Cloud Storage (GCS) Source

Onboarding GCS as a Data Transport log source in the Panther Console


Panther supports configuring Google Cloud Storage (GCS) as a Data Transport to pull log data directly from GCS buckets, write rules, and run queries on this processed data. Panther uses Pub/Sub to be notified of new data in your bucket that is ready to be consumed.

Data can be sent compressed (or uncompressed). Learn more about compression specifications in Ingesting compressed data in Panther.

How to set up a GCS log source in Panther

Step 1: Begin creating the GCS source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. In the upper-right corner, click Create New.

  3. Click the Custom Log Formats tile.

  4. On the Google Cloud Storage tile, click Start.

  5. On the Basic Info page, fill in the fields:

    • Name: Enter a descriptive name for the GCS log source.

    • Prefixes & Schemas: Define combinations of prefixes, schemas, and exclusion filters, according the structure of your data storage in GCS.

      • To attach one or more schemas to all data in the bucket, leave the GCS Prefix field blank. This will create a wildcard (*) prefix.

  6. Click Setup.

  7. On the Log Format page, select the stream type of the incoming logs:

    • Auto

    • Lines

    • JSON

    • JSON Array

  8. Click Continue.

Step 2: Create required Google Cloud Platform (GCP) infrastructure

You can set up required GCP infrastructure by applying a Terraform template provided by Panther, or manually, in the GCP console.

Using Terraform to configure GCP infrastructure

  1. On the "Infrastructure & Credentials" page, click Terraform Template to download the Terraform template.

  2. Fill out the fields in the panther.tfvars file with your configuration.

  3. Initialize a working directory containing Terraform configuration files by running the Terraform Command schema provided.

  4. Copy the corresponding Terraform of gcloud command schema provided and run it in your CLI.

  5. Generate a JSON key file by replacing the value for your service account email in the gcloud command code listed.

    • You can find the key file in the output of the Terraform run.

Step 3: Provide key file and configuration values to Panther

  1. Under Provide pulling configuration & JSON Keyfile, upload your JSON key file.

  2. Click Setup. You will be directed to a success screen:

    • You can optionally enable one or more Detection Packs.

    • If you have not done so already, click Attach or Infer Schemas to attach one or more schemas to the source.

    • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Viewing ingested logs

After your log source is configured, you can search ingested data using Search or Data Explorer.

Last updated