Windows Event Logs ingestion is in open beta starting with Panther version 1.75, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
Panther supports ingesting Windows Event Logs through an HTTP Source, after they are forwarded with Fluent Bit.
How to onboard Windows Event Logs to Panther
Step 1: Create a new Windows Event Logs source in Panther
In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Windows Event Logs,” then click its tile.
In the slide-out panel, the Transport Mechanism dropdown in the upper-right corner will be pre-populated with the HTTP option.
After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.
Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
Name: Set to http.
TLS: Set to ON.
Port: Set to 443.
[SERVICE]
Flush 5
Daemon off
Log_Level info
[INPUT]
Name winevtlog
Channels System,Security
Interval_Sec 1
DB winevtlog.sqlite
[OUTPUT]
Name http
Match *
Host logs.instance-name.runpanther.net
Port 443
URI /http/cb015ee4-543c-4489-9f4b-testaa16d7a
Header x-sender-header {YOUR_SECRET_HERE}
Format json_lines
TLS On
TLS.Verify On
Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
Name: Set to http.
TLS: Set to ON.
Port: Set to 443.
[SERVICE]
Flush 5
Daemon on
Log_Level info
[INPUT]
Name winevtlog
Channels Microsoft-Windows-Sysmon/Operational
Interval_Sec 1
DB winevtlog.sqlite
[OUTPUT]
Name http
Match *
Host logs.instance-name.runpanther.net
Port 443
URI /http/cb015ee4-543c-4489-9f4b-testaa16d7a
Header x-sender-header {YOUR_SECRET_HERE}
Format json_lines
TLS On
TLS.Verify On
Supported log types
Windows.EventLogs
schema:Windows.EventLogsdescription:Windows Event LogsreferenceURL:https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-elementsfields: - name:ProcessIDdescription:Identifies the process that generated the event.type:string - name:ThreadIDdescription:Identifies the thread that generated the event.type:string - name:TimeCreateddescription:The time stamp that identifies when the event was logged.type:timestamptimeFormats: - '%Y-%m-%d %H:%M:%S %z'isEventTime:true - name:EventIDdescription:The identifier that the provider used to identify the event.type:string - name:ProviderNamedescription:The name of the event provider that logged the event.type:string - name:ProviderGuiddescription:The globally unique identifier that uniquely identifies the provider.type:string - name:Qualifiers description: A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of EventID element contains the low-order 16 bits of the event identifier and the Qualifier attribute contains the high-order 16 bits of the event identifier.
type:string - name:Versiondescription:The version number of the event's definition.type:string - name:Leveldescription:The severity level defined in the event.type:string - name:Task description: The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
type:string - name:Opcode description: The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
type:string - name:Keywords description: A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
type:string - name:EventRecordIDdescription:The record number assigned to the event when it was logged.type:string - name:ActivityID description: A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
type:stringindicators: - trace_id - name:RelatedActivityID description: A globally unique identifier that identifies the activity to which control was transferred to. The related events would then have this identifier as their ActivityID identifier.
type:string - name:Channeldescription:The channel to which the event was logged.type:string - name:Computerdescription:The name of the computer on which the event occurred.type:stringindicators: - username - name:UserIDdescription:The security identifier (SID) of the user in string form.type:stringindicators: - username - name:Messagedescription:The rendered message string of the event.type:string - name:StringInsertsdescription:A list of arbitrary event-specific data. Created by fluent-bittype:json - name:ExtraEventData description: Extra Key Value pair map that is extracted from the Message field. This is a field added by Panther to allow for easy structued querying/detection writing.
type:json
