Defines the schema for resources reported on by the audit log.
| API Endpoint | https://api.bigpanda.io/resources/v2.0/audit/logs/ |
|---|---|
| Supported Methods | GET |
BigPanda audit logs report on Create, Update, and Delete actions for these resources:
- Alert Correlation Patterns
- AutoShare Settings
- Environments
- Users
- Alert Enrichment including:
- Tags
- Tags Order
- Tag Enrichments
- Tag Enrichments Order
- Mapping Enrichment Schema
- Mapping Table Upload
Alert Correlation Pattern Parameters
The correlation_pattern object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| filter | A BPQL query to filter incoming alerts. Only matched alerts will be correlated based on the pattern. | String |
| cross_source | Determines if alerts can be correlated from different source systems into the same incident Default is false | Boolean |
| time_window | Time frame to determine correlation in minutes | Integer |
| updated_at | The Unix Epoch time that the correlation pattern was last updated. | Timestamp (in seconds) |
| updated_by | The ID of the user who last updated the correlation pattern | User ID |
| active | Whether the pattern should be applied to incoming alerts. | Boolean |
| created_at | The Unix Epoch time that the correlation pattern was created | Timestamp (in seconds) |
| id | System-generated unique identifier for the correlation pattern | String |
| created_by | The ID of the user who created the correlation pattern | User ID |
| tags | Array of tag name(s) to correlate within the pattern. At least 1 item must appear in the array. No more than 5 items in the array. No duplicate names in the array. | Array |
Sample Alert Correlation Pattern Object:
{
"resource_type": "correlation_pattern",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"filter": "cluster=_prod_",
"cross_source": true,
"time_window": 1-4320,
"updated_at": 1372854204,
"updated_by": "3123kjlhfasdlkjfh",
"active": true,
"created_at": "1493922189",
"id": "631471d494528700126a5559",
"created_by": "3123kjlhfasdlkjfh",
"tags": ["service","check"]
}
AutoShare Configuration Parameters
The auto_share_rules object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| id | System-generated unique identifier for the AutoShare rule. | String |
| env_id | The environment that the incident was shared from. | String |
| target_system_id | The sharing channel that the incident was shared to. | String |
| name | UI name for the Autoshare rule. | String |
| params | Settings for share and frequency. Attributes are -autoshare_options - configuration settings, including share delay | Object |
Sample AutoShare Configuration Object:
{
"resource_type": "environment",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"target_system_id": "ai-analysis.automated_incident_analysis",
"env_id": "f38469c6-356c-4ad9-85e9-88b69c627984",
"name": "P0 All (ai-analysis.automated_incident_analysis)",
"id": "f38469c6-356c-4ad9-85e9-88b69c627984_ai-analysis.automated_incident_analysis_0",
"params": {
"autoshare_options": {
"share_delay_seconds": 120
}
}
}
}
Environment Parameters
The environment object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| filter | A BPQL query to filter incoming incidents. Only matched incidents will be placed in the environment. | String |
| updated_at | The Unix Epoch time that the environment was last updated. | Timestamp (in seconds) |
| created_at | The Unix Epoch time that the environment was created | Timestamp (in seconds) |
| name | The name of the environment as displayed in the BigPanda UI | String |
| id | System-generated unique identifier for the environment | String |
Sample Environment Object:
{
"resource_type": "environment",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"filter": "filter":"(source_system = /.*\\..*/ AND zero_impact != \"true\") OR (source_system = \"scout.default\" AND zero_impact != \"true\")",
"updated_at": 1669032359,
"created_at": "1669031477",
"name": "inoc-team",
"id": "637b6635c0ec7912005d58f8"
}
User Parameters
The users object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| createdAt | The time the user was created. Unix epoch time (in seconds) | Timestamp |
| lastLoginAt | Unix epoch time when the user last logged in (in seconds) | Timestamp |
| name | The name of the user as displayed in the BigPanda UI | String |
| id | Unique system identifier for the user | String |
| state | State of the user in system | String |
| firstLoginAt | The Unix Epoch time the user first logged in (in seconds) | Timestamp |
| username | The email address associated with the user | String |
Sample User Object:
{
"resource_type": "users",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"createdAt": 1662284244,
"lastLoginAt": 1662284281,
"name": "Nataly",
"state": "valid",
"firstLoginAt": 1662284281,
"username": "[email protected]",
"id": "631471d494528700126a5559"
}
Alert Enrichment Parameters
Alert Enrichment Audit logs report on several sub-objects including:
- Tag
- Tags Order
- Tag Enrichments
- Tag Enrichments Order
- Mapping Enrichment
- Mapping Table Upload
Tag Object
The tag object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| name | Tag name in BigPanda. | String |
| created_by | The unique ID associated with the user who created the tag. | String |
| created_at | The Unix epoch time when the tag was created (in seconds). | Timestamp |
| updated_by | The unique ID associated with the user who last updated the tag. | String |
| updated_at | The Unix epoch time when the tag was last updated (in seconds). | Timestamp |
| description | A brief summary of the tag | String |
| active | Whether the tag should be applied to incoming alerts. | Boolean |
| enrichments | List of automatic enrichment items configured for this tag. Items are listed in their run order. | Array of Objects |
Sample Alert Tag Object:
{
"resource_type": "tag",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"name": “region”,
