Prisma Cloud Compute API documentation version v1

https://{CONSOLE}:{PORT}/api/{version}

  • CONSOLE: required(string)

    Hostname or IP address where Console can be accessed.

  • PORT: required(string)

    Use port 8083 to access the API over HTTPS. You can configure Prisma Cloud Compute Console to use an alternative port at install time.

  • version: required(v1)

How to evaluate <CONSOLE>

All the example API commands in these documents specify a <CONSOLE> variable, which represents the address for Console. The Console address will depend on how Console was installed.

For SaaS Installations

To find your <CONSOLE> path for a SaaS environment:

  1. Log into Console.
  2. Navigate to Compute > Manage > System > Downloads.
  3. You can find your <CONSOLE> path listed under Path to Console. Click Copy to quickly copy the path to your clipboard.
console

For Self-hosted Installations

For self-hosted environments, the Prisma Cloud Compute API is exposed on port 8083 (HTTPS). This port is specified at install time in twistlock.cfg.

  • (Default) Kubernetes installations: Console service is exposed by a LoadBalancer.

The value for <CONSOLE> is the LoadBalancer followed by port 8083:

https://<LOAD_BALANCER>:8083
  • Onebox installations: Console installed on a stand-alone host.

The value for <CONSOLE> is the IP address or DNS name of the host followed by port 8083:

https://<IP_ADDRESS>:8083

Using the cURL API endpoint examples

The cURL example for each endpoint is called with a username (-u <USER>) only. The cURL can be modified to use any of the following:

  • Authentication Token: Use the -H option to pass the authentication token from the /api/v1/authenticate endpoint into the request header.

For example, replace <ACCESS_TOKEN> with the token from the /api/v1/authenticate endpoint.

$ curl -k \
-H 'Authorization: Bearer <ACCESS_TOKEN>' \
-X POST \
https://<CONSOLE>/api/v1/<ENDPOINT_PATH>
  • Username and Password: Use the -u and -p options to include the username and password, eliminating the need to enter a password in a secondary step.

For example, replace <USER> with the username string and <PASSWORD> with the password string.

$ curl -k \
-u <USER> \
-p <PASSWORD> \
-X POST \
https://<CONSOLE>/api/v1/<ENDPOINT_PATH>
  • Username Only: This will require the user's password to be entered as a secondary step.

For example, replace <USER> with the username string.

$ curl -k \
-u <USER> \
-X POST \
https://<CONSOLE>/api/v1/<ENDPOINT_PATH>

Note: This is a more secure method than including the -p option since your terminal history won't contain the password.

API restrictions

Paginated API requests are capped to a max of 50 returned objects because very large responses could DoS Console.

If the response contains more than 50 objects, cycle through the collection with the offset query parameter to retrieve more objects. For example:

https://<CONSOLE>/api/v1/images?limit=50&offset=X

_Ping

Checks if the Console is alive, responsive, and reachable from your network host.

get

get

Checks if Console is reachable from your network host.

cURL Request

The following cURL command pings Console and prints the HTTP response code:

$ curl -k \
-s \
-o /dev/null \
-w "%{http_code}\n" \
-X GET \
https://<CONSOLE>/api/v1/_ping

Role

Minimum role required to access this endpoint: anyone.

Alert profiles

Manage alert profiles, which let you surface critical policy breaches by sending alerts to channels, such as email, Slack, and JIRA.

Alert profiles define which events should be sent to which channel. Each profile declares:

  • One or more recipients.
  • One or more triggers, that raise alerts by sending messages on the configured channel.

get post

get

Retrieve a list of all alert profiles created in the system.

The following example curl command uses basic auth to retrieve all alert profiles:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles

Role

Minimum role required to access this endpoint: auditor.

post

Update an existing alert profile created in the system.

The following example curl command uses basic auth to add a Jira Alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/alert-profiles \
-d '  {
  "name": "jira",
  "_id": "jira",
  "jira": {
    "enabled": true,
    "projectKey": "TWIS",
    "issueType": "Task",
    "priority": "High",
    "labels": [],
    "assignee": ""
  }
  "policy": {
    "cve": {
      "enabled": true,
      "allRules": true,
      "rules": [],
      "clients": [
        "jira"
      ]
    }
  } '

Role

Minimum role required to access this endpoint: operator.

Update an existing alert profile created in the system.

The following example curl command uses basic auth to add a Jira Alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/alert-profiles \
-d '  {
  "name": "jira",
  "_id": "jira",
  "jira": {
    "enabled": true,
    "projectKey": "TWIS",
    "issueType": "Task",
    "priority": "High",
    "labels": [],
    "assignee": ""
  }
  "policy": {
    "cve": {
      "enabled": true,
      "allRules": true,
      "rules": [],
      "clients": [
        "jira"
      ]
    }
  } '

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is the alert profile ID

  • disabled: (boolean)

    Disabled states if the rule is currently disabled

  • email: (object)

    EmailSettings contains the email alert profile settings

    • credentialId: (string)

      CredentialID is the Email authentication credentials id

    • enabled: (boolean)
    • from: (string)

      From is the from address of the mail

    • labels: (string)

      Labels are custom label names from which the mail recipients are extracted, allowing to dynamically extract the target of the alerts

    • port: (integer)
    • recipients: (string)
    • smtpAddress: (string)
    • ssl: (boolean)
  • gcpPubsub: (object)

    GcpPubsubSettings contains the GCP Pub/Sub alert profile settings

    • credentialId: (string)

      CredentialID is the GCP Pub/Sub authentication credentials id

    • enabled: (boolean)

      Enabled indicates whether the GCP Pub/Sub settings are enabled

    • topic: (string)

      Topic is the GCP Pub/Sub topic (used by subscribers to listen for messages)

  • jira: (object)

    JIRASettings contains the JIRA alert profile settings

    • assignee: (object)

      Assignee is the assignee of the issue

      • id: (string)

        ID is the field ID

      • labels: (string)

        Labels are the dynamic labels of which the value is based on

      • name: (string)

        Name is the static string field

    • baseUrl: (string)

      BaseURL is the JIRA address

    • caCert: (string)

      CACert is the certificate used to verify the server

    • credentialId: (string)

      CredentialID is the JIRA authentication credentials id

    • enabled: (boolean)

      Enabled controls whether the rule is enabled

    • issueType: (string)

      IssueType is the type of the JIRA issue

    • labels: (object)

      Labels is the labels added to the created issue

      • labels: (string)

        Labels are the dynamic labels of which JIRA labels are based on

      • names: (string)

        Names are the static strings field

    • priority: (string)

      Priority is the issue priority

    • projectKey: (object)

      ProjectKey is the key of the project in which the issue will be created

      • id: (string)

        ID is the field ID

      • labels: (string)

        Labels are the dynamic labels of which the value is based on

      • name: (string)

        Name is the static string field

  • lastError: (string)

    LastError represents the last error when sending the profile

  • modified: (datetime)
  • name: (string)
  • notes: (string)

    Notes are the rule's user notes

  • owner: (string)
  • pagerduty: (object)

    PagerDutySettings contains the PagerDuty alert profile settings

    • enabled: (boolean)

      Enabled is PagerDuty provider enabled/disabled indicator

    • routingKey: (object)

      RoutingKey is the unique PagerDuty service id

      • encrypted: (string)
      • plain: (string)

        Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)

    • severity: (object)

      Severity is the PagerDuty's event severity

    • summary: (string)

      Summary is the PagerDuty's event summary

  • previousName: (string)

    PreviousName is the rule previous name, required for rule renaming

  • securityAdvisor: (object)

    SecurityAdvisor contains the IBM security advisor alert profile settings

    • auto: (boolean)

      Automatic means the configuration was automatically provisioned by security advisor, and only notes should be created

    • credentialID: (string)

      CredentialID is the IBM security advisor credential

    • enabled: (boolean)

      Enabled indicates whether the overbridge settings are enabled

    • findingsURL: (string)

      FindingsURL is the URL to which findings should be sent

    • providerId: (string)

      ProviderID is the configured providerID (default twistlock)

    • tokenURL: (string)

      TokenURL is the url from which security tokens should be fetched

  • securityCenter: (object)

    SecurityCenterSettings contains the security center alert profile settings

    • credentialId: (string)

      CredentialID is the Security Center authentication credentials id

    • enabled: (boolean)
    • sourceID: (string)

      SourceID is the google cloud security center organization source ID (used to construct security advisor findings)

  • securityHub: (object)

    SecurityHub contains the AWS security hub alert profile settings

    • accountID: (string)

      AccountID is the AWS account ID

    • credentialId: (string)

      CredentialID is the SecurityHub authentication credentials id

    • enabled: (boolean)

      Enabled indicates whether the overbridge settings are enabled

    • region: (string)

      Region is the overbridge region

  • serviceNow: (object)

    ServiceNowSettings contains the ServiceNow alert profile settings

    • application: (object)

      Application is the ServiceNow application this profile sends to

    • assignee: (string)

      Assignee is the ServiceNow user to whom will assign ServiceNow incidents\items

    • assignmentGroup: (string)

      AssignmentGroup is the ServiceNow group of users handling security incidents

    • auditPriority: (string)

      AuditPriority is the priority at which to set audit alerts in security incidents

    • caCert: (string)

      CA certificate for on-premise ssl (optional)

    • credentialID: (string)

      CredentialID is the ServiceNow authentication credentials id

    • enabled: (boolean)

      Enabled is the ServiceNow provider enabled/disabled indicator

    • project: (string)

      Project is the name of the prisma compute project that was used to generate this configuration. It's required as secondary consoles do not store their project name

    • securityIncidentBaseURL: (string)

      SecurityIncidentBaseURL is the ServiceNow address, used to send security incidents

    • vulnerabilityEndpointUrl: (string)

      VulnerabilityEndpointURL to report ServiceNow vulnerabilities, customer defined scripted REST API, see: https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/custom-web-services/concept/c_CustomWebServices.html

  • slack: (object)

    SlackSettings contains the slack alert profile settings

    • channels: (string)
    • enabled: (boolean)
    • users: (string)
    • webhookUrl: (string)
  • webhook: (object)

    WebhookSettings contains the Webhook alert profile settings

    • caCert: (string)

      CACert is the certificate used to verify the server

    • credentialId: (string)

      CredentialID is the id of the basic authentication credential

    • enabled: (boolean)

      Enabled is Webhook provider enabled/disabled indicator

    • json: (string)

      Json is the custom json we send to the url

    • url: (string)

      URL is the Webhook address

  • xsoar: (object)

    XSOARSettings contains the Cortex XSOAR alert profile settings

    • enabled: (boolean)

      Enabled is the XSOAR provider enabled/disabled indicator

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Retrieve a list of only the names of all alert profiles created in the system.

