Teleport Logs
Connecting Teleport logs to your Panther Console
Overview
Panther supports ingesting Teleport logs via common Data Transport options: Amazon Web Services (AWS) S3 and SQS.
How to onboard Teleport logs to Panther
To pull these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for the log type you want to onboard, then click its tile.
Select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
Configure your Data Transport source to pull in logs from Teleport.
See the Data Transport service provider's documentation for instructions on pulling in logs.
Panther-Built Detections
See Panther's built-in rules for Teleport in the panther-analysis repository on GitHub.
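A Panther-style rule (Python, the format used in panther-analysis) that flags failed Teleport logins, added here as an example and not one of Panther's built-in rules. The sample events are constructed; `evaluate` is a local harness standing in for the rule engine, and it assumes the `event` passed to `rule()` is dict-like (as Panther's event object is), so `.get()` works as shown.

```python
import json

# Constructed sample Teleport audit events as JSON lines (not real log data).
# Field names follow the Gravitational.TeleportAudit schema; note that
# "addr.remote" is a single key containing a literal dot, not a nested object.
SAMPLE_LINES = [
    '{"event":"user.login","code":"T1000I","time":"2023-01-10T12:00:00Z",'
    '"uid":"e1","user":"alice","method":"local","success":true,'
    '"addr.remote":"198.51.100.7:51122"}',
    '{"event":"user.login","code":"T1000W","time":"2023-01-10T12:00:05Z",'
    '"uid":"e2","user":"alice","method":"local","success":false,'
    '"error":"invalid username or password","addr.remote":"198.51.100.7:51123"}',
    '{"event":"session.start","code":"T2000I","time":"2023-01-10T12:01:00Z",'
    '"uid":"e3","user":"alice","login":"root","server_hostname":"db-01","sid":"s-1"}',
]


def rule(event):
    """Panther rule entry point: fire on a failed Teleport user login."""
    # `success` is a boolean in the schema, so compare with `is False`;
    # `not event.get("success")` would also fire on events without the field.
    return event.get("event") == "user.login" and event.get("success") is False


def title(event):
    """Alert title shown in the Panther Console."""
    user = event.get("user", "<unknown>")
    # Use .get() with the dotted key; deep_get("addr", "remote") would not find it.
    remote = event.get("addr.remote", "<unknown>")
    return f"Failed Teleport login for user [{user}] from [{remote}]"


def alert_context(event):
    """Extra schema fields attached to the alert for triage."""
    return {
        "code": event.get("code"),
        "method": event.get("method"),
        "error": event.get("error"),
    }


def parse_lines(lines):
    """Parse JSON lines into dicts (the shape handed to rule())."""
    return [json.loads(line) for line in lines]


def evaluate(lines):
    """Local harness standing in for the rule engine: titles of matching events."""
    return [title(evt) for evt in parse_lines(lines) if rule(evt)]
```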
Supported log types
Gravitational.TeleportAudit
Teleport logs events such as successful user logins, along with metadata such as the remote IP address, time, and session ID. See Teleport's Cluster Administration Guide for more information.
```yaml
schema: Gravitational.TeleportAudit
description: Teleport logs events like successful user logins along with the metadata like remote IP address, time and the session ID.
referenceURL: https://goteleport.com/docs/admin-guide/#audit-log
fields:
  - name: event
    required: true
    description: Event type
    type: string
  - name: code
    required: true
    description: Event code
    type: string
  - name: time
    required: true
    description: Event timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: uid
    description: Event unique id
    type: string
  - name: user
    description: Teleport user name (event type is 'user.login')
    type: string
  - name: namespace
    description: Server namespace. This field is reserved for future use.
    type: string
  - name: server_id
    description: Unique server ID.
    type: string
  - name: sid
    description: Session ID. Can be used to replay the session.
    type: string
    indicators:
      - trace_id
  - name: ei
    description: Event numeric id
    type: int
  - name: login
    description: OS login
    type: string
  - name: addr.local
    description: Address of the SSH node
    type: string
    indicators:
      - net_addr
  - name: addr.remote
    description: Address of the connecting client (user)
    type: string
    indicators:
      - net_addr
  - name: size
    description: Size of terminal
    type: string
  - name: success
    description: Authentication success (if event type is 'auth')
    type: boolean
  - name: error
    description: Authentication error (event type is 'auth')
    type: string
  - name: command
    description: Command that was executed (event type is 'exec')
    type: string
  - name: exitCode
    description: Exit code of the command (event type is 'exec')
    type: int
  - name: exitError
    description: Exit error of the command (event type is 'exec')
    type: string
  - name: pid
    description: Process id of command
    type: bigint
  - name: ppid
    description: Process id of the parent process
    type: bigint
  - name: cgroup_id
    description: Control group id
    type: bigint
  - name: return_code
    description: Return code of the command
    type: int
  - name: program
    description: Name of the command
    type: string
  - name: argv
    description: Arguments passed to command
    type: array
    element:
      type: string
  - name: path
    description: Executable path or SCP action target file path (scp, session.command)
    type: string
  - name: len
    description: SCP target file size (scp)
    type: bigint
  - name: action
    description: SCP action (scp)
    type: string
  - name: method
    description: Login method used (user.login)
    type: string
  - name: attributes
    description: User login attributes (user.login)
    type: json
  - name: roles
    description: Roles for the new user (user.create)
    type: array
    element:
      type: string
  - name: connector
    description: Connector that created the user (user.create)
    type: string
  - name: expires
    description: Expiration date
    type: timestamp
    timeFormats:
      - rfc3339
  - name: name
    description: Name of user or service (github.created, user.create, user.update)
    type: string
  - name: tx
    description: Number of bytes sent
    type: bigint
  - name: rx
    description: Number of bytes received
    type: bigint
  - name: server_labels
    description: Server labels
    type: json
  - name: server_hostname
    description: Server hostname
    type: string
    indicators:
      - hostname
  - name: server_addr
    description: Server hostname
    type: string
    indicators:
      - net_addr
  - name: session_start
    description: Timestamp of session start
    type: timestamp
    timeFormats:
      - rfc3339
  - name: session_stop
    description: Timestamp of session end
    type: timestamp
    timeFormats:
      - rfc3339
  - name: interactive
    description: Whether the session was interactive
    type: boolean
  - name: enhanced_recording
    description: Whether enhanced recording is enabled
    type: boolean
  - name: participants
    description: Users that participated in the session
    type: array
    element:
      type: string
  - name: dst_addr
    description: Destination IP address
    type: string
    indicators:
      - ip
  - name: src_addr
    description: Source IP address
    type: string
    indicators:
      - ip
  - name: dst_port
    description: Destination port
    type: int
  - name: version
    description: Event version
    type: int
  - name: cluster_name
    description: Teleport cluster name
    type: string
  - name: db_name
    description: Database/schema name
    type: string
  - name: db_protocol
    description: Database protocol
    type: string
  - name: db_query
    description: Text of the query
    type: string
  - name: db_query_parameters
    description: Query parameters (for prepared statements)
    type: json
  - name: db_service
    description: Database service name
    type: string
  - name: db_uri
    description: Database server endpoint
    type: string
    indicators:
      - url
  - name: db_user
    description: Database account name
    type: string
    indicators:
      - username
  - name: desktop_addr
    description: Address of desktop
    type: string
  - name: desktop_name
    description: Name of desktop
    type: string
  - name: desktop_labels
    description: Key/Value pairs related to the desktop of this event
    type: json
  - name: file_path
    description: Relative path from the root of the shared directory
    type: string
  - name: directory_name
    description: Name of directory accessed
    type: string
  - name: directory_id
    description: Id of directory accessed
    type: string
  - name: reviewer
    description: Reviewer of the request
    type: string
  - name: proposed_state
    description: Desired state of the request
    type: string
  - name: state
    description: Actual state of the request
    type: string
  - name: with_mfa
    description: WithMFA is a UUID of an MFA device used to start this session.
    type: string
  - name: impersonator
    description: Impersonator is a username of a user impersonating this user
    type: string
  - name: aws_role_arn
    description: AWS Role ARN
    type: string
    indicators:
      - aws_arn
  - name: access_requests
    description: IDs of Access Requests
    type: json
  - name: forwarded_by
    description: ForwardedBy tells us if the metadata was sent by the node itself or by another node in its place
    type: string
  - name: proto
    description: Protocol specifies protocol that was captured
    type: string
  - name: user_agent
    description: UserAgent identifies the type of client that attempted the event.
    type: string
  - name: kubernetes_cluster
    description: kubernetes cluster name
    type: string
  - name: kubernetes_users
    description: list of kubernetes usernames
    type: json
  - name: kubernetes_groups
    description: list of kubernetes groups
    type: json
  - name: kubernetes_labels
    description: the labels (static and dynamic) of the kubernetes cluster the session occurred on.
    type: json
  - name: kubernetes_pod_name
    description: Name of the kubernetes pod
    type: string
  - name: kubernetes_pod_namespace
    description: Namespace of the kubernetes pod
    type: string
  - name: kubernetes_container_name
    description: Name of container within the kubernetes pod
    type: string
  - name: kubernetes_container_image
    description: The image of the container within the kubernetes pod
    type: string
  - name: kubernetes_node_name
    description: Name of the node that runs the kubernetes pod
    type: string
  - name: initial_command
    description: The command used to start this session
    type: json
  - name: session_recording
    description: The type of session recording
    type: string
  - name: ci
    description: Chunk index
    type: string
  - name: bytes
    description: How many bytes have been written to the session
    type: string
  - name: ms
    description: Delay in milliseconds from start of session
    type: string
  - name: offset
    description: Offset in bytes from start of session file
    type: string
  - name: length
    description: Number of bytes sent/received
    type: string
  - name: reason
    description: Reason for the event
    type: string
  - name: max
    description: Maximum value
    type: string
  - name: flags
    description: Flags that were passed relevant to this event
    type: json
  - name: operation
    description: Denotes what network operation was performed
    type: json
  - name: mfa_device
    description: The MFA device used during login
    type: json
  - name: updated_by
    description: Indicates the user who modified the resource
    type: string
    indicators:
      - username
  - name: ttl
    description: Time to live
    type: string
  - name: id
    description: Access request ID
    type: string
  - name: delegator
    description: Used by teleport plugins to indicate the identity
    type: string
  - name: annotations
    description: Annotations is an optional set of attributes supplied by a plugin during approval/rejection
    type: json
  - name: resource_ids
    description: The set of resources to which access is being requested
    type: json
  - name: cluster
    description: Name of cluster
    type: string
  - name: kind
    description: Resource kind
    type: string
  - name: addr
    description: Target port forwarding address
    type: string
  - name: working_directory
    description: The current directory of the event
    type: string
  - name: target_path
    description: The path of the file
    type: string
  - name: request_path
    description: Raw request URL path
    type: string
  - name: verb
    description: HTTP Verb
    type: string
  - name: resource_api_group
    description: Resource API Group
    type: string
  - name: resource_namespace
    description: Resource namespace
    type: string
  - name: resource_kind
    description: Resource API kind
    type: string
  - name: resource_name
    description: Resource API name
    type: string
  - name: response_code
    description: HTTP Response code
    type: string
  - name: app_uri
    description: Application endpoint
    type: string
    indicators:
      - url
  - name: app_public_addr
    description: The configured application public address.
    type: string
    indicators:
      - url
  - name: app_labels
    description: The configured application labels.
    type: json
  - name: app_name
    description: The configured application name
    type: string
  - name: public_addr
    description: Public address
    type: string
    indicators:
      - url
  - name: session_chunk_id
    description: The ID of the session that was created
    type: string
  - name: status_code
    description: HTTP Response code
    type: string
  - name: raw_query
    description: Encoded query values
    type: string
  - name: aws_region
    description: Requested AWS region
    type: string
  - name: aws_service
    description: Requested AWS service
    type: string
  - name: aws_host
    description: Requested AWS host
    type: string
  - name: db_labels
    description: Database resource labels
    type: json
  - name: db_aws_region
    description: AWS region for AWS hosted databases
    type: string
  - name: db_aws_redshift_cluster_id
    description: Cluster ID for Redshift databases
    type: string
  - name: db_gcp_project_id
    description: Project ID for GCP hosted databases
    type: string
  - name: db_gcp_instance_id
    description: Instance ID for GCP hosted databases
    type: string
  - name: statement_name
    description: Name of the prepared statement
    type: string
  - name: query
    description: Prepared statement query
    type: string
  - name: portal_name
    description: Name of destination portal
    type: string
  - name: parameters
    description: Parameters
    type: json
  - name: function_oid
    description: Object ID of called function
    type: string
  - name: function_args
    description: Formatted function args
    type: json
  - name: windows_desktop_service
    description: Name of service
    type: string
  - name: windows_domain
    description: Active directory domain
    type: string
  - name: windows_user
    description: Windows username
    type: string
  - name: mfa_device_name
    description: User-specified name of the MFA device
    type: string
  - name: mfa_device_uuid
    description: UUID of MFA Device
    type: string
  - name: mfa_device_type
    description: Type of MFA Device
    type: string
  - name: target
    description: Target
    type: string
  - name: recorded
    description: Whether the session was recorded
    type: boolean
  - name: cert_type
    description: Type of certificate used
    type: string
  - name: identity
    description: Identity associated with the request
    type: json
  - name: unknown_event
    description: Unknown event
    type: string
  - name: unknown_code
    description: Unknown code
    type: string
  - name: data
    description: Serialized JSON of unknown event
    type: string
  - name: url
    description: URL of session where event data was uploaded
    type: string
  - name: search_as_roles
    description: List of roles the search was performed as
    type: json
  - name: resource_type
    description: Type of resource being searched for
    type: string
  - name: labels
    description: Label-based matcher used for the search
    type: json
  - name: predicate_expression
    description: List of conditions used for the search
    type: json
  - name: search_keywords
    description: List of search keywords used to match against resource field values
    type: json
  - name: statement_id
    description: Id of the prepared statement
    type: string
  - name: parameter_id
    description: Id of the parameter
    type: string
  - name: data_size
    description: Size of the data
    type: string
  - name: rows_count
    description: Number of rows to fetch
    type: string
  - name: schema_name
    description: Name of schema
    type: string
  - name: process_id
    description: Process Id of a connection
    type: string
  - name: subcommand
    description: String representation of the subcommand
    type: string
  - name: proc_name
    description: The RPC SQL Server procedure name
    type: string
  - name: category
    description: Represents the category of API being accessed in a given request
    type: json
  - name: upgrade_window_start
    description: Upgrade window time
    type: string
  - name: kube_labels
    description: Configured kubernetes cluster labels
    type: json
  - name: command_id
    description: Id of the SSH command that was run
    type: string
  - name: instance_id
    description: Id of the EC2 instance the command was run on
    type: string
  - name: exit_code
    description: Exit code resulting from the command
    type: string
  - name: status
    description: Status of the command
    type: string
  - name: account_id
    description: Id of the AWS account that ran the command
    type: string
    indicators:
      - aws_account_id
  - name: region
    description: AWS region the command was run in
    type: string
```