AppOmni continuously monitors and normalizes hundreds of event types across critical SaaS applications, including Salesforce, Box, ServiceNow, Workday, Office365, and Zoom. By ingesting these logs into Panther, you can write detections against them and use Panther's alerting capabilities.
How to onboard AppOmni logs to Panther
Step 1: Create a new AppOmni source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "AppOmni," then click its tile.
In the Transport Mechanism drop-down, select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
AppOmni.Alerts

```yaml
schema: AppOmni.Alerts
description: Alerts logs from AppOmni
referenceURL: https://labs.appomni.com/aces/event.html
fields:
  - name: timestamp
    required: true
    description: Date/time when the event originated.
    rename:
      from: '@timestamp'
    type: timestamp
    timeFormats:
      - rfc3339
  - name: appomni
    required: true
    type: object
    fields:
      - name: alert
        type: object
        fields:
          - name: channel
            description: The channel of a rule is determined by the stage of the rule lifecycle.
            type: string
      - name: event
        type: object
        fields:
          - name: dataset
            description: The dataset of the event. A dataset is generally a collection of similar events.
            type: string
          - name: id
            description: Unique AppOmni-assigned ID of the event.
            type: string
          - name: sortable_event_id
            description: Unique sortable ID of the event assigned when it's collected.
            type: string
          - name: sortable_ingest_id
            description: Unique sortable ID of the event assigned when it arrives in AppOmni's data store.
            type: string
      - name: organization
        type: object
        fields:
          - name: id
            description: ID of the AppOmni Tenant this event originated from.
            type: bigint
  - name: event
    required: true
    type: object
    fields:
      - name: created
        description: Date/time when the event was reported as created in the monitored service.
        type: timestamp
        timeFormats:
          - rfc3339
        isEventTime: true
      - name: kind
        description: High-level information about what type of information the event contains, without being specific to the contents of the event.
        type: string
      - name: severity
        description: The numeric severity of the event according to the source.
        type: bigint
  - name: message
    required: true
    description: A human-readable summary of the event.
    type: string
  - name: related
    required: true
    type: object
    fields:
      - name: ip
        description: IP addresses related to an event (IPv4 or IPv6).
        type: array
        element:
          type: string
          indicators:
            - ip
      - name: user
        description: User IDs related to an event.
        type: array
        element:
          type: string
          indicators:
            - email
      - name: event
        description: Event IDs related to an event, reflecting the AppOmni event ID from `appomni.event.id`.
        type: array
        element:
          type: string
      - name: services
        description: AppOmni service IDs related to an event.
        type: object
        fields:
          - name: id
            type: array
            element:
              type: bigint
          - name: type
            type: array
            element:
              type: string
  - name: rule
    required: true
    type: object
    fields:
      - name: name
        description: Name of the rule.
        type: string
      - name: ruleset
        description: Name of the ruleset to which the rule is assigned.
        type: string
      - name: threat
        type: object
        fields:
          - name: framework
            description: Name of the threat framework used to classify the tactic and technique of a threat.
            type: string
          - name: tactic
            type: object
            fields:
              - name: id
                description: ID of the tactic.
                type: array
                element:
                  type: string
              - name: name
                description: Name of the tactic.
                type: array
                element:
                  type: string
          - name: technique
            type: object
            fields:
              - name: id
                description: ID of the technique.
                type: array
                element:
                  type: string
              - name: name
                description: Name of the technique.
                type: array
                element:
                  type: string
      - name: uuid
        description: Unique UUID of the rule.
        type: string
      - name: version
        description: Version of the rule.
        type: bigint
  - name: version
    required: true
    description: Version of ACES.
    type: string
```
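To show what the schema above does to an incoming AppOmni alert, and what a detection written against the resulting log looks like, here is an added example (not Panther's or AppOmni's own code). It walks a constructed sample alert through the schema's `rename`, `required`, `isEventTime` and `indicators` directives the way Panther's ingestion does, then runs a Panther-style `rule()` / `title()` / `severity()` over the normalized event. The field paths come from the schema on this page; the `p_event_time`, `p_any_ip_addresses` and `p_any_emails` output columns are Panther's standard enrichment fields, and the severity thresholds in `severity()` are assumptions, since the page does not state AppOmni's numeric severity scale.

```python
from datetime import datetime

# Constructed sample AppOmni ACES alert; every value here is made up.
SAMPLE_EVENT = {
    "@timestamp": "2024-03-01T12:00:05Z",
    "appomni": {
        "alert": {"channel": "production"},
        "event": {"dataset": "salesforce.login", "id": "evt-0001",
                  "sortable_event_id": "01", "sortable_ingest_id": "02"},
        "organization": {"id": 4242},
    },
    "event": {"created": "2024-03-01T11:59:58Z", "kind": "alert", "severity": 8},
    "message": "Login from unmanaged IP by privileged user",
    "related": {
        "ip": ["203.0.113.7"],
        "user": ["admin@example.com"],
        "event": ["evt-0001"],
        "services": {"id": [17], "type": ["salesforce"]},
    },
    "rule": {
        "name": "Privileged login from unmanaged IP",
        "ruleset": "Salesforce",
        "threat": {"framework": "MITRE ATT&CK",
                   "tactic": {"id": ["TA0001"], "name": ["Initial Access"]},
                   "technique": {"id": ["T1078"], "name": ["Valid Accounts"]}},
        "uuid": "00000000-0000-4000-8000-000000000000",
        "version": 3,
    },
    "version": "1.0",
}

# The schema directives that affect normalization, transcribed from AppOmni.Alerts.
REQUIRED = ["timestamp", "appomni", "event", "message", "related", "rule", "version"]
RENAMES = {"@timestamp": "timestamp"}            # rename: from '@timestamp'
EVENT_TIME = ("event", "created")                # isEventTime: true
INDICATORS = {                                   # indicators: ip / email
    "p_any_ip_addresses": ("related", "ip"),
    "p_any_emails": ("related", "user"),
}


def deep_get(obj, *keys, default=None):
    """Safe nested lookup; Panther's event object exposes the same idea as deep_get."""
    for key in keys:
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def normalize(raw):
    """Apply rename / required / isEventTime / indicators to one raw alert."""
    event = dict(raw)
    for src, dst in RENAMES.items():
        if src in event:
            event[dst] = event.pop(src)
    missing = [name for name in REQUIRED if name not in event]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    # rfc3339 timestamp; the trailing Z is rewritten so fromisoformat accepts it everywhere.
    created = deep_get(event, *EVENT_TIME)
    event["p_event_time"] = datetime.fromisoformat(created.replace("Z", "+00:00"))
    for column, path in INDICATORS.items():
        event[column] = sorted(set(deep_get(event, *path, default=[])))
    return event


# Panther-style detection over the normalized event. Thresholds are assumptions.
def rule(event):
    """Fire on production-channel alerts with severity >= 7 that carry an ATT&CK tactic."""
    return (
        deep_get(event, "appomni", "alert", "channel") == "production"
        and (deep_get(event, "event", "severity", default=0) or 0) >= 7
        and bool(deep_get(event, "rule", "threat", "tactic", "id", default=[]))
    )


def title(event):
    users = ", ".join(event.get("p_any_emails", [])) or "unknown user"
    return (f"AppOmni: {deep_get(event, 'rule', 'name')} "
            f"[{deep_get(event, 'appomni', 'event', 'dataset')}] for {users}")


def severity(event):
    """Map the source's numeric severity onto Panther's levels (assumed cut-offs)."""
    score = deep_get(event, "event", "severity", default=0) or 0
    if score >= 9:
        return "CRITICAL"
    if score >= 7:
        return "HIGH"
    if score >= 4:
        return "MEDIUM"
    return "LOW"


if __name__ == "__main__":
    normalized = normalize(SAMPLE_EVENT)
    if rule(normalized):
        print(severity(normalized), title(normalized), normalized["p_any_ip_addresses"])
```

The `normalize` step is what makes the detection portable: the rule reads `related.user` through the `p_any_emails` column and `event.created` through `p_event_time`, so the same rule works for any log type whose schema declares the same indicators and event time.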