Kandji
Collect audit logs from your Kandji account to monitor device management actions and administrative changes. RunReveal polls the Kandji API on a regular schedule.

Ingest Methods
Set up ingestion of this source using the guide below.
API Polling
The Kandji source polls your audit logs using the Kandji API.
Setup
- Go to Sources in RunReveal
- Click the Kandji source tile
- Give it a name and click Connect Source
- Enter your Kandji API URL (e.g. https://subdomain.api.kandji.io) and API token from Kandji Settings → Access
Your tenant subdomain is the hostname segment in your Kandji API base URL (https://YOUR_SUBDOMAIN.api.kandji.io). In the Kandji web app, open Settings → Access to copy your full API URL and create a token with permission to list audit events. For base URL format and authentication, see the Kandji API documentation.
The integration polls approximately every 60 seconds for new audit events. Historical logs are backfilled on first sync.

Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: kandji_logs (46 columns)
| Column | Type |
|---|---|
| workspaceID | String |
| sourceID | String |
| sourceType | String |
| sourceTTL | UInt32 |
| receivedAt | DateTime |
| id | String |
| eventTime | DateTime |
| eventName | String |
| eventID | String |
| srcIP | String |
| srcASCountryCode | String |
| srcASNumber | UInt32 |
| srcASOrganization | String |
| srcCity | String |
| srcConnectionType | String |
| srcISP | String |
| srcLatitude | Float64 |
| srcLongitude | Float64 |
| srcUserType | String |
| dstIP | String |
| dstASCountryCode | String |
| dstASNumber | UInt32 |
| dstASOrganization | String |
| dstCity | String |
| dstConnectionType | String |
| dstISP | String |
| dstLatitude | Float64 |
| dstLongitude | Float64 |
| dstUserType | String |
| actor | Map(String, String) |
| tags | Map(String, String) |
| resources | Array(String) |
| serviceName | String |
| enrichments | Array(Tuple(data Map(String, String), name String, provider String, type String, value String)) |
| readOnly | Bool |
| rawLog | String |
| kandjiEventId | String |
| action | String |
| actorId | String |
| actorType | String |
| occurredAt | String |
| targetType | String |
| targetId | String |
| targetComponent | String |
| newState | String |
| metadata | String |
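
As an added example (not part of the RunReveal documentation), the query below uses the kandji_logs columns listed above to surface Kandji audit activity from a source country that an actor has not used before. It is written in ClickHouse-style SQL to match the column types in the table. It assumes that actorId and srcASCountryCode are populated for this source, and the 30-day baseline and 24-hour detection window are illustrative choices.

```sql
-- Added example; not RunReveal's own detection content.
-- Flags Kandji audit events from the last 24 hours where the actor's
-- source country was not seen for that actor in the prior 30 days.
WITH baseline AS (
    -- Per-actor set of countries observed during the baseline window.
    SELECT
        actorId,
        groupUniqArray(srcASCountryCode) AS knownCountries
    FROM kandji_logs
    WHERE eventTime >= now() - INTERVAL 31 DAY
      AND eventTime <  now() - INTERVAL 1 DAY
      AND actorId != ''
      AND srcASCountryCode != ''
    GROUP BY actorId
)
SELECT
    l.actorId,
    l.actorType,
    l.srcASCountryCode,
    count()                      AS events,
    groupUniqArray(l.action)     AS actions,
    groupUniqArray(l.targetType) AS targetTypes,
    min(l.eventTime)             AS firstSeen,
    max(l.eventTime)             AS lastSeen
FROM kandji_logs AS l
-- INNER JOIN drops actors with no baseline history; review brand-new
-- actors with a separate query if that matters in your environment.
INNER JOIN baseline AS b ON l.actorId = b.actorId
WHERE l.eventTime >= now() - INTERVAL 1 DAY
  AND l.srcASCountryCode != ''
  AND NOT has(b.knownCountries, l.srcASCountryCode)
GROUP BY l.actorId, l.actorType, l.srcASCountryCode
ORDER BY events DESC
```

Because the source backfills historical logs on first sync, the baseline window can be populated as soon as the source is connected, provided the Kandji account has at least that much audit history.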