# MongoDB Atlas Logs
## Overview
Panther has the ability to fetch MongoDB Atlas event logs by querying the [MongoDB Atlas Administration API](https://www.mongodb.com/docs/atlas/configure-api-access/). Panther is specifically monitoring the following MongoDB Atlas events:
* [Organization events](https://www.mongodb.com/docs/atlas/reference/api/events-orgs-get-all/) related to hosts, encryption, billing, user access, and much more.
* [Project events](https://www.mongodb.com/docs/atlas/reference/api/events-projects-get-all/) related to hosts, encryption, billing, user access, and much more.
In order to set up MongoDB Atlas as a log source in Panther, you'll need to generate an API key in your MongoDB account, then set up MongoDB Atlas as a log source in Panther.
## How to onboard MongoDB Atlas logs to Panther
### Step 1: Generate an API key in MongoDB Atlas
1. Navigate to the **Access Manager** page for your organization.
1. If it is not already displayed, select your desired organization from the **Organizations** menu in the navigation menu.
2. In the navigation menu, click **Access Manager**, then select your organization.
2. Click **Add new** > **API Key**.\
3. Under **Enter the API Key Information**, fill in the fields:
* **Description**: Enter a description for the API key, e.g., `Panther log puller`.
* **Organization Permissions**: Select one or more [roles](https://www.mongodb.com/docs/atlas/reference/user-roles/#std-label-organization-roles) for the API key, e.g., `Organization Read Only`.\
4. Click **Next**.
5. Copy the public key and store it in a secure location. The public key acts as the username when making API requests.
6. Copy the private key and store it in a secure location. The private key acts as the password when making API requests.
7. Click **Done**.
### Step 2: Create a new MongoDB Atlas log source in Panther
1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. In the upper right corner, click **Create New.**
3. Search for "MongoDB Atlas," then click its tile.
4. Click **Start Setup.**
5. On the next screen, enter a memorable name for the source, e.g. `My MongoDB Atlas logs`.
6. Click **Setup.**
7. On the **Set Credentials** page, fill in the form:
* Paste the **API key** from MongoDB Atlas into the API key field.
8. Click **Setup**. You will be directed to a success screen:\\
* You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
* The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.\\
## Panther-managed detections
See [Panther-managed](/detections/panther-managed.md) rules for MongoDB Atlas in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/mongodb_rules).
## Supported log types
### MongoDB.OrganizationEvent
```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: MongoDB.OrganizationEvent
parser:
native:
name: MongoDB.OrganizationEvent
description: All events for the organization.
referenceURL: https://www.mongodb.com/docs/atlas/reference/api/events-orgs-get-all
fields:
- name: alertId
description: Unique identifier for the alert associated to the event
type: string
- name: alertConfigId
description: Unique identifier for the alert configuration associated to the alertId
type: string
- name: apiKeyId
description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
type: string
indicators:
- username
- name: clusterName
description: The name associated with the cluster
type: string
- name: collection
description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: created
required: true
description: The date and time of the event in rfc3339 standard format
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: currentValue
description: Describes the value of the metricName at the time of the event
type: object
fields:
- name: number
description: The value of the metricName at the time of the event
type: float
- name: units
description: The unit of measurement of the currentValue.number
type: string
- name: database
description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: eventTypeName
required: true
description: Human-readable label that indicates the type of event
type: string
- name: groupId
description: The unique identifier for the project in which the event occurred
type: string
- name: hostname
description: The hostname of the Atlas host machine associated to the event
type: string
indicators:
- hostname
- name: id
required: true
description: The unique identifier for the event
type: string
- name: invoiceId
description: The unique identifier of the invoice associated to the event
type: string
- name: isGlobalAdmin
description: Indicates whether the user who triggered the event is a MongoDB employee
type: boolean
- name: links
description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
type: array
element:
type: object
fields:
- name: href
description: The link target, either a URL or a URL fragment
type: string
indicators:
- url
- name: rel
description: Relationship between current document and the linked document (e.g. self)
type: string
- name: metricName
description: The name of the metric associated to the alertId
type: string
- name: opType
description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: orgId
description: The unique identifier for the organization in which the event occurred
type: string
- name: paymentId
description: The unique identifier of the invoice payment associated to the event
type: string
- name: port
description: The port on which the mongod or mongos listens
type: bigint
- name: publicKey
description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
type: string
indicators:
