After creating the HTTP source, the Panther Console will display your HTTP Source URL. Store this value in a secure location, as you will need it in the next steps.
Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
Name: Set to http.
TLS: Set to ON.
Port: Set to 443.
# Fluent Bit classic configuration: entries under each [SECTION] header must be indented.
[SERVICE]
    Flush 5
    Daemon off
    Log_Level info

# Read the System and Security channels of the Windows Event Log.
[INPUT]
    Name winevtlog
    Channels System,Security
    Interval_Sec 1
    DB winevtlog.sqlite

# Ship every record to the Panther HTTP source over TLS, one JSON object per line.
[OUTPUT]
    Name http
    Match *
    Host logs.instance-name.runpanther.net
    Port 443
    URI /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    # Header name and secret must match the ones configured on the HTTP source in Step 1.
    Header x-sender-header {YOUR_SECRET_HERE}
    Format json_lines
    TLS On
    # Keep certificate verification on so the secret is only ever sent to the real endpoint.
    TLS.Verify On
Header: Enter the header name you created and the secret you generated while configuring your HTTP source in the Panther Console in Step 1.
Name: Set to http.
TLS: Set to ON.
Port: Set to 443.
# Fluent Bit classic configuration: entries under each [SECTION] header must be indented.
[SERVICE]
    Flush 5
    Daemon on
    Log_Level info

# Read the Sysmon operational channel of the Windows Event Log.
[INPUT]
    Name winevtlog
    Channels Microsoft-Windows-Sysmon/Operational
    Interval_Sec 1
    DB winevtlog.sqlite

# Ship every record to the Panther HTTP source over TLS, one JSON object per line.
[OUTPUT]
    Name http
    Match *
    Host logs.instance-name.runpanther.net
    Port 443
    URI /http/cb015ee4-543c-4489-9f4b-testaa16d7a
    # Header name and secret must match the ones configured on the HTTP source in Step 1.
    Header x-sender-header {YOUR_SECRET_HERE}
    Format json_lines
    TLS On
    # Keep certificate verification on so the secret is only ever sent to the real endpoint.
    TLS.Verify On
Supported log types
Windows.EventLogs
schema: Windows.EventLogs
description: Windows Event Logs
referenceURL: https://learn.microsoft.com/en-us/windows/win32/wes/eventschema-elements
fields:
  - name: ProcessID
    description: Identifies the process that generated the event.
    type: string
  - name: ThreadID
    description: Identifies the thread that generated the event.
    type: string
  - name: TimeCreated
    description: The time stamp that identifies when the event was logged.
    type: timestamp
    timeFormats:
      - '%Y-%m-%d %H:%M:%S %z'
    isEventTime: true
  - name: EventID
    description: The identifier that the provider used to identify the event.
    type: string
  - name: ProviderName
    description: The name of the event provider that logged the event.
    type: string
  - name: ProviderGuid
    description: The globally unique identifier that uniquely identifies the provider.
    type: string
  - name: Qualifiers
    description: A legacy provider uses a 32-bit number to identify its events. If the event is logged by a legacy provider, the value of the EventID element contains the low-order 16 bits of the event identifier and the Qualifier attribute contains the high-order 16 bits of the event identifier.
    type: string
  - name: Version
    description: The version number of the event's definition.
    type: string
  - name: Level
    description: The severity level defined in the event.
    type: string
  - name: Task
    description: The task defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
    type: string
  - name: Opcode
    description: The opcode defined in the event. Task and opcode are typically used to identify the location in the application from where the event was logged.
    type: string
  - name: Keywords
    description: A bitmask of the keywords defined in the event. Keywords are used to classify types of events (for example, events associated with reading data).
    type: string
  - name: EventRecordID
    description: The record number assigned to the event when it was logged.
    type: string
  - name: ActivityID
    description: A globally unique identifier that identifies the current activity. The events that are published with this identifier are part of the same activity.
    type: string
    indicators:
      - trace_id
  - name: RelatedActivityID
    description: A globally unique identifier that identifies the activity to which control was transferred. The related events would then have this identifier as their ActivityID identifier.
    type: string
  - name: Channel
    description: The channel to which the event was logged.
    type: string
  - name: Computer
    description: The name of the computer on which the event occurred.
    type: string
    indicators:
      - username
  - name: UserID
    description: The security identifier (SID) of the user in string form.
    type: string
    indicators:
      - username
  - name: Message
    description: The rendered message string of the event.
    type: string
  - name: StringInserts
    description: A list of arbitrary event-specific data. Created by fluent-bit.
    type: json
  - name: ExtraEventData
    description: Extra key/value pair map that is extracted from the Message field. This is a field added by Panther to allow for easy structured querying/detection writing.
    type: json
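As an added example (not Panther's or Fluent Bit's own code), the check below takes a json_lines batch of the kind the http output above sends, verifies each record against the Windows.EventLogs field types and the TimeCreated time format, and compares the x-sender-header secret in constant time the way a receiving side should. The sample batch and the secret used in the usage are constructed; field names and the time format come from the schema above.

```python
import hmac
import json
from datetime import datetime

# Field names and types taken from the Windows.EventLogs schema above.
STRING_FIELDS = ("ProcessID ThreadID TimeCreated EventID ProviderName ProviderGuid "
                 "Qualifiers Version Level Task Opcode Keywords EventRecordID ActivityID "
                 "RelatedActivityID Channel Computer UserID Message").split()
JSON_FIELDS = ["StringInserts"]
TIME_FORMAT = "%Y-%m-%d %H:%M:%S %z"  # the schema's TimeCreated timeFormats entry
HEADER_NAME = "x-sender-header"       # header name configured on the HTTP source

def sender_header_ok(headers: dict, secret: str) -> bool:
    """Constant-time comparison of the shared secret the HTTP source expects."""
    sent = {k.lower(): v for k, v in headers.items()}.get(HEADER_NAME, "")
    return hmac.compare_digest(sent.encode(), secret.encode())

def validate_record(rec: dict) -> list:
    """Return the schema problems found in one event (empty list means OK)."""
    problems = [f"{f} must be a string" for f in STRING_FIELDS
                if f in rec and not isinstance(rec[f], str)]
    problems += [f"{f} must be a JSON list or object" for f in JSON_FIELDS
                 if f in rec and not isinstance(rec[f], (list, dict))]
    try:  # TimeCreated is the event time, so it must be present and parseable
        datetime.strptime(rec["TimeCreated"], TIME_FORMAT)
    except (KeyError, TypeError, ValueError):
        problems.append(f"TimeCreated missing or not in format {TIME_FORMAT!r}")
    return problems

def validate_batch(body: str) -> dict:
    """Map 1-based line number -> problems, for every json_lines line that is not clean."""
    bad = {}
    for n, line in enumerate(body.splitlines(), 1):
        try:
            probs = validate_record(json.loads(line))
        except json.JSONDecodeError as e:
            probs = [f"not valid JSON: {e.msg}"]
        if probs:
            bad[n] = probs
    return bad

# Constructed sample: line 1 is clean; line 2 has a numeric EventID and no UTC offset.
SAMPLE_BATCH = (
    '{"TimeCreated": "2024-05-01 12:34:56 +0000", "EventID": "4624", "Level": "0", '
    '"Channel": "Security", "StringInserts": ["S-1-5-18", "SYSTEM"]}\n'
    '{"TimeCreated": "2024-05-01 12:34:57", "EventID": 4625, "Channel": "Security"}\n'
)
```

Running `validate_batch(SAMPLE_BATCH)` reports only line 2, with one problem for the numeric EventID and one for the TimeCreated value that lacks the offset required by `%z`.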