Tech Partner Log Source Integrations

This page provides instructions for Panther Technology Partners who are integrating their product with Panther by sending logs to one of Panther's Data Transport sources—for example, to an S3 bucket or an HTTP endpoint. If you need to create a log pulling integration instead, please work directly with the Panther Tech Partner team.

If you would instead like to create an Alert Destination integration, see Tech Partner Alert Destination Integrations. If you are a Panther customer looking for information on ingesting custom logs, please see the Custom Logs documentation.

Step 1: Contact Panther’s Tech Partner team

• Fill out this form to contact our Tech Partner team.

  • You will work with our Tech Partner team to get access to an NFR (Not for Resale) Panther instance and a shared Slack channel.

Step 2: Determine the integration method(s)

• If your application can export events to an S3 bucket, please see the S3 Source instructions.

• If your data can use one of our other transport options, please see the individual Data Transport documentation pages.

Step 3: Generate schema(s) and detections

1. Generate one or more schemas for your data:

   1. Generate sample data.

   2. Determine how many log schemas you will need to create—see Determine how many custom schemas you need on Custom Logs.

   3. Infer your schema(s) using your sample data.

      • You can infer a schema in the Panther Console or from the CLI using pantherlog.

      • If you are inferring more than one schema, it's recommended to use either the Inferring a custom schema from sample logs method or the Inferring custom schemas from historical S3 data method.

   4. Review the inferred schema(s) for the following:

      • If you generated more than one schema and they have a common set of required properties, events may be misclassified, as the event classification process decides which schema an incoming event belongs to based on the required properties of the schema. If your schemas have the same required properties and you can't differentiate them, consider merging the schemas.

      • If a timestamp property can be used to define the time the event occurred, mark it with isEventTime: true , otherwise its p_parse_time will be used as its event time, and that may lead to inaccurate event timestamps.

      • Consider any transformations that may help make the events easier to reference or manipulate in detections or searches.

   5. Export your schema(s).

      • You can export your schema(s) from the CLI using pantherlog, or you can copy them from the Panther Console and paste it into a text file.

2. (Optional) Create detections for your log source.

   • This is strongly encouraged, as having detections available will promote adoption of your integration. Please contact Panther’s Tech Partner team for more information.

   • See detection examples in the panther-analysis GitHub repository.

Verifying your data is flowing into Panther

At this stage—before a log source tile for your organization has been added in Panther—you may wish to test your integration by setting up a Data Transport source. After you have configured the source, you can verify that data is being ingested into Panther by using the Search tool.

You can learn more about Search on its documentation page, but on a high level:

1. In the left-hand navigation bar of your Panther Console, click Investigate > Search.

2. In the table dropdown filter in the upper-right corner, click the name(s) of your log source's schema(s).

3. Adjust the date/time range filter, if needed.

4. Click Search.

   • Look for events in the results table at the bottom of the page.

Step 4: Write instructional information about the integration

Please create a text file with the following information, which will be used to describe your platform in the Panther Console and to generate a documentation page for this integration:

• A description of the application

• Common use cases

• The supported integration method(s)

• Any caveats or limitations

• Step-by-step instructions on how to make any necessary configurations in your application to forward logs from your service to the Data Transport source

  • For an example, see pages under Supported Logs that use Data Transports, such as Auth0 Logs and GitLab Logs

Step 5: Submit to Panther for review

1. Zip the files containing the following:

   • The text file of information from Step 4

   • A square .svg file of the application’s logo

   • Your test data

   • The schema

   • (Optional) The detections

2. Send the zipped file to Panther via your shared Slack channel.

After submitting your zip file, the Tech Partner team will work with you to coordinate next steps.