Palo Alto Networks Prisma Cloud Workload Protect

the prisma cloud workload protect connector enables seamless integration with palo alto networks' cloud native security platform, allowing for automated security operations and threat management palo alto networks prisma cloud workload protect offers a comprehensive cloud native security platform that provides full lifecycle security and full stack protection for multi cloud environments by integrating with swimlane turbine, users can automate the management of user groups, scan hosts and images for vulnerabilities, and enforce security policies across their cloud workloads this connector streamlines security operations by enabling rapid response to threats and ensuring consistent security posture management prerequisites to utilize the palo alto networks prisma cloud workload protect connector, ensure you have the following prerequisites username and password authentication with the following parameters url endpoint url for prisma cloud api access username your prisma cloud account username password your prisma cloud account password version the version of the prisma cloud api you are targeting capabilities this connector provides the following capabilities add group delete group by id download app embedded defender download host scan results download image scan results download serverless layer bundle download vm image scan results get agentless scan progress get all ci image scan results get compliance stats get container scan results get defender names get defenders summary get deployed defenders get group names and so on configurations palo alto prisma cloud compute asset authenticates using username and password configuration parameters parameter description type required url a url to the target host string required username username string required password password string required version version string required verify ssl verify ssl certificate boolean optional http proxy a proxy to route requests through string optional actions add group creates a new user group within palo alto networks prisma cloud workload protect using the provided json body endpoint url /groups method post input argument name type required description id string optional group name groupid string optional group identifier in the azure saml identification process groupname string optional group name lastmodified string optional datetime when the group was created or last modified ldapgroup boolean optional indicates if the group is an ldap group (true) or not (false) oauthgroup boolean optional indicates if the group is an oauth group (true) or not (false) oidcgroup boolean optional indicates if the group is an openid connect group (true) or not (false) owner string optional user who created or modified the group permissions array optional permissions is a list of permissions collections array optional list of collections the user can access project string optional names of projects which the user can access role string optional role of the group samlgroup boolean optional indicates if the group is a saml group (true) or not (false) user array optional users in the group username string optional name of a user output parameter type description status code number http status code of the response reason string response reason phrase success boolean whether the operation was successful example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "success" true } } ] delete group by id removes a specified group from palo alto networks prisma cloud workload protect using the unique id provided endpoint url /groups/{{id}} method delete input argument name type required description id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase status string status value example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "status" "deleted" } } ] download app embedded defender generates and provides the palo alto networks prisma cloud embedded defender bundle for user download endpoint url /images/twistlock defender app embedded tar gz method get output parameter type description status code number http status code of the response reason string response reason phrase status string status value example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "status" "downloaded " } } ] download host scan results download detailed host scan reports from palo alto networks prisma cloud workload protection for comprehensive security insights endpoint url /hosts/download method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order hostname array optional filters the result based on hostnames distro array optional filters the result based on os distribution names compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false clusters array optional filters the result based on cluster names complianceids array optional filters the result based on compliance ids compliancerulename string optional filters the result based on applied compliance rule name agentless boolean optional retrieves the host names that were scanned by the agentless scanner csa boolean optional filters only images scanned by csa stopped boolean optional retrieves the host names that were skipped during an agentless scan default is false normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false uaiid string optional filters results by uaiid issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase file array output field file example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "file" { "file data" "string", "filename" "example name" } } ] download image scan results download detailed csv reports of image scans from palo alto networks prisma cloud workload protection endpoint url /images/download method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id array optional filters the result based on image ids hostname array optional filters the result based on hostnames repository array optional filters the result based on image repository names registry array optional filters the result based on image registry names fields array optional list of fields to retrieve name array optional filters the result based on image names layers boolean optional indicates whether the cves are mapped to a specific image layer default is false filterbaseimage boolean optional indicates whether to filter the base image for vulnerabilities requires predefined base images that have already been scanned default is false compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false truststatuses array optional filters the result based on whether an image is trusted or not trusted by a trusted image policy clusters array optional filters the result based on cluster names complianceids array optional filters the