Sysdig Platform Audit

Sysdig provides both a UI and a set of APIs for auditing and reporting on the use of the Sysdig platform itself. (This is in contrast to the Activity Audit or Kubernetes Audit Log features which audit activity on your target environments.)

With Platform Audit, you can answer questions such as:

Who deleted a policy?
From where a policy was modified?
Which modifications were made for a specific alert?
What was the payload of the changed alert (condition changed?)
Who added this user?
When did we change the SSO settings?
Are dashboards loading properly?

The audit includes the following request methods against the Sysdig system:

PUT
POST
DELETE
PATCH
GET

The data retention for system audit info is 90 days.

Use the Platform Audit UI

Access the UI

From Sysdig Secure

Log in to Sysdig Secure as an administrator.
Navigate to Integrations > Sysdig Platform Audit.

From Sysdig Monitor

Log in to Sysdig Monitor as an administrator.
Navigate to Integrations > Data Sources | Sysdig Platform Audit.

UI Usage

Use Platform Audit to understand what was done on the Sysdig platform, by whom, and when.

By default, the Platform Audit UI page filters out the READ statements (i.e. requestMethod != GET) on the assumption that users are interested in changes taken on the platform (PUT, POST, DELETE, and PATCH). This filter can be modified if read actions are required.

The data can be filtered based on:

User
Team
Request Method
Entity Type
Origin IP

Selected date range can be maximim 14 days.

Use the Platform Audit API

Prerequisites

Know your:

Sysdig Secure or Sysdig Monitor API token
The host region where your Sysdig platform is deployed, e.g., https://app.sysdigcloud.com for AWS us-east.
The Sysdig product you want to audit (Secure = SDS; Monitor = SDC)

Commands Overview

Command	Description
`filter=source in ("auditTrail")`	Informs the events feed API that you want to fetch `auditTrail` type of events
`{{host}}`	Host of the region for which you want to fetch audit events e.g., https://app.sysdigcloud.com for AWS us-east
`{{from}}`	(nanoseconds) Timestamp date range, e.g. `from=1648477226000000000&to=164934122600000000`
`{{to}}`	(nanoseconds) Timestamp date range, e.g. `from=1648477226000000000&to=164934122600000000`
`{{limit}}`	(integer) - upper bound is 999. Defines how many events you will receive, and is used in combination with offset. For example: `offset=100&limit=100` (skip first 100 and show next 100)
`{{offset}}`	(integer) Used when we implement paging; allows you to skip the first x events. For example, `offset=100` will skip the first 100 events
`{{token}}`	(string) - Sysdig Secure or Sysdig Monitor API token

API Usage

Get All Audit Events Across the Product and Services

For Sysdig Secure

GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}

For Sysdig Monitor

GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDC
Authorization: Bearer {{token}}

Get Audit Events for a Specific Entity

auditTrail.entityType is used if you want to list audit events only for a specific entity or list of entities. In this example, we want to fetch only auth audit events.

X-Sysdig-Product:= SDS (Sysdig Secure) SDC (Sysdig Monitor)

GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail") and auditTrail.entityType in ("auth")&from={{from}}&to={{to}}&limit={{limit}}
X-Sysdig-Product: SDS
Authorization: Bearer {{token}}

Entities Used

For Sysdig Monitor/Sysdig Platform

Some entities are also used in Sysdig Secure but are served from Monitor

Entity	Description
agent	Used for agent operations.
alert	Used for alerts management.
alert_notification	Used for alert notifications. Not used anymore
alert_silencing_rule	Used for Alert Silencing Rules Management.
alert_template_group	Used for listing alert template groups.
api_token	Used in user profile to read and reset API token.
application_user_settings	Used for fetching some user app settings like firstTimeOnApp, userTrackingEnabled, etc.
auth	Used for login/logout events.
auth_settings	Used in authentication settings.
auth_sso	Used for SSO authentication events.
aws_settings	Used in aws settings to enable/disable CloudWatch Integration.
benchmark	Used for benchmark tests and results management
capture	Used for captures management.
cloud_subscription	Used for cloud subscription management.
customer_access_key	Used for access keys management. (API only)
customer_agreement	Agreements that customer can sign eg. EULA.
customer_settings	Used in user profile to hide Access Key and Agent Installation page for non-admin users.
dashboard	Used for dashboards management.
dashboard_template	Used for fetching dashboard templates.
datasource	Used for listing mettric data sources.
datastream	Used for datastream configuration
default_dashboard	Used for fetching default dashboards.
downtime	Used in notification channel settings to temporarily disable alerts events and mute all notifications.
event	Used for events management
falco_list	Used for CRUD operations related to lists (on UI: Policies->Falco Lists)
falco_macro	Used for CRUD operations related to macros (on UI: Policies->Falco Macros)
falco_rules_file	Used for CRUD operations for Falco related files like default and custom rules files that create macros, lists and rules using yaml (on UI: Policies->Rules Editor)
file_storage_config	Used for file storage management.
group_mapping	Used for mapping IDP groups to Sysdig teams/roles");
ibm_resource	Used for fetching IBM resource instances
inactivity_settings	Used for session expiration settings.
integration	Used for integration
invoice	Used for listing invoices.
license	Used to fetch onprem license.
login_banner	The agreement that must be accepted before logging in.
notification_channel	Used in notification channel settings.
offer	Used for listing offers.
onboarding	Used for fetching onboarding data and updating steps
overview	Used for fetching overviews.
permission	Used for permissions management.
plan_settings	Used for fetching plan settings.
policy	Used for secure policies management
policy_action	Used to get a list of actions corresponding to a policy type when you try to create/edit a policy (on UI: Policies->Runtime Policies->Add or Edit existing policy)
policy_descriptor	Used to define the scope on which to apply a policy type when creating/editing a policy Used for CRUD operations related to lists (on UI: Policies->Runtime Policies->Add or Edit existing policy)
prometheus_rule	Used to export alert/alert notifications in a prometheus API format. Also allows users to create export prometheus alerting/recording rule
provider	Used in aws settings for AWS Accounts management.
restricted_token	Used for ibm restricted api token management
role	Used for roles management.
runtime_policy_rule	Used for CRUD operations related to runtime policy rules (on UI: Policies->Rules Library)
s3_settings	Used in Sysdig Storage settings.
scanning_event	Used for scanning events operations
secure_settings	Used for secure settings management.
service_account	Used for service account management
silencing_rule	Used for Silencing Rules Management.
slack	Used for slack integration setup.
statement	Used for listing statements.
subscription	Used for subscription management.
team	Used for teams management.
ui_user_settings	Used for fetching some ui user settings.
usage_report	Used for listing usage reports.
user	Used for users management and in user profile to reset password.

For Sysdig Secure

Entity
account
compliance
dataSource
event
falco
feature
forwarding_integration
framework
health
host
list
macro
networkSecurity
networkTopology
policy
policyTuner
provider
report
resource
rule
schema
task
user