# Amazon Security Lake

## Overview

Panther supports ingesting [Amazon Security Lake](https://aws.amazon.com/security-lake/) logs for use in detections and search. Security data centralized in Amazon Security Lake is normalized according to the [Open Cybersecurity Schema Framework (OCSF)](https://ocsf.io/), and Panther supports ingesting [all OCSF event classes found here](https://schema.ocsf.io/).

To set up this integration, you will configure Panther to be a [subscriber](https://docs.aws.amazon.com/security-lake/latest/userguide/subscriber-management.html) of your Security Lake logs.

## How to onboard Amazon Security Lake logs to Panther

### Step 1: Begin creating an Amazon Security Lake source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "Amazon Security Lake," then click its tile.
4. Click **Start Setup**.
5. On the **Configure** page, copy the **Panther AWS Account ID** and **Panther External ID** values, and store them in a secure location. You will use them in the next step.
   * Keep this browser tab open. You will return to it in Step 3, below.

### Step 2: Create a new Subscriber in Amazon Security Lake

1. In a new browser tab, log in to the AWS Console and navigate to **Amazon Security Lake** > **Subscribers**.
2. Click **Create subscriber**.
3. Enter values for the following fields:
   * **Subscriber name**: A human-friendly name, e.g., `Panther`.
   * **Account ID**: The **Panther AWS Account ID** you copied in the previous step.
   * **External ID**: The **Panther External ID** you copied in the previous step.
   * **Data Access**: Select **S3**.
   * **S3 Notification type**: Select **SQS Queue**.
   * **Log and event sources**: Select all applicable sources, and ensure the `Version` for each is `1.0`.

     <figure><img src="/files/V4mznz1QHNBgsaZsvDN9" alt="A &#x22;Log and event sources&#x22; section is shown, containing a handful of rows with AWS services. A &#x22;Version&#x22; column shows 1.0 for all rows."><figcaption></figcaption></figure>
4. Click **Create**.
5. Click the name of the subscriber you just created.
6. Copy the **AWS role ARN** and **Subscription endpoint** values, and store them in a secure location. You will use them in the next step.
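
The subscriber role created in this step is assumed cross-account by Panther, so it is worth confirming that its trust policy names only the **Panther AWS Account ID** and requires the **Panther External ID**. The following is an added example, not Panther or AWS code: it audits a trust policy document you have exported yourself (for example from the output of `aws iam get-role`), and it assumes the policy uses the standard cross-account form with an `sts:ExternalId` condition. The account ID, external ID and sample policies are constructed placeholders.

```python
ACCOUNT = "111122223333"             # constructed placeholder for the Panther AWS Account ID
EXTERNAL_ID = "example-external-id"  # constructed placeholder for the Panther External ID

def _as_list(value):
    """IAM policy fields may hold a single value or a list."""
    return value if isinstance(value, list) else [value]

def _account_of(principal):
    """Extract the account ID from a bare ID or an IAM ARN."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 4 else principal

def audit_trust_policy(policy, expected_account, expected_external_id):
    """Return findings for a role trust policy; an empty list means it passed."""
    allows = [s for s in _as_list(policy.get("Statement", []))
              if s.get("Effect") == "Allow"
              and "sts:AssumeRole" in _as_list(s.get("Action", []))]
    if not allows:
        return ["no Allow statement for sts:AssumeRole"]
    findings = []
    for i, stmt in enumerate(allows):
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if not aws:
            findings.append(f"statement {i}: no AWS principal")
        for p in aws:
            if _account_of(p) != expected_account:
                findings.append(f"statement {i}: unexpected principal {p}")
        # Condition keys are case-insensitive in IAM, so normalise before lookup.
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in equals.items()}.get("sts:externalid")
        if ext is None:
            findings.append(f"statement {i}: no sts:ExternalId condition")
        elif _as_list(ext) != [expected_external_id]:
            findings.append(f"statement {i}: sts:ExternalId does not match")
    return findings

def _policy(principal, condition):
    """Build a constructed single-statement trust policy for the samples below."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": principal}}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

# Constructed sample policies, not taken from a real account.
GOOD = _policy(f"arn:aws:iam::{ACCOUNT}:root", {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = _policy(f"arn:aws:iam::{ACCOUNT}:root", None)
WRONG_ACCOUNT = _policy("arn:aws:iam::444455556666:root", {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
```

Call `audit_trust_policy` with the parsed trust policy and the two values you copied in Step 1; any returned finding means the role should be reviewed before you finish setup.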

### Step 3: Complete Amazon Security Lake source creation in Panther

1. Return to your Panther Console browser tab.
2. On the **Configure** page, enter values for the following fields:
   * **Name**: A human-friendly name for your source, e.g., `Amazon Security Lake`.
   * **AWS Role ARN**: The role ARN you generated in the previous step.
   * **Subscription endpoint**: The SQS queue ARN you generated in the previous step.
3. Click **Setup**.
   * You will be directed to a success screen:

     <figure><img src="/files/lJCvylZLzgzxBKPB2fyE" alt="The success screen reads, &#x22;Everything looks good! Panther will now automatically pull &#x26; process logs from your account&#x22;" width="281"><figcaption></figcaption></figure>

     * You can optionally enable one or more [Detection Packs](/detections/panther-managed/packs.md).
     * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

       <figure><img src="/files/Qjs5L2RqoxDEnhUcjTYh" alt="The &#x22;Trigger an alert when no events are processed&#x22; toggle is set to YES. The &#x22;How long should Panther wait before it sends you an alert that no events have been processed&#x22; setting is set to 1 Day" width="320"><figcaption></figcaption></figure>

## Supported Amazon Security Lake log types

Panther supports ingesting Amazon Security Lake logs with each of the OCSF schemas listed on [this OCSF page](https://schema.ocsf.io/).

