Sysdig Platform Audit

Sysdig provides both a UI and a set of APIs for auditing and reporting on the use of the Sysdig platform itself.

This is in contrast to the Activity Audit or Kubernetes Audit Log features which audit the activities on your target environments.

With Platform Audit, you can answer questions such as:

  • Who deleted a policy?
  • From where was a policy modified?
  • Which modifications were made to a specific alert?
  • What was the payload of the changed alert?
  • What condition was changed?
  • Who added this user?
  • When did we change the single sign-on (SSO) settings?
  • Are dashboards loading properly?

The audit includes the following request methods against the Sysdig system:

  • PUT
  • POST
  • DELETE
  • PATCH
  • GET

The system audit data is retained for 90 days.

Use the Platform Audit UI

Access the UI

To access the Platform Audit UI in Sysdig Secure or Sysdig Monitor:

  1. Log in as an administrator.
  2. Navigate to Integrations in the left panel.
  3. Under Data Sources, click Sysdig Platform Audit.

Use the UI

Use Platform Audit to understand what was done on the Sysdig platform, when, and by whom.

By default, the Platform Audit UI page filters out READ statements through the filter requestMethod != GET. This is based on the assumption that users are primarily interested in changes made on the platform in commands such as PUT, POST, DELETE, and PATCH. T

To view READ actions, click X on the the requestMethod != GET filter.

You can create custom filters by typing in the filter box, or by choosing from the selection of operators shown in the UI.

Data can be filtered based on:

  • User
  • Team
  • Request Method
  • Entity Type
  • Origin IP

The selected date range can be a maximum of 14 days.

Use the Platform Audit API

Prerequisites

Ensure you have the following information to hand:

Commands Overview

CommandDescription
filter=source in ("auditTrail")Informs the events feed API that you want to fetch auditTrail type of events.
{{host}}Host of the region for which you want to fetch audit events. For example, https://app.sysdigcloud.com for AWS US-East.
{{from}}(nanoseconds) Timestamp date range, for example, from=1648477226000000000&to=164934122600000000
{{to}}(nanoseconds) Timestamp date range, for example, from=1648477226000000000&to=164934122600000000
{{limit}}(integer) - The upper bound is 999. Defines how many events you will receive, and is used in combination with offset. For example, offset=100&limit=100 (skip first 100 and show next 100).
{{offset}}(integer) Used when we implement paging; allows you to skip the first x events. For example, offset=100 will skip the first 100 events.
{{token}}(string) - Sysdig Secure or Sysdig Monitor API token.

API Usage

Get All Audit Events Across the Product and Services

For Sysdig Secure

GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}

For Sysdig Monitor

GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDC
Authorization: Bearer {{token}}

Get Audit Events for a Specific Entity

auditTrail.entityType is used if you want to list audit events only for a specific entity or list of entities. In this example, we want to fetch only auth audit events.

X-Sysdig-Product:= SDS (Sysdig Secure) SDC (Sysdig Monitor)

GET {{host}}/api/v1/platformAuditEvents?filter=auditTrail.entityType in ("auth")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}

Entities

Sysdig Admin Endpoints

EntityDescription
billing_reportUsed for subscription billing report.
customerUsed for customers management.
customer_metricsUsed for customers metrics management.
customer_signupUsed for customer signup process.
ondemand_usageUsed for calculating on demand usage.
trial_planUsed for trial plans management.
usage_summaryUsed for usage summary.