result by compliance ids compliancerulename string optional filters the result based on applied compliance rule name appembedded boolean optional filters the result based on whether the images are scanned by app embedded defenders default is false normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false agentless boolean optional indicates whether to retrieve host names that are scanned by agentless scanner default is false csa boolean optional filters only images scanned by csa uaiid string optional filters results by uaiid issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase file array output field file example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "file" { "file data" "string", "filename" "example name" } } ] download serverless layer bundle retrieves a zip file with the defender runtime for serverless apps from palo alto networks prisma cloud, requiring a json body input endpoint url /images/twistlock defender layer zip method post input argument name type required description nodejsmoduletype array optional nodejsmoduletype is the type of a nodejs module provider array optional cloudprovider specifies the cloud provider name proxyca string optional proxyca is the proxy’s ca certificate for defender to trust runtime array optional this represents the runtime type of the serverless function output parameter type description status code number http status code of the response reason string response reason phrase file array output field file example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "file" { "file data" "string", "filename" "example name" } } ] download vm image scan results retrieve csv formatted scan reports for all vm images from palo alto networks prisma cloud workload protection endpoint url /vms/download method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id array optional filters the result based on vm ids name array optional filters the result based on image names credential array optional filters the result based on cloud credentials distro array optional filters the result based on os distribution names release array optional filters the result based on release versions imagetype array optional filters the result based on cloud image types use marketplace, managed, or gallery for microsoft azure complianceids array optional filters the result based on compliance ids compliancerulename string optional filters the result based on applied compliance rule name normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase file array output field file example \[ { "status code" 200, "response headers" { "content type" "application/json", "date" "thu, 01 jan 2024 00 00 00 gmt" }, "reason" "ok", "file" { "file data" "string", "filename" "example name" } } ] get agentless scan progress displays the progress of agentless vulnerability and compliance scans in palo alto networks prisma cloud endpoint url /agentless/progress method get output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get all ci image scan results retrieve comprehensive ci image scan reports from palo alto prisma cloud, encompassing jenkins plugin and twistcli scan data endpoint url /scans method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id string optional scan id used in the image layers fetch jobname array optional jenkins job name type array optional scan type pass boolean optional indicates whether to filter on passed scans (true) or not (false) build string optional build number imageid string optional image id of scanned image layers boolean optional indicates if cves are mapped to image layer (true) or not (false) from string optional filters results by start datetime based on scan time to string optional filters results by end datetime based on scan time fields array optional list of fields to retrieve filterbaseimage boolean optional indicates if base image vulnerabilities are to be filtered (true) or not (false) requires predefined base images that have already been scanned uaiid string optional filters results by uaiid issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get compliance stats retrieve compliance statistics from palo alto networks prisma cloud workload protect to assess security posture endpoint url /stats/compliance method get input argument name type required description collections array optional scopes query by collection accountids array optional scopes query by account id rulename string optional filters results by rule name policytype string optional filters results by policy type used to further scope queries because rule names do not need to be unique between policies category string optional filters results by category for example, a benchmark or resource type template string optional filters results by compliance template output parameter type description status code number http status code of the response reason string response reason phrase categories array output field categories failed number output field failed name array name of the resource total number output field total daily array output field daily id string unique identifier distribution object output field distribution critical number output field critical high number output field high low number output field low medium number output field medium total number output field total modified string output field modified ids array unique identifier benchmarkid string unique identifier category array output field category description string output field description failed number output field failed id number unique identifier severity string output field severity templatetitle string output field templatetitle total number output field total type array type of the resource example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "categories" \[], "daily" \[], "ids" \[], "rules" \[], "templates" \[] } } ] get container scan results retrieve detailed container scan reports from palo alto networks prisma cloud workload protection endpoint url /containers method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order hostname array optional hosts is used to filter containers by host image array optional images is used to filter containers by image name imageid array optional imageids is used to filter containers by image ids id array optional ids is used to filter container by container id profileid array optional profileids is used to filter container by runtime profile id namespaces array optional namespaces are the namespaces to filter fields array optional fields are used to fetch specific container field firewallsupported boolean optional firewallsupported is used to fetch containers with app firewall supported clusters array optional clusters is used to