Material Security Logs
Connecting Material Security logs in your Panther Console
Overview
Panther ingests Material Security logs by configuring an Event Subscription in Material to forward events to an HTTP endpoint in Panther.
Material Security is a unified email security, user behavior analytics, and data loss prevention solution for Microsoft 365 and Google Workspace.
How to onboard Material Security logs to Panther
Step 1: Create a new Material Security source in Panther
To connect these logs into Panther:
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Material Security,” then click its tile.
In the slide-out panel, click Start Setup.
Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.
In the Auth method dropdown field, select Bearer.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Step 2: Create an Event Subscription in Material Security
Log into your Material Security tenant.
In the upper-right corner click the puzzle piece (Integrations) icon.
From the left-hand navigation bar, select Events.
In the upper-right corner, click Create Subscription.
In the Create Subscription form, under Event and Notification Type, enter values for the following fields:
Event: Select New Case Created.
Notification Type: Select Webhook.
Subscription Name: Enter a short description.
Under Event-Specific Options, in the Case Source field, choose all applicable options.
Under Notification, enter values for the following fields:
HTTP Method: Select Method > POST.
URI: Enter the HTTP Source URL you generated in Panther in Step 1.
Under Headers, in the Headers field, add the bearer token you entered or generated in Panther in Step 1, for example:
{ "Authorization": "Bearer <token value>" }
In the top-right corner, click Save.
Supported log types
Material.CaseCreated
schema: Material.NewCaseCreated
description: Cases created in Material
referenceURL: https://material.security/
fields:
- name: caseCreated
type: object
fields:
- name: _internal
type: object
fields:
- name: internalAllMarks
type: array
element:
type: object
fields:
- name: markedBy
type: object
fields:
- name: acctEmail
type: string
indicators:
- email
- name: acctId
type: string
- name: csp
type: string
- name: isAdmin
type: boolean
- name: uAcctId
type: string
- name: userReport
type: object
fields:
- name: job
type: object
fields:
- name: jobId
type: string
- name: jobType
type: string
- name: reportedInMsftReportMsgAddin
type: boolean
- name: reportedInOutlookAddin
type: boolean
- name: labelName
type: string
- name: reportedStub
type: boolean
- name: ruleMatch
type: object
fields:
- name: id
type: string
- name: markedAt
type: string
- name: internalMark
type: object
fields:
- name: markedBy
type: object
fields:
- name: acctEmail
type: string
- name: acctId
type: string
- name: csp
type: string
- name: isAdmin
type: boolean
- name: uAcctId
type: string
- name: userReport
type: object
fields:
- name: job
type: object
fields:
- name: jobId
type: string
- name: jobType
type: string
- name: reportedInMsftReportMsgAddin
type: boolean
- name: reportedInOutlookAddin
type: boolean
- name: labelName
type: string
- name: reportedStub
type: boolean
- name: ruleMatch
type: object
fields:
- name: id
type: string
- name: markedAt
type: string
- name: caseId
type: string
- name: createdAt
type: timestamp
timeFormats:
- rfc3339
- name: createdBy
type: object
fields:
- name: system
type: boolean
- name: mark
type: object
fields:
- name: userReport
type: object
fields:
- name: reportingMethod
type: string
- name: ruleMatch
type: object
fields:
- name: ruleId
type: string
- name: ruleName
type: string
- name: ruleProvenanceType
type: string
- name: markType
type: string
- name: markedAt
type: timestamp
timeFormats:
- rfc3339
- name: markedBy
type: object
fields:
- name: actor
type: object
fields:
- name: acctEmail
type: string
indicators:
- email
- name: acctId
type: string
- name: csp
type: string
- name: isAdmin
type: boolean
- name: uAcctId
type: string
- name: system
type: boolean
- name: messageId
type: string
- name: eventId
type: string
- name: forCase
type: object
fields:
- name: caseId
type: string
- name: info
type: object
fields:
- name: remedyHistory
type: array
element:
type: object
fields:
- name: reason
type: object
fields:
- name: userReport
type: object
fields:
- name: global
type: boolean
- name: rule
type: object
fields:
- name: ruleId
type: string
- name: remedy
type: object
fields:
- name: markSpam
type: object
fields:
- name: selected
type: boolean
- name: vaxAllow
type: object
fields:
- name: selected
type: boolean
- name: vaxDeny
type: object
fields:
- name: selected
type: boolean
- name: vaxTeach
type: object
fields:
- name: message
type: string
- name: selected
type: boolean
- name: vaxBanner
type: object
fields:
- name: message
type: string
- name: selected
type: boolean
- name: reporterAcknowledgementConfig
type: object
fields:
- name: acknowledgeNewReporters
type: boolean
- name: acknowledgePreviousReporters
type: boolean
- name: acknowledgementMessage
type: string
- name: id
type: string
- name: type
type: string
- name: version
type: string
- name: judgedBy
type: string
- name: caseAnalysis
type: object
fields:
- name: caseId
type: string
- name: completedAt
type: timestamp
timeFormats:
- rfc3339
- name: judgement
type: string
- name: reasons
type: array
element:
type: string
- name: type
type: string
- name: caseAnalysisHistory
type: array
element:
type: object
fields:
- name: caseId
type: string
- name: completedAt
type: timestamp
timeFormats:
- rfc3339
- name: judgement
type: string
- name: reasons
type: array
element:
type: string
- name: type
type: string
- name: recommendedJudgementCategory
type: string
- name: orgId
type: string
- name: caseId
type: string
- name: closedStatus
type: string
- name: createdAt
type: timestamp
timeFormats:
- rfc3339
- name: hasNovelDomain
type: boolean
- name: hasNovelSender
type: boolean
- name: isHistorical
type: boolean
- name: isShadow
type: boolean
- name: judgedAt
type: string
- name: judgementCategory
type: string
- name: judgementHistory
type: array
element:
type: object
fields:
- name: judgedBy
type: string
- name: recommendedJudgementCategory
type: string
- name: judgedAt
type: timestamp
timeFormats:
- rfc3339
- name: judgementCategory
type: string
- name: judgementReason
type: object
fields:
- name: default
type: boolean
- name: adminReport
type: boolean
- name: caseClassification
type: boolean
- name: modelName
type: string
- name: modelVersion
type: string
- name: reasons
type: array
element:
type: string
- name: score
type: float
- name: rule
type: object
fields:
- name: custom
type: object
fields:
- name: ruleId
type: string
- name: builtIn
type: object
fields:
- name: ruleId
type: string
- name: judgementReason
type: object
fields:
- name: default
type: boolean
- name: adminReport
type: boolean
- name: caseClassification
type: boolean
- name: modelName
type: string
- name: modelVersion
type: string
- name: reasons
type: array
element:
type: string
- name: score
type: float
- name: rule
type: object
fields:
- name: custom
type: object
fields:
- name: ruleId
type: string
- name: builtIn
type: object
fields:
- name: ruleId
type: string
- name: newMarkedMessagesCount
type: bigint
- name: newSimilarMessagesCount
type: bigint
- name: remediateSimilarMessages
type: boolean
- name: remedy
type: object
fields:
- name: reason
type: object
fields:
- name: userReport
type: object
fields:
- name: global
type: boolean
- name: rule
type: object
fields:
- name: ruleId
type: string
- name: remedy
type: object
fields:
- name: vaxTeach
type: object
fields:
- name: message
type: string
- name: selected
type: boolean
- name: markSpam
type: object
fields:
- name: selected
type: boolean
- name: vaxDeny
type: object
fields:
- name: selected
type: boolean
- name: vaxBanner
type: object
fields:
- name: message
type: string
- name: selected
type: boolean
- name: vaxAllow
type: object
fields:
- name: selected
type: boolean
- name: reporterAcknowledgementConfig
type: object
fields:
- name: acknowledgeNewReporters
type: boolean
- name: acknowledgePreviousReporters
type: boolean
- name: acknowledgementMessage
type: string
- name: id
type: string
- name: type
type: string
- name: version
type: string
- name: reviewedStatus
type: string
- name: shouldInvestigate
type: boolean
- name: updatedAt
type: timestamp
timeFormats:
- rfc3339
- name: status
type: object
fields:
- name: caseId
type: string
- name: createdAt
type: timestamp
timeFormats:
- rfc3339
- name: investigation
type: object
fields:
- name: override
type: object
fields:
- name: createdAt
type: timestamp
timeFormats:
- rfc3339
- name: isShadow
type: boolean
- name: remedy
type: object
fields:
- name: reason
type: object
fields:
- name: userReport
type: object
fields:
- name: global
type: boolean
- name: rule
type: object
fields:
- name: ruleId
type: string
- name: remedy
type: object
fields:
- name: vaxTeach
type: object
fields:
- name: message
type: string
- name: selected
type: boolean
- name: markSpam
type: object
fields:
- name: selected
type: boolean
- name: vaxDeny
type: object
fields:
- name: selected
type: boolean
- name: vaxBanner
type: object
fields:
- name: message
type: string
- name: selected
type: boolean
- name: vaxAllow
type: object
fields:
- name: selected
type: boolean
- name: reporterAcknowledgementConfig
type: object
fields:
- name: acknowledgeNewReporters
type: boolean
- name: acknowledgePreviousReporters
type: boolean
- name: acknowledgementMessage
type: string
- name: id
type: string
- name: type
type: string
- name: version
type: string
- name: remedyHistory
type: array
element:
type: object
fields:
- name: reason
type: object
fields:
- name: userReport
type: object
fields:
- name: global
type: boolean
- name: rule
type: object
fields:
- name: ruleId
type: string
- name: remedy
type: object
fields:
- name: vaxTeach
type: object
fields:
- name: message
type: string
- name: selected
type: boolean
- name: markSpam
type: object
fields:
- name: selected
type: boolean
- name: vaxDeny
type: object
fields:
- name: selected
type: boolean
- name: vaxBanner
type: object
fields:
- name: message
type: string
- name: selected
type: boolean
- name: vaxAllow
type: object
fields:
- name: selected
type: boolean
- name: reporterAcknowledgementConfig
type: object
fields:
- name: acknowledgeNewReporters
type: boolean
- name: acknowledgePreviousReporters
type: boolean
- name: acknowledgementMessage
type: string
- name: id
type: string
- name: type
type: string
- name: version
type: string
- name: reviewed
type: object
fields:
- name: status
type: string
- name: forMessage
type: object
fields:
- name: json
type: object
fields:
- name: inReplyTo
type: string
- name: sender
type: string
- name: xMailer
type: string
- name: inReplyTos
type: array
element:
type: string
- name: references
type: array
element:
type: string
- name: rawReplyTo
type: array
element:
type: string
- name: replyTo
type: array
element:
type: string
- name: dkim
type: string
- name: dmarc
type: string
- name: spf
type: string
- name: received
type: array
element:
type: string
- name: acctEmail
type: string
indicators:
- email
- name: acctId
type: string
- name: attachmentIds
type: array
element:
type: string
- name: attachmentMimes
type: array
element:
type: string
- name: attachmentNames
type: array
element:
type: string
- name: attachments
type: array
element:
type: object
fields:
- name: attachId
type: string
- name: filename
type: string
- name: md5
type: string
indicators:
- md5
- name: mime
type: string
- name: sha256
type: string
indicators:
- sha256
- name: size
type: bigint
- name: store
type: string
- name: date
type: timestamp
timeFormats:
- rfc3339
- name: from
type: string
- name: headers
type: array
element:
type: object
fields:
- name: k
type: string
- name: v
type: string
- name: host
type: string
- name: hostDate
type: timestamp
timeFormats:
- rfc3339
- name: hostFlags
type: object
fields:
- name: isDraft
type: boolean
- name: isInbox
type: boolean
- name: isRetrieved
type: boolean
- name: isSent
type: boolean
- name: isSpam
type: boolean
- name: isTrash
type: boolean
- name: isUnread
type: boolean
- name: hostMsgId
type: string
- name: hostTags
type: array
element:
type: string
- name: hostThreadId
type: string
- name: isDiagnostic
type: boolean
- name: isPurgatoryV2
type: boolean
- name: isStub
type: boolean
- name: links
type: array
element:
type: object
fields:
- name: text
type: string
- name: href
type: string
- name: messageId
type: string
- name: numAttachments
type: bigint
- name: parts
type: array
element:
type: object
fields:
- name: attachmentType
type: string
- name: attachId
type: string
- name: filename
type: string
- name: md5
type: string
indicators:
- md5
- name: sha256
type: string
indicators:
- sha256
- name: store
type: string
- name: text
type: string
- name: headers
type: array
element:
type: object
fields:
- name: k
type: string
- name: v
type: string
- name: mime
type: string
- name: path
type: string
- name: size
type: bigint
- name: rawFrom
type: array
element:
type: string
- name: rawTo
type: array
element:
type: string
- name: receivedDates
type: array
element:
type: timestamp
timeFormats:
- rfc3339
- name: snippet
type: string
- name: snippetMime
type: string
- name: subject
type: string
- name: to
type: array
element:
type: string
- name: totalSize
type: bigint
- name: uDomainId
type: string
- name: key
type: array
element:
type: string
- name: getMaterialBaseUrl
type: object
fields:
- name: url
type: string
indicators:
- url
- name: timestamp
type: timestamp
timeFormats:
- rfc3339
isEventTime: true
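The schema above is what a Panther detection sees once the Event Subscription is forwarding. As an added example that is not part of the Panther documentation or of Material's integration, the following Panther-style rule fires when Material has flagged a new case for investigation, raises the severity when the message comes from a sender or domain the tenant has never seen, and surfaces the email authentication results, link targets and attachment hashes an analyst wants first. It uses only field names from the schema above; the sample event is constructed for illustration, and the local deep_get helper stands in for the deep_get from panther_base_helpers (or event.deep_get) that a deployed rule would use.

```python
# Added example: a Panther-style detection rule over Material.CaseCreated events.
# Not code from Panther or Material. SAMPLE_EVENT is a constructed payload using
# only field names from the Material.NewCaseCreated schema; the string values in it
# (auth results, URLs, hashes) are illustrative, not real Material output.
from typing import Any


def deep_get(obj: Any, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely; return default if any key is missing or null.
    Stand-in for panther_base_helpers.deep_get so the block runs stand-alone."""
    for key in keys:
        if not isinstance(obj, dict):
            return default
        obj = obj.get(key)
        if obj is None:
            return default
    return obj


def rule(event: dict) -> bool:
    """Fire only when Material itself marked the case for investigation."""
    return bool(deep_get(event, "caseCreated", "info", "shouldInvestigate", default=False))


def severity(event: dict) -> str:
    """Escalate when the sender or its domain is new to the tenant."""
    info = deep_get(event, "caseCreated", "info", default={})
    if info.get("hasNovelSender") or info.get("hasNovelDomain"):
        return "HIGH"
    return "MEDIUM"


def title(event: dict) -> str:
    """Alert title: case id, subject and sender of the message behind the case."""
    msg = deep_get(event, "caseCreated", "forMessage", "json", default={})
    case_id = deep_get(event, "caseCreated", "caseId", default="<unknown case>")
    subject = msg.get("subject", "<no subject>")
    sender = msg.get("from", "<unknown sender>")
    return f"Material case {case_id} needs investigation: '{subject}' from {sender}"


def alert_context(event: dict) -> dict:
    """Triage context: mailbox, SPF/DKIM/DMARC results, link targets, attachment hashes."""
    msg = deep_get(event, "caseCreated", "forMessage", "json", default={})
    return {
        "case_id": deep_get(event, "caseCreated", "caseId"),
        "mailbox": msg.get("acctEmail"),
        "spf": msg.get("spf"),
        "dkim": msg.get("dkim"),
        "dmarc": msg.get("dmarc"),
        "link_targets": [link.get("href") for link in msg.get("links", [])],
        "attachment_sha256": [a.get("sha256") for a in msg.get("attachments", [])],
        "material_url": deep_get(event, "getMaterialBaseUrl", "url"),
    }


# Constructed sample event (hypothetical values) shaped like the schema above.
SAMPLE_EVENT = {
    "caseCreated": {
        "caseId": "case-0001",
        "info": {"shouldInvestigate": True, "hasNovelSender": True, "hasNovelDomain": False},
        "forMessage": {
            "json": {
                "acctEmail": "alice@example.com",
                "from": "billing@example.net",
                "subject": "Invoice overdue",
                "spf": "pass",
                "dkim": "fail",
                "dmarc": "fail",
                "links": [{"text": "Pay now", "href": "https://example.net/pay"}],
                "attachments": [{"filename": "invoice.pdf", "sha256": "0" * 64}],
            }
        },
    },
    "getMaterialBaseUrl": {"url": "https://example-tenant.material.security"},
    "timestamp": "2024-01-01T00:00:00Z",
}

if __name__ == "__main__":
    if rule(SAMPLE_EVENT):
        print(severity(SAMPLE_EVENT), title(SAMPLE_EVENT))
        print(alert_context(SAMPLE_EVENT))
```

Keying the rule on shouldInvestigate rather than on a judgement string keeps it from depending on enum values the schema does not enumerate; the novelty booleans and the forMessage.json authentication fields are then context for the analyst, not the trigger.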