AppOmni Logs
Connecting AppOmni logs to your Panther Console
Overview
Panther supports ingesting AppOmni logs via common Data Transport options: HTTP webhook and AWS S3.
AppOmni continuously monitors and normalizes hundreds of event types across critical SaaS applications, including Salesforce, Box, ServiceNow, Workday, Office365, and Zoom. By ingesting these log into Panther, you can access Panther's alerting capabilities.
How to onboard AppOmni logs to Panther
Step 1: Create a new AppOmni source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "AppOmni," then click its tile.
In the Transport Mechanism drop-down, select the data transport method you wish to use for this integration, then follow Panther's instructions for configuring the method:
Click Start Setup.
Follow the Panther instructions for configuring the data transport method you chose:
Panther's instructions for configuring an HTTP Source
For the authentication method, choose Shared secret or Bearer.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Step 2: Configure AppOmni to forward logs
Configure AppOmni to push logs to the Data Transport source.
See AppOmni's documentation for instructions on pushing logs to your selected Data Transport source.
Panther-managed detections
See Panther-managed rules for AppOmni in the panther-analysis GitHub repository.
Supported log types
AppOmni.Alerts
schema: AppOmni.Alerts
description: Alerts logs from AppOmni
referenceURL: https://labs.appomni.com/aces/event.html
fields:
- name: timestamp
required: true
description: Date/time when the event originated.
rename:
from: '@timestamp'
type: timestamp
timeFormats:
- rfc3339
- name: appomni
required: true
type: object
fields:
- name: alert
type: object
fields:
- name: channel
description: The channel of a rule is determined by the stage of the rule lifecycle.
type: string
- name: event
type: object
fields:
- name: dataset
description: The dataset of the event. A dataset is generally a collection of similar events.
type: string
- name: id
description: Unique AppOmni-assigned ID of the event.
type: string
- name: sortable_event_id
description: Unique sortable ID of the event assigned when it's collected.
type: string
- name: sortable_ingest_id
description: Unique sortable ID of the event assigned when it arrives in AppOmni's data store.
type: string
- name: organization
type: object
fields:
- name: id
description: ID of the AppOmni Tenant this event originated from.
type: bigint
- name: event
required: true
type: object
fields:
- name: created
description: Date/time when the event was reported as created in the monitored service.
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: kind
description: high-level information about what type of information the event contains, without being specific to the contents of the event.
type: string
- name: severity
description: The numeric severity of the event according to the source.
type: bigint
- name: message
required: true
description: A human-readable summary of the event.
type: string
- name: related
required: true
type: object
fields:
- name: ip
description: IP addresses related to an event (IPv4 or IPv6.)
type: array
element:
type: string
indicators:
- ip
- name: user
description: User ids related to an event.
type: array
element:
type: string
indicators:
- email
- name: event
description: Event ids related to an event. Reflecting the AppOmni Event Id from `appomni.event.id`
type: array
element:
type: string
- name: services
description: AppOmni Service Ids related to an event.
type: object
fields:
- name: id
type: array
element:
type: bigint
- name: type
type: array
element:
type: string
- name: rule
required: true
type: object
fields:
- name: name
description: Name of the rule.
type: string
- name: ruleset
description: Name of the ruleset for which the rule is assigned.
type: string
- name: threat
type: object
fields:
- name: framework
description: Name of the threat framework used to classify the tactic and technique of a threat.
type: string
- name: tactic
type: object
fields:
- name: id
description: ID of the tactic.
type: array
element:
type: string
- name: name
description: Name of the tactic.
type: array
element:
type: string
- name: technique
type: object
fields:
- name: id
description: ID of the technique.
type: array
element:
type: string
- name: name
description: Name of the technique.
type: array
element:
type: string
- name: uuid
description: Unique UUID of the rule.
type: string
- name: version
description: Version of the rule.
type: bigint
- name: version
required: true
description: Version of ACES.
type: stringAppOmni.Events
schema: AppOmni.Events
description: Event logs from AppOmni
referenceURL: https://labs.appomni.com/aces/event.html
fields:
- name: timestamp
required: true
rename:
from: '@timestamp'
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: application
type: object
fields:
- name: name
type: string
- name: scopes
type: array
element:
type: string
indicators:
- url
- name: appomni
required: true
type: object
fields:
- name: event
type: object
fields:
- name: collected_time
type: timestamp
timeFormats:
- rfc3339
- name: dataset
type: string
- name: id
type: string
- name: ingestion_time
type: timestamp
timeFormats:
- rfc3339
- name: organization
type: object
fields:
- name: id
type: bigint
- name: service
type: object
fields:
- name: account_id
type: string
- name: id
type: bigint
- name: name
type: string
- name: type
type: string
- name: event
required: true
type: object
fields:
- name: url
type: string
- name: provider
type: string
- name: reason
type: string
- name: category
type: array
element:
type: string
- name: id
type: string
- name: outcome
type: string
- name: type
type: array
element:
type: string
- name: code
type: string
- name: action
type: string
- name: created
type: timestamp
timeFormats:
- rfc3339
- name: dataset
type: string
- name: ingested
type: timestamp
timeFormats:
- rfc3339
- name: kind
type: string
- name: module
type: string
- name: original
type: string
- name: labels
type: object
fields:
- name: device_hash
type: string
indicators:
- sha256
- name: threat_suspected
type: boolean
- name: transaction_id
type: string
- name: transaction_type
type: string
- name: login_key
type: string
- name: application
type: string
- name: entities
type: string
- name: query
type: string
