Material Security Logs

Connecting Material Security logs in your Panther Console
Overview

Panther ingests Material Security logs by configuring an Event Subscription in Material to forward events to an HTTP endpoint in Panther.
Material Security is a unified email security, user behavior analytics, and data loss prevention solution for Microsoft 365 and Google Workspace.
How to onboard Material Security logs to Panther

Step 1: Create a new Material Security source in Panther

To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Material Security,” then click its tile.
In the slide-out panel, click Start Setup.\
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
- In the Auth method dropdown field, select Bearer.
- Payloads sent to this source are subject to the payload requirements for all HTTP sources.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Step 2: Create an Event Subscription in Material Security

Log into your Material Security tenant.
In the upper-right corner click the puzzle piece (Integrations) icon.
From the left-hand navigation bar, select Events.
In the upper-right corner, click Create Subscription.
In the Create Subscription form, under Event and Notification Type, enter values for the following fields:
- Event: Select New Case Created.
- Notification Type: Select Webhook.
- Subscription Name: Enter a short description.
Under Event-Specific Options, in the Case Source field, choose all applicable options.
Under Notification, enter values for the following fields:
- HTTP Method: Select Method > POST.
- URI: Enter the HTTP Source URL you generated in Panther in Step 1.
Under Headers, in the Headers field, add the bearer token you entered or generated in Panther in Step 1, for example: { "Authorization": "Bearer <token value>" }.
In the top-right corner, click Save.
Supported log types

