Sysdig Logs
Panther supports pulling logs directly from Sysdig
Panther can fetch Sysdig Audit logs by querying the Sysdig Audit REST API.
Panther specifically monitors Sysdig Platform Audit events, which record use of the Sysdig platform itself, for auditing and reporting purposes.
To set up Sysdig as a log source in Panther, you need to obtain a Sysdig API key and pass it to Panther to give access to the API.
Log in to your organization's Sysdig account and navigate to the Settings page.
In the left sidebar, click User Profile.
Scroll down to "Sysdig Secure API." Copy the token value and store it in a secure location, as you will need it in the next steps.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Sysdig,” then click its tile.
On the slide-out panel, click Start Setup.
On the next screen, enter a descriptive name for the source, e.g., My Sysdig logs.
Click Setup.
On the Credentials page, fill in the form:
Host: Select the hosting region for your Sysdig account.
API Key: Paste the API Key that you copied earlier from your Sysdig account.
Click Setup. You will be directed to a success screen:
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
schema: Sysdig.Audit
parser:
  native:
    name: Sysdig.Audit
description: Logs that track endpoint access
referenceURL: https://docs.sysdig.com/en/docs/administration/sysdig-platform-audit
version: 0
fields:
  - name: id
    required: true
    description: Unique identifier of the log
    type: string
  - name: cursor
    description: Cursor that points to this event
    type: string
  - name: timestamp
    required: true
    description: Timestamp for the log
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: originator
    description: Where this log was originated
    type: string
  - name: customerId
    required: true
    description: Customer who did the action
    type: bigint
  - name: category
    description: Category of the log
    type: string
  - name: source
    description: Always auditTrail
    type: string
  - name: name
    description: Name of the log
    type: string
  - name: description
    description: Description of the log
    type: string
  - name: severity
    description: Severity as classified by Sysdig
    type: bigint
  - name: content
    required: true
    description: The action itself
    type: object
    fields:
      - name: customerId
        required: true
        description: Customer who did the action
        type: bigint
      - name: entityId
        description: ID of the entity where the action occurred
        type: string
      - name: entityPayload
        description: Payload of the action
        type: string
      - name: entityType
        description: Type of the entity where the action occurred
        type: string
      - name: queryString
        description: Query sent in the request
        type: string
      - name: requestMethod
        required: true
        description: HTTP Method
        type: string
      - name: requestUri
        required: true
        description: Endpoint accessed
        type: string
      - name: responseStatusCode
        required: true
        description: HTTP status code
        type: bigint
      - name: teamId
        description: ID of user's Team
        type: bigint
      - name: timestampNs
        description: Timestamp of log in nanoseconds
        type: timestamp
        timeFormat: unix_ns
      - name: userId
        description: User's ID
        type: bigint
      - name: userOriginIP
        description: User's IP
        type: string
        indicators:
          - ip
  - name: labels
    required: true
    description: Labels that apply to the log
    type: object
    fields:
      - name: entityType
        required: true
        description: Type of the entity
        type: string
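The following is an added example, not code from Panther or Sysdig, showing how a Panther-style Python detection can consume an event shaped like the Sysdig.Audit schema above. It checks that the schema's required fields are present, parses the two timestamp fields using the formats the schema declares (rfc3339 for timestamp, unix_ns for content.timestampNs), and fires when the Sysdig platform rejected a state-changing API call with HTTP 401 or 403. It assumes Panther hands rule() and title() a dict-like event supporting .get(), so a plain dict stands in for it here; the sample event and all its values are constructed.

```python
# Added example (not Panther's or Sysdig's own code): a Panther-style
# detection over a Sysdig.Audit event shaped like the schema above.
# Assumption: the parsed event reaches rule()/title() as a dict-like
# object with .get(); a plain dict is used so this runs offline.
from datetime import datetime, timezone

# Required fields per the Sysdig.Audit schema (top level and nested objects).
REQUIRED_TOP = ("id", "timestamp", "customerId", "content", "labels")
REQUIRED_CONTENT = ("customerId", "requestMethod", "requestUri", "responseStatusCode")
REQUIRED_LABELS = ("entityType",)

# HTTP statuses meaning the platform rejected the request.
DENIED_STATUS = {401, 403}
# State-changing methods; a denied mutating call is the interesting case.
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Constructed sample event using the schema's field names (not real data).
SAMPLE_EVENT = {
    "id": "evt-0001",
    "cursor": "c-0001",
    "timestamp": "2024-05-01T12:34:56Z",  # rfc3339, the schema's event time
    "originator": "api",
    "customerId": 12345,
    "category": "auditTrail",
    "source": "auditTrail",
    "name": "policy.delete",
    "description": "Delete policy",
    "severity": 5,
    "content": {
        "customerId": 12345,
        "entityId": "policy-42",
        "entityType": "policy",
        "queryString": "",
        "requestMethod": "DELETE",
        "requestUri": "/api/secure/policies/42",  # constructed path
        "responseStatusCode": 403,
        "teamId": 7,
        "timestampNs": 1714566896000000000,  # unix_ns, same instant as timestamp
        "userId": 99,
        "userOriginIP": "203.0.113.10",  # TEST-NET-3 documentation address
    },
    "labels": {"entityType": "policy"},
}


def missing_required(event):
    """Return schema-required fields absent from the event, as dotted paths."""
    missing = [f for f in REQUIRED_TOP if f not in event]
    content = event.get("content") or {}
    missing += [f"content.{f}" for f in REQUIRED_CONTENT if f not in content]
    labels = event.get("labels") or {}
    missing += [f"labels.{f}" for f in REQUIRED_LABELS if f not in labels]
    return missing


def event_time(event):
    """Parse the rfc3339 'timestamp' field into a timezone-aware datetime."""
    return datetime.fromisoformat(event["timestamp"].replace("Z", "+00:00"))


def content_time(event):
    """Parse content.timestampNs (unix_ns) into a timezone-aware datetime."""
    ns = event["content"]["timestampNs"]
    return datetime.fromtimestamp(ns / 1_000_000_000, tz=timezone.utc)


def rule(event):
    """Fire when Sysdig rejected a state-changing API call (401/403)."""
    content = event.get("content") or {}
    status = content.get("responseStatusCode")
    method = (content.get("requestMethod") or "").upper()
    return status in DENIED_STATUS and method in MUTATING_METHODS


def title(event):
    """Alert title built from the content fields of the event."""
    content = event.get("content") or {}
    return (
        f"Sysdig API denied {content.get('requestMethod')} {content.get('requestUri')} "
        f"(HTTP {content.get('responseStatusCode')}) for user {content.get('userId')} "
        f"from {content.get('userOriginIP')}"
    )


if __name__ == "__main__":
    assert not missing_required(SAMPLE_EVENT)
    print(event_time(SAMPLE_EVENT).isoformat(), content_time(SAMPLE_EVENT).isoformat())
    if rule(SAMPLE_EVENT):
        print(title(SAMPLE_EVENT))
```

The rule keys on content.responseStatusCode and content.requestMethod rather than on the top-level severity, because the status code and method are the fields the schema marks as required and so are always present; userOriginIP is carried into the title since the schema flags it as an ip indicator, which makes it the natural pivot when triaging the alert.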