Sysdig Logs

Panther supports pulling logs directly from Sysdig

Overview

Panther has the ability to fetch Sysdig Audit logs by querying Sysdig Audit REST API.

Panther is specifically monitoring Sysdig Platform Audit events for auditing and reporting on the use of the Sysdig platform itself.

To set up Sysdig as a log source in Panther, you need to obtain a Sysdig API key and pass it to Panther to give access to the API.

How to onboard Sysdig Logs to Panther

Step 1: Get a Sysdig Secure API Key

Log in to your organization's Sysdig account and navigate to the Settings page.
In the left sidebar, click User Profile.
Scroll down to "Sysdig Secure API." Copy the token value and store it in a secure location, as you will need it in the next steps.

Step 2: Create a new Sysdig log source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Sysdig,” then click its tile.
On the slide-out panel, click Start Setup.
On the next screen, enter a descriptive name for the source, e.g., My Sysdig logs.
Click Setup.
On the Credentials page, fill in the form:
- Host: Select the hosting region for your Sysdig account.
- API Key: Paste the API Key that you copied earlier from your Sysdig account.
Click Setup. You will be directed to a success screen:\
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.\

Supported log types

Sysdig.Audit

schema: Sysdig.Audit
parser:
    native:
        name: Sysdig.Audit
description: Logs that track endpoint access
referenceURL: https://docs.sysdig.com/en/docs/administration/sysdig-platform-audit
version: 0
fields:
    - name: id
      required: true
      description: Unique identifier of the log
      type: string
    - name: cursor
      description: Cursor that points to this event
      type: string
    - name: timestamp
      required: true
      description: Timestamp for the log
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: originator
      description: Where this log was originated
      type: string
    - name: customerId
      required: true
      description: Customer who did the action
      type: bigint
    - name: category
      description: Category of the log
      type: string
    - name: source
      description: Always auditTrail
      type: string
    - name: name
      description: Name of the log
      type: string
    - name: description
      description: Description of the log
      type: string
    - name: severity
      description: Severity as classified by Sysdig
      type: bigint
    - name: content
      required: true
      description: The action itself
      type: object
      fields:
        - name: customerId
          required: true
          description: Customer who did the action
          type: bigint
        - name: entityId
          description: ID of the entity where the action occurred
          type: string
        - name: entityPayload
          description: Payload of the action
          type: string
        - name: entityType
          description: Type of the entity where the action occurred
          type: string
        - name: queryString
          description: Query sent in the request
          type: string
        - name: requestMethod
          required: true
          description: HTTP Method
          type: string
        - name: requestUri
          required: true
          description: Endpoint accessed
          type: string
        - name: responseStatusCode
          required: true
          description: HTTP status code
          type: bigint
        - name: teamId
          description: ID of user's Team
          type: bigint
        - name: timestampNs
          description: Timestamp of log in nanoseconds
          type: timestamp
          timeFormat: unix_ns
        - name: userId
          description: User's ID
          type: bigint
        - name: userOriginIP
          description: User's IP
          type: string
          indicators:
            - ip
    - name: labels
      required: true
      description: Labels that apply to the log
      type: object
      fields:
        - name: entityType
          required: true
          description: Type of the entity
          type: string

PreviousSuricata Logs NextSyslog Logs

Last updated 1 year ago

Was this helpful?

schema: Sysdig.Audit parser: native: name: Sysdig.Audit description: Logs that track endpoint access referenceURL: https://docs.sysdig.com/en/docs/administration/sysdig-platform-audit version: 0 fields: - name: id required: true description: Unique identifier of the log type: string - name: cursor description: Cursor that points to this event type: string - name: timestamp required: true description: Timestamp for the log type: timestamp timeFormat: rfc3339 isEventTime: true - name: originator description: Where this log was originated type: string - name: customerId required: true description: Customer who did the action type: bigint - name: category description: Category of the log type: string - name: source description: Always auditTrail type: string - name: name description: Name of the log type: string - name: description description: Description of the log type: string - name: severity description: Severity as classified by Sysdig type: bigint - name: content required: true description: The action itself type: object fields: - name: customerId required: true description: Customer who did the action type: bigint - name: entityId description: ID of the entity where the action occurred type: string - name: entityPayload description: Payload of the action type: string - name: entityType description: Type of the entity where the action occurred type: string - name: queryString description: Query sent in the request type: string - name: requestMethod required: true description: HTTP Method type: string - name: requestUri required: true description: Endpoint accessed type: string - name: responseStatusCode required: true description: HTTP status code type: bigint - name: teamId description: ID of user's Team type: bigint - name: timestampNs description: Timestamp of log in nanoseconds type: timestamp timeFormat: unix_ns - name: userId description: User's ID type: bigint - name: userOriginIP description: User's IP type: string indicators: - ip - name: labels required: true description: Labels that apply to the log type: object fields: - name: entityType required: true description: Type of the entity type: string