Data Onboarding
Panther offers several options to onboard data: SaaS Logs, Data Transports, Cloud Accounts, and Custom Log Types. You can also request support for a specific log source.
This page also explains how to enable an Event Threshold Alarm to alert you if your log source has not processed any events within your configured period of time.
For information on ingesting Panther Console audit logs, please see the documentation: Panther Audit Logs.

SaaS Logs

Panther leverages two mechanisms to pull logs from SaaS vendors:
  • Direct integrations (by querying APIs)
  • AWS EventBridge
For a list of vendors currently supported, see SaaS Logs.

Data Transports

You may use AWS services such as S3 buckets, CloudWatch, SQS, or SNS in tandem with Panther to ingest data.
For more information, see Data Transports.

Cloud Accounts

Onboard your AWS account to allow Panther to scan its resources and check for potential vulnerabilities. For more information, see Cloud Accounts.
In addition to onboarding AWS accounts for Cloud Scanning, we also advise you to onboard the same AWS account as a log source so you can configure Detections and receive alerts for active incidents and breaches. For more information, see Built-in Log Types > AWS.

Custom Log Types

Do you have a log type you would like to monitor that Panther does not have a schema built for? Panther gives you the ability to generate a custom schema, which informs Panther how to parse events correctly.
For more information, see Custom Log Types.

Configuring Event Threshold Alarms

In the final step of configuring your log source, you have the option to create an alarm in case the source does not process any events within a configurable period of time. For example, if you configure the threshold to 15 minutes, then you will receive an alert if no events are processed in 15 minutes. The alert is sent only once; there is no re-notification for an event threshold alarm.
To enable the alarm:
  1. Toggle the setting next to "Set an alarm in case this source does not process any events?" to YES.
  2. Enter your desired time period next to "How long should Panther wait before it sends you an alert that no events have been processed?"
  3. Click Apply Changes.
The option to set an alarm in case this source does not process any events is set to YES. The setting "How long should Panther wait before it sends you an alert that no events have been processed" is set to 15 minutes.

Request support for a log source

If you do not see the log source you want in the list at Integrations > Log Sources, you can request support for a new log source:
  1. Log in to your Panther Console.
  2. Navigate to Integrations > Log Sources.
  3. Scroll to the bottom of the page and click Request it here.
  4. Fill in the form, then click Create Request.