Sublime Security Logs

Connecting Sublime Security logs in your Panther Console

Overview

Panther can ingest Sublime Security audit logs, messages that matched a rule (also known as Message Events), and all messages in the Message Data Model (MDM) format. All three are delivered to Panther through an AWS S3 bucket.

How to onboard Sublime Security logs to Panther

Step 1: Create a Sublime Security log source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Sublime Security," then click its tile.

  4. In the upper-right corner of the slide-out panel, click Start Setup.

Step 2: Export Sublime Security logs to S3

  • Follow the instructions in the Sublime documentation on how to export logs to an S3 bucket:

    • Export Audit Logs and Message Events

      • When configuring the Audit Log and Message Events Export settings, ensure you have not checked the Use JSON Lines text formatting checkbox.

      • Panther expects logs to be in the format shown in the Example Audit Logs section:

        {
          "events": ...,
          "count": 0,
          "start": "2023-05-03T23:55:01.06552Z",
          "end": "2023-05-04T00:05:00.309749667Z",
          "key": "sublime_platform_audit_log/2023/05/04/000500Z-LPPJKV.json"
        }
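A quick way to confirm the export is configured the way Panther expects is to pull one object out of the bucket and check its shape before onboarding. The following Python script is an added example, not part of the Panther or Sublime documentation: it verifies the envelope keys shown above, the timestamp format, and the `.json` object key, and it recognises the JSON Lines misconfiguration (several newline-separated objects instead of one envelope). The sample bodies are constructed; the event records inside `events` and the assumption that `count` equals the number of events are not specified on this page.

```python
import json
import re
from typing import Any

# Envelope keys Panther expects on each exported object (from the example above).
EXPECTED_KEYS = {"events", "count", "start", "end", "key"}
# RFC 3339 UTC timestamp with optional fractional seconds, e.g. 2023-05-04T00:05:00.309749667Z
TIMESTAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z$")


def looks_like_json_lines(body: str) -> bool:
    """True if the body is several newline-separated JSON objects (JSON Lines),
    which is the export setting Panther does not accept for this source."""
    lines = [ln for ln in body.splitlines() if ln.strip()]
    if len(lines) < 2:
        return False
    try:
        return all(isinstance(json.loads(ln), dict) for ln in lines)
    except json.JSONDecodeError:
        return False


def validate_export(body: str) -> list[str]:
    """Return the problems found in an exported object body.
    An empty list means the body matches the envelope shape Panther expects."""
    problems: list[str] = []
    try:
        doc: Any = json.loads(body)
    except json.JSONDecodeError:
        if looks_like_json_lines(body):
            return ["body is JSON Lines; uncheck 'Use JSON Lines text formatting' in the Sublime export settings"]
        return ["body is not valid JSON"]
    if not isinstance(doc, dict):
        return ["top-level value is not a JSON object"]
    missing = EXPECTED_KEYS - doc.keys()
    if missing:
        problems.append(f"missing envelope keys: {sorted(missing)}")
    events = doc.get("events")
    count = doc.get("count")
    if "events" in doc and not isinstance(events, list):
        problems.append("'events' is not an array")
    if "count" in doc and (isinstance(count, bool) or not isinstance(count, int) or count < 0):
        problems.append("'count' is not a non-negative integer")
    # Assumption (not stated on the page): count is the number of items in events.
    if isinstance(events, list) and isinstance(count, int) and not isinstance(count, bool) and count != len(events):
        problems.append(f"'count' ({count}) does not match number of events ({len(events)})")
    for field in ("start", "end"):
        value = doc.get(field)
        if field in doc and not (isinstance(value, str) and TIMESTAMP_RE.match(value)):
            problems.append(f"'{field}' is not an RFC 3339 UTC timestamp")
    key = doc.get("key")
    if "key" in doc and not (isinstance(key, str) and key.endswith(".json")):
        problems.append("'key' is not a .json object key")
    return problems


# Constructed sample: the envelope shape from the example above, with made-up event records.
GOOD_EXPORT = json.dumps({
    "events": [{"id": "evt-1", "type": "example.event"}],  # constructed placeholder event
    "count": 1,
    "start": "2023-05-03T23:55:01.06552Z",
    "end": "2023-05-04T00:05:00.309749667Z",
    "key": "sublime_platform_audit_log/2023/05/04/000500Z-LPPJKV.json",
})

# Constructed sample of the misconfiguration: records written with JSON Lines enabled.
JSONL_EXPORT = '{"id": "evt-1", "type": "example.event"}\n{"id": "evt-2", "type": "example.event"}\n'

if __name__ == "__main__":
    for name, body in (("good", GOOD_EXPORT), ("jsonl", JSONL_EXPORT)):
        print(name, validate_export(body) or "OK")
```

Run it against the body of a real object downloaded from the export bucket (for example via `aws s3 cp`) before completing the Panther setup; a JSON Lines finding means the export settings still need the checkbox cleared.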

Panther-managed detections

See Panther-managed rules for Sublime Security in the panther-analysis GitHub repository.

Supported log types

Sublime.Audit

Sublime.MessageEvent

Sublime.MDM
