# Rapid7 Logs

## Overview

Panther can pull in Rapid7's [audit logs](https://docs.rapid7.com/insight/audit-logging/) via [InsightIDR](https://www.rapid7.com/products/insightidr/).

## How to onboard Rapid7 audit logs to Panther

### Step 1: Enable audit logging in Rapid7

* Follow the [Rapid7 instructions on how to enable audit logging](https://docs.rapid7.com/insight/audit-logging/#enable-audit-logging).
  * Copy the **Data Storage Region** value and store it in a secure location, as you will need it in a following step.

### Step 2: Generate an API key in Rapid7

* Follow the [Rapid7 instructions on how to generate an API key](https://docs.rapid7.com/insight/managing-platform-api-keys). It's recommended to create an organization key (instead of a user key), as it [must have Administrator permissions](https://docs.rapid7.com/insight/audit-logging/) to properly view and query audit log events.
  * Copy the API key value and store it in a secure location, as you will need it in a following step.

### Step 3: Create a new Rapid7 log source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for “Rapid7,” then click its tile.
4. On the slide-out panel, click **Start Setup**.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-458d266ecd68749c6237d2547169c32aadfc8a1e%2FScreenshot%202024-06-12%20at%2012.58.19%20PM.png?alt=media" alt="In the Panther Console, the Configure > Log Sources > Add New Source page is shown. There is an arrow drawn from the Rapid7 tile to the Start Setup button on its slide-out panel."><figcaption></figcaption></figure>
5. On the next screen, enter a descriptive name for the source, e.g., `My Rapid7 logs`.
6. On the **Set Credentials** page, fill in the fields:

   * **Storage Region**: Enter the shortened version of the **Data Storage Region** you noted from Rapid7 in Step 1. For example, if your region is `United States - 3`, enter `us3`.
     * If you need to find this value again, you can do so in the Rapid7 Platform console, within the **Home** section of the **Settings** page. You may also be able to see it in your Rapid7 console URL.
   * **API Key**: Enter the API key you generated in Rapid7 in Step 2.

   ![Under "Fill in the form below with your credentials" are two empty fields: Storage Region and API Key.](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-f3cb3f73476bc2ac7c51654f3feada1b5ed2975d%2FScreenshot%202024-06-12%20at%201.00.21%20PM.png?alt=media)
7. Click **Setup**. You will be directed to a success screen:

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-e55cedf82c6a6adc66ec5c14ebdcb164c3b1dcca%2FScreenshot%202023-08-03%20at%204.33.30%20PM.png?alt=media" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-c48119abd559990173004bde99ff4907fdd2ded2%2FScreenshot%202023-08-03%20at%204.26.54%20PM.png?alt=media" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Supported Log Types

### Rapid7.AuditLog

```yaml
schema: Rapid7.AuditLog
description: Rapid7 InsightIDR audit log
referenceURL: https://docs.rapid7.com/insightidr/audit-logging/
fields:
    - name: action
      required: true
      description: The action performed.
      type: string
    - name: audit_id
      required: true
      description: Unique identifier for the audit log entry.
      type: string
    - name: result
      description: Result of the action performed.
      type: string
    - name: access_method
      description: The method used to access the service.
      type: string
    - name: product
      description: The product related to the log entry.
      type: string
    - name: description
      description: Additional details or context about the action.
      type: string
    - name: service_info
      description: Information about the service and the event.
      type: object
      fields:
        - name: previousEntry
          description: Information about the previous entry in the log.
          type: json
        - name: event
          description: Details about the event that triggered the log entry.
          type: object
          fields:
            - name: type
              description: Type of the event.
              type: string
            - name: correlationId
              description: Correlation identifier for tracking.
              type: string
            - name: customerId
              description: Identifier for the customer.
              type: string
            - name: updatedBy
              description: Identifier for who or what updated the entry.
              type: string
              indicators:
                - email
            - name: initiatorIdentification
              description: Identification details of the initiator.
              type: object
              fields:
                - name: email
                  description: Email of the initiator.
                  type: string
                  indicators:
                    - email
                - name: userId
                  description: User ID of the initiator.
                  type: string
                - name: apiKeyId
                  description: API key ID of the initiator, if applicable.
                  type: string
                - name: automatedFlowName
                  description: Name of the automated flow, if applicable.
                  type: string
                - name: customerId
                  description: Customer ID of the initiator.
                  type: string
            - name: timestamp
              description: Event timestamp.
              type: timestamp
              timeFormats:
                - unix_ms
              isEventTime: true
        - name: type
          description: Type of the service information.
          type: string
    - name: time
      required: true
      description: The timestamp of the audit log.
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
    - name: request
      description: Request details including the user information.
      type: object
      fields:
        - name: user
          description: User details from the request.
          type: object
          fields:
            - name: email
              description: Email of the user.
              type: string
              indicators:
                - email
            - name: name
              description: Name of the user.
              type: string
              indicators:
                - username
```
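As an added example (not code from Panther or Rapid7), here is a Panther-style Python rule over `Rapid7.AuditLog` events: it resolves the event time from either of the two timestamp fields in the schema above (`unix_ms` first, then the `rfc3339` `time` field) and flags actions whose initiator is an API key rather than an interactive user. The `deep_get` helper, the sample events and every value in them are assumptions constructed for this example.

```python
from datetime import datetime, timezone

INITIATOR = ("service_info", "event", "initiatorIdentification")  # schema path to the initiator

def deep_get(event, *keys, default=None):
    """Walk nested dicts along keys (stand-in for Panther's deep_get helper; assumption)."""
    cur = event
    for key in keys:
        if not isinstance(cur, dict) or cur.get(key) is None:
            return default
        cur = cur[key]
    return cur

def event_time(event):
    """Prefer service_info.event.timestamp (unix_ms); fall back to the rfc3339 'time' field."""
    ms = deep_get(event, "service_info", "event", "timestamp")
    if ms is not None:
        return datetime.fromtimestamp(int(ms) / 1000, tz=timezone.utc)
    return datetime.fromisoformat(event["time"].replace("Z", "+00:00"))

def rule(event):
    # Fire only when the initiator carries an apiKeyId, i.e. non-interactive access.
    return deep_get(event, *INITIATOR, "apiKeyId") is not None

def title(event):
    key_id = deep_get(event, *INITIATOR, "apiKeyId", default="<unknown>")
    actor = deep_get(event, "request", "user", "email") or deep_get(event, *INITIATOR, "email", default="<unknown>")
    return f"Rapid7 audit action [{event.get('action')}] by API key {key_id} ({actor}) at {event_time(event).isoformat()}"

def dedup(event):
    # Group repeated actions from the same API key into one alert rather than one per audit entry.
    return str(deep_get(event, *INITIATOR, "apiKeyId", default=""))

# Constructed sample events: action names, IDs and addresses are placeholders, not real Rapid7 data.
API_KEY_EVENT = {
    "action": "example.action", "audit_id": "constructed-0001", "result": "SUCCESS",
    "time": "2024-06-12T12:58:19Z",
    "service_info": {"type": "example", "event": {
        "type": "example", "timestamp": 1718197099000,
        "initiatorIdentification": {"apiKeyId": "key-constructed-01", "email": "svc@example.com"}}},
    "request": {"user": {"email": "svc@example.com", "name": "svc-user"}},
}
USER_EVENT = {
    "action": "example.action", "audit_id": "constructed-0002", "result": "SUCCESS",
    "time": "2024-06-12T13:00:21Z",
    "service_info": {"type": "example", "event": {"type": "example",
        "initiatorIdentification": {"email": "alice@example.com", "userId": "u-01"}}},
    "request": {"user": {"email": "alice@example.com", "name": "alice"}},
}
```

In a real Panther rule the `deep_get` helper would be replaced by `event.deep_get(...)`, and the API-key check would typically be narrowed to the actions your automation is not expected to perform.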
