CloudWatch Logs Source

Onboarding CloudWatch as a Data Transport log source in the Panther Console


Panther supports configuring CloudWatch as a Data Transport to pull security logs from CloudWatch into your Panther account.

In order to enable real-time processing of log data, Panther creates a Firehose Delivery Stream and an S3 bucket that serves as the Delivery Stream's destination. A subscription filter is then configured on the CloudWatch Logs log group with the Firehose Delivery Stream as its destination. The IAM role you set up in Step 2 is granted the read permissions needed to process the files Firehose writes to the newly created S3 bucket.

More details on this process can be found in Amazon's documentation: AWS Cloudwatch Logs documentation for subscriptions.
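The chain described above (log group, subscription filter, Firehose Delivery Stream, S3 bucket) can be checked from the AWS side once it exists. The following is an added example, not Panther's own code: the two dictionaries are constructed samples shaped like the responses of `aws logs describe-subscription-filters` and `aws firehose describe-delivery-stream`, and every name, ARN and account ID in them is a placeholder. The `check_chain` function and the other helpers are mine and are not part of Panther.

```python
"""Offline sanity check of the CloudWatch Logs -> Firehose -> S3 delivery chain.

Added example (not Panther's code). The sample responses below are constructed
and mirror the shape of the DescribeSubscriptionFilters and
DescribeDeliveryStream API responses; names, ARNs and account IDs are placeholders.
"""
import re

# Constructed sample: what `aws logs describe-subscription-filters` returns for
# the log group being onboarded (placeholder names and ARNs).
SAMPLE_FILTERS = {
    "subscriptionFilters": [
        {
            "filterName": "panther-cloudwatch-source",
            "logGroupName": "/aws/lambda/app",
            "filterPattern": "",
            "destinationArn": "arn:aws:firehose:us-east-1:123456789012:deliverystream/panther-app-logs",
            "roleArn": "arn:aws:iam::123456789012:role/CWLtoFirehose",
            "distribution": "ByLogStream",
        }
    ]
}

# Constructed sample: what `aws firehose describe-delivery-stream` returns
# (placeholder names and ARNs).
SAMPLE_STREAM = {
    "DeliveryStreamDescription": {
        "DeliveryStreamName": "panther-app-logs",
        "DeliveryStreamARN": "arn:aws:firehose:us-east-1:123456789012:deliverystream/panther-app-logs",
        "DeliveryStreamStatus": "ACTIVE",
        "Destinations": [
            {
                "DestinationId": "destinationId-000000000001",
                "ExtendedS3DestinationDescription": {
                    "RoleARN": "arn:aws:iam::123456789012:role/FirehoseToS3",
                    "BucketARN": "arn:aws:s3:::panther-cloudwatch-app-logs",
                    "Prefix": "",
                },
            }
        ],
    }
}

FIREHOSE_ARN = re.compile(
    r"^arn:aws:firehose:[a-z0-9-]+:\d{12}:deliverystream/(?P<name>[A-Za-z0-9_.-]+)$"
)


def find_firehose_filters(filters_resp, log_group):
    """Return the subscription filters on `log_group` whose destination is a Firehose stream."""
    out = []
    for f in filters_resp.get("subscriptionFilters", []):
        if f.get("logGroupName") == log_group and FIREHOSE_ARN.match(f.get("destinationArn", "")):
            out.append(f)
    return out


def stream_bucket(stream_resp):
    """Return the S3 bucket name a delivery stream writes to, or None if it has no S3 destination."""
    desc = stream_resp["DeliveryStreamDescription"]
    for dest in desc.get("Destinations", []):
        s3 = dest.get("ExtendedS3DestinationDescription") or dest.get("S3DestinationDescription")
        if s3 and s3.get("BucketARN", "").startswith("arn:aws:s3:::"):
            return s3["BucketARN"][len("arn:aws:s3:::"):]
    return None


def check_chain(filters_resp, stream_resp, log_group, expected_bucket):
    """Verify log group -> subscription filter -> Firehose stream -> expected S3 bucket.

    Returns a list of human-readable problems; an empty list means the chain looks right.
    """
    problems = []
    filters = find_firehose_filters(filters_resp, log_group)
    if not filters:
        problems.append(f"no Firehose subscription filter on {log_group}")
        return problems
    # More than one Firehose filter on the same group usually means a stale setup
    # is still attached and events are being delivered twice.
    if len(filters) > 1:
        problems.append(f"{len(filters)} Firehose subscription filters on {log_group}")
    desc = stream_resp["DeliveryStreamDescription"]
    wanted = filters[0]["destinationArn"]
    if desc.get("DeliveryStreamARN") != wanted:
        problems.append(f"filter points at {wanted}, not at the described stream")
    if desc.get("DeliveryStreamStatus") != "ACTIVE":
        problems.append(f"delivery stream status is {desc.get('DeliveryStreamStatus')}")
    bucket = stream_bucket(stream_resp)
    if bucket != expected_bucket:
        problems.append(f"stream writes to {bucket!r}, expected {expected_bucket!r}")
    return problems


if __name__ == "__main__":
    print(check_chain(SAMPLE_FILTERS, SAMPLE_STREAM, "/aws/lambda/app", "panther-cloudwatch-app-logs"))
```

To run this against a live account, replace the two samples with the `json`-loaded output of `aws logs describe-subscription-filters --log-group-name <group>` and `aws firehose describe-delivery-stream --delivery-stream-name <name>`; both calls are read-only and need only `logs:DescribeSubscriptionFilters` and `firehose:DescribeDeliveryStream`.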

See the diagram below to understand how data flows from your application(s) into Panther using CloudWatch Logs (in SaaS):

How to set up a CloudWatch log source in Panther

Step 1: Configure CloudWatch in the Panther Console

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. In the upper-right corner, click Create New.

  3. Click the Custom Log Formats tile.

  4. On the AWS CloudWatch Logs tile, click Start.

  5. On the "Configure your source" page, fill in the fields:

    • Name: Enter a descriptive name of the CloudWatch logs source.

    • Log Group Name: Enter the unique name of the CloudWatch logs group.

    • AWS Account ID: Enter the AWS Account ID number that your CloudWatch log group lives in.

    • Pattern Filter (optional): Use this field to filter the log data received from CloudWatch; only events matching the pattern are forwarded. Read more in Amazon's documentation on filter and pattern syntax.

    • Log Types: Select the Log Types Panther should use to parse CloudWatch logs. At least one Log Type must be selected from the dropdown menu.

  6. Click Setup.

Step 2: Set up an IAM role

Panther needs an AWS IAM role with permissions to read objects from the S3 bucket that the Firehose Delivery Stream writes to.

  1. Choose a method to set up the IAM role:

    • Launch Console.

      • You will be redirected to the AWS console UI with the template URL pre-filled.

    • Get Template.

      • Download the template and apply it through your own pipeline.

    • Configure the role manually.

      • Create the role manually or through your own automation, then fill in the role ARN in the Panther Console. Note, the IAM role policy must include at least the statements defined in the below policy:

            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
                  "Resource": "arn:aws:s3:::<bucket-name>",
                  "Effect": "Allow"
                },
                {
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::<bucket-name>/*",
                  "Effect": "Allow"
                }
              ]
            }

  2. Optionally, check the box next to I want Panther to configure bucket notifications for me to allow Panther to configure bucket notifications automatically.

    • Panther uses S3 Event Notifications for notifications about new files added to your bucket. If you check the box, the provided CloudFormation template will add extra permissions to the IAM role, and Panther will configure bucket notifications automatically. Existing configurations will not be removed or overwritten. Otherwise, you will be prompted to configure bucket notifications manually, at a later step.

    • We strongly suggest you allow Panther to configure bucket notifications, as it will help you monitor the health of the CloudWatch logs and surface issues through Panther's system health notifications.

  3. When the IAM role is ready, fill in the Bucket Name and Role ARN.

    • After the CloudFormation stack creation is complete, you can find the role ARN in the "Outputs" section of the stack in AWS.

  4. Click Continue Setup.
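If you create the role manually, it is worth checking the attached policy before pasting the role ARN into the Console: a missing `s3:GetObject` grant fails silently until ingestion starts, and a hand-written `s3:*` on `*` works but gives Panther far more than it needs. The following is an added example, not Panther's code: `REQUIRED` restates the minimum statements from the policy above, the three sample policies are constructed, the bucket name is a placeholder, and `missing_grants` and `overbroad_statements` are my helpers. The check honours IAM `*`/`?` wildcards in actions and resources and explicit Deny statements, but ignores `Condition` blocks and `NotAction`/`NotResource` (treated as not granting anything), which is an assumption.

```python
"""Check that an IAM policy grants Panther's minimum read access on the Firehose bucket.

Added example (not Panther's code). REQUIRED mirrors the minimum statements from
the documentation; the sample policies are constructed and the bucket name is a
placeholder. Condition blocks are ignored (assumption).
"""
from fnmatch import fnmatchcase

BUCKET = "panther-cloudwatch-app-logs"  # placeholder bucket name
BUCKET_ARN = f"arn:aws:s3:::{BUCKET}"

# Minimum grants from the page: bucket-level list/location plus object reads.
REQUIRED = [
    ("s3:GetBucketLocation", BUCKET_ARN),
    ("s3:ListBucket", BUCKET_ARN),
    ("s3:GetObject", f"{BUCKET_ARN}/*"),
]


def _as_list(value):
    """IAM allows a string or a list in Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, resource, effect):
    """True if `stmt` has the given Effect and its Action/Resource patterns cover (action, resource).

    IAM wildcards (* and ?) are modelled with fnmatch; actions are case-insensitive.
    NotAction/NotResource statements are skipped (assumption: out of scope here).
    """
    if stmt.get("Effect") != effect or "NotAction" in stmt or "NotResource" in stmt:
        return False
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", ["*"] if effect == "Deny" else []))
    return any(fnmatchcase(action.lower(), a) for a in actions) and any(
        fnmatchcase(resource, r) for r in resources
    )


def missing_grants(policy, required=REQUIRED):
    """Return the (action, resource) pairs the policy does not allow, or explicitly denies."""
    stmts = _as_list(policy.get("Statement", []))
    missing = []
    for action, resource in required:
        allowed = any(_matches(s, action, resource, "Allow") for s in stmts)
        denied = any(_matches(s, action, resource, "Deny") for s in stmts)
        if not allowed or denied:
            missing.append((action, resource))
    return missing


def overbroad_statements(policy):
    """Return Allow statements whose Resource reaches beyond the one bucket (least-privilege check)."""
    flagged = []
    for s in _as_list(policy.get("Statement", [])):
        if s.get("Effect") != "Allow":
            continue
        for r in _as_list(s.get("Resource", [])):
            if not (r == BUCKET_ARN or r.startswith(BUCKET_ARN + "/")):
                flagged.append(s)
                break
    return flagged


# Constructed: the page's minimum policy with the placeholder bucket filled in.
MINIMUM_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": BUCKET_ARN},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": f"{BUCKET_ARN}/*"},
    ],
}

# Constructed: works, but grants every S3 action on every bucket in the account.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed: the object-read grant was forgotten; ingestion fails on s3:GetObject.
INCOMPLETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
         "Resource": BUCKET_ARN},
    ],
}


if __name__ == "__main__":
    for name, pol in [("minimum", MINIMUM_POLICY), ("overbroad", OVERBROAD_POLICY),
                      ("incomplete", INCOMPLETE_POLICY)]:
        print(name, "missing:", missing_grants(pol), "overbroad:", len(overbroad_statements(pol)))
```

Run it on the role's inline or attached policy document (for example the output of `aws iam get-role-policy`) with `BUCKET` set to the bucket you enter in the Console; an empty `missing_grants` result and an empty `overbroad_statements` result is what you want before clicking Continue Setup.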

Step 3: Configure bucket notifications and finish source setup

If you have opted in for Panther-managed notifications in step 2, your CloudWatch Logs source is ready to ingest data and you will be directed to a success screen:

  • You can optionally enable one or more Detection Packs.

  • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

  • If you have not done so already, click Attach or Infer Schemas to attach one or more schemas to the source.

Viewing ingested logs

After your log source is configured, you can search ingested data using Search or Data Explorer.
