ConductorOne
ConductorOne is an identity governance and access management platform. The ConductorOne integration polls the System Log API to collect audit and activity events, providing visibility into access requests, approvals, provisioning activities, and administrative actions across your organization.
RunReveal polls the ConductorOne API every 60 seconds to collect new events.
Setup
To connect ConductorOne to RunReveal, you need a Client ID and Client Secret from your ConductorOne account.
Creating API Credentials
- Sign in to your ConductorOne account.
- Open the User menu (top-right corner) and select AI & API.
- Click Create credential to generate a new API key pair.
- Copy the Client ID and Client Secret values — the secret is only shown once.
The Client ID has the format <random-id>@<hostname>/<use-case>, for example [email protected]/runreveal. RunReveal uses this format to automatically detect your ConductorOne hostname.
Configuring the Source in RunReveal
- In RunReveal, create a new ConductorOne source and give it a descriptive name.
- Paste your Client ID into the Client ID field. RunReveal will automatically populate the Hostname field from the Client ID.
- Paste your Client Secret into the Client Secret field.
- Save the source. RunReveal will begin polling for events immediately.
Helpful Links
- ConductorOne API Documentation - Full reference for the ConductorOne System Log API and credential management
Verify It’s Working
Once added, logs should begin flowing within a minute. You can validate that RunReveal is receiving your logs by running the following SQL query:
SELECT * FROM runreveal.logs WHERE sourceType = 'conductor-one' LIMIT 1
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: conductorone_logs (59 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | LowCardinality(String) |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| activityID | Int32 |
| activityName | String |
| classUID | Int32 |
| className | String |
| categoryUID | Int32 |
| typeUID | Int32 |
| severityID | Int32 |
| status | String |
| statusID | Int32 |
| message | String |
| cloudAccountName | String |
| cloudProvider | String |
| apiOperation | String |
| apiRequest | String |
| apiResponseCode | Int32 |
| apiResponse | String |
| httpMethod | String |
| httpPath | String |
| userAgent | String |
| metadataUID | String |
| metadataVersion | String |
| actorUserType | String |
| actorUserUID | String |
| actorUserEmail | String |
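
A fuller version of the verification query, as an added example that is not part of RunReveal's documentation: it reports per-event-name volume and ingestion lag for the last day, so a source that has gone quiet or is delivering late stands out. It assumes the ClickHouse SQL dialect and that runreveal.logs exposes the receivedAt, eventTime and eventName columns listed in the schema on this page.

```sql
-- Added example: ingestion health check for the ConductorOne source.
-- Assumption: ClickHouse SQL dialect; runreveal.logs carries the normalized
-- receivedAt, eventTime and eventName columns shown in the schema table.
SELECT
    eventName,
    -- Number of events of this type received in the window
    count() AS events,
    -- Most recent event timestamp reported by ConductorOne
    max(eventTime) AS latest_event,
    -- Most recent time RunReveal stored an event of this type
    max(receivedAt) AS latest_received,
    -- How long ago the last event of this type arrived
    dateDiff('second', max(receivedAt), now()) AS seconds_since_last_receive,
    -- 95th percentile delay between the event occurring and being received;
    -- with 60-second polling this should normally stay near a minute or two
    quantile(0.95)(dateDiff('second', eventTime, receivedAt)) AS p95_ingest_lag_seconds
FROM runreveal.logs
WHERE sourceType = 'conductor-one'
  AND receivedAt >= now() - INTERVAL 1 DAY
GROUP BY eventName
ORDER BY latest_received DESC
```

An empty result means no ConductorOne events were received in the last 24 hours, which points to a credential or source configuration problem rather than a quiet tenant if activity is known to have occurred.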