https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-event-search-api-include-data-items-rawevent-in/m-p/511745#M614 <P>Greetings THolmes,</P> <P>&nbsp;</P> <P>I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>J. Avery King</P> Fri, 12 Aug 2022 16:54:33 GMT AKing9 2022-08-12T16:54:33Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-event-search-api-include-data-items-rawevent-in/m-p/347881#M303 <P>In my organization we have Prisma Cloud integrated into AWS Organization environment.&nbsp; Which is great for monitoring and pulling data from the entire AWS Org.&nbsp; I want to pull the count of all ec2 instances which are created using the&nbsp;<SPAN>RunInstances call.&nbsp; The event search works great for the number of times the&nbsp;</SPAN><SPAN>RunInstances is called, but in the rawEvent data several instances can be started from one call to RunInstances.&nbsp; The below api call will receive the data from Prisma:</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="python">timePeriod = { "type": "absolute", "value": { "startTime": 1596240000000, "endTime": 1598918399000 } } rqlQuery="event where operation = 'RunInstances'" limit=250 prismaToken = prismaAPI.prismaLogin(apiKey,apiSecret) query = {"limit":limit, "query": rqlQuery, "timeRange": timePeriod} totalInstances=0 prismaQueryResult = prismaAPI.prismaQuery(prismaToken, query,'event') def prismaQuery(pToken, rql, type='config'): url = f"https://api3.prismacloud.io/search/{type}" if type != 'network' else "https//api3.prismacloud.io/search" print(f'rql: {rql}') try: headers = { 'accept': "application/json; charset=UTF-8", 'content-type': "application/json; charset=UTF-8", 'x-redlock-auth': pToken } response = requests.request("POST", url, headers=headers, json=rql) response.raise_for_status() return response.json() except HTTPError as http_err: print(f'HTTP error occurred: {http_err}') except Exception as err: print(f'Other error occurred: {err}') else: print('Success!')</LI-CODE> <P>&nbsp;</P> <DIV>&nbsp;</DIV> <P>&nbsp;</P> <P><SPAN>but the raw event data is not included in the response.&nbsp; So then I need to make a call for every event to the&nbsp;<SPAN class="url"><A href="https://api.prismacloud.io" target="_blank" rel="noopener">https://api.prismacloud.io</A></SPAN><SPAN class="api-text">/search/event/raw/</SPAN><SPAN class="api-variable">id endpoint.&nbsp; Is there some way to get the rawEvent data in the initial search api call?&nbsp; There is a&nbsp;data.items[].rawEvent shown as possible response information.</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN><SPAN class="api-variable">Thank you,</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN><SPAN class="api-variable">Trevor</SPAN></SPAN></P> Fri, 12 Aug 2022 17:12:01 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-event-search-api-include-data-items-rawevent-in/m-p/347881#M303 THolmes 2022-08-12T17:12:01Z https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-event-search-api-include-data-items-rawevent-in/m-p/511745#M614 <P>Greetings THolmes,</P> <P>&nbsp;</P> <P>I hope that this note finds you well! I know that it has been a while since you had posted this question but I wanted to see if you still potentially needed any help. Thank you for your time and I hope that you have a good remainder of your day.</P> <P>&nbsp;</P> <P>Kind Regards,</P> <P>J. Avery King</P> Fri, 12 Aug 2022 16:54:33 GMT https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/prisma-cloud-event-search-api-include-data-items-rawevent-in/m-p/511745#M614 AKing9 2022-08-12T16:54:33Z