The following example curl command uses basic auth to retrieve all alert profiles' names:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles/names

Example Response:

[
  "jira",
  "aqsa vulns"
]

Role

Minimum role required to access this endpoint: auditor.

post

post

Sends a test alert to verify successful configuration of the alert profile settings.

The following example curl command uses basic auth to send test alert for an email alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d <REQUEST-PAYLOAD>
https://<CONSOLE>:8083/api/v1/alert-profiles/test

In this case, the REQUEST-PAYLOAD would be the full JSON formatted alert profile from the base GET command

Role

Minimum role required to access this endpoint: operator.

Sends a test alert to verify successful configuration of the alert profile settings.

The following example curl command uses basic auth to send test alert for an email alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d <REQUEST-PAYLOAD>
https://<CONSOLE>:8083/api/v1/alert-profiles/test

In this case, the REQUEST-PAYLOAD would be the full JSON formatted alert profile from the base GET command

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is the alert profile ID

  • disabled: (boolean)

    Disabled states if the rule is currently disabled

  • email: (object)

    EmailSettings contains the email alert profile settings

    • credentialId: (string)

      CredentialID is the Email authentication credentials id

    • enabled: (boolean)
    • from: (string)

      From is the from address of the mail

    • labels: (string)

      Labels are custom label names from which the mail recipients are extracted, allowing to dynamically extract the target of the alerts

    • port: (integer)
    • recipients: (string)
    • smtpAddress: (string)
    • ssl: (boolean)
  • gcpPubsub: (object)

    GcpPubsubSettings contains the GCP Pub/Sub alert profile settings

    • credentialId: (string)

      CredentialID is the GCP Pub/Sub authentication credentials id

    • enabled: (boolean)

      Enabled indicates whether the GCP Pub/Sub settings are enabled

    • topic: (string)

      Topic is the GCP Pub/Sub topic (used by subscribers to listen for messages)

  • jira: (object)

    JIRASettings contains the JIRA alert profile settings

    • assignee: (object)

      Assignee is the assignee of the issue

      • id: (string)

        ID is the field ID

      • labels: (string)

        Labels are the dynamic labels of which the value is based on

      • name: (string)

        Name is the static string field

    • baseUrl: (string)

      BaseURL is the JIRA address

    • caCert: (string)

      CACert is the certificate used to verify the server

    • credentialId: (string)

      CredentialID is the JIRA authentication credentials id

    • enabled: (boolean)

      Enabled controls whether the rule is enabled

    • issueType: (string)

      IssueType is the type of the JIRA issue

    • labels: (object)

      Labels is the labels added to the created issue

      • labels: (string)

        Labels are the dynamic labels of which JIRA labels are based on

      • names: (string)

        Names are the static strings field

    • priority: (string)

      Priority is the issue priority

    • projectKey: (object)

      ProjectKey is the key of the project in which the issue will be created

      • id: (string)

        ID is the field ID

      • labels: (string)

        Labels are the dynamic labels of which the value is based on

      • name: (string)

        Name is the static string field

  • lastError: (string)

    LastError represents the last error when sending the profile

  • modified: (datetime)
  • name: (string)
  • notes: (string)

    Notes are the rule's user notes

  • owner: (string)
  • pagerduty: (object)

    PagerDutySettings contains the PagerDuty alert profile settings

    • enabled: (boolean)

      Enabled is PagerDuty provider enabled/disabled indicator

    • routingKey: (object)

      RoutingKey is the unique PagerDuty service id

      • encrypted: (string)
      • plain: (string)

        Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)

    • severity: (object)

      Severity is the PagerDuty's event severity

    • summary: (string)

      Summary is the PagerDuty's event summary

  • previousName: (string)

    PreviousName is the rule previous name, required for rule renaming

  • securityAdvisor: (object)

    SecurityAdvisor contains the IBM security advisor alert profile settings

    • auto: (boolean)

      Automatic means the configuration was automatically provisioned by security advisor, and only notes should be created

    • credentialID: (string)

      CredentialID is the IBM security advisor credential

    • enabled: (boolean)

      Enabled indicates whether the overbridge settings are enabled

    • findingsURL: (string)

      FindingsURL is the URL to which findings should be sent

    • providerId: (string)

      ProviderID is the configured providerID (default twistlock)

    • tokenURL: (string)

      TokenURL is the url from which security tokens should be fetched

  • securityCenter: (object)

    SecurityCenterSettings contains the security center alert profile settings

    • credentialId: (string)

      CredentialID is the Security Center authentication credentials id

    • enabled: (boolean)
    • sourceID: (string)

      SourceID is the google cloud security center organization source ID (used to construct security advisor findings)

  • securityHub: (object)

    SecurityHub contains the AWS security hub alert profile settings

    • accountID: (string)

      AccountID is the AWS account ID

    • credentialId: (string)

      CredentialID is the SecurityHub authentication credentials id

    • enabled: (boolean)

      Enabled indicates whether the overbridge settings are enabled

    • region: (string)

      Region is the overbridge region

  • serviceNow: (object)

    ServiceNowSettings contains the ServiceNow alert profile settings

    • application: (object)

      Application is the ServiceNow application this profile sends to

    • assignee: (string)

      Assignee is the ServiceNow user to whom will assign ServiceNow incidents\items

    • assignmentGroup: (string)

      AssignmentGroup is the ServiceNow group of users handling security incidents

    • auditPriority: (string)

      AuditPriority is the priority at which to set audit alerts in security incidents

    • caCert: (string)

      CA certificate for on-premise ssl (optional)

    • credentialID: (string)

      CredentialID is the ServiceNow authentication credentials id

    • enabled: (boolean)

      Enabled is the ServiceNow provider enabled/disabled indicator

    • project: (string)

      Project is the name of the prisma compute project that was used to generate this configuration. It's required as secondary consoles do not store their project name

    • securityIncidentBaseURL: (string)

      SecurityIncidentBaseURL is the ServiceNow address, used to send security incidents

    • vulnerabilityEndpointUrl: (string)

      VulnerabilityEndpointURL to report ServiceNow vulnerabilities, customer defined scripted REST API, see: https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/custom-web-services/concept/c_CustomWebServices.html

  • slack: (object)

    SlackSettings contains the slack alert profile settings

    • channels: (string)
    • enabled: (boolean)
    • users: (string)
    • webhookUrl: (string)
  • webhook: (object)

    WebhookSettings contains the Webhook alert profile settings

    • caCert: (string)

      CACert is the certificate used to verify the server

    • credentialId: (string)

      CredentialID is the id of the basic authentication credential

    • enabled: (boolean)

      Enabled is Webhook provider enabled/disabled indicator

    • json: (string)

      Json is the custom json we send to the url

    • url: (string)

      URL is the Webhook address

  • xsoar: (object)

    XSOARSettings contains the Cortex XSOAR alert profile settings

    • enabled: (boolean)

      Enabled is the XSOAR provider enabled/disabled indicator

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete

delete

Deletes an alert profile entry by name. In the request payload, specify the alert profile name. This method has no response data.

The following example curl command uses basic auth to delete an existing alert profile entry, where aqsa is an alert profile name which is being deleted.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/alert-profiles/aqsa

Role

Minimum role required to access this endpoint: operator.

Deletes an alert profile entry by name. In the request payload, specify the alert profile name. This method has no response data.

The following example curl command uses basic auth to delete an existing alert profile entry, where aqsa is an alert profile name which is being deleted.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/alert-profiles/aqsa

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Audits

Retrieve audits from the Twistlock database. Twistlock creates and stores audit event records (audits) for all controls. Endpoints support a wide range of filtering options.

get

get

Retrieves all access audits. Twistlock records access audits every time a Docker Engine or Kubernetes command is run on a host protected by Defender. You can also configure Twistlock to record audits for any sudo or SSH commands that are executed on hosts protected Defender.

The following example command gives a list of ALL access audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/access

To get just the docker audits run it with type=docker parameter.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/access?type=docker

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Download all docker access audits into a CSV format file.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/access/download?type=docker > aqsa_audits.csv

Role

Minimum role required to access this endpoint: devSecOps.

get

get

AdmissionAudits returns all admission audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

get

DownloadAdmissionAudits downloads the admission audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

get

AppEmbeddedAppFirewallAudits returns all embedded defender firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

get

DownloadAppEmbeddedAppFirewallAudits downloads the embedded defender firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

get

AppEmbeddedAppFirewallAuditTimeslice returns embedded firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.

get

get

Retrieves all Cloud Native Application Firewall (CNAF) audits. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall. Click here to learn more about CNAF.

