Sysdig Platform Audit
Sysdig provides both a UI and a set of APIs for auditing and reporting on the use of the Sysdig platform itself.
This is in contrast to the Activity Audit or Kubernetes Audit Log features which audit the activities on your target environments.
With Platform Audit, you can answer questions such as:
- Who deleted a policy?
- From where was a policy modified?
- Which modifications were made to a specific alert?
- What was the payload of the changed alert?
- What condition was changed?
- Who added this user?
- When did we change the single sign-on (SSO) settings?
- Are dashboards loading properly?
The audit includes the following request methods against the Sysdig system:
PUTPOSTDELETEPATCHGET
The system audit data is retained for 90 days.
Use the Platform Audit UI
Access the UI
To access the Platform Audit UI in Sysdig Secure or Sysdig Monitor:
- Log in as an administrator.
- Navigate to Integrations in the left panel.
- Under Data Sources, click Sysdig Platform Audit.
Use the UI
Use Platform Audit to understand what was done on the Sysdig platform, when, and by whom.
By default, the Platform Audit UI page filters out READ statements through the filter requestMethod != GET. This is based on the assumption that users are primarily interested in changes made on the platform in commands such as PUT, POST, DELETE, and PATCH. T
To view READ actions, click X on the the requestMethod != GET filter.
You can create custom filters by typing in the filter box, or by choosing from the selection of operators shown in the UI.
Data can be filtered based on:
- User
- Team
- Request Method
- Entity Type
- Origin IP
The selected date range can be a maximum of 14 days.
Use the Platform Audit API
Prerequisites
Ensure you have the following information to hand:
- Your Sysdig Secure or Sysdig Monitor API token
- The host region where your Sysdig platform is deployed. For example, https://app.sysdigcloud.com for AWS US-East.
- The Sysdig product you want to audit (Secure = SDS; Monitor = SDC)
Commands Overview
| Command | Description |
|---|---|
filter=source in ("auditTrail") | Informs the events feed API that you want to fetch auditTrail type of events. |
{{host}} | Host of the region for which you want to fetch audit events. For example, https://app.sysdigcloud.com for AWS US-East. |
{{from}} | (nanoseconds) Timestamp date range, for example, from=1648477226000000000&to=164934122600000000 |
{{to}} | (nanoseconds) Timestamp date range, for example, from=1648477226000000000&to=164934122600000000 |
{{limit}} | (integer) - The upper bound is 999. Defines how many events you will receive, and is used in combination with offset. For example, offset=100&limit=100 (skip first 100 and show next 100). |
{{offset}} | (integer) Used when we implement paging; allows you to skip the first x events. For example, offset=100 will skip the first 100 events. |
{{token}} | (string) - Sysdig Secure or Sysdig Monitor API token. |
API Usage
Get All Audit Events Across the Product and Services
For Sysdig Secure
GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
For Sysdig Monitor
GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDC
Authorization: Bearer {{token}}
Get Audit Events for a Specific Entity
auditTrail.entityType is used if you want to list audit events only for a specific entity or list of entities. In this example, we want to fetch only auth audit events.
X-Sysdig-Product:= SDS (Sysdig Secure) SDC (Sysdig Monitor)
GET {{host}}/api/v1/platformAuditEvents?filter=auditTrail.entityType in ("auth")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
Entities
Sysdig Admin Endpoints
| Entity | Description |
|---|---|
| billing_report | Used for subscription billing report. |
| customer | Used for customers management. |
| customer_metrics | Used for customers metrics management. |
| customer_signup | Used for customer signup process. |
| ondemand_usage | Used for calculating on demand usage. |
| trial_plan | Used for trial plans management. |
| usage_summary | Used for usage summary. |
Sysdig Monitor and Sysdig Platform
Some entities are also used in Sysdig Secure but are served by Sysdig Monitor
| Entity | Description |
|---|---|
| agent | Used for agent operations. |
| alert | Used for alert management. |
| alert_notification | Used for alert notifications. Not used anymore. |
| alert_silencing_rule | Used for Alert Silencing Rules Management. |
| alert_template_group | Used for listing alert template groups. |
| api_token | Used for User Profile to read and reset API token. |
| application_user_settings | Used for fetching some user app settings like firstTimeOnApp, userTrackingEnabled, and so on. |
| auth | Used for login/logout events. |
| auth_settings | Used in authentication settings. |
| auth_sso | Used for SSO authentication events. |
| aws_settings | Used in AWS settings to enable/disable CloudWatch Integration. |
| benchmark | Used for benchmark tests and results management |
| capture | Used for Capture management. |
| cloud_subscription | Used for cloud subscription management. |
| customer_access_key | Used for access keys management. API only. |
| customer_agreement | Agreements that customer can sign, for example, end-user license agreements (EULA). |
| customer_settings | Used in User Profile to hide Access Key and Agent Installation page for non-admin users. |
| dashboard | Used for Dashboard management. |
| dashboard_template | Used for fetching dashboard templates. |
| datasource | Used for listing metric data sources. |
| datastream | Used for datastream configuration |
| default_dashboard | Used for fetching default dashboards. |
| downtime | Used in notification channel settings to temporarily disable alert events and mute all notifications. |
