Iru Logs

Connecting Iru logs to your Panther Console

Overview

Panther supports ingesting Iru audit logs via an AWS S3 Data Transport source.

Iru (formerly Kandji) is a Mobile Device Management (MDM) and endpoint management platform for Apple, Windows, and Android devices. Panther supports ingesting audit logs from Iru to monitor device management activities, policy compliance events, and security-related actions.

Learn more about Iru audit logs in the Iru API documentation.

How to onboard Iru logs to Panther

Step 1: Create a new Iru source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "Iru," then click its tile.
In the upper-right corner, click Start Setup.
Follow Panther’s documentation for configuring an AWS S3 Data Transport source.

Step 2: Export Iru logs to S3

Follow the Iru Amazon S3 Activity Log Integration documentation to export logs to S3.

Supported log types

Iru.Audit

schema: Iru.Audit
description: Iru audit logs for device inventory, security posture, and management data. Relevant for monitoring device compliance, application status, and endpoint security events.
referenceURL: https://api-docs.kandji.io/#auth-info-336d6648-e062-4cbd-a70a-2a0c276cd4ad
fields:
  - name: id
    required: true
    description: The Iru log event ID.
    type: string
  - name: action
    required: true
    description: What was done, this is validated against a list of expected values - create, update, delete
    type: string
  - name: actor_id
    required: true
    description: The id of the who or what did the event
    type: string
    indicators:
      - actor_id
  - name: actor_type
    required: true
    description: The type of actor who did the event, admin user, api token, etc. This is validated against a list of expected values
    type: string
  - name: new_state
    description: The data of the new state. This is what will be validated by the schemas
    type: json
  - name: occurred_at
    required: true
    description: When was this event created, defaults to the current UTC time.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: received_at
    description: The time the event was received
    type: timestamp
    timeFormats:
      - rfc3339
  - name: target_component
    description: The sub-component section of target that was updated
    type: string
  - name: target_id
    required: true
    description: The id of what was updated
    type: string
    indicators:
      - trace_id
  - name: target_type
    required: true
    description: The type of object that was updated - blueprint, library_item, device, user, etc
    type: string
  - name: event_category
    description: The category of the event
    type: string
  - name: tenant_id
    description: The id of the tenant that the event belongs to
    type: string
    indicators:
      - trace_id
  - name: timeline_id
    description: The id of the timeline that the event belongs to
    type: string
    indicators:
      - trace_id
  - name: metadata
    description: Context information about the event itself. Not validated. Could hold information specific to a certain security framework or standard.
    type: json

PreviousHex Logs NextIsland Logs

Last updated 3 days ago

Was this helpful?

schema: Iru.Audit
description: Iru audit logs for device inventory, security posture, and management data. Relevant for monitoring device compliance, application status, and endpoint security events.
referenceURL: https://api-docs.kandji.io/#auth-info-336d6648-e062-4cbd-a70a-2a0c276cd4ad
fields:
  - name: id
    required: true
    description: The Iru log event ID.
    type: string
  - name: action
    required: true
    description: What was done, this is validated against a list of expected values - create, update, delete
    type: string
  - name: actor_id
    required: true
    description: The id of the who or what did the event
    type: string
    indicators:
      - actor_id
  - name: actor_type
    required: true
    description: The type of actor who did the event, admin user, api token, etc. This is validated against a list of expected values
    type: string
  - name: new_state
    description: The data of the new state. This is what will be validated by the schemas
    type: json
  - name: occurred_at
    required: true
    description: When was this event created, defaults to the current UTC time.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: received_at
    description: The time the event was received
    type: timestamp
    timeFormats:
      - rfc3339
  - name: target_component
    description: The sub-component section of target that was updated
    type: string
  - name: target_id
    required: true
    description: The id of what was updated
    type: string
    indicators:
      - trace_id
  - name: target_type
    required: true
    description: The type of object that was updated - blueprint, library_item, device, user, etc
    type: string
  - name: event_category
    description: The category of the event
    type: string
  - name: tenant_id
    description: The id of the tenant that the event belongs to
    type: string
    indicators:
      - trace_id
  - name: timeline_id
    description: The id of the timeline that the event belongs to
    type: string
    indicators:
      - trace_id
  - name: metadata
    description: Context information about the event itself. Not validated. Could hold information specific to a certain security framework or standard.
    type: json