Audit Logs

Collects and ingests audit logs from Endor Labs, providing comprehensive visibility into user activities, system operations, and security events within your Endor Labs organization.

Sync Type: Incremental

Details

This input collects audit logs from the Endor Labs API, capturing critical activities including user authentication, API operations, resource modifications, and administrative actions. The input supports incremental sync with automatic pagination and state management to ensure only new events are collected on subsequent runs. Key features include:

  • Incremental sync with automatic state tracking
  • Support for custom backfill periods
  • Comprehensive audit trail of all platform activities

Prerequisites

Before connecting Monad to Endor Labs, you need:

  1. An active Endor Labs account with appropriate permissions
  2. API key with audit log access permissions
  3. Your Endor Labs organization namespace

Setup Instructions

1. Generate an API Key and Secret

  1. Log in to Endor Labs:

  2. Navigate to API Keys:

    • On the left sidebar, navigate to the Access Control section
    • Select API Keys
  3. Generate API Key:

    • Click Generate API Key
    • Specify the following key details:
      • Name: Enter a descriptive name for the API key (e.g., "Monad Audit Log Connector")
      • Permission Level: Choose the appropriate permission level for the API key. Options include:
        • Admin: Full access to all features and functionalities
        • Read-only: View-only access, without the ability to modify or create resources
        • Code Scanner: Access specifically for code scanning functionalities
        • Policy Editor: Access to policy editing features
        • On-Prem Scheduler: Access to manage Outpost and to use monitoring scans across supported platforms when you enable Outpost
    • Select the desired expiry date for the API key, ranging from 30 to 90 days
    • Under the Advanced section, you have the option to propagate the API key to all child namespaces (if applicable)
  4. Generate and Copy Credentials:

    • Click Generate API Key for confirmation
    • After generation, click Copy API Key & Secret
    • Important: Make sure to securely store your API secret in a safe location, as it will not be accessible through the Endor Labs UI later

2. Find Your Organization Namespace

  1. Locate Namespace:
    • In the Endor Labs dashboard, note your organization namespace
    • This is typically shown in the URL or organization settings
    • The namespace follows the format: your-org.endorlabs.com or similar

Note: Store the API key, API secret, and namespace securely. Never commit these credentials to version control.

Configuration

The following configuration defines the input parameters. Each field's specifications, such as type, requirements, and descriptions, are detailed below.

Settings

Setting              Type    Required  Default  Description
Namespace            string  Yes       -        Your Endor Labs organization namespace (e.g., "your-org")
Backfill Start Time  string  No        -        The date to start fetching data from. If not specified, no past records will be fetched.

Secrets

Secret      Type    Required  Description
API Key     string  Yes       The API key from your Endor Labs organization with permissions to access audit logs
API Secret  string  Yes       The API secret from your Endor Labs organization with permissions to access audit logs

Note on Collection Behavior

The input follows an incremental collection pattern:

  • First run: Collects all available audit logs (subject to API retention limits)
  • Subsequent runs: Collects only new audit logs since the last successful run
  • State management: Tracks the timestamp of the last successfully processed event

Troubleshooting

Common Issues

  1. Authentication Failures

    • Verify the API key and secret are correct and haven't expired
    • Ensure the API key has appropriate permissions for audit log access
    • Check that the namespace matches your Endor Labs organization
  2. Rate Limiting

    • The input handles API rate limiting automatically
    • Check whether other applications are using the same API key and consuming its quota
  3. Missing Events

    • Verify the API key has sufficient permissions for audit log access
    • Check that the namespace is correct for your organization
    • Ensure the backfill start time is within the API's data retention period

Sample Record

{
  "uuid": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "tenant_meta": {
    "namespace": "your-org"
  },
  "meta": {
    "create_time": "2024-11-13T15:30:45.123456Z",
    "update_time": "2024-11-13T15:30:45.123456Z",
    "name": "user_login_event",
    "kind": "AuditLog",
    "version": "v1",
    "description": "User authentication event",
    "created_by": "system",
    "updated_by": "system"
  },
  "spec": {
    "message_uuid": "f1e2d3c4-b5a6-9870-fedc-ba0987654321",
    "message_kind": "AuthenticationLog",
    "operation": "USER_LOGIN",
    "payload": {
      "user_id": "user@example.com",
      "authentication_method": "oauth",
      "session_id": "sess_1234567890abcdef",
      "success": true
    },
    "claims": [
      {
        "subject": "user@example.com",
        "issuer": "endorlabs.com",
        "audience": "api.endorlabs.com"
      }
    ],
    "remote_address": "203.0.113.42"
  }
}
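The incremental rules described under Note on Collection Behavior, applied to records in the shape of the sample above, as an added Python example that is not part of this connector or of the Endor Labs API. The collect, normalize and make_record functions, the state key last_create_time and the constructed records are assumptions; no API calls are made, and the batch is built inline.

```python
from datetime import datetime, timezone

def parse_ts(value):
    """Parse the RFC 3339 create_time used in Endor Labs audit records."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def normalize(record):
    """Flatten one AuditLog record into the fields a detection rule keys on."""
    spec, payload = record["spec"], record["spec"].get("payload", {})
    return {"uuid": record["uuid"], "namespace": record["tenant_meta"]["namespace"],
            "create_time": record["meta"]["create_time"], "operation": spec.get("operation"),
            "user": payload.get("user_id"), "success": payload.get("success"),
            "remote_address": spec.get("remote_address")}

def collect(records, state, backfill_start=None, run_start=None):
    """Incremental rules from the page: a later run keeps only events strictly
    newer than the checkpoint held in state; a first run starts at backfill_start,
    or at run_start (no past records) when no backfill is configured.
    Returns (normalized events in time order, updated state)."""
    last = state.get("last_create_time")
    if last is not None:
        cutoff, inclusive = parse_ts(last), False
    elif backfill_start is not None:
        cutoff, inclusive = parse_ts(backfill_start), True
    else:
        cutoff, inclusive = run_start or datetime.now(timezone.utc), True
    fresh = sorted(
        (r for r in records
         if parse_ts(r["meta"]["create_time"]) > cutoff
         or (inclusive and parse_ts(r["meta"]["create_time"]) == cutoff)),
        key=lambda r: parse_ts(r["meta"]["create_time"]))
    new_state = dict(state)
    if fresh:  # advance the checkpoint only when something was processed
        new_state["last_create_time"] = fresh[-1]["meta"]["create_time"]
    return [normalize(r) for r in fresh], new_state

def make_record(uuid, create_time, operation, success):
    """Constructed record in the sample shape above; values are not real data."""
    return {"uuid": uuid, "tenant_meta": {"namespace": "your-org"},
            "meta": {"create_time": create_time, "kind": "AuditLog"},
            "spec": {"message_kind": "AuthenticationLog", "operation": operation,
                     "payload": {"user_id": "user@example.com", "success": success},
                     "remote_address": "203.0.113.42"}}

# Constructed batch: one event older than the sample, the sample's time, one newer.
SAMPLE = [make_record("00000000-0000-4000-8000-000000000001", "2024-11-13T14:00:00Z", "USER_LOGIN", False),
          make_record("00000000-0000-4000-8000-000000000002", "2024-11-13T15:30:45.123456Z", "USER_LOGIN", True),
          make_record("00000000-0000-4000-8000-000000000003", "2024-11-13T16:00:00Z", "API_KEY_CREATE", True)]
```

Persist the returned state between runs; an event whose create_time equals the checkpoint is deliberately skipped on later runs so a boundary event is never ingested twice.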