The Tracebit logs integration is in open beta starting with Panther version 1.111, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther ingests Tracebit alert logs by configuring Tracebit to send alerts to an HTTP endpoint in Panther.
Tracebit maintains canary resources across your organization's cloud infrastructure to detect potential intrusions. Alert logs from Tracebit contain information about activity on canary resources, as well as use of canary credentials.
How to onboard Tracebit logs to Panther
Step 1: Create a new Tracebit source in Panther
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
During setup, on the Configure page, you will be required to use HMAC authentication; this is the only method of authentication Tracebit supports.
The Header Name associated with your Secret Key Value will be locked with a value of X-Tracebit-Signature-256, and the Hashing Algorithm will be locked with a value of SHA 256.
Generate a Secret Key Value and store it in a secure location, as you will need it in the next step.
Do not proceed to the next step until the creation of your HTTP endpoint has completed.
Step 2: Create a Panther integration in Tracebit
In the Tracebit console, navigate to the Integrations page.
Click Panther.
In the HTTP Log Source URL field, paste the HTTP Source URL you generated in Panther in the previous step.
In the HMAC SHA256 Shared Secret field, paste the Secret Key Value you generated in Panther in the previous step.
Click Save.
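The HMAC step in Step 1 is what lets Panther discard webhook posts that were not produced with the shared secret, so a forged or tampered payload never becomes a Tracebit.Alert event. The following Python is an added example, not code from Panther or Tracebit: it shows the check a receiving endpoint performs with the header name and hashing algorithm fixed on the Configure page. The exact encoding of the signature value (lowercase hex of HMAC-SHA256 over the raw request body, with no prefix) and the sample body are assumptions of this example.

```python
import hashlib
import hmac

# Header name and algorithm are the ones locked on Panther's Configure page.
# The encoding of the signature value (lowercase hex over the raw body) is an
# assumption of this example.
SIGNATURE_HEADER = "X-Tracebit-Signature-256"


def sign_body(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw request body: what the sender attaches."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, headers: dict, body: bytes) -> bool:
    """Accept the request only if the signature header matches the raw body.

    The comparison uses hmac.compare_digest, which runs in constant time so
    the endpoint does not leak how many leading bytes of a guess were right.
    """
    # HTTP header names are case-insensitive; normalise before lookup.
    presented = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER.lower())
    if not presented:
        return False  # unsigned request: reject rather than parse it
    expected = sign_body(secret, body)
    return hmac.compare_digest(expected, presented)


# Constructed sample values, not real Tracebit data or a real secret.
SECRET = b"example-shared-secret-rotate-me"
BODY = (
    b'{"discriminator":{"type":"tracebit_alert_log",'
    b'"subtype":"canary_credential_used"},"id":"log-0001"}'
)

if __name__ == "__main__":
    signed = {SIGNATURE_HEADER: sign_body(SECRET, BODY)}
    print(verify_request(SECRET, signed, BODY))         # True
    print(verify_request(SECRET, signed, BODY + b" "))  # False: body altered in transit
    print(verify_request(SECRET, {}, BODY))             # False: no signature header
```

Two details matter in practice: the HMAC must be computed over the exact bytes received, before any JSON parsing or re-serialisation, and the shared secret entered in Tracebit must be the same value generated in Panther, since a mismatch makes every post fail verification.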
Supported log types
Tracebit.Alert
schema: Tracebit.Alert
description: Alerts logs from Tracebit
referenceURL: https://tracebit.com
fields:
  - name: discriminator
    required: true
    description: The type of log.
    type: object
    fields:
      - name: type
        required: true
        description: The type of log.
        type: string
        validate:
          allow:
            - tracebit_alert_log
      - name: subtype
        description: The subtype of the log. E.g. canary_resource_accessed, canary_credential_used
        type: string
  - name: id
    required: true
    description: The unique identifier for the alert log.
    type: string
  - name: alert_id
    required: true
    description: The unique identifier for the alert. There can be multiple alert logs for a single alert.
    type: string
  - name: tracebit_portal_url
    description: The URL to the alert in the Tracebit portal.
    type: string
    indicators:
      - url
  - name: timestamp
    required: true
    description: The time at which the alert log occurred.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: provider
    description: The provider of the canary or canary credential.
    type: string
  - name: message
    description: A description of the alert log.
    type: string
  - name: severity
    description: The severity of the alert log.
    type: string
  - name: canary_credential
    description: The canary credential that was used which triggered the alert. This will only be present for canary credential alerts.
    type: object
    fields:
      - name: name
        description: The name of the canary credential.
        type: string
      - name: type
        description: The type of the canary credential.
        type: string
      - name: issued_at
        description: The time at which the canary credential was issued.
        type: timestamp
        timeFormats:
          - rfc3339
      - name: expires_at
        description: The time at which the canary credential expires.
        type: timestamp
        timeFormats:
          - rfc3339
      - name: labels
        description: The labels associated with the canary credential.
        type: array
        element:
          type: object
          fields:
            - name: name
              description: The name of the label.
              type: string
            - name: value
              description: The value of the label.
              type: string
      - name: aws
        description: The AWS-specific details of the canary credential.
        type: object
        fields:
          - name: access_key_id
            description: The AWS access key ID.
            type: string
  - name: canary
    description: The resource that was used which triggered the alert. This will only be present for canary resource alerts.
    type: object
    fields:
      - name: tracebit_id
        description: The unique identifier for the canary in Tracebit.
        type: string
      - name: provider_id
        description: The unique identifier for the canary resource in its provider.
        type: string
      - name: provider_account_id
        description: The unique identifier for the canary's account in the provider.
        type: string
      - name: name
        description: The name of the canary resource.
        type: string
      - name: type
        description: The type of the canary resource.
        type: string
      - name: aws
        description: The AWS-specific details of the canary resource.
        type: object
        fields:
          - name: account_id
            description: The AWS account ID.
            type: string
            indicators:
              - aws_account_id
          - name: account_name
            description: The AWS account name.
            type: string
          - name: arn
            description: The ARN of the resource.
            type: string
            indicators:
              - aws_arn
      - name: okta
        description: The Okta-specific details of the canary resource.
        type: object
        fields:
          - name: domain
            description: The Okta domain.
            type: string
            indicators:
              - domain
          - name: organization_id
            description: The Okta organization ID.
            type: string
      - name: azure
        description: The Azure-specific details of the canary resource.
        type: object
        fields:
          - name: subscription_id
            description: The Azure subscription ID.
            type: string
          - name: subscription_name
            description: The Azure subscription name.
            type: string
          - name: resource_id
            description: The Azure resource ID.
            type: string
  - name: principal
    description: The principal that triggered the alert.
    type: object
    fields:
      - name: id
        description: The unique identifier for the principal.
        type: string
        indicators:
          - actor_id
      - name: aws
        description: The AWS-specific details of the principal.
        type: object
        fields:
          - name: arn
            description: The ARN of the principal.
            type: string
            indicators:
              - aws_arn
          - name: type
            description: The type of the principal.
            type: string
          - name: account_id
            description: The AWS account ID of the principal.
            type: string
            indicators:
              - aws_account_id
          - name: username
            description: The username of the principal.
            type: string
      - name: okta
        description: The Okta-specific details of the principal (actor).
        type: object
        fields:
          - name: id
            description: The ID of the actor.
            type: string
          - name: type
            description: The type of the actor. E.g. User.
            type: string
          - name: alternate_id
            description: The alternate ID of the actor.
            type: string
      - name: azure
        description: The Azure-specific details of the principal.
        type: object
        fields:
          - name: app_id
            description: The Azure application ID.
            type: string
          - name: tenant_id
            description: The Azure tenant ID.
            type: string
  - name: event
    description: The event that triggered the alert log.
    type: object
    fields:
      - name: id
        description: The unique identifier for the event.
        type: string
      - name: operation
        description: The operation performed in the event.
        type: string
      - name: request
        description: The request that triggered the event.
        type: object
        fields:
          - name: user_agent
            description: The agent through which the request was made that triggered the event.
            type: object
            fields:
              - name: raw
                description: The raw user agent string.
                type: string
              - name: label
                description: The label for the user agent.
                type: string
          - name: ip
            description: The IP address from which the request was made.
            type: string
            indicators:
              - ip
      - name: resources
        description: The resources that were involved in the event.
        type: array
        element:
          type: object
          fields:
            - name: id
              description: The unique identifier for the resource.
              type: string
            - name: type
              description: The type of the resource.
              type: string
Tracebit.HealthCheck
schema: Tracebit.HealthCheck
description: Health checks from Tracebit
referenceURL: https://tracebit.com
fields:
  - name: discriminator
    required: true
    description: Information to identify the class of log.
    type: object
    fields:
      - name: type
        required: true
        description: The type of log.
        type: string
        validate:
          allow:
            - health_check
      - name: subtype
        required: true
        description: The subtype of the log.
        type: string
  - name: timestamp
    required: true
    description: The time at which the event occurred.
    type: timestamp
    timeFormats:
      - rfc3339
    isEventTime: true
  - name: is_healthy
    required: true
    description: Whether the integration is healthy.
    type: boolean
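To show how the Tracebit.Alert and Tracebit.HealthCheck schemas above are consumed once ingested, here is an added example of Panther-style detection logic written in Python. It is not code from Panther or Tracebit. The field paths come from the two schemas on this page; the deep_get helper stands in for the one Panther's event object provides, the rule/title/dedup/severity function names follow Panther's Python rule convention, and the sample events and their values are constructed. In Panther, the alert rule and the health-check rule would each live in their own rule file (the health-check function is named health_rule here only so both run in one script).

```python
from typing import Any

# Stand-in for the deep_get that Panther's event object provides, so the
# rule logic below runs stand-alone on plain dicts.
def deep_get(event: dict, *keys: str, default: Any = None) -> Any:
    cur: Any = event
    for key in keys:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


# Rule 1 (LogTypes: Tracebit.Alert). Every alert log means a canary resource
# or canary credential was touched, and nothing legitimate should do that,
# so the rule fires on every tracebit_alert_log event.
def rule(event: dict) -> bool:
    return deep_get(event, "discriminator", "type") == "tracebit_alert_log"


def title(event: dict) -> str:
    subtype = deep_get(event, "discriminator", "subtype", default="unknown")
    principal = (
        deep_get(event, "principal", "aws", "arn")
        or deep_get(event, "principal", "id")
        or "unknown principal"
    )
    # canary_credential is present for credential alerts, canary for resource alerts.
    target = (
        deep_get(event, "canary_credential", "name")
        or deep_get(event, "canary", "name")
        or "unknown canary"
    )
    return f"Tracebit {subtype}: {principal} touched {target}"


def dedup(event: dict) -> str:
    # One Tracebit alert can produce several alert logs; group them by alert_id.
    return event.get("alert_id") or event.get("id") or "no-alert-id"


def severity(event: dict) -> str:
    # Map Tracebit's severity string onto Panther levels; unknown values default to HIGH.
    mapping = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH", "critical": "CRITICAL"}
    return mapping.get(str(event.get("severity", "")).lower(), "HIGH")


# Rule 2 (LogTypes: Tracebit.HealthCheck). Fire when the integration reports
# unhealthy; otherwise a broken feed would silently stop delivering canary alerts.
def health_rule(event: dict) -> bool:
    return (
        deep_get(event, "discriminator", "type") == "health_check"
        and event.get("is_healthy") is False
    )


# Constructed sample events, not real Tracebit output.
ALERT_EVENT = {
    "discriminator": {"type": "tracebit_alert_log", "subtype": "canary_credential_used"},
    "id": "log-0001",
    "alert_id": "alert-0001",
    "timestamp": "2024-01-01T00:00:00Z",
    "severity": "high",
    "canary_credential": {
        "name": "prod-backup-key",
        "type": "aws_access_key",
        "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE"},
    },
    "principal": {"id": "p-0001", "aws": {"arn": "arn:aws:iam::111111111111:user/example"}},
    "event": {"operation": "s3:ListBuckets", "request": {"ip": "203.0.113.10"}},
}
HEALTH_EVENT = {
    "discriminator": {"type": "health_check", "subtype": "integration"},
    "timestamp": "2024-01-01T00:00:00Z",
    "is_healthy": False,
}

if __name__ == "__main__":
    print(rule(ALERT_EVENT), severity(ALERT_EVENT), dedup(ALERT_EVENT))
    print(title(ALERT_EVENT))
    print(health_rule(HEALTH_EVENT))
```

Deduplicating on alert_id rather than id is the point to keep: the schema states that one alert can produce several alert logs, so grouping by the log id would page the responder once per log line instead of once per incident.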