filter containers by cluster name complianceids array optional complianceids is used to filter containers by compliance ids compliancerulename string optional compliancerulename is used to filter containers by applied compliance rule name agentless boolean optional agentless indicates that we should return only containers that were scanned by an agentless scanner csa boolean optional csa indicates that we should return only containers that were scanned by csa collections string optional collections ids output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get defender names retrieve a list of defender hostnames from palo alto networks prisma cloud workload protection endpoint url /defenders/names method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order hostname string optional hostname is a name of a specific defender to retrieve role array optional roles are the defender api roles to filter connected boolean optional indicates whether to return only connected defenders (true) or disconnected defenders (false) type array optional indicates the defender types to return (e g , docker, dockerwindows, cri, etc) latest boolean optional indicates whether to return a list of defenders that are running the latest version of prisma cloud (true) or defenders with older versions (false) supportedversion boolean optional supportedversion indicates only defenders of supported versions should be fetched cluster array optional scopes the query by cluster name tasclusterids array optional scopes the query by tas cluster ids tasblobstorescanner boolean optional scopes the query by tas blobstore scanning only defenders (true) or tas full coverage defenders (false) tasfoundations array optional scopes the query by tas foundations usingoldca boolean optional scopes the query to defenders which are using old certificate usingexpiredca boolean optional scopes the query to defenders which are using expired certificate isarm64 boolean optional scopes the query by provider type indicates whether to return only defenders running on arm64 architecture isvpcobserver boolean optional indicates whether to return only defenders running as vpc observer output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ "string" ] } ] get defenders summary retrieve a summary count of defenders across categories in palo alto networks prisma cloud workload protection endpoint url /defenders/summary method get output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get deployed defenders retrieve a list of all deployed defenders in the palo alto networks prisma cloud workload protection environment endpoint url /defenders method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order hostname string optional hostname is a name of a specific defender to retrieve role array optional roles are the defender api roles to filter connected boolean optional indicates whether to return only connected defenders (true) or disconnected defenders (false) type array optional indicates the defender types to return (e g , docker, dockerwindows, cri, etc) latest boolean optional indicates whether to return a list of defenders that are running the latest version of prisma cloud (true) or defenders with older versions (false) supportedversion boolean optional supportedversion indicates only defenders of supported versions should be fetched cluster array optional scopes the query by cluster name tasclusterids array optional scopes the query by tas cluster ids tasblobstorescanner boolean optional scopes the query by tas blobstore scanning only defenders (true) or tas full coverage defenders (false) tasfoundations array optional scopes the query by tas foundations usingoldca boolean optional scopes the query to defenders which are using old certificate usingexpiredca boolean optional scopes the query to defenders which are using expired certificate isarm64 boolean optional scopes the query by provider type indicates whether to return only defenders running on arm64 architecture isvpcobserver boolean optional indicates whether to return only defenders running as vpc observer output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get group names retrieves all available group names from palo alto networks prisma cloud workload protection endpoint url /groups/names method get output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ "admins", "secops", "devops" ] } ] get groups retrieves a complete list of groups from palo alto networks prisma cloud workload protection endpoint url /groups method get output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get host information retrieve essential details about deployed hosts from palo alto prisma cloud, including hostname, distro, release, and agentless status endpoint url /hosts/info method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order hostname array optional filters the result based on hostnames distro array optional filters the result based on os distribution names compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false clusters array optional filters the result based on cluster names complianceids array optional filters the result based on compliance ids compliancerulename string optional filters the result based on applied compliance rule name agentless boolean optional retrieves the host names that were scanned by the agentless scanner csa boolean optional filters only images scanned by csa stopped boolean optional retrieves the host names that were skipped during an agentless scan default is false normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false uaiid string optional filters results by uaiid issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get host scan results retrieve detailed host vulnerability reports from palo alto networks prisma cloud workload protection endpoint url /hosts method get input argument name type required description fields string optional fields query parameters offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order hostname array optional filters the result based on hostnames distro array optional filters the result based on os distribution names compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false clusters array optional filters the result based on cluster names complianceids array optional filters the result based on compliance ids compliancerulename string optional filters the result based on applied compliance rule name agentless boolean optional retrieves the host names that were scanned by the agentless scanner csa boolean optional filters only images scanned by csa stopped boolean optional retrieves the host names that were skipped during an agentless scan default is false normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false uaiid string optional filters results by uaiid issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get image names retrieve a list of image names from palo alto networks prisma cloud workload protect to manage and analyze your inventory endpoint url /images/names method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id array optional filters the result based on image ids hostname array optional filters the result based on hostnames repository array optional filters the result based on image repository names registry array optional filters the result based on image registry names fields array optional list of fields to retrieve name array optional filters the result based on image names layers boolean optional indicates whether the cves are mapped to a specific image layer default is false filterbaseimage boolean optional indicates whether to filter the base image for vulnerabilities requires predefined base images that have already been scanned default is false compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false truststatuses array optional filters the result based on whether an image is trusted or not trusted by a trusted image policy clusters array optional filters the result based on cluster names complianceids array optional filters the result by compliance ids compliancerulename string optional filters the result based on applied compliance rule name appembedded boolean optional filters the result based on whether the images are scanned by app embedded defenders default is false normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false agentless boolean optional indicates whether to retrieve host names that are scanned by agentless scanner default is false csa boolean optional filters only images scanned by csa uaiid string optional filters results by uaiid issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ "string" ] } ] get image scan results retrieve detailed scan results for container images, identifying vulnerabilities and compliance issues from palo alto prisma cloud endpoint url /images method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id array optional filters the result based on image ids hostname array optional filters the result based on hostnames repository array optional filters the result based on image repository names registry array optional filters the result based on image registry names fields array optional list of fields to retrieve name array optional filters the result based on image names layers boolean optional indicates whether the cves are mapped to a specific image layer default is false filterbaseimage boolean optional indicates whether to filter the base image for vulnerabilities requires predefined base images that have already been scanned default is false compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false truststatuses array optional filters the result based on whether an image is trusted or not trusted by a trusted image policy clusters array optional filters the result based on cluster names complianceids array optional filters the result by compliance ids compliancerulename string optional filters the result based on applied compliance rule name appembedded boolean optional filters the result based on whether the images are scanned by app embedded defenders default is false normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false agentless boolean optional indicates whether to retrieve host names that are scanned by agentless scanner default is false csa boolean optional filters only images scanned by csa uaiid string optional filters results by uaiid issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get registry scan results retrieve detailed scan reports for registry images from palo alto networks prisma cloud workload protection endpoint url /registry method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id array optional filters results by registry image imageid array optional filters the result by image ids that are available in daemonset repository array optional filters the result based on image repository names registry array optional filters the result based on image registry names name array optional filters the result based on full image names layers boolean optional indicates whether the cves are mapped to an image layer default is false compact boolean optional provides the minimal image data information about vulnerabilities, compliance, and extended image metadata are skipped default is false filterbaseimage boolean optional indicates whether to filter the base image for vulnerabilities requires predefined base images that have already been scanned default is false normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false uaiid string optional filters results by uaiid issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get serverless function scan results retrieve scan reports for all serverless functions in palo alto networks prisma cloud workload protection endpoint url /serverless method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id array optional retrieves a list of cloud function ids cloudcontrolleraddresses array optional retrieves a list of cloud controller addresses that contains the cloud functions runtime array optional filters the result based on cloud runtimes version array optional filters the result based on cloud function's versions functionlayers array optional filters the result based on aws lambda layers defended boolean optional filters result based on cloud functions that are connected and protected by a defender complianceids array optional filters result based on compliance ids compliancerulename string optional filters the result based on applied compliance rule name platform array optional filters result based on platforms (os and architecture) such as windows, linux arm x64, linux x86, and so on normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get vm image names retrieve a list of virtual machine image names from palo alto networks prisma cloud workload protection endpoint url /vms/names method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id array optional filters the result based on vm ids name array optional filters the result based on image names credential array optional filters the result based on cloud credentials distro array optional filters the result based on os distribution names release array optional filters the result based on release versions imagetype array optional filters the result based on cloud image types use marketplace, managed, or gallery for microsoft azure complianceids array optional filters the result based on compliance ids compliancerulename