- username
- name: raw
description: Additional meta information about the event
type: json
- name: remoteAddress
description: IP address of the userId Atlas user who triggered the event
type: string
indicators:
- ip
- name: replicaSetName
description: The name of the replica set associated to the event
type: string
- name: shardName
description: The name of the shard associated to the event
type: string
- name: targetPublicKey
description: The public key of the API Key targeted by the event
type: string
indicators:
- username
- name: targetUsername
description: The username for the Atlas user targeted by the event
type: string
indicators:
- username
- name: teamId
description: The unique identifier for the Atlas team associated to the event
type: string
- name: userAlias
description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
type: string
indicators:
- hostname
- name: userId
description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
type: string
indicators:
- username
- name: username
description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
type: string
indicators:
- username
- name: whitelistEntry
description: The white list entry of the API Key targeted by the event
type: string
```
### MongoDB.ProjectEvent
```yaml
# Code generated by Panther; DO NOT EDIT. (@generated)
schema: MongoDB.ProjectEvent
parser:
native:
name: MongoDB.ProjectEvent
description: All events associated with projects associated with the organization.
referenceURL: https://www.mongodb.com/docs/atlas/reference/api/events-projects-get-all
fields:
- name: alertId
description: Unique identifier for the alert associated to the event
type: string
- name: alertConfigId
description: Unique identifier for the alert configuration associated to the alertId
type: string
- name: apiKeyId
description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
type: string
indicators:
- username
- name: clusterName
description: The name associated with the cluster
type: string
- name: collection
description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: created
required: true
description: The date and time of the event in rfc3339 standard format
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: currentValue
description: Describes the value of the metricName at the time of the event
type: object
fields:
- name: number
description: The value of the metricName at the time of the event
type: float
- name: units
description: The unit of measurement of the currentValue.number
type: string
- name: database
description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: eventTypeName
required: true
description: Human-readable label that indicates the type of event
type: string
- name: groupId
description: The unique identifier for the project in which the event occurred
type: string
- name: hostname
description: The hostname of the Atlas host machine associated to the event
type: string
indicators:
- hostname
- name: id
required: true
description: The unique identifier for the event
type: string
- name: invoiceId
description: The unique identifier of the invoice associated to the event
type: string
- name: isGlobalAdmin
description: Indicates whether the user who triggered the event is a MongoDB employee
type: boolean
- name: links
description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
type: array
element:
type: object
fields:
- name: href
description: The link target, either a URL or a URL fragment
type: string
indicators:
- url
- name: rel
description: Relationship between current document and the linked document (e.g. self)
type: string
- name: metricName
description: The name of the metric associated to the alertId
type: string
- name: opType
description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
type: string
- name: orgId
description: The unique identifier for the organization in which the event occurred
type: string
- name: paymentId
description: The unique identifier of the invoice payment associated to the event
type: string
- name: port
description: The port on which the mongod or mongos listens
type: bigint
- name: publicKey
description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
type: string
indicators:
- username
- name: raw
description: Additional meta information about the event
type: json
- name: remoteAddress
description: IP address of the userId Atlas user who triggered the event
type: string
indicators:
- ip
- name: replicaSetName
description: The name of the replica set associated to the event
type: string
- name: shardName
description: The name of the shard associated to the event
type: string
- name: targetPublicKey
description: The public key of the API Key targeted by the event
type: string
indicators:
- username
- name: targetUsername
description: The username for the Atlas user targeted by the event
type: string
indicators:
- username
- name: teamId
description: The unique identifier for the Atlas team associated to the event
type: string
- name: userAlias
description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
type: string
indicators:
- hostname
- name: userId
description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
type: string
indicators:
- username
- name: username
description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
type: string
indicators:
- username
- name: whitelistEntry
description: The white list entry of the API Key targeted by the event
type: string
```
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.panther.com/data-onboarding/supported-logs/mongodb.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.