CloudWatch Logs Source

Onboarding CloudWatch as a Data Transport log source in the Panther Console


Follow the steps below to enable secure access for Panther to pull security logs from CloudWatch.
In order to enable real-time processing of log data, Panther will create a Firehose Delivery Stream and an S3 Bucket that will be used as the Delivery Stream's destination. A subscription filter is then configured for the CloudWatch Logs log group using the Firehose Delivery Stream as its destination. The required read permissions for processing files added by Firehose to the newly created S3 bucket are granted to the IAM role.
More details on this process can be found in Amazon's documentation: AWS Cloudwatch Logs documentation for subscriptions.
See the diagram below to understand how data flows from your application(s) into Panther using CloudWatch Logs.
A diagram shows how data flows from a customer application into Panther, using the CloudWatch Data Transport. The flow is as follows: Application(s), CloudWatch log group, Subscription filter, Kinesis Firehose, S3 bucket, SNS topic, SQS, Panther application, IAM Role (assumed by Panther, S3 bucket, Panther application, parse & normalize, real-time detections, Long term retention in Snowflake, Alerts generated, Alert destination

How to connect CloudWatch as a Data Transport log source

Configure CloudWatch in the Panther Console

Follow the steps below to enable secure access for Panther to pull security logs from CloudWatch.
  1. 1.
    Log in to your Panther Console.
  2. 2.
    In the left sidebar menu click Configure > Log Sources.
  3. 3.
    In the upper right corner, click Create New.
  4. 4.
    Click the Custom Log Formats tile.
  5. 5.
    Click AWS CloudWatch Logs.
  6. 6.
    On the "Configure your source" page, fill in the fields:
    • Name: Enter a descriptive name of the CloudWatch logs source.
    • Log Group Name: Enter the unique name of the CloudWatch logs group.
    • AWS Account ID: Enter the AWS Account ID number that your CloudWatch log group lives in.
    • Pattern Filter (optional): Use this field to filter data log data received from CloudWatch. Read more in Amazon's documentation on filter and pattern syntax.
    • Log Types: Select the Log Types Panther should use to parse CloudWatch logs. At least one Log Type must be selected from the dropdown menu.
  7. 7.
    Click Continue.

Setup an IAM role

Panther needs an AWS IAM role with permissions to read objects from your CloudWatch log source.
  1. 1.
    Choose a method set up the IAM role:
    • Launch Console.
      • You will be redirected to the AWS console UI with the template URL pre-filled.
    • Get Template.
      • Download the template and apply it through your own pipeline.
    • Configure the role manually.
      • Create the role manually or through your own automation, then fill in the role ARN in the Panther Console. Note, the IAM role policy must include at least the statements defined in the below policy:
        "Version": "2012-10-17",
        "Statement": [
        "Action": ["s3:GetBucketLocation", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::<bucket-name>",
        "Effect": "Allow"
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::<bucket-name>/*",
        "Effect": "Allow"
  2. 2.
    Optionally, Check the box next to I want Panther to configure bucket notifications for me to allow Panther to configure bucket notifications automatically.
    • Panther uses S3 Event Notifications for notifications about new files added to your bucket. If you check the box, the provided CloudFormation template will add extra permissions to the IAM role, and Panther will configure bucket notifications automatically. Existing configurations will not be removed or overwritten. Otherwise, you will be prompted to configure bucket notifications manually, at a later step.
    • We strongly suggest you allow Panther to configure bucket notifications, as it will help you monitor the health of the CloudWatch logs and surface issues through Panther's system health notifications.
  3. 3.
    When the IAM role is ready, fill in the Bucket Name and Role ARN.
    • After the CloudFormation stack creation is complete, you can find the role ARN in the "Outputs" section of the stack in AWS.
  4. 4.
    Click Continue Setup.

Configure bucket notifications and finish source setup

If you have opted in for Panther-managed notifications in step 2, your S3 source is ready to ingest data and a success page is shown:
A screen in the Panther Console displays the message "Everything looks good!"
To finish the source setup:
  1. 1.
    Optionally configure a log drop-off alarm.
    • Before you finish the setup, we recommend that you create a log drop-off alarm to alert you if data stops flowing from the log source. Be sure to set an appropriate time interval for when you would like Panther to alert you that the log source is not sending data.
  2. 2.
    Optionally enable a Detection Pack.
  3. 3.
    Click Finish Setup.

Viewing Collected Logs

After log sources are configured, your data can be searched with Data Explorer.
Last modified 2mo ago