Panther SIEM Integration

Send Logs to Panther SIEM
This guide walks you through connecting Realm to Panther as a destination. Realm forwards your log data to Panther using an HTTP log source, where Panther ingests, parses, and makes the data available for detection and investigation.
Note: If you prefer not to use an HTTP source — for example, for high-volume sources where the 1 MB payload limit may be a concern — Panther also supports ingestion via AWS S3 and Google Cloud Storage. In that case, configure an AWS S3 or GCS destination in Realm instead of the HTTP destination described below.
1. Create an HTTP Log Source in Panther
Log in to the Panther Console.
In the left-hand navigation bar, click Configure > Log Sources.

In the upper-right corner, click Create New.
Click the HTTP tile.

In the Basic Information section, enter a Source Name (e.g., Realm.Security).
Optionally select one or more Schemas for the log types this source will ingest. You can also attach schemas after creation.
In the Select Authentication Type section, choose Bearer from the Auth method dropdown.
Enter a Bearer Token value.
Important: Store this token value securely — it will not be visible in the Panther Console after setup.

Click Setup.
On the success screen, copy the HTTP Source URL — Realm will send POST requests to this endpoint. Endpoint creation may take a few minutes.
2. Configure the Panther Destination in Realm
Navigate to the Destinations page in Realm and create a new destination for Panther.
Add a new Output Feed and configure the following fields:
Name: Panther
Method: HTTP
Endpoint: <your Panther HTTP Source URL>
Bearer Token: <your Panther Bearer Token>
Compression: GZIP or ZSTD
Choose your preferred Compression format — Panther supports both GZIP and ZSTD compressed payloads.
Save the Output Feed. Realm will begin forwarding log data to your Panther HTTP source.
Note: For more information on Panther HTTP sources, refer to the Panther HTTP Source documentation.
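To check that the new HTTP source accepts Bearer-authenticated, GZIP-compressed POST requests and that batches stay under the 1 MB payload limit, a smoke test along these lines can help. This is an added example, not Realm's or Panther's own code. Assumptions: a newline-delimited JSON body, the `Content-Encoding: gzip` header as the compression signal, the 1 MB limit applied to the uncompressed body, and the environment variable names `PANTHER_HTTP_URL` and `PANTHER_BEARER_TOKEN`.

```python
import gzip
import json
import os
import urllib.request

MAX_PAYLOAD_BYTES = 1_000_000  # page cites a 1 MB limit; checked before compression (assumption)


def batch_events(events, limit=MAX_PAYLOAD_BYTES):
    """Group events into newline-delimited JSON bodies of at most `limit` bytes each."""
    batches, current, size = [], [], 0
    for event in events:
        line = json.dumps(event, separators=(",", ":")).encode("utf-8")
        if len(line) > limit:
            raise ValueError(f"single event is {len(line)} bytes, over the {limit}-byte limit")
        added = len(line) + (1 if current else 0)  # +1 for the newline separator
        if size + added > limit:
            batches.append(b"\n".join(current))
            current, size, added = [], 0, len(line)
        current.append(line)
        size += added
    if current:
        batches.append(b"\n".join(current))
    return batches


def build_request(url, token, body):
    """Build the gzip-compressed, Bearer-authenticated POST for one batch."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send a bearer token over a non-HTTPS URL")
    return urllib.request.Request(
        url,
        data=gzip.compress(body),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Content-Encoding": "gzip",  # assumed signal for the GZIP payload
        },
    )


if __name__ == "__main__":
    # Hypothetical variable names; the token is read from the environment, never hard-coded.
    url, token = os.environ["PANTHER_HTTP_URL"], os.environ["PANTHER_BEARER_TOKEN"]
    sample = [{"source": "realm-smoke-test", "message": "constructed test event", "seq": i} for i in range(3)]
    for body in batch_events(sample):
        with urllib.request.urlopen(build_request(url, token, body), timeout=10) as resp:
            print(resp.status, len(body), "bytes before compression")
```

A non-2xx status raises `urllib.error.HTTPError`, which usually points to a wrong token or an endpoint that is still being created.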