Prisma Cloud Compute API documentation version v1

https://{CONSOLE}:{PORT}/api/{version}

  • CONSOLE: required(string)

    Hostname or IP address where Console can be accessed.

  • PORT: required(string)

    Use port 8081 to access the API over HTTP. Use port 8083 to access the API over HTTPS. You can configure Twistlock to use alternative ports at install time in twistlock.cfg.

  • version: required(v1)

Paginated responses

The number of objects returned from paginated API requests is capped to a max of 50 because very large responses could DoS your Console. If the response contains more than 50 objects, cycle through the collection with the offset query parameter. For example:

https://CONSOLE:8083/api/v1/images?limit=50&offset=X

_Ping

Check if Console is alive, responsive, and reachable.

get

get

Checks if Console is reachable over the network from the host where you call the endpoint. If you get a response code of 200, the request succeeded, and Console is both alive and reachable.

The following curl command pings Console and prints the HTTP response code.

$ curl -k \
-s \
-o /dev/null \
-w "%{http_code}\n" \
-X GET \
https://<CONSOLE>:8083/api/v1/_ping

Minimum role required to access this endpoint: anyone.

Alert profiles

Manage alert profiles, which let you surface critical policy breaches by sending alerts to channels, such as email, Slack, and JIRA.

Alert profiles define which events should be sent to which channel. Each profile declares:

  • One or more recipients.
  • One or more triggers, that raise alerts by sending messages on the configured channel.

get post

get

Retrieve a list of all alert profiles created in the system.

The following example curl command uses basic auth to retrieve all alert profiles:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles

Minimum role required to access this endpoint: auditor.

post

Update an existing alert profile created in the system.

The following example curl command uses basic auth to add a Jira Alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/alert-profiles \
-d '  {
  "name": "jira",
  "_id": "jira",
  "jira": {
    "enabled": true,
    "projectKey": "TWIS",
    "issueType": "Task",
    "priority": "High",
    "labels": [],
    "assignee": ""
  }
  "policy": {
    "cve": {
      "enabled": true,
      "allRules": true,
      "rules": [],
      "clients": [
        "jira"
      ]
    }
  } '

Minimum role required to access this endpoint: operator.

Update an existing alert profile created in the system.

The following example curl command uses basic auth to add a Jira Alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/alert-profiles \
-d '  {
  "name": "jira",
  "_id": "jira",
  "jira": {
    "enabled": true,
    "projectKey": "TWIS",
    "issueType": "Task",
    "priority": "High",
    "labels": [],
    "assignee": ""
  }
  "policy": {
    "cve": {
      "enabled": true,
      "allRules": true,
      "rules": [],
      "clients": [
        "jira"
      ]
    }
  } '

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is the alert profile ID

  • demisto: (object)

    DemistoSettings contains the Demisto alert profile settings

    • enabled: (boolean)

      Enabled is the Demisto provider enabled/disabled indicator

  • disabled: (boolean)

    Disabled states if the rule is currently disabled

  • email: (object)

    EmailSettings contains the email alert profile settings

    • credentialId: (string)

      CredentialID is the Email authentication credentials id

    • enabled: (boolean)
    • from: (string)

      From is the from address of the mail

    • labels: (string)

      Labels are custom label names from which the mail recipients are extracted, allowing to dynamically extract the target of the alerts

    • port: (integer)
    • recipients: (string)
    • smtpAddress: (string)
    • ssl: (boolean)
  • gcpPubsub: (object)

    GcpPubsubSettings contains the GCP Pub/Sub alert profile settings

    • credentialId: (string)

      CredentialID is the GCP Pub/Sub authentication credentials id

    • enabled: (boolean)

      Enabled indicates whether the GCP Pub/Sub settings are enabled

    • topic: (string)

      Topic is the GCP Pub/Sub topic (used by subscribers to listen for messages)

  • jira: (object)

    JIRASettings contains the JIRA alert profile settings

    • assignee: (object)

      Assignee is the assignee of the issue

      • labels: (string)

        Labels are the dynamic labels of which the value is based on

      • name: (string)

        Name is the static string field

    • baseUrl: (string)

      BaseURL is the JIRA address

    • caCert: (string)

      CACert is the certificate used to verify the server

    • credentialId: (string)

      CredentialID is the JIRA authentication credentials id

    • enabled: (boolean)

      Enabled controls whether the rule is enabled

    • issueType: (string)

      IssueType is the type of the JIRA issue

    • labels: (object)

      Labels is the labels added to the created issue

      • labels: (string)

        Labels are the dynamic labels of which JIRA labels are based on

      • names: (string)

        Names are the static strings field

    • priority: (string)

      Priority is the issue priority

    • projectKey: (object)

      ProjectKey is the key of the project in which the issue will be created

      • labels: (string)

        Labels are the dynamic labels of which the value is based on

      • name: (string)

        Name is the static string field

  • lastError: (string)

    LastError represents the last error when sending the profile

  • modified: (datetime)
  • name: (string)
  • notes: (string)

    Notes are the rule's user notes

  • owner: (string)
  • pagerduty: (object)

    PagerDutySettings contains the PagerDuty alert profile settings

    • enabled: (boolean)

      Enabled is PagerDuty provider enabled/disabled indicator

    • routingKey: (object)

      RoutingKey is the unique PagerDuty service id

      • encrypted: (string)
      • plain: (string)

        Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)

    • severity: (object)

      Severity is the PagerDuty's event severity

    • summary: (string)

      Summary is the PagerDuty's event summary

  • previousName: (string)

    PreviousName is the rule previous name, required for rule renaming

  • securityAdvisor: (object)

    SecurityAdvisor contains the IBM security advisor alert profile settings

    • auto: (boolean)

      Automatic means the configuration was automatically provisioned by security advisor, and only notes should be created

    • credentialID: (string)

      CredentialID is the IBM security advisor credential

    • enabled: (boolean)

      Enabled indicates whether the overbridge settings are enabled

    • findingsURL: (string)

      FindingsURL is the URL to which findings should be sent

    • providerId: (string)

      ProviderID is the configured providerID (default twistlock)

    • tokenURL: (string)

      TokenURL is the url from which security tokens should be fetched

  • securityCenter: (object)

    SecurityCenterSettings contains the security center alert profile settings

    • credentialId: (string)

      CredentialID is the Security Center authentication credentials id

    • enabled: (boolean)
    • sourceID: (string)

      SourceID is the google cloud security center organization source ID (used to construct security advisor findings)

  • securityHub: (object)

    SecurityHub contains the AWS security hub alert profile settings

    • accountID: (string)

      AccountID is the AWS account ID

    • credentialId: (string)

      CredentialID is the SecurityHub authentication credentials id

    • enabled: (boolean)

      Enabled indicates whether the overbridge settings are enabled

    • region: (string)

      Region is the overbridge region

    • roleArn: (string)

      RoleARN is the Amazon Resource Name (ARN) of the role to assume

    • useAWSRole: (boolean)

      UseAWSRole is a flag indicates if local IAM role should be used for authentication (username and password would are ignored)

  • serviceNow: (object)

    ServiceNowSettings contains the ServiceNow alert profile settings

    • application: (object)

      Application is the ServiceNow application this profile sends to

    • assignee: (string)

      Assignee is the ServiceNow user to whom will assign ServiceNow incidents\items

    • assignmentGroup: (string)

      AssignmentGroup is the ServiceNow group of users handling security incidents

    • auditPriority: (string)

      AuditPriority is the priority at which to set audit alerts in security incidents

    • caCert: (string)

      CA certificate for on-premise ssl (optional)

    • credentialID: (string)

      CredentialID is the ServiceNow authentication credentials id

    • enabled: (boolean)

      Enabled is the ServiceNow provider enabled/disabled indicator

    • project: (string)

      Project is the name of the prisma compute project that was used to generate this configuration. It's required as secondary consoles do not store their project name

    • securityIncidentBaseURL: (string)

      SecurityIncidentBaseURL is the ServiceNow address, used to send security incidents

    • vulnerabilityEndpointUrl: (string)

      VulnerabilityEndpointURL to report ServiceNow vulnerabilities, customer defined scripted REST API, see: https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/custom-web-services/concept/c_CustomWebServices.html

  • slack: (object)

    SlackSettings contains the slack alert profile settings

    • channels: (string)
    • enabled: (boolean)
    • users: (string)
    • webhookUrl: (string)
  • webhook: (object)

    WebhookSettings contains the Webhook alert profile settings

    • caCert: (string)

      CACert is the certificate used to verify the server

    • credentialId: (string)

      CredentialID is the id of the basic authentication credential

    • enabled: (boolean)

      Enabled is Webhook provider enabled/disabled indicator

    • json: (string)

      Json is the custom json we send to the url

    • url: (string)

      URL is the Webhook address

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Retrieve a list of only the names of all alert profiles created in the system.

The following example curl command uses basic auth to retrieve all alert profiles' names:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles/names

Example Response:

[
  "jira",
  "aqsa vulns"
]

Minimum role required to access this endpoint: auditor.

post

post

Sends a test alert to verify successful configuration of the alert profile settings.

