Can Panther ingest logs emitted by Sublime Security?
Yes, it's possible to ingest Sublime Security logs into Panther using Panther's AWS S3 Data Transport source.
Follow Sublime's documentation on exporting all messages, audit logs, or flagged message events to an S3 bucket.
Follow Panther's documentation on onboarding an S3 bucket as a log source. You can base your custom log schemas on the example schemas below.
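# NOTE(review): nesting was lost in the source paste and has been restored from
# the field sequence; this looks like the audit-log export (events carry a
# created_by user and a request record) — confirm against a sample export.
fields:
  - name: count
    required: true
    type: bigint
  - name: end
    required: true
    type: timestamp
    timeFormats:
      - rfc3339
  - name: events
    type: array
    element:
      type: object
      fields:
        - name: created_at
          isEventTime: true
          type: timestamp
          timeFormats:
            - rfc3339
        - name: created_by
          type: object
          fields:
            - name: active
              type: boolean
            - name: created_at
              type: timestamp
              timeFormats:
                - rfc3339
            - name: email_address
              type: string
              indicators:
                - email
            - name: first_name
              type: string
            # Changed from float: OAuth subject IDs are long numeric identifiers
            # and a float silently rounds them, so the value can no longer be
            # matched back to a user. Stored as string, consistent with
            # microsoft_oauth_user_id below — confirm against a sample export.
            - name: google_oauth_user_id
              type: string
            - name: id
              type: string
            - name: is_enrolled
              type: boolean
            - name: last_name
              type: string
            - name: microsoft_oauth_user_id
              type: string
            - name: role
              type: string
            - name: updated_at
              type: timestamp
              timeFormats:
                - rfc3339
        - name: data
          type: object
          fields:
            - name: message
              type: object
              fields:
                - name: id
                  type: string
                - name: message_group
                  type: object
                  fields:
                    - name: id
                      type: string
                      indicators:
                        - sha256
            - name: request
              type: object
              fields:
                - name: query
                  type: object
                  fields:
                    # Hash indicators added so audit searches by attachment
                    # hash can be pivoted on like the message-export fields.
                    - name: attachment_md5
                      type: string
                      indicators:
                        - md5
                    - name: attachment_sha1
                      type: string
                      indicators:
                        - sha1
                    - name: attachment_sha256
                      type: string
                      indicators:
                        - sha256
                    - name: created_at_gte_
                      rename:
                        from: 'created_at[gte]'
                      type: timestamp
                      timeFormats:
                        - rfc3339
                    - name: created_at_lte_
                      rename:
                        from: 'created_at[lte]'
                      type: timestamp
                      timeFormats:
                        - rfc3339
                    - name: fetch_all_ids
                      type: boolean
                    - name: file_name
                      type: string
                    - name: from
                      type: string
                      indicators:
                        - email
                    - name: limit
                      type: bigint
                    - name: mailbox
                      type: string
                    - name: message_id
                      type: string
                    - name: offset
                      type: bigint
                    - name: subject
                      type: string
                    - name: to
                      type: string
                    # NOTE(review): the flat source does not show whether this
                    # is a query parameter or a request attribute; kept in the
                    # container it followed — confirm against a sample.
                    - name: limit_size
                      type: boolean
                - name: authentication_method
                  type: string
                - name: body
                  type: string
                - name: id
                  type: string
                - name: ip
                  type: string
                  indicators:
                    - ip
                - name: method
                  type: string
                - name: path
                  type: string
                - name: user_agent
                  type: string
        - name: id
          type: string
        - name: type
          type: string
  - name: key
    required: true
    type: string
  - name: start
    required: true
    type: timestamp
    timeFormats:
      - rfc3339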
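# NOTE(review): nesting was lost in the source paste and has been restored from
# the field sequence; this looks like the flagged-message event export (events
# carry flagged_rules and a message reference) — confirm against a sample.
fields:
  - name: count
    required: true
    type: bigint
  - name: end
    required: true
    type: timestamp
    timeFormats:
      - rfc3339
  - name: events
    type: array
    element:
      type: object
      fields:
        - name: created_at
          isEventTime: true
          type: timestamp
          timeFormats:
            - rfc3339
        - name: data
          type: object
          fields:
            - name: flagged_rules
              type: array
              element:
                type: object
                fields:
                  - name: tags
                    type: array
                    element:
                      type: string
                  - name: id
                    type: string
                  - name: name
                    type: string
            - name: message
              type: object
              fields:
                - name: canonical_id
                  type: string
                  indicators:
                    - sha256
                # NOTE(review): bigint was inferred from one sample; if the
                # mail provider's external id can be non-numeric, events with
                # such values will fail to parse — consider string.
                - name: external_id
                  type: bigint
                - name: id
                  type: string
                - name: mailbox
                  type: object
                  fields:
                    - name: id
                      type: string
                - name: message_source_id
                  type: string
        # NOTE(review): the flat source does not show whether `type` belongs to
        # the message or to the event; placed at event level by analogy with
        # the audit-event schema — confirm against a sample.
        - name: type
          type: string
  - name: key
    required: true
    type: string
  - name: start
    required: true
    type: timestamp
    timeFormats:
      - rfc3339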
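# NOTE(review): nesting was lost in the source paste and has been restored from
# the field sequence (top-level boundaries follow the `required: true` fields);
# this looks like the full message export — confirm against a sample export.
# The `raw` fields below appear to carry full message and attachment content;
# treat the resulting table as sensitive and restrict who can query it.
fields:
  - name: _errors
    type: array
    element:
      type: object
      fields:
        - name: field
          type: string
        - name: message
          type: string
        - name: type
          type: string
  - name: _meta
    required: true
    type: object
    fields:
      - name: canonical_id
        type: string
        indicators:
          - sha256
      - name: created_at
        type: timestamp
        timeFormats:
          - rfc3339
      - name: effective_at
        type: timestamp
        timeFormats:
          - rfc3339
      - name: id
        type: string
  - name: attachments
    type: array
    element:
      type: object
      fields:
        - name: content_id
          type: string
          indicators:
            - email
        - name: content_transfer_encoding
          type: string
        - name: content_type
          type: string
        - name: file_extension
          type: string
        - name: file_name
          type: string
        - name: file_type
          type: string
        # md5 indicator added for consistency with sha1/sha256 so attachment
        # hashes are searchable across indicator queries.
        - name: md5
          type: string
          indicators:
            - md5
        - name: raw
          type: string
        - name: sha1
          type: string
          indicators:
            - sha1
        - name: sha256
          type: string
          indicators:
            - sha256
        - name: size
          type: bigint
  - name: body
    required: true
    type: object
    fields:
      - name: ips
        type: array
        element:
          type: object
          fields:
            - name: ip
              type: string
              indicators:
                - ip
      - name: plain
        type: object
        fields:
          - name: content_transfer_encoding
            type: string
          - name: charset
            type: string
          - name: raw
            type: string
      - name: links
        type: array
        element:
          type: object
          fields:
            - name: mismatched
              type: boolean
            - name: display_url
              type: object
              fields:
                - name: password
                  type: string
                - name: fragment
                  type: string
                - name: username
                  type: string
                - name: query_params
                  type: string
                  indicators:
                    - email
                - name: path
                  type: string
                  indicators:
                    - email
                - name: domain
                  type: object
                  fields:
                    - name: subdomain
                      type: string
                    - name: domain
                      type: string
                    - name: root_domain
                      type: string
                    - name: sld
                      type: string
                    - name: tld
                      type: string
                    - name: valid
                      type: boolean
                - name: scheme
                  type: string
                - name: url
                  type: string
                  indicators:
                    - email
                    - url
            - name: display_text
              type: string
            - name: href_url
              type: object
              fields:
                - name: password
                  type: string
                - name: username
                  type: string
                - name: rewrite
                  type: object
                  fields:
                    - name: encoders
                      type: array
                      element:
                        type: string
                    - name: original
                      type: string
                      indicators:
                        - url
                - name: fragment
                  type: string
                - name: query_params
                  type: string
                  indicators:
                    - email
                - name: path
                  type: string
                  indicators:
                    - email
                - name: domain
                  type: object
                  fields:
                    - name: subdomain
                      type: string
                    - name: domain
                      type: string
                    - name: root_domain
                      type: string
                    - name: sld
                      type: string
                    - name: tld
                      type: string
                    - name: valid
                      type: boolean
                - name: scheme
                  type: string
                - name: url
                  type: string
                  indicators:
                    - url
      - name: html
        type: object
        fields:
          - name: content_transfer_encoding
            type: string
          - name: charset
            type: string
          - name: display_text
            type: string
          - name: inner_text
            type: string
          - name: raw
            type: string
      - name: current_thread
        type: object
        fields:
          - name: text
            type: string
  - name: external
    required: true
    type: object
    fields:
      - name: created_at
        isEventTime: true
        type: timestamp
        timeFormats:
          - rfc3339
      # NOTE(review): bigint was inferred from one sample; if the mail
      # provider's message id can be non-numeric, such messages will fail to
      # parse — consider string.
      - name: message_id
        type: bigint
      - name: route_type
        type: string
      - name: spam
        type: boolean
  - name: headers
    required: true
    type: object
    fields:
      - name: x_sender
        type: object
        fields:
          - name: domain
            type: object
            fields:
              - name: domain
                type: string
              - name: root_domain
                type: string
              - name: sld
                type: string
              - name: tld
                type: string
              - name: valid
                type: boolean
          - name: email
            type: string
            indicators:
              - email
          - name: local_part
            type: string
      - name: in_reply_to
        type: string
        indicators:
          - email
      - name: references
        type: array
        element:
          type: string
          indicators:
            - email
      - name: reply_to
        type: array
        element:
          type: object
          fields:
            - name: display_name
              type: string
            - name: email
              type: object
              fields:
                - name: domain
                  type: object
                  fields:
                    - name: subdomain
                      type: string
                    - name: domain
                      type: string
                    - name: root_domain
                      type: string
                    - name: sld
                      type: string
                    - name: tld
                      type: string
                    - name: valid
                      type: boolean
                - name: email
                  type: string
                  indicators:
                    - email
                - name: local_part
                  type: string
                  indicators:
                    - sha256
      - name: mailer
        type: string
      - name: ips
        type: array
        element:
          type: object
          fields:
            - name: ip
              type: string
              indicators:
                - ip
      - name: auth_summary
        type: object
        fields:
          - name: dmarc
            type: object
            fields:
              - name: pass
                type: boolean
              - name: details
                type: object
                fields:
                  - name: action
                    type: string
                  - name: disposition
                    type: string
                  - name: policy
                    type: string
                  - name: sub_policy
                    type: string
                  - name: from
                    type: object
                    fields:
                      - name: subdomain
                        type: string
                      - name: domain
                        type: string
                      - name: root_domain
                        type: string
                      - name: sld
                        type: string
                      - name: tld
                        type: string
                      - name: valid
                        type: boolean
                  - name: verdict
                    type: string
                  # NOTE(review): the flat source does not show whether
                  # received_hop sits in details or beside pass; kept in the
                  # container it followed (same for spf below) — confirm.
                  - name: received_hop
                    type: bigint
          - name: spf
            type: object
            fields:
              - name: error
                type: boolean
              - name: pass
                type: boolean
              - name: details
                type: object
                fields:
                  - name: client_ip
                    type: object
                    fields:
                      - name: ip
                        type: string
                        indicators:
                          - ip
                  - name: server
                    type: object
                    fields:
                      - name: domain
                        type: string
                      - name: root_domain
                        type: string
                      - name: sld
                        type: string
                      - name: tld
                        type: string
                      - name: valid
                        type: boolean
                  - name: description
                    type: string
                  - name: designator
                    type: string
                  - name: verdict
                    type: string
                  - name: received_hop
                    type: bigint
      - name: delivered_to
        type: object
        fields:
          - name: domain
            type: object
            fields:
              - name: domain
                type: string
              - name: root_domain
                type: string
              - name: sld
                type: string
              - name: tld
                type: string
              - name: valid
                type: boolean
          - name: email
            type: string
            indicators:
              - email
          - name: local_part
            type: string
      - name: domains
        type: array
        element:
          type: object
          fields:
            - name: subdomain
              type: string
            - name: domain
              type: string
            - name: root_domain
              type: string
            - name: sld
              type: string
            - name: tld
              type: string
            - name: valid
              type: boolean
      - name: return_path
        type: object
        fields:
          - name: domain
            type: object
            fields:
              - name: subdomain
                type: string
              - name: domain
                type: string
              - name: root_domain
                type: string
              - name: sld
                type: string
              - name: tld
                type: string
              - name: valid
                type: boolean
          - name: email
            type: string
            indicators:
              - email
          - name: local_part
            type: string
      - name: date
        type: timestamp
        timeFormats:
          - rfc3339
      - name: date_original_offset
        type: bigint
      - name: hops
        type: array
        element:
          type: object
          fields:
            - name: received_spf
              type: object
              fields:
                - name: client_ip
                  type: object
                  fields:
                    - name: ip
                      type: string
                      indicators:
                        - ip
                - name: description
                  type: string
                - name: designator
                  type: string
                - name: server
                  type: object
                  fields:
                    - name: domain
                      type: string
                    - name: root_domain
                      type: string
                    - name: sld
                      type: string
                    - name: tld
                      type: string
                    - name: valid
                      type: boolean
                - name: verdict
                  type: string
            - name: authentication_results
              type: object
              fields:
                - name: dmarc
                  type: string
                - name: dmarc_details
                  type: object
                  fields:
                    - name: action
                      type: string
                    - name: disposition
                      type: string
                    - name: policy
                      type: string
                    - name: sub_policy
                      type: string
                    - name: from
                      type: object
                      fields:
                        - name: subdomain
                          type: string
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: verdict
                      type: string
                - name: dkim
                  type: string
                - name: dkim_details
                  type: array
                  element:
                    type: object
                    fields:
                      - name: domain
                        type: string
                      - name: instance
                        type: string
                      - name: selector
                        type: string
                      - name: signature
                        type: string
                      # NOTE(review): the `type` fields in this block could not
                      # be placed with certainty from the flat source; this one
                      # is kept with dkim_details because the bigint `instance`
                      # that follows cannot be a sibling of the string one above.
                      - name: type
                        type: string
                - name: instance
                  type: bigint
                - name: server
                  type: object
                  fields:
                    - name: domain
                      type: string
                    - name: root_domain
                      type: string
                    - name: sld
                      type: string
                    - name: subdomain
                      type: string
                    - name: tld
                      type: string
                    - name: valid
                      type: boolean
                - name: spf
                  type: string
                - name: spf_details
                  type: object
                  fields:
                    - name: client_ip
                      type: object
                      fields:
                        - name: ip
                          type: string
                          indicators:
                            - ip
                    - name: description
                      type: string
                    - name: designator
                      type: string
                      indicators:
                        - email
                    - name: server
                      type: object
                      fields:
                        - name: domain
                          type: string
                        - name: root_domain
                          type: string
                        - name: sld
                          type: string
                        - name: tld
                          type: string
                        - name: valid
                          type: boolean
                    - name: verdict
                      type: string
                # NOTE(review): placed at authentication_results level on the
                # assumption that spf_details ends at verdict like dmarc_details;
                # confirm against a sample.
                - name: type
                  type: string
            - name: received
              type: object
              fields:
                - name: link
                  type: object
                  fields:
                    - name: raw
                      type: string
                - name: mailbox
                  type: object
                  fields:
                    - name: raw
                      type: string
                      indicators:
                        - email
                - name: additional
                  type: object
                  fields:
                    - name: raw
                      type: string
                      indicators:
                        - email
                - name: source
                  type: object
                  fields:
                    - name: raw
                      type: string
                      indicators:
                        - ip
                - name: id
                  type: object
                  fields:
                    - name: raw
                      type: string
                      indicators:
                        - email
                - name: protocol
                  type: object
                  fields:
                    - name: raw
                      type: string
                - name: server
                  type: object
                  fields:
                    - name: raw
                      type: string
                      indicators:
                        - ip
                - name: time
                  type: timestamp
                  timeFormats:
                    - rfc3339
                - name: zone_offset
                  type: bigint
            - name: signature
              type: object
              fields:
                - name: version
                  type: bigint
                - name: instance
                  type: string
                - name: algorithm
                  type: string
                - name: body_hash
                  type: string
                - name: domain
                  type: string
                - name: headers
                  type: string
                - name: selector
                  type: string
                - name: signature
                  type: string
                - name: type
                  type: string
            - name: fields
              type: array
              element:
                type: object
                fields:
                  - name: name
                    type: string
                  - name: position
                    type: bigint
                  - name: value
                    type: string
                    indicators:
                      - email
                      - ip
            - name: index
              type: bigint
      - name: message_id
        type: string
        indicators:
          - email
  - name: mailbox
    required: true
    type: object
    fields:
      - name: email
        type: object
        fields:
          - name: domain
            type: object
            fields:
              - name: domain
                type: string
              - name: root_domain
                type: string
              - name: sld
                type: string
              - name: tld
                type: string
              - name: valid
                type: boolean
          - name: email
            type: string
            indicators:
              - email
          - name: local_part
            type: string
  - name: recipients
    required: true
    type: object
    fields:
      - name: bcc
        type: array
        element:
          type: object
          fields:
            - name: email
              type: object
              fields:
                - name: domain
                  type: object
                  fields:
                    - name: domain
                      type: string
                    - name: root_domain
                      type: string
                    - name: sld
                      type: string
                    - name: tld
                      type: string
                    - name: valid
                      type: boolean
                - name: email
                  type: string
                  indicators:
                    - email
                - name: local_part
                  type: string
      - name: cc
        type: array
        element:
          type: object
          fields:
            - name: display_name
              type: string
              indicators:
                - email
            - name: email
              type: object
              fields:
                - name: domain
                  type: object
                  fields:
                    - name: domain
                      type: string
                    - name: root_domain
                      type: string
                    - name: sld
                      type: string
                    - name: tld
                      type: string
                    - name: valid
                      type: boolean
                - name: email
                  type: string
                  indicators:
                    - email
                - name: local_part
                  type: string
      - name: to
        type: array
        element:
          type: object
          fields:
            - name: display_name
              type: string
              indicators:
                - email
            - name: email
              type: object
              fields:
                - name: domain
                  type: object
                  fields:
                    - name: subdomain
                      type: string
                    - name: root_domain
                      type: string
                    - name: sld
                      type: string
                    - name: tld
                      type: string
                    - name: domain
                      type: string
                    - name: valid
                      type: boolean
                - name: email
                  type: string
                  indicators:
                    - email
                - name: local_part
                  type: string
                  indicators:
                    - sha256
  - name: sender
    required: true
    type: object
    fields:
      - name: display_name
        type: string
        indicators:
          - email
      - name: email
        type: object
        fields:
          - name: domain
            type: object
            fields:
              - name: subdomain
                type: string
              - name: domain
                type: string
              - name: root_domain
                type: string
              - name: sld
                type: string
              - name: tld
                type: string
              - name: valid
                type: boolean
          - name: email
            type: string
            indicators:
              - email
          - name: local_part
            type: string
  - name: subject
    required: true
    type: object
    fields:
      - name: subject
        type: string
  - name: type
    required: true
    type: object
    fields:
      - name: inbound
        type: boolean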