Sysdig Logs

Overview

Panther has the ability to fetch Sysdig Audit logs by querying Sysdig Audit REST API.

Panther is specifically monitoring Sysdig Platform Audit events for auditing and reporting on the use of the Sysdig platform itself.

To set up Sysdig as a log source in Panther, you need to obtain a Sysdig API key and pass it to Panther to give access to the API.

How to onboard Sysdig Logs to Panther

Step 1: Get a Sysdig Secure API Key

1. Log in to your organization's Sysdig account and navigate to the Settings page.

2. In the left sidebar, click User Profile.

3. Scroll down to "Sysdig Secure API." Copy the token value and store it in a secure location, as you will need it in the next steps.

Step 2: Create a new Sysdig log source in Panther

1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

2. Click Create New.

3. Search for “Sysdig,” then click its tile.

4. On the slide-out panel, click Start Setup.

5. On the next screen, enter a descriptive name for the source, e.g., My Sysdig logs.

6. Click Setup.

7. On the Credentials page, fill in the form:

   • Host: Select the hosting region for your Sysdig account.

   • API Key: Paste the API Key that you copied earlier from your Sysdig account.

   
8. Click Setup. You will be directed to a success screen:\

   

   • You can optionally enable one or more Detection Packs.

   • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.\

     

Supported log types

Sysdig.Audit