Palo Alto Networks Prisma Cloud Workload Protect

the prisma cloud workload protect connector enables seamless integration with palo alto networks' cloud native security platform, allowing for automated security operations and threat management palo alto networks prisma cloud workload protect offers a comprehensive cloud native security platform that provides full lifecycle security and full stack protection for multi cloud environments by integrating with swimlane turbine, users can automate the management of user groups, scan hosts and images for vulnerabilities, and enforce security policies across their cloud workloads this connector streamlines security operations by enabling rapid response to threats and ensuring consistent security posture management prerequisites to utilize the palo alto networks prisma cloud workload protect connector, ensure you have the following prerequisites username and password authentication with the following parameters url endpoint url for prisma cloud api access username your prisma cloud account username password your prisma cloud account password version the version of the prisma cloud api you are targeting capabilities this connector provides the following capabilities add group delete group by id download app embedded defender download host scan results download image scan results download serverless layer bundle download vm image scan results get agentless scan progress get all ci image scan results get compliance stats get container scan results get defender names get defenders summary get deployed defenders get group names and so on notes for more information on palo alto prisma cloud is found at https //pan dev/prisma cloud/api/ https //pan dev/prisma cloud/api/cwpp/ configurations palo alto prisma cloud compute asset authenticates using username and password configuration parameters parameter description type required url a url to the target host string required username username string required password password string required version version string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions add group creates a new user group within palo alto networks prisma cloud workload protect using the provided json body endpoint url /groups method post input argument name type required description id string optional group name groupid string optional group identifier in the azure saml identification process groupname string optional group name lastmodified string optional datetime when the group was created or last modified ldapgroup boolean optional indicates if the group is an ldap group (true) or not (false) oauthgroup boolean optional indicates if the group is an oauth group (true) or not (false) oidcgroup boolean optional indicates if the group is an openid connect group (true) or not (false) owner string optional user who created or modified the group permissions array optional permissions is a list of permissions permissions collections array optional list of collections the user can access permissions project string optional names of projects which the user can access role string optional role of the group samlgroup boolean optional indicates if the group is a saml group (true) or not (false) user array optional users in the group user username string optional name of a user input example {"json body" {" id" "1759baf","groupid" "","groupname" "","lastmodified" "2024 06 14t05 48 06 114z","ldapgroup"\ true,"oauthgroup"\ true,"oidcgroup"\ true,"owner" "","permissions" \[{"collections" \[""],"project" ""}],"role" "","samlgroup"\ true,"user" \[{"username" ""}]}} output parameter type description status code number http status code of the response reason string response reason phrase success boolean whether the operation was successful output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"success"\ true}} delete group by id removes a specified group from palo alto networks prisma cloud workload protect using the unique id provided endpoint url /groups/{{id}} method delete input argument name type required description path parameters id string required parameters for the delete group by id action input example {"path parameters" {"id" "e89f1d5adf"}} output parameter type description status code number http status code of the response reason string response reason phrase status string status value output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"status" "deleted"}} download app embedded defender generates and provides the palo alto networks prisma cloud embedded defender bundle for user download endpoint url /images/twistlock defender app embedded tar gz method get output parameter type description status code number http status code of the response reason string response reason phrase status string status value output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"status" "downloaded "}} download host scan results download detailed host scan reports from palo alto networks prisma cloud workload protection for comprehensive security insights endpoint url /hosts/download method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters hostname array optional filters the result based on hostnames parameters distro array optional filters the result based on os distribution names parameters compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false parameters clusters array optional filters the result based on cluster names parameters complianceids array optional filters the result based on compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters agentless boolean optional retrieves the host names that were scanned by the agentless scanner parameters csa boolean optional filters only images scanned by csa parameters stopped boolean optional retrieves the host names that were skipped during an agentless scan default is false parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters uaiid string optional filters results by uaiid parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"hostname" \[""],"distro" \[""],"compact"\ false,"clusters" \[""],"complianceids" \[0],"compliancerulename" "","agentless"\ false,"csa"\ false,"stopped"\ false,"normalizedseverity"\ false,"uaiid" "","issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase file array output field file output example {"file" {"file data" "string","filename" "example name"}} download image scan results download detailed csv reports of image scans from palo alto networks prisma cloud workload protection endpoint url /images/download method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id array optional filters the result based on image ids parameters hostname array optional filters the result based on hostnames parameters repository array optional filters the result based on image repository names parameters registry array optional filters the result based on image registry names parameters fields array optional list of fields to retrieve parameters name array optional filters the result based on image names parameters layers boolean optional indicates whether the cves are mapped to a specific image layer default is false parameters filterbaseimage boolean optional indicates whether to filter the base image for vulnerabilities requires predefined base images that have already been scanned default is false parameters compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false parameters truststatuses array optional filters the result based on whether an image is trusted or not trusted by a trusted image policy parameters clusters array optional filters the result based on cluster names parameters complianceids array optional filters the result by compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters appembedded boolean optional filters the result based on whether the images are scanned by app embedded defenders default is false parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters agentless boolean optional indicates whether to retrieve host names that are scanned by agentless scanner default is false parameters csa boolean optional filters only images scanned by csa parameters uaiid string optional filters results by uaiid parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"id" \["sha256\ abd4f451ddb707c8e68a36d695456a515cdd6f9581b7a8348a380030a6fd7689"],"hostname" \[""],"repository" \[""],"registry" \[""],"fields" \[""],"name" \[""],"layers"\ false,"filterbaseimage"\ false,"compact"\ false,"truststatuses" \[""],"clusters" \[""],"complianceids" \[0],"compliancerulename" "","appembedded"\ false,"normalizedseverity"\ false,"agentless"\ false,"csa"\ false,"uaiid" "","issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase file array output field file output example {"file" {"file data" "string","filename" "example name"}} download serverless layer bundle retrieves a zip file with the defender runtime for serverless apps from palo alto networks prisma cloud, requiring a json body input endpoint url /images/twistlock defender layer zip method post input argument name type required description nodejsmoduletype array optional nodejsmoduletype is the type of a nodejs module provider array optional cloudprovider specifies the cloud provider name proxyca string optional proxyca is the proxy’s ca certificate for defender to trust runtime array optional this represents the runtime type of the serverless function input example {"json body" {"nodejsmoduletype" \["commonjs","ecmascript"],"provider" \["aws","azure","others"],"proxyca" "","runtime" \["python","python3 6","python3 7","python3 8","python3 9","dotnetcore2 1","dotnetcore3 1","dotnet6","java","ruby","ruby2 7"]}} output parameter type description status code number http status code of the response reason string response reason phrase file array output field file output example {"file" {"file data" "string","filename" "example name"}} download vm image scan results retrieve csv formatted scan reports for all vm images from palo alto networks prisma cloud workload protection endpoint url /vms/download method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id array optional filters the result based on vm ids parameters name array optional filters the result based on image names parameters credential array optional filters the result based on cloud credentials parameters distro array optional filters the result based on os distribution names parameters release array optional filters the result based on release versions parameters imagetype array optional filters the result based on cloud image types use marketplace, managed, or gallery for microsoft azure parameters complianceids array optional filters the result based on compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"id" \[""],"name" \[""],"credential" \[""],"distro" \[""],"release" \[""],"imagetype" \[""],"complianceids" \[0],"compliancerulename" "","normalizedseverity"\ false,"issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase file array output field file output example {"file" {"file data" "string","filename" "example name"}} get agentless scan progress displays the progress of agentless vulnerability and compliance scans in palo alto networks prisma cloud endpoint url /agentless/progress method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{"aisinitialscaninprogress"\ true,"aisondemandscaninprogress"\ true,"discovery"\ true,"error" "string","hostname" "string","id" "string","ondemand"\ true,"scantime" "2024 06 14t05 48 06 188z","scanned" 0,"title" "string","total" 0,"type" \[]}]} get all ci image scan results retrieve comprehensive ci image scan reports from palo alto prisma cloud, encompassing jenkins plugin and twistcli scan data endpoint url /scans method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id string optional scan id used in the image layers fetch parameters jobname array optional jenkins job name parameters type array optional scan type parameters pass boolean optional indicates whether to filter on passed scans (true) or not (false) parameters build string optional build number parameters imageid string optional image id of scanned image parameters layers boolean optional indicates if cves are mapped to image layer (true) or not (false) parameters from string optional filters results by start datetime based on scan time parameters to string optional filters results by end datetime based on scan time parameters fields array optional list of fields to retrieve parameters filterbaseimage boolean optional indicates if base image vulnerabilities are to be filtered (true) or not (false) requires predefined base images that have already been scanned parameters uaiid string optional filters results by uaiid parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false," id" "","jobname" \[""],"type" \[""],"pass"\ false,"build" "","imageid" "","layers"\ false,"from" "2024 06 14t05 48 06 625z","to" "2024 06 14t05 48 06 625z","fields" \[""],"filterbaseimage"\ false,"uaiid" "","issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{" id" "string","build" "string"}]} get compliance stats retrieve compliance statistics from palo alto networks prisma cloud workload protect to assess security posture endpoint url /stats/compliance method get input argument name type required description parameters collections array optional scopes query by collection parameters accountids array optional scopes query by account id parameters rulename string optional filters results by rule name parameters policytype string optional filters results by policy type used to further scope queries because rule names do not need to be unique between policies parameters category string optional filters results by category for example, a benchmark or resource type parameters template string optional filters results by compliance template input example {"parameters" {"collections" \[""],"accountids" \[""],"rulename" "","policytype" "","category" "","template" ""}} output parameter type description status code number http status code of the response reason string response reason phrase categories array output field categories categories failed number output field categories failed categories name array name of the resource categories total number output field categories total daily array output field daily daily id string unique identifier daily distribution object output field daily distribution daily distribution critical number output field daily distribution critical daily distribution high number output field daily distribution high daily distribution low number output field daily distribution low daily distribution medium number output field daily distribution medium daily distribution total number output field daily distribution total daily modified string output field daily modified ids array unique identifier ids benchmarkid string unique identifier ids category array unique identifier ids description string unique identifier ids failed number unique identifier ids id number unique identifier ids severity string unique identifier ids templatetitle string unique identifier ids total number unique identifier ids type array unique identifier output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"categories" \[{}],"daily" \[{}],"ids" \[{}],"rules" \[{}],"templates" \[{}]}} get container scan results retrieve detailed container scan reports from palo alto networks prisma cloud workload protection endpoint url /containers method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters hostname array optional hosts is used to filter containers by host parameters image array optional images is used to filter containers by image name parameters imageid array optional imageids is used to filter containers by image ids parameters id array optional ids is used to filter container by container id parameters profileid array optional profileids is used to filter container by runtime profile id parameters namespaces array optional namespaces are the namespaces to filter parameters fields array optional fields are used to fetch specific container field parameters firewallsupported boolean optional firewallsupported is used to fetch containers with app firewall supported parameters clusters array optional clusters is used to filter containers by cluster name parameters complianceids array optional complianceids is used to filter containers by compliance ids parameters compliancerulename string optional compliancerulename is used to filter containers by applied compliance rule name parameters agentless boolean optional agentless indicates that we should return only