# Vercel Logs (Beta) ## Overview {% hint style="info" %} Vercel log ingestion is in open beta starting with Panther version 1.123, and is available to all customers. Please share any bug reports and feature requests with your Panther support team. {% endhint %} Panther ingests [Vercel](https://vercel.com/) audit logs through an HTTP source, which receives logs forwarded by Vercel's custom SIEM log streaming feature. Vercel is a platform for building and deploying web applications. Vercel audit logs track team member activity, including project and deployment changes, domain modifications, team membership updates, environment variable changes, and integration events. ## How to onboard Vercel logs to Panther ### Prerequisites * A Vercel [Enterprise plan](https://vercel.com/docs/plans/enterprise) (required for audit log access) * The **Audit Logs** and **Custom SIEM Log Streaming** permissions in Vercel * Permissions to create HTTP sources in your Panther Console ### Step 1: Create a new Vercel source in Panther 1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**. 2. Click **Create New**. 3. Search for "Vercel", then click its tile. 4. Click **Start Setup**. 5. Under **Basic Information**, fill in the following fields: 1. Enter a descriptive **Name**, e.g., `Vercel Audit Logs`. 2. The **Log Type** will default to `Vercel.Audit`. 6. The **Auth Method** will be pre-populated with **Bearer**. 1. Generate a **Bearer token** and save it in a secure location—you will need it in Step 2. 7. Click **Setup.** * You can optionally enable one or more Detection Packs. * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours. Do not proceed to the next step until the creation of your HTTP endpoint has completed. After creating the HTTP source, the Panther Console will display your **HTTP Source URL**. Store this value in a secure location, as you will need it in Step 2. ### Step 2: Configure Vercel to stream audit logs to Panther 1. From your [Vercel dashboard](https://vercel.com/dashboard), go to **Team Settings**. 2. In the sidebar, open **Security & Privacy** and scroll to **Audit Log**. 3. Click the **Configure** button. 4. Select **HTTP POST** as the SIEM provider. 5. Configure the following fields: * **URL**: Enter the HTTP Source URL you generated in Step 1. * **HTTP Header Name**: Enter `Authorization`. * **HTTP Header Value**: Enter `Bearer `, replacing `` with the Bearer token you generated in Step 1. * **Request Body Format**: Select **NDJSON**. 6. Save your configuration. Detailed instructions for configuring Vercel's custom SIEM log streaming are available in the [Vercel Audit Log documentation](https://vercel.com/docs/audit-log#setup-process). ## Supported log types ### Vercel.Audit Vercel Audit logs capture team member activity across your Vercel account, including project management, deployment actions, domain modifications, team membership changes, and environment variable updates. Each event includes the actor who performed the action, context such as IP address and user agent, and the affected target objects. Reference: [Vercel Audit Log Documentation](https://vercel.com/docs/audit-log) ```yaml schema: Vercel.Audit description: Vercel Audit Log referenceURL: https://vercel.com/docs/audit-log fields: - name: action required: true description: Name for the specific event type: string - name: actor required: true type: object fields: - name: id description: User ID of the team member responsible for an event type: string indicators: - actor_id - name: metadata type: object fields: - name: email description: Email address of the team member responsible for the event type: string indicators: - email - name: name description: Account responsible for the action (usually the username) type: string indicators: - username - name: type type: string - name: context required: true type: object fields: - name: location description: IP address from where the action was performed type: string indicators: - ip - name: user_agent description: Details about the application, OS, vendor, and/or browser version used by the team member type: string - name: name type: string - name: occurred_at required: true description: Time and date at which the event occurred type: timestamp timeFormats: - rfc3339 isEventTime: true - name: targets required: true type: array element: type: object fields: - name: id type: string indicators: - trace_id - name: metadata type: object fields: - name: _from type: string - name: alias type: string indicators: - domain - name: cns type: string indicators: - hostname - name: comment type: string - name: configurationId type: string - name: createdAt type: timestamp timeFormats: - unix - name: custom type: string - name: customEnvironmentIds type: string - name: deletedAt type: timestamp timeFormats: - unix - name: deploymentId type: string - name: domain type: string indicators: - domain - name: email type: string indicators: - email - name: expiresAt type: timestamp timeFormats: - rfc3339 - name: from type: string - name: integrationId type: string - name: issuedAt type: timestamp timeFormats: - unix - name: key type: string - name: members type: string - name: passwordProtection type: string - name: projectId type: string - name: redirect type: string indicators: - url - name: redirectStatusCode type: string - name: role type: string - name: slug type: string - name: source type: string - name: target type: string indicators: - hostname - name: to type: string - name: type type: string - name: updatedAt type: timestamp timeFormats: - unix - name: url type: string indicators: - url - name: username type: string indicators: - username - name: webAnalytics type: string - name: type type: string - name: version required: true type: string ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.panther.com/data-onboarding/supported-logs/vercel.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.