The Tracebit logs integration is in open beta starting with Panther version 1.111, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther ingests Tracebit alert logs by configuring Tracebit to send alerts to an HTTP endpoint in Panther.
Tracebit maintains canary resources across your organization's cloud infrastructure to detect potential intrusions. Alert logs from Tracebit contain information about activity on canary resources, as well as use of canary credentials.
How to onboard Tracebit logs to Panther
Step 1: Create a new Tracebit source in Panther
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
During setup, on the Configure page, you will be required to use HMAC authentication; this is the only method of authentication Tracebit supports.
The Header Name associated with your Secret Key Value will be locked with a value of X-Tracebit-Signature-256, and the Hashing Algorithm will be locked with a value of SHA 256.
Generate a Secret Key Value and store it in a secure location, as you will need it in the next step.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Step 2: Create a Panther integration in Tracebit
In the Tracebit console, navigate to the Integrations page.
Click Panther.
In the HTTP Log Source URL field, paste the HTTP Source URL you generated in Panther in the previous step.
In the HMAC SHA256 Shared Secret field, paste the Secret Key Value you generated in Panther in the previous step.
Click Save.
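How the HMAC authentication configured in Steps 1 and 2 protects the endpoint, as an added example that is not Panther's or Tracebit's own code: the receiver recomputes HMAC-SHA256 over the raw request body with the shared Secret Key Value and compares the result in constant time with the X-Tracebit-Signature-256 header. The hex encoding of the signature, the sample secret and the sample payload are assumptions of this example.

```python
import hashlib
import hmac
import json

# Constructed values: the real Secret Key Value comes from the Panther HTTP
# source, and the real body is the alert Tracebit posts to the endpoint.
SHARED_SECRET = b"example-secret-key-value"
SIGNATURE_HEADER = "X-Tracebit-Signature-256"

SAMPLE_BODY = json.dumps({
    "discriminator": {"type": "tracebit_alert_log", "subtype": "canary_credential_used"},
    "id": "log-0001",
    "alert_id": "alert-0001",
    "timestamp": "2024-05-01T12:00:00Z",
    "severity": "high",
}).encode()


def sign_body(secret: bytes, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the raw request body.

    Hex encoding of the tag is an assumption of this example; the page only
    fixes the header name and the SHA 256 hashing algorithm.
    """
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, headers: dict, body: bytes) -> bool:
    """Receiver side: recompute the tag over the exact bytes received and
    compare in constant time, so a tampered body, a wrong secret or a
    missing header all fail without leaking how far the comparison got."""
    # HTTP header names are case-insensitive, so match the name that way.
    presented = next((v for k, v in headers.items()
                      if k.lower() == SIGNATURE_HEADER.lower()), None)
    if not presented:
        return False
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected.encode(), presented.encode())
```

Verify against the body bytes exactly as received, before any JSON parsing or re-serialisation, or the recomputed tag will not match.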
Supported log types
Tracebit.Alert
schema: Tracebit.Alert
description: Alerts logs from Tracebit
referenceURL: https://tracebit.com
fields:
  - name: discriminator
    required: true
    description: The type of log.
    type: object
    fields:
      - name: type
        required: true
        description: The type of log.
        type: string
        validate:
          allow:
            - tracebit_alert_log
      - name: subtype
        description: The subtype of the log. E.g. canary_resource_accessed, canary_credential_used
        type: string
  - name: id
    required: true
    description: The unique identifier for the alert log.
    type: string
  - name: alert_id
    required: true
    description: The unique identifier for the alert. There can be multiple alert logs for a single alert.
    type: string
  - name: tracebit_portal_url
    description: The URL to the alert in the Tracebit portal.
    type: string
    indicators:
      - url
  - name: timestamp
    required: true
    description: The time at which the alert log occurred.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: provider
    description: The provider of the canary or canary credential.
    type: string
  - name: message
    description: A description of the alert log.
    type: string
  - name: severity
    description: The severity of the alert log.
    type: string
  - name: canary_credential
    description: The canary credential that was used which triggered the alert. This will only be present for canary credential alerts.
    type: object
    fields:
      - name: name
        description: The name of the canary credential.
        type: string
      - name: type
        description: The type of the canary credential.
        type: string
      - name: issued_at
        description: The time at which the canary credential was issued.
        type: timestamp
        timeFormats:
          - rfc3339
      - name: expires_at
        description: The time at which the canary credential expires.
        type: timestamp
        timeFormats:
          - rfc3339
      - name: labels
        description: The labels associated with the canary credential.
        type: array
        element:
          type: object
          fields:
            - name: name
              description: The name of the label.
              type: string
            - name: value
              description: The value of the label.
              type: string
      - name: aws
        description: The AWS-specific details of the canary credential.
        type: object
        fields:
          - name: access_key_id
            description: The AWS access key ID.
            type: string
  - name: canary
    description: The resource that was used which triggered the alert. This will only be present for canary resource alerts.
    type: object
    fields:
      - name: tracebit_id
        description: The unique identifier for the canary in Tracebit.
        type: string
      - name: provider_id
        description: The unique identifier for the canary resource in its provider.
        type: string
      - name: provider_account_id
        description: The unique identifier for the canary's account in the provider.
        type: string
      - name: name
        description: The name of the canary resource.
        type: string
      - name: type
        description: The type of the canary resource.
        type: string
      - name: aws
        description: The AWS-specific details of the canary resource.
        type: object
        fields:
          - name: account_id
            description: The AWS account ID.
            type: string
            indicators:
              - aws_account_id
          - name: account_name
            description: The AWS account name.
            type: string
          - name: arn
            description: The ARN of the resource.
            type: string
            indicators:
              - aws_arn
      - name: okta
        description: The Okta-specific details of the canary resource.
        type: object
        fields:
          - name: domain
            description: The Okta domain.
            type: string
            indicators:
              - domain
          - name: organization_id
            description: The Okta organization ID.
            type: string
      - name: azure
        description: The Azure-specific details of the canary resource.
        type: object
        fields:
          - name: subscription_id
            description: The Azure subscription ID.
            type: string
          - name: subscription_name
            description: The Azure subscription name.
            type: string
          - name: resource_id
            description: The Azure resource ID.
            type: string
  - name: principal
    description: The principal that triggered the alert.
    type: object
    fields:
      - name: id
        description: The unique identifier for the principal.
        type: string
        indicators:
          - actor_id
      - name: aws
        description: The AWS-specific details of the principal.
        type: object
        fields:
          - name: arn
            description: The ARN of the principal.
            type: string
            indicators:
              - aws_arn
          - name: type
            description: The type of the principal.
            type: string
          - name: account_id
            description: The AWS account ID of the principal.
            type: string
            indicators:
              - aws_account_id
          - name: username
            description: The username of the principal.
            type: string
      - name: okta
        description: The Okta-specific details of the principal (actor).
        type: object
        fields:
          - name: id
            description: The ID of the actor.
            type: string
          - name: type
            description: The type of the actor. E.g. User.
            type: string
          - name: alternate_id
            description: The alternate ID of the actor.
            type: string
      - name: azure
        description: The Azure-specific details of the principal.
        type: object
        fields:
          - name: app_id
            description: The Azure application ID.
            type: string
          - name: tenant_id
            description: The Azure tenant ID.
            type: string
  - name: event
    description: The event that triggered the alert log.
    type: object
    fields:
      - name: id
        description: The unique identifier for the event.
        type: string
      - name: operation
        description: The operation performed in the event.
        type: string
      - name: request
        description: The request that triggered the event.
        type: object
        fields:
          - name: user_agent
            description: The agent through which the request was made that triggered the event.
            type: object
            fields:
              - name: raw
                description: The raw user agent string.
                type: string
              - name: label
                description: The label for the user agent.
                type: string
          - name: ip
            description: The IP address from which the request was made.
            type: string
            indicators:
              - ip
      - name: resources
        description: The resources that were involved in the event.
        type: array
        element:
          type: object
          fields:
            - name: id
              description: The unique identifier for the resource.
              type: string
            - name: type
              description: The type of the resource.
              type: string
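An added example, not from the Panther or Tracebit documentation, of a Panther-style Python rule written against the Tracebit.Alert fields above: it fires on canary credential use and canary resource access, names the principal and source IP in the title, and dedups on alert_id because one alert can produce several alert logs. The event is a plain dict here with a small helper for nested lookups (in Panther you would use the event object's own accessors), and the sample event is constructed.

```python
HIGH_RISK_SUBTYPES = {"canary_credential_used", "canary_resource_accessed"}

# Constructed sample shaped like a Tracebit.Alert record (not real data).
SAMPLE_EVENT = {
    "discriminator": {"type": "tracebit_alert_log", "subtype": "canary_credential_used"},
    "id": "log-0002", "alert_id": "alert-0001", "severity": "high",
    "timestamp": "2024-05-01T12:00:00Z", "provider": "aws",
    "canary_credential": {"name": "backup-exporter", "type": "aws_access_key",
                          "aws": {"access_key_id": "AKIAEXAMPLECONSTRUCTED"}},
    "principal": {"id": "arn:aws:iam::111111111111:user/ci-bot",
                  "aws": {"arn": "arn:aws:iam::111111111111:user/ci-bot",
                          "account_id": "111111111111"}},
    "event": {"operation": "GetCallerIdentity", "request": {"ip": "203.0.113.7"}},
}

def _get(event, *path, default=None):
    """Nested lookup that tolerates missing objects (e.g. no 'okta' block)."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def rule(event) -> bool:
    # The discriminator separates alert logs from Tracebit health checks.
    if _get(event, "discriminator", "type") != "tracebit_alert_log":
        return False
    # A canary has no legitimate consumer, so either subtype is actionable.
    return _get(event, "discriminator", "subtype") in HIGH_RISK_SUBTYPES

def title(event) -> str:
    subtype = _get(event, "discriminator", "subtype", default="unknown")
    actor = (_get(event, "principal", "aws", "arn")
             or _get(event, "principal", "okta", "alternate_id")
             or _get(event, "principal", "azure", "app_id")
             or _get(event, "principal", "id", default="unknown principal"))
    target = (_get(event, "canary_credential", "name")
              or _get(event, "canary", "name") or "unknown canary")
    ip = _get(event, "event", "request", "ip", default="unknown IP")
    return f"Tracebit {subtype}: {actor} touched {target} from {ip}"

def dedup(event) -> str:
    # One alert can produce several alert logs; group them into a single Panther alert.
    return _get(event, "alert_id") or _get(event, "id") or "tracebit"

def severity(event) -> str:
    # Map Tracebit's severity onto Panther's levels; unknown values default to HIGH.
    levels = {"critical": "CRITICAL", "high": "HIGH", "medium": "MEDIUM", "low": "LOW"}
    return levels.get(str(_get(event, "severity", default="")).lower(), "HIGH")
```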
Tracebit.HealthCheck
schema: Tracebit.HealthCheck
description: Health checks from Tracebit
referenceURL: https://tracebit.com
fields:
  - name: discriminator
    required: true
    description: Information to identify the class of log.
    type: object
    fields:
      - name: type
        required: true
        description: The type of log.
        type: string
        validate:
          allow:
            - health_check
      - name: subtype
        required: true
        description: The subtype of the log.
        type: string
  - name: timestamp
    required: true
    description: The time at which the event occurred.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: is_healthy
    required: true
    description: Whether the integration is healthy.
    type: boolean