The Iru integration is in open beta starting with Panther version 1.119, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Iru (formerly Kandji) is a Mobile Device Management (MDM) and endpoint management platform for Apple devices. Panther supports ingesting audit logs from Iru to monitor device management activities, policy compliance events, and security-related actions.
schema: Iru.Audit
description: Iru audit logs for device inventory, security posture, and management data. Relevant for monitoring device compliance, application status, and endpoint security events.
referenceURL: https://api-docs.kandji.io/#auth-info-336d6648-e062-4cbd-a70a-2a0c276cd4ad
fields:
  - name: id
    required: true
    description: The Iru log event ID.
    type: string
  - name: action
    required: true
    description: What was done, this is validated against a list of expected values - create, update, delete
    type: string
  - name: actor_id
    required: true
    description: The id of the who or what did the event
    type: string
    indicators:
      - actor_id
  - name: actor_type
    required: true
    description: The type of actor who did the event, admin user, api token, etc. This is validated against a list of expected values
    type: string
  - name: new_state
    description: The data of the new state. This is what will be validated by the schemas
    type: json
  - name: occurred_at
    required: true
    description: When was this event created, defaults to the current UTC time.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: received_at
    description: The time the event was received
    type: timestamp
    timeFormats:
      - rfc3339
  - name: target_component
    description: The sub-component section of target that was updated
    type: string
  - name: target_id
    required: true
    description: The id of what was updated
    type: string
    indicators:
      - trace_id
  - name: target_type
    required: true
    description: The type of object that was updated - blueprint, library_item, device, user, etc
    type: string
  - name: event_category
    description: The category of the event
    type: string
  - name: tenant_id
    description: The id of the tenant that the event belongs to
    type: string
    indicators:
      - trace_id
  - name: timeline_id
    description: The id of the timeline that the event belongs to
    type: string
    indicators:
      - trace_id
  - name: metadata
    description: Context information about the event itself. Not validated. Could hold information specific to a certain security framework or standard.
    type: json
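
As an added example (not a Panther-managed rule and not part of the original page), the following Python detection uses the `rule`/`title`/`dedup` function layout of Panther Python rules to flag deletion of blueprints or library items in `Iru.Audit` events. The field names and the values `delete`, `blueprint` and `library_item` come from the schema above; the choice of which targets to treat as sensitive and all sample events are assumptions constructed for illustration.

```python
# Added example: detection logic over Iru.Audit events.
# Assumption: deleting a blueprint or library item is worth an alert because
# it removes configuration that managed devices depend on.
SENSITIVE_TARGETS = {"blueprint", "library_item"}


def rule(event):
    """Return True when a blueprint or library item is deleted."""
    # Required fields may still arrive null or mis-cased; normalize first.
    action = (event.get("action") or "").lower()
    target_type = (event.get("target_type") or "").lower()
    return action == "delete" and target_type in SENSITIVE_TARGETS


def title(event):
    """Alert title naming the deleted object and the responsible actor."""
    return (
        f"Iru {event.get('target_type')} {event.get('target_id')} deleted "
        f"by {event.get('actor_type')} {event.get('actor_id')}"
    )


def dedup(event):
    """Group alerts per tenant and actor so a bulk deletion yields one alert."""
    tenant = event.get("tenant_id") or "unknown-tenant"
    return f"{tenant}:{event.get('actor_id')}"


# Constructed sample events; every identifier below is invented.
SAMPLE_EVENTS = [
    {"id": "evt-1", "action": "delete", "actor_id": "actor-a",
     "actor_type": "example_actor_type", "target_id": "bp-100",
     "target_type": "blueprint", "tenant_id": "tenant-1",
     "occurred_at": "2024-01-01T10:00:00Z"},
    {"id": "evt-2", "action": "update", "actor_id": "actor-a",
     "actor_type": "example_actor_type", "target_id": "bp-100",
     "target_type": "blueprint", "tenant_id": "tenant-1",
     "occurred_at": "2024-01-01T10:05:00Z"},
    {"id": "evt-3", "action": "delete", "actor_id": "actor-b",
     "actor_type": "example_actor_type", "target_id": "dev-7",
     "target_type": "device", "occurred_at": "2024-01-01T10:10:00Z"},
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        if rule(sample):
            print(dedup(sample), "|", title(sample))
```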