How to onboard AWS CloudFront standard logs to Panther
Step 1: Enable standard logging in your CloudFront distribution
To pull CloudFront logs into Panther, you'll first need to enable standard logging in the CloudFront distribution you want to monitor. The instructions below explain how to edit an existing distribution, but it's also possible to activate standard logging while creating a new distribution.
In your AWS console, navigate to CloudFront.
In the left-hand navigation bar, click Distributions.
Locate the distribution of interest, then click it.
In the upper-right corner of the Settings tile, click Edit.
Scroll down to the Standard logging field, and set it to On. Configure the fields that appear:
S3 bucket: Enter the name of the bucket you'd like the logs to be sent to.
Log prefix - optional: If you'd like, enter a prefix value to be prepended to log file names.
Cookie logging: Optionally set this field to On.
If Cookie logging is set to On, the AWS.CloudFrontAccess schema will capture cookies sent in standard logs.
Step 2: Create a CloudFront log source in Panther
If the S3 bucket where you are routing CloudFront standard logs is already onboarded in Panther, you can simply attach the AWS.CloudFrontAccess schema to that source and skip this step.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
You will need to provide the name of the S3 bucket you used in Step 1.
Supported Logs
AWS.CloudFrontAccess
schema: AWS.CloudFrontAccess
parser:
  csv:
    delimiter: "\t"
    columns:
      - date
      - time
      - x-edge-location
      - sc-bytes
      - c-ip
      - cs-method
      - cs-Host
      - cs-uri-stem
      - sc-status
      - cs-Referer
      - cs-UserAgent
      - cs-uri-query
      - cs-Cookie
      - x-edge-result-type
      - x-edge-request-id
      - x-host-header
      - cs-protocol
      - cs-bytes
      - time-taken
      - x-forwarded-for
      - ssl-protocol
      - ssl-cipher
      - x-edge-response-result-type
      - cs-protocol-version
      - fle-status
      - fle-encrypted-fields
      - c-port
      - time-to-first-byte
      - x-edge-detailed-result-type
      - sc-content-type
      - sc-content-len
      - sc-range-start
      - sc-range-end
    skipPrefix: '#'
    emptyValues:
      - '-'
    expandFields:
      timestamp: '%{date} %{time}'
fields:
  - name: timestamp
    description: The datetime (date and time) on which the event occurred.
    type: timestamp
    timeFormat: '%Y-%m-%d %H:%M:%S'
    isEventTime: true
  - name: x-edge-location
    description: The AWS Edge Location that handled the request.
    type: string
  - name: sc-bytes
    description: The number of bytes sent to the client.
    type: bigint
  - name: c-ip
    description: The IP address of the viewer that made the request.
    type: string
    indicators:
      - ip
  - name: cs-method
    description: The HTTP method used in the request.
    type: string
  - name: cs-Host
    description: The host header in the request.
    type: string
    indicators:
      - hostname
  - name: cs-uri-stem
    description: The URI stem of the request.
    type: string
  - name: sc-status
    description: The HTTP status code of the response.
    type: bigint
  - name: cs-Referer
    description: The HTTP referrer.
    type: string
    indicators:
      - url
  - name: cs-UserAgent
    description: The User-Agent header in the request.
    type: string
  - name: cs-uri-query
    description: The query string portion of the URI.
    type: string
  - name: cs-Cookie
    description: The Cookie header in the request, if any.
    type: string
  - name: x-edge-result-type
    description: The type of result of the request.
    type: string
  - name: x-edge-request-id
    description: The unique request ID generated by CloudFront.
    type: string
  - name: x-host-header
    description: The host header in the request.
    type: string
  - name: cs-protocol
    description: The protocol used in the request.
    type: string
  - name: cs-bytes
    description: The response bytes.
    type: bigint
  - name: time-taken
    description: The time in seconds from when the server receives the viewer's request to when the server writes the last byte of the response to the output queue.
    type: float
  - name: x-forwarded-for
    description: The IP address of the viewer that originated the request.
    type: string
    indicators:
      - ip
  - name: ssl-protocol
    description: The SSL/TLS protocol negotiated for transmitting the request and response.
    type: string
  - name: ssl-cipher
    description: The SSL/TLS cipher negotiated for encrypting the request and response.
    type: string
  - name: x-edge-response-result-type
    description: 'How the server classified the response just before returning it to the viewer. Can be one of: Hit, RefreshHit, Miss, LimitExceeded, CapacityExceeded, Error, Redirect'
    type: string
  - name: cs-protocol-version
    description: The HTTP version specified by the viewer in the request.
    type: string
  - name: fle-status
    description: Field-level encryption status indicating whether the request body was successfully processed.
    type: string
  - name: fle-encrypted-fields
    description: The number of field-level encryption fields encrypted and forwarded to the origin.
    type: string
  - name: c-port
    description: The port number of the request from the viewer.
    type: bigint
  - name: time-to-first-byte
    description: The time in seconds between receiving the request and writing the first byte of the response.
    type: float
  - name: x-edge-detailed-result-type
    description: A detailed result type providing additional information about certain errors.
    type: string
  - name: sc-content-type
    description: The value of the HTTP Content-Type header of the response.
    type: string
  - name: sc-content-len
    description: The value of the HTTP Content-Length header of the response.
    type: bigint
  - name: sc-range-start
    description: The range start value when the response contains the HTTP Content-Range header.
    type: bigint
  - name: sc-range-end
    description: The range end value when the response contains the HTTP Content-Range header.
    type: bigint
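The schema above is declarative, so it helps to see what the parser settings actually do to a raw CloudFront log file: the tab delimiter splits each line into the 33 listed columns, skipPrefix drops the #Version and #Fields header lines, emptyValues turns a bare '-' into an absent field, and expandFields builds the event timestamp from the separate date and time columns. The Python below is an added example that mirrors those rules in plain code and then runs a small per-client error-ratio check over the parsed events; it is not Panther's parser or any Panther-provided code. The sample log lines, the distribution name dexample.cloudfront.net, the request ID and the client IPs are constructed for the example.

```python
"""Added example (not Panther code): parse CloudFront standard log lines
following the AWS.CloudFrontAccess schema rules, then run a small check over
the parsed events. All sample data below is constructed."""
from datetime import datetime
from typing import Dict, List, Optional

# Column order copied from the schema's parser.csv.columns block.
COLUMNS = [
    "date", "time", "x-edge-location", "sc-bytes", "c-ip", "cs-method",
    "cs-Host", "cs-uri-stem", "sc-status", "cs-Referer", "cs-UserAgent",
    "cs-uri-query", "cs-Cookie", "x-edge-result-type", "x-edge-request-id",
    "x-host-header", "cs-protocol", "cs-bytes", "time-taken",
    "x-forwarded-for", "ssl-protocol", "ssl-cipher",
    "x-edge-response-result-type", "cs-protocol-version", "fle-status",
    "fle-encrypted-fields", "c-port", "time-to-first-byte",
    "x-edge-detailed-result-type", "sc-content-type", "sc-content-len",
    "sc-range-start", "sc-range-end",
]
# Field types from the schema's fields block; everything else stays a string.
BIGINT_FIELDS = {"sc-bytes", "sc-status", "cs-bytes", "c-port",
                 "sc-content-len", "sc-range-start", "sc-range-end"}
FLOAT_FIELDS = {"time-taken", "time-to-first-byte"}
SKIP_PREFIX = "#"                   # skipPrefix: '#'
EMPTY_VALUES = {"-"}                # emptyValues: ['-']
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"   # timeFormat of the expanded timestamp


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return one event dict for a data line, or None for a skipped line."""
    line = line.rstrip("\r\n")
    if not line or line.startswith(SKIP_PREFIX):
        return None                     # blank line or '#' header line
    parts = line.split("\t")            # delimiter: "\t"
    if len(parts) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(parts)}")
    raw = dict(zip(COLUMNS, parts))
    event: Dict[str, object] = {}
    for name, value in raw.items():
        if value in EMPTY_VALUES:
            continue                    # '-' means no value: field is omitted
        if name in BIGINT_FIELDS:
            event[name] = int(value)
        elif name in FLOAT_FIELDS:
            event[name] = float(value)
        else:
            event[name] = value
    # expandFields: timestamp = '%{date} %{time}', parsed with timeFormat.
    event["timestamp"] = datetime.strptime(f"{raw['date']} {raw['time']}", TIME_FORMAT)
    event.pop("date", None)             # only the expanded field is kept,
    event.pop("time", None)             # as in the schema's fields list
    return event


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse a whole log file body into a list of events."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def error_heavy_clients(events: List[Dict[str, object]],
                        min_requests: int = 3, ratio: float = 0.5) -> List[str]:
    """Client IPs whose share of 4xx/5xx responses reaches `ratio`; a baseline
    a detection over sc-status and c-ip could start from."""
    totals: Dict[str, int] = {}
    errors: Dict[str, int] = {}
    for e in events:
        ip, status = e.get("c-ip"), e.get("sc-status")
        if ip is None or status is None:
            continue
        totals[ip] = totals.get(ip, 0) + 1
        if status >= 400:
            errors[ip] = errors.get(ip, 0) + 1
    return sorted(ip for ip, n in totals.items()
                  if n >= min_requests and errors.get(ip, 0) / n >= ratio)


def _row(time: str, c_ip: str, method: str, stem: str, status: str,
         result: str, query: str = "-") -> str:
    """Build one constructed 33-column, tab-delimited log line."""
    return "\t".join([
        "2024-05-01", time, "IAD89-C1", "1043", c_ip, method,
        "dexample.cloudfront.net", stem, status, "-", "Mozilla/5.0", query, "-",
        result, "REQID-CONSTRUCTED", "www.example.com", "https", "512", "0.002",
        "-", "TLSv1.3", "TLS_AES_128_GCM_SHA256", result, "HTTP/2.0", "-", "-",
        "51234", "0.001", result, "text/html", "843", "-", "-",
    ])


# Constructed sample file: two header lines, then five requests from two clients.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + " ".join(COLUMNS),
    _row("12:00:01", "192.0.2.10", "GET", "/index.html", "200", "Hit"),
    _row("12:00:02", "192.0.2.10", "GET", "/app.js", "200", "Hit"),
    _row("12:00:03", "198.51.100.7", "GET", "/admin", "403", "Error"),
    _row("12:00:04", "198.51.100.7", "GET", "/old-page.html", "404", "Error"),
    _row("12:00:05", "198.51.100.7", "GET", "/", "200", "Miss", query="id=1"),
])

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(f"parsed {len(parsed)} events")
    print("error-heavy clients:", error_heavy_clients(parsed))
```

Running the file parses five events (the two '#' lines are dropped), turns sc-status and c-port into integers, omits fields that were '-' (so `"cs-Referer" not in event`), and reports 198.51.100.7, whose two errors in three requests exceed the 50% ratio, while 192.0.2.10 falls under the minimum request count. A column-count mismatch raises rather than silently misaligning fields, which is the failure you want to notice when the log format or the column list drifts.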