Material.CaseCreated

schema: Material.NewCaseCreated
description: Cases created in Material
referenceURL: https://material.security/
fields:
  - name: caseCreated
    type: object
    fields:
      - name: _internal
        type: object
        fields:
          - name: internalAllMarks
            type: array
            element:
              type: object
              fields:
                - name: markedBy
                  type: object
                  fields:
                    - name: acctEmail
                      type: string
                      indicators:
                        - email
                    - name: acctId
                      type: string
                    - name: csp
                      type: string
                    - name: isAdmin
                      type: boolean
                    - name: uAcctId
                      type: string
                - name: userReport
                  type: object
                  fields:
                    - name: job
                      type: object
                      fields:
                        - name: jobId
                          type: string
                        - name: jobType
                          type: string
                    - name: reportedInMsftReportMsgAddin
                      type: boolean
                    - name: reportedInOutlookAddin
                      type: boolean
                    - name: labelName
                      type: string
                    - name: reportedStub
                      type: boolean
                - name: ruleMatch
                  type: object
                  fields:
                    - name: id
                      type: string
                - name: markedAt
                  type: string
          - name: internalMark
            type: object
            fields:
              - name: markedBy
                type: object
                fields:
                  - name: acctEmail
                    type: string
                  - name: acctId
                    type: string
                  - name: csp
                    type: string
                  - name: isAdmin
                    type: boolean
                  - name: uAcctId
                    type: string
              - name: userReport
                type: object
                fields:
                  - name: job
                    type: object
                    fields:
                      - name: jobId
                        type: string
                      - name: jobType
                        type: string
                  - name: reportedInMsftReportMsgAddin
                    type: boolean
                  - name: reportedInOutlookAddin
                    type: boolean
                  - name: labelName
                    type: string
                  - name: reportedStub
                    type: boolean
              - name: ruleMatch
                type: object
                fields:
                  - name: id
                    type: string
              - name: markedAt
                type: string
      - name: caseId
        type: string
      - name: createdAt
        type: timestamp
        timeFormats:
          - rfc3339
      - name: createdBy
        type: object
        fields:
          - name: system
            type: boolean
      - name: mark
        type: object
        fields:
          - name: userReport
            type: object
            fields:
              - name: reportingMethod
                type: string
          - name: ruleMatch
            type: object
            fields:
              - name: ruleId
                type: string
              - name: ruleName
                type: string
              - name: ruleProvenanceType
                type: string
          - name: markType
            type: string
          - name: markedAt
            type: timestamp
            timeFormats:
              - rfc3339
          - name: markedBy
            type: object
            fields:
              - name: actor
                type: object
                fields:
                  - name: acctEmail
                    type: string
                    indicators:
                      - email
                  - name: acctId
                    type: string
                  - name: csp
                    type: string
                  - name: isAdmin
                    type: boolean
                  - name: uAcctId
                    type: string
              - name: system
                type: boolean
      - name: messageId
        type: string
  - name: eventId
    type: string
  - name: forCase
    type: object
    fields:
      - name: caseId
        type: string
      - name: info
        type: object
        fields:
          - name: remedyHistory
            type: array
            element:
              type: object
              fields:
                - name: reason
                  type: object
                  fields:
                    - name: userReport
                      type: object
                      fields:
                        - name: global
                          type: boolean
                    - name: rule
                      type: object
                      fields:
                        - name: ruleId
                          type: string
                - name: remedy
                  type: object
                  fields:
                    - name: markSpam
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxAllow
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxDeny
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxTeach
                      type: object
                      fields:
                        - name: message
                          type: string
                        - name: selected
                          type: boolean
                    - name: vaxBanner
                      type: object
                      fields:
                        - name: message
                          type: string
                        - name: selected
                          type: boolean
                - name: reporterAcknowledgementConfig
                  type: object
                  fields:
                    - name: acknowledgeNewReporters
                      type: boolean
                    - name: acknowledgePreviousReporters
                      type: boolean
                    - name: acknowledgementMessage
                      type: string
                    - name: id
                      type: string
                    - name: type
                      type: string
                    - name: version
                      type: string
          - name: judgedBy
            type: string
          - name: caseAnalysis
            type: object
            fields:
              - name: caseId
                type: string
              - name: completedAt
                type: timestamp
                timeFormats:
                  - rfc3339
              - name: judgement
                type: string
              - name: reasons
                type: array
                element:
                  type: string
              - name: type
                type: string
          - name: caseAnalysisHistory
            type: array
            element:
              type: object
              fields:
                - name: caseId
                  type: string
                - name: completedAt
                  type: timestamp
                  timeFormats:
                    - rfc3339
                - name: judgement
                  type: string
                - name: reasons
                  type: array
                  element:
                    type: string
                - name: type
                  type: string
          - name: recommendedJudgementCategory
            type: string
          - name: orgId
            type: string
          - name: caseId
            type: string
          - name: closedStatus
            type: string
          - name: createdAt
            type: timestamp
            timeFormats:
