# Hex Logs (Beta)

## Overview

{% hint style="info" %}
Hex log ingestion is in open beta starting with Panther version 1.123, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

Panther can receive real-time audit log events from [Hex](https://hex.tech/) via webhook. This integration provides visibility into user activity across your Hex workspace, including project access, data exports, and administrative actions, enabling security monitoring and compliance auditing.

## How to onboard Hex audit logs to Panther

### Prerequisites

* To set up this integration, you must be a Hex workspace admin with access to **Settings** > **Audit Logs**.

### Step 1: Create a new Hex log source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New.**
3. Search for "Hex", then click its tile.
4. Click **Start Setup**.
5. Follow Panther's [instructions for configuring an HTTP Source](https://github.com/panther-labs/panther-docs/blob/main/docs/gitbook/data-transports/http.md#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * You will be required to use [shared secret authentication](https://github.com/panther-labs/panther-docs/blob/main/docs/gitbook/data-transports/http.md#shared-secret).
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://github.com/panther-labs/panther-docs/blob/main/docs/gitbook/data-transports/http.md#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed. Copy the **HTTP Source URL**, **Header Name**, and **Secret Key Value** — you will need them in Step 2.

### Step 2: Configure the audit log stream in Hex

1. In your Hex workspace, navigate to **Settings** > **Audit Logs**.
2. Select **Configure log stream**.
3. Select **Generic HTTPS** as the destination type.
4. Fill in the fields:
   * **URL**: enter the **HTTP Source URL** you generated in Panther.
   * **Auth header name**: enter the **Header Name** you configured in Panther.
   * **Auth header value**: enter the **Secret Key Value** you configured in Panther.
5. Select either **JSON** or **NDJSON** for the **Request Body Format.**
6. Save the configuration.

Hex will begin streaming new audit events to Panther immediately.

## Supported log types

### Hex.Audit

Audit log events from the Hex analytics platform, capturing user and system actions within a workspace such as running cells, creating projects, managing access, and downloading data.

```yaml
schema: Hex.Audit
description: Audit log events from the Hex analytics platform webhook
referenceURL: https://learn.hex.tech/docs/administration/workspace_settings/audit-logs/audit-logs-reference
fields:
  - name: source
    type: string
    description: Webhook envelope source identifier (always "Hex")
  - name: keySuffix
    type: string
    description: Webhook delivery dedup key (ULID assigned by Hex per delivery)
  - name: timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    description: Webhook delivery time (when Hex dispatched the event; distinct from event.occurred_at)
  - name: event
    type: object
    required: true
    description: The audit event payload
    fields:
      - name: actor
        type: object
        required: true
        description: The actor who performed the action
        fields:
          - name: id
            type: string
            description: Unique identifier of the actor
            indicators:
              - actor_id
          - name: type
            type: string
            description: Type of actor (e.g. USER)
          - name: metadata
            type: object
            description: Additional metadata about the actor
            fields:
              - name: email
                type: string
                description: Email address of the actor
                indicators:
                  - email
              - name: workspace
                type: string
                description: Workspace name
              - name: workspaceId
                type: string
                description: Unique identifier of the workspace
              - name: actorOrgRole
                type: string
                description: Organizational role of the actor (e.g. ADMIN, MEMBER)
      - name: action
        required: true
        type: string
        description: The action that was performed (e.g. RUN_CELL, CREATE_PROJECT)
      - name: context
        type: object
        description: Context of where the action was performed
        fields:
          - name: location
            type: string
            description: IP address of the request
            indicators:
              - ip
          - name: user_agent
            type: string
            description: User agent string of the request
      - name: targets
        type: array
        description: Objects affected by the action
        element:
          type: object
          fields:
            - name: id
              type: string
              description: Unique identifier of the target
            - name: type
              type: string
              description: Type of target (e.g. project, project_version, cell)
            - name: metadata
              type: object
              description: Additional metadata about the target
              fields:
                - name: created
                  type: boolean
                  description: Whether the target was created by this action
                - name: principal_type
                  type: string
                  description: Type of principal for access events (e.g. user, group)
                - name: representation
                  type: string
                  description: JSON-encoded representation of the target object
      - name: version
        type: string
        description: Schema version of the event
      - name: metadata
        type: object
        description: Additional metadata about the action
        fields:
          - name: result
            type: string
            description: Outcome of the action (e.g. SUCCESS, FAILURE)
          - name: requestArgs
            type: string
            description: JSON-encoded request arguments
          - name: failureReason
            type: string
            description: Reason for failure if the action failed
          - name: hexTraceId
            type: string
            description: Hex trace ID for correlating events across services
            indicators:
              - trace_id
          - name: source
            type: string
            description: Source system that generated the event
          - name: isRefreshingKey
            type: boolean
            description: Whether the event was triggered by a key refresh operation
          - name: projectCreationMethod
            type: string
            description: Method used to create the project (e.g. BLANK, TEMPLATE)
      - name: occurred_at
        required: true
        type: timestamp
        timeFormats:
          - rfc3339
        isEventTime: true
        description: Timestamp when the event occurred
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.panther.com/data-onboarding/supported-logs/hex.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.