Push Security Logs

Connecting Push Security logs in your Panther Console

Overview

Panther ingests Push Security logs by configuring a webhook to post events to a Panther HTTP source.

How to onboard Push Security logs to Panther

Step 1: Create a Push Security source in Panther

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Push Security,” then click its tile.
- In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
Click Start Setup.
Follow Panther's instructions for configuring an HTTP Source.
- For the Auth method, select HMAC.
  - In the Header Name field, enter x-signature.
- Payloads sent to this source are subject to the payload requirements for all HTTP sources.
- Do not proceed to the next step until the creation of your HTTP endpoint has completed.

After creating the HTTP source, the Panther Console will display your HTTP Source URL—store this and the Secret Key Value in a secure location, as you will need them in the next step.

Step 2: Create a new webhook in Push Security

In the Push Security Ingesting events using Panther documentation, follow the Configure the integration in Push instructions to set up a Panther webhook integration.

Panther-managed detections

See Panther-managed rules for Push Security in the panther-analysis GitHub repository.

Supported log types

PushSecurity.Activity

schema: Custom.PushSecurity.Activity
description: Push Security enduser activity
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Activity
fieldDiscoveryEnabled: true
fields:
    - name: id
      required: true
      type: string
    - name: new
      required: true
      type: object
      fields:
        - name: accountId
          type: string
        - name: appId
          type: string
        - name: email
          type: string
          indicators:
            - email
        - name: employeeId
          type: string
        - name: identityProvider
          type: string
        - name: leakedPassword
          type: boolean
        - name: loginTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: loginType
          type: string
        - name: loginUrl
          type: string
          indicators:
            - url
        - name: passwordId
          type: string
        - name: passwordManuallyTyped
          type: boolean
        - name: weakPassword
          type: boolean
        - name: weakPasswordReasons
          type: array
          element:
            type: string
        - name: workApp
          type: boolean
        - name: appBanner
          type: object
          fields:
            - name: action
              type: string
            - name: buttonText
              type: string
            - name: mode
              type: string
            - name: subtext
              type: string
            - name: title
              type: string
        - name: employee
          type: object
          fields:
            - name: chatopsEnabled
              type: boolean
            - name: creationTimestamp
              type: timestamp
              timeFormats:
                - unix
            - name: department
              type: string
            - name: email
              type: string
              indicators:
                - email
            - name: firstName
              type: string
            - name: id
              type: string
            - name: lastName
              type: string
            - name: licensed
              type: boolean
            - name: location
              type: string
        - name: appType
          type: string
        - name: browser
          type: string
        - name: os
          type: string
        - name: sourceIpAddress
          type: string
          indicators:
            - ip
        - name: userAgent
          type: string
    - name: object
      validate:
        allow: [ "LOGIN", 
            "APP_BANNER"]
      required: true
      type: string
    - name: timestamp
      required: true
      type: timestamp
      isEventTime: true
      timeFormats:
        - unix
    - name: version
      required: true
      type: bigint

PushSecurity.Controls

schema: PushSecurity.Controls
description: Push Security detected attacks
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Controls
fields:
    - name: id
      required: true
      type: string
    - name: new
      required: true
      type: object
      fields:
        - name: action
          type: string
        - name: appType
          type: string
        - name: browser
          type: string
        - name: email
          type: string
          indicators:
            - email
        - name: employee
          type: object
          fields:
            - name: chatopsEnabled
              type: boolean
            - name: creationTimestamp
              type: timestamp
              timeFormats:
                - unix
            - name: department
              type: string
            - name: email
              type: string
              indicators:
                - email
            - name: firstName
              type: string
            - name: id
              type: string
            - name: lastName
              type: string
            - name: licensed
              type: boolean
            - name: location
              type: string
        - name: mode
          type: string
        - name: os
          type: string
        - name: referrerUrl
          type: string
          indicators:
            - url
        - name: sourceIpAddress
          type: string
          indicators:
            - ip
        - name: url
          type: string
          indicators:
            - url
        - name: userAgent
          type: string
    - name: object
      required: true
      type: string
    - name: category
      required: true
      type: string
      validate:
        allow:
            - CONTROL
    - name: timestamp
      required: true
      type: timestamp
      timeFormats:
        - unix
      isEventTime: true
    - name: version
      required: true
      type: bigint

