Bitwarden Logs

Panther supports pulling logs directly from Bitwarden

Overview

This feature is in closed beta as of 1.52. Please reach out to your Panther Support team if you are interested in participating in the beta.
Panther can query the Bitwarden Events API for new audit events every 60 seconds.

How to onboard Bitwarden logs to Panther

Prerequisite

  • To read events from your Bitwarden account, you must have a Bitwarden organization account with API access.

Step 1: Create a new Bitwarden source in Panther

  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Configure > Log Sources.
  3. Click Create New.
  4. Select Bitwarden from the list of available log sources. Click Start Source Setup.
  5. Enter a descriptive name for the source, e.g., "My Bitwarden logs".
  6. Click Continue Setup.

Step 2: Fetch API credentials in Bitwarden

  1. In a separate browser tab, open the Bitwarden web console.
  2. Navigate to the Settings tab.
  3. In the lefthand navigation bar, select Organization info.
  4. In the API Key section, click View API key.
    The Bitwarden console shows the Settings > Organization info page. The "Organization name" field has a value of "Panther Test Organization" and there are also fields for Billing email and Business name. Below, an API Key section says "Your API key can be used to authenticate to the Bitwarden public API." Below, there is "View API key" and "Rotate API key" buttons.
  5. Copy the Client ID and Client Secret and store them in a secure location, as you will need them in the next step.

Step 3: Finalize Bitwarden onboarding in Panther

  1. Navigate to the Panther Console, on the "Set Credentials" page where you left off in the earlier steps.
  2. In the Client ID and Client Secret fields, paste the credentials you retrieved from Bitwarden in the previous step.
    The Panther Console's New Log Source screen says "Set the credentials of your Bitwarden App" and below are fields for Client ID and Client Secret.
  3. Click Setup.
    • You will be directed to a success screen:
      A screen in the Panther Console displays the message "Everything looks good!"
  4. To finish the source setup:
    1. Optionally configure a log drop-off alarm.
      • Before you finish the setup, we recommend that you create a log drop-off alarm to alert you if data stops flowing from the log source. Be sure to set an appropriate time interval for when you would like Panther to alert you that the log source is not sending data.
        A setting in the Panther Console reads, "Set an alarm in case this source does not process any events?" The associated toggle is set to Yes. Below is the question, "How long should Panther wait before it sends you an alert that no events have been processed?" A Number selector is set to 1, and a Period selector is set to Day(s).
    2. Optionally enable a Detection Pack.
    3. Click Finish Setup.

Supported log types

Panther supports Bitwarden.Events logs.

Bitwarden.Events

These logs represent events for the entire organization. For more information, see Bitwarden's API documentation.
schema: Bitwarden.Events
parser:
  native:
    name: Bitwarden.Events
description: Event logs from the Bitwarden Event Logs API
referenceURL: https://bitwarden.com/help/event-logs/#events
fields:
  - name: object
    required: true
    description: String representing the object's type.
    type: string
  - name: type
    required: true
    description: Event type
    type: bigint
  - name: itemId
    description: Unique identifier of the related item that the event describes.
    type: string
  - name: collectionId
    description: Unique identifier of the related collection that the event describes.
    type: string
  - name: groupId
    description: Unique identifier of the related group that the event describes.
    type: string
  - name: policyId
    description: Unique identifier of the related policy that the event describes.
    type: string
  - name: memberId
    description: Unique identifier of the related member that the event describes.
    type: string
  - name: actingUserId
    description: Unique identifier of the user that performed the event.
    type: string
  - name: installationId
    description: Unique identifier of the installation that the event describes.
    type: string
  - name: date
    required: true
    description: date/timestamp when the event occurred.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: device
    description: Device type
    type: bigint
  - name: ipAddress
    description: IP address of the acting user
    type: string
    indicators:
      - ip
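
The following Python example is added here and is not Panther's parser code. It applies the constraints stated in the schema above (required fields, bigint types, RFC 3339 event time, IP indicator) to raw events and groups source IPs per acting user; the output names event_time and ip_indicators and the sample events are assumptions made for the example.

```python
from datetime import datetime
from ipaddress import ip_address

# Constraints copied from the Bitwarden.Events schema on this page.
REQUIRED = ("object", "type", "date")   # required: true
BIGINT = ("type", "device")             # type: bigint

def normalize(event):
    """Check one raw event against the schema; output key names are hypothetical."""
    missing = [f for f in REQUIRED if event.get(f) is None]
    if missing:
        raise ValueError(f"missing required field(s): {', '.join(missing)}")
    for f in BIGINT:
        v = event.get(f)
        if v is not None and (isinstance(v, bool) or not isinstance(v, int)):
            raise ValueError(f"{f} must be an integer, got {v!r}")
    # timeFormats: rfc3339. Older fromisoformat() versions reject a trailing "Z".
    ts = datetime.fromisoformat(str(event["date"]).replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError("date has no UTC offset, so it is not RFC 3339")
    out = dict(event)
    out["event_time"] = ts                      # isEventTime: true
    ip = event.get("ipAddress")
    # indicators: ip. ip_address() raises ValueError on malformed input.
    out["ip_indicators"] = [str(ip_address(ip))] if ip else []
    return out

def ips_by_actor(events):
    """Return ({actingUserId: sorted distinct IPs}, [rejection reasons])."""
    seen, rejected = {}, []
    for raw in events:
        try:
            ev = normalize(raw)
        except ValueError as err:
            rejected.append(str(err))
            continue
        if ev.get("actingUserId"):
            seen.setdefault(ev["actingUserId"], set()).update(ev["ip_indicators"])
    return {user: sorted(ips) for user, ips in seen.items()}, rejected

# Constructed sample events (not real Bitwarden output).
SAMPLE = [
    {"object": "event", "type": 1000, "date": "2024-01-15T09:30:00Z",
     "actingUserId": "user-a", "device": 9, "ipAddress": "192.0.2.10"},
    {"object": "event", "type": 1000, "date": "2024-01-15T09:31:00.250Z",
     "actingUserId": "user-a", "ipAddress": "198.51.100.7"},
    {"object": "event", "type": 1000, "actingUserId": "user-b"},  # no date
    {"object": "event", "type": "1000", "date": "2024-01-15T09:32:00Z"},  # type is a string
]
```

Calling ips_by_actor(SAMPLE) returns the per-user IP map together with the reasons the last two events were rejected.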