# Island Logs

## Overview

Panther ingests [Island](https://www.island.io/) Enterprise Browser logs through an AWS S3 source, which monitors logs exported by Island. Island gives organizations complete control, visibility, and governance over browser activity, with access and security policies embedded directly within the browser where users, applications, and data intersect.

Island exports logs to an S3 bucket in your AWS account. Panther ingests three types of Island logs:

* **Audit logs**: Administrative actions and authentication events
* **Browser Audit logs**: Browser activity, DLP violations, and security threats
* **System Event logs**: Device enrollment, lifecycle, and retention events

## How to onboard Island logs to Panther

### Prerequisites

* An active Island Enterprise Browser subscription with administrative access
* An AWS account where Island can export logs
* Permissions to create S3 sources in your Panther Console

### Step 1: Configure Island to export logs to AWS S3

{% hint style="info" %}
Detailed instructions for configuring the Island AWS S3 integration are available in the [Island Documentation Portal](https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration) (requires Management Console login).
{% endhint %}

1. Log in to your Island Management Console.
2. Navigate to the AWS S3 integration settings.
3. Configure Island to export logs to an S3 bucket in your AWS account.
   * Make note of the **S3 bucket name** and **prefix** where Island will write logs. You will need these in Step 2.
4. Configure which log types to export (Audit, Browser Audit, and System Events are supported by Panther).
5. Save your configuration.

Island will begin exporting logs to your S3 bucket based on your configuration.

### Step 2: Create a new Island source in Panther

1. In the left-hand navigation bar of your Panther Console, click **Configure** > **Log Sources**.
2. Click **Create New**.
3. Search for "Island", then click its tile.
4. Click **Start Setup**.
5. Follow [Panther's instructions for configuring an AWS S3 source](https://docs.panther.com/data-transports/aws/s3#how-set-up-an-aws-s3-bucket-log-source-in-panther).
   * Use the S3 bucket name and prefix that Island is writing logs to.
   * While configuring the S3 bucket source in Panther, we recommend adding a prefix filter of `*.json` to ensure Panther only processes Island JSON log files.
6. On the **Configuration** page:
   * Enter a descriptive **Name**, e.g., `Island Enterprise Browser Logs`.
   * The **Log Types** will automatically detect `Island.Audit`, `Island.BrowserAudit`, and `Island.SystemEvent`.
7. Complete the setup wizard.
   * You can optionally enable one or more Detection Packs.
   * The **Trigger an alert when no events are processed** setting defaults to **YES**. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

## Supported log types

### Island.Audit

Island Audit logs track administrative actions and authentication events within the Island Management Console, including user management, role changes, and system configuration modifications.

Reference: [Island AWS S3 Integration Documentation](https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration)

```yaml
schema: Island.Audit
description: |
    Island Audit logs provide visibility into administrative actions and authentication events
    within the Island Management Console. These logs help track user management, role changes,
    and system configuration modifications.
referenceURL: https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration
fields:
    - name: id
      required: true
      description: Unique identifier for the audit event
      type: string
    - name: tenant_id
      required: true
      description: Island tenant identifier
      type: string
    - name: timestamp
      required: true
      description: Event timestamp in RFC3339 format
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: source
      description: Audit event source (e.g., AdminAction, SystemEvent)
      type: string
    - name: action
      description: Action performed (e.g., Create, View, Login, AddUserToRole)
      type: string
    - name: audit_type
      description: Category of the audit event (e.g., Authentication, UserManagement, AdminManagement)
      type: string
    - name: email
      description: Email address of the user performing the action
      type: string
      indicators:
        - email
    - name: user_id
      description: Identifier of the user performing the action
      type: string
      indicators:
        - username
    - name: entity_id
      description: Identifier of the entity affected by the action
      type: string
    - name: entity_name
      description: Name of the entity affected by the action
      type: string
    - name: entity_type
      description: Type of the entity affected by the action
      type: string
    - name: source_ip
      description: IP address from which the action originated
      type: string
      indicators:
        - ip
```
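
The following is an added example, not code from Panther or Island: a detection over `Island.Audit` events, written in the shape of a Panther Python rule, that flags role grants whose `source_ip` is missing, malformed, or outside a trusted admin network. The trusted ranges and the sample events are assumptions constructed for illustration; `AddUserToRole` comes from the schema's example values.

```python
import ipaddress

# Assumption: networks your Island admins normally work from (documentation ranges).
TRUSTED_ADMIN_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]
# "AddUserToRole" is one of the example action values in the schema above.
ROLE_GRANT_ACTIONS = {"AddUserToRole"}

def from_trusted_network(source_ip):
    """True only when source_ip parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(source_ip or "")
    except ValueError:
        return False  # missing or malformed addresses count as untrusted
    return any(addr in net for net in TRUSTED_ADMIN_NETWORKS)

def rule(event):
    """Fire on role grants that did not originate from a trusted admin network."""
    if event.get("action") not in ROLE_GRANT_ACTIONS:
        return False
    return not from_trusted_network(event.get("source_ip"))

def title(event):
    return (f"Island role grant by {event.get('email') or '<unknown>'} "
            f"from untrusted IP {event.get('source_ip') or '<missing>'}")

def alert_context(event):
    keys = ("id", "timestamp", "audit_type", "entity_type", "entity_name", "entity_id")
    return {k: event.get(k) for k in keys}

# Constructed sample events, not real Island output.
SAMPLE_EVENTS = [
    {"id": "a1", "action": "AddUserToRole", "email": "admin@example.com", "source_ip": "192.0.2.10"},
    {"id": "a2", "action": "AddUserToRole", "email": "admin@example.com", "source_ip": "203.0.113.7"},
    {"id": "a3", "action": "AddUserToRole", "email": "admin@example.com"},
    {"id": "a4", "action": "Login", "email": "user@example.com", "source_ip": "203.0.113.7"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        if rule(ev):
            print(title(ev), alert_context(ev))
```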

### Island.BrowserAudit

Island Browser Audit logs capture detailed browser activity, including navigation events, file downloads, DLP violations, and security verdicts. These logs provide comprehensive visibility into user interactions with web applications and potential security threats.

Reference: [Island AWS S3 Integration Documentation](https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration)

```yaml
schema: Island.BrowserAudit
description: |
    Island Browser Audit logs capture detailed browser activity including navigation events,
    file downloads, DLP violations, screen recordings, and security verdicts. These logs
    provide comprehensive visibility into user interactions with web applications and
    potential security threats.
referenceURL: https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration
fields:
    - name: id
      required: true
      description: Unique identifier for the browser audit event
      type: string
    - name: tenant_id
      required: true
      description: Island tenant identifier
      type: string
    - name: timestamp
      required: true
      description: Event timestamp in RFC3339 format
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: source
      description: Event source (always "BrowserAudit" for this log type)
      type: string
    - name: type
      description: Type of browser event (e.g., Navigation, Download, ScreenRecording)
      type: string
    - name: version
      description: Schema version for the event
      type: string
    - name: signature
      description: Event signature for validation
      type: string
    - name: details
      description: Additional event details in JSON format
      type: json
    - name: client_event_id
      description: Client-side event identifier
      type: string
    - name: email
      description: Email address of the user
      type: string
      indicators:
        - email
    - name: user_id
      description: User identifier
      type: string
      indicators:
        - username
    - name: user_name
      description: Display name of the user
      type: string
    - name: device_id
      description: Island device identifier
      type: string
    - name: machine_id
      description: Machine identifier
      type: string
    - name: machine_name
      description: Machine hostname
      type: string
      indicators:
        - hostname
    - name: os_platform
      description: Operating system platform (e.g., Windows, macOS, iOS)
      type: string
    - name: os_user_name
      description: Operating system username
      type: string
      indicators:
        - username
    - name: source_ip
      description: Private/internal IP address of the device
      type: string
      indicators:
        - ip
    - name: public_ip
      description: Public IP address of the device
      type: string
      indicators:
        - ip
    - name: country
      description: Country name based on IP geolocation
      type: string
    - name: country_code
      description: ISO country code based on IP geolocation
      type: string
    - name: region
      description: Region or state based on IP geolocation
      type: string
    - name: verdict
      description: Security verdict for the event (e.g., Allowed, Blocked, Warned)
      type: string
    - name: verdict_reason
      description: Reason for the security verdict
      type: string
    - name: rule_id
      description: Identifier of the policy rule that triggered the verdict
      type: string
    - name: rule_name
      description: Name of the policy rule that triggered the verdict
      type: string
    - name: matched_device_posture
      description: Device posture information at the time of the event (JSON)
      type: json
    - name: compatibility_mode
      description: Browser compatibility mode setting
      type: string
    - name: tab_id
      description: Browser tab identifier
      type: string
    - name: window_id
      description: Browser window identifier
      type: string
    - name: top_level_url
      description: Top-level URL being accessed
      type: string
      indicators:
        - url
        - domain
    - name: frame_url
      description: Frame URL for iframe events
      type: string
      indicators:
        - url
        - domain
    - name: url_web_categories
      description: Web categories assigned to the URL
      type: array
    - name: url_web_reputation
      description: Web reputation score for the URL
      type: string
    - name: saas_application_id
      description: Identifier of the detected SaaS application
      type: string
    - name: saas_application_name
      description: Name of the detected SaaS application
      type: string
    - name: saas_application_category
      description: Category of the detected SaaS application
      type: string
    - name: screenshot_file_name
      description: Filename of captured screenshot (if applicable)
      type: string
    - name: lineage_ids
      description: Lineage tracking identifiers for related events
      type: array
    - name: is_island_private_access
      description: Indicates if Island Private Access was used
      type: boolean
    - name: client_sending_date
      description: Timestamp when the client sent the event
      type: timestamp
      timeFormat: rfc3339
    - name: processed_date
      description: Timestamp when Island processed the event
      type: timestamp
      timeFormat: rfc3339
    - name: origin
      description: Origin of the event
      type: string
```
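
The following is an added example, not code from Panther or Island: a sliding-window correlation over `Island.BrowserAudit` events that reports users who accumulate several `Blocked` verdicts in a short period, together with the `rule_name` values involved. The window, threshold, rule names, and sample events are assumptions constructed for illustration; events missing `email` or `timestamp` are skipped.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: tune to your environment
THRESHOLD = 3                   # assumption: Blocked verdicts per user per window

def parse_ts(value):
    # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def blocked_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Map email -> rule names for users with >= threshold Blocked verdicts in one window."""
    usable = [e for e in events
              if e.get("verdict") == "Blocked" and e.get("email") and e.get("timestamp")]
    recent = defaultdict(deque)  # email -> (time, rule_name) pairs still inside the window
    flagged = {}
    for e in sorted(usable, key=lambda e: parse_ts(e["timestamp"])):
        ts = parse_ts(e["timestamp"])
        q = recent[e["email"]]
        q.append((ts, e.get("rule_name")))
        while ts - q[0][0] > window:  # drop verdicts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[e["email"]] = sorted({name for _, name in q if name})
    return flagged

def _ev(email, ts, verdict, rule_name):
    return {"source": "BrowserAudit", "type": "Download", "email": email,
            "timestamp": ts, "verdict": verdict, "rule_name": rule_name}

# Constructed sample events, not real Island output.
SAMPLE_EVENTS = [
    _ev("alice@example.com", "2024-05-01T12:00:00Z", "Blocked", "Block executable download"),
    _ev("alice@example.com", "2024-05-01T12:03:00Z", "Blocked", "Block executable download"),
    _ev("alice@example.com", "2024-05-01T12:08:00Z", "Blocked", "Block archive download"),
    _ev("bob@example.com", "2024-05-01T12:00:00Z", "Blocked", "Block archive download"),
    _ev("bob@example.com", "2024-05-01T12:20:00Z", "Blocked", "Block archive download"),
    _ev("bob@example.com", "2024-05-01T12:45:00Z", "Blocked", "Block archive download"),
    _ev("carol@example.com", "2024-05-01T12:01:00Z", "Allowed", None),
    _ev(None, "2024-05-01T12:02:00Z", "Blocked", "Block archive download"),
]

if __name__ == "__main__":
    print(blocked_bursts(SAMPLE_EVENTS))
```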

### Island.SystemEvent

Island System Event logs track device management operations, system alerts, and infrastructure events within the Island platform, including device retention, lifecycle management, and system health.

Reference: [Island AWS S3 Integration Documentation](https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration)

```yaml
schema: Island.SystemEvent
description: |
    Island System Event logs track device management operations, system alerts, and
    infrastructure events within the Island platform. These logs help monitor device
    retention, lifecycle management, and system health.
referenceURL: https://documentation.island.io/docs/configure-and-manage-the-aws-s3-integration
fields:
    - name: id
      required: true
      description: Unique identifier for the system event
      type: string
    - name: tenant_id
      required: true
      description: Island tenant identifier
      type: string
    - name: timestamp
      required: true
      description: Event timestamp in RFC3339 format
      type: timestamp
      timeFormat: rfc3339
      isEventTime: true
    - name: source
      description: Event source (always "SystemEvent" for this log type)
      type: string
    - name: type
      description: System event type (e.g., Deleted Inactive Device)
      type: string
    - name: category
      description: Event category (e.g., DeviceManagement)
      type: string
    - name: sub_category
      description: Event sub-category (e.g., RETENTION)
      type: string
    - name: severity
      description: Event severity level (Info, Warning, Critical)
      type: string
    - name: primary_entity_id
      description: Identifier of the primary entity affected by the event
      type: string
    - name: primary_entity_name
      description: Name of the primary entity affected by the event (e.g., device name)
      type: string
```
