HTTP Source
Creating an HTTP (webhook) source for log ingestion in Panther
Overview
Using Panther's HTTP log ingestion capability, you (or a third party) can send log events directly to Panther with webhooks. When you create an HTTP log source, Panther provides a URL endpoint to which you can make POST requests containing data for ingestion.
For log sources without a direct API puller, using an HTTP source means you can ingest data into Panther without setting up additional infrastructure (as is required with other Data Transports, such as S3 or Google Cloud Storage).
Payload requirements
When sending data to Panther through an HTTP endpoint, note the following specifications.
Maximum size
The maximum supported payload size is 500 KB. You can compress your payloads before sending them to maximize throughput.
Compression
Payloads can be sent compressed (or uncompressed). Learn more about compression specifications in Ingesting compressed data in Panther.
Stream types
Panther supports the below three stream types for data ingested through an HTTP source:
JSON
Lines
JSON Array
See a description and example of each stream type here.
Authentication
To secure your HTTP endpoint, ensuring it only processes requests from authenticated sources, Panther offers the following modes of authentication:
Shared secret
With shared secret authentication (also known as token authentication), you configure a header name and shared secret value during source setup. The entity making the POST request to Panther must include a header with that name and secret value. Panther will only accept payloads with headers and secrets that match your configuration.
This method is referred to as shared secret because the secret is shared between Panther and the entity making the POST request, e.g., a third-party SaaS tool emitting log events.
HMAC
With HMAC authentication, you configure a header name and secret key value during source setup. The entity making the POST request to Panther must hash the payload of each request, use the secret key value to generate a signature, and include that signature in a header. Panther will then retrieve the signature from the header and perform the same signature calculation using the secret key. Only requests with matching signatures will be accepted.
Bearer
With bearer authentication, you define a bearer token value during source setup. The entity making the POST request to Panther must include a header of the format Authorization: Bearer tokenvaluehere. Panther will only accept request with matching bearer tokens.
Basic
With basic authentication, you define a username and password during source setup. The entity making the POST request to Panther must include a header of the format Authorization: Basic aGVsbG8=. The string after the Basic keyword follows RFC 7617, meaning the sender must encode the value of username:password using base64. Panther only accepts requests with a matching username and password.
None
While highly discouraged, it is possible to configure an endpoint without authentication. This means Panther will not perform any authentication checks on incoming requests, effectively making your URL open to all POST requests.
It is strongly recommended to set up authentication on your endpoint. None is offered for situations in which you do not have control over the headers provided by the sender.
How to set up an HTTP log source in Panther
To set up an HTTP log source in Panther, follow the steps below. You can also view the data ingestion video overview for a quick walkthrough of HTTP source setup.
Creating the HTTP log source in Panther
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
In the upper-right corner, click Create New.
Click the Custom Log Formats tile.
On the Configure page, in the Basic Information section, provide values for the following fields:
Source Name: Enter a descriptive name for the source.
Schemas - Optional: Select one or more log types this source will ingest.
This field is optional; you can attach schemas to this source after it has been created. Data sent to the HTTP source before a schema is attached can be used to infer a schema.
Follow the instructions below for the Auth method you chose:
Shared Secret: Enter a Header Name, and generate a Shared Secret Value.
Securely copy your Shared Secret Value, and store it in a safe location. This is the only time you will be shown the Shared Secret Value.
HMAC: Enter a Header Name, generate a Secret Key Value, and choose a Hashing Algorithm (either SHA 256 or SHA 1).
Securely copy your Secret Key Value, and store it in a safe location. This is the only time you will be shown the Secret Key Value.
Bearer: Enter a Bearer Token.
In the value you enter, do not include "Bearer."
Be sure to securely store your Bearer Token value. It will not be visible in the Panther Console.
Basic: Enter Username and Password values.
Be sure to securely store your Password value. It will not be visible in the Panther Console.
None: No additional configuration required.
Click Setup. You will be directed to a success screen:
Take note of your HTTP Source URL. Webhooks should make POST requests to this endpoint.
You can optionally enable one or more Detection Packs.
The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.
Sending data to your HTTP log source
After creating your HTTP log source, you can use it to send data to Panther by making POST requests to the source URL.
Ensure your request passes the authentication method you configured for the source.
Example using curl
curl Last updated