              - rfc3339
          - name: hasNovelDomain
            type: boolean
          - name: hasNovelSender
            type: boolean
          - name: isHistorical
            type: boolean
          - name: isShadow
            type: boolean
          - name: judgedAt
            type: string
          - name: judgementCategory
            type: string
          - name: judgementHistory
            type: array
            element:
              type: object
              fields:
                - name: judgedBy
                  type: string
                - name: recommendedJudgementCategory
                  type: string
                - name: judgedAt
                  type: timestamp
                  timeFormats:
                    - rfc3339
                - name: judgementCategory
                  type: string
                - name: judgementReason
                  type: object
                  fields:
                    - name: default
                      type: boolean
                    - name: adminReport
                      type: boolean
                    - name: caseClassification
                      type: boolean
                    - name: modelName
                      type: string
                    - name: modelVersion
                      type: string
                    - name: reasons
                      type: array
                      element:
                        type: string
                    - name: score
                      type: float
                    - name: rule
                      type: object
                      fields:
                        - name: custom
                          type: object
                          fields:
                            - name: ruleId
                              type: string
                        - name: builtIn
                          type: object
                          fields:
                            - name: ruleId
                              type: string
          - name: judgementReason
            type: object
            fields:
              - name: default
                type: boolean
              - name: adminReport
                type: boolean
              - name: caseClassification
                type: boolean
              - name: modelName
                type: string
              - name: modelVersion
                type: string
              - name: reasons
                type: array
                element:
                  type: string
              - name: score
                type: float
              - name: rule
                type: object
                fields:
                  - name: custom
                    type: object
                    fields:
                      - name: ruleId
                        type: string
                  - name: builtIn
                    type: object
                    fields:
                      - name: ruleId
                        type: string
          - name: newMarkedMessagesCount
            type: bigint
          - name: newSimilarMessagesCount
            type: bigint
          - name: remediateSimilarMessages
            type: boolean
          - name: remedy
            type: object
            fields:
              - name: reason
                type: object
                fields:
                  - name: userReport
                    type: object
                    fields:
                      - name: global
                        type: boolean
                  - name: rule
                    type: object
                    fields:
                      - name: ruleId
                        type: string
              - name: remedy
                type: object
                fields:
                  - name: vaxTeach
                    type: object
                    fields:
                      - name: message
                        type: string
                      - name: selected
                        type: boolean
                  - name: markSpam
                    type: object
                    fields:
                      - name: selected
                        type: boolean
                  - name: vaxDeny
                    type: object
                    fields:
                      - name: selected
                        type: boolean
                  - name: vaxBanner
                    type: object
                    fields:
                      - name: message
                        type: string
                      - name: selected
                        type: boolean
                  - name: vaxAllow
                    type: object
                    fields:
                      - name: selected
                        type: boolean
              - name: reporterAcknowledgementConfig
                type: object
                fields:
                  - name: acknowledgeNewReporters
                    type: boolean
                  - name: acknowledgePreviousReporters
                    type: boolean
                  - name: acknowledgementMessage
                    type: string
                  - name: id
                    type: string
                  - name: type
                    type: string
                  - name: version
                    type: string
          - name: reviewedStatus
            type: string
          - name: shouldInvestigate
            type: boolean
          - name: updatedAt
            type: timestamp
            timeFormats:
              - rfc3339
      - name: status
        type: object
        fields:
          - name: caseId
            type: string
          - name: createdAt
            type: timestamp
            timeFormats:
              - rfc3339
          - name: investigation
            type: object
            fields:
              - name: override
                type: object
                fields:
                  - name: createdAt
                    type: timestamp
                    timeFormats:
                      - rfc3339
          - name: isShadow
            type: boolean
          - name: remedy
            type: object
            fields:
              - name: reason
                type: object
                fields:
                  - name: userReport
                    type: object
                    fields:
                      - name: global
                        type: boolean
                  - name: rule
                    type: object
                    fields:
                      - name: ruleId
                        type: string
              - name: remedy
                type: object
                fields:
                  - name: vaxTeach
                    type: object
                    fields:
                      - name: message
                        type: string
                      - name: selected
                        type: boolean
                  - name: markSpam
                    type: object
                    fields:
                      - name: selected
                        type: boolean
                  - name: vaxDeny
                    type: object
                    fields:
                      - name: selected
                        type: boolean
                  - name: vaxBanner
                    type: object
                    fields:
                      - name: message
                        type: string
                      - name: selected
                        type: boolean
                  - name: vaxAllow
                    type: object
                    fields:
                      - name: selected
                        type: boolean
              - name: reporterAcknowledgementConfig
                type: object
                fields:
                  - name: acknowledgeNewReporters
                    type: boolean
                  - name: acknowledgePreviousReporters
                    type: boolean
                  - name: acknowledgementMessage
                    type: string
                  - name: id
                    type: string
                  - name: type
                    type: string
