Rapid7 Logs (Beta)

Connecting Rapid7 logs to your Panther Console

Overview

Rapid7 Audit Logs ingestion is in open beta starting with Panther version 1.111, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther can pull in Rapid7's audit logs via InsightIDR.

How to onboard Rapid7 AuditLogs to Panther

Step 1: Enable audit logging in Rapid7

Follow the Rapid7 instructions on how to enable audit logging.
- Copy the Data Storage Region value and store it in a secure location, as you will need it in a following step.

Step 2: Generate an API key in Rapid7

Follow the Rapid7 instructions on how to generate an API key. It's recommended to create an organization key (instead of a user key), as it must have Administrator permissions to properly view and query audit log events.
- Copy the API key value and store it in a secure location, as you will need it in a following step.

Step 3: Create a new Rapid7 log source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Rapid7,” then click its tile.
On the slide-out panel, click Start Setup.
On the next screen, enter a descriptive name for the source, e.g., My Rapid7 logs.
On the Set Credentials page, fill in the fields:
- Storage Region: Enter the shortened version of the Data Storage Region you noted from Rapid7 in Step 1. For example, if your region is United States - 3, enter us3.
  - If you need to find this value again, you can do so in the Rapid7 Platform console, within the Home section of the Settings page. You may also be able to see it in your Rapid7's console URL.
- API Key: Enter the API key you generated in Rapid7 in Step 2.
Click Setup. You will be directed to a success screen:
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported Log Types

Rapid7.AuditLog

schema: Rapid7.AuditLog
description: Rapid7 InsightIDR audit log
referenceURL: https://docs.rapid7.com/insightidr/audit-logging/
fields:
    - name: action
      required: true
      description: The action performed.
      type: string
    - name: audit_id
      required: true
      description: Unique identifier for the audit log entry.
      type: string
    - name: result
      description: Result of the action performed.
      type: string
    - name: access_method
      description: The method used to access the service.
      type: string
    - name: product
      description: The product related to the log entry.
      type: string
    - name: description
      description: Additional details or context about the action.
      type: string
    - name: service_info
      description: Information about the service and the event.
      type: object
      fields:
        - name: previousEntry
          description: Information about the previous entry in the log.
          type: json
        - name: event
          description: Details about the event that triggered the log entry.
          type: object
          fields:
            - name: type
              description: Type of the event.
              type: string
            - name: correlationId
              description: Correlation identifier for tracking.
              type: string
            - name: customerId
              description: Identifier for the customer.
              type: string
            - name: updatedBy
              description: Identifier for who or what updated the entry.
              type: string
              indicators:
                - email
            - name: initiatorIdentification
              description: Identification details of the initiator.
              type: object
              fields:
                - name: email
                  description: Email of the initiator.
                  type: string
                  indicators:
                    - email
                - name: userId
                  description: User ID of the initiator.
                  type: string
                - name: apiKeyId
                  description: API key ID of the initiator, if applicable.
                  type: string
                - name: automatedFlowName
                  description: Name of the automated flow, if applicable.
                  type: string
                - name: customerId
                  description: Customer ID of the initiator.
                  type: string
            - name: timestamp
              description: Event timestamp.
              type: timestamp
              timeFormats:
                - unix_ms
              isEventTime: true
        - name: type
          description: Type of the service information.
          type: string
    - name: time
      required: true
      description: The timestamp of the audit log.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: request
      description: Request details including the user information.
      type: object
      fields:
        - name: user
          description: User details from the request.
          type: object
          fields:
            - name: email
              description: Email of the user.
              type: string
              indicators:
                - email
            - name: name
              description: Name of the user.
              type: string
              indicators:
                - username

PreviousPush Security Logs NextSalesforce Logs

Last updated 1 month ago

Was this helpful?

How to onboard Rapid7 AuditLogs to Panther

Step 1: Enable audit logging in Rapid7

Follow the Rapid7 instructions on how to enable audit logging.

Copy the Data Storage Region value and store it in a secure location, as you will need it in a following step.

Step 2: Generate an API key in Rapid7

Follow the Rapid7 instructions on how to generate an API key. It's recommended to create an organization key (instead of a user key), as it must have Administrator permissions to properly view and query audit log events.

Copy the API key value and store it in a secure location, as you will need it in a following step.

Step 3: Create a new Rapid7 log source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

Click Create New.

Search for “Rapid7,” then click its tile.

On the slide-out panel, click Start Setup.

On the next screen, enter a descriptive name for the source, e.g., My Rapid7 logs.

On the Set Credentials page, fill in the fields:

Storage Region: Enter the shortened version of the Data Storage Region you noted from Rapid7 in Step 1. For example, if your region is United States - 3, enter us3.
- If you need to find this value again, you can do so in the Rapid7 Platform console, within the Home section of the Settings page. You may also be able to see it in your Rapid7's console URL.
API Key: Enter the API key you generated in Rapid7 in Step 2.

Click Setup. You will be directed to a success screen:

You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported Log Types

Rapid7.AuditLog

schema: Rapid7.AuditLog
description: Rapid7 InsightIDR audit log
referenceURL: https://docs.rapid7.com/insightidr/audit-logging/
fields:
    - name: action
      required: true
      description: The action performed.
      type: string
    - name: audit_id
      required: true
      description: Unique identifier for the audit log entry.
      type: string
    - name: result
      description: Result of the action performed.
      type: string
    - name: access_method
      description: The method used to access the service.
      type: string
    - name: product
      description: The product related to the log entry.
      type: string
    - name: description
      description: Additional details or context about the action.
      type: string
    - name: service_info
      description: Information about the service and the event.
      type: object
      fields:
        - name: previousEntry
          description: Information about the previous entry in the log.
          type: json
        - name: event
          description: Details about the event that triggered the log entry.
          type: object
          fields:
            - name: type
              description: Type of the event.
              type: string
            - name: correlationId
              description: Correlation identifier for tracking.
              type: string
            - name: customerId
              description: Identifier for the customer.
              type: string
            - name: updatedBy
              description: Identifier for who or what updated the entry.
              type: string
              indicators:
                - email
            - name: initiatorIdentification
              description: Identification details of the initiator.
              type: object
              fields:
                - name: email
                  description: Email of the initiator.
                  type: string
                  indicators:
                    - email
                - name: userId
                  description: User ID of the initiator.
                  type: string
                - name: apiKeyId
                  description: API key ID of the initiator, if applicable.
                  type: string
                - name: automatedFlowName
                  description: Name of the automated flow, if applicable.
                  type: string
                - name: customerId
                  description: Customer ID of the initiator.
                  type: string
            - name: timestamp
              description: Event timestamp.
              type: timestamp
              timeFormats:
                - unix_ms
              isEventTime: true
        - name: type
          description: Type of the service information.
          type: string
    - name: time
      required: true
      description: The timestamp of the audit log.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: request
      description: Request details including the user information.
      type: object
      fields:
        - name: user
          description: User details from the request.
          type: object
          fields:
            - name: email
              description: Email of the user.
              type: string
              indicators:
                - email
            - name: name
              description: Name of the user.
              type: string
              indicators:
                - username