diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 618d324c2f3..e745c7adcb4 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -93,6 +93,7 @@
/packages/aws_vpcflow_otel @elastic/obs-infraobs-integrations
/packages/awsfargate @elastic/obs-infraobs-integrations
/packages/awsfirehose @elastic/obs-ds-hosted-services
+/packages/axonius @elastic/security-service-integrations
/packages/azure @elastic/obs-infraobs-integrations @elastic/obs-ds-hosted-services @elastic/security-service-integrations
/packages/azure/data_stream/activitylogs @elastic/obs-infraobs-integrations
/packages/azure/data_stream/application_gateway @elastic/security-service-integrations
diff --git a/packages/axonius/_dev/build/build.yml b/packages/axonius/_dev/build/build.yml
new file mode 100644
index 00000000000..b2596b96490
--- /dev/null
+++ b/packages/axonius/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v9.2.0
diff --git a/packages/axonius/_dev/build/docs/README.md b/packages/axonius/_dev/build/docs/README.md
new file mode 100644
index 00000000000..3e41884d9cc
--- /dev/null
+++ b/packages/axonius/_dev/build/docs/README.md
@@ -0,0 +1,112 @@
+# Axonius Integration for Elastic
+
+## Overview
+
+[Axonius](https://www.axonius.com/) is a cybersecurity asset management platform that automatically collects data from hundreds of IT and security tools through adapters, merges that information, and builds a unified inventory of all assets—devices, users, SaaS apps, cloud instances, and more. By correlating data from multiple systems, Axonius helps organizations identify visibility gaps, missing security controls, risky configurations, and compliance issues. It lets you create powerful queries to answer any security or IT question and automate actions such as sending alerts, creating tickets, or enforcing policies.
+
+This integration for Elastic allows you to collect assets and security events data using the Axonius API, then visualize the data in Kibana.
+
+### Compatibility
+The Axonius integration is compatible with product version **7.0**.
+
+### How it works
+This integration periodically queries the Axonius API to retrieve logs.
+
+## What data does this integration collect?
+This integration collects log messages of the following type:
+
+- `Gateway`: Collect details of all Gateway (endpoint: `/api/v2/gateway`).
+
+### Supported use cases
+
+Integrating the Axonius Gateway Datastream with Elastic SIEM provides centralized visibility into gateway configurations and the network context they operate in. Kibana dashboards surface key insights into gateway status, routing behavior, and essential connection attributes, helping analysts quickly understand overall network posture.
+
+The dashboards offer clear views of status distribution, highlight important gateway metrics, and provide searchable details that support deeper investigation. Additional tables and saved searches reveal underlying network dependencies and proxy-related information, enabling teams to track configuration changes and identify irregularities.
+
+These insights help security teams monitor gateway health, detect misconfigurations, and streamline network-focused investigations across the environment.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements.
+
+### From Axonius
+
+To collect data through the Axonius APIs, you need to provide the **URL**, **API Key** and **API Secret**. Authentication is handled using the **API Key** and **API Secret**, which serves as the required credential.
+
+#### Retrieve URL, API Token and API Secret:
+
+1. Log in to the **Axonius** instance.
+2. Your instance URL is your Base **URL**.
+3. Navigate to **User Settings > API Key**.
+4. Generate an **API Key**.
+5. Copy both values including **API Key and Secret Key** and store them securely for use in the Integration configuration.
+
+## How do I deploy this integration?
+
+This integration supports both Elastic Agentless-based and Agent-based installations.
+
+### Agent-based deployment
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Agentless deployment
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it.
+
+For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html)
+
+### Configure
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **Axonius**.
+3. Select the **Axonius** integration from the search results.
+4. Select **Add Axonius** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+ * To **Collect logs from Axonius API**, you'll need to:
+
+ - Configure **URL**, **API Key** and **API Secret**.
+ - Adjust the integration configuration parameters if required, including the Interval, HTTP Client Timeout etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboard populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **Axonius**, and verify the dashboard information is populated.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+## Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### Gateway
+
+The `gateway` data stream provides gateway events from axonius.
+
+#### gateway fields
+
+{{ fields "gateway" }}
+
+{{ event "gateway" }}
+
+### Inputs used
+{{/* All inputs used by this package will be automatically listed here. */}}
+{{ inputDocs }}
+
+### API usage
+
+These APIs are used with this integration:
+
+* Gateway (endpoint: `/api/v2/gateway`)
\ No newline at end of file
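Review bot: The endpoint is documented as `/api/v2/gateway` both in the data list near the top of this README and under "API usage" at the bottom, but the CEL program and the mock server config in this same patch request `/api/v2/gateways`; the docs should name the path that is actually called. Two smaller points in the same file: the heading "Retrieve URL, API Token and API Secret" uses "API Token" while the steps and the configuration use "API Key", and the Agent-based deployment paragraph says the agent streams data "from the syslog or log file receiver", which does not describe an integration that polls an API with the `cel` input. The file also ends without a trailing newline.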
diff --git a/packages/axonius/_dev/deploy/docker/docker-compose.yml b/packages/axonius/_dev/deploy/docker/docker-compose.yml
new file mode 100644
index 00000000000..2c44356c631
--- /dev/null
+++ b/packages/axonius/_dev/deploy/docker/docker-compose.yml
@@ -0,0 +1,15 @@
+version: '3.8'
+services:
+ axonius:
+ image: docker.elastic.co/observability/stream:v0.20.0
+ hostname: axonius
+ ports:
+ - 8090
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: '8090'
+ command:
+ - http-server
+ - --addr=:8090
+ - --config=/files/config.yml
diff --git a/packages/axonius/_dev/deploy/docker/files/config.yml b/packages/axonius/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..21e171dafa1
--- /dev/null
+++ b/packages/axonius/_dev/deploy/docker/files/config.yml
@@ -0,0 +1,63 @@
+rules:
+ - path: /api/v2/gateways
+ methods: ['GET']
+ request_headers:
+ Accept: application/json
+ api-key: xxxx
+ api-secret: xxxx
+ responses:
+ - status_code: 200
+ headers:
+ Content-Type:
+ - 'application/json'
+ body: |-
+ {{ minify_json `
+ {
+ "gateways": [
+ {
+ "name": "Gateway_1",
+ "default": false,
+ "dns_server": "1.128.0.0",
+ "email_when_connected": false,
+ "email_when_disconnected": false,
+ "email_recipients": [
+ "john.doe@example.com"
+ ],
+ "backup_ids": [
+ "backup1",
+ "backup2"
+ ],
+ "tunnel_proxy_settings": {
+ "enabled": false,
+ "tunnel_proxy_addr": "addr",
+ "tunnel_proxy_port": 8080,
+ "tunnel_proxy_user": "tunnel-proxy-01"
+ },
+ "id": "tunnel3",
+ "status": "pending"
+ },
+ {
+ "name": "Gateway_3",
+ "default": false,
+ "dns_server": "216.160.83.56",
+ "email_when_connected": false,
+ "email_when_disconnected": false,
+ "email_recipients": [
+ "alias.doe@example.com"
+ ],
+ "backup_ids": [
+ "backup1",
+ "backup2"
+ ],
+ "tunnel_proxy_settings": {
+ "enabled": false,
+ "tunnel_proxy_addr": "addr1",
+ "tunnel_proxy_port": 8081,
+ "tunnel_proxy_user": "tunnel-proxy-02"
+ },
+ "id": "tunnel2",
+ "status": "error"
+ }
+ ]
+ }
+ `}}
diff --git a/packages/axonius/changelog.yml b/packages/axonius/changelog.yml
new file mode 100644
index 00000000000..581073081c8
--- /dev/null
+++ b/packages/axonius/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: 0.1.0
+ changes:
+ - description: Initial release.
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16169
diff --git a/packages/axonius/data_stream/gateway/_dev/test/pipeline/test-common-config.yml b/packages/axonius/data_stream/gateway/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..37e8fa225fd
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,3 @@
+fields:
+ tags:
+ - preserve_duplicate_custom_fields
diff --git a/packages/axonius/data_stream/gateway/_dev/test/pipeline/test-gateway.log b/packages/axonius/data_stream/gateway/_dev/test/pipeline/test-gateway.log
new file mode 100644
index 00000000000..621234a4634
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/_dev/test/pipeline/test-gateway.log
@@ -0,0 +1,3 @@
+{"name":"Gateway_1","default":false,"dns_server":"1.128.0.0","email_when_connected":false,"email_when_disconnected":false,"email_recipients":["john.doe@example.com"],"backup_ids":["backup1","backup2"],"tunnel_proxy_settings":{"enabled":false,"tunnel_proxy_addr":"addr","tunnel_proxy_port":8080,"tunnel_proxy_user":"tunnel-proxy-01"},"id":"tunnel3","status":"pending"}
+{"name":"Gateway_3","default":false,"dns_server":"216.160.83.56","email_when_connected":false,"email_when_disconnected":false,"email_recipients":["alias.doe@example.com"],"backup_ids":["backup1","backup2"],"tunnel_proxy_settings":{"enabled":false,"tunnel_proxy_addr":"addr1","tunnel_proxy_port":8081,"tunnel_proxy_user":"tunnel-proxy-02"},"id":"tunnel2","status":"error"}
+{"name":"Gateway_2","default":true,"dns_server":"89.160.20.128","email_when_connected":false,"email_when_disconnected":false,"email_recipients":["john.martin@example.com"],"backup_ids":["backup1","backup2"],"tunnel_proxy_settings":{"enabled":false,"tunnel_proxy_addr":"addr2","tunnel_proxy_port":8082,"tunnel_proxy_user":"tunnel-proxy-03"},"id":"tunnel1","status":"success"}
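Review bot: All three sample events carry a valid `dns_server` address, well-formed booleans and an `id`, so the pipeline's per-processor `on_failure` handlers and the `dns_server != ''` guard on the IP conversion are never exercised by this test. Adding one event with an empty or non-IP `dns_server`, and one without `id`, would put the `error.message` and `event.kind: pipeline_error` paths into the expected output.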
diff --git a/packages/axonius/data_stream/gateway/_dev/test/pipeline/test-gateway.log-expected.json b/packages/axonius/data_stream/gateway/_dev/test/pipeline/test-gateway.log-expected.json
new file mode 100644
index 00000000000..16b437bf2dc
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/_dev/test/pipeline/test-gateway.log-expected.json
@@ -0,0 +1,177 @@
+{
+ "expected": [
+ {
+ "axonius": {
+ "gateway": {
+ "backup_ids": [
+ "backup1",
+ "backup2"
+ ],
+ "default": false,
+ "dns_server": "1.128.0.0",
+ "email_recipients": [
+ "john.doe@example.com"
+ ],
+ "email_when_connected": false,
+ "email_when_disconnected": false,
+ "id": "tunnel3",
+ "name": "Gateway_1",
+ "status": "pending",
+ "tunnel_proxy_settings": {
+ "enabled": false,
+ "tunnel_proxy_addr": "addr",
+ "tunnel_proxy_port": "8080",
+ "tunnel_proxy_user": "tunnel-proxy-01"
+ }
+ }
+ },
+ "dns": {
+ "resolved_ip": [
+ "1.128.0.0"
+ ]
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "email": {
+ "to": {
+ "address": [
+ "john.doe@example.com"
+ ]
+ }
+ },
+ "event": {
+ "id": "tunnel3",
+ "kind": "event",
+ "original": "{\"name\":\"Gateway_1\",\"default\":false,\"dns_server\":\"1.128.0.0\",\"email_when_connected\":false,\"email_when_disconnected\":false,\"email_recipients\":[\"john.doe@example.com\"],\"backup_ids\":[\"backup1\",\"backup2\"],\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr\",\"tunnel_proxy_port\":8080,\"tunnel_proxy_user\":\"tunnel-proxy-01\"},\"id\":\"tunnel3\",\"status\":\"pending\"}"
+ },
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ],
+ "user": [
+ "tunnel-proxy-01"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "axonius": {
+ "gateway": {
+ "backup_ids": [
+ "backup1",
+ "backup2"
+ ],
+ "default": false,
+ "dns_server": "216.160.83.56",
+ "email_recipients": [
+ "alias.doe@example.com"
+ ],
+ "email_when_connected": false,
+ "email_when_disconnected": false,
+ "id": "tunnel2",
+ "name": "Gateway_3",
+ "status": "error",
+ "tunnel_proxy_settings": {
+ "enabled": false,
+ "tunnel_proxy_addr": "addr1",
+ "tunnel_proxy_port": "8081",
+ "tunnel_proxy_user": "tunnel-proxy-02"
+ }
+ }
+ },
+ "dns": {
+ "resolved_ip": [
+ "216.160.83.56"
+ ]
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "email": {
+ "to": {
+ "address": [
+ "alias.doe@example.com"
+ ]
+ }
+ },
+ "event": {
+ "id": "tunnel2",
+ "kind": "event",
+ "original": "{\"name\":\"Gateway_3\",\"default\":false,\"dns_server\":\"216.160.83.56\",\"email_when_connected\":false,\"email_when_disconnected\":false,\"email_recipients\":[\"alias.doe@example.com\"],\"backup_ids\":[\"backup1\",\"backup2\"],\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr1\",\"tunnel_proxy_port\":8081,\"tunnel_proxy_user\":\"tunnel-proxy-02\"},\"id\":\"tunnel2\",\"status\":\"error\"}",
+ "outcome": "failure"
+ },
+ "related": {
+ "ip": [
+ "216.160.83.56"
+ ],
+ "user": [
+ "tunnel-proxy-02"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ]
+ },
+ {
+ "axonius": {
+ "gateway": {
+ "backup_ids": [
+ "backup1",
+ "backup2"
+ ],
+ "default": true,
+ "dns_server": "89.160.20.128",
+ "email_recipients": [
+ "john.martin@example.com"
+ ],
+ "email_when_connected": false,
+ "email_when_disconnected": false,
+ "id": "tunnel1",
+ "name": "Gateway_2",
+ "status": "success",
+ "tunnel_proxy_settings": {
+ "enabled": false,
+ "tunnel_proxy_addr": "addr2",
+ "tunnel_proxy_port": "8082",
+ "tunnel_proxy_user": "tunnel-proxy-03"
+ }
+ }
+ },
+ "dns": {
+ "resolved_ip": [
+ "89.160.20.128"
+ ]
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "email": {
+ "to": {
+ "address": [
+ "john.martin@example.com"
+ ]
+ }
+ },
+ "event": {
+ "id": "tunnel1",
+ "kind": "event",
+ "original": "{\"name\":\"Gateway_2\",\"default\":true,\"dns_server\":\"89.160.20.128\",\"email_when_connected\":false,\"email_when_disconnected\":false,\"email_recipients\":[\"john.martin@example.com\"],\"backup_ids\":[\"backup1\",\"backup2\"],\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr2\",\"tunnel_proxy_port\":8082,\"tunnel_proxy_user\":\"tunnel-proxy-03\"},\"id\":\"tunnel1\",\"status\":\"success\"}",
+ "outcome": "success"
+ },
+ "related": {
+ "ip": [
+ "89.160.20.128"
+ ],
+ "user": [
+ "tunnel-proxy-03"
+ ]
+ },
+ "tags": [
+ "preserve_duplicate_custom_fields"
+ ]
+ }
+ ]
+}
diff --git a/packages/axonius/data_stream/gateway/_dev/test/system/test-default-config.yml b/packages/axonius/data_stream/gateway/_dev/test/system/test-default-config.yml
new file mode 100644
index 00000000000..456301a9199
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/_dev/test/system/test-default-config.yml
@@ -0,0 +1,12 @@
+input: cel
+service: axonius
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ api_key: xxxx
+ secret_key: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
+assert:
+ hit_count: 2
diff --git a/packages/axonius/data_stream/gateway/agent/stream/cel.yml.hbs b/packages/axonius/data_stream/gateway/agent/stream/cel.yml.hbs
new file mode 100644
index 00000000000..3980d1c2458
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/agent/stream/cel.yml.hbs
@@ -0,0 +1,79 @@
+config_version: 2
+interval: {{interval}}
+resource.tracer:
+ enabled: {{enable_request_tracer}}
+ filename: "../../logs/cel/http-request-trace-*.ndjson"
+ maxbackups: 5
+{{#if proxy_url}}
+resource.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+resource.ssl: {{ssl}}
+{{/if}}
+{{#if http_client_timeout}}
+resource.timeout: {{http_client_timeout}}
+{{/if}}
+resource.url: {{url}}
+
+state:
+ api_key: {{api_key}}
+ secret_key: {{secret_key}}
+redact:
+ fields:
+ - api_key
+ - secret_key
+program: |
+ request(
+ "GET",
+ state.url.trim_right("/") + "/api/v2/gateways"
+ ).with({
+ "Header":{
+ "Accept": ["application/json"],
+ "api-key": [state.api_key],
+ "api-secret": [state.secret_key],
+ }
+ }).do_request().as(resp, resp.StatusCode == 200 ?
+ resp.Body.decode_json().as(body,
+ {
+ "events": body.?gateways.orValue([]).map(e, {
+ "message": e.encode_json(),
+ }),
+ "api_key": state.api_key,
+ "secret_key": state.secret_key,
+ }
+ )
+ :
+ {
+ "events": {
+ "error": {
+ "code": string(resp.StatusCode),
+ "id": string(resp.Status),
+ "message": "GET" + state.url.trim_right("/") + "/api/v2/gateways/: " + (
+ size(resp.Body) != 0 ?
+ string(resp.Body)
+ :
+ string(resp.Status) + ' (' + string(resp.StatusCode) + ')'
+ ),
+ },
+ },
+ "api_key": state.api_key,
+ "secret_key": state.secret_key,
+ }
+ )
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
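Review bot: In the non-200 branch, the error message is built as `"GET" + state.url.trim_right("/") + "/api/v2/gateways/: "`, which has no space after `GET` and appends a trailing slash that the actual request above does not use, so the logged URL runs into the method name and differs from the one requested. Suggest `"GET " + state.url.trim_right("/") + "/api/v2/gateways: "`. Separately, `api_key: {{api_key}}` and `secret_key: {{secret_key}}` under `state` are emitted unquoted, so a credential containing YAML-significant characters would change how the rendered config parses; quoting the values in the template avoids that.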
diff --git a/packages/axonius/data_stream/gateway/elasticsearch/ingest_pipeline/default.yml b/packages/axonius/data_stream/gateway/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..6b20114054d
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,240 @@
+---
+description: Pipeline for processing gateway logs.
+processors:
+ - set:
+ tag: set_ecs_version
+ field: ecs.version
+ value: 9.2.0
+ - terminate:
+ description: error message set and no data to process.
+ tag: terminate_data_collection_error
+ if: ctx.error?.message != null && ctx.message == null && ctx.event?.original == null
+
+ # remove agentless metadata
+ - remove:
+ description: Removes the fields added by Agentless as metadata, as they can collide with ECS fields.
+ tag: remove_agentless_tags
+ if: ctx.organization instanceof String && ctx.division instanceof String && ctx.team instanceof String
+ field:
+ - organization
+ - division
+ - team
+ ignore_missing: true
+
+ # parse the event JSON
+ - rename:
+ description: Renames the original `message` field to `event.original` to store a copy of the original message. The `event.original` field is not touched if the document already has one; it may happen when Logstash sends the document.
+ tag: rename_message_to_event_original
+ if: ctx.event?.original == null
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ - remove:
+ description: The `message` field is no longer required if the document has an `event.original` field.
+ tag: remove_message
+ if: ctx.event?.original != null
+ field: message
+ ignore_missing: true
+ - json:
+ tag: json_event_original_into_axonius_gateway
+ field: event.original
+ target_field: axonius.gateway
+
+ # Add fingerprint
+ - fingerprint:
+ tag: fingerprint_into__id
+ fields:
+ - axonius.gateway.id
+ target_field: _id
+ ignore_missing: true
+
+ # Set event.* fields
+ - set:
+ tag: set_event_kind_1
+ field: event.kind
+ value: event
+
+ # Convert to Boolean
+ - convert:
+ tag: convert_axonius_gateway_default_to_boolean
+ field: axonius.gateway.default
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_1
+ field: axonius.gateway.default
+ - append:
+ tag: append_error_message_1
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_axonius_gateway_email_when_connected_to_boolean
+ field: axonius.gateway.email_when_connected
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_2
+ field: axonius.gateway.email_when_connected
+ - append:
+ tag: append_error_message_2
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_axonius_gateway_email_when_disconnected_to_boolean
+ field: axonius.gateway.email_when_disconnected
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_3
+ field: axonius.gateway.email_when_disconnected
+ - append:
+ tag: append_error_message_3
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - convert:
+ tag: convert_axonius_gateway_tunnel_proxy_settings_enabled_to_boolean
+ field: axonius.gateway.tunnel_proxy_settings.enabled
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_4
+ field: axonius.gateway.tunnel_proxy_settings.enabled
+ - append:
+ tag: append_error_message_4
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ # Convert to String
+ - convert:
+ tag: convert_axonius_gateway_tunnel_proxy_settings_tunnel_proxy_port_to_string
+ field: axonius.gateway.tunnel_proxy_settings.tunnel_proxy_port
+ type: string
+ ignore_missing: true
+
+ # Convert to IP
+ - convert:
+ tag: convert_axonius_gateway_dns_server_to_ip
+ if: ctx.axonius?.gateway?.dns_server != ''
+ field: axonius.gateway.dns_server
+ type: ip
+ ignore_missing: true
+ on_failure:
+ - remove:
+ tag: remove_5
+ field: axonius.gateway.dns_server
+ - append:
+ tag: append_error_message_5
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+
+ # Map custom fields to corresponding ECS and related fields.
+ - set:
+ tag: set_event_id
+ field: event.id
+ copy_from: axonius.gateway.id
+ ignore_empty_value: true
+ - append:
+ tag: append_dns_resolved_ip
+ if: ctx.axonius?.gateway?.dns_server != null
+ field: dns.resolved_ip
+ value: '{{{axonius.gateway.dns_server}}}'
+ allow_duplicates: false
+ - foreach:
+ tag: foreach_of_axonius_gateway_email_recipients
+ if: ctx.axonius?.gateway?.email_recipients instanceof List
+ field: axonius.gateway.email_recipients
+ processor:
+ append:
+ tag: append_email_to_address
+ field: email.to.address
+ value: '{{{_ingest._value}}}'
+ allow_duplicates: false
+ - set:
+ tag: set_event_outcome_1
+ if: ctx.axonius?.gateway?.status != null && ctx.axonius.gateway.status.toLowerCase() == 'success'
+ field: event.outcome
+ value: success
+ - set:
+ tag: set_event_outcome_2
+ if: ctx.axonius?.gateway?.status != null && ctx.axonius.gateway.status.toLowerCase() == 'error'
+ field: event.outcome
+ value: failure
+ - append:
+ tag: append_related_user
+ if: ctx.axonius?.gateway?.tunnel_proxy_settings?.tunnel_proxy_user != null
+ field: related.user
+ value: '{{{axonius.gateway.tunnel_proxy_settings.tunnel_proxy_user}}}'
+ allow_duplicates: false
+ - append:
+ tag: append_related_ip
+ if: ctx.axonius?.gateway?.dns_server != null
+ field: related.ip
+ value: '{{{axonius.gateway.dns_server}}}'
+ allow_duplicates: false
+
+ # Remove duplicate custom fields if preserve_duplicate_custom_fields are not enabled
+ - remove:
+ tag: remove_custom_duplicate_fields
+ if: ctx.tags == null || !ctx.tags.contains('preserve_duplicate_custom_fields')
+ field:
+ - axonius.gateway.dns_server
+ - axonius.gateway.email_recipients
+ - axonius.gateway.id
+ ignore_missing: true
+
+ # Cleanup
+ - script:
+ description: This script processor iterates over the whole document to remove fields with null values.
+ tag: script_to_drop_null_values
+ lang: painless
+ source: |-
+ void handleMap(Map map) {
+ map.values().removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ void handleList(List list) {
+ list.removeIf(v -> {
+ if (v instanceof Map) {
+ handleMap(v);
+ } else if (v instanceof List) {
+ handleList(v);
+ }
+ return v == null || v == '' || (v instanceof Map && v.size() == 0) || (v instanceof List && v.size() == 0)
+ });
+ }
+ handleMap(ctx);
+ - set:
+ tag: set_event_kind_2
+ if: ctx.error?.message != null
+ field: event.kind
+ value: pipeline_error
+ - append:
+ tag: append_tags_1
+ if: ctx.error?.message != null
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+on_failure:
+ - append:
+ tag: append_error_message_6
+ field: error.message
+ value: 'Processor {{{_ingest.on_failure_processor_type}}} with tag {{{_ingest.on_failure_processor_tag}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed with message: {{{_ingest.on_failure_message}}}'
+ - set:
+ tag: set_event_kind_3
+ field: event.kind
+ value: pipeline_error
+ - append:
+ tag: append_tags_2
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
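Review bot: The `fingerprint_into__id` processor derives `_id` from `axonius.gateway.id` alone, so every poll of the same gateway produces the same document id. On an append-only data stream a later document with an id that already exists in the current backing index is rejected as a duplicate, which means a gateway moving from `success` to `error` would not be indexed as a new event. If the goal is to record state over time, include the fields that change (for example `status`) in `fields`, or drop the fingerprint and leave de-duplication to the latest transform. A second mapping point: `append_dns_resolved_ip` copies the configured DNS server address into `dns.resolved_ip`, which ECS defines as the IPs seen in DNS answers; `related.ip` already captures the address, so the `dns.resolved_ip` copy looks misplaced.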
diff --git a/packages/axonius/data_stream/gateway/fields/base-fields.yml b/packages/axonius/data_stream/gateway/fields/base-fields.yml
new file mode 100644
index 00000000000..56772b01084
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/fields/base-fields.yml
@@ -0,0 +1,16 @@
+- name: data_stream.dataset
+ external: ecs
+- name: data_stream.namespace
+ external: ecs
+- name: data_stream.type
+ external: ecs
+- name: event.dataset
+ type: constant_keyword
+ external: ecs
+ value: axonius.gateway
+- name: event.module
+ type: constant_keyword
+ external: ecs
+ value: axonius
+- name: '@timestamp'
+ external: ecs
diff --git a/packages/axonius/data_stream/gateway/fields/beats.yml b/packages/axonius/data_stream/gateway/fields/beats.yml
new file mode 100644
index 00000000000..4084f1dc7f5
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/fields/beats.yml
@@ -0,0 +1,6 @@
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
+- name: log.offset
+ type: long
+ description: Log offset.
diff --git a/packages/axonius/data_stream/gateway/fields/ecs.yml b/packages/axonius/data_stream/gateway/fields/ecs.yml
new file mode 100644
index 00000000000..e1d89be8ab4
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/fields/ecs.yml
@@ -0,0 +1,5 @@
+# Define ECS constant fields as constant_keyword
+- name: observer.vendor
+ external: ecs
+ type: constant_keyword
+ value: Axonius
diff --git a/packages/axonius/data_stream/gateway/fields/fields.yml b/packages/axonius/data_stream/gateway/fields/fields.yml
new file mode 100644
index 00000000000..7c80eef1dfe
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/fields/fields.yml
@@ -0,0 +1,44 @@
+- name: axonius
+ type: group
+ fields:
+ - name: gateway
+ type: group
+ fields:
+ - name: backup_ids
+ type: keyword
+ description: A list of backup gateway IDs.
+ - name: default
+ type: boolean
+ description: Indicates if this gateway is the default gateway connection.
+ - name: dns_server
+ type: ip
+ description: The IP of the DNS server.
+ - name: email_recipients
+ type: keyword
+ description: A list of recipient email addresses.
+ - name: email_when_connected
+ type: boolean
+ description: Notify by email when gateway is connected.
+ - name: email_when_disconnected
+ type: boolean
+ description: Notify by email when gateway is disconnected.
+ - name: id
+ type: keyword
+ description: Gateway ID.
+ - name: name
+ type: keyword
+ description: Gateway name.
+ - name: status
+ type: keyword
+ description: The gateway's connection status.
+ - name: tunnel_proxy_settings
+ type: group
+ fields:
+ - name: enabled
+ type: boolean
+ - name: tunnel_proxy_addr
+ type: keyword
+ - name: tunnel_proxy_port
+ type: keyword
+ - name: tunnel_proxy_user
+ type: keyword
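Review bot: The four fields under `tunnel_proxy_settings` (`enabled`, `tunnel_proxy_addr`, `tunnel_proxy_port`, `tunnel_proxy_user`) have no `description`, unlike every other field in this file, so the generated field reference will show them blank. Please add one line each. `tunnel_proxy_port` is also declared as `keyword` and the pipeline converts the numeric source value to a string to match; if range or numeric filtering on the port is wanted, `long` would be the more natural type.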
diff --git a/packages/axonius/data_stream/gateway/manifest.yml b/packages/axonius/data_stream/gateway/manifest.yml
new file mode 100644
index 00000000000..f0f634119c8
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/manifest.yml
@@ -0,0 +1,71 @@
+title: Gateway
+type: logs
+streams:
+ - input: cel
+ title: Gateway
+ description: Collect Gateway logs from Axonius.
+ template_path: cel.yml.hbs
+ vars:
+ - name: interval
+ type: text
+ title: Interval
+ description: Duration between requests to the Axonius API. Supported units for this parameter are h/m/s.
+ multi: false
+ required: true
+ show_user: true
+ default: 24h
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ multi: false
+ default: false
+ required: false
+ show_user: false
+ description: >-
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations.
+ Enabling this request tracing compromises security and should only be used for debugging. Disabling the request
+ tracer will delete any stored traces.
+ See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable)
+ for details.
+ - name: preserve_original_event
+ type: bool
+ title: Preserve original event
+ description: Preserves a raw copy of the original event, added to the field event.original.
+ multi: false
+ required: false
+ show_user: true
+ default: false
+ - name: tags
+ type: text
+ title: Tags
+ description: Tags for the data-stream.
+ multi: true
+ required: true
+ show_user: false
+ default:
+ - forwarded
+ - axonius-gateway
+ - name: http_client_timeout
+ type: text
+ title: HTTP Client Timeout
+ description: Duration before declaring that the HTTP client connection has timed out. Supported time units are ns, us, ms, s, m, h.
+ multi: false
+ required: true
+ show_user: false
+ default: 30s
+ - name: preserve_duplicate_custom_fields
+ required: false
+ title: Preserve duplicate custom fields
+ description: Preserve axonius.gateway.* fields that were copied to Elastic Common Schema (ECS) fields.
+ type: bool
+ multi: false
+ show_user: false
+ default: false
+ - name: processors
+ type: yaml
+ title: Processors
+ multi: false
+ required: false
+ show_user: false
+ description: >-
+ Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed.
diff --git a/packages/axonius/data_stream/gateway/sample_event.json b/packages/axonius/data_stream/gateway/sample_event.json
new file mode 100644
index 00000000000..5cbdf9e5c80
--- /dev/null
+++ b/packages/axonius/data_stream/gateway/sample_event.json
@@ -0,0 +1,84 @@
+{
+ "@timestamp": "2025-11-26T07:13:10.629Z",
+ "agent": {
+ "ephemeral_id": "594a7f0e-4997-4f55-9396-b711f61561db",
+ "id": "bf9a635e-aa7c-4820-8563-bc0a1a5a6139",
+ "name": "elastic-agent-13247",
+ "type": "filebeat",
+ "version": "8.18.0"
+ },
+ "axonius": {
+ "gateway": {
+ "backup_ids": [
+ "backup1",
+ "backup2"
+ ],
+ "default": false,
+ "dns_server": "1.128.0.0",
+ "email_recipients": [
+ "john.doe@example.com"
+ ],
+ "email_when_connected": false,
+ "email_when_disconnected": false,
+ "id": "tunnel3",
+ "name": "Gateway_1",
+ "status": "pending",
+ "tunnel_proxy_settings": {
+ "enabled": false,
+ "tunnel_proxy_addr": "addr",
+ "tunnel_proxy_port": "8080",
+ "tunnel_proxy_user": "tunnel-proxy-01"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "axonius.gateway",
+ "namespace": "83710",
+ "type": "logs"
+ },
+ "dns": {
+ "resolved_ip": [
+ "1.128.0.0"
+ ]
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "elastic_agent": {
+ "id": "bf9a635e-aa7c-4820-8563-bc0a1a5a6139",
+ "snapshot": false,
+ "version": "8.18.0"
+ },
+ "email": {
+ "to": {
+ "address": [
+ "john.doe@example.com"
+ ]
+ }
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "axonius.gateway",
+ "id": "tunnel3",
+ "ingested": "2025-11-26T07:13:13Z",
+ "kind": "event",
+ "original": "{\"backup_ids\":[\"backup1\",\"backup2\"],\"default\":false,\"dns_server\":\"1.128.0.0\",\"email_recipients\":[\"john.doe@example.com\"],\"email_when_connected\":false,\"email_when_disconnected\":false,\"id\":\"tunnel3\",\"name\":\"Gateway_1\",\"status\":\"pending\",\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr\",\"tunnel_proxy_port\":8080,\"tunnel_proxy_user\":\"tunnel-proxy-01\"}}"
+ },
+ "input": {
+ "type": "cel"
+ },
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ],
+ "user": [
+ "tunnel-proxy-01"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields",
+ "forwarded",
+ "axonius-gateway"
+ ]
+}
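Review bot: `dns.resolved_ip` is populated from `axonius.gateway.dns_server` ("1.128.0.0" in both places), but in ECS that field holds the IP addresses returned in DNS answers, not the address of the resolver a device is configured to use. Detection rules and dashboards that read `dns.resolved_ip` as "addresses a name resolved to" will treat every gateway's configured DNS server as a resolution result. Keep the value in `axonius.gateway.dns_server` and `related.ip`, and drop the `dns.resolved_ip` copy unless there is an ECS field that matches the meaning. Also note that `tunnel_proxy_port` is the number 8080 in `event.original` but the string "8080" in the parsed event; a numeric mapping would allow range queries on it.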
diff --git a/packages/axonius/docs/README.md b/packages/axonius/docs/README.md
new file mode 100644
index 00000000000..e8b2b21ecc3
--- /dev/null
+++ b/packages/axonius/docs/README.md
@@ -0,0 +1,250 @@
+# Axonius Integration for Elastic
+
+## Overview
+
+[Axonius](https://www.axonius.com/) is a cybersecurity asset management platform that automatically collects data from hundreds of IT and security tools through adapters, merges that information, and builds a unified inventory of all assets—devices, users, SaaS apps, cloud instances, and more. By correlating data from multiple systems, Axonius helps organizations identify visibility gaps, missing security controls, risky configurations, and compliance issues. It lets you create powerful queries to answer any security or IT question and automate actions such as sending alerts, creating tickets, or enforcing policies.
+
+This integration for Elastic allows you to collect assets and security events data using the Axonius API, then visualize the data in Kibana.
+
+### Compatibility
+The Axonius integration is compatible with product version **7.0**.
+
+### How it works
+This integration periodically queries the Axonius API to retrieve logs.
+
+## What data does this integration collect?
+This integration collects log messages of the following type:
+
+- `Gateway`: Collect details of all Gateway (endpoint: `/api/v2/gateway`).
+
+### Supported use cases
+
+Integrating the Axonius Gateway Datastream with Elastic SIEM provides centralized visibility into gateway configurations and the network context they operate in. Kibana dashboards surface key insights into gateway status, routing behavior, and essential connection attributes, helping analysts quickly understand overall network posture.
+
+The dashboards offer clear views of status distribution, highlight important gateway metrics, and provide searchable details that support deeper investigation. Additional tables and saved searches reveal underlying network dependencies and proxy-related information, enabling teams to track configuration changes and identify irregularities.
+
+These insights help security teams monitor gateway health, detect misconfigurations, and streamline network-focused investigations across the environment.
+
+## What do I need to use this integration?
+
+### From Elastic
+
+This integration installs [Elastic latest transforms](https://www.elastic.co/docs/explore-analyze/transforms/transform-overview#latest-transform-overview). For more details, check the [Transform](https://www.elastic.co/docs/explore-analyze/transforms/transform-setup) setup and requirements.
+
+### From Axonius
+
+To collect data through the Axonius APIs, you need to provide the **URL**, **API Key** and **API Secret**. Authentication is handled using the **API Key** and **API Secret**, which serves as the required credential.
+
+#### Retrieve URL, API Token and API Secret:
+
+1. Log in to the **Axonius** instance.
+2. Your instance URL is your Base **URL**.
+3. Navigate to **User Settings > API Key**.
+4. Generate an **API Key**.
+5. Copy both values including **API Key and Secret Key** and store them securely for use in the Integration configuration.
+
+## How do I deploy this integration?
+
+This integration supports both Elastic Agentless-based and Agent-based installations.
+
+### Agent-based deployment
+
+Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host.
+
+Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines.
+
+### Agentless deployment
+
+Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. Agentless deployments provide a means to ingest data while avoiding the orchestration, management, and maintenance needs associated with standard ingest infrastructure. Using an agentless deployment makes manual agent deployment unnecessary, allowing you to focus on your data instead of the agent that collects it.
+
+For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html)
+
+### Configure
+
+1. In the top search bar in Kibana, search for **Integrations**.
+2. In the search bar, type **Axonius**.
+3. Select the **Axonius** integration from the search results.
+4. Select **Add Axonius** to add the integration.
+5. Enable and configure only the collection methods which you will use.
+
+ * To **Collect logs from Axonius API**, you'll need to:
+
+ - Configure **URL**, **API Key** and **API Secret**.
+ - Adjust the integration configuration parameters if required, including the Interval, HTTP Client Timeout etc. to enable data collection.
+
+6. Select **Save and continue** to save the integration.
+
+### Validation
+
+#### Dashboard populated
+
+1. In the top search bar in Kibana, search for **Dashboards**.
+2. In the search bar, type **Axonius**, and verify the dashboard information is populated.
+
+## Troubleshooting
+
+For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems).
+
+## Scaling
+
+For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation.
+
+## Reference
+
+### Gateway
+
+The `gateway` data stream provides gateway events from axonius.
+
+#### gateway fields
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date |
+| axonius.gateway.backup_ids | A list of backup gateway IDs. | keyword |
+| axonius.gateway.default | Indicates if this gateway is the default gateway connection. | boolean |
+| axonius.gateway.dns_server | The IP of the DNS server. | ip |
+| axonius.gateway.email_recipients | A list of recipient email addresses. | keyword |
+| axonius.gateway.email_when_connected | Notify by email when gateway is connected. | boolean |
+| axonius.gateway.email_when_disconnected | Notify by email when gateway is disconnected. | boolean |
+| axonius.gateway.id | Gateway ID. | keyword |
+| axonius.gateway.name | Gateway name. | keyword |
+| axonius.gateway.status | The gateway's connection status. | keyword |
+| axonius.gateway.tunnel_proxy_settings.enabled | | boolean |
+| axonius.gateway.tunnel_proxy_settings.tunnel_proxy_addr | | keyword |
+| axonius.gateway.tunnel_proxy_settings.tunnel_proxy_port | | keyword |
+| axonius.gateway.tunnel_proxy_settings.tunnel_proxy_user | | keyword |
+| data_stream.dataset | The field can contain anything that makes sense to signify the source of the data. Examples include `nginx.access`, `prometheus`, `endpoint` etc. For data streams that otherwise fit, but that do not have dataset set we use the value "generic" for the dataset value. `event.dataset` should have the same value as `data_stream.dataset`. Beyond the Elasticsearch data stream naming criteria noted above, the `dataset` value has additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword |
+| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword |
+| event.dataset | Name of the dataset. If an event source publishes more than one type of log or events (e.g. access log, error log), the dataset is used to specify which one the event comes from. It's recommended but not required to start the dataset name with the module name, followed by a dot, then the dataset name. | constant_keyword |
+| event.module | Name of the module this data is coming from. If your monitoring agent supports the concept of modules or plugins to process events of a given source (e.g. Apache logs), `event.module` should contain the name of this module. | constant_keyword |
+| input.type | Type of filebeat input. | keyword |
+| log.offset | Log offset. | long |
+| observer.vendor | Vendor name of the observer. | constant_keyword |
+
+
+An example event for `gateway` looks as following:
+
+```json
+{
+ "@timestamp": "2025-11-26T07:13:10.629Z",
+ "agent": {
+ "ephemeral_id": "594a7f0e-4997-4f55-9396-b711f61561db",
+ "id": "bf9a635e-aa7c-4820-8563-bc0a1a5a6139",
+ "name": "elastic-agent-13247",
+ "type": "filebeat",
+ "version": "8.18.0"
+ },
+ "axonius": {
+ "gateway": {
+ "backup_ids": [
+ "backup1",
+ "backup2"
+ ],
+ "default": false,
+ "dns_server": "1.128.0.0",
+ "email_recipients": [
+ "john.doe@example.com"
+ ],
+ "email_when_connected": false,
+ "email_when_disconnected": false,
+ "id": "tunnel3",
+ "name": "Gateway_1",
+ "status": "pending",
+ "tunnel_proxy_settings": {
+ "enabled": false,
+ "tunnel_proxy_addr": "addr",
+ "tunnel_proxy_port": "8080",
+ "tunnel_proxy_user": "tunnel-proxy-01"
+ }
+ }
+ },
+ "data_stream": {
+ "dataset": "axonius.gateway",
+ "namespace": "83710",
+ "type": "logs"
+ },
+ "dns": {
+ "resolved_ip": [
+ "1.128.0.0"
+ ]
+ },
+ "ecs": {
+ "version": "9.2.0"
+ },
+ "elastic_agent": {
+ "id": "bf9a635e-aa7c-4820-8563-bc0a1a5a6139",
+ "snapshot": false,
+ "version": "8.18.0"
+ },
+ "email": {
+ "to": {
+ "address": [
+ "john.doe@example.com"
+ ]
+ }
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "dataset": "axonius.gateway",
+ "id": "tunnel3",
+ "ingested": "2025-11-26T07:13:13Z",
+ "kind": "event",
+ "original": "{\"backup_ids\":[\"backup1\",\"backup2\"],\"default\":false,\"dns_server\":\"1.128.0.0\",\"email_recipients\":[\"john.doe@example.com\"],\"email_when_connected\":false,\"email_when_disconnected\":false,\"id\":\"tunnel3\",\"name\":\"Gateway_1\",\"status\":\"pending\",\"tunnel_proxy_settings\":{\"enabled\":false,\"tunnel_proxy_addr\":\"addr\",\"tunnel_proxy_port\":8080,\"tunnel_proxy_user\":\"tunnel-proxy-01\"}}"
+ },
+ "input": {
+ "type": "cel"
+ },
+ "related": {
+ "ip": [
+ "1.128.0.0"
+ ],
+ "user": [
+ "tunnel-proxy-01"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields",
+ "forwarded",
+ "axonius-gateway"
+ ]
+}
+```
+
+### Inputs used
+
+These inputs can be used with this integration:
+
+cel
+
+## Setup
+
+For more details about the CEL input settings, check the [Filebeat documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html).
+
+Before configuring the CEL input, make sure you have:
+- Network connectivity to the target API endpoint
+- Valid authentication credentials (API keys, tokens, or certificates as required)
+- Appropriate permissions to read from the target data source
+
+### Collecting logs from CEL
+
+To configure the CEL input, you must specify the `request.url` value pointing to the API endpoint. The interval parameter controls how frequently requests are made and is the primary way to balance data freshness with API rate limits and costs. Authentication is often configured through the `request.headers` section using the appropriate method for the service.
+
+NOTE: To access the API service, make sure you have the necessary API credentials and that the Filebeat instance can reach the endpoint URL. Some services may require IP whitelisting or VPN access.
+
+To collect logs via API endpoint, configure the following parameters:
+
+- API Endpoint URL
+- API credentials (tokens, keys, or username/password)
+- Request interval (how often to fetch data)
+
+
+
+### API usage
+
+These APIs are used with this integration:
+
+* Gateway (endpoint: `/api/v2/gateway`)
\ No newline at end of file
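Review bot: The "Agent-based deployment" section says Elastic Agent is required "to stream data from the syslog or log file receiver", but this integration only polls `/api/v2/gateway` through the `cel` input, as "How it works" and "Inputs used" state; the sentence looks carried over from another package and should describe API polling instead. In the credentials section the names do not line up: the heading says "API Token and API Secret", step 4 generates only an "API Key", and step 5 refers to a "Secret Key", while the configuration asks for **API Key** and **API Secret**. Use one pair of names throughout and state the minimum Axonius role or permission the key needs to read gateways, so that users do not default to an administrator key. The four `tunnel_proxy_settings.*` rows in the exported fields table also have empty descriptions. Since this file is generated, the fixes belong in `_dev/build/docs/README.md`.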
diff --git a/packages/axonius/img/axonius-gateway.png b/packages/axonius/img/axonius-gateway.png
new file mode 100644
index 00000000000..ad8823ee0ea
Binary files /dev/null and b/packages/axonius/img/axonius-gateway.png differ
diff --git a/packages/axonius/img/axonius-logo.svg b/packages/axonius/img/axonius-logo.svg
new file mode 100644
index 00000000000..0caa93c63ea
--- /dev/null
+++ b/packages/axonius/img/axonius-logo.svg
@@ -0,0 +1,34 @@
+
\ No newline at end of file
diff --git a/packages/axonius/kibana/dashboard/axonius-428b4f4d-be94-4840-8dc2-8f03a38f97db.json b/packages/axonius/kibana/dashboard/axonius-428b4f4d-be94-4840-8dc2-8f03a38f97db.json
new file mode 100644
index 00000000000..a8244c8f48d
--- /dev/null
+++ b/packages/axonius/kibana/dashboard/axonius-428b4f4d-be94-4840-8dc2-8f03a38f97db.json
@@ -0,0 +1,770 @@
+{
+ "attributes": {
+ "controlGroupInput": {
+ "chainingSystem": "HIERARCHICAL",
+ "controlStyle": "oneLine",
+ "ignoreParentSettingsJSON": {
+ "ignoreFilters": false,
+ "ignoreQuery": false,
+ "ignoreTimerange": false,
+ "ignoreValidations": false
+ },
+ "panelsJSON": {},
+ "showApplySelections": false
+ },
+ "description": "This dashboard shows Gateways collected by the Axonius Integration.",
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "axonius.gateway"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "axonius.gateway"
+ }
+ }
+ }
+ ],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "optionsJSON": {
+ "hidePanelTitles": false,
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false,
+ "useMargins": true
+ },
+ "panelsJSON": [
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-2ad92fb8-c4d3-4602-a4a4-acf22d9fbcab",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "2ad92fb8-c4d3-4602-a4a4-acf22d9fbcab": {
+ "columnOrder": [
+ "0bae39de-31cc-4a3e-a331-c0bc8a993210",
+ "dd4f6544-5f34-4ecc-b7fd-2e4f52436609"
+ ],
+ "columns": {
+ "0bae39de-31cc-4a3e-a331-c0bc8a993210": {
+ "customLabel": true,
+ "dataType": "string",
+ "isBucketed": true,
+ "label": "Status",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "dd4f6544-5f34-4ecc-b7fd-2e4f52436609",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": true,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 5
+ },
+ "scale": "ordinal",
+ "sourceField": "axonius.gateway.status"
+ },
+ "dd4f6544-5f34-4ecc-b7fd-2e4f52436609": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Gateway",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "event.id"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "layers": [
+ {
+ "categoryDisplay": "default",
+ "colorMapping": {
+ "assignments": [],
+ "colorMode": {
+ "type": "categorical"
+ },
+ "paletteId": "eui_amsterdam_color_blind",
+ "specialAssignments": [
+ {
+ "color": {
+ "type": "loop"
+ },
+ "rule": {
+ "type": "other"
+ },
+ "touched": false
+ }
+ ]
+ },
+ "layerId": "2ad92fb8-c4d3-4602-a4a4-acf22d9fbcab",
+ "layerType": "data",
+ "legendDisplay": "default",
+ "metrics": [
+ "dd4f6544-5f34-4ecc-b7fd-2e4f52436609"
+ ],
+ "nestedLegend": false,
+ "numberDisplay": "percent",
+ "primaryGroups": [
+ "0bae39de-31cc-4a3e-a331-c0bc8a993210"
+ ]
+ }
+ ],
+ "shape": "pie"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsPie"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "8a5b6486-5f13-4315-9d73-f480ce680be7",
+ "w": 24,
+ "x": 0,
+ "y": 14
+ },
+ "panelIndex": "8a5b6486-5f13-4315-9d73-f480ce680be7",
+ "title": "Gateway by Status",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-8da0867e-0890-4726-99cb-ae04d540356e",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "8da0867e-0890-4726-99cb-ae04d540356e": {
+ "columnOrder": [
+ "556928e5-edb2-4e94-9c37-2206ca1b86d1",
+ "18cad723-c9b8-4050-a86a-9437b1c30654"
+ ],
+ "columns": {
+ "18cad723-c9b8-4050-a86a-9437b1c30654": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Count",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "event.id"
+ },
+ "556928e5-edb2-4e94-9c37-2206ca1b86d1": {
+ "customLabel": true,
+ "dataType": "ip",
+ "isBucketed": true,
+ "label": "DNS Servers",
+ "operationType": "terms",
+ "params": {
+ "exclude": [],
+ "excludeIsRegex": false,
+ "include": [],
+ "includeIsRegex": false,
+ "missingBucket": false,
+ "orderBy": {
+ "columnId": "18cad723-c9b8-4050-a86a-9437b1c30654",
+ "type": "column"
+ },
+ "orderDirection": "desc",
+ "otherBucket": false,
+ "parentFormat": {
+ "id": "terms"
+ },
+ "size": 10
+ },
+ "scale": "ordinal",
+ "sourceField": "dns.resolved_ip"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "columns": [
+ {
+ "columnId": "556928e5-edb2-4e94-9c37-2206ca1b86d1"
+ },
+ {
+ "columnId": "18cad723-c9b8-4050-a86a-9437b1c30654"
+ }
+ ],
+ "layerId": "8da0867e-0890-4726-99cb-ae04d540356e",
+ "layerType": "data"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsDatatable"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 15,
+ "i": "019abf75-6c61-4664-b1c9-90416703e17a",
+ "w": 24,
+ "x": 24,
+ "y": 14
+ },
+ "panelIndex": "019abf75-6c61-4664-b1c9-90416703e17a",
+ "title": "Top DNS Servers",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 15,
+ "i": "8d227d9b-8624-4831-a56d-2fc0315a9d66",
+ "w": 48,
+ "x": 0,
+ "y": 43
+ },
+ "panelIndex": "8d227d9b-8624-4831-a56d-2fc0315a9d66",
+ "panelRefName": "panel_8d227d9b-8624-4831-a56d-2fc0315a9d66",
+ "title": "[Logs Axonius] Email Essential Details",
+ "type": "search"
+ },
+ {
+ "embeddableConfig": {
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "savedVis": {
+ "data": {
+ "aggs": [],
+ "searchSource": {
+ "filter": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "description": "",
+ "id": "",
+ "params": {
+ "fontSize": 12,
+ "markdown": "This dashboard provides a focused view of gateway-related information from Axonius.\n\nIt includes a Gateway by Status pie chart to quickly show the distribution of gateway statuses. Key metrics highlight the counts of Default Gateways and Non-Default Gateways. A saved search displays Email Essential Details, while a table lists the Top DNS Servers for better visibility into network configuration. Additional gateway attributes are available through the Tunnel Proxy Details saved search.\n\n**[Integration Page](/app/integrations/detail/axonius)**",
+ "openLinksInNewTab": false
+ },
+ "title": "",
+ "type": "markdown",
+ "uiState": {}
+ }
+ },
+ "gridData": {
+ "h": 14,
+ "i": "290ec43b-a503-4016-b5ac-3c03f5fb68d6",
+ "w": 20,
+ "x": 0,
+ "y": 0
+ },
+ "panelIndex": "290ec43b-a503-4016-b5ac-3c03f5fb68d6",
+ "title": "Overview",
+ "type": "visualization"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-09002b6f-afd7-4ecb-8714-ac1c56787448",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "80fe1ea6-314b-4544-8ee7-ae46a1adbede",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "09002b6f-afd7-4ecb-8714-ac1c56787448": {
+ "columnOrder": [
+ "7de2a515-ac3b-40c8-84b9-7a83d39e3c7a"
+ ],
+ "columns": {
+ "7de2a515-ac3b-40c8-84b9-7a83d39e3c7a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Default Gateways",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "axonius.gateway.default"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "axonius.gateway.default",
+ "index": "80fe1ea6-314b-4544-8ee7-ae46a1adbede",
+ "key": "axonius.gateway.default",
+ "negate": false,
+ "params": {
+ "query": true
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "axonius.gateway.default": true
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "09002b6f-afd7-4ecb-8714-ac1c56787448",
+ "layerType": "data",
+ "metricAccessor": "7de2a515-ac3b-40c8-84b9-7a83d39e3c7a"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "axonius.gateway.default",
+ "index": "logs-*",
+ "key": "axonius.gateway.default",
+ "negate": false,
+ "params": {
+ "query": true
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "axonius.gateway.default": true
+ }
+ }
+ }
+ ],
+ "hidePanelTitles": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "71aa4fa9-378a-4e0b-8a78-69b7a93c15b5",
+ "w": 14,
+ "x": 20,
+ "y": 0
+ },
+ "panelIndex": "71aa4fa9-378a-4e0b-8a78-69b7a93c15b5",
+ "title": "",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "attributes": {
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "indexpattern-datasource-layer-09002b6f-afd7-4ecb-8714-ac1c56787448",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "57d89613-5c9c-421b-807d-e7a00b34d5af",
+ "type": "index-pattern"
+ }
+ ],
+ "state": {
+ "adHocDataViews": {},
+ "datasourceStates": {
+ "formBased": {
+ "layers": {
+ "09002b6f-afd7-4ecb-8714-ac1c56787448": {
+ "columnOrder": [
+ "7de2a515-ac3b-40c8-84b9-7a83d39e3c7a"
+ ],
+ "columns": {
+ "7de2a515-ac3b-40c8-84b9-7a83d39e3c7a": {
+ "customLabel": true,
+ "dataType": "number",
+ "isBucketed": false,
+ "label": "Non-Default Gateways",
+ "operationType": "count",
+ "params": {
+ "emptyAsNull": false,
+ "format": {
+ "id": "number",
+ "params": {
+ "decimals": 0
+ }
+ }
+ },
+ "scale": "ratio",
+ "sourceField": "axonius.gateway.default"
+ }
+ },
+ "incompleteColumns": {},
+ "sampling": 1
+ }
+ }
+ },
+ "indexpattern": {
+ "layers": {}
+ },
+ "textBased": {
+ "layers": {}
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "axonius.gateway.default",
+ "index": "57d89613-5c9c-421b-807d-e7a00b34d5af",
+ "key": "axonius.gateway.default",
+ "negate": false,
+ "params": {
+ "query": false
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "axonius.gateway.default": false
+ }
+ }
+ }
+ ],
+ "internalReferences": [],
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "visualization": {
+ "color": "#6092C0",
+ "layerId": "09002b6f-afd7-4ecb-8714-ac1c56787448",
+ "layerType": "data",
+ "metricAccessor": "7de2a515-ac3b-40c8-84b9-7a83d39e3c7a"
+ }
+ },
+ "title": "",
+ "type": "lens",
+ "visualizationType": "lnsMetric"
+ },
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ },
+ "filters": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "axonius.gateway.default",
+ "index": "logs-*",
+ "key": "axonius.gateway.default",
+ "negate": false,
+ "params": {
+ "query": false
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "axonius.gateway.default": false
+ }
+ }
+ }
+ ],
+ "hidePanelTitles": true,
+ "query": {
+ "language": "kuery",
+ "query": ""
+ },
+ "syncColors": false,
+ "syncCursor": true,
+ "syncTooltips": false
+ },
+ "gridData": {
+ "h": 14,
+ "i": "d81baf96-d81c-447e-bdbb-5a485a9f73a4",
+ "w": 14,
+ "x": 34,
+ "y": 0
+ },
+ "panelIndex": "d81baf96-d81c-447e-bdbb-5a485a9f73a4",
+ "title": "",
+ "type": "lens"
+ },
+ {
+ "embeddableConfig": {
+ "description": "",
+ "enhancements": {
+ "dynamicActions": {
+ "events": []
+ }
+ }
+ },
+ "gridData": {
+ "h": 14,
+ "i": "91c1a8b9-4018-4c3c-bfa4-1c4238977a09",
+ "w": 48,
+ "x": 0,
+ "y": 29
+ },
+ "panelIndex": "91c1a8b9-4018-4c3c-bfa4-1c4238977a09",
+ "panelRefName": "panel_91c1a8b9-4018-4c3c-bfa4-1c4238977a09",
+ "title": "[Logs Axonius] Tunnel Proxy Details",
+ "type": "search"
+ }
+ ],
+ "timeRestore": false,
+ "title": "[Logs Axonius] Gateway",
+ "version": 3
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-11-26T06:14:05.343Z",
+ "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "id": "axonius-428b4f4d-be94-4840-8dc2-8f03a38f97db",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "axonius-df393688-9361-4015-b5b7-a93420fa0429",
+ "name": "8d227d9b-8624-4831-a56d-2fc0315a9d66:panel_8d227d9b-8624-4831-a56d-2fc0315a9d66",
+ "type": "search"
+ },
+ {
+ "id": "axonius-e83a650f-80cc-430f-be10-dd6e0ff11855",
+ "name": "91c1a8b9-4018-4c3c-bfa4-1c4238977a09:panel_91c1a8b9-4018-4c3c-bfa4-1c4238977a09",
+ "type": "search"
+ },
+ {
+ "id": "logs-*",
+ "name": "8a5b6486-5f13-4315-9d73-f480ce680be7:indexpattern-datasource-layer-2ad92fb8-c4d3-4602-a4a4-acf22d9fbcab",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "019abf75-6c61-4664-b1c9-90416703e17a:indexpattern-datasource-layer-8da0867e-0890-4726-99cb-ae04d540356e",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "71aa4fa9-378a-4e0b-8a78-69b7a93c15b5:indexpattern-datasource-layer-09002b6f-afd7-4ecb-8714-ac1c56787448",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "71aa4fa9-378a-4e0b-8a78-69b7a93c15b5:80fe1ea6-314b-4544-8ee7-ae46a1adbede",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d81baf96-d81c-447e-bdbb-5a485a9f73a4:indexpattern-datasource-layer-09002b6f-afd7-4ecb-8714-ac1c56787448",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "d81baf96-d81c-447e-bdbb-5a485a9f73a4:57d89613-5c9c-421b-807d-e7a00b34d5af",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "dashboard",
+ "typeMigrationVersion": "10.2.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
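Review bot: The "Gateway by Status" pie and the "Default Gateways" / "Non-Default Gateways" metrics use `"operationType": "count"` over `logs-*`, so they count documents rather than gateways. The README says the integration periodically queries the API for all gateways, which means each gateway is ingested again on every poll and these numbers grow with the selected time range instead of reflecting the inventory. Use a unique count on `axonius.gateway.id` (or `event.id`), or point the panels at the destination index of the latest transform the README mentions. The top-level `references` array also lists `kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index` twice, as its first and last entries, and the two metric panels carry panel-level filters with a literal `"index": "logs-*"` instead of a reference name; the duplicate should be removed and the filters should go through `references` like the others.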
diff --git a/packages/axonius/kibana/search/axonius-df393688-9361-4015-b5b7-a93420fa0429.json b/packages/axonius/kibana/search/axonius-df393688-9361-4015-b5b7-a93420fa0429.json
new file mode 100644
index 00000000000..ef5a55266e3
--- /dev/null
+++ b/packages/axonius/kibana/search/axonius-df393688-9361-4015-b5b7-a93420fa0429.json
@@ -0,0 +1,74 @@
+{
+ "attributes": {
+ "columns": [
+ "axonius.gateway.name",
+ "email.to.address",
+ "axonius.gateway.email_when_connected",
+ "axonius.gateway.email_when_disconnected"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "axonius.gateway"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "axonius.gateway"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "[Logs Axonius] Email Essential Details"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-11-26T06:34:59.971Z",
+ "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "id": "axonius-df393688-9361-4015-b5b7-a93420fa0429",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
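Review bot: `"description": ""` is left empty on this saved search, so "[Logs Axonius] Email Essential Details" gives a dashboard user no hint about what the four columns represent. Add a one-line description stating that it lists each gateway's notification recipients (`email.to.address`) alongside the `email_when_connected` and `email_when_disconnected` flags.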
diff --git a/packages/axonius/kibana/search/axonius-e83a650f-80cc-430f-be10-dd6e0ff11855.json b/packages/axonius/kibana/search/axonius-e83a650f-80cc-430f-be10-dd6e0ff11855.json
new file mode 100644
index 00000000000..18589987373
--- /dev/null
+++ b/packages/axonius/kibana/search/axonius-e83a650f-80cc-430f-be10-dd6e0ff11855.json
@@ -0,0 +1,73 @@
+{
+ "attributes": {
+ "columns": [
+ "axonius.gateway.tunnel_proxy_settings.tunnel_proxy_addr",
+ "axonius.gateway.tunnel_proxy_settings.tunnel_proxy_port",
+ "axonius.gateway.tunnel_proxy_settings.tunnel_proxy_user"
+ ],
+ "description": "",
+ "grid": {},
+ "hideChart": false,
+ "isTextBasedQuery": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": {
+ "filter": [
+ {
+ "$state": {
+ "store": "appState"
+ },
+ "meta": {
+ "alias": null,
+ "disabled": false,
+ "field": "data_stream.dataset",
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "key": "data_stream.dataset",
+ "negate": false,
+ "params": {
+ "query": "axonius.gateway"
+ },
+ "type": "phrase"
+ },
+ "query": {
+ "match_phrase": {
+ "data_stream.dataset": "axonius.gateway"
+ }
+ }
+ }
+ ],
+ "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "query": {
+ "language": "kuery",
+ "query": ""
+ }
+ }
+ },
+ "sort": [
+ [
+ "@timestamp",
+ "desc"
+ ]
+ ],
+ "timeRestore": false,
+ "title": "[Logs Axonius] Tunnel Proxy Details"
+ },
+ "coreMigrationVersion": "8.8.0",
+ "created_at": "2025-11-26T06:38:37.109Z",
+ "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0",
+ "id": "axonius-e83a650f-80cc-430f-be10-dd6e0ff11855",
+ "references": [
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.index",
+ "type": "index-pattern"
+ },
+ {
+ "id": "logs-*",
+ "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index",
+ "type": "index-pattern"
+ }
+ ],
+ "type": "search",
+ "typeMigrationVersion": "10.5.0",
+ "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0"
+}
\ No newline at end of file
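Review bot: The `columns` list exposes `axonius.gateway.tunnel_proxy_settings.tunnel_proxy_user` to anyone who can open this saved search, together with the proxy address and port. Please confirm that showing the proxy account name to all dashboard viewers is intended. If the gateway payload also carries a proxy password or similar secret, make sure the ingest pipeline drops it rather than indexing it next to these fields. The empty `description` could also state what the table is for.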
diff --git a/packages/axonius/manifest.yml b/packages/axonius/manifest.yml
new file mode 100644
index 00000000000..239306f78ec
--- /dev/null
+++ b/packages/axonius/manifest.yml
@@ -0,0 +1,102 @@
+format_version: 3.3.2
+name: axonius
+title: Axonius
+version: 0.1.0
+description: Collect logs from Axonius with Elastic Agent.
+type: integration
+categories:
+ - security
+conditions:
+ kibana:
+ version: ^8.18.0 || ^9.0.0
+ elastic:
+ subscription: basic
+screenshots:
+ - src: /img/axonius-gateway.png
+ title: Gateway Dashboard
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/axonius-logo.svg
+ title: Axonius Logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: axonius
+ title: Axonius
+ description: Collect logs from Axonius.
+ deployment_modes:
+ default:
+ enabled: true
+ agentless:
+ enabled: true
+ organization: security
+ division: engineering
+ team: security-service-integrations
+ inputs:
+ - type: cel
+ title: Collect logs from Axonius API
+ description: Collecting logs via Axonius API.
+ vars:
+ - name: url
+ type: url
+ title: URL
+ description: Base URL of the Axonius server.
+ multi: false
+ required: true
+ show_user: true
+ - name: api_key
+ type: password
+ title: API Key
+ secret: true
+ description: API key from the Axonius server.
+ multi: false
+ required: true
+ show_user: true
+ - name: secret_key
+ type: password
+ title: API Secret
+ secret: true
+ description: API secret from the Axonius server.
+ multi: false
+ required: true
+ show_user: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+ multi: false
+ required: false
+ show_user: false
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: SSL configuration options. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/configuration-ssl.html#ssl-common-config) for details.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+owner:
+ github: elastic/security-service-integrations
+ type: elastic
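Review bot: `proxy_url` is declared as `type: text` without `secret: true`, although its description says the value may embed a username and password, so those credentials would be stored and displayed as plain policy text, unlike `api_key` and `secret_key`. Consider marking it secret, or documenting that the credentials are not protected. The format string in the same description reads `http[s]://:@:` with every placeholder missing; restore the user, password, host and port placeholders so the expected shape is readable. As a smaller point, both `description` values say "Collect logs" while the README describes assets and security events data, so the wording could be aligned.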
diff --git a/packages/axonius/validation.yml b/packages/axonius/validation.yml
new file mode 100644
index 00000000000..1189aa63c89
--- /dev/null
+++ b/packages/axonius/validation.yml
@@ -0,0 +1,3 @@
+errors:
+ exclude_checks:
+ - SVR00004 # References in dashboards.
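Review bot: `exclude_checks` disables SVR00004 for the whole package, and the only justification is the short comment "References in dashboards." Please say in the comment (or the PR description) which dashboard references trigger the check and why they cannot be fixed, so the exclusion can be removed later instead of silently masking new violations in future dashboards.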