string optional filters the result based on applied compliance rule name normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ "string" ] } ] get vm image scan results retrieve comprehensive security insights with vm image scan reports from palo alto networks prisma cloud workload protect endpoint url /vms method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id array optional filters the result based on vm ids name array optional filters the result based on image names credential array optional filters the result based on cloud credentials distro array optional filters the result based on os distribution names release array optional filters the result based on release versions imagetype array optional filters the result based on cloud image types use marketplace, managed, or gallery for microsoft azure complianceids array optional filters the result based on compliance ids compliancerulename string optional filters the result based on applied compliance rule name normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] get vm image tags retrieve all aws tags for scanned vm images in palo alto networks prisma cloud workload protection endpoint url /vms/labels method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order id array optional filters the result based on vm ids name array optional filters the result based on image names credential array optional filters the result based on cloud credentials distro array optional filters the result based on os distribution names release array optional filters the result based on release versions imagetype array optional filters the result based on cloud image types use marketplace, managed, or gallery for microsoft azure complianceids array optional filters the result based on compliance ids compliancerulename string optional filters the result based on applied compliance rule name normalizedseverity boolean optional retrieves the result in the normalized form of low, medium, high, and critical based on vulnerability's severity level default is false issuetype string optional filters results by issue type output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ "string" ] } ] get vulnerability cves stats retrieve a list of cves for images, hosts, and serverless functions in palo alto networks prisma cloud endpoint url /stats/vulnerabilities method get input argument name type required description offset number optional offsets the result to a specific report count offset starts from 0 limit number optional limit is the amount to fix sort string optional sorts the result using a key reverse boolean optional sorts the result in reverse order cve string optional cve is the single cve id to return vulnerability data for severitythreshold string optional severitythreshold is the minimum severity indicating that all retrieved cves severities are greater than or equal to the threshold cvssthreshold number optional cvssthreshold is the minimum cvss score indicating that all retrieved cves cvss scores are greater than or equal to the threshold resourcetype string optional resourcetype is the single resource type to return vulnerability data for agentless boolean optional agentless indicates whether to retrieve vulnerability data for agentless hosts/images stopped boolean optional stopped indicates whether to retrieve vulnerability data for hosts that were not running during agentless scan packages array optional packages filter by impacted packages riskfactors array optional riskfactors filter by cve risk factors envriskfactors array optional envriskfactors filter by environmental risk factors output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" \[ {} ] } ] resolve hosts adds vulnerability data for specified hosts in palo alto networks prisma cloud workload protect using a provided json body endpoint url /hosts/evaluate method post input argument name type required description images array optional parameter for resolve hosts secrets array optional parameter for resolve hosts id string optional unique identifier agentless boolean optional parameter for resolve hosts aisuuid string optional unique identifier allcompliance object optional parameter for resolve hosts compliance array optional parameter for resolve hosts applicablerules array optional parameter for resolve hosts binarypkgs array optional parameter for resolve hosts block boolean optional parameter for resolve hosts cause string optional parameter for resolve hosts cri boolean optional parameter for resolve hosts custom boolean optional parameter for resolve hosts cve string optional parameter for resolve hosts cvss number optional parameter for resolve hosts description string optional parameter for resolve hosts discovered string optional parameter for resolve hosts exploit array optional parameter for resolve hosts exploits array optional parameter for resolve hosts fixdate number optional date value fixlink string optional parameter for resolve hosts functionlayer string optional parameter for resolve hosts graceperioddays number optional parameter for resolve hosts id number optional unique identifier layertime number optional time value output parameter type description status code number http status code of the response reason string response reason phrase images array output field images secrets array output field secrets id string unique identifier example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "images" \[] } } ] resolve images adds vulnerability data for specified images in palo alto networks prisma cloud workload protect, requiring a json body input endpoint url /images/evaluate method post input argument name type required description images array optional parameter for resolve images secrets array optional parameter for resolve images id string optional unique identifier agentless boolean optional parameter for resolve images aisuuid string optional unique identifier allcompliance object optional parameter for resolve images compliance array optional parameter for resolve images applicablerules array optional parameter for resolve images binarypkgs array optional parameter for resolve images block boolean optional parameter for resolve images cause string optional parameter for resolve images cri boolean optional parameter for resolve images custom boolean optional parameter for resolve images cve string optional parameter for resolve images cvss number optional parameter for resolve images description string optional parameter for resolve images discovered string optional parameter for resolve images exploit array optional parameter for resolve images exploits array optional parameter for resolve images fixdate number optional date value