The following example uses basic auth to retrieve all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/app/container

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads all Cloud Native Application Firewall (CNAF) audits into CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall. Click here to learn more about CNAF.

The following example uses basic auth to download all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-container-audits.csv \
https://console:8083/api/v1/audits/firewall/app/container/download



### Role
Minimum role required to access this endpoint: devSecOps.

get

get

ContainerAppFirewallAuditTimeslice returns container firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.

get

get

Retrieves all Cloud Native Application Firewall (CNAF) audits. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall. Click here to learn more about CNAF.

The following example uses basic auth to retrieve all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/app/host

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads all Cloud Native Application Firewall (CNAF) audits into CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall. Click here to learn more about CNAF.

The following example uses basic auth to download all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-host-audits.csv \
https://console:8083/api/v1/audits/firewall/app/host/download

Role

Minimum role required to access this endpoint: devSecOps.

get

get

HostAppFirewallAuditTimeslice returns host firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.

get

get

ServerlessAppFirewallAudits returns all serverless firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

get

DownloadServerlessAppFirewallAudits downloads the serverless firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

get

ServerlessAppFirewallAuditTimeslice returns serverless firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.

get

get

Retrieves all Cloud Native Network Firewall (CNNF) container audits.

Cloud Native Network Firewall (CNNF) is a Layer 3 container-aware virtual firewall that utilizes machine learning to identify valid traffic flows between app components and alert or block anomalous flows. CNNF works as an east-west firewall between containers. It limits damage by preventing attackers from moving laterally through your environment when they have already compromised one part of it.

$ curl -k \
-u <USER> \
https://<CONSOLE>:8083/api/v1/audits/firewall/network/container

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads all network firewall audits (CNNF) into a CSV file.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
-o cnnf_container_audits.csv \
https://<CONSOLE>:8083/api/v1/audits/firewall/network/container/download

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Retrieves all Cloud Native Network Firewall (CNNF) audits. These are based on violations of CNNF policies defined under Defend > Firewalls > Cloud Native Network Firewall. Click here to learn more about CNNF.

The following example uses basic auth to retrieve all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/network/host

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads all Cloud Native Network Firewall (CNNF) audits. These are based on violations of CNNF policies defined under Defend > Firewalls > Cloud Native Network Firewall. Click here to learn more about CNNF.

The following example uses basic auth to retrieve all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnnf-host-audits.csv \
https://console:8083/api/v1/audits/firewall/network/host/download

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This api call retrieves a list of incidents that are not acknowledged (not in archived state).

The following example uses basic auth to list incidents.

$ curl -k \
-u <USER> \
https://console:8083/api/v1/audits/incidents

Role

Minimum role required to access this endpoint: devSecOps.

patch

patch

Use this call to acknowledge an incident and move it to Archived state. Incident ID of the incident you want to archive is required. You can get incident ID from the list of incidents in GET /api/v1/audits/incidents.

Note that you can undo this action by changing "true" to "false" in the following example.

The following example uses basic auth and PATCH method to acknowledge an incident

$ curl -k \
-u <USER> \
 https://aqsa-console:8083/api/v1/audits/incidents/acknowledge/5c76e18784bf4b7278d9a820 -d '{"acknowledged":true}'

Where 5c76e18784bf4b7278d9a820 is the incident ID

Role

Minimum role required to access this endpoint: auditor.

Use this call to acknowledge an incident and move it to Archived state. Incident ID of the incident you want to archive is required. You can get incident ID from the list of incidents in GET /api/v1/audits/incidents.

Note that you can undo this action by changing "true" to "false" in the following example.

The following example uses basic auth and PATCH method to acknowledge an incident

$ curl -k \
-u <USER> \
 https://aqsa-console:8083/api/v1/audits/incidents/acknowledge/5c76e18784bf4b7278d9a820 -d '{"acknowledged":true}'

Where 5c76e18784bf4b7278d9a820 is the incident ID

Role

Minimum role required to access this endpoint: auditor.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is internal id representation

  • accountID: (string)

    AccountID is the cloud account ID

  • acknowledged: (boolean)

    Acknowledged indicates that the incident has been acknowledged

  • app: (string)

    App represents the application that caused the incident

  • appID: (string)

    AppID is the application ID

  • category: (object)

    Category represents the incident category (for example: hostViolation, cryptoMiner). Range of acceptable values: portScanning, hijackedProcess, dataExfiltration, kubernetes, backdoorAdministrativeAccount, backdoorSSHAccess, cryptoMiner, lateralMovement, bruteForce, customRule, alteredBinary, suspiciousBinary, executionFlowHijackAttempt, reverseShell

  • cluster: (string)

    Cluster is the cluster on which the incident was found

  • collections: (string)

    Collections are collections to which this incident applies

  • containerID: (string)

    ContainerID is the container id that triggered the incident

  • containerName: (string)

    ContainerName is the container unique name

  • customRuleName: (string)

    CustomRuleName is the name of the custom runtime rule that triggered the incident

  • fqdn: (string)

    FQDN is the current hostname's full domain name

  • function: (string)

    Function is the name of the serverless function

  • hostname: (string)

    Hostname is the current hostname

  • imageID: (string)

    ImageID is the container image ID

  • imageName: (string)

    ImageName is the container image name

  • namespace: (string)

    Namespace is the k8s deployment namespace

  • profileID: (string)

    ProfileID is the profile id

  • region: (string)

    Region is the region of the serverless function

  • runtime: (string)

    Runtime is the runtime of the serverless function

  • serialNum: (integer)

    SerialNum is the serial number of the incident

  • shouldCollect: (boolean)

    ShouldCollect indicates this incident should be collected

  • time: (datetime)

    Time is the UTC time of the incident

  • type: (object)

    Type is the incident type (for example host, container). Range of acceptable values: host, container, function, appEmbedded

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This api call retrieves a list of incidents that are not acknowledged (not in archived state).

The following example uses basic auth to list incidents.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o incidents.csv \
https://console:8083/api/v1/audits/incidents/download

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide events from kubernetes if this integration is configured.

The following example uses basic auth to list all kubernetes events that are configured.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/kubernetes

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide events from kubernetes if this integration is configured.

The following example uses basic auth to download all kubernetes events that are configured.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o kubernetes-events.csv \
https://console:8083/api/v1/audits/kubernetes/download

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Changes to any settings (including previous and new values), changes to any rules (create, modify, or delete), and all logon activity (success and failure) are logged. These events are called management audits.

This call retrieves a list of all management audits that match the query.

The following example curl command uses basic auth to retrieve all management audits

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt

Role

Minimum role required to access this endpoint: auditor.

get

get

Downloads a list of all management audits into CSV format.

The following example curl command uses basic auth to retrieve all management audits

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/download -o aqsa.csv

Role

Minimum role required to access this endpoint: auditor.

get

get

Retrieves a list of management audit types found in your environment. These fields can be firther used as your queries to get management audit data.

The following example curl command uses basic auth to retrieve all management audit filters

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/filters

Role

Minimum role required to access this endpoint: auditor.

delete get

delete

DeleteAppEmbeddedRuntimeAudits deletes all embedded defender runtime audits. Minimum role required to access this endpoint: operator.

get

AppEmbeddedRuntimeAudits returns all embedded defender audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

get

DownloadAppEmbeddedRuntimeAudits downloads the embedded defender audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

delete get

delete

Deletes all container runtime audits.

The following example curl command uses basic auth to delete all the audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/container

Role

Minimum role required to access this endpoint: operator.

get

Twistlock records an audit every time a runtime sensor (process, network, file system, and system call) detects activity that deviates from the predictive model. This endpoint retrieves all container audits from the console Monitor > Runtime > Container Audits.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads the runtime container audit logs in csv format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container/download
> conatiner_audits.csv

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.

The following example uses basic auth to list these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/runtime/file-integrity

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.

The following example uses basic auth to download these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o file-integrity-events.csv \
https://console:8083/api/v1/audits/runtime/file-integrity/download

Role

Minimum role required to access this endpoint: devSecOps.

delete get

delete

Deletes all host audits from the database.

The following example curl command uses basic auth to delete all host audits:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/host

Role

Minimum role required to access this endpoint: operator.

get

Retrieves a list of all host audits that match the query.

The following example curl command uses basic auth to retrieve all host audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/host

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads the runtime host audit logs in csv format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_audits.csv \
https://<CONSOLE>:8083/api/v1/audits/runtime/host/download

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide audits for log inspection checks that are configured under host runtime rules.

The following example uses basic auth to list these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/runtime/log-inspection

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide audits for log inspection checks that are configured under host runtime rules.

The following example uses basic auth to download these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o log-inspection.csv \
https://console:8083/api/v1/audits/incidents/runtime/log-inspection/download

Role

Minimum role required to access this endpoint: devSecOps.

delete get

delete

This endpoint will delete all serverless runtime audits.

