search
Knowledge BaseRelease NotesRequest Demo

Amazon Security Lake

Connecting Amazon Security Lake logs to your Panther Console

hashtag
Overview

Panther supports ingesting Amazon Security Lakearrow-up-right logs for use in detections and search. Security data centralized in Amazon Security Lake is normalized according to the Open Cybersecurity Schema Framework (OCSF)arrow-up-right, and Panther supports ingesting all OSCF event classes found herearrow-up-right.

To set up this integration, you will configure Panther to be a subscriberarrow-up-right of your Security Lake logs.

hashtag
How to onboard Amazon Security Lake logs to Panther

hashtag
Step 1: Begin creating an Amazon Security Lake source in Panther

  1. In the left-hand navigation bar of your Panther Console, click Configure > Log Sources.

  2. Click Create New.

  3. Search for "Amazon Security Lake," then click its tile.

  4. Click Start Setup.

  5. On the Configure page, copy the Panther AWS Account ID and Panther External ID values, and store them in a secure location. You will use them in the next step.

    • Keep this browser tab open. You will return to it in Step 3, below.

hashtag
Step 2: Create a new Subscriber in Amazon Security Lake

  1. In a new browser tab, log in to the AWS Console and navigate to Amazon Security Lake > Subscribers.

  2. Click Create subscriber.

  3. Enter following values for the following fields:

    • Subscriber name: A human-friendly name, e.g., Panther.

    • Account ID: The Panther AWS Account ID you copied in the previous step.

    • External ID: The Panther External ID you copied in the previous step.

    • Data Access: Select S3.

    • S3 Notification type: Select SQS Queue.

    • Log and event sources: Select all applicable sources, and ensure the Version for each is 1.0.\

      A "Log and event sources" section is shown, containing a handful of rows with AWS services. A "Version" column shows 1.0 for all rows.

  4. Click Create.

  5. Click the name of the subscriber you just created.

  6. Copy the AWS role ARN and Subscription endpoint values, and store them in a secure location. You will use them in the next step.

hashtag
Step 3: Complete Amazon Security Lake source creation in Panther

  1. Return to your Panther Console browser tab.

  2. On the Configure page, enter values for the following fields:

    • Name: A human-friendly name for your source, e.g., Amazon Security Lake.

    • AWS Role ARN: The role ARN you generated in the previous step.

    • Subscription endpoint: The SQS queue ARN you generated in the previous step.

  3. Click Setup.

    • You will be directed to a success screen:\

      The success screen reads, "Everything looks good! Panther will now automatically pull & process logs from your account"

      • You can optionally enable one or more Detection Packs.

      • The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.\

        The "Trigger an alert when no events are processed" toggle is set to YES. The "How long should Panther wait before it sends you an alert that no events have been processed" setting is set to 1 Day

hashtag
Supported Amazon Security Lake log types

Panther supports ingesting Amazon Security Lake logs with each of the OCSF schemas listed on this OCSF pagearrow-up-right.

PreviousAWS Security HubNextAWS S3

Last updated

Was this helpful?