Panther Webhook Configuration

Configure the Spyderbat Event Forwarder to send events to Panther via webhook.

This guide covers the Panther-specific steps for configuring the Event Forwarder webhook. Before continuing, complete the SIEM Forwarding Quickstart to install and configure the Event Forwarder.

Step 1: Create the Panther schema

Panther requires an ingestion schema to parse incoming log data.

Download the example Panther schema from the event-forwarder repository.
In the Panther console, go to Configure > Schemas and click Create New.
Give the schema a name, such as SpyderbatR0.
Paste the schema contents into the text box.
Click Validate, then Save.

Step 2: Create the Panther log source

In the Panther console, go to Configure > Log Sources and click Create New.
Select Custom log formats, then click Start under HTTP logs.
Enter a name for the source — for example, Spyderbat Forwarder on <hostname> (32-character limit).
Select the Custom.SpyderbatR0 schema you created.
Set the auth method to Bearer and click the refresh button to generate a bearer secret. Copy the secret immediately — it cannot be retrieved after you leave this screen.
Click Setup.

Step 3: Convert the bearer secret to base64

The event forwarder expects the bearer secret in base64 format. Convert it with:

echo -n YOUR_SECRET | base64

The -n flag is required. Without it, echo appends a trailing newline to the secret, producing invalid base64 that causes silent authentication failures in Panther.

Keep the base64 output handy for the next step.

Step 4: Configure the Event Forwarder webhook

Edit /opt/spyderbat-events/etc/config.yaml and add the webhook block. Replace the placeholders with your Panther HTTP ingest URL and the base64 bearer secret from the previous step.

spyderbat_org_uid: YOUR-ORG-UID
spyderbat_secret_api_key: YOUR-API-KEY

webhook:
  endpoint_url: PANTHER-INGEST-URL
  compression_algo: zstd
  max_payload_bytes: 500000
  authentication:
    method: bearer
    parameters:
      secret_key: YOUR-BASE64-SECRET

Restart the service to apply the config:

sudo systemctl restart spyderbat-event-forwarder.service

Tail the logs to confirm events are reaching Panther without errors:

sudo journalctl -fu spyderbat-event-forwarder.service

Step 5: Verify events in Panther

In the Panther console, go to Configure > Log Sources and confirm a recent ingest timestamp appears for your Spyderbat log source. If the timestamp doesn't update within a few minutes, check the forwarder logs for authentication errors — the most common cause is an incorrectly encoded bearer secret (see Step 3).

SIEM Forwarding — full architecture and setup
SIEM Forwarding Quickstart — end-to-end setup guide
Spyderbat Event Forwarder — architecture overview

Last updated 13 days ago

Was this helpful?

hashtagStep 1: Create the Panther schema

hashtagStep 2: Create the Panther log source

hashtagStep 3: Convert the bearer secret to base64

hashtagStep 4: Configure the Event Forwarder webhook

hashtagStep 5: Verify events in Panther

hashtagRelated pages

Step 1: Create the Panther schema

Step 2: Create the Panther log source

Step 3: Convert the bearer secret to base64

Step 4: Configure the Event Forwarder webhook

Step 5: Verify events in Panther

Related pages