Panther supports ingesting Amazon Web Services (AWS) via common options: AWS S3, AWS SQS, or via a direct CloudWatch integration.
Panther also supports ingesting logs stored in CloudWatch. For more information, see the documentation on using .
How to onboard AWS CloudWatch events to Panther
To pull CloudWatch logs into Panther, you will need to set up an S3 bucket or SQS queue in the Panther Console to stream data from your AWS account.
In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search "AWS" to see the list of available log sources.
Select AWS CloudWatch Events.
Select a transport method for your source to begin setup, and follow the respective Panther documentation below:
Panther-built detections
Supported AWS CloudWatch logs
AWS.CloudWatchEvents
schema: AWS.CloudWatchEvents
parser:
native:
name: AWS.CloudWatchEvents
description: CloudWatch Events describe changes in AWS resources.
referenceURL: https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/CloudWatchEventsandEventPatterns.html
fields:
- name: id
required: true
description: A unique value is generated for every event. This can be helpful in tracing events as they move through rules to targets, and are processed.
type: string
- name: account
required: true
description: The 12-digit number identifying an AWS account.
type: string
- name: source
required: true
description: Identifies the service that sourced the event. All events sourced from within AWS begin with 'aws'. Customer-generated events can have any value here, as long as it doesn't begin with 'aws'. We recommend the use of Java package-name style reverse domain-name strings.
type: string
- name: resources
required: true
description: This JSON array contains ARNs that identify resources that are involved in the event. Inclusion of these ARNs is at the discretion of the service. For example, Amazon EC2 instance state-changes include Amazon EC2 instance ARNs, Auto Scaling events include ARNs for both instances and Auto Scaling groups, but API calls with AWS CloudTrail do not include resource ARNs.
type: array
element:
type: string
- name: region
required: true
description: Identifies the AWS region where the event originated.
type: string
- name: detail-type
required: true
description: Identifies, in combination with the source field, the fields and values that appear in the detail field.
type: string
- name: version
required: true
description: By default, this is set to 0 (zero) in all events.
type: string
- name: time
required: true
description: The event timestamp, which can be specified by the service originating the event. If the event spans a time interval, the service might choose to report the start time, so this value can be noticeably before the time the event is actually received.
type: timestamp
timeFormat: rfc3339
- name: detail
required: true
description: A JSON object, whose content is at the discretion of the service originating the event. The detail content in the example above is very simple, just two fields. AWS API call events have detail objects with around 50 fields nested several levels deep.
type: json
See Panther's prewritten AWS rules in .
CloudWatch Events describe changes in AWS resources. For more information, see .