PushSecurity.Entities

schema: Custom.PushSecurity.Entities
description: Push Security Apps, Employees, Accounts, and Findings
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Entities
fieldDiscoveryEnabled: true
fields:
    - name: id
      required: true
      type: string
    - name: new
      required: true
      type: object
      fields:
        - name: chatopsEnabled
          type: boolean
        - name: department
          type: string
        - name: firstName
          type: string
        - name: lastName
          type: string
        - name: licensed
          type: boolean
        - name: location
          type: string
        - name: mfaMethods
          type: array
          element:
            type: string
        - name: mfaRegistered
          type: boolean
        - name: state
          type: string
        - name: appId
          type: string
        - name: appType
          type: string
        - name: passwordId
          type: string
        - name: approvalStatus
          type: string
        - name: notes
          type: string
        - name: ownerId
          type: string
        - name: sensitivityLevel
          type: string
        - name: type
          type: string
        - name: otherAppId
          type: string
        - name: lastUsedTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: loginMethods
          type: object
          fields:
            - name: oktaSwaLogin
              type: boolean
            - name: vendorSsoLogin
              type: string
            - name: oidcLogin
              type: string
            - name: passwordLogin
              type: boolean
            - name: samlLogin
              type: string
        - name: email
          type: string
          indicators:
            - email
        - name: employeeId
          type: string
        - name: domain
          type: string
        - name: hidden
          type: boolean
        - name: name
          type: string
        - name: oauthAppId
          type: bigint
        - name: requestSupportStatus
          type: string
        - name: creationTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: id
          type: string
    - name: object
      required: true
      validate:
        allow: [ "EMPLOYEE", 
            "ACCOUNT",
            "FINDING",
            "APP",
            "ACCOUNT_OTHER",
            "APP_OTHER"]
      type: string
    - name: old
      required: false
      type: object
      fields:
        - name: chatopsEnabled
          type: boolean
        - name: department
          type: string
        - name: firstName
          type: string
        - name: lastName
          type: string
        - name: licensed
          type: boolean
        - name: location
          type: string
        - name: lastUsedTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: mfaMethods
          type: array
          element:
            type: string
        - name: mfaRegistered
          type: boolean
        - name: state
          type: string
        - name: appId
          type: string
        - name: appType
          type: string
        - name: passwordId
          type: string
        - name: approvalStatus
          type: string
        - name: notes
          type: string
        - name: ownerId
          type: string
        - name: sensitivityLevel
          type: string
        - name: type
          type: string
        - name: otherAppId
          type: string
        - name: loginMethods
          type: object
          fields:
            - name: oidcLogin
              type: string
            - name: oktaSwaLogin
              type: boolean
            - name: samlLogin
              type: string
            - name: vendorSsoLogin
              type: string
            - name: passwordLogin
              type: boolean
        - name: email
          type: string
          indicators:
            - email
        - name: employeeId
          type: string
        - name: domain
          type: string
        - name: hidden
          type: boolean
        - name: name
          type: string
        - name: oauthAppId
          type: bigint
        - name: requestSupportStatus
          type: string
        - name: creationTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: id
          type: string
    - name: timestamp
      required: true
      type: timestamp
      isEventTime: true
      timeFormats:
        - unix
    - name: type
      required: true
      type: string
    - name: version
      required: true
      type: bigint

PreviousProofpoint Logs NextRapid7 Logs

Last updated 3 months ago

Was this helpful?

