# MongoDB Atlas Logs

## Overview

Panther can fetch MongoDB Atlas event logs by polling the [MongoDB Atlas Administration API](https://www.mongodb.com/docs/atlas/configure-api-access/) with an API key you create for it. Panther monitors the following MongoDB Atlas events:

* [Organization events](https://www.mongodb.com/docs/atlas/reference/api/events-orgs-get-all/) related to hosts, encryption, billing, user access, and much more.
* [Project events](https://www.mongodb.com/docs/atlas/reference/api/events-projects-get-all/) related to hosts, encryption, billing, user access, and much more.

Onboarding takes two steps: generate an API key for Panther in your MongoDB Atlas organization, then create a MongoDB Atlas log source in Panther using that key.

## How to onboard MongoDB Atlas logs to Panther

### Step 1: Generate an API key in MongoDB Atlas

1. Navigate to the **Access Manager** page for your organization.
   1. If it is not already displayed, select your desired organization from the **Organizations** menu in the navigation menu.
   2. In the navigation menu, click **Access Manager**, then select your organization.
2. Click **Add new** > **API Key**.\ <img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-525c97b7b88466fb76c975c4237e8e0afd519554%2Fimage%20(28).png?alt=media" alt="An arrow is drawn from an &#x22;Add new&#x22; button to an &#x22;API Key&#x22; option in a menu." data-size="original">
3. Under **Enter the API Key Information**, fill in the fields:
   * **Description**: Enter a description for the API key, e.g., `Panther log puller`.
   * **Organization Permissions**: Select one or more [roles](https://www.mongodb.com/docs/atlas/reference/user-roles/#std-label-organization-roles) for the API key. `Organization Read Only` is sufficient for reading organization and project events and is the least-privileged choice; a log-collection key should not be granted any role that can modify the organization.\
     ![Under a "Create API Key" header, there are Description and Organization Permissions form fields.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-3e362f9b9562cf92a3e31c05e15cef1770fa11f6%2Fimage%20\(29\).png?alt=media)
4. Click **Next**.
5. Copy the public key and store it in a secure location, such as your secrets manager. The public key acts as the username when making API requests.
6. Copy the private key and store it alongside the public key. The private key acts as the password when making API requests. Atlas displays the private key only at creation time; if you lose it, you must create a new API key.
7. Click **Done**.
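Before handing the key pair to Panther, it is worth confirming that it can actually read events with the role you chose. The following script is an added example, not Panther's or MongoDB's own code: it authenticates the way the page describes (public key as username, private key as password, which the Atlas Administration API accepts via HTTP Digest authentication) and pages through `GET /orgs/{ORG-ID}/events` on the v1.0 endpoint the page links to. The organization ID, the `ATLAS_*` environment variable names, and the `totalCount`/`results` paging loop are assumptions drawn from the Atlas v1.0 response format; check them against your own account.

```python
"""Smoke-test a MongoDB Atlas API key by pulling organization events.

Added example (not Panther's code). Authenticates with HTTP Digest using the
public key as username and the private key as password, then walks every
page of GET /orgs/{ORG-ID}/events and counts events by eventTypeName.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Iterator, Optional

# Atlas Administration API v1.0 base URL (the version the page's event docs describe).
ATLAS_BASE = "https://cloud.mongodb.com/api/atlas/v1.0"


def build_events_url(org_id: str, page_num: int = 1, items_per_page: int = 100,
                     min_date: Optional[str] = None) -> str:
    """URL for the organization events endpoint with paging parameters."""
    params = {"pageNum": page_num, "itemsPerPage": items_per_page}
    if min_date:
        params["minDate"] = min_date  # RFC 3339, e.g. 2023-08-03T00:00:00Z
    return (f"{ATLAS_BASE}/orgs/{urllib.parse.quote(org_id)}/events?"
            + urllib.parse.urlencode(params))


def make_fetcher(public_key: str, private_key: str) -> Callable[[str], dict]:
    """Return fetch_json(url) that performs Digest auth with the key pair."""
    pw_mgr = urllib.request.HTTPPasswordMgrWithDefaultRealm()
    pw_mgr.add_password(None, ATLAS_BASE, public_key, private_key)
    opener = urllib.request.build_opener(urllib.request.HTTPDigestAuthHandler(pw_mgr))

    def fetch_json(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Accept": "application/json"})
        with opener.open(req, timeout=30) as resp:  # raises HTTPError on 401/403
            return json.load(resp)

    return fetch_json


def iter_org_events(org_id: str, fetch_json: Callable[[str], dict],
                    min_date: Optional[str] = None,
                    items_per_page: int = 100) -> Iterator[dict]:
    """Yield every event, requesting pages until totalCount is reached.

    fetch_json is injected so the paging logic can be exercised offline.
    """
    page_num, seen = 1, 0
    while True:
        page = fetch_json(build_events_url(org_id, page_num, items_per_page, min_date))
        results = page.get("results", [])
        for event in results:
            yield event
        seen += len(results)
        # Stop on an empty page as well, so a stale totalCount cannot loop forever.
        if not results or seen >= page.get("totalCount", 0):
            return
        page_num += 1


def summarize(events: Iterable[dict]) -> Dict[str, int]:
    """Count events by eventTypeName; a non-empty result proves the key works."""
    counts: Dict[str, int] = {}
    for event in events:
        name = event.get("eventTypeName", "UNKNOWN")
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    # Assumed environment variables; the org ID is shown in Atlas organization settings.
    fetch = make_fetcher(os.environ["ATLAS_PUBLIC_KEY"], os.environ["ATLAS_PRIVATE_KEY"])
    print(summarize(iter_org_events(os.environ["ATLAS_ORG_ID"], fetch,
                                    min_date="2023-08-01T00:00:00Z")))
```

A `401` from `opener.open` means the key pair is wrong or the role cannot read events; a `403` typically means the organization requires an API access list and the calling IP is not on it, which will also block Panther's pulls until the list is updated.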

### Step 2: Create a new MongoDB Atlas log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. In the upper right corner, click **Create New.**
3. Search for "MongoDB Atlas," then click its tile.
4. Click **Start Setup.**
5. On the next screen, enter a memorable name for the source, e.g. `My MongoDB Atlas logs`.
6. Click **Setup.**
7. On the **Set Credentials** page, fill in the form:
   * Paste the **API key** credentials you saved in Step 1 (the public key and its private key) into the API key field.
8. Click **Setup**. You will be directed to a success screen:\\

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e55cedf82c6a6adc66ec5c14ebdcb164c3b1dcca%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.\\

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c48119abd559990173004bde99ff4907fdd2ded2%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for MongoDB Atlas in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/mongodb_rules).

## Supported log types

### MongoDB.OrganizationEvent

```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: MongoDB.OrganizationEvent
parser:
  native:
    name: MongoDB.OrganizationEvent
description: All events for the organization.
referenceURL: https://www.mongodb.com/docs/atlas/reference/api/events-orgs-get-all
fields:
  - name: alertId
    description: Unique identifier for the alert associated to the event
    type: string
  - name: alertConfigId
    description: Unique identifier for the alert configuration associated to the alertId
    type: string
  - name: apiKeyId
    description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
    type: string
    indicators:
      - username
  - name: clusterName
    description: The name associated with the cluster
    type: string
  - name: collection
    description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: currentValue
    description: Describes the value of the metricName at the time of the event
    type: object
    fields:
      - name: number
        description: The value of the metricName at the time of the event
        type: float
      - name: units
        description: The unit of measurement of the currentValue.number
        type: string
  - name: database
    description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: eventTypeName
    required: true
    description: Human-readable label that indicates the type of event
    type: string
  - name: groupId
    description: The unique identifier for the project in which the event occurred
    type: string
  - name: hostname
    description: The hostname of the Atlas host machine associated to the event
    type: string
    indicators:
      - hostname
  - name: id
    required: true
    description: The unique identifier for the event
    type: string
  - name: invoiceId
    description: The unique identifier of the invoice associated to the event
    type: string
  - name: isGlobalAdmin
    description: Indicates whether the user who triggered the event is a MongoDB employee
    type: boolean
  - name: links
    description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
    type: array
    element:
      type: object
      fields:
        - name: href
          description: The link target, either a URL or a URL fragment
          type: string
          indicators:
            - url
        - name: rel
          description: Relationship between current document and the linked document (e.g. self)
          type: string
  - name: metricName
    description: The name of the metric associated to the alertId
    type: string
  - name: opType
    description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: orgId
    description: The unique identifier for the organization in which the event occurred
    type: string
  - name: paymentId
    description: The unique identifier of the invoice payment associated to the event
    type: string
  - name: port
    description: The port on which the mongod or mongos listens
    type: bigint
  - name: publicKey
    description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
    type: string
    indicators:
      - username
  - name: raw
    description: Additional meta information about the event
    type: json
  - name: remoteAddress
    description: IP address of the userId Atlas user who triggered the event
    type: string
    indicators:
      - ip
  - name: replicaSetName
    description: The name of the replica set associated to the event
    type: string
  - name: shardName
    description: The name of the shard associated to the event
    type: string
  - name: targetPublicKey
    description: The public key of the API Key targeted by the event
    type: string
    indicators:
      - username
  - name: targetUsername
    description: The username for the Atlas user targeted by the event
    type: string
    indicators:
      - username
  - name: teamId
    description: The unique identifier for the Atlas team associated to the event
    type: string
  - name: userAlias
    description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
    type: string
    indicators:
      - hostname
  - name: userId
    description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
    type: string
    indicators:
      - username
  - name: username
    description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
    type: string
    indicators:
      - username
  - name: whitelistEntry
    description: The white list entry of the API Key targeted by the event
    type: string

```

### MongoDB.ProjectEvent

```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: MongoDB.ProjectEvent
parser:
  native:
    name: MongoDB.ProjectEvent
description: All events associated with projects associated with the organization.
referenceURL: https://www.mongodb.com/docs/atlas/reference/api/events-projects-get-all
fields:
  - name: alertId
    description: Unique identifier for the alert associated to the event
    type: string
  - name: alertConfigId
    description: Unique identifier for the alert configuration associated to the alertId
    type: string
  - name: apiKeyId
    description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
    type: string
    indicators:
      - username
  - name: clusterName
    description: The name associated with the cluster
    type: string
  - name: collection
    description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: currentValue
    description: Describes the value of the metricName at the time of the event
    type: object
    fields:
      - name: number
        description: The value of the metricName at the time of the event
        type: float
      - name: units
        description: The unit of measurement of the currentValue.number
        type: string
  - name: database
    description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: eventTypeName
    required: true
    description: Human-readable label that indicates the type of event
    type: string
  - name: groupId
    description: The unique identifier for the project in which the event occurred
    type: string
  - name: hostname
    description: The hostname of the Atlas host machine associated to the event
    type: string
    indicators:
      - hostname
  - name: id
    required: true
    description: The unique identifier for the event
    type: string
  - name: invoiceId
    description: The unique identifier of the invoice associated to the event
    type: string
  - name: isGlobalAdmin
    description: Indicates whether the user who triggered the event is a MongoDB employee
    type: boolean
  - name: links
    description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
    type: array
    element:
      type: object
      fields:
        - name: href
          description: The link target, either a URL or a URL fragment
          type: string
          indicators:
            - url
        - name: rel
          description: Relationship between current document and the linked document (e.g. self)
          type: string
  - name: metricName
    description: The name of the metric associated to the alertId
    type: string
  - name: opType
    description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: orgId
    description: The unique identifier for the organization in which the event occurred
    type: string
  - name: paymentId
    description: The unique identifier of the invoice payment associated to the event
    type: string
  - name: port
    description: The port on which the mongod or mongos listens
    type: bigint
  - name: publicKey
    description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
    type: string
    indicators:
      - username
  - name: raw
    description: Additional meta information about the event
    type: json
  - name: remoteAddress
    description: IP address of the userId Atlas user who triggered the event
    type: string
    indicators:
      - ip
  - name: replicaSetName
    description: The name of the replica set associated to the event
    type: string
  - name: shardName
    description: The name of the shard associated to the event
    type: string
  - name: targetPublicKey
    description: The public key of the API Key targeted by the event
    type: string
    indicators:
      - username
  - name: targetUsername
    description: The username for the Atlas user targeted by the event
    type: string
    indicators:
      - username
  - name: teamId
    description: The unique identifier for the Atlas team associated to the event
    type: string
  - name: userAlias
    description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
    type: string
    indicators:
      - hostname
  - name: userId
    description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
    type: string
    indicators:
      - username
  - name: username
    description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
    type: string
    indicators:
      - username
  - name: whitelistEntry
    description: The white list entry of the API Key targeted by the event
    type: string
```
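The two schemas above document a detail that matters when writing your own rules on top of the Panther-managed ones: the actor is recorded in one of two mutually exclusive field pairs, `username`/`userId` for a human user and `publicKey`/`apiKeyId` for an API key, so a rule that only reads `username` silently loses API-key-driven changes. The rule below is an added example in Panther's rule format (`rule`, `title`, `severity` functions over an event that supports `.get`), not one of the managed rules in the repository linked above. It flags a project IP access-list entry that admits the whole internet; the `NETWORK_PERMISSION_ENTRY_ADDED` and `NETWORK_PERMISSION_ENTRY_UPDATED` event type names come from Atlas's event vocabulary and should be checked against your own data, and the sample events are constructed, not real Atlas output.

```python
"""Example Panther rule for MongoDB.ProjectEvent / MongoDB.OrganizationEvent.

Added example, not a Panther-managed rule. Alerts when an access-list entry
that covers every address (0.0.0.0/0 or ::/0) is added to a project, and
resolves the actor from the schema's mutually exclusive user/API-key fields.
"""
from ipaddress import ip_network

# Atlas event types for project IP access-list changes (assumed; verify against your logs).
ACCESS_LIST_EVENTS = {"NETWORK_PERMISSION_ENTRY_ADDED", "NETWORK_PERMISSION_ENTRY_UPDATED"}


def actor(event) -> str:
    """Identity that triggered the event.

    Per the schema, Atlas returns username/userId for a user and
    publicKey/apiKeyId for an API key, never both pairs. Prefer the readable
    value and fall back to the identifier.
    """
    if event.get("username") or event.get("userId"):
        return f"user:{event.get('username') or event.get('userId')}"
    if event.get("publicKey") or event.get("apiKeyId"):
        return f"apikey:{event.get('publicKey') or event.get('apiKeyId')}"
    return "unknown"


def is_world_open(entry) -> bool:
    """True when the access-list entry admits every IPv4 or IPv6 address."""
    if not entry:
        return False
    try:
        return ip_network(entry, strict=False).prefixlen == 0
    except ValueError:  # not a CIDR or address, e.g. an AWS security group id
        return False


def rule(event) -> bool:
    if event.get("eventTypeName") not in ACCESS_LIST_EVENTS:
        return False
    return is_world_open(event.get("whitelistEntry"))


def title(event) -> str:
    return (f"MongoDB Atlas project {event.get('groupId')} opened to the internet: "
            f"{actor(event)} added {event.get('whitelistEntry')} "
            f"from {event.get('remoteAddress')}")


def severity(event) -> str:
    # Changes made through an API key are harder to attribute to a person; escalate them.
    return "CRITICAL" if event.get("apiKeyId") or event.get("publicKey") else "HIGH"


# Constructed sample events shaped like the MongoDB.ProjectEvent schema (not real data).
SAMPLE_EVENTS = [
    {"id": "evt-1", "created": "2023-08-03T16:26:54Z", "groupId": "proj-1",
     "eventTypeName": "NETWORK_PERMISSION_ENTRY_ADDED", "whitelistEntry": "0.0.0.0/0",
     "username": "alice@example.com", "userId": "user-1", "remoteAddress": "203.0.113.7"},
    {"id": "evt-2", "created": "2023-08-03T16:27:10Z", "groupId": "proj-1",
     "eventTypeName": "NETWORK_PERMISSION_ENTRY_ADDED", "whitelistEntry": "198.51.100.0/24",
     "username": "alice@example.com", "userId": "user-1", "remoteAddress": "203.0.113.7"},
    {"id": "evt-3", "created": "2023-08-03T16:30:00Z", "groupId": "proj-2",
     "eventTypeName": "NETWORK_PERMISSION_ENTRY_UPDATED", "whitelistEntry": "::/0",
     "publicKey": "abcdefgh", "apiKeyId": "key-1", "remoteAddress": "203.0.113.9"},
]


def run_samples():
    """Return the titles of sample events that would alert."""
    return [title(e) for e in SAMPLE_EVENTS if rule(e)]


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

Because Panther's event object exposes `.get` like a dictionary, the same functions run unchanged inside the Console or in `panther_analysis_tool` unit tests, with `SAMPLE_EVENTS` serving as the rule's test cases.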