The following example curl command uses basic auth to send test alert for an email alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d <REQUEST-PAYLOAD>
https://<CONSOLE>:8083/api/v1/alert-profiles/test

In this case, the REQUEST-PAYLOAD would be the full JSON formatted alert profile from the base GET command Minimum role required to access this endpoint: operator.

Sends a test alert to verify successful configuration of the alert profile settings.

The following example curl command uses basic auth to send test alert for an email alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d <REQUEST-PAYLOAD>
https://<CONSOLE>:8083/api/v1/alert-profiles/test

In this case, the REQUEST-PAYLOAD would be the full JSON formatted alert profile from the base GET command Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is the alert profile ID

  • demisto: (object)

    DemistoSettings contains the Demisto alert profile settings

    • enabled: (boolean)

      Enabled is the Demisto provider enabled/disabled indicator

  • disabled: (boolean)

    Disabled states if the rule is currently disabled

  • email: (object)

    EmailSettings contains the email alert profile settings

    • credentialId: (string)

      CredentialID is the Email authentication credentials id

    • enabled: (boolean)
    • from: (string)

      From is the from address of the mail

    • labels: (string)

      Labels are custom label names from which the mail recipients are extracted, allowing to dynamically extract the target of the alerts

    • port: (integer)
    • recipients: (string)
    • smtpAddress: (string)
    • ssl: (boolean)
  • gcpPubsub: (object)

    GcpPubsubSettings contains the GCP Pub/Sub alert profile settings

    • credentialId: (string)

      CredentialID is the GCP Pub/Sub authentication credentials id

    • enabled: (boolean)

      Enabled indicates whether the GCP Pub/Sub settings are enabled

    • topic: (string)

      Topic is the GCP Pub/Sub topic (used by subscribers to listen for messages)

  • jira: (object)

    JIRASettings contains the JIRA alert profile settings

    • assignee: (object)

      Assignee is the assignee of the issue

      • labels: (string)

        Labels are the dynamic labels of which the value is based on

      • name: (string)

        Name is the static string field

    • baseUrl: (string)

      BaseURL is the JIRA address

    • caCert: (string)

      CACert is the certificate used to verify the server

    • credentialId: (string)

      CredentialID is the JIRA authentication credentials id

    • enabled: (boolean)

      Enabled controls whether the rule is enabled

    • issueType: (string)

      IssueType is the type of the JIRA issue

    • labels: (object)

      Labels is the labels added to the created issue

      • labels: (string)

        Labels are the dynamic labels of which JIRA labels are based on

      • names: (string)

        Names are the static strings field

    • priority: (string)

      Priority is the issue priority

    • projectKey: (object)

      ProjectKey is the key of the project in which the issue will be created

      • labels: (string)

        Labels are the dynamic labels of which the value is based on

      • name: (string)

        Name is the static string field

  • lastError: (string)

    LastError represents the last error when sending the profile

  • modified: (datetime)
  • name: (string)
  • notes: (string)

    Notes are the rule's user notes

  • owner: (string)
  • pagerduty: (object)

    PagerDutySettings contains the PagerDuty alert profile settings

    • enabled: (boolean)

      Enabled is PagerDuty provider enabled/disabled indicator

    • routingKey: (object)

      RoutingKey is the unique PagerDuty service id

      • encrypted: (string)
      • plain: (string)

        Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)

    • severity: (object)

      Severity is the PagerDuty's event severity

    • summary: (string)

      Summary is the PagerDuty's event summary

  • previousName: (string)

    PreviousName is the rule previous name, required for rule renaming

  • securityAdvisor: (object)

    SecurityAdvisor contains the IBM security advisor alert profile settings

    • auto: (boolean)

      Automatic means the configuration was automatically provisioned by security advisor, and only notes should be created

    • credentialID: (string)

      CredentialID is the IBM security advisor credential

    • enabled: (boolean)

      Enabled indicates whether the overbridge settings are enabled

    • findingsURL: (string)

      FindingsURL is the URL to which findings should be sent

    • providerId: (string)

      ProviderID is the configured providerID (default twistlock)

    • tokenURL: (string)

      TokenURL is the url from which security tokens should be fetched

  • securityCenter: (object)

    SecurityCenterSettings contains the security center alert profile settings

    • credentialId: (string)

      CredentialID is the Security Center authentication credentials id

    • enabled: (boolean)
    • sourceID: (string)

      SourceID is the google cloud security center organization source ID (used to construct security advisor findings)

  • securityHub: (object)

    SecurityHub contains the AWS security hub alert profile settings

    • accountID: (string)

      AccountID is the AWS account ID

    • credentialId: (string)

      CredentialID is the SecurityHub authentication credentials id

    • enabled: (boolean)

      Enabled indicates whether the overbridge settings are enabled

    • region: (string)

      Region is the overbridge region

    • roleArn: (string)

      RoleARN is the Amazon Resource Name (ARN) of the role to assume

    • useAWSRole: (boolean)

      UseAWSRole is a flag indicates if local IAM role should be used for authentication (username and password would are ignored)

  • serviceNow: (object)

    ServiceNowSettings contains the ServiceNow alert profile settings

    • application: (object)

      Application is the ServiceNow application this profile sends to

    • assignee: (string)

      Assignee is the ServiceNow user to whom will assign ServiceNow incidents\items

    • assignmentGroup: (string)

      AssignmentGroup is the ServiceNow group of users handling security incidents

    • auditPriority: (string)

      AuditPriority is the priority at which to set audit alerts in security incidents

    • caCert: (string)

      CA certificate for on-premise ssl (optional)

    • credentialID: (string)

      CredentialID is the ServiceNow authentication credentials id

    • enabled: (boolean)

      Enabled is the ServiceNow provider enabled/disabled indicator

    • project: (string)

      Project is the name of the prisma compute project that was used to generate this configuration. It's required as secondary consoles do not store their project name

    • securityIncidentBaseURL: (string)

      SecurityIncidentBaseURL is the ServiceNow address, used to send security incidents

    • vulnerabilityEndpointUrl: (string)

      VulnerabilityEndpointURL to report ServiceNow vulnerabilities, customer defined scripted REST API, see: https://docs.servicenow.com/bundle/orlando-application-development/page/integrate/custom-web-services/concept/c_CustomWebServices.html

  • slack: (object)

    SlackSettings contains the slack alert profile settings

    • channels: (string)
    • enabled: (boolean)
    • users: (string)
    • webhookUrl: (string)
  • webhook: (object)

    WebhookSettings contains the Webhook alert profile settings

    • caCert: (string)

      CACert is the certificate used to verify the server

    • credentialId: (string)

      CredentialID is the id of the basic authentication credential

    • enabled: (boolean)

      Enabled is Webhook provider enabled/disabled indicator

    • json: (string)

      Json is the custom json we send to the url

    • url: (string)

      URL is the Webhook address

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete

delete

Deletes an alert profile entry by name. In the request payload, specify the alert profile name. This method has no response data.

The following example curl command uses basic auth to delete an existing alert profile entry, where aqsa is an alert profile name which is being deleted.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/alert-profiles/aqsa

Minimum role required to access this endpoint: operator.

Deletes an alert profile entry by name. In the request payload, specify the alert profile name. This method has no response data.

The following example curl command uses basic auth to delete an existing alert profile entry, where aqsa is an alert profile name which is being deleted.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/alert-profiles/aqsa

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Audits

Retrieve audits from the Twistlock database. Twistlock creates and stores audit event records (audits) for all controls. Endpoints support a wide range of filtering options.

get

get

Retrieves all access audits. Twistlock records access audits every time a Docker Engine or Kubernetes command is run on a host protected by Defender. You can also configure Twistlock to record audits for any sudo or SSH commands that are executed on hosts protected Defender.

The following example command gives a list of ALL access audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/access

To get just the docker audits run it with type=docker parameter.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/access?type=docker

Minimum role required to access this endpoint: devSecOps.

get

get

Download all docker access audits into a CSV format file.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/access/download?type=docker > aqsa_audits.csv

Minimum role required to access this endpoint: devSecOps.

get

get

AdmissionAudits returns all admission audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

get

DownloadAdmissionAudits downloads the admission audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

get

AppEmbeddedAppFirewallAudits returns all embedded defender firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

get

DownloadAppEmbeddedAppFirewallAudits downloads the embedded defender firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

get

Retrieves all Cloud Native Application Firewall (CNAF) audits. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall. Click here to learn more about CNAF.

The following example uses basic auth to retrieve all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/app/container

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads all Cloud Native Application Firewall (CNAF) audits into CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall. Click here to learn more about CNAF.

The following example uses basic auth to download all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-container-audits.csv \
https://console:8083/api/v1/audits/firewall/app/container/download

Minimum role required to access this endpoint: devSecOps.

get

get

Retrieves all Cloud Native Application Firewall (CNAF) audits. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall. Click here to learn more about CNAF.

The following example uses basic auth to retrieve all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/app/host

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads all Cloud Native Application Firewall (CNAF) audits into CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall. Click here to learn more about CNAF.

