Sysdig Platform Audit
Sysdig provides both a UI and a set of APIs for auditing and reporting on the use of the Sysdig platform itself. (This is in contrast to the Activity Audit or Kubernetes Audit Log features which audit activity on your target environments.)
With Platform Audit, you can answer questions such as:
- Who deleted a policy?
- From where was a policy modified?
- Which modifications were made to a specific alert?
- What was the payload of the changed alert (for example, did the condition change)?
- Who added this user?
- When did we change the SSO settings?
- Are dashboards loading properly?
The audit includes the following request methods against the Sysdig system:
- PUT
- POST
- DELETE
- PATCH
- GET
The data retention for system audit info is 90 days.
Use the Platform Audit UI
Access the UI
From Sysdig Secure
- Log in to Sysdig Secure as an administrator.
- Navigate to Integrations > Sysdig Platform Audit.
From Sysdig Monitor
- Log in to Sysdig Monitor as an administrator.
- Navigate to Integrations > Data Sources | Sysdig Platform Audit.
UI Usage
Use Platform Audit to understand what was done on the Sysdig platform, by whom, and when.
By default, the Platform Audit UI page filters out the READ statements (i.e. requestMethod != GET) on the assumption that users are interested in changes made on the platform (PUT, POST, DELETE, and PATCH). This filter can be modified if read actions are required.
The data can be filtered based on:
- User
- Team
- Request Method
- Entity Type
- Origin IP
The selected date range can be at most 14 days.
Use the Platform Audit API
Prerequisites
Before using the API, know:
- Your Sysdig Secure or Sysdig Monitor API token
- The host region where your Sysdig platform is deployed, e.g., https://app.sysdigcloud.com for AWS us-east
- The Sysdig product you want to audit (Secure = SDS; Monitor = SDC)
Commands Overview
| Parameter | Description |
|---|---|
| filter=source in ("auditTrail") | Informs the events feed API that you want to fetch auditTrail type of events |
| {{host}} | Host of the region for which you want to fetch audit events, e.g., https://app.sysdigcloud.com for AWS us-east |
| {{from}} | (nanoseconds) Start of the timestamp date range, e.g. from=1648477226000000000&to=164934122600000000 |
| {{to}} | (nanoseconds) End of the timestamp date range, e.g. from=1648477226000000000&to=164934122600000000 |
| {{limit}} | (integer) Upper bound is 999. Defines how many events you will receive, and is used in combination with offset. For example: offset=100&limit=100 (skip the first 100 and show the next 100) |
| {{offset}} | (integer) Used for paging; allows you to skip the first x events. For example, offset=100 will skip the first 100 events |
| {{token}} | (string) Sysdig Secure or Sysdig Monitor API token |
API Usage
Get All Audit Events Across the Product and Services
For Sysdig Secure
GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
For Sysdig Monitor
GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDC
Authorization: Bearer {{token}}
Get Audit Events for a Specific Entity
Add auditTrail.entityType to the filter if you want to list audit events only for a specific entity or list of entities. In this example, only auth audit events are fetched. Set X-Sysdig-Product to SDS (Sysdig Secure) or SDC (Sysdig Monitor).
GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail") and auditTrail.entityType in ("auth")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
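The following Python example is added here to illustrate the API usage above; it is not Sysdig's own code. It builds the secureEvents URL, the X-Sysdig-Product and Authorization headers, and the auditTrail.entityType filter exactly as shown on this page, converts a datetime to the nanosecond timestamps the from/to parameters expect, and walks the feed with offset/limit paging. The shape of the returned events (a list of objects carrying auditTrail fields such as entityType, requestMethod, user and originIp) is an assumption made for illustration, so the fetcher is a constructed stand-in that honours the query parameters rather than a real HTTP call, and the sample events are constructed data.

```python
"""Added example (not Sysdig's code): query the Platform Audit feed with paging.

URL path, query parameters and headers follow the page; the event layout returned by
the API is an ASSUMPTION, so the network client is replaced by a constructed stand-in.
"""
import re
from datetime import datetime, timezone
from typing import Callable, Iterator, List, Optional
from urllib.parse import parse_qs, urlencode, urlparse

MAX_LIMIT = 999  # upper bound for {{limit}} stated in the commands overview


def to_ns(dt: datetime) -> int:
    """Epoch nanoseconds, the unit the from/to parameters expect (an aware datetime is required)."""
    return int(dt.timestamp()) * 1_000_000_000


def build_audit_request(host: str, token: str, product: str, start_ns: int, end_ns: int,
                        limit: int = MAX_LIMIT, offset: int = 0,
                        entity_types: Optional[List[str]] = None):
    """Return (url, headers) for one page of auditTrail events."""
    if product not in ("SDS", "SDC"):
        raise ValueError("product must be SDS (Secure) or SDC (Monitor)")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    flt = 'source in ("auditTrail")'
    if entity_types:  # narrow to one entity or a list of entities, as in the auth example
        flt += ' and auditTrail.entityType in (%s)' % ",".join(f'"{e}"' for e in entity_types)
    params = {"filter": flt, "from": start_ns, "to": end_ns, "limit": limit, "offset": offset}
    url = f"{host.rstrip('/')}/api/v1/secureEvents?{urlencode(params)}"
    headers = {"X-Sysdig-Product": product, "Authorization": f"Bearer {token}"}
    return url, headers


Fetch = Callable[[str, dict], list]


def iter_audit_events(fetch: Fetch, host: str, token: str, product: str, start_ns: int,
                      end_ns: int, entity_types: Optional[List[str]] = None,
                      page_size: int = MAX_LIMIT) -> Iterator[dict]:
    """Page through the feed: advance offset by page_size until a short page arrives."""
    offset = 0
    while True:
        url, headers = build_audit_request(host, token, product, start_ns, end_ns,
                                           page_size, offset, entity_types)
        page = fetch(url, headers)
        yield from page
        if len(page) < page_size:
            return
        offset += page_size


def who_deleted(events: List[dict], entity_type: str) -> List[str]:
    """Answer 'Who deleted a <entity>?' over fetched events (field names are assumed)."""
    return [e["auditTrail"]["user"] for e in events
            if e["auditTrail"]["entityType"] == entity_type
            and e["auditTrail"]["requestMethod"] == "DELETE"]


def _event(ts: int, entity: str, method: str, user: str, ip: str) -> dict:
    return {"timestamp": ts, "auditTrail": {"entityType": entity, "requestMethod": method,
                                            "user": user, "originIp": ip}}


SAMPLE_EVENTS = [  # constructed sample data; the field layout is an assumption
    _event(1648477226000000000, "policy", "DELETE", "alice@example.com", "203.0.113.5"),
    _event(1648477300000000000, "alert", "PUT", "bob@example.com", "203.0.113.6"),
    _event(1648477400000000000, "policy", "PATCH", "carol@example.com", "203.0.113.7"),
    _event(1648477500000000000, "auth", "POST", "dave@example.com", "203.0.113.8"),
    _event(1648477600000000000, "policy", "DELETE", "eve@example.com", "203.0.113.9"),
]


def make_fake_fetch(events: List[dict]):
    """Stand-in for an HTTP client: honours offset, limit and the entityType filter in the URL."""
    calls: List[str] = []

    def fetch(url: str, headers: dict) -> list:
        calls.append(url)
        q = parse_qs(urlparse(url).query)
        offset, limit = int(q["offset"][0]), int(q["limit"][0])
        flt = q["filter"][0]
        wanted = re.findall(r'"(\w+)"', flt.split("entityType", 1)[1]) if "entityType" in flt else None
        chosen = [e for e in events if wanted is None or e["auditTrail"]["entityType"] in wanted]
        return chosen[offset:offset + limit]

    return fetch, calls


def demo() -> dict:
    """Fetch all sample events two per page and report who deleted policies."""
    fetch, calls = make_fake_fetch(SAMPLE_EVENTS)
    events = list(iter_audit_events(fetch, "https://app.sysdigcloud.com", "TOKEN", "SDS",
                                    1648477226000000000, 1648477700000000000, page_size=2))
    return {"fetched": len(events), "pages": len(calls), "policy_deleters": who_deleted(events, "policy")}


if __name__ == "__main__":
    print(demo())
```

To run this against a real deployment, replace the fake fetcher with a function that performs the GET with the returned headers and hands back the list of events; keep page_size at or below 999, and remember that a date range in seconds or milliseconds will silently return nothing, which is why to_ns is used for from and to.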
Entities Used
For Sysdig Monitor/Sysdig Platform
Some entities are also used in Sysdig Secure but are served from Monitor.
- ui_user_settings
- user
- policy
- falco_rules_file
- team
- customer_settings
- event
- api_token
- overview
- datasource
- secure_settings
- inactivity_settings
- plan_settings
- role
- application_user_settings
- dashboard_template
- dashboard
- integration
- auth
- default_dashboard
- downtime
- alert
- capture
- alert_notification
- agent
- alert_template_group
- auth_settings
- auth_sso
- aws_settings
- falco_list
- falco_macro
- invoice
- notification_channel
- permission
- provider
- runtime_policy_rule
- s3_settings
- service_account
- silencing_rule
- subscription
- usage_report
For Sysdig Secure
- policy
- falco
- account
- event
- feature
- health
- networkSecurity
- report
- task
- compliance
- dataSource
- forwarding_integration
- framework
- host
- list
- macro
- networkTopology
- policyTuner
- provider
- resource
- rule
- schema
- user