# Iru Logs (Beta)

## Overview

{% hint style="info" %}
The Iru integration is in open beta starting with Panther version 1.119, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

Panther supports ingesting [Iru](https://www.iru.com/) audit logs via an [AWS S3 Data Transport source](https://docs.panther.com/data-onboarding/data-transports/aws/s3).

Iru (formerly Kandji) is a Mobile Device Management (MDM) and endpoint management platform for Apple, Windows, and Android devices. Panther supports ingesting audit logs from Iru to monitor device management activities, policy compliance events, and security-related actions.

Learn more about Iru audit logs in the [Iru API documentation](https://api-docs.kandji.io/).

## How to onboard Iru logs to Panther

### Step 1: Create a new Iru source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "Iru," then click its tile.
4. In the upper-right corner, click **Start Setup**.
5. Follow [Panther’s documentation for configuring an AWS S3 Data Transport source](https://docs.panther.com/data-onboarding/data-transports/aws/s3).

### Step 2: Export Iru logs to S3

* Follow the Iru [Amazon S3 Activity Log Integration](https://support.kandji.io/kb/amazon-s3-activity-log-events-integration) documentation to export logs to S3.

## Supported log types

### Iru.Audit

```yaml
schema: Iru.Audit
description: Iru audit logs for device inventory, security posture, and management data. Relevant for monitoring device compliance, application status, and endpoint security events.
referenceURL: https://api-docs.kandji.io/#auth-info-336d6648-e062-4cbd-a70a-2a0c276cd4ad
fields:
  - name: id
    required: true
    description: The Iru log event ID.
    type: string
  - name: action
    required: true
    description: What was done, this is validated against a list of expected values - create, update, delete
    type: string
  - name: actor_id
    required: true
    description: The ID of who or what performed the event
    type: string
    indicators:
      - actor_id
  - name: actor_type
    required: true
    description: The type of actor who did the event, admin user, api token, etc. This is validated against a list of expected values
    type: string
  - name: new_state
    description: The data of the new state. This is what will be validated by the schemas
    type: json
  - name: occurred_at
    required: true
    description: When this event was created; defaults to the current UTC time.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: received_at
    description: The time the event was received
    type: timestamp
    timeFormats:
      - rfc3339
  - name: target_component
    description: The sub-component section of target that was updated
    type: string
  - name: target_id
    required: true
    description: The id of what was updated
    type: string
    indicators:
      - trace_id
  - name: target_type
    required: true
    description: The type of object that was updated - blueprint, library_item, device, user, etc
    type: string
  - name: event_category
    description: The category of the event
    type: string
  - name: tenant_id
    description: The id of the tenant that the event belongs to
    type: string
    indicators:
      - trace_id
  - name: timeline_id
    description: The id of the timeline that the event belongs to
    type: string
    indicators:
      - trace_id
  - name: metadata
    description: Context information about the event itself. Not validated. Could hold information specific to a certain security framework or standard.
    type: json
```
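
The following is an added example, not code from Panther or Iru. It checks a record against the required fields and timestamp format of the `Iru.Audit` schema above, and pairs that with a Panther-style `rule`/`title` detection for deletions of blueprints or library items. The sample events, the `schema_problems` helper, the `SENSITIVE_TARGETS` set, and the exact string form of `actor_type` are assumptions made for illustration.

```python
from datetime import datetime

# Required fields and action values as listed in the Iru.Audit schema above.
REQUIRED = ("id", "action", "actor_id", "actor_type",
            "occurred_at", "target_id", "target_type")
ACTIONS = {"create", "update", "delete"}
# Assumption: which target types count as sensitive is a local policy choice.
SENSITIVE_TARGETS = {"blueprint", "library_item"}


def schema_problems(event):
    """Return reasons the event would not fit Iru.Audit (empty list = OK)."""
    problems = [f"missing required field: {f}" for f in REQUIRED if not event.get(f)]
    if event.get("action") and event["action"] not in ACTIONS:
        problems.append(f"unexpected action: {event['action']}")
    for field in ("occurred_at", "received_at"):
        value = event.get(field)
        if value is None:
            continue
        try:
            # RFC 3339 allows a trailing "Z"; older fromisoformat() does not.
            parsed = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append(f"{field} has no UTC offset")
        except ValueError:
            problems.append(f"{field} is not RFC 3339: {value}")
    return problems


def rule(event):
    """Panther-style rule: fire on deletion of a blueprint or library item."""
    return (event.get("action") == "delete"
            and event.get("target_type") in SENSITIVE_TARGETS)


def title(event):
    return (f"Iru {event.get('target_type')} {event.get('target_id')} "
            f"deleted by {event.get('actor_type')} {event.get('actor_id')}")


# Constructed sample events (not real Iru output).
SAMPLE_DELETE = {"id": "evt-1", "action": "delete", "actor_id": "actor-123",
                 "actor_type": "admin user", "occurred_at": "2025-01-15T10:22:31Z",
                 "target_id": "bp-42", "target_type": "blueprint"}
SAMPLE_BAD = {"id": "evt-2", "action": "rename", "actor_id": "actor-123",
              "actor_type": "admin user", "occurred_at": "15/01/2025 10:22",
              "target_type": "device"}
```

Running `schema_problems` over a few exported records before enabling the source shows whether the S3 export matches the schema; `rule` and `title` follow the function names Panther Python detections use.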
