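# Log schema for AWS Transit Gateway Flow Logs (see referenceURL).
# `schema` names the log type, `parser.native` binds it to the built-in parser
# of the same name, and `fields` lists the columns with their types.
# `indicators` tags fields whose values are extracted for indicator search
# (account IDs, IP addresses) - presumably; confirm against the schema engine.
schema: AWS.TransitGatewayFlow
parser:
  native:
    name: AWS.TransitGatewayFlow
description: >-
  TransitGatewayFlow logs enable you to capture information about the IP
  traffic going to and from your transit gateways.
referenceURL: https://docs.aws.amazon.com/vpc/latest/tgw/tgw-flow-logs.html
fields:
  # The default AWS log format emits version 2; a different custom format may
  # change which of the fields below are present.
  - name: version
    description: The Transit Gateway Flow Logs version. If you use the default format, the version is 2.
    type: bigint
  - name: resourceType
    description: Where the subscription was created, either TransitGateway or TransitGatewayAttachment.
    type: string
  - name: accountId
    description: The AWS account ID owner of the transit gateway.
    type: string
    indicators:
      - aws_account_id
  # `required: true` presumably rejects records that lack the field - confirm
  # against the schema engine. Only tgwId and start are mandatory here.
  - name: tgwId
    required: true
    description: The ID of the transit gateway for which traffic is being recorded.
    type: string
  - name: tgwAttachmentId
    description: The ID of the transit gateway attachment for which traffic is being recorded.
    type: string
  - name: tgwPairAttachmentId
    description: Depending on the flow direction, this is either the egress or ingress attachment ID of the flow.
    type: string
  - name: protocol
    description: The IANA protocol number of the traffic.
    type: bigint
  - name: packets
    description: The number of packets transferred during the flow.
    type: bigint
  - name: bytes
    description: The number of bytes transferred during the flow.
    type: bigint
  # `start` is the event time used for ordering and detection windows; `end`
  # is kept as data only. Both are Unix epoch values.
  - name: start
    required: true
    description: The time of the start of the flow (UTC).
    type: timestamp
    timeFormats:
      - unix
    isEventTime: true
  - name: end
    description: The time of the end of the flow (UTC).
    type: timestamp
    timeFormats:
      - unix
  # NODATA and SKIPDATA records carry no traffic counters; SKIPDATA marks a
  # gap in coverage for the interval, which is worth monitoring on its own.
  - name: logStatus
    description: >-
      The logging status of the flow log. OK: Data is logging normally to the
      chosen destinations. NODATA: There was no network traffic to or from the
      network interface during the aggregation interval. SKIPDATA: Some flow
      log records were skipped during the aggregation interval. This might be
      because of an internal capacity constraint, or an internal error.
    type: string
  - name: type
    description: 'The type of traffic: IPv4, IPv6, or EFA.'
    type: string
  - name: packetsLostNoRoute
    description: The packets lost due to no route being specified.
    type: bigint
  - name: packetsLostBlackhole
    description: The packets lost due to a black hole.
    type: bigint
  - name: packetsLostMtuExceeded
    description: The packets lost due to the size exceeding the MTU.
    type: bigint
  - name: packetsLostTtlExpired
    description: The packets lost due to the expiration of time-to-live.
    type: bigint
  # Flags are OR-ed across the aggregation interval, so the value is the union
  # of flags seen in the window, not the state of any single packet.
  - name: tcpFlags
    description: >-
      The bitmask value for the following TCP flags: FIN: 1, SYN: 2, RST: 4,
      PSH: 8, ACK: 16, SYN-ACK: 18, URG: 32. When a flow log entry consists of
      only ACK packets, the flag value is 0, not 16. TCP flags can be OR-ed
      during the aggregation interval. For short connections, the flags might
      be set on the same line in the flow log record, for example, 19 for
      SYN-ACK and FIN, and 3 for SYN and FIN.
    type: bigint
  - name: region
    description: The Region that contains the transit gateway where traffic is recorded.
    type: string
  - name: flowDirection
    description: >-
      The direction of the flow with respect to the interface where traffic is
      captured. The possible values are: ingress | egress.
    type: string
  - name: tgwSrcVpcAccountId
    description: The AWS account ID for the source VPC traffic.
    type: string
    indicators:
      - aws_account_id
  - name: tgwSrcVpcId
    description: The ID of the source VPC for the transit gateway.
    type: string
  - name: tgwSrcSubnetId
    description: The ID of the subnet for the transit gateway source traffic.
    type: string
  - name: tgwSrcEni
    description: The ID of the source transit gateway attachment ENI for the flow.
    type: string
  - name: tgwSrcAzId
    description: >-
      The ID of the Availability Zone that contains the source transit gateway
      for which traffic is recorded. If the traffic is from a sublocation, the
      record displays a '-' symbol for this field.
    type: string
  # Address fields are typed as strings and tagged `ip`; which of the two
  # holds the transit gateway's own address depends on flowDirection.
  - name: srcAddr
    description: >-
      The source address for incoming traffic, or the IPv4 or IPv6 address of
      the transit gateway for outgoing traffic on the transit gateway. The IPv4
      address of the transit gateway is always its private IPv4 address.
    type: string
    indicators:
      - ip
  - name: srcPort
    description: The source port of the traffic.
    type: bigint
  - name: pktSrcAwsService
    description: >-
      The name of the subset of IP address ranges for the srcAddr field if the
      source IP address is for an AWS service. The possible values are:
      AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS |
      CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EBS |
      EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS |
      ROUTE53 | ROUTE53_HEALTHCHECKS | ROUTE53_HEALTHCHECKS_PUBLISHING |
      ROUTE53_RESOLVER | S3 | WORKSPACES_GATEWAYS.
    type: string
  - name: tgwDstVpcAccountId
    description: The AWS account ID for the destination VPC traffic.
    type: string
    indicators:
      - aws_account_id
  - name: tgwDstVpcId
    description: The ID of the destination VPC for the transit gateway.
    type: string
  - name: tgwDstSubnetId
    description: The ID of the subnet for the transit gateway destination traffic.
    type: string
  - name: tgwDstEni
    description: The ID of the destination transit gateway attachment ENI for the flow.
    type: string
  - name: tgwDstAzId
    description: The ID of the Availability Zone that contains the destination transit gateway for which traffic is recorded.
    type: string
  - name: dstAddr
    description: >-
      The destination address for outgoing traffic, or the IPv4 or IPv6
      address of the transit gateway for incoming traffic on the transit
      gateway. The IPv4 address of the transit gateway is always its private
      IPv4 address.
    type: string
    indicators:
      - ip
  - name: dstPort
    description: The destination port of the traffic.
    type: bigint
  - name: pktDstAwsService
    description: >-
      The name of the subset of IP address ranges for the dstAddr field, if the
      destination IP address is for an AWS service. The possible values are:
      AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS |
      CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EBS |
      EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS |
      ROUTE53 | ROUTE53_HEALTHCHECKS | ROUTE53_HEALTHCHECKS_PUBLISHING |
      ROUTE53_RESOLVER | S3 | WORKSPACES_GATEWAYS.
    type: string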