Material Security Logs

Connecting Material Security logs in your Panther Console

Overview

Panther ingests Material Security logs by configuring an Event Subscription in Material to forward events to an HTTP endpoint in Panther.

Material Security is a unified email security, user behavior analytics, and data loss prevention solution for Microsoft 365 and Google Workspace.

How to onboard Material Security logs to Panther

Step 1: Create a new Material Security source in Panther

To connect these logs into Panther:

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “Material Security,” then click its tile.

  4. In the slide-out panel, click Start Setup.

  5. Follow Panther's instructions for configuring an HTTP Source, beginning at Step 5.

    • In the Auth method dropdown field, select Bearer.

    • Payloads sent to this source are subject to the payload requirements for all HTTP sources.

    • Do not proceed to the next step until the creation of your HTTP endpoint has completed.

Step 2: Create an Event Subscription in Material Security

  1. Log into your Material Security tenant.

  2. In the upper-right corner, click the puzzle piece (Integrations) icon.

  3. From the left-hand navigation bar, select Events.

  4. In the upper-right corner, click Create Subscription.

  5. In the Create Subscription form, under Event and Notification Type, enter values for the following fields:

    • Event: Select New Case Created.

    • Notification Type: Select Webhook.

    • Subscription Name: Enter a short description.

  6. Under Event-Specific Options, in the Case Source field, choose all applicable options.

  7. Under Notification, enter values for the following fields:

    • HTTP Method: Select Method > POST.

    • URI: Enter the HTTP Source URL you generated in Panther in Step 1.

  8. Under Headers, in the Headers field, add the bearer token you entered or generated in Panther in Step 1, for example: { "Authorization": "Bearer <token value>" }.

  9. In the top-right corner, click Save.

Supported log types

Material.CaseCreated

schema: Material.CaseCreated
description: Cases created in Material
referenceURL: https://material.security/
fields:
    - name: content
      required: true
      type: object
      fields:
        - name: caseId
          type: string
        - name: detectionType
          type: string
        - name: mark
          type: object
          fields:
            - name: markedAt
              type: timestamp
              timeFormats:
                - rfc3339
            - name: markedBy
              type: json
            - name: markType
              type: string
            - name: ruleMatch
              type: json
          isEmbeddedJSON: true
        - name: messageDetails
          type: object
          fields:
            - name: spf
              type: string
            - name: attachments
              type: string
            - name: from
              type: string
              indicators:
                - email
            - name: links
              type: string
            - name: subject
              type: string
    - name: eventId
      required: true
      type: string
    - name: eventSource
      required: true
      type: string
      validate:
        allow:
            - material
    - name: eventType
      required: true
      type: string
      validate:
        allow:
            - caseCreated
    - name: timestamp
      required: true
      type: timestamp
      timeFormats:
        - rfc3339
      isEventTime: true
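
To troubleshoot a subscription, a captured webhook body can be checked against the required fields, allow lists and timestamp formats in the schema above. The following is an added example, not code from Panther or Material Security; the function names and the sample event are constructed for illustration, and the rfc3339 check is an approximation built on `datetime.fromisoformat`.

```python
import json
from datetime import datetime

# Constraints copied from the Material.CaseCreated schema on this page.
REQUIRED = ("content", "eventId", "eventSource", "eventType", "timestamp")
ALLOWED = {"eventSource": ("material",), "eventType": ("caseCreated",)}

def is_rfc3339(value):
    """Approximate RFC 3339 check: ISO 8601 date-time with an explicit offset."""
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00")).tzinfo is not None
    except (AttributeError, TypeError, ValueError):
        return False

def validate_case_created(raw):
    """Return a list of schema problems for one webhook body (empty list = OK)."""
    try:
        event = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc.msg}"]
    if not isinstance(event, dict):
        return ["body is not a JSON object"]
    problems = [f"missing required field: {n}" for n in REQUIRED if n not in event]
    for name, allowed in ALLOWED.items():
        if name in event and event[name] not in allowed:
            problems.append(f"{name}={event[name]!r} is not in the allow list")
    if "timestamp" in event and not is_rfc3339(event["timestamp"]):
        problems.append("timestamp is not rfc3339")
    content = event.get("content", {})
    if not isinstance(content, dict):
        return problems + ["content is not an object"]
    if "mark" in content:
        mark = content["mark"]
        if isinstance(mark, str):  # isEmbeddedJSON: object may arrive JSON-encoded
            try:
                mark = json.loads(mark)
            except json.JSONDecodeError:
                mark = None
        if not isinstance(mark, dict):
            problems.append("content.mark is not an object or embedded JSON object")
        elif "markedAt" in mark and not is_rfc3339(mark["markedAt"]):
            problems.append("content.mark.markedAt is not rfc3339")
    return problems

SAMPLE = json.dumps({  # constructed sample event, not real Material output
    "eventId": "evt-0001", "eventSource": "material", "eventType": "caseCreated",
    "timestamp": "2024-05-01T12:00:00Z",
    "content": {"caseId": "case-0001", "mark": json.dumps({"markedAt": "2024-05-01T11:59:30Z"})},
})
```

`validate_case_created(SAMPLE)` returns an empty list; each string in a non-empty result names one field that does not satisfy the schema.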
