This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Sysdig Platform Audit

    Sysdig provides both a UI and a set of APIs for auditing and reporting on the use of the Sysdig platform itself. (This is in contrast to the Activity Audit or Kubernetes Audit Log features which audit activity on your target environments.)

    With Platform Audit, you can answer questions such as:

    • Who deleted a policy?
    • From where a policy was modified?
    • Which modifications were made for a specific alert?
    • What was the payload of the changed alert (condition changed?)
    • Who added this user?
    • When did we change the SSO settings?
    • Are dashboards loading properly?

    The audit includes the following request methods against the Sysdig system:

    • PUT
    • POST
    • DELETE
    • PATCH
    • GET

    The data retention for system audit info is 90 days.

    Use the Platform Audit UI

    Access the UI

    From Sysdig Secure
    1. Log in to Sysdig Secure as an administrator.
    2. Navigate to Integrations > Sysdig Platform Audit.
    From Sysdig Monitor
    1. Log in to Sysdig Monitor as an administrator.
    2. Navigate to Integrations > Data Sources | Sysdig Platform Audit.

    UI Usage

    Use Platform Audit to understand what was done on the Sysdig platform, by whom, and when.

    By default, the Platform Audit UI page filters out the READ statements (i.e. requestMethod != GET) on the assumption that users are interested in changes taken on the platform (PUT, POST, DELETE, and PATCH). This filter can be modified if read actions are required.

    The data can be filtered based on:

    • User
    • Team
    • Request Method
    • Entity Type
    • Origin IP

    Selected date range can be maximim 14 days.

    Use the Platform Audit API


    Know your:

    Commands Overview

    filter=source in ("auditTrail")Informs the events feed API that you want to fetch auditTrail type of events
    {{host}}Host of the region for which you want to fetch audit events e.g., for AWS us-east
    {{from}}(nanoseconds) Timestamp date range, e.g. from=1648477226000000000&to=164934122600000000
    {{to}}(nanoseconds) Timestamp date range, e.g. from=1648477226000000000&to=164934122600000000
    {{limit}}(integer) - upper bound is 999. Defines how many events you will receive, and is used in combination with offset. For example: offset=100&limit=100 (skip first 100 and show next 100)
    {{offset}}(integer) Used when we implement paging; allows you to skip the first x events. For example, offset=100 will skip the first 100 events
    {{token}}(string) - Sysdig Secure or Sysdig Monitor API token

    API Usage

    Get All Audit Events Across the Product and Services

    For Sysdig Secure

    GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail")&from={{from}}&to={{to}}&limit={{limit}}
    X-Sysdig-Product: SDS
    Authorization: Bearer {{token}}

    For Sysdig Monitor

    GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail")&from={{from}}&to={{to}}&limit={{limit}}
    X-Sysdig-Product: SDC
    Authorization: Bearer {{token}}

    Get Audit Events for a Specific Entity

    auditTrail.entityType is used if you want to list audit events only for a specific entity or list of entities. In this example, we want to fetch only auth audit events.

    X-Sysdig-Product:= SDS (Sysdig Secure) SDC (Sysdig Monitor)

    GET {{host}}/api/v1/secureEvents?filter=source in ("auditTrail") and auditTrail.entityType in ("auth")&from={{from}}&to={{to}}&limit={{limit}}
    X-Sysdig-Product: SDS
    Authorization: Bearer {{token}}

    Entities Used

    For Sysdig Monitor/Sysdig Platform

    Some entities are also used in Sysdig Secure but are served from Monitor

    agentUsed for agent operations.
    alertUsed for alerts management.
    alert_notificationUsed for alert notifications. Not used anymore
    alert_silencing_ruleUsed for Alert Silencing Rules Management.
    alert_template_groupUsed for listing alert template groups.
    api_tokenUsed in user profile to read and reset API token.
    application_user_settingsUsed for fetching some user app settings like firstTimeOnApp, userTrackingEnabled, etc.
    authUsed for login/logout events.
    auth_settingsUsed in authentication settings.
    auth_ssoUsed for SSO authentication events.
    aws_settingsUsed in aws settings to enable/disable CloudWatch Integration.
    benchmarkUsed for benchmark tests and results management
    captureUsed for captures management.
    cloud_subscriptionUsed for cloud subscription management.
    customer_access_keyUsed for access keys management. (API only)
    customer_agreementAgreements that customer can sign eg. EULA.
    customer_settingsUsed in user profile to hide Access Key and Agent Installation page for non-admin users.
    dashboardUsed for dashboards management.
    dashboard_templateUsed for fetching dashboard templates.
    datasourceUsed for listing mettric data sources.
    datastreamUsed for datastream configuration
    default_dashboardUsed for fetching default dashboards.
    downtimeUsed in notification channel settings to temporarily disable alerts events and mute all notifications.
    eventUsed for events management
    falco_listUsed for CRUD operations related to lists (on UI: Policies->Falco Lists)
    falco_macroUsed for CRUD operations related to macros (on UI: Policies->Falco Macros)
    falco_rules_fileUsed for CRUD operations for Falco related files like default and custom rules files that create macros, lists and rules using yaml (on UI: Policies->Rules Editor)
    file_storage_configUsed for file storage management.
    group_mappingUsed for mapping IDP groups to Sysdig teams/roles");
    ibm_resourceUsed for fetching IBM resource instances
    inactivity_settingsUsed for session expiration settings.
    integrationUsed for integration
    invoiceUsed for listing invoices.
    licenseUsed to fetch onprem license.
    login_bannerThe agreement that must be accepted before logging in.
    notification_channelUsed in notification channel settings.
    offerUsed for listing offers.
    onboardingUsed for fetching onboarding data and updating steps
    overviewUsed for fetching overviews.
    permissionUsed for permissions management.
    plan_settingsUsed for fetching plan settings.
    policyUsed for secure policies management
    policy_actionUsed to get a list of actions corresponding to a policy type when you try to create/edit a policy (on UI: Policies->Runtime Policies->Add or Edit existing policy)
    policy_descriptorUsed to define the scope on which to apply a policy type when creating/editing a policy Used for CRUD operations related to lists (on UI: Policies->Runtime Policies->Add or Edit existing policy)
    prometheus_ruleUsed to export alert/alert notifications in a prometheus API format. Also allows users to create export prometheus alerting/recording rule
    providerUsed in aws settings for AWS Accounts management.
    restricted_tokenUsed for ibm restricted api token management
    roleUsed for roles management.
    runtime_policy_ruleUsed for CRUD operations related to runtime policy rules (on UI: Policies->Rules Library)
    s3_settingsUsed in Sysdig Storage settings.
    scanning_eventUsed for scanning events operations
    secure_settingsUsed for secure settings management.
    service_accountUsed for service account management
    silencing_ruleUsed for Silencing Rules Management.
    slackUsed for slack integration setup.
    statementUsed for listing statements.
    subscriptionUsed for subscription management.
    teamUsed for teams management.
    ui_user_settingsUsed for fetching some ui user settings.
    usage_reportUsed for listing usage reports.
    userUsed for users management and in user profile to reset password.

    For Sysdig Secure