MongoDB Atlas Logs

Panther supports pulling logs directly from MongoDB Atlas

Overview

Panther has the ability to fetch MongoDB Atlas event logs by querying the MongoDB Atlas Administration API. Panther is specifically monitoring the following MongoDB Atlas events:

Organization events related to hosts, encryption, billing, user access, and much more.
Project events related to hosts, encryption, billing, user access, and much more.

In order to set up MongoDB Atlas as a log source in Panther, you'll need to generate an API key in your MongoDB account, then set up MongoDB Atlas as a log source in Panther.

How to onboard MongoDB Atlas logs to Panther

Step 1: Generate an API key in MongoDB Atlas

Navigate to the Access Manager page for your organization.
1. If it is not already displayed, select your desired organization from the Organizations menu in the navigation menu.
2. In the navigation menu, click Access Manager, then select your organization.
Click Add new > API Key.
Under Enter the API Key Information, fill in the fields:
- Description: Enter a description for the API key, e.g., Panther log puller.
- Organization Permissions: Select one or more roles for the API key, e.g., Organization Read Only.
Click Next.
Copy the public key and store it in a secure location. The public key acts as the username when making API requests.
Copy the private key and store it in a secure location. The private key acts as the password when making API requests.
Click Done.

Step 2: Create a new MongoDB Atlas log source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper right corner, click Create New.
Search for "MongoDB Atlas," then click its tile.
Click Start Setup.
On the next screen, enter a memorable name for the source, e.g. My MongoDB Atlas logs.
Click Setup.
On the Set Credentials page, fill in the form:
- Paste the API key from MongoDB Atlas into the API key field.
Click Setup. You will be directed to a success screen:\
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.\

Panther-managed detections

See Panther-managed rules for MongoDB Atlas in the panther-analysis GitHub repository.

Supported log types

MongoDB.OrganizationEvent

# Code generated by Panther; DO NOT EDIT. (@generated)
schema: MongoDB.OrganizationEvent
parser:
  native:
    name: MongoDB.OrganizationEvent
description: All events for the organization.
referenceURL: https://www.mongodb.com/docs/atlas/reference/api/events-orgs-get-all
fields:
  - name: alertId
    description: Unique identifier for the alert associated to the event
    type: string
  - name: alertConfigId
    description: Unique identifier for the alert configuration associated to the alertId
    type: string
  - name: apiKeyId
    description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
    type: string
    indicators:
      - username
  - name: clusterName
    description: The name associated with the cluster
    type: string
  - name: collection
    description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: currentValue
    description: Describes the value of the metricName at the time of the event
    type: object
    fields:
      - name: number
        description: The value of the metricName at the time of the event
        type: float
      - name: units
        description: The unit of measurement of the currentValue.number
        type: string
  - name: database
    description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: eventTypeName
    required: true
    description: Human-readable label that indicates the type of event
    type: string
  - name: groupId
    description: The unique identifier for the project in which the event occurred
    type: string
  - name: hostname
    description: The hostname of the Atlas host machine associated to the event
    type: string
    indicators:
      - hostname
  - name: id
    required: true
    description: The unique identifier for the event
    type: string
  - name: invoiceId
    description: The unique identifier of the invoice associated to the event
    type: string
  - name: isGlobalAdmin
    description: Indicates whether the user who triggered the event is a MongoDB employee
    type: boolean
  - name: links
    description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
    type: array
    element:
      type: object
      fields:
        - name: href
          description: The link target, either a URL or a URL fragment
          type: string
          indicators:
            - url
        - name: rel
          description: Relationship between current document and the linked document (e.g. self)
          type: string
  - name: metricName
    description: The name of the metric associated to the alertId
    type: string
  - name: opType
    description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: orgId
    description: The unique identifier for the organization in which the event occurred
    type: string
  - name: paymentId
    description: The unique identifier of the invoice payment associated to the event
    type: string
  - name: port
    description: The port on which the mongod or mongos listens
    type: bigint
  - name: publicKey
    description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
    type: string
    indicators:
      - username
  - name: raw
    description: Additional meta information about the event
    type: json
  - name: remoteAddress
    description: IP address of the userId Atlas user who triggered the event
    type: string
    indicators:
      - ip
  - name: replicaSetName
    description: The name of the replica set associated to the event
    type: string
  - name: shardName
    description: The name of the shard associated to the event
    type: string
  - name: targetPublicKey
    description: The public key of the API Key targeted by the event
    type: string
    indicators:
      - username
  - name: targetUsername
    description: The username for the Atlas user targeted by the event
    type: string
    indicators:
      - username
  - name: teamId
    description: The unique identifier for the Atlas team associated to the event
    type: string
  - name: userAlias
    description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
    type: string
    indicators:
      - hostname
  - name: userId
    description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
    type: string
    indicators:
      - username
  - name: username
    description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
    type: string
    indicators:
      - username
  - name: whitelistEntry
    description: The white list entry of the API Key targeted by the event
    type: string

