# Push Security Logs

## Overview

Panther ingests [Push Security](https://pushsecurity.com/) logs by configuring a webhook to post events to a [Panther HTTP source](https://docs.panther.com/data-onboarding/data-transports/http).

## How to onboard Push Security logs to Panther

### Step 1: Create a Push Security source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for “Push Security,” then click its tile.
   * In the slide-out panel, the **Transport Mechanism** dropdown in the upper-right corner will be pre-populated with the **HTTP** option.
4. Click **Start Setup**.

   <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2Fgit-blob-dd1985a068c476f6302844c936cf4afd4088259b%2FScreenshot%202025-09-11%20at%209.50.12%E2%80%AFAM.png?alt=media" alt="An arrow is drawn from a tile labeled &#x22;Push Security&#x22; in the background to a &#x22;Start Setup&#x22; button in the foreground."><figcaption></figcaption></figure>
5. Follow [Panther's instructions for configuring an HTTP Source](https://docs.panther.com/data-onboarding/data-transports/http).
   * For the **Auth method**, select **HMAC**.
     * In the **Header Name** field, enter `x-signature`.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-onboarding/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

After creating the HTTP source, the Panther Console will display your **HTTP Source URL**. Store this and the **Secret Key Value** in a secure location, as you will need them in the next step.

### Step 2: Create a new webhook in Push Security

* In the Push Security [Ingesting events using Panther](https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/ingesting-events-using-panther/#start) documentation, follow the [Configure the integration in Push](https://pushsecurity.com/help/audience/administrators/docs/connect-to-siem-or-soar/ingesting-events-using-panther/#configure-the-integration-in-push) instructions to set up a Panther webhook integration.

## Panther-managed detections

See [Panther-managed](https://docs.panther.com/detections/panther-managed) rules for Push Security in the [panther-analysis GitHub repository](https://github.com/panther-labs/panther-analysis/tree/main/rules/push_security_rules).

## Supported log types

### PushSecurity.Activity

```yaml
schema: Custom.PushSecurity.Activity
description: Push Security enduser activity
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Activity
fieldDiscoveryEnabled: true
fields:
    - name: id
      required: true
      type: string
    - name: new
      required: true
      type: object
      fields:
        - name: accountId
          type: string
        - name: appId
          type: string
        - name: email
          type: string
          indicators:
            - email
        - name: employeeId
          type: string
        - name: identityProvider
          type: string
        - name: leakedPassword
          type: boolean
        - name: loginTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: loginType
          type: string
        - name: loginUrl
          type: string
          indicators:
            - url
        - name: passwordId
          type: string
        - name: passwordManuallyTyped
          type: boolean
        - name: weakPassword
          type: boolean
        - name: weakPasswordReasons
          type: array
          element:
            type: string
        - name: workApp
          type: boolean
        - name: appBanner
          type: object
          fields:
            - name: action
              type: string
            - name: buttonText
              type: string
            - name: mode
              type: string
            - name: subtext
              type: string
            - name: title
              type: string
        - name: employee
          type: object
          fields:
            - name: chatopsEnabled
              type: boolean
            - name: creationTimestamp
              type: timestamp
              timeFormats:
                - unix
            - name: department
              type: string
            - name: email
              type: string
              indicators:
                - email
            - name: firstName
              type: string
            - name: id
              type: string
            - name: lastName
              type: string
            - name: licensed
              type: boolean
            - name: location
              type: string
        - name: appType
          type: string
        - name: browser
          type: string
        - name: os
          type: string
        - name: sourceIpAddress
          type: string
          indicators:
            - ip
        - name: userAgent
          type: string
    - name: object
      validate:
        allow: ["LOGIN", "APP_BANNER"]
      required: true
      type: string
    - name: timestamp
      required: true
      type: timestamp
      isEventTime: true
      timeFormats:
        - unix
    - name: version
      required: true
      type: bigint
```

### PushSecurity.Controls

```yaml
schema: PushSecurity.Controls
description: Push Security detected attacks
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Controls
fields:
    - name: id
      required: true
      type: string
    - name: new
      required: true
      type: object
      fields:
        - name: action
          type: string
        - name: appType
          type: string
        - name: browser
          type: string
        - name: email
          type: string
          indicators:
            - email
        - name: employee
          type: object
          fields:
            - name: chatopsEnabled
              type: boolean
            - name: creationTimestamp
              type: timestamp
              timeFormats:
                - unix
            - name: department
              type: string
            - name: email
              type: string
              indicators:
                - email
            - name: firstName
              type: string
            - name: id
              type: string
            - name: lastName
              type: string
            - name: licensed
              type: boolean
            - name: location
              type: string
        - name: mode
          type: string
        - name: os
          type: string
        - name: referrerUrl
          type: string
          indicators:
            - url
        - name: sourceIpAddress
          type: string
          indicators:
            - ip
        - name: url
          type: string
          indicators:
            - url
        - name: userAgent
          type: string
    - name: object
      required: true
      type: string
    - name: category
      required: true
      type: string
      validate:
        allow:
            - CONTROL
    - name: timestamp
      required: true
      type: timestamp
      timeFormats:
        - unix
      isEventTime: true
    - name: version
      required: true
      type: bigint
```

### PushSecurity.Entities

```yaml
schema: Custom.PushSecurity.Entities
description: Push Security Apps, Employees, Accounts, and Findings
referenceURL: https://pushsecurity.redoc.ly/webhooks-v1#tag/Entities
fieldDiscoveryEnabled: true
fields:
    - name: id
      required: true
      type: string
    - name: new
      required: true
      type: object
      fields:
        - name: chatopsEnabled
          type: boolean
        - name: department
          type: string
        - name: firstName
          type: string
        - name: lastName
          type: string
        - name: licensed
          type: boolean
        - name: location
          type: string
        - name: mfaMethods
          type: array
          element:
            type: string
        - name: mfaRegistered
          type: boolean
        - name: state
          type: string
        - name: appId
          type: string
        - name: appType
          type: string
        - name: passwordId
          type: string
        - name: approvalStatus
          type: string
        - name: notes
          type: string
        - name: ownerId
          type: string
        - name: sensitivityLevel
          type: string
        - name: type
          type: string
        - name: otherAppId
          type: string
        - name: lastUsedTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: loginMethods
          type: object
          fields:
            - name: oktaSwaLogin
              type: boolean
            - name: vendorSsoLogin
              type: string
            - name: oidcLogin
              type: string
            - name: passwordLogin
              type: boolean
            - name: samlLogin
              type: string
        - name: email
          type: string
          indicators:
            - email
        - name: employeeId
          type: string
        - name: domain
          type: string
        - name: hidden
          type: boolean
        - name: name
          type: string
        - name: oauthAppId
          type: bigint
        - name: requestSupportStatus
          type: string
        - name: creationTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: id
          type: string
    - name: object
      required: true
      validate:
        allow: ["EMPLOYEE", "ACCOUNT", "FINDING", "APP", "ACCOUNT_OTHER", "APP_OTHER"]
      type: string
    - name: old
      required: false
      type: object
      fields:
        - name: chatopsEnabled
          type: boolean
        - name: department
          type: string
        - name: firstName
          type: string
        - name: lastName
          type: string
        - name: licensed
          type: boolean
        - name: location
          type: string
        - name: lastUsedTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: mfaMethods
          type: array
          element:
            type: string
        - name: mfaRegistered
          type: boolean
        - name: state
          type: string
        - name: appId
          type: string
        - name: appType
          type: string
        - name: passwordId
          type: string
        - name: approvalStatus
          type: string
        - name: notes
          type: string
        - name: ownerId
          type: string
        - name: sensitivityLevel
          type: string
        - name: type
          type: string
        - name: otherAppId
          type: string
        - name: loginMethods
          type: object
          fields:
            - name: oidcLogin
              type: string
            - name: oktaSwaLogin
              type: boolean
            - name: samlLogin
              type: string
            - name: vendorSsoLogin
              type: string
            - name: passwordLogin
              type: boolean
        - name: email
          type: string
          indicators:
            - email
        - name: employeeId
          type: string
        - name: domain
          type: string
        - name: hidden
          type: boolean
        - name: name
          type: string
        - name: oauthAppId
          type: bigint
        - name: requestSupportStatus
          type: string
        - name: creationTimestamp
          type: timestamp
          timeFormats:
            - unix
        - name: id
          type: string
    - name: timestamp
      required: true
      type: timestamp
      isEventTime: true
      timeFormats:
        - unix
    - name: type
      required: true
      type: string
    - name: version
      required: true
      type: bigint
```
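
The following added example (not Panther's or Push Security's code, and not Panther's actual classifier) checks a webhook event against the `required` fields, `validate.allow` lists and `unix` timestamp format from the three schemas above, which is useful for testing payloads before pointing the webhook at the HTTP source. The log type names follow the section headings, and the sample events and their `EXAMPLE_*` values are constructed placeholders.

```python
# Added example. Required fields and allow lists are copied from the three
# schemas on this page; the events below are constructed samples.
SCHEMAS = {  # log type -> (required top-level fields, {field: allowed values})
    "PushSecurity.Activity": (
        {"id", "new", "object", "timestamp", "version"},
        {"object": {"LOGIN", "APP_BANNER"}},
    ),
    "PushSecurity.Controls": (
        {"id", "new", "object", "category", "timestamp", "version"},
        {"category": {"CONTROL"}},
    ),
    "PushSecurity.Entities": (
        {"id", "new", "object", "timestamp", "type", "version"},
        {"object": {"EMPLOYEE", "ACCOUNT", "FINDING", "APP",
                    "ACCOUNT_OTHER", "APP_OTHER"}},
    ),
}

def violations(event, log_type):
    """Return the schema constraints from this page that `event` breaks."""
    required, allowed = SCHEMAS[log_type]
    problems = [f"missing required field: {f}" for f in sorted(required - event.keys())]
    for field, values in allowed.items():
        if field in event and event[field] not in values:
            problems.append(f"{field}={event[field]!r} not in allow list")
    if "timestamp" in event:
        try:  # timeFormats: unix -> value must parse as epoch seconds
            float(event["timestamp"])
        except (TypeError, ValueError):
            problems.append("timestamp is not unix epoch seconds")
    return problems

def matching_log_types(event):
    """Log types whose required/allow constraints the event satisfies."""
    return [name for name in SCHEMAS if not violations(event, name)]

# Constructed samples; "EXAMPLE_*" values are placeholders, not Push Security values.
LOGIN = {"id": "evt-1", "object": "LOGIN", "timestamp": 1698604061, "version": 1,
         "new": {"email": "jane@example.com", "weakPassword": True}}
CONTROL = {"id": "evt-2", "object": "EXAMPLE_CONTROL", "category": "CONTROL",
           "timestamp": 1698604062, "version": 1, "new": {"action": "EXAMPLE_ACTION"}}
ENTITY = {"id": "evt-3", "object": "EMPLOYEE", "type": "EXAMPLE_TYPE",
          "timestamp": 1698604063, "version": 1, "new": {"licensed": True}}
BROKEN = {"id": "evt-4", "object": "LOGIN", "timestamp": "yesterday", "new": {}}

if __name__ == "__main__":
    for name, evt in [("LOGIN", LOGIN), ("CONTROL", CONTROL),
                      ("ENTITY", ENTITY), ("BROKEN", BROKEN)]:
        print(name, matching_log_types(evt) or violations(evt, "PushSecurity.Activity"))
```

An event that satisfies none of the three constraint sets, such as `BROKEN` here, is the kind of payload to fix on the sending side before relying on detections for it.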