                  - name: version
                    type: string
          - name: remedyHistory
            type: array
            element:
              type: object
              fields:
                - name: reason
                  type: object
                  fields:
                    - name: userReport
                      type: object
                      fields:
                        - name: global
                          type: boolean
                    - name: rule
                      type: object
                      fields:
                        - name: ruleId
                          type: string
                - name: remedy
                  type: object
                  fields:
                    - name: vaxTeach
                      type: object
                      fields:
                        - name: message
                          type: string
                        - name: selected
                          type: boolean
                    - name: markSpam
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxDeny
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxBanner
                      type: object
                      fields:
                        - name: message
                          type: string
                        - name: selected
                          type: boolean
                    - name: vaxAllow
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                - name: reporterAcknowledgementConfig
                  type: object
                  fields:
                    - name: acknowledgeNewReporters
                      type: boolean
                    - name: acknowledgePreviousReporters
                      type: boolean
                    - name: acknowledgementMessage
                      type: string
                    - name: id
                      type: string
                    - name: type
                      type: string
                    - name: version
                      type: string
          - name: reviewed
            type: object
            fields:
              - name: status
                type: string
  - name: forMessage
    type: object
    fields:
      - name: json
        type: object
        fields:
          - name: inReplyTo
            type: string
          - name: sender
            type: string
          - name: xMailer
            type: string
          - name: inReplyTos
            type: array
            element:
              type: string
          - name: references
            type: array
            element:
              type: string
          - name: rawReplyTo
            type: array
            element:
              type: string
          - name: replyTo
            type: array
            element:
              type: string
          - name: dkim
            type: string
          - name: dmarc
            type: string
          - name: spf
            type: string
          - name: received
            type: array
            element:
              type: string
          - name: acctEmail
            type: string
            indicators:
              - email
          - name: acctId
            type: string
          - name: attachmentIds
            type: array
            element:
              type: string
          - name: attachmentMimes
            type: array
            element:
              type: string
          - name: attachmentNames
            type: array
            element:
              type: string
          - name: attachments
            type: array
            element:
              type: object
              fields:
                - name: attachId
                  type: string
                - name: filename
                  type: string
                - name: md5
                  type: string
                  indicators:
                    - md5
                - name: mime
                  type: string
                - name: sha256
                  type: string
                  indicators:
                    - sha256
                - name: size
                  type: bigint
                - name: store
                  type: string
          - name: date
            type: timestamp
            timeFormats:
              - rfc3339
          - name: from
            type: string
          - name: headers
            type: array
            element:
              type: object
              fields:
                - name: k
                  type: string
                - name: v
                  type: string
          - name: host
            type: string
          - name: hostDate
            type: timestamp
            timeFormats:
              - rfc3339
          - name: hostFlags
            type: object
            fields:
              - name: isDraft
                type: boolean
              - name: isInbox
                type: boolean
              - name: isRetrieved
                type: boolean
              - name: isSent
                type: boolean
              - name: isSpam
                type: boolean
              - name: isTrash
                type: boolean
              - name: isUnread
                type: boolean
          - name: hostMsgId
            type: string
          - name: hostTags
            type: array
            element:
              type: string
          - name: hostThreadId
            type: string
          - name: isDiagnostic
            type: boolean
          - name: isPurgatoryV2
            type: boolean
          - name: isStub
            type: boolean
          - name: links
            type: array
            element:
              type: object
              fields:
                - name: text
                  type: string
                - name: href
                  type: string
          - name: messageId
            type: string
          - name: numAttachments
            type: bigint
          - name: parts
            type: array
            element:
              type: object
              fields:
                - name: attachmentType
                  type: string
                - name: attachId
                  type: string
                - name: filename
                  type: string
                - name: md5
                  type: string
                  indicators:
                    - md5
                - name: sha256
                  type: string
                  indicators:
                    - sha256
                - name: store
                  type: string
                - name: text
                  type: string
                - name: headers
                  type: array
                  element:
                    type: object
                    fields:
                      - name: k
                        type: string
                      - name: v
                        type: string
                - name: mime
                  type: string
                - name: path
                  type: string
                - name: size
                  type: bigint
          - name: rawFrom
            type: array
            element:
              type: string
          - name: rawTo
            type: array
            element:
              type: string
          - name: receivedDates
            type: array
            element:
              type: timestamp
              timeFormats:
                - rfc3339
          - name: snippet
            type: string
          - name: snippetMime
            type: string
          - name: subject
            type: string
          - name: to
            type: array
            element:
              type: string
          - name: totalSize
            type: bigint
          - name: uDomainId
            type: string
      - name: key
        type: array
        element:
          type: string
  - name: getMaterialBaseUrl
    type: object
    fields:
      - name: url
        type: string
        indicators:
          - url
  - name: timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
PreviousLacework Export NextMicrosoft 365 Logs
Last updated 6 months ago
Was this helpful?