The following example curl command uses basic auth to delete the current audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/serverless

Role

Minimum role required to access this endpoint: operator.

get

Returns scan reports in JSON format for any serverless functions you've configured Twistlock to scan.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Returns scan reports in CSV format for any serverless functions you've configured Twistlock to scan.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o serverless-audits.csv
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless/download

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Returns all serverless filters in JSON format. These filters can be used in the base GET request as query parameters.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless/filters

Role

Minimum role required to access this endpoint: devSecOps.

delete get

delete

Deletes all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/trust

Role

Minimum role required to access this endpoint: operator.

get

Gets all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Downloads all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust/download

Role

Minimum role required to access this endpoint: vulnerabilityManager.

Authenticate

Retrieves an access token using your credentials. Valid tokens are required to access the rest of the Prisma Cloud Compute API.

Note: The Prisma Cloud Compute API can also be accessed using basic auth.

post

post

Retrieves an access token using your username and password. By default, access tokens are valid for 24 hours.

cURL Request

The following cURL command retrieves a token for user admin with password password.

$ curl -k \
-H "Content-Type: application/json" \
-X POST \
-d \
'{
 "username":"admin",
 "password":"password"
}' \
https://<CONSOLE>/api/v1/authenticate

Note: The username and password values are case-sensitive.

Response

A successful response will return the following response containing the access token which can be used for the rest of the API endpoints.

{"token", "ACCESS_TOKEN_VALUE"}

Role

Minimum role required to access this endpoint: anyone.

Retrieves an access token using your username and password. By default, access tokens are valid for 24 hours.

cURL Request

The following cURL command retrieves a token for user admin with password password.

$ curl -k \
-H "Content-Type: application/json" \
-X POST \
-d \
'{
 "username":"admin",
 "password":"password"
}' \
https://<CONSOLE>/api/v1/authenticate

Note: The username and password values are case-sensitive.

Response

A successful response will return the following response containing the access token which can be used for the rest of the API endpoints.

{"token", "ACCESS_TOKEN_VALUE"}

Role

Minimum role required to access this endpoint: anyone.

Body

Media type: application/json

Type: object

Properties
  • password: (string)

    Password for Twistlock user

  • username: (string)

    Username for Twistlock user

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Properties
  • token: (string)

get

get

IdentityRedirectURL returns the redirect URL for the given authentication provider. Minimum role required to access this endpoint: none.

get

get

Renews an old (unexpired) access token and returns a new token.

cURL Request

The following cURL command retrieves a new access token using an old access token.

$ curl -k \
-H "Authorization: Bearer <OLD_ACCESS_TOKEN>" \
 https://<CONSOLE>/api/v1/authenticate/renew

Response

A successful response will return the following response containing the new access token. This access token replaces the old access token.

{"token", "ACCESS_TOKEN_VALUE"}

Role

Minimum role required to access this endpoint: user.

Authenticate client

Retrieve an access token using a client certificate. Valid tokens are required to access the rest of the Twistlock API. Use this endpoint if your organization has rolled out multi-factor authentication built on x.509 certificates.

The Twistlock API can also be accessed using basic auth.

post

post

Retrieves an access token using a client certificate. This endpoint checks the supplied client certificate and authorizes the user based on the username in the certificate's CN or UPN field. By default, access tokens are valid for 24 hours.

The following example curl command retrieves a token using a client certificate:

$ curl -k \
-X POST \
--cert <CERT.PEM>
https://<CONSOLE>:8083/api/v1/authenticate-client

Where the certificate must be in PEM format, and the certificate file must consist of a private key and client certificate concatenated together.

Role

Minimum role required to access this endpoint: none.

Retrieves an access token using a client certificate. This endpoint checks the supplied client certificate and authorizes the user based on the username in the certificate's CN or UPN field. By default, access tokens are valid for 24 hours.

The following example curl command retrieves a token using a client certificate:

$ curl -k \
-X POST \
--cert <CERT.PEM>
https://<CONSOLE>:8083/api/v1/authenticate-client

Where the certificate must be in PEM format, and the certificate file must consist of a private key and client certificate concatenated together.

Role

Minimum role required to access this endpoint: none.

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Properties
  • role: (object)

    UserRole is the authenticated user role

  • token: (string)

    Token is the console authentication response token

Backups

Manage backup files.

get post

get

List returns the available backups. Minimum role required to access this endpoint: operator.

post

Backup invokes a mongo backup (dump) process. Minimum role required to access this endpoint: operator.

Backup invokes a mongo backup (dump) process. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete get patch post

delete

DeleteBackup deletes the given backup. Minimum role required to access this endpoint: admin.

get

DownloadBackup downloads the given backup file. Minimum role required to access this endpoint: operator.

patch

Renames the specified backup file.

Role

Minimum role required to access this endpoint: admin.

post

UploadBackup saves uploaded backup file. Minimum role required to access this endpoint: operator.

DeleteBackup deletes the given backup. Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

DownloadBackup downloads the given backup file. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Renames the specified backup file.

Role

Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

UploadBackup saves uploaded backup file. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Restore invokes a mongo restore process. Minimum role required to access this endpoint: admin.

Restore invokes a mongo restore process. Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Certificates

Manage client certificates. Users need client certificates to authenticate commands sent from the Docker client through Twistlock.

get

get

Downloads a script that installs a client certificate, client private key, and certificate authority certificate for the authenticated user.

The following example curl command uses basic auth to download and run the install script for your client certs:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/client-certs.sh | sh

Role

Minimum role required to access this endpoint: user.

put

put

RotateCerts rotate the certificates in case of being close to expiration. Minimum role required to access this endpoint: admin.

get

get

Returns the server certificate bundle from the console.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/server-certs.sh | sh

Role

Minimum role required to access this endpoint: operator.

Cloud

Find all the cloud-native services being used in your AWS, Azure, and Google Cloud accounts. Twistlock continuously monitors these accounts, detects when new services are added, and reports which services are unprotected.

get

get

Returns a list of all cloud compliance scan results.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Download all cloud scan data in CSV format.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-compliance.csv \
https://<CONSOLE>:8083/api/v1/cloud/compliance/download

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns a JSON object of the scan progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance/progress

Role

Minimum role required to access this endpoint: vulnerabilityManager.

post

post

Initiates a new cloud compliance scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/scan

Role

Minimum role required to access this endpoint: operator.

Initiates a new cloud compliance scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/scan

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Terminates a cloud compliance scan that's in progress..

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/stop

Role

Minimum role required to access this endpoint: operator.

Terminates a cloud compliance scan that's in progress..

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/stop

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Returns a list of all cloud discovery scan results.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Download all cloud scan data in CSV format.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-discovery.csv \
https://<CONSOLE>:8083/api/v1/cloud/discovery/download

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns a JSON object of the scan progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery/progress

Role

Minimum role required to access this endpoint: vulnerabilityManager.

post

post

Initiates a new cloud discovery scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/scan

Role

Minimum role required to access this endpoint: operator.

Initiates a new cloud discovery scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/scan

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Terminates a cloud discovery scan that's in progress..

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/stop

Role

Minimum role required to access this endpoint: operator.

Terminates a cloud discovery scan that's in progress..

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/stop

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

DiscoveredVMs returns discovered cloud VM instances. Minimum role required to access this endpoint: vulnerabilityManager.

Code repo scan reports

Scan reports for your GitHub repositories.

get

get

CodeRepos returns code repositories scan results. Minimum role required to access this endpoint: vulnerabilityManager.

get

get

DiscoverCodeRepos discovers the available repositories for a credential according to the given credential ID. Minimum role required to access this endpoint: operator.

get

get

DownloadCodeRepos downloads code repository scan results. Minimum role required to access this endpoint: vulnerabilityManager.

get

get

CodeRepoScanProgress returns the code repositories scan progress. Minimum role required to access this endpoint: vulnerabilityManager.

post

post

ScanCodeRepos triggers a scan for all code repositories. Minimum role required to access this endpoint: operator.

ScanCodeRepos triggers a scan for all code repositories. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

StopCodeReposScan stops the current active scan. Minimum role required to access this endpoint: operator.

StopCodeReposScan stops the current active scan. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

CodeReposWebhook handles events from code repositories. Minimum role required to access this endpoint: none.

CodeReposWebhook handles events from code repositories. Minimum role required to access this endpoint: none.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Collections

Group related resources (containers, images, hosts) together. Collections are predefined filters that let you segment your views in the Console UI and the Twistlock API.

get post

get

Retrieves the list of collections.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/collections"

Role

Minimum role required to access this endpoint: auditor.

post

Creates a new collection. Any field left unspecified is assigned the value of "" (i.e. an emtpy string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d \
'{
 "name": "my collection",
 "color": "#ff0000",
 "description": "A test collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections

Role

Minimum role required to access this endpoint: operator.

Creates a new collection. Any field left unspecified is assigned the value of "" (i.e. an emtpy string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d \
'{
 "name": "my collection",
 "color": "#ff0000",
 "description": "A test collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • accountIDs: (string)

    AccountIDs is a list of the cloud account IDs

  • appIDs: (string)

    AppIDs is a list of application IDs

  • clusters: (string)

    Clusters is a list of kubernetes cluster names

  • codeRepos: (string)

    CodeRepos is a list of remote code repositories

  • color: (object)

    Color is a color code associated with the collection

  • containers: (string)
  • description: (string)

    Description is a free-text description of the collection

  • functions: (string)
  • hosts: (string)
  • images: (string)
  • labels: (string)
  • modified: (datetime)

    Modified is a timestamp if when the collection was last modified

  • name: (string)

    Name is a unique name associated with the collection

  • namespaces: (string)

    Namespaces are the k8s namespaces

  • owner: (string)

    Owner is the collection owner (the last user who modified the collection)

  • system: (boolean)

    System indicates that this collection was created by the system (non user)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete put

delete

Deletes a collection from the system.