The following example uses basic auth to download all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-host-audits.csv \
https://console:8083/api/v1/audits/firewall/app/host/download

Minimum role required to access this endpoint: devSecOps.

get

get

ServerlessAppFirewallAudits returns all serverless firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

get

DownloadServerlessAppFirewallAudits downloads the serverless firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This api call retrieves a list of incidents that are not acknowledged (not in archived state).

The following example uses basic auth to list incidents.

$ curl -k \
-u <USER> \
https://console:8083/api/v1/audits/incidents

Minimum role required to access this endpoint: devSecOps.

patch

patch

Use this call to acknowledge an incident and move it to Archived state. Incident ID of the incident you want to archive is required. You can get incident ID from the list of incidents in GET /api/v1/audits/incidents.

Note that you can undo this action by changing "true" to "false" in the following example.

The following example uses basic auth and PATCH method to acknowledge an incident

$ curl -k \
-u <USER> \
 https://aqsa-console:8083/api/v1/audits/incidents/acknowledge/5c76e18784bf4b7278d9a820 -d '{"acknowledged":true}'

Where 5c76e18784bf4b7278d9a820 is the incident ID

Minimum role required to access this endpoint: auditor.

Use this call to acknowledge an incident and move it to Archived state. Incident ID of the incident you want to archive is required. You can get incident ID from the list of incidents in GET /api/v1/audits/incidents.

Note that you can undo this action by changing "true" to "false" in the following example.

The following example uses basic auth and PATCH method to acknowledge an incident

$ curl -k \
-u <USER> \
 https://aqsa-console:8083/api/v1/audits/incidents/acknowledge/5c76e18784bf4b7278d9a820 -d '{"acknowledged":true}'

Where 5c76e18784bf4b7278d9a820 is the incident ID

Minimum role required to access this endpoint: auditor.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is internal id representation

  • accountID: (string)

    AccountID is the cloud account ID

  • acknowledged: (boolean)

    Acknowledged indicates that the incident has been acknowledged

  • app: (string)

    App represents the application that caused the incident

  • appID: (string)

    AppID is the application ID

  • category: (object)

    Category represents the incident category (for example: hostViolation, cryptoMiner). Range of acceptable values: portScanning, hijackedProcess, dataExfiltration, kubernetes, backdoorAdministrativeAccount, backdoorSSHAccess, cryptoMiner, lateralMovement, bruteForce, customRule, alteredBinary, suspiciousBinary, executionFlowHijackAttempt

  • collections: (string)

    Collections are collections to which this incident applies

  • containerID: (string)

    ContainerID is the container id that triggered the incident

  • containerName: (string)

    ContainerName is the container unique name

  • customRuleName: (string)

    CustomRuleName is the name of the custom runtime rule that triggered the incident

  • fqdn: (string)

    FQDN is the current hostname's full domain name

  • function: (string)

    Function is the name of the serverless function

  • hostname: (string)

    Hostname is the current hostname

  • imageID: (string)

    ImageID is the container image ID

  • imageName: (string)

    ImageName is the container image name

  • namespace: (string)

    Namespace is the k8s deployment namespace

  • profileID: (string)

    ProfileID is the profile id

  • region: (string)

    Region is the region of the serverless function

  • runtime: (string)

    Runtime is the runtime of the serverless function

  • serialNum: (integer)

    SerialNum is the serial number of the incident

  • shouldCollect: (boolean)

    ShouldCollect indicates this incident should be collected

  • time: (datetime)

    Time is the UTC time of the incident

  • type: (object)

    Type is the incident type (for example host, container). Range of acceptable values: host, container, function, appEmbedded

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This api call retrieves a list of incidents that are not acknowledged (not in archived state).

The following example uses basic auth to list incidents.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o incidents.csv \
https://console:8083/api/v1/audits/incidents/download

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide events from kubernetes if this integration is configured.

The following example uses basic auth to list all kubernetes events that are configured.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/kubernetes

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide events from kubernetes if this integration is configured.

The following example uses basic auth to download all kubernetes events that are configured.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o kubernetes-events.csv \
https://console:8083/api/v1/audits/kubernetes/download

Minimum role required to access this endpoint: devSecOps.

get

get

Changes to any settings (including previous and new values), changes to any rules (create, modify, or delete), and all logon activity (success and failure) are logged. These events are called management audits.

This call retrieves a list of all management audits that match the query.

The following example curl command uses basic auth to retrieve all management audits

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt

Minimum role required to access this endpoint: auditor.

get

get

Downloads a list of all management audits into CSV format.

The following example curl command uses basic auth to retrieve all management audits

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/download -o aqsa.csv

Minimum role required to access this endpoint: auditor.

get

get

Retrieves a list of management audit types found in your environment. These fields can be firther used as your queries to get management audit data.

The following example curl command uses basic auth to retrieve all management audit filters

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/filters

Minimum role required to access this endpoint: auditor.

delete get

delete

DeleteAppEmbeddedRuntimeAudits deletes all embedded defender runtime audits. Minimum role required to access this endpoint: operator.

get

AppEmbeddedRuntimeAudits returns all embedded defender audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

get

DownloadAppEmbeddedRuntimeAudits downloads the embedded defender audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

delete get

delete

Deletes all container runtime audits.

The following example curl command uses basic auth to delete all the audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/container

Minimum role required to access this endpoint: operator.

get

Twistlock records an audit every time a runtime sensor (process, network, file system, and system call) detects activity that deviates from the predictive model. This endpoint retrieves all container audits from the console Monitor > Runtime > Container Audits.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads the runtime container audit logs in csv format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container/download
> conatiner_audits.csv

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.

The following example uses basic auth to list these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/runtime/file-integrity

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.

The following example uses basic auth to download these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o file-integrity-events.csv \
https://console:8083/api/v1/audits/runtime/file-integrity/download

Minimum role required to access this endpoint: devSecOps.

delete get

delete

Deletes all host audits from the database.

The following example curl command uses basic auth to delete all host audits:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/host

Minimum role required to access this endpoint: operator.

get

Retrieves a list of all host audits that match the query.

The following example curl command uses basic auth to retrieve all host audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/host

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads the runtime host audit logs in csv format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_audits.csv \
https://<CONSOLE>:8083/api/v1/audits/runtime/host/download

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide audits for log inspection checks that are configured under host runtime rules.

The following example uses basic auth to list these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/runtime/log-inspection

Minimum role required to access this endpoint: devSecOps.

get

get

Twistlock can provide audits for log inspection checks that are configured under host runtime rules.

The following example uses basic auth to download these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o log-inspection.csv \
https://console:8083/api/v1/audits/incidents/runtime/log-inspection/download

Minimum role required to access this endpoint: devSecOps.

delete get

delete

This endpoint will delete all serverless runtime audits.

The following example curl command uses basic auth to delete the current audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/serverless

Minimum role required to access this endpoint: operator.

get

Returns scan reports in JSON format for any serverless functions you've configured Twistlock to scan.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless

Minimum role required to access this endpoint: devSecOps.

get

get

Returns scan reports in CSV format for any serverless functions you've configured Twistlock to scan.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o serverless-audits.csv
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless/download

Minimum role required to access this endpoint: devSecOps.

get

get

Returns all serverless filters in JSON format. These filters can be used in the base GET request as query parameters.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless/filters

Minimum role required to access this endpoint: devSecOps.

delete get

delete

Deletes all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/trust

Minimum role required to access this endpoint: operator.

get

Gets all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Downloads all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust/download

Minimum role required to access this endpoint: vulnerabilityManager.

Authenticate

Retrieve an access token using your credentials. Valid tokens are required to access the rest of the Twistlock API. The Twistlock API can also be accessed using basic auth.

post

post

Retrieves an access token using your username and password. By default, access tokens are valid for 24 hours.

The following example curl command retrieves a token for user 'admin' with password 'admin':

$ curl -k \
-H "Content-Type: application/json" \
-X POST \
-d \
'{
 "username":"admin",
 "password":"admin"
}' \
https://<CONSOLE>:8083/api/v1/authenticate

Minimum role required to access this endpoint: anyone.

Retrieves an access token using your username and password. By default, access tokens are valid for 24 hours.

The following example curl command retrieves a token for user 'admin' with password 'admin':

$ curl -k \
-H "Content-Type: application/json" \
-X POST \
-d \
'{
 "username":"admin",
 "password":"admin"
}' \
https://<CONSOLE>:8083/api/v1/authenticate

Minimum role required to access this endpoint: anyone.

Body

Media type: application/json

Type: object

Properties
  • password: (string)

    Password for Twistlock user

  • username: (string)

    Username for Twistlock user

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Properties
  • token: (string)

get

get

IdentityRedirectURL return the redirect url for Oauth/OpenID connect/Saml providers. Minimum role required to access this endpoint: none.

get

get

Renews an old (unexpired) access token by returning a new one.

The following example curl command retrieves a new access token:

$ curl -k \
-H "Authorization: Bearer <OLD_ACCESS_TOKEN> \
 https://<CONSOLE>:8083/api/v1/authenticate/renew

Minimum role required to access this endpoint: user.