schema: Custom.PushSecurity.Activity description: Push Security enduser activity referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Activity fieldDiscoveryEnabled: true fields: - name: id required: true type: string - name: new required: true type: object fields: - name: accountId type: string - name: appId type: string - name: email type: string indicators: - email - name: employeeId type: string - name: identityProvider type: string - name: leakedPassword type: boolean - name: loginTimestamp type: timestamp timeFormats: - unix - name: loginType type: string - name: loginUrl type: string indicators: - url - name: passwordId type: string - name: passwordManuallyTyped type: boolean - name: weakPassword type: boolean - name: weakPasswordReasons type: array element: type: string - name: workApp type: boolean - name: appBanner type: object fields: - name: action type: string - name: buttonText type: string - name: mode type: string - name: subtext type: string - name: title type: string - name: employee type: object fields: - name: chatopsEnabled type: boolean - name: creationTimestamp type: timestamp timeFormats: - unix - name: department type: string - name: email type: string indicators: - email - name: firstName type: string - name: id type: string - name: lastName type: string - name: licensed type: boolean - name: location type: string - name: appType type: string - name: browser type: string - name: os type: string - name: sourceIpAddress type: string indicators: - ip - name: userAgent type: string - name: object validate: allow: [ "LOGIN", "APP_BANNER"] required: true type: string - name: timestamp required: true type: timestamp isEventTime: true timeFormats: - unix - name: version required: true type: bigint

schema: Custom.PushSecurity.Entities description: Push Security Apps, Employees, Accounts, and Findings referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Entities fieldDiscoveryEnabled: true fields: - name: id required: true type: string - name: new required: true type: object fields: - name: chatopsEnabled type: boolean - name: department type: string - name: firstName type: string - name: lastName type: string - name: licensed type: boolean - name: location type: string - name: mfaMethods type: array element: type: string - name: mfaRegistered type: boolean - name: state type: string - name: appId type: string - name: appType type: string - name: passwordId type: string - name: approvalStatus type: string - name: notes type: string - name: ownerId type: string - name: sensitivityLevel type: string - name: type type: string - name: otherAppId type: string - name: lastUsedTimestamp type: timestamp timeFormats: - unix - name: loginMethods type: object fields: - name: oktaSwaLogin type: boolean - name: vendorSsoLogin type: string - name: oidcLogin type: string - name: passwordLogin type: boolean - name: samlLogin type: string - name: email type: string indicators: - email - name: employeeId type: string - name: domain type: string - name: hidden type: boolean - name: name type: string - name: oauthAppId type: bigint - name: requestSupportStatus type: string - name: creationTimestamp type: timestamp timeFormats: - unix - name: id type: string - name: object required: true validate: allow: [ "EMPLOYEE", "ACCOUNT", "FINDING", "APP", "ACCOUNT_OTHER", "APP_OTHER"] type: string - name: old required: false type: object fields: - name: chatopsEnabled type: boolean - name: department type: string - name: firstName type: string - name: lastName type: string - name: licensed type: boolean - name: location type: string - name: lastUsedTimestamp type: timestamp timeFormats: - unix - name: mfaMethods type: array element: type: string - name: mfaRegistered type: boolean - name: state type: string - name: appId type: string - name: appType type: string - name: passwordId type: string - name: approvalStatus type: string - name: notes type: string - name: ownerId type: string - name: sensitivityLevel type: string - name: type type: string - name: otherAppId type: string - name: loginMethods type: object fields: - name: oidcLogin type: string - name: oktaSwaLogin type: boolean - name: samlLogin type: string - name: vendorSsoLogin type: string - name: passwordLogin type: boolean - name: email type: string indicators: - email - name: employeeId type: string - name: domain type: string - name: hidden type: boolean - name: name type: string - name: oauthAppId type: bigint - name: requestSupportStatus type: string - name: creationTimestamp type: timestamp timeFormats: - unix - name: id type: string - name: timestamp required: true type: timestamp isEventTime: true timeFormats: - unix - name: type required: true type: string - name: version required: true type: bigint

hashtagOverview

hashtagHow to onboard Push Security logs to Panther

hashtagStep 1: Create a Push Security source in Panther

hashtagStep 2: Create a new webhook in Push Security

hashtagPanther-managed detections

hashtagSupported log types

hashtagPushSecurity.Activity

hashtagPushSecurity.Controls

hashtagPushSecurity.Entities