containers that were scanned by an agentless scanner parameters csa boolean optional csa indicates that we should return only containers that were scanned by csa parameters collections string optional collections ids input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"hostname" \[""],"image" \[""],"imageid" \[""],"id" \[""],"profileid" \[""],"namespaces" \[""],"fields" \[""],"firewallsupported"\ false,"clusters" \[""],"complianceids" \[1759],"compliancerulename" "","agentless"\ false,"csa"\ false,"collections" "abk2938"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{" id" "string","agentless"\ true,"agentlessscanid" 0,"ais"\ true,"collections" \[],"csa"\ true,"firewallprotection" {},"hostname" "string","info" {},"runtimeenabled"\ true,"scantime" "2024 06 14t05 48 06 267z"}]} get defender names retrieve a list of defender hostnames from palo alto networks prisma cloud workload protection endpoint url /defenders/names method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters hostname string optional hostname is a name of a specific defender to retrieve parameters role array optional roles are the defender api roles to filter parameters connected boolean optional indicates whether to return only connected defenders (true) or disconnected defenders (false) parameters type array optional indicates the defender types to return (e g , docker, dockerwindows, cri, etc) parameters latest boolean optional indicates whether to return a list of defenders that are running the latest version of prisma cloud (true) or defenders with older versions (false) parameters supportedversion boolean optional supportedversion indicates only defenders of supported versions should be fetched parameters cluster array optional scopes the query by cluster name parameters tasclusterids array optional scopes the query by tas cluster ids parameters tasblobstorescanner boolean optional scopes the query by tas blobstore scanning only defenders (true) or tas full coverage defenders (false) parameters tasfoundations array optional scopes the query by tas foundations parameters usingoldca boolean optional scopes the query to defenders which are using old certificate parameters usingexpiredca boolean optional scopes the query to defenders which are using expired certificate parameters isarm64 boolean optional scopes the query by provider type indicates whether to return only defenders running on arm64 architecture parameters isvpcobserver boolean optional indicates whether to return only defenders running as vpc observer input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"hostname" "","role" \[""],"connected"\ false,"type" \[""],"latest"\ false,"supportedversion"\ false,"cluster" \[""],"tasclusterids" \[""],"tasblobstorescanner"\ false,"tasfoundations" \[""],"usingoldca"\ false,"usingexpiredca"\ false,"isarm64"\ false,"isvpcobserver"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \["string"]} get defenders summary retrieve a summary count of defenders across categories in palo alto networks prisma cloud workload protection endpoint url /defenders/summary method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{"category" \[],"connected" 0,"deployed" 0,"licensed" 0}]} get deployed defenders retrieve a list of all deployed defenders in the palo alto networks prisma cloud workload protection environment endpoint url /defenders method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters hostname string optional hostname is a name of a specific defender to retrieve parameters role array optional roles are the defender api roles to filter parameters connected boolean optional indicates whether to return only connected defenders (true) or disconnected defenders (false) parameters type array optional indicates the defender types to return (e g , docker, dockerwindows, cri, etc) parameters latest boolean optional indicates whether to return a list of defenders that are running the latest version of prisma cloud (true) or defenders with older versions (false) parameters supportedversion boolean optional supportedversion indicates only defenders of supported versions should be fetched parameters cluster array optional scopes the query by cluster name parameters tasclusterids array optional scopes the query by tas cluster ids parameters tasblobstorescanner boolean optional scopes the query by tas blobstore scanning only defenders (true) or tas full coverage defenders (false) parameters tasfoundations array optional scopes the query by tas foundations parameters usingoldca boolean optional scopes the query to defenders which are using old certificate parameters usingexpiredca boolean optional scopes the query to defenders which are using expired certificate parameters isarm64 boolean optional scopes the query by provider type indicates whether to return only defenders running on arm64 architecture parameters isvpcobserver boolean optional indicates whether to return only defenders running as vpc observer input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"hostname" "","role" \[""],"connected"\ false,"type" \[""],"latest"\ false,"supportedversion"\ false,"cluster" \[""],"tasclusterids" \[""],"tasblobstorescanner"\ false,"tasfoundations" \[""],"usingoldca"\ false,"usingexpiredca"\ false,"isarm64"\ false,"isvpcobserver"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{"category" \[],"certificateexpiration" "2024 06 14t05 48 06 278z","cloudmetadata" {}}]} get group names retrieves all available group names from palo alto networks prisma cloud workload protection endpoint url /groups/names method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \["admins","secops","devops"]} get groups retrieves a complete list of groups from palo alto networks prisma cloud workload protection endpoint url /groups method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{" id" "string","groupid" "string","groupname" "string","lastmodified" "2024 06 14t05 48 06 290z","ldapgroup"\ true,"oauthgroup"\ true,"oidcgroup"\ true,"owner" "string","permissions" \[],"role" "string","samlgroup"\ true,"user" \[]}]} get host information retrieve essential details about deployed hosts from palo alto prisma cloud, including hostname, distro, release, and agentless status endpoint url /hosts/info method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters hostname array optional filters the result based on hostnames parameters distro array optional filters the result based on os distribution names parameters compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false parameters clusters array optional filters the result based on cluster names parameters complianceids array optional filters the result based on compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters agentless boolean optional retrieves the host names that were scanned by the agentless scanner parameters csa boolean optional filters only images scanned by csa parameters stopped boolean optional retrieves the host names that were skipped during an agentless scan default is false parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters uaiid string optional filters results by uaiid parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"hostname" \[""],"distro" \[""],"compact"\ false,"clusters" \[""],"complianceids" \[0],"compliancerulename" "","agentless"\ false,"csa"\ false,"stopped"\ false,"normalizedseverity"\ false,"uaiid" "","issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{"secrets" \[]," id" "string"}]} get host scan results retrieve detailed host vulnerability reports from palo alto networks prisma cloud workload protection endpoint url /hosts method get input argument name type required description parameters fields string optional fields query parameters parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters hostname array optional filters the result based on hostnames parameters distro array optional filters the result based on os distribution names parameters compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false parameters clusters array optional filters the result based on cluster names parameters complianceids array optional filters the result based on compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters agentless boolean optional retrieves