AppOmni Logs

Connecting AppOmni logs to your Panther Console

Overview

Panther supports ingesting AppOmni logs via common Data Transport options: HTTP webhook and AWS S3.

AppOmni continuously monitors and normalizes hundreds of event types across critical SaaS applications, including Salesforce, Box, ServiceNow, Workday, Office365, and Zoom. By ingesting these logs into Panther, you can write detections against them and route the resulting alerts through Panther's alerting capabilities.

How to onboard AppOmni logs to Panther

Step 1: Create a new AppOmni source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "AppOmni," then click its tile.

  4. In the Transport Mechanism drop-down, select the data transport method you wish to use for this integration (HTTP webhook or AWS S3).

  5. Click Start Setup.

  6. Follow Panther's instructions for configuring the data transport method you chose.

Step 2: Configure AppOmni to forward logs

  • Configure AppOmni to push logs to the Data Transport destination you created in Step 1 (the HTTP webhook URL or the S3 bucket).

Panther-managed detections

See Panther-managed rules for AppOmni in the panther-analysis GitHub repository.

Supported log types

AppOmni.Alerts

schema: AppOmni.Alerts
description: Alerts logs from AppOmni
referenceURL: https://labs.appomni.com/aces/event.html
fields:
    - name: timestamp
      required: true
      description: Date/time when the event originated.
      rename:
        from: '@timestamp'
      type: timestamp
      timeFormats:
        - rfc3339
    - name: appomni
      required: true
      type: object
      fields:
        - name: alert
          type: object
          fields:
            - name: channel
              description: The channel of a rule is determined by the stage of the rule lifecycle.
              type: string
        - name: event
          type: object
          fields:
            - name: dataset
              description: The dataset of the event. A dataset is generally a collection of similar events.
              type: string
            - name: id
              description: Unique AppOmni-assigned ID of the event.
              type: string
            - name: sortable_event_id
              description: Unique sortable ID of the event assigned when it's collected.
              type: string
            - name: sortable_ingest_id
              description: Unique sortable ID of the event assigned when it arrives in AppOmni's data store.
              type: string
        - name: organization
          type: object
          fields:
            - name: id
              description: ID of the AppOmni Tenant this event originated from.
              type: bigint
    - name: event
      required: true
      type: object
      fields:
        - name: created
          description: Date/time when the event was reported as created in the monitored service.
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: kind
          description: High-level information about what type of information the event contains, without being specific to the contents of the event.
          type: string
        - name: severity
          description: The numeric severity of the event according to the source.
          type: bigint
    - name: message
      required: true
      description: A human-readable summary of the event.
      type: string
    - name: related
      required: true
      type: object
      fields:
        - name: ip
          description: IP addresses related to an event (IPv4 or IPv6).
          type: array
          element:
            type: string
            indicators:
                - ip
        - name: user
          description: User ids related to an event.
          type: array
          element:
            type: string
            indicators:
                - email
        - name: event
          description: Event IDs related to an event, reflecting the AppOmni event ID from `appomni.event.id`.
          type: array
          element:
            type: string
        - name: services
          description: AppOmni Service Ids related to an event.
          type: object
          fields:
            - name: id
              type: array
              element:
                type: bigint
            - name: type
              type: array
              element:
                type: string
    - name: rule
      required: true
      type: object
      fields:
        - name: name
          description: Name of the rule.
          type: string
        - name: ruleset
          description: Name of the ruleset to which the rule is assigned.
          type: string
        - name: threat
          type: object
          fields:
            - name: framework
              description: Name of the threat framework used to classify the tactic and technique of a threat.
              type: string
            - name: tactic
              type: object
              fields:
                - name: id
                  description: ID of the tactic.
                  type: array
                  element:
                    type: string
                - name: name
                  description: Name of the tactic.
                  type: array
                  element:
                    type: string
            - name: technique
              type: object
              fields:
                - name: id
                  description: ID of the technique.
                  type: array
                  element:
                    type: string
                - name: name
                  description: Name of the technique.
                  type: array
                  element:
                    type: string
        - name: uuid
          description: Unique UUID of the rule.
          type: string
        - name: version
          description: Version of the rule.
          type: bigint
    - name: version
      required: true
      description: Version of ACES.
      type: string
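The following is an added example, not code from this page or from the panther-analysis repository: a Panther-style passthrough rule written against an event shaped like the AppOmni.Alerts schema above. Panther calls rule(), title(), severity(), dedup() and alert_context() with its own event object; the PantherEventStub class stands in for that object so the module runs offline. The numeric-to-Panther severity thresholds and the sample alert values are assumptions made for the example (the page does not document AppOmni's severity scale). The same rule/title/severity structure applies to AppOmni.Events, only the field paths change.

```python
"""
Added example: a Panther passthrough rule for AppOmni.Alerts events.
Not part of the Panther page or of panther-analysis.
"""
from typing import Any

# Assumed mapping from AppOmni's numeric event.severity to Panther severity
# levels. The page does not document AppOmni's scale; adjust to your tenant.
SEVERITY_THRESHOLDS = [
    (90, "CRITICAL"),
    (70, "HIGH"),
    (40, "MEDIUM"),
    (10, "LOW"),
]


class PantherEventStub(dict):
    """Minimal stand-in for Panther's event object: a dict plus deep_get()."""

    def deep_get(self, *keys: str, default: Any = None) -> Any:
        node: Any = self
        for key in keys:
            if not isinstance(node, dict) or key not in node:
                return default
            node = node[key]
        return node


def rule(event) -> bool:
    # Fire on every AppOmni alert that names a rule; AppOmni has already done
    # the detection, Panther adds routing, dedup and enrichment.
    return bool(event.deep_get("rule", "name"))


def severity(event) -> str:
    score = event.deep_get("event", "severity", default=0)
    for threshold, level in SEVERITY_THRESHOLDS:
        if score >= threshold:
            return level
    return "INFO"


def title(event) -> str:
    rule_name = event.deep_get("rule", "name", default="<unnamed rule>")
    users = ", ".join(event.deep_get("related", "user", default=[])) or "unknown user"
    return f"AppOmni alert [{rule_name}] for {users}"


def dedup(event) -> str:
    # One Panther alert per (AppOmni rule, user set): repeated hits on the same
    # rule for the same users collapse into a single alert.
    users = "|".join(sorted(event.deep_get("related", "user", default=[])))
    return f"{event.deep_get('rule', 'uuid')}:{users}"


def alert_context(event) -> dict:
    # Surface the ATT&CK mapping and related indicators for the responder.
    return {
        "framework": event.deep_get("rule", "threat", "framework"),
        "tactics": event.deep_get("rule", "threat", "tactic", "name", default=[]),
        "techniques": event.deep_get("rule", "threat", "technique", "id", default=[]),
        "ips": event.deep_get("related", "ip", default=[]),
        "appomni_event_ids": event.deep_get("related", "event", default=[]),
        "tenant": event.deep_get("appomni", "organization", "id"),
    }


# Constructed sample shaped like the AppOmni.Alerts schema; every value is
# invented for this example and does not come from a real tenant.
SAMPLE_ALERT = PantherEventStub({
    "timestamp": "2024-05-01T12:00:00Z",
    "appomni": {
        "alert": {"channel": "production"},
        "event": {"dataset": "alerts", "id": "evt-0001"},
        "organization": {"id": 42},
    },
    "event": {"created": "2024-05-01T11:59:58Z", "kind": "alert", "severity": 75},
    "message": "Suspicious login from new country",
    "related": {
        "ip": ["203.0.113.10"],
        "user": ["alice@example.com"],
        "event": ["evt-0001"],
        "services": {"id": [7], "type": ["salesforce"]},
    },
    "rule": {
        "name": "Login From New Country",
        "ruleset": "Identity",
        "threat": {
            "framework": "MITRE ATT&CK",
            "tactic": {"id": ["TA0001"], "name": ["Initial Access"]},
            "technique": {"id": ["T1078"], "name": ["Valid Accounts"]},
        },
        "uuid": "0f1e2d3c-0000-4000-8000-000000000001",
        "version": 3,
    },
    "version": "1.0",
})
```

Inside Panther the stub class is unnecessary; the rule functions run unchanged because Panther's event object exposes the same deep_get(*keys, default=None) call. Keying dedup on the rule UUID plus the user set keeps a noisy AppOmni rule from paging once per event while still separating different users.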

AppOmni.Events

schema: AppOmni.Events
description: Event logs from AppOmni
referenceURL: https://labs.appomni.com/aces/event.html
fields:
    - name: timestamp
      required: true
      rename:
        from: '@timestamp'
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: application
      type: object
      fields:
        - name: name
          type: string
        - name: scopes
          type: array
          element:
            type: string
            indicators:
                - url
    - name: appomni
      required: true
      type: object
      fields:
        - name: event
          type: object
          fields:
            - name: collected_time
              type: timestamp
              timeFormats:
                - rfc3339
            - name: dataset
              type: string
            - name: id
              type: string
            - name: ingestion_time
              type: timestamp
              timeFormats:
                - rfc3339
        - name: organization
          type: object
          fields:
            - name: id
              type: bigint
        - name: service
          type: object
          fields:
            - name: account_id
              type: string
            - name: id
              type: bigint
            - name: name
              type: string
            - name: type
              type: string
    - name: event
      required: true
      type: object
      fields:
        - name: url
          type: string
        - name: provider
          type: string
        - name: reason
          type: string
        - name: category
          type: array
          element:
            type: string
        - name: id
          type: string
        - name: outcome
          type: string
        - name: type
          type: array
          element:
            type: string
        - name: code
          type: string
        - name: action
          type: string
        - name: created
          type: timestamp
          timeFormats:
            - rfc3339
        - name: dataset
          type: string
        - name: ingested
          type: timestamp
          timeFormats:
            - rfc3339
        - name: kind
          type: string
        - name: module
          type: string
        - name: original
          type: string
    - name: labels
      type: object
      fields:
        - name: device_hash
          type: string
          indicators:
            - sha256
        - name: threat_suspected
          type: boolean
        - name: transaction_id
          type: string
        - name: transaction_type
          type: string
        - name: login_key
          type: string
        - name: application
          type: string
        - name: entities
          type: string
        - name: query
          type: string
        - name: row_count
          type: bigint
        - name: type
          type: string
        - name: repo_visibility
          type: string
        - name: is_hosted_runner
          type: boolean
        - name: source_repository_default_branch
          type: string
        - name: public_repo
          type: boolean
        - name: source_repository_created_date
          type: timestamp
          timeFormats:
            - rfc3339
        - name: source_repository_name
          type: string
        - name: organization_name
          type: string
    - name: message
      type: string
    - name: related
      type: object
      fields:
        - name: identity
          type: array
          element:
            type: string
        - name: resource
          type: array
          element:
            type: string
        - name: ip
          type: array
          element:
            type: string
            indicators:
                - ip
        - name: user
          type: array
          element:
            type: string
            indicators:
                - email
    - name: resource
      type: object
      fields:
        - name: id
          type: string
        - name: name
          type: string
        - name: type
          type: string
    - name: service
      type: object
      fields:
        - name: name
          type: string
        - name: id
          type: bigint
    - name: session
      type: object
      fields:
        - name: kind
          type: string
        - name: id
          type: string
    - name: source
      type: object
      fields:
        - name: host
          type: object
          fields:
            - name: hostname
              type: string
            - name: os
              type: object
              fields:
                - name: name
                  type: string
        - name: as
          type: object
          fields:
            - name: country
              type: string
            - name: domain
              type: string
            - name: number
              type: bigint
            - name: organization
              type: object
              fields:
                - name: name
                  type: string
            - name: type
              type: string
        - name: geo
          type: object
          fields:
            - name: country_name
              type: string
            - name: city_name
              type: string
            - name: country_iso_code
              type: string
            - name: location
              type: object
              fields:
                - name: lat
                  type: float
                - name: lon
                  type: float
            - name: postal_code
              type: string
            - name: region_name
              type: string
            - name: timezone
              type: string
        - name: address
          type: string
          indicators:
            - ip
        - name: ip
          type: string
          indicators:
            - ip
    - name: tags
      type: array
      element:
        type: string
    - name: user
      type: object
      fields:
        - name: full_name
          type: string
        - name: email
          type: string
          indicators:
            - email
        - name: target
          type: object
          fields:
            - name: email
              type: string
              indicators:
                - email
            - name: full_name
              type: string
            - name: id
              type: string
            - name: identity
              type: object
              fields:
                - name: id
                  type: string
                - name: admin
                  type: boolean
                - name: email
                  type: string
                  indicators:
                    - email
                - name: elevated
                  type: boolean
                - name: full_name
                  type: string
            - name: roles
              type: array
              element:
                type: string
            - name: name
              type: string
              indicators:
                - email
        - name: effective
          type: object
          fields:
            - name: hash
              type: string
        - name: id
          type: string
        - name: identity
          type: object
          fields:
            - name: id
              type: string
            - name: admin
              type: boolean
            - name: email
              type: string
              indicators:
                - email
            - name: elevated
              type: boolean
            - name: full_name
              type: string
        - name: roles
          type: array
          element:
            type: string
        - name: name
          type: string
          indicators:
            - email
    - name: user_agent
      type: object
      fields:
        - name: name
          type: string
        - name: os
          type: object
          fields:
            - name: name
              type: string
        - name: original
          type: string
    - name: version
      required: true
      type: string

AppOmni.Policy

schema: AppOmni.Policy
description: Policy logs from AppOmni
referenceURL: https://labs.appomni.com/aces/policy.html
fields:
    - name: message_type
      required: true
      type: string
    - name: version
      required: true
      type: string
    - name: stats
      copy:
        from: data.universal.stats
      type: object
      fields:
        - name: created_event_count
          required: true
          type: bigint
        - name: existing_event_count
          required: true
          type: bigint
        - name: existing_instances_count
          required: true
          type: bigint
        - name: instances_resolved_count
          required: true
          type: bigint
        - name: new_instances_count
          required: true
          type: bigint
        - name: reopened_event_count
          required: true
          type: bigint
        - name: resolved_event_count
          required: true
          type: bigint
        - name: total_instances_count
          required: true
          type: bigint
    - name: events
      copy:
        from: data.universal.events
      type: array
      element:
        type: object
        fields:
            - name: audit_date
              required: true
              type: timestamp
              timeFormats:
                - rfc3339
            - name: audit_id
              required: true
              type: bigint
            - name: automated
              required: true
              type: boolean
            - name: control_id
              type: bigint
            - name: created
              required: true
              type: timestamp
              timeFormats:
                - rfc3339
            - name: existing_instances_count
              required: true
              type: bigint
            - name: external_id
              required: true
              type: string
            - name: finding_detail
              required: true
              type: string
            - name: id
              required: true
              type: string
            - name: implementation_id
              required: true
              type: string
            - name: last_activated
              required: true
              type: timestamp
              timeFormats:
                - rfc3339
            - name: new_instances_count
              required: true
              type: bigint
            - name: perspective_id
              required: true
              type: bigint
            - name: perspective_type
              required: true
              type: string
            - name: perspective_username
              required: true
              type: string
            - name: risk_score
              required: true
              type: bigint
            - name: rule_external_id
              type: bigint
            - name: rule_id
              required: true
              type: bigint
            - name: status
              required: true
              type: string
            - name: target_entity
              required: true
              type: object
              fields:
                - name: primary_target_api_name
                  type: string
                - name: primary_target_api_id
                  type: string
                - name: secondary_target_label
                  type: string
                - name: md_kind
                  type: string
                - name: md_version
                  type: string
                - name: primary_target_label
                  type: string
            - name: total_instances_count
              required: true
              type: bigint
    - name: policy_assessment
      copy:
        from: data.universal.policy_assessment
      type: object
      fields:
        - name: completion_date
          required: true
          type: timestamp
          timeFormats:
            - rfc3339
          isEventTime: true
        - name: created
          required: true
          type: timestamp
          timeFormats:
            - rfc3339
        - name: evaluation_stats
          required: true
          type: json
        - name: failed_assessments
          required: true
          type: bigint
        - name: id
          required: true
          type: string
        - name: monitored_services
          required: true
          type: array
          element:
            type: object
            fields:
                - name: id
                  type: string
                - name: name
                  type: string
                - name: service_id
                  type: string
                - name: service_type
                  type: string
                - name: tags
                  type: array
                  element:
                    type: object
                    fields:
                        - name: id
                          type: string
                        - name: name
                          type: string
                        - name: tag_type
                          type: string
        - name: target_assessment_count
          required: true
          type: bigint
    - name: policy
      copy:
        from: data.universal.policy
      type: object
      fields:
        - name: external_id
          required: true
          type: string
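The schemas above use two Panther schema directives that determine which paths your detections query: `rename` (AppOmni.Alerts and AppOmni.Events move `@timestamp` to `timestamp`) and `copy` (AppOmni.Policy duplicates `data.universal.stats`, `events`, `policy_assessment` and `policy` to the top level). The following is an added example, not Panther's own code, that reproduces the effect of those two directives on a raw message so the resulting shape can be inspected offline. The sample messages are constructed, and reading `new_instances_count > 0` as "this policy event introduced new failing instances" is an assumption; the page does not define the counter further.

```python
"""
Added example: reproduces Panther's `rename` and `copy` schema transforms for
the AppOmni.Policy / AppOmni.Alerts schemas. Panther applies these itself at
ingest; this code is illustrative and is not Panther's implementation.
"""
import copy
from typing import Any

# Declared in AppOmni.Policy above: top-level fields copied from data.universal.*
POLICY_COPIES = [
    ("stats", "data.universal.stats"),
    ("events", "data.universal.events"),
    ("policy_assessment", "data.universal.policy_assessment"),
    ("policy", "data.universal.policy"),
]
# Declared in AppOmni.Alerts and AppOmni.Events above: '@timestamp' -> 'timestamp'
ALERT_RENAMES = [("timestamp", "@timestamp")]


def deep_get(obj: Any, path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if a hop is missing."""
    node = obj
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def normalize(raw: dict, copies=(), renames=()) -> dict:
    """Apply the schema transforms: rename moves a key, copy duplicates a subtree."""
    out = copy.deepcopy(raw)
    for target, source in renames:
        if source in out:          # rename: the source key disappears
            out[target] = out.pop(source)
    for target, source in copies:
        value = deep_get(out, source)
        if value is not None:      # copy: the source subtree stays where it was
            out[target] = copy.deepcopy(value)
    return out


def events_with_new_instances(normalized: dict) -> list:
    """IDs of policy events whose new_instances_count is positive (assumed to mean
    the event introduced new failing instances; the page does not define it)."""
    return [
        e["id"] for e in normalized.get("events", [])
        if e.get("new_instances_count", 0) > 0
    ]


# Constructed sample messages; all values are invented for this example.
RAW_POLICY = {
    "message_type": "policy_assessment",
    "version": "1.0",
    "data": {
        "universal": {
            "stats": {"created_event_count": 1, "new_instances_count": 3,
                      "resolved_event_count": 0, "total_instances_count": 5},
            "events": [
                {"id": "pe-1", "rule_id": 10, "status": "open",
                 "new_instances_count": 3, "total_instances_count": 3},
                {"id": "pe-2", "rule_id": 11, "status": "open",
                 "new_instances_count": 0, "total_instances_count": 2},
            ],
            "policy_assessment": {"id": "pa-1", "failed_assessments": 1,
                                  "completion_date": "2024-05-01T12:00:00Z"},
            "policy": {"external_id": "pol-1"},
        }
    },
}
RAW_ALERT = {"@timestamp": "2024-05-01T12:00:00Z", "message": "example"}
```

The practical consequence for rule authors: query `stats.new_instances_count` or `policy_assessment.failed_assessments` at the top level rather than the raw `data.universal.*` path, and query `timestamp`, not `@timestamp`, on Alerts and Events.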