Authenticate client

Retrieve an access token using a client certificate. Valid tokens are required to access the rest of the Twistlock API. Use this endpoint if your organization has rolled out multi-factor authentication built on x.509 certificates.

The Twistlock API can also be accessed using basic auth.

post

post

Retrieves an access token using a client certificate. This endpoint checks the supplied client certificate and authorizes the user based on the username in the certificate's CN or UPN field. By default, access tokens are valid for 24 hours.

The following example curl command retrieves a token using a client certificate:

$ curl -k \
-X POST \
--cert <CERT.PEM>
https://<CONSOLE>:8083/api/v1/authenticate-client

Where the certificate must be in PEM format, and the certificate file must consist of a private key and client certificate concatenated together. Minimum role required to access this endpoint: none.

Retrieves an access token using a client certificate. This endpoint checks the supplied client certificate and authorizes the user based on the username in the certificate's CN or UPN field. By default, access tokens are valid for 24 hours.

The following example curl command retrieves a token using a client certificate:

$ curl -k \
-X POST \
--cert <CERT.PEM>
https://<CONSOLE>:8083/api/v1/authenticate-client

Where the certificate must be in PEM format, and the certificate file must consist of a private key and client certificate concatenated together. Minimum role required to access this endpoint: none.

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Properties
  • role: (object)

    UserRole is the authenticated user role

  • token: (string)

    Token is the console authentication response token

Backups

Manage backup files.

get post

get

List returns the available backups. Minimum role required to access this endpoint: operator.

post

Backup invokes a mongo backup (dump) process. Minimum role required to access this endpoint: operator.

Backup invokes a mongo backup (dump) process. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete get patch post

delete

DeleteBackup deletes the given backup. Minimum role required to access this endpoint: admin.

get

DownloadBackup downloads the given backup file. Minimum role required to access this endpoint: operator.

patch

Renames the specified backup file. Minimum role required to access this endpoint: admin.

post

UploadBackup saves uploaded backup file. Minimum role required to access this endpoint: operator.

DeleteBackup deletes the given backup. Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

DownloadBackup downloads the given backup file. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Renames the specified backup file. Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

UploadBackup saves uploaded backup file. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Restore invokes a mongo restore process. Minimum role required to access this endpoint: admin.

Restore invokes a mongo restore process. Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Certificates

Manage client certificates. Users need client certificates to authenticate commands sent from the Docker client through Twistlock.

get

get

Downloads a script that installs a client certificate, client private key, and certificate authority certificate for the authenticated user.

The following example curl command uses basic auth to download and run the install script for your client certs:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/client-certs.sh | sh

Minimum role required to access this endpoint: user.

put

put

RotateCerts rotate the certificates in case of being close to expiration. Minimum role required to access this endpoint: admin.

get

get

Returns the server certificate bundle from the console.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/server-certs.sh | sh

Minimum role required to access this endpoint: operator.

Cloud

Find all the cloud-native services being used in your AWS, Azure, and Google Cloud accounts. Twistlock continuously monitors these accounts, detects when new services are added, and reports which services are unprotected.

get

get

Returns a list of all cloud compliance scan results.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Download all cloud scan data in CSV format.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-compliance.csv \
https://<CONSOLE>:8083/api/v1/cloud/compliance/download

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns a JSON object of the scan progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance/progress

Minimum role required to access this endpoint: vulnerabilityManager.

post

post

Initiates a new cloud compliance scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/scan

Minimum role required to access this endpoint: operator.

Initiates a new cloud compliance scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/scan

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Terminates a cloud compliance scan that's in progress..

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/stop

Minimum role required to access this endpoint: operator.

Terminates a cloud compliance scan that's in progress..

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/stop

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Returns a list of all cloud discovery scan results.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Download all cloud scan data in CSV format.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-discovery.csv \
https://<CONSOLE>:8083/api/v1/cloud/discovery/download

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns a JSON object of the scan progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery/progress

Minimum role required to access this endpoint: vulnerabilityManager.

post

post

Initiates a new cloud discovery scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/scan

Minimum role required to access this endpoint: operator.

Initiates a new cloud discovery scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/scan

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Terminates a cloud discovery scan that's in progress..

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/stop

Minimum role required to access this endpoint: operator.

Terminates a cloud discovery scan that's in progress..

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/stop

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

DiscoveredVMs returns discovered cloud VM instances. Minimum role required to access this endpoint: vulnerabilityManager.

Code repo scan reports

Scan reports for your GitHub repositories.

get

get

CodeRepos returns code repositories scan results. Minimum role required to access this endpoint: vulnerabilityManager.

get

get

DiscoverCodeRepos discovers the available repositories for a credential according to the given credential ID. Minimum role required to access this endpoint: operator.

get

get

DownloadCodeRepos downloads code repository scan results. Minimum role required to access this endpoint: vulnerabilityManager.

get

get

CodeRepoScanProgress returns the code repositories scan progress. Minimum role required to access this endpoint: vulnerabilityManager.

post

post

ScanCodeRepos triggers a scan for all code repositories. Minimum role required to access this endpoint: operator.

ScanCodeRepos triggers a scan for all code repositories. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

StopCodeReposScan stops the current active scan. Minimum role required to access this endpoint: operator.

StopCodeReposScan stops the current active scan. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

CodeReposWebhook handles events from code repositories. Minimum role required to access this endpoint: none.

CodeReposWebhook handles events from code repositories. Minimum role required to access this endpoint: none.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Collections

Group related resources (containers, images, hosts) together. Collections are predefined filters that let you segment your views in the Console UI and the Twistlock API.

get post

get

Retrieves the list of collections.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/collections"

Minimum role required to access this endpoint: auditor.

post

Creates a new collection. Any field left unspecified is assigned the value of "" (i.e. an emtpy string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d \
'{
 "name": "my collection",
 "color": "#ff0000",
 "description": "A test collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections

Minimum role required to access this endpoint: operator.

Creates a new collection. Any field left unspecified is assigned the value of "" (i.e. an emtpy string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d \
'{
 "name": "my collection",
 "color": "#ff0000",
 "description": "A test collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • accountIDs: (string)

    AccountIDs is a list of the cloud account IDs

  • appIDs: (string)

    AppIDs is a list of application IDs

  • clusters: (string)

    Clusters is a list of kubernetes cluster names

  • codeRepos: (string)

    CodeRepos is a list of remote code repositories

  • color: (object)

    Color is a color associated with this collection

  • containers: (string)
  • description: (string)

    Description is a free-text description of the collection

  • functions: (string)
  • hosts: (string)
  • images: (string)
  • labels: (string)
  • name: (string)

    Unique name associated with this collection

  • namespaces: (string)

    Namespaces are the k8s namespaces

  • system: (boolean)

    System indicates that this collection was created by the system (non user)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete put

delete

Deletes a collection from the system.

The following example curl command deletes a collection named my collection. Because spaces are considered unsafe characters in a URL, they must be encoded with the value %20.

$ curl -k \
-u <USER> \
-X DELETE \
"https://<CONSOLE>:8083/api/v1/collections/my%20collection"

Minimum role required to access this endpoint: operator.

put

Updates the parameters that define a given collection.

The following example curl command updates the parameters that define the collection named finance_group_app. In general, all parameters in your PUT request should be defined or redefined. Any field left unspecified is assigned the value of "" (i.e. an emtpy string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
 "name": "finance_group_app",
 "color": "#ff0000",
 "description": "A super cool collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections/test_collection

Minimum role required to access this endpoint: operator.

Deletes a collection from the system.

The following example curl command deletes a collection named my collection. Because spaces are considered unsafe characters in a URL, they must be encoded with the value %20.

$ curl -k \
-u <USER> \
-X DELETE \
"https://<CONSOLE>:8083/api/v1/collections/my%20collection"

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Updates the parameters that define a given collection.

The following example curl command updates the parameters that define the collection named finance_group_app. In general, all parameters in your PUT request should be defined or redefined. Any field left unspecified is assigned the value of "" (i.e. an emtpy string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
 "name": "finance_group_app",
 "color": "#ff0000",
 "description": "A super cool collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections/test_collection

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Properties
  • accountIDs: (string)

    AccountIDs is a list of the cloud account IDs

  • appIDs: (string)

    AppIDs is a list of application IDs

  • clusters: (string)

    Clusters is a list of kubernetes cluster names

  • codeRepos: (string)

    CodeRepos is a list of remote code repositories

  • color: (object)

    Color is a color associated with this collection

  • containers: (string)
  • description: (string)

    Description is a free-text description of the collection

  • functions: (string)
  • hosts: (string)
  • images: (string)
  • labels: (string)
  • name: (string)

    Unique name associated with this collection

  • namespaces: (string)

    Namespaces are the k8s namespaces

  • system: (boolean)

    System indicates that this collection was created by the system (non user)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Kubernetes auditing

get

get

GenerateAuditSinkConfig returns the audit sink configuration for integrating k8s audit sink with the Console,based upon https://kubernetes.io/docs/tasks/debug-application-cluster/audit/. Minimum role required to access this endpoint: auditor.

get

get

GenerateValidatingWebhookConfig returns a validating webhook configuration forintegrating k8s admission control with a Defender. Minimum role required to access this endpoint: operator.