the host names that were scanned by the agentless scanner parameters csa boolean optional filters only images scanned by csa parameters stopped boolean optional retrieves the host names that were skipped during an agentless scan default is false parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters uaiid string optional filters results by uaiid parameters issuetype string optional filters results by issue type input example {"parameters" {"fields" "type","offset" 0,"limit" 100,"sort" "","reverse"\ false,"hostname" \[""],"distro" \[""],"compact"\ false,"clusters" \[""],"complianceids" \[0],"compliancerulename" "","agentless"\ false,"csa"\ false,"stopped"\ false,"normalizedseverity"\ false,"uaiid" "","issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{"secrets" \[]," id" "string","agentless"\ true,"vulnerabilitiescount" 0,"vulnerabilitydistribution" {},"vulnerabilityriskscore" 0,"wildfireusage" {}}]} get image names retrieve a list of image names from palo alto networks prisma cloud workload protect to manage and analyze your inventory endpoint url /images/names method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id array optional filters the result based on image ids parameters hostname array optional filters the result based on hostnames parameters repository array optional filters the result based on image repository names parameters registry array optional filters the result based on image registry names parameters fields array optional list of fields to retrieve parameters name array optional filters the result based on image names parameters layers boolean optional indicates whether the cves are mapped to a specific image layer default is false parameters filterbaseimage boolean optional indicates whether to filter the base image for vulnerabilities requires predefined base images that have already been scanned default is false parameters compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false parameters truststatuses array optional filters the result based on whether an image is trusted or not trusted by a trusted image policy parameters clusters array optional filters the result based on cluster names parameters complianceids array optional filters the result by compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters appembedded boolean optional filters the result based on whether the images are scanned by app embedded defenders default is false parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters agentless boolean optional indicates whether to retrieve host names that are scanned by agentless scanner default is false parameters csa boolean optional filters only images scanned by csa parameters uaiid string optional filters results by uaiid parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"id" \[""],"hostname" \[""],"repository" \[""],"registry" \[""],"fields" \[""],"name" \[""],"layers"\ false,"filterbaseimage"\ false,"compact"\ false,"truststatuses" \[""],"clusters" \[""],"complianceids" \[0],"compliancerulename" "","appembedded"\ false,"normalizedseverity"\ false,"agentless"\ false,"csa"\ false,"uaiid" "","issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \["string"]} get image scan results retrieve detailed scan results for container images, identifying vulnerabilities and compliance issues from palo alto prisma cloud endpoint url /images method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id array optional filters the result based on image ids parameters hostname array optional filters the result based on hostnames parameters repository array optional filters the result based on image repository names parameters registry array optional filters the result based on image registry names parameters fields array optional list of fields to retrieve parameters name array optional filters the result based on image names parameters layers boolean optional indicates whether the cves are mapped to a specific image layer default is false parameters filterbaseimage boolean optional indicates whether to filter the base image for vulnerabilities requires predefined base images that have already been scanned default is false parameters compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false parameters truststatuses array optional filters the result based on whether an image is trusted or not trusted by a trusted image policy parameters clusters array optional filters the result based on cluster names parameters complianceids array optional filters the result by compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters appembedded boolean optional filters the result based on whether the images are scanned by app embedded defenders default is false parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters agentless boolean optional indicates whether to retrieve host names that are scanned by agentless scanner default is false parameters csa boolean optional filters only images scanned by csa parameters uaiid string optional filters results by uaiid parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"id" \[""],"hostname" \[""],"repository" \[""],"registry" \[""],"fields" \[""],"name" \[""],"layers"\ false,"filterbaseimage"\ false,"compact"\ false,"truststatuses" \[""],"clusters" \[""],"complianceids" \[0],"compliancerulename" "","appembedded"\ false,"normalizedseverity"\ false,"agentless"\ false,"csa"\ false,"uaiid" "","issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{"secrets" \[]," id" "string","agentless"\ true}]} get registry scan results retrieve detailed scan reports for registry images from palo alto networks prisma cloud workload protection endpoint url /registry method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id array optional filters results by registry image parameters imageid array optional filters the result by image ids that are available in daemonset parameters repository array optional filters the result based on image repository names parameters registry array optional filters the result based on image registry names parameters name array optional filters the result based on full image names parameters layers boolean optional indicates whether the cves are mapped to an image layer default is false parameters compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false parameters filterbaseimage boolean optional indicates whether to filter the base image for vulnerabilities requires predefined base images that have already been scanned default is false parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters uaiid string optional filters results by uaiid parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 10,"sort" "","reverse"\ false,"id" \[""],"imageid" \[""],"repository" \[""],"registry" \[""],"name" \[""],"layers"\ false,"compact"\ false,"filterbaseimage"\ false,"normalizedseverity"\ false,"uaiid" "","issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{"secrets" \[]," id" "string"}]} get serverless function scan results retrieve scan reports for all serverless functions in palo alto networks prisma cloud workload protection endpoint url /serverless method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id array optional retrieves a list of cloud function ids parameters cloudcontrolleraddresses array optional retrieves a list of cloud controller addresses that contains the cloud functions parameters runtime array optional filters the result based on cloud runtimes parameters version array optional filters the result based on cloud function's versions parameters functionlayers array optional filters the result based on aws lambda layers parameters defended boolean optional filters result based on cloud functions that are connected and protected by a defender parameters complianceids array optional filters result based on compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters platform array optional filters result based on platforms (os and architecture) such as windows, linux arm x64, linux x86, and so on parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"id" \[""],"cloudcontrolleraddresses" \[""],"runtime" \[""],"version" \[""],"functionlayers" \[""],"defended"\ false,"complianceids" \[0],"compliancerulename" "","platform" \[""],"normalizedseverity"\ false,"issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{"secrets" \[]," id" "string"}]} get vm image names retrieve a list of virtual machine image names from palo alto networks prisma cloud workload protection endpoint url /vms/names method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id array optional filters the result based on vm ids parameters name array optional filters the result based on image names parameters credential array optional filters the result based on cloud credentials parameters distro array optional filters the result based on os distribution names parameters release array optional filters the result based on release versions parameters imagetype array optional filters the result based on cloud image types use marketplace, managed, or gallery for microsoft azure parameters complianceids array optional filters the result based on compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"id" \[""],"name" \[""],"credential" \[""],"distro" \[""],"release" \[""],"imagetype" \[""],"complianceids" \[0],"compliancerulename" "","normalizedseverity"\ false,"issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \["string"]} get vm image scan results retrieve comprehensive security insights with vm image scan reports from palo alto networks prisma cloud workload protect endpoint url /vms method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id array optional filters the result based on vm ids parameters name array optional filters the result based on image names parameters credential array optional filters the result based on cloud credentials parameters distro array optional filters the result based on os distribution names parameters release array optional filters the result based on release versions parameters imagetype array optional filters the result based on cloud image types use marketplace, managed, or gallery for microsoft azure parameters complianceids array optional filters the result based on compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"id" \[""],"name" \[""],"credential" \[""],"distro" \[""],"release" \[""],"imagetype" \[""],"complianceids" \[0],"compliancerulename" "","normalizedseverity"\ false,"issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{"secrets" \[]," id" "string"}]} get vm image tags retrieve all aws tags for scanned vm images in palo alto networks prisma cloud workload protection endpoint url /vms/labels method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters id array optional filters the result based on vm ids parameters name array optional filters the result based on image names parameters credential array optional filters the result based on cloud credentials parameters distro array optional filters the result based on os distribution names parameters release array optional filters the result based on release versions parameters imagetype array optional filters the result based on cloud image types use marketplace, managed, or gallery for microsoft azure parameters complianceids array optional filters the result based on compliance ids parameters compliancerulename string optional filters the result based on applied compliance rule name parameters normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false parameters issuetype string optional filters results by issue type input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"id" \[""],"name" \[""],"credential" \[""],"distro" \[""],"release" \[""],"imagetype" \[""],"complianceids" \[0],"compliancerulename" "","normalizedseverity"\ false,"issuetype" ""}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \["string"]} get vulnerability cves stats retrieve a list of cves for images, hosts, and serverless functions in palo alto networks prisma cloud endpoint url /stats/vulnerabilities method get input argument name type required description parameters offset number optional offsets the result to a specific report count offset starts from 0 parameters limit number optional limit is the amount to fix parameters sort string optional sorts the result using a key parameters reverse boolean optional sorts the result in reverse order parameters cve string optional cve is the single cve id to return vulnerability data for parameters severitythreshold string optional severitythreshold is the minimum severity indicating that all retrieved cves severities are greater than or equal to the threshold parameters cvssthreshold number optional cvssthreshold is the minimum cvss score indicating that all retrieved cves cvss scores are greater than or equal to the threshold parameters resourcetype string optional resourcetype is the single resource type to return vulnerability data for parameters agentless boolean optional agentless indicates whether to retrieve vulnerability data for agentless hosts/images parameters stopped boolean optional stopped indicates whether to retrieve vulnerability data for hosts that were not running during agentless scan parameters packages array optional packages filter by impacted packages parameters riskfactors array optional riskfactors filter by cve risk factors parameters envriskfactors array optional envriskfactors filter by environmental risk factors input example {"parameters" {"offset" 0,"limit" 100,"sort" "","reverse"\ false,"cve" "","severitythreshold" "","cvssthreshold" 10 357,"resourcetype" "","agentless"\ false,"stopped"\ false,"packages" \[""],"riskfactors" \[""],"envriskfactors" \[""]}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" \[{" id" "string","containers" {},"functions" {}}]} resolve hosts adds vulnerability data for specified hosts in palo alto networks prisma cloud workload protect using a provided json body endpoint url /hosts/evaluate method post input argument name type required description images array optional parameter for resolve hosts images secrets array optional parameter for resolve hosts images id string optional unique identifier images agentless boolean optional parameter for resolve hosts images aisuuid string optional unique identifier images allcompliance object optional parameter for resolve hosts images allcompliance compliance array optional parameter for resolve hosts images allcompliance compliance applicablerules array optional parameter for resolve hosts images allcompliance compliance binarypkgs array optional parameter for resolve hosts images allcompliance compliance block boolean optional parameter for resolve hosts images allcompliance compliance cause string optional parameter for resolve hosts images allcompliance compliance cri boolean optional parameter for resolve hosts images allcompliance compliance custom boolean optional parameter for resolve hosts images allcompliance compliance cve string optional parameter for resolve hosts images allcompliance compliance cvss number optional parameter for resolve hosts images allcompliance compliance description string optional parameter for resolve hosts images allcompliance compliance discovered string optional parameter for resolve hosts images allcompliance compliance exploit array optional parameter for resolve hosts images allcompliance compliance exploits array optional parameter for resolve hosts images allcompliance compliance exploits kind array optional parameter for resolve hosts images allcompliance compliance exploits link string optional parameter for resolve hosts images allcompliance compliance exploits source array optional parameter for resolve hosts images allcompliance compliance fixdate number optional date value images allcompliance compliance fixlink string optional parameter for resolve hosts images allcompliance compliance functionlayer string optional parameter for resolve hosts input example {"images" \[{"secrets" \["string"]," id" "string","agentless"\ true,"aisuuid" "string","allcompliance" {"compliance" \[{"applicablerules" \["string"],"binarypkgs" \["string"],"block"\ true,"cause" "string","cri"\ true,"custom"\ true,"cve" "string","cvss" 123,"description" "string","discovered" "string","exploit" \["string"],"exploits" \[],"fixdate" 123,"fixlink" "string","functionlayer" "string","graceperioddays" 123,"id" 123,"layertime" 123,"link" "string","packagename" "example name","packagetype" \["string"],"packageversion" "string","published" 