Sublime Security Log Classification Errors in Panther

Last updated: July 17, 2025

Issue

When onboarding Sublime Security logs to Panther, classification errors might occur if JSON Lines (JSONL) format is enabled in Sublime's Audit Log and Message Events Export setting, even though logs are being delivered to the S3 bucket and picked up by Panther.

Resolution

To resolve this issue:

  1. Navigate to your Sublime Security export configuration settings

  2. Ensure that you have not checked the box Use JSON Lines text formatting while configuring the Audit Log and Message Events Export setting. Please uncheck it if it is selected

  3. Panther expects a format as seen in the Example Audit Logs section from the Sublime documentation, which looks like:

      "events": ...,
      "count": 0,
      "start": "2023-05-03T23:55:01.06552Z",
      "end": "2023-05-04T00:05:00.309749667Z",
      "key": "sublime_platform_audit_log/2023/05/04/000500Z-LPPJKV.json"
    }
  4. Save your configuration

  5. Generate new activity to verify logs are being parsed correctly on the Panther side

Cause

This issue occurs because Panther's parser expects Sublime Security logs to be wrapped in a specific structure. When JSON Lines format is enabled, events are exported as individual JSON lines without this wrapper structure, causing classification failures.

The expected format should be:

{
  "events": ...,
  "count": 0,
  "start": "2023-05-03T23:55:01.06552Z",
  "end": "2023-05-04T00:05:00.309749667Z",
  "key": "sublime_platform_audit_log/2023/05/04/000500Z-LPPJKV.json"
}
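
The following is an added example, not code from Panther or Sublime Security: a small Python check you can run against an object downloaded from the export S3 bucket to tell whether it is in the wrapped format shown above or in JSON Lines, which is the case that fails classification. It assumes only the wrapper keys listed in this article, and that "events" holds a list; the sample bodies are constructed.

```python
import json
import sys

# Keys of the wrapper object that Panther's Sublime Security parser expects,
# taken from the example in this article. "events" is assumed to be a list.
ENVELOPE_KEYS = {"events", "count", "start", "end", "key"}


def classify_export(body: str) -> str:
    """Classify the body of one exported S3 object.

    Returns "envelope" (wrapped format Panther parses), "jsonl" (one JSON
    object per line, which Panther fails to classify) or "unknown".
    """
    stripped = body.strip()
    if not stripped:
        return "unknown"
    # Wrapped format: the whole body is one JSON object carrying the envelope keys.
    try:
        obj = json.loads(stripped)
    except json.JSONDecodeError:
        obj = None
    if isinstance(obj, dict) and ENVELOPE_KEYS.issubset(obj):
        return "envelope"
    # JSON Lines: every non-empty line is a standalone JSON object, no wrapper.
    lines = [ln for ln in stripped.splitlines() if ln.strip()]
    try:
        rows = [json.loads(ln) for ln in lines]
    except json.JSONDecodeError:
        return "unknown"
    return "jsonl" if rows and all(isinstance(r, dict) for r in rows) else "unknown"


# Constructed samples (not real Sublime exports): one wrapped object, and the
# same two events as they would appear with JSON Lines formatting enabled.
ENVELOPE_SAMPLE = json.dumps({
    "events": [{"type": "example.event", "id": 1}, {"type": "example.event", "id": 2}],
    "count": 2,
    "start": "2023-05-03T23:55:01.06552Z",
    "end": "2023-05-04T00:05:00.309749667Z",
    "key": "sublime_platform_audit_log/2023/05/04/000500Z-LPPJKV.json",
}, indent=2)
JSONL_SAMPLE = '{"type": "example.event", "id": 1}\n{"type": "example.event", "id": 2}\n'

if __name__ == "__main__":
    # Usage: python check_export.py <downloaded-object> ...; with no args the samples are checked.
    inputs = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    for name, body in (inputs or {"envelope": ENVELOPE_SAMPLE, "jsonl": JSONL_SAMPLE}).items():
        kind = classify_export(body)
        hint = " (disable 'Use JSON Lines text formatting' in Sublime)" if kind == "jsonl" else ""
        print(f"{name}: {kind}{hint}")
```

Run it against a few objects written after saving the configuration (step 4); every one should report "envelope" before you expect Panther to classify them.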

For additional information on how to connect Sublime Security logs to your Panther Console, please check our relevant documentation.