Panther has the ability to fetch MongoDB Atlas event logs by querying the . Panther is specifically monitoring the following MongoDB Atlas events:
related to hosts, encryption, billing, user access, and much more.
related to hosts, encryption, billing, user access, and much more.
In order to set up MongoDB Atlas as a log source in Panther, you'll need to authorize Panther in MongoDB Atlas by generating an API key in your MongoDB account and then set up MongoDB Atlas as a log source in Panther.
How to onboard MongoDB Atlas logs to Panther
Step 1: Generate an Access Key in MongoDB Atlas
Navigate to the Access Manager page for your organization.
If it is not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Click Access Manager in the sidebar, or click Access Manager in the navigation bar, then click your organization.
Click Create API Key
Enter the API Key Information
Enter a Description.
In the Organization Permissions menu, select the for the API key e.g ORG_READ_ONLY for Organization Read Only permission.
Click Next
Copy and save the Public Key. The public key acts as the username when making API requests.
Copy and save the Private Key. The private key acts as the password when making API requests.
Click Done.
Step 2: Create a new MongoDB Atlas log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Search for "MongoDB Atlas," then click its tile.
Click Start Setup.
On the next screen, enter in a memorable name for the source e.g. My MongoDB Atlas logs.
Click Setup.
On the Set Credentials page, fill in the form:
Paste the API key from MongoDB Atlas into the API key field.
Click Setup. You will be directed to a success screen:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Panther-managed detections
Supported log types
MongoDB.OrganizationEvent
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: MongoDB.OrganizationEvent
parser:
native:
name: MongoDB.OrganizationEvent
description: All events for the organization.
referenceURL: https://www.mongodb.com/docs/atlas/reference/api/events-orgs-get-all
fields:
- name: alertId
description: Unique identifier for the alert associated to the event
type: string
- name: alertConfigId
description: Unique identifier for the alert configuration associated to the alertId
type: string
- name: apiKeyId
description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
type: string
indicators:
- username
- name: clusterName
description: The name associated with the cluster
type: string
- name: collection
description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: created
required: true
description: The date and time of the event in rfc3339 standard format
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: currentValue
description: Describes the value of the metricName at the time of the event
type: object
fields:
- name: number
description: The value of the metricName at the time of the event
type: float
- name: units
description: The unit of measurement of the currentValue.number
type: string
- name: database
description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: eventTypeName
required: true
description: Human-readable label that indicates the type of event
type: string
- name: groupId
description: The unique identifier for the project in which the event occurred
type: string
- name: hostname
description: The hostname of the Atlas host machine associated to the event
type: string
indicators:
- hostname
- name: id
required: true
description: The unique identifier for the event
type: string
- name: invoiceId
description: The unique identifier of the invoice associated to the event
type: string
- name: isGlobalAdmin
description: Indicates whether the user who triggered the event is a MongoDB employee
type: boolean
- name: links
description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
type: array
element:
type: object
fields:
- name: href
description: The link target, either a URL or a URL fragment
type: string
indicators:
- url
- name: rel
description: Relationship between current document and the linked document (e.g. self)
type: string
- name: metricName
description: The name of the metric associated to the alertId
type: string
- name: opType
description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: orgId
description: The unique identifier for the organization in which the event occurred
type: string
- name: paymentId
description: The unique identifier of the invoice payment associated to the event
type: string
- name: port
description: The port on which the mongod or mongos listens
type: bigint
- name: publicKey
description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
type: string
indicators:
- username
- name: raw
description: Additional meta information about the event
type: json
- name: remoteAddress
description: IP address of the userId Atlas user who triggered the event
type: string
indicators:
- ip
- name: replicaSetName
description: The name of the replica set associated to the event
type: string
- name: shardName
description: The name of the shard associated to the event
type: string
- name: targetPublicKey
description: The public key of the API Key targeted by the event
type: string
indicators:
- username
- name: targetUsername
description: The username for the Atlas user targeted by the event
type: string
indicators:
- username
- name: teamId
description: The unique identifier for the Atlas team associated to the event
type: string
- name: userAlias
description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
type: string
indicators:
- hostname
- name: userId
description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
type: string
indicators:
- username
- name: username
description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
type: string
indicators:
- username
- name: whitelistEntry
description: The white list entry of the API Key targeted by the event
type: string
MongoDB.ProjectEvent
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: MongoDB.ProjectEvent
parser:
native:
name: MongoDB.ProjectEvent
description: All events associated with projects associated with the organization.
referenceURL: https://www.mongodb.com/docs/atlas/reference/api/events-projects-get-all
fields:
- name: alertId
description: Unique identifier for the alert associated to the event
type: string
- name: alertConfigId
description: Unique identifier for the alert configuration associated to the alertId
type: string
- name: apiKeyId
description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
type: string
indicators:
- username
- name: clusterName
description: The name associated with the cluster
type: string
- name: collection
description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: created
required: true
description: The date and time of the event in rfc3339 standard format
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: currentValue
description: Describes the value of the metricName at the time of the event
type: object
fields:
- name: number
description: The value of the metricName at the time of the event
type: float
- name: units
description: The unit of measurement of the currentValue.number
type: string
- name: database
description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: eventTypeName
required: true
description: Human-readable label that indicates the type of event
type: string
- name: groupId
description: The unique identifier for the project in which the event occurred
type: string
- name: hostname
description: The hostname of the Atlas host machine associated to the event
type: string
indicators:
- hostname
- name: id
required: true
description: The unique identifier for the event
type: string
- name: invoiceId
description: The unique identifier of the invoice associated to the event
type: string
- name: isGlobalAdmin
description: Indicates whether the user who triggered the event is a MongoDB employee
type: boolean
- name: links
description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
type: array
element:
type: object
fields:
- name: href
description: The link target, either a URL or a URL fragment
type: string
indicators:
- url
- name: rel
description: Relationship between current document and the linked document (e.g. self)
type: string
- name: metricName
description: The name of the metric associated to the alertId
type: string
- name: opType
description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: orgId
description: The unique identifier for the organization in which the event occurred
type: string
- name: paymentId
description: The unique identifier of the invoice payment associated to the event
type: string
- name: port
description: The port on which the mongod or mongos listens
type: bigint
- name: publicKey
description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
type: string
indicators:
- username
- name: raw
description: Additional meta information about the event
type: json
- name: remoteAddress
description: IP address of the userId Atlas user who triggered the event
type: string
indicators:
- ip
- name: replicaSetName
description: The name of the replica set associated to the event
type: string
- name: shardName
description: The name of the shard associated to the event
type: string
- name: targetPublicKey
description: The public key of the API Key targeted by the event
type: string
indicators:
- username
- name: targetUsername
description: The username for the Atlas user targeted by the event
type: string
indicators:
- username
- name: teamId
description: The unique identifier for the Atlas team associated to the event
type: string
- name: userAlias
description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
type: string
indicators:
- hostname
- name: userId
description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
type: string
indicators:
- username
- name: username
description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
type: string
indicators:
- username
- name: whitelistEntry
description: The white list entry of the API Key targeted by the event
type: string