The following example curl command deletes a collection named my collection. Because spaces are considered unsafe characters in a URL, they must be encoded with the value %20.

$ curl -k \
-u <USER> \
-X DELETE \
"https://<CONSOLE>:8083/api/v1/collections/my%20collection"

Role

Minimum role required to access this endpoint: operator.

put

Updates the parameters that define a given collection.

The following example curl command updates the parameters that define the collection named finance_group_app. In general, all parameters in your PUT request should be defined or redefined. Any field left unspecified is assigned the value of "" (i.e. an emtpy string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
 "name": "finance_group_app",
 "color": "#ff0000",
 "description": "A super cool collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections/test_collection

Role

Minimum role required to access this endpoint: operator.

Deletes a collection from the system.

The following example curl command deletes a collection named my collection. Because spaces are considered unsafe characters in a URL, they must be encoded with the value %20.

$ curl -k \
-u <USER> \
-X DELETE \
"https://<CONSOLE>:8083/api/v1/collections/my%20collection"

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Updates the parameters that define a given collection.

The following example curl command updates the parameters that define the collection named finance_group_app. In general, all parameters in your PUT request should be defined or redefined. Any field left unspecified is assigned the value of "" (i.e. an emtpy string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
 "name": "finance_group_app",
 "color": "#ff0000",
 "description": "A super cool collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections/test_collection

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Properties
  • accountIDs: (string)

    AccountIDs is a list of the cloud account IDs

  • appIDs: (string)

    AppIDs is a list of application IDs

  • clusters: (string)

    Clusters is a list of kubernetes cluster names

  • codeRepos: (string)

    CodeRepos is a list of remote code repositories

  • color: (object)

    Color is a color code associated with the collection

  • containers: (string)
  • description: (string)

    Description is a free-text description of the collection

  • functions: (string)
  • hosts: (string)
  • images: (string)
  • labels: (string)
  • modified: (datetime)

    Modified is a timestamp if when the collection was last modified

  • name: (string)

    Name is a unique name associated with the collection

  • namespaces: (string)

    Namespaces are the k8s namespaces

  • owner: (string)

    Owner is the collection owner (the last user who modified the collection)

  • system: (boolean)

    System indicates that this collection was created by the system (non user)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

CollectionUsages returns all usages of the queried collection. Minimum role required to access this endpoint: auditor.

CollectionUsages returns all usages of the queried collection. Minimum role required to access this endpoint: auditor.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Properties
  • name: (string)

    Name is the consumer name (e.g. container runtime, username, etc.)

  • type: (object)

    Type is the consumer type (e.g. policy, user, etc.). Range of acceptable values: policy, settings, user, group

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Kubernetes auditing

get

get

GenerateAuditSinkConfig returns the audit sink configuration for integrating k8s audit sink with the Console,based upon https://kubernetes.io/docs/tasks/debug-application-cluster/audit/. Minimum role required to access this endpoint: auditor.

get

get

GenerateValidatingWebhookConfig returns a validating webhook configuration forintegrating k8s admission control with a Defender. Minimum role required to access this endpoint: operator.

Container scan reports

Container scan reports.

get

get

Retrieves all container scan reports.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

Example curl command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns an integer representing the number of containers in your environment.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/count

Role

Minimum role required to access this endpoint: devOps.

get

get

Downloads all container scan reports in CSV format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/download
> container_report.csv

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns an array of strings containing all container names.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/names

Role

Minimum role required to access this endpoint: devOps.

post

post

Re-scan all containers immediately. This endpoint returns the time that the scans were initiated.

The following example command uses curl and basic auth to force Twistlock to re-scan all containers:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/containers/scan

Role

Minimum role required to access this endpoint: operator.

Re-scan all containers immediately. This endpoint returns the time that the scans were initiated.

The following example command uses curl and basic auth to force Twistlock to re-scan all containers:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/containers/scan

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Credentials

Management of Centrally Managed Credentials

get post

get

This endpoint will return a list in json format of the credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to return:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials

Role

Minimum role required to access this endpoint: auditor.

post

This endpoint will allow for update of the credentials found with the app here Manage > Authentication > Credential Store

Create credentials.json file (example)

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

The following example curl command uses basic auth to update the checks:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--binary-data @credentials.json \
https://<CONSOLE>:8083/api/v1/credentials

Role

Minimum role required to access this endpoint: operator.

This endpoint will allow for update of the credentials found with the app here Manage > Authentication > Credential Store

Create credentials.json file (example)

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

The following example curl command uses basic auth to update the checks:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--binary-data @credentials.json \
https://<CONSOLE>:8083/api/v1/credentials

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is a unique name for the credential

  • accountGUID: (string)

    AccountGUID is the unique ID for an IBM Cloud account

  • accountID: (string)

    AccountID is the account identifier, e.g., username, access key, account GUID, etc

  • apiToken: (object)

    APIToken is token used to authenticate to GCP

    • encrypted: (string)
    • plain: (string)

      Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)

  • caCert: (string)

    CACert is the CA certificate used for cert-based auth

  • description: (string)

    Description is the credential description

  • external: (boolean)

    External indicates if the credential is external

  • lastModified: (datetime)

    Modified represents the last time the credentials data changed

  • owner: (string)

    Owner represents the user who added/modified the credentials

  • roleArn: (string)

    RoleARN is the Amazon Resource Name (ARN) of the role to assume

  • secret: (object)

    Secret is the credential secret data

    • encrypted: (string)
    • plain: (string)

      Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)

  • type: (object)

    Type is the cloud provider/external service the credentials are associated with. Range of acceptable values: aws, azure, gcp, ibmCloud, apiToken, githubToken, basic, dtr, kubeconfig, certificate

  • useAWSRole: (boolean)

    UseAWSRole indicates authentication should be made using the instance's attached credentials (EC2 IAM Role)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete

delete

This endpoint will delete a specific credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to delete check with id "Sample":

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/credentials/Sample

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Role

Minimum role required to access this endpoint: operator.

This endpoint will delete a specific credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to delete check with id "Sample":

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/credentials/Sample

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

This endpoint will return a list in json format of all the usages of credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to return:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials/Sample/usages

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Role

Minimum role required to access this endpoint: auditor.

This endpoint will return a list in json format of all the usages of credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to return:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials/Sample/usages

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Role

Minimum role required to access this endpoint: auditor.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Properties
  • description: (string)

    Description is the resource description, e.g., repository name for registry scan

  • type: (object)

    Type is the usage type, e.g., registry scan, serverless scan. Range of acceptable values: Alert settings, Alert profile, Registry Scan, Serverless Scan, Cloud Scan, Secret Store, Serverless Auto-Deploy, Host Auto-deploy, VM Scan, Code Repository Scan, Custom Intelligence Endpoint

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Custom compliance checks

Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. Although Twistlock supports OpenSCAP and XCCDF, these frameworks are complicated, and they can be overkill when all you want to do is run a simple check. Twistlock lets you implement your own custom image checks with simple scripts.

A custom image check consists of a single script. The script’s exit code determines the result of the check, where 0 is pass and 1 is fail. Scripts are executed in the container’s default shell. For many Linux container images, the default shell is bash, but that’s not always the case. For Windows container images, the default shell is cmd.exe.

get put

get

This endpoint will return a list in json format of all the custom compliance checks found with the app here Defend > Compliance > Custom

The following example curl command uses basic auth to return:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/custom-compliance

An example returned json could be something similar to:

[
{
  "modified": "2019-03-07T17:01:12.355Z",
  "owner": "pierre",
  "name": "apitest",
  "previousName": "",
  "_id": 9000,
  "title": "apitest",
  "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
  "severity": "high"
}
]

Role

Minimum role required to access this endpoint: ci.

put

This endpoint will allow for update of the custom compliance checks on page Defend > Compliance > Custom

Create custom_check.json file (example)

[
{
  "modified": "2019-03-07T17:01:12.355Z",
  "owner": "pierre",
  "name": "apitest",
  "previousName": "",
  "_id": 9000,
  "title": "apitest",
  "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
  "severity": "high"
}
]

The following example curl command uses basic auth to update the checks:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--binary-data @custom_check.json \
https://<CONSOLE>:8083/api/v1/custom-compliance

Role

Minimum role required to access this endpoint: operator.

delete

delete

This endpoint will delete a specific custom compliance check on page Defend > Compliance > Custom

The following example curl command uses basic auth to delete check with id 9000:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/custom-compliance/9000

Role

Minimum role required to access this endpoint: operator.

This endpoint will delete a specific custom compliance check on page Defend > Compliance > Custom

The following example curl command uses basic auth to delete check with id 9000:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/custom-compliance/9000

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

CVEs

Browse Twistlock's vulnerability database.

get

get

Retrieves CVEs from Twistlock's vulnernability database. Query the database by CVE ID. Partial matches are supported. A null response indicates that the CVE is not in our database.

The following example curl command queries the Twistlock database for CVE-2018-1102.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves?id=CVE-2018-1102

Role

Minimum role required to access this endpoint: devOps.

get

get

Retrieves CVEs from the vulnerability database grouped into distribution where you will see a count for vulnerabilities per distribution.

The following example curl command uses basic auth to retrieve this data:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves/distribution

Role

Minimum role required to access this endpoint: auditor.

Defenders

Manage Defender. Defender is Twistlock's security agent. In general, one Defender is deployed per node.

get

get

Lists all deployed Defenders.