fixlink string optional parameter for resolve images functionlayer string optional parameter for resolve images graceperioddays number optional parameter for resolve images id number optional unique identifier layertime number optional time value output parameter type description status code number http status code of the response reason string response reason phrase images array output field images secrets array output field secrets id string unique identifier example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "images" \[] } } ] start a host scan initiates a comprehensive re scan of all hosts in palo alto networks prisma cloud workload protect to update security posture endpoint url /hosts/scan method post output parameter type description status code number http status code of the response reason string response reason phrase status string status value example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "status" "scanned hosts " } } ] start image scan initiates a re scan of all images in palo alto networks prisma cloud workload protect, providing the scan initiation timestamp endpoint url /images/scan method post input argument name type required description hostname string optional hostname is the optional host name to scan imagetag object optional parameter for start image scan digest string optional image digest (requires v2 or later registry) id string optional id of the image registry string optional registry name to which the image belongs repo string optional repository name to which the image belongs tag string optional image tag output parameter type description status code number http status code of the response reason string response reason phrase status string status value example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "status" "scanned images " } } ] start vm image scan initiates a re scan of all vm images in palo alto networks prisma cloud and provides the scan initiation timestamp endpoint url /vms/scan method post output parameter type description status code number http status code of the response reason string response reason phrase status string status value example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "status" "scanned vm images " } } ] stop vm image scan terminate an ongoing vm image scan within palo alto networks prisma cloud workload protect endpoint url /vms/stop method post output parameter type description status code number http status code of the response reason string response reason phrase status string status value example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "status" "stopped vm images scan " } } ] update group by id modifies an existing group in palo alto networks prisma cloud workload protect using a specified id endpoint url /groups/{{id}} method put input argument name type required description id string required unique identifier id string optional group name groupid string optional group identifier in the azure saml identification process groupname string optional group name lastmodified string optional datetime when the group was created or last modified ldapgroup boolean optional indicates if the group is an ldap group (true) or not (false) oauthgroup boolean optional indicates if the group is an oauth group (true) or not (false) oidcgroup boolean optional indicates if the group is an openid connect group (true) or not (false) owner string optional user who created or modified the group permissions array optional parameter for update group by id collections array optional parameter for update group by id project string optional parameter for update group by id role string optional role of the group samlgroup boolean optional indicates if the group is a saml group (true) or not (false) user array optional parameter for update group by id username string optional name of the resource output parameter type description status code number http status code of the response reason string response reason phrase status string status value example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "status" "updated " } } ] upgrade a defender upgrades the defender component on a specified host using its id in palo alto networks prisma cloud workload protection endpoint url /defenders/{{id}}/upgrade method post input argument name type required description id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase success boolean whether the operation was successful example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { "success" true } } ] waas openapi scans generates a detailed openapi specifications report, identifying errors and security issues using palo alto prisma endpoint url /waas/openapi scans method post input argument name type required description form data object required response data file array required parameter for waas openapi scans file name string required name of the resource file string required parameter for waas openapi scans output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier issueresults array result of the operation id number unique identifier category string output field category descriptiontext string output field descriptiontext descriptionurl string url endpoint for the request id string unique identifier override object unique identifier queryname string name of the resource searchkey string output field searchkey severity array output field severity status string status value scaninfo object output field scaninfo appid string unique identifier policytype array type of the resource ruleid string unique identifier source array output field source scanstarttime string time value severitydistribution object output field severitydistribution high number output field high info number output field info low number output field low medium number output field medium example \[ { "status code" 200, "response headers" { "date" "wed, 12 jun 2024 09 40 11 gmt", "content type" "application/json;charset=utf 8", "transfer encoding" "chunked", "connection" "keep alive" }, "reason" "ok", "json body" { " id" "string", "issueresults" \[], "scaninfo" {}, "scanstarttime" "2024 06 14t05 48 05 260z", "severitydistribution" {}, "specinfo" {} } } ] response headers header description example connection http response header connection keep alive content type the media type of the resource application/json;charset=utf 8 date the date and time at which the message was originated wed, 12 jun 2024 09 40 11 gmt transfer encoding http response header transfer encoding chunked notes for more information on palo alto prisma cloud is found at palo alto prisma cloud main site https //pan dev/prisma cloud/api/palo alto prisma cloud api documentation https //pan dev/prisma cloud/api/cwpp/