Defines the schema for resources reported on by the audit log.
| API Endpoint | https://api.bigpanda.io/resources/v2.0/audit/logs/ |
|---|---|
| Supported Methods | GET |
BigPanda audit logs report on Create, Update, and Delete actions for these resources:
- Alert Correlation Patterns
- AutoShare Settings
- Environments
- Users
- Alert Enrichment including:
- Tags
- Tags Order
- Tag Enrichments
- Tag Enrichments Order
- Mapping Enrichment Schema
- Mapping Table Upload
Alert Correlation Pattern Parameters
The correlation_pattern object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| filter | A BPQL query to filter incoming alerts. Only matched alerts will be correlated based on the pattern. | String | "cluster=_prod_"]" |
| cross_source | Determines if alerts can be correlated from different source systems into the same incident Default is false | Boolean | true |
| time_window | Time frame to determine correlation in minutes | Integer | 1-4320 |
| updated_at | The Unix Epoch time that the correlation pattern was last updated. | Timestamp (in seconds) | 1372854204 |
| updated_by | The ID of the user who last updated the correlation pattern | User ID | "3123kjlhfasdlkjfh" |
| active | Whether the pattern should be applied to incoming alerts. | Boolean | true |
| created_at | The Unix Epoch time that the correlation pattern was created | Timestamp (in seconds) | 1493922189 |
| id | System-generated unique identifier for the correlation pattern | String | "12344" |
| created_by | The ID of the user who created the correlation pattern | User ID | "3123kjlhfasdlkjfh" |
| tags | Array of tag name(s) to correlate within the pattern. At least 1 item must appear in the array. No more than 5 items in the array. No duplicate names in the array. | Array | ["service","check"] |
Environment Parameters
The Environment object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| filter | A BPQL query to filter incoming incidents. Only matched incidents will be placed in the environment. | String | "filter":"(source_system = /.*\\..*/ AND zero_impact != \"true\") OR (source_system = \"scout.default\" AND zero_impact != \"true\")" |
| updated_at | The Unix Epoch time that the environment was last updated. | Timestamp (in seconds) | “updated_at":1669032359 |
| created_at | The Unix Epoch time that the environment was created | Timestamp (in seconds) | "created_at":1669031477 |
| name | The name of the environment as displayed in the BigPanda UI | String | "name":"johnny-test-envv" |
| id | System-generated unique identifier for the environment | String | "id":"637b6635c0ec7912005d58f8" |
User Parameters
The User object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| createdAt | The time the user was created. Unix epoch time (in seconds) | Timestamp | 1662284244 |
| lastLoginAt | Unix epoch time when the user last logged in (in seconds) | Timestamp | 1662284244 |
| name | The name of the user as displayed in the BigPanda UI | String | "Betsy Bobbins" |
| id | Unique system identifier for the user | String | "62bc4c139ed3cd00110500da" |
| state | State of the user in system | String | “initial” |
| firstLoginAt | The Unix Epoch time the user first logged in (in seconds) | Timestamp | 1662284244 |
| username | The email address associated with the user | String | "[email protected]" |
Alert Enrichment Parameters
Alert Enrichment Audit logs report on several sub-objects including:
- Tag
- Tags Order
- Tag Enrichments
- Tag Enrichments Order
- Mapping Enrichment
- Mapping Table Upload
Tag Object
The Alert Tag object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| name | Tag name in BigPanda. | String | “region” |
| created_by | The unique ID associated with the user who created the tag. | String | "60c5238222fa55553d93d555" |
| created_at | The Unix epoch time when the tag was created (in seconds). | Timestamp | 1635260171 |
| updated_by | The unique ID associated with the user who last updated the tag. | String | "60c5238222fa55553d93d555" |
| updated_at | The Unix epoch time when the tag was last updated (in seconds). | Timestamp | 1635260171 |
| description | A brief summary of the tag | String | "line of business" |
| active | Whether the tag should be applied to incoming alerts. | Boolean | true |
| enrichments | List of automatic enrichment items configured for this tag. Items are listed in their run order. | Array of Objects | [ { "type": "extraction", "active": true, "when": {}, "config": { "source": "host", "destination": "tag_name", "regex": "(.*)", "template": null }, "note": null }, { "type": "composition", "active": true, "when": {}, "config": { "destination": "tag_name", "value": "val-${host6666}" }, "note": "wiki.com" } ] |