- name: row_count
type: bigint
- name: type
type: string
- name: repo_visibility
type: string
- name: is_hosted_runner
type: boolean
- name: source_repository_default_branch
type: string
- name: public_repo
type: boolean
- name: source_repository_created_date
type: timestamp
timeFormats:
- rfc3339
- name: source_repository_name
type: string
- name: organization_name
type: string
- name: message
type: string
- name: related
type: object
fields:
- name: identity
type: array
element:
type: string
- name: resource
type: array
element:
type: string
- name: ip
type: array
element:
type: string
indicators:
- ip
- name: user
type: array
element:
type: string
indicators:
- email
- name: resource
type: object
fields:
- name: id
type: string
- name: name
type: string
- name: type
type: string
- name: service
type: object
fields:
- name: name
type: string
- name: id
type: bigint
- name: session
type: object
fields:
- name: kind
type: string
- name: id
type: string
- name: source
type: object
fields:
- name: host
type: object
fields:
- name: hostname
type: string
- name: os
type: object
fields:
- name: name
type: string
- name: as
type: object
fields:
- name: country
type: string
- name: domain
type: string
- name: number
type: bigint
- name: organization
type: object
fields:
- name: name
type: string
- name: type
type: string
- name: geo
type: object
fields:
- name: country_name
type: string
- name: city_name
type: string
- name: country_iso_code
type: string
- name: location
type: object
fields:
- name: lat
type: float
- name: lon
type: float
- name: postal_code
type: string
- name: region_name
type: string
- name: timezone
type: string
- name: address
type: string
indicators:
- ip
- name: ip
type: string
indicators:
- ip
- name: tags
type: array
element:
type: string
- name: user
type: object
fields:
- name: full_name
type: string
- name: email
type: string
indicators:
- email
- name: target
type: object
fields:
- name: email
type: string
indicators:
- email
- name: full_name
type: string
- name: id
type: string
- name: identity
type: object
fields:
- name: id
type: string
- name: admin
type: boolean
- name: email
type: string
indicators:
- email
- name: elevated
type: boolean
- name: full_name
type: string
- name: roles
type: array
element:
type: string
- name: name
type: string
indicators:
- email
- name: effective
type: object
fields:
- name: hash
type: string
- name: id
type: string
- name: identity
type: object
fields:
- name: id
type: string
- name: admin
type: boolean
- name: email
type: string
indicators:
- email
- name: elevated
type: boolean
- name: full_name
type: string
- name: roles
type: array
element:
type: string
- name: name
type: string
indicators:
- email
- name: user_agent
type: object
fields:
- name: name
type: string
- name: os
type: object
fields:
- name: name
type: string
- name: original
type: string
- name: version
required: true
type: stringAppOmni.Policy
schema: AppOmni.Policy
description: Policy logs from AppOmni
referenceURL: https://labs.appomni.com/aces/policy.html
fields:
- name: message_type
required: true
type: string
- name: version
required: true
type: string
- name: stats
copy:
from: data.universal.stats
type: object
fields:
- name: created_event_count
required: true
type: bigint
- name: existing_event_count
required: true
type: bigint
- name: existing_instances_count
required: true
type: bigint
- name: instances_resolved_count
required: true
type: bigint
- name: new_instances_count
required: true
type: bigint
- name: reopened_event_count
required: true
type: bigint
- name: resolved_event_count
required: true
type: bigint
- name: total_instances_count
required: true
type: bigint
- name: events
copy:
from: data.universal.events
type: array
element:
type: object
fields:
- name: audit_date
required: true
type: timestamp
timeFormats:
- rfc3339
- name: audit_id
required: true
type: bigint
- name: automated
required: true
type: boolean
- name: control_id
type: bigint
- name: created
required: true
type: timestamp
timeFormats:
- rfc3339
- name: existing_instances_count
required: true
type: bigint
- name: external_id
required: true
type: string
- name: finding_detail
required: true
type: string
- name: id
required: true
type: string
- name: implementation_id
required: true
type: string
- name: last_activated
required: true
type: timestamp
timeFormats:
- rfc3339
- name: new_instances_count
required: true
type: bigint
- name: perspective_id
required: true
type: bigint
- name: perspective_type
required: true
type: string
- name: perspective_username
required: true
type: string
- name: risk_score
required: true
type: bigint
- name: rule_external_id
type: bigint
- name: rule_id
required: true
type: bigint
- name: status
required: true
type: string
- name: target_entity
required: true
type: object
fields:
- name: primary_target_api_name
type: string
- name: primary_target_api_id
type: string
- name: secondary_target_label
type: string
- name: md_kind
type: string
- name: md_version
type: string
- name: primary_target_label
type: string
- name: total_instances_count
required: true
type: bigint
- name: policy_assessment
copy:
from: data.universal.policy_assessment
type: object
fields:
- name: completion_date
required: true
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
- name: created
required: true
type: timestamp
timeFormats:
- rfc3339
- name: evaluation_stats
required: true
type: json
- name: failed_assessments
required: true
type: bigint
- name: id
required: true
type: string
- name: monitored_services
required: true
type: array
element:
type: object
fields:
- name: id
type: string
- name: name
type: string
- name: service_id
type: string
- name: service_type
type: string
- name: tags
type: array
element:
type: object
fields:
- name: id
type: string
- name: name
type: string
- name: tag_type
type: string
- name: target_assessment_count
required: true
type: bigint
- name: policy
copy:
from: data.universal.policy
type: object
fields:
- name: external_id
required: true
type: string
- name: id
required: true
type: string
- name: mode
required: true
type: string
- name: name
required: true
type: string
- name: policy_type
required: true
type: string
- name: results_url
required: true
type: string
indicators:
- url
- name: role
required: true
type: string
- name: url
required: true
type: string
indicators:
- urlLast updated