The following command uses basic authorization to retrieve a list of all deployed Defenders along with metadata

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders

Role

Minimum role required to access this endpoint: vulnerabilityManager.

post

post

EmbedAppEmbeddedDefender returns an augmented Dockerfile + embedded defender dependencies as a ZIP file. Minimum role required to access this endpoint: operator.

EmbedAppEmbeddedDefender returns an augmented Dockerfile + embedded defender dependencies as a ZIP file. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • appID: (string)

    AppID identifies the app that the embedded app defender defender is protecting

  • consoleAddr: (string)

    ConsoleAddr is the console address

  • dataFolder: (string)

    DataFolder is the path to the Twistlock data folder in the container

  • dockerfile: (string)

    Dockerfile is the Dockerfile to embed AppEmbedded defender into

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

GenerateDaemonSet generates the defender daemonset k8s yaml. Minimum role required to access this endpoint: operator.

GenerateDaemonSet generates the defender daemonset k8s yaml. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • cluster: (string)

    Cluster is the kubernetes or ecs cluster name

  • collectPodLabels: (boolean)

    CollectPodLabels indicates whether to collect pod related labels resource labels

  • consoleAddr: (string)

    ConsoleAddr is the console address for defender communication

  • credentialID: (string)

    CredentialID is the name of the credential used

  • cri: (boolean)

    CRI indicates defender uses CRI instead of docker

  • dockerSocketPath: (string)

    DockerSocketPath is the path of the docker socket file

  • image: (string)

    Image is the full daemonset image name

  • istio: (boolean)

    MonitorIstio indicates whether to monitor Istio

  • namespace: (string)

    Namespace is the target deamonset namespaces

  • nodeSelector: (string)

    NodeSelector is a key/value node selector

  • orchestration: (string)

    Orchestration is the orchestration type

  • privileged: (boolean)

    Privileged indicates whether to run defenders as privileged

  • region: (string)

    Region is the kubernetes cluster location region

  • secretsname: (string)

    SecretName is the secret

  • selinux: (boolean)

    SelinuxEnforced indicates whether selinux is enforced on the target host

  • serviceaccounts: (boolean)

    MonitorServiceAccounts indicates whether to monitor service accounts

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Downloads information about deployed Defenders in CSV format. Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/download

Role

Minimum role required to access this endpoint: auditor.

post

post

GenerateEcsTaskDefinition generates the defender ecs task definition json. Minimum role required to access this endpoint: operator.

GenerateEcsTaskDefinition generates the defender ecs task definition json. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • taskName: (string)

    TaskName is the name used for the task definition

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Returns a protected Fargate task definition given an unprotected task definition.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

Unprotected task definition in unprotected.json

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary "@unprotected.json"
--output protected.json
https://<CONSOLE>:8083/api/v1/defenders/fargate.json?consoleaddr=<HOSTNAME>&defenderType=appEmbedded

New Protected task will be in protected.json

Role

Minimum role required to access this endpoint: operator.

Returns a protected Fargate task definition given an unprotected task definition.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

Unprotected task definition in unprotected.json

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary "@unprotected.json"
--output protected.json
https://<CONSOLE>:8083/api/v1/defenders/fargate.json?consoleaddr=<HOSTNAME>&defenderType=appEmbedded

New Protected task will be in protected.json

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Query Parameters

  • consoleaddr: (string)

    consoleaddr is the remote console address

  • defenderType: (object)

    DefenderType is the type of the defender to create the install bundle for. Range of acceptable values: none, docker, dockerWindows, swarm, daemonset, serverLinux, serverWindows, cri, fargate, appEmbedded, tas, serverless, ecs

  • interpreter: (string)

    Interpreter is a custom interpreter set by the user to run the fargate defender entrypoint script

Body

Media type: application/json

Type: object

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

DefenderHelmChart generates a defender helm chart. Minimum role required to access this endpoint: operator.

DefenderHelmChart generates a defender helm chart. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • cluster: (string)

    Cluster is the kubernetes or ecs cluster name

  • collectPodLabels: (boolean)

    CollectPodLabels indicates whether to collect pod related labels resource labels

  • consoleAddr: (string)

    ConsoleAddr is the console address for defender communication

  • credentialID: (string)

    CredentialID is the name of the credential used

  • cri: (boolean)

    CRI indicates defender uses CRI instead of docker

  • dockerSocketPath: (string)

    DockerSocketPath is the path of the docker socket file

  • image: (string)

    Image is the full daemonset image name

  • istio: (boolean)

    MonitorIstio indicates whether to monitor Istio

  • namespace: (string)

    Namespace is the target deamonset namespaces

  • nodeSelector: (string)

    NodeSelector is a key/value node selector

  • orchestration: (string)

    Orchestration is the orchestration type

  • privileged: (boolean)

    Privileged indicates whether to run defenders as privileged

  • region: (string)

    Region is the kubernetes cluster location region

  • secretsname: (string)

    SecretName is the secret

  • selinux: (boolean)

    SelinuxEnforced indicates whether selinux is enforced on the target host

  • serviceaccounts: (boolean)

    MonitorServiceAccounts indicates whether to monitor service accounts

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Returns the full Docker image name for Defender.

Example: registry-auth.twistlock.com/tw_smbvukudjypnnrqmso0/twistlock/defender:defender_18_11_128

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/image-name

Role

Minimum role required to access this endpoint: operator.

get

get

Returns the certsBundle that Defender needs to securely connect to Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/install-bundle?consoleaddr=<CONSOLEADDR>

Role

Minimum role required to access this endpoint: defenderManager.

get

get

Retrieves a list of Defender hostnames that can be used as the {id} query parameter in other /api/v1/defenders endpoints.

Retrieve a list of all Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names

Retrieve a list of connected Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?connected

Retrieve a list of Defenders by type:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?type=<linux|windows|docker|...>

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

DownloadServerlessBundle returns a ZIP with serverless defender bundle. Minimum role required to access this endpoint: operator.

get

get

List the number of Defenders in each defender category.

The following command uses basic authorization to retrieve a summary of Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/summary

Role

Minimum role required to access this endpoint: defenderManager.

post

post

Upgrades all connected single Linux Container Defenders.

This does not update cluster Container Defenders (such as Defender DaemonSets), Serverless Defenders, or Fargate Defenders. To upgrade cluster Container Defenders, reploy them. To upgrade Serverless and Fargate Defenders, re-embed them.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/upgrade

Role

Minimum role required to access this endpoint: operator.

Upgrades all connected single Linux Container Defenders.

This does not update cluster Container Defenders (such as Defender DaemonSets), Serverless Defenders, or Fargate Defenders. To upgrade cluster Container Defenders, reploy them. To upgrade Serverless and Fargate Defenders, re-embed them.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/upgrade

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete

delete

Deletes a Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>

Role

Minimum role required to access this endpoint: operator.

Deletes a Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Updates a deployed Defender's configuration.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"proxyListenerType": "tcp", "registryScanner":"<true|false>", "serverlessScanner":"<true|false>"}' \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/features

Role

Minimum role required to access this endpoint: operator.

Updates a deployed Defender's configuration.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"proxyListenerType": "tcp", "registryScanner":"<true|false>", "serverlessScanner":"<true|false>"}' \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/features

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Properties
  • clusterMonitoring: (boolean)

    ClusterMonitoring determines whether the k8s or Istio cluster monitoring features are enabled

  • proxyListenerType: (object)

    ProxyListenerType determines whether the defender acts as a TCP proxy. Range of acceptable values: none, tcp, default

  • registryScanner: (boolean)

    RegistryScanner determines whether the defender is a registry scanner

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Properties
  • category: (object)

    Category is the category of the defender type (host/container/serverless). Range of acceptable values: container, host, serverless, appEmbedded

  • certificateExpiration: (datetime)

    CertificateExpiration is the client's certificate expiry time

  • cloudMetadata: (object)

    CloudMetadata is the cloud provider metadata of the host

    • accountID: (string)

      AccountID is the cloud account ID

    • image: (string)

      Image is the image name

    • name: (string)

      Name is the instance name

    • provider: (object)

      Provider is the cloud provider (AWS/GCP/Azure). Range of acceptable values: aws, azure, gcp, others

    • region: (string)

      Region the instance region

    • resourceID: (string)

      ResourceID is the resource unique ID

    • type: (string)

      Type is the instance type

  • cluster: (string)

    Cluster is the provided cluster name (fallback is internal IP)

  • clusterID: (string)

    ClusterID is a unique ID generated for each daemon set, and used to group Defenders by clustersNote: Kubernetes does not provide a cluster name as part of its API

  • collections: (string)

    Collections are collections to which this defender applies

  • compatibleVersion: (boolean)

    CompatibleVersion indicates if the defender has a compatible version for communication (e.g. request logs)

  • connected: (boolean)

    Connected indicates whether the defender is connected

  • features: (object)

    Features are feature that are enabled in the defender

    • clusterMonitoring: (boolean)

      ClusterMonitoring determines whether the k8s or Istio cluster monitoring features are enabled

    • proxyListenerType: (object)

      ProxyListenerType determines whether the defender acts as a TCP proxy. Range of acceptable values: none, tcp, default

    • registryScanner: (boolean)

      RegistryScanner determines whether the defender is a registry scanner

  • firewallProtection: (object)

    FirewallProtection describes the firewall protection status of app embedded defenders

    • enabled: (boolean)

      Enabled indicates that WAAS protection is enabled

    • supported: (boolean)

