AWS Aurora
Connecting AWS Aurora MySQL Relational Database Service (RDS) logs to your Panther Console
Overview
Panther supports ingesting Amazon Web Services (AWS) Aurora MySQL Relational Database Service (RDS) logs via AWS S3.
How to onboard AWS Aurora logs to Panther
To pull Aurora logs into Panther, you will need to set up an S3 bucket in the Panther Console to stream data from your AWS account.
In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search "AWS" to see the list of available log sources.
Select AWS Aurora MySQL.
Select AWS S3 Bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for data transport.
Panther-built detections
See Panther's prewritten AWS rules in the panther-analysis Github repository.
Supported AWS Aurora logs
AWS.AuroraMySQLAudit
AuroraMySQLAudit is an RDS Aurora audit log containing context on database calls. For more information, see AWS's documentation on Aurora MySQL database cluster auditing.
schema: AWS.AuroraMySQLAudit
parser:
native:
name: AWS.AuroraMySQLAudit
description: AuroraMySQLAudit is an RDS Aurora audit log which contains context around database calls.
referenceURL: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Auditing.html
fields:
- name: timestamp
description: The timestamp for the logged event with microsecond precision (UTC).
type: timestamp
timeFormat: rfc3339
- name: serverHost
description: The name of the instance that the event is logged for.
type: string
- name: username
description: The connected user name of the user.
type: string
- name: host
description: The host that the user connected from.
type: string
- name: connectionId
description: The connection ID number for the logged operation.
type: bigint
- name: queryId
description: The query ID number, which can be used for finding the relational table events and related queries. For TABLE events, multiple lines are added.
type: bigint
- name: operation
required: true
description: 'The recorded action type. Possible values are: CONNECT, QUERY, READ, WRITE, CREATE, ALTER, RENAME, and DROP.'
type: string
- name: database
description: The active database, as set by the USE command.
type: string
- name: object
description: For QUERY events, this value indicates the executed query. For TABLE events, it indicates the table name.
type: string
- name: retCode
description: The return code of the logged operation.
type: bigint
Last updated
Was this helpful?