Knowledge Base Community Release Notes Training Videos Request Demo

AWS Config

Connecting AWS Configuration logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Config configuration snapshot logs via AWS S3. Panther does not support AWS Config History logs.

How to onboard AWS Config logs to Panther

After AWS Config is configured to generate configuration snapshot logs via the AWS CLI, they will be sent to an S3 bucket.

To then pull these logs into Panther, you will need to set up an S3 bucket in the Panther Console.

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for “AWS Config,” then click its tile.

    • On the next screen, the Transport Mechanism dropdown in the upper right corner will be populated with the AWS S3 Bucket option.

  4. Click Start Setup.

  5. Follow Panther’s documentation for configuring S3 for data transport.

    • While configuring the S3 bucket source in Panther, configure the following exclusion filter: *_Config_*ConfigHistory*.json.gz. This will ensure that Panther ignores S3 objects containing unsupported Config History logs.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis Github repository.

Supported AWS Config logs

AWS.Config

Record and evaluate snapshots of your AWS resources' configurations. For more information, see AWS's documentation on how Config works.

The Panther-managed AWS.Config schema is specially designed to extract events out of a configurationItems envelope, which is how they arrive from AWS. This works based on the S3 key name. If you clone this schema and/or try to apply it on files that are not named in the same way that AWS names them, you may receive classification failures.

The event time (p_event_time) is the time the snapshot was created.

schema: AWS.Config
fields:
  - name: relatedEvents
    description: RelatedEvents field
    type: array
    element:
      type: json
  - name: relationships
    description: Relationships field
    type: array
    element:
      type: object
      fields:
        - name: resourceId
          description: ResourceId field
          type: string
        - name: resourceType
          description: ResourceType field
          type: string
        - name: name
          description: Name field
          type: string
  - name: configuration
    required: true
    description: Configuration field
    type: json
  - name: supplementaryConfiguration
    description: SupplementaryConfiguration field
    type: json
  - name: tags
    description: Tags field
    type: json
  - name: configurationItemVersion
    description: ConfigurationItemVersion field
    type: string
  - name: configurationItemCaptureTime
    required: true
    description: ConfigurationItemCaptureTime field
    type: timestamp
    timeFormat: rfc3339
    isEventTime: true
  - name: configurationStateId
    description: ConfigurationStateId field
    type: bigint
  - name: awsAccountId
    required: true
    description: AwsAccountId field
    type: string
    indicators:
      - aws_account_id
  - name: configurationItemStatus
    description: ConfigurationItemStatus field
    type: string
  - name: resourceType
    required: true
    description: ResourceType field
    type: string
  - name: resourceId
    description: ResourceId field
    type: string
  - name: resourceName
    description: ResourceName field
    type: string
  - name: ARN
    description: ARN field
    type: string
    indicators:
      - aws_arn
  - name: awsRegion
    description: AwsRegion field
    type: string
  - name: availabilityZone
    description: AvailabilityZone field
    type: string
  - name: configurationStateMd5Hash
    description: ConfigurationStateMd5Hash field
    type: string
    indicators:
      - md5
  - name: resourceCreationTime
    description: ResourceCreationTime field
    type: timestamp
    timeFormat: rfc3339
PreviousAWS CloudWatchNextAWS EKS

Last updated