Hex Logs

Panther supports ingesting audit logs from Hex via webhook

Overview

Panther can receive real-time audit log events from Hex via webhook. This integration provides visibility into user activity across your Hex workspace, including project access, data exports, and administrative actions, enabling security monitoring and compliance auditing.

How to onboard Hex audit logs to Panther

Prerequisites

To set up this integration, you must be a Hex workspace admin with access to Settings > Audit Logs.

Step 1: Create a new Hex log source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Hex", then click its tile.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- You will be required to use shared secret authentication.
- Payloads sent to this source are subject to the payload requirements for all HTTP sources.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed. Copy the HTTP Source URL, Header Name, and Secret Key Value — you will need them in Step 2.

Step 2: Configure the audit log stream in Hex

In your Hex workspace, navigate to Settings > Audit Logs.
Select Configure log stream.
Select Generic HTTPS as the destination type.
Fill in the fields:
- URL: enter the HTTP Source URL you generated in Panther.
- Auth header name: enter the Header Name you configured in Panther.
- Auth header value: enter the Secret Key Value you configured in Panther.
Select either JSON or NDJSON for the Request Body Format.
Save the configuration.

Hex will begin streaming new audit events to Panther immediately.

Supported log types

Hex.Audit

Audit log events from the Hex analytics platform, capturing user and system actions within a workspace such as running cells, creating projects, managing access, and downloading data.

schema: Hex.Audit
description: Audit log events from the Hex analytics platform webhook
referenceURL: https://learn.hex.tech/docs/administration/workspace_settings/audit-logs/audit-logs-reference
fields:
  - name: source
    type: string
    description: Webhook envelope source identifier (always "Hex")
  - name: keySuffix
    type: string
    description: Webhook delivery dedup key (ULID assigned by Hex per delivery)
  - name: timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    description: Webhook delivery time (when Hex dispatched the event; distinct from event.occurred_at)
  - name: event
    type: object
    required: true
    description: The audit event payload
    fields:
      - name: actor
        type: object
        required: true
        description: The actor who performed the action
        fields:
          - name: id
            type: string
            description: Unique identifier of the actor
            indicators:
              - actor_id
          - name: type
            type: string
            description: Type of actor (e.g. USER)
          - name: metadata
            type: object
            description: Additional metadata about the actor
            fields:
              - name: email
                type: string
                description: Email address of the actor
                indicators:
                  - email
              - name: workspace
                type: string
                description: Workspace name
              - name: workspaceId
                type: string
                description: Unique identifier of the workspace
              - name: actorOrgRole
                type: string
                description: Organizational role of the actor (e.g. ADMIN, MEMBER)
      - name: action
        required: true
        type: string
        description: The action that was performed (e.g. RUN_CELL, CREATE_PROJECT)
      - name: context
        type: object
        description: Context of where the action was performed
        fields:
          - name: location
            type: string
            description: IP address of the request
            indicators:
              - ip
          - name: user_agent
            type: string
            description: User agent string of the request
      - name: targets
        type: array
        description: Objects affected by the action
        element:
          type: object
          fields:
            - name: id
              type: string
              description: Unique identifier of the target
            - name: type
              type: string
              description: Type of target (e.g. project, project_version, cell)
            - name: metadata
              type: object
              description: Additional metadata about the target
              fields:
                - name: created
                  type: boolean
                  description: Whether the target was created by this action
                - name: principal_type
                  type: string
                  description: Type of principal for access events (e.g. user, group)
                - name: representation
                  type: string
                  description: JSON-encoded representation of the target object
      - name: version
        type: string
        description: Schema version of the event
      - name: metadata
        type: object
        description: Additional metadata about the action
        fields:
          - name: result
            type: string
            description: Outcome of the action (e.g. SUCCESS, FAILURE)
          - name: requestArgs
            type: string
            description: JSON-encoded request arguments
          - name: failureReason
            type: string
            description: Reason for failure if the action failed
          - name: hexTraceId
            type: string
            description: Hex trace ID for correlating events across services
            indicators:
              - trace_id
          - name: source
            type: string
            description: Source system that generated the event
          - name: isRefreshingKey
            type: boolean
            description: Whether the event was triggered by a key refresh operation
          - name: projectCreationMethod
            type: string
            description: Method used to create the project (e.g. BLANK, TEMPLATE)
      - name: occurred_at
        required: true
        type: timestamp
        timeFormats:
          - rfc3339
        isEventTime: true
        description: Timestamp when the event occurred

PreviousHeroku Logs NextIru Logs

Last updated 8 days ago

Was this helpful?

schema: Hex.Audit
description: Audit log events from the Hex analytics platform webhook
referenceURL: https://learn.hex.tech/docs/administration/workspace_settings/audit-logs/audit-logs-reference
fields:
  - name: source
    type: string
    description: Webhook envelope source identifier (always "Hex")
  - name: keySuffix
    type: string
    description: Webhook delivery dedup key (ULID assigned by Hex per delivery)
  - name: timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    description: Webhook delivery time (when Hex dispatched the event; distinct from event.occurred_at)
  - name: event
    type: object
    required: true
    description: The audit event payload
    fields:
      - name: actor
        type: object
        required: true
        description: The actor who performed the action
        fields:
          - name: id
            type: string
            description: Unique identifier of the actor
            indicators:
              - actor_id
          - name: type
            type: string
            description: Type of actor (e.g. USER)
          - name: metadata
            type: object
            description: Additional metadata about the actor
            fields:
              - name: email
                type: string
                description: Email address of the actor
                indicators:
                  - email
              - name: workspace
                type: string
                description: Workspace name
              - name: workspaceId
                type: string
                description: Unique identifier of the workspace
              - name: actorOrgRole
                type: string
                description: Organizational role of the actor (e.g. ADMIN, MEMBER)
      - name: action
        required: true
        type: string
        description: The action that was performed (e.g. RUN_CELL, CREATE_PROJECT)
      - name: context
        type: object
        description: Context of where the action was performed
        fields:
          - name: location
            type: string
            description: IP address of the request
            indicators:
              - ip
          - name: user_agent
            type: string
            description: User agent string of the request
      - name: targets
        type: array
        description: Objects affected by the action
        element:
          type: object
          fields:
            - name: id
              type: string
              description: Unique identifier of the target
            - name: type
              type: string
              description: Type of target (e.g. project, project_version, cell)
            - name: metadata
              type: object
              description: Additional metadata about the target
              fields:
                - name: created
                  type: boolean
                  description: Whether the target was created by this action
                - name: principal_type
                  type: string
                  description: Type of principal for access events (e.g. user, group)
                - name: representation
                  type: string
                  description: JSON-encoded representation of the target object
      - name: version
        type: string
        description: Schema version of the event
      - name: metadata
        type: object
        description: Additional metadata about the action
        fields:
          - name: result
            type: string
            description: Outcome of the action (e.g. SUCCESS, FAILURE)
          - name: requestArgs
            type: string
            description: JSON-encoded request arguments
          - name: failureReason
            type: string
            description: Reason for failure if the action failed
          - name: hexTraceId
            type: string
            description: Hex trace ID for correlating events across services
            indicators:
              - trace_id
          - name: source
            type: string
            description: Source system that generated the event
          - name: isRefreshingKey
            type: boolean
            description: Whether the event was triggered by a key refresh operation
          - name: projectCreationMethod
            type: string
            description: Method used to create the project (e.g. BLANK, TEMPLATE)
      - name: occurred_at
        required: true
        type: timestamp
        timeFormats:
          - rfc3339
        isEventTime: true
        description: Timestamp when the event occurred