Skip to main content

General Settings

Learn how to define the Retention policy, integrate with the Redact service, configure the Audit Schema, and forward log events.

In the Pangea User Console under COMPLIANCE section, select Secure Audit Log and click Settings .

Retention policy

The retention policy settings determine how long audit data will be kept. Log data that has expired and exceeded the retention period cannot be recovered. Ensure your retention policy aligns with your specific needs.

The Secure Audit Log data can be stored in different tiers, each with its own retention policy:

Retention policy tiers on the Secure Audit Log Settings page in the Pangea User Console

Set the retention policy for a Secure Audit Log configuration

Ingested logs are first stored in hot searchable storage for the duration of the configured hot retention window. After that, they move to warm searchable storage for the configured warm retention period. Once the warm period ends, logs are moved to cold storage.

Change the retention policy by updating the unit type and corresponding units to meet your requirements within the allowable limits. Depending on the storage type, you can specify the retention policy periods in Days, Weeks, Months, or Years.

note

You might need to update an old audit configuration to enable tiers in the Secure Audit Log retention policy.

Retention policy screen for an old audit configuration with an option to update it to enable Hot, Warm, and Cold Storage tiers on the Secure Audit Log Settings page in the Pangea User Console

Update a Secure Audit Log configuration to enable Hot, Warm, and Cold tiers in the retention policy settings

In the legacy configurations, the retention policy is determined by the fields appearing after the text Retain audit data for.

Redact log events

The Pangea Redact service integrates with the Pangea Secure Audit log. This integration should be used as a fail-safe measure to prevent the unintentional proliferation of sensitive data within your audit logs.

note

Generally, we recommend omitting personally identifying information or secrets from secure audit logs unless they are protected by redaction.

After enabling the Redact service, you can enable the Redact records option under the Secure Audit Log Settings in the Pangea User Console. Once enabled, select a Redact configuration to use and the audit fields to be redacted. Click Save to apply your selection. The number of applied redaction rules will be displayed in the Redact records item under Secure Audit Log Settings.

To modify the Redact service configuration, click the Configure redaction rules link. Learn more about configuring the redaction rules in the Redact Configuration docs.

Enable Redact Records under Secure Audit Log Settings in the Pangea User Console
Enable Redact Records
tip

If you're integrating the Secure Audit Log and Redact service into your app, the Redact service will, by default, only redact the message, old, and new fields. Review the other parameters, such as actor, available for redaction, as they may be relevant to your use case.

note

You can unredact log events that were redacted with Format Preserving Encryption (FPE) by using the Redact /v1/unredact and /v1/unredact_events endpoints.

Log Signing

Log signing allows you to cryptographically sign a log record for assurance that the content of the log entry has not been modified since created. Logs can also be signed on by the client using the SDK with your own keys that are not provided to Pangea.

To turn on the Log Signing, click the toggle to the enabled position. If the Log Signing service has not been enabled in your project, the enablement modal will appear.

Click Enable to enable the Vault Service. To connect a signing key with Secure Audit Log the Vault service must be enabled first. Now, click Configure a signing key to choose one of the following:

  • Pangea generated - Let Pangea generate the key material for you.

  • Import a key - Bring your own key.

Click Save.

Audit Log Schema

You can view the schema defined for the currently selected audit log configuration. The fields for this schema appear on the right side of the page.

You can adjust a field description, its visibility in the Log Viewer , and whether the field is required.

By following the Create new configuration link, you can create additional configurations .

Audit Log Forwarding

You can configure audit logs to be forwarded to an external data repository using the HTTP Event Collector (HEC) protocol. This enables you to consolidate logs collected by Pangea with your existing data for centralized analysis and reporting.

Crowdstrike (Next-Gen SIEM)

Configure a connector

In your Crowdstrike Falcon console, follow the instructions in Step 1: Configure and activate the Pangea AI Guard data connector in the HEC/HTTP Event Connector guide.

