Data Sources & Transports
Onboard your data sources into Panther to normalize and retain logs


Panther offers built-in integrations for common data sources and data mapping for custom log sources. This page describes available data source options, how to monitor log source health, how to request support for a new log source, and how to configure an Event Threshold alarm.
For information on ingesting Panther Console audit logs, please refer to the related documentation – Panther Audit Logs.

Data Sources & Transports

Data Transports

You can leverage cloud services to push data to Panther from sources such as S3 buckets, CloudWatch, SQS, SNS, or Google Cloud Storage (GCS). For more information, see Data Transports.

Supported Logs

Panther supports pulling logs from vendors via direct integrations that query the API and via AWS EventBridge. In addition, Panther supports pushing logs to common Data Transport sources to ingest logs that have supported schemas but not a direct API integration. For a full list of supported vendors, see the Supported Logs page.

Cloud Accounts

In addition to onboarding AWS as a log source to configure Detections and receive alerts, we recommend configuring Cloud Security Scanning for your AWS account. Cloud Security Scanning works by scanning AWS accounts, modeling the Resources within them, and using Policies to detect misconfigurations. For more information, see Cloud Security Scanning.

Custom Logs

Panther allows you to generate a custom schema if you have a log type that is not yet supported. Panther gives you the ability to build custom schemas, which inform Panther how to parse events correctly. For more information, see Custom Logs.

Monitoring Log Sources

When your log source is onboarded in Panther, you can monitor its data processing metrics and health within the log source's operations page. You can also attach new schemas and view raw data associated with the log source. For more information, see Monitoring Log Sources.

Request support for a log source

If you do not see the log source you want within the list at Integrations > Log Sources, you can request support of a new log source:
  1. 1.
    Log in to your Panther Console.
  2. 2.
    Navigate to Integrations > Log Sources.
  3. 3.
    Click Create New.
  4. 4.
    Scroll to the bottom of the page and click the Request it here hyperlink.
  5. 5.
    Enter the Log Source name you want to request and the use case it will address.
  6. 6.
    Click Create Request.

Configuring event threshold alarms

On the final step of configuring your log source with Panther, you have the option to create an alarm in case the source does not process any events within a configurable period of time. For example, if you configure the threshold to 15 minutes, then you will receive an alert if no events are processed in 15 minutes.
Note: The alert is only sent one time; there is no re-notification for event threshold.
To enable the event threshold alarm:
  1. 1.
    From the Configure Event Threshold Alarm page, toggle the setting to YES next to Set an alarm in case this source does not process any events?.
  2. 2.
    Enter your desired time period by filling in the Number and Period fields next to How long should Panther wait before it sends you an alert that no events have been processed?.
  3. 3.
    Click Apply Changes.
This example would send you an alarm after 15 minutes to let you know that no events have yet been processed.