Sysdig Platform Audit
Sysdig provides both a UI and a set of APIs for auditing and reporting on the use of the Sysdig platform itself.
This is in contrast to the Activity Audit or Kubernetes Audit Log features which audit the activities on your target environments.
With Platform Audit, you can answer questions such as:
- Who deleted a policy?
- From where was a policy modified?
- Which modifications were made to a specific alert?
- Who added this user?
- When did we change the single sign-on (SSO) settings?
The audit includes the following request methods against the Sysdig system:
PUTPOSTDELETEPATCHGET
Sysdig retains system audit data for 90 days. To retain Sysdig Secure platform audit data for longer, you can use Event Forwarding, to forward platform audit events to third-party tools, such as Mezmo. See Event Forwarding. You cannot forward Sysdig Monitor system audit data.
Use the Platform Audit UI
Access the UI
To access the Platform Audit in Sysdig Secure or Sysdig Monitor UI:
- Log in as an administrator.
- From the left navigation bar, select Integrations > Data Sources | Sysdig Platform Audit.
Use the UI
Platform Audit lets you understand what was done on the Sysdig platform, when, and by whom.
You can create custom filters by typing in the filter box, or by choosing from the selection of operators shown in the UI.
Data can be filtered based on:
- User
- Team
- Request Method
- Entity Type
- Origin IP
By default, the Platform Audit UI page filters out READ statements through the filter requestMethod != GET. This is based on the assumption that you might be primarily interested in changes made on the platform with commands such as PUT, POST, DELETE, and PATCH. To view READ actions, click X to delete the requestMethod != GET filter.
The date range is given to the right of the filter bar. Select the dates to open up a calendar, where you can define a custom range. The date range can be a maximum of 14 days.
Use the Platform Audit API
Prerequisites
Ensure you have the following information to hand:
- Your Sysdig Secure or Sysdig Monitor API token
- The correct URL for the region where your Sysdig SaaS platform is deployed. For example,
https://app.sysdigcloud.comfor AWS US-East. To find the correct URL for your region, see SaaS Regions and IP Ranges. - The code of the Sysdig product you want to audit. Secure = SDS. Monitor = SDC.
Commands Overview
| Command | Description |
|---|---|
filter=source in ("auditTrail") | Informs the events feed API that you want to fetch auditTrail type of events. |
{{host}} | Host of the region for which you want to fetch audit events. For example, https://app.sysdigcloud.com for AWS US-East. |
{{from}} | (nanoseconds) Timestamp date range, for example, from=1648477226000000000&to=164934122600000000 |
{{to}} | (nanoseconds) Timestamp date range, for example, from=1648477226000000000&to=164934122600000000 |
{{limit}} | (integer) - The upper bound is 999. Defines how many events you will receive, and is used in combination with offset. For example, offset=100&limit=100 (skip first 100 and show next 100). |
{{offset}} | (integer) Used when we implement paging; allows you to skip the first x events. For example, offset=100 will skip the first 100 events. |
{{token}} | (string) - Sysdig Secure or Sysdig Monitor API token. |
API Usage
Get All Audit Events Across the Product and Services
For Sysdig Secure
GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
For Sysdig Monitor
GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDC
Authorization: Bearer {{token}}
Get Audit Events for a Specific Entity
auditTrail.entityType is used if you want to list audit events only for a specific entity or list of entities. In this example, we want to fetch only auth audit events.
