CloudWatch Logs Source

Onboarding CloudWatch as a Data Transport log source in the Panther Console

Overview

Panther supports configuring CloudWatch as a Data Transport to pull security logs from CloudWatch into your Panther account.

In order to enable real-time processing of log data, Panther will create a Firehose Delivery Stream and an S3 Bucket that will be used as the Delivery Stream's destination. A subscription filter is then configured for the CloudWatch Logs log group using the Firehose Delivery Stream as its destination. The required read permissions for processing files added by Firehose to the newly created S3 bucket are granted to the IAM role.

More details on this process can be found in Amazon's documentation: AWS Cloudwatch Logs documentation for subscriptions.

See the diagram below to understand how data flows from your application(s) into Panther using CloudWatch Logs (in SaaS):

A diagram shows how data flows from a customer application into Panther, using the CloudWatch Data Transport. The flow is as follows: Application(s), CloudWatch log group, Subscription filter, Kinesis Firehose, S3 bucket, SNS topic, SQS, Panther application, IAM Role (assumed by Panther, S3 bucket, Panther application, parse & normalize, real-time detections, Long term retention in Snowflake, Alerts generated, Alert destination

How to set up a CloudWatch log source in Panther

Step 1: Configure CloudWatch in the Panther Console

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. In the upper-right corner, click Create New.

  3. Click the Custom Log Formats tile.

  4. On the AWS CloudWatch Logs tile, click Start.

  5. On the Setup your Source page, fill in the fields:

    • Name: Enter a descriptive name of the CloudWatch logs source.

    • Log Group Name: Enter the unique name of the CloudWatch logs group.

    • AWS Account ID: Enter the AWS Account ID number that your CloudWatch log group lives in.

    • Pattern Filter (optional): Use this field to filter data log data received from CloudWatch. Read more in Amazon's documentation on filter and pattern syntax.

    • Log Types: Select the Log Types Panther should use to parse CloudWatch logs. At least one Log Type must be selected from the dropdown menu.

  6. Click Setup.

Step 2: Set up an IAM role

To read objects from your source, Panther needs an AWS IAM role with certain permissions. To set up this role, you can choose from the following options:

  • Using the AWS Console UI

    • If this is the first Data Transport source you are setting up in Panther, select this option.

  • CloudFormation or Terraform File

  • I want to set up everything on my own

On the IAM Role Setup page, there are three options: Using the AWS Console UI, CloudFormation or Terraform File, or I want to set everything up on my own

Using the AWS Console UI

Launch a CloudFormation stack using the AWS console:

  1. On the Create IAM Role page, on the Using the AWS Console UI tile, click Continue.

  2. Click Launch Console UI.

    • You will be redirected to the AWS console in a new browser tab, with the template URL pre-filled.

    • The CloudFormation stack will create an AWS IAM role with the minimum required permissions to read objects from your source.

    • Click the "Outputs" tab of the CloudFormation stack in AWS, and note the Role ARN.

  3. Navigate back to the Panther Console, and enter values in the fields:

    • (Not applicable if setting up an S3 Source) Bucket name – Required: Enter the outputted S3 bucket name.

    • Role ARN – Required: Enter the outputted IAM role ARN.

  4. Click Setup.

Step 3: Finish the source setup

You will be directed to a success screen:

The success screen reads, "Everything looks good! Panther will now automatically pull & process logs from your account"
  • You can optionally enable one or more Detection Packs.

  • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

The "Trigger an alert when no events are processed" toggle is set to YES. The "How long should Panther wait before it sends you an alert that no events have been processed" setting is set to 1 Day
  • If you have not done so already, click Attach or Infer Schemas to attach one or more schemas to the source.

Viewing ingested logs

After your log source is configured, you can search ingested data using Search or Data Explorer.

Manual IAM role creation: Additional steps

If during log source creation you opted to set up the IAM role manually, you must also follow the instructions below to configure your S3 bucket to send notifications when new data arrives.

Step 1: Create or modify an SNS topic

How to create an SNS topic

Note: If you already have configured the bucket to send All object create events to an SNS topic, instead follow the "Modify an existing SNS topic" tab, and subscribe it to Panther's input data queue.

Only one SNS topic (per AWS account) is required, meaning multiple S3 buckets within one AWS account can all use the same SNS topic. If you've already created an SNS topic for a different S3 bucket in the same AWS account, you can skip this step.

First you need to create an SNS Topic and SNS Subscription to notify Panther that new data is ready for processing.

  1. Log into the AWS Console of the account that owns the S3 bucket.

  2. Select the AWS Region where your S3 bucket is located and navigate to the CloudFormation console.

  3. Navigate to the Stacks section. Select Create Stack (with new resources).

  4. Under the "Specify template" section, enter the following Amazon S3 URL:

    https://panther-public-cloudformation-templates.s3-us-west-2.amazonaws.com/panther-log-processing-notifications/latest/template.yml

  5. Specify the following stack details:

    • Stack name: A name of your choice, e.g. panther-log-processing-notifications-<bucket-label>

    • MasterAccountId: The 12 digit AWS Account ID where Panther is deployed

    • PantherRegion: The region where Panther is deployed

    • SnsTopicName: The name of the SNS topic receiving the notification. The default value is panther-notifications-topic

  6. Click Next, Next, and then Create Stack to complete the process.

    • This stack has one output: SnsTopicArn.

Step 2: Configure event notifications on the S3 bucket

With the SNS topic created, the final step is to enable notifications from the S3 buckets.

  1. Navigate to the AWS S3 console, select the relevant bucket, and click the Properties tab.

  2. Locate the Event notifications card.

  3. Click Create event notification and use the following settings:

    • In the General Configuration section:

      • Event name: PantherEventNotifications

      • Prefix (optional): Limits notifications to objects with keys that start with matching characters

      • Suffix (optional): Limits notifications to objects with keys that end in matching characters

        Avoid creating multiple filters that use overlapping prefixes and suffixes. Otherwise, your configuration will not be considered valid.

    • In the Event Types card, check the box next to All object create events.

    • In the Destination card:

      • Under Destination, select SNS topic.

      • For SNS topic, select the SNS topic you created or modified in an earlier step.

        • If you used the default topic name in the CloudFormation template provided, the SNS topic is named panther-notifications-topic.

        • If you are using a custom SNS topic, ensure it has the correct policies set and a subscription to the Panther SQS queue.

4. Click Save.

  • Return to "Step 3: Finish the source setup," above.

Last updated

Was this helpful?