# Push Security Logs

## Overview

Panther ingests [Push Security](https://pushsecurity.com/) logs through a webhook that you configure in Push Security to post events to a [Panther HTTP source](https://docs.panther.com/data-onboarding/data-transports/http).

## How to onboard Push Security logs to Panther

### Step 1: Create a Push Security source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Push Security,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-dd1985a068c476f6302844c936cf4afd4088259b%2FScreenshot%202025-09-11%20at%209.50.12%E2%80%AFAM.png?alt=media" alt="An arrow is drawn from a tile labeled &#x22;Push Security&#x22; in the background to a &#x22;Start Setup&#x22; button in the foreground."><figcaption></figcaption></figure>
5. Follow [Panther's instructions for configuring an HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http).
   * For the **Auth method**, select **HMAC**.
     * In the **Header Name** field, enter `x-signature`.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-onboarding/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

After creating the HTTP source, the Panther Console will display your **HTTP Source URL**. Store this and the **Secret Key Value** in a secure location, as you will need them in the next step.

### Step 2: Create a new webhook in Push Security

* In the Push Security [Ingesting events using Panther](https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/ingesting-events-using-panther/#start) documentation, follow the [Configure the integration in Push](https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/ingesting-events-using-panther/#configure-the-integration-in-push) instructions to set up a Panther webhook integration.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Push Security in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/push_security_rules).

## Supported log types

### PushSecurity.Activity

```yaml
schema: Custom.PushSecurity.Activity
description: Push Security enduser activity
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Activity
fieldDiscoveryEnabled: true
fields:
    - name: id
      required: true
      type: string
    - name: new
      required: true
      type: object
      fields:
        - name: accountId
          type: string
        - name: appId
          type: string
        - name: email
          type: string
          indicators:
            - email
        - name: employeeId
          type: string
        - name: identityProvider
          type: string
        - name: leakedPassword
          type: boolean
        - name: loginTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: loginType
          type: string
        - name: loginUrl
          type: string
          indicators:
            - url
        - name: passwordId
          type: string
        - name: passwordManuallyTyped
          type: boolean
        - name: weakPassword
          type: boolean
        - name: weakPasswordReasons
          type: array
          element:
            type: string
        - name: workApp
          type: boolean
        - name: appBanner
          type: object
          fields:
            - name: action
              type: string
            - name: buttonText
              type: string
            - name: mode
              type: string
            - name: subtext
              type: string
            - name: title
              type: string
        - name: employee
          type: object
          fields:
            - name: chatopsEnabled
              type: boolean
            - name: creationTimestamp
              type: timestamp
              timeFormats:
                - unix
            - name: department
              type: string
            - name: email
              type: string
              indicators:
                - email
            - name: firstName
              type: string
            - name: id
              type: string
            - name: lastName
              type: string
            - name: licensed
              type: boolean
            - name: location
              type: string
        - name: appType
          type: string
        - name: browser
          type: string
        - name: os
          type: string
        - name: sourceIpAddress
          type: string
          indicators:
            - ip
        - name: userAgent
          type: string
    - name: object
      validate:
        allow:
            - LOGIN
            - APP_BANNER
      required: true
      type: string
    - name: timestamp
      required: true
      type: timestamp
      isEventTime: true
      timeFormats:
        - unix
    - name: version
      required: true
      type: bigint
```
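
The following is an added example, not code from Panther or Push Security. It checks an event against the required fields and `object` allow-list of the Activity schema above, then reads the `leakedPassword`, `weakPassword` and `weakPasswordReasons` fields of `LOGIN` events. The function names and sample events are constructed for illustration, and `timestamp` is assumed to be in seconds, per the `unix` time format.

```python
from datetime import datetime, timezone

# Taken from the PushSecurity.Activity schema above.
REQUIRED = ("id", "new", "object", "timestamp", "version")
ALLOWED_OBJECTS = {"LOGIN", "APP_BANNER"}


def schema_errors(event):
    """List the ways an event departs from the schema's required fields and allow-list."""
    errors = [f"missing required field: {k}" for k in REQUIRED if k not in event]
    if "object" in event and event["object"] not in ALLOWED_OBJECTS:
        errors.append(f"object not in allow-list: {event['object']}")
    if "new" in event and not isinstance(event["new"], dict):
        errors.append("new is not an object")
    return errors


def risky_login(event):
    """Return password-hygiene findings for a schema-conformant LOGIN event, else []."""
    if schema_errors(event) or event["object"] != "LOGIN":
        return []
    new = event["new"]
    findings = []
    if new.get("leakedPassword"):
        findings.append("leaked password")
    if new.get("weakPassword"):
        reasons = ", ".join(new.get("weakPasswordReasons") or []) or "unspecified"
        findings.append(f"weak password ({reasons})")
    return findings


def event_time(event):
    """Convert the unix `timestamp` (the isEventTime field) to a UTC datetime."""
    return datetime.fromtimestamp(event["timestamp"], tz=timezone.utc)


# Constructed sample events; every value is a placeholder.
SAMPLE_LOGIN = {
    "id": "00000000-0000-0000-0000-000000000001", "object": "LOGIN",
    "timestamp": 1700000000, "version": 1,
    "new": {"email": "user@example.com", "leakedPassword": True,
            "weakPassword": True, "weakPasswordReasons": ["EXAMPLE_REASON"]},
}
SAMPLE_BAD = {"id": "2", "object": "ACCOUNT", "timestamp": 1700000000, "new": {}}

if __name__ == "__main__":
    print(event_time(SAMPLE_LOGIN).isoformat(), risky_login(SAMPLE_LOGIN))
    print(schema_errors(SAMPLE_BAD))
```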

### PushSecurity.Controls

```yaml
schema: PushSecurity.Controls
description: Push Security detected attacks
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Controls
fields:
    - name: id
      required: true
      type: string
    - name: new
      required: true
      type: object
      fields:
        - name: action
          type: string
        - name: appType
          type: string
        - name: browser
          type: string
        - name: email
          type: string
          indicators:
            - email
        - name: employee
          type: object
          fields:
            - name: chatopsEnabled
              type: boolean
            - name: creationTimestamp
              type: timestamp
              timeFormats:
                - unix
            - name: department
              type: string
            - name: email
              type: string
              indicators:
                - email
            - name: firstName
              type: string
            - name: id
              type: string
            - name: lastName
              type: string
            - name: licensed
              type: boolean
            - name: location
              type: string
        - name: mode
          type: string
        - name: os
          type: string
        - name: referrerUrl
          type: string
          indicators:
            - url
        - name: sourceIpAddress
          type: string
          indicators:
            - ip
        - name: url
          type: string
          indicators:
            - url
        - name: userAgent
          type: string
    - name: object
      required: true
      type: string
    - name: category
      required: true
      type: string
      validate:
        allow:
            - CONTROL
    - name: timestamp
      required: true
      type: timestamp
      timeFormats:
        - unix
      isEventTime: true
    - name: version
      required: true
      type: bigint
```

### PushSecurity.Entities

```yaml
schema: Custom.PushSecurity.Entities
description: Push Security Apps, Employees, Accounts, and Findings
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Entities
fieldDiscoveryEnabled: true
fields:
    - name: id
      required: true
      type: string
    - name: new
      required: true
      type: object
      fields:
        - name: chatopsEnabled
          type: boolean
        - name: department
          type: string
        - name: firstName
          type: string
        - name: lastName
          type: string
        - name: licensed
          type: boolean
        - name: location
          type: string
        - name: mfaMethods
          type: array
          element:
            type: string
        - name: mfaRegistered
          type: boolean
        - name: state
          type: string
        - name: appId
          type: string
        - name: appType
          type: string
        - name: passwordId
          type: string
        - name: approvalStatus
          type: string
        - name: notes
          type: string
        - name: ownerId
          type: string
        - name: sensitivityLevel
          type: string
        - name: type
          type: string
        - name: otherAppId
          type: string
        - name: lastUsedTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: loginMethods
          type: object
          fields:
            - name: oktaSwaLogin
              type: boolean
            - name: vendorSsoLogin
              type: string
            - name: oidcLogin
              type: string
            - name: passwordLogin
              type: boolean
            - name: samlLogin
              type: string
        - name: email
          type: string
          indicators:
            - email
        - name: employeeId
          type: string
        - name: domain
          type: string
        - name: hidden
          type: boolean
        - name: name
          type: string
        - name: oauthAppId
          type: bigint
        - name: requestSupportStatus
          type: string
        - name: creationTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: id
          type: string
    - name: object
      required: true
      validate:
        allow:
            - EMPLOYEE
            - ACCOUNT
            - FINDING
            - APP
            - ACCOUNT_OTHER
            - APP_OTHER
      type: string
    - name: old
      required: false
      type: object
      fields:
        - name: chatopsEnabled
          type: boolean
        - name: department
          type: string
        - name: firstName
          type: string
        - name: lastName
          type: string
        - name: licensed
          type: boolean
        - name: location
          type: string
        - name: lastUsedTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: mfaMethods
          type: array
          element:
            type: string
        - name: mfaRegistered
          type: boolean
        - name: state
          type: string
        - name: appId
          type: string
        - name: appType
          type: string
        - name: passwordId
          type: string
        - name: approvalStatus
          type: string
        - name: notes
          type: string
        - name: ownerId
          type: string
        - name: sensitivityLevel
          type: string
        - name: type
          type: string
        - name: otherAppId
          type: string
        - name: loginMethods
          type: object
          fields:
            - name: oidcLogin
              type: string
            - name: oktaSwaLogin
              type: boolean
            - name: samlLogin
              type: string
            - name: vendorSsoLogin
              type: string
            - name: passwordLogin
              type: boolean
        - name: email
          type: string
          indicators:
            - email
        - name: employeeId
          type: string
        - name: domain
          type: string
        - name: hidden
          type: boolean
        - name: name
          type: string
        - name: oauthAppId
          type: bigint
        - name: requestSupportStatus
          type: string
        - name: creationTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: id
          type: string
    - name: timestamp
      required: true
      type: timestamp
      isEventTime: true
      timeFormats:
        - unix
    - name: type
      required: true
      type: string
    - name: version
      required: true
      type: bigint
```
