Last updated
Was this helpful?
Last updated
Was this helpful?
Panther ingests logs by configuring a webhook to post events to a .
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Push Security,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow .
For the Auth method, select None.
Payloads sent to this source are subject to the .
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.
In the left-hand navigation bar, click Webhooks.
Click Generate Webhook.
schema: Custom.PushSecurity.Activity
description: Push Security enduser activity
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Activity
fieldDiscoveryEnabled: true
fields:
- name: id
required: true
type: string
- name: new
required: true
type: object
fields:
- name: accountId
type: string
- name: appId
type: string
- name: email
type: string
indicators:
- email
- name: employeeId
type: string
- name: identityProvider
type: string
- name: leakedPassword
type: boolean
- name: loginTimestamp
type: timestamp
timeFormats:
- unix
- name: loginType
type: string
- name: loginUrl
type: string
indicators:
- url
- name: passwordId
type: string
- name: passwordManuallyTyped
type: boolean
- name: weakPassword
type: boolean
- name: weakPasswordReasons
type: array
element:
type: string
- name: workApp
type: boolean
- name: appBanner
type: object
fields:
- name: action
type: string
- name: buttonText
type: string
- name: mode
type: string
- name: subtext
type: string
- name: title
type: string
- name: employee
type: object
fields:
- name: chatopsEnabled
type: boolean
- name: creationTimestamp
type: timestamp
timeFormats:
- unix
- name: department
type: string
- name: email
type: string
indicators:
- email
- name: firstName
type: string
- name: id
type: string
- name: lastName
type: string
- name: licensed
type: boolean
- name: location
type: string
- name: appType
type: string
- name: browser
type: string
- name: os
type: string
- name: sourceIpAddress
type: string
indicators:
- ip
- name: userAgent
type: string
- name: object
validate:
allow: [ "LOGIN",
"APP_BANNER"]
required: true
type: string
- name: timestamp
required: true
type: timestamp
isEventTime: true
timeFormats:
- unix
- name: version
required: true
type: bigint
schema: Custom.PushSecurity.AttackDetection
description: Push Security detected attacks
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Attack-detection
fields:
- name: id
required: true
type: string
- name: new
required: true
type: object
fields:
- name: action
type: string
- name: appType
type: string
- name: browser
type: string
- name: email
type: string
indicators:
- email
- name: employee
type: object
fields:
- name: chatopsEnabled
type: boolean
- name: creationTimestamp
type: timestamp
timeFormats:
- unix
- name: department
type: string
- name: email
type: string
indicators:
- email
- name: firstName
type: string
- name: id
type: string
- name: lastName
type: string
- name: licensed
type: boolean
- name: location
type: string
- name: mode
type: string
- name: os
type: string
- name: referrerUrl
type: string
indicators:
- url
- name: sourceIpAddress
type: string
indicators:
- ip
- name: url
type: string
indicators:
- url
- name: userAgent
type: string
- name: object
validate:
allow: [ "SSO_PASSWORD_USED"]
required: true
type: string
- name: timestamp
isEventTime: true
required: true
type: timestamp
timeFormats:
- unix
- name: version
required: true
type: bigint
schema: Custom.PushSecurity.Entities
description: Push Security Apps, Employees, Accounts, and Findings
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Entities
fieldDiscoveryEnabled: true
fields:
- name: id
required: true
type: string
- name: new
required: true
type: object
fields:
- name: chatopsEnabled
type: boolean
- name: department
type: string
- name: firstName
type: string
- name: lastName
type: string
- name: licensed
type: boolean
- name: location
type: string
- name: mfaMethods
type: array
element:
type: string
- name: mfaRegistered
type: boolean
- name: state
type: string
- name: appId
type: string
- name: appType
type: string
- name: passwordId
type: string
- name: approvalStatus
type: string
- name: notes
type: string
- name: ownerId
type: string
- name: sensitivityLevel
type: string
- name: type
type: string
- name: otherAppId
type: string
- name: lastUsedTimestamp
type: timestamp
timeFormats:
- unix
- name: loginMethods
type: object
fields:
- name: oktaSwaLogin
type: boolean
- name: vendorSsoLogin
type: string
- name: oidcLogin
type: string
- name: passwordLogin
type: boolean
- name: samlLogin
type: string
- name: email
type: string
indicators:
- email
- name: employeeId
type: string
- name: domain
type: string
- name: hidden
type: boolean
- name: name
type: string
- name: oauthAppId
type: bigint
- name: requestSupportStatus
type: string
- name: creationTimestamp
type: timestamp
timeFormats:
- unix
- name: id
type: string
- name: object
required: true
validate:
allow: [ "EMPLOYEE",
"ACCOUNT",
"FINDING",
"APP",
"ACCOUNT_OTHER",
"APP_OTHER"]
type: string
- name: old
required: false
type: object
fields:
- name: chatopsEnabled
type: boolean
- name: department
type: string
- name: firstName
type: string
- name: lastName
type: string
- name: licensed
type: boolean
- name: location
type: string
- name: lastUsedTimestamp
type: timestamp
timeFormats:
- unix
- name: mfaMethods
type: array
element:
type: string
- name: mfaRegistered
type: boolean
- name: state
type: string
- name: appId
type: string
- name: appType
type: string
- name: passwordId
type: string
- name: approvalStatus
type: string
- name: notes
type: string
- name: ownerId
type: string
- name: sensitivityLevel
type: string
- name: type
type: string
- name: otherAppId
type: string
- name: loginMethods
type: object
fields:
- name: oidcLogin
type: string
- name: oktaSwaLogin
type: boolean
- name: samlLogin
type: string
- name: vendorSsoLogin
type: string
- name: passwordLogin
type: boolean
- name: email
type: string
indicators:
- email
- name: employeeId
type: string
- name: domain
type: string
- name: hidden
type: boolean
- name: name
type: string
- name: oauthAppId
type: bigint
- name: requestSupportStatus
type: string
- name: creationTimestamp
type: timestamp
timeFormats:
- unix
- name: id
type: string
- name: timestamp
required: true
type: timestamp
isEventTime: true
timeFormats:
- unix
- name: type
required: true
type: string
- name: version
required: true
type: bigint
In the left-hand navigation bar of Push Security, click the gear icon to access Settings.
On the Webhooks page, click +Webhook.
In the URL field, enter the Panther URL you generated while creating the HTTP source in Step 1.
See rules for Push Security in the .
Connecting Push Security logs in your Panther Console