AWS NLB

Connecting AWS NLB logs to your Panther Console

Overview

Panther supports ingesting Amazon Web Services (AWS) Network Load Balancer (NLB) logs via AWS S3.

AWS NLB access logs only support TLS listeners. TCP and UDP listeners do not generate access logs.

How to onboard AWS NLB logs to Panther

To pull NLB logs into Panther, set up an S3 bucket in the Panther Console to stream data from your AWS account.

In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for "AWS Network Load Balancer," then click its tile.
In upper right-hand corner, click Start Setup.
Follow Panther's documentation for configuring S3 for data transport.

Panther-managed detections

See Panther-managed rules for AWS in the panther-analysis GitHub repository.

Supported NLB logs

AWS.NLB

Network Load Balancer logs Layer 4 TLS connection logs for your network load balancer. For more information, see AWS's documentation on NLB access logs.

schema: AWS.NLB
parser:
  native:
    name: AWS.NLB
description: Network Load Balancer logs Layer 4 TLS connection logs for your network load balancer.
referenceURL: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
fields:
  - name: type
    required: true
    description: The type of request or connection.
    type: string
  - name: version
    required: true
    description: The log format version.
    type: string
  - name: time
    required: true
    description: The time when the connection was closed.
    type: timestamp
    timeFormat: rfc3339
  - name: elb
    description: The resource ID of the load balancer.
    type: string
  - name: listener
    description: The resource ID of the TLS listener.
    type: string
  - name: clientIp
    description: The IP address of the client.
    type: string
  - name: clientPort
    description: The port of the client.
    type: bigint
  - name: destinationIp
    description: The IP address of the destination.
    type: string
  - name: destinationPort
    description: The port of the destination.
    type: bigint
  - name: connectionTime
    description: The total time of the connection in milliseconds.
    type: bigint
  - name: tlsHandshakeTime
    description: The total time for the TLS handshake in milliseconds.
    type: bigint
  - name: receivedBytes
    description: The number of bytes received from the client.
    type: bigint
  - name: sentBytes
    description: The number of bytes sent to the client.
    type: bigint
  - name: incomingTlsAlert
    description: The TLS alert code if an alert was received.
    type: bigint
  - name: chosenCertArn
    description: The ARN of the certificate presented to the client.
    type: string
  - name: chosenCertSerial
    description: Reserved field.
    type: string
  - name: tlsCipher
    description: The TLS cipher suite negotiated.
    type: string
  - name: tlsProtocolVersion
    description: The TLS protocol version.
    type: string
  - name: tlsKeyExchange
    description: The TLS key exchange algorithm.
    type: string
  - name: domainName
    description: The SNI hostname provided by the client.
    type: string
  - name: alpnFeProtocol
    description: The protocol negotiated with the client via ALPN.
    type: string
  - name: alpnBeProtocol
    description: The protocol negotiated with the backend via ALPN.
    type: string
  - name: alpnClientPreferenceList
    description: The list of protocols in the ALPN preference list presented by the client.
    type: array
    element:
      type: string
  - name: tlsConnectionCreationTime
    description: The time when the TLS connection was established.
    type: timestamp
    timeFormat: rfc3339

PreviousAWS GuardDuty NextAWS Security Hub

Last updated 3 days ago

Was this helpful?

schema: AWS.NLB
parser:
  native:
    name: AWS.NLB
description: Network Load Balancer logs Layer 4 TLS connection logs for your network load balancer.
referenceURL: https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-access-logs.html
fields:
  - name: type
    required: true
    description: The type of request or connection.
    type: string
  - name: version
    required: true
    description: The log format version.
    type: string
  - name: time
    required: true
    description: The time when the connection was closed.
    type: timestamp
    timeFormat: rfc3339
  - name: elb
    description: The resource ID of the load balancer.
    type: string
  - name: listener
    description: The resource ID of the TLS listener.
    type: string
  - name: clientIp
    description: The IP address of the client.
    type: string
  - name: clientPort
    description: The port of the client.
    type: bigint
  - name: destinationIp
    description: The IP address of the destination.
    type: string
  - name: destinationPort
    description: The port of the destination.
    type: bigint
  - name: connectionTime
    description: The total time of the connection in milliseconds.
    type: bigint
  - name: tlsHandshakeTime
    description: The total time for the TLS handshake in milliseconds.
    type: bigint
  - name: receivedBytes
    description: The number of bytes received from the client.
    type: bigint
  - name: sentBytes
    description: The number of bytes sent to the client.
    type: bigint
  - name: incomingTlsAlert
    description: The TLS alert code if an alert was received.
    type: bigint
  - name: chosenCertArn
    description: The ARN of the certificate presented to the client.
    type: string
  - name: chosenCertSerial
    description: Reserved field.
    type: string
  - name: tlsCipher
    description: The TLS cipher suite negotiated.
    type: string
  - name: tlsProtocolVersion
    description: The TLS protocol version.
    type: string
  - name: tlsKeyExchange
    description: The TLS key exchange algorithm.
    type: string
  - name: domainName
    description: The SNI hostname provided by the client.
    type: string
  - name: alpnFeProtocol
    description: The protocol negotiated with the client via ALPN.
    type: string
  - name: alpnBeProtocol
    description: The protocol negotiated with the backend via ALPN.
    type: string
  - name: alpnClientPreferenceList
    description: The list of protocols in the ALPN preference list presented by the client.
    type: array
    element:
      type: string
  - name: tlsConnectionCreationTime
    description: The time when the TLS connection was established.
    type: timestamp
    timeFormat: rfc3339