123,"riskfactors" {},"secret" {},"severity" "string","status" "active","templates" \[],"text" "string","title" "string","twistlock"\ true,"type" \["string"],"vecstr" "string","vulntaginfos" \[],"wildfiremalware" {}}],"enabled"\ true},"appembedded"\ true,"applications" \[{"installedfrompackage"\ true,"knownvulnerabilities" 123,"layertime" 123,"name" "example name","originpackagename" "example name","path" "string","service"\ true,"version" "string"}],"baseimage" "string","binaries" \[{"altered"\ true,"cvecount" 123,"deps" \["string"],"filemode" 123,"functionlayer" "string","md5" "string","missingpkg"\ true,"name" "example name","path" "string","pkgrootdir" "string","services" \["string"],"version" "string"}],"cloudmetadata" {"accountid" "string","awsexecutionenv" "string","image" "string","labels" \[{"key" "string","sourcename" "example name","sourcetype" \["string"],"timestamp" "2024 01 01t00 00 00z","value" "string"}],"name" "example name","provider" \["string"],"region" "string","resourceid" "string","resourceurl" "string","type" "string","vmid" "string","vmimageid" "string"},"clustertype" \["string"],"clusters" \["string"],"collections" \["string"],"compliancedistribution" {"critical" 123,"high" 123,"low" 123,"medium" 123,"total" 123},"complianceissues" \[{"applicablerules" \["string"],"binarypkgs" \["string"],"block"\ true,"cause" "string","cri"\ true,"custom"\ true,"cve" "string","cvss" 123,"description" "string","discovered" "string","exploit" \["string"],"exploits" \[{"kind" \["string"],"link" "string","source" \["string"]}],"fixdate" 123,"fixlink" "string","functionlayer" "string","graceperioddays" 123,"id" 123,"layertime" 123,"link" "string","packagename" "example name","packagetype" \["string"],"packageversion" "string","published" 123,"riskfactors" {},"secret" {"locationinfile" "string","modifiedtime" 123,"path" "string","secretid" "string","snippet" "string","type" \["string"]},"severity" "string","status" "active","templates" \[{"0" "string","1" "string","2" "string","3" "string","4" "string"}],"text" "string","title" "string","twistlock"\ true,"type" \["string"],"vecstr" "string","vulntaginfos" \[{"color" "string","comment" "string","name" "example name"}],"wildfiremalware" {"md5" "string","path" "string","verdict" "string"}}],"complianceissuescount" 123,"complianceriskscore" 123,"compressed"\ true,"compressedlayertimes" {"apptimes" \[123],"pkgstimes" \[{"pkgtimes" \[123],"pkgstype" \["string"]}]},"creationtime" "string","csa"\ true,"distro" "string","ecsclustername" "example name","err" "string","errcode" 123,"externallabels" \[{"key" "string","sourcename" "example name","sourcetype" \["string"],"timestamp" "2024 01 01t00 00 00z","value" "string"}],"files" \[{"md5" "string","path" "string","sha1" "string","sha256" "string"}],"firewallprotection" {"enabled"\ true,"outofbandmode" \["string"],"ports" \[123],"supported"\ true,"tlsports" \[123],"unprotectedprocesses" \[{"port" 123,"process" "string","tls"\ true}]},"firstscantime" "string","foundsecrets" \[{"locationinfile" "string","modifiedtime" 123,"path" "string","secretid" "string","snippet" "string","type" \["string"]}],"history" \[{"baselayer"\ true,"created" 123,"emptylayer"\ true,"id" "12345678 1234 1234 1234 123456789abc","instruction" "string","sizebytes" 123,"tags" \["string"],"vulnerabilities" \[{"applicablerules" \["string"],"binarypkgs" \["string"],"block"\ true,"cause" "string","cri"\ true,"custom"\ true,"cve" "string","cvss" 123,"description" "string","discovered" "string","exploit" \["string"],"exploits" \[],"fixdate" 123,"fixlink" "string","functionlayer" "string","graceperioddays" 123,"id" 123,"layertime" 123,"link" "string","packagename" "example name","packagetype" \["string"],"packageversion" "string","published" 123,"riskfactors" {},"secret" {},"severity" "string","status" "active","templates" \[],"text" "string","title" "string","twistlock"\ true,"type" \["string"],"vecstr" "string","vulntaginfos" \[],"wildfiremalware" {}}]}],"hostdevices" \[{"ip" "string","name" "example name"}],"hostruntimeenabled"\ true,"hostname" "example name","hosts" {},"id" "12345678 1234 1234 1234 123456789abc","image" {"created" "2024 01 01t00 00 00z","entrypoint" \["string"],"env" \["string"],"healthcheck"\ true,"history" \[{"baselayer"\ true,"created" 123,"emptylayer"\ true,"id" "12345678 1234 1234 1234 123456789abc","instruction" "string","sizebytes" 123,"tags" \["string"],"vulnerabilities" \[]}],"id" "12345678 1234 1234 1234 123456789abc","labels" {},"layers" \["string"],"os" "string","repodigest" \["string"],"repotags" \["string"],"user" "string","workingdir" "string"},"installedproducts" {"agentless"\ true,"apache" "string","awscloud"\ true,"clustertype" \["string"],"crio"\ true,"docker" "string","dockerenterprise"\ true,"haspackagemanager"\ true,"k8sapiserver"\ true,"k8scontrollermanager"\ true,"k8setcd"\ true,"k8sfederationapiserver"\ true,"k8sfederationcontrollermanager"\ true,"k8skubelet"\ true,"k8sproxy"\ true,"k8sscheduler"\ true,"kubernetes" "string","managedclusterversion" "string","openshift"\ true,"openshiftversion" "string","osdistro" "string","serverless"\ true,"swarmmanager"\ true,"swarmnode"\ true},"instances" \[{"host" "string","image" "string","modified" "string","registry" "string","repo" "string","tag" "string"}],"isarm64"\ true,"k8sclusteraddr" "string","labels" \["string"],"layers" \["string"],"malwareanalyzedtime" "string","missingdistrovulncoverage"\ true,"namespaces" \["string"],"osdistro" "string","osdistrorelease" "string","osdistroversion" "string","packagemanager"\ true}]} output parameter type description status code number http status code of the response reason string response reason phrase images array output field images images secrets array output field images secrets images id string unique identifier output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"images" \[{}]}} resolve images adds vulnerability data for specified images in palo alto networks prisma cloud workload protect, requiring a json body input endpoint url /images/evaluate method post input argument name type required description images array optional parameter for resolve images images secrets array optional parameter for resolve images images id string optional unique identifier images agentless boolean optional parameter for resolve images images aisuuid string optional unique identifier images allcompliance object optional parameter for resolve images images allcompliance compliance array optional parameter for resolve images images allcompliance compliance applicablerules array optional parameter for resolve images images allcompliance compliance binarypkgs array optional parameter for resolve images images allcompliance compliance block boolean optional parameter for resolve images images allcompliance compliance cause string optional parameter for resolve images images allcompliance compliance cri boolean optional parameter for resolve images images allcompliance compliance custom boolean optional parameter for resolve images images allcompliance compliance cve string optional parameter for resolve images images allcompliance compliance cvss number optional parameter for resolve images images allcompliance compliance description string optional parameter for resolve images images allcompliance compliance discovered string optional parameter for resolve images images allcompliance compliance exploit array optional parameter for resolve images images allcompliance compliance exploits array optional parameter for resolve images images allcompliance compliance exploits kind array optional parameter for resolve images images allcompliance compliance exploits link string optional parameter for resolve images images allcompliance compliance exploits source array optional parameter for resolve images images allcompliance compliance fixdate number optional date value images allcompliance compliance fixlink string optional parameter for resolve images images allcompliance compliance functionlayer string optional parameter for resolve images input example {"json body" {"images" \[{"secrets" \[""]," id" "","agentless"\ true,"aisuuid" "","allcompliance" {"compliance" \[{"applicablerules" \[""],"binarypkgs" \[""],"block"\ true,"cause" "","cri"\ true,"custom"\ true,"cve" "","cvss" 