Push Security Logs
Connecting Push Security logs in your Panther Console
Overview
Panther ingests Push Security logs by configuring a webhook to post events to a Panther HTTP source.
How to onboard Push Security logs to Panther
Step 1: Create a Push Security source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Push Security,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source.
For the Auth method, select None.
Payloads sent to this source are subject to the payload requirements for all HTTP sources.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.
Step 2: Create a new webhook in Push Security
In the left-hand navigation bar of Push Security, click Webhooks.
Click Generate Webhook.
Panther-managed detections
See Panther-managed rules for Push Security in the panther-analysis GitHub repository.
Supported log types
PushSecurity.Activity
schema: Custom.PushSecurity.Activity
description: Push Security enduser activity
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Activity
fieldDiscoveryEnabled: true
fields:
  - name: id
    required: true
    type: string
  - name: new
    required: true
    type: object
    fields:
      - name: accountId
        type: string
      - name: appId
        type: string
      - name: email
        type: string
        indicators:
          - email
      - name: employeeId
        type: string
      - name: identityProvider
        type: string
      - name: leakedPassword
        type: boolean
      - name: loginTimestamp
        type: timestamp
        timeFormats:
          - unix
      - name: loginType
        type: string
      - name: loginUrl
        type: string
        indicators:
          - url
      - name: passwordId
        type: string
      - name: passwordManuallyTyped
        type: boolean
      - name: weakPassword
        type: boolean
      - name: weakPasswordReasons
        type: array
        element:
          type: string
      - name: workApp
        type: boolean
      - name: appBanner
        type: object
        fields:
          - name: action
            type: string
          - name: buttonText
            type: string
          - name: mode
            type: string
          - name: subtext
            type: string
          - name: title
            type: string
      - name: employee
        type: object
        fields:
          - name: chatopsEnabled
            type: boolean
          - name: creationTimestamp
            type: timestamp
            timeFormats:
              - unix
          - name: department
            type: string
          - name: email
            type: string
            indicators:
              - email
          - name: firstName
            type: string
          - name: id
            type: string
          - name: lastName
            type: string
          - name: licensed
            type: boolean
          - name: location
            type: string
      - name: appType
        type: string
      - name: browser
        type: string
      - name: os
        type: string
      - name: sourceIpAddress
        type: string
        indicators:
          - ip
      - name: userAgent
        type: string
  - name: object
    validate:
      allow: ["LOGIN", "APP_BANNER"]
    required: true
    type: string
  - name: timestamp
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - unix
  - name: version
    required: true
    type: bigint
PushSecurity.AttackDetection
schema: Custom.PushSecurity.AttackDetection
description: Push Security detected attacks
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Attack-detection
fields:
  - name: id
    required: true
    type: string
  - name: new
    required: true
    type: object
    fields:
      - name: action
        type: string
      - name: appType
        type: string
      - name: browser
        type: string
      - name: email
        type: string
        indicators:
          - email
      - name: employee
        type: object
        fields:
          - name: chatopsEnabled
            type: boolean
          - name: creationTimestamp
            type: timestamp
            timeFormats:
              - unix
          - name: department
            type: string
          - name: email
            type: string
            indicators:
              - email
          - name: firstName
            type: string
          - name: id
            type: string
          - name: lastName
            type: string
          - name: licensed
            type: boolean
          - name: location
            type: string
      - name: mode
        type: string
      - name: os
        type: string
      - name: referrerUrl
        type: string
        indicators:
          - url
      - name: sourceIpAddress
        type: string
        indicators:
          - ip
      - name: url
        type: string
        indicators:
          - url
      - name: userAgent
        type: string
  - name: object
    validate:
      allow: ["SSO_PASSWORD_USED"]
    required: true
    type: string
  - name: timestamp
    isEventTime: true
    required: true
    type: timestamp
    timeFormats:
      - unix
  - name: version
    required: true
    type: bigint
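A Panther-style Python rule over the two schemas above (the LOGIN object from PushSecurity.Activity and SSO_PASSWORD_USED from PushSecurity.AttackDetection), added here as an example and not one of the Panther-managed rules. The sample events and the local deep_get helper are constructed stand-ins; inside Panther the rule would import deep_get from panther_base_helpers instead.

```python
from typing import Any

# Constructed sample events shaped like the schemas above: a LOGIN from
# PushSecurity.Activity and an SSO_PASSWORD_USED from PushSecurity.AttackDetection.
SAMPLE_LOGIN = {
    "id": "evt-1", "version": 1, "object": "LOGIN", "timestamp": 1700000000,
    "new": {"email": "alice@example.com", "appId": "app-123", "leakedPassword": False,
            "weakPassword": True, "weakPasswordReasons": ["SHORT", "COMMON"]},
}
SAMPLE_SSO_REUSE = {
    "id": "evt-2", "version": 1, "object": "SSO_PASSWORD_USED", "timestamp": 1700000060,
    "new": {"email": "alice@example.com", "url": "https://login.example.net/",
            "sourceIpAddress": "203.0.113.5"},
}

def deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    """Nested lookup; stands in for panther_base_helpers.deep_get inside Panther."""
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict):
            return default
        cur = cur.get(key)
    return default if cur is None else cur

def rule(event: dict) -> bool:
    """Alert on the credential-hygiene signals Push Security attaches to events."""
    obj = event.get("object")
    if obj == "SSO_PASSWORD_USED":   # AttackDetection: IdP password entered elsewhere
        return True
    if obj == "LOGIN":               # Activity: flags on the password that was used
        return bool(deep_get(event, "new", "leakedPassword")
                    or deep_get(event, "new", "weakPassword"))
    return False                     # APP_BANNER and anything else is informational

def severity(event: dict) -> str:
    leaked = deep_get(event, "new", "leakedPassword")
    return "HIGH" if event.get("object") == "SSO_PASSWORD_USED" or leaked else "MEDIUM"

def title(event: dict) -> str:
    email = deep_get(event, "new", "email", default="<unknown>")
    if event.get("object") == "SSO_PASSWORD_USED":
        url = deep_get(event, "new", "url", default="<unknown url>")
        return f"Push Security: SSO password of {email} entered at {url}"
    problems = []
    if deep_get(event, "new", "leakedPassword"):
        problems.append("leaked password")
    if deep_get(event, "new", "weakPassword"):
        reasons = ", ".join(deep_get(event, "new", "weakPasswordReasons", default=[]))
        problems.append(f"weak password ({reasons})")
    app = deep_get(event, "new", "appId", default="<unknown app>")
    return f"Push Security: {email} logged in to {app} with {'; '.join(problems)}"
```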
PushSecurity.Entities
schema: Custom.PushSecurity.Entities
description: Push Security Apps, Employees, Accounts, and Findings
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Entities
fieldDiscoveryEnabled: true
fields:
  - name: id
    required: true
    type: string
  - name: new
    required: true
    type: object
    fields:
      - name: chatopsEnabled
        type: boolean
      - name: department
        type: string
      - name: firstName
        type: string
      - name: lastName
        type: string
      - name: licensed
        type: boolean
      - name: location
        type: string
      - name: mfaMethods
        type: array
        element:
          type: string
      - name: mfaRegistered
        type: boolean
      - name: state
        type: string
      - name: appId
        type: string
      - name: appType
        type: string
      - name: passwordId
        type: string
      - name: approvalStatus
        type: string
      - name: notes
        type: string
      - name: ownerId
        type: string
      - name: sensitivityLevel
        type: string
      - name: type
        type: string
      - name: otherAppId
        type: string
      - name: lastUsedTimestamp
        type: timestamp
        timeFormats:
          - unix
      - name: loginMethods
        type: object
        fields:
          - name: oktaSwaLogin
            type: boolean
          - name: vendorSsoLogin
            type: string
          - name: oidcLogin
            type: string
          - name: passwordLogin
            type: boolean
          - name: samlLogin
            type: string
      - name: email
        type: string
        indicators:
          - email
      - name: employeeId
        type: string
      - name: domain
        type: string
      - name: hidden
        type: boolean
      - name: name
        type: string
      - name: oauthAppId
        type: bigint
      - name: requestSupportStatus
        type: string
      - name: creationTimestamp
        type: timestamp
        timeFormats:
          - unix
      - name: id
        type: string
  - name: object
    required: true
    validate:
      allow: ["EMPLOYEE", "ACCOUNT", "FINDING", "APP", "ACCOUNT_OTHER", "APP_OTHER"]
    type: string
  - name: old
    required: false
    type: object
    fields:
      - name: chatopsEnabled
        type: boolean
      - name: department
        type: string
      - name: firstName
        type: string
      - name: lastName
        type: string
      - name: licensed
        type: boolean
      - name: location
        type: string
      - name: lastUsedTimestamp
        type: timestamp
        timeFormats:
          - unix
      - name: mfaMethods
        type: array
        element:
          type: string
      - name: mfaRegistered
        type: boolean
      - name: state
        type: string
      - name: appId
        type: string
      - name: appType
        type: string
      - name: passwordId
        type: string
      - name: approvalStatus
        type: string
      - name: notes
        type: string
      - name: ownerId
        type: string
      - name: sensitivityLevel
        type: string
      - name: type
        type: string
      - name: otherAppId
        type: string
      - name: loginMethods
        type: object
        fields:
          - name: oidcLogin
            type: string
          - name: oktaSwaLogin
            type: boolean
          - name: samlLogin
            type: string
          - name: vendorSsoLogin
            type: string
          - name: passwordLogin
            type: boolean
      - name: email
        type: string
        indicators:
          - email
      - name: employeeId
        type: string
      - name: domain
        type: string
      - name: hidden
        type: boolean
      - name: name
        type: string
      - name: oauthAppId
        type: bigint
      - name: requestSupportStatus
        type: string
      - name: creationTimestamp
        type: timestamp
        timeFormats:
          - unix
      - name: id
        type: string
  - name: timestamp
    required: true
    type: timestamp
    isEventTime: true
    timeFormats:
      - unix
  - name: type
    required: true
    type: string
  - name: version
    required: true
    type: bigint