| event | Used for events management |
| falco_list | Used for create, read, update and delete (CRUD) operations related to lists (In the UI: Policies->Falco Lists). |
| falco_macro | Used for CRUD operations related to macros (In the UI: Policies->Falco Macros). |
| falco_rules_file | Used for CRUD operations for Falco-related files like default and custom rules files that create macros, lists and rules using yaml (on UI: Policies->Rules Editor). |
| file_storage_config | Used for file storage management. |
| group_mapping | Used for mapping identity provider (IdP) groups to Sysdig teams and roles. |
| ibm_resource | Used for fetching IBM resource instances. |
| inactivity_settings | Used for session expiration settings. |
| integration | Used for integration |
| Invoice | Used for listing invoices. |
| license | Used to fetch on-prem licenses. |
| login_banner | The agreement that must be accepted before logging in. |
| notification_channel | Used in notification channel settings. |
| offer | Used for listing offers. |
| onboarding | Used for fetching onboarding data and updating steps. |
| overview | Used for fetching overviews. |
| permission | Used for permissions management. |
| plan_settings | Used for fetching plan settings. |
| policy | Used for secure policies management. |
| policy_action | Used to get a list of actions corresponding to a policy type when you try to create/edit a policy (in the UI: Policies->Runtime Policies->Add or Edit existing policy). |
| policy_descriptor | Used to define the scope in which to apply a policy type when creating/editing a policy used for CRUD operations related to lists (in the UI: Policies->Runtime Policies->Add or Edit existing policy). |
| prometheus_rule | Used to export alerts and alert notifications in a Prometheus API format. Also allows users to create/export Prometheus alerting/recording rules. |
| provider | Used in AWS settings for AWS Accounts management. |
| restricted_token | Used for IBM restricted API token management |
| role | Used for Role management. |
| runtime_policy_rule | Used for CRUD operations related to runtime policy rules (on UI: Policies->Rules Library). |
| s3_settings | Used in Sysdig Storage settings. |
| scanning_event | Used for scanning events operations. |
| secure_settings | Used for secure settings management. |
| service_account | Used for service account management |
| silencing_rule | Used for Silencing Rules Management. |
| slack | Used for Slack integration setup. |
| statement | Used for listing statements. |
| subscription | Used for subscription management. |
| team | Used for Teams management. |
| ui_user_settings | Used for fetching some UI user settings. |
| usage_report | Used for listing usage reports. |
| user | Used for Users Management and in User Profile to reset passwords. |
Sysdig Secure
| Entity | Description |
|---|---|
| acceptance-edit | Used for post, put and delete operations in Vulnerability Management (VM) in Risk Acceptance. |
| acceptance-read | Used for get operations in VM Risk Acceptance. |
| acceptance-read-scanner | Used for get operations in VM Risk Acceptance. |
| account | |
| compliance | |
| dataSource | |
| download | VM Reporting, download |
| event | Used to view an event. |
| falco | Used to view or modify a Falco rule. |
| feature | |
| forwarding_integration | |
| framework | |
| health | |
| host | |
| list | Used to refer to a list of items in Falco Rules. |
| macro | Used for encapsulating small expressions for use in Falco Rules. |
| networkSecurity | Used to view or change Network Security configurations and see how a KNP policy is generated. |
| networkTopology | Used to view the Network Security Topology. |
| policy | Used for create, read, update and delete (CRUD) operations related to runtime policies. |
| policyTuner | Used to view or edit exceptions. |
| provider | |
| reader | |
| report | |
| resource | |
| rule | Used to view a Falco rule through the rules library, a runtime policy, or an event. |
| schema | |
| task | |
| user | |
| vm-collector-write | |
| vm-policies-read | |
| vm-policies-write | |
| vm-riskacceptance-read-scanner | |
| vm-riskacceptance-read-ui | |
| vm-riskacceptance-write-ui | |
| writer |
The Infrastructure as Code (IAC) Entities
This list contains Infrastructure as Code (IAC) entities in Sysdig Secure:
| Entity | Description |
|---|---|
| secure-iac-cloudengine | Used to read cloud assets posture, create cloud asset reports, and read remediation playbook. |
| secure-iac-clusteranalysis | Used to read hosts assets posture, create a host asset report, and read the remediation playbook. |
| secure-iac-compliance | Used to read compliance results, create compliance report, accept posture risks, edit, revoke, and read posture risks, as well as star favorite compliance views. |
| secure-iac-gitprovider | Used to read Git integration, create a Git integration, and Git source. |
| secure-iac-inventory | Used to read assets, resources details, compliance posture status, lists resources, their connections, attributes and configuration. |
| secure-iac-policy | Used to read policies, controls, create, read, update and delete (CRUD) operations on custom policies, CRUD operations on custom controls, CRUD operations on ACEnforcement, and CRUD operations on Zones. |
| secure-iac-scheduler | Used for Kubernetes Security Posture Management (KSPM) and Cloud Security Posture Management (CSPM) scan tasks, such as read tasks, re-run tasks, and re-schedule tasks. |
| secure-iac-workload | Used to read kubernetes assets posture, create kubernetes asset report, and read kubernetes remediation playbook. |
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.