Tags Order Object
The Tags Order object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| created_by | The user who created the tag order. | String | 60c5238222fa55553d93d555 |
| alert_tags_order | Alert tags listed in the order they should be run. By default tags are ordered by creation time. | Array of Strings | "alert_tags_order":["owner", "cluster", "host"] |
Alert Enrichment Object
The Alert Enrichment object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| id | System-generated unique identifier for the automatic enrichment item. | String | "191217f6-481d-464e-9f12-3ed846a72555" |
| type | Automatic Enrichment rule type. One of: composition, extraction | String | "composition" |
| active | Whether the rule should be applied to incoming alerts. | Boolean | true |
| when | A BPQL query to filter incoming alerts. Only matched alerts will receive a value based on the enrichment item. | Object | { "IN": [ "source_system", [ { "type": "regex", "value": "*" } ] ] } |
| version | Internal version number of the current enrichment item. This number is incremented automatically each time the item is updated. | Integer | 1 |
| config | Rules for building or extracting tag values from event data. Configuration attributes are unique to the enrichment type. See the Config Attributes tables for more information. | Object | { “source”: “nagios”, "destination": "tag_name", "value": "val-${host6666}" } OR { "source": "host", "destination": "tag_name", "regex": "(.*)", "template": null } |
| created_by | The unique ID associated with the user who created the enrichment item. | String | "60c5238222fa55553d93d555" |
| updated_by | The unique ID associated with the user who last updated the enrichment item. | String | "60c5238222fa55553d93d555" |
| note | A description of the enrichment item purpose or functionality. | String | "adding region" OR "special extraction for nagios" |
Tag Enrichments Order Object
The Tag Enrichments Order object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| created_by | The user who created the enrichment item order. | String | 60c5238222fa55553d93d555 |
| enrichment_order | Enrichment items listed in the order they should be run. By default items are ordered by creation time. | Array of Strings | "enrichment_order": [ "49ff0d51-8e73-43a7-9cdd-6ffff242666", "5036032b-eb0c-461e-ff17-74a05785777", "d987df48-83f6-40ff-a985-ad6f8927888", "6cff549b-7c14-43f9-950f-3f73706ff99" ] |
Mapping Enrichment Object
The Mapping Enrichment object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| id | System-generated unique identifier for the enrichment map schema. | String | 1234a53b6789c12d3efg45h |
| type | Enrichment function type used to create enrichment items. Must be “mapping” for mapping enrichment endpoints. | String | mapping |
| active | Whether the mapping rules should be applied to incoming alerts. | Boolean | true |
| When | BPQL query to filter incoming alerts. Only matched alerts will receive a value based on the automatic enrichment item. | { "IN": [ "source_system", [ { "type": "regex", "value": "*" } ] ] } | |
| Version | Internal version number of the current schema. This number is incremented automatically each time the schema is updated. | Integer | 1 |
| config | Rules for mapping tag values to event data. See the Mapping Enrichment Configuration table for details. | Object | { "name": "example", "fields": [ { "title": "application", "type": "query_tag", "tag_name": "yes", "override_existing": true, "optional": false }, { "title": "walla", "type": "result_tag", "tag_name": "walla", "override_existing": false }, { "title": "very_cool", "type": "result_tag", "tag_name": "very_cool", "override_existing": false } ], "id_generation_function": "use_md5", "case_insensitive": false } |
| created_by | The unique ID associated with the user who created the mapping enrichment rule. | String | 58d77efa5eafe459163f4555 |
| updated_by | The unique ID associated with the user who last updated the mapping enrichment rule. | String | 58d77efa5eafe459163f4555 |
| note (optional) | A description of the mapping rule purpose or functionality. | String | CMDB table OR Current runbook table |
Mapping Table Upload Object
The Mapping Table Upload object schema includes the following attributes:
| Attribute | Description | Type | Example |
|---|---|---|---|
| total_count | Total number of results. Returned with a GET call only. | Integer | 473 |
| items | The mapping data, in a JSON body | Array of strings | "items": [ { "application": "sale24s", "yes_sir": "first_tag_dynamic_value_2", "no_sir": "second_tag_dynamic_value_2" }, { "application": "billing23", "yes_sir": "first_tag_dynamic_value", "no_sir": "second_tag_dynamic_value" } ] |