Panther supports ingesting Amazon Web Services (AWS) Virtual Private Cloud (VPC) logs via AWS S3.
How to onboard AWS VPC logs to Panther
Step 1: Configure logging in AWS
The AWS configuration differs depending on if you are onboarding VPC DNS or flow logs. If you are onboarding both DNS and flow logs, you must follow the processes in both tabs below.
With some configuration in AWS, you can use this integration to monitor DNS queries. Malicious actors can use DNS for data theft, C2, DNS tunneling, cache poisoning, DNS hijacking, and more. Logging the queries made and responses received by devices in your network can be valuable in proactive alerting and investigations.
The instructions below explain how to log queries from your AWS services within VPCs to an S3 bucket. The query logging configuration happens within Route 53 and applies to the VPCs within your specified region. A configuration is required per region, but can be applied to multiple VPCs of that region.
Log in to your AWS account.
Navigate to the Route 53 service within the region you plan to log.
On the lefthand side, under Resolver, click Query Logging.
You should be redirected to a “Query logging configurations” page. If not, try clicking “Query Logging” link again.
In the upper right corner, click Configure Query Logging.
On the next page, fill in the Query Logging configuration form:
Name: Enter a descriptive name.
Destination for query logs: Select S3 bucket.
Amazon S3 Bucket: Select the S3 bucket where you want to configure query logging.
VPC Logs: Add all the VPCs you would like to start logging DNS queries from. Search for a VPC, then click Add VPC.
At the bottom of the page, click Configure query logging.
Within a few minutes, you should start receiving logs within your S3 bucket at s3://BucketName/BucketPrefix/AWSLogs/ACCOUNTID/vpcdnsquerylogs/VPCName/Year/Month/Day
To configure VPC flow logging:
Follow the AWS documentation.
Under Log record format, select Custom format, then check Standard attributes. (The AWS default format excludes fields like instance-id.)
Step 2: Create a new AWS VPC source in Panther
You will need to set up an AWS VPC source in Panther, which indicates which S3 bucket the logs will be streamed from.
If you are onboarding both DNS and flow logs:
If both types of logs are configured to be sent to the same S3 bucket, you can create one AWS VPC log source in Panther.
If you have configured your DNS and flow logs to be sent to different S3 buckets, you must complete this step twice (setting up two log sources in Panther).
In the lefthand navigation bar of your Panther Console, click Configure > Log Sources.
schema: AWS.VPCDns
parser:
native:
name: AWS.VPCDns
description: DNS query logs represent the queries that VPC DNS resolvers forward to Route 53.
referenceURL: https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-query-logs-format.html
fields:
- name: version
required: true
description: The version number of the query log format. If we add fields to the log or change the format of existing fields, we'll increment this value.
type: string
- name: account_id
required: true
description: The ID of the AWS account that created the VPC.
type: string
indicators:
- aws_account_id
- name: region
required: true
description: The AWS Region that you created the VPC in.
type: string
- name: vpc_id
required: true
description: The ID of the VPC that the query originated in.
type: string
- name: query_timestamp
required: true
description: The date and time that the query was submitted, in ISO 8601 format and Coordinated Universal Time (UTC)
type: timestamp
timeFormat: rfc3339
isEventTime: true
- name: query_name
required: true
description: The domain name (example.com) or subdomain name (www.example.com) that was specified in the query.
type: string
- name: query_type
required: true
description: Either the DNS record type that was specified in the request, or ANY. For information about the types that Route 53 supports.
type: string
- name: query_class
required: true
description: The class of the query.
type: string
- name: rcode
required: true
description: The DNS response code that Resolver returned in response to the DNS query. The response code indicates whether the query was valid or not. The most common response code is NOERROR, meaning that the query was valid. If the response is not valid, Resolver returns a response code that explains why not. For a list of possible response codes, see DNS RCODEs on the IANA website.
