# Rapid7 Logs

## Overview

Panther can pull in Rapid7's [audit logs](https://docs.rapid7.com/insight/audit-logging/) via [InsightIDR](https://www.rapid7.com/products/insightidr/).

## How to onboard Rapid7 audit logs to Panther

### Step 1: Enable audit logging in Rapid7

* Follow the [Rapid7 instructions on how to enable audit logging](https://docs.rapid7.com/insight/audit-logging/#enable-audit-logging).
  * Copy the **Data Storage Region** value and store it in a secure location, as you will need it in a following step.

### Step 2: Generate an API key in Rapid7

* Follow the [Rapid7 instructions on how to generate an API key](https://docs.rapid7.com/insight/managing-platform-api-keys). Create an organization key rather than a user key: the key [must have Administrator permissions](https://docs.rapid7.com/insight/audit-logging/) to view and query audit log events, so it should not be tied to an individual account.
  * Copy the API key value and store it in a secure location, as you will need it in a following step. Treat it as a privileged credential: it grants administrative read access to every audit event in your organization.

### Step 3: Create a new Rapid7 log source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for “Rapid7,” then click its tile.
4. On the slide-out panel, click **Start Setup**.

   <figure><img src="/files/Xgacs1yGIZdbL3HEehA9" alt="In the Panther Console, the Configure > Log Sources > Add New Source page is shown. There is an arrow drawn from the Rapid7 tile to the Start Setup button on its slide-out panel."><figcaption></figcaption></figure>
5. On the next screen, enter a descriptive name for the source, e.g., `My Rapid7 logs`.
6. On the **Set Credentials** page, fill in the fields:

   * **Storage Region**: Enter the shortened version of the **Data Storage Region** you noted from Rapid7 in Step 1. For example, if your region is `United States - 3`, enter `us3`.
     * If you need to find this value again, you can do so in the Rapid7 Platform console, within the **Home** section of the **Settings** page. You may also be able to read it from the hostname in your Rapid7 console URL.
   * **API Key**: Enter the API key you generated in Rapid7 in Step 2.

   ![Under "Fill in the form below with your credentials" are two empty fields: Storage Region and API Key.](/files/pCUM51qWDIbZPy9LakmI)
7. Click **Setup**. You will be directed to a success screen:

   <figure><img src="/files/lJCvylZLzgzxBKPB2fyE" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled: a revoked or expired API key, or a change to the storage region, silently stops the pull, and this alert is how you find out. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="/files/Qjs5L2RqoxDEnhUcjTYh" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Supported Log Types

### Rapid7.AuditLog

```yaml
schema: Rapid7.AuditLog
description: Rapid7 InsightIDR audit log
referenceURL: https://docs.rapid7.com/insightidr/audit-logging/
fields:
    - name: action
      required: true
      description: The action performed.
      type: string
    - name: audit_id
      required: true
      description: Unique identifier for the audit log entry.
      type: string
    - name: result
      description: Result of the action performed.
      type: string
    - name: access_method
      description: The method used to access the service.
      type: string
    - name: product
      description: The product related to the log entry.
      type: string
    - name: description
      description: Additional details or context about the action.
      type: string
    - name: service_info
      description: Information about the service and the event.
      type: object
      fields:
        - name: previousEntry
          description: Information about the previous entry in the log.
          type: json
        - name: event
          description: Details about the event that triggered the log entry.
          type: object
          fields:
            - name: type
              description: Type of the event.
              type: string
            - name: correlationId
              description: Correlation identifier for tracking.
              type: string
            - name: customerId
              description: Identifier for the customer.
              type: string
            - name: updatedBy
              description: Identifier for who or what updated the entry.
              type: string
              indicators:
                - email
            - name: initiatorIdentification
              description: Identification details of the initiator.
              type: object
              fields:
                - name: email
                  description: Email of the initiator.
                  type: string
                  indicators:
                    - email
                - name: userId
                  description: User ID of the initiator.
                  type: string
                - name: apiKeyId
                  description: API key ID of the initiator, if applicable.
                  type: string
                - name: automatedFlowName
                  description: Name of the automated flow, if applicable.
                  type: string
                - name: customerId
                  description: Customer ID of the initiator.
                  type: string
            - name: timestamp
              description: Event timestamp.
              type: timestamp
              timeFormats:
                - unix_ms
              isEventTime: true
        - name: type
          description: Type of the service information.
          type: string
    - name: time
      required: true
      description: The timestamp of the audit log.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: request
      description: Request details including the user information.
      type: object
      fields:
        - name: user
          description: User details from the request.
          type: object
          fields:
            - name: email
              description: Email of the user.
              type: string
              indicators:
                - email
            - name: name
              description: Name of the user.
              type: string
              indicators:
                - username
```
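The schema above marks `action`, `audit_id` and `time` as required, carries two event-time fields in different formats (`time` as RFC 3339, `service_info.event.timestamp` as Unix milliseconds), and records who initiated an action under `service_info.event.initiatorIdentification` as either a user, an API key or an automated flow. The following Panther-style rule is an added example, not Panther's or Rapid7's own code: it parses constructed sample events shaped like `Rapid7.AuditLog`, validates the required fields, normalizes both timestamps, and alerts on actions performed by a non-interactive principal (API key or automated flow). The `action`, `result` and `product` values in the samples are invented for illustration, and `deep_get` is a local stand-in for the helper of the same name that Panther rules import from `panther_base_helpers`.

```python
"""Panther-style detection over Rapid7.AuditLog events (added example)."""
import json
from datetime import datetime, timezone

# Fields the Rapid7.AuditLog schema marks required: true.
REQUIRED = ("action", "audit_id", "time")

# Constructed sample events: one interactive user action, one API-key action.
# Action/result/product strings are hypothetical, not real Rapid7 values.
SAMPLE_LINES = [
    json.dumps({
        "audit_id": "a1", "action": "example.user.invite", "result": "SUCCESS",
        "access_method": "WEB", "product": "InsightIDR", "time": "2024-05-01T12:00:00Z",
        "request": {"user": {"email": "alice@example.com", "name": "alice"}},
        "service_info": {"type": "example", "event": {
            "type": "example.user.invite", "timestamp": 1714564800000,
            "initiatorIdentification": {"email": "alice@example.com", "userId": "u-1"}}},
    }),
    json.dumps({
        "audit_id": "a2", "action": "example.apikey.create", "result": "SUCCESS",
        "access_method": "API", "product": "Insight Platform", "time": "2024-05-01T12:05:00Z",
        "service_info": {"type": "example", "event": {
            "type": "example.apikey.create", "timestamp": 1714565100000,
            "initiatorIdentification": {"apiKeyId": "key-42", "customerId": "c-1"}}},
    }),
]


def deep_get(obj, *keys, default=None):
    """Walk nested dicts; stand-in for panther_base_helpers.deep_get (assumption)."""
    for key in keys:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj


def parse_event(line):
    """Parse one JSON line and reject it if a schema-required field is missing."""
    event = json.loads(line)
    missing = [f for f in REQUIRED if f not in event]
    if missing:
        raise ValueError(f"missing required field(s): {missing}")
    return event


def event_time(event):
    """Prefer the rfc3339 `time` field; fall back to the unix_ms service timestamp."""
    rfc = event.get("time")
    if rfc:
        return datetime.fromisoformat(rfc.replace("Z", "+00:00"))
    ms = deep_get(event, "service_info", "event", "timestamp")
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def initiator_kind(event):
    """Classify the principal from initiatorIdentification: api_key, automated_flow, user."""
    ident = deep_get(event, "service_info", "event", "initiatorIdentification", default={})
    if ident.get("apiKeyId"):
        return "api_key"
    if ident.get("automatedFlowName"):
        return "automated_flow"
    if ident.get("email") or ident.get("userId"):
        return "user"
    return "unknown"


def initiator_label(event):
    ident = deep_get(event, "service_info", "event", "initiatorIdentification", default={})
    return (ident.get("apiKeyId") or ident.get("automatedFlowName")
            or ident.get("email") or ident.get("userId") or "unknown")


def rule(event):
    """Alert on audited actions taken by a non-interactive principal."""
    return initiator_kind(event) in ("api_key", "automated_flow")


def title(event):
    return (f"Rapid7 audit action [{event.get('action')}] by {initiator_kind(event)} "
            f"[{initiator_label(event)}] in [{event.get('product')}] "
            f"at {event_time(event).isoformat()}")


def dedup(event):
    """Group alerts per principal so a busy integration produces one alert, not hundreds."""
    return f"{initiator_kind(event)}:{initiator_label(event)}"


def run(lines):
    """Parse each line, apply the rule, return the titles of alerting events."""
    return [title(e) for e in map(parse_event, lines) if rule(e)]


if __name__ == "__main__":
    for t in run(SAMPLE_LINES):
        print(t)
```

In a real deployment the rule would be scoped to the `action` values you care about (key creation, role changes, log-source changes) rather than every API-key event, and `dedup` keeps one noisy integration from paging repeatedly; the parse step shows why the schema marks `action`, `audit_id` and `time` required, since a rule cannot dedup, title or timestamp an event without them.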