      Supported indicates that WAAS protection is supported

  • fqdn: (string)

    FQDN is the full domain name used in audit alerts to identify specific hosts

  • hostname: (string)

    Hostname is the defender hostname

  • lastModified: (datetime)

    LastModified is the last time the defender connectivity was modified

  • port: (integer)

    Port is the communication port between defender to console

  • proxy: (object)

    Proxy is the proxy options of the defender

    • ca: (string)

      CA is the user proxy's CA

    • httpProxy: (string)

      HttpProxy is the proxy address

    • noProxy: (string)

      NoProxy is a list of addresses for which the proxy should not be used

    • password: (object)

      Password is the password used for proxy authentication

      • encrypted: (string)
      • plain: (string)

        Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)

    • user: (string)

      User is the username to be used in authentication in front of the user's proxy

  • remoteLoggingSupported: (boolean)

    RemoteLoggingSupported indicates if the defender logs can be retrieved from remote

  • remoteMgmtSupported: (boolean)

    RemoteMgmtSupported indicated if the defender can be remotely managed (upgrade, restart)

  • status: (object)

    Status is the feature status of the defender

    • lastModified: (datetime)

      Modified is the time the event was modified

  • systemInfo: (object)

    SystemInfo is the system information of the defender host

    • cpuCount: (integer)

      CPUCount is the CPU count on the defender host

    • freeDiskSpaceGB: (object)

      FreeDiskSpaceGB is the free disk space (in GB) on the defender host

    • kernelVersion: (string)

      KernelVersion is the kernel version on the defender host

    • memoryGB: (number)

      MemoryGB is the total memory (in GB) on the defender host

    • totalDiskSpaceGB: (object)

      TotalDiskSpaceGB is the total disk space (in GB) on the defender host

  • tasClusterID: (string)

    TASClusterID is the ID used to identify the TAS cluster of the defender. Typically will be the Cloud controller API address

  • type: (object)

    Type is the type of the defender (registry scanner/kubernetes node/etc...). Range of acceptable values: none, docker, dockerWindows, swarm, daemonset, serverLinux, serverWindows, cri, fargate, appEmbedded, tas, serverless, ecs

  • version: (string)

    Version is the agent version

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Restarts Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/restart

Role

Minimum role required to access this endpoint: operator.

Restarts Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/restart

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Upgrades Defender on <HOSTNAME>.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/upgrade

Role

Minimum role required to access this endpoint: operator.

Upgrades Defender on <HOSTNAME>.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/upgrade

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Deployments

Manage Defender DaemonSet deployments.

get

get

Retrieves a list of deployed Defender DaemonSets. You must specify a credentialID, of type kubeconfig, which identifies your cluster and user. Credentials are managed in Console's credentials store (/api/v1/credentials).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets?credentialID=<CREDENTIAL NAME>

Role

Minimum role required to access this endpoint: auditor.

post

post

Deploys a Defender DaemonSet to the cluster identified by credentialID. The credentialID, of type kubeconfig, must exist before calling this endpoint. It identifies the cluster's API server, user, and credentials.

Use the various request parameters to control the properties of the deployed DaemonSet.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{
    "credentialID": "",
    "consoleAddr": "",
    "namespace": "",
    "orchestration": "",
    "...":"..."
    }' \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets/deploy

Role

Minimum role required to access this endpoint: operator.

Deploys a Defender DaemonSet to the cluster identified by credentialID. The credentialID, of type kubeconfig, must exist before calling this endpoint. It identifies the cluster's API server, user, and credentials.

Use the various request parameters to control the properties of the deployed DaemonSet.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{
    "credentialID": "",
    "consoleAddr": "",
    "namespace": "",
    "orchestration": "",
    "...":"..."
    }' \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets/deploy

Role

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • cluster: (string)

    Cluster is the kubernetes or ecs cluster name

  • collectPodLabels: (boolean)

    CollectPodLabels indicates whether to collect pod related labels resource labels

  • consoleAddr: (string)

    ConsoleAddr is the console address for defender communication

  • credentialID: (string)

    CredentialID is the name of the credential used

  • cri: (boolean)

    CRI indicates defender uses CRI instead of docker

  • dockerSocketPath: (string)

    DockerSocketPath is the path of the docker socket file

  • image: (string)

    Image is the full daemonset image name

  • istio: (boolean)

    MonitorIstio indicates whether to monitor Istio

  • namespace: (string)

    Namespace is the target deamonset namespaces

  • nodeSelector: (string)

    NodeSelector is a key/value node selector

  • orchestration: (string)

    Orchestration is the orchestration type

  • privileged: (boolean)

    Privileged indicates whether to run defenders as privileged

  • region: (string)

    Region is the kubernetes cluster location region

  • secretsname: (string)

    SecretName is the secret

  • selinux: (boolean)

    SelinuxEnforced indicates whether selinux is enforced on the target host

  • serviceaccounts: (boolean)

    MonitorServiceAccounts indicates whether to monitor service accounts

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

HostAutoDeployProgress returns the host auto-deploy progress. Minimum role required to access this endpoint: operator.

post

post

StartHostAutoDeploy starts a host auto-deploy. Minimum role required to access this endpoint: operator.

StartHostAutoDeploy starts a host auto-deploy. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

StopHostAutoDeploy stops the host auto-deploy auto-deploy scan. Minimum role required to access this endpoint: operator.

StopHostAutoDeploy stops the host auto-deploy auto-deploy scan. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

ServerlessAutoDeployProgress returns the serverless auto-deploy scan progress. Minimum role required to access this endpoint: operator.

post

post

StartServerlessAutoDeploy starts a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

StartServerlessAutoDeploy starts a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

StopServerlessAutoDeploy stops a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

StopServerlessAutoDeploy stops a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Custom feeds

Augments the Prisma Cloud Compute Intelligence Stream with custom threat data. Enables you expand the scope of threats and vulnerabilities that Prisma Cloud Compute can detect and report.

get put

get

DownloadFeedsBundle creates and serves the intelligence feeds bundle. Minimum role required to access this endpoint: vulnerabilityManager.

put

UploadOfflineIntelligenceFeeds uploads the offline intelligence feeds bundle. Minimum role required to access this endpoint: operator.

get put

get

Retrieves the list of custom vulnerabilities and associated rules for handling internally created or packaged apps.

This list is used by the Prisma Cloud Compute scanner to detect vulnerable custom components (apps, libraries, etc) that were developed and packaged internally.

Note: When a vulnerable custom component is detected in an image, you must have a rule to tell Twistlock how to handle it. Vulnerability rules can be created using the Console UI or with the /api/v1/vulnerabilty/<RESOURCE-TYPE> endpoint. See the /api/v1/vulnerabilty/<RESOURCE-TYPE> endpoint for more info.

cURL Request

The following cURL command retrieves a list of all the custom vulnerabilities and associated rules.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities

Response

A successful response will return a list of custom vulnerability rules and the associated digest:

{
"_id":"customVulnerabilities",
"rules": [
{
     "_id": "<ID>",
     "package": "internal-lib",
     "type": "package",
     "minVersionInclusive": "1.1",
     "name": "internal-lib",
     "maxVersionInclusive": "1.8",
     "md5": ""
   }
],
"digest":"<DIGEST>"
}

Role

Minimum role required to access this endpoint: auditor.

put

Simultaneously updates all the custom vulnerabilities and associated rules for handling internally created or packaged apps.

cURL Request

The following cURL command updates a vulnerability for a library named internal-lib, and specifies that its versions 1.1 to 1.8 are known to be vulnerable.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
  {
    "_id": "<ID>",
    "package": "internal-lib",
    "type": "package",
    "minVersionInclusive": "1.1",
    "name": "internal-lib",
    "maxVersionInclusive": "1.8",
    "md5": ""
  }
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities

Note: No response will be returned upon successful execution.

Maintain your Custom Vulnerabilities

We suggest you maintain your custom vulnerabilities using the following steps:

  1. Get all the custom vulnerability rules from the GET endpoint and save the results to a file.

Note: You will need jq to execute this command.

 $ curl -k \
   -u <USER> \
   https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities \
   | jq '.' > custom_vulnerability_rules.json
  1. Open the JSON file and add, modify, and/or delete the rules by directly editing the JSON output. For example:
{
"id": "customVulnerabilities",
"rules": [
    {
      "_id": "<ID>",
      "package": "internal-lib",
      "type": "package",
      "minVersionInclusive": "1.1",
      "name": "internal-lib",
      "maxVersionInclusive": "1.8",
      "md5": ""
    }
],
"digest": "97de7f27XXXXXXXXXX"
}

  1. Update the rules by pushing the new JSON payload. Note: Do not forget to specify the @ symbol.

    $ curl -k \
-u <USER> \
-X PUT \
-H "Content-Type:application/json" \
-d @custom_vulnerability_rules.json \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities

  2. Run the cURL command for the GET /api/v1/feeds/custom/custom-vulnerabilities endpoint and you can see that the previously installed rules are now overwritten with your new rules.

$ curl -k \
 -u <USER> \
 -H 'Content-Type: application/json' \
 -X GET \
 https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities

Role

Minimum role required to access this endpoint: operator.

get

get

Returns the unique digest for the custom vulnerabilities and associated rules for handling internally created or packaged apps.

cURL Request

The following cURL command retrieves the digest for the configured custom vulnerabilities.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities/digest

A successful response will return the digest string. This is the same value as the digest property in the response of the GET api/v1/feeds/custom/custom-vulnerabilities endpoint.