Container scan reports

Container scan reports.

get

get

Retrieves all container scan reports.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

Example curl command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns an integer representing the number of containers in your environment.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/count

Minimum role required to access this endpoint: devOps.

get

get

Downloads all container scan reports in CSV format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/download
> container_report.csv

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns an array of strings containing all container names.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/names

Minimum role required to access this endpoint: devOps.

post

post

Re-scan all containers immediately. This endpoint returns the time that the scans were initiated.

The following example command uses curl and basic auth to force Twistlock to re-scan all containers:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/containers/scan

Minimum role required to access this endpoint: operator.

Re-scan all containers immediately. This endpoint returns the time that the scans were initiated.

The following example command uses curl and basic auth to force Twistlock to re-scan all containers:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/containers/scan

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Credentials

Management of Centrally Managed Credentials

get post

get

This endpoint will return a list in json format of the credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to return:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials

Minimum role required to access this endpoint: auditor.

post

This endpoint will allow for update of the credentials found with the app here Manage > Authentication > Credential Store

Create credentials.json file (example)

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

The following example curl command uses basic auth to update the checks:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--binary-data @credentials.json \
https://<CONSOLE>:8083/api/v1/credentials

Minimum role required to access this endpoint: operator.

This endpoint will allow for update of the credentials found with the app here Manage > Authentication > Credential Store

Create credentials.json file (example)

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

The following example curl command uses basic auth to update the checks:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--binary-data @credentials.json \
https://<CONSOLE>:8083/api/v1/credentials

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    ID is a unique name for the credential

  • accountGUID: (string)

    AccountGUID is the unique ID for an IBM Cloud account

  • accountID: (string)

    AccountID is the account identifier, e.g., username, access key, account GUID, etc

  • apiToken: (object)

    APIToken is token used to authenticate to GCP

    • encrypted: (string)
    • plain: (string)

      Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)

  • caCert: (string)

    CACert is the CA certificate used for cert-based auth

  • external: (boolean)

    External indicates if the credential is external

  • lastModified: (datetime)

    Modified represents the last time the credentials data changed

  • owner: (string)

    Owner represents the user who added/modified the credentials

  • secret: (object)

    Secret is the credential secret data

    • encrypted: (string)
    • plain: (string)

      Plain is the plain text value (remark: marshalling to JSON will be converted to encrypted value)

  • type: (object)

    Type is the cloud provider/external service the credentials are associated with. Range of acceptable values: aws, azure, gcp, ibmCloud, apiToken, githubToken, basic, dtr, kubeconfig, certificate

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete

delete

This endpoint will delete a specific credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to delete check with id "Sample":

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/credentials/Sample

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Minimum role required to access this endpoint: operator.

This endpoint will delete a specific credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to delete check with id "Sample":

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/credentials/Sample

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

This endpoint will return a list in json format of all the usages of credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to return:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials/Sample/usages

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Minimum role required to access this endpoint: auditor.

This endpoint will return a list in json format of all the usages of credentials found with the app here Manage > Authentication > Credential Store

The following example curl command uses basic auth to return:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials/Sample/usages

Below is an example of a credential that was added with the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Minimum role required to access this endpoint: auditor.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Properties
  • description: (string)

    Description is the resource description, e.g., repository name for registry scan

  • type: (object)

    Type is the usage type, e.g., registry scan, serverless scan. Range of acceptable values: Alert settings, Alert profile, Registry Scan, Serverless Scan, Cloud Scan, Secret Store, Serverless Auto-Deploy, Host Auto-deploy, VM Scan, Code Repository Scan

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Custom compliance checks

Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. Although Twistlock supports OpenSCAP and XCCDF, these frameworks are complicated, and they can be overkill when all you want to do is run a simple check. Twistlock lets you implement your own custom image checks with simple scripts.

A custom image check consists of a single script. The script’s exit code determines the result of the check, where 0 is pass and 1 is fail. Scripts are executed in the container’s default shell. For many Linux container images, the default shell is bash, but that’s not always the case. For Windows container images, the default shell is cmd.exe.

get put

get

This endpoint will return a list in json format of all the custom compliance checks found with the app here Defend > Compliance > Custom

The following example curl command uses basic auth to return:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/custom-compliance

An example returned json could be something similar to:

[
{
  "modified": "2019-03-07T17:01:12.355Z",
  "owner": "pierre",
  "name": "apitest",
  "previousName": "",
  "_id": 9000,
  "title": "apitest",
  "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
  "severity": "high"
}
]

Minimum role required to access this endpoint: ci.

put

This endpoint will allow for update of the custom compliance checks on page Defend > Compliance > Custom

Create custom_check.json file (example)

[
{
  "modified": "2019-03-07T17:01:12.355Z",
  "owner": "pierre",
  "name": "apitest",
  "previousName": "",
  "_id": 9000,
  "title": "apitest",
  "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
  "severity": "high"
}
]

The following example curl command uses basic auth to update the checks:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--binary-data @custom_check.json \
https://<CONSOLE>:8083/api/v1/custom-compliance

Minimum role required to access this endpoint: operator.

delete

delete

This endpoint will delete a specific custom compliance check on page Defend > Compliance > Custom

The following example curl command uses basic auth to delete check with id 9000:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/custom-compliance/9000

Minimum role required to access this endpoint: operator.

This endpoint will delete a specific custom compliance check on page Defend > Compliance > Custom

The following example curl command uses basic auth to delete check with id 9000:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/custom-compliance/9000

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

CVEs

Browse Twistlock's vulnerability database.

get

get

Retrieves CVEs from Twistlock's vulnernability database. Query the database by CVE ID. Partial matches are supported. A null response indicates that the CVE is not in our database.

The following example curl command queries the Twistlock database for CVE-2018-1102.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves?id=CVE-2018-1102

Minimum role required to access this endpoint: devOps.

get

get

Retrieves CVEs from the vulnerability database grouped into distribution where you will see a count for vulnerabilities per distribution.

The following example curl command uses basic auth to retrieve this data:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves/distribution

Minimum role required to access this endpoint: auditor.

Defenders

Manage Defender. Defender is Twistlock's security agent. In general, one Defender is deployed per node.

get

get

Lists all deployed Defenders.

The following command uses basic authorization to retrieve a list of all deployed Defenders along with metadata

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders

Minimum role required to access this endpoint: vulnerabilityManager.

post

post

EmbedAppEmbeddedDefender returns an augmented Dockerfile + embedded defender dependencies as a ZIP file. Minimum role required to access this endpoint: operator.

EmbedAppEmbeddedDefender returns an augmented Dockerfile + embedded defender dependencies as a ZIP file. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • appID: (string)

    AppID identifies the app that the embedded app defender defender is protecting

  • consoleAddr: (string)

    ConsoleAddr is the console address

  • dataFolder: (string)

    DataFolder is the path to the Twistlock data folder in the container

  • dockerfile: (string)

    Dockerfile is the Dockerfile to embed AppEmbedded defender into

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

GenerateDaemonSet generates the defender daemonset k8s yaml. Minimum role required to access this endpoint: operator.

GenerateDaemonSet generates the defender daemonset k8s yaml. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • cluster: (string)

    Cluster is the kubernetes cluster name

  • collectPodLabels: (boolean)

    CollectPodLabels indicates whether to collect pod related labels resource labels

  • consoleAddr: (string)

    ConsoleAddr is the console address for defender communication

  • containerizedHost: (boolean)

    ContainerizedHost indicates the host is containerized

  • credentialID: (string)

    CredentialID is the name of the credential used

  • cri: (boolean)

    CRI indicates defender uses CRI instead of docker

  • image: (string)

    Image is the full daemonset image name

  • istio: (boolean)

    MonitorIstio indicates whether to monitor Istio

  • namespace: (string)

    Namespace is the target deamonset namespaces

  • nodeSelector: (string)

    NodeSelector is a key/value node selector

  • orchestration: (string)

    Orchestration is the orchestration type

  • privileged: (boolean)

    Privileged indicates whether to run defenders as privileged

  • region: (string)

    Region is the kubernetes cluster location region

  • secretsname: (string)

    SecretName is the secret

  • selinux: (boolean)

    SelinuxEnforced indicates whether selinux is enforced on the target host

  • serviceaccounts: (boolean)

    MonitorServiceAccounts indicates whether to monitor service accounts

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Downloads information about deployed Defenders in CSV format. Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/download

Minimum role required to access this endpoint: auditor.

post

post

Returns a protected Fargate task definition given an unprotected task definition.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

Unprotected task definition in unprotected.json

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary "@unprotected.json"
--output protected.json
https://<CONSOLE>:8083/api/v1/defenders/fargate.json?consoleaddr=<HOSTNAME>&defenderType=appEmbedded

New Protected task will be in protected.json Minimum role required to access this endpoint: operator.

