# Tines Logs

## Overview

Panther can fetch [Tines](https://www.tines.com/) logs by querying the [Tines API](https://www.tines.com/api). Specifically, Panther pulls Tines audit logs from the [Audit logs API](https://www.tines.com/api/audit-logs).

To set up Tines as a log source, generate a Tines API key that Panther can use to access your Tines instance, then create the log source in Panther.

## How to onboard Tines logs to Panther

### Step 1: Generate a Tines API key

1. Follow [Tines's instructions on how to create an API key](https://www.tines.com/api/authentication).
2. Copy the API key and store it in a secure location, as you will need it to create the log source in Panther.

### Step 2: Create a new Tines source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New.**
3. Select **Tines** from the list of available log sources. Click **Start Source Setup**.
4. On the next screen, enter a descriptive name for the source, e.g., `My Tines Audit logs`.
5. Click **Setup.**
6. On the **Set Credentials** page, fill in the form:
   * **Tines Domain**: Enter your Tines tenant domain. As [Tines's documentation outlines](https://www.tines.com/docs/quickstart/signing-in), Cloud deployments of Tines will have a domain similar to either `adjective-noun-1234.tines.io` or `adjective-noun-1234.tines.com`.
   * **API Key**: Enter the Tines API key you generated in the previous step of this documentation.
7. Click **Setup**. You will be directed to a success screen:

   <figure><img src="/files/lJCvylZLzgzxBKPB2fyE" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

   * You can optionally enable one or more [Detection Packs](https://docs.panther.com/detections/panther-managed/packs).
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

     <figure><img src="/files/Qjs5L2RqoxDEnhUcjTYh" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Tines in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/master/rules/tines_rules).

## Supported log types

### Tines.Audit

These are audit logs of events in a Tines tenant. For more information, see [Tines's Audit logs documentation](https://www.tines.com/api/audit-logs).

```yaml
schema: Tines.Audit
description: Audit logs from the Tines Audit Logs API
referenceURL: https://www.tines.com/api/audit-logs
fields:
  - name: created_at
    required: true
    description: The date/time at which the audit log was created.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: id
    description: The ID of the audit log.
    type: int
  - name: inputs
    description: JSON Inputs passed to the operation.
    type: json
  - name: operation_name
    required: true
    description: The name of the operation.
    type: string
  - name: request_ip
    required: true
    description: The IP Address the operation was triggered from.
    type: string
    indicators:
      - ip
  - name: request_user_agent
    description: The user agent that the operation was triggered with.
    type: string
  - name: tenant_id
    required: true
    description: The ID of the tenant the operation was triggered on.
    type: string
  - name: user_email
    description: The email of the user who triggered the operation.
    type: string
    indicators:
      - email
  - name: user_id
    required: true
    description: The ID of the user who triggered the operation.
    type: string
  - name: user_name
    description: The name of the user who triggered the operation.
    type: string
    indicators:
      - username
```
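The following Python is an added example, not Panther's parser or code from the panther-analysis repository. It applies the schema's required fields, `rfc3339` time format and indicator tags to events, which helps when checking test fixtures before writing detections. The function names `check_event` and `indicators`, the sample events and the `ExampleOperation` value are assumptions constructed for illustration.

```python
import ipaddress
from datetime import datetime

# Field rules transcribed from the Tines.Audit schema on this page.
REQUIRED = ("created_at", "operation_name", "request_ip", "tenant_id", "user_id")
INDICATORS = {"request_ip": "ip", "user_email": "email", "user_name": "username"}


def check_event(event: dict) -> list[str]:
    """Return a list of schema problems; an empty list means the event conforms."""
    problems = [f"missing required field: {f}" for f in REQUIRED if event.get(f) in (None, "")]
    ts = event.get("created_at")
    if ts:
        try:
            # fromisoformat() before Python 3.11 rejects a trailing "Z".
            parsed = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
            if parsed.tzinfo is None:
                problems.append("created_at has no UTC offset (not rfc3339)")
        except ValueError:
            problems.append(f"created_at is not rfc3339: {ts!r}")
    ip = event.get("request_ip")
    if ip:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"request_ip is not an IP address: {ip!r}")
    return problems


def indicators(event: dict) -> dict[str, list[str]]:
    """Collect the values of fields the schema tags as ip/email/username indicators."""
    found: dict[str, list[str]] = {}
    for field, kind in INDICATORS.items():
        if event.get(field):
            found.setdefault(kind, []).append(event[field])
    return found


# Constructed sample events (not real Tines output); operation names are placeholders.
GOOD = {"created_at": "2024-01-15T09:30:00Z", "id": 101,
        "operation_name": "ExampleOperation", "request_ip": "203.0.113.7",
        "tenant_id": "1", "user_id": "42", "user_email": "analyst@example.com",
        "user_name": "analyst", "inputs": {"key": "value"}}
BAD = {"created_at": "15/01/2024 09:30", "operation_name": "ExampleOperation",
       "request_ip": "not-an-ip", "tenant_id": "1"}

if __name__ == "__main__":
    print(check_event(GOOD), indicators(GOOD))
    print(check_event(BAD))
```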

