How to onboard AWS CloudFront standard logs to Panther
Step 1: Enable standard logging in your CloudFront distribution
To pull CloudFront logs into Panther, you'll first need to enable standard logging in the CloudFront distribution you want to monitor. The instructions below explain how to edit an existing distribution, but it's also possible to activate standard logging while creating a new distribution.
In your AWS console, navigate to CloudFront.
In the left-hand navigation bar, click Distributions.
Locate the distribution of interest, then click it.
In the upper-right corner of the Settings tile, click Edit.
Scroll down to the Standard logging field, and set it to On. Configure the fields that appear:
S3 bucket: Enter the name of the bucket you'd like the logs to be sent to.
Log prefix - optional: If you'd like, enter a prefix value to be prepended to log file names.
Cookie logging: Optionally set this field to On.
If Cookie logging is set to On, the AWS.CloudFrontAccess schema will capture cookies sent in standard logs.
Step 2: Create a CloudFront log source in Panther
If the S3 bucket where you are routing CloudFront standard logs is already onboarded in Panther, you can simply attach the AWS.CloudFrontAccess schema to that source and skip this step.
In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
schema: AWS.CloudFrontAccess
parser:
csv:
delimiter: "\t"
columns:
- date
- time
- x-edge-location
- sc-bytes
- c-ip
- cs-method
- cs-Host
- cs-uri-stem
- sc-status
- cs-Referer
- cs-UserAgent
- cs-uri-query
- cs-Cookie
- x-edge-result-type
- x-edge-request-id
- x-host-header
- cs-protocol
- cs-bytes
- time-taken
- x-forwarded-for
- ssl-protocol
- ssl-cipher
- x-edge-response-result-type
- cs-protocol-version
- fle-status
- fle-encrypted-fields
- c-port
- time-to-first-byte
- x-edge-detailed-result-type
- sc-content-type
- sc-content-len
- sc-range-start
- sc-range-end
skipPrefix: '#'
emptyValues:
- '-'
expandFields:
timestamp: '%{date} %{time}'
fields:
- name: timestamp
description: The datetime (date and time) on which the event occurred.
type: timestamp
timeFormat: '%Y-%m-%d %H:%M:%S'
isEventTime: true
- name: x-edge-location
description: The AWS Edge Location that handled the request.
type: string
- name: sc-bytes
description: The number of bytes sent to the client.
type: bigint
- name: c-ip
description: The IP address of the viewer that made the request.
type: string
indicators:
- ip
- name: cs-method
description: The HTTP method used in the request.
type: string
- name: cs-Host
description: The host header in the request.
type: string
indicators:
- hostname
- name: cs-uri-stem
description: The URI stem of the request.
type: string
- name: sc-status
description: The HTTP status code of the response.
type: bigint
- name: cs-Referer
description: The HTTP referrer.
type: string
indicators:
- url
- name: cs-UserAgent
description: The User-Agent header in the request.
type: string
- name: cs-uri-query
description: The query string portion of the URI.
type: string
- name: cs-Cookie
description: The Cookie header in the request, if any.
type: string
- name: x-edge-result-type
description: The type of result of the request.
type: string
- name: x-edge-request-id
description: The unique request ID generated by CloudFront.
type: string
- name: x-host-header
description: The host header in the request.
type: string
- name: cs-protocol
description: The protocol used in the request.
type: string
- name: cs-bytes
description: The response bytes.
type: bigint
- name: time-taken
description: The time in seconds from when the server receives the viewer's request to when the server writes the last byte of the response to the output queue.
type: float
- name: x-forwarded-for
description: The IP address of the viewer that originated the request.
type: string
indicators:
- ip
- name: ssl-protocol
description: The SSL/TLS protocol negotiated for transmitting the request and response.
type: string
- name: ssl-cipher
description: The SSL/TLS cipher negotiated for encrypting the request and response.
type: string
- name: x-edge-response-result-type
description: 'How the server classified the response just before returning it to the viewer. Can be one of: Hit, RefreshHit, Miss, LimitExceeded, CapacityExceeded, Error, Redirect'
type: string
- name: cs-protocol-version
description: The HTTP version specified by the viewer in the request.
type: string
- name: fle-status
description: Field-level encryption status indicating whether the request body was successfully processed.
type: string
- name: fle-encrypted-fields
description: The number of field-level encryption fields encrypted and forwarded to the origin.
type: string
- name: c-port
description: The port number of the request from the viewer.
type: bigint
- name: time-to-first-byte
description: The time in seconds between receiving the request and writing the first byte of the response.
type: float
- name: x-edge-detailed-result-type
description: A detailed result type providing additional information about certain errors.
type: string
- name: sc-content-type
description: The value of the HTTP Content-Type header of the response.
type: string
- name: sc-content-len
description: The value of the HTTP Content-Length header of the response.
type: bigint
- name: sc-range-start
description: The range start value when the response contains the HTTP Content-Range header.
type: bigint
- name: sc-range-end
description: The range end value when the response contains the HTTP Content-Range header.
type: bigint