0,"description" "","discovered" "2024 06 14t05 48 06 123z","exploit" \["","exploit db","exploit windows","cisa kev"],"exploits" \[{"kind" \["poc","in the wild"],"link" "","source" \["","exploit db","exploit windows","cisa kev"]}],"fixdate" 0,"fixlink" "","functionlayer" "","graceperioddays" 0,"id" 0,"layertime" 0,"link" "","packagename" "","packagetype" \["nodejs"],"packageversion" "","published" 0,"riskfactors" {},"secret" {"locationinfile" "","modifiedtime" 0,"path" "","secretid" "","snippet" "","type" \[""]},"severity" "","status" "","templates" \[\["pci"]],"text" "","title" "","twistlock"\ true,"type" \["container"],"vecstr" "","vulntaginfos" \[{"color" "","comment" "","name" ""}],"wildfiremalware" {"md5" "","path" "","verdict" ""}}],"enabled"\ true},"appembedded"\ true,"applications" \[{"installedfrompackage"\ true,"knownvulnerabilities" 0,"layertime" 0,"name" "","originpackagename" "","path" "","service"\ true,"version" ""}],"baseimage" "","binaries" \[{"altered"\ true,"cvecount" 0,"deps" \[""],"filemode" 0,"functionlayer" "","md5" "","missingpkg"\ true,"name" "","path" "","pkgrootdir" "","services" \[""],"version" ""}],"cloudmetadata" {"accountid" "","awsexecutionenv" "","image" "","labels" \[{"key" "","sourcename" "","sourcetype" \["namespace"],"timestamp" "2024 06 14t05 48 06 123z","value" ""}],"name" "","provider" \["aws"],"region" "","resourceid" "","resourceurl" "","type" "","vmid" "","vmimageid" ""},"clustertype" \["aks"],"clusters" \[""],"collections" \[""],"compliancedistribution" {"critical" 0,"high" 0,"low" 0,"medium" 0,"total" 0},"complianceissues" \[{"applicablerules" \[""],"binarypkgs" \[""],"block"\ true,"cause" "","cri"\ true,"custom"\ true,"cve" "","cvss" 0,"description" "","discovered" "2024 06 14t05 48 06 123z","exploit" \["","exploit db","exploit windows","cisa kev"],"exploits" \[{"kind" \["poc","in the wild"],"link" "","source" \["","exploit db","exploit windows","cisa kev"]}],"fixdate" 0,"fixlink" "","functionlayer" "","graceperioddays" 0,"id" 0,"layertime" 0,"link" "","packagename" "","packagetype" \["nodejs"],"packageversion" "","published" 0,"riskfactors" {},"secret" {"locationinfile" "","modifiedtime" 0,"path" "","secretid" "","snippet" "","type" \["aws access key id"]},"severity" "","status" "","templates" \[\["pci","hipaa","nist sp 800 190","gdpr","disa stig"]],"text" "","title" "","twistlock"\ true,"type" \["container"],"vecstr" "","vulntaginfos" \[{"color" "","comment" "","name" ""}],"wildfiremalware" {"md5" "","path" "","verdict" ""}}],"complianceissuescount" 0,"complianceriskscore" 0,"compressed"\ true,"compressedlayertimes" {"apptimes" \[0],"pkgstimes" \[{"pkgtimes" \[0],"pkgstype" \["nodejs"]}]},"creationtime" "2024 06 14t05 48 06 123z","csa"\ true,"distro" "","ecsclustername" "","err" "","errcode" 0,"externallabels" \[{"key" "","sourcename" "","sourcetype" \["oci"],"timestamp" "2024 06 14t05 48 06 123z","value" ""}],"files" \[{"md5" "","path" "","sha1" "","sha256" ""}],"firewallprotection" {"enabled"\ true,"outofbandmode" \["","observation","protection"],"ports" \[0],"supported"\ true,"tlsports" \[0],"unprotectedprocesses" \[{"port" 0,"process" "","tls"\ true}]},"firstscantime" "2024 06 14t05 48 06 123z","foundsecrets" \[{"locationinfile" "","modifiedtime" 0,"path" "","secretid" "","snippet" "","type" \["aws access key id"]}],"history" \[{"baselayer"\ true,"created" 0,"emptylayer"\ true,"id" "","instruction" "","sizebytes" 0,"tags" \[""],"vulnerabilities" \[{"applicablerules" \[""],"binarypkgs" \[""],"block"\ true,"cause" "","cri"\ true,"custom"\ true,"cve" "","cvss" 0,"description" "","discovered" "2024 06 14t05 48 06 124z","exploit" \[""],"exploits" \[{"kind" \["poc","in the wild"],"link" "","source" \[""]}],"fixdate" 0,"fixlink" "","functionlayer" "","graceperioddays" 0,"id" 0,"layertime" 0,"link" "","packagename" "","packagetype" \["nodejs"],"packageversion" "","published" 0,"riskfactors" {},"secret" {"locationinfile" "","modifiedtime" 0,"path" "","secretid" "","snippet" "","type" \[""]},"severity" "","status" "","templates" \[\["pci"]],"text" "","title" "","twistlock"\ true,"type" \[""],"vecstr" "","vulntaginfos" \[{"color" "","comment" "","name" ""}],"wildfiremalware" {"md5" "","path" "","verdict" ""}}]}],"hostdevices" \[{"ip" "","name" ""}],"hostruntimeenabled"\ true,"hostname" "","hosts" {},"id" "","image" {"created" "2024 06 14t05 48 06 124z","entrypoint" \[""],"env" \[""],"healthcheck"\ true,"history" \[{"baselayer"\ true,"created" 0,"emptylayer"\ true,"id" "","instruction" "","sizebytes" 0,"tags" \[""],"vulnerabilities" \[{"applicablerules" \[""],"binarypkgs" \[""],"block"\ true,"cause" "","cri"\ true,"custom"\ true,"cve" "","cvss" 0,"description" "","discovered" "2024 06 14t05 48 06 124z","exploit" \["","exploit db","exploit windows","cisa kev"],"exploits" \[{"kind" \["poc","in the wild"],"link" "","source" \[""]}],"fixdate" 0,"fixlink" "","functionlayer" "","graceperioddays" 0,"id" 0,"layertime" 0,"link" "","packagename" "","packagetype" \["nodejs"],"packageversion" "","published" 0,"riskfactors" {},"secret" {"locationinfile" "","modifiedtime" 0,"path" "","secretid" "","snippet" "","type" \["aws access key id"]},"severity" "","status" "","templates" \[\["pci"]],"text" "","title" "","twistlock"\ true,"type" \["container"],"vecstr" "","vulntaginfos" \[{"color" "","comment" "","name" ""}],"wildfiremalware" {"md5" "","path" "","verdict" ""}}]}],"id" "","labels" {},"layers" \[""],"os" "","repodigest" \[""],"repotags" \[""],"user" "","workingdir" ""},"installedproducts" {"agentless"\ true,"apache" "","awscloud"\ true,"clustertype" \["aks","ecs","eks","gke","kubernetes"],"crio"\ true,"docker" "","dockerenterprise"\ true,"haspackagemanager"\ true,"k8sapiserver"\ true,"k8scontrollermanager"\ true,"k8setcd"\ true,"k8sfederationapiserver"\ true,"k8sfederationcontrollermanager"\ true,"k8skubelet"\ true,"k8sproxy"\ true,"k8sscheduler"\ true,"kubernetes" "","managedclusterversion" "","openshift"\ true,"openshiftversion" "","osdistro" "","serverless"\ true,"swarmmanager"\ true,"swarmnode"\ true},"instances" \[{"host" "","image" "","modified" "2024 06 14t05 48 06 124z","registry" "","repo" "","tag" ""}],"isarm64"\ true,"k8sclusteraddr" "","labels" \[""],"layers" \[""],"malwareanalyzedtime" "2024 06 14t05 48 06 124z","missingdistrovulncoverage"\ true,"namespaces" \[""],"osdistro" "","osdistrorelease" "","osdistroversion" "","packagemanager"\ true,"packages" \[{"pkgs" \[{"author" "","binaryidx" \[0],"binarypkgs" \[""],"cvecount" 0,"defaultgem"\ true,"fileinfos" \[{"md5" "","path" "","sha1" "","sha256" ""}],"files" \[{"md5" "","path" "","sha1" "","sha256" ""}],"fullpkgpath" "","functionlayer" "","gopkg"\ true,"jaridentifier" "","layertime" 0,"license" "","name" "","originpackagename" "","ospackage"\ true,"path" "","purl" "","securityrepopkg"\ true,"symbols" \[""],"version" ""}],"pkgstype" \["nodejs"]}],"pullduration" 0,"pushtime" "2024 06 14t05 48 06 125z","redhatnonrpmimage"\ true,"registrynamespace" "","registrytags" \[""],"registrytype" "","repodigests" \[""],"repotag" {"digest" "","id" "","registry" "","repo" "","tag" ""},"rhelrepos" \[""],"riskfactors" {},"scanbuilddate" "","scanduration" 0,"scanid" 0,"scantime" "2024 06 14t05 48 06 125z","scanversion" "","secretscanmetrics" {"failedscans" 0,"foundsecrets" 0,"scantime" 0,"scantimeouts" 0,"scannedfilesize" 0,"scannedfiles" 0,"totalbytes" 0,"totalfiles" 0,"totaltime" 0,"typescount" {}},"startupbinaries" \[{"altered"\ true,"cvecount" 0,"deps" \[""],"filemode" 0,"functionlayer" "","md5" "","missingpkg"\ true,"name" "","path" "","pkgrootdir" "","services" \[""],"version" ""}],"stopped"\ true,"tags" \[{"digest" "","id" "","registry" "","repo" "","tag" ""}],"toplayer" "","trustresult" {"groups" \[{" id" "","disabled"\ true,"images" \[""],"layers" \[""],"modified" "2024 06 14t05 48 06 125z","name" "","notes" "","owner" "","previousname" ""}],"hostsstatuses" \[{"host" "","status" \["trusted","untrusted"]}]},"truststatus" \["trusted","untrusted"],"twistlockimage"\ true,"type" \["image"],"vulnerabilities" \[{"applicablerules" \[""],"binarypkgs" \[""],"block"\ true,"cause" "","cri"\ true,"custom"\ true,"cve" "","cvss" 0,"description" "","discovered" "2024 06 14t05 48 06 125z","exploit" \[""],"exploits" \[{"kind" \["poc","in the