Sysdig Platform Audit
Sysdig provides both a UI and a set of APIs for auditing and reporting on the use of the Sysdig platform itself. (This is in contrast to the Activity Audit or Kubernetes Audit Log features which audit activity on your target environments.)
With Platform Audit, you can answer questions such as:
- Who deleted a policy?
- From where was a policy modified (origin IP)?
- Which modifications were made for a specific alert?
- What was the payload of the changed alert (for example, was its condition changed)?
- Who added this user?
- When did we change the SSO settings?
- Are dashboards loading properly?
The audit includes the following request methods against the Sysdig system:
PUT
POST
DELETE
PATCH
GET
The data retention for system audit info is 90 days.
Use the Platform Audit UI
Access the UI
From Sysdig Secure
- Log in to Sysdig Secure as an administrator.
- Navigate to Integrations > Sysdig Platform Audit.
From Sysdig Monitor
- Log in to Sysdig Monitor as an administrator.
- Navigate to Integrations > Data Sources | Sysdig Platform Audit.
UI Usage
Use Platform Audit to understand what was done on the Sysdig platform, by whom, and when.
By default, the Platform Audit UI page filters out READ requests (i.e. requestMethod != GET) on the assumption that users are interested in changes made to the platform (PUT, POST, DELETE, and PATCH). This filter can be modified if read actions are required.
The data can be filtered based on:
- User
- Team
- Request Method
- Entity Type
- Origin IP
The selected date range can span at most 14 days.
Use the Platform Audit API
Prerequisites
Know your:
- Sysdig Secure or Sysdig Monitor API token
- The host URL of the region where your Sysdig platform is deployed, e.g., https://app.sysdigcloud.com for AWS us-east.
- The Sysdig product you want to audit (Secure = SDS; Monitor = SDC)
Commands Overview
Command | Description |
---|---|
filter=source in ("auditTrail") | Informs the events feed API that you want to fetch auditTrail type of events |
{{host}} | Host of the region for which you want to fetch audit events e.g., https://app.sysdigcloud.com for AWS us-east |
{{from}} | (nanoseconds) Start of the timestamp range, as epoch nanoseconds, e.g. from=1648477226000000000&to=1649341226000000000 |
{{to}} | (nanoseconds) End of the timestamp range, as epoch nanoseconds, e.g. from=1648477226000000000&to=1649341226000000000 |
{{limit}} | (integer) Upper bound is 999. Defines how many events you will receive, and is used in combination with offset. For example: offset=100&limit=100 (skip the first 100 and return the next 100) |
{{offset}} | (integer) Used for paging; allows you to skip the first x events. For example, offset=100 skips the first 100 events |
{{token}} | (string) - Sysdig Secure or Sysdig Monitor API token |
API Usage
Get All Audit Events Across the Product and Services
For Sysdig Secure
GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
For Sysdig Monitor
GET {{host}}/api/v1/platformAuditEvents?from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDC
Authorization: Bearer {{token}}
Get Audit Events for a Specific Entity
The auditTrail.entityType filter field restricts the results to a specific entity or list of entities. In this example, only auth audit events (logins and logouts) are fetched. Set X-Sysdig-Product to SDS for Sysdig Secure or SDC for Sysdig Monitor, as above. Note that the filter expression contains spaces, quotes and parentheses, so a real client must URL-encode the query string.
GET {{host}}/api/v1/platformAuditEvents?filter=auditTrail.entityType in ("auth")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}
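The following script is an added example, not Sysdig's own client code, showing how the parameters above fit together: converting a date range to epoch nanoseconds, building the request with the product header and an optional entityType filter, walking the range with offset/limit paging, and triaging the results for the "who deleted a policy / who changed SSO" questions from the top of the page. Everything not on the page is an assumption and labelled as such in the code: the response body is assumed to carry the events under a "data" key with "requestMethod" and "auditTrail.entityType" as event fields (the page names them only as filter fields), the SENSITIVE_ENTITIES set is an illustrative choice, and SAMPLE_EVENTS plus fake_fetch are constructed stand-ins so the script runs offline.

```python
"""Page and triage Sysdig Platform Audit events.

Added example, not Sysdig's own client code. Assumptions not stated on the page:
  * the response body is JSON with the events under a "data" key;
  * each event carries "requestMethod" and a nested "auditTrail" object with an
    "entityType" key (the page uses these names only as filter fields);
  * a page shorter than `limit` marks the end of the range.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Iterable, Iterator
from urllib.parse import parse_qs, urlencode, urlparse

MAX_LIMIT = 999                                   # documented upper bound for `limit`
PRODUCT_HEADER = {"secure": "SDS", "monitor": "SDC"}

# The `from`/`to` values from the page's parameter table, as UTC datetimes.
EXAMPLE_START = datetime(2022, 3, 28, 14, 20, 26, tzinfo=timezone.utc)
EXAMPLE_END = datetime(2022, 4, 7, 14, 20, 26, tzinfo=timezone.utc)

Fetch = Callable[[str, dict], dict]


def to_ns(ts: datetime) -> int:
    """Epoch nanoseconds, the unit `from`/`to` expect. Requires an aware datetime."""
    if ts.tzinfo is None:
        raise ValueError("use a timezone-aware datetime")
    return int(ts.timestamp()) * 1_000_000_000


def build_request(host: str, product: str, token: str, start: datetime, end: datetime,
                  limit: int = MAX_LIMIT, offset: int = 0,
                  entity_types: Iterable[str] = ()) -> tuple[str, dict]:
    """Return (url, headers) for one page of /api/v1/platformAuditEvents."""
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    if start >= end:
        raise ValueError("`from` must precede `to`")
    params = {}
    entity_types = tuple(entity_types)
    if entity_types:
        # Filter expression from the page; urlencode() percent-encodes the
        # spaces, quotes and parentheses so the expression survives transit.
        quoted = ", ".join(f'"{e}"' for e in entity_types)
        params["filter"] = f"auditTrail.entityType in ({quoted})"
    params.update({"from": to_ns(start), "to": to_ns(end), "limit": limit, "offset": offset})
    url = f"{host.rstrip('/')}/api/v1/platformAuditEvents?{urlencode(params)}"
    headers = {"X-Sysdig-Product": PRODUCT_HEADER[product], "Authorization": f"Bearer {token}"}
    return url, headers


def http_fetch(url: str, headers: dict) -> dict:
    """Real transport: GET the URL and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_audit_events(fetch: Fetch, host: str, product: str, token: str,
                      start: datetime, end: datetime, page_size: int = MAX_LIMIT,
                      entity_types: Iterable[str] = ()) -> Iterator[dict]:
    """Walk the range with offset/limit paging until a short page is returned."""
    entity_types = tuple(entity_types)
    offset = 0
    while True:
        url, headers = build_request(host, product, token, start, end,
                                     page_size, offset, entity_types)
        page = fetch(url, headers).get("data", [])
        yield from page
        if len(page) < page_size:
            return
        offset += page_size


# Entities whose modification answers the page's "who changed SSO / who deleted
# a policy" questions. An illustrative choice here, not a Sysdig-defined set.
SENSITIVE_ENTITIES = {"auth_settings", "auth_sso", "group_mapping", "role",
                      "policy", "user", "team", "api_token", "service_account"}


def flag_changes(events: Iterable[dict]) -> list[dict]:
    """Keep write requests (anything but GET) that touch a sensitive entity."""
    return [e for e in events
            if e.get("requestMethod") != "GET"
            and e.get("auditTrail", {}).get("entityType") in SENSITIVE_ENTITIES]


# Constructed sample response, not real Sysdig output.
SAMPLE_EVENTS = [
    {"requestMethod": "DELETE", "auditTrail": {"entityType": "policy"}, "user": "alice@example.com"},
    {"requestMethod": "GET", "auditTrail": {"entityType": "dashboard"}, "user": "bob@example.com"},
    {"requestMethod": "PUT", "auditTrail": {"entityType": "auth_sso"}, "user": "carol@example.com"},
]


def fake_fetch(url: str, headers: dict) -> dict:
    """Offline stand-in for http_fetch that pages over SAMPLE_EVENTS."""
    q = parse_qs(urlparse(url).query)
    offset, limit = int(q["offset"][0]), int(q["limit"][0])
    return {"data": SAMPLE_EVENTS[offset:offset + limit]}


if __name__ == "__main__":
    # Swap fake_fetch for http_fetch and supply a real token to query the API.
    found = iter_audit_events(fake_fetch, "https://app.sysdigcloud.com", "secure",
                              "REDACTED", EXAMPLE_START, EXAMPLE_END, page_size=2)
    for ev in flag_changes(found):
        print(ev["requestMethod"], ev["auditTrail"]["entityType"], ev["user"])
```

The transport is injected so the paging logic can be exercised against constructed pages; to run against a tenant, pass http_fetch and a real API token, and keep page_size at or below the documented 999 cap. Because the UI only shows 14 days at a time, paging through the API like this is the practical way to cover the full 90-day retention window.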
Entities Used
For Sysdig Monitor/Sysdig Platform
Some of these entities are also used in Sysdig Secure but are served from Monitor.
Entity | Description |
---|---|
agent | Used for agent operations. |
alert | Used for alerts management. |
alert_notification | Used for alert notifications. No longer used. |
alert_silencing_rule | Used for Alert Silencing Rules Management. |
alert_template_group | Used for listing alert template groups. |
api_token | Used in user profile to read and reset API token. |
application_user_settings | Used for fetching some user app settings like firstTimeOnApp, userTrackingEnabled, etc. |
auth | Used for login/logout events. |
auth_settings | Used in authentication settings. |
auth_sso | Used for SSO authentication events. |
aws_settings | Used in aws settings to enable/disable CloudWatch Integration. |
benchmark | Used for benchmark tests and results management |
capture | Used for captures management. |
cloud_subscription | Used for cloud subscription management. |
customer_access_key | Used for access keys management. (API only) |
customer_agreement | Agreements that customer can sign eg. EULA. |
customer_settings | Used in user profile to hide Access Key and Agent Installation page for non-admin users. |
dashboard | Used for dashboards management. |
dashboard_template | Used for fetching dashboard templates. |
datasource | Used for listing metric data sources. |
datastream | Used for datastream configuration |
default_dashboard | Used for fetching default dashboards. |
downtime | Used in notification channel settings to temporarily disable alerts events and mute all notifications. |
event | Used for events management |
falco_list | Used for CRUD operations related to lists (on UI: Policies->Falco Lists) |
falco_macro | Used for CRUD operations related to macros (on UI: Policies->Falco Macros) |
falco_rules_file | Used for CRUD operations for Falco related files like default and custom rules files that create macros, lists and rules using yaml (on UI: Policies->Rules Editor) |
file_storage_config | Used for file storage management. |
group_mapping | Used for mapping IDP groups to Sysdig teams/roles"); |
ibm_resource | Used for fetching IBM resource instances |
inactivity_settings | Used for session expiration settings. |
integration | Used for integration |
invoice | Used for listing invoices. |
license | Used to fetch onprem license. |
login_banner | The agreement that must be accepted before logging in. |
notification_channel | Used in notification channel settings. |
offer | Used for listing offers. |
onboarding | Used for fetching onboarding data and updating steps |
overview | Used for fetching overviews. |
permission | Used for permissions management. |
plan_settings | Used for fetching plan settings. |
policy | Used for secure policies management |
policy_action | Used to get a list of actions corresponding to a policy type when you try to create/edit a policy (on UI: Policies->Runtime Policies->Add or Edit existing policy) |
policy_descriptor | Used to define the scope on which to apply a policy type when creating/editing a policy (on UI: Policies->Runtime Policies->Add or Edit existing policy) |
prometheus_rule | Used to export alerts/alert notifications in a Prometheus API format. Also allows users to create and export Prometheus alerting/recording rules. |
provider | Used in aws settings for AWS Accounts management. |
restricted_token | Used for ibm restricted api token management |
role | Used for roles management. |
runtime_policy_rule | Used for CRUD operations related to runtime policy rules (on UI: Policies->Rules Library) |
s3_settings | Used in Sysdig Storage settings. |
scanning_event | Used for scanning events operations |
secure_settings | Used for secure settings management. |
service_account | Used for service account management |
silencing_rule | Used for Silencing Rules Management. |
slack | Used for slack integration setup. |
statement | Used for listing statements. |
subscription | Used for subscription management. |
team | Used for teams management. |
ui_user_settings | Used for fetching some ui user settings. |
usage_report | Used for listing usage reports. |
user | Used for users management and in user profile to reset password. |
For Sysdig Secure
Entity |
---|
account |
compliance |
dataSource |
event |
falco |
feature |
forwarding_integration |
framework |
health |
host |
list |
macro |
networkSecurity |
networkTopology |
policy |
policyTuner |
provider |
report |
resource |
rule |
schema |
task |
user |