This guide walks you through creating a Panther API token, optionally configuring an HTTP log source for event ingestion, and gathering all of the configuration needed to create a Panther SIEM integration.

1. Log in to the Panther Console

Log in to your Panther Console with an account that has administrator permissions, or at minimum the ability to create API tokens.

2. Navigate to API Tokens

In the upper-right corner of the Panther Console, click the gear icon, then select API Tokens from the dropdown menu.

3. Note the API URL

At the top of the API Tokens page, locate the API URL. Copy the root URL to a safe location (e.g. https://api.<your-instance>.runpanther.net). Do not append any path segments — Synqly uses this root URL to reach both the REST and GraphQL APIs and will add the necessary paths automatically.

4. Create a new API Token

Click Create an API Token. Give the token a descriptive name (e.g. "Synqly Integration").

When setting access permissions, enable the following scopes:

  • Read Alerts — required for querying and retrieving alerts
  • Manage Data Lake Queries — required for executing and retrieving data lake queries to search events

Click Create API Token to generate the token. Copy it to a safe location; the token value will only be displayed once.

5. (Optional) Restrict by IP address

Panther supports restricting API token usage to specific IP addresses using CIDR notation. If your Synqly deployment uses static IPs, you can add them here for additional security. See the Synqly static IPs guide for the current list of addresses.

Configure an HTTP Log Source (Ingestion Only)

If you intend to send events to Panther through this integration, you will need to create an HTTP log source in Panther. If you only need to query alerts and events, skip to Configure the Integration.

6. Navigate to Log Sources

In the left-side navigation of your Panther Console, expand the Configure section and click Log Sources.

7. Create a new HTTP Source

On the Log Sources page, click the Create New button in the top right. On the source selection page, locate the Custom Log Formats section and click the HTTP log source card.

8. Configure the source

On the creation page you will see a Basic Information section and an authentication section.

Source Name: Provide a descriptive name for the source (e.g. "Synqly Events").

Schemas: Click the Schemas dropdown and type OCSF in the search field. Select the top-level OCSF checkbox to add all OCSF event type schemas. This ensures Panther can accept any OCSF-formatted event sent by Synqly.

9. Configure Bearer authentication

In the Select Authentication Type section, select Bearer.

A Bearer Token Value field will appear. Click the generate button next to the field to generate a new token value. Click the copy button to copy the token and save it to a safe location.

10. Complete setup

Click the Setup button at the bottom of the page. Panther will display a loading screen while it provisions the source.

Once provisioning completes, the page will display your HTTP Source URL. Click the copy button next to the URL to copy it and save it to a safe location.

You can skip the optional Detection Packs and drop-off alarm configuration on this page unless you want to enable them for your environment.

Note: You can retrieve the HTTP Source URL later by navigating to Configure > Log Sources, selecting your source, and viewing the HTTP Ingest URL on the Overview tab.

Configure the Integration

Create your integration by supplying all of the required and any desired optional values.

Base URL: This is the root API URL gathered in step 3 (e.g. https://api.<your-instance>.runpanther.net). Do not include any path — provide only the root URL. Synqly appends the required paths for the REST and GraphQL APIs automatically.

API Token: This is the API token value gathered in step 4.

Note: the following fields are required only when sending events to Panther.

Ingest URL: This is the HTTP Source endpoint URL gathered in step 10.

Ingest Bearer Token: This is the bearer token generated for the HTTP Source in step 9.
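
A pre-flight check for the values gathered above, written as an added example (it is not Synqly or Panther code). The function name, parameter names and sample hostnames are assumptions made for illustration; it verifies the root-only Base URL rule, the paired ingest fields, and any CIDR entries intended for step 5.

```python
import ipaddress
from urllib.parse import urlsplit

def check_panther_config(base_url, api_token, ingest_url=None,
                         ingest_bearer=None, allowed_cidrs=()):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    base = urlsplit(base_url.strip())
    if base.scheme != "https" or not base.hostname:
        problems.append("base_url: must be an https:// URL with a host")
    if base.path not in ("", "/") or base.query or base.fragment:
        problems.append("base_url: root URL only, no path, query or fragment")
    if base.username or base.password:
        problems.append("base_url: must not embed credentials")
    if not api_token or api_token != api_token.strip():
        problems.append("api_token: empty or has surrounding whitespace")
    # Ingest fields are needed only when sending events, and only as a pair.
    if bool(ingest_url) != bool(ingest_bearer):
        problems.append("ingest: set both ingest_url and ingest_bearer, or neither")
    elif ingest_url:
        ingest = urlsplit(ingest_url.strip())
        if ingest.scheme != "https" or not ingest.hostname:
            problems.append("ingest_url: must be an https:// URL with a host")
        # Steps 4 and 9 yield separate credentials; equal values mean a paste error.
        if ingest_bearer == api_token:
            problems.append("ingest_bearer: must differ from the API token")
    # Step 5: each allowlist entry must be valid CIDR and must not match everything.
    for cidr in allowed_cidrs:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"allowed_cidrs: {cidr!r} is not valid CIDR")
            continue
        if net.prefixlen == 0:
            problems.append(f"allowed_cidrs: {cidr!r} allows every address")
    return problems

if __name__ == "__main__":
    # Constructed sample values; substitute the ones copied from the Panther Console.
    for line in check_panther_config(
            "https://api.example.runpanther.net/some/path", "constructed-api-token",
            ingest_url="https://logs.example.invalid/http/constructed-id",
            allowed_cidrs=["203.0.113.0/24", "0.0.0.0/0"]):
        print(line)
```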