Returns a protected Fargate task definition given an unprotected task definition.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

Unprotected task definition in unprotected.json

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary "@unprotected.json"
--output protected.json
https://<CONSOLE>:8083/api/v1/defenders/fargate.json?consoleaddr=<HOSTNAME>&defenderType=appEmbedded

New Protected task will be in protected.json Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Query Parameters

  • consoleaddr: (string)

    consoleaddr is the remote console address

  • defenderType: (object)

    DefenderType is the type of the defender to create the install bundle for. Range of acceptable values: none, docker, dockerWindows, swarm, daemonset, serverLinux, serverWindows, cri, fargate, appEmbedded, pcf, serverless, dcos

  • interpreter: (string)

    Interpreter is a custom interpreter set by the user to run the fargate defender entrypoint script

Body

Media type: application/json

Type: object

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

DefenderHelmChart generates a defender helm chart. Minimum role required to access this endpoint: operator.

DefenderHelmChart generates a defender helm chart. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • cluster: (string)

    Cluster is the kubernetes cluster name

  • collectPodLabels: (boolean)

    CollectPodLabels indicates whether to collect pod related labels resource labels

  • consoleAddr: (string)

    ConsoleAddr is the console address for defender communication

  • containerizedHost: (boolean)

    ContainerizedHost indicates the host is containerized

  • credentialID: (string)

    CredentialID is the name of the credential used

  • cri: (boolean)

    CRI indicates defender uses CRI instead of docker

  • image: (string)

    Image is the full daemonset image name

  • istio: (boolean)

    MonitorIstio indicates whether to monitor Istio

  • namespace: (string)

    Namespace is the target deamonset namespaces

  • nodeSelector: (string)

    NodeSelector is a key/value node selector

  • orchestration: (string)

    Orchestration is the orchestration type

  • privileged: (boolean)

    Privileged indicates whether to run defenders as privileged

  • region: (string)

    Region is the kubernetes cluster location region

  • secretsname: (string)

    SecretName is the secret

  • selinux: (boolean)

    SelinuxEnforced indicates whether selinux is enforced on the target host

  • serviceaccounts: (boolean)

    MonitorServiceAccounts indicates whether to monitor service accounts

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Returns the full Docker image name for Defender.

Example: registry-auth.twistlock.com/tw_smbvukudjypnnrqmso0/twistlock/defender:defender_18_11_128

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/image-name

Minimum role required to access this endpoint: operator.

get

get

Returns the certsBundle that Defender needs to securely connect to Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/install-bundle?consoleaddr=<CONSOLEADDR>

Minimum role required to access this endpoint: defenderManager.

get

get

Retrieves a list of Defender hostnames that can be used as the {id} query parameter in other /api/v1/defenders endpoints.

Retrieve a list of all Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names

Retrieve a list of connected Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?connected

Retrieve a list of Defenders by type:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?type=<linux|windows|docker|...>

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

DownloadServerlessBundle returns a ZIP with serverless defender bundle. Minimum role required to access this endpoint: operator.

get

get

List the number of Defenders in each defender category.

The following command uses basic authorization to retrieve a summary of Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/summary

Minimum role required to access this endpoint: defenderManager.

post

post

Upgrades all connected single Linux Container Defenders.

This does not update cluster Container Defenders (such as Defender DaemonSets), Serverless Defenders, or Fargate Defenders. To upgrade cluster Container Defenders, reploy them. To upgrade Serverless and Fargate Defenders, re-embed them.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/upgrade

Minimum role required to access this endpoint: operator.

Upgrades all connected single Linux Container Defenders.

This does not update cluster Container Defenders (such as Defender DaemonSets), Serverless Defenders, or Fargate Defenders. To upgrade cluster Container Defenders, reploy them. To upgrade Serverless and Fargate Defenders, re-embed them.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/upgrade

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

delete

delete

Deletes a Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>

Minimum role required to access this endpoint: operator.

Deletes a Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Updates a deployed Defender's configuration.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"proxyListenerType": "tcp", "registryScanner":"<true|false>", "serverlessScanner":"<true|false>"}' \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/features

Minimum role required to access this endpoint: operator.

Updates a deployed Defender's configuration.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"proxyListenerType": "tcp", "registryScanner":"<true|false>", "serverlessScanner":"<true|false>"}' \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/features

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Properties
  • clusterMonitoring: (boolean)

    ClusterMonitoring determines whether the k8s or Istio cluster monitoring features are enabled

  • proxyListenerType: (object)

    ProxyListenerType determines whether the defender acts as a TCP proxy. Range of acceptable values: none, tcp, default

  • registryScanner: (boolean)

    RegistryScanner determines whether the defender is a registry scanner

HTTP status code 200

Success

Body

Media type: application/json

Type: object

Properties
  • category: (object)

    Category is the category of the defender type (host/container/serverless). Range of acceptable values: container, host, serverless, appEmbedded

  • certificateExpiration: (datetime)

    CertificateExpiration is the client's certificate expiry time

  • cloudMetadata: (object)

    CloudMetadata is the cloud provider metadata of the host

    • accountID: (string)

      AccountID is the cloud account ID

    • id: (string)

      ID is the instance unique ID

    • image: (string)

      Image is the image name

    • name: (string)

      Name is the instance name

    • provider: (object)

      Provider is the cloud provider (AWS/GCP/Azure). Range of acceptable values: aws, azure, gcp, others

    • region: (string)

      Region the instance region

    • type: (string)

      Type is the instance type

  • cluster: (string)

    Cluster is the provided cluster name (fallback is internal IP)

  • clusterID: (string)

    ClusterID is a unique ID generated for each daemon set, and used to group Defenders by clustersNote: Kubernetes does not provide a cluster name as part of its API

  • collections: (string)

    Collections are collections to which this defender applies

  • connected: (boolean)

    Connected indicates whether the defender is connected

  • features: (object)

    Features are feature that are enabled in the defender

    • clusterMonitoring: (boolean)

      ClusterMonitoring determines whether the k8s or Istio cluster monitoring features are enabled

    • proxyListenerType: (object)

      ProxyListenerType determines whether the defender acts as a TCP proxy. Range of acceptable values: none, tcp, default

    • registryScanner: (boolean)

      RegistryScanner determines whether the defender is a registry scanner

  • firewallProtection: (object)

    FirewallProtection describes the firewall protection status of app embedded defenders

    • enabled: (boolean)

      Enabled indicates that WAAS protection is enabled

    • supported: (boolean)

      Supported indicates that WAAS protection is supported

  • fqdn: (string)

    FQDN is the full domain name used in audit alerts to identify specific hosts

  • hostname: (string)

    Hostname is the defender hostname

  • lastModified: (datetime)

    LastModified is the last time the defender connectivity was modified

  • pcfClusterID: (string)

    PCFClusterID is the ID used to identify the PCF cluster of the defender. Typically will be the Cloud controller API address

  • remoteLoggingSupported: (boolean)

    RemoteLoggingSupported indicates if the defender logs can be retrieved from remote

  • remoteMgmtSupported: (boolean)

    RemoteMgmtSupported indicated if the defender can be remotely managed (upgrade, restart)

  • status: (object)

    Status is the feature status of the defender

    • lastModified: (datetime)

      Modified is the time the event was modified

  • systemInfo: (object)

    SystemInfo is the system information of the defender host

    • cpuCount: (integer)

      CPUCount is the CPU count on the defender host

    • freeDiskSpaceGB: (object)

      FreeDiskSpaceGB is the free disk space (in GB) on the defender host

    • kernelVersion: (string)

      KernelVersion is the kernel version on the defender host

    • memoryGB: (number)

      MemoryGB is the total memory (in GB) on the defender host

    • totalDiskSpaceGB: (object)

      TotalDiskSpaceGB is the total disk space (in GB) on the defender host

  • type: (object)

    Type is the type of the defender (registry scanner/kubernetes node/etc...). Range of acceptable values: none, docker, dockerWindows, swarm, daemonset, serverLinux, serverWindows, cri, fargate, appEmbedded, pcf, serverless, dcos

  • version: (string)

    Version is the agent version

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Restarts Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/restart

Minimum role required to access this endpoint: operator.

Restarts Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/restart

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

Upgrades Defender on <HOSTNAME>.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/upgrade

Minimum role required to access this endpoint: operator.

Upgrades Defender on <HOSTNAME>.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/upgrade

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Cortex XSOAR alerts

get

get

DemistoAlerts returns all alerts saved in DBREMARK: All alerts are removed from DB after calling this method. Minimum role required to access this endpoint: auditor.

Deployments

Manage Defender DaemonSet deployments.

get

get

Retrieves a list of deployed Defender DaemonSets. You must specify a credentialID, of type kubeconfig, which identifies your cluster and user. Credentials are managed in Console's credentials store (/api/v1/credentials).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets?credentialID=<CREDENTIAL NAME>

Minimum role required to access this endpoint: auditor.

post

post

Deploys a Defender DaemonSet to the cluster identified by credentialID. The credentialID, of type kubeconfig, must exist before calling this endpoint. It identifies the cluster's API server, user, and credentials.

Use the various request parameters to control the properties of the deployed DaemonSet.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{
    "credentialID": "",
    "consoleAddr": "",
    "namespace": "",
    "orchestration": "",
    "...":"..."
    }' \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets/deploy

Minimum role required to access this endpoint: operator.

