Panther can fetch MongoDB Atlas event logs by querying the MongoDB Atlas Administration API for organization and project events. The integration is a direct API integration: an API key is generated in Atlas and its public and private keys are supplied in the Panther Console. Once logs are connected, detections can be applied to analyze the data as it is ingested into Panther.
Use Cases
Common security use cases for monitoring MongoDB Atlas with Panther include:
- Alert on authentication failures that may indicate a brute force attack
- Monitor abnormally high usage and billing
- Find users without MFA enabled
How it Works
Panther’s MongoDB Atlas integration is simple and fast:
- Generate an API key in MongoDB Atlas
- Copy the public and private keys into Panther Console’s “Log Sources” page
- Logs will automatically start pulling from your Atlas clusters
- Ingested logs are parsed and normalized into p_fields so common IoCs can be correlated across all log types
- If an alert fires, investigation tools such as indicator search and data explorer can be used to dig into historical data
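As an added illustration of the first use case above (not code from Panther or MongoDB), the following Panther-style Python rule matches a single Atlas login-failure event and then counts matches per source address over a constructed batch of events. The field names (eventTypeName, username, remoteAddress, created) and the event-type value USER_LOGIN_FAILED are assumptions about the Atlas event payload; confirm them against the schema Panther assigns to your MongoDB Atlas log source.

```python
"""Panther-style detection for repeated MongoDB Atlas login failures (example)."""
from collections import Counter
from typing import Iterable

# Assumed Atlas event type for a failed login; verify against your log schema.
FAILED_LOGIN_EVENT = "USER_LOGIN_FAILED"
# Failures from one source address before the aggregate check reports it.
THRESHOLD = 5


def rule(event: dict) -> bool:
    """Per-event Panther rule: True when the event is a failed login."""
    return event.get("eventTypeName") == FAILED_LOGIN_EVENT


def title(event: dict) -> str:
    """Alert title for a matching event (username and source address)."""
    return (
        f"MongoDB Atlas login failure for {event.get('username', '<unknown>')} "
        f"from {event.get('remoteAddress', '<unknown>')}"
    )


def failures_by_source(events: Iterable[dict]) -> Counter:
    """Count matching events per remote address, the brute-force signal."""
    return Counter(e.get("remoteAddress", "<unknown>") for e in events if rule(e))


def brute_force_sources(events: Iterable[dict]) -> list:
    """Addresses whose failure count reaches THRESHOLD, most frequent first."""
    counts = failures_by_source(events).most_common()
    return [addr for addr, n in counts if n >= THRESHOLD]


# Constructed sample batch: six failures from one address, one from another,
# and one unrelated event type that the rule must ignore.
SAMPLE_EVENTS = [
    {"eventTypeName": FAILED_LOGIN_EVENT, "username": "alice@example.com",
     "remoteAddress": "203.0.113.10", "created": f"2024-01-01T00:00:{i:02d}Z"}
    for i in range(6)
] + [
    {"eventTypeName": FAILED_LOGIN_EVENT, "username": "bob@example.com",
     "remoteAddress": "198.51.100.7", "created": "2024-01-01T00:01:00Z"},
    {"eventTypeName": "CONSTRUCTED_OTHER_EVENT", "username": "alice@example.com",
     "remoteAddress": "203.0.113.10", "created": "2024-01-01T00:02:00Z"},
]

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_EVENTS))  # -> ['203.0.113.10']
```

In a deployed Panther rule only rule() and title() run per event; the per-source counting shown here is normally expressed through the rule's threshold and dedup settings rather than in Python.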
You can learn more about Panther's supported log schemas for MongoDB Atlas here.