"created_by": "60c5238222fa55553d93d555",
"created_at": 1635260171,
"updated_by": "60c5238222fa55553d93d555",
"updated_at": 1662284281,
"description": "line of business",
"active": true,
"enrichments": [
{ "type": "extraction",
"active": true,
"when": {},
"config": {
"source": "host",
"destination": "tag_name",
"regex": "(.*)",
"template": null
},
"note": null
},
{
"type": "composition",
"active": true,
"when": {},
"config": {
"destination": "tag_name",
"value": "val-${host6666}"
},
"note": "wiki.com"
}
]
}
Tags Order Object
The tag_order object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| created_by | The user who created the tag order. | String |
| alert_tags_order | Alert tags listed in the order they should be run. By default tags are ordered by creation time. | Array of Strings |
Sample Tag Order Object:
{
"resource_type": "tag_order",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"created_by": "60c5238222fa55553d93d555",
"alert_tags_order": ["owner", "cluster", "host"]
}
Alert Enrichment Object
The tag_enrichments object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| id | System-generated unique identifier for the automatic enrichment item. | String |
| type | Automatic Enrichment rule type. One of: composition, extraction | String |
| active | Whether the rule should be applied to incoming alerts. | Boolean |
| when | A BPQL query to filter incoming alerts. Only matched alerts will receive a value based on the enrichment item. | Object |
| version | Internal version number of the current enrichment item. This number is incremented automatically each time the item is updated. | Integer |
| config | Rules for building or extracting tag values from event data. Configuration attributes are unique to the enrichment type. See the Config Attributes tables for more information. | Object |
| created_by | The unique ID associated with the user who created the enrichment item. | String |
| updated_by | The unique ID associated with the user who last updated the enrichment item. | String |
| note | A description of the enrichment item purpose or functionality. | String |
Sample Alert Enrichment Object:
{
"resource_type": "tag_enrichments",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"id": "191217f6-481d-464e-9f12-3ed846a72555",
"type": "composition",
"active": true,
"when": {
"IN": ["source_system", ["type": "regex", "value": "*"}]]
},
"version": 1,
"config": {
“source”: “nagios”,
"destination": "tag_name",
"value": "val-${host6666}"
},
"created_by": "60c5238222fa55553d93d555",
"updated_by": "60c5238222fa55553d93d555",
"note": "special extraction for nagios"
}
Tag Enrichments Order Object
The tag_enrichments_order object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| created_by | The user who created the enrichment item order. | String |
| enrichment_order | Enrichment items listed in the order they should be run. By default items are ordered by creation time. | Array of Strings |
Sample Tag Enrichment Order Object:
{
"resource_type": "tag_enrichments_order",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"created_by": "60c5238222fa55553d93d555",
"enrichment_order": [
"49ff0d51-8e73-43a7-9cdd-6ffff242666",
"5036032b-eb0c-461e-ff17-74a05785777",
"d987df48-83f6-40ff-a985-ad6f8927888",
"6cff549b-7c14-43f9-950f-3f73706ff99"
]
}
Mapping Enrichment Object
The mapping_enrichment object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| id | System-generated unique identifier for the enrichment map schema. | String |
| type | Enrichment function type used to create enrichment items. Must be “mapping” for mapping enrichment endpoints. | String |
| active | Whether the mapping rules should be applied to incoming alerts. | Boolean |
| when | BPQL query to filter incoming alerts. Only matched alerts will receive a value based on the automatic enrichment item. | |
| version | Internal version number of the current schema. This number is incremented automatically each time the schema is updated. | Integer |
| config | Rules for mapping tag values to event data. See the Mapping Enrichment Configuration table for details. | Object |
| created_by | The unique ID associated with the user who created the mapping enrichment rule. | String |
| updated_by | The unique ID associated with the user who last updated the mapping enrichment rule. | String |
| note (optional) | A description of the mapping rule purpose or functionality. | String |
Sample Mapping Enrichment Object:
{
"resource_type": "mapping_enrichment",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"id": "1234a53b6789c12d3efg45h",
"type": "mapping",
"active": true,
"when": { "IN": [ "source_system", [ { "type": "regex", "value": "*" } ] ] },
"version": 1,
"config": {
"name": "example",
"fields": [ {
"title": "application",
"type": "query_tag",
"tag_name": "yes",
"override_existing": true,
"optional": false
},
{
"title": "walla",
"type": "result_tag",
"tag_name": "walla", "override_existing": false
}
],
"id_generation_function": "use_md5",
"case_insensitive": false
},
"created_by": "631471d494528700126a5559",
"updated_by": "631471d494528700126a5559",
"note": "Current runbook table"
}
Mapping Table Upload Object
The mapping_table_upload object schema includes the following attributes:
| Attribute | Description | Type |
|---|---|---|
| total_count | Total number of results. Returned with a GET call only. | Integer |
| items | The mapping data, in a JSON body | Array of strings |
Sample Mapping Table Upload Object:
{
"resource_type": "mapping_table_upload",
"resource_id": "631471d494528700126ca555",
"timestamp": 1662284339,
"object": {
"total_count": 473,
"items": [
{
"application": "sale24s",
"yes_sir": "first_tag_dynamic_value_2",
"no_sir": "second_tag_dynamic_value_2"
},
{
"application": "billing23",
"yes_sir": "first_tag_dynamic_value",
"no_sir": "second_tag_dynamic_value"
}
]
}