Connecting AWS S3 Access logs to your Panther Console


Panther supports ingesting Amazon Web Services (AWS) S3 logs via an S3 bucket.

How to onboard AWS S3 logs to Panther

To pull S3 logs into Panther, you will need to set up an S3 bucket in the Panther Console to stream data from your AWS account.
  1. Log in to your Panther Console.
  2. In the left sidebar menu, click Configure > Log Sources.
  3. Click Create.
  4. Search "AWS" to see the list of available log sources.
  5. Select AWS S3 Server Access.
  6. Select AWS S3 Bucket for your source to begin setup. Follow Panther’s documentation for configuring S3 for Data Transport.

Panther-built detections

See Panther's prewritten AWS rules in the panther-analysis GitHub repository.

Querying logs in Data Explorer

See example SQL queries, for use in Panther's Data Explorer, in S3 Access logs queries.

Supported AWS S3 logs


S3ServerAccess is an S3 access log. For more information, see AWS's documentation on S3 log format.
schema: AWS.S3ServerAccess
description: S3ServerAccess is an AWS S3 Access Log.
fields:
  - name: bucketowner
    required: true
    description: The canonical user ID of the owner of the source bucket. The canonical user ID is another form of the AWS account ID.
    type: string
  - name: bucket
    description: The name of the bucket that the request was processed against. If the system receives a malformed request and cannot determine the bucket, the request will not appear in any server access log.
    type: string
  - name: time
    description: The time at which the request was received (UTC).
    type: timestamp
    timeFormat: rfc3339
  - name: remoteip
    description: The apparent internet address of the requester. Intermediate proxies and firewalls might obscure the actual address of the machine making the request.
    type: string
  - name: requester
    description: The canonical user ID of the requester, or NULL for unauthenticated requests. If the requester was an IAM user, this field returns the requester's IAM user name along with the AWS root account that the IAM user belongs to. This identifier is the same one used for access control purposes.
    type: string
  - name: requestid
    description: A string generated by Amazon S3 to uniquely identify each request.
    type: string
  - name: operation
    description: The operation listed here is declared as SOAP.operation, REST.HTTP_method.resource_type, WEBSITE.HTTP_method.resource_type, or BATCH.DELETE.OBJECT.
    type: string
  - name: key
    description: The key part of the request, URL encoded, or NULL if the operation does not take a key parameter.
    type: string
  - name: requesturi
    description: The Request-URI part of the HTTP request message.
    type: string
  - name: httpstatus
    description: The numeric HTTP status code of the response.
    type: bigint
  - name: errorcode
    description: The Amazon S3 Error Code, or NULL if no error occurred.
    type: string
  - name: bytessent
    description: The number of response bytes sent, excluding HTTP protocol overhead, or NULL if zero.
    type: bigint
  - name: objectsize
    description: The total size of the object in question.
    type: bigint
  - name: totaltime
    description: The number of milliseconds the request was in flight from the server's perspective. This value is measured from the time your request is received to the time that the last byte of the response is sent. Measurements made from the client's perspective might be longer due to network latency.
    type: bigint
  - name: turnaroundtime
    description: The number of milliseconds that Amazon S3 spent processing your request. This value is measured from the time the last byte of your request was received until the time the first byte of the response was sent.
    type: bigint
  - name: referrer
    description: The value of the HTTP Referer header, if present. HTTP user-agents (for example, browsers) typically set this header to the URL of the linking or embedding page when making a request.
    type: string
  - name: useragent
    description: The value of the HTTP User-Agent header.
    type: string
  - name: versionid
    description: The version ID in the request, or NULL if the operation does not take a versionId parameter.
    type: string
  - name: hostid
    description: The x-amz-id-2 or Amazon S3 extended request ID.
    type: string
  - name: signatureversion
    description: The signature version, SigV2 or SigV4, that was used to authenticate the request or NULL for unauthenticated requests.
    type: string
  - name: ciphersuite
    description: The Secure Sockets Layer (SSL) cipher that was negotiated for HTTPS request or NULL for HTTP.
    type: string
  - name: authenticationtype
    description: The type of request authentication used, AuthHeader for authentication headers, QueryString for query string (pre-signed URL) or NULL for unauthenticated requests.
    type: string
  - name: hostheader
    description: The endpoint used to connect to Amazon S3.
    type: string
  - name: tlsVersion
    description: "The Transport Layer Security (TLS) version negotiated by the client. The value is one of following: TLSv1, TLSv1.1, TLSv1.2; or NULL if TLS wasn't used."
    type: string
  - name: accesspointarn
    description: "The Amazon Resource Name (ARN) of the access point of the request."
    type: string
  - name: aclrequired
    description: "A string that indicates whether the request required an access control list (ACL) for authorization."
    type: string
  - name: additionalFields
    description: The remaining columns in the record as an array.
    type: array
    element:
      type: string
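
The following is an added example, not taken from this page or from the panther-analysis repository: a Panther-style Python detection that uses the ciphersuite, tlsVersion, requester and httpstatus fields of the schema above to flag plaintext or legacy-TLS requests and unauthenticated requests that succeeded. It assumes fields logged as NULL are absent from the parsed event; the sample events, the TLS12 and USER helpers and the findings function are constructed for illustration.

```python
# Added example: Panther-style detection over AWS.S3ServerAccess events.
# Assumption: fields logged as NULL are absent from the parsed event (None).
WEAK_TLS = {"TLSv1", "TLSv1.1"}  # older values named in the tlsVersion field


def findings(event):
    """Return the reasons an access-log event deserves review (may be empty)."""
    reasons = []
    status = event.get("httpstatus")
    succeeded = status is not None and 200 <= status < 300

    # ciphersuite is NULL for plain HTTP; otherwise check the TLS version.
    if not event.get("ciphersuite"):
        reasons.append("plaintext HTTP request")
    elif event.get("tlsVersion") in WEAK_TLS:
        reasons.append(f"legacy {event['tlsVersion']} negotiated")

    # requester is NULL for unauthenticated requests; only successes matter.
    if succeeded and not event.get("requester"):
        reasons.append("unauthenticated request succeeded")
    return reasons


def rule(event):
    return bool(findings(event))


def title(event):
    return (f"S3 access to {event.get('bucket', '<unknown>')} from "
            f"{event.get('remoteip', '<unknown>')}: {'; '.join(findings(event))}")


# Constructed sample events (not real log data), keyed by schema field names.
TLS12 = {"ciphersuite": "ECDHE-RSA-AES128-GCM-SHA256", "tlsVersion": "TLSv1.2"}
USER = "arn:aws:iam::123456789012:user/example"  # constructed requester value
SAMPLE_EVENTS = [
    {"bucket": "example-bucket", "remoteip": "192.0.2.10", "requester": USER,
     "operation": "REST.GET.OBJECT", "httpstatus": 200, **TLS12},
    {"bucket": "example-bucket", "remoteip": "198.51.100.7",
     "operation": "REST.GET.OBJECT", "httpstatus": 200},
    {"bucket": "example-bucket", "remoteip": "192.0.2.11", "requester": USER,
     "operation": "REST.PUT.OBJECT", "httpstatus": 200,
     "ciphersuite": "ECDHE-RSA-AES128-SHA", "tlsVersion": "TLSv1"},
    {"bucket": "example-bucket", "remoteip": "203.0.113.5",
     "operation": "REST.GET.OBJECT", "httpstatus": 403, **TLS12},
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(rule(sample), title(sample) if rule(sample) else "no alert")
```

The last sample shows the intended quiet case: an anonymous request over TLSv1.2 that S3 rejected with 403 does not alert.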