# Material Security Logs

## Overview

Panther ingests [Material Security](https://material.security/) logs by configuring an Event Subscription in Material to forward events to an HTTP endpoint in Panther.

Material Security is a unified email security, user behavior analytics, and data loss prevention solution for Microsoft 365 and Google Workspace.

## How to onboard Material Security logs to Panther

### Step 1: Create a new Material Security source in Panther

To connect these logs to Panther:

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Material Security,” then click its tile.
4. In the slide-out panel, click **Start Setup**.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-a7633a16da3312719ffbe05b1cd6561f72884f75%2FScreenshot%202024-09-25%20at%204.00.40%20PM.png?alt=media" alt="On the right side of the screen, there is a slide-out panel titled &#x22;Material Security.&#x22; There is an arrow drawn to a &#x22;Start Setup&#x22; button."><figcaption></figcaption></figure>
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * In the **Auth method** dropdown field, select **Bearer**.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-onboarding/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Create an Event Subscription in Material Security

1. Log into your Material Security tenant.
2. In the upper-right corner click the puzzle piece (**Integrations**) icon.
3. From the left-hand navigation bar, select **Events**.
4. In the upper-right corner, click **Create Subscription**.
5. In the **Create Subscription** form, under **Event and Notification Type**, enter values for the following fields:
   * **Event**: Select **New Case Created**.
   * **Notification Type**: Select **Webhook**.
   * **Subscription Name**: Enter a short description.
6. Under **Event-Specific Options**, in the **Case Source** field, choose all applicable options.
7. Under **Notification**, enter values for the following fields:
   * **HTTP Method**: Select **Method** > **POST**.
   * **URI**: Enter the **HTTP Source URL** you generated in Panther in [Step 1](#step-1-create-a-new-material-security-source-in-panther).
8. Under **Headers**, in the **Headers** field, add the bearer token you entered or generated in Panther in [Step 1](#step-1-create-a-new-material-security-source-in-panther), for example: `{ "Authorization": "Bearer <token value>" }`.
9. In the top-right corner, click **Save**.
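The exchange configured in Steps 1 and 2 is a plain HTTPS POST whose only client authentication is the bearer token in the `Authorization` header. The following added example (not code from Panther or Material) builds that request for a constructed event and models the receiver-side token check, so you can see what the HTTP source is expected to accept and reject; the URL, token and event body are constructed placeholders, and `send()` is a convenience for trying a real endpoint from the command line.

```python
"""Added example: the Material -> Panther webhook POST and the bearer check
on the receiving side. URL, token and event are constructed placeholders."""
import hmac
import json
import urllib.request
from dataclasses import dataclass

# Constructed values; replace with the HTTP Source URL and bearer token from Step 1.
HTTP_SOURCE_URL = "https://logs.example.panther.invalid/http/ingest/PLACEHOLDER-SOURCE-ID"
BEARER_TOKEN = "constructed-example-token-do-not-use"

# Constructed minimal 'New Case Created' body; keys follow the Material.NewCaseCreated schema.
SAMPLE_EVENT = {
    "eventId": "evt-0001",
    "timestamp": "2024-09-25T16:00:40Z",
    "forCase": {"caseId": "case-0001", "info": {"judgementCategory": "MALICIOUS"}},
}


@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: bytes


def build_webhook_request(url: str, token: str, event: dict) -> Request:
    """Mirror the subscription settings from Step 2: POST, JSON body,
    and the header {"Authorization": "Bearer <token value>"}."""
    return Request(
        method="POST",
        url=url,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        body=json.dumps(event).encode(),
    )


def receiver_accepts(req: Request, expected_token: str) -> bool:
    """Model of the check an HTTP source with Bearer auth performs (not Panther's
    own code): only a POST carrying exactly 'Bearer <expected token>' is accepted.
    hmac.compare_digest keeps the comparison constant-time."""
    if req.method != "POST":
        return False
    scheme, _, presented = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def parse_body(req: Request) -> dict:
    """What the ingest side sees once the token check has passed."""
    return json.loads(req.body)


def send(req: Request) -> int:
    """Deliver the request to a real endpoint and return the HTTP status (network call)."""
    http_req = urllib.request.Request(req.url, data=req.body, headers=req.headers, method=req.method)
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Replace the placeholders above before running this against your HTTP source.
    print("status:", send(build_webhook_request(HTTP_SOURCE_URL, BEARER_TOKEN, SAMPLE_EVENT)))
```

Sending the constructed event once from your own host before saving the subscription confirms that the URL and token match; a non-2xx status from Panther at that point means the source, not Material, needs attention.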

## Supported log types

### Material.CaseCreated

```yaml
schema: Material.NewCaseCreated
description: Cases created in Material
referenceURL: https://material.security/
fields:
  - name: caseCreated
    type: object
    fields:
      - name: _internal
        type: object
        fields:
          - name: internalAllMarks
            type: array
            element:
              type: object
              fields:
                - name: markedBy
                  type: object
                  fields:
                    - name: acctEmail
                      type: string
                      indicators:
                        - email
                    - name: acctId
                      type: string
                    - name: csp
                      type: string
                    - name: isAdmin
                      type: boolean
                    - name: uAcctId
                      type: string
                - name: userReport
                  type: object
                  fields:
                    - name: job
                      type: object
                      fields:
                        - name: jobId
                          type: string
                        - name: jobType
                          type: string
                    - name: reportedInMsftReportMsgAddin
                      type: boolean
                    - name: reportedInOutlookAddin
                      type: boolean
                    - name: labelName
                      type: string
                    - name: reportedStub
                      type: boolean
                - name: ruleMatch
                  type: object
                  fields:
                    - name: id
                      type: string
                - name: markedAt
                  type: string
          - name: internalMark
            type: object
            fields:
              - name: markedBy
                type: object
                fields:
                  - name: acctEmail
                    type: string
                  - name: acctId
                    type: string
                  - name: csp
                    type: string
                  - name: isAdmin
                    type: boolean
                  - name: uAcctId
                    type: string
              - name: userReport
                type: object
                fields:
                  - name: job
                    type: object
                    fields:
                      - name: jobId
                        type: string
                      - name: jobType
                        type: string
                  - name: reportedInMsftReportMsgAddin
                    type: boolean
                  - name: reportedInOutlookAddin
                    type: boolean
                  - name: labelName
                    type: string
                  - name: reportedStub
                    type: boolean
              - name: ruleMatch
                type: object
                fields:
                  - name: id
                    type: string
              - name: markedAt
                type: string
      - name: caseId
        type: string
      - name: createdAt
        type: timestamp
        timeFormats:
          - rfc3339
      - name: createdBy
        type: object
        fields:
          - name: system
            type: boolean
      - name: mark
        type: object
        fields:
          - name: userReport
            type: object
            fields:
              - name: reportingMethod
                type: string
          - name: ruleMatch
            type: object
            fields:
              - name: ruleId
                type: string
              - name: ruleName
                type: string
              - name: ruleProvenanceType
                type: string
          - name: markType
            type: string
          - name: markedAt
            type: timestamp
            timeFormats:
              - rfc3339
          - name: markedBy
            type: object
            fields:
              - name: actor
                type: object
                fields:
                  - name: acctEmail
                    type: string
                    indicators:
                      - email
                  - name: acctId
                    type: string
                  - name: csp
                    type: string
                  - name: isAdmin
                    type: boolean
                  - name: uAcctId
                    type: string
              - name: system
                type: boolean
      - name: messageId
        type: string
  - name: eventId
    type: string
  - name: forCase
    type: object
    fields:
      - name: caseId
        type: string
      - name: info
        type: object
        fields:
          - name: remedyHistory
            type: array
            element:
              type: object
              fields:
                - name: reason
                  type: object
                  fields:
                    - name: userReport
                      type: object
                      fields:
                        - name: global
                          type: boolean
                    - name: rule
                      type: object
                      fields:
                        - name: ruleId
                          type: string
                - name: remedy
                  type: object
                  fields:
                    - name: markSpam
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxAllow
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxDeny
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxTeach
                      type: object
                      fields:
                        - name: message
                          type: string
                        - name: selected
                          type: boolean
                    - name: vaxBanner
                      type: object
                      fields:
                        - name: message
                          type: string
                        - name: selected
                          type: boolean
                - name: reporterAcknowledgementConfig
                  type: object
                  fields:
                    - name: acknowledgeNewReporters
                      type: boolean
                    - name: acknowledgePreviousReporters
                      type: boolean
                    - name: acknowledgementMessage
                      type: string
                    - name: id
                      type: string
                    - name: type
                      type: string
                    - name: version
                      type: string
          - name: judgedBy
            type: string
          - name: caseAnalysis
            type: object
            fields:
              - name: caseId
                type: string
              - name: completedAt
                type: timestamp
                timeFormats:
                  - rfc3339
              - name: judgement
                type: string
              - name: reasons
                type: array
                element:
                  type: string
              - name: type
                type: string
          - name: caseAnalysisHistory
            type: array
            element:
              type: object
              fields:
                - name: caseId
                  type: string
                - name: completedAt
                  type: timestamp
                  timeFormats:
                    - rfc3339
                - name: judgement
                  type: string
                - name: reasons
                  type: array
                  element:
                    type: string
                - name: type
                  type: string
          - name: recommendedJudgementCategory
            type: string
          - name: orgId
            type: string
          - name: caseId
            type: string
          - name: closedStatus
            type: string
          - name: createdAt
            type: timestamp
            timeFormats:
              - rfc3339
          - name: hasNovelDomain
            type: boolean
          - name: hasNovelSender
            type: boolean
          - name: isHistorical
            type: boolean
          - name: isShadow
            type: boolean
          - name: judgedAt
            type: string
          - name: judgementCategory
            type: string
          - name: judgementHistory
            type: array
            element:
              type: object
              fields:
                - name: judgedBy
                  type: string
                - name: recommendedJudgementCategory
                  type: string
                - name: judgedAt
                  type: timestamp
                  timeFormats:
                    - rfc3339
                - name: judgementCategory
                  type: string
                - name: judgementReason
                  type: object
                  fields:
                    - name: default
                      type: boolean
                    - name: adminReport
                      type: boolean
                    - name: caseClassification
                      type: boolean
                    - name: modelName
                      type: string
                    - name: modelVersion
                      type: string
                    - name: reasons
                      type: array
                      element:
                        type: string
                    - name: score
                      type: float
                    - name: rule
                      type: object
                      fields:
                        - name: custom
                          type: object
                          fields:
                            - name: ruleId
                              type: string
                        - name: builtIn
                          type: object
                          fields:
                            - name: ruleId
                              type: string
          - name: judgementReason
            type: object
            fields:
              - name: default
                type: boolean
              - name: adminReport
                type: boolean
              - name: caseClassification
                type: boolean
              - name: modelName
                type: string
              - name: modelVersion
                type: string
              - name: reasons
                type: array
                element:
                  type: string
              - name: score
                type: float
              - name: rule
                type: object
                fields:
                  - name: custom
                    type: object
                    fields:
                      - name: ruleId
                        type: string
                  - name: builtIn
                    type: object
                    fields:
                      - name: ruleId
                        type: string
          - name: newMarkedMessagesCount
            type: bigint
          - name: newSimilarMessagesCount
            type: bigint
          - name: remediateSimilarMessages
            type: boolean
          - name: remedy
            type: object
            fields:
              - name: reason
                type: object
                fields:
                  - name: userReport
                    type: object
                    fields:
                      - name: global
                        type: boolean
                  - name: rule
                    type: object
                    fields:
                      - name: ruleId
                        type: string
              - name: remedy
                type: object
                fields:
                  - name: vaxTeach
                    type: object
                    fields:
                      - name: message
                        type: string
                      - name: selected
                        type: boolean
                  - name: markSpam
                    type: object
                    fields:
                      - name: selected
                        type: boolean
                  - name: vaxDeny
                    type: object
                    fields:
                      - name: selected
                        type: boolean
                  - name: vaxBanner
                    type: object
                    fields:
                      - name: message
                        type: string
                      - name: selected
                        type: boolean
                  - name: vaxAllow
                    type: object
                    fields:
                      - name: selected
                        type: boolean
              - name: reporterAcknowledgementConfig
                type: object
                fields:
                  - name: acknowledgeNewReporters
                    type: boolean
                  - name: acknowledgePreviousReporters
                    type: boolean
                  - name: acknowledgementMessage
                    type: string
                  - name: id
                    type: string
                  - name: type
                    type: string
                  - name: version
                    type: string
          - name: reviewedStatus
            type: string
          - name: shouldInvestigate
            type: boolean
          - name: updatedAt
            type: timestamp
            timeFormats:
              - rfc3339
      - name: status
        type: object
        fields:
          - name: caseId
            type: string
          - name: createdAt
            type: timestamp
            timeFormats:
              - rfc3339
          - name: investigation
            type: object
            fields:
              - name: override
                type: object
                fields:
                  - name: createdAt
                    type: timestamp
                    timeFormats:
                      - rfc3339
          - name: isShadow
            type: boolean
          - name: remedy
            type: object
            fields:
              - name: reason
                type: object
                fields:
                  - name: userReport
                    type: object
                    fields:
                      - name: global
                        type: boolean
                  - name: rule
                    type: object
                    fields:
                      - name: ruleId
                        type: string
              - name: remedy
                type: object
                fields:
                  - name: vaxTeach
                    type: object
                    fields:
                      - name: message
                        type: string
                      - name: selected
                        type: boolean
                  - name: markSpam
                    type: object
                    fields:
                      - name: selected
                        type: boolean
                  - name: vaxDeny
                    type: object
                    fields:
                      - name: selected
                        type: boolean
                  - name: vaxBanner
                    type: object
                    fields:
                      - name: message
                        type: string
                      - name: selected
                        type: boolean
                  - name: vaxAllow
                    type: object
                    fields:
                      - name: selected
                        type: boolean
              - name: reporterAcknowledgementConfig
                type: object
                fields:
                  - name: acknowledgeNewReporters
                    type: boolean
                  - name: acknowledgePreviousReporters
                    type: boolean
                  - name: acknowledgementMessage
                    type: string
                  - name: id
                    type: string
                  - name: type
                    type: string
                  - name: version
                    type: string
          - name: remedyHistory
            type: array
            element:
              type: object
              fields:
                - name: reason
                  type: object
                  fields:
                    - name: userReport
                      type: object
                      fields:
                        - name: global
                          type: boolean
                    - name: rule
                      type: object
                      fields:
                        - name: ruleId
                          type: string
                - name: remedy
                  type: object
                  fields:
                    - name: vaxTeach
                      type: object
                      fields:
                        - name: message
                          type: string
                        - name: selected
                          type: boolean
                    - name: markSpam
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxDeny
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                    - name: vaxBanner
                      type: object
                      fields:
                        - name: message
                          type: string
                        - name: selected
                          type: boolean
                    - name: vaxAllow
                      type: object
                      fields:
                        - name: selected
                          type: boolean
                - name: reporterAcknowledgementConfig
                  type: object
                  fields:
                    - name: acknowledgeNewReporters
                      type: boolean
                    - name: acknowledgePreviousReporters
                      type: boolean
                    - name: acknowledgementMessage
                      type: string
                    - name: id
                      type: string
                    - name: type
                      type: string
                    - name: version
                      type: string
          - name: reviewed
            type: object
            fields:
              - name: status
                type: string
  - name: forMessage
    type: object
    fields:
      - name: json
        type: object
        fields:
          - name: inReplyTo
            type: string
          - name: sender
            type: string
          - name: xMailer
            type: string
          - name: inReplyTos
            type: array
            element:
              type: string
          - name: references
            type: array
            element:
              type: string
          - name: rawReplyTo
            type: array
            element:
              type: string
          - name: replyTo
            type: array
            element:
              type: string
          - name: dkim
            type: string
          - name: dmarc
            type: string
          - name: spf
            type: string
          - name: received
            type: array
            element:
              type: string
          - name: acctEmail
            type: string
            indicators:
              - email
          - name: acctId
            type: string
          - name: attachmentIds
            type: array
            element:
              type: string
          - name: attachmentMimes
            type: array
            element:
              type: string
          - name: attachmentNames
            type: array
            element:
              type: string
          - name: attachments
            type: array
            element:
              type: object
              fields:
                - name: attachId
                  type: string
                - name: filename
                  type: string
                - name: md5
                  type: string
                  indicators:
                    - md5
                - name: mime
                  type: string
                - name: sha256
                  type: string
                  indicators:
                    - sha256
                - name: size
                  type: bigint
                - name: store
                  type: string
          - name: date
            type: timestamp
            timeFormats:
              - rfc3339
          - name: from
            type: string
          - name: headers
            type: array
            element:
              type: object
              fields:
                - name: k
                  type: string
                - name: v
                  type: string
          - name: host
            type: string
          - name: hostDate
            type: timestamp
            timeFormats:
              - rfc3339
          - name: hostFlags
            type: object
            fields:
              - name: isDraft
                type: boolean
              - name: isInbox
                type: boolean
              - name: isRetrieved
                type: boolean
              - name: isSent
                type: boolean
              - name: isSpam
                type: boolean
              - name: isTrash
                type: boolean
              - name: isUnread
                type: boolean
          - name: hostMsgId
            type: string
          - name: hostTags
            type: array
            element:
              type: string
          - name: hostThreadId
            type: string
          - name: isDiagnostic
            type: boolean
          - name: isPurgatoryV2
            type: boolean
          - name: isStub
            type: boolean
          - name: links
            type: array
            element:
              type: object
              fields:
                - name: text
                  type: string
                - name: href
                  type: string
          - name: messageId
            type: string
          - name: numAttachments
            type: bigint
          - name: parts
            type: array
            element:
              type: object
              fields:
                - name: attachmentType
                  type: string
                - name: attachId
                  type: string
                - name: filename
                  type: string
                - name: md5
                  type: string
                  indicators:
                    - md5
                - name: sha256
                  type: string
                  indicators:
                    - sha256
                - name: store
                  type: string
                - name: text
                  type: string
                - name: headers
                  type: array
                  element:
                    type: object
                    fields:
                      - name: k
                        type: string
                      - name: v
                        type: string
                - name: mime
                  type: string
                - name: path
                  type: string
                - name: size
                  type: bigint
          - name: rawFrom
            type: array
            element:
              type: string
          - name: rawTo
            type: array
            element:
              type: string
          - name: receivedDates
            type: array
            element:
              type: timestamp
              timeFormats:
                - rfc3339
          - name: snippet
            type: string
          - name: snippetMime
            type: string
          - name: subject
            type: string
          - name: to
            type: array
            element:
              type: string
          - name: totalSize
            type: bigint
          - name: uDomainId
            type: string
      - name: key
        type: array
        element:
          type: string
  - name: getMaterialBaseUrl
    type: object
    fields:
      - name: url
        type: string
        indicators:
          - url
  - name: timestamp
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
```
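Once events land with this schema, the fields a detection engineer cares about are `forCase.info.judgementCategory`, the `spf`/`dkim`/`dmarc` results and novel-sender flags, and the attachment hashes and link targets that become alert context. The following added example (not a rule shipped by Panther or Material) is a detection written in Panther's `rule(event)` / `title(event)` / `alert_context(event)` style over a constructed `Material.NewCaseCreated` event. `deep_get` is a small local stand-in for Panther's helper of the same name, the judgement value `MALICIOUS` and the authentication result strings are assumptions about Material's vocabulary, and the sample events are constructed.

```python
"""Added example: a Panther-style detection over Material.NewCaseCreated events.
Sample events, the 'MALICIOUS' category value and the auth-result strings are
constructed assumptions, not values taken from Material documentation."""
from typing import Any


def deep_get(obj: dict, *keys: str, default: Any = None) -> Any:
    """Walk nested dicts safely (local stand-in for panther_base_helpers.deep_get)."""
    cur = obj
    for key in keys:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
    return default if cur is None else cur


# Assumed: authentication results we treat as not passing.
FAILING_AUTH = {"fail", "softfail", "none"}


def rule(event: dict) -> bool:
    """Fire when Material judged the case malicious, or when a user-reported message
    fails email authentication or pairs a novel sender/domain with attachments."""
    category = str(deep_get(event, "forCase", "info", "judgementCategory", default="")).upper()
    if category == "MALICIOUS":  # assumed category value
        return True
    # The userReport object under caseCreated.mark is present only for user reports.
    user_reported = deep_get(event, "caseCreated", "mark", "userReport") is not None
    msg = deep_get(event, "forMessage", "json", default={})
    auth_fail = any(str(msg.get(h, "")).lower() in FAILING_AUTH for h in ("spf", "dkim", "dmarc"))
    novel = bool(deep_get(event, "forCase", "info", "hasNovelSender", default=False)) or bool(
        deep_get(event, "forCase", "info", "hasNovelDomain", default=False)
    )
    has_attachments = (msg.get("numAttachments") or 0) > 0
    return user_reported and (auth_fail or (novel and has_attachments))


def title(event: dict) -> str:
    subject = deep_get(event, "forMessage", "json", "subject", default="<no subject>")
    sender = deep_get(event, "forMessage", "json", "from", default="<unknown sender>")
    case_id = deep_get(event, "forCase", "caseId", default="?")
    return f"Material case {case_id}: '{subject}' from {sender}"


def alert_context(event: dict) -> dict:
    """Indicators a responder needs first: auth results, attachment hashes, link targets."""
    msg = deep_get(event, "forMessage", "json", default={})
    return {
        "case_id": deep_get(event, "forCase", "caseId"),
        "judgement": deep_get(event, "forCase", "info", "judgementCategory"),
        "auth": {h: msg.get(h) for h in ("spf", "dkim", "dmarc")},
        "attachment_sha256": [a.get("sha256") for a in msg.get("attachments", []) if a.get("sha256")],
        "link_hrefs": [l.get("href") for l in msg.get("links", []) if l.get("href")],
        "recipients": msg.get("to", []),
    }


# Constructed sample: rule-matched case that Material judged malicious.
SAMPLE_MALICIOUS = {
    "eventId": "evt-0002",
    "timestamp": "2024-09-25T16:05:00Z",
    "caseCreated": {"caseId": "case-0002", "mark": {"ruleMatch": {"ruleId": "r-1", "ruleName": "Credential phishing"}}},
    "forCase": {"caseId": "case-0002", "info": {"judgementCategory": "MALICIOUS", "hasNovelSender": True}},
    "forMessage": {"json": {
        "subject": "Invoice overdue", "from": "billing@example.invalid",
        "spf": "fail", "dkim": "none", "dmarc": "fail", "numAttachments": 1,
        "attachments": [{"filename": "invoice.zip", "sha256": "0" * 64}],
        "links": [{"text": "Pay now", "href": "https://pay.example.invalid/login"}],
        "to": ["user@corp.example"],
    }},
}

# Constructed sample: user-reported message that passes authentication and was judged benign.
SAMPLE_USER_REPORT_CLEAN = {
    "eventId": "evt-0003",
    "timestamp": "2024-09-25T16:06:00Z",
    "caseCreated": {"caseId": "case-0003", "mark": {"userReport": {"reportingMethod": "outlook_addin"}}},
    "forCase": {"caseId": "case-0003", "info": {"judgementCategory": "BENIGN", "hasNovelSender": False}},
    "forMessage": {"json": {"subject": "Lunch?", "from": "colleague@corp.example",
                            "spf": "pass", "dkim": "pass", "dmarc": "pass", "numAttachments": 0}},
}

if __name__ == "__main__":
    for evt in (SAMPLE_MALICIOUS, SAMPLE_USER_REPORT_CLEAN):
        print(rule(evt), title(evt), alert_context(evt))
```

The rule deliberately treats a missing `judgementCategory` as "not malicious" and falls through to the user-report heuristics, so an event that arrives before Material has finished its analysis still gets evaluated on the message's own authentication results.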
