Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
twingate audit logs | ✅ | ✅ | ✅ | twingate_audit_logs | json | S3 | |
twingate network logs | ✅ | ✅ | ✅ | twingate_network_logs | json | S3 | |
twingate dns logs | ✅ | ✅ | ✅ | twingate_dns_logs | json | S3 |
Overview
Twingate is a Zero Trust Network Access (ZTNA) solution designed to replace traditional VPNs with a more secure, scalable, and user-friendly approach. Instead of granting broad network access, Twingate enforces the principle of least privilege by allowing users to access only the specific applications, services, or resources they are authorized to use.
Beyond enhancing security, Twingate improves performance and operational efficiency by removing VPN bottlenecks, simplifying access management, and delivering a seamless end-user experience. It integrates smoothly with identity providers and existing infrastructure, enabling fast deployment, low latency, and easier administration.
As organizations modernize their security posture to support remote and hybrid workforces, Twingate offers a practical and future-ready solution that balances robust protection with usability and scalability.
Supported data types
Table name: twingate_audit_logs
Twingate Audit Logs record administrative actions, such as the creation, modification, or deletion of Access API Keys, Devices, Secure DNS rules, Network resources, Policies, Users & Groups, and Service accounts.
Table name: twingate_network_logs
Twingate Network Logs are detailed events for user‑to‑resource connections via Twingate, including client IP, resource IP, ports, bytes transferred (rx/tx), status (e.g., “established” or “closed” connection), protocol, user, device, connector info, and timestamps.
Table name: twingate_dns_logs
Twingate DNS Logs record intercepted DNS resolution requests (including DNS-over-HTTPS), with the queried domain, client/device metadata, and filter status (e.g., blocked or allowed), along with the reason for blocking if applicable.
Send data to Hunters
Hunters supports the ingestion of Twingate logs via an intermediary AWS S3 bucket.
To connect Twingate logs:
1. Export your logs from Twingate to an AWS S3 bucket by following this guide.
2. Once the export is completed and the logs are collected in S3, follow the steps in this section.
Expected format
Twingate Audit Logs (JSON)
Logs are expected in JSON format with no headers.
```json
{
  "event_type": "audit_log",
  "event": {
    "version": 1,
    "time": "2025-02-12T21:09:41.734955+00:00",
    "action": "create",
    "targets": [
      {
        "version": "1.0",
        "type": "Resource",
        "name": "abc-dev-example-dev",
        "id": "ABCERDFTGHJHNA==",
        "address": {
          "type": "FQDN",
          "value": "abcd.i.userdata.com"
        },
        "aliases": [],
        "isActive": true,
        "protocols": {
          "tcp": {
            "ports": [],
            "policy": "ALLOW_ALL"
          },
          "udp": {
            "ports": [],
            "policy": "ALLOW_ALL"
          },
          "allowIcmp": true
        },
        "canOpenInBrowser": true,
        "isVisibleInClient": false
      }
    ],
    "actor": {
      "type": "PublicAPIKey",
      "id": "ABCERDFTGHJHNA==",
      "info": {
        "name": "R/W Privilege for Anyscale (Used for dynamically adding/removing anyscale resources)"
      }
    }
  }
}
```
Twingate Network Logs (JSON)
```json
{
  "event_type": "network_access",
  "event": {
    "version": 1,
    "time": "2025-08-28T08:14:17.375663+00:00",
    "status": "closed_connection",
    "connection": {
      "client_ip": "12.12.123.123",
      "protocol": "udp",
      "bytes_received": 12345,
      "bytes_transferred": 12345
    },
    "connector": {
      "id": "1234",
      "name": "abc-baboon"
    },
    "remote_network": {
      "id": "121122",
      "name": "General Access"
    },
    "resource": {
      "address": "abc.example.com",
      "applied_rule": "*.example.com",
      "id": "123451",
      "ip": "12.222.33.400",
      "port": 123
    },
    "relays": [],
    "device": {
      "id": "1213"
    },
    "user": {
      "id": "112233",
      "email": "user@example.com"
    },
    "location": {
      "lat": 12.12,
      "lon": -11.11
    }
  }
}
```
Twingate DNS Logs (JSON)
```json
{
  "event_type": "dns_filtering",
  "event": {
    "version": 1,
    "time": "2025-08-28T08:14:16.510822+00:00",
    "domain": "abc-domain.enterprise.abc.com",
    "root": "abc.com",
    "device": {
      "id": "ABSDFGHJHG4567YNNO==",
      "name": "machine_key",
      "model": null
    },
    "connection": {
      "client_ip": "12.123.12.123",
      "protocol": "DNS-over-HTTPS"
    },
    "status": "default",
    "reasons": []
  }
}
```
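As an added example (not part of the Hunters or Twingate documentation), a pre-ingestion check over exported files: it routes each record to the table matching its `event_type`, rejects lines that do not parse or lack a valid `event.time`, and flags audit `create` events for Resources whose TCP or UDP policy is `ALLOW_ALL`. The one-record-per-line layout, the `event_type`-to-table mapping and all function names are assumptions drawn from the samples above.

```python
import json
from datetime import datetime

# event_type -> Hunters table, inferred from the samples on this page (assumption).
TABLE_BY_EVENT_TYPE = {
    "audit_log": "twingate_audit_logs",
    "network_access": "twingate_network_logs",
    "dns_filtering": "twingate_dns_logs",
}

def route(line):
    """Return (table, event) for one exported line; raise if the line is unusable."""
    record = json.loads(line)  # JSONDecodeError is a ValueError subclass
    table = TABLE_BY_EVENT_TYPE.get(record.get("event_type"))
    event = record.get("event")
    if table is None or not isinstance(event, dict):
        raise ValueError("unexpected event_type or missing event object")
    datetime.fromisoformat(str(event.get("time")))  # rejects a missing or malformed time
    return table, event

def allow_all_targets(event):
    """Names of Resource targets whose TCP or UDP policy is ALLOW_ALL."""
    def is_open(t):
        return any(t.get("protocols", {}).get(p, {}).get("policy") == "ALLOW_ALL"
                   for p in ("tcp", "udp"))
    return [t.get("name") for t in event.get("targets", [])
            if t.get("type") == "Resource" and is_open(t)]

def triage(lines):
    """Return (records per table, rejected line numbers, (actor type, resource) flags)."""
    counts, rejected, flags = {}, [], []
    for number, line in enumerate(lines, 1):
        try:
            table, event = route(line)
        except (ValueError, TypeError, AttributeError):
            rejected.append(number)  # not JSON, not an object, or fails the checks
            continue
        counts[table] = counts.get(table, 0) + 1
        if table == "twingate_audit_logs" and event.get("action") == "create":
            flags += [(event.get("actor", {}).get("type"), n) for n in allow_all_targets(event)]
    return counts, rejected, flags

# Constructed sample lines, trimmed from the record shapes shown on this page.
SAMPLE_LINES = [
    '{"event_type":"audit_log","event":{"time":"2025-02-12T21:09:41.734955+00:00","action":"create","actor":{"type":"PublicAPIKey"},"targets":[{"type":"Resource","name":"abc-dev-example-dev","protocols":{"tcp":{"ports":[],"policy":"ALLOW_ALL"}}}]}}',
    '{"event_type":"network_access","event":{"time":"2025-08-28T08:14:17.375663+00:00","status":"closed_connection"}}',
    '{"event_type":"dns_filtering","event":{"time":"2025-08-28T08:14:16.510822+00:00","status":"default"}}',
    '{"event_type":"network_access","event":{"time":"2025-08-28T08:14:17',  # truncated line
]
```

`triage(SAMPLE_LINES)` counts one record per table, rejects line 4, and flags the `PublicAPIKey` actor that created `abc-dev-example-dev`.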