Defines the schema for resources reported on by the audit log.
API Endpoint | https://api.bigpanda.io/resources/v2.0/audit/logs/ |
---|---|
Supported Methods | GET |
BigPanda audit logs report on Create, Update, and Delete actions for these resources:
- Alert Correlation Patterns
- Alert Enrichment, including:
  - Tags
  - Tags Order
  - Tag Enrichments
  - Tag Enrichments Order
  - Mapping Enrichment Schema
  - Mapping Table Upload
- API Keys
- AutoShare Settings
- Environments
- Integrations
- JIT Provisioning
- Maintenance Plans
- Roles
- SAML Attribute Mapping
- SSO Configuration
- SSO Test
- Users
Alert Correlation Pattern Parameters
The correlation_pattern object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
filter | A BPQL query to filter incoming alerts. Only matched alerts will be correlated based on the pattern. | String |
cross_source | Determines if alerts can be correlated from different source systems into the same incident. Default is false. | Boolean |
time_window | Time frame within which alerts are correlated, in minutes (1 to 4320). | Integer |
updated_at | The Unix Epoch time that the correlation pattern was last updated. | Timestamp (in seconds) |
updated_by | The ID of the user who last updated the correlation pattern. | User ID |
active | Whether the pattern should be applied to incoming alerts. | Boolean |
created_at | The Unix Epoch time that the correlation pattern was created. | Timestamp (in seconds) |
id | System-generated unique identifier for the correlation pattern. | String |
created_by | The ID of the user who created the correlation pattern. | User ID |
tags | Array of tag name(s) to correlate within the pattern. At least 1 and no more than 5 items must appear in the array, with no duplicate names. | Array |
Sample Alert Correlation Pattern Object
```json
{
  "resource_type": "correlation_pattern",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "filter": "cluster=_prod_",
    "cross_source": true,
    "time_window": 60,
    "updated_at": 1372854204,
    "updated_by": "3123kjlhfasdlkjfh",
    "active": true,
    "created_at": 1493922189,
    "id": "631471d494528700126a5559",
    "created_by": "3123kjlhfasdlkjfh",
    "tags": ["service", "check"]
  }
}
```
Alert Enrichment Parameters
Alert Enrichment audit logs report on several sub-objects including:
- Tag
- Tags Order
- Tag Enrichments
- Tag Enrichments Order
- Mapping Enrichment
- Mapping Table Upload
Tag Object
The tag object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
name | Tag name in BigPanda. | String |
created_by | The unique ID associated with the user who created the tag. | String |
created_at | The Unix epoch time when the tag was created (in seconds). | Timestamp |
updated_by | The unique ID associated with the user who last updated the tag. | String |
updated_at | The Unix epoch time when the tag was last updated (in seconds). | Timestamp |
description | A brief summary of the tag | String |
active | Whether the tag should be applied to incoming alerts. | Boolean |
enrichments | List of automatic enrichment items configured for this tag. Items are listed in their run order. | Array of Objects |
Sample Alert Tag Object:
```json
{
  "resource_type": "tag",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "name": "region",
    "created_by": "60c5238222fa55553d93d555",
    "created_at": 1635260171,
    "updated_by": "60c5238222fa55553d93d555",
    "updated_at": 1662284281,
    "description": "line of business",
    "active": true,
    "enrichments": [
      {
        "type": "extraction",
        "active": true,
        "when": {},
        "config": {
          "source": "host",
          "destination": "tag_name",
          "regex": "(.*)",
          "template": null
        },
        "note": null
      },
      {
        "type": "composition",
        "active": true,
        "when": {},
        "config": {
          "destination": "tag_name",
          "value": "val-${host6666}"
        },
        "note": "wiki.com"
      }
    ]
  }
}
```
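The tag sample above lists its `enrichments` in run order, and the order matters because a composition item can only reference tags that earlier items have already produced. The following added example (not BigPanda's code; the regex, alert fields and tag names are constructed) walks an alert through a list of enrichment items shaped like the sample. The semantics are assumed: an extraction copies the first regex group of `source` into `destination`, a composition substitutes `${tag}` placeholders from the alert's existing tags, inactive items are skipped, and the `when` filter (a BPQL object on the real platform) is treated as always matching.

```python
import re
from string import Template

# Constructed alert and enrichment list, shaped after the page's tag sample.
ALERT = {"host": "web-12.prod.example", "check": "disk"}
ENRICHMENTS = [
    {"type": "extraction", "active": True, "when": {},
     "config": {"source": "host", "destination": "region",
                "regex": r"^[a-z]+-\d+\.([a-z]+)\.", "template": None},
     "note": None},
    {"type": "composition", "active": True, "when": {},
     "config": {"destination": "region_label", "value": "val-${region}"},
     "note": "wiki.com"},
    # Inactive item: must be skipped even though it targets an existing tag.
    {"type": "composition", "active": False, "when": {},
     "config": {"destination": "region", "value": "overridden"}, "note": None},
]


def apply_enrichment(alert, item):
    """Apply one enrichment item and return a new alert dict (input is not mutated).

    Assumed semantics: extraction takes the first regex group of `source`
    (or the whole match when the regex has no group); composition resolves
    ${tag} placeholders against the alert as it is at that point in the run.
    """
    if not item.get("active", False):
        return alert
    cfg = item["config"]
    out = dict(alert)
    if item["type"] == "extraction":
        src = alert.get(cfg["source"])
        if src is None:
            return alert  # nothing to extract from
        m = re.search(cfg["regex"], str(src))
        if m:
            out[cfg["destination"]] = m.group(1) if m.groups() else m.group(0)
    elif item["type"] == "composition":
        # safe_substitute leaves unknown ${tag} references untouched instead of raising
        out[cfg["destination"]] = Template(cfg["value"]).safe_substitute(alert)
    return out


def run_enrichments(alert, enrichments):
    """Run the items in list order, exactly as the `enrichments` array is listed."""
    for item in enrichments:
        alert = apply_enrichment(alert, item)
    return alert


if __name__ == "__main__":
    print(run_enrichments(ALERT, ENRICHMENTS))
    # Reversing the list leaves region_label unresolved: order is part of the configuration.
    print(run_enrichments(ALERT, list(reversed(ENRICHMENTS))))
```

Running the same items in reverse order leaves `region_label` as the literal `val-${region}`, which is why an audit record that changes a tag's enrichment order deserves the same attention as one that changes an item's config.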
Tags Order Object
The tag_order object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
created_by | The user who created the tag order. | String |
alert_tags_order | Alert tags listed in the order they should be run. By default, tags are ordered by creation time. | Array of Strings |
Sample Tag Order Object:
```json
{
  "resource_type": "tag_order",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "created_by": "60c5238222fa55553d93d555",
    "alert_tags_order": ["owner", "cluster", "host"]
  }
}
```
Alert Enrichment Object
The tag_enrichments object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
id | System-generated unique identifier for the automatic enrichment item. | String |
type | Automatic Enrichment rule type. One of: composition, extraction. | String |
active | Whether the rule should be applied to incoming alerts. | Boolean |
when | A BPQL query to filter incoming alerts. Only matched alerts will receive a value based on the enrichment item. | Object |
version | Internal version number of the current enrichment item. This number is incremented automatically each time the item is updated. | Integer |
config | Rules for building or extracting tag values from event data. Configuration attributes are unique to the enrichment type. See the Config Attributes tables for more information. | Object |
created_by | The unique ID associated with the user who created the enrichment item. | String |
updated_by | The unique ID associated with the user who last updated the enrichment item. | String |
note | A description of the enrichment item purpose or functionality. | String |
Sample Alert Enrichment Object:
```json
{
  "resource_type": "tag_enrichments",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "id": "191217f6-481d-464e-9f12-3ed846a72555",
    "type": "composition",
    "active": true,
    "when": {
      "IN": ["source_system", [{ "type": "regex", "value": "*" }]]
    },
    "version": 1,
    "config": {
      "source": "nagios",
      "destination": "tag_name",
      "value": "val-${host6666}"
    },
    "created_by": "60c5238222fa55553d93d555",
    "updated_by": "60c5238222fa55553d93d555",
    "note": "special extraction for nagios"
  }
}
```
Tag Enrichments Order Object
The tag_enrichments_order object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
created_by | The user who created the enrichment item order. | String |
enrichment_order | Enrichment items listed in the order they should be run. By default, items are ordered by creation time. | Array of Strings |
Sample Tag Enrichment Order Object
```json
{
  "resource_type": "tag_enrichments_order",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "created_by": "60c5238222fa55553d93d555",
    "enrichment_order": [
      "49ff0d51-8e73-43a7-9cdd-6ffff242666",
      "5036032b-eb0c-461e-ff17-74a05785777",
      "d987df48-83f6-40ff-a985-ad6f8927888",
      "6cff549b-7c14-43f9-950f-3f73706ff99"
    ]
  }
}
```
Mapping Enrichment Object
The mapping_enrichment object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
id | System-generated unique identifier for the enrichment map schema. | String |
type | Enrichment function type used to create enrichment items. Must be "mapping" for mapping enrichment endpoints. | String |
active | Whether the mapping rules should be applied to incoming alerts. | Boolean |
when | BPQL query to filter incoming alerts. Only matched alerts will receive a value based on the automatic enrichment item. | Object |
version | Internal version number of the current schema. This number is incremented automatically each time the schema is updated. | Integer |
config | Rules for mapping tag values to event data. See the Mapping Enrichment Configuration table for details. | Object |
created_by | The unique ID associated with the user who created the mapping enrichment rule. | String |
updated_by | The unique ID associated with the user who last updated the mapping enrichment rule. | String |
note (optional) | A description of the mapping rule purpose or functionality. | String |
Sample Mapping Enrichment Object
```json
{
  "resource_type": "mapping_enrichment",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "id": "1234a53b6789c12d3efg45h",
    "type": "mapping",
    "active": true,
    "when": { "IN": ["source_system", [{ "type": "regex", "value": "*" }]] },
    "version": 1,
    "config": {
      "name": "example",
      "fields": [
        {
          "title": "application",
          "type": "query_tag",
          "tag_name": "yes",
          "override_existing": true,
          "optional": false
        },
        {
          "title": "walla",
          "type": "result_tag",
          "tag_name": "walla",
          "override_existing": false
        }
      ],
      "id_generation_function": "use_md5",
      "case_insensitive": false
    },
    "created_by": "631471d494528700126a5559",
    "updated_by": "631471d494528700126a5559",
    "note": "Current runbook table"
  }
}
```
Mapping Table Upload Object
The mapping_table_upload object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
total_count | Total number of results. Returned with a GET call only. | Integer |
items | The mapping data, in a JSON body. | Array of strings |
Sample Mapping Table Upload Object
```json
{
  "resource_type": "mapping_table_upload",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "total_count": 473,
    "items": [
      {
        "application": "sale24s",
        "yes_sir": "first_tag_dynamic_value_2",
        "no_sir": "second_tag_dynamic_value_2"
      },
      {
        "application": "billing23",
        "yes_sir": "first_tag_dynamic_value",
        "no_sir": "second_tag_dynamic_value"
      }
    ]
  }
}
```
API Keys Parameters
The api_keys object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
id | System-generated unique identifier for the API key. | String |
active | Whether or not the API key is currently active. | Boolean |
created_at | The Unix epoch time when the API key was created (In seconds). | Timestamp |
created_by | The system-generated unique identifier of the user who created the API key. | String |
description | User-defined description of the API key. | String |
last_used | The Unix epoch time when the API key was last used (In seconds). | Timestamp |
name | User-defined name of the API key. | String |
organization | The system-generated unique ID of the organization associated with the API key. | String |
user | The system-generated unique ID of the user associated with the API key. | String |
Sample API Keys Object
```json
{
  "id": "669f9f5ac897605fc70eea98",
  "active": true,
  "created_at": 1721737050,
  "created_by": "651ee43333b38e4a5a19c514",
  "description": "",
  "last_used": 1721737134,
  "name": "Test",
  "organization": "63d10d1baf10bd1300ffae1b",
  "user": "651ee43333b38e4a5a19c514"
}
```
AutoShare Configuration Parameters
The auto_share_rules object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
id | System-generated unique identifier for the AutoShare rule. | String |
env_id | The environment that the incident was shared from. | String |
target_system_id | The name of the integration that incidents will be shared to. | String |
name | UI name for the AutoShare rule, which includes environment and target integration names. | String |
params | Settings for share and frequency. Contains autoshare_options, the AutoShare configuration settings, including the share delay. | Object |
Sample AutoShare Configuration Object:
```json
{
  "resource_type": "environment",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "target_system_id": "ai-analysis.automated_incident_analysis",
    "env_id": "f38469c6-356c-4ad9-85e9-88b69c627984",
    "name": "P0 All (ai-analysis.automated_incident_analysis)",
    "id": "f38469c6-356c-4ad9-85e9-88b69c627984_ai-analysis.automated_incident_analysis_0",
    "params": {
      "autoshare_options": {
        "share_delay_seconds": 120
      }
    }
  }
}
```
Environment Parameters
The environment object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
filter | A BPQL query to filter incoming incidents. Only matched incidents will be placed in the environment. | String |
updated_at | The Unix Epoch time that the environment was last updated. | Timestamp (in seconds) |
created_at | The Unix Epoch time that the environment was created. | Timestamp (in seconds) |
name | The name of the environment as displayed in the BigPanda UI. | String |
id | System-generated unique identifier for the environment. | String |
Sample Environment Object:
```json
{
  "resource_type": "environment",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "filter": "(source_system = /.*\\..*/ AND zero_impact != \"true\") OR (source_system = \"scout.default\" AND zero_impact != \"true\")",
    "updated_at": 1669032359,
    "created_at": 1669031477,
    "name": "inoc-team",
    "id": "637b6635c0ec7912005d58f8"
  }
}
```
Integrations Parameters
The integrations object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
target_system_id | Unique name for the integration. | String |
stream_id | System-generated app_key for the integration. | String |
updated_at | The Unix Epoch time that the integration was last updated. | Timestamp (in seconds) |
org | The name of the BigPanda Organization where the update occurred. | String |
changes | List of updated configuration properties with key, old_value and new_value. | Array of Objects |
Sample Integrations Object:
```json
{
  "target_system_id": "emailparser.1234",
  "stream_id": "2226ba0c9d377143dba39656d725fc9b",
  "updated_at": 1706896027,
  "org": "bigpanda",
  "changes": [
    {
      "key": "status",
      "old_value": {
        "status_map": {
          "critical": ["off"],
          "ok": ["better"]
        },
        "default_to": "critical",
        "source": "body"
      },
      "new_value": {
        "status_map": {
          "critical": ["off"],
          "ok": ["better"],
          "warning": ["warning"]
        },
        "default_to": "critical",
        "source": "body"
      }
    },
    {
      "key": "allow_list",
      "old_value": ["*@bigpanda.io"],
      "new_value": ["[email protected]"]
    }
  ]
}
```
JIT Provisioning
The jit_domains object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
id | The system-generated unique ID for the domain. | String |
name | The name of the domain. | String |
role | The default BigPanda role associated with the domain. | Array of Strings |
organization | The system-generated unique ID of the organization. | String |
Sample JIT Provisioning Object
```json
{
  "id": "065a29561e1fe01f03f17644",
  "domain": "domain.com",
  "role": {
    "id": "6542b144f4cc16a1a455dd7c"
  },
  "organization": "6542b1aa43cf5112000c8b55"
}
```
Maintenance Plan and Alert Filtering Parameters
The alert_filtering object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
plan_name | Name of the maintenance plan or alert filter associated with the action. | String |
plan_id | The ID number of the maintenance plan or alert filter. | String |
plan_status | The current status of the maintenance plan or alert filter. | String |
plan_type | The type of plan, either maintenance_plan or filtering_plan, depending on whether you created a Maintenance Plan or an Alert Filter. | String |
time_window | Details of the maintenance plan's time window and whether or not it is recurring. Contains the attributes: start (Unix epoch time when the scheduled plan starts, in seconds); end (Unix epoch time when the scheduled plan ends, in seconds); frequency (how often a recurring plan is scheduled to run); frequency_data (array of objects that defines the plan window for recurring plans, with duration, the length of time the plan should run in seconds; current_run, the Unix epoch time when the current running maintenance window began, in seconds; next_run, the Unix epoch time when the next scheduled maintenance window starts, in seconds; and relativity, the week in the month the window should take place). | Array of Objects |
updated_fields | The field that was updated in the maintenance plan. Contains field_name (the name of the updated field), old_value (the old field value that was changed) and current_value (the updated field value). | Array of Objects |
Sample Maintenance Plan/Alert Filtering Object
```json
{
  "object": {
    "plan_name": "Monthly Cleanup",
    "plan_id": "641de370310000dc501081b2",
    "plan_status": "planned",
    "plan_type": "maintenance_plan",
    "time_window": {
      "start": 1679680834,
      "end": 32788738800,
      "frequency": "Monthly",
      "frequency_data": {
        "duration": 12600,
        "current_run": null,
        "next_run": 1690574400,
        "relativity": null
      }
    },
    "updated_fields": [
      {
        "field_name": "end",
        "old_value": "32605567199",
        "new_value": "32788738800"
      }
    ]
  },
  "resource_id": "641de370310000dc501081b2",
  "resource_type": "alert_filtering",
  "timestamp": 1716471783
}
```
Roles Parameters
The roles object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
id | System-generated unique identifier for the role. | String |
name | The name of the role. | String |
users | Users who are assigned to the role. | Array of Strings |
created_by | The ID of the user who created the | String |
created_at | The unix epoch time that the role was created. | Timestamp |
updated_at | The unix epoch time that the role was updated. | Timestamp |
permissions | An array containing the permissions associated with the role. | Array of Objects |
Sample Roles Object
```json
{
  "id": "6695327f443fadc7558ce383",
  "name": "Copy of admin",
  "users": [
    "63d13a8068db95501470aba3"
  ],
  "created_by": "63d13a8068db98001550aba3",
  "created_at": 1721053823,
  "updated_at": 1721053823,
  "permissions": [
    {
      "resource_type": "audit_logs",
      "resource_id": null,
      "actions": [
        "read"
      ]
    },
    {
      "resource_type": "incident-tags-definitions",
      "resource_id": null,
      "actions": [
        "full_access"
      ]
    }
  ]
}
```
SAML Attribute Mapping
The jit_roles object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
id | The unique system-generated ID associated with the SAML attribute mapping. | String |
name | The name of the property. | String |
users | The users assigned to the default role. | String |
created_by | The system-generated unique identifier of the user who created the SAML attribute mapping. | String |
created_at | The Unix epoch time when the SAML attribute mapping was created (In seconds). | Timestamp (In seconds) |
updated_at | The Unix epoch time when the SAML attribute mapping was last updated (In seconds). | Timestamp (In seconds) |
permissions | The permissions associated with the default role selected for the SAML attribute mapping. | Array of Objects |
Sample SAML Attribute Mapping Object
```json
{
  "id": "668bccda0b955da31608fb14",
  "name": "Domain",
  "users": [
    "64e50cb55c960604a71a4e0d5",
    "668bcda36e79920fcde7d7db"
  ],
  "created_by": "63d13a8068d558001470aba3",
  "created_at": 1720437978,
  "updated_at": 1720437978,
  "permissions": [
    {
      "resource_type": "apikeys",
      "resource_id": null,
      "actions": [
        "full_access"
      ]
    }
  ]
}
```
SSO Configuration
The sso_config object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
disableRequestedAuthnContext | Whether or not the RequestedAuthnContext element is disabled. This element determines whether a specific authentication context is requested. | Boolean |
idPissuer | The issuer ID from the IdP. | String |
idPssoUrl | The SSO URL/SAML 2.0 Endpoint from the IdP. | String |
provider | The name of the IdP. | String |
Sample SSO Configuration Object
```json
{
  "disableRequestedAuthnContext": false,
  "idPissuer": "http://www.okta.com/exkh1g4sxiX25555555",
  "idPssoUrl": "https://trial-555555.okta.com/app/bigpanda/exkh1g4s555555555Mk697/sso/saml",
  "provider": "okta"
}
```
SSO Test
The sso_test object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
idP | The name of the identity provider. | Boolean |
status | The status of the SSO configuration. | String |
tester | The email address of the user who tested the SSO connection. | String |
Sample SSO Test Object
```json
{
  "idP": "okta",
  "status": "testing",
  "tester": "[email protected]"
}
```
User Parameters
The users object schema includes the following attributes:
Attribute | Description | Type |
---|---|---|
createdAt | The time the user was created. Unix epoch time (in seconds). | Timestamp |
lastLoginAt | Unix epoch time when the user last logged in (in seconds). | Timestamp |
name | The name of the user as displayed in the BigPanda UI. | String |
id | Unique system identifier for the user. | String |
state | State of the user in the system. | String |
firstLoginAt | The Unix Epoch time the user first logged in (in seconds). | Timestamp |
username | The email address associated with the user. | String |
Sample User Object:
```json
{
  "resource_type": "users",
  "resource_id": "631471d494528700126ca555",
  "timestamp": 1662284339,
  "object": {
    "createdAt": 1662284244,
    "lastLoginAt": 1662284281,
    "name": "Nataly",
    "state": "valid",
    "firstLoginAt": 1662284281,
    "username": "[email protected]",
    "id": "631471d494528700126a5559"
  }
}
```
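Most of the records above share the envelope `{resource_type, resource_id, timestamp, object}`, while the Integrations sample carries a top-level `changes` list of `key` / `old_value` / `new_value` entries. The following added example (not BigPanda's code) consumes a batch of such records and surfaces the changes a security reviewer would want to see first: any change to an identity, permission, key or integration resource, roles that grant `full_access` with a null `resource_id`, an SSO configuration with `disableRequestedAuthnContext` set or a non-HTTPS IdP URL, and integration allow lists that gained entries. The `fetch_audit_logs` helper assumes Bearer-token authentication and a JSON response body (neither is stated on this page) and is not exercised by the offline sample; the records in `SAMPLE_RECORDS` are constructed, shaped after the page's samples.

```python
import json
import urllib.request
from datetime import datetime, timezone

AUDIT_LOG_URL = "https://api.bigpanda.io/resources/v2.0/audit/logs/"

# Resource types from this page whose changes affect who can sign in, what a
# caller may do, or where incident data flows.
SENSITIVE_RESOURCE_TYPES = {"api_keys", "roles", "jit_domains", "jit_roles",
                            "sso_config", "sso_test", "users", "integrations"}
BROAD_ACTIONS = {"full_access"}  # action string seen in the roles / jit_roles samples


def fetch_audit_logs(api_token, url=AUDIT_LOG_URL):
    """GET the audit log. Assumed: Bearer-token auth and a JSON body; not run offline."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {api_token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _iso(ts):
    """Timestamps are epoch seconds; some samples carry them as strings, so coerce."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def triage_record(rec):
    """Return (severity, message) findings for one audit record.

    Envelope records expose the resource under "object"; the integrations
    sample has no envelope, so the record itself is used in that case."""
    obj = rec.get("object", rec)
    rtype = rec.get("resource_type", "integrations" if "changes" in rec else "unknown")
    rid = rec.get("resource_id") or obj.get("id") or obj.get("target_system_id")
    ts = _iso(rec.get("timestamp") or obj.get("updated_at") or 0)
    findings = []

    if rtype in SENSITIVE_RESOURCE_TYPES:
        findings.append(("medium", f"{ts} {rtype} {rid}: changed"))

    # An active key with no description is hard to attribute during an investigation.
    if rtype == "api_keys" and obj.get("active") and not obj.get("description"):
        findings.append(("low", f"{ts} api_keys {rid}: active key {obj.get('name')!r} has no description"))

    if rtype in ("roles", "jit_roles"):
        for perm in obj.get("permissions", []):
            broad = BROAD_ACTIONS & set(perm.get("actions", []))
            # resource_id is null in the samples, i.e. not scoped to a single resource
            if broad and perm.get("resource_id") is None:
                findings.append(("high", f"{ts} {rtype} {rid}: {sorted(broad)} on every {perm.get('resource_type')}"))

    if rtype == "sso_config":
        if obj.get("disableRequestedAuthnContext"):
            findings.append(("medium", f"{ts} sso_config {rid}: RequestedAuthnContext disabled"))
        if str(obj.get("idPssoUrl", "")).startswith("http://"):
            findings.append(("high", f"{ts} sso_config {rid}: IdP SSO URL is not HTTPS"))

    # Integrations records carry explicit old/new values; report widened allow lists.
    for change in obj.get("changes", []):
        if change.get("key") == "allow_list":
            added = set(change.get("new_value", [])) - set(change.get("old_value", []))
            if added:
                findings.append(("medium", f"{ts} integrations {rid}: allow_list gained {sorted(added)}"))
    return findings


def triage(records):
    """Flatten findings over a batch of records, highest severity first (stable)."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((f for rec in records for f in triage_record(rec)), key=lambda f: order[f[0]])


SAMPLE_RECORDS = [  # constructed for this example, shaped after the page's samples
    {"resource_type": "api_keys", "resource_id": "key-1", "timestamp": 1721737050,
     "object": {"id": "key-1", "active": True, "description": "", "name": "Test"}},
    {"resource_type": "roles", "resource_id": "role-1", "timestamp": 1721053823,
     "object": {"id": "role-1", "name": "Copy of admin", "users": ["user-1"],
                "permissions": [{"resource_type": "audit_logs", "resource_id": None, "actions": ["read"]},
                                {"resource_type": "incident-tags-definitions", "resource_id": None,
                                 "actions": ["full_access"]}]}},
    {"resource_type": "sso_config", "resource_id": "sso-1", "timestamp": 1720437978,
     "object": {"disableRequestedAuthnContext": True, "idPissuer": "http://www.okta.com/EXAMPLE",
                "idPssoUrl": "https://example.okta.com/app/bigpanda/EXAMPLE/sso/saml", "provider": "okta"}},
    {"target_system_id": "emailparser.1234", "stream_id": "STREAM-ID", "updated_at": 1706896027,
     "org": "bigpanda", "changes": [{"key": "allow_list", "old_value": ["*@bigpanda.io"],
                                     "new_value": ["*@bigpanda.io", "*@example.com"]}]},
    {"resource_type": "environment", "resource_id": "env-1", "timestamp": 1669032359,
     "object": {"name": "inoc-team", "filter": "zero_impact != \"true\""}},
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_RECORDS):
        print(f"[{severity}] {message}")
```

The environment record produces no finding, which is the intended behaviour: the point of the type-based dispatch is that routine correlation and environment edits stay out of the review queue while key, role, SSO and allow-list changes are always listed.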