_Ping

Checks if the Console is alive, responsive, and reachable from your network host.

get

Checks if Console is reachable from your network host.

cURL Request

The following cURL command pings Console and prints the HTTP response code:

$ curl -k \
-s \
-o /dev/null \
-w "%{http_code}\n" \
-X GET \
https://<CONSOLE>/api/v1/_ping

Role

Minimum role required to access this endpoint: anyone.

Alert profiles

Manage alert profiles, which let you surface critical policy breaches by sending alerts to channels, such as email, Slack, and JIRA.

Alert profiles define which events should be sent to which channel. Each profile declares:

  • One or more recipients.
  • One or more triggers that raise alerts by sending messages on the configured channel.

get

Retrieve a list of all alert profiles created in the system.

The following example curl command uses basic auth to retrieve all alert profiles:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles

Role

Minimum role required to access this endpoint: auditor.

post

Update an existing alert profile created in the system.

The following example curl command uses basic auth to add a Jira Alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/alert-profiles \
-d '{
  "name": "jira",
  "_id": "jira",
  "jira": {
    "enabled": true,
    "projectKey": "TWIS",
    "issueType": "Task",
    "priority": "High",
    "labels": [],
    "assignee": ""
  },
  "policy": {
    "cve": {
      "enabled": true,
      "allRules": true,
      "rules": [],
      "clients": [
        "jira"
      ]
    }
  }
}'

Role

Minimum role required to access this endpoint: operator.
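
A pre-flight check for the profile structure described above (recipients plus triggers whose clients name a channel), written as an added example that is not part of the original documentation. It treats any top-level object carrying an "enabled" flag as a channel, an assumption generalised from the jira example, and reads allRules=false with an empty rules list as a trigger that selects nothing (also an assumption).

```python
import json

# The page's Jira profile (with its JSON corrected), embedded here as constructed sample input.
GOOD_PROFILE = json.loads("""
{
  "name": "jira",
  "_id": "jira",
  "jira": {"enabled": true, "projectKey": "TWIS", "issueType": "Task",
           "priority": "High", "labels": [], "assignee": ""},
  "policy": {
    "cve": {"enabled": true, "allRules": true, "rules": [], "clients": ["jira"]}
  }
}
""")


def channels(profile):
    """Map channel name -> enabled flag.

    Assumption: a channel (recipient) is any top-level object with a boolean "enabled"
    member; the page only shows the "jira" channel, other channels are assumed to share
    that shape. The "policy" object holds triggers and is skipped."""
    found = {}
    for key, value in profile.items():
        if key == "policy":
            continue
        if isinstance(value, dict) and isinstance(value.get("enabled"), bool):
            found[key] = value["enabled"]
    return found


def lint_alert_profile(profile):
    """Return a list of findings; an empty list means the profile is internally consistent.

    Checks: a name is present, at least one channel is enabled, at least one trigger is
    enabled, and every enabled trigger names only channels that exist and are enabled."""
    findings = []
    if not profile.get("name"):
        findings.append("profile has no name")

    chans = channels(profile)
    if not any(chans.values()):
        findings.append("no enabled channel (recipient)")

    policy = profile.get("policy") or {}
    enabled_triggers = 0
    for trigger, spec in policy.items():
        if not isinstance(spec, dict) or not spec.get("enabled"):
            continue
        enabled_triggers += 1
        clients = spec.get("clients") or []
        if not clients:
            findings.append(f"trigger '{trigger}' is enabled but lists no clients")
        for client in clients:
            if client not in chans:
                findings.append(f"trigger '{trigger}' references unknown channel '{client}'")
            elif not chans[client]:
                findings.append(f"trigger '{trigger}' references disabled channel '{client}'")
        # Assumption: with allRules=false the trigger fires only for the listed rules,
        # so an empty list would never raise an alert.
        if not spec.get("allRules") and not spec.get("rules"):
            findings.append(f"trigger '{trigger}' has allRules=false and no rules selected")
    if enabled_triggers == 0:
        findings.append("no enabled trigger under policy")
    return findings


if __name__ == "__main__":
    for finding in lint_alert_profile(GOOD_PROFILE) or ["profile is consistent"]:
        print(finding)
```

Run the check on the JSON you intend to POST before calling the /alert-profiles/test endpoint, so a trigger pointing at a disabled channel is caught locally instead of by a silent non-delivery.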

get

Retrieve a list of only the names of all alert profiles created in the system.

The following example curl command uses basic auth to retrieve all alert profiles' names:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/alert-profiles/names

Example Response:

[
  "jira",
  "aqsa vulns"
]

Role

Minimum role required to access this endpoint: auditor.

post

Sends a test alert to verify successful configuration of the alert profile settings.

The following example curl command uses basic auth to send a test alert for an email alert profile:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d <REQUEST-PAYLOAD> \
https://<CONSOLE>:8083/api/v1/alert-profiles/test

In this case, REQUEST-PAYLOAD is the full JSON-formatted alert profile as returned by the base GET command.

Role

Minimum role required to access this endpoint: operator.

delete

Deletes an alert profile entry by name. In the request payload, specify the alert profile name. This method has no response data.

The following example curl command uses basic auth to delete an existing alert profile entry, where aqsa is the name of the alert profile being deleted.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/alert-profiles/aqsa

Role

Minimum role required to access this endpoint: operator.

Audits

Retrieve audits from the Twistlock database. Twistlock creates and stores audit event records (audits) for all controls. Endpoints support a wide range of filtering options.

get

Retrieves all access audits. Twistlock records an access audit every time a Docker Engine or Kubernetes command is run on a host protected by Defender. You can also configure Twistlock to record audits for any sudo or SSH commands executed on hosts protected by Defender.

The following example command gives a list of ALL access audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/access

To get just the Docker audits, add the type=docker query parameter:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/access?type=docker

Role

Minimum role required to access this endpoint: devSecOps.

get

Download all docker access audits into a CSV format file.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/access/download?type=docker > aqsa_audits.csv

Role

Minimum role required to access this endpoint: devSecOps.

get

AdmissionAudits returns all admission audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

DownloadAdmissionAudits downloads the admission audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

AppEmbeddedAppFirewallAudits returns all embedded defender firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

DownloadAppEmbeddedAppFirewallAudits downloads the embedded defender firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

AppEmbeddedAppFirewallAuditTimeslice returns embedded firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.

get

Retrieves all Cloud Native Application Firewall (CNAF) container audits. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.

The following example uses basic auth to retrieve all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/app/container

Role

Minimum role required to access this endpoint: devSecOps.

get

Downloads all Cloud Native Application Firewall (CNAF) container audits in CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.

The following example uses basic auth to download all application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-container-audits.csv \
https://console:8083/api/v1/audits/firewall/app/container/download

Role

Minimum role required to access this endpoint: devSecOps.

get

ContainerAppFirewallAuditTimeslice returns container firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.

get

Retrieves all Cloud Native Application Firewall (CNAF) host audits. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.

The following example uses basic auth to retrieve all host application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/app/host

Role

Minimum role required to access this endpoint: devSecOps.

get

Downloads all Cloud Native Application Firewall (CNAF) host audits in CSV format. These are based on violations of CNAF policies defined under Defend > Firewalls > Cloud Native App Firewall.

The following example uses basic auth to download all host application firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnaf-host-audits.csv \
https://console:8083/api/v1/audits/firewall/app/host/download

Role

Minimum role required to access this endpoint: devSecOps.

get

HostAppFirewallAuditTimeslice returns host firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.

get

ServerlessAppFirewallAudits returns all serverless firewall audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

DownloadServerlessAppFirewallAudits downloads the serverless firewall audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

get

ServerlessAppFirewallAuditTimeslice returns serverless firewall audit buckets according to the query timeframe. Minimum role required to access this endpoint: devSecOps.

get

Retrieves all Cloud Native Network Firewall (CNNF) container audits.

Cloud Native Network Firewall (CNNF) is a Layer 3 container-aware virtual firewall that utilizes machine learning to identify valid traffic flows between app components and alert or block anomalous flows. CNNF works as an east-west firewall between containers. It limits damage by preventing attackers from moving laterally through your environment when they have already compromised one part of it.

$ curl -k \
-u <USER> \
https://<CONSOLE>:8083/api/v1/audits/firewall/network/container

Role

Minimum role required to access this endpoint: devSecOps.

get

Downloads all network firewall audits (CNNF) into a CSV file.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
-o cnnf_container_audits.csv \
https://<CONSOLE>:8083/api/v1/audits/firewall/network/container/download

Role

Minimum role required to access this endpoint: devSecOps.

get

Retrieves all Cloud Native Network Firewall (CNNF) host audits. These are based on violations of CNNF policies defined under Defend > Firewalls > Cloud Native Network Firewall.

The following example uses basic auth to retrieve all host network firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/firewall/network/host

Role

Minimum role required to access this endpoint: devSecOps.

get

Downloads all Cloud Native Network Firewall (CNNF) host audits in CSV format. These are based on violations of CNNF policies defined under Defend > Firewalls > Cloud Native Network Firewall.

The following example uses basic auth to download all host network firewall audits.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cnnf-host-audits.csv \
https://console:8083/api/v1/audits/firewall/network/host/download

Role

Minimum role required to access this endpoint: devSecOps.

get

Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This api call retrieves a list of incidents that are not acknowledged (not in archived state).

The following example uses basic auth to list incidents.

$ curl -k \
-u <USER> \
https://console:8083/api/v1/audits/incidents

Role

Minimum role required to access this endpoint: devSecOps.

patch

Use this call to acknowledge an incident and move it to the Archived state. The ID of the incident you want to archive is required; you can get it from the list of incidents returned by GET /api/v1/audits/incidents.

Note that you can undo this action by changing "true" to "false" in the following example.

The following example uses basic auth and the PATCH method to acknowledge an incident:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PATCH \
-d '{"acknowledged":true}' \
https://aqsa-console:8083/api/v1/audits/incidents/acknowledge/5c76e18784bf4b7278d9a820

Where 5c76e18784bf4b7278d9a820 is the incident ID.

Role

Minimum role required to access this endpoint: auditor.

get

Twistlock analyzes individual audits and correlates them together to surface unfolding attacks. These chains of related audits are called incidents. This API call downloads the incidents that are not acknowledged (not in archived state) in CSV format.

The following example uses basic auth to download incidents as a CSV file.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o incidents.csv \
https://console:8083/api/v1/audits/incidents/download

Role

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide events from Kubernetes if this integration is configured.

The following example uses basic auth to list all collected Kubernetes events.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/kubernetes

Role

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide events from Kubernetes if this integration is configured.

The following example uses basic auth to download all collected Kubernetes events as a CSV file.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o kubernetes-events.csv \
https://console:8083/api/v1/audits/kubernetes/download

Role

Minimum role required to access this endpoint: devSecOps.

get

Changes to any settings (including previous and new values), changes to any rules (create, modify, or delete), and all logon activity (success and failure) are logged. These events are called management audits.

This call retrieves a list of all management audits that match the query.

The following example curl command uses basic auth to retrieve all management audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt

Role

Minimum role required to access this endpoint: auditor.

get

Downloads a list of all management audits into CSV format.

The following example curl command uses basic auth to download all management audits to a CSV file:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/download -o aqsa.csv

Role

Minimum role required to access this endpoint: auditor.

get

Retrieves a list of management audit types found in your environment. These fields can be further used in your queries to get management audit data.

The following example curl command uses basic auth to retrieve all management audit filters:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/mgmt/filters

Role

Minimum role required to access this endpoint: auditor.

delete

DeleteAppEmbeddedRuntimeAudits deletes all embedded defender runtime audits. Minimum role required to access this endpoint: operator.

get

AppEmbeddedRuntimeAudits returns all embedded defender audits according to the query specification. Minimum role required to access this endpoint: devSecOps.

get

DownloadAppEmbeddedRuntimeAudits downloads the embedded defender audits according to the specified query. Minimum role required to access this endpoint: devSecOps.

delete

Deletes all container runtime audits.

The following example curl command uses basic auth to delete all the audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/container

Role

Minimum role required to access this endpoint: operator.

get

Twistlock records an audit every time a runtime sensor (process, network, file system, and system call) detects activity that deviates from the predictive model. This endpoint retrieves all container audits shown in Console under Monitor > Runtime > Container Audits.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container

Role

Minimum role required to access this endpoint: devSecOps.

get

Downloads the runtime container audit logs in csv format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/container/download \
> container_audits.csv

Role

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.

The following example uses basic auth to list these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/runtime/file-integrity

Role

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide audits for file-integrity checks that are configured under host runtime rules.

The following example uses basic auth to download these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o file-integrity-events.csv \
https://console:8083/api/v1/audits/runtime/file-integrity/download

Role

Minimum role required to access this endpoint: devSecOps.

delete

Deletes all host audits from the database.

The following example curl command uses basic auth to delete all host audits:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/host

Role

Minimum role required to access this endpoint: operator.

get

Retrieves a list of all host audits that match the query.

The following example curl command uses basic auth to retrieve all host audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/runtime/host

Role

Minimum role required to access this endpoint: devSecOps.

get

Downloads the runtime host audit logs in csv format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_audits.csv \
https://<CONSOLE>:8083/api/v1/audits/runtime/host/download

Role

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide audits for log inspection checks that are configured under host runtime rules.

The following example uses basic auth to list these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://console:8083/api/v1/audits/runtime/log-inspection

Role

Minimum role required to access this endpoint: devSecOps.

get

Twistlock can provide audits for log inspection checks that are configured under host runtime rules.

The following example uses basic auth to download these audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o log-inspection.csv \
https://console:8083/api/v1/audits/runtime/log-inspection/download

Role

Minimum role required to access this endpoint: devSecOps.

delete

This endpoint will delete all serverless runtime audits.

The following example curl command uses basic auth to delete the current audits:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/runtime/serverless

Role

Minimum role required to access this endpoint: operator.

get

Returns scan reports in JSON format for any serverless functions you've configured Twistlock to scan.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless 

Role

Minimum role required to access this endpoint: devSecOps.

get

Returns scan reports in CSV format for any serverless functions you've configured Twistlock to scan.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o serverless-audits.csv \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless/download

Role

Minimum role required to access this endpoint: devSecOps.

get

Returns all serverless filters in JSON format. These filters can be used in the base GET request as query parameters.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://CONSOLE_ADDRESS:PORT/api/v1/audits/runtime/serverless/filters

Role

Minimum role required to access this endpoint: devSecOps.

delete

Deletes all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/audits/trust

Role

Minimum role required to access this endpoint: operator.

get

Gets all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

Downloads all the trust audits from the events page in Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/audits/trust/download

Role

Minimum role required to access this endpoint: vulnerabilityManager.

Authenticate

Retrieves an access token using your credentials. Valid tokens are required to access the rest of the Prisma Cloud Compute API.

Note: The Prisma Cloud Compute API can also be accessed using basic auth.

post

Retrieves an access token using your username and password. By default, access tokens are valid for 24 hours.

cURL Request

The following cURL command retrieves a token for user admin with password password.

$ curl -k \
-H "Content-Type: application/json" \
-X POST \
-d \
'{
 "username":"admin",
 "password":"password"
}' \
https://<CONSOLE>/api/v1/authenticate

Note: The username and password values are case-sensitive.

Response

A successful request returns the following JSON object containing the access token, which can be used for the rest of the API endpoints.

{"token": "ACCESS_TOKEN_VALUE"}

Role

Minimum role required to access this endpoint: anyone.

get

IdentityRedirectURL returns the redirect URL for the given authentication provider. Minimum role required to access this endpoint: none.

get

Renews an old (unexpired) access token and returns a new token.

cURL Request

The following cURL command retrieves a new access token using an old access token.

$ curl -k \
-H "Authorization: Bearer <OLD_ACCESS_TOKEN>" \
 https://<CONSOLE>/api/v1/authenticate/renew

Response

A successful request returns the following JSON object containing the new access token. This access token replaces the old access token.

{"token": "ACCESS_TOKEN_VALUE"}

Role

Minimum role required to access this endpoint: user.
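
The token flow described above (POST /api/v1/authenticate, then Bearer auth on later calls, then GET /api/v1/authenticate/renew before the 24-hour lifetime ends), as an added example that is not part of the original documentation. The Console address, the credentials and the 15-minute renewal margin are assumptions for illustration; the request builders are offline and only send() touches the network.

```python
import json
import ssl
import urllib.request

# Assumed Console address for this example; the page writes it as <CONSOLE>.
CONSOLE = "https://console.example.internal:8083"
# The page states that access tokens are valid for 24 hours by default.
TOKEN_TTL_SECONDS = 24 * 60 * 60


def authenticate_request(console, username, password):
    """Build POST /api/v1/authenticate with the JSON body the curl example sends.
    Username and password are case-sensitive, as the page notes."""
    body = json.dumps({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"{console}/api/v1/authenticate", data=body, method="POST")
    req.add_header("Content-Type", "application/json")
    return req


def renew_request(console, old_token):
    """Build GET /api/v1/authenticate/renew, presenting the still-valid token as Bearer."""
    req = urllib.request.Request(f"{console}/api/v1/authenticate/renew", method="GET")
    req.add_header("Authorization", f"Bearer {old_token}")
    return req


def bearer_request(console, path, token, method="GET", payload=None):
    """Build a request to any other endpoint using the token instead of basic auth."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(f"{console}{path}", data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    return req


def parse_token(body):
    """A successful authenticate or renew response is {"token": "..."}; anything else is an error."""
    doc = json.loads(body)
    token = doc.get("token") if isinstance(doc, dict) else None
    if not isinstance(token, str) or not token:
        raise ValueError("response carried no access token")
    return token


class TokenState:
    """Remember when a token was obtained so it is renewed before the 24h lifetime runs out.
    Renew only works on an unexpired token, so keep a safety margin (assumed: 15 minutes)."""

    def __init__(self, token, obtained_at, ttl=TOKEN_TTL_SECONDS, margin=15 * 60):
        self.token = token
        self.obtained_at = obtained_at
        self.ttl = ttl
        self.margin = margin

    def needs_renewal(self, now):
        return now >= self.obtained_at + self.ttl - self.margin

    def expired(self, now):
        return now >= self.obtained_at + self.ttl


def send(req, ca_bundle=None, timeout=30):
    """Send a request and return the body bytes. Pass the Console CA bundle so the
    certificate is verified, instead of mirroring curl -k, which skips verification."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    # Against a live Console the flow would be (assumed credentials and CA file):
    #   tok = parse_token(send(authenticate_request(CONSOLE, "admin", "password"), "ca.pem"))
    #   print(send(bearer_request(CONSOLE, "/api/v1/alert-profiles/names", tok), "ca.pem"))
    # Offline, show what the request builders produce:
    r = authenticate_request(CONSOLE, "admin", "password")
    print(r.get_method(), r.full_url, r.data)
    print(parse_token(b'{"token": "ACCESS_TOKEN_VALUE"}'))
```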

Authenticate client

Retrieve an access token using a client certificate. Valid tokens are required to access the rest of the Twistlock API. Use this endpoint if your organization has rolled out multi-factor authentication built on x.509 certificates.

The Twistlock API can also be accessed using basic auth.

post

Retrieves an access token using a client certificate. This endpoint checks the supplied client certificate and authorizes the user based on the username in the certificate's CN or UPN field. By default, access tokens are valid for 24 hours.

The following example curl command retrieves a token using a client certificate:

$ curl -k \
-X POST \
--cert <CERT.PEM> \
https://<CONSOLE>:8083/api/v1/authenticate-client

Where the certificate must be in PEM format, and the certificate file must consist of a private key and client certificate concatenated together.

Role

Minimum role required to access this endpoint: none.

Backups

Manage backup files.

get

List returns the available backups. Minimum role required to access this endpoint: operator.

post

Backup invokes a mongo backup (dump) process. Minimum role required to access this endpoint: operator.

delete

DeleteBackup deletes the given backup. Minimum role required to access this endpoint: admin.

get

DownloadBackup downloads the given backup file. Minimum role required to access this endpoint: operator.

patch

Renames the specified backup file.

Role

Minimum role required to access this endpoint: admin.

post

UploadBackup saves uploaded backup file. Minimum role required to access this endpoint: operator.

post

Restore invokes a mongo restore process. Minimum role required to access this endpoint: admin.

Certificates

Manage client certificates. Users need client certificates to authenticate commands sent from the Docker client through Twistlock.

get

Downloads a script that installs a client certificate, client private key, and certificate authority certificate for the authenticated user.

The following example curl command uses basic auth to download and run the install script for your client certs:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/client-certs.sh | sh

Role

Minimum role required to access this endpoint: user.

put

RotateCerts rotates the certificates when they are close to expiration. Minimum role required to access this endpoint: admin.

get

Returns the server certificate bundle from the console.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/certs/server-certs.sh | sh

Role

Minimum role required to access this endpoint: operator.

Cloud

Find all the cloud-native services being used in your AWS, Azure, and Google Cloud accounts. Twistlock continuously monitors these accounts, detects when new services are added, and reports which services are unprotected.

get

Returns a list of all cloud compliance scan results.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

Download all cloud scan data in CSV format.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-compliance.csv \
https://<CONSOLE>:8083/api/v1/cloud/compliance/download

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns a JSON object of the scan progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/compliance/progress

Role

Minimum role required to access this endpoint: vulnerabilityManager.

post

Initiates a new cloud compliance scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/scan

Role

Minimum role required to access this endpoint: operator.

post

Terminates a cloud compliance scan that's in progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/compliance/stop

Role

Minimum role required to access this endpoint: operator.

get

Returns a list of all cloud discovery scan results.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

Download all cloud scan data in CSV format.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o cloud-discovery.csv \
https://<CONSOLE>:8083/api/v1/cloud/discovery/download

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns a JSON object of the scan progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cloud/discovery/progress

Role

Minimum role required to access this endpoint: vulnerabilityManager.

post

Initiates a new cloud discovery scan.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/scan

Role

Minimum role required to access this endpoint: operator.

post

Terminates a cloud discovery scan that's in progress.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/cloud/discovery/stop

Role

Minimum role required to access this endpoint: operator.

get

DiscoveredVMs returns discovered cloud VM instances. Minimum role required to access this endpoint: vulnerabilityManager.

Code repo scan reports

Scan reports for your GitHub repositories.

get

CodeRepos returns code repositories scan results. Minimum role required to access this endpoint: vulnerabilityManager.

get

DiscoverCodeRepos discovers the available repositories for a credential according to the given credential ID. Minimum role required to access this endpoint: operator.

get

DownloadCodeRepos downloads code repository scan results. Minimum role required to access this endpoint: vulnerabilityManager.

get

CodeRepoScanProgress returns the code repositories scan progress. Minimum role required to access this endpoint: vulnerabilityManager.

post

ScanCodeRepos triggers a scan for all code repositories. Minimum role required to access this endpoint: operator.

post

StopCodeReposScan stops the current active scan. Minimum role required to access this endpoint: operator.

post

CodeReposWebhook handles events from code repositories. Minimum role required to access this endpoint: none.

Collections

Group related resources (containers, images, hosts) together. Collections are predefined filters that let you segment your views in the Console UI and the Twistlock API.

get

Retrieves the list of collections.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
"https://<CONSOLE>:8083/api/v1/collections"

Role

Minimum role required to access this endpoint: auditor.

post

Creates a new collection. Any field left unspecified is assigned the value of "" (i.e. an empty string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d \
'{
 "name": "my collection",
 "color": "#ff0000",
 "description": "A test collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections

Role

Minimum role required to access this endpoint: operator.

delete

Deletes a collection from the system.

The following example curl command deletes a collection named my collection. Because spaces are considered unsafe characters in a URL, they must be encoded with the value %20.

$ curl -k \
-u <USER> \
-X DELETE \
"https://<CONSOLE>:8083/api/v1/collections/my%20collection"

Role

Minimum role required to access this endpoint: operator.

put

Updates the parameters that define a given collection.

The following example curl command updates the parameters that define the collection named finance_group_app. In general, all parameters in your PUT request should be defined or redefined. Any field left unspecified is assigned the value of "" (i.e. an empty string).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
 "name": "finance_group_app",
 "color": "#ff0000",
 "description": "A super cool collection",
 "images": [
   "docker.io/library/hello-world:latest",
   "docker.io/library/ian_app:1.0"
 ],
 "hosts": [
   "*"
 ]
}' \
https://<CONSOLE>:8083/api/v1/collections/test_collection

Role

Minimum role required to access this endpoint: operator.

get

CollectionUsages returns all usages of the queried collection. Minimum role required to access this endpoint: auditor.

Kubernetes auditing

get

GenerateAuditSinkConfig returns the audit sink configuration for integrating the k8s audit sink with the Console, based upon https://kubernetes.io/docs/tasks/debug-application-cluster/audit/. Minimum role required to access this endpoint: auditor.

get

GenerateValidatingWebhookConfig returns a validating webhook configuration for integrating k8s admission control with a Defender. Minimum role required to access this endpoint: operator.

Container scan reports

Container scan reports.

get

Retrieves all container scan reports.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

Example curl command:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns an integer representing the number of containers in your environment.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/count

Role

Minimum role required to access this endpoint: devOps.

get

Downloads all container scan reports in CSV format.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/download \
> container_report.csv

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

Returns an array of strings containing all container names.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/containers/names

Role

Minimum role required to access this endpoint: devOps.

post

Re-scan all containers immediately. This endpoint returns the time that the scans were initiated.

The following example command uses curl and basic auth to force Twistlock to re-scan all containers:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/containers/scan

Role

Minimum role required to access this endpoint: operator.

Credentials

Management of Centrally Managed Credentials

get

Returns, in JSON format, the list of credentials stored in Console under Manage > Authentication > Credential Store.

The following example curl command uses basic auth to retrieve all credentials:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials

Role

Minimum role required to access this endpoint: auditor.

post

Creates or updates the credentials stored in Console under Manage > Authentication > Credential Store.

Create credentials.json file (example)

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

The following example curl command uses basic auth to post the credentials in the file:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary @credentials.json \
https://<CONSOLE>:8083/api/v1/credentials

Role

Minimum role required to access this endpoint: operator.

delete

Deletes a specific credential stored in Console under Manage > Authentication > Credential Store.

The following example curl command uses basic auth to delete the credential with id "Sample":

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/credentials/Sample

Below is an example of the credential with id "Sample", as listed by the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Role

Minimum role required to access this endpoint: operator.

get

Returns, in JSON format, all usages of a credential stored in Console under Manage > Authentication > Credential Store.

The following example curl command uses basic auth to retrieve the usages of the credential with id "Sample":

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/credentials/Sample/usages

Below is an example of the credential with id "Sample", as listed by the GET endpoint.

[
{
  "_id": "Sample",
  "type": "basic",
  "accountID": "username",
  "secret": {
    "plain": "password"
  }
}
]

Role

Minimum role required to access this endpoint: auditor.

Custom compliance checks

Custom image checks give you a way to write and run your own compliance checks to assess, measure, and enforce security baselines in your environment. Although Twistlock supports OpenSCAP and XCCDF, these frameworks are complicated, and they can be overkill when all you want to do is run a simple check. Twistlock lets you implement your own custom image checks with simple scripts.

A custom image check consists of a single script. The script’s exit code determines the result of the check, where 0 is pass and 1 is fail. Scripts are executed in the container’s default shell. For many Linux container images, the default shell is bash, but that’s not always the case. For Windows container images, the default shell is cmd.exe.
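A complete custom check written to the convention just described, as an added example that is not from the docs: it verifies the permissions and ownership of the account files using only POSIX sh and stat, so it runs in an image's default shell, and its exit status carries the verdict. The file paths and the 644/640 limits are this example's baseline, not values taken from the docs.

```shell
#!/bin/sh
# Added example of a Prisma Cloud Compute custom compliance check (not from the
# docs). It follows the documented convention, exit 0 = pass and exit 1 = fail,
# and uses only POSIX sh plus stat so it runs in an image's default shell.

# check_file_modes MAX_MODE FILE...
# Fails if a file is missing or carries any permission bit that MAX_MODE (octal,
# e.g. 644) does not allow. stat -c %a reports setuid/setgid/sticky as a leading
# digit (e.g. 4755), so those bits are caught as well.
check_file_modes() {
  max_mode=$1; shift
  rc=0
  for f in "$@"; do
    if [ ! -e "$f" ]; then
      echo "FAIL: $f does not exist"
      rc=1
      continue
    fi
    mode=$(stat -c %a "$f" 2>/dev/null) || { echo "FAIL: cannot stat $f"; rc=1; continue; }
    # Bits present in mode but absent from max_mode mean the file is too
    # permissive; the leading 0 makes the shell parse both values as octal.
    if [ $(( 0$mode & ~0$max_mode )) -ne 0 ]; then
      echo "FAIL: $f is mode $mode, policy allows at most $max_mode"
      rc=1
    fi
  done
  return $rc
}

# check_owner_uid UID FILE...
# Fails if a file is not owned by the numeric UID (0 = root).
check_owner_uid() {
  want=$1; shift
  rc=0
  for f in "$@"; do
    uid=$(stat -c %u "$f" 2>/dev/null) || { echo "FAIL: cannot stat $f"; rc=1; continue; }
    if [ "$uid" -ne "$want" ]; then
      echo "FAIL: $f is owned by uid $uid, expected $want"
      rc=1
    fi
  done
  return $rc
}

# The baseline this example enforces: account database world-readable but not
# writable, shadow file unreadable by others, everything owned by root. Every
# check runs even after an earlier failure so the Console reports all findings.
run_checks() {
  status=0
  check_file_modes 644 /etc/passwd /etc/group || status=1
  check_file_modes 640 /etc/shadow || status=1
  check_owner_uid 0 /etc/passwd /etc/group /etc/shadow || status=1
  [ "$status" -eq 0 ] && echo "PASS: account files meet the baseline"
  return "$status"
}

# Pasted into the Console as the check's script, the body ends with the line
# below so that the script's exit status is the verdict:
#   run_checks; exit $?
```

Because `stat -c %a` returns the mode as octal digits, the bitwise test accepts stricter modes (600 passes a 644 policy) and rejects any extra bit, including setuid.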

get

Returns, in JSON format, all custom compliance checks configured in Console under Defend > Compliance > Custom.

The following example curl command uses basic auth to retrieve all custom checks:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/custom-compliance

An example returned json could be something similar to:

[
{
  "modified": "2019-03-07T17:01:12.355Z",
  "owner": "pierre",
  "name": "apitest",
  "previousName": "",
  "_id": 9000,
  "title": "apitest",
  "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
  "severity": "high"
}
]

Role

Minimum role required to access this endpoint: ci.

put

Updates the custom compliance checks configured in Console under Defend > Compliance > Custom.

Create custom_check.json file (example)

[
{
  "modified": "2019-03-07T17:01:12.355Z",
  "owner": "pierre",
  "name": "apitest",
  "previousName": "",
  "_id": 9000,
  "title": "apitest",
  "script": "if [ $(stat -c %a /bin/busybox) -eq 755 ]; then\n echo 'test permission failure' && exit 1;\nfi",
  "severity": "high"
}
]

The following example curl command uses basic auth to update the checks:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
--data-binary @custom_check.json \
https://<CONSOLE>:8083/api/v1/custom-compliance

Role

Minimum role required to access this endpoint: operator.

delete

This endpoint will delete a specific custom compliance check on page Defend > Compliance > Custom

The following example curl command uses basic auth to delete check with id 9000:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/custom-compliance/9000

Role

Minimum role required to access this endpoint: operator.

CVEs

Browse Twistlock's vulnerability database.

get

Retrieves CVEs from Twistlock's vulnerability database. Query the database by CVE ID. Partial matches are supported. A null response indicates that the CVE is not in the database.

The following example curl command queries the Twistlock database for CVE-2018-1102.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves?id=CVE-2018-1102

Role

Minimum role required to access this endpoint: devOps.

get

Retrieves CVEs from the vulnerability database grouped by distribution, with a count of vulnerabilities per distribution.

The following example curl command uses basic auth to retrieve this data:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/cves/distribution

Role

Minimum role required to access this endpoint: auditor.

Defenders

Manage Defender. Defender is Twistlock's security agent. In general, one Defender is deployed per node.

get

Lists all deployed Defenders.

The following command uses basic auth to retrieve a list of all deployed Defenders along with their metadata:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders

Role

Minimum role required to access this endpoint: vulnerabilityManager.

post

EmbedAppEmbeddedDefender returns an augmented Dockerfile + embedded defender dependencies as a ZIP file. Minimum role required to access this endpoint: operator.

post

GenerateDaemonSet generates the defender daemonset k8s yaml. Minimum role required to access this endpoint: operator.

get

Downloads information about deployed Defenders in CSV format. Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/download

Role

Minimum role required to access this endpoint: auditor.

post

GenerateEcsTaskDefinition generates the defender ecs task definition json. Minimum role required to access this endpoint: operator.

post

Returns a protected Fargate task definition given an unprotected task definition.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

The unprotected task definition is read from unprotected.json:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
--data-binary "@unprotected.json" \
--output protected.json \
"https://<CONSOLE>:8083/api/v1/defenders/fargate.json?consoleaddr=<HOSTNAME>&defenderType=appEmbedded"

The new, protected task definition is written to protected.json.

Role

Minimum role required to access this endpoint: operator.

post

DefenderHelmChart generates a defender helm chart. Minimum role required to access this endpoint: operator.

get

Returns the full Docker image name for Defender.

Example: registry-auth.twistlock.com/tw_smbvukudjypnnrqmso0/twistlock/defender:defender_18_11_128

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/image-name

Role

Minimum role required to access this endpoint: operator.

get

Returns the certsBundle that Defender needs to securely connect to Console.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/install-bundle?consoleaddr=<CONSOLEADDR>

Role

Minimum role required to access this endpoint: defenderManager.

get

Retrieves a list of Defender hostnames that can be used as the {id} query parameter in other /api/v1/defenders endpoints.

Retrieve a list of all Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names

Retrieve a list of connected Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?connected

Retrieve a list of Defenders by type:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/names?type=<linux|windows|docker|...>

Role

Minimum role required to access this endpoint: vulnerabilityManager.

get

DownloadServerlessBundle returns a ZIP with serverless defender bundle. Minimum role required to access this endpoint: operator.

get

List the number of Defenders in each defender category.

The following command uses basic authorization to retrieve a summary of Defenders:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/defenders/summary

Role

Minimum role required to access this endpoint: defenderManager.

post

Upgrades all connected single Linux Container Defenders.

This does not update cluster Container Defenders (such as Defender DaemonSets), Serverless Defenders, or Fargate Defenders. To upgrade cluster Container Defenders, redeploy them. To upgrade Serverless and Fargate Defenders, re-embed them.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/upgrade

Role

Minimum role required to access this endpoint: operator.

delete

Deletes a Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X DELETE \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>

Role

Minimum role required to access this endpoint: operator.

post

Updates a deployed Defender's configuration.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"proxyListenerType": "tcp", "registryScanner":"<true|false>", "serverlessScanner":"<true|false>"}' \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/features

Role

Minimum role required to access this endpoint: operator.

post

Restarts Defender on a given host.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/restart

Role

Minimum role required to access this endpoint: operator.

post

Upgrades Defender on <HOSTNAME>.

<HOSTNAME> is a single list item from the /api/v1/defenders/names endpoint.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
https://<CONSOLE>:8083/api/v1/defenders/<HOSTNAME>/upgrade

Role

Minimum role required to access this endpoint: operator.

Deployments

Manage Defender DaemonSet deployments.

get

Retrieves a list of deployed Defender DaemonSets. You must specify a credentialID, of type kubeconfig, which identifies your cluster and user. Credentials are managed in Console's credentials store (/api/v1/credentials).

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets?credentialID=<CREDENTIAL NAME>

Role

Minimum role required to access this endpoint: auditor.

post

Deploys a Defender DaemonSet to the cluster identified by credentialID. The credentialID, of type kubeconfig, must exist before calling this endpoint. It identifies the cluster's API server, user, and credentials.

Use the various request parameters to control the properties of the deployed DaemonSet.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{
    "credentialID": "",
    "consoleAddr": "",
    "namespace": "",
    "orchestration": "",
    "...":"..."
    }' \
https://<CONSOLE>:8083/api/v1/deployment/daemonsets/deploy

Role

Minimum role required to access this endpoint: operator.

get

HostAutoDeployProgress returns the host auto-deploy progress. Minimum role required to access this endpoint: operator.

post

StartHostAutoDeploy starts a host auto-deploy. Minimum role required to access this endpoint: operator.

post

StopHostAutoDeploy stops the host auto-deploy scan. Minimum role required to access this endpoint: operator.

get

ServerlessAutoDeployProgress returns the serverless auto-deploy scan progress. Minimum role required to access this endpoint: operator.

post

StartServerlessAutoDeploy starts a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

post

StopServerlessAutoDeploy stops a serverless auto-deploy scan. Minimum role required to access this endpoint: operator.

Custom feeds

Augments the Prisma Cloud Compute Intelligence Stream with custom threat data. Enables you to expand the scope of threats and vulnerabilities that Prisma Cloud Compute can detect and report.

get

DownloadFeedsBundle creates and serves the intelligence feeds bundle. Minimum role required to access this endpoint: vulnerabilityManager.

put

UploadOfflineIntelligenceFeeds uploads the offline intelligence feeds bundle. Minimum role required to access this endpoint: operator.

get

Retrieves the list of custom vulnerabilities and associated rules for handling internally created or packaged apps.

This list is used by the Prisma Cloud Compute scanner to detect vulnerable custom components (apps, libraries, etc) that were developed and packaged internally.

Note: When a vulnerable custom component is detected in an image, you must have a rule to tell Twistlock how to handle it. Vulnerability rules can be created using the Console UI or with the /api/v1/vulnerability/<RESOURCE-TYPE> endpoint. See the /api/v1/vulnerability/<RESOURCE-TYPE> endpoint for more info.

cURL Request

The following cURL command retrieves a list of all the custom vulnerabilities and associated rules.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities

Response

A successful response will return a list of custom vulnerability rules and the associated digest:

{
  "_id": "customVulnerabilities",
  "rules": [
    {
      "_id": "<ID>",
      "package": "internal-lib",
      "type": "package",
      "minVersionInclusive": "1.1",
      "name": "internal-lib",
      "maxVersionInclusive": "1.8",
      "md5": ""
    }
  ],
  "digest": "<DIGEST>"
}

Role

Minimum role required to access this endpoint: auditor.

put

Simultaneously updates all the custom vulnerabilities and associated rules for handling internally created or packaged apps.

cURL Request

The following cURL command updates a vulnerability for a library named internal-lib, and specifies that its versions 1.1 to 1.8 are known to be vulnerable.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
  {
    "_id": "<ID>",
    "package": "internal-lib",
    "type": "package",
    "minVersionInclusive": "1.1",
    "name": "internal-lib",
    "maxVersionInclusive": "1.8",
    "md5": ""
  }
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities

Note: No response will be returned upon successful execution.

Maintain your Custom Vulnerabilities

We suggest you maintain your custom vulnerabilities using the following steps:

  1. Get all the custom vulnerability rules from the GET endpoint and save the results to a file.

Note: You will need jq to execute this command.

$ curl -k \
-u <USER> \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities \
| jq '.' > custom_vulnerability_rules.json

  2. Open the JSON file and add, modify, and/or delete the rules by directly editing the JSON output. For example:

{
  "_id": "customVulnerabilities",
  "rules": [
    {
      "_id": "<ID>",
      "package": "internal-lib",
      "type": "package",
      "minVersionInclusive": "1.1",
      "name": "internal-lib",
      "maxVersionInclusive": "1.8",
      "md5": ""
    }
  ],
  "digest": "97de7f27XXXXXXXXXX"
}

  3. Update the rules by pushing the new JSON payload. Note: Do not forget to specify the @ symbol.

$ curl -k \
-u <USER> \
-X PUT \
-H "Content-Type:application/json" \
-d @custom_vulnerability_rules.json \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities

  4. Run the cURL command for the GET /api/v1/feeds/custom/custom-vulnerabilities endpoint to confirm that the previously installed rules have been overwritten with your new rules.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities

Role

Minimum role required to access this endpoint: operator.

get

Returns the unique digest for the custom vulnerabilities and associated rules for handling internally created or packaged apps.

cURL Request

The following cURL command retrieves the digest for the configured custom vulnerabilities.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/custom-vulnerabilities/digest

A successful response will return the digest string. This is the same value as the digest property in the response of the GET /api/v1/feeds/custom/custom-vulnerabilities endpoint.

Role

Minimum role required to access this endpoint: auditor.

get

Retrieves the list of globally whitelisted Common Vulnerabilities and Exposures (CVE).

cURL Request

The following cURL command retrieves the globally whitelisted CVE list.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/cve-allow-list

Response

A successful response will return a CVE list that will be used for global whitelisting.

{
"_id":"cveAllowList",
"rules": [
{
    "cve": "CVE-2018-2222",
    "expiration": "2020-06-18T00:00:00Z"
}
],
"digest":"<DIGEST>"
}

Role

Minimum role required to access this endpoint: auditor.

put

Globally whitelists a set of Common Vulnerabilities and Exposures (CVE).

Note: Any previously installed lists are overwritten.

cURL Request

The following cURL command installs a globally whitelisted CVE list.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"rules": [
  {
    "cve": "CVE-2018-2222",
    "expiration": "2020-06-18T00:00:00Z"
  }
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/cve-allow-list

Note: No response will be returned upon successful execution.

To confirm the CVE list has been added to the global whitelist, invoke the GET /api/v1/feeds/custom/cve-allow-list endpoint.

Role

Minimum role required to access this endpoint: operator.

get

Retrieves the digest string for the Common Vulnerabilities and Exposures (CVE) allow list configured in Console.

cURL Request

The following cURL command retrieves the digest for the configured CVE allow list.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/cve-allow-list/digest

A successful response will return the digest string. This is the same value as the digest property in the response of the GET /api/v1/feeds/custom/cve-allow-list endpoint.

Role

Minimum role required to access this endpoint: auditor.

get

Retrieves the customized list of blacklisted suspicious or high-risk IP addresses.

cURL Request

The following cURL command retrieves the list of globally blacklisted suspicious or high-risk IP addresses.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/ips

Response

A successful response will return a list of suspicious or high-risk IP addresses that will be banned.

{
  "_id": "<ID>",
  "modified": "2020-11:00:00T00:00:01.62Z",
  "feed": ["193.171.1.1", "193.171.1.2"],
  "digest": "<DIGEST>"
}

Role

Minimum role required to access this endpoint: auditor.

put

Bans a custom list of suspicious or high-risk IP addresses.

Note: Any previously installed lists are overwritten.

cURL Request

The following cURL command installs a custom list of banned suspicious or high-risk IP addresses.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d '{"name":"banned-ips", "feed":["193.171.1.1","193.171.1.2"]}' \
https://<CONSOLE>/api/v1/feeds/custom/ips

Note: No response will be returned upon successful execution.

To confirm the IPs have been added to the ban list, invoke the GET /api/v1/feeds/custom/ips endpoint.

Role

Minimum role required to access this endpoint: operator.

get

Retrieves the digest string for the list of suspicious or high-risk IP addresses configured in Console.

cURL Request

The following cURL command retrieves the digest for the banned suspicious or high-risk IP addresses.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/ips/digest

A successful response will return the digest string. This is the same value as the digest property in the response of the GET /api/v1/feeds/custom/ips endpoint.

Role

Minimum role required to access this endpoint: auditor.

get

Retrieves the customized list of MD5 signatures of malicious executables.

cURL Request

The following cURL command retrieves the list of MD5 signatures of malicious executables.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/malware

Response

A successful response will return a list of MD5 signatures of malicious executables.

{
  "_id": "<ID>",
  "modified": "2020-11:00:00T00:00:01.62Z",
  "feed": [
    {
      "name": "dimaaa",
      "md5": "d4ba1008e7d97458fdd65deca2ba801b"
    },
    {
      "name": "emacs",
      "md5": "5ce9d1116755f827f5d1e06246dd30b9"
    }
  ],
  "digest": "<DIGEST>"
}

Role

Minimum role required to access this endpoint: auditor.

put

Creates a custom list of malware MD5 signatures of malicious executables.

Note: Any previously installed lists are overwritten.

cURL Request

The following cURL command installs a custom list of malware MD5 signatures of malicious executables.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d \
'{
"name": "malware-sigs",
"feed": [
  {
    "name": "dimaaa",
    "md5": "d4ba1008e7d97458fdd65deca2ba801b"
  },
  {
    "name": "emacs",
    "md5": "5ce9d1116755f827f5d1e06246dd30b9"
  }
]
}' \
https://<CONSOLE>/api/v1/feeds/custom/malware

Note: No response will be returned upon successful execution.

To confirm that the malware list has been installed (replacing any previous list), invoke the GET /api/v1/feeds/custom/malware endpoint.
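Building the body for this PUT from files on disk, as an added example that is not part of the docs: it hashes each sample with md5sum (falling back to md5 or openssl), validates the digests, emits the JSON the endpoint expects, and wraps the curl call shown above. The CONSOLE and PCC_USER environment variables, the malware-sigs feed name and the demo file names are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the Prisma Cloud Compute docs): build the request
# body for PUT /api/v1/feeds/custom/malware from a set of quarantined samples,
# then push it with the same curl call the docs show.

# file_md5 FILE -> prints the 32-hex-character MD5 of FILE.
# Tries the common tools in turn so the script works on GNU, BusyBox and macOS.
file_md5() {
  if command -v md5sum >/dev/null 2>&1; then
    md5sum "$1" | cut -d' ' -f1
  elif command -v md5 >/dev/null 2>&1; then
    md5 -q "$1"
  else
    openssl dgst -md5 "$1" | sed 's/.*= //'
  fi
}

# valid_md5 HEX -> true if HEX is exactly 32 lowercase hex characters, the only
# form the "md5" field of a feed entry may take.
valid_md5() {
  case "$1" in
    *[!0-9a-f]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# build_malware_feed NAME FILE... -> prints the JSON body
#   {"name": NAME, "feed": [{"name": <basename>, "md5": <digest>}, ...]}
# Entry names are the sample's basename. Names needing JSON escaping (quotes or
# backslashes) are skipped rather than escaped by hand.
build_malware_feed() {
  feed_name=$1; shift
  case "$feed_name" in
    *\"*|*\\*) echo "feed name must not contain quotes or backslashes" >&2; return 1 ;;
  esac
  out='{"name":"'"$feed_name"'","feed":['
  sep=''
  for f in "$@"; do
    base=${f##*/}
    case "$base" in
      *\"*|*\\*) echo "skipping $base: unsupported characters in name" >&2; continue ;;
    esac
    sum=$(file_md5 "$f") || return 1
    valid_md5 "$sum" || { echo "bad digest for $f: $sum" >&2; return 1; }
    out="$out$sep"'{"name":"'"$base"'","md5":"'"$sum"'"}'
    sep=','
  done
  printf '%s]}\n' "$out"
}

# push_malware_feed BODY_FILE -> the PUT from the docs; it overwrites the
# installed list. Assumes CONSOLE (host[:port]) and PCC_USER are exported;
# -k is kept only for parity with the docs' examples.
push_malware_feed() {
  : "${CONSOLE:?set CONSOLE to host[:port]}" "${PCC_USER:?set PCC_USER}"
  curl -k -u "$PCC_USER" -H 'Content-Type: application/json' -X PUT \
    --data-binary "@$1" "https://$CONSOLE/api/v1/feeds/custom/malware"
}

# Demo with constructed samples so the block runs offline; a real run would
# point build_malware_feed at a quarantine directory, e.g. /quarantine/*.
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/dropper.bin"
: > "$demo_dir/empty.bin"
build_malware_feed malware-sigs "$demo_dir/dropper.bin" "$demo_dir/empty.bin" > "$demo_dir/malware.json"
cat "$demo_dir/malware.json"
```

After `push_malware_feed "$demo_dir/malware.json"`, the digest endpoint below gives a cheap way to confirm the new list is the one installed.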

Role

Minimum role required to access this endpoint: operator.

get

Retrieves the digest string for all the MD5 signatures of malicious executables configured in Console.

cURL Request

The following cURL command retrieves the digest for the configured list for the MD5 signatures of malicious executables.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>/api/v1/feeds/custom/malware/digest

A successful response will return the digest string. This is the same value as the digest property in the response of the GET /api/v1/feeds/custom/malware endpoint.

Role

Minimum role required to access this endpoint: auditor.

put

ForceIntelligenceUpdate performs pushing/polling of intelligence feeds on demand. Minimum role required to access this endpoint: operator.

Forensics

The forensic endpoint will return data for host activities.

get

Retrieves all host activities that can be found on Monitor > Events > Host Activities.

Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/forensic/activities

Role

Minimum role required to access this endpoint: devSecOps.

get

Downloads, in CSV format, all host activities that can be found on Monitor > Events > Host Activities.

Use the query parameters to filter what data is returned.

$ curl -k \
-u <USER> \
-H 'Content-Type: text/csv' \
-X GET \
-o host_activities.csv \
https://<CONSOLE>:8083/api/v1/forensic/activities/download

Role

Minimum role required to access this endpoint: devSecOps.

Groups

Manage (create, modify, delete) groups in the system. If you integrated OpenLDAP, AD, or SAML, you can re-use groups from there, and assign roles to them as appropriate. Otherwise, create Twistlock local groups to manage privileges for groups of users.

get

Retrieves a list of all groups.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/groups

Role

Minimum role required to access this endpoint: auditor.

post

Adds a group to the system, or updates an existing one.

The following example command uses curl and basic auth to create a new group with two users. Note that the values for lastModified, owner, and _id do not need to be specified. They are automatically filled in by the system.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X POST \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups

Role

Minimum role required to access this endpoint: admin.

get

Returns the names of all groups as strings in an array.

A curl command to access this endpoint may resemble the following code snippet:

$ curl -k \
-X GET \
-u <USER> \
-H 'Content-Type: application/json' \
https://<CONSOLE>:8083/api/v1/groups/names

Sample output:

[
  "admins",
  "secops",
  "devops",
  ""
]

Role

Minimum role required to access this endpoint: auditor.

delete

Deletes a group from the system. Group ids can be retrieved with a GET from the /api/v1/groups endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-X DELETE \
https://<CONSOLE>:8083/api/v1/groups/<ID>

Role

Minimum role required to access this endpoint: admin.

put

Adds or modifies a group in the system. Group ids can be retrieved with a GET from the /api/v1/groups endpoint.

A call to this api endpoint may resemble the following code snippet:

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X PUT \
-d '{"groupName": "wonks", "user": [{"username": "ian"},{"username": "toad"}],"ldapGroup": false,"samlGroup": false,"role": "admin"}' \
https://<CONSOLE>:8083/api/v1/groups/<ID>

Role

Minimum role required to access this endpoint: admin.

/harbor

get

HarborScannerMetadata returns metadata of the PCC vulnerability scanner adapter for Harbor registry. See https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.

post

HarborScannerScan accepts an image vulnerability scan request from Harbor registry and submits it asynchronously. See https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.

get

HarborScannerInstanceReport returns the scan results of the requested scan via its ID. See https://editor.swagger.io/?url=https://raw.githubusercontent.com/goharbor/pluggable-scanner-spec/master/api/spec/scanner-adapter-openapi-v1.0.yaml. Minimum role required to access this endpoint: none.

Host scan reports

Host scan reports.

Twistlock scans the host machines in your container environment for CVEs and compliance issues. Scan reports are generated for any host running Defender.

get

Retrieves all host scan reports. A curl command to access this endpoint may resemble the following code snippet.

Note that the discovered field for each compliance finding (info > allCompliance > compliance > discovered) doesn't contain valid data and will be removed in a future release.

$ curl -k \
-u <USER> \
-H 'Content-Type: application/json' \
-X GET \
https://<CONSOLE>:8083/api/v1/hosts

Role

Minimum role required to access this endpoint: vulnerabilityManager.