MongoDB Atlas

About
MongoDB Atlas Audit logs record authentication events, authorization decisions, and administrative or database operations occurring within MongoDB Atlas clusters. These logs provide detailed visibility into user activity and security-relevant actions for monitoring, compliance, and threat detection.
Product Details
Vendor URL: MongoDB
Product Type: Audit
Product Tier: Tier II
Integration Method: API
Parser Details
Log Format: JSON
Expected Normalization Rate: 100%
Data Label: MONGO_ATLAS_AUDIT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| t.$date | metadata.event_timestamp |
| msg | metadata.description |
| id | metadata.product_log_id |
| c | metadata.product_event_type |
| s | security_result.severity |
| ctx | additional.fields |
| attr.client | principal.ip : principal.port |
| attr.mechanism | extensions.auth.auth_details |
| attr.user | principal.user.userid |
| attr.db | target.resource.name |
| attr.result | security_result.action |
| attr.doc.application.name | principal.application |
| attr.doc.os.type | principal.platform |
| attr.doc.platform | principal.platform_version |
| attr.doc.driver.name | additional.fields |
| attr.doc.driver.version | additional.fields |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| Successful authentication | USER_LOGIN |
| Logout | USER_LOGOUT |
| Connection events | NETWORK_CONNECTION |
| Other events | GENERIC_EVENT |
Log Sample
{"t":{"$date":"2026-02-08T18:08:15.765+00:00"},"s":"I", "c":"ACCESS", "id":5286306, "ctx":"conn12","msg":"Successfully authenticated","attr":{"client":"10.10.10.10:80","isSpeculative":true,"isClusterMember":true,"mechanism":"SCRAM-SHA-256","user":"test","db":"local","result":0,"metrics":{"conversation_duration":{"micros":13257,"summary":{"0":{"step":1,"step_total":2,"duration_micros":58},"1":{"step":2,"step_total":2,"duration_micros":89}}}},"doc":{"application":{"name":"MongoDB Automation Agent v13.0 (git: a3f7c9d8124e6b90c5d2a1f84e7b6c3d9f0a1b2c)"},"driver":{"name":"mongo-go-driver","version":"v1.12.0-cloud"},"os":{"type":"linux","architecture":"amd64"},"platform":"go1.24"},"extraInfo":{}}}
Sample Parsing
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "MongoDB"
metadata.product_name = "MongoDB Atlas"
metadata.event_timestamp = "2026-02-08T18:08:15Z"
metadata.product_event_type = "ACCESS"
metadata.product_log_id = "5286306"
metadata.description = "Successfully authenticated"
security_result.severity_details = "INFORMATIONAL"
security_result.action = "ALLOW"
principal.ip = "10.10.10.10"
principal.port = 80
principal.user.userid = "test"
extensions.auth.auth_details = "SCRAM-SHA-256"
target.resource.name = "local"
target.resource.type = "DATABASE"
principal.application = "MongoDB Automation Agent v13.0"
principal.platform = LINUX
principal.platform_version = "go1.24"
additional.fields["context"] = "conn12"
additional.fields["driver name"] = "mongo-go-driver"
additional.fields["driver_version"] = "v1.12.0-cloud"
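The field mapping and event classification above, applied to the log sample in Python. This is an added example, not the product's parser code. The non-"I" severity values, the treatment of any nonzero `result` as BLOCK, the message and component match rules in `classify`, and the bracketed IPv6 client form are assumptions.

```python
import json
from datetime import datetime, timezone

# Log sample from this page with the "metrics" and "extraInfo" blocks trimmed.
SAMPLE = ('{"t":{"$date":"2026-02-08T18:08:15.765+00:00"},"s":"I","c":"ACCESS","id":5286306,'
          '"ctx":"conn12","msg":"Successfully authenticated","attr":{"client":"10.10.10.10:80",'
          '"mechanism":"SCRAM-SHA-256","user":"test","db":"local","result":0,"doc":{"application":'
          '{"name":"MongoDB Automation Agent v13.0 (git: a3f7c9d8124e6b90c5d2a1f84e7b6c3d9f0a1b2c)"},'
          '"driver":{"name":"mongo-go-driver","version":"v1.12.0-cloud"},'
          '"os":{"type":"linux","architecture":"amd64"},"platform":"go1.24"}}}')

# Only "I" -> INFORMATIONAL is shown on the page; the other letters are assumed.
SEVERITY = {"F": "CRITICAL", "E": "ERROR", "W": "MEDIUM", "I": "INFORMATIONAL"}

def classify(rec):
    """Event classification table; the msg/component match rules are assumptions."""
    msg = rec.get("msg", "").lower()
    if msg.startswith("successfully authenticated"):
        return "USER_LOGIN"
    if "logout" in msg or "logged out" in msg:
        return "USER_LOGOUT"
    if rec.get("c") == "NETWORK" and "connection" in msg:
        return "NETWORK_CONNECTION"
    return "GENERIC_EVENT"

def to_udm(line):
    rec = json.loads(line)
    attr = rec.get("attr", {})
    doc = attr.get("doc", {})
    ts = datetime.fromisoformat(rec["t"]["$date"]).astimezone(timezone.utc)
    udm = {
        "metadata.event_type": classify(rec),
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "metadata.product_event_type": rec.get("c"),
        "metadata.product_log_id": str(rec["id"]),
        "metadata.description": rec.get("msg"),
        "security_result.severity": SEVERITY.get(rec.get("s"), "UNKNOWN_SEVERITY"),
        "principal.user.userid": attr.get("user"),
        "extensions.auth.auth_details": attr.get("mechanism"),
        "target.resource.name": attr.get("db"),
        # Sample Parsing drops the " (git: ...)" suffix from the application name.
        "principal.application": doc.get("application", {}).get("name", "").split(" (")[0] or None,
        "principal.platform": doc.get("os", {}).get("type", "").upper() or None,
        "principal.platform_version": doc.get("platform"),
    }
    if "result" in attr:  # assumed: 0 is success (ALLOW), any other code is BLOCK
        udm["security_result.action"] = "ALLOW" if attr["result"] == 0 else "BLOCK"
    if attr.get("client"):  # "ip:port"; IPv6 is assumed to arrive as "[addr]:port"
        ip, _, port = attr["client"].rpartition(":")
        udm["principal.ip"], udm["principal.port"] = ip.strip("[]"), int(port)
    return {k: v for k, v in udm.items() if v is not None}
```

Fields absent from a record are left out of the result rather than emitted empty, so a rule that keys on `principal.user.userid` does not match connection events that carry no user.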
Parser Alerting
This product currently does not have any Parser-based Alerting.