified: (datetime)
- name: (string)
- notes: (string)
Notes are the rule's user notes
- owner: (string)
- previousName: (string)
PreviousName is the rule's previous name, required for rule renaming
- script: (string)
Script is the custom check script
- severity: (string)
Severity is the custom check's defined severity
- title: (string)
Title is the custom check title
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- _id: (integer)
ID is the compliance check ID
- disabled: (boolean)
Disabled states if the rule is currently disabled
- modified: (datetime)
- name: (string)
- notes: (string)
Notes are the rule's user notes
- owner: (string)
- previousName: (string)
PreviousName is the rule's previous name, required for rule renaming
- script: (string)
Script is the custom check script
- severity: (string)
Severity is the custom check's defined severity
- title: (string)
Title is the custom check title
delete /custom-compliance/{id}
This endpoint deletes a specific custom compliance check shown in Console under Defend > Compliance > Custom.
The following example curl command uses basic auth to delete the check with ID 9000:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/custom-compliance/9000
Role
Minimum role required to access this endpoint: operator.
URI Parameters
- id: required(string)
CVEs
Browse Twistlock's vulnerability database.
get /cves
Retrieves CVEs from Twistlock's vulnerability database. Query the database by CVE ID; partial matches are supported. A null response indicates that the CVE is not in the database.
The following example curl command queries the Twistlock database for CVE-2018-1102:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves?id=CVE-2018-1102
Role
Minimum role required to access this endpoint: devOps.
Query Parameters
- id: (string)
ID is the term to search
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- conditions: (object)
Conditions are the rules that apply to the vulnerability split into distinct ranges
- cve: (string)
- cvss: (number)
- description: (string)
Description is the vulnerability description
- distro: (string)
- distro_release: (string)
- exploit: (object)
Exploit indicates whether the vulnerability has a public exploit. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the date this CVE was fixed (unix timestamp)
- link_id: (string)
LinkId is the id required to construct the vendor link to the CVE
- modified: (integer)
Modified is the last time this CVE was modified (unix timestamp)
- package: (string)
- rules: (object)
Rules are the rules that apply to the vulnerability
- severity: (string)
- status: (string)
Status is the official vendor state for the CVE
- type: (object)
Type is the type of vulnerability. Range of acceptable values: python, gem, nodejs, jar, package, product
- vecStr: (string)
VectorString is the NVD vulnerability string
get /cves/distribution
Retrieves CVEs from the vulnerability database grouped by distribution, with a count of vulnerabilities per distribution.
The following example curl command uses basic auth to retrieve this data:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves/distribution
Role
Minimum role required to access this endpoint: auditor.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- count: (integer)
Count is the number of CVEs of the specific type
- distro: (string)
Distro is the impacted image distro (e.g., ubuntu)
- distro_release: (string)
DistroRelease is the impacted image distro release (e.g., bionic)
- modified: (integer)
Modified is the max unix timestamp for the specific CVE
- type: (string)
Type is the vulnerability type
Defenders
Manage Defender. Defender is Twistlock's security agent. In general, one Defender is deployed per node.
get /defenders
Lists all deployed Defenders.
The following command uses basic authorization to retrieve a list of all deployed Defenders along with their metadata:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Query Parameters
- cluster: (string)
Clusters are the defender clusters to filter by
- hostname: (string)
Hostname indicates the query should fetch a specific defender
- onlyRegistryScanners: (boolean)
OnlyRegistryScanners indicates that only registry scanner defenders should be returned
- role: (string)
Roles are the defender api.Roles to filter by
- tasClusterIDs: (string)
TASClusterIDs is used to fetch defenders that belong to the given TAS cluster IDs
- type: (string)
Types are the defender types to filter by (linux, windows, etc.)
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties- category: (object)
Category is the category of the defender type (host/container/serverless). Range of acceptable values:
container
,host
,serverless
,appEmbedded
- certificateExpiration: (datetime)
CertificateExpiration is the client's certificate expiry time
- cloudMetadata: (object)
CloudMetadata is the cloud provider metadata of the host
- accountID: (string)
AccountID is the cloud account ID
- image: (string)
Image is the image name
- name: (string)
Name is the instance name
- provider: (object)
Provider is the cloud provider (AWS/GCP/Azure). Range of acceptable values:
aws
,azure
,gcp
,others
- region: (string)
Region the instance region
- resourceID: (string)
ResourceID is the resource unique ID
- type: (string)
Type is the instance type
- accountID: (string)
- cluster: (string)
Cluster is the provided cluster name (fallback is internal IP)
- clusterID: (string)
ClusterID is a unique ID generated for each daemon set, and used to group Defenders by clustersNote: Kubernetes does not provide a cluster name as part of its API
- collections: (string)
Collections are collections to which this defender applies
- compatibleVersion: (boolean)
CompatibleVersion indicates if the defender has a compatible version for communication (e.g. request logs)
- connected: (boolean)
Connected indicates whether the defender is connected
- features: (object)
Features are feature that are enabled in the defender
- clusterMonitoring: (boolean)
ClusterMonitoring determines whether the k8s or Istio cluster monitoring features are enabled
- proxyListenerType: (object)
ProxyListenerType determines whether the defender acts as a TCP proxy. Range of acceptable values:
none
,tcp
,default
- registryScanner: (boolean)
RegistryScanner determines whether the defender is a registry scanner
- clusterMonitoring: (boolean)
- firewallProtection: (object)
FirewallProtection describes the firewall protection status of app embedded defenders
- enabled: (boolean)
Enabled indicates that WAAS protection is enabled
- supported: (boolean)
Supported indicates that WAAS protection is supported
- enabled: (boolean)
- fqdn: (string)
FQDN is the full domain name used in audit alerts to identify specific hosts
- hostname: (string)
Hostname is the defender hostname
- lastModified: (datetime)
LastModified is the last time the defender connectivity was modified
- port: (integer)
Port is the communication port between defender to console
- proxy: (object)
Proxy is the proxy options of the defender
- ca: (string)
CA is the user proxy's CA
- httpProxy: (string)
HttpProxy is the proxy address
- noProxy: (string)
NoProxy is a list of addresses for which the proxy should not be used
- password: (object)
Password is the password used for proxy authentication
- encrypted: (string)
- plain: (string)
Plain is the plaintext value (note: when marshalled to JSON it is converted to the encrypted value)
- user: (string)
User is the username used to authenticate to the user's proxy
- remoteLoggingSupported: (boolean)
RemoteLoggingSupported indicates if the defender logs can be retrieved from remote
- remoteMgmtSupported: (boolean)
RemoteMgmtSupported indicates if the defender can be remotely managed (upgrade, restart)
- status: (object)
Status is the feature status of the defender
- lastModified: (datetime)
LastModified is the time the event was modified
- systemInfo: (object)
SystemInfo is the system information of the defender host
- cpuCount: (integer)
CPUCount is the CPU count on the defender host
- freeDiskSpaceGB: (object)
FreeDiskSpaceGB is the free disk space (in GB) on the defender host
- kernelVersion: (string)
KernelVersion is the kernel version on the defender host
- memoryGB: (number)
MemoryGB is the total memory (in GB) on the defender host
- totalDiskSpaceGB: (object)
TotalDiskSpaceGB is the total disk space (in GB) on the defender host
- tasClusterID: (string)
TASClusterID is the ID used to identify the TAS cluster of the defender. Typically this is the Cloud Controller API address
- type: (object)
Type is the type of the defender (registry scanner/kubernetes node/etc.). Range of acceptable values: none, docker, dockerWindows, swarm, daemonset, serverLinux, serverWindows, cri, fargate, appEmbedded, tas, serverless, ecs
- version: (string)
Version is the agent version
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
EmbedAppEmbeddedDefender returns an augmented Dockerfile + embedded defender dependencies as a ZIP file. Minimum role required to access this endpoint: operator.
post /defenders/app-embedded
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties
- appID: (string)
AppID identifies the app that the App-Embedded Defender is protecting
- consoleAddr: (string)
ConsoleAddr is the console address
- dataFolder: (string)
DataFolder is the path to the Twistlock data folder in the container
- dockerfile: (string)
Dockerfile is the Dockerfile to embed AppEmbedded defender into
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
GenerateDaemonSet generates the defender daemonset k8s yaml. Minimum role required to access this endpoint: operator.
post /defenders/daemonset.yaml
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties
- cluster: (string)
Cluster is the kubernetes or ecs cluster name
- collectPodLabels: (boolean)
CollectPodLabels indicates whether to collect pod-related resource labels
- consoleAddr: (string)
ConsoleAddr is the console address for defender communication
- credentialID: (string)
CredentialID is the name of the credential used
- cri: (boolean)
CRI indicates defender uses CRI instead of docker
- dockerSocketPath: (string)
DockerSocketPath is the path of the docker socket file
- image: (string)
Image is the full daemonset image name
- istio: (boolean)
MonitorIstio indicates whether to monitor Istio
- namespace: (string)
Namespace is the target daemonset namespace
- nodeSelector: (string)
NodeSelector is a key/value node selector
- orchestration: (string)
Orchestration is the orchestration type
- privileged: (boolean)
Privileged indicates whether to run defenders as privileged
- region: (string)
Region is the kubernetes cluster location region
- secretsname: (string)
SecretName is the name of the secret
- selinux: (boolean)
SelinuxEnforced indicates whether selinux is enforced on the target host
- serviceaccounts: (boolean)
MonitorServiceAccounts indicates whether to monitor service accounts
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Downloads information about deployed Defenders in CSV format. Use the query parameters to filter what data is returned.
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/download
Role
Minimum role required to access this endpoint: auditor.
get /defenders/download
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters are the defender clusters to filter
- hostname: (string)
Hostname indicates the query should fetch a specific defender
- onlyRegistryScanners: (boolean)
OnlyRegistryScanners indicates that only registry scanner defenders should be returned
- role: (string)
Roles are the defender api.Roles to filter
- tasClusterIDs: (string)
TASClusterIDs is used to fetch defenders that belong to the TAS cluster IDs
- type: (string)
Types are the defender types to filter (linux, windows etc.)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
GenerateEcsTaskDefinition generates the defender ecs task definition json. Minimum role required to access this endpoint: operator.
post /defenders/ecs-task.json
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties
- taskName: (string)
TaskName is the name used for the task definition
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Returns a protected Fargate task definition given an unprotected task definition.
<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.
The unprotected task definition is in unprotected.json:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary "@unprotected.json" \
--output protected.json \
https://<CONSOLE>:8083/api/v1/defenders/fargate.json?consoleaddr=<HOSTNAME>&defenderType=appEmbedded
The new protected task definition is written to protected.json.
Role
Minimum role required to access this endpoint: operator.
post /defenders/fargate.json
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- consoleaddr: (string)
consoleaddr is the remote console address
- defenderType: (object)
DefenderType is the type of the defender to create the install bundle for. Range of acceptable values: none, docker, dockerWindows, swarm, daemonset, serverLinux, serverWindows, cri, fargate, appEmbedded, tas, serverless, ecs
- interpreter: (string)
Interpreter is a custom interpreter set by the user to run the fargate defender entrypoint script
Body
Media type: application/json
Type: object
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
DefenderHelmChart generates a defender helm chart. Minimum role required to access this endpoint: operator.
post /defenders/helm/twistlock-defender-helm.tar.gz
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties
- cluster: (string)
Cluster is the kubernetes or ecs cluster name
- collectPodLabels: (boolean)
CollectPodLabels indicates whether to collect pod-related resource labels
- consoleAddr: (string)
ConsoleAddr is the console address for defender communication
- credentialID: (string)
CredentialID is the name of the credential used
- cri: (boolean)
CRI indicates defender uses CRI instead of docker
- dockerSocketPath: (string)
DockerSocketPath is the path of the docker socket file
- image: (string)
Image is the full daemonset image name
- istio: (boolean)
MonitorIstio indicates whether to monitor Istio
- namespace: (string)
Namespace is the target daemonset namespace
- nodeSelector: (string)
NodeSelector is a key/value node selector
- orchestration: (string)
Orchestration is the orchestration type
- privileged: (boolean)
Privileged indicates whether to run defenders as privileged
- region: (string)
Region is the kubernetes cluster location region
- secretsname: (string)
SecretName is the name of the secret
- selinux: (boolean)
SelinuxEnforced indicates whether selinux is enforced on the target host
- serviceaccounts: (boolean)
MonitorServiceAccounts indicates whether to monitor service accounts
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Returns the full Docker image name for Defender.
Example: registry-auth.twistlock.com/tw_smbvukudjypnnrqmso0/twistlock/defender:defender_18_11_128
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/image-name
Role
Minimum role required to access this endpoint: operator.
get /defenders/image-name
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Returns the certsBundle that Defender needs to securely connect to Console.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/install-bundle?consoleaddr=<CONSOLEADDR>
Role
Minimum role required to access this endpoint: defenderManager.
get /defenders/install-bundle
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- consoleaddr: (string)
consoleaddr is the remote console address
- defenderType: (object)
DefenderType is the type of the defender to create the install bundle for. Range of acceptable values: none, docker, dockerWindows, swarm, daemonset, serverLinux, serverWindows, cri, fargate, appEmbedded, tas, serverless, ecs
- interpreter: (string)
Interpreter is a custom interpreter set by the user to run the fargate defender entrypoint script
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- installBundle: (string)
InstallBundle is the base64 bundle of certificates used to communicate with the console
- wsAddress: (string)
WSAddress is the websocket address of the console that the TAS defender connects to
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Retrieves a list of Defender hostnames that can be used as the {id} query parameter in other /api/v1/defenders endpoints.
Retrieve a list of all Defenders:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names
Retrieve a list of connected Defenders:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?connected
Retrieve a list of Defenders by type:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?type=<linux|windows|docker|...>
Role
Minimum role required to access this endpoint: vulnerabilityManager.
get /defenders/names
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters are the defender clusters to filter
- hostname: (string)
Hostname indicates the query should fetch a specific defender
- onlyRegistryScanners: (boolean)
OnlyRegistryScanners indicates that only registry scanner defenders should be returned
- role: (string)
Roles are the defender api.Roles to filter
- tasClusterIDs: (string)
TASClusterIDs is used to fetch defenders that belong to the TAS cluster IDs
- type: (string)
Types are the defender types to filter (linux, windows etc.)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
DownloadServerlessBundle returns a ZIP with serverless defender bundle. Minimum role required to access this endpoint: operator.
get /defenders/serverless/bundle
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- runtime: (object)
Runtime is the type of the serverless function
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
List the number of Defenders in each defender category.
The following command uses basic authorization to retrieve a summary of Defenders:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/summary
Role
Minimum role required to access this endpoint: defenderManager.
get /defenders/summary
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- category: (object)
Category is the defender's category. Range of acceptable values: container, host, serverless, appEmbedded
- connected: (integer)
Connected counts how many defenders are connected for this category
- deployed: (integer)
Deployed counts how many defenders are deployed for this category
- licensed: (integer)
Licensed counts how many defenders are licensed for this category
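A fleet health check that combines the /api/v1/defenders/names endpoint (all Defenders versus the ?connected subset) with the per-category counts returned by /api/v1/defenders/summary. This is an added example, not code from the Prisma Cloud Compute documentation or product: it authenticates with HTTP basic auth exactly as the cURL examples do, and it assumes that /defenders/names returns a JSON array of hostname strings and that /defenders/summary returns a JSON array of objects with the category, connected, deployed and licensed fields described above. The sample responses at the bottom are constructed so the pure functions can be exercised offline.

```python
"""Fleet health check against the Prisma Cloud Compute defenders API.

Added example (not part of the Prisma Cloud Compute documentation).
Assumptions: /defenders/names returns a JSON array of hostname strings;
/defenders/summary returns a JSON array of objects carrying the
category/connected/deployed/licensed fields documented for that endpoint.
"""
import base64
import json
import ssl
import urllib.request


def fetch_json(console, path, user, password, verify_tls=True):
    """GET https://<console>/api/v1/<path> with HTTP basic auth; return parsed JSON."""
    url = f"https://{console}/api/v1/{path}"
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}"})
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Mirrors `curl -k`; only for a Console that still uses a self-signed certificate.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def disconnected_defenders(all_names, connected_names):
    """Hostnames that are deployed but not currently connected to Console."""
    return sorted(set(all_names) - set(connected_names))


def summary_gaps(summary):
    """Per category: how many deployed Defenders are not connected, and how many
    exceed the licensed count (floored at zero)."""
    gaps = {}
    for row in summary:
        deployed = row.get("deployed", 0)
        gaps[row["category"]] = {
            "disconnected": deployed - row.get("connected", 0),
            "unlicensed": max(deployed - row.get("licensed", 0), 0),
        }
    return gaps


def fleet_report(console, user, password, verify_tls=True):
    """Pull the three documented views and reduce them to the gaps an operator cares about."""
    all_names = fetch_json(console, "defenders/names", user, password, verify_tls)
    connected = fetch_json(console, "defenders/names?connected", user, password, verify_tls)
    summary = fetch_json(console, "defenders/summary", user, password, verify_tls)
    return {
        "disconnected_hosts": disconnected_defenders(all_names, connected),
        "category_gaps": summary_gaps(summary),
    }


# Constructed sample responses, used only for the offline demonstration below.
SAMPLE_ALL = ["node-a", "node-b", "node-c", "scanner-1"]
SAMPLE_CONNECTED = ["node-a", "node-c", "scanner-1"]
SAMPLE_SUMMARY = [
    {"category": "container", "connected": 3, "deployed": 4, "licensed": 4},
    {"category": "host", "connected": 2, "deployed": 2, "licensed": 1},
]

if __name__ == "__main__":
    print("disconnected:", disconnected_defenders(SAMPLE_ALL, SAMPLE_CONNECTED))
    print(json.dumps(summary_gaps(SAMPLE_SUMMARY), indent=2))
```

Run fleet_report("<CONSOLE>:8083", "<USER>", "<PASSWORD>") against a live Console (the auditor/defenderManager roles listed for these endpoints are sufficient); a host in disconnected_hosts is one whose runtime protection and vulnerability data have stopped flowing, and a non-zero unlicensed count means deployed Defenders exceed the licensed count for that category.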
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Upgrades all connected single Linux Container Defenders.
This does not update cluster Container Defenders (such as Defender DaemonSets), Serverless Defenders, or Fargate Defenders. To upgrade cluster Container Defenders, redeploy them. To upgrade Serverless and Fargate Defenders, re-embed them.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/upgrade
Role
Minimum role required to access this endpoint: operator.
post /defenders/upgrade
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Deletes a Defender on a given host.
<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>
Role
Minimum role required to access this endpoint: operator.
delete /defenders/{id}
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Updates a deployed Defender's configuration.
<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"proxyListenerType": "tcp", "registryScanner": <true|false>, "serverlessScanner": <true|false>}' \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/features
Role
Minimum role required to access this endpoint: operator.
post /defenders/{id}/features
Updates a deployed Defender's configuration. <HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"proxyListenerType": "tcp", "registryScanner":"<true|false>", "serverlessScanner":"<true|false>"}' \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/features
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Body
Media type: application/json
Type: object
Properties
- clusterMonitoring: (boolean)
ClusterMonitoring determines whether the k8s or Istio cluster monitoring features are enabled
- proxyListenerType: (object)
ProxyListenerType determines whether the defender acts as a TCP proxy. Range of acceptable values: none, tcp, default
- registryScanner: (boolean)
RegistryScanner determines whether the defender is a registry scanner
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- category: (object)
Category is the category of the defender type (host/container/serverless). Range of acceptable values: container, host, serverless, appEmbedded
- certificateExpiration: (datetime)
CertificateExpiration is the client's certificate expiry time
- cloudMetadata: (object)
CloudMetadata is the cloud provider metadata of the host
  - accountID: (string)
  AccountID is the cloud account ID
  - image: (string)
  Image is the image name
  - name: (string)
  Name is the instance name
  - provider: (object)
  Provider is the cloud provider (AWS/GCP/Azure). Range of acceptable values: aws, azure, gcp, others
  - region: (string)
  Region is the instance region
  - resourceID: (string)
  ResourceID is the resource unique ID
  - type: (string)
  Type is the instance type
- cluster: (string)
Cluster is the provided cluster name (fallback is internal IP)
- clusterID: (string)
ClusterID is a unique ID generated for each daemon set, and used to group Defenders by clusters. Note: Kubernetes does not provide a cluster name as part of its API
- collections: (string)
Collections are collections to which this defender applies
- compatibleVersion: (boolean)
CompatibleVersion indicates if the defender has a compatible version for communication (e.g. request logs)
- connected: (boolean)
Connected indicates whether the defender is connected
- features: (object)
Features are the features that are enabled in the defender
  - clusterMonitoring: (boolean)
  ClusterMonitoring determines whether the k8s or Istio cluster monitoring features are enabled
  - proxyListenerType: (object)
  ProxyListenerType determines whether the defender acts as a TCP proxy. Range of acceptable values: none, tcp, default
  - registryScanner: (boolean)
  RegistryScanner determines whether the defender is a registry scanner
- firewallProtection: (object)
FirewallProtection describes the firewall protection status of app embedded defenders
  - enabled: (boolean)
  Enabled indicates that WAAS protection is enabled
  - supported: (boolean)
  Supported indicates that WAAS protection is supported
- fqdn: (string)
FQDN is the full domain name used in audit alerts to identify specific hosts
- hostname: (string)
Hostname is the defender hostname
- lastModified: (datetime)
LastModified is the last time the defender connectivity was modified
- port: (integer)
Port is the communication port between defender and console
- proxy: (object)
Proxy is the proxy options of the defender
  - ca: (string)
  CA is the user proxy's CA
  - httpProxy: (string)
  HttpProxy is the proxy address
  - noProxy: (string)
  NoProxy is a list of addresses for which the proxy should not be used
  - password: (object)
  Password is the password used for proxy authentication
    - encrypted: (string)
    - plain: (string)
    Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)
  - user: (string)
  User is the username to be used in authentication in front of the user's proxy
- remoteLoggingSupported: (boolean)
RemoteLoggingSupported indicates if the defender logs can be retrieved from remote
- remoteMgmtSupported: (boolean)
RemoteMgmtSupported indicates if the defender can be remotely managed (upgrade, restart)
- status: (object)
Status is the feature status of the defender
  - lastModified: (datetime)
  Modified is the time the event was modified
- systemInfo: (object)
SystemInfo is the system information of the defender host
  - cpuCount: (integer)
  CPUCount is the CPU count on the defender host
  - freeDiskSpaceGB: (object)
  FreeDiskSpaceGB is the free disk space (in GB) on the defender host
  - kernelVersion: (string)
  KernelVersion is the kernel version on the defender host
  - memoryGB: (number)
  MemoryGB is the total memory (in GB) on the defender host
  - totalDiskSpaceGB: (object)
  TotalDiskSpaceGB is the total disk space (in GB) on the defender host
- tasClusterID: (string)
TASClusterID is the ID used to identify the TAS cluster of the defender. Typically it will be the Cloud Controller API address
- type: (object)
Type is the type of the defender (registry scanner/kubernetes node/etc...). Range of acceptable values: none, docker, dockerWindows, swarm, daemonset, serverLinux, serverWindows, cri, fargate, appEmbedded, tas, serverless, ecs
- version: (string)
Version is the agent version
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
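The features endpoint above takes a small JSON body with one enumerated field and a few booleans, and returns the full Defender object. The following Python is an added example, not code from the Prisma Cloud documentation or product: it validates a features payload against the documented schema before anything is sent (the cURL example's "<true|false>" placeholders must become real JSON booleans), builds the request with either of the two documented Authorization schemes, and runs a few operational checks over a Defender object in the shape of the documented 200 body. The console name, hostname, credentials and the SAMPLE_DEFENDER record are constructed; serverlessScanner is taken from the cURL example rather than the body schema; the 30-day certificate warning window is an assumption of this example.

```python
import base64
import json
from datetime import datetime, timedelta

# Allowed values for proxyListenerType, as documented for POST /defenders/{id}/features.
PROXY_LISTENER_TYPES = ("none", "tcp", "default")
# Boolean feature flags: the first two come from the documented body schema, the
# third appears only in the page's cURL example.
FEATURE_FLAGS = ("clusterMonitoring", "registryScanner", "serverlessScanner")


def validate_features(features):
    """Return a list of schema problems in a features payload (empty list means valid)."""
    problems = []
    for key, value in features.items():
        if key == "proxyListenerType":
            if value not in PROXY_LISTENER_TYPES:
                problems.append(f"proxyListenerType must be one of {PROXY_LISTENER_TYPES}, got {value!r}")
        elif key in FEATURE_FLAGS:
            # The cURL example writes "<true|false>" as a placeholder; the real value
            # must be a JSON boolean, not the string "true".
            if not isinstance(value, bool):
                problems.append(f"{key} must be a JSON boolean, got {value!r}")
        else:
            problems.append(f"unknown field {key!r}")
    return problems


def build_features_request(console, hostname, features, user=None, password=None, token=None):
    """Return (method, url, headers, body) for POST /api/v1/defenders/{id}/features.

    Nothing is sent; the caller hands the tuple to an HTTP client. hostname is
    expected to be one item from /api/v1/defenders/names.
    """
    problems = validate_features(features)
    if problems:
        raise ValueError("; ".join(problems))
    headers = {"Content-Type": "application/json"}
    if token:
        # jwtAccessToken scheme: token obtained from /api/v1/authenticate
        headers["Authorization"] = f"Bearer {token}"
    elif user is not None and password is not None:
        # basicAuth scheme: Base64 of "username:password"
        creds = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = f"Basic {creds}"
    else:
        raise ValueError("supply either token= or user= and password=")
    url = f"https://{console}:8083/api/v1/defenders/{hostname}/features"
    return "POST", url, headers, json.dumps(features)


def _parse_ts(value):
    # RFC 3339 timestamps as returned by Console; datetime.fromisoformat needs +00:00, not Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_defender(defender, now_iso, cert_warn_days=30):
    """Return findings for one Defender object shaped like the documented 200 body."""
    now = _parse_ts(now_iso)
    findings = []
    if not defender.get("connected", False):
        findings.append("defender not connected")
    if not defender.get("compatibleVersion", True):
        findings.append(f"incompatible version {defender.get('version')}")
    expiry = defender.get("certificateExpiration")
    if expiry:
        expiry_dt = _parse_ts(expiry)
        if expiry_dt - now < timedelta(days=cert_warn_days):
            findings.append(f"client certificate expires {expiry_dt.date()}")
    if not defender.get("remoteMgmtSupported", False):
        findings.append("remote upgrade/restart not supported")
    if defender.get("proxy", {}).get("password", {}).get("plain"):
        findings.append("proxy password present in plain text")
    return findings


# Constructed sample in the shape of the documented response; not real Console output.
SAMPLE_DEFENDER = {
    "hostname": "node-1.example.internal",
    "category": "container",
    "type": "daemonset",
    "version": "30.00.123",
    "connected": False,
    "compatibleVersion": True,
    "certificateExpiration": "2024-02-01T00:00:00Z",
    "remoteMgmtSupported": True,
    "proxy": {"httpProxy": "", "password": {"encrypted": "", "plain": ""}},
}

if __name__ == "__main__":
    print(build_features_request("console.example", "node-1",
                                 {"proxyListenerType": "tcp", "registryScanner": False},
                                 token="<ACCESS_TOKEN>"))
    print(audit_defender(SAMPLE_DEFENDER, "2024-01-15T00:00:00Z"))
```

Run `audit_defender` over every item returned by GET /api/v1/defenders to get a per-host list of conditions worth acting on before pushing a features change, restart or upgrade.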
Restarts Defender on a given host. <HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/restart
Role
Minimum role required to access this endpoint: operator.
post /defenders/{id}/restart
Restarts Defender on a given host. <HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/restart
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Upgrades Defender on <HOSTNAME>. <HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/upgrade
Role
Minimum role required to access this endpoint: operator.
post /defenders/{id}/upgrade
Upgrades Defender on <HOSTNAME>. <HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/upgrade
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Deployments
Manage Defender DaemonSet deployments.
Retrieves a list of deployed Defender DaemonSets. You must specify a credentialID, of type kubeconfig, which identifies your cluster and user. Credentials are managed in Console's credentials store (/api/v1/credentials).
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets?credentialID=<CREDENTIAL NAME>
Role
Minimum role required to access this endpoint: auditor.
get /deployment/daemonsets
Retrieves a list of deployed Defender DaemonSets. You must specify a credentialID, of type kubeconfig, which identifies your cluster and user. Credentials are managed in Console's credentials store (/api/v1/credentials).
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets?credentialID=<CREDENTIAL NAME>
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- credentialID: (string)
CredentialID is the name of the credential used
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- address: (string)
Address is the kubernetes cluster address
- cluster: (string)
Cluster is the kubernetes cluster name
- credentialID: (string)
CredentialID is the name of the credential used
- defendersVersion: (string)
DefendersVersion is the version of the defenders deployed
- desiredDefenders: (integer)
DesiredDefenders is the number of desired defenders
- error: (string)
Error indicates any related errors found
- hasDefender: (boolean)
HasDefender indicates if the cluster has at least one running defender
- region: (string)
Region is the kubernetes cluster location region
- runningDefenders: (integer)
RunningDefenders is the number of defenders running
- upgradable: (boolean)
Upgradable indicates if the cluster is upgradable
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
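The 200 body documented above carries everything needed to spot clusters with no Defender coverage, DaemonSets running fewer Defenders than desired, clusters Console could not query, and version drift between clusters. The Python below is an added example, not code from the Prisma Cloud documentation or product: it triages a list of such entries into those conditions. The SAMPLE_DAEMONSETS records (cluster names, addresses, credential names, version strings and the error text) are constructed for illustration; treating the most common defendersVersion among covered clusters as the baseline for drift is a choice of this example.

```python
from collections import Counter

# Constructed sample shaped like the documented 200 body of GET /deployment/daemonsets;
# not real Console output.
SAMPLE_DAEMONSETS = [
    {"cluster": "prod-east", "address": "https://10.0.0.10:6443", "credentialID": "prod-east-kubeconfig",
     "region": "us-east-1", "defendersVersion": "30.00.123", "desiredDefenders": 5,
     "runningDefenders": 5, "hasDefender": True, "upgradable": False, "error": ""},
    {"cluster": "prod-central", "address": "https://10.0.4.10:6443", "credentialID": "prod-central-kubeconfig",
     "region": "us-central-1", "defendersVersion": "30.00.123", "desiredDefenders": 3,
     "runningDefenders": 3, "hasDefender": True, "upgradable": False, "error": ""},
    {"cluster": "prod-west", "address": "https://10.0.1.10:6443", "credentialID": "prod-west-kubeconfig",
     "region": "us-west-2", "defendersVersion": "22.12.582", "desiredDefenders": 4,
     "runningDefenders": 2, "hasDefender": True, "upgradable": True, "error": ""},
    {"cluster": "dev", "address": "https://10.0.2.10:6443", "credentialID": "dev-kubeconfig",
     "region": "us-east-1", "defendersVersion": "", "desiredDefenders": 0,
     "runningDefenders": 0, "hasDefender": False, "upgradable": False, "error": ""},
    {"cluster": "staging", "address": "https://10.0.3.10:6443", "credentialID": "staging-kubeconfig",
     "region": "eu-west-1", "defendersVersion": "", "desiredDefenders": 0,
     "runningDefenders": 0, "hasDefender": False, "upgradable": False,
     "error": "constructed error: cluster API server unreachable"},
]


def triage_daemonsets(items):
    """Group DaemonSet entries by the condition an operator needs to act on.

    Returns a dict with keys errors, uncovered, degraded, upgradable and version_drift.
    Drift is judged against the most common defendersVersion among clusters that
    actually run Defenders (an assumption of this example, not a Console rule).
    """
    report = {"errors": [], "uncovered": [], "degraded": [], "upgradable": [], "version_drift": []}
    versions = Counter(d["defendersVersion"] for d in items
                       if d.get("hasDefender") and d.get("defendersVersion"))
    baseline = versions.most_common(1)[0][0] if versions else None
    for d in items:
        name = d.get("cluster") or d.get("address")
        if d.get("error"):
            # Console could not query this cluster; the remaining fields are not meaningful.
            report["errors"].append((name, d["error"]))
            continue
        if not d.get("hasDefender"):
            # A cluster Console knows about but nothing is protecting it.
            report["uncovered"].append(name)
            continue
        running, desired = d.get("runningDefenders", 0), d.get("desiredDefenders", 0)
        if running < desired:
            # Some nodes have no running Defender pod even though the DaemonSet wants one.
            report["degraded"].append((name, running, desired))
        if d.get("upgradable"):
            report["upgradable"].append(name)
        if baseline and d.get("defendersVersion") != baseline:
            report["version_drift"].append((name, d["defendersVersion"], baseline))
    return report


if __name__ == "__main__":
    for key, entries in triage_daemonsets(SAMPLE_DAEMONSETS).items():
        print(f"{key}: {entries}")
```

Feed the function the JSON array returned by GET /api/v1/deployment/daemonsets (one call per kubeconfig credential) to get a single coverage report across clusters.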
Deploys a Defender DaemonSet to the cluster identified by credentialID. The credentialID, of type kubeconfig, must exist before calling this endpoint. It identifies the cluster's API server, user, and credentials.
Use the various request parameters to control the properties of the deployed DaemonSet.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{
"credentialID": "",
"consoleAddr": "",
"namespace": "",
"orchestration": "",
"...":"..."
}' \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets/deploy
Role
Minimum role required to access this endpoint: operator.
post /deployment/daemonsets/deploy
Deploys a Defender DaemonSet to the cluster identified by credentialID. The credentialID, of type kubeconfig, must exist before calling this endpoint. It identifies the cluster's API server, user, and credentials.
Use the various request parameters to control the properties of the deployed DaemonSet.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{
"credentialID": "",
"consoleAddr": "",
"namespace": "",
"orchestration": "",
"...":"..."
}' \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets/deploy
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties
- cluster: (string)
Cluster is the kubernetes or ecs cluster name
- collectPodLabels: (boolean)
CollectPodLabels indicates whether to collect pod-related resource labels
- consoleAddr: (string)
ConsoleAddr is the console address for defender communication
- credentialID: (string)
CredentialID is the name of the credential used
- cri: (boolean)
CRI indicates defender uses CRI instead of docker
- dockerSocketPath: (string)
DockerSocketPath is the path of the docker socket file
- image: (string)
Image is the full daemonset image name
- istio: (boolean)
MonitorIstio indicates whether to monitor Istio
- namespace: (string)
Namespace is the target daemonset namespace
- nodeSelector: (string)
NodeSelector is a key/value node selector
- orchestration: (string)
Orchestration is the orchestration type
- privileged: (boolean)
Privileged indicates whether to run defenders as privileged
- region: (string)
Region is the kubernetes cluster location region
- secretsname: (string)
SecretName is the secret
- selinux: (boolean)
SelinuxEnforced indicates whether selinux is enforced on the target host
- serviceaccounts: (boolean)
MonitorServiceAccounts indicates whether to monitor service accounts
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
HostAutoDeployProgress returns the host auto-deploy progress. Minimum role required to access this endpoint: operator.
get /deployment/host/progress
HostAutoDeployProgress returns the host auto-deploy progress. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- discovery: (boolean)
Discovery indicates whether the scan is in discovery phase
- error: (string)
Error is the error that happened during scan
- hostname: (string)
Hostname is the hostname to which the progress applies
- id: (string)
ID is the ID of the entity being scanned
- scanTime: (datetime)
ScanTime is the time of scan
- scanned: (integer)
Scanned is the number of entities for which the scan completed
- title: (string)
Title is the progress title (set by the scanning process)
- total: (integer)
Total is the total amount of entities that should be scanned
- type: (object)
Type is the scan type (e.g., images/serverless). Range of acceptable values: image, ciImage, container, host, registry, serverlessScan, ciServerless, vm, tas, cloudDiscovery, cloudCompliance, serverlessRadar, serverlessAutoDeploy, hostAutoDeploy, codeRepo
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
StartHostAutoDeploy starts a host auto-deploy. Minimum role required to access this endpoint: operator.
post /deployment/host/scan
StartHostAutoDeploy starts a host auto-deploy. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
StopHostAutoDeploy stops the host auto-deploy scan. Minimum role required to access this endpoint: operator.
post /deployment/host/stop
StopHostAutoDeploy stops the host auto-deploy scan. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
ServerlessAutoDeployProgress returns the serverless auto-deploy scan progress. Minimum role required to access this endpoint: operator.
get /deployment/serverless/progress
ServerlessAutoDeployProgress returns the serverless auto-deploy scan progress. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- discovery: (boolean)
Discovery indicates whether the scan is in discovery phase
- error: (string)
Error is the error that happened during scan
- hostname: (string)
Hostname is the hostname to which the progress applies
- id: (string)
ID is the ID of the entity being scanned
- scanTime: (datetime)
ScanTime is the time of scan
- scanned: (integer)
Scanned is the number of entities for which the scan completed
- title: (string)
Title is the progress title (set by the scanning process)
- total: (integer)
Total is the total amount of entities that should be scanned
- type: (object)
Type is the scan type (e.g., images/serverless). Range of acceptable values: image, ciImage, container, host, registry, serverlessScan, ciServerless, vm, tas, cloudDiscovery, cloudCompliance, serverlessRadar, serverlessAutoDeploy, hostAutoDeploy, codeRepo
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
StartServerlessAutoDeploy starts a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.
post /deployment/serverless/scan
StartServerlessAutoDeploy starts a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
StopServerlessAutoDeploy stops a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.
post /deployment/serverless/stop
StopServerlessAutoDeploy stops a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Custom feeds
Augments the Prisma Cloud Compute Intelligence Stream with custom threat data. Enables you to expand the scope of threats and vulnerabilities that Prisma Cloud Compute can detect and report.
DownloadFeedsBundle creates and serves the intelligence feeds bundle. Minimum role required to access this endpoint: vulnerabilityManager.
UploadOfflineIntelligenceFeeds uploads the offline intelligence feeds bundle. Minimum role required to access this endpoint: operator.
get /feeds/bundle
DownloadFeedsBundle creates and serves the intelligence feeds bundle. Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
put /feeds/bundle
UploadOfflineIntelligenceFeeds uploads the offline intelligence feeds bundle. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Retrieves the list of custom vulnerabilities and associated rules for handling internally created or packaged apps.
This list is used by the Prisma Cloud Compute scanner to detect vulnerable custom components (apps, libraries, etc.) that were developed and packaged internally.
Note: When a vulnerable custom component is detected in an image, you must have a rule to tell Twistlock how to handle it. Vulnerability rules can be created using the Console UI or with the /api/v1/vulnerabilty/<RESOURCE-TYPE> endpoint. See the /api/v1/vulnerabilty/<RESOURCE-TYPE> endpoint for more info.
cURL Request
The following cURL command retrieves a list of all the custom vulnerabilities and associated rules.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities
Response
A successful response will return a list of custom vulnerability rules and the associated digest:
{
"_id":"customVulnerabilities",
"rules": [
{
"_id": "<ID>",
"package": "internal-lib",
"type": "package",
"minVersionInclusive": "1.1",
"name": "internal-lib",
"maxVersionInclusive": "1.8",
"md5": ""
}
],
"digest":"<DIGEST>"
}
Role
Minimum role required to access this endpoint: auditor.
Simultaneously updates all the custom vulnerabilities and associated rules for handling internally created or packaged apps.
cURL Request
The following cURL command updates a vulnerability for a library named internal-lib, and specifies that its versions 1.1 to 1.8 are known to be vulnerable.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
{
"_id": "<ID>",
"package": "internal-lib",
"type": "package",
"minVersionInclusive": "1.1",
"name": "internal-lib",
"maxVersionInclusive": "1.8",
"md5": ""
}
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities
Note: No response will be returned upon successful execution.
Maintain your Custom Vulnerabilities
We suggest you maintain your custom vulnerabilities using the following steps:
- Get all the custom vulnerability rules from the
GET
endpoint and save the results to a file.
Note: You will need jq
to execute this command.
$ curl -k \
-u <USER> \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities \
| jq '.' > custom_vulnerability_rules.json
- Open the JSON file and add, modify, and/or delete the rules by directly editing the JSON output. For example:
{
"id": "customVulnerabilities",
"rules": [
{
"_id": "<ID>",
"package": "internal-lib",
"type": "package",
"minVersionInclusive": "1.1",
"name": "internal-lib",
"maxVersionInclusive": "1.8",
"md5": ""
}
],
"digest": "97de7f27XXXXXXXXXX"
}
Update the rules by pushing the new JSON payload. Note: Do not forget to specify the
@
symbol.$ curl -k \ -u <USER> \ -X PUT \ -H "Content-Type:application/json" \ -d @custom_vulnerability_rules.json \ https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities
Run the cURL command for the
GET /api/v1/feeds/custom/custom-vulnerabilities
endpoint and you can see that the previously installed rules are now overwritten with your new rules.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities
Role
Minimum role required to access this endpoint: operator.
get /feeds/custom/custom-vulnerabilities
Retrieves the list of custom vulnerabilities and associated rules for handling internally created or packaged apps.
This list is used by the Prisma Cloud Compute scanner to detect vulnerable custom components (apps, libraries, etc) that were developed and packaged internally.
Note: When a vulnerable custom component is detected in an image, a vulnerability rule must exist to tell Prisma Cloud Compute how to handle it. Vulnerability rules can be created in the Console UI or with the /api/v1/vulnerability/<RESOURCE-TYPE> endpoint; see that endpoint for more information.
cURL Request
The following cURL command retrieves a list of all the custom vulnerabilities and associated rules.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities
Response
A successful response will return a list of custom vulnerability rules and the associated digest:
{
"_id":"customVulnerabilities",
"rules": [
{
"_id": "<ID>",
"package": "internal-lib",
"type": "package",
"minVersionInclusive": "1.1",
"name": "internal-lib",
"maxVersionInclusive": "1.8",
"md5": ""
}
],
"digest":"<DIGEST>"
}
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties- _id: (string)
ID is the custom vulnerabilities feed ID
- digest: (string)
Digest is the internal custom vulnerabilities feed digest
- rules: (array of objects)
Rules is the list of custom vulnerability rules. Each rule has the following properties:
- _id: (string)
- maxVersionInclusive: (string)
Highest affected version (inclusive)
- md5: (string)
- minVersionInclusive: (string)
Lowest affected version (inclusive)
- name: (string)
- package: (string)
- type: (string)
Type is the custom vulnerability type. Range of acceptable values: nodejs, gem, python, jar, package, windows, binary, nuget
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
put /feeds/custom/custom-vulnerabilities
Replaces the complete set of custom vulnerabilities and associated rules for handling internally created or packaged apps. Any rule that is not included in the request body is removed.
cURL Request
The following cURL command defines a vulnerability for a library named internal-lib, and specifies that its versions 1.1 to 1.8 (inclusive) are known to be vulnerable.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
{
"_id": "<ID>",
"package": "internal-lib",
"type": "package",
"minVersionInclusive": "1.1",
"name": "internal-lib",
"maxVersionInclusive": "1.8",
"md5": ""
}
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities
Note: A successful request returns an empty response body.
Maintain your Custom Vulnerabilities
Because PUT replaces the complete list, we suggest you maintain your custom vulnerabilities using the following steps:
- Get all the custom vulnerability rules from the GET endpoint and save the results to a file. Note: You will need jq to execute this command.
$ curl -k \
-u <USER> \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities \
| jq '.' > custom_vulnerability_rules.json
- Open the JSON file and add, modify, and/or delete the rules by directly editing the JSON output. For example:
{
"_id": "customVulnerabilities",
"rules": [
{
"_id": "<ID>",
"package": "internal-lib",
"type": "package",
"minVersionInclusive": "1.1",
"name": "internal-lib",
"maxVersionInclusive": "1.8",
"md5": ""
}
],
"digest": "97de7f27XXXXXXXXXX"
}
- Update the rules by pushing the new JSON payload. Note: Do not forget the @ symbol before the file name; without it, cURL sends the literal string custom_vulnerability_rules.json as the request body.
$ curl -k \
-u <USER> \
-X PUT \
-H 'Content-Type: application/json' \
-d @custom_vulnerability_rules.json \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities
- Run the cURL command for the GET /api/v1/feeds/custom/custom-vulnerabilities endpoint and confirm that the previously installed rules have been replaced by your new rules.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities
Role
Minimum role required to access this endpoint: operator.
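The maintenance procedure above, as an added example in Python that is not part of the Prisma Cloud Compute documentation or product. It performs the same GET, edit, PUT and verification steps against the documented endpoints, validates the edited rule against the schema (allowed type values, version range, MD5 format), and uses the feed digest to detect that someone else changed the list between the read and the write; since PUT replaces the whole list, a blind write would silently drop their rules. The FakeConsole class is a constructed in-memory stand-in for Console so the script runs offline; its sha256-based digest only stands in for Console's internal digest, and the assumption that the /digest endpoint returns the digest as a string and that PUT returns an empty body is taken from the page. Console address, credentials and rule contents are placeholders. Unlike the cURL examples, the transport keeps TLS verification on: for a self-signed Console certificate pass its CA file as cafile rather than disabling verification.

```python
"""Maintain the custom vulnerabilities feed: GET, merge, PUT, verify.

Added example, not Prisma Cloud Compute code.  Console address, user and
rule contents are placeholders.  FakeConsole is a constructed stand-in so
the script runs offline; its digest is sha256 of the rules, not Console's.
"""
import base64
import hashlib
import json
import re
import ssl
import urllib.request

FEED_PATH = "/api/v1/feeds/custom/custom-vulnerabilities"
# Range of acceptable values for a rule's "type", from the endpoint schema.
ALLOWED_TYPES = {"nodejs", "gem", "python", "jar", "package", "windows", "binary", "nuget"}


def version_key(version):
    """Order dotted versions numerically, so '1.10' sorts after '1.8'."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def validate_rule(rule):
    """Reject a rule the scanner could not apply as intended; returns the rule."""
    if rule.get("type") not in ALLOWED_TYPES:
        raise ValueError(f"unknown rule type {rule.get('type')!r}")
    if not rule.get("name"):
        raise ValueError("rule needs a name")
    low, high = rule.get("minVersionInclusive", ""), rule.get("maxVersionInclusive", "")
    if low and high and version_key(low) > version_key(high):
        raise ValueError(f"minVersionInclusive {low} is above maxVersionInclusive {high}")
    if rule.get("md5") and not re.fullmatch(r"[0-9a-fA-F]{32}", rule["md5"]):
        raise ValueError(f"md5 {rule['md5']!r} is not 32 hex digits")
    return rule


def rule_key(rule):
    """Compare rules on the fields the operator controls; _id is left out."""
    return tuple(rule.get(f, "") for f in ("name", "type", "package",
                                           "minVersionInclusive", "maxVersionInclusive", "md5"))


def merge_rule(rules, new_rule):
    """Replace the rule with the same name and type, else append.  PUT replaces
    the whole feed, so every rule that should survive must be resubmitted."""
    validate_rule(new_rule)
    target = (new_rule["name"], new_rule["type"])
    return [r for r in rules if (r.get("name"), r.get("type")) != target] + [new_rule]


def basic_auth_headers(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Content-Type": "application/json"}


def http_json(method, url, headers, body=None, cafile=None):
    """Transport over urllib.  TLS stays verified: for a self-signed Console
    certificate pass its CA as cafile rather than disabling verification."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context(cafile=cafile)) as resp:
        raw = resp.read()                       # urlopen raises on 4xx/5xx
    try:
        return json.loads(raw) if raw else None  # PUT returns an empty body
    except ValueError:
        return raw.decode().strip()             # /digest served as a bare string


def update_feed(console, headers, new_rule, transport=http_json):
    """GET -> edit -> PUT -> GET, with a digest check just before the write."""
    url = f"https://{console}{FEED_PATH}"
    current = transport("GET", url, headers)
    rules = merge_rule(current.get("rules") or [], new_rule)
    # Optimistic concurrency: a moved digest means another operator edited the
    # feed after our read, and a blind PUT would overwrite their change.
    if transport("GET", url + "/digest", headers) != current["digest"]:
        raise RuntimeError("feed changed since it was read; fetch and merge again")
    transport("PUT", url, headers, {"rules": rules})
    after = transport("GET", url, headers)
    if sorted(map(rule_key, after.get("rules") or [])) != sorted(map(rule_key, rules)):
        raise RuntimeError("rules read back from Console differ from the pushed rules")
    return after


class FakeConsole:
    """Constructed in-memory stand-in for the three endpoints (offline demo)."""
    def __init__(self, rules, inject_after_read=None):
        self.rules = list(rules)
        self.inject = inject_after_read          # simulates a concurrent editor

    def digest(self):
        return hashlib.sha256(json.dumps(self.rules, sort_keys=True).encode()).hexdigest()

    def __call__(self, method, url, headers, body=None):
        if url.endswith("/digest"):
            return self.digest()
        if method == "PUT":
            self.rules = [validate_rule(dict(r, _id=f"id{i}")) for i, r in enumerate(body["rules"])]
            return None
        snapshot = {"_id": "customVulnerabilities", "rules": list(self.rules), "digest": self.digest()}
        if self.inject:                          # someone else writes right after our read
            self.rules.append(self.inject)
            self.inject = None
        return snapshot


INTERNAL_LIB = {"name": "internal-lib", "package": "internal-lib", "type": "package",
                "minVersionInclusive": "1.1", "maxVersionInclusive": "1.8", "md5": ""}

if __name__ == "__main__":
    console = FakeConsole([INTERNAL_LIB])       # use transport=http_json against a real Console
    widened = dict(INTERNAL_LIB, maxVersionInclusive="1.10")
    headers = basic_auth_headers("<USER>", "<PASSWORD>")
    print(json.dumps(update_feed("<CONSOLE>", headers, widened, transport=console), indent=2))
```

The digest check narrows the window for lost updates but does not close it: two writers can still pass the check and PUT back to back. If that matters, keep the feed in version control and make one job the only writer.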
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties- _id: (string)
ID is the custom vulnerabilities feed ID
- digest: (string)
Digest is the internal custom vulnerabilities feed digest
- rules: (array of objects)
Rules is the list of custom vulnerability rules. Each rule has the following properties:
- _id: (string)
- maxVersionInclusive: (string)
Highest affected version (inclusive)
- md5: (string)
- minVersionInclusive: (string)
Lowest affected version (inclusive)
- name: (string)
- package: (string)
- type: (string)
Type is the custom vulnerability type. Range of acceptable values: nodejs, gem, python, jar, package, windows, binary, nuget
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /feeds/custom/custom-vulnerabilities/digest
Returns the unique digest for the custom vulnerabilities and associated rules for handling internally created or packaged apps.
cURL Request
The following cURL command retrieves the digest for the configured custom vulnerabilities.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities/digest
A successful response will return the digest string. This is the same value as the digest property in the response of the GET /api/v1/feeds/custom/custom-vulnerabilities endpoint.
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /feeds/custom/cve-allow-list
Retrieves the list of globally whitelisted Common Vulnerabilities and Exposures (CVE).
cURL Request
The following cURL command retrieves the globally whitelisted CVE list.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/cve-allow-list
Response
A successful response will return a CVE list that will be used for global whitelisting.
{
"_id":"cveAllowList",
"rules": [
{
"cve": "CVE-2018-2222",
"expiration": "2020-06-18T00:00:00Z"
}
],
"digest":"<DIGEST>"
}
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties- _id: (string)
ID is the id of the feed
- digest: (string)
Digest is the feed digest
- rules: (array of objects)
Rules is the list of allowed CVEs. Each entry has the following properties:
- cve: (string)
CVE is the CVE to allow
- description: (string)
Description is the description of why this CVE is allowed
- expiration: (datetime)
Expiration is the expiration date for the allowed CVE
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
put /feeds/custom/cve-allow-list
Replaces the global CVE allow list (whitelist) with the given set of Common Vulnerabilities and Exposures (CVE) entries. Each entry stays in effect until its expiration date.
Note: Any previously installed list is overwritten, so include every CVE that should remain allowed.
cURL Request
The following cURL command installs a globally whitelisted CVE list.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
{
"cve": "CVE-2018-2222",
"expiration": "2020-06-18T00:00:00Z"
}
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/cve-allow-list
Note: No response will be returned upon successful execution.
To confirm the CVE list has been added to the global whitelist, invoke the GET /api/v1/feeds/custom/cve-allow-list endpoint.
Role
Minimum role required to access this endpoint: operator.
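Because PUT replaces the whole allow list, it is safer to regenerate the list from a reviewed source than to edit it in place. The following added example (Python, not part of the Prisma Cloud Compute documentation or product) builds the PUT body for this endpoint from candidate entries: it rejects malformed CVE identifiers (an entry that matches nothing is a silent no-op), drops entries whose expiration has already passed, and keeps the earlier expiration when the same CVE is listed twice. The requirement that every entry carries a description and a future expiration of at most 90 days is this example's own policy, not something the API enforces. The sample entries, including the page's own CVE-2018-2222 with its 2020 expiration, are constructed, and DEMO_NOW fixes the clock so the result is reproducible.

```python
"""Build a reviewed payload for PUT /api/v1/feeds/custom/cve-allow-list.

Added example, not Prisma Cloud Compute code.  Requiring a description and a
future expiration of at most MAX_LIFETIME on every entry is this example's
own policy, not an API rule.  Sample entries are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")
MAX_LIFETIME = timedelta(days=90)     # assumed policy: no open-ended exceptions
RFC3339 = "%Y-%m-%dT%H:%M:%SZ"        # the form the feed uses, e.g. 2020-06-18T00:00:00Z


def parse_rfc3339(value):
    """Parse the feed's datetime form, tolerating fractional seconds."""
    value = re.sub(r"\.\d+", "", value.strip())
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)


def build_allow_list(candidates, now):
    """Return (payload, rejected).  payload is the PUT body; rejected holds
    (entry, reason) pairs so the review trail shows what was left out."""
    accepted, rejected = {}, []
    for entry in candidates:
        cve = (entry.get("cve") or "").strip().upper()
        reason = None
        if not CVE_ID.match(cve):
            reason = "malformed CVE id (would match nothing and silently do nothing)"
        elif not (entry.get("description") or "").strip():
            reason = "missing description (who approved the exception and why?)"
        elif not entry.get("expiration"):
            reason = "missing expiration (exceptions must not be open-ended)"
        if reason is None:
            try:
                expires = parse_rfc3339(entry["expiration"])
            except ValueError:
                reason = "unparseable expiration"
            else:
                if expires <= now:
                    reason = "already expired"
                elif expires - now > MAX_LIFETIME:
                    reason = f"expiration beyond the {MAX_LIFETIME.days}-day policy"
        if reason:
            rejected.append((entry, reason))
            continue
        # Same CVE listed twice: keep whichever expires sooner.
        if cve not in accepted or expires < parse_rfc3339(accepted[cve]["expiration"]):
            accepted[cve] = {"cve": cve, "description": entry["description"].strip(),
                             "expiration": expires.strftime(RFC3339)}
    return {"rules": sorted(accepted.values(), key=lambda r: r["cve"])}, rejected


DEMO_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE = [  # constructed; the first entry is the page's own example, long expired
    {"cve": "CVE-2018-2222", "expiration": "2020-06-18T00:00:00Z", "description": "legacy"},
    {"cve": "cve-2022-0001", "description": "affected code path not reachable; ticket SEC-1",
     "expiration": "2024-02-01T00:00:00Z"},
    {"cve": "CVE-2022-0001", "description": "same CVE, shorter exception",
     "expiration": "2024-01-15T00:00:00Z"},
    {"cve": "CVE-2023-1234", "description": "", "expiration": "2024-01-20T00:00:00Z"},
    {"cve": "2023-9999", "description": "typo in the id", "expiration": "2024-01-20T00:00:00Z"},
    {"cve": "CVE-2023-5678", "description": "vendor fix pending", "expiration": "2025-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    payload, rejected = build_allow_list(SAMPLE, DEMO_NOW)
    print(payload)
    for entry, why in rejected:
        print("rejected", entry.get("cve"), "-", why)
```

Write the returned payload to a file and push it with `-d @file.json` as in the cURL example above; the rejected list is what a reviewer should see before the push, since anything in it is either a typo or an exception that someone wanted to keep open longer than policy allows.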
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties- _id: (string)
ID is the id of the feed
- digest: (string)
Digest is the feed digest
- rules: (array of objects)
Rules is the list of allowed CVEs. Each entry has the following properties:
- cve: (string)
CVE is the CVE to allow
- description: (string)
Description is the description of why this CVE is allowed
- expiration: (datetime)
Expiration is the expiration date for the allowed CVE
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /feeds/custom/cve-allow-list/digest
Retrieves the digest string for the Common Vulnerabilities and Exposures (CVE) allow list configured in Console.
cURL Request
The following cURL command retrieves the digest for the configured CVE allow list.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/cve-allow-list/digest
A successful response will return the digest string. This is the same value as the digest property in the response of the GET /api/v1/feeds/custom/cve-allow-list endpoint.
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /feeds/custom/ips
Retrieves the customized list of blacklisted suspicious or high-risk IP addresses.
cURL Request
The following cURL command retrieves the list of globally blacklisted suspicious or high-risk IP addresses.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/ips
Response
A successful response will return a list of suspicious or high-risk IP addresses that will be banned.
{
"_id":"<ID>",
"modified":"<TIMESTAMP>",
"feed":["193.171.1.1","193.171.1.2"],
"digest":"<DIGEST>"
}
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties- _id: (string)
ID is the custom feed id
- digest: (string)
Digest is an internal digest of the custom ip feed
- feed: (array of strings)
Feed is the list of custom IP addresses to ban
- modified: (datetime)
Modified is the last time the custom feed was modified
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
put /feeds/custom/ips
Bans a custom list of suspicious or high-risk IP addresses.
Note: Any previously installed lists are overwritten.
cURL Request
The following cURL command installs a custom list of banned suspicious or high-risk IP addresses.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d '{"name":"banned-ips", "feed":["193.171.1.1","193.171.1.2"]}' \
https://<CONSOLE>/api/v1/feeds/custom/ips
Note: No response will be returned upon successful execution.
To confirm the IPs have been added to the ban list, invoke the GET /api/v1/feeds/custom/ips endpoint.
Role
Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties- _id: (string)
ID is the custom feed id
- digest: (string)
Digest is an internal digest of the custom ip feed
- feed: (array of strings)
Feed is the list of custom IP addresses to ban
- modified: (datetime)
Modified is the last time the custom feed was modified
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /feeds/custom/ips/digest
Retrieves the digest string for the list of suspicious or high-risk IP addresses configured in Console.
cURL Request
The following cURL command retrieves the digest for the banned suspicious or high-risk IP addresses.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/ips/digest
A successful response will return the digest string. This is the same value as the digest property in the response of the GET /api/v1/feeds/custom/ips endpoint.
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /feeds/custom/malware
Retrieves the customized list of MD5 signatures of malicious executables.
cURL Request
The following cURL command retrieves the list of MD5 signatures of malicious executables.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/malware
Response
A successful response will return a list of MD5 signatures of malicious executables.
{
"_id":"<ID>",
"modified":"<TIMESTAMP>",
"feed": [
{
"name": "dimaaa",
"md5": "d4ba1008e7d97458fdd65deca2ba801b"
},
{
"name": "emacs",
"md5": "5ce9d1116755f827f5d1e06246dd30b9"
}
],
"digest":"<DIGEST>"
}
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties- _id: (string)
ID is the custom feed id
- digest: (string)
Digest is an internal digest of the feed
- feed: (array of objects)
Feed is the list of custom malware signatures. Each entry has the following properties:
- md5: (string)
- modified: (integer)
Modified is the time the malware was added to the DB
- name: (string)
- modified: (datetime)
Modified is the last time the custom feed was modified
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
put /feeds/custom/malware
Creates a custom list of malware MD5 signatures of malicious executables.
Note: Any previously installed lists are overwritten.
cURL Request
The following cURL command installs a custom list of malware MD5 signatures of malicious executables.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"name": "malware-sigs",
"feed": [
{
"name": "dimaaa",
"md5": "d4ba1008e7d97458fdd65deca2ba801b"
},
{
"name": "emacs",
"md5": "5ce9d1116755f827f5d1e06246dd30b9"
}
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/malware
Note: No response will be returned upon successful execution.
To confirm the list was installed, replacing any previously installed list, invoke the GET /api/v1/feeds/custom/malware endpoint.
Role
Minimum role required to access this endpoint: operator.
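The IP feed (PUT /api/v1/feeds/custom/ips above) and the malware feed are both replaced wholesale by PUT, so the payload is best generated from a reviewed source rather than typed into a cURL command. The following added example (Python, not part of the Prisma Cloud Compute documentation or product) builds both request bodies. build_ip_feed normalizes and validates addresses with the standard ipaddress module and drops duplicates; refusing loopback, link-local and RFC 1918 addresses is this example's own policy (banning them would cut off the cluster's own traffic), not an API rule. malware_entry derives an entry from a captured sample's bytes so the MD5 is computed rather than transcribed, and build_malware_feed rejects anything that is not 32 hex digits and lower-cases the rest. The addresses (documentation ranges), the sample bytes and the feed names are constructed.

```python
"""Build payloads for PUT /api/v1/feeds/custom/ips and /api/v1/feeds/custom/malware.

Added example, not Prisma Cloud Compute code.  Refusing to ban loopback,
link-local and RFC 1918 space is this example's policy, not an API rule.
All sample addresses, bytes and names are constructed.
"""
import hashlib
import ipaddress
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")
# Address space a ban list should never contain: blocking it would cut off
# the cluster's own traffic rather than an external attacker.
NEVER_BAN = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",          # loopback, link-local, this host
    "::1/128", "fe80::/10", "fc00::/7", "::/128")]


def build_ip_feed(name, candidates):
    """Return (payload, rejected) for the ips endpoint; payload is the PUT body."""
    accepted, rejected, seen = [], [], set()
    for raw in candidates:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            rejected.append((raw, "not a single IP address (CIDR ranges and host names are not accepted)"))
            continue
        if any(addr in net for net in NEVER_BAN):
            rejected.append((raw, "policy: internal/loopback/link-local space is never banned"))
        elif addr in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(addr)
            accepted.append(str(addr))        # canonical text, e.g. compressed IPv6
    return {"name": name, "feed": accepted}, rejected


def malware_entry(name, sample_bytes):
    """Feed entry for a captured sample: the hash is computed, not transcribed."""
    return {"name": name, "md5": hashlib.md5(sample_bytes).hexdigest()}


def build_malware_feed(name, entries):
    """Return (payload, rejected) for the malware endpoint."""
    accepted, rejected, seen = [], [], set()
    for entry in entries:
        md5 = (entry.get("md5") or "").strip().lower()
        if not MD5_HEX.match(md5):
            rejected.append((entry, "md5 is not 32 hex digits"))
        elif md5 in seen:
            rejected.append((entry, "duplicate hash"))
        elif not entry.get("name"):
            rejected.append((entry, "missing name"))
        else:
            seen.add(md5)
            accepted.append({"name": entry["name"], "md5": md5})
    return {"name": name, "feed": accepted}, rejected


# Constructed samples; 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 are
# documentation ranges (RFC 5737, RFC 3849), not real hosts.
IP_CANDIDATES = ["203.0.113.10", " 203.0.113.10 ", "198.51.100.7", "10.0.0.5",
                 "127.0.0.1", "2001:db8::0001", "203.0.113.0/24", "bad.host"]
SAMPLE_BYTES = b"#!/bin/sh\necho constructed sample, not real malware\n"
MALWARE_CANDIDATES = [
    malware_entry("dropper.sh", SAMPLE_BYTES),
    {"name": "typed-in", "md5": "D4BA1008E7D97458FDD65DECA2BA801B"},   # page's own hash, upper-cased
    {"name": "short", "md5": "d4ba1008"},
    {"name": "dup", "md5": "d4ba1008e7d97458fdd65deca2ba801b"},
]

if __name__ == "__main__":
    for payload, rejected in (build_ip_feed("banned-ips", IP_CANDIDATES),
                              build_malware_feed("malware-sigs", MALWARE_CANDIDATES)):
        print(payload)
        for item, why in rejected:
            print("  rejected", item, "-", why)
```

Push each payload exactly as the cURL examples do (`-d @ips.json`, `-d @malware.json`). An MD5 feed matches only byte-identical files: a recompiled, repacked or padded variant has a different hash, so treat the feed as a list of known samples rather than as coverage for a malware family.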
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties- _id: (string)
ID is the custom feed id
- digest: (string)
Digest is an internal digest of the feed
- feed: (array of objects)
Feed is the list of custom malware signatures. Each entry has the following properties:
- md5: (string)
- modified: (integer)
Modified is the time the malware was added to the DB
- name: (string)
- modified: (datetime)
Modified is the last time the custom feed was modified
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /feeds/custom/malware/digest
Retrieves the digest string for all the MD5 signatures of malicious executables configured in Console.
cURL Request
The following cURL command retrieves the digest for the configured list for the MD5 signatures of malicious executables.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/malware/digest
A successful response returns the digest string. This is the same value as the digest property in the response of the GET /api/v1/feeds/custom/malware endpoint.
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
put /feeds/force-refresh
ForceIntelligenceUpdate pushes or polls the intelligence feeds on demand. Minimum role required to access this endpoint: operator.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
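Every endpoint in this section accepts either basicAuth or a jwtAccessToken, and the 401 text distinguishes an expired token from bad credentials. The following Python, added here as an illustration and not part of the Prisma Cloud Compute API documentation, builds both Authorization header forms and reads the exp claim out of a token so a client can fall back to re-authentication before Console answers 401. It decodes the example token printed in the documentation above; the username and password are constructed. Reading claims this way does not verify the HS256 signature (only Console holds the key), so the result is bookkeeping, not trust.

```python
import base64
import json
import time

# Example access token as printed in this documentation's jwtAccessToken section.
DOC_EXAMPLE_TOKEN = (
    "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9."
    "eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ."
    "X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik"
)


def basic_auth_header(username: str, password: str) -> str:
    """Authorization value for the basicAuth scheme: Base64 of 'username:password'."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def bearer_header(token: str) -> str:
    """Authorization value for the jwtAccessToken scheme."""
    return "Bearer " + token


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Read a JWT's claims WITHOUT verifying its signature (client-side bookkeeping only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    header = json.loads(_b64url_decode(parts[0]))
    if header.get("typ", "JWT") != "JWT":
        raise ValueError("unexpected token type")
    return json.loads(_b64url_decode(parts[1]))


def token_seconds_remaining(token: str, now=None) -> float:
    """Seconds until the exp claim; a value <= 0 means Console will answer 401."""
    now = time.time() if now is None else now
    return jwt_claims(token)["exp"] - now


def authorization_header(token=None, username=None, password=None, now=None) -> str:
    """Prefer a still-valid bearer token; fall back to basic credentials if one is available."""
    if token and token_seconds_remaining(token, now) > 0:
        return bearer_header(token)
    if username is not None and password is not None:
        return basic_auth_header(username, password)
    raise RuntimeError("access token expired and no credentials given; call /api/v1/authenticate again")


if __name__ == "__main__":
    claims = jwt_claims(DOC_EXAMPLE_TOKEN)
    print("issued to:", claims["data"]["username"], "role:", claims["data"]["role"])
    print("lifetime (s):", claims["exp"] - claims["iat"])
    print(authorization_header(DOC_EXAMPLE_TOKEN, "admin", "constructed-password"))
```

The documentation's example token carries iat and exp one day apart, so a script that caches a token overnight should expect the "token is expired" 401 and re-authenticate instead of retrying.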
Forensics
The forensic endpoint will return data for host activities.
get /forensic/activities
Retrieves all host activities that can be found on Monitor > Events > Host Activities.
Use the query parameters to filter what data is returned.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/forensic/activities
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- fields: (string)
Fields is used to fetch specific host activities fields
- from: (datetime)
From is an optional minimum time constraint for the activity
- hostname: (string)
Hosts is the list of hosts to use for filtering
- service: (string)
Services is the list of services to use for filtering
- to: (datetime)
To is an optional maximum time constraint for the activity
- type: (string)
Types is the activity type filter
- user: (string)
Users is the list of users to use for filtering
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- accountID: (string)
AccountID is the cloud account ID
- affectedServices: (string)
AffectedServices is the affected systemd service
- cluster: (string)
Cluster is the cluster from which the audit originated
- collections: (string)
Collections are collections to which this host activity applies
- command: (string)
Command is the original (with arguments) command the user invoked
- hostname: (string)
Hostname the activity originated from
- interactive: (boolean)
Interactive indicates that the target process was spawned in an interactive session
- modifiedFiles: (string)
ModifiedFiles is the related modified files
- ruleName: (string)
RuleName is the name of the rule applied to the host activity
- service: (string)
Service is the owning systemd service
- time: (datetime)
Time is time of the activity
- type: (object)
ActivityType is the type of the activity. Range of acceptable values: app restart, app install, app modified, cron modified, system update, system reboot, source modified, source added, iptables changed, secret modified, login, sudo, accounts modified, sensitive files modified, docker
- user: (string)
Username of the user that triggered the activity
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
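The query parameters and the response schema above are enough to write a small review tool. The following Python, added here as an illustration and not part of the Prisma Cloud Compute API documentation, builds a filtered request URL for GET /api/v1/forensic/activities (or the /download variant), rejects query parameters the endpoint does not document, and triages a response into records worth a first look, grouped by host. The activity records are constructed to match the documented properties and are not real Console output; the choice of which activity types count as high interest is this example's, not the product's.

```python
import json
from collections import Counter
from urllib.parse import urlencode

# Query parameters documented for GET /api/v1/forensic/activities and /download.
QUERY_PARAMS = {"cluster", "fields", "from", "hostname", "service", "to", "type", "user"}

# Range of acceptable values for the activity type, from the response schema.
ACTIVITY_TYPES = {
    "app restart", "app install", "app modified", "cron modified", "system update",
    "system reboot", "source modified", "source added", "iptables changed",
    "secret modified", "login", "sudo", "accounts modified",
    "sensitive files modified", "docker",
}

# Types to review first. This selection is the example's, not the product's.
HIGH_INTEREST = {"sudo", "login", "accounts modified", "sensitive files modified",
                 "secret modified", "iptables changed"}


def activities_url(console: str, download: bool = False, **filters) -> str:
    """Build the request URL, refusing filters the endpoint does not document."""
    unknown = set(filters) - QUERY_PARAMS
    if unknown:
        raise ValueError(f"undocumented query parameters: {sorted(unknown)}")
    path = "/api/v1/forensic/activities" + ("/download" if download else "")
    query = urlencode(sorted(filters.items()))
    return f"https://{console}:8083{path}" + (f"?{query}" if query else "")


def triage(activities: list) -> dict:
    """Split a response into flagged records, per-host counts, and unrecognised types."""
    flagged, by_host, unknown = [], Counter(), []
    for act in activities:
        kind = act.get("type")
        if kind not in ACTIVITY_TYPES:
            unknown.append(kind)   # schema drift or a parsing bug: do not silently drop
            continue
        if kind in HIGH_INTEREST:
            flagged.append(act)
            by_host[act.get("hostname", "?")] += 1
    # Interactive sessions first: a person typed these, so they need explaining soonest.
    flagged.sort(key=lambda a: (not a.get("interactive", False), a.get("time", "")))
    return {"flagged": flagged, "by_host": by_host, "unknown_types": unknown}


# Constructed records shaped like the documented response properties (not real Console output).
SAMPLE_ACTIVITIES = json.loads("""[
 {"hostname": "web-01", "type": "sudo", "interactive": true, "user": "deploy",
  "command": "sudo systemctl restart nginx", "time": "2024-05-01T10:02:00Z"},
 {"hostname": "web-01", "type": "app restart", "interactive": false,
  "service": "nginx.service", "affectedServices": "nginx.service", "time": "2024-05-01T10:02:01Z"},
 {"hostname": "db-01", "type": "accounts modified", "interactive": false, "user": "root",
  "command": "useradd -m backup2", "modifiedFiles": "/etc/passwd", "time": "2024-05-01T11:30:00Z"},
 {"hostname": "db-01", "type": "system update", "interactive": false, "time": "2024-05-01T12:00:00Z"},
 {"hostname": "web-02", "type": "bogus", "interactive": false, "time": "2024-05-01T12:05:00Z"}
]""")

if __name__ == "__main__":
    print(activities_url("<CONSOLE>", type="sudo", hostname="web-01"))
    result = triage(SAMPLE_ACTIVITIES)
    for act in result["flagged"]:
        print(act["time"], act["hostname"], act["type"], act.get("user"), act.get("command"))
    print("unknown types:", result["unknown_types"])
```

Pass the from and to filters as datetime strings, as the parameter table specifies; urlencode takes care of the colons. The same filters apply to the /download variant, so a scheduled export can reuse activities_url with download=True.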
get /forensic/activities/download
Downloads all host activities that can be found on Monitor > Events > Host Activities.
Use the query parameters to filter what data is returned.
$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_activities.csv \
https://<CONSOLE>:8083/api/v1/forensic/activities/download
Role
Minimum role required to access this endpoint: devSecOps.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- cluster: (string)
Clusters is the cluster filter
- fields: (string)
Fields is used to fetch specific host activities fields
- from: (datetime)
From is an optional minimum time constraint for the activity
- hostname: (string)
Hosts is the list of hosts to use for filtering
- service: (string)
Services is the list of services to use for filtering
- to: (datetime)
To is an optional maximum time constraint for the activity
- type: (string)
Types is the activity type filter
- user: (string)
Users is the list of users to use for filtering
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Groups
Manage (create, modify, delete) groups in the system. If you integrated OpenLDAP, AD, or SAML, you can re-use groups from there, and assign roles to them as appropriate. Otherwise, create Twistlock local groups to manage privileges for groups of users.
get /groups
Retrieves a list of all groups.
A curl command to access this endpoint may resemble the following code snippet:
$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/groups
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /groups
Adds a group to the system, or updates an existing one.
The following example command uses curl and basic auth to create a new group with two users. Note that the values for lastModified, owner, and _id do not need to be specified. They are automatically filled in by the system.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups
Role
Minimum role required to access this endpoint: admin.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is the group name
- groupId: (string)
GroupId is used as a group identifier in Azure SAML identification process
- groupName: (string)
Name is the group name
- lastModified: (datetime)
Modified is the last modification time of the group
- ldapGroup: (boolean)
LdapGroup indicates whether group is an ldap group
- oauthGroup: (boolean)
OauthGroup indicates whether group is oauth group
- oidcGroup: (boolean)
OidcGroup indicates whether group is oidc group
- owner: (string)
Owner is the group owner
- permissions: (object)
Permissions is the set of projects the group's users are assigned to and the set of collections the users may access in each project
- role: (object)
Role is the group role
- samlGroup: (boolean)
SamlGroup indicates whether group is saml group
- user: (object)
Users are the users associated with the group
- username: (string)
Name is the user name
- username: (string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /groups/names
Returns the names of all groups as strings in an array.
A curl command to access this endpoint may resemble the following code snippet:
$ curl -X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/groups/names
Sample output:
[
"admins",
"secops",
"devops",
""
]
Role
Minimum role required to access this endpoint: auditor.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
delete /groups/{id}
Deletes a group from the system. The group IDs can be retrieved with a GET from the /api/v1/groups endpoint.
A call to this API endpoint may resemble the following code snippet:
$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/groups/<ID>
Role
Minimum role required to access this endpoint: admin.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
put /groups/{id}
Adds a group to the system or modifies an existing one. The group IDs can be retrieved with a GET from the /api/v1/groups endpoint.
A call to this API endpoint may resemble the following code snippet:
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups/<ID>
Role
Minimum role required to access this endpoint: admin.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Body
Media type: application/json
Type: object
Properties
- _id: (string)
ID is the group name
- groupId: (string)
GroupId is used as a group identifier in Azure SAML identification process
- groupName: (string)
Name is the group name
- lastModified: (datetime)
Modified is the last modification time of the group
- ldapGroup: (boolean)
LdapGroup indicates whether group is an ldap group
- oauthGroup: (boolean)
OauthGroup indicates whether group is oauth group
- oidcGroup: (boolean)
OidcGroup indicates whether group is oidc group
- owner: (string)
Owner is the group owner
- permissions: (object)
Permissions is the set of projects the group's users are assigned to and the set of collections the users may access in each project
- role: (object)
Role is the group role
- samlGroup: (boolean)
SamlGroup indicates whether group is saml group
- user: (object)
Users are the users associated with the group
- username: (string)
Name is the user name
- username: (string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
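The group body documented for POST /api/v1/groups and PUT /api/v1/groups/{id} is also what GET /api/v1/groups returns, which makes a privilege review straightforward. The following Python, added here as an illustration and not part of the Prisma Cloud Compute API documentation, builds the body for a Console-local group and audits a GET response for admin-role groups, admin groups whose membership is controlled by an external identity provider, unnamed groups (the sample output for /groups/names shows an empty name), and local groups with no users. The sample response is constructed; the role names are the ones this documentation uses in its "Minimum role required" lines and are not assumed to be the complete set.

```python
import json

# Membership-source flags documented in the group body.
EXTERNAL_FLAGS = ("ldapGroup", "samlGroup", "oauthGroup", "oidcGroup")
# Roles named in this documentation's "Minimum role required" lines (not assumed complete).
KNOWN_ROLES = {"admin", "operator", "auditor", "devSecOps", "vulnerabilityManager"}


def local_group(group_name: str, usernames: list, role: str) -> dict:
    """Body for a Console-local group; lastModified, owner and _id are filled in by Console."""
    if role not in KNOWN_ROLES:
        raise ValueError(f"unknown role {role!r}")
    if not group_name.strip():
        raise ValueError("groupName must not be empty")
    body = {"groupName": group_name, "user": [{"username": u} for u in usernames], "role": role}
    body.update({flag: False for flag in EXTERNAL_FLAGS})
    return body


def is_external(group: dict) -> bool:
    """True when an identity provider, not Console, decides who is in the group."""
    return any(group.get(flag) for flag in EXTERNAL_FLAGS)


def audit_groups(groups: list) -> dict:
    """Review a GET /api/v1/groups response for privilege hygiene."""
    findings = {"admin_groups": [], "external_admin_groups": [],
                "unnamed_groups": 0, "empty_local_groups": []}
    for g in groups:
        name = g.get("groupName", "")
        if not name:
            findings["unnamed_groups"] += 1
        if g.get("role") == "admin":
            findings["admin_groups"].append(name)
            if is_external(g):
                # Console admin now follows whoever the IdP places in this group.
                findings["external_admin_groups"].append(name)
        if not is_external(g) and not g.get("user"):
            findings["empty_local_groups"].append(name)
    return findings


# Constructed GET /api/v1/groups response; the names follow the page's /groups/names
# sample output, everything else is made up for the example.
SAMPLE_GROUPS = json.loads("""[
 {"_id": "admins", "groupName": "admins", "role": "admin", "ldapGroup": false, "samlGroup": false,
  "user": [{"username": "ian"}, {"username": "toad"}]},
 {"_id": "secops", "groupName": "secops", "role": "admin", "ldapGroup": true, "samlGroup": false, "user": []},
 {"_id": "devops", "groupName": "devops", "role": "devSecOps", "ldapGroup": false, "samlGroup": true, "user": []},
 {"_id": "", "groupName": "", "role": "auditor", "ldapGroup": false, "samlGroup": false, "user": []}
]""")

if __name__ == "__main__":
    # Same shape as the -d payload in the documentation's POST /groups example.
    print(json.dumps(local_group("wonks", ["ian", "toad"], "admin")))
    print(json.dumps(audit_groups(SAMPLE_GROUPS), indent=2))
```

An external group mapped to admin is not wrong in itself, but it moves the decision about who administers Console into the directory, so the audit lists those separately for the reviewer.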
/harbor
get /harbor//api/v1/metadata
HarborScannerMetadata returns metadata of the PCC vulnerability scanner adapter for the Harbor registry. See https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
post /harbor//api/v1/scan
HarborScannerScan accepts an image vulnerability scan request from the Harbor registry and submits it asynchronously. See https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
get /harbor//api/v1/scan/{id}/report
HarborScannerInstanceReport returns the scan results of the requested scan via its ID. See https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
URI Parameters
- id: required(string)
Secured by basicAuth
Headers
- Authorization: required(string)
Used to send the Base64-encoded "username:password" credentials.
HTTP status code 401
Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.
Secured by jwtAccessToken
Headers
- Authorization: required(string)
When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.
Example:
Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik
HTTP status code 401
Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.
Host scan reports
Host scan reports.
Twistlock scans the host machines in your container environment for CVEs and compliance issues. Scan reports are generated for any host running Defender.
get /hosts
Retrieves all host scan reports. A curl command to access this endpoint may resemble the following code snippet.
Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.
$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/hosts
Role
Minimum role required to access this endpoint: vulnerabilityManager.
Authenticate each request with a username and password.
Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.
Query Parameters
- clusters: (string)
Clusters is the cluster filter
- compact: (boolean)
Compact indicates that only minimum image data should be sent (vulnerabilities, compliance and extended image metadata should be skipped)
- distro: (string)
Distro is the OS distro filter
- fields: (string)
Fields is used to fetch specific host fields
- hostname: (string)
Hostname is the hostname filter
- provider: (string)
Provider is the cloud provider filter
HTTP status code 200
Success
Body
Media type: application/json
Type: object
Properties
- inline: (object)
Holds static image data collected during static analysis
- binaries: (object)
Binaries are the binaries found in the image
- altered: (boolean)
Altered indicates the binary was installed from a package manager and modified/replaced
- cveCount: (integer)
CVECount is the total number of CVEs for this specific binary
- deps: (string)
Deps are the third party pkgs files that are used by the binary
- layerTime: (integer)
LayerTime is the layer to which the binary belongs - layer creation time
- md5: (string)
Md5 is the MD5 hash of the binary
- missingPkg: (boolean)
MissingPkg indicates this binary is not related to any package
- name: (string)
- path: (string)
Path is the relative binary path inside the container
- pkgRootDir: (string)
PkgRootDir is the path for searching packages used by the binary
- services: (string)
Services are the name of services that use the binary
- version: (string)
Version is the version of a specific binary
- altered: (boolean)
- distro: (string)
DistroName is the full name of the distro
- files: (object)
Files are all the files in the container
- md5: (string)
Md5 is the hash sum of the file by md5 method
- path: (string)
Path is the path to the specific file
- sha1: (string)
Sha1 is the hash sum of the file by sha1 method
- sha256: (string)
Sha256 is the hash sum of the file by sha256 method
- md5: (string)
- osDistro: (string)
OSDistro is the OS distro name (e.g., ubuntu)
- osDistroRelease: (string)
OSDistroRelease is the OS distro release (e.g., wily)
- osDistroVersion: (string)
OSDistroVersion is the OS distro version (e.g. 19.10)
- packageManager: (boolean)
PackageManager indicates whether package manager is installed on the OS
- packages: (object)
Packages are the packages that exist in the image
- pkgs: (object)
Packages is the list of packages
- binaryIdx: (object)
BinaryIdx are the indexes of the top binaries that use the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages built from the source of the package
- cveCount: (integer)
CVECount is the total number of CVEs for this specific package
- files: (object)
Files is the list of package related files and their hashes, only included when the appropriate scan option is set
- md5: (string)
Md5 is the hash sum of the file by md5 method
- path: (string)
Path is the path to the specific file
- sha1: (string)
Sha1 is the hash sum of the file by sha1 method
- sha256: (string)
Sha256 is the hash sum of the file by sha256 method
- md5: (string)
- layerTime: (integer)
LayerTime is the layer to which the package belongs - layer creation time
- license: (string)
License info for the package
- name: (string)
- path: (string)
Path is the full package path (e.g., JAR or nodejs package path)
- version: (string)
- binaryIdx: (object)
- pkgsType: (object)
Type is the package type. Range of acceptable values: nodejs, gem, python, jar, package, windows, binary, nuget
- pkgs: (object)
- startupBinaries: (object)
StartupBinaries are binaries that are expected to run when container is created from this image
- altered: (boolean)
Altered indicates that the binary was installed from a package manager and was later modified or replaced
- cveCount: (integer)
CVECount is the total number of CVEs for this specific binary
- deps: (string)
Deps are the third-party package files used by the binary
- layerTime: (integer)
LayerTime identifies the layer to which the binary belongs, given as the layer creation time
- md5: (string)
md5 is the MD5 hash of the binary
- missingPkg: (boolean)
MissingPkg indicates this binary is not related to any package
- name: (string)
- path: (string)
Path is the relative binary path inside the container
- pkgRootDir: (string)
PkgRootDir is the path for searching packages used by the binary
- services: (string)
Services are the name of services that use the binary
- version: (string)
Version is the version of a specific binary
- altered: (boolean)
- binaries: (object)
- _id: (string)
Id is the image identifier (image ID or repo:tag)
- allCompliance: (object)
AllCompliance lists all compliance checks the image is compliant with (failed compliance checks are filtered out)
- compliance: (object)
Compliance are all the passed compliance checks
- applicableRules: (string)
ApplicableRules are the rules applied to the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages built from the package's source
- block: (boolean)
Block indicates whether the vulnerability has a block effect
- cause: (string)
Cause provides additional information about the root cause of the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI-specific vulnerability
- custom: (boolean)
Custom indicates whether the vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the CVE ID of the vulnerability (if applicable)
- cvss: (number)
Cvss is the CVSS score of the vulnerability
- description: (string)
Description is the vulnerability's description
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime identifies the layer to which the CVE belongs, given as the layer creation time
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos holds the tag information attached to the vulnerability
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
- applicableRules: (string)
- enabled: (boolean)
Enabled indicates whether the passed compliance check is enabled by policy
- compliance: (object)
- baseImage: (string)
BaseImage is the name of the image's base image; it serves as an indicator when vulnerabilities are filtered by base image
- cloudMetadata: (object)
CloudMetadata is the cloud provider metadata of the host
- accountID: (string)
AccountID is the cloud account ID
- image: (string)
Image is the image name
- name: (string)
Name is the instance name
- provider: (object)
Provider is the cloud provider (AWS/GCP/Azure). Range of acceptable values: aws, azure, gcp, others
- region: (string)
Region is the instance region
- resourceID: (string)
ResourceID is the resource unique ID
- type: (string)
Type is the instance type
- accountID: (string)
- clusters: (string)
Clusters are the provided cluster names
- collections: (string)
Collections are collections to which this result applies
- complianceDistribution: (object)
ComplianceDistribution is the compliance issues distribution
- critical: (integer)
- high: (integer)
- low: (integer)
- medium: (integer)
- total: (integer)
- complianceIssues: (object)
ComplianceIssues are the compliance vulnerabilities of the image
- applicableRules: (string)
ApplicableRules are the rules applied to the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages built from the package's source
- block: (boolean)
Block indicates whether the vulnerability has a block effect
- cause: (string)
Cause provides additional information about the root cause of the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI-specific vulnerability
- custom: (boolean)
Custom indicates whether the vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the CVE ID of the vulnerability (if applicable)
- cvss: (number)
Cvss is the CVSS score of the vulnerability
- description: (string)
Description is the vulnerability's description
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime identifies the layer to which the CVE belongs, given as the layer creation time
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos holds the tag information attached to the vulnerability
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
- applicableRules: (string)
- complianceIssuesCount: (integer)
ComplianceIssuesCount is the total number of compliance issues
- complianceRiskScore: (number)
ComplianceRiskScore is the image's compliance risk score
- creationTime: (datetime)
CreationTime is the time when the image was created
- ecsClusterName: (string)
EcsClusterName is the ECS cluster name
- err: (string)
Err indicates an error that occurred during the image health scan
- externalLabels: (object)
ExternalLabels are the k8s external labels of all the containers running this image
- key: (string)
Key is the label key
- sourceName: (string)
SourceName is the source name; e.g., for a Namespace, the source name can be 'twistlock'
- sourceType: (object)
SourceType is the source type
- timestamp: (datetime)
Timestamp is the time in which the label was fetched
- value: (string)
Value is the label value
- key: (string)
- firewallProtection: (object)
FirewallProtection is the firewall protection status
- enabled: (boolean)
Enabled indicates that WAAS protection is enabled
- supported: (boolean)
Supported indicates that WAAS protection is supported
- enabled: (boolean)
- firstScanTime: (datetime)
FirstScanTime indicates the first time when this image was scanned (preserved during version updates)
- history: (object)
History is the docker image history
- baseLayer: (boolean)
BaseLayer indicates this layer originated from the base image
- created: (integer)
Created is the creation date of an image layer
- emptyLayer: (boolean)
EmptyLayer indicates this instruction didn't create a separate layer file
- id: (string)
ID is the layer ID
- instruction: (string)
Instruction is the Dockerfile instruction and arguments that created this layer
- sizeBytes: (integer)
SizeBytes is the layer size in bytes
- tags: (string)
ImageNames holds the image tags
- vulnerabilities: (object)
Vulnerabilities holds the list of the vulnerabilities that originated from this layer
- applicableRules: (string)
ApplicableRules are the rules applied to the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages built from the package's source
- block: (boolean)
Block indicates whether the vulnerability has a block effect
- cause: (string)
Cause provides additional information about the root cause of the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI-specific vulnerability
- custom: (boolean)
Custom indicates whether the vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the CVE ID of the vulnerability (if applicable)
- cvss: (number)
Cvss is the CVSS score of the vulnerability
- description: (string)
Description is the vulnerability's description
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime identifies the layer to which the CVE belongs, given as the layer creation time
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos holds the tag information attached to the vulnerability
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
- applicableRules: (string)
- baseLayer: (boolean)
- hostDevices: (object)
HostDevices is a map from host network device name to IP address
- ip: (string)
IP is the network device IPv4 address
- name: (string)
Name is the network device name
- ip: (string)
- hostname: (string)
Hostname is the name of the host that was scanned
- hosts: (object)
Hosts is an index for host scanning results. The key is the host being scanned
- id: (string)
Id is the image id
- image: (object)
Image is the image metadata associated with docker inspect
- created: (datetime)
Created is the image creation time
- entrypoint: (string)
Entrypoint is the combined entrypoint of the image (entrypoint + CMD)
- env: (string)
Env is the image environment variables
- healthcheck: (boolean)
HealthCheck indicates whether health check is enabled
- history: (object)
History holds the image history
- baseLayer: (boolean)
BaseLayer indicates this layer originated from the base image
- created: (integer)
Created is the creation date of an image layer
- emptyLayer: (boolean)
EmptyLayer indicates this instruction didn't create a separate layer file
- id: (string)
ID is the layer ID
- instruction: (string)
Instruction is the Dockerfile instruction and arguments that created this layer
- sizeBytes: (integer)
SizeBytes is the layer size in bytes
- tags: (string)
ImageNames holds the image tags
- vulnerabilities: (object)
Vulnerabilities holds the list of the vulnerabilities that originated from this layer
- applicableRules: (string)
ApplicableRules are the rules applied to the package
- binaryPkgs: (string)
BinaryPkgs are the names of the distro binary packages built from the package's source
- block: (boolean)
Block indicates whether the vulnerability has a block effect
- cause: (string)
Cause provides additional information about the root cause of the vulnerability
- cri: (boolean)
CRI indicates that this is a CRI-specific vulnerability
- custom: (boolean)
Custom indicates whether the vulnerability is a custom vulnerability, for example: openscap, sandbox
- cve: (string)
CVE is the CVE ID of the vulnerability (if applicable)
- cvss: (number)
Cvss is the CVSS score of the vulnerability
- description: (string)
Description is the vulnerability's description
- discovered: (datetime)
Discovered indicates when the vulnerability was discovered
- exploit: (object)
Exploit indicates if an exploit exists and its type. Range of acceptable values: exploit-db, exploit-windows
- fixDate: (integer)
FixDate is the vulnerability fix date (unix time)
- fixLink: (string)
FixLink is a link to the vendor fixed version info
- id: (integer)
Unique id to identify the violation
- layerTime: (integer)
LayerTime identifies the layer to which the CVE belongs, given as the layer creation time
- link: (string)
Link is the vendor link to the CVE
- packageName: (string)
PackageName is the name of the package that caused the vulnerability
- packageVersion: (string)
PackageVersion is the version of the package that caused the vulnerability (or null)
- published: (integer)
Published is the vulnerability publish date (unix time)
- riskFactors: (object)
RiskFactors are the vulnerability's risk factors
- severity: (string)
Severity is a textual representation of the vulnerability's severity.
- status: (string)
Status is the vendor status for the vulnerability
- templates: (object)
Templates is a list of templates that the vulnerability is associated with. Range of acceptable values: PCI, HIPAA, NIST SP 800-190, GDPR
- text: (string)
Text that explains the violation
- title: (string)
Title is the compliance title
- twistlock: (boolean)
Twistlock indicates that this is a Twistlock specific vulnerability
- type: (object)
Type is the vulnerability's type.
- vecStr: (string)
VectorString is a textual representation of the metric values used to score the vulnerability
- vulnTagInfos: (object)
VulnTagInfos holds the tag information attached to the vulnerability
- comment: (string)
Comment is the tag comment in a specific vulnerability context
- name: (string)
Name is the tag name
- comment: (string)
- applicableRules: (string)
- baseLayer: (boolean)
- id: (string)
ID is the image ID
- layers: (string)
Layers are the image filesystem layers
- os: (string)
OS is the image os type
- repoDigest: (string)
RepoDigests are the image repo digests
- repoTags: (string)
RepoTags are the image repo tags
- user: (string)
User is the image user
- workingDir: (string)
WorkingDir is the base working directory of the image
- created: (datetime)
- installedProducts: (object)
InstalledProducts contains data about the products running in the environment
- apache: (string)
Apache indicates the Apache server version; empty if Apache is not running
- awsCloud: (boolean)
AWSCloud indicates whether AWS cloud is used
- crio: (boolean)
CRI indicates whether the container runtime is CRI (and not docker)
- docker: (string)
Docker represents the docker daemon version
- hasPackageManager: (boolean)
HasPackageManager indicates whether a package manager is installed on the OS
- k8sApiServer: (boolean)
K8sApiServer indicates whether a kubernetes api server is running
- k8sControllerManager: (boolean)
K8sControllerManager indicates whether a kubernetes controller manager is running
- k8sEtcd: (boolean)
K8sEtcd indicates whether etcd is running
- k8sFederationApiServer: (boolean)
K8sFederationApiServer indicates whether a federation api server is running
- k8sFederationControllerManager: (boolean)
K8sFederationControllerManager indicates whether a federation controller manager is running
- k8sKubelet: (boolean)
K8sKubelet indicates whether kubelet is running
- k8sProxy: (bool
- apache: (string)