For example:

  1. Navigate to the Data connections page under Next-Gen SIEM >> Data onboarding in your Crowdstrike Falcon console.

  2. Click Add connection in the list of connections.

  3. In the Product filter, select HEC.

  4. Click HEC / HTTP Event Connector in the list.

  5. Click Configure.

  6. On the Add new connector page, enter Data source, Connector name, and Description.

  7. Under Parser details, select a parser.

    Pangea offers a Crowdstrike Next-Gen SIEM parser designed to process events from the AI Guard Activity Log , which is enabled by default when the AI Guard service is activated.

    Select PangeaAIGuardParser if you're forwarding AI Guard activity logs to Crowdstrike.

  8. Accept the terms and conditions, then click Save.

  9. On the connector details page, click Generate API key.

  10. Copy the API key and API URL. You will use these values to configure log forwarding in the Secure Audit Log service.

Set up log forwarding

  1. Select an audit schema.

    On the Secure Audit Log service page in your Pangea User Console , use the schema selector in the top-left to choose the configuration that matches your Crowdstrike parser.

    To forward AI Guard activity logs, select AI Activity Audit Log Schema.

  2. Click General in the sidebar to open the settings for the selected schema.

  3. Under Audit Log Forwarding, toggle the control in the top-right to Enabled.

  4. Set Logging Service to Crowdstrike Next-Gen SIEM.

  5. For Event URL, enter the API URL from your Crowdstrike connector.

  6. Click the Store HEC Token button.

  7. In the New Secret dialog, enter the API key from your Crowdstrike connector in the Secret field.

  8. Click Done.

  9. Click Save to apply the configuration.

  10. Click Test forwarding configuration to validate the setup.

    Successfully tested log forwarding configuration on the Audit Log Forwarding settings page in the Pangea User Console

    A failed test displays an error message, for example:

    Error shown for a failed log forwarding test on the Audit Log Forwarding settings page in the Pangea User Console

To generate real events, return to the service list, open the AI Guard service page, and under Recipes, use the Sandbox feature to send a sample input.

After a few minutes, you should see the forwarded events in your Crowdstrike Falcon console under Next-Gen SIEM >> Advanced event search.

note

The following optional fields are not applicable when using the Crowdstrike Next-Gen SIEM connector:

  • Index
  • Indexer Acknowledgment
  • Provider certificate to use self-signed TLS

Splunk

The provided links offer assistance with the following topics:

To turn on the Audit Log Forwarding, click the toggle to the enabled position. If the Audit Log Forwarding has not been enabled in your project, the enablement modal will appear.

  • Logging Service - Splunk.

  • Event URL - Enter the complete URL for sending events. The URL format is https://<myhost>.<tld>/services/collector/event.

  • Index [Optional] - The Splunk index to pass as part of the HTTP Event Collector (HEC) payload. You can also set this in your HEC token settings.

  • Vault - HEC Token - You will save the HEC token, generated during the HEC setup, within our Pangea Vault service.

  • Provider certificate to use self-signed TLS [Optional] - Do not furnish the public certificate of the private Certificate Authority (CA) that is utilized for verifying the HEC endpoint certificate, unless a public CA like Let's Encrypt was employed.

  • Enable Indexer Acknowledgment [Optional] - Settings for indexer acknowledgment if configured in HEC.

note

Only configure this if the Enable indexer acknowledgment option is enabled in your HEC settings.

  • Acknowledge URL - The verification URL for acknowledgments usually follows this pattern: https://<myhost>.<tld>/services/collector/ack.

  • Channel ID - Required for indexer acknowledgment, the user should supply this ID, which can be generated randomly using the uuidgen command in the terminal.

After everything is configured, save and click Test forwarding configuration to verify that the configuration works. Upon successful completion, you will encounter the following message.

Successfully verified message

In Splunk, you will see a message sent by audit:

Splunk message

In case of failure, a message will appear at the upper part of your screen, explaining the reason. For instance, in this scenario, we have improperly configured the certificates in some manner.

Error message

Was this article helpful?

Contact us