type: string
- name: answers
required: true
description: Answers to the query
type: array
element:
type: object
fields:
- name: Rdata
required: true
description: The value that Resolver returned in response to the query. For example, for an A record, this is an IP address in IPv4 format. For a CNAME record, this is the domain name in the CNAME record.
type: string
- name: Type
required: true
description: The DNS record type (such as A, MX, or CNAME) of the value that Resolver is returning in response to the query.
type: string
- name: Class
required: true
description: The class of the Resolver response to the query.
type: string
- name: srcaddr
required: true
description: The IP address of the instance that the query originated from.
type: string
indicators:
- ip
- name: srcport
required: true
description: The port on the instance that the query originated from.
type: string
- name: transport
required: true
description: The protocol used to submit the DNS query.
type: string
- name: srcids
required: true
description: The list of IDs of the sources the DNS query originated from or passed through.
type: object
fields:
- name: instance
description: The ID of the instance that the query originated from.
type: string
indicators:
- aws_instance_id
- name: resolver-endpoint
description: The ID of the resolver endpoint that passes the DNS query to on-premises DNS servers.
type: string
- name: firewall_rule_group_id
description: The ID of the DNS Firewall rule group that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.
type: string
- name: firewall_rule_action
description: The action specified by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.
type: string
- name: firewall_domain_list_id
description: The domain list used by the rule that matched the domain name in the query. This is populated only if DNS Firewall found a match for a rule with action set to alert or block.
type: string
AWS.VPCFlow
VPC Flow is a VPC NetFlow log, which is a layer 3 representation of network traffic in EC2.
Note that for Panther to properly ingest VPC NetFlow logs, they must come directly from S3, in CSV format with a header.
schema: AWS.VPCFlow
parser:
native:
name: AWS.VPCFlow
description: VPCFlow is a VPC NetFlow log, which is a layer 3 representation of network traffic in EC2.
referenceURL: https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs-records-examples.html
fields:
- name: version
description: The VPC Flow Logs version. If you use the default format, the version is 2. If you specify a custom format, the version is 3.
type: bigint
- name: account
description: The AWS account ID for the flow log.
type: string
indicators:
- aws_account_id
- name: interfaceId
description: The ID of the network interface for which the traffic is recorded.
type: string
- name: srcAddr
description: The source address for incoming traffic, or the IPv4 or IPv6 address of the network interface for outgoing traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address.
type: string
indicators:
- ip
- name: dstAddr
description: The destination address for outgoing traffic, or the IPv4 or IPv6 address of the network interface for incoming traffic on the network interface. The IPv4 address of the network interface is always its private IPv4 address.
type: string
indicators:
- ip
- name: srcPort
description: The source port of the traffic.
type: bigint
- name: dstPort
description: The destination port of the traffic.
type: bigint
- name: protocol
description: The IANA protocol number of the traffic.
type: bigint
- name: packets
description: The number of packets transferred during the flow.
type: bigint
- name: bytes
description: The number of bytes transferred during the flow.
type: bigint
- name: start
required: true
description: The time of the start of the flow (UTC).
type: timestamp
timeFormat: rfc3339
- name: end
required: true
description: The time of the end of the flow (UTC).
type: timestamp
timeFormat: rfc3339
- name: action
description: 'The action that is associated with the traffic. ACCEPT: The recorded traffic was permitted by the security groups or network ACLs. REJECT: The recorded traffic was not permitted by the security groups or network ACLs.'
type: string
- name: status
required: true
description: 'The logging status of the flow log. OK: Data is logging normally to the chosen destinations. NODATA: There was no network traffic to or from the network interface during the capture window. SKIPDATA: Some flow log records were skipped during the capture window. This may be because of an internal capacity constraint, or an internal error.'
type: string
- name: vpcId
description: The ID of the VPC that contains the network interface for which the traffic is recorded.
type: string
- name: subNetId
description: The ID of the subnet that contains the network interface for which the traffic is recorded.