Sysdig Monitor and Sysdig Platform

Some entities are also used in Sysdig Secure but are served by Sysdig Monitor

EntityDescription
agentUsed for agent operations.
alertUsed for alert management.
alert_notificationUsed for alert notifications. Not used anymore.
alert_silencing_ruleUsed for Alert Silencing Rules Management.
alert_template_groupUsed for listing alert template groups.
api_tokenUsed for User Profile to read and reset API token.
application_user_settingsUsed for fetching some user app settings like firstTimeOnApp, userTrackingEnabled, and so on.
authUsed for login/logout events.
auth_settingsUsed in authentication settings.
auth_ssoUsed for SSO authentication events.
aws_settingsUsed in AWS settings to enable/disable CloudWatch Integration.
benchmarkUsed for benchmark tests and results management
captureUsed for Capture management.
cloud_subscriptionUsed for cloud subscription management.
customer_access_keyUsed for access keys management. API only.
customer_agreementAgreements that customer can sign, for example, end-user license agreements (EULA).
customer_settingsUsed in User Profile to hide Access Key and Agent Installation page for non-admin users.
dashboardUsed for Dashboard management.
dashboard_templateUsed for fetching dashboard templates.
datasourceUsed for listing metric data sources.
datastreamUsed for datastream configuration
default_dashboardUsed for fetching default dashboards.
downtimeUsed in notification channel settings to temporarily disable alert events and mute all notifications.
eventUsed for events management
falco_listUsed for create, read, update and delete (CRUD) operations related to lists (In the UI: Policies->Falco Lists).
falco_macroUsed for CRUD operations related to macros (In the UI: Policies->Falco Macros).
falco_rules_fileUsed for CRUD operations for Falco-related files like default and custom rules files that create macros, lists and rules using yaml (on UI: Policies->Rules Editor).
file_storage_configUsed for file storage management.
group_mappingUsed for mapping identity provider (IdP) groups to Sysdig teams and roles.
ibm_resourceUsed for fetching IBM resource instances.
inactivity_settingsUsed for session expiration settings.
integrationUsed for integration
InvoiceUsed for listing invoices.
licenseUsed to fetch on-prem licenses.
login_bannerThe agreement that must be accepted before logging in.
notification_channelUsed in notification channel settings.
offerUsed for listing offers.
onboardingUsed for fetching onboarding data and updating steps.
overviewUsed for fetching overviews.
permissionUsed for permissions management.
plan_settingsUsed for fetching plan settings.
policyUsed for secure policies management.
policy_actionUsed to get a list of actions corresponding to a policy type when you try to create/edit a policy (in the UI: Policies->Runtime Policies->Add or Edit existing policy).
policy_descriptorUsed to define the scope in which to apply a policy type when creating/editing a policy used for CRUD operations related to lists (in the UI: Policies->Runtime Policies->Add or Edit existing policy).
prometheus_ruleUsed to export alerts and alert notifications in a Prometheus API format. Also allows users to create/export Prometheus alerting/recording rules.
providerUsed in AWS settings for AWS Accounts management.
restricted_tokenUsed for IBM restricted API token management
roleUsed for Role management.
runtime_policy_ruleUsed for CRUD operations related to runtime policy rules (on UI: Policies->Rules Library).
s3_settingsUsed in Sysdig Storage settings.
scanning_eventUsed for scanning events operations.
secure_settingsUsed for secure settings management.
service_accountUsed for service account management
silencing_ruleUsed for Silencing Rules Management.
slackUsed for Slack integration setup.
statementUsed for listing statements.
subscriptionUsed for subscription management.
teamUsed for Teams management.
ui_user_settingsUsed for fetching some UI user settings.
usage_reportUsed for listing usage reports.
userUsed for Users Management and in User Profile to reset passwords.

Sysdig Secure

EntityDescription
acceptance-editUsed for post, put and delete operations in Vulnerability Management (VM) in Risk Acceptance.
acceptance-readUsed for get operations in VM Risk Acceptance.
acceptance-read-scannerUsed for get operations in VM Risk Acceptance.
account
compliance
dataSource
downloadVM Reporting, download
eventUsed to view an event.
falcoUsed to view or modify a Falco rule.
feature
forwarding_integration
framework
health
host
listUsed to refer to a list of items in Falco Rules.
macroUsed for encapsulating small expressions for use in Falco Rules.
networkSecurityUsed to view or change Network Security configurations and see how a KNP policy is generated.
networkTopologyUsed to view the Network Security Topology.
policyUsed for create, read, update and delete (CRUD) operations related to runtime policies.
policyTunerUsed to view or edit exceptions.
provider
reader
report
resource
ruleUsed to view a Falco rule through the rules library, a runtime policy, or an event.
schema
task
user
vm-collector-write
vm-policies-read
vm-policies-write
vm-riskacceptance-read-scanner
vm-riskacceptance-read-ui
vm-riskacceptance-write-ui
writer

The Infrastructure as Code (IAC) Entities

This list contains Infrastructure as Code (IAC) entities in Sysdig Secure:

EntityDescription
secure-iac-cloudengineUsed to read cloud assets posture, create cloud asset reports, and read remediation playbook.
secure-iac-clusteranalysisUsed to read hosts assets posture, create a host asset report, and read the remediation playbook.
secure-iac-complianceUsed to read compliance results, create compliance report, accept posture risks, edit, revoke, and read posture risks, as well as star favorite compliance views.
secure-iac-gitproviderUsed to read Git integration, create a Git integration, and Git source.
secure-iac-inventoryUsed to read assets, resources details, compliance posture status, lists resources, their connections, attributes and configuration.
secure-iac-policyUsed to read policies, controls, create, read, update and delete (CRUD) operations on custom policies, CRUD operations on custom controls, CRUD operations on ACEnforcement, and CRUD operations on Zones.
secure-iac-schedulerUsed for Kubernetes Security Posture Management (KSPM) and Cloud Security Posture Management (CSPM) scan tasks, such as read tasks, re-run tasks, and re-schedule tasks.
secure-iac-workloadUsed to read kubernetes assets posture, create kubernetes asset report, and read kubernetes remediation playbook.