X-Sysdig-Product:= SDS (Sysdig Secure) SDC (Sysdig Monitor)
GET {{host}}/api/v1/platformAuditEvents?filter=auditTrail.entityType in ("auth")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
Entities
Sysdig Admin Endpoints
| Entity | Used for |
|---|---|
| billing_report | Subscription billing report. |
| customer | Customers management. |
| customer_metrics | Customers metrics management. |
| customer_signup | Customer signup process. |
| ondemand_usage | Calculating on demand usage. |
| trial_plan | Trial plans management. |
| usage_summary | Usage summary. |
Sysdig Monitor and Sysdig Platform
Some entities are also used in Sysdig Secure but are served by Sysdig Monitor
| Entity | Used for |
|---|---|
| agent | Agent operations. |
| alert | Alert management. |
| alert_notification | (Legacy) Alert notifications. |
| alert_silencing_rule | Alert Silencing Rules Management. |
| alert_template_group | Listing alert template groups. |
| api_token | User Profile to read and reset API token. |
| application_user_settings | Fetching some user app settings like firstTimeOnApp, userTrackingEnabled, and so on. |
| auth | Login/logout events. |
| auth_settings | Authentication settings. |
| auth_sso | SSO authentication events. |
| aws_settings | AWS settings to enable/disable CloudWatch Integration. |
| benchmark | Benchmark tests and results management. |
| capture | Capture management. |
| cloud_subscription | Cloud subscription management. |
| customer_access_key | Access keys management. API only. |
| customer_agreement | Agreements that customer can sign, for example, end-user license agreements (EULA). |
| customer_settings | User Profile to hide Access Key and Agent Installation page for non-admin users. |
| dashboard | Dashboard management. |
| dashboard_template | Fetching dashboard templates. |
| datasource | Listing metric data sources. |
| datastream | Configuring datastream. |
| default_dashboard | Fetching default dashboards. |
| downtime | Notification channel settings to temporarily disable alert events and mute all notifications. |
| event | Events management |
| falco_list | Create, read, update and delete (CRUD) operations related to lists (In the UI: Policies->Falco Lists). |
| falco_macro | CRUD operations related to macros (In the UI: Policies->Falco Macros). |
| falco_rules_file | CRUD operations for Falco-related files like default and custom rules files that create macros, lists and rules using yaml (on UI: Policies->Rules Editor). |
| file_storage_config | File storage management. |
| group_mapping | Mapping identity provider (IdP) groups to Sysdig teams and roles. |
| ibm_resource | Fetching IBM resource instances. |
| inactivity_settings | Session expiration settings. |
| integration | Integrations. |
| invoice | Listing invoices. |
| license | Used to fetch on-prem licenses. |
| login_banner | The agreement that must be accepted before logging in. |
| notification_channel | Notification channel settings. |
| offer | Listing offers. |
| onboarding | Fetching onboarding data and updating steps. |
| overview | Fetching overviews. |
| permission | Permissions management. |
| plan_settings | Fetching plan settings. |
| policy | Secure policies management. |
| policy_action | Getting a list of actions corresponding to a policy type when you try to create/edit a policy (in the UI: Policies->Runtime Policies->Add or Edit existing policy). |
| policy_descriptor | Defining the scope in which to apply a policy type when creating/editing a policy CRUD operations related to lists (in the UI: Policies->Runtime Policies->Add or Edit existing policy). |
| prometheus_rule | Used to export alerts and alert notifications in a Prometheus API format. Also allows users to create/export Prometheus alerting/recording rules. |
| provider | Used in AWS settings for AWS Accounts management. |
| restricted_token | IBM restricted API token management |
| role | Role management. |
| runtime_policy_rule | CRUD operations related to runtime policy rules (on UI: Policies->Rules Library). |
| s3_settings | Sysdig Storage settings. |
| scanning_event | Scanning events operations. |
| secure_settings | Secure settings management. |
| service_account | Service account management |
| silencing_rule | Silencing Rules Management. |
| slack | Slack integration setup. |
| statement | Listing statements. |
| subscription | Manafinf subscription. |
| team | Teams management. |
| ui_user_settings | Fetching some UI user settings. |
| usage_report | Listing usage reports. |
| user | Users Management and in User Profile to reset passwords. |
Sysdig Secure
| Entity | Used for |
|---|---|
| acceptance-edit | Post, put and delete operations in Vulnerability Management (VM) in Risk Acceptance. |