type: string
- name: instanceId
description: The ID of the instance that's associated with network interface for which the traffic is recorded, if the instance is owned by you. Returns a '-' symbol for a requester-managed network interface; for example, the network interface for a NAT gateway.
type: string
indicators:
- aws_instance_id
- name: tcpFlags
description: "The bitmask value for the following TCP flags: SYN: 2, SYN-ACK: 18, FIN: 1, RST: 4. ACK is reported only when it's accompanied with SYN. TCP flags can be OR-ed during the aggregation interval. For short connections, the flags might be set on the same line in the flow log record, for example, 19 for SYN-ACK and FIN, and 3 for SYN and FIN."
type: bigint
- name: trafficType
description: 'The type of traffic: IPv4, IPv6, or EFA.'
type: string
- name: pktSrcAddr
description: The packet-level (original) source IP address of the traffic. Use this field with the srcaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the original source IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running.
type: string
indicators:
- ip
- name: pktDstAddr
description: The packet-level (original) destination IP address for the traffic. Use this field with the dstaddr field to distinguish between the IP address of an intermediate layer through which traffic flows, and the final destination IP address of the traffic. For example, when traffic flows through a network interface for a NAT gateway, or where the IP address of a pod in Amazon EKS is different from the IP address of the network interface of the instance node on which the pod is running.
type: string
indicators:
- ip
- name: pktSrcAwsService
description: 'The name of the subset of IP address ranges for the pkt-srcaddr field, if the source IP address is for an AWS service. The possible values are: AMAZON | AMAZON_APPFLOW | AMAZON_CONNECT | API_GATEWAY | CHIME_MEETINGS | CHIME_VOICECONNECTOR | CLOUD9 | CLOUDFRONT | CODEBUILD | DYNAMODB | EC2 | EC2_INSTANCE_CONNECT | GLOBALACCELERATOR | KINESIS_VIDEO_STREAMS | ROUTE53 | ROUTE53_HEALTHCHECKS | S3 | WORKSPACES_GATEWAYS.'
type: string
- name: pktDstAwsService
description: The name of the subset of IP address ranges for the pkt-dstaddr field, if the destination IP address is for an AWS service. For a list of possible values, see the pkt-src-aws-service field.
type: string
- name: flowDirection
description: 'The direction of the flow with respect to the interface where traffic is captured. The possible values are: ingress | egress.'
type: string
- name: trafficPath
description: The path that egress traffic takes to the destination. To determine whether the traffic is egress traffic, check the flow-direction field. The possible values are as follows. If none of the values apply, the field is set to -. If the network interface is attached to an instance based on the Nitro System, the possible values include 7 and 8 but not 2. With instances not based on the Nitro System (for example, T2 and M4), the possible values include 2 but not 7 or 8. 1 — Through another resource in the same VPC, 2 — Through an internet gateway or a gateway VPC endpoint, 3 — Through a virtual private gateway, 4 — Through an intra-region VPC peering connection, 5 — Through an inter-region VPC peering connection, 6 — Through a local gateway, 7 — Through a gateway VPC endpoint, 8 — Through an internet gateway
type: smallint
- name: region
description: The Region that contains the network interface for which traffic is recorded.
type: string
- name: azId
description: The ID of the Availability Zone that contains the network interface for which traffic is recorded. If the traffic is from a sublocation, the record displays a '-' symbol for this field.
type: string
- name: sublocationType
description: "The type of sublocation that's returned in the sublocation-id field. The possible values are: wavelength | outpost | localzone. If the traffic is not from a sublocation, the record displays a '-' symbol for this field."
type: string
- name: sublocationId
description: The ID of the sublocation that contains the network interface for which traffic is recorded. If the traffic is not from a sublocation, the record displays a '-' symbol for this field.
type: string
Follow .
See rules for AWS VPC in the .
See example SQL queries, for use in Panther's , in VPC logs queries.
Panther supports and .
DNS query logs represent the queries that VPC DNS resolvers forward to Route 53. For more information, see .
