Zendesk Logs

Panther supports pulling logs directly from Zendesk

Overview

Panther supports pulling logs directly from Zendesk. Panther can fetch Zendesk audit logs by querying the Zendesk Support API.

In order to set up Zendesk as a log source in Panther, you'll need to authorize Panther in Zendesk and then set up Zendesk as a log source in Panther.

Note the following limitations:

Zendesk API rate limits depend on your Zendesk Suite Plan.
- See Zendesk's Rate Limits documentation for more details.
This integration is only available for Zendesk's Enterprise and Enterprise Plus Suite Plans.
- See this Zendesk audit logs article for information on audit logs and plan availability.

How to onboard Zendesk logs to Panther

Step 1: Configure Zendesk for Panther

There are three different options to configure Zendesk to integrate with Panther:

Option 1: Create a new OAuth2 App

You must be a Zendesk Support administrator to register an OAuth2 app.

In order for your Zendesk integration in Panther to continue functioning successfully, the user who creates the OAuth2App must not be removed from Zendesk and must continue to have admin permissions.

For more information, see Zendesk's OAuth documentation.

Log in to your Zendesk Admin Center.
Click the gear icon in the left sidebar, then navigate to Channels > Apps and Integrations> APIs> Zendesk API.
Click the OAuth Clients tab on the Channels/API page, and then click Add Oauth Client on the right side of the client list.
- A page for registering your application appears. The Secret field is pre-populated.
Complete the following required fields:
- Client Name: This is the name that you will see on a list of apps that have access to your Zendesk Support instance.
- Unique Identifier: Click the field to auto-populate it with the name you entered for your app. You can change it if you want.
- Redirect URLs: You will find this in the Zendesk log source onboarding flow in the Panther UI (see screenshot below). This is the URL that Zendesk Support will use to send the user's decision to grant access to your application.
Click Save.
When prompted, copy the Secret value and store it securely, as you will need it in the next steps.
- The characters may extend past the width of the text box, so make sure to select everything before copying.
Click Save.

Option 2: Provide Zendesk email and password

In order for your Zendesk integration in Panther to continue functioning successfully, the Zendesk Support admin user whose email and password are used must not be removed from Zendesk and must continue to have admin permissions.

You can also set up Zendesk as a log source by providing your Zendesk Support admin email and password in the Panther. If you choose this approach, proceed to the last section of this article and have your Admin email and password handy as you onboard Zendesk as a log source in the Panther Console.

Option 3: Generate an API token

You must be a Zendesk Support administrator to create an API token.

In order for your Zendesk integration in Panther to continue functioning successfully, the user who creates the API token must not be removed from Zendesk and must continue to have admin permissions.

Learn more about generating a Zendesk API token here.

Log in to your Zendesk Support account.
Click the gear icon in the left sidebar, then select Channels > Apps and Integrations> APIs > Zendesk API.
Click the Settings tab, and make sure Token Access is enabled.
Click the + button to the right of Active API Tokens.
Enter a name for the token, and click Create. The token is generated, and displayed in a pop-up window.
Copy the token (in red), and store it in a secure location. You will need it in the next steps.
- Note: Once this window is closed, the full token will never be displayed again.

Step 2: Create a new Zendesk source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Select Zendesk from the list of available log sources.
In the upper right corner, click Start Setup.
On the next screen, enter a descriptive Name for the source e.g., My Zendesk Audit logs and your organization's Zendesk Subdomain.
Click Setup.
Authorize Panther to receive logs from Zendesk. Depending on the option you chose earlier in this documentation to configure Zendesk, follow the accompanying steps below:
- Option 1: Use OAuth2 Authorization Flow
  1. Log in to Zendesk as an administrator.
  2. Fill in the below fields. You can find this information on the details page of the OAuth app in your Zendesk account once you have registered the application.
    Client ID: Enter your unique identifier from Zendesk.
    Client Secret: Enter the secret from Zendesk that you obtained in the earlier steps of this documentation.
  3. Click Setup.
  4. On the Verify Setup page, click Grant Access.
  5. You will be routed to Zendesk and prompted to provide Panther access to your Zendesk logs. Click Allow.
- Option 2: Use Email and Password
  1. Fill in the following fields:
    Email: Your Zendesk Support admin Email.
    Password: Your Zendesk Support admin Password.
  2. Click Setup.
- Option 3: Use API authentication
  1. Fill in the following fields:
    Email: Enter your Zendesk Support admin Email.
    API Token: Enter the API token you generated in Zendesk earlier in this documentation.
  2. Click Setup.
You will be directed to a success screen:
- You can optionally enable one or more Detection Packs.
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Panther-managed detections

See Panther-managed rules for Zendesk in the panther-analysis GitHub repository.

Supported log types

Zendesk.Audit

The audit log shows various changes in your Zendesk since the account was created. It saves a record of these changes indefinitely, and you can view the entire change history.

Reference: Zendesk Documentation on Audit Logs.

schema: Zendesk.Audit
parser:
    native:
        name: Zendesk.Audit
description: The audit log shows various changes in your Zendesk since the account was created. It saves a record of these changes indefinitely, and you can view the entire change history.
referenceURL: https://developer.zendesk.com/rest_api/docs/support/audit_logs
fields:
    - name: action
      description: Values can be 'login', 'create', 'update', or 'destroy'
      type: string
    - name: action_label
      description: Localized string of action field
      type: string
    - name: actor_id
      description: The id of the user creating the ticket
      type: bigint
    - name: change_description
      description: The description of the change that occurred
      type: string
    - name: created_at
      required: true
      description: The time the audit got created
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: id
      required: true
      description: The id automatically assigned upon creation
      type: bigint
    - name: ip_address
      description: The IP address of the user doing the audit
      type: string
      indicators:
        - ip
    - name: source_id
      description: The id of the item being audited
      type: bigint
    - name: source_label
      description: The name of the item being audited
      type: string
    - name: source_type
      description: The item type being audited
      type: string
    - name: url
      description: The URL to access the audit log
      type: string

PreviousZeek Logs NextZoom Logs

Last updated 5 months ago