Panther supports pulling logs directly from MongoDB Atlas
Overview
Panther has the ability to fetch MongoDB Atlas event logs by querying the MongoDB Atlas Administration API. Panther is specifically monitoring the following MongoDB Atlas events:
Organization events related to hosts, encryption, billing, user access, and much more.
Project events related to hosts, encryption, billing, user access, and much more.
In order to set up MongoDB Atlas as a log source in Panther, you'll need to authorize Panther in MongoDB Atlas by generating an API key in your MongoDB account and then set up MongoDB Atlas as a log source in Panther.
How to onboard MongoDB Atlas logs to Panther
Step 1: Generate an Access Key in MongoDB Atlas
Navigate to the Access Manager page for your organization.
If it is not already displayed, select your desired organization from the Organizations menu in the navigation bar.
Click Access Manager in the sidebar, or click Access Manager in the navigation bar, then click your organization.
Click Create API Key
Enter the API Key Information
Enter a Description.
In the Organization Permissions menu, select the new role or roles for the API key e.g ORG_READ_ONLY for Organization Read Only permission.
Click Next
Copy and save the Public Key. The public key acts as the username when making API requests.
Copy and save the Private Key. The private key acts as the password when making API requests.
Click Done.
Step 2: Create a new MongoDB Atlas log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Search for "MongoDB Atlas," then click its tile.
Click Start Setup.
On the next screen, enter in a memorable name for the source e.g. My MongoDB Atlas logs.
Click Setup.
On the Set Credentials page, fill in the form:
Paste the API key from MongoDB Atlas into the API key field.
Click Setup. You will be directed to a success screen:
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
# Code generated by Panther; DO NOT EDIT. (@generated)schema:MongoDB.OrganizationEventparser:native:name:MongoDB.OrganizationEventdescription:All events for the organization.referenceURL:https://www.mongodb.com/docs/atlas/reference/api/events-orgs-get-allfields: - name:alertIddescription:Unique identifier for the alert associated to the eventtype:string - name:alertConfigIddescription:Unique identifier for the alert configuration associated to the alertIdtype:string - name:apiKeyId description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
type:stringindicators: - username - name:clusterNamedescription:The name associated with the clustertype:string - name:collection description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type:string - name:createdrequired:truedescription:The date and time of the event in rfc3339 standard formattype:timestamptimeFormat:rfc3339isEventTime:true - name:currentValuedescription:Describes the value of the metricName at the time of the eventtype:objectfields: - name:numberdescription:The value of the metricName at the time of the eventtype:float - name:unitsdescription:The unit of measurement of the currentValue.numbertype:string - name:database description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type:string - name:eventTypeNamerequired:truedescription:Human-readable label that indicates the type of eventtype:string - name:groupIddescription:The unique identifier for the project in which the event occurredtype:string - name:hostnamedescription:The hostname of the Atlas host machine associated to the eventtype:stringindicators: - hostname - name:idrequired:truedescription:The unique identifier for the eventtype:string - name:invoiceIddescription:The unique identifier of the invoice associated to the eventtype:string - name:isGlobalAdmindescription:Indicates whether the user who triggered the event is a MongoDB employeetype:boolean - name:links description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
type:arrayelement:type:objectfields: - name:hrefdescription:The link target, either a URL or a URL fragmenttype:stringindicators: - url - name:reldescription:Relationship between current document and the linked document (e.g. self)type:string - name:metricNamedescription:The name of the metric associated to the alertIdtype:string - name:opType description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type:string - name:orgIddescription:The unique identifier for the organization in which the event occurredtype:string - name:paymentIddescription:The unique identifier of the invoice payment associated to the eventtype:string - name:portdescription:The port on which the mongod or mongos listenstype:bigint - name:publicKey description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
type:stringindicators: - username - name:rawdescription:Additional meta information about the eventtype:json - name:remoteAddressdescription:IP address of the userId Atlas user who triggered the eventtype:stringindicators: - ip - name:replicaSetNamedescription:The name of the replica set associated to the eventtype:string - name:shardNamedescription:The name of the shard associated to the eventtype:string - name:targetPublicKeydescription:The public key of the API Key targeted by the eventtype:stringindicators: - username - name:targetUsernamedescription:The username for the Atlas user targeted by the eventtype:stringindicators: - username - name:teamIddescription:The unique identifier for the Atlas team associated to the eventtype:string - name:userAlias description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
type:stringindicators: - hostname - name:userId description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
type:stringindicators: - username - name:username description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
type:stringindicators: - username - name:whitelistEntrydescription:The white list entry of the API Key targeted by the eventtype:string
MongoDB.ProjectEvent
# Code generated by Panther; DO NOT EDIT. (@generated)schema:MongoDB.ProjectEventparser:native:name:MongoDB.ProjectEventdescription:All events associated with projects associated with the organization.referenceURL:https://www.mongodb.com/docs/atlas/reference/api/events-projects-get-allfields: - name:alertIddescription:Unique identifier for the alert associated to the eventtype:string - name:alertConfigIddescription:Unique identifier for the alert configuration associated to the alertIdtype:string - name:apiKeyId description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
type:stringindicators: - username - name:clusterNamedescription:The name associated with the clustertype:string - name:collection description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type:string - name:createdrequired:truedescription:The date and time of the event in rfc3339 standard formattype:timestamptimeFormat:rfc3339isEventTime:true - name:currentValuedescription:Describes the value of the metricName at the time of the eventtype:objectfields: - name:numberdescription:The value of the metricName at the time of the eventtype:float - name:unitsdescription:The unit of measurement of the currentValue.numbertype:string - name:database description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type:string - name:eventTypeNamerequired:truedescription:Human-readable label that indicates the type of eventtype:string - name:groupIddescription:The unique identifier for the project in which the event occurredtype:string - name:hostnamedescription:The hostname of the Atlas host machine associated to the eventtype:stringindicators: - hostname - name:idrequired:truedescription:The unique identifier for the eventtype:string - name:invoiceIddescription:The unique identifier of the invoice associated to the eventtype:string - name:isGlobalAdmindescription:Indicates whether the user who triggered the event is a MongoDB employeetype:boolean - name:links description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
type:arrayelement:type:objectfields: - name:hrefdescription:The link target, either a URL or a URL fragmenttype:stringindicators: - url - name:reldescription:Relationship between current document and the linked document (e.g. self)type:string - name:metricNamedescription:The name of the metric associated to the alertIdtype:string - name:opType description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type:string - name:orgIddescription:The unique identifier for the organization in which the event occurredtype:string - name:paymentIddescription:The unique identifier of the invoice payment associated to the eventtype:string - name:portdescription:The port on which the mongod or mongos listenstype:bigint - name:publicKey description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
type:stringindicators: - username - name:rawdescription:Additional meta information about the eventtype:json - name:remoteAddressdescription:IP address of the userId Atlas user who triggered the eventtype:stringindicators: - ip - name:replicaSetNamedescription:The name of the replica set associated to the eventtype:string - name:shardNamedescription:The name of the shard associated to the eventtype:string - name:targetPublicKeydescription:The public key of the API Key targeted by the eventtype:stringindicators: - username - name:targetUsernamedescription:The username for the Atlas user targeted by the eventtype:stringindicators: - username - name:teamIddescription:The unique identifier for the Atlas team associated to the eventtype:string - name:userAlias description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
type:stringindicators: - hostname - name:userId description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
type:stringindicators: - username - name:username description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
type:stringindicators: - username - name:whitelistEntrydescription:The white list entry of the API Key targeted by the eventtype:string
