Axonius Logs (Beta)

Connecting Axonius logs in your Panther Console

Overview

The Axonius log integration is in open beta starting with Panther version 1.115, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther ingests Axonius activity logs by configuring Axonius to send logs to an HTTP endpoint in Panther.

Axonius is a cybersecurity asset management platform that provides visibility and control over devices, users, and software in your environment.

How to onboard Axonius logs to Panther

Step 1: Create a new Axonius source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Axonius", then click its tile.

  4. In the slide-out panel, click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • When setting the Auth method for the source, choose between shared secret, bearer, and basic authentication. Shared secret is recommended.

      • If you select SharedSecret, the Header Name will be locked with a value of x-panther-axonius.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create an HTTPS webhook in Axonius

  • Create an HTTPS webhook in Axonius by following the instructions on the Axonius Configuring HTTPS Log Settings documentation.

    • In the HTTPS logs host field, enter the URL you generated in Step 1.

    • Configure the authentication based on the method you used in Step 1:

      • If you used shared secret authentication, in the Custom request headers (JSON format), enter {"x-panther-axonius": "<your-shared-secret-token>"}.

      • If you used bearer authentication, in the Authorization header field, enter Bearer <your-bearer-token>.

      • If you used basic authentication, in the Authorization header field, enter Basic <your-basic-token>.

Supported log types

Axonius.Activity

schema: Axonius.Activity
description: Activity events from Axonius activity logging
referenceURL: https://docs.axonius.com/docs/activities
fields:
  - name: time
    required: true
    description: Timestamp of when the event was generated
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: source
    required: true
    description: The source system generating the activity event
    type: string
  - name: event
    required: true
    description: Collection of fields related to the activity event
    type: object
    fields:
      - name: action
        required: true
        description: The specific action that was performed
        type: string
      - name: category
        required: true
        description: The category of the activity event
        type: string
      - name: type
        required: true
        description: The type/severity level of the event
        type: string
      - name: user
        description: The user associated with the event (user-initiated actions)
        type: string
      - name: params
        description: Additional parameters and details about the event (structure varies by event category)
        type: object
        fields:
          - name: source
            description: The source system or integration involved in the action (UserManagement events)
            type: string
          - name: user_name
            description: The username or email of the user involved in the action (UserManagement events)
            type: string
          - name: adapter
            description: The adapter name involved in the action (CustomDiscovery, Adapters events)
            type: string
          - name: client_id
            description: The client identifier for the adapter instance (Adapters events)
            type: string
          - name: devices_count
            description: The number of devices processed (Adapters events)
            type: bigint
          - name: users_count
            description: The number of users processed (Adapters events)
            type: bigint
          - name: duration
            description: The duration of the adapter operation in HH:MM:SS format (Adapters events)
            type: string
          - name: generic_counts_msg
            description: Detailed counts message with comprehensive statistics about processed entities (Adapters events)
            type: string
          - name: space_id
            description: The unique identifier for the dashboard space (Dashboard events)
            type: string
          - name: space_name
            description: The human-readable name of the dashboard space (Dashboard events)
            type: string
          - name: ip
            description: The IP address associated with the user session (UserSession events)
            type: string
            indicators:
              - ip
          - name: status
            description: The status of the authentication attempt (UserSession events)
            type: string
          - name: name
            description: The name of the enforcement rule, policy, workflow, or saved query (Enforcements, Workflows, SavedQueries events)
            type: string
          - name: access_type
            description: The access level of the saved query (SavedQueries events)
            type: string
          - name: module
            description: The data module that the saved query targets (SavedQueries events)
            type: string
          - name: action_name
            description: The descriptive name of the action being executed (RunAction events)
            type: string
          - name: enforcement
            description: The enforcement rule identifier being executed (Enforcements RunAction events)
            type: string
          - name: workflow
            description: The workflow identifier or name being executed (Workflows RunAction events)
            type: string
          - name: run_id
            description: The execution run identifier for tracking action execution (RunAction events)
            type: string
          - name: id
            description: The unique identifier of the data item being accessed (Users ViewItem events)
            type: string
          - name: config_id
            description: The webhook configuration identifier (WebhookManagement events)
            type: string
          - name: vendor_name
            description: The external vendor or service name (WebhookManagement events)
            type: string
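A worked detection against this schema, added here as an example and not code from Panther or Axonius. It is a Panther-style rule (rule, title, severity, dedup functions) evaluated over constructed Axonius.Activity events: it fires on failed console logins (UserSession events with a non-success status, grouped per source IP) and on any WebhookManagement change, since edits to the HTTPS log settings can silence the very pipeline set up above. Assumptions: the category strings follow the parenthesised names in the field descriptions, params.status is "success" on a good login, and the inlined deep_get() stands in for Panther's event.deep_get() helper.

```python
"""
Added example, not code from Panther or Axonius: a Panther-style detection
rule run against constructed Axonius.Activity events.

Panther rules define rule(event), title(event), severity(event) and dedup(event)
and receive an event object with .get()/.deep_get(). Here events are plain dicts
and deep_get() is inlined so the module runs stand-alone. Assumptions: category
strings follow the parenthesised names in the schema descriptions, and
params.status is "success" on a good login and something else on a failed one.
"""

from typing import Any, Mapping

# Assumed Axonius value for a successful authentication attempt (not confirmed).
STATUS_SUCCESS = "success"


def deep_get(event: Mapping[str, Any], *keys: str, default: Any = None) -> Any:
    """Safely walk nested mappings; stands in for Panther's deep_get helper."""
    current: Any = event
    for key in keys:
        if not isinstance(current, Mapping) or key not in current:
            return default
        current = current[key]
    return default if current is None else current


def rule(event: Mapping[str, Any]) -> bool:
    """Fire on failed console logins and on any change to webhook (log export) config."""
    category = deep_get(event, "event", "category")
    if category == "UserSession":
        status = deep_get(event, "event", "params", "status")
        # Session events without a status (e.g. logout) are not auth attempts.
        if status is None:
            return False
        return str(status).lower() != STATUS_SUCCESS
    if category == "WebhookManagement":
        # Edits to the HTTPS log forwarding config can cut off this log source.
        return True
    return False


def severity(event: Mapping[str, Any]) -> str:
    """Tampering with log forwarding outranks a single failed login."""
    if deep_get(event, "event", "category") == "WebhookManagement":
        return "HIGH"
    return "MEDIUM"


def title(event: Mapping[str, Any]) -> str:
    user = deep_get(event, "event", "user", default="<unknown user>")
    action = deep_get(event, "event", "action", default="<unknown action>")
    category = deep_get(event, "event", "category", default="<unknown>")
    if category == "UserSession":
        ip = deep_get(event, "event", "params", "ip", default="<no ip>")
        return f"Axonius failed login for {user} from {ip}"
    return f"Axonius {category} change: {action} by {user}"


def dedup(event: Mapping[str, Any]) -> str:
    """Group failed logins per source IP so a password spray collapses into one alert."""
    ip = deep_get(event, "event", "params", "ip")
    if ip:
        return ip
    return deep_get(event, "event", "category", default="Axonius.Activity")


# Constructed sample events in the Axonius.Activity shape (not real Axonius output).
FAILED_LOGIN = {
    "time": 1717000000,
    "source": "axonius",
    "event": {
        "action": "login",
        "category": "UserSession",
        "type": "error",
        "user": "alice@example.com",
        "params": {"ip": "203.0.113.7", "status": "failure"},
    },
}
OK_LOGIN = {
    "time": 1717000060,
    "source": "axonius",
    "event": {
        "action": "login",
        "category": "UserSession",
        "type": "info",
        "user": "alice@example.com",
        "params": {"ip": "198.51.100.2", "status": "success"},
    },
}
WEBHOOK_CHANGE = {
    "time": 1717000120,
    "source": "axonius",
    "event": {
        "action": "update",
        "category": "WebhookManagement",
        "type": "info",
        "user": "bob@example.com",
        "params": {"config_id": "wh-42", "vendor_name": "panther"},
    },
}
ADAPTER_FETCH = {
    "time": 1717000180,
    "source": "axonius",
    "event": {
        "action": "fetch",
        "category": "Adapters",
        "type": "info",
        "params": {"adapter": "aws", "client_id": "acct-1", "devices_count": 120},
    },
}

if __name__ == "__main__":
    for sample in (FAILED_LOGIN, OK_LOGIN, WEBHOOK_CHANGE, ADAPTER_FETCH):
        if rule(sample):
            print(severity(sample), title(sample), f"dedup={dedup(sample)}")
```

In a real Panther deployment the same functions live in a rule file attached to the Axonius.Activity log type, with the threshold and deduplication window set in the rule's YAML so that several failed logins from one IP roll up into a single alert rather than one alert per event.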