Role

Minimum role required to access this endpoint: auditor.

get put

get

Retrieves the list of globally whitelisted Common Vulnerabilities and Exposures (CVE).

cURL Request

The following cURL command retrieves the globally whitelisted CVE list.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/cve-allow-list

Response

A successful response will return a CVE list that will be used for global whitelisting.

{
"_id":"cveAllowList",
"rules": [
{
    "cve": "CVE-2018-2222",
    "expiration": "2020-06-18T00:00:00Z"
}
],
"digest":"<DIGEST>"
}

Role

Minimum role required to access this endpoint: auditor.

put

Globally whitelists a set of Common Vulnerabilities and Exposures (CVE).

Note: Any previously installed lists are overwritten.

cURL Request

The following cURL command installs a globally whitelisted CVE list.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
  {
    "cve": "CVE-2018-2222",
    "expiration": "2020-06-18T00:00:00Z"
  }
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/cve-allow-list

Note: No response will be returned upon successful execution.

To confirm the CVE list has been added to the global whitelist, invoke the GET /api/v1/feeds/custom/cve-allow-list endpoint.

Role

Minimum role required to access this endpoint: operator.

get

get

Retrieves the digest string for the Common Vulnerabilities and Exposures (CVE) allow list configured in Console.

cURL Request

The following cURL command retrieves the digest for the configured CVE allow list.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/cve-allow-list/digest

A successful response will return the digest string. This is the same value as the digest property in the response of the GET api/v1/feeds/custom/cve-allow-list endpoint.

Role

Minimum role required to access this endpoint: auditor.

get put

get

Retrieves the customized list of blacklisted suspicious or high-risk IP addresses.

cURL Request

The following cURL command retrieves the list of globally blacklisted suspicious or high-risk IP addresses.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/ips

Response

A successful response will return a list of suspicious or high-risk IP addresses that will be banned.

{
"_id":"<ID>",
"modified":"2020-11:00:00T00:00:01.62Z",
"feed":["193.171.1.1","193.171.1.2"]},
"digest":"<DIGEST>"
}

Role

Minimum role required to access this endpoint: auditor.

put

Bans a custom list of suspicious or high-risk IP addresses.

Note: Any previously installed lists are overwritten.

cURL Request

The following cURL command installs a custom list of banned suspicious or high-risk IP addresses.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d '{"name":"banned-ips", "feed":["193.171.1.1","193.171.1.2"]}' \
https://<CONSOLE>/api/v1/feeds/custom/ips

Note: No response will be returned upon successful execution.

To confirm the IPs have been added to the ban list, invoke the GET /api/v1/feeds/custom/ips endpoint.

Role

Minimum role required to access this endpoint: operator.

get

get

Retrieves the digest string for the list of suspicious or high risk IP endpoints configured in Console.

cURL Request

The following cURL command retrieves the digest for the banned suspicious or high-risk IP addresses.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/ips/digest

A successful response will return the digest string. This is the same value as the digest property in the response of the GET api/v1/feeds/custom/ips endpoint.

Role

Minimum role required to access this endpoint: auditor.

get put

get

Retrieves the customized list of MD5 signatures of malicious executables.

cURL Request

The following cURL command retrieves the list of MD5 signatures of malicious executables.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/malware

Response

A successful response will return a list of MD5 signatures of malicious executables.

{
"_id":"<ID>",
"modified":"2020-11:00:00T00:00:01.62Z",
"feed": [
{
    "name": "dimaaa",
    "md5": "d4ba1008e7d97458fdd65deca2ba801b"
},
{
    "name": "emacs",
    "md5": "5ce9d1116755f827f5d1e06246dd30b9"
}
]
"digest":"<DIGEST>"
}

Role

Minimum role required to access this endpoint: auditor.

put

Creates a custom list of malware MD5 signatures of malicious executables.

Note: Any previously installed lists are overwritten.

cURL Request

The following cURL command installs a custom list of malware MD5 signatures of malicious executables.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"name": "malware-sigs",
"feed": [
  {
    "name": "dimaaa",
    "md5": "d4ba1008e7d97458fdd65deca2ba801b"
  },
  {
    "name": "emacs",
    "md5": "5ce9d1116755f827f5d1e06246dd30b9"
  }
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/malware

Note: No response will be returned upon successful execution.

To confirm the malware list has been added / overwritten to the ban list, invoke the GET /api/v1/feeds/custom/malware endpoint.

Role

Minimum role required to access this endpoint: operator.

get

get

Retrieves the digest string for all the MD5 signatures of malicious executables configured in Console.

cURL Request

The following cURL command retrieves the digest for the configured list for the MD5 signatures of malicious executables.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/malware/digest

A successful response will return the digest string. This is the same value as the digest property in the response of the GET api/v1/feeds/custom/malware endpoint.

Role

Minimum role required to access this endpoint: auditor.

put

put

ForceIntelligenceUpdate performs pushing/polling of intelligence feeds on demand. Minimum role required to access this endpoint: operator.

Forensics

The forensic endpoint will return data for host activities.

get

get

Retrieves all host activities that can be found on Monitor > Evenets > Host Activities

Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/forensic/activities

Role

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads all host activities that can be found on Monitor > Evenets > Host Activities

Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_activities.csv
https://<CONSOLE>:8083/api/v1/forensic/activities/download

Role

Minimum role required to access this endpoint: devSecOps.

Groups

Manage (create, modify, delete) groups in the system. If you integrated OpenLDAP, AD, or SAML, you can re-use groups from there, and assign roles to them as appropriate. Otherwise, create Twistlock local groups to manage privileges for groups of users.

get post

get

Retrieves a list of all groups.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/groups \

Role

Minimum role required to access this endpoint: auditor.

post

Adds a group to the system, or updates an existing one.

The following example command uses curl and basic auth to create a new group with two users. Note that the values for lastModified, owner, and _id do not need to be specified. They are automatically filled in by the system.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Role

Minimum role required to access this endpoint: admin.

Adds a group to the system, or updates an existing one.

The following example command uses curl and basic auth to create a new group with two users. Note that the values for lastModified, owner, and _id do not need to be specified. They are automatically filled in by the system.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Role

Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is the group name

  • groupId: (string)

    GroupId is used as a group identifier in Azure SAML identification process

  • groupName: (string)

    Name is the group name

  • lastModified: (datetime)

    Modified is the last modification time of the group

  • ldapGroup: (boolean)

    LdapGroup indicates whether group is an ldap group

  • oauthGroup: (boolean)

    OauthGroup indicates whether group is oauth group

  • oidcGroup: (boolean)

    OidcGroup indicates whether group is oidc group

  • owner: (string)

    Owner is the group owner

  • permissions: (object)

    Permissions is the set of projects the group's users is assigned to and the set of collections the user may access in each project

  • role: (object)

    Role is the group role

  • samlGroup: (boolean)

    SamlGroup indicates whether group is saml group

  • user: (object)

    Users are the users associated with the group

    • username: (string)

      Name is the user name

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Returns the names of all groups as strings in an array.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -X GET \
https://<CONSOLE>:8083/api/v1/groups/names \
-u <USER> \
-H 'Content-Type: application/json' \

Sample output:

[
  "admins",
  "secops",
  "devops",
  ""
]

Role

Minimum role required to access this endpoint: auditor.

delete put

delete

Deletes a group from the system. The id's can be retrieved with a GET from the /group/ api endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/groups

Role

Minimum role required to access this endpoint: admin.

put

Adds or modifies a group from the system. The id's can be retrieved with a GET from the /group/ api endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Role

Minimum role required to access this endpoint: admin.

Deletes a group from the system. The id's can be retrieved with a GET from the /group/ api endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/groups

Role

Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Adds or modifies a group from the system. The id's can be retrieved with a GET from the /group/ api endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Role

Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is the group name

  • groupId: (string)

    GroupId is used as a group identifier in Azure SAML identification process

  • groupName: (string)

    Name is the group name

  • lastModified: (datetime)

    Modified is the last modification time of the group

  • ldapGroup: (boolean)

    LdapGroup indicates whether group is an ldap group

  • oauthGroup: (boolean)

    OauthGroup indicates whether group is oauth group

  • oidcGroup: (boolean)

    OidcGroup indicates whether group is oidc group

  • owner: (string)

    Owner is the group owner

  • permissions: (object)

    Permissions is the set of projects the group's users is assigned to and the set of collections the user may access in each project

  • role: (object)

    Role is the group role

  • samlGroup: (boolean)

    SamlGroup indicates whether group is saml group

  • user: (object)

    Users are the users associated with the group

    • username: (string)

      Name is the user name

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

/harbor

get

get

HarborScannerMetadata returns metadata of the PCC vulnerability scanner adapter for Harbor registrySee https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.

HarborScannerMetadata returns metadata of the PCC vulnerability scanner adapter for Harbor registrySee https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

HarborScannerScan accepts an image vulnerability scan request from Harbor registry and submits it asynchronouslySee https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.

HarborScannerScan accepts an image vulnerability scan request from Harbor registry and submits it asynchronouslySee https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

HarborScannerInstanceReport returns the scan results of the requested scan via its IDSee https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.

HarborScannerInstanceReport returns the scan results of the requested scan via its IDSee https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Host scan reports

Host scan reports.

Twistlock scans the host machines in your container environment for CVEs and compliance issues. Scan reports are generated for any host running Defender.

get

get

Retrieves all host scan reports. A curl command to access this endpoint may resemble the following code snippet.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/hosts \

Role

Minimum role required to access this endpoint: vulnerabilityManager.