Tracebit Logs (Beta)

Connecting Tracebit logs in your Panther Console

Overview

The Tracebit logs integration is in open beta starting with Panther version 1.111, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther ingests Tracebit alert logs by configuring Tracebit to send alerts to an HTTP endpoint in Panther.

Tracebit maintains canary resources across your organization's cloud infrastructure to detect potential intrusions. Alert logs from Tracebit contain information about activity on canary resources, as well as use of canary credentials.

How to onboard Tracebit logs to Panther

Step 1: Create a new Tracebit source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Tracebit," then click its tile.

  4. In the slide-out panel, click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • During setup, on the Configure page, you will be required to use HMAC authentication; this is the only method of authentication Tracebit supports.

      • The Header Name associated with your Secret Key Value will be locked with a value of X-Tracebit-Signature-256, and the Hashing Algorithm will be locked with a value of SHA 256.

      • Generate a Secret Key Value and store it in a secure location, as you will need it in the next step.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.
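Added example (not Panther's or Tracebit's own code) showing what the HMAC requirement above buys you on the receiving side: the endpoint recomputes the MAC over the raw body with the shared Secret Key Value and rejects anything whose X-Tracebit-Signature-256 header does not match. The header name and SHA-256 come from this page; the lowercase-hex encoding of the digest with no prefix, the sample secret and the sample body are assumptions constructed for the demo.

```python
import hashlib
import hmac
import json

# Header name and hash algorithm come from the Panther/Tracebit setup above.
# Encoding the digest as bare lowercase hex is an assumption for this demo.
SIGNATURE_HEADER = "X-Tracebit-Signature-256"

def sign_body(secret: str, body: bytes) -> str:
    """Return the HMAC-SHA256 of the raw request body as lowercase hex."""
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()

def verify_request(secret: str, headers: dict, body: bytes) -> bool:
    """True only if the signature header is present and matches the recomputed MAC.

    Header lookup is case-insensitive; the comparison is constant-time so a
    mismatch does not leak how many leading characters were correct.
    """
    presented = None
    for name, value in headers.items():
        if name.lower() == SIGNATURE_HEADER.lower():
            presented = value.strip()
            break
    if not presented:
        return False
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected, presented)

# Constructed sample: a placeholder secret and a body shaped like a Tracebit.Alert log.
SAMPLE_SECRET = "example-secret-key-value"  # placeholder, never a real secret
SAMPLE_BODY = json.dumps({
    "discriminator": {"type": "tracebit_alert_log", "subtype": "canary_credential_used"},
    "id": "log-0001", "alert_id": "alert-0001",
    "timestamp": "2024-05-01T12:00:00Z", "severity": "high",
}, separators=(",", ":")).encode("utf-8")

def demo() -> dict:
    """Show the four outcomes a receiver must distinguish."""
    good = {SIGNATURE_HEADER: sign_body(SAMPLE_SECRET, SAMPLE_BODY)}
    tampered = SAMPLE_BODY.replace(b'"high"', b'"low"')  # body altered after signing
    return {
        "valid": verify_request(SAMPLE_SECRET, good, SAMPLE_BODY),
        "tampered_body": verify_request(SAMPLE_SECRET, good, tampered),
        "wrong_secret": verify_request("other-secret", good, SAMPLE_BODY),
        "missing_header": verify_request(SAMPLE_SECRET, {}, SAMPLE_BODY),
    }
```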

Step 2: Create a Panther integration in Tracebit

  1. In the Tracebit console, navigate to the Integrations page.

  2. Click Panther.

  3. In the HTTP Log Source URL field, paste the HTTP Source URL you generated in Panther in the previous step.

  4. In the HMAC SHA256 Shared Secret field, paste the Secret Key Value you generated in Panther in the previous step.

  5. Click Save.

Supported log types

Tracebit.Alert

schema: Tracebit.Alert
description: Alert logs from Tracebit
referenceURL: https://tracebit.com
fields:
    - name: discriminator
      required: true
      description: The type of log.
      type: object
      fields:
        - name: type
          required: true
          description: The type of log.
          type: string
          validate:
            allow:
                - tracebit_alert_log
        - name: subtype
          description: The subtype of the log. E.g. canary_resource_accessed, canary_credential_used
          type: string
    - name: id
      required: true
      description: The unique identifier for the alert log.
      type: string
    - name: alert_id
      required: true
      description: The unique identifier for the alert. There can be multiple alert logs for a single alert.
      type: string
    - name: tracebit_portal_url
      description: The URL to the alert in the Tracebit portal.
      type: string
      indicators:
        - url
    - name: timestamp
      required: true
      description: The time at which the alert log occurred.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: provider
      description: The provider of the canary or canary credential.
      type: string
    - name: message
      description: A description of the alert log.
      type: string
    - name: severity
      description: The severity of the alert log.
      type: string
    - name: canary_credential
      description: The canary credential whose use triggered the alert. This will only be present for canary credential alerts.
      type: object
      fields:
        - name: name
          description: The name of the canary credential.
          type: string
        - name: type
          description: The type of the canary credential.
          type: string
        - name: issued_at
          description: The time at which the canary credential was issued.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: expires_at
          description: The time at which the canary credential expires.
          type: timestamp
          timeFormats:
            - rfc3339
        - name: labels
          description: The labels associated with the canary credential.
          type: array
          element:
            type: object
            fields:
                - name: name
                  description: The name of the label.
                  type: string
                - name: value
                  description: The value of the label.
                  type: string
        - name: aws
          description: The AWS-specific details of the canary credential.
          type: object
          fields:
            - name: access_key_id
              description: The AWS access key ID.
              type: string
    - name: canary
      description: The canary resource whose access triggered the alert. This will only be present for canary resource alerts.
      type: object
      fields:
        - name: tracebit_id
          description: The unique identifier for the canary in Tracebit.
          type: string
        - name: provider_id
          description: The unique identifier for the canary resource in its provider.
          type: string
        - name: provider_account_id
          description: The unique identifier for the canary's account in the provider.
          type: string
        - name: name
          description: The name of the canary resource.
          type: string
        - name: type
          description: The type of the canary resource.
          type: string
        - name: aws
          description: The AWS-specific details of the canary resource.
          type: object
          fields:
            - name: account_id
              description: The AWS account ID.
              type: string
              indicators:
                - aws_account_id
            - name: account_name
              description: The AWS account name.
              type: string
            - name: arn
              description: The ARN of the resource.
              type: string
              indicators:
                - aws_arn
        - name: okta
          description: The Okta-specific details of the canary resource.
          type: object
          fields:
            - name: domain
              description: The Okta domain.
              type: string
              indicators:
                - domain
            - name: organization_id
              description: The Okta organization ID.
              type: string
        - name: azure
          description: The Azure-specific details of the canary resource.
          type: object
          fields:
            - name: subscription_id
              description: The Azure subscription ID.
              type: string
            - name: subscription_name
              description: The Azure subscription name.
              type: string
            - name: resource_id
              description: The Azure resource ID.
              type: string
    - name: principal
      description: The principal that triggered the alert.
      type: object
      fields:
        - name: id
          description: The unique identifier for the principal.
          type: string
          indicators:
            - actor_id
        - name: aws
          description: The AWS-specific details of the principal.
          type: object
          fields:
            - name: arn
              description: The ARN of the principal.
              type: string
              indicators:
                - aws_arn
            - name: type
              description: The type of the principal.
              type: string
            - name: account_id
              description: The AWS account ID of the principal.
              type: string
              indicators:
                - aws_account_id
            - name: username
              description: The username of the principal.
              type: string
        - name: okta
          description: The Okta-specific details of the principal (actor).
          type: object
          fields:
            - name: id
              description: The ID of the actor.
              type: string
            - name: type
              description: The type of the actor. E.g. User.
              type: string
            - name: alternate_id
              description: The alternate ID of the actor.
              type: string
        - name: azure
          description: The Azure-specific details of the principal.
          type: object
          fields:
            - name: app_id
              description: The Azure application ID.
              type: string
            - name: tenant_id
              description: The Azure tenant ID.
              type: string
    - name: event
      description: The event that triggered the alert log.
      type: object
      fields:
        - name: id
          description: The unique identifier for the event.
          type: string
        - name: operation
          description: The operation performed in the event.
          type: string
        - name: request
          description: The request that triggered the event.
          type: object
          fields:
            - name: user_agent
              description: The agent through which the request was made that triggered the event.
              type: object
              fields:
                - name: raw
                  description: The raw user agent string.
                  type: string
                - name: label
                  description: The label for the user agent.
                  type: string
            - name: ip
              description: The IP address from which the request was made.
              type: string
              indicators:
                - ip
        - name: resources
          description: The resources that were involved in the event.
          type: array
          element:
            type: object
            fields:
                - name: id
                  description: The unique identifier for the resource.
                  type: string
                - name: type
                  description: The type of the resource.
                  type: string

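Added example (not part of the Panther documentation or of any shipped rule pack) of a Panther-style Python detection written against the Tracebit.Alert schema above: every field path used is from the schema, the sample event is constructed, and the small deep_get helper is a stand-in for the equivalent helper Panther provides to real rules.

```python
# Constructed Panther-style rule over Tracebit.Alert. The rule/title/severity/
# dedup/alert_context entry points follow Panther's rule convention; deep_get is
# a local stand-in so the file runs outside Panther. Sample event is made up.
SEVERITY_MAP = {"critical": "CRITICAL", "high": "HIGH", "medium": "MEDIUM", "low": "LOW"}

def deep_get(event: dict, *keys, default=None):
    """Walk nested dicts, returning default if any level is missing."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur

def rule(event: dict) -> bool:
    # Any touch of a canary is worth an alert; match on the log type only so
    # new subtypes Tracebit adds are not silently dropped.
    return deep_get(event, "discriminator", "type") == "tracebit_alert_log"

def severity(event: dict) -> str:
    # Carry Tracebit's severity through; fall back to HIGH when it is unknown.
    return SEVERITY_MAP.get(str(event.get("severity", "")).lower(), "HIGH")

def dedup(event: dict) -> str:
    # Several alert logs can share one alert_id; fold them into one Panther alert.
    return str(event.get("alert_id", "unknown"))

def title(event: dict) -> str:
    subtype = deep_get(event, "discriminator", "subtype", default="unknown")
    target = (deep_get(event, "canary", "name")
              or deep_get(event, "canary_credential", "name") or "unknown")
    actor = deep_get(event, "principal", "id", default="unknown")
    src = deep_get(event, "event", "request", "ip", default="unknown")
    return f"Tracebit {subtype}: [{target}] touched by [{actor}] from [{src}]"

def alert_context(event: dict) -> dict:
    # Pivot points an analyst needs first; missing branches simply yield None.
    return {
        "portal_url": event.get("tracebit_portal_url"),
        "operation": deep_get(event, "event", "operation"),
        "user_agent": deep_get(event, "event", "request", "user_agent", "raw"),
        "access_key_id": deep_get(event, "canary_credential", "aws", "access_key_id"),
        "canary_arn": deep_get(event, "canary", "aws", "arn"),
    }

SAMPLE_EVENT = {  # constructed, shaped like the Tracebit.Alert schema
    "discriminator": {"type": "tracebit_alert_log", "subtype": "canary_credential_used"},
    "id": "log-0001", "alert_id": "alert-0001", "timestamp": "2024-05-01T12:00:00Z",
    "provider": "aws", "severity": "high",
    "canary_credential": {"name": "backup-admin-key", "type": "aws_access_key",
                          "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE"}},
    "principal": {"id": "arn:aws:iam::111111111111:user/example"},
    "event": {"operation": "GetCallerIdentity",
              "request": {"ip": "203.0.113.10", "user_agent": {"raw": "aws-cli/2.x"}}},
}
```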
Tracebit.HealthCheck

schema: Tracebit.HealthCheck
description: Health checks from Tracebit
referenceURL: https://tracebit.com
fields:
    - name: discriminator
      required: true
      description: Information to identify the class of log.
      type: object
      fields:
        - name: type
          required: true
          description: The type of log.
          type: string
          validate:
            allow:
                - health_check
        - name: subtype
          required: true
          description: The subtype of the log.
          type: string
    - name: timestamp
      required: true
      description: The time at which the event occurred.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: is_healthy
      required: true
      description: Whether the integration is healthy.
      type: boolean
