Custom Webhook Destination
Configuring a Custom Webhook as an alert destination in your Panther Console
Last updated
Configuring a Custom Webhook as an alert destination in your Panther Console
Last updated
Destinations are integrations that receive alerts from rules, policies, system health notifications, and rule errors. Panther supports configuring a Custom Webhook as the destination where you will receive alerts.
A Custom Webhook Destination requires only a URL
to the service which can accept an HTTP POST
request containing a JSON
payload. This destination type is designed to allow Panther to communicate with other third-party integrations.
To pass authentication credentials to the delivery location with webhook calls from Panther, you can add custom HTTP headers. During webhook setup, add one or more Header Name / Header Value pairs.
The webhook must accept and acknowledge Panther's POST
request with an HTTP status code in the 2XX
range. If there were any network failures or non 2XX
codes, Panther will attempt to retry the request up to ten (10) times before permanent failure.
The webhook response body will be stored in the delivery status which can be viewed in the Alert Details page.
In the event of a permanent delivery failure, Panther logs and provides workflow continuity by allowing the alert to be manually re-sent by visiting the Alert Details page and viewing the Delivery Status section.
Log in to the Panther Console.
On the left sidebar click Configure > Alert Destinations.
Click +Add your first Destination.
If you have already created Destinations, click Create New in the upper right side of the page to add a new Destination.
Click Custom Webhook.
Fill out the form:
Display Name: Add a friendly name to identify your destination.
Custom Webhook URL: Enter your Custom Webhook forwarding URL.
If you follow the ngrok example later in this documentation, you would enter the http
or https
Forwarding URL from the ngrok
output.
Severity Levels: Select the severity level of alerts to send to this Destination.
Default Alert Types: Select the alert types to send to this Destination.
Log Types: By default, we will send alerts from all log types. Specify log types here if you want to only send alerts from specific log types.
Custom HTTP Headers (Available in Panther v1.44): Optionally provide one or more custom HTTP headers to be included with the POST request that sends the alerts.
Click Add Destination.
On the final page, optionally click Send Test Alert to test the integration using a test payload. When you are finished, click Finish Setup.
A Custom Webhook will deliver a payload containing the following fields:
id
string
Identifier of the alert's detection
createdAt
string
Alert creation time as AWSDateTime (ISO-8601)
severity
string
Severity of the alert
type
string
Type of the alert
link
string
Link to the alert in the Panther Console
title
string
Title of the alert
name
string
Name of the alert's detection
alertId
string
Identifier of the alert in Panther Backend
description
string
Description associated with the alert
runbook
string
Runbook associated with the alert
tags
string[]
List of tags associated with the alert
version
string
Version identifier for the alert's detection
The AWSDateTime scalar type represents a valid extended ISO 8601 DateTime string. In other words, this scalar type accepts datetime strings of the form YYYY-MM-DDThh:mm:ss.sssZ
. The field after the seconds field is a nanoseconds field. It can accept between 1 and 9 digits. The seconds and nanoseconds fields are optional (the seconds field must be specified if the nanoseconds field is to be used). The time zone offset is compulsory for this scalar. The time zone offset must either be Z (representing the UTC time zone) or be in the format ±hh:mm:ss
. The seconds field in the timezone offset will be considered valid even though it is not part of the ISO 8601 standard.
The following example demonstrates sending Panther alerts to a custom webhook which forwards the payload to a simple Node.js server proxied via Ngrok.
Open Command Line.
Create an ngrok account and install ngrok
Run this config command: ngrok config add-authtoken <token>
Run this command to start the service on port 8081: ngrok http 8081
Create a file, webhook.js
, and paste the following snippet:
Open another terminal and start the Node.js server:
In the Panther Console, create a new Custom Webhook and paste the Forwarding URL from ngrok
into the Custom Webhook URL field.
For example, the forwarding URL might look like: https://2d9c-174-27-211-147.ngrok-free.app
Click Send a test alert to see that the node.js server logs the test event.
For more information on alert routing order, modifying or deleting destinations, and workflow automation, please see the Panther docs: Destinations.