Rapid7 Logs (Beta)
Connecting Rapid7 logs to your Panther Console
Last updated
Rapid7 Audit Logs ingestion is in open beta starting with Panther version 1.111, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther can pull in Rapid7's audit logs via InsightIDR.
1. Follow the Rapid7 instructions on how to enable audit logging. Copy the Data Storage Region value and store it in a secure location, as you will need it in a following step.
2. Follow the Rapid7 instructions on how to generate an API key. It's recommended to create an organization key (instead of a user key), as it must have Administrator permissions to properly view and query audit log events. Copy the API key value and store it in a secure location, as you will need it in a following step.
3. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
4. Click Create New.
5. Search for “Rapid7,” then click its tile.
6. On the slide-out panel, click Start Setup.
7. On the next screen, enter a descriptive name for the source, e.g., My Rapid7 logs.
8. On the Set Credentials page, fill in the fields:
   - Storage Region: Enter the shortened version of the Data Storage Region you noted from Rapid7 in Step 1. For example, if your region is United States - 3, enter us3. If you need to find this value again, you can do so in the Rapid7 Platform console, within the Home section of the Settings page. You may also be able to see it in your Rapid7 console URL.
   - API Key: Enter the API key you generated in Rapid7 in Step 2.
9. Click Setup. You will be directed to a success screen.
10. You can optionally enable one or more Detection Packs.
11. The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.