Upwind Logs (Beta)

Connecting Upwind logs to your Panther Console

Overview


The Upwind integration is in open beta starting with Panther version 1.119, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther supports ingesting Upwind logs by configuring an Upwind webhook to post events to an HTTP endpoint in Panther.

Upwind is a cloud-security company offering a Cloud Native Application Protection Platform (CNAPP) that works at runtime. It provides visibility “from the inside out” into cloud deployments, applications, and infrastructure, helping teams identify and prevent risks (e.g. misconfigurations, vulnerabilities, threat behavior) in real time.

How to onboard Upwind logs to Panther

Step 1: Create a new Upwind source in Panther

  1. In the left-side navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Upwind” then click its tile.

  4. In the upper-right corner, click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • When setting the Auth method, you will be required to use Bearer.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Configure a webhook in Upwind

To configure a new webhook using the HTTP endpoint you generated in the previous step:

  1. In the lower-left corner, click Components.

  2. Click the Integrations tab.

  3. Under Monitoring & Logging, on the Custom Webhook tile, click View details.

  4. Click Create Custom webhook.

  5. On the Custom Webhook creation page, fill out the form:

    • Webhook name: Enter a descriptive name, like Panther ingestion webhook.

    • URL: Paste the HTTP endpoint you generated in Step 1.

    • Authentication type: Select Bearer token.

      • In the Value field, paste in the bearer token you used in Panther in Step 1.

  6. Click Test & save.
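The two steps above set up a shared bearer token: Upwind attaches it to every webhook POST, and the Panther HTTP source accepts a payload only when the token matches. The following is an added illustration of that exchange in Python, not code from Panther or Upwind. The endpoint URL, the token value and the sample event are constructed placeholders; the receiving-side check is modelled here only to show what the Bearer requirement means in practice (a missing header, a different scheme, or a wrong token all fail, and the token comparison is constant-time).

```python
import hmac
import json
from urllib.request import Request

# Hypothetical values, not from the page: the endpoint URL Panther generated
# in Step 1 and the bearer token configured on that HTTP source.
PANTHER_ENDPOINT = "https://logs.example.invalid/http/upwind"  # placeholder
EXPECTED_TOKEN = "replace-with-the-token-from-step-1"          # placeholder


def authorize(headers: dict, expected_token: str = EXPECTED_TOKEN) -> bool:
    """Return True only if the request carries a valid Bearer token.

    Models the check a receiving HTTP source performs before accepting a
    webhook payload: the Authorization header must be present, must use the
    Bearer scheme, and the token must match. The comparison is constant-time
    so that response timing does not reveal how many leading characters of a
    wrong token were correct.
    """
    auth = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token.encode(), expected_token.encode())


def build_webhook_request(event: dict, token: str = EXPECTED_TOKEN,
                          url: str = PANTHER_ENDPOINT) -> Request:
    """Build the POST an Upwind custom webhook would send to the Panther source.

    Returned as an un-sent urllib Request so the example runs offline.
    """
    body = json.dumps(event).encode()
    return Request(
        url,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


# Constructed sample event; not a real Upwind payload
SAMPLE_EVENT = {"detection": "example", "severity": "High"}


def self_check() -> bool:
    """Round trip: a request built with the right token passes, others fail."""
    good = build_webhook_request(SAMPLE_EVENT)
    bad = build_webhook_request(SAMPLE_EVENT, token="wrong-token")
    missing = Request(PANTHER_ENDPOINT, data=b"{}", method="POST")
    return (authorize(dict(good.header_items()))
            and not authorize(dict(bad.header_items()))
            and not authorize(dict(missing.header_items())))


if __name__ == "__main__":
    print("ok" if self_check() else "FAILED")
```

If the Test & save step in Upwind fails, the first things to compare are exactly what `authorize` checks: the Value field must hold the same token configured on the Panther source, and the authentication type must be Bearer rather than another scheme.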

Step 3: Define a workflow in Upwind

To define a workflow using the webhook you created in the previous step:

  1. In the lower-left corner of your Upwind management console, click Components.

  2. Click the Workflows tab.

  3. Click Create workflow.

  4. In the Workflow name field, enter a custom workflow name, e.g., Panther workflow.

  5. In the Workflow trigger box, click the plus sign, then select one of the following options.


    To use both of the below triggers, you will need to create two workflows in Upwind.

    • When a new detection is found: This workflow will only be triggered when a detection with one of the indicated severities is created.

      • Select one or more detection severities (Critical, High, Medium, and/or Low).

    • When a new event is found: This workflow will only be triggered when an event with one of the indicated categories is found.

      • Select one or more event categories (Network, API Security, Process, Kubernetes audit logs, CloudTrail logs, Cloud Scanner, File, Syscall, Baseline, and/or Azure Activity Logs).

  6. (Optional) To add a filter that must pass in order for the workflow to be triggered, in the Workflow selector (optional) box, click the plus sign, then + Add selector.

    1. Select an attribute from the following options:

      • Cloud account: A cloud account you've connected in Upwind

      • Resource name: A specific resource name

      • Resource kind: A specific type of resource

    2. Based on the attribute you selected, select a value.


  7. Configure a workflow action:

    1. In the Workflow action box, click the plus sign.

    2. Click Send to a custom webhook.

    3. In the Select a webhook dropdown, select the Panther webhook you defined in Step 2.

  8. Click Save.

Supported log types

Upwind.Detections

Provides access to comprehensive details such as triggers (policy violations) and attributes related to associated resources.

For more information, see the Upwind Detections Overview page.
