# Upwind Logs (Beta)

## Overview

{% hint style="info" %}
The Upwind integration is in open beta starting with Panther version 1.119, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

Panther supports ingesting [Upwind](https://www.upwind.io/) logs by configuring an Upwind webhook to post events to an HTTP endpoint in Panther.

Upwind is a cloud-security company offering a Cloud Native Application Protection Platform (CNAPP) that works at runtime. It provides visibility “from the inside out” into cloud deployments, applications, and infrastructure, helping teams identify and prevent risks (e.g. misconfigurations, vulnerabilities, threat behavior) in real time.

## How to onboard Upwind logs to Panther

### Step 1: Create a new Upwind source in Panther

1. In the left-side navigation bar of your Panther Console, click **Configure** > **Log Sources.**
2. Click **Create New**.
3. Search for “Upwind” then click its tile.
4. In the upper-right corner, click **Start Setup**.
5. Follow Panther's [instructions for configuring an HTTP Source](https://docs.panther.com/data-transports/http#how-to-set-up-an-http-log-source-in-panther), beginning at Step 5.
   * When setting the **Auth method**, you will be required to use **Bearer**.
   * Payloads sent to this source are subject to the [payload requirements for all HTTP sources](https://docs.panther.com/data-transports/http#payload-requirements).
   * Do not proceed to the next step until the creation of your HTTP endpoint has completed.

### Step 2: Configure a webhook in Upwind

To configure a new webhook using the HTTP endpoint you generated in the previous step:

1. Log in to your [Upwind management console](https://console.upwind.io/).
2. In the lower-left corner, click **Components**.
3. Click the **Integrations** tab.
4. Under **Monitoring & Logging**, on the **Custom Webhook** tile, click **View details**.
5. Click **Create Custom webhook**.
6. On the **Custom Webhook creation** page, fill out the form:
   * **Webhook name**: Enter a descriptive name, like `Panther ingestion webhook`.
   * **URL**: Paste the HTTP endpoint you generated in Step 1.
   * **Authentication type**: Select **Bearer token**.
     * In the **Value** field, paste in the bearer token you used in Panther in Step 1.

       <figure><img src="https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FejAL88AWa9RPSWzxFFRI%2FScreenshot%202025-10-15%20at%2010.00.30%E2%80%AFAM.png?alt=media&#x26;token=295ff60e-4f9f-4c40-8822-654192ba4837" alt="" width="563"><figcaption></figcaption></figure>
7. Click **Test & save**.

### Step 3: Define a workflow in Upwind

To define a workflow using the webhook you created in the previous step:

1. In the lower-left corner of your [Upwind management console](https://console.upwind.io/), click **Components**.
2. Click the **Workflows** tab.
3. Click **Create workflow**.
4. In the **Workflow name** field, enter a custom workflow name, e.g., `Panther workflow`.
5. In the **Workflow trigger** box, click the plus sign, then select one of the following options.\
   ![image2.png](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2F95eQslYRx5hgMPJOB0Fp%2Fimage2.png?alt=media\&token=03949de1-f168-40f5-9b51-001723bfaf6b)

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>To use both of the below triggers, you will need to create two workflows in Upwind.</p></div>

   * **When a new detection is found**: This workflow will only be triggered when a detection with one of the indicated severities is created.

     * Select one or more detection severities (Critical, High, Medium, and/or Low).

     ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FXwGPiY98PFsYXdoRFN8x%2Funknown.png?alt=media\&token=a002897d-62b4-471d-a13a-9f22017023db)
   * **When a new event is found**: This workflow will only be triggered when an event with one of the indicated categories is found.

     * Select one or more event categories (Network, API Security, Process, Kubernetes audit logs, CloudTrail logs, Cloud Scanner, File, Syscall, Baseline, and/or Azure Activity Logs).

     ![](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FkgEcMASpm13GJ0xqHarE%2Funknown.png?alt=media\&token=51b091bf-d11b-4cf8-b596-75f32da85a7e)
6. (Optional) To add a filter that must pass in order for the workflow to be triggered, in the **Workflow selector (optional)** box, click the plus sign, then **+ Add selector**.\
   ![image4.png](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FVEXf7TZLYBMj77RN7p1M%2Fimage4.png?alt=media\&token=08d6ba75-64d2-4e45-953e-6d30a58656da)
   1. Select an attribute from the following options:
      * **Cloud account**: A cloud account you've connected in Upwind
      * **Resource name**: A specific resource name
      * **Resource kind**: A specific type of resource
   2. Based on the attribute you selected, select a value.\
      ![image6.png](https://4011785613-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-LgdiSWdyJcXPahGi9Rs-2910905616%2Fuploads%2FcZ2uajtT4pUZUlwswPIe%2Fcloud_select.webp?alt=media\&token=bbf81356-adcb-4ba4-9d13-787448acfa3c)
7. Configure a workflow action:
   1. In the **Workflow action** box, click the plus sign.
   2. Click **Send to a custom webhook**.
   3. In the **Select a webhook** dropdown, select the Panther webhook you defined in Step 2.
8. Click **Save**.

## Supported log types

### Upwind.Detections

Provides access to comprehensive details such as triggers (policy violations) and attributes related to associated resources.

For more information, see the [Upwind Detections Overview](https://docs.upwind.io/threats/detections/overview) page.

```yaml
schema: Upwind.Detections
description: Structured security detection records generated by the Upwind platform, containing contextualized threat intelligence, resource metadata, severity classification, MITRE ATT&CK mappings, and policy-triggered event details for cloud environments.
referenceURL: https://docs.upwind.io/restapi/v1/get-threat-detection
fields:
  - name: category
    description: The category of this detection.
    required: true
    type: string
  - name: description
    description: A detailed description of this detection.
    type: string
  - name: first_seen_time
    description: The timestamp when this detection was first seen.
    required: true
    type: timestamp
    timeFormats:
      - rfc3339
  - name: id
    description: The unique identifier for this detection.
    required: true
    type: string
  - name: last_seen_time
    description: The timestamp when this detection was last seen.
    required: true
    isEventTime: true
    type: timestamp
    timeFormats:
      - rfc3339
  - name: links
    description: A list of related links associated with this detection, such as console URLs.
    type: array
    element:
      type: object
      fields:
        - name: href
          description: The URL of the related resource.
          type: string
          indicators:
            - url
        - name: rel
          description: The relationship type of the link.
          type: string
  - name: mitre_attacks
    description: The MITRE ATT&CK framework information related to this detection.
    type: array
    element:
      type: object
      fields:
        - name: links
          description: Links pointing to the MITRE ATT&CK explanation of this mapping.
          type: array
          element:
            type: object
            fields:
              - name: href
                description: The URL linking to detailed MITRE ATT&CK information.
                type: string
              - name: rel
                description: The relationship type of the link.
                type: string
        - name: tactic_id
          description: The unique identifier for the tactic.
          type: string
        - name: tactic_name
          description: The name of the tactic.
          type: string
        - name: technique_id
          description: The unique identifier for the technique.
          type: string
          indicators:
            - mitre_attack_technique
        - name: technique_name
          description: The name of the technique.
          type: string
  - name: occurrence_count
    description: The count of occurrences for this detection.
    required: true
    type: bigint
  - name: resource
    description: The resource associated with this detection.
    required: true
    type: object
    fields:
      - name: cloud_account_id
        description: The unique identifier for the cloud account associated with this resource.
        type: string
        indicators:
          - aws_account_id
      - name: cloud_account_name
        description: The name of the cloud account associated with this resource.
        type: string
      - name: cloud_account_tags
        description: List of tags associated with the cloud account the resource belongs to.
        type: array
        element:
          type: object
          fields:
            - name: key
              description: The tag key.
              type: string
            - name: value
              description: The tag value.
              type: string
      - name: cloud_provider
        description: The cloud provider of this resource.
        type: string
      - name: cluster_id
        description: The unique identifier for the cluster associated with this resource.
        type: string
      - name: external_id
        description: The external unique identifier for this resource.
        type: string
        indicators:
          - trace_id
      - name: id
        description: The unique identifier for this resource.
        type: string
      - name: internet_exposure
        description: Information about the resource exposure to internet traffic.
        type: object
        fields:
          - name: ingress
            description: The information about incoming internet-facing communication activities of the resource.
            type: object
            fields:
              - name: active_communication
                description: An indicator signaling whether there is active incoming communication from the internet to the resource.
                type: boolean
      - name: name
        description: The name of this resource.
        type: string
      - name: namespace
        description: The namespace in which this resource resides.
        type: string
      - name: region
        description: The region where this resource is located.
        type: string
      - name: risk_categories
        type: array
        element:
          type: string
      - name: type
        description: The type of this resource.
        type: string
      - name: upwind_asset_id
        description: The Upwind asset identifier for this resource.
        type: string
  - name: severity
    description: The severity level of this detection.
    type: string
  - name: status
    description: The status of this detection.
    type: string
  - name: title
    description: The title of this detection.
    required: true
    type: string
  - name: triggers
    description: List of triggers associated with this detection. Each trigger indicates a policy violation that caused this detection. It comprises the policy identifier and a list of events related to the violation.
    type: array
    element:
      type: object
      fields:
        - name: events
          description: List of event summaries.
          type: array
          element:
            type: object
            fields:
              - name: data
                description: Structured event-specific data associated with the detection trigger.
                type: object
                fields:
                  - name: command
                    description: The executed command related to this event.
                    type: string
                  - name: description
                    description: A detailed explanation of the event-specific data.
                    type: string
                  - name: execution_count
                    description: The number of times the associated command or activity was executed.
                    type: bigint
                  - name: last_process_tree
                    description: The most recent observed process execution tree related to the event.
                    type: array
                    element:
                      type: object
                      fields:
                        - name: command
                          description: The full command line used to start the process.
                          type: string
                        - name: host_parent_process_id
                          description: The identifier of the parent process on the host.
                          type: bigint
                        - name: host_process_id
                          description: The identifier of the process on the host.
                          type: bigint
                        - name: name
                          description: The name of the process.
                          type: string
                        - name: start_time
                          description: The timestamp when the process started.
                          type: timestamp
                          timeFormats:
                            - rfc3339
                  - name: name
                    description: The name associated with this event data.
                    type: string
                  - name: pattern
                    description: The detection pattern that matched.
                    type: string
                  - name: status
                    description: The status of the event-specific evaluation.
                    type: string
                  - name: user_name
                    description: The username associated with the event activity.
                    type: string
                    indicators:
                      - username
                  - name: validation
                    description: A list of validation checks or evaluation results related to the detection.
                    type: array
                    element:
                      type: string
              - name: description
                description: The description of this event.
                type: string
              - name: endpointId
                description: The identifier of the endpoint where the event occurred.
                type: string
              - name: initiator
                description: Information about the entity that initiated the event.
                type: object
                fields:
                  - name: accessKeyId
                    description: The access key ID used by the initiator.
                    type: string
                  - name: accountId
                    description: The cloud account ID of the initiator.
                    type: string
                  - name: arn
                    description: The Amazon Resource Name (ARN) of the initiator.
                    type: string
                    indicators:
                      - aws_arn
                  - name: name
                    description: The name of the initiating entity.
                    type: string
                  - name: principalId
                    description: The principal identifier of the initiator.
                    type: string
                  - name: type
                    description: The type of the initiating entity.
                    type: string
                  - name: userName
                    description: The username of the initiator.
                    type: string
                    indicators:
                      - username
              - name: timestamp
                description: The timestamp when the event occurred.
                type: timestamp
                timeFormats:
                  - rfc3339
              - name: type
                description: The type of event.
                type: string
        - name: policy_id
          description: The unique identifier for the policy.
          type: string
        - name: policy_name
          description: The name of the policy.
          type: string
  - name: type
    description: The type of detection.
    required: true
    type: string
  - name: upwind_console_link
    description: A direct URL link to view this detection in the Upwind console.
    type: string
    indicators:
      - url

```
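Once detections land in the `Upwind.Detections` table, a Panther rule can act on the fields above. The following is an added example (not Panther's or Upwind's own code): a Python rule that alerts on Critical/High Upwind detections whose resource has active inbound internet traffic, deduplicates on the detection `id` (Upwind re-sends the same detection as `occurrence_count` and `last_seen_time` change), and surfaces the MITRE technique IDs, policy IDs and trigger commands in the alert context. `rule`, `severity`, `dedup` and `alert_context` are Panther's rule-function names; the local `deep_get` stands in for the Panther event object's `deep_get()` so the file runs offline, and the sample event is constructed.

```python
# Added example (not Panther's or Upwind's code). rule/severity/dedup/alert_context
# are Panther's rule-function names; deep_get stands in for event.deep_get().
ALERT_ON = {"Critical", "High"}  # Upwind severities offered in Step 3
PANTHER_SEVERITY = {"Critical": "CRITICAL", "High": "HIGH", "Medium": "MEDIUM", "Low": "LOW"}

def deep_get(obj, *keys, default=None):
    """Walk nested dicts, returning default at any missing or non-dict step."""
    for key in keys:
        if not isinstance(obj, dict) or obj.get(key) is None:
            return default
        obj = obj[key]
    return obj

def internet_exposed(event):
    return deep_get(event, "resource", "internet_exposure", "ingress", "active_communication") is True

def rule(event):
    # Fire only for Critical/High detections on resources taking inbound internet traffic.
    return event.get("severity") in ALERT_ON and internet_exposed(event)

def severity(event):
    return PANTHER_SEVERITY.get(event.get("severity"), "DEFAULT")

def dedup(event):
    # Upwind keeps the same id while occurrence_count/last_seen_time grow, so one alert
    # per detection, not per webhook delivery.
    return event.get("id")

def alert_context(event):
    triggers = event.get("triggers") or []
    return {
        "detection_id": event.get("id"),
        "cloud_account_id": deep_get(event, "resource", "cloud_account_id"),
        "mitre_technique_ids": sorted({m["technique_id"] for m in event.get("mitre_attacks") or []
                                       if m.get("technique_id")}),
        "policy_ids": [t.get("policy_id") for t in triggers],
        "commands": [deep_get(ev, "data", "command") for t in triggers
                     for ev in t.get("events") or [] if deep_get(ev, "data", "command")],
        "occurrence_count": event.get("occurrence_count"),
        "console_link": event.get("upwind_console_link"),
    }

# Constructed sample event shaped like the Upwind.Detections schema (all values made up).
SAMPLE_EVENT = {
    "id": "det-0001", "category": "Runtime", "type": "process", "status": "open",
    "title": "Shell spawned by web server process", "severity": "High", "occurrence_count": 3,
    "first_seen_time": "2025-10-15T09:58:00Z", "last_seen_time": "2025-10-15T10:00:30Z",
    "resource": {"cloud_account_id": "123456789012", "name": "web-frontend", "type": "Deployment",
                 "internet_exposure": {"ingress": {"active_communication": True}}},
    "mitre_attacks": [{"tactic_id": "TA0002", "technique_id": "T1059"}],
    "triggers": [{"policy_id": "pol-42", "events": [
        {"type": "process", "data": {"command": "/bin/sh -c id", "execution_count": 3}}]}],
    "upwind_console_link": "https://console.upwind.io/<detection-placeholder>",
}
```

Because `last_seen_time` is the schema's `isEventTime` field, Panther orders these events by the most recent sighting, which is also why deduplicating on `id` rather than on the timestamp keeps a long-running detection to a single alert.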