Deploys a Defender DaemonSet to the cluster identified by credentialID. The credentialID, of type kubeconfig, must exist before calling this endpoint. It identifies the cluster's API server, user, and credentials.

Use the various request parameters to control the properties of the deployed DaemonSet.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{
    "credentialID": "",
    "consoleAddr": "",
    "namespace": "",
    "orchestration": "",
    "...":"..."
    }' \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets/deploy

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • cluster: (string)

    Cluster is the kubernetes cluster name

  • collectPodLabels: (boolean)

    CollectPodLabels indicates whether to collect pod related labels resource labels

  • consoleAddr: (string)

    ConsoleAddr is the console address for defender communication

  • containerizedHost: (boolean)

    ContainerizedHost indicates the host is containerized

  • credentialID: (string)

    CredentialID is the name of the credential used

  • cri: (boolean)

    CRI indicates defender uses CRI instead of docker

  • image: (string)

    Image is the full daemonset image name

  • istio: (boolean)

    MonitorIstio indicates whether to monitor Istio

  • namespace: (string)

    Namespace is the target deamonset namespaces

  • nodeSelector: (string)

    NodeSelector is a key/value node selector

  • orchestration: (string)

    Orchestration is the orchestration type

  • privileged: (boolean)

    Privileged indicates whether to run defenders as privileged

  • region: (string)

    Region is the kubernetes cluster location region

  • secretsname: (string)

    SecretName is the secret

  • selinux: (boolean)

    SelinuxEnforced indicates whether selinux is enforced on the target host

  • serviceaccounts: (boolean)

    MonitorServiceAccounts indicates whether to monitor service accounts

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

HostAutoDeployProgress returns the host auto-deploy progress. Minimum role required to access this endpoint: operator.

post

post

StartHostAutoDeploy starts a host auto-deploy. Minimum role required to access this endpoint: operator.

StartHostAutoDeploy starts a host auto-deploy. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

StopHostAutoDeploy stops the host auto-deploy auto-deploy scan. Minimum role required to access this endpoint: operator.

StopHostAutoDeploy stops the host auto-deploy auto-deploy scan. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

ServerlessAutoDeployProgress returns the serverless auto-deploy scan progress. Minimum role required to access this endpoint: operator.

post

post

StartServerlessAutoDeploy starts a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

StartServerlessAutoDeploy starts a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

post

post

StopServerlessAutoDeploy stops a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

StopServerlessAutoDeploy stops a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Custom feeds

Augment the Twistlock Intelligence Stream with your own custom threat data.

get put

get

Retrieves the list of vulnerabilities for internally developed packages.

These entries are used by the Twistlock scanner to detect vulnerable custom components (apps, libraries, etc) that were developed and packaged internally.

NOTE: When a vulnerable custom component is detected in an image, you must have a rule to tell Twistlock how to handle it. Vulnerability rules can be created in the Console UI or with the /api/v1/policies/cve endpoint. Create a vulnerability rule and set ID 412 (Image contains vulnerable custom components) to ignore, alert, or block.

The following example curl command retrieves the list of custom-defined vulnerabilities:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/custom-vulnerabilities

Minimum role required to access this endpoint: auditor.

put

Updates all custom vulnerability rules in a single shot.

The following example curl command defines a vulnerability for a library named internal-lib, where it's known that versions 1.1 to 1.8 are vulnerable.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
  {
    "_id": "",
    "package": "internal-lib",
    "type": "package",
    "minVersionInclusive": "1.1",
    "name": "internal-lib",
    "maxVersionInclusive": "1.8",
    "md5": ""
  }
]
}' \
https://<CONSOLE>:8083/api/v1/feeds/custom/custom-vulnerabilities

The procedure to maintain your custom vulnerabilities is:

  1. Get all custom vulnerability rules from the GET endpoint and save the results to a file.

    $ curl -k \
-u <USER> \
https://<CONSOLE>:8083/api/v1/feeds//custom/custom-vulnerabilities \
| jq '.' > custom_vulnerability_rules.json

  2. Add, modify, and/or delete rules by directly editing the JSON output.

  3. Update your rules by pushing the new JSON payload. Do not forget to specify the @ symbol.

    $ curl -k \
-u <USER> \
-X PUT \
-H "Content-Type:application/json" \
https://<CONSOLE>:8083/api/v1/custom/custom-vulnerabilities \
--data-binary "@custom_vulnerability_rules.json"

Any previously installed rules are overwritten with your new rules. Minimum role required to access this endpoint: operator.

get

get

Returns the unique digests for all custom vulnerability feeds configured in the console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/custom-vulnerabilities/digest

Minimum role required to access this endpoint: auditor.

get put

get

Retrieves the list of globally whitelisted CVEs.

The following example curl command retrieves a list of globally whitelisted CVEs:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/cve-allow-list

Minimum role required to access this endpoint: auditor.

put

Specifies a list of CVEs to globally whitelist. Any previously installed list is overwritten.

The following example command uses curl and basic auth to install a list of globally whitelisted CVEs.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
  {
    "cve": "CVE-2018-2222",
    "expiration": "2020-06-18T00:00:00Z"
  }
]
}' \
https://<CONSOLE>:8083/api/v1/feeds/custom/cve-allow-list

Minimum role required to access this endpoint: operator.

get

get

Returns the digest hash of the CVE allow lists you have configured in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/cve-allow-list/digest

Minimum role required to access this endpoint: auditor.

get put

get

Retrieves the custom list of blacklisted IP addresses.

The following example curl command retrieves the custom list of blacklisted IP addresses:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/ips

Minimum role required to access this endpoint: auditor.

put

Specifies a custom list of banned IP addresses.

Any previously installed list is overwritten.

The following example command uses curl and basic auth to install a custom list of banned IP addresses:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"name":"banned-ips", "feed":["193.171.1.1","193.171.1.2"]}' \
https://<CONSOLE>:8083/api/v1/feeds/custom/ips

Minimum role required to access this endpoint: operator.

get

get

Retrieves the digest from the list of suspicious or high risk IP endpoints configured in the console.

The following example curl command retrieves the list of digests:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/ips/digest

Minimum role required to access this endpoint: auditor.

get put

get

Retrieves the custom list of malware signatures.

The following example curl command retrieves the custom list of malware signatures:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/malware

Minimum role required to access this endpoint: auditor.

put

Specifies a custom list of malware signatures.

Any previously installed list is overwritten.

The following example command uses curl and basic auth to install a custom list of malware signatures.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"name": "malware-sigs",
"feed": [
  {
    "name": "dimaaa",
    "md5": "d4ba1008e7d97458fdd65deca2ba801b"
  },
  {
    "name": "emacs",
    "md5": "5ce9d1116755f827f5d1e06246dd30b9"
  }
]
}' \
https://<CONSOLE>:8083/api/v1/feeds/custom/malware

Minimum role required to access this endpoint: operator.

get

get

Retrieves the list of digest for all MD5 signatures of malicious executables under custom feeds.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/feeds/custom/malware/digest

Minimum role required to access this endpoint: auditor.

post

post

Triggers Console to refresh its data from the Intelligence Stream

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/feeds/offline/refresh

Minimum role required to access this endpoint: admin.

Triggers Console to refresh its data from the Intelligence Stream

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/feeds/offline/refresh

Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Forensics

The forensic endpoint will return data for host activities.

get

get

Retrieves all host activities that can be found on Monitor > Evenets > Host Activities

Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/forensic/activities

Minimum role required to access this endpoint: devSecOps.

get

get

Downloads all host activities that can be found on Monitor > Evenets > Host Activities

Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_activities.csv
https://<CONSOLE>:8083/api/v1/forensic/activities/download

Minimum role required to access this endpoint: devSecOps.

Groups

Manage (create, modify, delete) groups in the system. If you integrated OpenLDAP, AD, or SAML, you can re-use groups from there, and assign roles to them as appropriate. Otherwise, create Twistlock local groups to manage privileges for groups of users.

get post

get

Retrieves a list of all groups.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/groups \

Minimum role required to access this endpoint: auditor.

post

Adds a group to the system, or updates an existing one.

The following example command uses curl and basic auth to create a new group with two users. Note that the values for lastModified, owner, and _id do not need to be specified. They are automatically filled in by the system.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: admin.

Adds a group to the system, or updates an existing one.

