Prisma Cloud: How to pull full JSON data like in Investigate via API
Objective
How to pull the full JSON event data via the API, identical to what Prisma Cloud -> Investigate returns for a query such as:
event from cloud.audit_logs where cloud.type = 'aws' AND operation IN ( 'StartInstance', 'StartInstances', 'StopInstance', 'StopInstances', 'CreateInstance', 'CreateInstances', 'TerminateInstances')
The above returns the following JSON in Investigate (account identifiers in this sample are largely masked; note that the raw event also carries principal and access-key identifiers, so exported payloads should be handled as sensitive data).
{
"eventID": "6dcc8909-5262-43d7-ad94-0f781a4f7882",
"readOnly": false,
"awsRegion": "us-east-1",
"eventName": "StartInstances",
"eventTime": "2022-08-28T06:21:54Z",
"eventType": "AwsApiCall",
"requestID": "736947c0-3b85-4a46-8c9b-72fa57ce54d5",
"resources": [
{
"resourceName": "i-066cf6c27e7c48540",
"resourceType": "AWS::EC2::Instance"
}
],
"userAgent": "cloud9.amazonaws.com",
"eventSource": "ec2.amazonaws.com",
"eventVersion": "1.08",
"userIdentity": {
"arn": "arn:aws:sts::************:assumed-role/AWSServiceRoleForAWSCloud9/aws-cloud9",
"type": "AssumedRole",
"accountId": "************",
"invokedBy": "cloud9.amazonaws.com",
"principalId": "AROAXZT577WUNTWBLEVKN:aws-cloud9",
"sessionContext": {
"attributes": {
"creationDate": "2022-08-28T06:21:54Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {
"arn": "arn:aws:iam::************:role/aws-service-role/cloud9.amazonaws.com/AWSServiceRoleForAWSCloud9",
"type": "Role",
"userName": "AWSServiceRoleForAWSCloud9",
"accountId": "************",
"principalId": "AROAXZT577WUNTWBLEVKN"
},
"webIdFederationData": {}
}
},
"eventCategory": "Management",
"managementEvent": true,
"sourceIPAddress": "cloud9.amazonaws.com",
"responseElements": {
"requestId": "736947c0-3b85-4a46-8c9b-72fa57ce54d5",
"instancesSet": {
"items": [
{
"instanceId": "i-066cf6c27e7c48540",
"currentState": {
"code": 0,
"name": "pending"
},
"previousState": {
"code": 80,
"name": "stopped"
}
}
]
}
},
"requestParameters": {
"instancesSet": {
"items": [
{
"instanceId": "i-066cf6c27e7c48540"
}
]
}
},
"recipientAccountId": "536061410728"
}
Environment
- Prisma Cloud
Procedure
In order to do this, say for event-based RQLs, one will need to make multiple API calls, as follows:
The first payload is the most important; this is how it looks using the RQL mentioned above (the `False` in the example is a Python literal — the JSON request body sent on the wire must use `false`, as the response below shows):
"heuristicSearch": False,
"filters": [],
"limit": 100,
"sort": [
{
"direction": "desc",
"field": "time"
}
],
"query": "event from cloud.audit_logs where cloud.accountgroup = 'Desired Account Group' AND operation IN ('StartInstance', 'StartInstances', 'StopInstance', 'StopInstances', 'CreateInstance', 'CreateInstances', 'TerminateInstances')",
"timeRange": {
"type": "relative",
"value": {
"unit": "week",
"amount": 1
},
"relativeTimeType": "BACKWARD"
}
Making the first call with the above payload should return the following:
{
"cloudType": "all",
"id": "5874181c-5167-4a67-9d88-b5afd4abfd35",
"name": "",
"description": "",
"searchType": "audit_event",
"saved": false,
"timeRange": {
"type": "relative",
"value": {
"unit": "week",
"amount": 1
},
"relativeTimeType": "BACKWARD"
},
"query": "event from cloud.audit_logs where cloud.accountgroup = 'jScheel Account Group' AND operation IN ('StartInstance', 'StartInstances', 'StopInstance', 'StopInstances', 'CreateInstance', 'CreateInstances', 'TerminateInstances')",
"heuristicSearch": false,
"preview": false,
"data": {
"totalRows": 4,
"items": [
{
"account": "************",
"regionId": 1,
"eventTs": 1661667714000,
"subject": "aws-cloud9",
"type": "UPDATE",
"source": "ec2.amazonaws.com",
"name": "StartInstances",
"id": 47116505,
"accessKeyUsed": false,
"role": "AWSServiceRoleForAWSCloud9",
"cityId": -3,
"cityName": "Internal",
"stateId": -3,
"stateName": "Internal",
"countryId": -3,
"countryName": "Internal",
"cityLatitude": -1,
"cityLongitude": -1,
"success": true,
"internal": false,
"dynamicData": {},
"location": "Internal",
"accountName": "Desired AWS Account",
