
# Tracebit Logs

## Overview

Panther ingests [Tracebit](https://tracebit.com/) alert logs by configuring Tracebit to send alerts to an HTTP endpoint in Panther.

Tracebit maintains canary resources across your organization's cloud infrastructure to detect potential intrusions. Alert logs from Tracebit contain information about activity on canary resources, as well as use of canary credentials.

## How to onboard Tracebit logs to Panther

### Step 1: Create a new Tracebit source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "Tracebit," then click its tile.
4. In the slide-out panel, click **Start Setup**.

   ![An arrow is drawn from the "Tracebit" tile to the "Start Setup" button.](/files/f3tBQhZGB23syNChZ1XH)
5. Follow [Panther's instructions for configuring an HTTP Source](/data-onboarding/data-transports/http.md#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * During setup, on the **Configure** page, you will be required to use [HMAC authentication](/data-onboarding/data-transports/http.md#hmac); this is the only method of authentication Tracebit supports.
     * The **Header Name** associated with your **Secret Key Value** will be locked with a value of `X-Tracebit-Signature-256`, and the **Hashing Algorithm** will be locked with a value of `SHA 256`.
     * Generate a **Secret Key Value** and store it in a secure location, as you will need it in the next step.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](/data-onboarding/data-transports/http.md#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Create a Panther integration in Tracebit

1. In the Tracebit console, navigate to the **Integrations** page.
2. Click **Panther**.
3. In the **HTTP Log Source URL** field, paste the **HTTP Source URL** you generated in Panther in the previous step.
4. In the **HMAC SHA256 Shared Secret** field, paste the **Secret Key Value** you generated in Panther in the previous step.
5. Click **Save**.
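As an added illustration (not Panther's or Tracebit's own code) of the check that the HMAC setting in Step 1 enables: the receiver recomputes the HMAC-SHA256 of the raw request body with the shared secret and compares it, in constant time, with the `X-Tracebit-Signature-256` header before trusting the payload, then selects the Panther schema from `discriminator.type` using the allowed values listed under Supported log types. It assumes the header carries the hex-encoded digest of the raw body, which this page does not state, and uses a constructed sample event and a placeholder secret.

```python
import hashlib
import hmac
import json
from typing import Optional

# Header name and hashing algorithm are fixed by the Tracebit integration (see Step 1).
SIGNATURE_HEADER = "X-Tracebit-Signature-256"

# Panther schema selected by discriminator.type; values come from the schemas on this page.
SCHEMA_BY_TYPE = {
    "tracebit_alert_log": "Tracebit.Alert",
    "tracebit_alert_summary": "Tracebit.AlertSummary",
    "health_check": "Tracebit.HealthCheck",
}


def compute_signature(secret: str, body: bytes) -> str:
    """HMAC-SHA256 over the raw request body, hex encoded.
    ASSUMPTION: the exact digest encoding Tracebit sends is not stated on this page."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def verify_signature(secret: str, body: bytes, headers: dict) -> bool:
    """True only if the header carries a valid HMAC for exactly these body bytes.
    Verify before parsing JSON, and compare in constant time so that timing
    differences do not reveal how much of the expected digest matched."""
    presented = headers.get(SIGNATURE_HEADER)
    if not presented:
        return False
    expected = compute_signature(secret, body)
    return hmac.compare_digest(expected, presented.strip().lower())


def route_log(secret: str, body: bytes, headers: dict) -> Optional[str]:
    """Verify the signature, then map discriminator.type to a Panther schema.
    Returns None when the signature fails or the type is not one the schemas allow."""
    if not verify_signature(secret, body, headers):
        return None
    event = json.loads(body)
    log_type = event.get("discriminator", {}).get("type")
    return SCHEMA_BY_TYPE.get(log_type)


# Constructed sample: a canary-credential alert shaped like a Tracebit.Alert event.
SAMPLE_SECRET = "example-shared-secret"  # placeholder, not a real Secret Key Value
SAMPLE_BODY = json.dumps({
    "discriminator": {"type": "tracebit_alert_log", "subtype": "canary_credential_used"},
    "id": "log-0001", "alert_id": "alert-0001",
    "timestamp": "2024-01-01T12:00:00Z",
    "provider": "aws", "severity": "high",
    "canary_credential": {"name": "backup-reader", "type": "aws_access_key",
                          "aws": {"access_key_id": "AKIA-PLACEHOLDER"}},
    "event": {"operation": "GetCallerIdentity", "request": {"ip": "198.51.100.7"}},
}, separators=(",", ":")).encode("utf-8")

if __name__ == "__main__":
    good = {SIGNATURE_HEADER: compute_signature(SAMPLE_SECRET, SAMPLE_BODY)}
    print(route_log(SAMPLE_SECRET, SAMPLE_BODY, good))  # Tracebit.Alert
    # Same header, body altered in transit: the digest no longer matches.
    tampered = SAMPLE_BODY.replace(b'"high"', b'"low"')
    print(route_log(SAMPLE_SECRET, tampered, good))  # None
```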

## Supported log types

### Tracebit.Alert

```yaml
schema: Tracebit.Alert
description: Alert logs from Tracebit
referenceURL: https://tracebit.com
fields:
    - name: discriminator
      required: true
      description: The type of log.
      type: object
      fields:
        - name: type
          required: true
          description: The type of log.
          type: string
          validate:
            allow:
                - tracebit_alert_log
        - name: subtype
          description: The subtype of the log. E.g. canary_resource_accessed, canary_credential_used
          type: string
    - name: id
      required: true
      description: The unique identifier for the alert log.
      type: string
    - name: alert_id
      required: true
      description: The unique identifier for the alert. There can be multiple alert logs for a single alert.
      type: string
    - name: tracebit_portal_url
      description: The URL to the alert in the Tracebit portal.
      type: string
    - name: timestamp
      required: true
      description: The time at which the alert log occurred.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: provider
      description: The provider of the canary or canary credential.
      type: string
    - name: message
      description: A description of the alert log.
      type: string
    - name: severity
      description: The severity of the alert log.
      type: string
    - name: canary_credential
      description: The canary credential whose use triggered the alert. This will only be present for canary credential alerts.
      type: object
      fields:
        - name: name
          description: The name of the canary credential.
          type: string
        - name: type
          description: The type of the canary credential.
          type: string
        - name: issued_at
          description: The time at which the canary credential was issued.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: expires_at
          description: The time at which the canary credential expires.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: labels
          description: The labels associated with the canary credential.
          type: array
          element:
            type: object
            fields:
                - name: name
                  description: The name of the label.
                  type: string
                - name: value
                  description: The value of the label.
                  type: string
        - name: aws
          description: The AWS-specific details of the canary credential.
          type: object
          fields:
            - name: access_key_id
              description: The AWS access key ID.
              type: string
    - name: canary
      description: The canary resource whose use triggered the alert. This will only be present for canary resource alerts.
      type: object
      fields:
        - name: tracebit_id
          description: The unique identifier for the canary in Tracebit.
          type: string
        - name: provider_id
          description: The unique identifier for the canary resource in its provider.
          type: string
        - name: provider_account_id
          description: The unique identifier for the canary's account in the provider.
          type: string
        - name: name
          description: The name of the canary resource.
          type: string
        - name: type
          description: The type of the canary resource.
          type: string
        - name: aws
          description: The AWS-specific details of the canary resource.
          type: object
          fields:
            - name: account_id
              description: The AWS account ID.
              type: string
              indicators:
                - aws_account_id
            - name: account_name
              description: The AWS account name.
              type: string
            - name: arn
              description: The ARN of the resource.
              type: string
              indicators:
                - aws_arn
        - name: okta
          description: The Okta-specific details of the canary resource.
          type: object
          fields:
            - name: domain
              description: The Okta domain.
              type: string
              indicators:
                - domain
            - name: organization_id
              description: The Okta organization ID.
              type: string
        - name: azure
          description: The Azure-specific details of the canary resource.
          type: object
          fields:
            - name: subscription_id
              description: The Azure subscription ID.
              type: string
            - name: subscription_name
              description: The Azure subscription name.
              type: string
            - name: resource_id
              description: The Azure resource ID.
              type: string
    - name: principal
      description: The principal that triggered the alert.
      type: object
      fields:
        - name: id
          description: The unique identifier for the principal.
          type: string
          indicators:
            - actor_id
            - email
        - name: aws
          description: The AWS-specific details of the principal.
          type: object
          fields:
            - name: arn
              description: The ARN of the principal.
              type: string
              indicators:
                - aws_arn
            - name: type
              description: The type of the principal.
              type: string
            - name: account_id
              description: The AWS account ID of the principal.
              type: string
              indicators:
                - aws_account_id
            - name: username
              description: The username of the principal.
              type: string
              indicators:
                - username
        - name: okta
          description: The Okta-specific details of the principal (actor).
          type: object
          fields:
            - name: id
              description: The ID of the actor.
              type: string
            - name: type
              description: The type of the actor. E.g. User.
              type: string
            - name: alternate_id
              description: The alternate ID of the actor.
              type: string
              indicators:
                - email
                - actor_id
        - name: azure
          description: The Azure-specific details of the principal.
          type: object
          fields:
            - name: app_id
              description: The Azure application ID.
              type: string
            - name: tenant_id
              description: The Azure tenant ID.
              type: string
        - name: google_cloud
          description: The Google Cloud-specific details of the principal.
          type: object
          fields:
            - name: federated_identity_type
              description: The type of the federated identity.
              type: string
            - name: federated_identity_pool
              description: The pool of the federated identity.
              type: string
            - name: federated_identity_subject
              description: The subject of the federated identity.
              type: string
    - name: event
      description: The event that triggered the alert log.
      type: object
      fields:
        - name: id
          description: The unique identifier for the event.
          type: string
        - name: operation
          description: The operation performed in the event.
          type: string
        - name: request
          description: The request that triggered the event.
          type: object
          fields:
            - name: user_agent
              description: The agent through which the request was made that triggered the event.
              type: object
              fields:
                - name: raw
                  description: The raw user agent string.
                  type: string
                - name: label
                  description: The label for the user agent.
                  type: string
            - name: ip
              description: The IP address from which the request was made.
              type: string
              indicators:
                - ip
        - name: resources
          description: The resources that were involved in the event.
          type: array
          element:
            type: object
            fields:
                - name: id
                  description: The unique identifier for the resource.
                  type: string
                - name: type
                  description: The type of the resource.
                  type: string
```

### Tracebit.AlertSummary

```yaml
schema: Tracebit.AlertSummary
description: Alert summary logs from Tracebit. A summary aggregates the activity of a single alert, including the canaries accessed and the indicators that were raised.
referenceURL: https://tracebit.com
fields:
    - name: discriminator
      required: true
      description: The type of log.
      type: object
      fields:
        - name: type
          required: true
          description: The type of log.
          type: string
          validate:
            allow:
                - tracebit_alert_summary
        - name: subtype
          description: The subtype of the log. E.g. canary_resource_accessed, canary_credential_used
          type: string
    - name: alert_id
      required: true
      description: The unique identifier for the alert that this summary describes.
      type: string
    - name: tracebit_portal_url
      required: true
      description: The URL to the alert in the Tracebit portal.
      type: string
    - name: timestamp
      required: true
      description: The time at which the alert summary was generated.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: start_time
      required: true
      description: The time of the earliest activity included in the alert summary.
      type: timestamp
      timeFormats:
        - rfc3339
    - name: end_time
      description: The time of the latest activity included in the alert summary.
      type: timestamp
      timeFormats:
        - rfc3339
    - name: provider
      required: true
      description: The provider of the canary or canary credential.
      type: string
    - name: severity
      required: true
      description: The severity of the alert.
      type: string
    - name: classification
      required: true
      description: The classification of the alert. E.g. Unclassified, TruePositive, BenignPositive.
      type: string
    - name: classification_reason
      description: The reason for the alert's classification.
      type: string
    - name: ip_addresses
      required: true
      description: The IP addresses involved in the alert.
      type: array
      element:
        type: string
        indicators:
            - ip
    - name: canaries_accessed
      description: The canary resources that were accessed during the alert.
      type: array
      element:
        type: object
        fields:
            - name: tracebit_id
              description: The unique identifier for the canary in Tracebit.
              type: string
            - name: provider_id
              description: The unique identifier for the canary resource in its provider.
              type: string
            - name: provider_account_id
              description: The unique identifier for the canary's account in the provider.
              type: string
            - name: name
              description: The name of the canary resource.
              type: string
            - name: type
              description: The type of the canary resource.
              type: string
            - name: deployed_at
              description: The time at which the canary resource was deployed.
              type: timestamp
              timeFormats:
                - rfc3339
            - name: aws
              description: The AWS-specific details of the canary resource.
              type: object
              fields:
                - name: account_id
                  description: The AWS account ID.
                  type: string
                  indicators:
                    - aws_account_id
                - name: account_name
                  description: The AWS account name.
                  type: string
                - name: arn
                  description: The ARN of the resource.
                  type: string
                  indicators:
                    - aws_arn
                - name: region
                  description: The AWS region of the resource.
                  type: string
            - name: azure
              description: The Azure-specific details of the canary resource.
              type: object
              fields:
                - name: subscription_id
                  description: The Azure subscription ID.
                  type: string
                - name: subscription_name
                  description: The Azure subscription name.
                  type: string
                - name: resource_id
                  description: The Azure resource ID.
                  type: string
            - name: okta
              description: The Okta-specific details of the canary resource.
              type: object
              fields:
                - name: domain
                  description: The Okta domain.
                  type: string
                  indicators:
                    - domain
                - name: organization_id
                  description: The Okta organization ID.
                  type: string
    - name: principal
      description: The principal that triggered the alert.
      type: object
      fields:
        - name: id
          description: The unique identifier for the principal.
          type: string
          indicators:
            - actor_id
            - email
        - name: aws
          description: The AWS-specific details of the principal.
          type: object
          fields:
            - name: arn
              description: The ARN of the principal.
              type: string
              indicators:
                - aws_arn
            - name: type
              description: The type of the principal.
              type: string
            - name: account_id
              description: The AWS account ID of the principal.
              type: string
              indicators:
                - aws_account_id
            - name: username
              description: The username of the principal.
              type: string
              indicators:
                - username
        - name: azure
          description: The Azure-specific details of the principal.
          type: object
          fields:
            - name: app_id
              description: The Azure application ID.
              type: string
            - name: tenant_id
              description: The Azure tenant ID.
              type: string
        - name: okta
          description: The Okta-specific details of the principal (actor).
          type: object
          fields:
            - name: id
              description: The ID of the actor.
              type: string
            - name: type
              description: The type of the actor. E.g. User.
              type: string
            - name: alternate_id
              description: The alternate ID of the actor.
              type: string
              indicators:
                - email
                - actor_id
        - name: google_cloud
          description: The Google Cloud-specific details of the principal.
          type: object
          fields:
            - name: federated_identity_type
              description: The type of the federated identity.
              type: string
            - name: federated_identity_pool
              description: The pool of the federated identity.
              type: string
            - name: federated_identity_subject
              description: The subject of the federated identity.
              type: string
    - name: indicators
      required: true
      description: The indicators that were raised for the alert.
      type: array
      element:
        type: object
        fields:
            - name: id
              description: The unique identifier for the indicator.
              type: string
            - name: name
              description: The name of the indicator.
              type: string
            - name: description
              description: A description of the indicator.
              type: string
            - name: details
              description: Additional details about the indicator.
              type: json

```

### Tracebit.HealthCheck

```yaml
schema: Tracebit.HealthCheck
description: Health checks from Tracebit
referenceURL: https://tracebit.com
fields:
    - name: discriminator
      required: true
      description: Information to identify the class of log.
      type: object
      fields:
        - name: type
          required: true
          description: The type of log.
          type: string
          validate:
            allow:
                - health_check
        - name: subtype
          required: true
          description: The subtype of the log.
          type: string
    - name: timestamp
      required: true
      description: The time at which the event occurred.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: is_healthy
      required: true
      description: Whether the integration is healthy.
      type: boolean
```

