Bitwarden Logs

Panther supports pulling logs directly from Bitwarden

Overview

This feature is currently in open beta, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther can query the Bitwarden Events API for new audit events every 60 seconds.

How to onboard Bitwarden logs to Panther

Prerequisite

  • To read events from your Bitwarden account, you must have a Bitwarden organization account with API access.

Step 1: Create a new Bitwarden source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Bitwarden,” then click its tile.

  4. In the slide-out panel, click Start Setup.

  5. Enter a descriptive name for the source, e.g., "My Bitwarden logs".

  6. Click Setup.

Step 2: Fetch API credentials in Bitwarden

  1. In a separate browser tab, open the Bitwarden web console.

  2. Navigate to the Settings tab.

  3. In the lefthand navigation bar, select Organization info.

  4. Copy the Client ID and Client Secret and store them in a secure location, as you will need them in the next step.

Step 3: Finalize Bitwarden onboarding in Panther

  1. Navigate to the Panther Console, on the Credentials page where you left off in the earlier steps.

  2. Click Setup. You will be directed to a success screen:

    • You can optionally enable one or more Detection Packs.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported log types

Panther supports Bitwarden.Events logs.

Bitwarden.Events

These logs represent events for the entire organization. For more information, see Bitwarden's API documentation.

schema: Bitwarden.Events
parser:
  native:
    name: Bitwarden.Events
description: Event logs from the Bitwarden Event Logs API
referenceURL: https://bitwarden.com/help/event-logs/#events
fields:
  - name: object
    required: true
    description: String representing the object's type.
    type: string
  - name: type
    required: true
    description: Event type
    type: bigint
  - name: itemId
    description: Unique identifier of the related item that the event describes.
    type: string
  - name: collectionId
    description: Unique identifier of the related collection that the event describes.
    type: string
  - name: groupId
    description: Unique identifier of the related group that the event describes.
    type: string
  - name: policyId
    description: Unique identifier of the related policy that the event describes.
    type: string
  - name: memberId
    description: Unique identifier of the related member that the event describes.
    type: string
  - name: actingUserId
    description: Unique identifier of the user that performed the event.
    type: string
  - name: installationId
    description: Unique identifier of the installation that the event describes.
    type: string
  - name: date
    required: true
    description: date/timestamp when the event occurred.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: device
    description: Device type
    type: bigint
  - name: ipAddress
    description: IP address of the acting user
    type: string
    indicators:
      - ip

Last updated

#1924: [don't merge until ~Oct] Notion Logs (Beta)

Change request updated