MongoDB.ProjectEvent

# Code generated by Panther; DO NOT EDIT. (@generated)
schema: MongoDB.ProjectEvent
parser:
  native:
    name: MongoDB.ProjectEvent
description: All events associated with projects associated with the organization.
referenceURL: https://www.mongodb.com/docs/atlas/reference/api/events-projects-get-all
fields:
  - name: alertId
    description: Unique identifier for the alert associated to the event
    type: string
  - name: alertConfigId
    description: Unique identifier for the alert configuration associated to the alertId
    type: string
  - name: apiKeyId
    description: Unique identifier for the API Key that triggered the event. If this field is present in the response, Atlas does not return the userId field
    type: string
    indicators:
      - username
  - name: clusterName
    description: The name associated with the cluster
    type: string
  - name: collection
    description: Name of the collection on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: created
    required: true
    description: The date and time of the event in rfc3339 standard format
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: currentValue
    description: Describes the value of the metricName at the time of the event
    type: object
    fields:
      - name: number
        description: The value of the metricName at the time of the event
        type: float
      - name: units
        description: The unit of measurement of the currentValue.number
        type: string
  - name: database
    description: Name of the database on which the event occurred. This field can be present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: eventTypeName
    required: true
    description: Human-readable label that indicates the type of event
    type: string
  - name: groupId
    description: The unique identifier for the project in which the event occurred
    type: string
  - name: hostname
    description: The hostname of the Atlas host machine associated to the event
    type: string
    indicators:
      - hostname
  - name: id
    required: true
    description: The unique identifier for the event
    type: string
  - name: invoiceId
    description: The unique identifier of the invoice associated to the event
    type: string
  - name: isGlobalAdmin
    description: Indicates whether the user who triggered the event is a MongoDB employee
    type: boolean
  - name: links
    description: One or more uniform resource locators that link to sub-resources and/or related resources. The Web Linking Specification (https://tools.ietf.org/html/5988) explains the relation-types between URLs
    type: array
    element:
      type: object
      fields:
        - name: href
          description: The link target, either a URL or a URL fragment
          type: string
          indicators:
            - url
        - name: rel
          description: Relationship between current document and the linked document (e.g. self)
          type: string
  - name: metricName
    description: The name of the metric associated to the alertId
    type: string
  - name: opType
    description: Type of operation that occurred. This field is present when the eventTypeName is either DATA_EXPLORER or DATA_EXPLORER_CRUD
    type: string
  - name: orgId
    description: The unique identifier for the organization in which the event occurred
    type: string
  - name: paymentId
    description: The unique identifier of the invoice payment associated to the event
    type: string
  - name: port
    description: The port on which the mongod or mongos listens
    type: bigint
  - name: publicKey
    description: Public key associated with the API Key that triggered the event. If this field is present in the response, Atlas does not return the username field
    type: string
    indicators:
      - username
  - name: raw
    description: Additional meta information about the event
    type: json
  - name: remoteAddress
    description: IP address of the userId Atlas user who triggered the event
    type: string
    indicators:
      - ip
  - name: replicaSetName
    description: The name of the replica set associated to the event
    type: string
  - name: shardName
    description: The name of the shard associated to the event
    type: string
  - name: targetPublicKey
    description: The public key of the API Key targeted by the event
    type: string
    indicators:
      - username
  - name: targetUsername
    description: The username for the Atlas user targeted by the event
    type: string
    indicators:
      - username
  - name: teamId
    description: The unique identifier for the Atlas team associated to the event
    type: string
  - name: userAlias
    description: User-friendly hostname of the cluster node. The user-friendly hostname is typically the standard hostname for a cluster node and it appears in the connection string for a cluster instead of the value of the hostname field
    type: string
    indicators:
      - hostname
  - name: userId
    description: The unique identifier for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the apiKeyId field
    type: string
    indicators:
      - username
  - name: username
    description: The username for the Atlas user who triggered the event. If this field is present in the response, Atlas does not return the publicKey field
    type: string
    indicators:
      - username
  - name: whitelistEntry
    description: The white list entry of the API Key targeted by the event
    type: string

PreviousMicrosoft Intune Logs (Beta)NextNetskope Logs

Last updated 5 months ago

Was this helpful?