"regionName": "AWS Virginia"
},
{
"account": "************",
"regionId": 1,
"eventTs": 1661660467000,
"subject": "aws-cloud9",
"type": "UPDATE",
"source": "ec2.amazonaws.com",
"name": "StartInstances",
"id": 47116478,
"accessKeyUsed": false,
"role": "AWSServiceRoleForAWSCloud9",
"cityId": -3,
"cityName": "Internal",
"stateId": -3,
"stateName": "Internal",
"countryId": -3,
"countryName": "Internal",
"cityLatitude": -1,
"cityLongitude": -1,
"success": true,
"internal": false,
"dynamicData": {},
"location": "Internal",
"accountName": "Desired AWS Account",
"regionName": "AWS Virginia"
},
{
"account": "************",
"regionId": 1,
"eventTs": 1661657513000,
"subject": "aws-cloud9",
"type": "UPDATE",
"source": "ec2.amazonaws.com",
"name": "StartInstances",
"id": 47116473,
"accessKeyUsed": false,
"role": "AWSServiceRoleForAWSCloud9",
"cityId": -3,
"cityName": "Internal",
"stateId": -3,
"stateName": "Internal",
"countryId": -3,
"countryName": "Internal",
"cityLatitude": -1,
"cityLongitude": -1,
"success": true,
"internal": false,
"dynamicData": {},
"location": "Internal",
"accountName": "Desired AWS Account",
"regionName": "AWS Virginia"
},
{
"account": "************",
"regionId": 1,
"eventTs": 1661643778000,
"subject": "aws-cloud9",
"type": "UPDATE",
"source": "ec2.amazonaws.com",
"name": "StartInstances",
"id": 47116173,
"accessKeyUsed": false,
"role": "AWSServiceRoleForAWSCloud9",
"cityId": -3,
"cityName": "Internal",
"stateId": -3,
"stateName": "Internal",
"countryId": -3,
"countryName": "Internal",
"cityLatitude": -1,
"cityLongitude": -1,
"success": true,
"internal": false,
"dynamicData": {},
"location": "Internal",
"accountName": "Desired AWS Account",
"regionName": "AWS Virginia"
}
],
"heuristicSearch": false,
"preview": false
}
}
Note that each of the resources returned above has a value in the JSON that looks like:
"id": 47114942,
This is the 64-bit integer (int64_t) value you will use in the second API call to return the full JSON data of a specific resource.
Now, to make the second call, you just need to place that value in the URL as follows (the `api2` hostname shown is one API stack; use the API hostname that matches your own tenant):
url = "https://api2.prismacloud.io/search/event/raw/47114942"
Finally, after making the second API call you should see results as follows:
Look closely at the "rawEvent" key, as that is what contains the JSON shown in Investigate.
{
"account": "************",
"regionId": 3,
"eventTs": 1660950321000,
"subject": "jacob",
"type": "UPDATE",
"source": "ec2.amazonaws.com",
"name": "StopInstances",
"id": 47105820,
"rawEvent": {
"eventID": "af68902e-9fe2-4757-8822-43c83f26827e",
"readOnly": false,
"awsRegion": "us-west-1",
"eventName": "StopInstances",
"eventTime": "2022-08-19T23:05:21Z",
"eventType": "AwsApiCall",
"requestID": "c471c438-cab3-47db-8a94-a1287ffe6a8b",
"resources": [
{
"resourceName": "i-03b879fbae9633619",
"resourceType": "AWS::EC2::Instance"
}
],
"userAgent": "AWS Internal",
"eventSource": "ec2.amazonaws.com",
"eventVersion": "1.08",
"userIdentity": {
"arn": "arn:aws:iam::************:user/Jacob",
"type": "IAMUser",
"userName": "Jacob",
"accountId": "************",
"accessKeyId": "ASIAXZT577WULHFHUAF5",
"principalId": "AIDAXZT577WUDGNDJZPNP",
"sessionContext": {
"attributes": {
"creationDate": "2022-08-19T15:35:20Z",
"mfaAuthenticated": "false"
},
"sessionIssuer": {},
"webIdFederationData": {}
}
},
"eventCategory": "Management",
"managementEvent": true,
"sourceIPAddress": "AWS Internal",
"responseElements": {
"requestId": "c471c438-cab3-47db-8a94-a1287ffe6a8b",
"instancesSet": {
"items": [
{
"instanceId": "i-03b879fbae9633619",
"currentState": {
"code": 64,
"name": "stopping"
},
"previousState": {
"code": 16,
"name": "running"
}
}
]
}
},
"requestParameters": {
"force": false,
"instancesSet": {
"items": [
{
"instanceId": "i-03b879fbae9633619"
}
]
}
},
"recipientAccountId": "************",
"sessionCredentialFromConsole": "true"
},
"accessKeyUsed": false,
"cityId": -1,
"stateId": -1,
"countryId": -1,
"cityLatitude": -1,
"cityLongitude": -1,
"success": false,
"internal": false,
"dynamicData": {},
"location": ""
}
Additional Information
Prisma Cloud Search API Overview.