The following example command uses curl and basic auth to create a new group with two users. Note that the values for lastModified, owner, and _id do not need to be specified. They are automatically filled in by the system.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    Id is the group name

  • groupId: (string)

    GroupId is used as a group identifier in Azure SAML identification process

  • groupName: (string)

    Name is the group name

  • lastModified: (datetime)

    Modified is the last modification time of the group

  • ldapGroup: (boolean)

    LdapGroup indicates whether group is an ldap group

  • microsegmentationAuthorizations: (object)

    MicrosegmentationAuthorizations is a set of authorization policies, microsegmentation data is fetched from microsegmentation api on-demand and not stored in the db

    • namespace: (string)

      Namespace is the authorized namespace

    • roles: (string)

      Roles are the authorized roles

  • oauthGroup: (boolean)

    OauthGroup indicates whether group is oauth group

  • oidcGroup: (boolean)

    OidcGroup indicates whether group is oidc group

  • owner: (string)

    Owner is the group owner

  • permissions: (object)

    Permissions is the set of projects the group's users is assigned to and the set of collections the user may access in each project

  • role: (object)

    Role is the group role

  • samlGroup: (boolean)

    SamlGroup indicates whether group is saml group

  • user: (object)

    Users are the users associated with the group

    • username: (string)

      Name is the user name

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Returns the names of all groups as strings in an array.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -X GET \
https://<CONSOLE>:8083/api/v1/groups/names \
-u <USER> \
-H 'Content-Type: application/json' \

Sample output:

[
  "admins",
  "secops",
  "devops",
  ""
]

Minimum role required to access this endpoint: auditor.

delete put

delete

Deletes a group from the system. The id's can be retrieved with a GET from the /group/ api endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: admin.

put

Adds or modifies a group from the system. The id's can be retrieved with a GET from the /group/ api endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: admin.

Deletes a group from the system. The id's can be retrieved with a GET from the /group/ api endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Adds or modifies a group from the system. The id's can be retrieved with a GET from the /group/ api endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

URI Parameters

  • id: required(string)

Body

Media type: application/json

Type: object

Properties
  • _id: (string)

    Id is the group name

  • groupId: (string)

    GroupId is used as a group identifier in Azure SAML identification process

  • groupName: (string)

    Name is the group name

  • lastModified: (datetime)

    Modified is the last modification time of the group

  • ldapGroup: (boolean)

    LdapGroup indicates whether group is an ldap group

  • microsegmentationAuthorizations: (object)

    MicrosegmentationAuthorizations is a set of authorization policies, microsegmentation data is fetched from microsegmentation api on-demand and not stored in the db

    • namespace: (string)

      Namespace is the authorized namespace

    • roles: (string)

      Roles are the authorized roles

  • oauthGroup: (boolean)

    OauthGroup indicates whether group is oauth group

  • oidcGroup: (boolean)

    OidcGroup indicates whether group is oidc group

  • owner: (string)

    Owner is the group owner

  • permissions: (object)

    Permissions is the set of projects the group's users is assigned to and the set of collections the user may access in each project

  • role: (object)

    Role is the group role

  • samlGroup: (boolean)

    SamlGroup indicates whether group is saml group

  • user: (object)

    Users are the users associated with the group

    • username: (string)

      Name is the user name

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Host scan reports

Host scan reports.

Twistlock scans the host machines in your container environment for CVEs and compliance issues. Scan reports are generated for any host running Defender.

get

get

Retrieves all host scan reports. A curl command to access this endpoint may resemble the following code snippet.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/hosts \

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Downloads all host scan reports in CSV format.

A curl command to access this endpoint may resemble the following code snippet:

curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/hosts/download \
> hosts_scan.csv

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns information about all deployed hosts.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/hosts/info \

Minimum role required to access this endpoint: vulnerabilityManager.

post

post

Re-scan all hosts immediately.

The following example command uses curl and basic auth to force Twistlock to re-scan all hosts

$ curl -k \
-u <USER> \
-X POST \
https://<CONSOLE>:8083/api/v1/hosts/scan

Minimum role required to access this endpoint: operator.

Re-scan all hosts immediately.

The following example command uses curl and basic auth to force Twistlock to re-scan all hosts

$ curl -k \
-u <USER> \
-X POST \
https://<CONSOLE>:8083/api/v1/hosts/scan

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Image scan reports

Image scan reports.

Note that the compliance issues in an image might be different (fewer) than those in a running instance of the image (i.e. a container).

get

get

Retrieves all image scan reports.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

The following example curl command uses basic auth to retrieve the compact scan report for all images:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/images"

The following example curl command uses basic auth to retrieve the compact scan report for the ubuntu image. The name query is synonymous with the "Search Images" field in the Console UI.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/images?name=https://<REPO-URL>/uqbuntu:latest&compact=true"

The following example curl command uses basic auth to retrieve the scan report for image with the matching sha256 hash:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/images?id=sha256:d461f1845c43105d7d686a9cfca9d73b0272b1dcd0381bf105276c978cb02832"

Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Downloads all image scan reports in CSV format.

The following command is particularly useful for developers. It takes an image ID as the input parameter, and generates a CSV file that lists all vulnerable packages in a given image, organized by layer, with both the affected and fixed versions.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/images/download?id=<IMAGE_ID>&layers=true" \
> images.csv

Where an example <IMAGE_ID> would be sha256:abd4f451ddb707c8e68a36d695456a515cdd6f9581b7a8348a380030a6fd7689. Minimum role required to access this endpoint: vulnerabilityManager.

get

get

Returns an array of strings containing image names.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/images/names

Minimum role required to access this endpoint: devOps.

get

get

Returns the status of image scanning at Monitor > Vulnerabilities > Images

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/images/progress

Minimum role required to access this endpoint: vulnerabilityManager.

post

post

Re-scan all images immediately. This endpoint returns the time that the scans were initiated.

The following example command uses curl and basic auth to force Twistlock to re-scan all images:

$ curl -k \
-u <USER> \
-X POST \
https://<CONSOLE>:8083/api/v1/images/scan

Minimum role required to access this endpoint: operator.

Re-scan all images immediately. This endpoint returns the time that the scans were initiated.

The following example command uses curl and basic auth to force Twistlock to re-scan all images:

$ curl -k \
-u <USER> \
-X POST \
https://<CONSOLE>:8083/api/v1/images/scan

Minimum role required to access this endpoint: operator.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Body

Media type: application/json

Type: object

Properties
  • hostname: (string)

    Hostname is the optional host name to scan

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

get

get

Download the Container Defender image for Linux platforms.

$ curl -k \
-u <USER> \
-H "Content-Type: application/octet-stream" \
-o twistlock_defender.tar.gz \
https://<CONSOLE>:8083/api/v1/images/twistlock_defender.tar.gz

Minimum role required to access this endpoint: defender manager.

get

get

DownloadAppEmbeddedDefender generates the embedded defender bundle and serves it to the user. Minimum role required to access this endpoint: operator.

get

get

Returns the the Twistlock Defender in as a layer that can be used in an AWS Lambda implementation.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H "Content-Type: application/octet-stream" \
-o twistlock_defender_layer.zip \
https://<CONSOLE>:8083/api/v1/images/twistlock_defender_layer.zip

Minimum role required to access this endpoint: operator.

Kubernetes

Kubernetes

post

post

This endpoint will trigger a Kubernetes scan.

The following example curl command uses basic auth to initiate this scan:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/kubernetes/scan

Minimum role required to access this endpoint: admin.

This endpoint will trigger a Kubernetes scan.

The following example curl command uses basic auth to initiate this scan:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/kubernetes/scan

Minimum role required to access this endpoint: admin.

Secured by basicAuth

Authenticate each request with a username and password.

Secured by jwtAccessToken

Authenticate each request with an access token. Request authorization and retrieve an access token using the /api/v1/authenticate endpoint.

Secured by basicAuth

Headers

  • Authorization: required(string)

    Used to send the Base64-encoded "username:password" credentials.

HTTP status code 401

Unauthorized. Either the provided username and password combination is invalid, or the user is not allowed to access the content provided by the requested URL.

Secured by jwtAccessToken

Headers

  • Authorization: required(string)

    When sending the access token in the Authorization header field, use the Bearer authentication scheme to transmit the access token.

    Example:

    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJkYXRhIjp7ImF1dGhUeXBlIjoiYmFzaWMiLCJ1c2VybmFtZSI6ImFkbWluIiwicm9sZSI6ImFkbWluIn0sImlhdCI6MTQ3NzQ5MTU4MywiZXhwIjoxNDc3NTc3OTgzfQ.X4ExX7bFWa4m_WXKImmLO9rYDmxnLrBnoAHAA-vulik

HTTP status code 401

Unauthorized. Bad parameters. Either the provided access token is invalid, the token is expired, or the user is not allowed to access the content provided by the requested URL.

Logs

Retrieve log messages from Console and Defender.

get

get

Retrieves the latest Console log messages.

The following example curl command retrieves the 10 latest Console log messages:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/logs/console?lines=10

Minimum role required to access this endpoint: auditor.

get

get

Retrieves the latest log messages for a given Defender. The Defender is specified by the host where it runs. You can retrieve the hostname for each Defender from the GET /api/v1/defenders endpoint.

The following example curl command retrieves the 10 log messages for the Defender that runs on worker.sandbox.internal. Note that you must quote the URL when running the following command. Otherwise the shell misinterprets the ampersand (&) as the end of the command, and puts the curl command in the background.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/logs/defender?lines=10&hostname=worker.sandbox.internal"

Minimum role required to access this endpoint: operator.

get

get

This endpoint will return the defender logs with tar.gz file extension given the hostname of the defender.

The hostname can be returned from the endpoint /defenders/names

The following example curl command uses basic auth to download the logs:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
-o defender_logs.tar.gz
https://<CONSOLE>:8083/api/v1/logs/defender/download?hostname={hostname}

Minimum role required to access this endpoint: operator.

get

get

This endpoint will return the system debug