Sysdig Platform Audit
Platform Audit records the activity performed on the Sysdig platform itself: who did what, when, and from where. This is in contrast to the Activity Audit or Kubernetes Audit Log features, which audit the activities on your target environments.
With Platform Audit, you can answer questions such as:
- Who deleted a policy?
- From where was a policy modified?
- Which modifications were made to a specific alert?
- Who added this user?
- When did we change the single sign-on (SSO) settings?
The audit includes the following request methods against the Sysdig system:
- PUT
- POST
- DELETE
- PATCH
- GET
Sysdig retains system audit data for 90 days. To retain Sysdig Secure platform audit data for longer, use Event Forwarding to forward platform audit events to third-party tools such as Mezmo. See Event Forwarding. Sysdig Monitor system audit data cannot be forwarded.
Use the Platform Audit UI
Access the UI
To access the Platform Audit in Sysdig Secure or Sysdig Monitor UI:
- Log in as an administrator.
- From the left navigation bar, select Integrations > Data Sources | Sysdig Platform Audit.
Use the UI
Platform Audit lets you understand what was done on the Sysdig platform, when, and by whom.
You can create custom filters by typing in the filter box, or by choosing from the selection of operators shown in the UI.
Data can be filtered based on:
- User
- Team
- Request Method
- Entity Type
- Origin IP
By default, the Platform Audit UI page filters out READ statements through the filter `requestMethod != GET`. This is based on the assumption that you are primarily interested in changes made on the platform with commands such as `PUT`, `POST`, `DELETE`, and `PATCH`. To view READ actions, click X to delete the `requestMethod != GET` filter.
The date range is given to the right of the filter bar. Select the dates to open up a calendar, where you can define a custom range. The date range can be a maximum of 14 days.
Use the Platform Audit API
Prerequisites
Ensure you have the following information to hand:
- Your Sysdig Secure or Sysdig Monitor API token
- The correct URL for the region where your Sysdig SaaS platform is deployed. For example, https://app.sysdigcloud.com for AWS US-East. To find the correct URL for your region, see SaaS Regions and IP Ranges.
- The code of the Sysdig product you want to audit. Secure = SDS. Monitor = SDC.
Commands Overview
Command | Description |
---|---|
filter=source in ("auditTrail") | Informs the events feed API that you want to fetch auditTrail type of events. |
{{host}} | Host of the region for which you want to fetch audit events. For example, https://app.sysdigcloud.com for AWS US-East. |
{{from}} | (nanoseconds) Timestamp date range, for example, from=1648477226000000000&to=164934122600000000 |
{{to}} | (nanoseconds) Timestamp date range, for example, from=1648477226000000000&to=164934122600000000 |
{{limit}} | (integer) - The upper bound is 999. Defines how many events you will receive, and is used in combination with offset. For example, offset=100&limit=100 (skip first 100 and show next 100). |
{{offset}} | (integer) Used when we implement paging; allows you to skip the first x events. For example, offset=100 will skip the first 100 events. |
{{token}} | (string) - Sysdig Secure or Sysdig Monitor API token. |
API Usage
Get All Audit Events Across the Product and Services
For Sysdig Secure
GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
For Sysdig Monitor
GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDC
Authorization: Bearer {{token}}
Get Audit Events for a Specific Entity
`auditTrail.entityType` is used if you want to list audit events only for a specific entity or list of entities. In this example, we want to fetch only `auth` audit events.
X-Sysdig-Product: SDS (Sysdig Secure) or SDC (Sysdig Monitor)
GET {{host}}/api/v1/platformAuditEvents?filter=auditTrail.entityType in ("auth")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
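The requests above, together with the `limit`/`offset` paging from the Commands Overview table, worked into a small client. This is an added example, not Sysdig's own client code. It assumes only what the page states about the request (nanosecond `from`/`to`, the `auditTrail.entityType` filter, `limit` capped at 999, the `X-Sysdig-Product` and `Authorization` headers); the response body shape it uses offline (a JSON object with a `data` list whose events carry `requestMethod` and `entityType` fields), the sample events and the token value are assumptions. It also applies the UI's default `requestMethod != GET` exclusion on the client side so that API consumers see the same "changes only" view.

```python
"""Paging through the Sysdig Platform Audit API (added example, not Sysdig code)."""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, Iterator, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode, urlparse

MAX_LIMIT = 999                                      # documented upper bound for limit
PRODUCT_CODES = {"secure": "SDS", "monitor": "SDC"}  # X-Sysdig-Product header values

Event = Dict[str, str]
Fetcher = Callable[[str, Dict[str, str]], List[Event]]


def to_nanos(ts: datetime) -> int:
    """Epoch nanoseconds, the unit the from/to parameters use."""
    if ts.tzinfo is None:
        raise ValueError("use a timezone-aware datetime to avoid local-time skew")
    return int(ts.timestamp()) * 1_000_000_000


def build_request(host: str, product: str, token: str, start: datetime, end: datetime,
                  limit: int, offset: int,
                  entity_types: Optional[List[str]] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for one page of platformAuditEvents."""
    if product not in PRODUCT_CODES:
        raise ValueError(f"product must be one of {sorted(PRODUCT_CODES)}")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if start >= end:
        raise ValueError("start must be before end")
    params: Dict[str, object] = {}
    if entity_types:
        quoted = ", ".join(f'"{e}"' for e in entity_types)
        params["filter"] = f"auditTrail.entityType in ({quoted})"
    params["from"] = to_nanos(start)
    params["to"] = to_nanos(end)
    params["limit"] = limit
    params["offset"] = offset
    url = f"{host.rstrip('/')}/api/v1/platformAuditEvents?{urlencode(params, quote_via=quote)}"
    headers = {"X-Sysdig-Product": PRODUCT_CODES[product],
               "Authorization": f"Bearer {token}"}
    return url, headers


def http_fetch(url: str, headers: Dict[str, str]) -> List[Event]:
    """Real transport (not run offline). ASSUMES a JSON body carrying a "data" list."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["data"]


def iter_audit_events(fetch: Fetcher, host: str, product: str, token: str,
                      start: datetime, end: datetime,
                      entity_types: Optional[List[str]] = None,
                      page_size: int = MAX_LIMIT) -> Iterator[Event]:
    """Yield every event in the range, advancing offset by page_size until a short page."""
    offset = 0
    while True:
        url, headers = build_request(host, product, token, start, end,
                                     page_size, offset, entity_types)
        page = fetch(url, headers)
        yield from page
        if len(page) < page_size:  # a short (or empty) page means nothing more to read
            return
        offset += page_size


def exclude_reads(events: List[Event]) -> List[Event]:
    """Client-side equivalent of the UI's default requestMethod != GET filter."""
    return [e for e in events if e.get("requestMethod") != "GET"]


# Constructed sample events standing in for a live API (field names are assumed).
SAMPLE_EVENTS: List[Event] = [
    {"requestMethod": "GET",    "entityType": "auth",   "user": "alice@example.com"},
    {"requestMethod": "POST",   "entityType": "auth",   "user": "alice@example.com"},
    {"requestMethod": "DELETE", "entityType": "policy", "user": "bob@example.com"},
    {"requestMethod": "GET",    "entityType": "policy", "user": "bob@example.com"},
    {"requestMethod": "PUT",    "entityType": "user",   "user": "admin@example.com"},
]


def make_fake_fetch(events: List[Event]) -> Fetcher:
    """Offline transport: slices the sample list by the offset/limit found in the URL."""
    def fetch(url: str, headers: Dict[str, str]) -> List[Event]:
        qs = parse_qs(urlparse(url).query)
        offset, limit = int(qs["offset"][0]), int(qs["limit"][0])
        return events[offset:offset + limit]
    return fetch


def demo() -> Dict[str, object]:
    """Walk the sample data with page_size=2 (three requests) and report what was read."""
    start = datetime(2022, 3, 28, 14, 20, 26, tzinfo=timezone.utc)  # the table's from value
    end = datetime(2022, 4, 7, 14, 20, 26, tzinfo=timezone.utc)
    url, headers = build_request("https://app.sysdigcloud.com/", "secure", "PLACEHOLDER_TOKEN",
                                 start, end, limit=100, offset=100, entity_types=["auth"])
    events = list(iter_audit_events(make_fake_fetch(SAMPLE_EVENTS), "https://app.sysdigcloud.com",
                                    "secure", "PLACEHOLDER_TOKEN", start, end,
                                    entity_types=["auth"], page_size=2))
    return {"from_nanos": to_nanos(start), "url": url, "product_header": headers["X-Sysdig-Product"],
            "fetched": len(events), "changes": len(exclude_reads(events))}


if __name__ == "__main__":
    print(demo())
```

Swap `make_fake_fetch(SAMPLE_EVENTS)` for `http_fetch` to run against a live region. Because retention is 90 days and a single request returns at most 999 events, a collector that forwards Monitor audit data elsewhere needs exactly this offset loop plus a persisted `to` watermark so that each run resumes where the previous one stopped.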
Entities
Sysdig Admin Endpoints
Entity | Description |
---|---|
billing_report | Used for subscription billing report. |
customer | Used for customers management. |
customer_metrics | Used for customers metrics management. |
customer_signup | Used for customer signup process. |
ondemand_usage | Used for calculating on demand usage. |
trial_plan | Used for trial plans management. |
usage_summary | Used for usage summary. |
Sysdig Monitor and Sysdig Platform
Some entities are also used in Sysdig Secure but are served by Sysdig Monitor.
Entity | Description |
---|---|
agent | Used for agent operations. |
alert | Used for alert management. |
alert_notification | Used for alert notifications. Not used anymore. |
alert_silencing_rule | Used for Alert Silencing Rules Management. |
alert_template_group | Used for listing alert template groups. |
api_token | Used for User Profile to read and reset API token. |
application_user_settings | Used for fetching some user app settings like firstTimeOnApp, userTrackingEnabled, and so on. |
auth | Used for login/logout events. |
auth_settings | Used in authentication settings. |
auth_sso | Used for SSO authentication events. |
aws_settings | Used in AWS settings to enable/disable CloudWatch Integration. |
benchmark | Used for benchmark tests and results management. |
capture | Used for Capture management. |
cloud_subscription | Used for cloud subscription management. |
customer_access_key | Used for access keys management. API only. |
customer_agreement | Agreements that customer can sign, for example, end-user license agreements (EULA). |
customer_settings | Used in User Profile to hide Access Key and Agent Installation page for non-admin users. |
dashboard | Used for Dashboard management. |
dashboard_template | Used for fetching dashboard templates. |
datasource | Used for listing metric data sources. |
datastream | Used for datastream configuration. |
default_dashboard | Used for fetching default dashboards. |
downtime | Used in notification channel settings to temporarily disable alert events and mute all notifications. |
event | Used for events management. |
falco_list | Used for create, read, update and delete (CRUD) operations related to lists (In the UI: Policies->Falco Lists). |
falco_macro | Used for CRUD operations related to macros (In the UI: Policies->Falco Macros). |
falco_rules_file | Used for CRUD operations on Falco-related files, such as the default and custom rules files that define macros, lists and rules in YAML (in the UI: Policies->Rules Editor). |
file_storage_config | Used for file storage management. |
group_mapping | Used for mapping identity provider (IdP) groups to Sysdig teams and roles. |
ibm_resource | Used for fetching IBM resource instances. |
inactivity_settings | Used for session expiration settings. |
integration | Used for integration. |
invoice | Used for listing invoices. |
license | Used to fetch on-prem licenses. |
login_banner | The agreement that must be accepted before logging in. |
notification_channel | Used in notification channel settings. |
offer | Used for listing offers. |
onboarding | Used for fetching onboarding data and updating steps. |
overview | Used for fetching overviews. |
permission | Used for permissions management. |
plan_settings | Used for fetching plan settings. |
policy | Used for secure policies management. |
policy_action | Used to get a list of actions corresponding to a policy type when you try to create/edit a policy (in the UI: Policies->Runtime Policies->Add or Edit existing policy). |
policy_descriptor | Used to define the scope in which to apply a policy type when creating/editing a policy used for CRUD operations related to lists (in the UI: Policies->Runtime Policies->Add or Edit existing policy). |
prometheus_rule | Used to export alerts and alert notifications in a Prometheus API format. Also allows users to create/export Prometheus alerting/recording rules. |
provider | Used in AWS settings for AWS Accounts management. |
restricted_token | Used for IBM restricted API token management. |
role | Used for Role management. |
runtime_policy_rule | Used for CRUD operations related to runtime policy rules (on UI: Policies->Rules Library). |
s3_settings | Used in Sysdig Storage settings. |
scanning_event | Used for scanning events operations. |
secure_settings | Used for secure settings management. |
service_account | Used for service account management. |
silencing_rule | Used for Silencing Rules Management. |
slack | Used for Slack integration setup. |
statement | Used for listing statements. |
subscription | Used for subscription management. |
team | Used for Teams management. |
ui_user_settings | Used for fetching some UI user settings. |
usage_report | Used for listing usage reports. |
user | Used for Users Management and in User Profile to reset passwords. |
Sysdig Secure
Entity | Description |
---|---|
acceptance-edit | Used for post, put and delete operations in Vulnerability Management (VM) in Risk Acceptance. |
acceptance-read | Used for get operations in VM Risk Acceptance. |
acceptance-read-scanner | Used for get operations in VM Risk Acceptance. |
account | |
blackout | |
cluster | Used in VM Legacy for CREATE, READ, UPDATE and DELETE operations on clusters and heartbeat. |
compliance | Used for the Legacy Compliance module. |
csv | |
customerOptOut | |
dataSource | |
download | Used for downloading VM Reports. |
event | Used for viewing an event. |
falco | Used to view or modify a Falco rule. |
feature | |
forwarding_integration | |
framework | |
group | |
health | |
host | |
internal | |
kubernetesNetworking | |
labels | |
list | Used to refer to a list of items in Falco Rules. |
macro | Used for encapsulating small expressions for use in Falco Rules. |
networkSecurity | Used to view or change Network Security configurations and see how a KNP policy is generated. |
networkTopology | Used to view the Network Security Topology. |
overview | |
policy | Used for create, read, update and delete (CRUD) operations related to runtime policies. |
policyTuner | Used to view or edit exceptions. |
provider | |
reader | Used for VM Reporting, as well as SNOW and EVE integrations. |
remediations | |
report | |
resource | |
rule | Used to view a Falco rule through the rules library, a runtime policy, or an event. |
schema | |
secure-iac-acprovider | Used for CSPM. Not related to a user action. |
secure-iac-agenthandler | Used for Posture. Not related to a user action. |
secure-iac-cloudcollector | Used for CSPM. Not related to a user action. |
secure-iac-cloudengine | Used in Posture for reading cloud assets posture, creating cloud asset report, and reading remediation playbook. |
secure-iac-clusteranalysis | Used in Posture for reading host assets posture, creating host asset report, and reading remediation playbook. |
secure-iac-compliance | Used in Posture and Compliance for reading compliance results, creating compliance reports, accepting posture risks, editing, revoking and reading posture risks, and adding compliance views to favorites. |
secure-iac-gitprovider | Used for reading git integration, creating git integration, and git source. |
secure-iac-inventory | Used in Inventory to read assets/resources details, compliance posture status, list resources, their connections, attributes and configuration. |
secure-iac-policy | Used in Posture, Compliance and Zones to read policies, controls, CRUD custom policies, CRUD custom controls, CRUD ACEnforcement, CRUD Zones. |
secure-iac-scheduler | Used for KSPM and CSPM scan tasks: read tasks, re-run task, re-schedule task. |
secure-iac-temporalworker | Used for CSPM. Not related to a user action. |
secure-iac-workload | Used to read kubernetes assets posture, create kubernetes asset report, read kubernetes remediation playbook. |
session | |
task | |
ticketing | |
user | |
vm-collector-write | Used for CLI or other component sending a scan result to the collector. |
vm-policies-read | Internal API to read VM policies. |
vm-policies-write | Internal API to write VM policies. |
vm-riskacceptance-read-scanner | Used for GET operations in Accepted Risk. |
vm-riskacceptance-read-ui | Used for GET operations in Accepted Risk. |
vm-riskacceptance-write-ui | Used for POST, PUT and DELETE operations in Accepted Risk. |
writer | Used for VM Reporting configuration and EVE Integration data reception. |
The Infrastructure as Code (IAC) Entities
This list contains Infrastructure as Code (IAC) entities in Sysdig Secure:
Entity | Description |
---|---|
secure-iac-cloudengine | Used to read cloud assets posture, create cloud asset reports, and read remediation playbook. |
secure-iac-clusteranalysis | Used to read hosts assets posture, create a host asset report, and read the remediation playbook. |
secure-iac-compliance | Used to read compliance results, create compliance report, accept posture risks, edit, revoke, and read posture risks, as well as star favorite compliance views. |
secure-iac-gitprovider | Used to read Git integration, create a Git integration, and Git source. |
secure-iac-inventory | Used to read assets, resources details, compliance posture status, lists resources, their connections, attributes and configuration. |
secure-iac-policy | Used to read policies, controls, create, read, update and delete (CRUD) operations on custom policies, CRUD operations on custom controls, CRUD operations on ACEnforcement, and CRUD operations on Zones. |
secure-iac-scheduler | Used for Kubernetes Security Posture Management (KSPM) and Cloud Security Posture Management (CSPM) scan tasks, such as read tasks, re-run tasks, and re-schedule tasks. |
secure-iac-workload | Used to read kubernetes assets posture, create kubernetes asset report, and read kubernetes remediation playbook. |