wild"],"link" "","source" \[""]}],"fixdate" 0,"fixlink" "","functionlayer" "","graceperioddays" 0,"id" 0,"layertime" 0,"link" "","packagename" "","packagetype" \["nodejs"],"packageversion" "","published" 0,"riskfactors" {},"secret" {"locationinfile" "","modifiedtime" 0,"path" "","secretid" "","snippet" "","type" \["aws access key id"]},"severity" "","status" "","templates" \[\["pci"]],"text" "","title" "","twistlock"\ true,"type" \["container"],"vecstr" "","vulntaginfos" \[{"color" "","comment" "","name" ""}],"wildfiremalware" {"md5" "","path" "","verdict" ""}}],"vulnerabilitiescount" 0,"vulnerabilitydistribution" {"critical" 0,"high" 0,"low" 0,"medium" 0,"total" 0},"vulnerabilityriskscore" 0,"wildfireusage" {"bytes" 0,"queries" 0,"uploads" 0}}]}} output parameter type description status code number http status code of the response reason string response reason phrase images array output field images images secrets array output field images secrets images id string unique identifier output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"images" \[{}]}} start a host scan initiates a comprehensive re scan of all hosts in palo alto networks prisma cloud workload protect to update security posture endpoint url /hosts/scan method post output parameter type description status code number http status code of the response reason string response reason phrase status string status value output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"status" "scanned hosts "}} start image scan initiates a re scan of all images in palo alto networks prisma cloud workload protect, providing the scan initiation timestamp endpoint url /images/scan method post input argument name type required description hostname string optional hostname is the optional host name to scan imagetag object optional parameter for start image scan imagetag digest string optional image digest (requires v2 or later registry) imagetag id string optional id of the image imagetag registry string optional registry name to which the image belongs imagetag repo string optional repository name to which the image belongs imagetag tag string optional image tag input example {"json body" {"hostname" "","imagetag" {"digest" "","id" "","registry" "","repo" "","tag" ""}}} output parameter type description status code number http status code of the response reason string response reason phrase status string status value output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"status" "scanned images "}} start vm image scan initiates a re scan of all vm images in palo alto networks prisma cloud and provides the scan initiation timestamp endpoint url /vms/scan method post output parameter type description status code number http status code of the response reason string response reason phrase status string status value output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"status" "scanned vm images "}} stop vm image scan terminate an ongoing vm image scan within palo alto networks prisma cloud workload protect endpoint url /vms/stop method post output parameter type description status code number http status code of the response reason string response reason phrase status string status value output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"status" "stopped vm images scan "}} update group by id modifies an existing group in palo alto networks prisma cloud workload protect using a specified id endpoint url /groups/{{id}} method put input argument name type required description path parameters id string required parameters for the update group by id action id string optional group name groupid string optional group identifier in the azure saml identification process groupname string optional group name lastmodified string optional datetime when the group was created or last modified ldapgroup boolean optional indicates if the group is an ldap group (true) or not (false) oauthgroup boolean optional indicates if the group is an oauth group (true) or not (false) oidcgroup boolean optional indicates if the group is an openid connect group (true) or not (false) owner string optional user who created or modified the group permissions array optional parameter for update group by id permissions collections array optional parameter for update group by id permissions project string optional parameter for update group by id role string optional role of the group samlgroup boolean optional indicates if the group is a saml group (true) or not (false) user array optional parameter for update group by id user username string optional name of the resource input example {"json body" {" id" "","groupid" "","groupname" "","lastmodified" "2024 06 14t05 48 06 115z","ldapgroup"\ true,"oauthgroup"\ true,"oidcgroup"\ true,"owner" "","permissions" \[{"collections" \[""],"project" ""}],"role" "","samlgroup"\ true,"user" \[{"username" ""}]},"path parameters" {"id" "e89f1d5adf"}} output parameter type description status code number http status code of the response reason string response reason phrase status string status value output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"status" "updated "}} upgrade a defender upgrades the defender component on a specified host using its id in palo alto networks prisma cloud workload protection endpoint url /defenders/{{id}}/upgrade method post input argument name type required description path parameters id string required parameters for the upgrade a defender action input example {"path parameters" {"id" "1297"}} output parameter type description status code number http status code of the response reason string response reason phrase success boolean whether the operation was successful output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {"success"\ true}} waas openapi scans generates a detailed openapi specifications report, identifying errors and security issues using palo alto prisma endpoint url /waas/openapi scans method post input argument name type required description form data object required response data form data file array required response data form data file file name string required response data form data file file string required response data input example {"form data" {"file" \[{"file name" "test import json","file" "test import json"}]}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier issueresults array result of the operation issueresults id number unique identifier issueresults category string result of the operation issueresults descriptiontext string result of the operation issueresults descriptionurl string url endpoint for the request issueresults id string unique identifier issueresults override object unique identifier issueresults queryname string name of the resource issueresults searchkey string result of the operation issueresults severity array result of the operation issueresults status string status value scaninfo object output field scaninfo scaninfo appid string unique identifier scaninfo policytype array type of the resource scaninfo ruleid string unique identifier scaninfo source array output field scaninfo source scanstarttime string time value severitydistribution object output field severitydistribution severitydistribution high number output field severitydistribution high severitydistribution info number output field severitydistribution info severitydistribution low number output field severitydistribution low severitydistribution medium number output field severitydistribution medium output example {"status code" 200,"response headers" {"date" "wed, 12 jun 2024 09 40 11 gmt","content type" "application/json;charset=utf 8","transfer encoding" "chunked","connection" "keep alive"},"reason" "ok","json body" {" id" "string","issueresults" \[{}],"scaninfo" {"appid" "string","policytype" \[],"ruleid" "string","source" \[]},"scanstarttime" "2024 06 14t05 48 05 260z","severitydistribution" {"high" 0,"info" 0,"low" 0,"medium" 0},"specinfo" {"content" \[],"contenttype" "string","filename" "string"}}} response headers header description example connection http response header connection keep alive content type the media type of the resource application/json date the date and time at which the message was originated wed, 12 jun 2024 09 40 11 gmt transfer encoding http response header transfer encoding chunked