| acceptance-read | Get operations in VM Risk Acceptance. |
| acceptance-read-scanner | Get operations in VM Risk Acceptance. |
| account | |
| blackout | |
| cluster | Used in VM Legacy for CREATE, READ, UPDATE and DELETE operations on clusters and heartbeat. |
| compliance | the Legacy Compliance module. |
| csv | |
| customerOptOut | |
| dataSource | |
| download | Downloading VM Reports. |
| event | Viewing an event. |
| falco | Viewing or modifying a Falco rule. |
| feature | |
| forwarding_integration | |
| framework | |
| group | |
| health | |
| host | |
| internal | |
| kubernetesNetworking | |
| labels | |
| list | Referring to a list of items in Falco Rules. |
| macro | Encapsulating small expressions for use in Falco Rules. |
| networkSecurity | Viewing or changing Network Security configurations and see how a KNP policy is generated. |
| networkTopology | Viewing the Network Security Topology. |
| overview | |
| policy | Create, read, update and delete (CRUD) operations related to runtime policies. |
| policyTuner | Viewing or editing exceptions. |
| provider | |
| reader | VM Reporting, as well as SNOW and EVE integrations. |
| remediations | |
| report | |
| resource | |
| rule | Used to view a Falco rule through the rules library, a runtime policy, or an event. |
| schema | |
| secure-iac-acprovider | CSPM. Not related to a user action. |
| secure-iac-agenthandler | Posture. Not related to a user action. |
| secure-iac-cloudcollector | CSPM. Not related to a user action. |
| secure-iac-cloudengine | Posture for reading cloud assets posture, creating cloud asset report, and reading remediation playbook. |
| secure-iac-clusteranalysis | Posture for reading host assets posture, creating host asset report, and reading remediation playbook. |
| secure-iac-compliance | Posture and Compliance for reading compliance results, creating compliance report, accepting posture risks, editing \ revoking \ reading posture risks, and adding compliance views to favorites. |
| secure-iac-gitprovider | reading git integration, creating git integration, and git source. |
| secure-iac-inventory | Inventory to read assets/resources details, compliance posture status, list resources, their connections, attributes and configuration. |
| secure-iac-policy | Posture, Compliance and Zones to read policies, controls, CRUD custom policies, CRUD custom controls, CRUD ACEnforcement, CRUD Zones. |
| secure-iac-scheduler | KSPM and CSPM scan tasks: read tasks, re-run task, re-schedule task. |
| secure-iac-temporalworker | CSPM. Not related to a user action. |
| secure-iac-workload | Reading Kubernetes assets posture, create Kubernetes asset report, read Kubernetes remediation playbook. |
| session | |
| task | |
| ticketing | |
| user | |
| vm-collector-write | CLI or other component sending a scan result to the collector. |
| vm-policies-read | Internal API to read VM policies. |
| vm-policies-write | Internal API to write VM policies. |
| vm-riskacceptance-read-scanner | GET operations in Accepted Risk. |
| vm-riskacceptance-read-ui | GET operations in Accepted Risk. |
| vm-riskacceptance-write-ui | POST, PUT and DELETE operations in Accepted Risk. |
| writer | VM Reporting configuration and EVE Integration data reception. |
The Infrastructure as Code (IAC) Entities
This list contains Infrastructure as Code (IAC) entities in Sysdig Secure:
| Entity | Description |
|---|---|
| secure-iac-cloudengine | Used to read cloud assets posture, create cloud asset reports, and read remediation playbook. |
| secure-iac-clusteranalysis | Used to read hosts assets posture, create a host asset report, and read the remediation playbook. |
| secure-iac-compliance | Used to read compliance results, create compliance report, accept posture risks, edit, revoke, and read posture risks, as well as star favorite compliance views. |
| secure-iac-gitprovider | Used to read Git integration, create a Git integration, and Git source. |
| secure-iac-inventory | Used to read assets, resources details, compliance posture status, lists resources, their connections, attributes and configuration. |
| secure-iac-policy | Used to read policies, controls, create, read, update and delete (CRUD) operations on custom policies, CRUD operations on custom controls, CRUD operations on ACEnforcement, and CRUD operations on Zones. |
| secure-iac-scheduler | Kubernetes Security Posture Management (KSPM) and Cloud Security Posture Management (CSPM) scan tasks, such as read tasks, re-run tasks, and re-schedule tasks. |
| secure-iac-workload | Used to read Kubernetes assets posture, create Kubernetes asset report, and read Kubernetes remediation playbook. |
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.
